[e-privacy] [me at privacy.net: Police request power to seize encryption keys
Nomen Nescio
nobody at dizum.com
Thu Aug 17 01:00:04 CEST 2006
----- Forwarded message from Brave New Britain <me at privacy.net> -----
From: Brave New Britain <me at privacy.net>
Subject: Police request power to seize encryption keys (again)
Date: Tue, 15 Aug 2006 12:31:58 +0100
X-Newsreader: Forte Agent 2.0/32.652
POLICE REQUEST POWER TO SEIZE ENCRYPTION KEYS
Hundreds of computers belonging to suspected terrorists or paedophiles
are gathering dust as investigators are unable to decrypt the data on
their hard drives, claim police
By Graeme Wearden
ZDNet UK, UK: 15 August 2006
http://news.zdnet.co.uk/internet/security/0,39020375,39280964,00.htm
The fact that law-enforcement officers don't have the powers to seize
encryption keys means an increasing number of criminals are able to
evade justice, a senior police officer warned on Monday.
Detective chief inspector Matt Sarti told a public meeting in London
that suspected terrorists, paedophiles and burglars have all walked
free because encrypted data couldn't be opened and the resulting
information brought before the courts.
"There are more than 200 PCs sitting in property cupboards which
contain encrypted data, for which we have considerable evidence that
they contain data that relates to a serious crime," revealed Sarti.
"Not one of those suspects has claimed that the files are
business-related, and in many cases the names of the files indicate
that they are important to our investigations."
Earlier this summer, the Government announced that
[http://news.zdnet.co.uk/internet/security/0,39020375,39269746,00.htm
it plans to activate Part 3 of the Regulations of Investigatory Powers
(RIP) Act], which will give the police the power, in some
circumstances, to demand an encryption key from a suspect.
Part 3 of the RIP Act has been heavily criticised in the past by
security professionals and academics, who believe that it is a
dangerous and badly written piece of legislation that cannot be
properly implemented.
Sarti was speaking at an open meeting to discuss the Home Office
consultation about the draft code of practice for Part 3 of the RIP
Act, which will govern how its powers can be used.
The meeting was organised by the Foundation for Information Policy
Research (FIPR).
Casper Bowden, a former director of the FIPR who led the fight against
the introduction of the RIP Act several years ago, told the meeting
that Part 3 was flawed because defendants could be prosecuted for
simply losing an encryption key.
"The burden of proof is on the suspect to prove that they don't have
the key, and if they fail they go to prison. But, if they can give an
explanation for not having the key, then the prosecution must prove
beyond reasonable doubt that they are lying," said Bowden.
Bowden explained that in circumstances when the police suspected
someone had encrypted incriminating data, officers could issue an
order under Section 49 of the Act, ordering the suspect to hand over
the key. Failure to do so could lead to a prosecution under Section 53
of the Act.
Dr Richard Clayton, an FIPR trustee and a computer security researcher
at the University of Cambridge, told the meeting that the code of
practice also lacked clear powers against officials who were guilty of
making "deliberate mistakes" in their use of the RIP Act to obtain
private data. Clayton also argued that businesses may take their
encryption keys out of UK jurisdiction so that they can't be seized.
But Simon Watkin of the Home Office, who drafted the code of practice,
insisted that the time was right to activate Part 3 of the Act as the
police are now finding that their investigations are being thwarted by
encryption.
"The police have come to us and said that they need powers to get hold
of encrypted data off suspects," said Watkin. "We've got a law like
this on the statute book, and we've been waiting for people like them
to come and give us compelling reasons why they need it."
One police officer in the audience argued that, in the case of alleged
child abuse, it was vital to access all the files on a suspect's
machine so that the victims could be identified.
But Duncan Campbell, an investigative journalist who has served as an
expert witness in many computer-related trials, insisted that Part 3
of the RIP Act could not be justified.
"A person who rapes and damages a 12-year-old is going to get a bloody
long sentence, and bloody good too. What's the point in the police
saying we need a monstrous law so we can get to the rest of the data?"
asked Campbell.
The consultation on the draft code of practice will run until 31
August, and Watkin indicated that submissions received after that date
will still be considered. You can
[http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/ see the
code of practice on the Home Office Web site].
----- End forwarded message -----