RIPA III encryption regs may stifle investment

IT security experts believe the new RIPA III regulations designed to allow law enforcement officers to access encrypted data may stifle investment in the UK.

IT security experts believe that new Government regulation designed to allow law enforcement officers to access encrypted data may stifle investment in the UK's digital economy, and hinder international business.

The new legislation is part III of the Regulation of Investigatory Powers Act 2000 (RIPA), and it is thought that organisations with extensive encryption architectures – such as multinational banks – will choose to store their keys and encrypted information elsewhere, rather than submit to the process laid out under the new bill.

"If I were an international business, I would certainly seriously consider keeping such data offshore. It must be remembered that key demands will be a lot of hassle to deal with, purely in terms of the admin required, and offshoring would solve this entire issue," said Dr Nicko Van Someren, CTO of nCipher.

The jury is still out on the risks involved, but Dr Van Someren is not alone - Robert Bond, partner at law firm Speechly Bircham LLP, believes that the situation is also in the balance. He said: "It remains to be seen whether these revisions to RIPA legislation will be enough to prevent some financial institutions moving their headquarters out of the UK."

The Regulation of Investigatory Powers Act 2000 (RIPA) is designed to allow police forces more powers to investigate online crime, and became law in 2003. However, one section (part III) concerning official powers to demand encryption keys was judged too controversial to be introduced at the same time as the main body of legislation. After a long consultation, amendments were presented to Parliament in June 2007, and RIPA Part III became law in October 2007. The amendments restrict the powers of police to access encrypted material, and also created the National Technical Assistance Centre (NTAC), a body that is now both 'guardian and gatekeeper' of any seized data's security, as well as issuer of notices requesting access to any encrypted materials.

Opponents of part III point to an obvious flaw in the legal redress for the authorities if such requests are ignored. The penalty for refusing to disclose your secret decryption key(s) or to provide plaintext decrypted versions of the protected data has been increased from 2 years to 5 years in prison. However, the penalties for espionage and terrorism are likely to be greater, so a criminal stands to gain by refusing to give up their encryption key.

Van Someren of nCipher said: "The police also face risks when in custody of encryption keys. It is impossible to know the content of encrypted files before they are opened. Therefore, police officers will spread their nets widely in an effort to catch the right material. This could have severe, unintended consequences. Officers could be exposed to files that contain privileged information, compromising the pursuit of other cases. Bank files containing information about the flow of criminal funds might tempt insider collusion. The nature of computer data makes it extremely easy to copy and open to alteration or tampering by anyone who can access it, which would then damage its value as evidence."

Although the legislation was conceived to allow law enforcement access to suspected terrorists' and paedophiles' hidden information, the first case of RIPA being used in anger concerns animal rights activists. In early November 2007 it was reported that 30 animal rights activists received letters from the Crown Prosecution Service in Hampshire 'inviting' them to reveal their passwords to decrypt data stored on seized computers. The letter is the first stage of the process, after which the authorities can then issue a Section 49 notice demanding that a person turn the data into an "intelligible" form or, under Section 51, hand over keys.

One protester claimed in an online posting that: "Funny thing is PGP and I never got on together I confess that I am far too dense for such a complex (well to me anyway) programme. Therefore in a so-called democracy I am being threatened with prison simply because I cannot access encrypted files on my computer."

IT security experts also point to the existence of 'plausible deniability' encryption systems, such as the freeware TrueCrypt, which allow users to create encrypted vaults inside each other. This allows the user to reveal only the password to the outer layer of encryption, without compromising the inner, secret area. As all the data stored in the outer 'wrapper' is random, it is thought to be technically impossible to prove that additional information is concealed within it, a proof required to demand a key to decrypt it.

Many industry observers agree that RIPA was originally rushed into being, and that subsequent re-writes were only just sufficient to make it fit for purpose. The heart of the matter concerns all legislation that applies directly to technology. The trouble is that technology tends to move faster than the legislative process, so that as one loophole or issue is closed, another has already opened. The only question that remains is to what extent the result affects business in the longer term – 2008 should provide some, if not all, of these answers.
