UK police can now demand encryption keys

People in the UK who encrypt their data are now obliged by law to give up the encryption keys to law enforcement officials if requested under the Regulation of Investigatory Powers Act 2000 (RIP Act).

Section 49 of Part III of the RIP Act compels a person, when served with a notice, to hand over an encryption key or render the requested material intelligible by the authorities.

This section of the legislation was included in the original draft but was not activated because encryption was not considered to be sufficiently widely used at the time to be of concern.

If the order to give up the encryption keys forms part of a terrorism investigation, refusal to do so can mean up to five years in jail. In non-terrorism cases refusal can mean a two-year sentence.

The new law came into effect from 1 October, the same day that the RIP Act forced all telecoms companies to log details about every call and text message sent and received in the UK for one year.

The Home Office claims that the move will help in the investigation of terrorists as well as criminal gangs and paedophiles.

"The measures are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information," said a spokesman for the Home Office.

Civil liberty groups have slammed the activation of this part of the Act, however, saying that is it a major invasion of privacy and will have little or no purpose in solving crimes.

Those who genuinely have something to hide would be better off serving the two-year or five-year sentence than giving up the encryption key, the groups say.

Some commentators have also pointed out that, as the encryption key is usually a long series of alphanumeric characters, it is possible that the key may have been lost or forgotten, leaving the owner having to protest their innocence.

The Home Office defended the move, saying that it was consistent with the European Convention on Human Rights, which was last amended on 20 January 1966.

The UK government also made assurances that all requests would be necessary and proportionate.

If the authorities demand that information is provided from someone who believes this is not the case, the accused has the option of registering a complaint with the Investigatory Powers Tribunal which has the power to enforce or reject the demand.