The Washington Post
Print Edition | Subscribe | PostPoints
SEARCH:
washingtonpost.com
Web
| Search Archives

Contested UK encryption disclosure law takes effect

A controversial new British law requires individuals and businesses to decrypt data sought in police investigations.

Jeremy Kirk
PC World
Monday, October 1, 2007; 10:19 AM

British law enforcement gained new powers on Monday to compel individuals and businesses to decrypt data wanted by authorities for investigations.

The measure is in the third part of the Regulation of Investigatory Powers Act (RIPA), legislation passed in 2000 by the U.K. Parliament to give law enforcement new investigation powers with respect to evolving communication technologies.

TOOLBOX

Resize Text

Save/Share +
Print This
E-mail This

COMMENT

Discussion Policy
CLOSE
Comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions. You are fully responsible for the content that you post.

The government contends law enforcement more frequently encounters encrypted data, which delays investigations. But RIPA Part III wasn't activated when the act was passed due to the less prevalent use of encryption.

But as of Monday, those served with a "Section 49" notice have to either make decryption keys available or put the data in an intelligible form for authorities. Failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do.

A Section 49 request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that the recipient of a Section 49 request not tell anyone except their lawyer that they have received it.

Critics countered RIPA Part III could put corporate data at risk if mishandled by government officials, although the government wrote a code of practice concerning the handling of encryption keys.

Spy Blog, a Web site that comments on privacy and data security issues, called on the government to publish regular statistics on the number of Section 49 notices served. The site furthercalled for feedbackfrom organizations served with notices.

The U.K. Home Office addresses only one specific type of device and technology in its publishedguidance on RIPA Part III: the BlackBerry, the omnipresent handheld for business people.

E-mails sent to a BlackBerry are decrypted on the device, meaning neither Research in Motion Ltd., the BlackBerry's manufacturer, nor the wireless operator handling the data transfer are privy to the encryption keys, the Home Office guidance said.

If investigators want encrypted data, they will have to go directly to the device owner, the Home Office said. Also, RIPA Part III only applies to data stored in the U.K., so encrypted data that transited through the U.K. would not fall under the legislation.


© 2007 PC World Communications, Inc. All rights reserved