Part III of the Regulation of Investigatory Powers Act 2000 (RIPA Part III) gives UK authorities the power to compel the disclosure of encryption keys, or the decryption of encrypted data, by way of a Section 49 Notice. A suspect served with such a notice can be prohibited from telling anyone about it other than their legal representative. Refusal to comply carries a maximum sentence of two years' imprisonment, or five years in cases involving national security or child indecency.
Terrorism Act 2000 Schedule 7 has also been used by police to compel the disclosure of passwords.
Part III of the Regulation of Investigatory Powers Act 2000 gives authorities the power to order the disclosure of encryption keys, or to force suspects to decrypt encrypted data. Anyone who refuses to hand a key over to the police faces up to two years' imprisonment; under current anti-terrorism legislation, terrorist suspects face up to five years for withholding keys.
Although RIPA came into force in 2000, the government held back from bringing Part III into effect for five years. In 2006 Liam Byrne, the new Home Office minister of state, promised Parliament that he would activate Part III after a consultation. The consultation drew the same negative comments that the legislation had received when first brought before the Commons, but this time with less press coverage. There were concerns that the legislation would harm business, and objections from encryption experts that it would fail to achieve its objective while introducing new problems.
Under Section 49(1)(e), the power to make Section 49 requests is limited to material in the possession of:
- any of the intelligence services (GCHQ, MI5, MI6)
- the police
- the National Crime Agency
- Her Majesty's Revenue and Customs (HMRC)
Simon Watkin (Home Office): "Public consultation on draft codes of practice for both Part I Chapter II and Part III of RIPA will open in the week commencing 5 June."
Sir Paul Beresford MP (Mole Valley) (Con) moved a new clause to increase the sentence to up to ten years for suspected paedophiles, because for a paedophile the alternative penalty, if the information was turned over, would often be five years or more and, frequently, having to go on the sex offenders register. The government said they liked the idea and that it was time to activate Part III of the Act, but that there should be a consultation first; he agreed and withdrew the new clause.
From the Home Office FAQ on RIPA: "The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information."
Problems and Concerns
An ordinary individual could easily run into problems simply because they had lost a key: how do you prove to the police that you no longer have the key and cannot decrypt the data?
In the worst case, someone accidentally emails you an encrypted message for which you do not hold the key. The police arrest you and, under Part III of RIPA, instruct you to decrypt the message and hand over the key. You cannot, because you never had the key, yet you now face a sentence of up to two years, because you cannot prove the negative: that you do not have the key.
For banks the most controversial part is not the requirement to decrypt encrypted data, but that the police can require the keys themselves to be handed over. Authorities tracking the movement of terrorist funds could demand the encryption keys in use by a bank through which those funds might be moving, thereby laying bare that bank's files on everything from financial transactions to customer data.
A London School of Economics report, commissioned by the Confederation of British Industry, estimated that the law will cost UK industry £46bn over the next five years as businesses move their electronic dealings offshore, and new ventures go elsewhere in search of a more secure trading environment.
Simon Davies, visiting fellow at the London School of Economics, said:
- "The main issue is the loss of trust in international business dealings. If an overseas partner can't guarantee a high level of security, it simply won't do business with the UK."
The economic impact of the regulation of investigatory powers bill An independent report prepared for the British Chambers of Commerce.
- The argument is, at heart, that only a completely clueless security officer would ever permit a multinational financial institution to keep its master keys in the UK. Hence security jobs -- looking after those master keys -- will migrate elsewhere and hence, eventually, so will the rest of the HQ staff, with a consequent effect on the UK economy.
Richard Clayton, a security expert from Cambridge University:
- "The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction," ... "With the appropriate paperwork, keys can be seized. If you're an international banker you'll plonk your headquarters in Zurich."
On 8 June 2006 the draft code of practice was published. Richard Clayton commented:
- "This isn't a Code of Practice - it's just a repetition of RIPA in different words."
- "It is, as ever, almost impossible to prove ‘beyond a reasonable doubt’ that some random-looking data is in fact ciphertext, and then prove that the accused actually has the key for it, and that he has refused a proper order to divulge it,"
- "The Home Office appear sensitive to the suggestion that every financial institution will remove their keys (and hence a lot of jobs) from the country,"
- "There is a brand new safeguard in that the head of the Financial Services Authority must now countersign requests. But this only applies to "financial services" and not to, say, a company like Ebay, or a British competitor."
- "It gets worse. There is a brand new suggestion that demanding keys might become commonplace — when there might otherwise be doubt as to whether a decryption has been done correctly. This means that instead of asking for keys being highly exceptional, as parliament clearly intended, it will in fact become common," said Clayton.
Dr C. H. Lindsey analyses a variety of bad scenarios:
- But doesn't the availability of plausible deniability products like TrueCrypt render all this moot? (Not to mention MOOT.) The prosecution cannot prove that there are keys they have not been given, provided they are given at least one.
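The point Clayton and Lindsey make above, that an examiner cannot tell ciphertext from random bytes (nor a real key from a wrong one) by looking at the data, can be checked directly. The following is an added example written for this page; it is not code from the page or from any of the people quoted. The SHAKE-256 keystream construction, the constructed plaintext and the entropy and chi-square thresholds are assumptions chosen for illustration, not forensic standards.

```python
"""Added example: why 'random-looking data' proves nothing by itself.

A keystream cipher built from SHAKE-256 (an illustrative construction for
this example, not a recommendation) encrypts a constructed plaintext.
Simple statistics an examiner might run on a seized blob (byte entropy,
chi-square against uniform) cannot separate the ciphertext from
os.urandom() output, and a decryption attempted with the wrong key yields
yet another random-looking blob.
"""
import hashlib
import math
import os
from collections import Counter


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream = SHAKE256(key || nonce), expanded to the requested length."""
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the same call decrypts."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # a stream-cipher XOR is its own inverse


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 8.0 for a perfectly uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against uniform (mean about 255 for random data, df=255)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_random(data: bytes) -> bool:
    """Thresholds assumed for samples of tens of kilobytes (illustrative only)."""
    return shannon_entropy(data) > 7.95 and chi_square(data) < 400.0


def profile(data: bytes) -> dict:
    """Summarise one blob with the two statistics and the verdict."""
    return {
        "entropy": round(shannon_entropy(data), 3),
        "chi2": round(chi_square(data), 1),
        "looks_random": looks_random(data),
    }


def compare(sample_len: int = 65536) -> dict:
    """Profile plaintext, its ciphertext, a truly random blob, and a wrong-key 'decryption'."""
    # Constructed plaintext: a repeated English sentence, far from uniform.
    sentence = b"The suspect says the key was lost. "
    plaintext = (sentence * (sample_len // len(sentence) + 1))[:sample_len]
    key, nonce = os.urandom(32), os.urandom(16)
    ciphertext = encrypt(key, nonce, plaintext)
    # Nothing in the output reveals whether the person ever held the real key:
    # decrypting with a wrong key gives another blob with the same statistics.
    wrong_key_output = decrypt(os.urandom(32), nonce, ciphertext)
    return {
        "plaintext": profile(plaintext),
        "ciphertext": profile(ciphertext),
        "urandom": profile(os.urandom(sample_len)),
        "wrong_key": profile(wrong_key_output),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:<11} {stats}")
```

Only the plaintext fails the randomness check; the ciphertext, the genuinely random blob and the wrong-key output are statistically indistinguishable from each other, which is exactly the evidential gap the quoted commentators describe: a prosecutor must show both that the bytes are ciphertext and that the accused holds a key for them, and neither follows from the data alone.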
Are these powers really needed?
wtwu of Spy Blog points out that last year's annual reports, mandated under RIPA, by both the then Interception Commissioner Sir Swinton Thomas and the then Intelligence Services Commissioner Lord Brown of Eaton-under-Heywood contained this identical paragraph:
- "However, the use of information security and encryption products by terrorist and criminal suspects is not, as I understand, as widespread as had been expected when RIPA was approved by Parliament in the year 2000. Equally the Government's investment in the National Technical Assistance Centre - a Home Office managed facility to undertake complex data processing - is enabling law enforcement agencies to understand, as far as necessary, protected electronic data."
There was a mini-debate in the Commons on 10 May 2006 about changing the sentence for RIPA Part III offences where the encrypted material is believed to contain indecent images of children. House of Commons debate, Wednesday, 10 May 2006:
Sir Paul Beresford (Mole Valley) (Con):
- Many of the images are in the form of videos or DVDs or are on computers. Increasingly, they are kept on remote storage. Some of the computers that the police collect have no hard drives at all. They are driven or initiated by a disk and the information is stored remotely. Increasingly, the information is hidden by encryption. We used to have simple encryption, but we have moved to 128 bit and, even more, to 256 bit encryption. The software is freely available on the internet and relatively easy to use. Essentially, it is unbreakable.
- The other thing that particularly alarms me is that Vista, which is the replacement for Windows OS, is due out generally next year. Once that system is on board the security is such that, when the computer is turned off, it automatically encrypts all the information on it so that when the police collect the computer and turn it on, they cannot break through the encryption. Some information can be destroyed, preventing access by the police. The police clearly need access for obvious reasons. They need to seek evidence against individuals and, frequently -- because offenders sometimes work in packs or groups -- against others. In a way, perhaps it is even more important that the police can identify the children in the photographs and movies. Once those children have been located, it is possible to seek care and counselling for them to try to bring them back into a normal life. There is some evidence that abused children go on to become abusers themselves.
- The new clause deals with encrypted data found on computers and storage in cases where the police believe that the encrypted data contains abusive images of children. It does not create any new offence or scheme, but rather amends the sentencing regime under section 53 of the Regulation of Investigatory Powers Act 2000, which is commonly known as RIPA. Part III requires a person to comply with a notice issued by the police to hand over the encryption key for protected data. The penalty for a breach is two years, but that is ludicrous for a paedophile because the alternative penalty, if the information was turned over, would often be five years or more and, frequently, having to go on the sex offenders list. Accordingly, it is unlikely that an offender who has indecent and abusive photographs of children on his computer would comply with the notice. To achieve compliance, we need to step up the penalty, so I suggest that such offenders should be liable for up to 10 years' imprisonment, which is the penalty for contravening section 1 of the Protection of Children Act 1978 -- there is thinking and a link behind the idea.
- The new clause would simply raise the sentence if a court was satisfied that it was more than likely that the majority of the encrypted data consisted of indecent photographs of children. I suggest that the civil burden is permissible because the offence would be not possessing the photographs of children, which would be punished separately, but the failure to hand over the key. The higher sentence would apply only when one of two thresholds was passed: first, that the computer had non-encrypted indecent photos of children or a child on it, as an indication; or, secondly, that the person had been previously convicted of an offence contrary to section 1 of the Protection of Children Act 1978 or section 160 of the Criminal Justice Act 1988.
Liam Byrne, Home Office minister:
- The use of encryption is, as the Hon. Member for Mole Valley pointed out, proliferating. Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government have concluded that it is now right to implement the provisions of part 3 of RIPA, including section 53, which is not presently in force.
- The threat to public safety posed by terrorist use of encryption technology was recognised in section 15 of the Terrorism Act 2006, which increased the maximum penalty for the section 53 offence to five years in a national security case. The Government will therefore publish for consultation a draft statutory code of practice for the investigation of protected electronic data and the exercise of powers in part 3 of RIPA.
- We have previously given an undertaking to bring forward proposals in line with new clause 2 in the context of consulting on the implementation of part 3, and we shall shortly begin those consultations. We remain very sympathetic to what the new clause is designed to do, but we want to allow an opportunity for public consideration and comment on the proposals first, before implementing any legislative changes.
Article 6 of the European Convention on Human Rights concerns the right to a fair trial. Although not explicitly stated in the Convention, the privilege against self-incrimination is among the "generally recognised international standards which lie at the heart of the notion of a fair procedure". UK law in practice does not apply this privilege absolutely, however: the Road Traffic Act, for example, allows the registered keeper of a vehicle to be required to identify who was driving it at a particular time.
The question of self-incrimination was raised in the Lords during the passage of the Regulation of Investigatory Powers Bill.
Lord Bassam of Brighton stated that, since the key itself would not be self-incriminating, the proposals were ECHR compatible:
- In our view, the correct analysis is that a key has an existence independent of the will of the subject. We believe that that was explicitly approved by the European Court in the leading case of Saunders v. United Kingdom in 1996. The court found that the right against self-incrimination does not extend to the use in criminal proceedings of material that may be obtained from the accused through the use of compulsory powers, but which has an existence independent of the will of the suspect; for example, documents recovered under a warrant.
The annual report of the Office of Surveillance Commissioners contains statistics, supplied by NTAC, on Section 49 Notices. Note that the figures refer to activity within the reporting period (April to March), so, for example, a conviction may result from a refusal to comply with a notice issued in a previous reporting period. Figures in parentheses are taken from the Hansard answer of 2008-04-29 listed below.

| Period    | NTAC approvals | S.49 notices issued | Refusals to comply | S.53 convictions |
|-----------|----------------|---------------------|--------------------|------------------|
| 2007/2008 | ?              | (8)                 | (2)                | ?                |
Of the S.49 notices issued and S.53 convictions, only a handful of cases have received media attention.
- 2007-11-03 Animal rights activist (believed to be the first notice) receives a notice for files seized before the law came into effect.
- 2008-01-16 R v S&A
- 2009-03-07 "JFL" (reported to be the first convicted, June 2009)
- 2010-05 Oliver Drange
- 2011 Thomas Beekmann
- 2012 Lewys Martin
- 2013 Certivox / PrivateSky (S.49 notice implied)
- 2014 Syed Farhan Hussain 
- 2014 Lauri Love 
- 2014 Christopher Wilson 
- 2016 Marvin Jones 
- 2018-08 Stephen Nicholson (convicted for not disclosing Facebook password)
- 2019-10 Simon Finch accused of breaching Official Secrets Act "refused to provide access codes" for three devices. Jailed in 2020.
- 2021 Police employee charged, Operation Venetic / EncroChat
- 2021 Craig Whyte charged under Section 49 for not providing passwords to the FCA
- wikipedia: Key disclosure law
- 2006 presentation by Simon Watkin, Covert Investigations Policy Team, Home Office
- RIP Part III "in an intelligible form", Richard Clayton, 2005
- Security Against Compelled Disclosure, Brown + Laurie
- FIPR RIP centre - FIPR
- Consultation on the Draft Code of Practice for the Investigation of Protected Electronic Information - Part III of the Regulation of Investigatory Powers Act 2000 - Home Office web site for the consultation.
- Scrambling for Safety 8: An open meeting on the Home Office access to keys and communications code of practice consultations, 2006
- The economic impact of the regulation of investigatory powers bill An independent report prepared for the British Chambers of Commerce.
- Analyses a variety of bad scenarios by Dr C. H. Lindsey
- spyblog RIPA3 Consultation blog 2006/7
- Disclosure of encryption keys, Decoded:digital 2018-09-04
- Amended by Terrorism Act 2006 enacted 2006-03-30
- Amended by Policing and Crime Act 2009 enacted 2010-01-25
- The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007
- The Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007
- Government backtracks on encryption enquiry, ZDNet, 2001-04-04
- John Murray v. the United Kingdom, European Court of Human Rights, 1996-02-08
- Self-incrimination still a grey area, The Journal, 2000-03-01
- House of Lords, 2000-07-19 Lord Swinfen "If a person has, or is thought to have, possession of a key and fails to provide it, as a defence will he be able to exercise his right not to incriminate himself?"
- House of Lords, 2000-06-28
- Office of Surveillance Commissioners 2007-08 Report
- Hansard, Regulation of Investigatory Powers Act 2000, 2009-11-03: "Up to the end of 2007 (latest available) there have been no persons reported to the Ministry of Justice as being cautioned, prosecuted or convicted under section 53 of the Act in England and Wales."
- Hansard, Regulation of Investigatory Powers Act 2000, 2008-04-29: "to date eight section 49 notices have been served [...] two people have been charged with the offence of failing to comply"
- Office of Surveillance Commissioners 2008-09 Report
- Hansard, Regulation of Investigatory Powers Act 2000, 2010-07-20: "In England and Wales in 2008 (the latest year for which data are available) there were no convictions for offences under section 53 of the Regulation of Investigatory Powers Act 2000."
- Office of Surveillance Commissioners 2009-10 Report
- Office of Surveillance Commissioners 2010-11 Report
- Office of Surveillance Commissioners 2011-12 Report
- Office of Surveillance Commissioners 2012-13 Report
- Office of Surveillance Commissioners 2013-14 Report
- Office of Surveillance Commissioners 2014-15 Report
- Office of Surveillance Commissioners 2015-2016 Report
- Animal rights activist hit with RIPA key decrypt demand, Register, 2007-11-14
- RIPA ruling closes encryption key loophole, The Register, 2008-10-14
- UK jails schizophrenic for refusal to decrypt files, Register, 2009-11-24
- Youth jailed for not handing over encryption password, The Register, 2010-10-06
- Passwords and prosecutions, New Statesman, 2010-10-13
- Computer whizz-kid jailed after being caught with hi-tech cashcard scamming kit which would have netted him £150m a year, Daily Mail, 2011-10-15
- Man facing rare refusal-to-unlock-encryption charge: Court date set, The Register, 2012-12-27
- Kent man admits Oxbridge and police force cyber attacks, BBC, 2013-04-15
- The real story on the PrivateSky takedown, Certivox, 2013-12-12
- Clink! Terrorist jailed for refusing to tell police his encryption password, Register, 2014-01-16
- British Hacker Faces Extradition To US, Not To Mention Five Years' Imprisonment In UK For Failing To Hand Over Encryption Keys, Techdirt, 2014-02-27
- UK cops tell suspect to hand over crypto keys in US hacking case, Ars Technica, 2016-03-31
- Computer whizzkid jailed for failing to provide password after cyber attacks on police, Chronicle Live, 2014-07-04
- Computer student suspected of hacking into police websites is jailed for refusing to hand over his password to the authorities, Mail, 2014-07-05
- 'Dangerous' man locked up after police find two guns in his bedroom during raid, Evening Standard, 2016-08-04 "He was also guilty of failing to disclose to police the PIN code for two mobile phones he had when he was arrested by police."
- Lucy McHugh murder suspect jailed for not revealing Facebook password, Guardian, 2018-08-31
- Official Secrets Act breach caused 'incalculable' harm', BBC News, 2019-10-09
- Ex-missile systems worker jailed for breaching Official Secrets Act after last-second guilty plea, Register, 2020-10-13
- Operation Venetic: Police worker among three charged, NCA, 2021-05-21
- Ex-Rangers owner Craig Whyte appears in court after arrest at Manchester Airport, Daily Record, 2021-12-22 "This is the first prosecution by the FCA in relation to this offence."