Jailed for defending his privacy?

Online child protection is all over the news this week, with the resignation of Jim Gamble of CEOP (and part of his team) being rued by mainstream media, and welcomed by ISPs. However, a lower profile headline is equally interesting: a teenager jailed for 16 weeks for refusal to disclose his encryption password to police investigating indecent images on his PC.

This is a rare example of the RIPA paradox in action. Under the Regulation of Investigatory Powers Act (2000), police can demand that an individual hand over encryption keys as part of an investigation. Refusal to do so can result in a jail sentence which, in theory, could become indefinite if they stand by that refusal. The Act was much criticised for this when it was originally passed, since privacy campaigners pointed out the stalemate that might arise when an individual feels that they have the right to privacy over their personal data and refuses to disclose a key for that reason alone. On the other hand, it is quite possible that the individual in this particular case is not acting from a position of principle, and does in fact have something more serious hidden on his PC, in which case a 16-week sentence might be considered ‘getting off lightly’ from his point of view.

In general, this particular aspect of RIPA hasn’t worked out as badly as campaigners originally feared, since very few law-abiding individuals would choose jail over the principle of their privacy (although that by implication means that an individual who does opt for jail probably has something they wish to keep hidden from the authorities). But it is an ongoing worry, a case of legislating that old lie “nothing to hide, nothing to fear,” and when that approach is linked with child protection then great care is essential – after all, if refusal to disclose is taken as an admission of guilt, then individuals who find themselves wrongfully accused are obliged to disclose all their personal information, regardless of sensitivity, simply to clear their names.

Join the conversation


You're right: this highlights the clash between the pernicious "nothing to hide, nothing to fear" canard and the principle of innocence until guilt is proven. The best approach might be to offer the accused the option of disclosing their key (and data) to a disinterested third party - such as a judge - to decide whether the request for decryption is justified. If the judge rules that it is, and the accused still refuses, a penalty could be imposed. That seems to me to be more proportionate and accountable than allowing the police to treat it as a 'strict liability' offence.
Robin is wrong, I think. His solution would require the third party to prejudge the entire issue in the case of voluntary disclosure, and doesn't solve the problem that the process is initiated by police for their own reasons. The simplest and most comprehensive approach is to bring all RIPA requests themselves under court warrant, rather than have them a self-authorised and effectively arbitrary weapon of investigators. In order to demand a decryption key - or indeed communications data, or another intrusive surveillance measure - the investigators should have to satisfy a court that there were grounds for reasonable suspicion that it would yield evidence of the crime under investigation. Someone failing to disclose would then be disobeying the order of an independent court, not the interested instructions of police, and it would be much harder to suspect that the powers were being used capriciously or oppressively.
Regardless of approach, I think the point here is that the police shouldn't be the ones making RIPA decisions. Sooner or later someone who has genuinely lost or forgotten their crypto key is going to end up jailed for poor key management...