Ripa law may expose firms to blackmail

Companies may suffer more attacks if police powers are boosted, say experts

Proposed changes to the Regulation of Investigatory Powers Act (Ripa) giving police powers to make suspects produce "intelligible" copies of encrypted computer files could make firms vulnerable to new forms of electronic attacks, experts warned this week.

The Home Office is currently undertaking a consultation exercise about its plans to activate a previously dormant part of Ripa, giving police powers to force individuals to decrypt data or potentially face a prison sentence of up to five years. The Home Office has maintained such powers are necessary to tackle criminals, such as paedophiles and terrorists, who encrypt suspect computer files.

Police estimated there have already been 30 cases where potentially important computer evidence has been inaccessible to investigators.

However, experts at a public meeting organised last week by the Foundation for Information Policy Research (FIPR) to discuss the code of conduct that will accompany the new powers warned that the proposals could increase individuals' and firms' vulnerability to cyber attacks.

Caspar Bowden, former director of FIPR, reportedly warned that criminals could develop malware that changes or deletes a victim's encryption key, then blackmail the user by threatening to tip off the police that the now-undecryptable files contain evidence of criminal activity.

Under the proposed legislation a user's inability to decrypt the data could be deemed a criminal offence, although the Home Office's Simon Watkin said prosecutors would have to prove beyond reasonable doubt that the defendant possessed an encryption key before being served with a notice demanding disclosure of the suspect files.

Bowden added that criminals could also use such viruses on their own computers, creating a so-called "virus ate my password" (Vamp) defence that would allow them to claim it is not their fault they can no longer open suspect files.

Richard Clayton, a security expert at Cambridge University, said that while blackmail scams were rarely successful it was technically feasible for criminals to introduce viruses capable of changing or removing encryption keys. He added that the proposed changes to Ripa were "extremely unsatisfactory" and would introduce new legal liability for firms.

"If you can't open an encrypted file - perhaps because it was encrypted by someone who has since left - and you receive a notice from the police, there is a risk it could go to a jury, and you have to bear in mind most juries don't know much about encryption technology," said Clayton.

Clayton said the legislation should provide a reminder to firms to ensure they have clear encryption policies in place. "You need policies on what should and shouldn't be encrypted and on who should be allowed to decrypt it - as much to handle the risk of people leaving or getting hit by a bus as to counter the risk of police asking to see the data," he explained.
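The two risks the article raises, a key wiped by malware and a file encrypted by someone who has since left, have the same technical mitigation: never let a single person's key be the only way to open a file. The example below is added here to illustrate that policy; it is not code from the article, from FIPR or from the speakers quoted. It uses envelope encryption: each file is sealed with a fresh random data key, and that data key is wrapped separately for the employee and for a corporate recovery key held by the firm. The holder names, the sample plaintext and the keys are constructed for the demo, and the cipher is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, used only so the example runs on the standard library; a real deployment would use a vetted AEAD such as AES-GCM.

```python
"""Envelope encryption with a corporate recovery slot (illustrative, stdlib only)."""
import hashlib
import hmac
import os
import secrets

# The primitive below stands in for a real AEAD (e.g. AES-GCM) so that the
# example has no third-party dependency. Do not use it outside this demo.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based keystream of `length` bytes."""
    blocks = (length + 31) // 32
    out = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    if len(blob) < 48:
        raise ValueError("sealed blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt_file(plaintext: bytes, holder_keys: dict) -> dict:
    """Seal the file with a random data key, then wrap that data key once per holder.

    holder_keys maps a holder name (e.g. the employee, the corporate recovery
    key) to that holder's key. Every holder listed can independently recover
    the file; nobody else can.
    """
    data_key = secrets.token_bytes(32)
    return {
        "ciphertext": seal(data_key, plaintext),
        "wrapped_keys": {name: seal(k, data_key) for name, k in holder_keys.items()},
    }


def decrypt_file(package: dict, holder: str, holder_key: bytes) -> bytes:
    """Unwrap the data key with one holder's key, then open the file."""
    wrapped = package["wrapped_keys"].get(holder)
    if wrapped is None:
        raise KeyError(f"no key slot for holder {holder!r}; file is unrecoverable by them")
    data_key = unseal(holder_key, wrapped)
    return unseal(data_key, package["ciphertext"])


def demo() -> dict:
    """Walk through the article's scenarios with constructed keys and data."""
    document = b"constructed sample: Q3 supplier contract"  # constructed plaintext
    alice_key = secrets.token_bytes(32)          # employee's key (constructed)
    recovery_key = secrets.token_bytes(32)       # firm-held recovery key (constructed)

    # Policy-compliant file: wrapped for the employee AND the recovery key.
    good = encrypt_file(document, {"alice": alice_key, "corporate-recovery": recovery_key})
    # Policy-violating file: only the employee can ever open it.
    lonely = encrypt_file(document, {"alice": alice_key})

    # Scenario from the article: Alice's key is gone (malware wiped it, or she left).
    alice_key = None
    recovered = decrypt_file(good, "corporate-recovery", recovery_key)

    try:
        decrypt_file(lonely, "corporate-recovery", recovery_key)
        lonely_recoverable = True
    except KeyError:
        lonely_recoverable = False

    # Tampering with the wrapped key (the malware case) is detected, not silently decrypted.
    damaged = dict(good, wrapped_keys=dict(good["wrapped_keys"]))
    blob = bytearray(damaged["wrapped_keys"]["corporate-recovery"])
    blob[20] ^= 0x01
    damaged["wrapped_keys"]["corporate-recovery"] = bytes(blob)
    try:
        decrypt_file(damaged, "corporate-recovery", recovery_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "recovered_matches": recovered == document,
        "single_holder_recoverable": lonely_recoverable,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The recovery key is the piece of policy Clayton is pointing at: it decides who, besides the author, is allowed to decrypt, and it is what keeps a lost or maliciously wiped personal key from turning into an unopenable file and a disclosure notice the firm cannot comply with. Storing that key offline under dual control, and auditing that every file actually carries a recovery slot, is the operational half of the same policy.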