Government wants your view on encryption keys




The Home Office is getting ready to enforce Part III of the RIP Act,
which will give police the power to demand encryption keys

By Tom Espiner

ZDNet UK, UK: 8 June 2006
http://news.zdnet.co.uk/business/0,39020645,39273873,00.htm

The Government has launched a public consultation into a draft code of
practice for a controversial UK law that critics have said could
alienate big business and IT professionals.

Part III of the Regulation of Investigatory Powers Act 2000 (RIPA)
[http://www.opsi.gov.uk/acts/acts2000/20000023.htm] will, as it
stands, give police the authority to force organisations and
individuals to disclose encryption keys.

The Government issued the public consultation on the code of practice
for Part III, which will regulate how police and the courts use powers
under the legislation, on Wednesday.

"The Home Office has today issued a public consultation on the
investigation of protected electronic data, which invites comments on
a draft code of practice relating to the exercise of powers under Part
III of the Regulation of Investigatory Powers Act 2000 (RIPA)," said
Simon Watkin of the Home Office Covert Investigation Policy Team.

The closing date for the consultation is 30 August.

Cambridge University security expert Richard Clayton told ZDNet UK
that any company that was concerned by Part III of RIPA would be
"foolish to pass up the opportunity" of voicing their concerns.

"Although in theory the Government's mind is made up, the proposals
are so incomplete and confused that they may have a rethink anyway,"
said Clayton.

The security expert said that there were "a lot of complexities not
addressed" by the code of practice, including the rules which will
govern how access to keys can be demanded. Clayton predicted in May
that financial institutions would consider moving to countries without
encryption key disclosure laws.

"The Home Office appear sensitive to the suggestion that every
financial institution will remove their keys (and hence a lot of jobs)
from the country," said Clayton.

"There is a brand new safeguard in that the head of the FSA [Financial
Services Authority] must now countersign requests [for key
disclosure]. But this only applies to 'financial services' and not to,
say, a company like eBay, or a British competitor."

"It gets worse. There is a brand new suggestion that demanding keys
might become commonplace - when there might otherwise be doubt as to
whether a decryption has been done correctly. This means that instead
of asking for keys being highly exceptional, as parliament clearly
intended, it will in fact become common," said Clayton.

The security expert also raised the question of whether an arrested
person should be allowed access to their laptop to decode encrypted
files.

"If so, how should we avoid the authorities 'cheating' and installing
some keystroke logging software first?" Clayton said.

"The last issue is whether (when the police don't like your attitude)
it should be suggested that your hard disk in fact contains encrypted
copies of child pornography - because then they can lock you up for
longer," Clayton added.

The code of practice has already been criticised by mathematician and
encryption expert Peter Fairbrother.

"This isn't a code of practice - it's just a repetition of RIPA in
different words," said Fairbrother on ukcrypto, a public email list.

The Act was passed six years ago, when Part III was held back from
becoming law. The Home Office claims it now wants to bring Part III
into law as "investigators have begun encountering encrypted and
protected data with increasing frequency."

The Home Office also claimed that the law was needed due to the
inclusion of encryption technologies in standard operating systems,
such as Microsoft's Vista, which will include an encryption tool called
BitLocker.

"This, and the rapidly growing availability of encryption products
including the advent of encryption products as integrated security
features in standard operating systems, has led the Government to
judge that it is now timely to implement the provisions of Part III,"
said the Home Office on its Web site.

Businesses and individuals can raise concerns about the draft code of
practice at:
http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/
