The Government has launched a public consultation into a draft code of practice for a controversial UK law that critics have said could alienate big business and IT professionals.
Part III of the Regulation of Investigatory Powers Act 2000 (RIPA) will, as it stands, give police the authority to force organisations and individuals to disclose encryption keys.
The Government issued the public consultation on the code of practice for Part III, which will regulate how police and the courts use powers under the legislation, on Wednesday.
"The Home Office has today issued a public consultation on the investigation of protected electronic data, which invites comments on a draft code of practice relating to the exercise of powers under Part III of the Regulation of Investigatory Powers Act 2000 (RIPA)," said Simon Watkin of the Home Office Covert Investigation Policy Team.
The closing date for the consultation is 30 August.
Cambridge University security expert Richard Clayton told ZDNet UK that any company that was concerned by Part III of RIPA would be "foolish to pass up the opportunity" of voicing their concerns.
"Although in theory the Government's mind is made up, the proposals are so incomplete and confused that they may have a rethink anyway," said Clayton.
The security expert said that there were "a lot of complexities not addressed" by the code of practice, including the rules which will govern how access to keys can be demanded. Clayton predicted in May that financial institutions would consider moving to countries without encryption key disclosure laws.
"The Home Office appear sensitive to the suggestion that every financial institution will remove their keys (and hence a lot of jobs) from the country," said Clayton.
"There is a brand new safeguard in that the head of the FSA [Financial Services Authority] must now countersign requests [for key disclosure]. But this only applies to "financial services" and not to, say, a company like Ebay, or a British competitor."
"It gets worse. There is a brand new suggestion that demanding keys might become commonplace — when there might otherwise be doubt as to whether a decryption has been done correctly. This means that instead of asking for keys being highly exceptional, as parliament clearly intended, it will in fact become common," said Clayton.
The security expert also raised the question of whether an arrested person should be allowed access to their laptop to decode encrypted files.
"If so, how should we avoid the authorities "cheating" and installing some keystroke logging software first?" Clayton said.
"The last issue is whether (when the police don't like your attitude) it should be suggested that your hard disk in fact contains encrypted copies of child pornography — because then they can lock you up for longer," Clayton added.
The code of practice has already been criticised by mathematician and encryption expert Peter Fairbrother.
"This isn't a code of practice — it's just a repetition of RIPA in different words," said Fairbrother on ukcrypto, a public email list.
The Act was passed six years ago, when Part III was held back from becoming law. The Home Office claims it now wants to bring Part III into law as "investigators have begun encountering encrypted and protected data with increasing frequency."
The Home Office also claimed that the law was needed due to the inclusion of encryption technologies in standard operating systems, such as Microsoft's Vista which will include an encryption tool called Bitlocker.
"This, and the rapidly growing availability of encryption products including the advent of encryption products as integrated security features in standard operating systems, has led the Government to judge that it is now timely to implement the provisions of Part III," said the Home Office on its Web site.
Businesses and individuals can raise concerns about the draft code of practice at: http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/
Talkback
People, get a clue. Your political decision makers are informed beyond any reasonable doubt. In short, they've been hi-jacked, lobbied for, or whatever you want to call it. Not making a stand now will have consequences later on that won't be easier to turn back. First question, who's been informing who about what exactly? Full public disclosure please.
Only in instances where the police would draw a weapon in cases of terrorism and drugs ..... The police forces are no more secure than any other organisation and should not br given carte balnche = a police state.
i fully agree with fighting crime and crime prevention, but everyone seems to have gone wild - doesnt anyone remember what privacy was? a time when you wernt caught 900 times on cctv while shopping, and when your cell phone couldnt be traced, or your internet usage logged by your isp, we watch bigbrother because the contestants are in effect knowningly being spied upon, yet wouldnt it be easier just to look in the mirror? and say someone cant remember their encrytion key or doesnt want to, what happens then? does the government assume the documents are future terrorist plans and charge you according or let you off with a caution and tell you to be less absent minded? i pretty certain no-one from senior government fully understands encryption, if someone has data encrypted - chances are that they dont want you to see it, so there unlikely to just hand over the key what ever the sentence, wouldnt it have been more pro-active and effective to work on better way to crack the encryption keys, then just decipher any codes needed to open the documents? its just the government on a power trip, they'll bring in the mouse click tax and LAN traffic levi next.
Your concern should not be with the Police but with the political masters. They will dance for whom ever pulls the strings & it would seem that Labour is no different from any other party. Once you have power you always want more. Our job is to stop them.