alphaspirit - Fotolia

Activist Lauri Love faces order to disclose encryption keys

The UK’s National Crime Agency takes an unusual legal step to force a former university student accused of hacking to disclose encryption keys

The UK’s National Crime Agency (NCA) is attempting to force a political activist accused of hacking to disclose encryption keys in a case that could have ramifications for others who want to protect confidential information.

Lauri Love, age 31, is facing extradition to the US and a possible 99-year prison sentence after being accused of breaking into computer systems belonging to US government agencies, including the FBI, the Federal Reserve Bank and the Missile Defence Agency.

In an unusual legal move, the NCA is using civil court proceedings to force Love, who has Asperger syndrome, to hand over encryption keys and passwords at a hearing at Westminster Magistrates Court on 12 April 2016.

The agency, the UK’s equivalent of the FBI, arrested Love and seized computer equipment from his parents’ home in Stradishall, Suffolk, in 2013, for alleged offences under the Computer Misuse Act.

The NCA has not pressed any charges against Love, despite his earlier refusal to disclose passwords and encryption keys under Section 49 of the Regulation of Investigatory Powers Act (Ripa) and has released him from bail.

NCA uses contempt of court to force key disclosure

The latest attempt to force Love to hand over password and encryption keys came after Love launched legal action against the NCA to force it to return his computer equipment.

The NCA asked the court to order Love to disclose passwords and encryption keys as a precondition to returning Love’s property, documents filed in Westminster Magistrates court revealed.

The case is believed to be the first time police have used the threat of contempt of court under civil proceedings, rather than Section 49 of Ripa, to require disclosure of encryption keys. It could have wider ramifications for journalists and activists, said Richard Tynan, technology specialist at the human rights group Privacy International.

Lauri Love is facing extradition to the US and a possible 99-year prison sentence after being accused of breaking into US government computer systems

“The mere attempt by the government to secure court directions which include forced decryption is extremely worrying,” he said. “As a basic principle, individuals should not be compelled to potentially provide evidence against themselves. This is a long-standing principle with a sound legal basis.”

The NCA asked the court to order Love to provide witness statements stating whether two TrueCrypt files on his computer equipment contain data from the US Senate and the Department of Energy.

Police are also seeking a statement from Love on whether his Fujitsu laptop contains information to download the “Police Oracle” website and whether a Compaq computer contains pirated films.

Police moves threaten work of legitimate campaigners

Tynan said any technical and legal means used to undermine encryption – including forced key disclosure – threaten the public’s safety and jeopardise the ability for journalists and campaigners to hold powerful organisations to account.

“One only has to look at the attempt to compel the Guardian to turn over its source material in relation to the Snowden files, and the subsequent destruction of the hardware in the Guardian basement, to see how extreme the UK government is willing to act,” he said.

Love told Computer Weekly the police had “concocted a bunch of excuses” to avoid returning computer equipment they had no legal right to retain.

“In one of the cases, they said they found a bunch of films on the computer, so now they are very concerned about movie piracy,” he said. “They are not returning property which they would normally have to return.”

The NCA is understood to have passed images of Love’s computer disks to the FBI and is believed to be co-operating with the extradition request.

US accuses Love of hacking conspiracy

US prosecutors claim that Love was part of a sophisticated network of criminals involved in computer intrusions, and have filed separate criminal charges in New YorkNew Jersey and East Virginia.

He is alleged to have taken part in OpLastRestort, a protest by the hacktivist group Anonymous over the treatment of Aaron Swartz at the hands of the US legal system, after Swartz downloaded thousands of academic articles.

Swartz committed suicide following what his family described as “intimidation and prosecutorial over-reach” over a crime that had no victims.

Court documents claim that Love worked with accomplices to infiltrate a wide range of US government computers and steal personal information and credit card details of government employees.

The group is alleged to have exploited a known vulnerability in Adobe’s Cold Fusion software to access US government servers between 2012 and 2013.

Love is accused of uploading “shells” or “backdoors” into vulnerable servers and using them to gain administrator rights, which allowed the group to download “massive amounts” of sensitive information.

There is no suggestion in the indictments that Love profited from his activities, or that any personal or financial data was made public.

However, the case is potentially embarrassing for the US authorities as it highlights the government’s failure to protect its IT systems by patching a known security flaw.

“The US wants blood,” said Tor Ekeland, Love’s US attorney. “I really think they see Anonymous as a big threat to their control of information.”

Parallels with Gary McKinnon case

Love’s supporters draw parallels with hacker Gary McKinnon, who had his extradition blocked by home secretary Theresa May for humanitarian reasons following a 10-year legal battle.

“I think the same reasoning that stopped Gary McKinnon being extradited applies in Lauri’s case. They are very similar cases. I think on humanitarian grounds alone, this extradition should be blocked,” said Ekeland.

Naomi Colvin, campaigner for the advocacy group Courage Foundation, which is supporting Love, said he was in no condition to cope with the harsh conditions of the US prison system.

Other hackers and activists represented by the Courage Foundation have frequently faced hash treatment in US prisons, including loss of email and communication privileges, and solitary confinement, she said.

“Stays in solitary confinement are very damaging anyway, but the effect would probably be more severe in Lauri’s case,” she said. “Lauri has particular health and welfare needs and the US courts and prison system are not set up to deal with those.”

Guilty until proved innocent

Wikileaks founder Julian Assange said the NCA’s attempts to use civil proceedings against Love could set a precedent that would require people using encryption to prove to the police they were not holding illegal material – reversing the normal legal burden of proof.

“In the case of Lauri Love, the National Crime Agency is making a grab for even more police powers. If it succeeds, anyone who uses encryption will be considered suspect under the law – a breathtaking reversal of the presumption of innocence,” he said.

Love forced to seek prosecution in UK courts

Love said he had been placed in the invidious position of trying to persuade the UK courts to prosecute him.

“Even if I won all three cases in the US, that is more expense in legal fees than I would ever be able to repay. I would not get bail, so I would spend 10 years in pre-trial detention, just getting through the trials,” he said.

Love, who is now working as a security consultant, and speaking at security conferences, told Computer Weekly that he had been in legal limbo for two-and-a-half years, and had suffered stress and depression.

“It is particularly stressful for my parents,” he said. “I have been involved in activism for years, so I was kind of ready for this. The stress my parents feel is the thing I regret the most.”

Hacking conspiracy revealed in internet chat rooms

US prosecutors claim that Love used a variety of nicknames, including “nsh”, “route”, “peace”, “shift” and “Smedley Buttler”, to discuss the attacks with accomplices on Internet Relay Chat (IRC) rooms.

One discussion refers to an attack on the US Sentencing Commission server, which was defaced with a video supporting Aaron Swartz, according to documents filed in the US courts: “Found a whole bunch more sh*t on the hoster’s network … we are aiming to go public for 5am ESA=11am tomorrow UK … the script is finalised and the video will be ready tonight.”

On another occasion, Love is alleged to have written: “You have no idea how much we can f*ck with the US government if we want to … this … stuff is really sensitive … it’s basically every piece of information you need to do full identity theft on any employee or contractor.”

Another conversation revealed the group was able to download large quantities of data from US government servers: “Man this govwin site is really useful ... they do breakdowns of spending for all gov agencies .. org charts … related docents … related articles ... We need like a team of lots of people pouring over this data.” 

Read more on Hackers and cybercrime prevention

Data Center
Data Management