Court of Appeal orders men to disclose encryption keys

Out-Law News | 16 Oct 2008 | 4:51 pm | 4 min. read

Two men have been told that they cannot rely on their right to silence to refuse to give British police a computer password.

The men had claimed that forcing them to hand over the key to encrypted data on their computers would be forcing them to incriminate themselves. Defendants have a right to silence and to refuse to divulge information which would act as evidence against them.

The Court of Appeal has said, though, that an encryption password is not in itself incriminating information and that both it and the information on the computers exist outside of and independent of the men. It said they do not have the right to refuse to divulge the keys.

Two men, identified in court as S and A, were arrested by police and computers were gathered by police as evidence. Parts of the computer were encrypted, and police caught S halfway through entering his encryption password into a computer.

The two men were arrested for helping a third man, H, in a secret house move. H was subject to a control order under anti-terrorism legislation which said he could not move house without permission from the authorities.

S was charged in relation to offences under the Terrorism Act and S and A were both served with notices under the Regulation of Investigatory Powers Act (RIPA) ordering them to disclose their encryption passwords. The notices indicated why police believed that disclosure was necessary in the interests of national security and the prevention or detection of crime.

The authorities can demand disclosure of such keys because in the eyes of the law the information on the computers is already in the possession of the police. An order for password disclosure can be made, said Mr Justice Penry-Davey in the Court of Appeal, if "no alternative, reasonable method of gaining access to it or making it intelligible is available".

If that order has been legally made and the computers have been lawfully acquired by the police, it is a criminal offence to refuse to hand over the password. Anyone not handing over the password could be jailed for up to two years or up to five years in cases involving national security.

People have a right not to incriminate themselves, but the Court of Appeal said that it was not an absolute right and that there were exceptions to it in cases of legitimate public interest.

Mr Justice Penry-Davey also pointed out that the right not to self-incriminate does not apply to evidence which has an existence independent of the person involved.

The judge quoted a previous ruling which established that principle. "There is a distinction between the compulsory production of documents or other material which have an existence independent of the will of the suspect or accused person and statements that he has had to make under compulsion. In the former case there is no infringement of the right to silence and the right not to incriminate oneself. In the latter case there could be, depending on the circumstances," said the ruling in the 2003 case of R v Kearns.

Mr Justice Penry-Davey said that the key did exist independently of the two men's wills, as did the data on the computers.

"In this sense the key to the computer equipment is no different to the key to a locked drawer," said the judge. "The contents of the drawer exist independently of the suspect: so does the key to it. The contents may or may not be incriminating: the key is neutral. In the present cases the prosecution is in possession of the drawer: it cannot however gain access to the contents. The lock cannot be broken or picked, and the drawer itself cannot be damaged without destroying the contents."

"The actual answers, that is to say the product of the appellants' minds could not, of themselves, be incriminating. The keys themselves simply open the locked drawer, revealing its contents," he said.

Mr Justice Penry-Davey did concede, though, that if the computers were found to contain incriminating material then the fact that the two men knew what the passwords were could itself become incriminating evidence. The fact of their knowledge of the password, and not the password itself, could incriminate them.

In this case the trial judge in relation to the terrorism offences would be able to order that the manner of the discovery of the computer-stored information could be concealed.

"If the material were, as we have assumed, incriminatory, it would be open to the trial judge to exclude evidence of the means by which the prosecution gained access to it. Accordingly the extent to which the privilege against self-incrimination may be engaged is indeed very limited," said Mr Justice Penry-Davey.

The Court said that there was a balance between the rights of the two men not to incriminate themselves and the needs of society to be protected, and that the systems in place held that balance.

"The material which really matters is lawfully in the hands of the police. Without the key it is unreadable. That is all. The process of making it readable should not alter it other than putting it into an unencrypted and intelligible form that it was in prior to encryption; the material in the possession of the police will simply be revealed for what it is. To enable the otherwise unreadable to be read is a legitimate objective which deals with a recognised problem of encryption."

"Procedural safeguards and limitations on the circumstances in which this notice may be served are addressed in a comprehensive structure, and in relation to any subsequent trial, the powers under section 78 of the 1984 [Police and Criminal Evidence] Act to exclude evidence in relation, first, to the underlying material, second, the key or means of access to it, and third, an individual defendant's knowledge of the key or means of access, remain. Neither the process, nor any subsequent trial can realistically be stigmatised as unfair," said the ruling.

RIPA was changed last year to bring into force the legal requirement for people to divulge encryption keys. It has been opposed by human rights activists and defended by the Government.

Security expert Dr Richard Clayton even told OUT-LAW when the plans to introduce the law were announced that its very introduction could obscure more material from police eyes.

"I think putting the powers on the statute book will make it more, not less, likely that police will encounter encrypted material because people will become aware of dual key systems and see how easy they are to use," he said.
