New RIPA Act powers put data security at risk
Encryption expert warns that new police powers will open up "a host of management problems" for companies
New powers to allow police to decrypt data for evidence will risk compromising data confidentiality and security, an encryption expert warned.
New powers under Part III of the Regulation of Investigatory Powers Act 2000 (RIPA), which come into effect in the next few months, allow law enforcement officers to gain access to encryption keys needed to decrypt data which could be vital for a conviction.
But according to Dr. Nicko Van Someren, chief technology officer at nCipher, the new powers open up "a host of management problems".
"Company executives will have to disclose encryption keys without opening up security holes or face up to five years in prison; while law enforcement officers face legal action if they fail to adequately secure evidentiary keys leading to loss or consequential damage," said Van Someren. "It is clear that sophisticated key management systems will be needed to avoid the possibility of the misuse of disclosed keys or breaches of data protection laws."
Many financial institutions and other organisations are concerned about data security and conflicts with data privacy rights as a result of RIPA part III. Since companies can be held liable for the accidental or negligent disclosure of customer information, the keys used to protect customer data are just as valuable as those used for banking transactions.
The new legislation means businesses have to implement strict control over encryption and to provide authorised access to keys. According to Van Someren, making copies of cryptographic keys is "not a safe option".
"Businesses and authorities need to adopt best practice already used by many banks and security-conscious companies," he said. "RIPA part III places a heavy duty of disclosure on companies and organisations; but it also places a burden of care and security on the law enforcement authorities."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.