Wednesday, October 24, 2007

Stealing privacy from the innocent

You might have missed this, because it didn't get a lot of mainstream press attention, but from the start of this month:

New laws going into effect today in the United Kingdom make it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form.

The danger here isn't the decryption so much as the requirement that keys be handed over - thereby compromising all data encrypted with them whether or not it falls within the scope of an investigation. No significant business can be expected to bring their keys to the UK, and this has implications for the establishment of UK facilities.

At the same time, anyone with really dubious data to hide will either take the relatively light prison term (compared with a sentence for, say, terrorism), or keep the data location secret by using portable storage, or simply keep the files offshore (the law only applies to data physically stored in the UK). The latter is trivial - I use remote disks mounted into my regular filesystem as a matter of routine, and these disks could as easily be in Moscow as Manchester.
