UK can now demand data decryption on penalty of jail time

R.A. Hettinga rah at
Tue Oct 2 17:22:28 PDT 2007

Game over?

Naw, prolly not. Yet, anyway...


Ars Technica

UK can now demand data decryption on penalty of jail time

By Ken Fisher | Published: October 01, 2007 - 10:20PM CT

New laws going into effect today in the United Kingdom make it a crime to
refuse to decrypt almost any encrypted data requested by authorities as
part of a criminal or terror investigation. Individuals who are believed to
have the cryptographic keys necessary for such decryption will face up to 5
years in prison for failing to comply with police or military orders to
hand over either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA)
includes provisions for the decryption requirements, which are applied
differently based on the kind of investigation underway. As we reported
last year, the five-year imprisonment penalty is reserved for cases
involving anti-terrorism efforts. All other failures to comply can be met
with a maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted on UK
servers, or stored on devices located within the UK. The law does not
authorize the UK government to intercept encrypted materials in transit on
the Internet via the UK and to attempt to have them decrypted under the
auspices of the jail time penalty.

The keys to the (United) Kingdom

The law has been criticized for the power it gives investigators, which is
seen as dangerously broad. Authorities tracking the movement of terrorist
funds could demand the encryption keys used by a financial institution, for
instance, thereby laying bare that bank's files on everything from
financial transactions to user data.

Cambridge University security expert Richard Clayton said in May of 2006
that such laws would only encourage businesses to house their cryptography
operations out of the reach of UK investigators, potentially harming the
country's economy. "The controversy here [lies in] seizing keys, not in
forcing people to decrypt. The power to seize encryption keys is spooking
big business," Clayton said.

"The notion that international bankers would be wary of bringing master
keys into UK if they could be seized as part of legitimate police
operations, or by a corrupt chief constable, has quite a lot of traction,"
he added. "With the appropriate paperwork, keys can be seized. If you're an
international banker you'll plonk your headquarters in Zurich."

The law also allows authorities to compel individuals targeted in such
investigations to keep silent about their role in decrypting data. Though
this will be handled on a case-by-case basis, it's another worrisome facet
of a law that has been widely criticized for years. While RIPA was
originally passed in 2000, the provisions detailing the handover of
cryptographic keys and/or the forced decryption of protected content have not
been tapped by the UK Home Office -- the division of the British government
which oversees national security, the justice system, immigration, and the
police forces of England and Wales. As we reported last year, the Home
Office was slowly building its case to activate Part 3, Section 49.

The Home Office has steadfastly proclaimed that the law is aimed at
catching terrorists, pedophiles, and hardened criminals -- all parties which
the UK government contends are rather adept at using encryption to cover up
their activities.

Yet the law, in a strange way, almost gives criminals an "out," in that
those caught potentially committing serious crimes may opt to refuse to
decrypt incriminating data. A pedophile with a 2GB collection of encrypted
kiddie porn may find it easier to do two years in the slammer than expose
what he's been up to.

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
