This morning’s BBC report has brought to light the ongoing debate over how to enforce the UK Regulation of Investigatory Powers (RIP) Act from 2000.
Part III of RIPA gives law enforcement agencies the decryption powers and, provided some conditions are met, makes it a serious offence to refuse to turn scrambled files into an “intelligible” form. Those refusing could see their sentence increased as a result.
The government is holding a consultation exercise on the code of conduct that those using these powers will have to abide by.
The code was debated at a public meeting organised by digital rights group the Foundation for Information Policy Research (FIPR).
This debate seems to start from the age old issue of whether people are required to incriminate themselves when police are unable to find evidence against them. This situation, however, is slightly more complicated because encryption keys are so easily hidden and/or destroyed. Moreover, encryption is so frustratingly easy for law enforcement to find precisely because it can be so difficult for them to decipher. In theory you can leave encrypted files lying about without fear of them being used as evidence against you, unlike a smoking gun or a bloody knife, so to speak.
So, just at the time when encryption is starting to really be adopted on the personal computer the police are demanding that they need either special privileges such as a back-door or the right to inflict severe penalties on anyone refusing to decrypt data on demand. It is interesting to read that the US government seems to be moving ahead (“VA to spend $3.7M on encryption tools”) since the adopters must be curiously watching the UK to see what kind of liabilities they could bring to themselves. They spend money trying to avoid liability, and could just end up with a different set (e.g. will internal investigators be able to access VA data without alerting suspects or demanding decryption?).
Mr Bowden [former head of FIPR] also questioned the wisdom of making it an offence to refuse to unscramble evidence. He said there were many scenarios that made it possible for a suspect to deny they ever had the key that unlocked encrypted data.
Already, he said, there had been one court case in which a suspect was acquitted after claiming a computer virus under someone else’s control had caused the offences for which he faced trial. Mr Bowden speculated that other suspects could use the same tactic or would fake a virus infection to get themselves off the hook.
There is certainly no silver bullet here so it is good to see the debate taking place. Unfortunately finding common ground is complicated by a lack of experience and examples to help everyone find an appropriate balance.
Key management systems and encryption that I have deployed have always encountered resistance primarily from those who are the least familiar with what it can and will do for them. I usually tell people that encryption, like other tools, is a double-edged sword that needs careful guidance and legislation/policy to help ensure proper use and to prevent misuse. Many people feel strongly about these issues and so it is important to review the possibilities early to avoid unpleasant surprises. Or as Lord Philips of Sudbury put it:
“You do not secure the liberty of our country and value of our democracy by undermining them,” he said. “That’s the road to hell.”