IFSEC Insider | Security and Fire News and Resources

RIPA a step in the right direction

Proposed changes to the legislation laid before Parliament on Monday 18 June (and due to come into effect on 1 October) are designed to protect the privacy of individuals and the commercial interests of businesses that hold sensitive, encrypted information.

Of course, the original powers contained in Part III of RIPA were widely criticised by civil and human rights groups because of their “intrusive nature”. Meanwhile, the business community – in particular those in the financial services environment – expressed grave concerns about data security and conflicts with data privacy rights.

Now, the revised Code of Practice for the investigation of protected electronic information restricts the scope of public authorities’ powers to access encrypted material, while at the same time introducing additional security provisions for both key materials and disclosed, decrypted data. This includes establishing the National Technical Assistance Centre to provide technical support and supervision, along with recommendations that public authorities create bespoke decryption facilities whereby processing may be carried out by corporate officers under the investigator’s supervision.

Managing encryption (and encryption keys) is a complex enough challenge in itself, but surely having to disclose keys to a third party under these new powers has the potential to open up major security holes?

That said, revisions in the new Code require the level of security for any disclosed key material to – at the very least – match the security accorded to it prior to disclosure. Not only that, any loss or damage arising from a failure to safeguard decrypted information might give rise to civil actions against the authorities and individual officers alike.

With criminals increasingly encrypting their data, the power to action disclosure will allow convictions to be progressed where that may previously have been impossible.

Thankfully, RIPA Part III will force businesses to adopt the best-practice key management already being used by banks.
