
UK police can now force you to reveal decryption keys

OUT-LAW.com | 03.10.2007 12:49 | Technology

Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect on Monday (Oct 1).

The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key. Refusal can earn someone a five-year jail term.

Part III of RIPA was in the original Act but was not activated. The Home Office said last year that it had not implemented the provision because encryption had not become popular as quickly as it had predicted. It launched a consultation which culminated in Part III being made active on 1st October.

The measure has been criticised by civil liberties activists and security experts who say that the move erodes privacy and could lead a person to be forced to incriminate themselves.

It is also controversial because a decryption key is often a long password – something that might be forgotten. An accused person might pretend to have forgotten the password; or he might genuinely have forgotten it but struggle to convince a court to believe him.

Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible to authorities.

Anyone who refuses to decrypt material could face five years in jail if the investigation relates to terrorism or national security, or up to two years in jail in other cases.

Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice.

The Home Office said that the process will be overseen by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.

Complaints about demands for information must be made to the Investigatory Powers Tribunal. "The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the giving of a notice under section 49 or any disclosure or use of a key to protected information," said a Home Office explanation of the process.

The Home Office said that the actions were consistent with the European Convention on Human Rights and the UK Human Rights Act as long as the demand for decryption was "both necessary and proportionate".

"The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information," said the Home Office.

OUT-LAW.com
- Homepage: http://www.theregister.co.uk/2007/10/03/ripa-decryption_keys_power/

Comments


Is there a Section 49 Notice being served to grab your Decryption Keys ?

03.10.2007 13:01



October 1st 2007 is another milestone in the British State Surveillance, when some more of the authoritarian and repressive Labour Government's snooping policies come into legal force. Why were the Opposition parties so feeble and ineffective when these horribly complicated and bureaucratic yet draconian laws and secondary legislation were meant to have been properly scrutinised by Parliament ?

Firstly, Communication Traffic Data, initially for mobile phones and landline telephones and faxes etc. is to be retained by the telecommunications network providers for at least a year i.e. far longer than would otherwise be legal to do so once they have no legitimate business use for the data such as itemised phone bills which have been paid.

* Statutory Instrument 2007 No. 2197 - The Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007  http://www.opsi.gov.uk/si/si2007/20072197.htm

* Statutory Instrument 2007 No. 2199 - The Data Retention (EC Directive) Regulations 2007  http://www.opsi.gov.uk/si/si2007/20072199.htm

This extension of the Regulation of Investigatory Powers Act 2000 Part II, which has been in force for years, will obviously take a few weeks or months to start to affect the millions of innocent people whose privacy and security is being put at risk "just in case" there may be some unspecified criminal investigation or intelligence agency snooping in the future.

However, there is now a further immediate potential threat to your privacy, security and online financial transactions and money, namely Government access to encryption keys or decrypted data, under the Regulation of Investigatory Powers Act Part III Section 49 Disclosure Notices  http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_8#pt3-pb1-l1g49 :

* Statutory Instrument 2007 No. 2196 (C. 85) - The Regulation of Investigatory Powers Act 2000 (Commencement No. 4) Order 2007  http://www.opsi.gov.uk/si/si2007/20072196.htm

* Statutory Instrument 2007 No. 2200 - The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007  http://www.opsi.gov.uk/si/si2007/20072200.htm

Incredibly, this bit of law, which has lain dormant on the statute books for over 7 years, was amended by the notorious Terrorism Act 2006, so that the penalty for refusing to disclose your secret cryptographic Decryption Key(s) or to provide plaintext decrypted versions of the protected data, has been increased from 2 years in prison to 5 years in prison for catch all and undefined "national security investigations". Since the penalties for terrorism or espionage are longer than this, how is this anything but gesture politics ?

There is also the provision for a "tipping off" offence, again, punishable by up to 5 years in prison, if the law enforcement or intelligence agency bureaucrats tick the "secrecy" box on the still as yet undefined format of a Section 49 Notice demanding your cryptographic keys etc.

It should also be remembered that RIPA Part III also makes the Police or Intelligence Agency staff legally liable for breaches of the security of seized cryptographic keys or the protected material disclosed under a Section 49 order.

Even though our good advice during the alleged public consultation on the Code of Practice last year has been ignored, we still feel that it is vital that any such cryptographic keys and / or protected plaintext data should itself be encrypted using UK Government approved cryptography or even reasonable commercially or freely available cryptography, especially when on removable media or laptop computers or when transferred via the internet or WiFi etc.

If there are any lost or stolen or computer malware infected laptop computers or removable media or USB flash memory devices or plaintext email attachments or data transfers or data backups etc, then those individuals responsible and their bosses, should be prosecuted for malfeasance in public office, and be made to pay financial compensation and damages to anyone whose innocent data, intellectual property or electronic money etc. has been compromised or put at risk.

If, say, the private encryption key for the SSL / TLS Digital Certificate for an e-commerce or internet banking website is compromised by negligent data handling following a RIPA Section 49 Notice, then the amount of damages which a Court might award could run into millions of pounds.

See our sub-blog published last summer  http://spyblog.org.uk/ripa3 during the so called public consultation process on the Code of Practice for RIPA Part III

Please contact us if you are served with a RIPA Section 49 notice, (obviously not if it has a secrecy rider), as we would like to be able to recognise a genuine one, to differentiate it from the inevitable "phishing" scams which will seek to exploit the secrecy and unfamiliarity of the public and commercial with such Notices.

We demand that the RIPA Commissioners, the Home Office and the supposed Single Point of Contact, the National Technical Assistance Centre (now under the management of GCHQ and the Foreign Office) should keep records of, and provide a breakdown of the actual numbers of RIPA Section 49 Notices which have been served. These figures should include how many Section 49 Notices have the "tipping off" secrecy requirement, and how many, according to the Code of Practice, have required that the Financial Services Authority be informed (e.g. when obtaining financial services cryptographic keys).

SpyBlog
- Homepage: http://spyblog.org.uk/


my key

03.10.2007 14:02

is my fingers randomly banging on keys, I don't have a clue what it is. So I can't give it to anyone

Har Har


What does this mean in practice?

03.10.2007 14:56

As a non-techie I am not sure how this affects me or what actions I now need to take to protect myself when the authorities/police decide to use it.
Am I still secure (i.e. anonymous) when posting on Indymedia, or using say, riseup mail?

advice gratefully awaited

a non-teckie


non techie

03.10.2007 16:10

use  https://www.indymedia.org.uk
for secure posting.
and if you feel you need to wipe your tracks Google DBAN and wipe your disk with a combination of Russian and US Dept of Defence software.

Scrapit


non tech

03.10.2007 17:13

Go to
www.knoppix.de
When you're there click the English flag and download Knoppix. You will need a DVD burner, might be able to get Knoppix 3 which fits on CD. Anyway once you burn it boot from CD. When splash screen comes on type knoppix lang=english. = will be shift+0 (zero), press enter. When it boots click the blue icon on the taskbar once (left click), set screen to 1024. By default the browser Konqueror will open. Click settings and scroll to configure Konqueror. Scroll down to browser identification and uncheck the four boxes.

Rabid anti-state


you should have

03.10.2007 17:20

added he can disconnect his hard disk for Knoppix.
Anyway, anyone answer this. I snapped a pin off my hard disk, now 39, but it seems to have made it much faster. Anyone know why?

me


DASP

03.10.2007 20:50

Have you a single drive on that interface ?

Pin 39 on an ATA is the Drive Active / Slave Present signal. During POST, pin 39 shows whether a slave drive is present on the interface and then each drive asserts the signal to indicate that it is active. Breaking the pin will let the signal float. It shouldn't really speed things up unless you had your jumper settings in the wrong position to start with, but I'm guessing on that, I don't want to break a pin on a working drive to test that !

Danny

