Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Suspects must reveal encryption keys, court rules

UK spooks in sigh of relief.

By Jeremy Kirk, IDG News Service | Published: 16:11, 14 October 2008

Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.

The case marked an interesting challenge to the UK's Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive.

Failure to do so could mean a two-year prison sentence or up to five years if the case involves national security.

The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination.

One of the suspects had been ordered not to move house without permission under a terrorism-prevention act. The man defied the order, and he and another man were arrested, according to the ruling from the England and Wales Court of Appeal Criminal Division.

Police also seized encrypted material on a disc belonging to the first man. When the second man was arrested, police saw he had partially entered an encryption key into a computer.

In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will.

"The key to the computer equipment is no different to the key to a locked drawer," the court found. "The contents of the drawer exist independently of the suspect; so does the key to it. The contents may or may not be incriminating: the key is neutral."

The right against self-incrimination is not without bounds, as suspects also can't refuse to give a DNA sample if properly compelled.

RIPA, passed in 2000 by the UK Parliament, is intended to give police new powers to conduct covert surveillance and wiretap operations in respect to new communication technologies.

The third part of RIPA concerning the disclosure of encryption keys came into force in October 2007. It was delayed since when RIPA was approved, law enforcement wasn't seeing wide use of encryption. It was also one of the more controversial parts of RIPA, as critics said companies could be at risk if law enforcement mishandled their data.

To obtain a key, a so-called "Section 49" request must first be approved by a judicial authority, chief of police, the customs and excise commissioner or a person ranking higher than a brigadier or equivalent. Authorities can also mandate that recipients of a Section 49 request not tell anyone except their lawyer that they have received it.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.