As of yesterday, businesses trading in the UK are legally obliged to hand over their data encryption keys should the authorities require them in a criminal or anti-terrorist investigation.
Refusal to co-operate can result in a five-year prison sentence in cases that concern national security, while in criminal cases a two-year sentence is possible.
The law came into effect after a Home Office consultation on encryption decided to activate a clause in Part III of the Regulation of Investigatory Powers Act (RIPA) 2000, which describes the government’s legal rights to intercept private communications.
“Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency,” a Home Office statement published last year said. “This, and the rapidly growing availability of encryption products, including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III.”
The Home Office has issued specific guidance on the use of BlackBerry devices, which transmit encrypted data that is unlocked on the device. This means that investigators cannot subpoena the service provider, Research in Motion, to hand over its customers’ emails. Section 49 of RIPA allows them to demand the device holders’ encryption keys.
Critics have suggested the provision infringes upon personal liberties, and puts businesses at risk. Some argue that security managers now run the risk of being arrested for an error in encryption key management.
Meanwhile, UK state surveillance monitor Spy Blog questions whether the provision will really help authorities combat terrorism.
“The penalty for refusing to disclose your secret cryptographic Decryption Key(s) or to provide plaintext decrypted versions of the protected data, has been increased from 2 years in prison to 5 years in prison for ‘national security investigations’,” the blogger writes. “Since the penalties for terrorism or espionage are longer than this, how is this anything but gesture politics?”
Further reading
Action / Reaction – Can the authorities be trusted with encryption keys?
Spy Blog on Section 49 of RIPA
Home Office: Section 49 FAQ