New laws going into effect today in the United Kingdom make
it a crime to refuse to decrypt almost any encrypted data requested by
authorities as part of a criminal or terror investigation. Individuals who are
believed to have the cryptographic keys necessary for such decryption will face
up to 5 years in prison for failing to comply with police or military orders to
hand over either the cryptographic keys, or the data in a decrypted form.

Part 3, Section 49 of the Regulation of Investigatory Powers Act
includes provisions for the decryption requirements, which are applied
differently based on the kind of investigation underway. As we reported last
year, the five-year imprisonment penalty is reserved for cases involving
anti-terrorism efforts. All other failures to comply can be met with a maximum two-year sentence.

The law can only be applied to data residing in the UK, hosted
on UK servers, or stored on devices located within the UK. The law does not
authorize the UK government to intercept encrypted materials passing through
the UK in transit on the Internet and then compel their decryption under
threat of the jail time penalty.