Online child protection is all over the news this week, with the resignation of Jim Gamble of CEOP (and part of his team) being rued by mainstream media, and welcomed by ISPs. However, a lower profile headline is equally interesting: a teenager jailed for 16 weeks for refusal to disclose his encryption password to police investigating indecent images on his PC.
This is a rare example of the RIPA paradox in action. Under the Regulation of Investigatory Powers Act (2000), police can demand that an individual hand over encryption keys as part of an investigation. Refusal to do so can result in a jail sentence which, in theory, could become indefinite if they stand by that refusal. The Act was much criticised for this when it was originally passed, since privacy campaigners pointed out the stalemate that might arise when an individual feels that they have the right to privacy over their personal data and refuses to disclose a key for that reason alone. On the other hand, it is quite possible that the individual in this particular case is not acting from a position of principle, and does in fact have something more serious hidden on his PC, in which case a 16 week sentence might be considered 'getting off lightly' from his point of view.
In general, this particular aspect of RIPA hasn't worked out as badly as campaigners originally feared, since very few law-abiding individuals would choose jail over the principle of their privacy (although that by implication means that in all probability an individual who does opt for jail probably has something they wish to keep hidden from the authorities). But it is an ongoing worry, a case of legislating that old lie "nothing to hide, nothing to fear," and when that approach is linked with child protection then great care is essential - after all, if refusal to disclose is taken as an admission of guilt, then individuals who find themselves wrongfully accused are obliged to disclose all their personal information, regardless of sensitivity, simply to clear their names.