Handing your encryption key to authorities: US vs. UK law

Two years ago, a US federal judge decreed that a criminal defendant can’t be coerced into giving up the encryption key to his encrypted hard drive because that would constitute a violation of the 5th Amendment (the right not to self-incriminate).

Things are very different in the UK, where their Regulation of Investigatory Powers Act 2000 (RIPA) is actually used to demand encryption keys from suspected criminals. And this leads us to the case of a 33-year-old Londoner who refused to give in to law enforcement’s demands – on account of the principle.

The Register reports that he was returning to the UK from France, and he was stopped by a counter terrorist unit, whose sniffer dogs sniffed out a model rocket he bought. He was then detained under the Terrorism Act.

After posting bail, he “disappeared” – moved to Southampton and changed houses every so often to avoid detection. He was wary of the authorities and believed they tried to pin every crime they could on him. After the police discovered his whereabouts, he was arrested and refused to hand over the encryption key to the encrypted disks he had with him. He maintained that he encrypted the data as a security measure for the small business he ran.

Even the judge that imposed the final sentence of 13 months in jail (because of additional offences and refusing to collaborate with the police) admitted in his judgement that this was not a person that had any kind of malicious intent – he was somewhat of a recluse, a “hobby scientist” with a distrust towards authorities. He also said that the police failed to decrypt the PGP encrypted disks.

Two months ago, just before finishing his shortened stint in prison, he was transferred to a hospital because of mental health problems, a fact that was unknown prior to the investigation and the sentencing, and that could have made a difference to his case. He is currently still detained in the hospital, and has no idea when he’ll be allowed to get out.