The use of ciphers to obscure sensitive information stretches back hundreds of years. But computers have democratised this process: sensitive information can now be encrypted by anyone with access to a reasonable PC and an Internet connection – much to the chagrin of the public authorities.
Now, the British government, after years of public wrangling, is set to implement controversial legislation that will help law enforcement agencies to decrypt documents pertinent to their investigations.
Under provisions in Part III of the Regulation of Investigatory Powers Act (RIPA) 2000, individuals and businesses can be compelled to either decrypt documents or hand over the necessary encryption key.
This part of the Act has never been implemented, but the Home Office insists it is now necessary. On its website it states: “Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency. This, and the rapidly growing availability of encryption products, including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III.”
However, despite a public consultation process over the controls to be put in place in relation to Part III of the Act, critics still argue that it would place too great a burden on businesses to be justified.
The controversial provisions empower police to demand that businesses hand over encryption keys. However, there are fears that this could jeopardise sensitive business information – key management is a sophisticated process, and many fear that, because breaking the encryption is likely to be the priority, scant consideration may be given to preserving the information.
The experts' response…
Alex van Someren, CEO of cryptography specialist nCipher, does not believe the authorities have the capabilities to handle sensitive corporate data.
“Due to the ease with which digital data can be modified, access to the data brings with it considerable risks of contamination, which is what the science of computer forensics attempts to deal with. This is not for amateurs – constables tromping through the scenes of crimes already damage evidence in the physical world.
“There will probably be more disappointments than successes [and] there will undoubtedly be false convictions using these new legislative powers. The question is only: How long will it be before the proper care and treatment of cryptographic keys, and the use of tools to manage them, becomes second nature to law enforcement officers?”
Robert Bond, partner and head of technology and commerce at law firm Speechly Bircham, says that, despite the associated problems, RIPA III has value.
“Businesses have problems that they don’t have the processes in place to work out how to use and manage [keys]. But where you genuinely have got paedophile rings, the police do want to follow through and will need to serve warrants on businesses [to provide keys to encrypted matter].
“I suspect the police won’t use this authority unless they really feel that it’s absolutely necessary. I think if there was serious concern about a terrorism cell or about a paedophile ring, they would use the powers. In other circumstances, if there were a number of choices as to how they would gather evidence, this would probably be the last resort.”