To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://management.silicon.com/government/0,39024677,39161432,00.htm

Will RIPA lead to an infestation of Vamp-ires?
Criminals may try 'the virus ate my password' excuse

By Steve Ranger

Published: Tuesday 15 August 2006

The introduction of legislation to crack down on criminals using encryption to hide their tracks could also leave users open to new forms of electronic attacks, according to one expert.

The Regulation of Investigatory Powers Act (RIPA) provides the legal framework for various methods of surveillance and information gathering by police and other agencies.

But because criminals are now encrypting their email, files, folders, documents and pictures in an attempt to conceal their activities, the government plans to introduce Part III of the Act.

This requires people - when requested - to put protected or encrypted electronic information into an "intelligible" form, or to provide the encryption key. Failure to comply with can lead to between two and five years in jail.

Police have said they want the legislation in order to crack down on criminals using encryption. Detective Chief Inspector Matt Sarti told the a meeting organised by the Foundation for Information Policy Research (FIPR) that there are 200 computers sitting in police forensic centres and property cupboards with encypted data on them which are likely to hold evidence of crime.

But Caspar Bowden, former director of FIPR warned that introduction of the legislation could lead to a new wave of cyber-attacks.

For example criminals could create malware that was able to change the encryption key or password on an innocent user's machine. This virus would then delete itself and the criminals could threaten to tip of the police about the encrypted data, claiming it was information about criminal activity.

Without the key - which the virus deleted or changed - innocent users could find they have to defend themselves against this sort of blackmail.

Similarly, criminals could use these viruses against themselves, claiming "a virus ate my password (Vamp)" as an excuse for not providing the encryption key, he argued.

"The bad guys have an incentive for causing mayhem through Vamp-ware cases for cover," Bowden warned, and said there is a risk of deterring honest users from protecting themselves.

And he said that as a result the the UK could become a "proving ground" for these types of Vamp-ware.