UK can now demand data decryption on penalty of jail time

October 3rd, 2007

New laws going into effect today in the United Kingdom make it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form.

After the ‘perpetrator’ comes out of gaol, does the ciphertext magically decrypt by itself?

Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes provisions for the decryption requirements, which are applied differently based on the kind of investigation underway. As we reported last year, the five-year imprisonment penalty is reserved for cases involving anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.

We know that these laws written specifically for ‘terrorism’ are routinely used for everything OTHER than that, like shutting up 82 year old hecklers.

The law can only be applied to data residing in the UK, hosted on UK servers, or stored on devices located within the UK. The law does not authorize the UK government to intercept encrypted materials in transit on the Internet via the UK and to attempt to have them decrypted under the auspices of the jail time penalty.

So, if you run an IMAP account with the servers in another country, there is nothing they can do to force you to decrypt your email. Similarly, if you have a .Mac account and keep all the files encrypted, HMG cannot compel you to decrypt those files, even though they appear as a mountable drive on your laptop or desktop.

It is completely absurd on its face.

The keys to the (United) Kingdom

The law has been criticized for the power its gives investigators, which is seen as dangerously broad. Authorities tracking the movement of terrorist funds could demand the encryption keys used by a financial institution, for instance, thereby laying bare that bank’s files on everything from financial transactions to user data.

Cambridge University security expert Richard Clayton said in May of 2006 that such laws would only encourage businesses to house their cryptography operations out of the reach of UK investigators, potentially harming the country’s economy. “The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business,” Clayton said.

“The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction,” he added. “With the appropriate paperwork, keys can be seized. If you’re an international banker you’ll plonk your headquarters in Zurich.”

Not only will they relocate to Zurich, but they will run all their corporate email from there. Essentially, all this data will ‘go dark’. HMG will have to enact laws saying that any banking that happens here must be done on servers located here. That is clearly undoable.

The people who wrote this nonsense legislation are computer illiterate and clueless. They do not understand the world they are living in, and they do not have the sense to take advice from the people who do understand the complexities.

The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data.

This is a page straight out of the PATRIOT act.

Though this will be handled on a case-by-case basis,

All crime is handled on a case by case basis. This is nonsense speak.

it’s another worrisome facet of a law that has been widely criticized for years. While RIPA was originally passed in 2000, the provisions detailing the handover of cryptographic keys and/or the force decryption of protected content has not been tapped by the UK Home Office—the division of the British government which oversees national security, the justice system, immigration, and the police forces of England and Wales. As we reported last year, the Home Office was slowly building its case to activate Part 3, Section 49.

here comes the bullshit:

The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals—all parties which the UK government contends are rather adept at using encryption to cover up their activities.

Paedophiles, if they were locked up permanently when caught, would not be a problem. But I digress; sex criminals cannot be stopped by decrypting files. If they have enough evidence to suspect that someone is engaged in this unforgivable activity, like, credit card info (which is how they caught thousands of people recently) they do not need to decrypt files all they need to demonstrate is that the person bought access. These people are serial offenders; it is easy to catch them if the police are willing to do REAL police work. That means setting up honeypot sites, compromising the owners of sites that sell the images and then locking them up FOREVER and not just for three or four years.

Terrorists do not use encryption. That is a fact. They do not use Steganography, PGP, GPG or any of those tools. We have been over this a million times. This is about maintaining access to banking information in real time. It has nothing to do with any of the Cause célèbre that HMG is trotting out.

Yet the law, in a strange way, almost gives criminals an “out,” in that those caught potentially committing serious crimes may opt to refuse to decrypt incriminating data. A pedophile with a 2GB collection of encrypted kiddie porn may find it easier to do two years in the slammer than expose what he’s been up to.


Which is what I said.

This law is not about porn. It is not about ‘terrorism’. Those are pretexts. RIPA is bad law that is being shoehorned onto the books, whose real purpose is financial surveillance.

Money sees laws like RIPA as damage and it routes around it…or more accurately, it runs away from it. People will move their money into jurisdictions that are business and privacy friendly. Britain will suffer until it comes to its senses, and it will come to its senses, just as France did with its absurd ban on 128 bit SSL encryption.

Leave a Reply

You must be logged in to post a comment.