The passage of the Regulation of Investigatory Powers Act through parliament was the occasion of much controversy, especially as regards its provisions relating to cryptography. It appeared that it breached the European Convention on Human Rights at many points, and that the possibility of having their private keys seized would drive many E-commerce businesses overseas. In the event, the Act was amended to mitigate the worst excesses, with the simultaneous introduction of much window dressing. Nevertheless, many lesser problems remain, which may or may not be addressed in the Code of Practice. Since the implementation of that part of the Act has now been postponed for a year, we may have to wait some considerable time before the full picture becomes clear.
This talk will analyse exactly what the Act can now demand of people upon whom decryption notices are served, and will describe the precautions which a prudent and honest E-commerce business should take in order to ensure that its legitimate operations cannot be compromised through the operation of the Act.
I shall also describe the operation of the Lawful Business Practice Regulations (as established by the Act), paying particular attention to various forms of "interception" which, even though at first sight they might appear to be covered by those Regulations, are in fact perfectly lawful.