No, I am not referring to your car keys …
Five years after the Regulation of Investigatory Powers Act (RIP or RIPA) was enacted by lawmakers in the United Kingdom, they are now attempting to expand it’s current power to include a requirement that encryption keys be turned over or face a prison sentence. This particular Part 3 was held back in 2000 when it was enacted due to controversy.
This ZDNet article discusses the controversy over Part 3:
Some security experts are concerned that the plan could criminalize innocent people and drive businesses out of the United Kingdom. But the Home Office, which has just launched a consultation process, says the legislation contained in Part 3 is needed to combat an increased use of encryption by criminals, pedophiles and terrorists.
And the ZDNet article further discusses what could result from the threat of seizing keys, particularly in how it relates to the banking industry:
“The notion that international bankers would be wary of bringing master keys into (the United Kingdom) if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction,” Clayton added. “With the appropriate paperwork, keys can be seized. If you’re an international banker, you’ll plunk your headquarters in Zurich.”
Not only would this be bad for business in the United Kingdom, but this would be of concern even to individuals. With the ‘right paperwork,’ anyone could have their encryption keys seized or face two years in prison.
The Wikipedia article in part says the following about this expansive legislation:
Critics claim that the spectre of internet crime and paedophilia was used to push the act through and there was little substantive debate in the House of Commons. The act still has numerous critics, most regarding the regulations as dangerously excessive and a threat to civil liberties.
Especially contentious was Part III of the Act which (under some circumstances) might require persons to supply the cryptographic key to a duly authorised person. Key disclosure would only be appropriate in circumstances where the actual encrypted traffic was not supplied. Failure to disclose encrypted traffic (or if appropriate the relevant key) would be a criminal offence, with a maximum penalty of two years in jail. The debate about Part III of the Act is largely hypothetical since it is not yet in force. Using the mechanism of secondary legislation, some parts of the Act require activation by a ministerial order before attaining legal force. Such orders have been made in respect of the relevant sections of Part I and Part II of the RIP Act – but not Part III, although the Home Office is now (May 2006) reportedly seeking to activate this third part of the legislation .
Critics claim that the provisions of Part III are too complex, and possibly unworkable, and that this might be a reason for government reluctance to activate this part of the legislation. Another possibility is that the government wishes to have the powers in reserve, such that if they were deemed necessary they could be implemented more quickly and easily than if new primary legislation were required. Another possibility is that relevant government agencies might reasonably believe that it is easier to use pre-existing judicial procedures to compel production of evidence rather than the more cumbersome and difficult procedures that ultimately found their way into Part III.
Sound familiar? Citizens of both the US and the United Kingdom are facing similar threats to civil liberties. So it begs the question: What freedoms are we ultimately willing to give up for safety? Is there a limit? I am beginning to think that maybe unfortunately, there is no limit.
This type of legislation is certainly not restricted to the United States and the United Kingdom by a long shot, but at one time, civil liberties were more important to these two great nations than most anything, or at least more so than they are today. It is a very sad turn of events for both nations.