Since 2000, the United Kingdom has been operating under the Regulation of Investigatory Powers Act (RIPA). Part 3, Section 49 of RIPA has been of particular interest to the security community because it concerns the disclosure of decrypted data or encryption keys. In the course of an investigation, law enforcement officers can invoke Section 49 to compel notice recipients to provide the encryption keys or disclose the decrypted contents of encrypted files. Failure to do so can lead to prosecution, with a potential for two years in jail, or five years in the case of a national security investigation. For the first time since RIPA’s inception, the latest annual report from the Chief Surveillance Commissioner has revealed that this has resulted in jail time.While the current report suggests that very few notices have been issued under this law, there have been some interesting outcomes. Fifteen notices were issued, and four of those were readily complied with. Of the remaining eleven, seven resulted in charges against the notice recipient. Two of those charges resulted in convictions and will likely result in jail time. The report does not provide details that would reveal anything specific about the cases, other than that all were issues of “counter terrorism, child indecency and domestic extremism.”These statistics raise a few interesting points:
- Section 49 notices were only issued 15 times during the year
- Four recipients complied, while only two of the remaining eleven could be convicted of withholding information
- Of the eleven that did not comply, only seven resulted in prosecution
It is important to note that those receiving Section 49 notices are not necessarily themselves suspected of committing crimes, only that they have encrypted information that may be important to the government’s case under Section 49 provisions. But what sort of implications does this have for businesses under the jurisdiction of Section 49? First of all, if employees of a business use encryption keys for that business that are shared, either with other users or among various content types, then an investigation into that employee might result in the disclosure of business information also encrypted with that key. This is one of the most troubling aspects of Section 49 because it is not a law that requires the disclosure of the encrypted information in question, but of the keys themselves.An alternative scenario, where a key is used and either it or the passphrase are legitimately lost, is perhaps more problematic for the individual. However, the government will have few options to prove the negative, that the individual does not know the key. At the present scale of investigation, it is not likely that users will be caught in a sweeping dragnet where the presence of any encrypted file would result in a RIPA notice being issued. This also makes it unlikely that the adoption of Section 49 will result a rise in ransomware, which is malicious code that encrypts user files and ransoms the key to the user, perhaps with the added threat from the malcode author that the user will be turned in as a suspect for hiding illegal content on their computer. With so few cases of Section 49 being invoked, such malware would stand out as suspicious except in very limited, targeted conditions.In both of these scenarios, businesses are forced to prove a negative. If the authorities request the surrender of a shared key, the business would have to share all data encrypted with that key (within the scope of the warrant) to prove that only some data encrypted with it was of interest to the authorities, or else just divulge the key. For the individual, they would have to prove that they do not know the key in order to avoid prosecution for non-compliance with the notice. Neither position is desirable, and carries a significant, perhaps unattainable, burden of proof on the notice recipient. At only 15 instances the past year, the risk is not high. But two convictions is noteworthy as a first milestone in this developing legal situation. Businesses should closely monitor this for developments, and prepare contingencies if they fall within the jurisdiction of RIPA. Not only will this affect how they employ encryption, who uses keys, and for what purposes data is encrypted, but they will also need to keep keys (and potentially passphrases) archived to satisfy Section 49 notices — not to mention the difficulties of matching old keys and passphrases to old encrypted data.