How Refusing to Hand Over Your Passwords Can Land You in Jail
The latest UK case of refusing to hand over crypto-keys shows how widely a law originally intended as a counter-terrorism measure can be applied.
A 22-year-old man has been jailed for six months after refusing to provide passwords to his encrypted hard-drives, the Daily Mail reported. He was imprisoned under a section of RIPA, a UK law that was originally pushed as a counter-terrorism measure, but which has now ballooned to cover many different aspects of crime—something that has got civil liberties groups worried.
Christopher Wilson is suspected of attempting to break into a law enforcement website and “trolling” the Newcastle Police by fooling them with a prank phone call. However, these are not what he is going to prison for: he's spending time behind bars for not giving up his passwords.
Section 49 of the Regulation of Investigatory Powers Act 2000 (RIPA) allows law enforcement to demand a suspect hand over the password to encrypted files (which they refer to as “key to protected material”), or to provide unencrypted copies of the material that agencies are after. If a suspect refuses to do this, it is considered an offence and, under section 53 of the same law, carries the possibility of up to two years imprisonment, and up to five years if the case is one of national security.
Mike Harris, campaign director of open rights group Don't Spy on Us, told me that RIPA doesn't just deal with serious crime, and agencies that can use it include HMRC—the part of the UK government that deals with tax and other financial issues. According to the legislation, any of the intelligence services (GCHQ, MI5 and MI6), the police, and the National Crime Agency (the recently introduced UK version of the FBI, essentially) can make requests to suspects to provide passwords.
“It isn't up to a judge whether someone should hand over their private key. You have to do it if requested [by an agency]. Then if you refuse, you definitely go to court,” Harris told me. Wilson's case is the latest to show quite how broadly the law can be applied.
The first known case of someone being formally charged with refusing to provide their password, however, came a little later in 2009, and involved "JFL", a “science hobbyist with no previous criminal record,” according to the Register. JFL was given a section 49 notice, but he refused to disclose his keys and was sentenced to nine months imprisonment.
There was also the case of Syed Hussain, who admitted to driving a remote-controlled toy car carrying a home-made bomb into an army barracks. Hussian refused to hand over a password to an encrypted USB stick for 20 months, until giving it to investigators in December 2013. According to Spy Blog, this is the first conviction for refusing to reveal a password involving “national security”, which put five years on top of Hussain's sentence.
That's obviously a very different situation to the kind presented by JFL or Wilson, the computer science student. Over its short history, this legislation has been used in a wide variety of cases.
In 2012/2013, 26 demands for a password were made, and 19 people refused to comply. Of those, three were convicted for not doing so. This is all according to the latest report from the Office of Surveillance Commissioners, the body that monitors use of RIPA, and the Open Rights Group provide a breakdown of the use of the law over the years.
In 2009/2010, section 49s were issued to deal with illegal broadcasting and theft, amongst other things, reported the Register.
According to Harris, this broad spectrum of cases the law can be used in is a problem. The legislation states that a section 49 notice can be issued “in the interests of national security,” “for the purpose of preventing or detecting crime,” and “in the interests of the economic well-being of the United Kingdom.”
“Protecting economic interests; that's very broad,” he said, and crime “could be anything from downloading illegal music or minor crimes such as a traffic violation.”
Another problem he has with RIPA Part III is that the application of the law may be disproportionate to whatever crime has been allegedly committed. “There will be incidences when the police do need to ask people for their private keys and to decrypt data,” Harris said, “but that needs to be done in a way that is necessary and proportionate.”
And jailing someone for not providing a password—and not the crime they are originally under investigation for—could end up being disproportionate. “You can be totally innocent of a crime, but the criminal act is the refusal to pass over the key,” he explained.
Even politicians responsible for the law have voiced worries about it. “It's been described as a bad piece of legislation,” Harris said. Indeed, former home secretary David Blunkett stated that RIPA is a problem law in an interview with the Guardian (referring to the law in its broad sense, not specifically with handing over encryption keys).
Wilson's case highlights how a law originally drafted to deal with issues of national security and terrorism has been amended to the point where it can be applied to pretty much anything.