British court: people are bound to reveal computer encryption key
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
Two persons were denied by the court the right to silence in relation to the encryption key they were asked to reveal to the police.
The men had brought as argument to the court that handing over the encrypted key for the data in their computers would mean forcing them to incriminate themselves. Defendants have a right to silence and to refuse to divulge information that could be used as evidence against them.
The Court of Appeal however considered that an encryption password is not incriminating information in itself and that the key as well as the information in the computers existed independently from the men just like any key to a drawer and its content. Therefore, the men had no right to deny the police the encryption keys.
The two men had been arrested the police for having been involved with a person who was subject to a control order under anti-terrorism legislation and their computers had been seized. The police had sent notices ordering the men to disclose the passwords in the interest of national security and the prevention or detection of crime. The authorities can ask disclosure of such keys because, in terms of the law, the information on the computers is already in the possession of the police and an order for password disclosure can be made, if "no alternative, reasonable method of gaining access to it or making it intelligible is available" as expressed by Mr Justice Penry-Davey in the Court of Appeal.
According to the Regulation of Investigatory Powers Act (RIPA), the refusal to reveal a decryption key can be punished with imprisonment up to 5 years. The clause covering this measure has been included in RIPA act since 2007 but has not been activated until 1 October 2008 because, last year, the Home Office considered that the encryption was not as popular as it had been predicted. Part III of RIPA was activated after a period of consultation. People receiving notice from the police are bound to reveal the encryption keys or render the requested material intelligible by authorities.
The clause has been criticised by civil liberties activists and security experts who consider that the measure affects privacy and can lead to persons being forced to incriminate themselves. An argument against the action is also that passwords can be forgotten and people may pretend to have forgotten or really forget them.
According to the Home Office, the process will be overseen by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner and complaints about demands for information will be made by the Investigatory Powers Tribunal. The Home Office considers that the actions are consistent with the European Convention on Human Rights and the UK Human Rights Act as long as the demand for decryption is "both necessary and proportionate". "The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information," stated the Home Office.
But besides the concerns raised by civil liberties activists, there are also voices that warn the measure may even lead to hiding more material from the Police.
"I think putting the powers on the statute book will make it more, not less, likely that police will encounter encrypted material because people will become aware of dual key systems and see how easy they are to use," commented security expert Dr Richard Clayton.
Court of Appeal orders men to disclose encryption keys (16.10.2008)
England and Wales Court of Appeal (Criminal Division) Decisions (9.10.2008)
RIPA could be challenged on human rights (24.01.2008)
Law requiring disclosure of decryption keys in force (2.10.2007)