Government still wants your password

The battle to legally compel the disclosure of digital passwords and encryption keys continues.

Having been stopped short of removing immunity from self-incrimination in connection with information revealing a possible offence under the Climate Change Response Bill, the government appears to be trying to push through a similar provision in respect of some relatively trivial offences.

Green member of parliament (MP) Keith Locke, who has objected to the provision, says he is “worried about the whole area of evidence on computers”.

He suggests that, unlike physically written evidence, it may be easily “doctored” or misinterpreted.

“Moreover, the presence of an e-mail on one’s computer, even from a serious criminal, is not evidence that the communication was solicited or desired.”

The amending legislation is contained in the Counter-Terrorism Bill, so it may appear at first sight to deal with very serious matters. However, the bill incongruously includes a set of amendments to the Summary Offences Act, and it is here that the disclosure provision is placed.

Under the proposed amendments to this act, a constable with a search warrant, pursuing evidence of an offence, may “require a specified person to provide information that is reasonable and necessary to allow the constable to access data held in, or accessible from a computer … on the premises”.

Normally, forensic investigators just scan raw disk data, one source points out, so password disclosure is probably irrelevant. But encryption key disclosure is still significant.

A “specified person” is the owner of the computer, or someone with special knowledge of how to access it.

The preamble to the bill mentions the privilege against self-incrimination (New Zealand’s equivalent of the United States’ Fifth Amendment). The committee recommends insertion of a new subsection (2a) to “explicitly preserve this power”.

However, as Locke points out, the force of this is weakened by subsection (2b), which says the self-incriminating character applies only to the information requested – the password or encryption key – not to any information that may be revealed by using it. The latter is not protected.

Once the right to refuse self-incriminating evidence is removed in one piece of legislation, Locke suggests, it will become easier to do it in a number of laws.

InternetNZ is also considering making representations on this part of the bill.