[Infowarrior] - British police: We need power to seize encryption keys

Richard Forno rforno at infowarrior.org
Tue Aug 15 12:32:05 EDT 2006


British police: We need power to seize encryption keys

By Graeme Wearden
http://news.com.com/British+police+We+need+power+to+seize+encryption+keys/2100-7348_3-6105680.html

Story last modified Tue Aug 15 08:47:45 PDT 2006

Because British law enforcement officers don't have the authority to seize
encryption keys, an increasing number of criminals are able to evade
justice, a senior police officer said.

Suspected terrorists, pedophiles and burglars have all walked free because
encrypted data couldn't be opened, detective chief inspector Matt Sarti of
the Metropolitan Police said Monday during a public meeting in London.

"There are more than 200 PCs sitting in property cupboards which contain
encrypted data, for which we have considerable evidence that they contain
data that relates to a serious crime," Sarti said. "Not one of those
suspects has claimed that the files are business-related, and in many cases,
the names of the files indicate that they are important to our
investigations."

Earlier this summer, the British government announced that it plans to
activate Part 3 of the Regulations of Investigatory Powers (RIP) Act, which
will give the police the power, in some circumstances, to demand an
encryption key from a suspect.

Part 3 of the RIP Act has been heavily criticized in the past by some
security professionals and academics who believe that it is a dangerous and
badly written piece of legislation that cannot be properly implemented.

Sarti was speaking at an open meeting to discuss the Home Office
consultation about the draft code of practice for Part 3 of the RIP Act,
which will govern how its powers can be used.

The meeting was organized by the Foundation for Information Policy Research.

Casper Bowden, a former director of the FIPR who led the fight against the
introduction of the RIP Act several years ago, said during the meeting that
Part 3 is flawed because defendants could be prosecuted for simply losing an
encryption key.

"The burden of proof is on the suspect to prove that they don't have the
key, and if they fail, they go to prison. But if they can give an
explanation for not having the key, then the prosecution must prove beyond
reasonable doubt that they are lying," Bowden said.

Bowden explained that in circumstances when the police suspected someone had
encrypted incriminating data, officers could issue an order under Section 49
of the act, ordering the suspect to hand over the key. Failure to do so
could lead to a prosecution under Section 53 of the Act.

Richard Clayton, an FIPR trustee and a computer security researcher at the
University of Cambridge, said the code of practice also lacks clear powers
against officials who were guilty of making "deliberate mistakes" in their
use of the RIP Act to obtain private data. Clayton also argued that
businesses may take their encryption keys out of U.K. jurisdiction so that
they can't be seized.

But Simon Watkin of the Home Office, who drafted the code of practice,
insisted that the time is right to activate Part 3 of the Act as the police
are finding that their investigations are being thwarted by encryption.

"The police have come to us and said that they need powers to get hold of
encrypted data off suspects," Watkin said. "We've got a law like this on the
statute book, and we've been waiting for people like them to come and give
us compelling reasons why they need it."

One police officer in the audience argued that in the case of alleged child
abuse, it was vital to access all the files on a suspect's machine so that
the victims could be identified.

But Duncan Campbell, an investigative journalist who has served as an expert
witness in many computer-related trials, insisted that Part 3 of the RIP Act
could not be justified.

"A person who rapes and damages a 12-year-old is going to get a bloody long
sentence, and bloody good, too. What's the point in the police saying, 'We
need a monstrous law so we can get to the rest of the data'?" Campbell
asked.

The consultation on the draft code of practice will run until Aug. 31, and
Watkin indicated that submissions received after that date will still be
considered. You can see the code of practice on the Home Office Web site.

Graeme Wearden of ZDNet UK reported from London.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.



