October 1st 2007 is another milestone in British State surveillance, when some more of the authoritarian and repressive Labour Government's snooping policies come into legal force. Why were the Opposition parties so feeble and ineffective when these horribly complicated and bureaucratic yet draconian laws and pieces of secondary legislation were meant to have been properly scrutinised by Parliament?
Firstly, Communications Traffic Data, initially for mobile phones and landline telephones and faxes etc., is to be retained by the telecommunications network providers for at least a year, i.e. far longer than it would otherwise be legal to keep it once they have no legitimate business use for the data, such as itemised phone bills which have already been paid.
- Statutory Instrument 2007 No. 2197 - The Regulation of Investigatory Powers (Acquisition and Disclosure of Communications Data: Code of Practice) Order 2007
- Statutory Instrument 2007 No. 2199 - The Data Retention (EC Directive) Regulations 2007
This extension of the Regulation of Investigatory Powers Act 2000 Part II, which has been in force for years, will obviously take a few weeks or months to start to affect the millions of innocent people whose privacy and security is being put at risk "just in case" there may be some unspecified criminal investigation or intelligence agency snooping in the future.
However, there is now a further and immediate potential threat to your privacy, security, online financial transactions and money, namely Government access to encryption keys or decrypted data under the Regulation of Investigatory Powers Act Part III Section 49 Disclosure Notices:
- Statutory Instrument 2007 No. 2196 (C. 85) - The Regulation of Investigatory Powers Act 2000 (Commencement No. 4) Order 2007
- Statutory Instrument 2007 No. 2200 - The Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007
Incredibly, this bit of law, which has lain dormant on the statute books for over 7 years, was amended by the notorious Terrorism Act 2006, so that the penalty for refusing to disclose your secret cryptographic Decryption Key(s), or to provide plaintext decrypted versions of the protected data, has been increased from 2 years in prison to 5 years in prison for catch-all and undefined "national security investigations". Since the penalties for terrorism or espionage are longer than this, how is this anything but gesture politics?
There is also the provision for a "tipping off" offence, again punishable by up to 5 years in prison, if the law enforcement or intelligence agency bureaucrats tick the "secrecy" box on the still as yet undefined format of a Section 49 Notice demanding your cryptographic keys etc.
It should also be remembered that RIPA Part III also makes Police or Intelligence Agency staff legally liable for breaches of the security of seized cryptographic keys or of the protected material disclosed under a Section 49 Notice.
Even though our good advice during the alleged public consultation on the Code of Practice last year has been ignored, we still feel that it is vital that any such cryptographic keys and / or protected plaintext data should themselves be encrypted, using UK Government approved cryptography or even reasonable commercially or freely available cryptography, especially when held on removable media or laptop computers, or when transferred via the internet or WiFi etc.
If there are any lost, stolen or malware-infected laptop computers, removable media or USB flash memory devices, plaintext email attachments, data transfers or data backups etc., then the individuals responsible and their bosses should be prosecuted for malfeasance in public office, and be made to pay financial compensation and damages to anyone whose innocent data, intellectual property or electronic money etc. has been compromised or put at risk.
If, say, the private key for the SSL / TLS Digital Certificate of an e-commerce or internet banking website is compromised by negligent data handling following a RIPA Section 49 Notice, then the amount of damages which a Court might award could run into millions of pounds.
See our sub-blog published last summer during the so-called public consultation process on the Code of Practice for RIPA Part III.
Please contact us if you are served with a RIPA Section 49 Notice (obviously not if it has a secrecy rider), as we would like to be able to recognise a genuine one, to differentiate it from the inevitable "phishing" scams which will seek to exploit the secrecy of such Notices and the unfamiliarity of the public and commercial organisations with them.
We demand that the RIPA Commissioners, the Home Office and the supposed Single Point of Contact, the National Technical Assistance Centre (now under the management of GCHQ and the Foreign Office) should keep records of, and provide a breakdown of the actual numbers of RIPA Section 49 Notices which have been served. These figures should include how many Section 49 Notices have the "tipping off" secrecy requirement, and how many, according to the Code of Practice, have required that the Financial Services Authority be informed (e.g. when obtaining financial services cryptographic keys).