I wrote the below letter to my MP because I oppose laws which potentially criminalise vast swathes of people, leaving open the possibility for the Police to selectively enforce the law. A society where everybody routinely breaks, or is unable to comply with the law and the state enforces the law arbitrarily is in my view a lawless society, something I would like to avoid in the UK.
Subject: Reject proposal to activate section 3 of RIPA
David Howarth (Cambridge MP),
I would like to urge you to ensure that the activation of part three of the Regulation of Investigatory Powers Act (RIPA) does not criminalise ordinary people who may not be aware that they use encryption in their daily lives and who may not know what an encryption key is – their information being automatically encrypted by software and appliances that they use.
I do not want a situation where the state can jail people simply for not being able to provide encryption keys. As many (most?) people would find it impossible to comply with a request to disclose encryption keys they have used I envisage this law could be used to jail people the state merely suspects or dislikes, which I view as an unacceptable situation.
Charles Clark as home secretary indicated that the law was to be used to jail those merely suspected of terrorism as this exchange from the Common’s home affairs committee on 21/March/06 :
Q329 Colin Burgon: The penalty under Part 3 of RIPA for failing to release an encryption key is two years. Do you think that is inadequate in the light of the fact that the suspect could be facing something like 20 years in prison on a terrorism charge? How do you balance that one out?
Mr Clarke: I do, and that is why we put the proposal in clause 15 on the Terrorism Bill to increase the maximum in national security cases to five years, for exactly the reason you imply, because the encryption key is so important that it needs to be seen as a very serious offence. Some might argue that five years is itself not long enough, but we are increasing it to five years for the reason that you have said.
I interpret that as saying – if we can’t prove the terrorism charge we’ll get them for not disclosing an encryption key.
In the same exchange Clarke said:
We will, I think within the next three months, be consulting publicly on a draft code of practice on Part 3 of RIPA and, after that public consultation, Parliament will be required to approve the statutory code.
(http://www.publications.parliament.uk/pa/cm200506/cmselect/cmhaff/uc910-iv/ uc91002.htm – Reference for the above)
I believe you can act on this by:
1. Doing what you can to ensure that the public consultation on a code of practice for using the powers in section 3 of RIPA which has been (sort of) promised actually occurs and is well publicised. (It is not yet listed: http://www.homeoffice.gov.uk/about-us/haveyoursay/current-consultations/)
2. Voting against the code of practice when it is put to parliament for its approval if it leaves open the possibility that individuals can be jailed just for not providing a requested encryption key.
3. Educating yourself on the use of encryption technology, and the extent to which it is pervading many elements of modern life.
The proposed law is also I believe potentially bad for the UK as a centre internet, information and banking industries, if companies can be forced to give up encryption keys they may well decide to base their operations elsewhere.
Related Link: “More then 600 people took part in a poll on ZDNet UK, which asked whether they supported the government’s plans. Nearly 90 percent said they opposed the idea, with eight percent saying they were unconvinced and just two percent backing the government.”
Please do not bother spending time and money replying to me, I am happy to have simply had the opportunity to make my opinion known to you.
Update: March 2008: I wrote to my MP on 05 June 2006, Section Three of the Regulation of Investigatory Powers Act (RIPA) came into force at the start in October 2007, and already the existence of the law is providing a licence for arms of the state to intimidate people – http://www.theregister.co.uk/2007/11/14/ripa_encryption_key_notice/.
6 responses to “Part 3 of RIPA – A Step Towards Lawlessness”
I thought I’d just add the following to this article, as some readers were not aware of it:
http://security.homeoffice.gov.uk/ripa/encryption/faqs/
The first person know to have been jailed as a result of this law is reportedly not a criminal but a mentally ill hobbyist refusing to disclose his encryption keys on principle.
This is a bad law; with potential to be abused.
http://www.theregister.co.uk/2009/11/24/ripa_jfl/
Another individual has been reported to have been jailed for refusing to disclose a password:
http://www.bbc.co.uk/news/uk-england-11479831
In this case its a 50 character password; and the police have the individual’s computer.
Part III of RIPA is the law under which David Miranda, who was detained at Heathrow Airport while reportedly carrying reportedly encrypted information linked to Edward Snowden could be considered to be committing an offence if he fails to provide the UK state with the encryption keys to enable them to access the information. It has been reported :
A further case relating to this law is being reported:
http://www.theregister.co.uk/2014/01/16/password_refusal_earns_terror_suspect_extra_jail_time
Dear Richard,
Thank you for this article and the follow up comments, I was curious if you know how many people have been convicted and how many notices given since the law came into force in October 2007? I am wondering how many of these instances actually result in convictions. It would be great to get more details on the individual cases, I have no idea where (and if) we can find that at all.