RIPA ruling closes encryption key loophole
No pleas against self-incrimination allowed
A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.
The verdict handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the the defendants were alleged to have conspired to help an individual evade a control order imposed under terrorism legislation. At the time of their arrest, the police seized computer equipment believed to contain material "likely to be useful to a terrorist or potential terrorist".
Such possession is an offence under section 58 of the Terrorism Act 2000, and would open the individuals who held that material to criminal prosecution.
However, the material in question was encrypted, and when the police ordered the defendants to hand over the keys to this material, they refused to do so. In court, they argued that, irrespective of whether the material was illegal or not, handing it over could have the result of incriminating them in a crime – and that there were a number of precedents in English Law protecting against self-incrimination.
The Appeal Court ruling hinged on whether the encryption key could be said to have an existence separate from the "will" of the individual. The judges noted existing case law that "No one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose (him) to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred".
Against this, they cited the European Court in Saunders v UK, according to which "the right not to incriminate oneself … does not extend to the use in criminal proceedings of material which may be obtained from the accused through compulsory powers but which have an existence independent of the will of the suspect, such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing".
The Appeal Court judges therefore held that an encryption key – even one that exists only in the mind of a single defendant – does have an independent existence, and the defendants should hand it over.
Failing reversal in a higher court, this closes what might have been a loophole in RIPA.
Critics of RIPA continue to argue that the law is over-broad and capable of bringing about serious injustice. For instance, you could cause a lot of aggro for a work rival by dropping a file on their hard drive, entitled "My plans for blowing up the Houses of Parliament" - and then informing the Police.
A further criticism is levelled by those who point out that this law is essentially about policing memory. If you forget your encryption key, it is for you to prove to a court that this is a genuine – as opposed to "convenient" – lapse.
This question became all too real in one of the first outings for RIPA last year. Although the Act was passed in 2000, it was not finally activated until 2007. In this case, an animal rights’ activist was charged with failing to hand over an encryption key. Her defense was that she wasn’t even aware there were encrypted files on her hard drive and therefore was unable to comply with the CPS request.
For all that, encryption may still offer a useful alternative to being found guilty of some offences. The maximum penalty for failing to hand over an encryption key on demand is two years – or five years where you are being investigated under anti-terror legislation.
Critics of the legislation – including some childrens’ charities – have argued that this is not enough where individuals are under investigation for the most serious crimes, such as possession of child porn, for which the penalty is 10 years. A similar argument has been made in respect of publishing obscene material, for which the penalty has recently been raised to 5 years.
The thought is that, when faced with a choice between doing two years under RIPA or significantly longer under some other law, individuals are going to opt for the former.
A spokesperson for the Home Office disputes this. According to the Home Office, RIPA is an additional penalty, rather than an alternative, and it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation.
RIPA was intended to assist and to speed up inquiries – not substitute for them. ®
Nothing is secure
Hah! You think physical destruction is secure? I watched an episode of CSI once where they managed to spot, in a photograph taken with a mobile phone, a reflection in the cornea of a passer-by, of the smoke from some documents that some bad guy was burning, and reconstruct the information from that.
Damn you Ash . Guess I need to make sure the blades go down 2mm and then use an explosive charge.
"The maximum penalty for failing to hand over an encryption key on demand is two years"
Remember folks, that's the *maximum*. First offence, previous good character, profuse apology, sincere regret... 'I really have forgotten but I can't prove it and you don't believe me'... guilty plea... you might not even get a custodial sentence at all. You don't impose the maximum sentence on first offenders unless there's some serious aggravating factors!