The UK Home Office has decided to put through the 3rd part of the Regulation of Investigatory Powers Act. The act was originally introduced in 2000, and its first two parts have already been implemented. This particular part would introduce penalties of up to 2 years in jail for companies or individuals who wouldn’t disclose their encryption keys at the government’s request. The final language may be amended, since the Home Office is involved in a consultation process on this matter, and no conclusions have been reached yet.
As usual, the Slashdot people are having a field day with this bit of news. Even the language used by reputable news organizations is sensationalistic. I have to admit I was concerned, but I had a look at the wording of the act, and it says, clearly, that organizations or individuals would only need to release their encryption keys at the specific request of Her Majesty’s forces, for a pending investigation. It’s not as if the government’s asking everyone to hand over their keys, en masse. They’re also going to reimburse them for their expenses of retrieving and reproducing that data.
To me, this is no different than the powers of search and seizure police have here in the States. They can obtain a warrant to search your property, and you can be sure they’ll go through it with a fine-tooth comb, looking for anything important. On top of that, they won’t reimburse you for the trouble.
Well, now they’ll be able to do the same to someone’s data in the UK. Until now, encrypted data was above the law, so to speak – if it was well encrypted. If RIPA-3 gets going, the police might have a chance to take a look at it. I say “might”, because encryption can use constantly changing keys, and if you forget or misplace the original key, good luck getting that data back…