<http://www.vnunet.com/articles/print/2193876>

VNU Network

Government's RIP Act revisions under fire

Questions remain over attempts to assuage concerns over controversial legislation

Robert Jaques, vnunet.com 10 Jul 2007

The privacy of UK individuals and business remains under threat despite recent attempts to revise controversial legislation that allows authorities to decrypt files on suspects' computers, experts warned today.

The warning follows changes to Part III of the 2000 Regulation of Investigatory Powers (RIP) Act laid before Parliament on 18 June which are due to come into effect on 1 October.

These revisions are designed to protect the privacy of individuals and the commercial interests of businesses that hold sensitive encrypted information.

Original powers contained in Part III of the legislation were widely criticised by civil rights groups for their intrusive nature.

Businesses, particularly in the financial services sector, expressed concerns about data security and conflicts with data privacy rights.

"Managing encryption and encryption keys is a complex challenge in itself but having to disclose keys to a third party under these new powers has the potential to open up major security holes," warned Dr Nicko van Someren, chief technology officer at nCipher.

"However, the revisions in the new Code of Practice require the level of security for any disclosed key material to, at minimum, match the security that was accorded to it prior to disclosure.

"Furthermore, loss or damage arising from a failure to safeguard decrypted information may give rise to civil actions against the authorities and individual officers."

Robert Bond, head of intellectual property, technology and commercial law at Speechly Bircham LLP, said: "It remains to be seen whether these revisions to RIP Act legislation will be enough to prevent some financial institutions moving their headquarters out of the UK.

"But the revised restrictions on authorities to access keys without good cause and due notice are to be welcomed."

In restricting the power of the authorities, the new RIP Act III Code of Practice states that no person can seek permission to serve a disclosure notice without the approval of the UK's National Technical Assistance Centre, and describes the body as the "guardian and gatekeeper".

The new legislation must also take into account the legitimate needs of businesses and individuals to maintain the integrity of their information and security processes, and any disclosure must be processed in accordance with the provisions of the Data Protection Act 1998.

The new revised Code of Practice for the investigation of protected electronic information restricts the scope of public authorities' powers to access encrypted material, and introduces additional security provisions for key materials and disclosed decrypted data.

This includes establishing the National Technical Assistance Centre to provide technical support and supervision along with recommendations that public authorities create bespoke decryption facilities where processing can be done by corporate officers under the investigator's supervision.

"With criminals increasingly encrypting their data, the power to force disclosure will allow convictions to be progressed where it might previously have been impossible," added Dr van Someren.

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'