RIPA: Decryption of protected information

17 December 2007

Rhian Hill

On 1 October 2007, Part III of the Regulation of Investigatory Powers Act 2000 came into force. The Act governs the interception of communications and surveillance, and sets out the circumstances in which public authorities can acquire and disclose information. Part III gives certain public authorities the power to require, by notice, that encrypted information be put into an intelligible form, or that a key be disclosed so that the authority can decrypt the information itself.

Also on 1 October 2007, the ‘Investigation of Protected Electronic Information Code of Practice’ was published. This Code states that its aim is to “provide guidance to be followed when exercising powers under Part III of the Act”. The Code will be admissible as evidence in either civil or criminal proceedings and therefore provides a valuable guide as to how Part III of the Act will be implemented.

Part III will apply where a public authority has obtained “protected information” (i.e. encrypted information) in the exercise of its statutory powers. Where information is protected, the public authority can serve a notice upon any person who can decrypt that information, requesting that they either provide the information in an intelligible form or provide the key to enable the public authority to decrypt the information itself.

The Code states that notices could potentially be served on individuals who use products to protect data under their control and on “businesses involved in producing or supplying these products or services”. The Code envisages that in most cases the people who will be subject to the Act are individuals who hold protected information that is relevant to an investigation. However, a business or individual that possesses a key to such information by virtue of a relationship with a person under investigation may also be required to disclose that key.

The Code states that putting information in an intelligible form means “restoring the protected information to the condition it was in before being protected”, even if that earlier condition was itself encrypted (for example, where the data had already been encrypted by a third party before the recipient of the notice applied their own protection; the notice does not require that earlier layer to be removed). A notice to put information in an intelligible form will be the most common type of notice. A notice to disclose the key (which the Act defines broadly to include passwords, codes, algorithms and similar data) will only be served in special circumstances. The Code states that “investigators must take into account the legitimate needs of businesses and individuals to maintain the integrity of their information” and should therefore require the disclosure of information in an intelligible form rather than disclosure of the key. A key should only be required where this is proportionate and where the investigator reasonably believes that “assistance to make the protected information available… is unlikely to be forthcoming or effective”.

Any notice served under Part III should indicate a time frame within which the information must be provided. The Code states that the time frame must be “reasonable and realistic in all the circumstances”, taking into account the practical and technical requirements of making the information available, and that it should allow enough time for the recipient to consult their legal and technical advisers before disclosing the information.

It is a criminal offence to knowingly fail to disclose information in an intelligible form, or to fail to disclose a key, on receipt of a notice requiring it. If convicted on indictment an individual could face two years’ imprisonment (or five years where the notice was given in the interests of national security). On summary conviction the maximum penalty is six months’ imprisonment and/or a fine. Where the notice includes a secrecy requirement it is also an offence to reveal the fact that the notice has been given or its contents (although recipients may inform their professional legal advisers that they have received the notice, and may contact the National Technical Assistance Centre (NTAC) to verify that the notice is genuine).

The Code maintains that in practice notices should be served on company secretaries, legal directors, chief information officers and individuals in similar positions. Where there is no such senior officer in a company, a notice can be served on the officer or employee who is in possession of the key.

The Code states that in most circumstances a firm or corporate body should not be given a notice unless there has been prior consultation with them. This consultation has to address the “technical and practical implications for the business of a proposed disclosure requirement”.

Once a notice has been complied with, the recipient should receive written confirmation that they have complied with its terms.