U.K. data decryption law takes effect

It is not for nothing that the United Kingdom is now described as the “Surveillance society.” On Monday U.K. law enforcement gained new powers to compel individuals and businesses to decrypt data wanted by authorities for investigations. The measure is in the third part of the Regulation of Investigatory Powers Act (RIPA), legislation passed in 2000 by the U.K. Parliament to give law enforcement new investigation powers with respect to evolving communication technologies. PCWorld’s Jeremy Kirk writes that the government contends law enforcement more frequently encounters encrypted data, which delays investigations. RIPA Part III, however, was not activated when the act was passed seven years ago because of the less prevalent use of encryption. That was then, this is now. As of Monday, those served with a “Section 49” notice have either to make decryption keys available or put the data in an intelligible form for authorities. Failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do.

A Section 49 request must first be approved by a judicial authority, chief of police, the customs and excise commissioner, or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that the recipient of a Section 49 request not tell anyone except their lawyer that they have received it. Critics countered RIPA Part III could put corporate data at risk if mishandled by government officials, although the government wrote a code of practice concerning the handling of encryption keys. Spy Blog, a Web site which comments on privacy and data security issues (site’s motto: “Watching them watching us”), called on the government to publish regular statistics on the number of Section 49 notices served. The site further called for feedback from organizations served with notices.

The U.K. Home Office addresses only one specific type of device and technology in its published guidance on RIPA Part III: the BlackBerry, the omnipresent handheld for business people. E-mails sent to a BlackBerry are decrypted on the device, meaning neither Research in Motion, the BlackBerry’s manufacturer, nor the wireless operator handling the data transfer are privy to the encryption keys, the Home Office guidance said. If investigators want encrypted data, they will have to go directly to the device owner, the Home Office said. Also, RIPA Part III only applies to data stored in the United Kingdom, so encrypted data that transited through the U.K. would not fall under the legislation.