Court of Appeal orders men to disclose encryption keys

Two men have been told that they cannot rely on their right to silence to refuse to give British police a computer password.

The men had claimed that forcing them to hand over the key to encrypted data on their computers would be forcing them to incriminate themselves. 

Defendants have a right to silence and to refuse to divulge information which would act as evidence against them.

The Court of Appeal has said, though, that an encryption password is not in itself incriminating information and that both it and the information on the computers exist outside of and independent of the men. It said they do not have the right to refuse to divulge the keys.

Two men, identified in court as S and A, were arrested by police and computers were gathered by police as evidence. 

Parts of the computer were encrypted, and police caught S halfway through entering his encryption password into a computer.

The two men were arrested for helping a third man, H, in a secret house move. H was subject to a control order under anti-terrorism legislation which said he could not move house without permission from the authorities.

Article continues after advert

S was charged in relation to offences under the Terrorism Act and S and A were both served with notices under the Regulation of Investigatory Powers Act (RIPA) ordering them to disclose their encryption passwords. The notices indicated why police believed that disclosure was necessary in the interests of national security and the prevention or detection of crime.

The authorities can demand disclosure of such keys because in the eyes of the law the information on the computers is already in the possession of the police. An order for password disclosure can be made, said Mr Justice Penry-Davey in the Court of Appeal, "no alternative, reasonable method of gaining access to it or making it intelligible is available".

If that order has been legally made and the computers have been lawfully acquired by the police, it is a criminal offence to refuse to hand over the password. Anyone not handing over the password could be jailed for up to two years or up to five years in cases involving national security.