Almost a year since the Public Consultation held last summer, and over 7 years since the legislation was passed, the Home Office seems to be intent on bringing the controversial Regulation of Investigatory Powers Act 2000 Part III - Investigation of Electronic Data Protected by Encryption etc. into force on 1st October 2007.
- See the relevant Home Office Encryption Code of Practice web page.
Draft Statutory Instrument 2007 No. -
The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007
- The full text of the Investigation of Protected Electronic Information Draft Code of Practice (.pdf 51 pages)
- See also our RIPA3 sub-blog which helped to gather some responses to last summer's public consultation.
It does seem that some of our (and, obviously, other people's) suggestions have been listened to, but some sensible, practical ones have been ignored:
The published Draft Code of Practice puts the National Technical Assistance Centre (which is no longer part of the Home Office bureaucratic empire, but has been absorbed by GCHQ under the Foreign and Commonwealth Office) firmly in the role of a Single Point of Contact (SPoC), through which all requests for encryption keys or decrypted plaintext material must be approved, in an analogous manner to the SPoC concept that has been used in practice for several years for Communications Traffic Data requests.
If NTAC are sane and professionally competent, they will publish a public PGP Signature Key for their email address, and set up a contact website indexable by search engines, with an SSL/TLS protected web contact form and official 24 hour contact telephone numbers.
NTAC may be contacted at: firstname.lastname@example.org
Even though there is still no explicit mandatory use of Digital Signatures to help with rapid authentication of Section 49 Disclosure Notices, especially outside of normal office hours, this could perhaps happen in practice:
4.22 It is essential that any person who is given a notice is able to confirm its authenticity should they need to do so. Where such assurance is required the person given notice or their professional legal adviser should contact NTAC to seek confirmation that the notice is authentic and lawful. Doing so will not breach any secrecy requirement of the notice.
4.26 Public authorities must provide a means for authenticating any notice they give at whatever time the notice is given.
Incredibly, and despite our suggestions via the public consultation process, this Draft Code of Practice still does not mandate the use of UK Government Approved Cryptography, e.g. Kilgetty or similar commercial products, to protect either disclosed cryptographic key material or disclosed plaintext "intelligible material" in transit.
We foresee future scandals involving the accidental loss or theft of portable computers or USB memory stick devices etc. containing such sensitive material.
The amendment to RIPA brought in by the controversial Terrorism Act 2006, which increased the penalty for "national security investigations", does not have any extra safeguards introduced by this Draft Code of Practice, except to state the primacy of MI5 and Scotland Yard's Counter Terrorism Command over other public bodies which may wish to invoke the magic words "national security".
There is still no clarification of how a regulated financial industry or e-commerce company is meant to cope with the optional secrecy and anti-tipping off demands under RIPA Part III, which may well be in conflict with the unlimited financial snooping powers granted to the Treasury by the then Chancellor Gordon Brown last year.