Out-Law Guide | 30 Mar 2005 | 3:44 pm
This article is based on UK law. It was last updated in August 2008.
Encryption has long been used to facilitate secret communication and is now used routinely in IT networks and telephony. It is also used in digital rights management (DRM) to prevent unauthorised use or reproduction of copyrighted material and in software to protect against reverse engineering.
However, although encryption has many legitimate business and other uses, there are concerns over the use of encryption for military and/or criminal purposes. These concerns have led to the introduction of controls on the use of encryption as well as the granting of rights for investigatory authorities to access encrypted data. Moreover, mechanisms are needed to verify the authenticity of electronic data, in addition to dealing with electronic data security and access.
Those involved in the export of encryption products should be aware that such export may be subject to regulatory export controls. The UK has many export controls, mainly targeted at goods and technology which are for military use or capable of dual-use. Dual-use items are goods, software or technology (documents, diagrams etc.) which can be used for civil and military purposes. Encryption software, for example, is subject to export controls because it is capable of dual-use: although such software can be used to ensure the confidentiality of information for common commercial transactions, it could also be used by terrorists to keep their plans secret.
UK export controls apply to export by either physical or electronic means from the UK, and operate so that, if a product is restricted, a licence to export that product is required. It would be impractical for individual licences to be obtained for each export.
Given this, Open General Export Licences (OGELs) are available. These permit export of certain products without the need to obtain an individual licence. For example, there is an OGEL covering the export of certain software and source code. However, the terms of any available licence need careful review to ensure that the licence covers the products in question and permits export to the country in question. In addition, any conditions attached to the use of the licence (such as registration requirements) must be complied with.
Export control in the UK is primarily the province of the Export Control Organisation (part of the Department for Business, Enterprise and Regulatory Reform).
Encryption can be used to maintain the secrecy of communications relating to criminal activity and other activity which would be contrary to the interests of national security. As a result, authorities such as the police and the intelligence services need access to encryption keys in certain circumstances in order to decrypt potentially damaging or harmful communications. The key legislation in this area is the Regulation of Investigatory Powers Act 2000 (RIPA).
Under RIPA, relevant authorities can demand that the encryption key to communications data is disclosed (or that encrypted data is disclosed in an intelligible form) by a person if there are reasonable grounds for believing that:
(a) the key to the relevant information is in the possession of that person;
(b) disclosure is necessary for one of the reasons specified in RIPA (for example to prevent a crime or in the interests of national security);
(c) disclosure would be proportionate in the circumstances; and
(d) it is not reasonably practicable to obtain possession of the information in an intelligible form without access to the key.
The wider regulatory framework governing the use of communications data should also be noted. For example, the Data Protection Act 1998 will govern the use of any personal data, and RIPA and related regulations contain provisions dealing with the monitoring, storage and use of data.
Encryption is relevant not only to the security of data, but also in relation to its authenticity and integrity.
For example, digital signatures (a type of electronic signature) rely on a form of encryption (known as asymmetric cryptography) to authenticate messages.
In this type of encryption two 'keys' are used: (i) the private key, which is known only to the signatory and is used to create the digital signature and change the message into encrypted form; and (ii) the public key, which is used by a relying party to verify the digital signature and decrypt the message.
Often this type of encryption is known as 'public key infrastructure' or PKI because the public key is made widely available in an online directory. This enables a wide audience to rely on the public key and the authenticity of messages sent using it. Third parties (also known as certification service providers) are often used to validate the authenticity of the public key.
For further detail on digital signatures (and electronic signatures more generally), see the separate OUT-LAW guide: Electronic Signatures – FAQs.