![\"Hacker](\"https:\/\/www.infolaw.co.uk\/newsletter\/wp-content\/uploads\/2017\/09\/Hacker-Firewall-by-Christoph-Scholz.jpg\")
<\/p>\n<\/p>\n
Encryption is a way of making data secure, so that it can only be accessed by authorised parties. Cryptographic techniques are used to render information unintelligible to any third parties whilst it is being stored on an electronic device such as a laptop or smartphone, or during its transit from sender to recipient over the internet or other types of computer network.<\/p>\n
There are many techniques of encryption but the main principles are as follows:<\/p>\n
Hashing is another method used to help to preserve the integrity<\/em> of data but it is different from encryption. A hash is essentially a digital fingerprint of mapped digital information and it can be used to verify that a second instance of the information is exactly the same as the original and has not been tampered with. But hashing is a one way process; there is no way to reverse a hash or obtain any intelligible information from it. However, it can be used effectively in conjunction with encryption, particularly where the encrypted data needs to be transmitted across insecure networks.<\/p>\n In an age where vast swathes of personal information are stored on internet-connected devices and online, the need to protect privacy has never been greater. Whether it\u2019s alleged Russian interference in the 2016 American elections or personal details of 143 million individuals being compromised by a hack<\/a> into a worldwide credit report company, the relentless surge of cybercrime means that leaving data unencrypted is akin to leaving your front door unlocked. Most of the tech giants are building sophisticated encryption into their devices, apps and software as standard \u2013 not least because laws increasingly demand that data protection be taken seriously, but also due to customer expectation. Furthermore, privacy campaigners, including human rights organisations such as Amnesty International<\/a>, argue that end to end encryption is crucial for providing people who live in totalitarian regimes with the ability to communicate freely without being monitored by oppressive governments or dictatorships.<\/p>\n However there are also many concerns about encryption, primarily raised by governments, police and law enforcement agencies. Whilst encryption can be used to thwart criminal hackers, on the flipside it can also facilitate crime and prevent criminals from being caught. The authorities often claim that encryption impedes criminal investigations into terrorism, paedophilia and other crimes where crucial evidence is locked away on a smartphone, laptop or cloud based storage or communication services. One solution, which is often put forward to prevent criminals hiding behind encryption, is to provide law enforcement with a virtual skeleton key which gives them \u2018backdoor\u2019 access to any encrypted material. However, the fallacy of this argument is that any such backdoor would also be hackable by malevolent parties and consequently creates a huge opportunity for cybercriminals. An example of this is the ransomware attack which affected the NHS; the WannaCry virus apparently used an exploit<\/a> which had previously been leaked as part of a cache of NSA hacking tools.<\/p>\n Principle 7 of the Data Protection Act<\/strong> requires that all businesses holding personal data take \u201cappropriate technical and organisational measures\u201d against its \u201cunauthorised or unlawful processing\u201d. Although it does not specify the use of encryption, the ICO notes<\/a> that data controllers should \u201cbe aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data\u201d.<\/p>\n The General Data Protection Regulation<\/strong> (GDPR) comes into effect on 25 May 2018. This will tighten up many of the existing data protection requirements, significantly increase maximum penalties and introduce new rules. Of particular note for purposes of encryption is Article 32 which requires data controllers and processors to \u201cimplement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate … the pseudonymisation and encryption of personal data\u201d.<\/p>\n Part III of the Regulation of Investigatory Powers Act 2000<\/strong> (RIPA) allows authorities to force a person to either hand over an encryption key to access data or to provide the requested material in an intelligible form.<\/p>\n The Investigatory Powers Act 2016<\/strong> extends the powers of authorities to demand that service providers who are served a Technical Capability Notice (TCN) remove any \u201celectronic protection\u201d (s 253(5)(c)) \u2013 which essentially means encryption or any similar technology. However, this requirement is subject to the \u201ctechnical feasibility\u201d of complying with the notice (s. 255(3)(c)).<\/p>\n In the USA, following the San Bernardino terror attack in December 2015, the US government asked Apple to help the FBI<\/a> access encrypted data on the suspect\u2019s iPhone in case it contained any useful evidence or leads. Apple refused to comply with this request, arguing that the creation of a backdoor would pose a threat to the data of other customers. Although a legal battle was on the cards, the FBI withdrew its request after it purchased hacking software for $900,000<\/a> \u2013 which in the event found \u201cnothing of real significance\u201d.<\/p>\n In the UK, following the Westminster Bridge terrorist incident in March 2017, home secretary Amber Rudd claimed<\/a> that it was \u201ccompletely unacceptable\u201d that the government could not read messages protected by end-to-end encryption. She argued that: \u201cWe need to make sure that organisations like WhatsApp, and there are plenty of others like that, don\u2019t provide a secret place for terrorists to communicate with each other.\u201d However, her rhetoric was met with resistance<\/a> from the former GCHQ director Robert Hannigan who said that \u201cIt\u2019s not a good idea to weaken security for everybody in order to tackle a minority\u201d and warned that \u201cTrying to weaken the system, trying to build in backdoors won\u2019t work and is technically difficult\u201d.<\/p>\n Pinsent Masons: Cryptography<\/a><\/p>\n TechTarget: Encryption<\/a><\/p>\n ICO: Guide to Encryption<\/a><\/p>\n legislation.gov.uk: Investigatory Powers Act 2016<\/a> s 255<\/p>\n Amnesty International: Easy guide to encryption and why it matters<\/a><\/p>\n The Verge: The five big lies of the encryption debate<\/a><\/p>\n Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words<\/a>, a copywriting agency in Bristol. Email alex@legalwords.co.uk<\/a>. Twitter @alexheshmaty<\/a>.<\/em><\/p>\nPros and cons<\/h3>\n
Legislation dealing with encryption<\/h3>\n
Recent developments<\/h3>\n
Further reading<\/h3>\n