--- begin forwarded text Delivered-To: rah@shipwright.com Delivered-To: clips@philodox.com Date: Mon, 27 Nov 2006 09:00:38 -0500 To: Philodox Clips List <clips@philodox.com> From: "R.A. Hettinga" <rah@shipwright.com> Subject: [Clips] EuroGAK: New RIPA Act powers puts data security at risk Reply-To: clips-chat@philodox.com Sender: clips-bounces@philodox.com <http://www.itpro.co.uk/news/98805/new-ripa-act-powers-puts-data-security-at-risk.html> ITPro: News: New RIPA Act powers puts data security at risk Posted by Rene Millman at 10:52AM, Monday 27th November 2006 Encryption expert warns that new police powers will open up "a host of management problems" for companies New powers to allow police to decrypt data for evidence will risk compromising data confidentiality and security, an encryption expert warned. New powers under Part III of the Regulation of Investigatory Powers Act 2000 (RIPA), which comes into effect in the next few months, allows law enforcement officers to gain access to encryption keys needed to decrypt data which could be vital for a conviction. But according to Dr. Nicko Van Someren, chief technology officer at nCipher, the new powers open up "a host of management problems". "Company executives will have to disclose encryption keys without opening up security holes or face up to five years in prison; while law enforcement officers face legal action if they fail to adequately secure evidentiary keys leading to loss or consequential damage," said Van Someren. "It is clear that sophisticated key management systems will be needed to avoid the possibility of the misuse of disclosed keys or breaches of data protection laws." Many financial institutions and other organisations are concerned about data security and conflicts with data privacy rights as a result of RIPA part III. Since companies can be held liable for the accidental or negligent disclosure of customer information, the keys used to protect customer data are just as valuable as those used for banking transactions. The new legislation means businesses have to implement strict control over encryption and to provide authorised access to keys. According to Van Someren, making copies of cryptographic keys is "not a safe option". "Businesses and authorities need to adopt best practice already used by many banks and security conscious companies," he said. "RIPA part III places a heavy duty of disclosure on companies and organisations; but it also places a burden of care and security on the law enforcement authorities." -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' _______________________________________________ Clips mailing list Clips@philodox.com http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'