Regulation of Investigatory Powers (Investigation of Protected Electronic Information: Code of Practice) Order 2007

I thank the Minister for his detailed explanation of the safeguards included in this provision. I have five areas of concern. First, there is the secrecy requirement. Paragraph 10.8 of the code of practice details the possible provision mandating that the person to whom a Section 49 notice is delivered keeps the existence of the notice secret. The enactment of such a secrecy provision, in combination with the fact that an individual may be ordered to disclose encryption keys to which he has access with a business or personal associate, means that authorities might be able to encrypt an individual’s information without their knowledge. Secondly, paragraph 3.19 notes that encryption key material can be retained in the memory of an individual. The Minister explained at some length how the provision would work. Paragraph 10.5 states that if an individual provides evidence to the effect that he or she does not have possession of the key, the burden is on the prosecutor to prove the contrary beyond reasonable doubt, but it is unclear how that would work in the case of memorised passwords. Thirdly, the sentencing guidelines seem to provide some bizarre incentives. Paragraph 10.2 lays out the penalties for failure to comply with an order: a maximum of two years’ imprisonment in most cases, rising to five years in national security cases. However, if an individual were in possession of an encryption key that would reveal their involvement in, say, a terrorist plot or other crimes such as child pornography, they would get off far easier by refusing to give the key and going to prison for non-compliance than they would by revealing the evidence of their other crimes. Fourthly, the penalties for the abuse of power under Part 3 of RIPA need to be laid out. At present, only failure to protect disclosed information is covered, but there is a danger that public authorities will misuse their investigative power, and that remains unaddressed. Finally, no mention is made of the need to protect the confidentiality of financial services. I refer to paragraphs 6.8 to 6.9. There are concerns that, if a bank is required to disclose keys that enable investigators to track the flow of money into and out of suspect bank accounts, the same data could be used to monitor other accounts. It would be helpful if the Minister could give his observations on the five points I have raised.