RIPA III: A legislative turkey comes home to roost
The tragic consequences of anti-crypto law
Comment The first conviction of a man under the draconian powers of RIPA Part III tragically bears out a prediction I made at the time: that these powers would do little or nothing to tackle serious crime or terror, but would create a power the police could use to harass people and undermine their right to remain silent.
After all, a hardened criminal can use deniable encryption, or claim to have forgotten the password; the likely victims would be the less organised and the vulnerable.
And so it has turned out. The first person convicted under this law was a vulnerable eccentric who refused to decrypt the files on his laptop when the Met's terror squad told him to. He was convicted and jailed despite prosecutors accepting that he was not involved in terrorism at all. He is now in a mental hospital.
Old-timers will remember the crypto wars of the 1990s. The US government tried to force everyone to use the Clipper chip, an encryption device for which they had a back-door key. When cryptographers broke the Clipper chip, Washington tried to make cryptography illegal unless the keys were deposited with a 'trusted third party' from whom the police could obtain keys secretly using a warrant.
Cryptographers and computer companies fought back, complaining of the threat to privacy, the chilling effect on e-commerce and the cost. Eventually the chief crypto warrior, Al Gore, dropped the issue during his presidential campaign in an attempt to curry favour with the industry.
As sometimes happens, US policy had toxic effects here. In 1996, trade minister Ian Taylor laid a trap for the opposition by talking of government control of cryptography. His shadow Chris Smith was not to be outdone at the 'tough on crime' game, and promised that New Labour would require people to hand over keys so that paedophiles could not escape surveillance.
This raised a storm of protest from geeks and from the IT industry, which had been cosying up to New Labour in the belief they’d win the 1997 election. Anne Campbell, the MP for Cambridge, ended up in charge of the issue as back then she was the only Labour MP with a publicly visible email address that she actually answered.
The compromise that appeared among New Labour’s election promises was a power to compel decryption of seized material. Taylor then calmly said that he'd changed his mind; crypto control was not necessary.
This nifty piece of political footwork was not enough to save John Major, though, and Labour's election promise duly arrived as Part III of the Regulation of Investigatory Powers Act 2000.
Blair initially tried for even more macho controls on crypto, but these were undermined by UK crypto campaigners, by the Gore U-turn, and by an EU ruling that keys would only be good for digital signatures if only the signer had a copy. So the bill's passage through Parliament was turbulent; there was much talk of serious crime and of terror. But even despite the events of 2001, Part III was not actually brought into force until 2007.
The whole business brings to mind a comment attributed to Bismarck: "Laws are like sausages – it's best not to watch them being made." ®
Copyright Ross Anderson 2009. Ross Anderson is Professor of Security Engineering at the University of Cambridge Computer Laboratory.
My locked box is none of their business
"If you had a locked box in your house and the police had a search warrant would you expect them to not demand you open the box ?"
If I had a locked box in your house and the police went on a fishing expedition, would you expect me to open the box? Why? Because they ask me to?
Police kicking in doors and searches belong to the old Soviet Union, not to a free country. He has the right to privacy, that right is enshrined in law, and the rozzers have not laid charges suitable to use this anti terror power.
Remember they've simply insinuated he is a terrorist pedo or something, but laid no charges to that effect. So you assert a search warrant rather than a fishing expedition, but what this case is is a fishing expedition backed by innuendo.
That's the key point, this is the first time they've prosecuted without A REASON TO REQUIRE THE REMOVAL OF PRIVACY.
It's a sad state of affairs, to see how bad the UK has become that the police can claim anyone is a terrorist and use powers given to them for anti-terror purposes against anyone at any time.
All your thoughts belong to us
A good article, if perhaps a little predictable.
It is clear though that there was a knee jerk reaction and the law was passed without being fully analysed or debated. I think unlikely that any subsequent government will repeal it, unless there is a really pressing reason for doing so. It needs a serious set of lobbying; and too few people care sufficiently about the issue to do anything. We are sleep walking into the sort of police state that once was the preserve of Uncle Joe or one of the African dictatorships.
BTW, like the new layout of comments - 1 thumb up.
Not going to work.
Truecrypt provides no way to prove there *isn't* a hidden volume. Conversation goes thusly:
PC Plod: "Give us the key."
Perp: "Here you go."
PC Plod: "Ok, thanks. Nice girlfriend you have. Now, the key for the hidden volume."
Perp: "There isn't one."
PC Plod: "Key for the hidden volume or RIPA S.3 violation."
Perp: "There isn't one!"
PC Plod: "Move directly to jail."