Friday, October 05, 2007

UK Law Demands Decryption Keys for Your Data

The UK has a new law that forces criminal suspects to hand over encryption keys or face jail time. The penalty for refusing is up to five years for terrorism-related investigations or up to two years for other types of criminal investigations. I was immediately struck by the futility of this law - people who are criminally innocent but use encryption to protect their privacy will surely acquiesce and have their privacy violated. Hardcore criminals will likely take the guaranteed sentence rather than expose what they have been up to, which in many cases would carry a much stiffer penalty.

Perhaps the real hope is that this law gives law enforcement a bit of leverage when trying to elicit confessions or cooperation. In the end, it will just drive legitimate data encryption services out of the UK (the article notes the law doesn't apply to data outside of or in transit through the UK), or force users to some form of security through obscurity. If they don't know it's encrypted, they can't ask for the keys, right?

The US went through a similar debate in the '90s over key escrow; thankfully it never came to pass. The FBI now realizes it is easier to circumvent the encryption entirely.
