The Home Office has given some vague details about the number of Regulation of Investigatory Powers Act 2000 Part III - Investigation of Electronic Data Protected by Encryption etc. Section 49 Notices which have been issued since October 2007:
29 Apr 2008 : Column 361W
Regulation of Investigatory Powers Act 2000
David Davis: To ask the Secretary of State for the Home Department (1) how many people have been (a) proceeded against for and (b) convicted of failing to disclose information in encrypted form under section 53 of the Regulation of Investigatory Powers Act 2000; 
(2) how many prosecutions and convictions there have been under the Regulation of Investigatory Powers Act 2000 for withholding passwords and encryption keys to hard drives since that provision entered into force. 
Jacqui Smith [holding answer 23 April 2008]: These provisions came into force on 1 October 2007 and to date eight section 49 notices have been served, four of which were in terrorism related cases. In these four cases two people have been charged with the offence of failing to comply with a section 49 notice, and the appropriate investigating authorities are also considering what action to take in regard to the other two terrorist related cases. These cases have yet to come before the courts.
Remember that even before this legislation was brought into force, after seven years or so of delay, it had been amended so that the penalty in a vaguely worded, undefined "national security" investigation could be up to 5 years in prison, instead of up to 2 years in "normal" cases.
In two of the remaining (non-terrorism related cases) the encryption keys have been disclosed.
What about the other two non-terrorism related cases then ?
See the URL links in the previous Spy Blog entry - "All Your Encryption Keys Are Belong To Us" - RIPA Part III to come into force on 1st October 2007
We are still not impressed with the alleged safeguards in contained in the Statutory Code of Practice, which fails to insist that disclosed Cryptographic Keys or the sensitive data which they are protecting, is always encrypted by the Police or or Intelligence Agencies themselves during transit and storage.
How long before there is a missing laptop computer / CDROM disk / USB flash memory device etc. scandal involving such RIPA Part III section 49 seized cryptographic data ?
We suggested this during the Public Consultation on the Draft Code of Practice, back in 2006, but we were ignored.