
Law & Policy

Police get powers to demand data decryption

Failure to comply could land you in jail...

Tags: ripa, encryption, data

By Tom Espiner

Published: 4 October 2007 08:56 GMT

The police have been given powers to demand that businesses' data is decrypted.

Earlier this week, Part III of the Regulation of Investigatory Powers Act 2000 (Ripa) came into effect. Under Section 49 of Ripa Part III, police can serve a notice that requires encrypted data to be "put into an intelligible form" or, in other words, decrypted.

Failure to comply with a Section 49 notice can result in a two-year jail sentence, and failure to hand over an encryption key to the police can result in a five-year sentence.

The law is intended to make it more difficult for criminals and terrorists to use encryption to hide data.

However, a security researcher from the University of Cambridge's Computer Laboratory, Richard Clayton, warned that the law could have unintended consequences for businesses. "Once you hand over the key, it's risky because confidential documents could be exposed. Those documents may not contain evidence of wrongdoing but the police may find more than they're entitled to," said Clayton, who is also an adviser to the House of Lords Science and Technology Committee.

Given the choice, security professionals will not keep their encryption keys in the UK, argued Clayton. He added that companies that use SSL encryption keys and have premises only in the UK may have no choice but to comply with a Section 49 notice.

He said: "The security profession is all about reducing risks. International companies [such as banks] will keep it in Zurich."

According to Clayton's blog, there are some defences in the statute to failing to comply with a notice - one of which is that you can claim to have forgotten the passphrase for the decryption key.

He said: "It's a perfectly sane argument. It's certainly true that a lot of people forget a lot of keys. Whether you are being truthful is a matter for a jury to decide in the end."

In some scenarios it would be obvious if a defendant were lying about having forgotten a key, said the expert: "Try asking a bank if they've forgotten their master key." But he added: "This will not be a widely used law, or be very effective when it is used. It's just going to make everyone a bit twitchy."

The Home Office said encryption keys would be demanded only if a business wasn't able to provide the corresponding data. A spokesman said: "The police can't just ask for a password - they do have to take into account the needs of the business and their security processes."

The spokesman argued that the process was adequate because it will be overseen by the National Technical Assistance Centre (NTAC), a decryption agency.

But civil liberties campaigners have previously criticised NTAC, branding it unaccountable.

Tom Espiner writes for ZDNet UK
