Article - New UK cryptography law challenges Internet communication (April 2000)
NOTE: Following the publication of this article, the legislation was passed without the controversial requirement of proving innocence to the balance of probabilities - August 2000
The United Kingdom has moved to regulate covert surveillance and interception of communications by law enforcement and security agencies under the Regulation of Investigatory Powers Bill, (the RIP Bill) which was introduced into Parliament in February 2000.
The RIP Bill is designed to regulate the use of surveillance and interception powers by the police, security services and other law enforcement agencies to cover new technologies which have been developed in recent years, especially Internet related technologies. A summary of the main provisions is provided in the attached information box
The Bill brings interception legislation up to date to include e-mail services through Internet Service Providers (ISPs), satellite telephones, and radio pagers. It also extends the interception regulation to non-public networks, eg office switchboards. The Bill requires these services, including Internet Service Providers to maintain ‘reasonable interception capabilities’. This is similar to Australian requirements imposed in telecommunications legislation on carriage service providers.
The main impact of the Bill on the Internet, however, is its regulation of the use of encryption. The Bill allows law enforcement, security and intelligence agencies to require any person to provide a decryption key or the plain text of specified material in response to the service of a written notice. This power applies to material which itself is being, lawfully obtained.
This power to compel decryption throws up an enormous challenge to Internet communication. It has caused serious international controversy and may serve to undermine confidence in encryption and general Internet security.
Like Australia, the United Kingdom has not resolved the policy debate surrounding the use of cryptography. In both countries the use of cryptography is not banned, although export restrictions may restrict its availability. In addition, despite requirements to cooperate with law enforcement agencies, there has been no specific power to compel decryption until now, and neither country has a general requirement to participate in a key escrow regime.
The RIP Bill introduces a new element into the cryptography debate, one that may be followed in time in Australia. The power to compel decryption may be seen by government as a natural extension of the requirement to cooperate with law enforcement agencies contained in Australian telecommunications legislation. Where a party has both the ability to intercept communications and the ability to decrypt information, they would be required to do so under the UK model.
While the policy debate on this issue in the UK seems to have closed, there is some continuing argument about the details of the legislation.
Clause 46 provides that authorities must have ‘reasonable grounds to believe’ the decryption key is in possession of a person who they are compelling to decrypt the information.
Clause 49 provides that in order to prove non-compliance with a notice to decrypt, the prosecution must prove the person ‘has or has had’ possession of the key. This satisfies the objection to the case where a person may never have had possession of the key (‘encrypted e-mail out of the blue’), but leaves unchanged the essential reverse-burden-of-proof for someone who has forgotten or irreplaceably lost a key.
This aspect of the legislation is likely to be challenged under European Human Rights law by civil liberties advocates in the UK. The Foundation for Information Policy and Research (FIPR), for example, have argued that requiring the defence to prove that they do not posess a key was a likely breach of the European Convention of Human Rights.
Specifically, the bill stipulates that if a message or device traced to an individual contains encrypted data, they can be required by a statutory order to hand over the key needed to decrypt that data. If the individual has lost or forgotten that key, they will be presumed to be guilty of an offence and required to prove to a court that they have indeed lost or forgotten it. If convicted, the individual may be jailed. The defence must be proved on the balance of probabilities.
As some critics have pointed out, this requirement breaches a basic principle of human rights law, as espoused in the Canadian case R v Whyte:
‘If an accused is required to prove some fact on the balance of probabilities to avoid conviction, the provision violates the presumption of innocence because it permits a conviction in spite of a reasonable doubt in the mind of the trier of fact as to the guilt of the accused.’
These issues may cloud the initial impact of the legislation, and developments will be monitored closely in Australia
The Regulation of Investigatory Powers Bill (UK) is summarised below, including key headings and some specific provisions:
Part I - Communications Interception
Unlawful and authorised interception
1. Unlawful interception.
2. Meaning and location of ‘interception’ etc.
3. Lawful interception without an interception warrant.
4. Power to provide for lawful interception.
5. Interception with a warrant.
6. Application for issue of an interception warrant.
7. Issue of warrants.
8. Contents of warrants.
9. Duration, cancellation and renewal of warrants.
10. Modification of warrants and certificates.
11. Implementation of warrants.
Interception capability and costs
12. Maintenance of interception capability.
(1) The Secretary of State may by order provide for the imposition by him on persons who-
(a) are providing public postal services or public telecommunications services, or
(b) are proposing to do so,
of such obligations as it appears to him reasonable to impose for the purpose of securing that it is and remains practicable for requirements to provide assistance in relation to interception warrants to be imposed and complied with.
Part II - Surveillance And Covert Human Intelligence Sources
Authorisation of surveillance and human intelligence sources
26. Lawful surveillance etc.
27. Authorisation of directed surveillance.
28. Authorisation of covert human intelligence sources.
(2) Neither the Secretary of State nor any senior authorising officer shall grant an authorisation for the carrying out of intrusive surveillance unless he believes-
(a) that the authorisation is necessary on grounds falling within subsection (3); and
(b) that the authorised surveillance is proportionate to what is sought to be achieved by carrying it out.
(3) Subject to the following provisions of this section, an authorisation is necessary on grounds falling within this subsection if it is necessary-
(a) in the interests of national security;
(b) for the purpose of preventing or detecting serious crime; or
(c) in the interests of the economic well-being of the United Kingdom.
Part III - Investigation Of Electronic Data Protected By Encryption Etc.
Power to require disclosure of key
47. Disclosure of information in place of key.
(1) Subsection (2) applies where-
(a) a person is required by a section 46 notice to disclose a key to any protected information; and
(b) compliance with the requirement by the provision of the information in an intelligible form is authorised for the purposes of this section.
(2) The person required to disclose the key-
(a) may use it to obtain access to the protected information, or to put that information into an intelligible form; and
(b) (b) shall be taken for the purposes of this Part to have complied with the requirement to disclose the key if, by the time by which he is required to disclose it to any person, he has instead provided that person with the information in an intelligible form.
49. Failure to comply with a notice.
(1) A person is guilty of an offence if-
(a) he fails to comply, in accordance with any section 46 notice, with any requirement of that notice to disclose a key to protected information; and
(b) he is a person who has or has had possession of the key.
(2) In proceedings against any person for an offence under this section, it shall be a defence (subject to subsection (4)) for that person to show-
(a) that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it; but
(b) that he did, before that time, make a disclosure, to the person to whom he was required to disclose the key, of all such information in his possession as was required by that person to enable possession of the key to be obtained.
(3) In proceedings against any person for an offence under this section it shall be a defence (subject to subsection (4)) for that person to show-
(a) that it was not reasonably practicable for him to make a disclosure of the key before the time by which he was required to do so;
(b) where the key was not in his possession at that time, that it was not reasonably practicable for him, before that time, to make such a disclosure as is mentioned in subsection (2)(b); and
(c) that as soon after that time as it was reasonably practicable for him to make a disclosure of the key or (if earlier) of sufficient information to enable possession of the key to be obtained, he made such a disclosure to the person to whom he was required to disclose the key.
(4) Except in a case where there is no authorisation for the purposes of section 47, in proceedings for an offence under this section a person shall have a defence under subsection (2) or (3) only if he also shows that it was not reasonably practicable for him to comply with the requirement in the manner allowed by that section.
(4) In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that-
(a) the disclosure was effected entirely by the operation of software designed to indicate when a key to protected information has ceased to be secure; and
(b) that person could not reasonably have been expected to take steps, after being given the notice or (as the case may be) becoming aware of it or of its contents, to prevent the disclosure.
(5) In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that-
(a) the disclosure was made by or to a professional legal adviser in connection with the giving, by the adviser to any client of his, of advice about the effect of provisions of this Part; and
(b) the person to whom or, as the case may be, by whom it was made was the client or a representative of the client.
(6) In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that the disclosure was made by a legal adviser-
(a) in contemplation of, or in connection with, any legal proceedings; and
(b) for the purposes of those proceedings.
(7) Neither subsection (5) nor subsection (6) applies in the case of a disclosure made with a view to furthering any criminal purpose.
(8) In proceedings against any person for an offence under this section in respect of any disclosure, it shall be a defence for that person to show that the disclosure was authorised by or on behalf of either the person who gave the notice or a person who-
(a) is in possession of the protected information to which the notice relates; and
(b) came into possession of that information as mentioned in section 46(1).
(9) In proceedings for an offence under this section against a person other than the person to whom the notice was given, it shall be a defence for the person against whom the proceedings are brought to show that he neither knew nor had reasonable grounds for suspecting that the notice contained a requirement to keep secret what was disclosed.
Part IV - Scrutiny Etc. Of Investigatory Powers And Of The Functions Of The Intelligence Services
A series of new Commissioners are to be appointed, including the Interception of Communications Commissioner, the Covert Investigations Commissioner, the Security Service Act Commissioner and the Intelligence Services Act Commissioner.
In addition, the Act establishes a new Tribunal and mandates the development of a Code of Practice.
Full details of the enacted legislation appear at: http://www.hmso.gov.uk/acts/acts2000/00023--e.htm
 Reg v Whyte (1988) 51 DLR (4th) 481