U.K. uses new law to force hand-over of encryption keys

Published 16 November 2007

In October 2007 Parliament passed a law allowing authorities to force people to hand over encryption keys to data stored on their private computers; an animal rights activist is among the first to be ordered to hand over encryption keys for her computer, which was seized in May

The United Kingdom is often referred to as the Surveillance Country. Here is another example: A U.K. animal rights activist has been ordered to hand over her encryption keys to the authorities. Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start of October 2007, seven years after the original legislation passed through parliament. It was intended primarily to deal with terror suspects, but it allows police to demand encryption keys or a clear text transcript of encrypted text. Failure to comply may result in up to two years' imprisonment for cases not involving national security, or five years for terrorism offenses and the like. Orders can be made to turn over data months or even years old. The Register’s John Leyden writes that the contentious measure, introduced after years of consultation, was sold to Parliament as a necessary tool for law enforcement in the fight against organized crime and terrorism. It was the animal rights activist, however, who was among the first people to receive a notice to give up encryption keys. Her computer was seized by police in May, but now that the law is on the books, she has been given twelve days to hand over a pass-phrase to unlock encrypted data held on the drive — or face the consequences.

The woman was issued a notice by the Crown Prosecution Service (CPS), and not (as might be expected) the police. According to the code of conduct, the authorities would normally ask a suspect to put the files into intelligible form, though how this would work when a PC is being held by the police is not clear. It is also unclear whether the woman was given an official Section 49 notice or was simply “invited” to hand over the data voluntarily. Richard Clayton, a security researcher at Cambridge University and long-time contributor to U.K. security policy working groups, said that only the police are authorized to issue Section 49 notices. “What seems to have happened is that the CPS (who couldn’t issue a notice anyway) have written asking the person to volunteer their key,” he adds. “Should they refuse this polite request, they are being threatened with the subsequent issuing of a notice, which might or might not require the key to be produced (it might of course just require the putting into an intelligible form of the data).” Clayton expressed concern that the incident illustrates possible holes in the long-delayed code of practice. “It would clearly be desirable to seek National Technical Assistance Center’s (NTAC) views before approaching suspects with requests for keys (rather than requests to put into an intelligible form) - lest the authorities give the impression that they know rather less about the rules (and the operation of encryption systems) than everyone else,” he said.