Out-Law / Your Daily Need-To-Know

This guide is based on UK law. It was last updated in January 2013 .


Cryptography is concerned with communicating information in a protected manner so that any unintended recipient of the communication is not able to read it. In relation to computing cryptography is associated with information security.

Cryptography has many forms, the best known being encryption, which, in the information security context, is the use of an algorithm to encode or "encrypt" data so that only the intended recipient, using a special key, can decrypt and understand the data. The objective is to make a message encrypted with state of the art software virtually impossible to decode without a key.

Cryptography is not just about keeping information secret; it's also used for authentication, so that, for instance, a company's extranet has stronger protection than just the usual username and password, or so that individuals in a company can sign their emails with digital signatures.

The criminal element

The security offered by cryptography can be vital for businesses that demand confidentiality in their information access or exchange. The Data Protection Act 1998 and in particular the Seventh Data Protection Principle requires all businesses holding data about individuals to take "appropriate technical and organisational measures" against unauthorised access to and use of that data.

The Act does not specifically say that cryptography or encryption should be used to protect the data, but depending on the nature of the data and how it is held, industry practice may expect a certain level of security to comply with this and in certain circumstances that will mean cryptography. In October 2012 the ICO reminded organisations that it is of the view that sensitive personal information should be encrypted when being stored or communicated electronically and that failure to do so can result in enforcement action. The ICO's reminder followed its issuing of a £120,000 fine to the Stoke-on-Trent City Council which resulted from sensitive information about a child protection legal matter being emailed to the wrong person.

In order to address the increase in the use of encryption in communications in connection with criminal activities the UK government brought into force Part III of the Regulation of Investigatory Powers Act 2000 on 1 October 2007, which provides that a suspect must hand over a decryption key or put the relevant information into an intelligible form (see below for more details on RIPA).

Electronic signatures

Some but not all electronic signatures are based on cryptography.

The European Commission Directive on Electronic Signatures was implemented in the UK by the Electronic Communications Act 2000 and Electronic Signatures Regulations 2002. The respective legislation provides a definition of an electronic signature and an advanced electronic signature (see our guide on Electronic Signatures – FAQs for further details).

An electronic signature can take many forms: it must be in an electronic form, incorporated into or associated with an electronic communication, and serve the purpose of establishing the authenticity or integrity of a communication or data. An electronic signature therefore can include an email address, a scanned signature or a digital signature, a type of electronic signature that goes further in establishing the authenticity of the sender and utilises cryptography. Electronic signatures are legally effective and admissible as evidence in courts.

Digital signatures

The legislation does not specifically define a digital signature. In practice a digital signature uses a type of cryptography known as public key cryptography (or asymmetric cryptography) where the respective parties to the communication have a public key (a key which anyone can use to send encrypted messages) and a private key (which only the holder of the key can use to open and decrypt the messages). This process ensures that electronic communications passing between the parties are secure, authentic and unaltered. An alternative is to use symmetric cryptography where both keys are private but identical. This is useful when private, sensitive information is being exchanged between two parties who can authenticate each other's identities by offline means, but is less suited to e-commerce where a seller requires all buyers to have access to the key.

Public key infrastructure

To ensure that the public key used in public key cryptography is genuine companies can use public key infrastructure (PKI), an administrative system which establishes that the public key has not been interfered with by an unauthorised third party. With PKI a certification authority (CA) will issue a digital certificate (see below) to confirm the identity of the holder of the public key. PKI can be used by a company to securely and privately exchange data. It also offers directory services that can store, allocate and revoke certificates as and when necessary.

Digital certificates

This is an electronic document issued by a CA which usually contains your name, a serial number, an expiration date and a copy of your public key and the digital signature of the CA. Use of a CA when doing business online allows anyone to check that you are who you say you are.

Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 (RIPA) provides that a person with appropriate permission, including members of the police, intelligence service or an officer of Revenue and Customs, who come into possession of protected data can demand that an owner of a decryption key hand over the key or provide disclosure of the information in an intelligible form. Failure to do so is a criminal offence which is punishable by up to two years imprisonment or a fine or both or up to five years imprisonment or a fine or both if the issues concern terrorism or national security.

RIPA has attracted some heavy criticism by civil liberties groups who argue that the Act compromises one’s privacy. The Act has also caused controversy because someone who has genuinely forgotten the decryption key may have difficulty convincing a court of his innocence.
There is no key escrow policy in place in the UK which would require any one using encryption software to deposit a decryption key in escrow with a trusted third party.

What should you do?

Consider the information your business holds or exchanges electronically and the risk of it being accessed by unauthorised individuals. The consequences of unauthorised access can include the loss of your trade secrets, fines and the threat of legal action for example if you compromise a client's confidential information.

Every business should consider the extent to which these risks could be mitigated through the use of encryption and cryptographic technologies.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.