
  

BLOG@IP::JUR

Patent Attorney Axel H Horns' Blog on Intellectual Property Law.

 


 

Wednesday, August 16, 2006

 

UK: Part III of RIPA Entering into Force Soon - or: 'That's the Road to Hell'?

On the SCL website (Reg. req'd) Mr. Peter Church and Mr. Richard Cumbley (both of Linklaters) look at the latest move to bring Part III of RIPA into force:
"[...] The [UK, added by AHH] Government has issued a public consultation stating it intends to bring Part III of the Regulation of Investigatory Powers Act 2000 into force. This gives Government bodies the power to order data to be decrypted and, in certain circumstances, demand a copy of the relevant encryption key. [...]"
The Consultation on the Draft Code of Practice for the Investigation of Protected Electronic Information - Part III of the Regulation of Investigatory Powers Act 2000 is explained by the UK Home Office as follows:
"[...] Part III of the Regulation of Investigatory Powers Act 2000 established powers to impose a requirement upon a person to put protected electronic information into an intelligible form or to disclose a key which will enable the data to be put into an intelligible form.

Those provisions have not yet been implemented because the development and adoption of encryption and other information protection technologies has been slower than was anticipated when the Act was passed.

The Government has, however, kept under review the need to implement the provisions in Part III, by taking account of the extent to which protection of electronic data has frustrated law enforcement and obstructed the delivery of justice to victims.

Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency. This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III.

This consultation follows an illustrative draft of the code which was made available when the Regulation of Investigatory Powers Bill was before Parliament, comments on the earlier draft code have been taken into account in the revised draft of the code, which has been substantially rewritten.

The consultation closes on 30 August 2006. [...]"
Well, at first glance this sounds like one of the usual measures to tighten criminal law. But it is worth taking a closer look:
"[...] Sect. 49 (1) [...]

(2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds -

(a) that a key to the protected information is in the possession of any person,

(b) that the imposition of a disclosure requirement in respect of the protected information is -
(i) necessary on grounds falling within subsection (3), or
(ii) necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,

(c) that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and

(d) that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,

the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.

(3) A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary -
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime; or
(c) in the interests of the economic well-being of the United Kingdom.[...]"
To me, those provisions appear to embody a quite breathtaking determination to put the powers of the state above citizens' legitimate expectations of privacy. If, for example, a patent attorney or an attorney-at-law in the UK (I can only hope that UK authorities do not consider attempts at cross-border enforcement of such provisions) duly protects the secrets of clients by means of cryptography (which he or she should do if using ICT!), a disclosure requirement order under Part III of RIPA (perhaps even gagged by a secrecy requirement) might arrive, demanding that all the cryptographic keys and passphrases used in the law firm be handed over, if the UK Government gets through with these plans.

Nor is that all, severe as it is: if you have stored a lot of encrypted data on your computer system and accidentally lose a secret key, e.g. because the medium on which the cryptographic key material was stored has crashed, then you might find yourself at severe risk of going to jail if you don't manage to get rid of the encrypted files in a timely manner.

And all this might happen not only in the case of an imminent terrorist threat but also if this is deemed necessary in the interests of the economic well-being of the United Kingdom.

Strong stuff, indeed.

Why did the Lords not filter out such provisions during parliamentary proceedings? They are normally good at that. Didn't they take notice? The UK Government might well get into trouble in view of the European Human Rights Convention to which the UK is a party if such rules were actually enforced.

For the time being, Mr. Peter Church and Mr. Richard Cumbley in their article provide some practical advice to facilitate survival for UK residents:
"[...] Practical Tips

There are a range of steps to consider if Part III of RIPA is brought into force.
  • Audit your information technology systems to identify how encryption technology is used and the location of all encryption keys.
  • Establish procedures to check that any notice imposing a disclosure requirement is genuine and has been validly served.
  • Ensure that encryption keys are accessible in order to respond to a disclosure requirement without compromising the security of those keys. Bear in mind that the notice should be served on a senior member of the organisation and could be subject to a secrecy requirement.
  • Use separate keys for encryption and authentication to ensure that electronic signature keys are not subject to a disclosure requirement.
  • Ensure that the disposal of any key (eg session keys that are deleted at the end of a session) is properly documented so that you can prove you are no longer in possession of that key [...]"
But there is also much-needed criticism:
"[...] The government faces criticism over plans to give police powers to make suspects produce readable copies of encrypted computer evidence.

The police say the powers are needed because criminals are increasingly using encryption to hide evidence.

They estimate that currently there are 30 cases in which encrypted evidence had stumped investigators.

But some peers, academics and cryptographers say the plans are flawed and risk being abused.

[...]

"But the draft code of conduct has no guidance on weighing privacy against the demands of law enforcement," said Caspar Bowden, former head of FIPR.

He questioned how police could balance the rights of victims, suspects and the general public if this was not made explicit.

Mr Bowden also questioned the wisdom of making it an offence to refuse to unscramble evidence. He said there were many scenarios that made it possible for a suspect to deny they ever had the key that unlocked encrypted data.

Already, he said, there had been one court case in which a suspect was acquitted after claiming a computer virus under someone else's control had caused the offences for which he faced trial. Mr Bowden speculated that other suspects could use the same tactic or would fake a virus infection to get themselves off the hook.

He also asked how someone would prove they had genuinely lost or forgotten a password and wondered if the threat of a jail sentence would hamper efforts to make users take more care of personal data.

'Will it deter the mass of honest users from properly securing their data?' said Mr Bowden.

Veteran investigative journalist Duncan Campbell said there were broader questions about how the police investigate high profile cases that threw into question the effectiveness of the decryption powers.

He said his work as an expert witness in cases involving charges against suspected terrorists and paedophiles led him to question what use the powers would be or imagine any circumstances in which it would prove useful.

The Earl of Erroll, a cross-bench member of the House of Lords, said there was a real danger of 'scope creep' in which the powers given for use in specific circumstances were turned to other purposes they were never intended to tackle.

Professor Douwe Korff, said there was a real question as to whether the powers undermined the presumption of innocence that human rights legislation enshrines. The code of conduct had to be beefed up, he said, to ensure high standards protected fundamental rights.

Lord Phillips of Sudbury described RIPA as a 'hair-raising' piece of legislation and expressed reservations about the effect the powers being given to police would have.

'You do not secure the liberty of our country and value of our democracy by undermining them,' he said. 'That's the road to hell.' [...]"
However, as if this were not depressing enough, the present discussion on security appears to carry such inadequate proposals in conjunction with ICT usage to extremes. Mr. Carr writes in the Manchester Evening News:
"[...] Paedophiles should not be able to escape prosecution by simply wiping child porn images from their computer hard drives, campaigners said today.

The law should be changed to allow the prosecution of perverts who use so-called 'evidence erasing' software, the Children's Charities Coalition for Internet Safety (CHIS) urged.

Computer magazines which distribute the programmes as front-cover give-aways were also criticised for encouraging people to break the law.

CHIS also said ministers should consider making it illegal for convicted paedophiles to possess such software.

In a letter to the Home Office in response to a consultation on computer encryption issues, CHIS executive secretary John Carr said: "We think it is irresponsible of the computer magazines ... to promote and advertise software of this kind in the way that they do.

'It's a bit like placing an advertisement to say something like 'If you want to break the law and get away with it, we've got just the thing for you!' [...]"
Such thinking is flawed at its very core. If the police have problems with digital computer forensics then they should do more research in this field. Any legal provision preventing ICT users from effectively deleting data would be outrageous. There are umpteen perfectly legitimate reasons to erase my own data on my own computer hard disk drive.

Fighting crime and terrorism is a serious matter indeed. However, great care must be exercised to make sure that the cure does not become worse than the disease. In the field of ICT-related law enforcement politics, many European Governments are going one step too far and, with all due respect, in my opinion the UK Government appears to be determined to go one step further into an area where the detrimental side-effects of well-intended anti-crime and anti-terrorist measures will soon outweigh any conceivable benefits. Cryptography-savvy real criminals and terrorists will get acquainted with steganography-related technologies anyway. It is the law-abiding citizen using cryptography who will be affected in the first place. I therefore wholeheartedly agree with the statement given by Lord Phillips of Sudbury, who thinks such provisions in RIPA will form "the road to hell".

The intended improper over-regulation of ICT security provisions by RIPA Part III might easily affect the professional ICT of every attorney operating under UK law.

Moreover, it could also set a very unfavourable precedent for ICT politics throughout the rest of Europe.


Feel free to contact PA Axel H Horns via e-mail horns@ipjur.com. BEWARE: DO NOT SEND CONFIDENTIAL INFORMATION UNENCRYPTED VIA E-MAIL. USE OF ENCRYPTION SOFTWARE IS HIGHLY RECOMMENDED. PA AXEL H HORNS IS PROVIDING SUPPORT FOR ENCRYPTED E-MAIL MESSAGES USING PGP OR PGP COMPATIBLE FORMATS. THE PGP PUBLIC KEY FOR PA AXEL H HORNS IS AVAILABLE HERE. THE GnuPG PUBLIC KEY FOR PA AXEL H HORNS IS AVAILABLE HERE.

Dipl.-Phys. Axel H Horns is Patentanwalt (German Patent Attorney), European Patent Attorney as well as European Trade Mark Attorney. In particular, he is a member of SCL, VPP and FICPI.

 

 

 


   

