Feeds

RIPA ruling closes encryption key loophole

No pleas against self-incrimination allowed

The Power of One Brief: Top reasons to choose HP BladeSystem

A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.

The verdict handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the the defendants were alleged to have conspired to help an individual evade a control order imposed under terrorism legislation. At the time of their arrest, the police seized computer equipment believed to contain material "likely to be useful to a terrorist or potential terrorist".

Such possession is an offence under section 58 of the Terrorism Act 2000, and would open the individuals who held that material to criminal prosecution.

However, the material in question was encrypted, and when the police ordered the defendants to hand over the keys to this material, they refused to do so. In court, they argued that, irrespective of whether the material was illegal or not, handing it over could have the result of incriminating them in a crime – and that there were a number of precedents in English Law protecting against self-incrimination.

The Appeal Court ruling hinged on whether the encryption key could be said to have an existence separate from the "will" of the individual. The judges noted existing case law that "No one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose (him) to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred".

Against this, they cited the European Court in Saunders v UK, according to which "the right not to incriminate oneself … does not extend to the use in criminal proceedings of material which may be obtained from the accused through compulsory powers but which have an existence independent of the will of the suspect, such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing".

The Appeal Court judges therefore held that an encryption key – even one that exists only in the mind of a single defendant – does have an independent existence, and the defendants should hand it over.

Failing reversal in a higher court, this closes what might have been a loophole in RIPA.

Critics of RIPA continue to argue that the law is over-broad and capable of bringing about serious injustice. For instance, you could cause a lot of aggro for a work rival by dropping a file on their hard drive, entitled "My plans for blowing up the Houses of Parliament" - and then informing the Police.

A further criticism is levelled by those who point out that this law is essentially about policing memory. If you forget your encryption key, it is for you to prove to a court that this is a genuine – as opposed to "convenient" – lapse.

This question became all too real in one of the first outings for RIPA last year. Although the Act was passed in 2000, it was not finally activated until 2007. In this case, an animal rights’ activist was charged with failing to hand over an encryption key. Her defense was that she wasn’t even aware there were encrypted files on her hard drive and therefore was unable to comply with the CPS request.

For all that, encryption may still offer a useful alternative to being found guilty of some offences. The maximum penalty for failing to hand over an encryption key on demand is two years – or five years where you are being investigated under anti-terror legislation.

Critics of the legislation – including some childrens’ charities – have argued that this is not enough where individuals are under investigation for the most serious crimes, such as possession of child porn, for which the penalty is 10 years. A similar argument has been made in respect of publishing obscene material, for which the penalty has recently been raised to 5 years.

The thought is that, when faced with a choice between doing two years under RIPA or significantly longer under some other law, individuals are going to opt for the former.

A spokesperson for the Home Office disputes this. According to the Home Office, RIPA is an additional penalty, rather than an alternative, and it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation.

RIPA was intended to assist and to speed up inquiries – not substitute for them. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Adam Afriyie MP: Smart meters are NOT so smart
Mega-costly gas 'n' 'leccy totting-up tech not worth it - Tory MP
'Blow it up': Plods pop round for chat with Commonwealth Games tweeter
You'd better not be talking about the council's housing plans
Arrr: Freetard-bothering Digital Economy Act tied up, thrown in the hold
Ministry of Fun confirms: Yes, we're busy doing nothing
ONE EMAIL costs mining company $300 MEEELION
Environmental activist walks free after hoax sent share price over a cliff
Help yourself to anyone's photos FOR FREE, suggests UK.gov
Copyright law reforms will keep m'learned friends busy
Apple smacked with privacy sueball over Location Services
Class action launched on behalf of 100 million iPhone owners
UK government officially adopts Open Document Format
Microsoft insurgency fails, earns snarky remark from UK digital services head
You! Pirate! Stop pirating, or we shall admonish you politely. Repeatedly, if necessary
And we shall go about telling people you smell. No, not really
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.