The clause of a law which forces people to hand over encryption keys will be activated after controversy delayed its implementation for six years. But one security expert has warned that the law itself could cause more criminals to turn to encryption.
The Regulation of Investigatory Powers Act will be modified later this year to allow government agencies to force the handing over of data keys after a consultation period announced on Monday. The contentious section of the legislation lay dormant when opponents argued that it could infringe on civil liberties, but the Home Office has said that increasing use of encryption makes its enactment necessary.
"The provisions have not yet been implemented because the development and adoption of encryption and other information protection technologies has been slower than was anticipated when the Act was passed," said the Home Office consultation paper. "The Government has, however, kept under review the need to implement the provisions in Part III, by taking account of the extent to which protection of electronic data has frustrated law enforcement and obstructed the delivery of justice to victims."
"Over the last two to three years, investigators have begun encountering encrypted and protected data with increasing frequency," said the document.
Not all experts are convinced, however, that this has been the case. Cambridge University Security Group researcher Dr Richard Clayton believes that the enacting of the powers will actually increase the amount of encryption used by criminals.
"I've never seen the figures that say that the amount of encrypted material they come up against is increasing," said Clayton. "In fact I think putting the powers on the statute book will make it more, not less, likely that police will encounter encrypted material because people will become aware of dual key systems and see how easy they are to use."
If the Home Office implements the changes as currently constituted, anyone using encryption to protect information can be asked to decrypt it via the courts if the police suspect criminality connected with the data. Anyone not complying can be imprisoned for two years, or up to five years for a case involving national security.
Enforcing the legislation will be difficult if accused people pretend to have forgotten their passwords, said Clayton; it could also prove controversial in cases where a person has actually forgotten a password.
"There is also the question of whether or not decrypting something for the police counts as incriminating yourself," Clayton said. "The Home Office takes the view that the information is there, it exists on its own, so the act of decrypting does not make you incriminate yourself. It is the same argument as for DNA, that you do not have the right to refuse it."
The legislation also forces the handing over of encryption keys, something to which large corporations and City banks have objected, because these keys keep sensitive information secret. New safeguards have been introduced in that regard, including the need to inform the head of the financial regulator, the Financial Services Authority, before demanding a key.
"The trouble is that criminals do not build hierarchical key structures; the only person who uses the key is the person whose information it is and if they won't decrypt something they are not going to hand over the key," said Clayton. "The only people who have hierarchies like that are big business. This comes from a very government view of the world, that everyone works the same way."
Sue Cullen, an Associate with Pinsent Masons, the law firm behind OUT-LAW.COM, said the problem is "not so much the legislation – which has been with us for six years – as how it is now being sold to the public."
She points to the 57-page consultation document. The introduction is illustrated by gruesome examples of child sex abuse cases in which evidence of even more horrific crime could not be decrypted by the investigators.
"Nobody would object to encryption key disclosure in these cases," she said. "But don't be misled into thinking that these powers can be used only in such serious cases, or in the context of terrorism, for instance. They are available for preventing or detecting any crime, however minor, and for the 'economic well-being of the UK', which might make you think differently about them."
The consultation runs until 30th August, and also encompasses two other proposals relating to the people who can access communications data and the circumstances under which they can do it.