Skip to main content

Golden Rant : RIPA Part III - watered down, but still contentious

Part III of the Regulatory and Investigatory Powers Act proposals, I have just discovered, were quietly laid before Parliament last month and are now due to come into force on October 1 this year.

The original provisions of RIPA Part III were roundly criticised a few years back when it became apparent that a central registry was required to store master passwords and keys for encryption systems on company servers.

Following a media furore, the government promised a rethink and now, we learn, the provisions of the Act have been reworked to better focus on terrorism and national security issues, as well as tackle organised crime.

The official line is that the draconian centralised password provisions of the proposed legislation have been scaled down

Instead of companies being required to hand over their master passwords to a centralised registry, the government will create a National Technical Assistance Centre (NTAC) to provide technical support and supervision of - wait for it - master passwords and encryption keys.

As a form of protection against the misuse of master passwords and encryption keys, the new RIPA III Code of Practice states that "no person can seek permission to serve a disclosure notice without the NTAC's approval."

So let me get this straight - in place of a central registry where companies must store their master passwords and encryption keys, there will be NTAC, a central registry where companies must store their master passwords and encryption keys.

Am I alone in thinking this is simply a reworking of the provisions of RIPA III? Or did Alistair Campbell draw up the new legislation?

Whatever you think, the Act will become law on October 1. Democracy anyone?