
Encryption

  • Why enforce RIPA Part III?
    The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information.
  • What is the extent and scope of the powers?
    Part III provides a statutory framework, subject to independent oversight, enabling public authorities to require protected information which they have obtained or are likely to obtain to be put into an intelligible form, to acquire the means to gain access to protected information and to acquire the means to put protected data into an intelligible form.
  • What is protected information?
    Protected information means any electronic material that cannot be accessed or put into an intelligible form without a key.
  • What about Human Rights?
    Exercise of the powers to require disclosure of protected information, disclosure of the means to access such information or to put it into an intelligible form may amount to interference with an individual’s right to respect for their private and family life. Such interference will be justifiable under Article 8 of the European Convention on Human Rights and in accordance with the Human Rights Act 1998 only if the conduct being required or taking place is both necessary and proportionate and in accordance with the law. The provisions in Part III are designed to meet the requirements that such activities are in accordance with law and to provide guidance to ensure that the activities are, in fact, both necessary and take place in a proportionate manner.
  • Who can give notices?
    Public authorities may seek permission to serve a notice in relation to protected information that has already been obtained lawfully or in relation to protected information which is not yet in their lawful possession.
  • Who can they be served on?
    Section 49 notices may potentially be served on a wide variety of individuals, bodies or organisations. Individuals using products or services to protect data under their control, and businesses involved in producing or supplying such products or services, or using such technologies themselves could, conceivably, be in a position to disclose protected information in an intelligible form or to disclose a key required to put such information into an intelligible form.
  • How long do I have to comply?
    The time by which any notice has to be complied with must be reasonable and realistic in all the circumstances and must take into account the practical and technical requirements of undertaking the disclosure.
  • This is going to cost me money – who pays?
    Should any person or persons incur costs in complying with a notice an appropriate contribution towards those costs may be made by the public authority that has imposed the disclosure requirement.
  • How do I know my key and disclosed material is safe?
    The Act clearly indicates that arrangements must be in place to safeguard keys and key material obtained by the imposition of disclosure requirements. The Code of Practice outlines the procedures for keeping keys safe.
  • Who will be aware of my key details?
    The absolute minimum necessary to allow protected information to be made intelligible.
  • What audit trails are there?
    Public authorities must retain copies of all written applications for permission to give a section 49 notice. Such applications must be available for scrutiny by the relevant independent Commissioner with a statutory oversight role.
  • I am a business/firm/corporate body. Who do you serve the notice on?
    Where a disclosure requirement upon a corporate body or firm is being considered, the person intending to seek appropriate permission must determine if that body or firm would be able to comply with the proposed disclosure requirement. The imposition of a disclosure requirement upon a corporate body or firm without any prior consultation should only be undertaken rarely. Particular care must be taken when considering the imposition of a requirement to disclose a key upon a provider of financial services in view of the crucial role that protected information has in the financial services sector. For example, no such requirement should be imposed upon any company or firm regulated by the Financial Services Authority without prior notification to the Chairman of the Authority.
  • Who can give permission for the giving of notices?
    In general the permission to give a section 49 notice must be given by a person with at least the same level of authority as that required for the exercise of any power to obtain the protected information. With certain exceptions, the appropriate permission to give a notice should be given by the same person authorising, or who authorised, the use of any power to obtain the protected information.
  • What happens if I refuse to give you the key?
    Failure to comply with a disclosure requirement or a secrecy requirement is a criminal offence. Where a person given a section 49 notice knowingly fails to make the disclosure required, they commit an offence. If the disclosure required is necessary in the interests of national security, they may, on conviction on indictment, be sentenced to a maximum of 5 years' imprisonment, or in any other case 2 years. On summary conviction they may be liable to a maximum six-month term of imprisonment or a fine not exceeding the statutory maximum, or both.
  • Can I tell anyone I have been given a notice?
    Section 49 notices may contain a provision requiring the person to whom the notice is given and every other person who becomes aware of it or of its contents to keep secret the giving of the notice, its contents and the things done to comply with it. The inclusion of a secrecy requirement in a notice requires the consent of the person granting permission for the notice to be given or for the person giving the notice to have that permission. However, the notice should also inform the recipient that he (or she) may nonetheless approach a professional legal adviser for advice about the effect of the provisions of Part III of the Act. In addition, it is not the intention of the Act to penalise individuals within organisations who, for example, have been given a notice imposing a disclosure requirement but need the assistance of another colleague in order to comply with the notice.
  • Who has oversight of the process?
    There are three independent Commissioners with relevant oversight responsibilities: the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.
  • What if I wish to make a complaint?
    The Act established an independent Tribunal (‘the Investigatory Powers Tribunal’). The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the giving of a notice under section 49 or any disclosure or use of a key to protected information.
  • What effect will the RIPA Part III proposals have on messages sent from my BlackBerry?
    Emails sent from your BlackBerry are strongly encrypted whilst in transit and only decrypted once inside your firewall or delivered to your handheld. Since neither RIM nor the wireless operator ever has access to the encryption key, they cannot provide the contents of your email to a law enforcement agency. This means that under RIPA Part III, if an investigation requires access to data held on a BlackBerry, investigators would have to go directly to the device owner for an encryption key.
  • Data traffic originating and terminating outside the UK using a device such as the BlackBerry may transit the UK for technical and security integrity reasons. Is this content covered by the terms of RIPA?
    No. RIPA is domestic UK legislation. As such, it applies only to data stored in the UK and not transient content. Encrypted content transmitted from a BlackBerry device that transits the UK is only in transit and is never copied or stored; it will therefore never fall under RIPA Part III.

    Furthermore, as outlined above, only the owner of the BlackBerry device has access to the encrypted data.
