Encryption
Disclosure of keys
Law enforcement agencies cannot lawfully obtain keys unless they have the appropriate permission of a judicial authority, the chief officer of police, the Commissioner of Customs and Excise, or a person of or above the rank of brigadier or its equivalent.
Where protected information has been obtained under a warrant issued by the Secretary of State, permission for serving a Section 49 or decryption notice may be obtained from the Secretary of State.
All public authorities should consult with the National Technical Assistance (NTAC) at the earliest opportunity when considering the use of the powers in Part III of the Regulation of Investigatory Powers Act.
Decryption or Section 49 notices
Law enforcement agencies like the police may serve a person or organisation that uses encryption with a notice called a Section 49 requiring them to decode encrypted information into plain text and hand it over.
They are most likely to be imposed only on individuals who have protected information directly relevant to an investigation or operation and are themselves a subject of, or are connected to, the investigation or operation.
A Section 49 will only be authorised:
-
in the interests of national security
-
for the prevention or detection of crime
-
in the interests of the economic well-being of the UK
-
for securing the effective exercise by any public authority of any statutory power or duty
In almost all cases, disclosing the plain text of decoded encrypted material, rather than the decoding key, will be a sufficient response to a decryption notice. Keys are only required in special circumstances.
Who may notices be served upon?
Section 49 notices are most likely to be served on individuals who have protected material directly relevant to an investigation or operation and are themselves a subject of, or are connected to, the investigation or operation.
Notices could potentially be served on a wide variety of individuals, bodies or organisations. Care must be taken when serving a notice on a corporate body or firm and prior consultation must always take place. Particular care must be taken when serving a section 49 notice upon a provider of financial services in view of the crucial role that protected information has in the financial sector. For example, a notice may not be served upon any company or firm regulated by the Financial Services Authority without prior notification to the Chairman of the Authority.
Time to comply with a notice
The time by which any notice has to be complied by, must:
-
be reasonable and realistic
-
must take into account practical and technical requirements
-
offer sufficient time to seek legal or technical advice.
Special circumstances where there is an urgent requirement to comply with a notice include:
-
where there is an immediate threat to life
-
when exceptional operational requirements are time restricted
-
when there is a credible or immediate threat to national security
In all cases, consideration of the actual or potential collateral intrusion must take place.
Failure to comply with a notice
It is an offence for a person who has been given a notice to knowingly fail to disclose the information required.
