Trade Law Daily is a service of Warren Communications News.

U.K. Likely to Begin Requiring E-Data Disclosure Next Year

LONDON -- Police and other authorities could begin as early as next year to force disclosure of encrypted e-data, Home Office Covert Investigation Policy Team member Simon Watkin said Mon. Under a code of practice (CoP) in the last stages of public comment before parliamentary debate in 2006, individuals in criminal or civil cases could be forced to make encrypted data intelligible or hand over the key to unlock them. One aspect of the CoP worries civil rights advocates and technologists, they said at the “Scrambling for Safety 8” meeting here.

The CoP is just nearing completion, but the encryption disclosure rule appears in the Regulation of Investigatory Powers (RIPA) Act 2000. The legislative provisions haven’t been enforced because encryption technologies haven’t been taken up as quickly or broadly as expected, the Home Office consultation document said. But in recent years, protected data increasingly have shown up in high-profile cases, said Watkin. And encryption products have become more available, easier to use and more frequently included in operating systems, he said.

Misconceptions about the law abound, Watkin said. It won’t introduce 3rd party “escrow” of someone’s cryptographic key, or expand public officials’ power to get information, he said. The law merely allows those lawfully in possession of coded data to get access to them. Police still need computer forensics expertise, and investigations won’t occur more swiftly. The only people threatened by the law are suspects whose protected data are seized but who decline to make them intelligible, Watkin said. They risk imprisonment of 2-5 years, depending on whether disclosure is necessary for national security.

Creating a crime of failure to comply with a notice to unlock e-data is troublesome, panelists said. Initially the burden is on the defendant to explain why he didn’t obey the order, said Caspar Bowden, Microsoft senior security & privacy officer for Europe, the Middle East & Africa, who stressed he was voicing personal views. If a defendant can “adduce sufficient evidence” he hasn’t got a key, the burden shifts to the prosecution.

The problem is how to prove a negative, Bowden said. Does the defendant claim bad memory or old data? Argue his key backup seems to have failed? Claim “the key just doesn’t seem to work”? Judges will have to direct juries on the confusing burden of proof, Bowden said. The law also raises the possibility that jurors might think anyone using encryption “has something to hide,” he said.

London Metropolitan U. Prof. Douwe Korff panned the idea of making knowing failure to disclose an encryption key a crime. The law’s power derives from a public authority’s “belief” that someone has the decoding tool, he said -- a “purely subjective standard.”

Investigative journalist and TV producer Duncan Campbell worries most about “trust,” he said. The law’s encryption provisions are aimed at fighting child porn and terrorism, but time and again evidence of both has proven false, due largely to police officers’ lack of technical savvy, he said. If the police seize a computer and fail to find violative material, there’s a “grave” question as to whether the owner can be liable for failure to comply with a decryption notice, he said.

Encryption isn’t used much -- yet, Bowden said. Even so, RIPA’s disclosure mandates ultimately could discourage honest users from protecting data, he said. One security expert later called encryption a vital tool in the arsenal of information security and data protection professionals. The source, who said he hasn’t followed the Home Office inquiry closely, said the new rules might persuade more companies to use compound decryption keys to avoid being forced by one govt. to unlock data.

Comments on the decryption proposal are due by Aug. 30 at encryption@homeoffice.gsi.gov.uk.