more on Can you be compelled to give a password? [was: PoliceBlotter: Laptop border searches OK'd]

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Jonathan H. Care" <j.care () securitypractice com>
Date: July 29, 2006 8:25:54 AM EDT
To: bensons () neohaven net
Cc: dave () farber net
Subject: RE: [IP] more on Can you be compelled to give a password?  
[was: PoliceBlotter: Laptop border searches OK'd]



> -----Original Message-----
> From: bensons () neohaven net [mailto:bensons () neohaven net]
> Sent: 29 July 2006 00:02
> To: Jonathan H. Care
> Cc: dave () farber net
> Subject: Re: [IP] more on Can you be compelled to give a
> password? [was: PoliceBlotter: Laptop border searches OK'd]
>
> Jonathan-
>
> In the UK, what does it mean to be "required to do so by law
> enforcement"?
> If a traffic officer demands my password am I obliged to give
> it? I assume that a subpeona or some other due-process can
> "require" me, but I'm not sure where that line gets drawn in
> the US, UK, or elsewhere.

This is an interesting one. The original RIPA of 2000 earmarked specific
officers and processes that would be required to demand disclosure of
encryption keys (or passwords). Some five years after the original
deployement of this legislation, the UK Home Office are now deploying
RIPA Part III. Parts I and III of RIPA have been particularly
controversial because they address the interception of communications,
and government access to encryption keys respectively.

In 2002, there was a backlash from Telco's and ISPs in the UK over the
costs involved in complying with the Act. BT, Vodafone and lobby group
Eurim called for more clarity on the costs involved in complying with
the Act. Vodafone suggested that, even if the code does not go into
detail on costs, it should mention the fact that the Government had
agreed to provide a fair contribution. Eurim, meanwhile, said it wanted
more information to be provided in the code on the potential costs of
the technical upgrading that would be required to comply with the Act.

In September 2003, Home Secretary David Blunkett announced wide-ranging
extensions to the list of those entitled to see information collected
under the RIPA. The list now includes jobcentres, local councils, and
the Chief Inspector of Schools. Civil rights and privacy campaigners
have dubbed these extensions a "snoopers' charter".

Part 3 of RIPA is now being brought into effect by HMG. "The use of
encryption is... proliferating," Liam Byrne, Home Office minister of
state told Parliament last week. "Encryption products are more widely
available and are integrated as security features in standard operating
systems, so the Government has concluded that it is now right to
implement the provisions of Part 3 of RIPA... which is not presently in
force."

Part 3 of RIPA gives the police powers to order the disclosure of
encryption keys, or force suspects to decrypt encrypted data. Anyone who
refuses to hand over a key to the police would face up to two years'
imprisonment. Under current anti-terrorism legislation, terrorist
suspects now face up to five years for withholding keys. If Part 3 is
passed, financial institutions could be compelled to give up the
encryption keys they use for banking transactions.


> Cheers,
> -Benson

Kind Regards,
Jonathan Care
Director, The Security Practice Ltd.
Tel: +44 (0)845 123 5413
Email: j.care () securitypractice com
Skype: jonathancare






-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/