According to Ars Technica, new laws go into effect in the United Kingdom that make it a crime to refuse to decrypt almost any encrypted data that’s requested as part of a police investigation.
Individuals who refuse to comply with orders to hand over either cryptographic keys or data in decrypted form will face up to five years in prison.
Part 3, Section 49 of the Regulation of Investigatory Powers Act (RIPA) includes provisions for the decryption requirements, which are applied differently based on the kind of investigation underway… the five-year imprisonment penalty is reserved for cases involving anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.
This law is applicable only to data physically stored in the United Kingdom and does not allow the U.K. government to intercept encrypted materials in transit.
What worries experts about this new legislation is that law enforcement now has the power to seize encryption keys.
Cambridge University security expert Richard Clayton said earlier last year, “The notion that international bankers would be wary of bringing master keys into the U.K. if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction. With the appropriate paperwork, keys can be seized. If you’re an international banker you’ll plonk your headquarters in Zurich.”
With the increasing availability and use of strong encryption, enacting laws to force the surrender of encryption keys appears to be the easiest way out for government agencies.