alphaspirit - Fotolia

NCA attempts 'back door' access to obtain activist Lauri Love’s passwords

Court told that use of civil proceedings to force disclosure of alleged hacker Lauri Love's passwords is disproportionate and would breach human rights law

Britain’s security services have been criticised for trying to obtain the passwords of an alleged computer hacker “by the back door”.

Activist Lauri Love, aged 31, is facing extradition to the US and a possible 99-year prison sentence after allegedly downloading “massive quantities” of data from US government computer systems.

He is accused of breaking into computer systems belonging to US government agencies, including the FBI, the Federal Reserve Bank and the Missile Defence Agency.

During a hearing at Westminster Magistrate’s Court on 12 April 2016, Stephen Cragg, representing Love, said the UK’s National Crime Agency (NCA) is attempting to use civil court proceedings to obtain access to encrypted files on Love’s computer equipment.

The move constituted an attempt to bypass the proper statutory mechanism for seeking keys and passwords – section 49 of the Regulation of Investigatory Powers Act (RIPA) – and the legal safeguards it contained, Cragg told the court.

“There is a concern that the NCA is seeking in this application to access Mr Love's data by the back door, rather than by the route sanctioned by Parliament in RIPA,” he said.

Love, the son of a church minister, is suing the NCA for the return of five items of computer equipment, seized by the police during a raid on his parent’s home in Stradishall, Suffolk, in October 2013.

Court documents show that an officer from the NCA posed as delivery courier to gain access to the property, accompanied 14 police officers who searched the house and seized computer equipment belonging to the family.

‘It is everything I have ever made: Writing, software, photos, correspondence, memories of an inestimable personal sentimental value’

Activist Lauri Love

Love, a former electrical engineering student turned activist, argued that, as he has not been charged with any offences, the NCA should return his laptop and hard drives containing personal correspondence and photographs.

“My property is being held to ransom. It is not just the devices that cost money – and I don't have a lot of money – but it is everything I have ever made: writing, software, photos, correspondence, memories of an inestimable personal sentimental value,” he said, speaking after the hearing.

Disappearing evidence

Ben Keith, representing the NCA, told the court that there was evidence of material on Love’s computer equipment that did not belong to him.

The NCA had taken screen shots which showed a list of file structures and a directory of employees from the US Department of Energy (DoE), he said. Other screen shots showed material from the US military.

“That information was the only material we took from the computer before it turned itself off and encryption stepped in,” he said.

One of Love’s hard drives contained information about the Police Oracle website, and may contain encrypted passwords to the site; while another computer may contain material downloaded in breach of copyright, he told the court.

“There are a number of items that are said to be in breach of copyright, containing film and music that Love does not own.”

NCA ‘failed to establish encryption’

Love – who was given permission to address the court – said Keith had misrepresented the evidence.

He questioned whether the screen shots showed material from the DoE and said there was no claim he had accessed the Police Oracle website.

“The NCA has failed to establish whether there is encryption on the devices,” he said. “Unless the court can establish the encryption exists and it should be decrypted, the court must be very wary.”

Human rights concerns

Cragg told the court that using civil procedures to force Love to disclose encryption keys would breach his rights under the Human Rights Act – including the right to respect for his private life and the right to the peaceful enjoyment of his possessions.

Cragg also raised questions about the timing of the NCAs application for Love’s passwords and encryption keys.

“A notice was issued to Love in Feb 2014  – two years ago –  and he has not provided the information. There are procedures that could ensue and they have not been used. Two years on we find ourselves in court with the NCA seeking exactly the same notice as in Feb 2014.”

He told the court, that Love was concerned that if he hands over encryption keys and passwords, that could be used against him at a later date.

“Mr Love has an understandable concern that if an application is made and he wants to persue his case [to seek return of his equipment], he runs the risk the information would be used for other purposes. He should not be forced to incriminate himself,” he said.

Keith, representing the NCA, said the court had to conduct a balancing exercise, to weigh Love’s rights under the Human Rights Act, against the NCA’s claim for the passwords and encryption keys.

Judge Nina Tempia reserved judgement until 10 May 2016.


Lauri Love’s road to court

  • November 2015
    Lauri Love launches legal action against the NCA for the return of his computer equipment: A desktop computer, two laptops, two external hard drives and an SD card.
  • 15 July 2015
    Love is re-arrested by the extradition unit of the Metropolitan Police.
  • 3 July 2015
    Love withdraws his court action against the NCA, after it returns 25 items seized from his home, including laptops, computers, memory sticks and hard drives. The NCA retains six other items of computer equipment which it alleges contain encrypted files.
  • May 2015
    The National Crime Agency returns a number of items it had seized from his parents' house, but holds on to two desktops, a laptop and other devices which officers said they had been unable to decrypt.
  • March 2015
    Love launches his first legal action against the NCA for the return of computer equipment seized from his home, under the Police (Property) Act. Bury St Edmunds Magistrate’s Court gives case management directions that Love provides decryption keys. Love objects, then withdraws his application to recover his property.
  • November 2014
    The NCA offers to return Love’s remaining property, on condition that it forensically wipes the data on the devices. Love refuses, saying the devices contain everything he owns digitally, including personal photographs, writing and other creative pieces of work.
  • 24 July 2014
    The Eastern District of Virginia indicts Love for allegedly hacking computers at the Department of Energy, the US Department of Health and Social Services, the US Sentencing Commission, the FBI’s Regional Computer Forensics Laboratory and two companies, Deltek and Forte Interactive.
  • 7 July 2014
    The National Crime Agency releases Lauri Love from bail.
  • 27 February 2014
    Love is charged in New York, with allegations of working with other computer hackers to access the computer servers of the US Federal Reserve Bank. He is accused of stealing confidential information – including emails and phone numbers – and posting it to a website.
  • February 2014
    The government attempts to force Love to hand over his encryption keys under Section 49 of the Regulation of Investigatory Powers Act (RIPA). Love refuses, facing a possible jail sentence of two years. UK police makes no attempt to prosecute.
  • November 2013
    Supporters raise concerns that Lauri Love will be extradited to the US, where he would face much harsher treatment under US law.
  • 28 October 2013
    Love is indicted in New Jersey for hacking US government computer systems run by the Army, Missile Defence Agency,  Environmental Protection Agency, and Nasa. Authorities allege he worked with accomplices to hack into thousands of computer systems and downloaded confidential information on thousands of people, including members of the military.
  • 25 October 2013
    The National Crime Agency arrests 28-year-old Lauri Love under the UK’s Computer Misuse Act, on suspicion of network intrusion offences against the US Army, US military and US Government. He is released on bail until February 2014.

Read more on IT for government and public sector

CIO
Security
Networking
Data Center
Data Management
Close