Monday, June 29, 2009

Incrimination and Encryption -- UK Style

I’ve done a couple of posts about the 5th Amendment privilege against self-incrimination’s applicability to encryption keys. I’ve analyzed whether US officers can compel someone to give up their encryption key without violating the privilege.

This post is about how that issue is handled – or has been handled – under UK law. I am indebted to Professor Ian Walden of the School of Law, Queen Mary, University of London for the case I’m going to write about.

The case is R. v. S and A, [2008] EWCA Crim. 2177 (Court of Appeal – Criminal Division 2008). Here are the facts that led to the charges:
H was made the subject of a control order under the Prevention of Terrorism Act 2005 . The order obliged him . . . not to leave his home address without the consent of the Secretary of State for the Home Department. [S and A] are alleged to have conspired . . . with H and others, to breach that order. The objective . . . was to assist H to abscond from his address in Leicester and to convey him to a new, secret address in Sheffield. On 9 September 2007 S collected H and drove him there. Shortly after their arrival in Sheffield the police entered the premises. H was in one room and S was in another

alone [with] a computer. The key to an encrypted file appeared to have been partially entered. He was arrested, and . . . made no comment. . . . [H]is home in London was searched. The search revealed computer material. Various documents had been deleted from the computer hard drives, but when retrieved, they provided the basis for charges . . . under section 58 of the Terrorism Act 2000, that is, possessing documents or records . . . likely to be useful to a terrorist or potential terrorist. However without the encryption keys . . ., the encrypted files could not be accessed and their contents examined.
R v. S and A, supra.

S and A were charged with conspiracy to breach the control order imposed on H. S was arrested; after refusing to answer questions, was charged under § 58 of the Terrorism Act. He was then served with a notice under § 53 of the UK Regulation of Investigatory Powers Act 2000. Under § 53, officers can order someone to give up their encryption key; it is a crime to comply with such an order.

The disclosure notice identified the purpose of seeking the key as the “investigation of protected electronic information”; it explained that S was legally obliged to comply and that refusing to do so constituted a crime. R v. S and A. supra. It then read as follows:
I hereby require you to disclose a key or any supporting information to make information intelligible [T]he information to which this notice relates is: the full encryption key in order to access the encrypted volume of the laptop computer that is exhibited as exhibit AM/1 under file path: C:\ Documents and Settings\Administrator\My Documents\My Videos, within a file called Ronin.wma. This was found in the room where you were arrested. . . .’
R. v. S and A, supra. The notice explained the “circumstances in which the” encryption key implicated the “interests of national security and the detection of crime.” It said S could comply by providing the information in “verbal or written” form. S did not comply, claiming that requiring him to disclose the encryption keys violated the privilege against self-incrimination. The judge who ruled on that claim rejected it, so S appealed.

In the US, the 5th Amendment creates the privilege against self-incrimination. In the U.K., the privilege arises under Article 6 of the European Convention on Human Rights. Article 6 doesn’t mention the privilege, but it creates a right to a fair trial in criminal cases. In a 1996 case from the U.K., the European Court of Human Rights held that Article 6 implements the privilege against self-incrimination:
Although not specifically mentioned in Article 6 . . ., the right to remain silent . . . and the privilege against self-incrimination are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6. . . . By providing the accused with protection against improper compulsion by the authorities these immunities contribute to . . . securing the aims of Article 6.
Murray v. United Kingdom, 22 Eur. H.R. Rep. 29 (1996). S, then, has the privilege against self-incrimination under U.K. law. The issue is whether he can invoke it.

In ruling on the issue, the Court of Appeal began its analysis by noting that under prior cases, the issue was whether the constituted a “statement” S was being compelled to make or a “piece of information with an existence separate from his `will’”. If it was a separate piece of information, S could not claim the privilege; it had to be a statement.

The court found that while the key had an existence separate from S’s will, the analysis was not that simple. It noted that if police learned S had the key in his possession, their knowledge of that was incriminating evidence. So the court found “the privilege against self-incrimination may be engaged by a requirement of disclosure of knowledge of the means of access to protected data under compulsion of law”. R. v. S and A, supra. In this, it disagreed with the lower court, which essentially found that since the key had an independent existence, it did not come within the scope of the privilege.

That was not the end of the matter. The court noted that while S’s knowledge of the
means of access to the data may engage the privilege . . ., it would only do so if the data itself - which . . . exists independently of the will of [S] and to which the privilege . . . does not apply - contains incriminating material. If that data was neutral or innocent, the knowledge of the means of access to it would . . . be neutral or innocent. . . . [I]f the material were, . . . incriminatory, it would be open to the trial judge to exclude evidence of the means by which the prosecution gained access to it. Accordingly the extent to which the privilege against self-incrimination may be engaged is indeed very limited.
R. v. S and A, supra. The Court of Appeals then addressed an issue that does not arise under the US version of the privilege against self-incrimination:
[T]he question which arises, if the privilege is engaged at all, is whether the interference with it is proportionate and permissible. . . . The material which really matters is lawfully in the hands of the police. Without the key it is unreadable. That is all. The . . . material in the possession of the police will simply be revealed for what it is. To enable the otherwise unreadable to be read is a legitimate objective which deals with a recognised problem of encryption. The key . . . is . . . a fact. It does not constitute an admission of guilt. Only knowledge of it may be incriminating. . . .The requirement for information is based on the interests of national security and the prevention and detection of crime. . . . [T]he requirement to disclose extends no further than the provision of the key . . . or access to the information. No further questions arise. . . . Procedural safeguards . . . are addressed . . . in the powers under section 78 of the 1984 Act to exclude evidence in relation, first, to the underlying material, second, the key or means of access to it, and third, an individual defendant's knowledge of the key or means of access, remain.
R. v. S and A, supra. The Court of Appeals therefore upheld the lower court’s order requiring S to give up the encryption key, which meant S would be charged with refusing to comply with a disclosure notice. In closing, it noted that if S were to give up the key, “we suspect the prosecution would be disinclined” to pursue the charge and, if it did, the judge “would take a merciful view when addressing sentence”. R. v. S and A, supra.

I disagree with the Court of Appeals (and the lower court) on the first issue – whether the privilege applies to turning over an encryption key. As I explained in an earlier post, under the 5th Amendment you can take the privilege against self-incrimination only as to “testimony,” which is essentially a communication. To constitute a communication, you must use the contents of your mind to express a fact (the key) or to express thoughts or feelings. You can’t take the 5th as to non-communicative physical evidence, like blood or a gun or a key. You CAN, however, take the 5th Amendment if the act of handing over evidence is itself a testimonial act; as I explained in that earlier post, the US Supreme Court has held that producing evidence is a testimonial act when it tells the government that (i) you have it, (ii) it’s in your possession or control and (iii) what you’re handing over is what the government asked for. For more on that, see the prior post.

In the US we don’t have anything like the “proportionate and permissible” intrusion principle, which apparently provides a loophole when someone successfully invokes the privilege against self-incrimination. In the US, if you successfully invoke the privilege, that’s the end of the matter . . . unless, as I noted in that prior post, the government gives you immunity from prosecution. As I think I noted in that post, the rationale is that since immunity means the government can’t prosecute you, you no longer need the privilege.

My disagreement on the first issue is a function of the fact that I take a very different view of the scope of the privilege than this court and the US federal court I wrote about in the earlier post. As to the “proportionate and permissible” principle, I don’t like the idea of a loophole in the rule (5th Amendment or the UK rule). Maybe that’s because I’m an American and I’m used to the fact that our version of the privilege is impenetrable. Seems to me that’s the point.


Anwalt said...

You did a couple of post as you mention in your post. but i haven't read that.This post is first which i read and i must say that you are doing good job for providing such a nice information.

Anonymous said...

Very nice. It is an interesting post. What would happen if he had not been viewing ronnin. Would they still be able to "know" that he had access to the key?

Or rather: in logical following:

The police saw him viewing evidence on his harddrive.

The police therefore "know" he has an encryption key.

I mean is having encrpted data in and of itself proof that one has an encryption key?

If the computer is fully functional without such key, is the encrypted data still proof that such a key exists?

Ie: by the courts logic: if I have an encrypted partition and do not have the key to said partition, and some evidence shows that I am a bad man with a poor choice of occupation with a bad reputation or something else that puts my character in question (ie here some terror-something), then the court can order me to turn over the key?

What would be required so that the court objectively knows that the key exists? Testimony of the prosecuter?

It seems to me in the american court system the 5th starts with the admission that such key might exist.

But then again what do i know. thanks for the article.

Anonymous said...

is there any case in which the self incrimination clause is upheld and on dat reasoning court has refused to give encryption keys