# UK Law Demands Decryption Keys for Your Data

The UK has [a new law that forces criminal suspects to hand over
encryption keys or face jail time][1]. The penalty for refusing is
up to five years for terrorism-related investigations or up to two
years for other types of criminal investigations.

I was immediately struck by the futility of this law - people who
are criminally innocent but use encryption to protect their
privacy will surely acquiesce and have their privacy
violated. Hardcore criminals will likely take the guaranteed
sentence rather than expose what they have been up to, which in many
cases would carry a much stiffer penalty.

Perhaps the real hope is that this law gives law enforcement a bit
of leverage when trying to elicit confessions or cooperation. In the
end, it will just drive legitimate data encryption services out of
the UK (the article notes the law doesn't apply to data outside of
or in transit through the UK), or force users toward some form of
security through obscurity. If they don't know it's encrypted, they
can't ask for the keys, right?

The US went through a similar debate in the '90s over [key
escrow][2]; thankfully it never came to pass. The FBI now realizes
it is easier to [circumvent the encryption entirely][3].

[1]: http://arstechnica.com/news.ars/post/20071001-uk-can-now-demand-data-decryption-on-penalty-of-jail-time.html
[2]: http://www.epic.org/crypto/key_escrow/
[3]: http://www.schneier.com/blog/archives/2007/07/federal_agents_1.html