UK banks are up in arms over the privacy threat posed by new government powers allowing the police and other agencies to demand the encryption keys that will unlock confidential data.
They say the powers, which will be put into effect in the next few months, could lead to misuse of disclosed keys and compromise the security of data storage. Individual privacy rights would be undermined in the process, hitting the reputation of the UK financial services industry and discouraging investment in the UK.
The banks have also warned that the enforced disclosure of encryption keys under UK law could place them in conflict with secrecy laws in countries such as Switzerland, which require data encryption keys to be kept confidential.
The powers have been on the statute books since 2000 as part of the Regulation of Investigatory Powers Act and could affect any company that uses encryption to store or transmit confidential data.
Telecoms companies have joined the banking community in raising concerns about the new powers, which might affect new services that rely on encryption keys, such as video on demand.
"In future we think there will be more services where encryption is an issue. We are really feeling our way in the dark," said one security specialist at a large telco.
The London Investment Banking Association (Liba) and the Investment Management Association (IMA) have already written to the Home Office calling for a rethink.
"The ability of firms to protect the confidentiality of clients' information and the security of their assets is crucial to reputation and competitiveness," said Liba. "If that confidence should become fragile, the harm to the UK's attractiveness to international financial services business could be substantial."
The banks have also told the Home Office that since many of their encryption systems use smartcards which are designed to make it impossible to disclose encryption keys, they would not always find it straightforward to comply with disclosure orders.
Ministers say the powers are an essential tool to fight terrorism and other serious crime.
"We totally support the objective, because the government does need to be able to tackle crime and terrorism," said an IMA spokesperson.
"However, we do think you need to balance that with the need for firms to protect the confidentiality of their financial information and the security of their assets."
The Home Office said all banks had been consulted on encryption and had been supportive.
"The Home Office has taken on board comments which will be incorporated into the revised draft code of practice. In addition, a forum was hosted by [industry and government IT forum] Eurim during the consultation phase where many of the banks were present."