[Infowarrior] - UK can now demand data decryption on penalty of jail time

[Richard Forno]

UK can now demand data decryption on penalty of jail time

By Ken Fisher | Published: October 01, 2007 - 10:20PM CT

http://arstechnica.com/news.ars/post/20071001-uk-can-now-demand-data-decrypt
ion-on-penalty-of-jail-time.html

New laws going into effect today in the United Kingdom make it a crime to
refuse to decrypt almost any encrypted data requested by authorities as part
of a criminal or terror investigation. Individuals who are believed to have
the cryptographic keys necessary for such decryption will face up to 5 years
in prison for failing to comply with police or military orders to hand over
either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA)
includes provisions for the decryption requirements, which are applied
differently based on the kind of investigation underway. As we reported last
year, the five-year imprisonment penalty is reserved for cases involving
anti-terrorism efforts. All other failures to comply can be met with a
maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted on UK
servers, or stored on devices located within the UK. The law does not
authorize the UK government to intercept encrypted materials in transit on
the Internet via the UK and to attempt to have them decrypted under the
auspices of the jail time penalty.
The keys to the (United) Kingdom

The law has been criticized for the power its gives investigators, which is
seen as dangerously broad. Authorities tracking the movement of terrorist
funds could demand the encryption keys used by a financial institution, for
instance, thereby laying bare that bank's files on everything from financial
transactions to user data.

Cambridge University security expert Richard Clayton said in May of 2006
that such laws would only encourage businesses to house their cryptography
operations out of the reach of UK investigators, potentially harming the
country's economy. "The controversy here [lies in] seizing keys, not in
forcing people to decrypt. The power to seize encryption keys is spooking
big business," Clayton said.

"The notion that international bankers would be wary of bringing master keys
into UK if they could be seized as part of legitimate police operations, or
by a corrupt chief constable, has quite a lot of traction," he added. "With
the appropriate paperwork, keys can be seized. If you're an international
banker you'll plonk your headquarters in Zurich."

The law also allows authorities to compel individuals targeted in such
investigation to keep silent about their role in decrypting data. Though
this will be handled on a case-by-case basis, it's another worrisome facet
of a law that has been widely criticized for years. While RIPA was
originally passed in 2000, the provisions detailing the handover of
cryptographic keys and/or the force decryption of protected content has not
been tapped by the UK Home Office‹the division of the British government
which oversees national security, the justice system, immigration, and the
police forces of England and Wales. As we reported last year, the Home
Office was slowly building its case to activate Part 3, Section 49.

The Home Office has steadfastly proclaimed that the law is aimed at catching
terrorists, pedophiles, and hardened criminals‹all parties which the UK
government contends are rather adept at using encryption to cover up their
activities.

Yet the law, in a strange way, almost gives criminals an "out," in that
those caught potentially committing serious crimes may opt to refuse to
decrypt incriminating data. A pedophile with a 2GB collection of encrypted
kiddie porn may find it easier to do two years in the slammer than expose
what he's been up to.