Government's RIP Act revisions under fire

R.A. Hettinga rah at shipwright.com
Tue Jul 10 09:18:59 PDT 2007


<http://www.vnunet.com/articles/print/2193876>

VNU Network

Government's RIP Act revisions under fire

Questions remain over attempts to assuage concerns over controversial
legislation

Robert Jaques, vnunet.com 10 Jul 2007

The privacy of UK individuals and business remains under threat despite
recent attempts to revise controversial legislation that allows authorities
to decrypt files on suspects' computers, experts warned today.

The warning follows changes to Part III of the 2000 Regulation of
Investigatory Powers (RIP) Act laid before Parliament on 18 June which are
due to come into effect on 1 October.

These revisions are designed to protect the privacy of individuals and the
commercial interests of businesses that hold sensitive encrypted
information.

Original powers contained in Part III of the legislation were widely
criticised by civil rights groups for their intrusive nature.

Businesses, particularly in the financial services sector, expressed
concerns about data security and conflicts with data privacy rights.

"Managing encryption and encryption keys is a complex challenge in itself
but having to disclose keys to a third party under these new powers has the
potential to open up major security holes," warned Dr Nicko van Someren,
chief technology officer at nCipher.

"However, the revisions in the new Code of Practice require the level of
security for any disclosed key material to, at minimum, match the security
that was accorded to it prior to disclosure.

"Furthermore, loss or damage arising from a failure to safeguard decrypted
information may give rise to civil actions against the authorities and
individual officers."

Robert Bond, head of intellectual property, technology and commercial law
at Speechly Bircham LLP, said: "It remains to be seen whether these
revisions to RIP Act legislation will be enough to prevent some financial
institutions moving their headquarters out of the UK.

"But the revised restrictions on authorities to access keys without good
cause and due notice are to be welcomed."

In restricting the power of the authorities, the new RIP Act III Code of
Practice states that no person can seek permission to serve a disclosure
notice without the approval of the UK's National Technical Assistance
Centre, and describes the body as the "guardian and gatekeeper".

The new legislation must also take into account the legitimate needs of
businesses and individuals to maintain the integrity of their information
and security processes, and any disclosure must be processed in accordance
with the provisions of the Data Protection Act 1998.

The new revised Code of Practice for the investigation of protected
electronic information restricts the scope of public authorities' powers to
access encrypted material, and introduces additional security provisions
for key materials and disclosed decrypted data.

This includes establishing the National Technical Assistance Centre to
provide technical support and supervision along with recommendations that
public authorities create bespoke decryption facilities where processing
can be done by corporate officers under the investigator's supervision.

"With criminals increasingly encrypting their data, the power to force
disclosure will allow convictions to be progressed where it might
previously have been impossible," added Dr van Someren.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'




