Feeds

RIPA ruling closes encryption key loophole

No pleas against self-incrimination allowed

Secure remote control for conventional and virtual desktops

A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.

The verdict handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the the defendants were alleged to have conspired to help an individual evade a control order imposed under terrorism legislation. At the time of their arrest, the police seized computer equipment believed to contain material "likely to be useful to a terrorist or potential terrorist".

Such possession is an offence under section 58 of the Terrorism Act 2000, and would open the individuals who held that material to criminal prosecution.

However, the material in question was encrypted, and when the police ordered the defendants to hand over the keys to this material, they refused to do so. In court, they argued that, irrespective of whether the material was illegal or not, handing it over could have the result of incriminating them in a crime – and that there were a number of precedents in English Law protecting against self-incrimination.

The Appeal Court ruling hinged on whether the encryption key could be said to have an existence separate from the "will" of the individual. The judges noted existing case law that "No one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose (him) to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred".

Against this, they cited the European Court in Saunders v UK, according to which "the right not to incriminate oneself … does not extend to the use in criminal proceedings of material which may be obtained from the accused through compulsory powers but which have an existence independent of the will of the suspect, such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing".

The Appeal Court judges therefore held that an encryption key – even one that exists only in the mind of a single defendant – does have an independent existence, and the defendants should hand it over.

Failing reversal in a higher court, this closes what might have been a loophole in RIPA.

Critics of RIPA continue to argue that the law is over-broad and capable of bringing about serious injustice. For instance, you could cause a lot of aggro for a work rival by dropping a file on their hard drive, entitled "My plans for blowing up the Houses of Parliament" - and then informing the Police.

A further criticism is levelled by those who point out that this law is essentially about policing memory. If you forget your encryption key, it is for you to prove to a court that this is a genuine – as opposed to "convenient" – lapse.

This question became all too real in one of the first outings for RIPA last year. Although the Act was passed in 2000, it was not finally activated until 2007. In this case, an animal rights’ activist was charged with failing to hand over an encryption key. Her defense was that she wasn’t even aware there were encrypted files on her hard drive and therefore was unable to comply with the CPS request.

For all that, encryption may still offer a useful alternative to being found guilty of some offences. The maximum penalty for failing to hand over an encryption key on demand is two years – or five years where you are being investigated under anti-terror legislation.

Critics of the legislation – including some childrens’ charities – have argued that this is not enough where individuals are under investigation for the most serious crimes, such as possession of child porn, for which the penalty is 10 years. A similar argument has been made in respect of publishing obscene material, for which the penalty has recently been raised to 5 years.

The thought is that, when faced with a choice between doing two years under RIPA or significantly longer under some other law, individuals are going to opt for the former.

A spokesperson for the Home Office disputes this. According to the Home Office, RIPA is an additional penalty, rather than an alternative, and it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation.

RIPA was intended to assist and to speed up inquiries – not substitute for them. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Britain's housing crisis: What are we going to do about it?
Rent control: Better than bombs at destroying housing
Top beak: UK privacy law may be reconsidered because of social media
Rise of Twitter etc creates 'enormous challenges'
GCHQ protesters stick it to British spooks ... by drinking urine
Activists told NOT to snap pics of staff at the concrete doughnut
What do you mean, I have to POST a PHYSICAL CHEQUE to get my gun licence?
Stop bitching about firearms fees - we need computerisation
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?