People convicted in UK for refusing to surrender cryptographic keys

By EDRi · August 26, 2009

This article is also available in:
Deutsch: [Verurteilungen in Großbritannien für die Weigerung, Entschlüsselungen herauszugeben |]

According to the Annual Report of the Chief Surveillance Commissioner Sir
Christopher Rose to the UK Prime Minister and Scottish Ministers, people
were sentenced between 1 April 2008 and 31 March 2009 for not having given
their passwords or cryptographic keys, on the basis of powers provided to
authorities by section 49 of the Regulation of Investigatory Powers Act
(RIPA) that came into force in October 2007.

The law, initially intended to deal with organised crime and terrorism,
allows the police and other enforcement agencies to demand from a person
passwords, encryption keys or a clear text transcript of encrypted texts.
Failure to comply can result in two years imprisonment for cases not
involving national security, or five years for terrorism or similar
offences. The required data can be even several years old.

The report, ordered by the House of Commons, shows that there were 26
applications for section 49 RIPA powers, out of which 17 obtained permission
from a judge to proceed. Out of the 17, 15 notices were served and 11 people
having received the notices failed to comply with the request. The actions
resulted in seven charges being brought and two convictions. According to
the report, the types of crimes under investigation in these cases were
“counter terrorism, child indecency and domestic extremism”.

Sir Christopher was unable to give details on the two convictions or the
situations regarding the other five charges as the former High Court judge
did not provide such information and the Crown Prosecution Service stated it
could not track down any information on the cases without the defendants’

According to The Home Office, the National Technical Assistance Centre
(NTAC) where the police is suppose to apply in order to obtain a section 49
notice do not follow up the results of the notices they approve and UK
Government Communications Headquarters which apparently covers NTAC, did not
answer to the request of revealing some information on these cases.

Annual Report of the Chief Surveillance Commissioner to the Prime Minister
and to Scottish Ministers for 2008-2009 (21.07.2009)

Initial password prosecutions in UK (17.08.2009)

Two convicted for refusal to decrypt data (12.08.2009)

EDRi-gram: UK: Decrypt data or go to prison! (10.10.2007)