U.K. appeals court rejects encryption key disclosure defense

LONDON – Defendants can’t deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.

The case marked an interesting challenge to the U.K.’s Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC’s hard drive. Failure to do so could mean a two-year prison sentence or up to five years if the case involves national security.

The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination.

One of the suspects had been ordered not to move house without permission under a terrorism-prevention act. The man defied the order, and he and another man were arrested, according to the ruling from the England and Wales Court of Appeal Criminal Division. Police also seized encrypted material on a disc belonging to the first man. When the second man was arrested, police saw he had partially entered an encryption key into a computer.

In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person’s will. “The key to the computer equipment is no different to the key to a locked drawer,” the court found. “The contents of the drawer exist independently of the suspect; so does the key to it. The contents may or may not be incriminating: the key is neutral.”

The right against self incrimination is not without bounds, as suspects also can’t refuse to give a DNA sample if properly compelled.

RIPA, passed in 2000 by the U.K. Parliament, is intended to give police new powers to conduct covert surveillance and wiretap operations in respect to new communication technologies.

The third part of RIPA concerning the disclosure of encryption keys came into force in October 2007. It was delayed since when RIPA was approved, law enforcement wasn’t seeing wide use of encryption. It was also one of the more controversial parts of RIPA, as critics said companies could be at risk if law enforcement mishandled their data.

To obtain a key, a so-called “Section 49” request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that recipients of a Section 49 request not tell anyone except their lawyer that they have received it.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now