Feeds

RIPA ruling closes encryption key loophole

No pleas against self-incrimination allowed

Reducing the cost and complexity of web vulnerability management

A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.

The verdict handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the the defendants were alleged to have conspired to help an individual evade a control order imposed under terrorism legislation. At the time of their arrest, the police seized computer equipment believed to contain material "likely to be useful to a terrorist or potential terrorist".

Such possession is an offence under section 58 of the Terrorism Act 2000, and would open the individuals who held that material to criminal prosecution.

However, the material in question was encrypted, and when the police ordered the defendants to hand over the keys to this material, they refused to do so. In court, they argued that, irrespective of whether the material was illegal or not, handing it over could have the result of incriminating them in a crime – and that there were a number of precedents in English Law protecting against self-incrimination.

The Appeal Court ruling hinged on whether the encryption key could be said to have an existence separate from the "will" of the individual. The judges noted existing case law that "No one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose (him) to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred".

Against this, they cited the European Court in Saunders v UK, according to which "the right not to incriminate oneself … does not extend to the use in criminal proceedings of material which may be obtained from the accused through compulsory powers but which have an existence independent of the will of the suspect, such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing".

The Appeal Court judges therefore held that an encryption key – even one that exists only in the mind of a single defendant – does have an independent existence, and the defendants should hand it over.

Failing reversal in a higher court, this closes what might have been a loophole in RIPA.

Critics of RIPA continue to argue that the law is over-broad and capable of bringing about serious injustice. For instance, you could cause a lot of aggro for a work rival by dropping a file on their hard drive, entitled "My plans for blowing up the Houses of Parliament" - and then informing the Police.

A further criticism is levelled by those who point out that this law is essentially about policing memory. If you forget your encryption key, it is for you to prove to a court that this is a genuine – as opposed to "convenient" – lapse.

This question became all too real in one of the first outings for RIPA last year. Although the Act was passed in 2000, it was not finally activated until 2007. In this case, an animal rights’ activist was charged with failing to hand over an encryption key. Her defense was that she wasn’t even aware there were encrypted files on her hard drive and therefore was unable to comply with the CPS request.

For all that, encryption may still offer a useful alternative to being found guilty of some offences. The maximum penalty for failing to hand over an encryption key on demand is two years – or five years where you are being investigated under anti-terror legislation.

Critics of the legislation – including some childrens’ charities – have argued that this is not enough where individuals are under investigation for the most serious crimes, such as possession of child porn, for which the penalty is 10 years. A similar argument has been made in respect of publishing obscene material, for which the penalty has recently been raised to 5 years.

The thought is that, when faced with a choice between doing two years under RIPA or significantly longer under some other law, individuals are going to opt for the former.

A spokesperson for the Home Office disputes this. According to the Home Office, RIPA is an additional penalty, rather than an alternative, and it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation.

RIPA was intended to assist and to speed up inquiries – not substitute for them. ®

Security and trust: The backbone of doing business over the internet

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.