British court: people are bound to reveal computer encryption key

By EDRi · October 22, 2008

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Two persons were denied by the court the right to silence in relation to the
encryption key they were asked to reveal to the police.

The men had brought as argument to the court that handing over the encrypted
key for the data in their computers would mean forcing them to incriminate
themselves. Defendants have a right to silence and to refuse to divulge
information that could be used as evidence against them.

The Court of Appeal however considered that an encryption password is not
incriminating information in itself and that the key as well as the
information in the computers existed independently from the men just like
any key to a drawer and its content. Therefore, the men had no right to deny
the police the encryption keys.

The two men had been arrested the police for having been involved with a
person who was subject to a control order under anti-terrorism legislation
and their computers had been seized. The police had sent notices ordering
the men to disclose the passwords in the interest of national security and
the prevention or detection of crime. The authorities can ask disclosure of
such keys because, in terms of the law, the information on the computers is
already in the possession of the police and an order for password disclosure
can be made, if “no alternative, reasonable method of gaining access to it
or making it intelligible is available” as expressed by Mr Justice
Penry-Davey in the Court of Appeal.

According to the Regulation of Investigatory Powers Act (RIPA), the refusal
to reveal a decryption key can be punished with imprisonment up to 5 years.
The clause covering this measure has been included in RIPA act since 2007
but has not been activated until 1 October 2008 because, last year, the Home
Office considered that the encryption was not as popular as it had been
predicted. Part III of RIPA was activated after a period of consultation.
People receiving notice from the police are bound to reveal the encryption
keys or render the requested material intelligible by authorities.

The clause has been criticised by civil liberties activists and security
experts who consider that the measure affects privacy and can lead to
persons being forced to incriminate themselves. An argument against the
action is also that passwords can be forgotten and people may pretend to
have forgotten or really forget them.

According to the Home Office, the process will be overseen by the
Interception of Communications Commissioner, the Intelligence Services
Commissioner and the Chief Surveillance Commissioner and complaints about
demands for information will be made by the Investigatory Powers Tribunal.
The Home Office considers that the actions are consistent with the European
Convention on Human Rights and the UK Human Rights Act as long as the demand
for decryption is “both necessary and proportionate”. “The measures in Part
III are intended to ensure that the ability of public authorities to protect
the public and the effectiveness of their other statutory powers are not
undermined by the use of technologies to protect electronic information,”
stated the Home Office.

But besides the concerns raised by civil liberties activists, there are also
voices that warn the measure may even lead to hiding more material from the

“I think putting the powers on the statute book will make it more, not less,
likely that police will encounter encrypted material because people will
become aware of dual key systems and see how easy they are to use,”
commented security expert Dr Richard Clayton.

Court of Appeal orders men to disclose encryption keys (16.10.2008)

England and Wales Court of Appeal (Criminal Division) Decisions (9.10.2008)

RIPA could be challenged on human rights (24.01.2008)

Law requiring disclosure of decryption keys in force (2.10.2007)