The sentencing of 19-year-old Oliver Drage for refusal to provide his encryption key has generated a lot of discussion. Drage was suspected of having child porn on his computer but apparently has not been tried or convicted on those charges — possibly because law enforcement couldn’t access what they suspect is the evidence on his hard drive. So Drage was charged with violating the Regulation of Investigatory Powers Act by not providing the encryption key and convicted of that offense. Whether the police were unable to find any evidence of child pornography from ISP logs is unknown. What is known is that you might be truly innocent of charges and still go to jail if you refuse to provide your encryption key to authorities investigating you.
Kevin Townsend writes:
Oliver Drage is 19 years old and a convicted and imprisoned criminal. His crime is that he declined to give the police the password to his computer. He is convicted of no other crime.
This really does raise some difficult issues. When I was 19 – and possibly even today in my, er, more mature years – if the police knocked on my door and demanded access to the content of my computer, I would politely decline. It is my computer and I have broken no laws. But what if they then said, publicly, well we think you have; we think you’re a paedophile and the proof is on your computer?
Read more on Kevin Townsend.
Is this issue comparable to one in which police demand a key to a locked suitcase that they believe contains evidence of a crime? Do they have to meet some probable cause or reasonable suspicion standard or get a court order to demand production of the key? The key itself is not the incriminating evidence, right?
This case represents the second conviction under RIPA for refusal to provide an encryption key. The Daily Mail reports:
Last year the first person jailed for not giving police access to encrypted material was a 33-year-old businessman known only as JFL.
He was not judged to be a threat to national security, and the encrypted material in question was not suspected of securing illegal material.
The man, who ran a software company in London, told a judge he was refusing to disclose the code on principle, on the basis that he should have a right to silence, but was jailed for 13 months for refusing to hand over his decryption keys.
That earlier case is more troubling to me in terms of privacy invasion and abuse of power. If there is no suspicion that an encrypted folder contains illegal material, what right does the law have to access it or to send you to prison for refusing to allow inspection? And if there is suspicion, then shouldn’t law enforcement be able to meet a probable cause standard? It almost sounds like law enforcement wants to use a lower standard to help it investigate someone to develop its charges against them. But why should they be allowed to do that? And would they be allowed to demand your encryption key here in the U.S. absent probable cause? In the Sebastien Boucher case, a magistrate judge quashed a subpoena requiring production of an encryption key on grounds that it would amount to compelling self-incrimination. The government appealed the decision, but the appellate court was able to avoid the issue when the government changed its request to simply producing an unencrypted version of the hard drive instead of the key to the encrypted version.