Topics: Security & Insecurity, Privacy & Liberties, Cryptography, Law, Investigations, UK, RIPA
As of 1 October 2007, a change in UK laws has made it illegal to refuse to decrypt and/or hand over cryptography keys requested by the authorities in criminal or terrorism cases. A person believed to have the keys necessary for decryption who refuses to comply in a criminal case can face a maximum of two years in prison. In a terrorism case, the prison sentence can be five years.
This requirement and the penalties for non-compliance are specified in Part III, Section 49 of the Regulation of Investigatory Powers Act (RIPA). Here is an excerpt from RIPA specifying the situations in which the authorities must be given the decrypted information and/or the decryption keys:
---
Part III Investigation of electronic data protected by encryption etc.
49 Notices requiring disclosure
[...]
(3) A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary—
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime; or
(c) in the interests of the economic well-being of the United Kingdom.
---
Yes, encrypted data can pose significant challenges for investigators. But the RIPA section on investigation of encrypted data presents several difficulties. Among them is the broadness of the section and of who may be subject to it.
For example, financial institutions may be required to decrypt or hand over keys in, say, a terrorism case involving funds transfers. That possibility may discourage financial firms from basing their operations in the UK. (The reference to the interests of the UK's economic well-being in the above RIPA excerpt may raise concerns for foreign firms.) Richard Clayton, a Cambridge University security expert, commented in 2006:
---
The notion that international bankers would be wary of bringing master keys into (the United Kingdom) if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction. With the appropriate paperwork, keys can be seized. If you're an international banker, you'll plunk your headquarters in Zurich.
---
(See also Richard Clayton's recent posting on the Light Blue Touchpaper site, where he goes into more detail about some of the problems with the RIPA crypto provisions.)
One of the difficulties that could arise is when a person believed to possess the ability to decrypt the data sought in the investigation does not really have that ability. Perhaps the person really has forgotten the passphrase and/or deleted the cryptographic keys. Would "I simply cannot remember" be an adequate defence? Probably not, and the person goes to prison.
In some cases, there would be an incentive to pretend to have forgotten, or otherwise to hamper access to the encrypted data. If the encrypted data could net a significantly longer sentence, a two- or five-year prison sentence may be a good deal. But what would be a reasonable penalty to discourage such an option? Give the maximum sentence for whatever crime the police suspected had been committed? That would strain concepts of justice.
Many issues remain to be considered and resolved.
See also...
There's a posting and an interesting discussion on this matter at the Schneier on Security blog. Elsewhere on the Web, J.D. "Illiad" Frazer has done a couple of comic strips on the new law, one on Oct 5th and this one on Oct 6th:

Comic strip posted per Web use conditions specified in the UF FAQ.
Actually, the comment in the above comic strip that a decryption key isn't a physical object but something in one's head may be confusing if one is thinking of, say, public and private keys as electronic files. The character's remark fits things such as passphrases, which can be required in practice to decrypt encrypted data. Still, the comic strip makes a good point.
Cryptically yours,
J.D. Abolins