The legal power to decrypt materials is expressly granted as a statutory function to GCHQ in the Intelligence Services Act 1994, where it is empowered to “obtain and provide information derived from … encrypted material” (s.3 (1)(a)).
Further, sections 49-51 of RIPA give a range of government agencies the power to compel decryption of material or, as necessary, compel a person to provide information, such as a password or decryption key, that allows encrypted material to be decrypted. Permission is required from the Secretary of State, or, for police, a judge (RIPA Schedule 2). Such measures, according to the Interception of Communications Commissioner, are “intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information (such as passwords, encryption etc).”[1] However, the 2015 Report of the Interception of Communications Commissioner noted that no RIPA section 49 notices have been issued by the Secretary of State with regard to intercepted material since 2013.[2]
The Intelligence and Security Committee’s 2015 ‘Privacy and Security’ report found that “the ability to decrypt [communications of interest] is core to GCHQ’s work”, and noted that the agency has a “programme of work … to enable them to read encrypted communications”, though the name of this programme, and the substance of two of its three main strands, are redacted.[3] The report also noted that “many people believe, based on the Snowden leaks, that GCHQ systematically undermine and weaken common internet encryption products.”
As the report points out, under the terms of the Intelligence Services Act no additional authorisation at a ministerial level is required for these activities. While acknowledging a general need for GCHQ to decrypt communications in the interests of public safety, the report expressed the concern that such decisions are taken internally, and recommended that ministers be “kept fully informed of all such work and specifically consulted where it involves potential political and economic risks.” [4]
[1] Report of the Interception of Communications Commissioner, March 2015, p.75.
[2] Ibid.
[3] Intelligence and Security Committee, ‘Privacy and Security: a modern and transparent legal framework’, p.67.
[4] Ibid., p.69.