The amount of information stored in encrypted form is steadily increasing, encouraged by recommendations from the Information Commissioner and others. When deciding to adopt encryption, it is worth planning for what will happen if the police or other authorities need to access that information in the course of their duties.
Normally the existing access rules, under section 22 of the Regulation of Investigatory Powers Act 2000 (RIPA) or sections 28 and 29 of the Data Protection Act 1998, will be sufficient. When an organisation receives an order or request to disclose information that it holds in encrypted form, it simply decrypts it and provides the plaintext (securely!) to the police.
There are three situations where that won’t work:
- If someone else encrypted the information and the organisation doesn’t have a key to decrypt it;
- If the information was encrypted using someone else’s public key, so the organisation (not having the private key) can’t decrypt it;
- If the organisation used to be able to decrypt the information but the key has been lost/forgotten/destroyed.
If the police believe that you are refusing to decrypt information, they can serve a disclosure notice under s.49 of RIPA. Failing to comply with a notice is a criminal offence, so if you genuinely cannot decrypt the information it is important to be able to explain why. Ideally that explanation will prevent anyone serving a s.49 notice on you in the first place. But even if a notice is served you do not need particularly strong evidence: you need only produce “sufficient evidence to raise an issue” that you were not in possession of the key (s.53). The prosecution must then prove, beyond reasonable doubt, that you were.
Unfortunately neither the legislation nor the very limited case law (the Open Rights Group maintain a list of cases) provides much guidance on what that evidence might look like. But it should help to have a consistent, well-documented explanation of your encryption practice and of how it led to your being unable to decrypt the required information. For example:
- If you are advising others on encryption, make sure the guidance tells them how to keep the key secure without revealing it to others (including to the organisation itself); that way there is less chance of anyone assuming that an organisation can decrypt anything that happens to be on its systems;
- If you are sending a message encrypted to someone else’s public key and are not keeping a copy encrypted to yourself, there is little point in retaining the message you sent: without their private key you will never be able to read it anyway, and keeping it only leaves you holding encrypted data you cannot decrypt;
- If you are encrypting information that you intend to be able to decrypt in future, make sure the keys are kept securely and in a way that is appropriate to the circumstances in which you expect to use the information. Encrypting something that you do not plan to use for months, but expecting nonetheless to remember a long and complex key without writing it down, does not make operational sense and is unlikely to be a plausible story in court;
- And if you discover at any stage that you are no longer able to decrypt the information, record that at the time; do not wait until after you have been served with a notice!
Finally, if you are using digital signatures, use different keys for signing and for encryption. Under s.49(9) a notice cannot require disclosure of a key that is intended to be used only for generating electronic signatures and has not in fact been used for any other purpose. That second condition matters: a key that has ever been used to encrypt or decrypt anything falls outside the exemption, so the separation has to be kept strictly from the day the keys are generated.
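As an added example (not code from the original post), the Go program below puts two of the points above into practice: each identity holds an Ed25519 key pair used only for signing and an unrelated X25519 key pair used only for encryption, and a message is encrypted to one or more recipients so that a sender who wants to read it later must include their own encryption key as a recipient; a sender who omits it holds a copy they cannot decrypt. The names (Identity, Envelope, wrapKey, the "demo-envelope-wrap-v1" label) are assumptions for illustration, and a labelled SHA-256 over the X25519 shared secret stands in for a full key-derivation function; everything else is the Go standard library (Go 1.20 or later for crypto/ecdh).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Identity keeps two unrelated key pairs: Ed25519 used only for signing and
// X25519 used only for encryption. Only EncPriv is ever an input to decryption.
type Identity struct {
	SignPub  ed25519.PublicKey
	SignPriv ed25519.PrivateKey
	EncPriv  *ecdh.PrivateKey
}

// Envelope is one message sealed under a fresh content key (CEK), with the CEK
// wrapped once per recipient. In-memory only; a wire format would serialise EphPub.
type Envelope struct {
	EphPub      *ecdh.PublicKey   // single-use X25519 key for this message
	WrappedCEK  map[string][]byte // recipient public key bytes -> wrapped CEK
	Nonce, Body []byte            // AES-256-GCM nonce and ciphertext
	Sig         []byte            // sender's Ed25519 signature over Body
}

// must panics on error; used only where failure means the random source or a
// fixed-size AES key is broken, which this demonstration cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewIdentity generates the two key pairs independently of each other.
func NewIdentity() *Identity {
	sp, ss, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Identity{SignPub: sp, SignPriv: ss, EncPriv: must(ecdh.X25519().GenerateKey(rand.Reader))}
}

// aead builds AES-256-GCM for a 32-byte key.
func aead(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// wrapKey derives a per-recipient wrapping key from an X25519 shared secret;
// a labelled SHA-256 stands in for a full KDF in this demonstration (assumption).
func wrapKey(shared []byte) []byte {
	k := sha256.Sum256(append([]byte("demo-envelope-wrap-v1"), shared...))
	return k[:]
}

// Encrypt seals plaintext to each recipient and signs it with the sender's
// signing key. Include the sender's own encryption public key among the
// recipients to keep a readable copy; omit it and the sender cannot decrypt.
func Encrypt(plaintext []byte, sender *Identity, recipients ...*ecdh.PublicKey) (*Envelope, error) {
	buf := make([]byte, 44) // 32-byte CEK followed by a 12-byte nonce
	must(rand.Read(buf))
	cek, nonce := buf[:32], buf[32:]
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	env := &Envelope{EphPub: eph.PublicKey(), WrappedCEK: map[string][]byte{}, Nonce: nonce}
	env.Body = aead(cek).Seal(nil, nonce, plaintext, nil)
	for _, r := range recipients {
		shared, err := eph.ECDH(r)
		if err != nil {
			return nil, err
		}
		// The wrapping key is unique to this message and recipient, so the
		// fixed zero nonce is never reused under the same key.
		env.WrappedCEK[string(r.Bytes())] = aead(wrapKey(shared)).Seal(nil, make([]byte, 12), cek, nil)
	}
	env.Sig = ed25519.Sign(sender.SignPriv, env.Body)
	return env, nil
}

// Decrypt checks the sender's signature, then unwraps the CEK using the
// reader's encryption key alone; the signing key is never consulted.
func Decrypt(env *Envelope, me *Identity, senderSignPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(senderSignPub, env.Body, env.Sig) {
		return nil, errors.New("signature does not verify")
	}
	wrapped, ok := env.WrappedCEK[string(me.EncPriv.PublicKey().Bytes())]
	if !ok {
		return nil, errors.New("message was not encrypted to this key")
	}
	shared, err := me.EncPriv.ECDH(env.EphPub)
	if err != nil {
		return nil, err
	}
	cek, err := aead(wrapKey(shared)).Open(nil, make([]byte, 12), wrapped, nil)
	if err != nil {
		return nil, err
	}
	return aead(cek).Open(nil, env.Nonce, env.Body, nil)
}
```

Because the signing key and the encryption key are different types, Decrypt cannot even be handed the signing key by mistake, which is the property the s.49(9) exemption depends on. With `Encrypt(msg, alice, bobPub)` Alice keeps nothing she can read; with `Encrypt(msg, alice, bobPub, alicePub)` her own copy of the content key is wrapped alongside Bob's, which is the choice the post asks you to make deliberately and document.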