British law enforcement has gained new powers to compel individuals and businesses to decrypt data wanted by authorities for investigations.
The measure is in the third part of the Regulation of Investigatory Powers Act (RIPA) – legislation passed in 2000 by parliament to give law enforcement new investigation powers with respect to evolving communication technologies.
The government contends law enforcement more frequently encounters encrypted data, which delays investigations. But RIPA Part III wasn't activated when the act was passed due to the less prevalent use of encryption.
But as of today those served with a "Section 49" notice have to either make decryption keys available or put the data in an intelligible form for authorities. Failure to comply could mean a prison sentence of up to two years for cases not involving national security – or five years for those that do.
A Section 49 request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that the recipient of a Section 49 request not tell anyone except their lawyer that they have received it.
Critics countered that RIPA Part III could put corporate data at risk if mishandled by government officials, although the government wrote a code of practice concerning the handling of encryption keys.
SpyBlog, a website that comments on privacy and data security issues, called on the government to publish regular statistics on the number of Section 49 notices served. The site further called for feedback from organisations served with notices.
The Home Office addresses only one specific type of device and technology in its published guidance on RIPA Part III: namely, the BlackBerry.
Emails sent to a BlackBerry are decrypted on the device, meaning neither RIM, the BlackBerry's manufacturer, nor the wireless operator handling the data transfer are privy to the encryption keys, the Home Office guidance said.
If investigators want encrypted data, they will have to go directly to the device owner, the Home Office said. Also, RIPA Part III only applies to data stored in the UK, so encrypted data that transited through the UK would not fall under the legislation.