
Cryptography

This guide is based on UK law. It was last updated in February 2008.

Introduction

Cryptography is concerned with communicating information in a protected manner so that any unintended recipient of the communication is not able to read it. In relation to computing, cryptography is associated with information security.

Cryptography has many forms, the best known being encryption, which is the use of an algorithm to encode or "encrypt" data so that only the intended recipient, using a special key, can decrypt and understand the data. A message encrypted with state-of-the-art software is virtually impossible to decode without the key. However, cryptography is not just about keeping information secret; it is also used for authentication, so that, for instance, a company's extranet has stronger protection than just the usual username and password, or so that individuals in that company can sign their emails with digital signatures.

The criminal element

The security offered by cryptography can be vital for businesses that demand confidentiality in their information access or exchange. The Data Protection Act 1998, and in particular the Seventh Data Protection Principle, requires all businesses holding data about individuals to take "appropriate technical and organisational measures" against unauthorised access to and use of that data. The Act does not specifically say that cryptography should be used to protect the data, but depending on the nature of the data and how it is held, industry practice may expect a certain level of security to comply with this, and in certain circumstances that will mean cryptography. For example, when a laptop was stolen in 2007 containing details of 26,000 Marks & Spencer employees, the Information Commissioner's Office issued Marks & Spencer with an enforcement notice that ordered it to ensure that all of its laptop hard drives were encrypted within a specific period of time. See: Marks & Spencer ordered to encrypt data after laptop theft, OUT-LAW News, 28/01/2008.

Cryptography also makes governments nervous because the technology can be used by terrorists to communicate without detection. Accordingly, governments have put restrictions on the use of and trade in encryption products. Furthermore, in order to address the increase in the use of encryption, the UK government brought into force Part III of the Regulation of Investigatory Powers Act 2000 on 1 October 2007, which provides that a suspect must hand over a decryption key or put the relevant information into an intelligible form (see below for more details on RIPA).

Electronic signatures

The European Commission Directive on Electronic Signatures was implemented in the UK by the Electronic Communications Act 2000 and the Electronic Signatures Regulations 2002. The respective legislation provides a definition of an electronic signature and an advanced electronic signature (see our guide on Electronic Signatures – FAQs for further details). There are a variety of forms of electronic signature, including a typed name, an email address, a scanned signature and a digital signature, which can be used to prove the sender's intention to authenticate the message. Electronic signatures are legally effective and admissible as evidence in courts.

Digital signatures

The legislation does not specifically define a digital signature. In practice a digital signature uses a type of cryptography known as public key cryptography, where each party to the communication has a public key (a key which anyone can use to send that party encrypted messages) and a private key (which only the holder of the key can use to open and decrypt those messages). This process ensures that electronic communications passing between the parties are secure, authentic and unaltered.

Public key infrastructure

To ensure that the public key used in public key cryptography is genuine, companies can use public key infrastructure (PKI), an administrative system which establishes that the public key has not been interfered with by an unauthorised third party. With PKI a certification authority (CA) will issue a digital certificate (see below) to confirm the identity of the holder of the public key. PKI can be used by a company to securely and privately exchange data and money. It also offers directory services that can store, allocate and revoke certificates as and when necessary. There are several vendors of business PKI solutions – see, by way of example, RSA.com or VeriSign.com.

Digital certificates

A digital certificate is an electronic document issued by a CA which usually contains your name, a serial number, an expiration date, a copy of your public key and the digital signature of the CA. Use of a CA when doing business on-line allows anyone to check that you are who you say you are.
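The three sections above describe one mechanism end to end: a CA signs a certificate that binds a holder's name to their public key, the holder signs a message with their private key, and the recipient checks both. The following Go program is an added illustration using the standard library's x509 package, not code from OUT-LAW or from any PKI vendor named here; the CA name "Example Ltd CA" and the holder "A. Employee" are invented. Tampering with the message, or presenting a certificate from a CA the recipient does not trust, makes VerifySigned return an error.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCertified generates a key pair and issues it a certificate with the fields the guide
// lists (name, serial number, expiry, public key, CA signature). A nil parent means self-signed: the CA's own root.
func newCertified(name string, serial int64, parent *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},     // the holder's name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // expiration date
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, caKey = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign is the holder's digital signature over msg, made with the private key only they hold.
func Sign(key ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(key, msg)
}

// VerifySigned is the recipient's check: the certificate must chain to the trusted CA and be unexpired, and the signature must match msg.
func VerifySigned(ca, holder *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := holder.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	return holder.CheckSignature(x509.PureEd25519, msg, sig)
}
```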

Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 (RIPA) provides that a person with appropriate permission, including members of the police, the intelligence services or an officer of Revenue and Customs, who comes into possession of protected data can demand that the owner of a decryption key hand over the key or disclose the information in an intelligible form. Failure to do so is a criminal offence punishable by up to two years' imprisonment, a fine or both, rising to up to five years' imprisonment, a fine or both if the issues concern terrorism or national security.

RIPA has attracted some criticism from civil liberties groups, who argue that the Act compromises one's privacy. The Act has also caused controversy because someone who has genuinely forgotten the decryption key may have difficulty convincing a court of his innocence. Further, a real terrorist from whom a key is demanded could, in theory, claim to have lost his key in order to face prosecution for a lesser crime than that which he was plotting. See: Law requiring disclosure of decryption keys in force, OUT-LAW News, 02/10/2007.

There is no key escrow policy in place in the UK which would require anyone using encryption software to deposit a decryption key in escrow with a trusted third party.

What should you do?

Consider the information your business holds or exchanges electronically. Next consider the risk to your business if that information were to be accessed by unauthorised individuals. This could be direct – e.g. the loss of your trade secrets – or indirect, e.g. the threat of legal action if you compromise a client's confidential information.

If the risk is at all significant, you could consider cryptography in some form. Inexpensive and easy-to-use digital signature services which can encrypt your email communications are widely available. However, you must balance this against the practicality: encrypting your email also requires the recipient to have compatible software and the understanding to use it.

Contacts

Jon Fell


David McIlwaine


Disclaimer: We hope you find OUT-LAW's content useful. It is prepared by the lawyers at Pinsent Masons. Please remember, though, that it is intended as general information only. It is not legal advice. If that is what you are seeking, please contact us.
