22 May 2006
Proposed changes to the Regulation of Investigatory Powers Act (RIPA) and Computer Misuse Act (CMA) could inadvertently criminalise many IT professionals, legal and security experts have warned.
The Home Office announced last week that it plans to bring into force a previously dormant part of RIPA that gives police the power to force organisations to disclose their encryption keys. Speaking to Parliament, Home Office minister Liam Byrne said the growing availability of encryption technology and the potential for it to be used by criminals and terrorist groups meant it was time to give police powers included when the legislation was passed in 2000 allowing seizure of encryption keys.
Refusal to hand over keys could result in two years imprisonment, rising to five years if there is suspected terrorist activity. The Home Office said it will publish a draft code of practice early next month outlining how police will use the new powers and it will start a consultation with stakeholders.
However, some security experts warned that in its current form the law could inadvertently discourage firms from investing in the UK and could even criminalise innocent IT professionals.
Dr Richard Clayton, a security expert at Cambridge University, told IT Week that giving the police the power to seize encryption keys would be "damaging to the UK economy" as multinational firms would be reluctant to keep encryption keys in the country. "Multinationals are very risk-averse and it would be stupid of them to keep master keys in the UK where they could be commanded to hand them over," he explained. "They are just going to keep them in New York or Zurich instead."
Any firm forced to hand over an encryption key would also have to re-encrypt all affected data, according to George Gardiner of solicitors Gardiner & Co. "Once you release a key there is no way you as an organisation know it will stay secure so you have to re-encrypt," he argued.
IT professionals will also have to be careful to ensure they can decrypt any encrypted corporate data, because if they cannot do so it might be an offence. "You need to make sure you can decrypt everything or have a very good reason as to why something can't be decrypted, because failure to turn encrypted data into an 'intelligible form' could lead a jury to convict," warned Clayton.
The concerns echo similar fears that proposed amendments to the CMA, which will soon be debated by the Lords having been passed by the Commons earlier this month, could also criminalise innocent IT security professionals.
Experts have broadly welcomed proposals to increase sentences for hackers and to criminalise denial-of-service attacks explicitly. But Clayton warned that proposed measures to make it an offence to make, supply or obtain articles that are "likely" to be used by hackers would criminalise people developing or distributing dual-use software tools that can be used for both hacking and legitimate activities.
"People write and publish a program to demonstrate a security flaw so that related vulnerabilities can be addressed, but in publishing the program you know hackers are likely to use it as well," said Clayton. "The industry has decided it is worth publishing these programs, but under the proposed wording of the CMA it is technically illegal."
Clayton added that other legitimate software tools likely to be used by hackers, such as network vulnerability-detection programs, password crackers and the Perl scripting language would also be criminalised.
The Home Office maintained that the CMA would not be used to prosecute legitimate activity, but critics said that even if the law is not enforced it would technically criminalise innocent behaviour and would therefore increase the legal risk faced by IT professionals.
"The issue with both these laws is that IT directors won't be able to quickly deploy software tools anymore," argued Gardiner. "Before undertaking any project you will have to sit down with the HR and legal departments and draw up policies governing how you use these tools, so that even if what you do could be deemed technically illegal you can create a strong case that it was done for legitimate business reasons."