U.K. police: Let us seize encryption keys

Because British law enforcement officers don't have the authority to seize encryption keys, an increasing number of criminals are able to evade justice, a senior police officer said.

Suspected terrorists, pedophiles and burglars have all walked free because encrypted data couldn't be opened, Detective Chief Inspector Matt Sarti of the Metropolitan Police said Monday during a public meeting in London.

"There are more than 200 PCs sitting in property cupboards which contain encrypted data, for which we have considerable evidence that they contain data that relates to a serious crime," Sarti said. "Not one of those suspects has claimed that the files are business-related, and in many cases, the names of the files indicate that they are important to our investigations."

Earlier this summer, the British government announced that it plans to activate Part 3 of the Regulations of Investigatory Powers (RIP) Act, which will give the police the power, in some circumstances, to demand an encryption key from a suspect.

Part 3 of the RIP Act has been heavily criticized in the past by some security professionals and academics who believe that it is a dangerous and badly written piece of legislation that cannot be properly implemented.

Sarti was speaking at an open meeting to discuss the Home Office consultation about the draft code of practice for Part 3 of the RIP Act, which will govern how its powers can be used.

The meeting was organized by the Foundation for Information Policy Research.

Casper Bowden, a former director of the FIPR who led the fight against the introduction of the RIP Act several years ago, said during the meeting that Part 3 is flawed because defendants could be prosecuted for simply losing an encryption key.

"The burden of proof is on the suspect to prove that they don't have the key, and if they fail, they go to prison. But if they can give an explanation for not having the key, then the prosecution must prove beyond reasonable doubt that they are lying," Bowden said.

Bowden explained that in circumstances when the police suspected someone had encrypted incriminating data, officers could issue an order under Section 49 of the act, ordering the suspect to hand over the key. Failure to do so could lead to a prosecution under Section 53 of the Act.

Richard Clayton, an FIPR trustee and a computer security researcher at the University of Cambridge, said the code of practice also lacks clear powers against officials who were guilty of making "deliberate mistakes" in their use of the RIP Act to obtain private data. Clayton also argued that businesses may take their encryption keys out of U.K. jurisdiction so that they can't be seized.

But Simon Watkin of the Home Office, who drafted the code of practice, insisted that the time is right to activate Part 3 of the Act as the police are finding that their investigations are being thwarted by encryption.

"The police have come to us and said that they need powers to get hold of encrypted data off suspects," Watkin said. "We've got a law like this on the statute book, and we've been waiting for people like them to come and give us compelling reasons why they need it."

One police officer in the audience argued that in the case of alleged child abuse, it was vital to access all the files on a suspect's machine so that the victims could be identified.

But Duncan Campbell, an investigative journalist who has served as an expert witness in many computer-related trials, insisted that Part 3 of the RIP Act could not be justified.

"A person who rapes and damages a 12-year-old is going to get a bloody long sentence, and bloody good, too. What's the point in the police saying, 'We need a monstrous law so we can get to the rest of the data'?" Campbell asked.

The consultation on the draft code of practice will run until Aug. 31, and Watkin indicated that submissions received after that date will still be considered. You can see the code of practice on the Home Office Web site.

Graeme Wearden of suspect, police, officer, U.K., practice

Add a Comment (Log in or register) 11 comments

Breaking Encryption Keys

by ricksco August 15, 2006 7:28 AM PDT

Breaking Encryption Keys

It is difficult but absolutely possible to break the code on any encryption key. Intelligence agencies have been doing it for decades. Intelligence community computers are far superior to commercially available computers. Perhaps the British police should touch base with the code breakers if the suspected crime warrants the effort.

Reply to this comment View all 3 replies Hide replies

Processing

They also want to be judge and jury

by rcrusoe August 15, 2006 8:46 AM PDT

They also want to be judge and jury

http://news.bbc.co.uk/2/hi/uk_news/4793117.stm

Reply to this comment View reply Hide reply

Processing

So criminals are using encryption and government isn't?

by ml_ess August 15, 2006 11:52 AM PDT

So criminals are using encryption and government isn't?

I found this story to be very very ironic. Here we have criminals taking care to protect their information when the government isn't (remember all the data breaches? http://www.techknowbizzle.com/2006/06/20788366461-brief-history-of-data.html)

So a lesson to be learned...even from criminals: encryption DOES work. It might not be perfect, but, look, even cops are having a hard time getting to secured information. http://www.essentialsecurity.com/Documents/article16.htm

Now if only private businesses and government agencies would start using this technology to protect us, as citizens and consumers...

Reply to this comment View reply Hide reply

Processing

how about the fifth amendment?

by thanhvn August 15, 2006 1:39 PM PDT

how about the fifth amendment?

I know this story is about the UK, but I can't help of thinking how long before the US goverment follows suit. In that case I'm wondering if the Fifth Amendment can be successfully invoked to strike down this type of law?

Reply to this comment

Add a comment

Comment SUBMIT U.K. police: Let us seize encryption keys

Click here to add another comment.

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

Need help? » Feedback »

Powered by Jive Software

Comment reply

Submit Cancel

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

Report offensive content:

If you believe this comment is offensive or violates the CNET's Site Terms of Use, you can report it below (this will not automatically remove the comment). Once reported, our staff will be notified and the comment will be reviewed.

Select type of offense:

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Comments (optional):

Report Cancel

E-mail this comment to a friend.

E-mail this to: (Separate multiple e-mail addresses with commas. Limited to 10 addresses.)

Your e-mail address:

Send me a copy of this message

Note: Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipients's address will be used for any other purpose.

Add your own personal message: (Optional)

Hi, I found this user's comment on CNET and thought you might be interested in reading it. Send e-mail Cancel

Warning! You will be deleting this comment and all its replies (if applicable).

Click to delete FOREVER Cancel

[ricksco]

Breaking Encryption Keys

It is difficult but absolutely possible to break the code on any encryption key. Intelligence agencies have been doing it for decades. Intelligence community computers are far superior to commercially available computers. Perhaps the British police should touch base with the code breakers if the suspected crime warrants the effort.

[rcrusoe]

They also want to be judge and jury

http://news.bbc.co.uk/2/hi/uk_news/4793117.stm

[ml_ess]

So criminals are using encryption and government isn't?

I found this story to be very very ironic. Here we have criminals taking care to protect their information when the government isn't (remember all the data breaches? http://www.techknowbizzle.com/2006/06/20788366461-brief-history-of-data.html)

So a lesson to be learned...even from criminals: encryption DOES work. It might not be perfect, but, look, even cops are having a hard time getting to secured information. http://www.essentialsecurity.com/Documents/article16.htm

Now if only private businesses and government agencies would start using this technology to protect us, as citizens and consumers...

[thanhvn]

how about the fifth amendment?

I know this story is about the UK, but I can't help of thinking how long before the US goverment follows suit. In that case I'm wondering if the Fifth Amendment can be successfully invoked to strike down this type of law?