UK: Decrypt data or go to prison!

By EDRi · October 10, 2007

(This article is also available in German)

The controversial Part 3 of the Regulation of Investigatory Powers Act
(RIPA) in the UK has been in force since 1 October 2007. This new regulation
gives police forces the power to ask for the disclosure of encryption
keys, or to force suspects to decrypt encrypted data.

RIPA was adopted in 2000, but Part 3 was not in force, and only last year
did the UK government start a public consultation on its enforcement.
Despite the negative comments received from security experts and the
major concerns that the adoption of such a measure will push businesses
out of the UK, the authorities decided to uphold their initial position and
to apply the law from 1 October 2007.

Section 49 of RIPA Part 3 provides that people served with a notice are
obliged by law to give the law enforcement authorities either the key
to decrypt the materials or the materials themselves. If they refuse, a
five-year imprisonment penalty can be applied in cases involving
anti-terrorism efforts, or a maximum two-year sentence in other cases.

The UK Government has pushed the application, arguing that
terrorists, paedophiles and hardened criminals could use encryption to hide
their actions, but a criminal who refuses to decrypt incriminating
data could, in this way, serve less time in jail. “The measures in Part III
are intended to ensure that the ability of public authorities to protect the
public and the effectiveness of their other statutory powers are not
undermined by the use of technologies to protect electronic information”,
explained the Home Office.

The Home Office said that the process will be overseen by the Interception
of Communications Commissioner, the Intelligence Services Commissioner and
the Chief Surveillance Commissioner.

The law also provides that someone who has received a notice based on
Section 49 can be prevented from disclosing this information to anyone
except their attorney.

RIPA can be applied only on UK territory, that is, to data hosted on UK
servers or stored on devices located within the UK.

UK can now demand data decryption on penalty of jail time (1.10.2007)
http://arstechnica.com/news.ars/post/20071001-uk-can-now-demand-data-decryption-on-penalty-of-jail-time.html

EDRI-gram: UK Government asks for the encryption keys (24.05.2006)
http://www.edri.org/edrigram/number4.10/ukencryption

Law requiring disclosure of decryption keys in force (2.10.2007)
http://www.out-law.com/page-8515