Contested U.K. encryption disclosure law takes effect

British law enforcement gained new powers on Monday to compel individuals and businesses to decrypt data wanted by authorities for investigations.

The measure is in the third part of the Regulation of Investigatory Powers Act (RIPA), legislation passed in 2000 by the U.K. Parliament to give law enforcement new investigation powers with respect to evolving communication technologies.

The government contends law enforcement more frequently encounters encrypted data, which delays investigations. But RIPA Part III wasn't activated when the act was passed due to the less prevalent use of encryption.

But as of Monday, those served with a "Section 49" notice have to either make decryption keys available or put the data in an intelligible form for authorities. Failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do.

A Section 49 request must first be approved by a judicial authority, chief of police, the customs and excise commissioner, or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that the recipient of a Section 49 request not tell anyone except their lawyer that they have received it.

Critics countered RIPA Part III could put corporate data at risk if mishandled by government officials, although the government wrote a code of practice concerning the handling of encryption keys.

Spy Blog, a Web site that comments on privacy and data security issues, called on the government to publish regular statistics on the number of Section 49 notices served. The site further called for feedback from organizations served with notices.

The U.K. Home Office addresses only one specific type of device and technology in its published guidance on RIPA Part III: the BlackBerry, the omnipresent handheld for business people.

E-mails sent to a BlackBerry are decrypted on the device, meaning neither Research in Motion, the BlackBerry's manufacturer, nor the wireless operator handling the data transfer are privy to the encryption keys, the Home Office guidance said.

If investigators want encrypted data, they will have to go directly to the device owner, the Home Office said. Also, RIPA Part III only applies to data stored in the United Kingdom, so encrypted data that transited through the country would not fall under the legislation.