Feeds

RIPA ruling closes encryption key loophole

No pleas against self-incrimination allowed

The essential guide to IT transformation

A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.

The verdict handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the the defendants were alleged to have conspired to help an individual evade a control order imposed under terrorism legislation. At the time of their arrest, the police seized computer equipment believed to contain material "likely to be useful to a terrorist or potential terrorist".

Such possession is an offence under section 58 of the Terrorism Act 2000, and would open the individuals who held that material to criminal prosecution.

However, the material in question was encrypted, and when the police ordered the defendants to hand over the keys to this material, they refused to do so. In court, they argued that, irrespective of whether the material was illegal or not, handing it over could have the result of incriminating them in a crime – and that there were a number of precedents in English Law protecting against self-incrimination.

The Appeal Court ruling hinged on whether the encryption key could be said to have an existence separate from the "will" of the individual. The judges noted existing case law that "No one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose (him) to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred".

Against this, they cited the European Court in Saunders v UK, according to which "the right not to incriminate oneself … does not extend to the use in criminal proceedings of material which may be obtained from the accused through compulsory powers but which have an existence independent of the will of the suspect, such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing".

The Appeal Court judges therefore held that an encryption key – even one that exists only in the mind of a single defendant – does have an independent existence, and the defendants should hand it over.

Failing reversal in a higher court, this closes what might have been a loophole in RIPA.

Critics of RIPA continue to argue that the law is over-broad and capable of bringing about serious injustice. For instance, you could cause a lot of aggro for a work rival by dropping a file on their hard drive, entitled "My plans for blowing up the Houses of Parliament" - and then informing the Police.

A further criticism is levelled by those who point out that this law is essentially about policing memory. If you forget your encryption key, it is for you to prove to a court that this is a genuine – as opposed to "convenient" – lapse.

This question became all too real in one of the first outings for RIPA last year. Although the Act was passed in 2000, it was not finally activated until 2007. In this case, an animal rights’ activist was charged with failing to hand over an encryption key. Her defense was that she wasn’t even aware there were encrypted files on her hard drive and therefore was unable to comply with the CPS request.

For all that, encryption may still offer a useful alternative to being found guilty of some offences. The maximum penalty for failing to hand over an encryption key on demand is two years – or five years where you are being investigated under anti-terror legislation.

Critics of the legislation – including some childrens’ charities – have argued that this is not enough where individuals are under investigation for the most serious crimes, such as possession of child porn, for which the penalty is 10 years. A similar argument has been made in respect of publishing obscene material, for which the penalty has recently been raised to 5 years.

The thought is that, when faced with a choice between doing two years under RIPA or significantly longer under some other law, individuals are going to opt for the former.

A spokesperson for the Home Office disputes this. According to the Home Office, RIPA is an additional penalty, rather than an alternative, and it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation.

RIPA was intended to assist and to speed up inquiries – not substitute for them. ®

The essential guide to IT transformation

More from The Register

next story
GCHQ protesters stick it to British spooks ... by drinking urine
Activists told NOT to snap pics of staff at the concrete doughnut
Britain's housing crisis: What are we going to do about it?
Rent control: Better than bombs at destroying housing
What do you mean, I have to POST a PHYSICAL CHEQUE to get my gun licence?
Stop bitching about firearms fees - we need computerisation
Top beak: UK privacy law may be reconsidered because of social media
Rise of Twitter etc creates 'enormous challenges'
Redmond resists order to hand over overseas email
Court wanted peek as related to US investigation
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?