The section of the Regulation of Investigatory Powers Act (RIPA) that deals with the release of software encryption keys could come into force soon, according to the Home Secretary, Jacqui Smith.Part III of RIPA 2000 is aimed at fighting terrorism and organised crime by giving the police new powers to decrypt files for use as evidence and force the release of encryption keys. Although the power was included in the legislation five years ago, it has not come into effect yet.
Speaking in a parliamentary debate in the House of Commons yesterday, Smith said that the Government was in the process of reviewing the law and would make a decision shortly.
However, encryption company nCipher argues that changes to the legislation, which were laid before Parliament on 18 June and are due to come into effect on 1 October, should ensure the police only obtain keys as a last resort and therefore, protect the privacy of individuals and businesses that hold sensitive encrypted information.
The original powers in the Act were widely criticised for their intrusive nature and businesses, particularly in the financial services sector, voiced concerns about information security and conflicts with data privacy rights.
The revised code of practice restricts the scope of the police’s powers to access encrypted material and introduces additional security provisions for key materials and decrypted data.
"Managing encryption is a complex challenge in itself, but having to disclose keys to a third party under these new powers has the potential to open up major security holes," warns Dr. Nicko van Someren, chief technology officer at nCipher.
Robert Bond, partner at law firm Speechly Bircham LLP, added: “It remains to be seen whether these revisions to RIPA legislation will be enough to prevent some financial institutions moving their headquarters out of the UK, but the revised restrictions on authorities to access keys without good cause and due notice are to be welcomed.”