Passwords and self-incrimination
The BBC reports that Syed Hussain was sentenced to a further three months in prison after failing to disclose to the police the password for a USB stick they had seized from him. Hussain was already serving a prison sentence for terrorism-related offences.
The police are empowered to impose a “disclosure requirement” (s.49(1) RIPA 2001) upon a person who they have reasonable grounds to believe knows the password to material they have seized, and where disclosure of that material is required in the interests of national security, for the purposes of preventing or detecting crime, or in the interests of the economic well-being of the United Kingdom. Otherwise there is a broad power to require the information where it is “necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty”. Failure to disclose the key or password is an offence carrying up to 2 years’ imprisonment.
The issue of self-incrimination is not dealt with in the legislation, although the question was addressed in R v Kearns when Aikens J stated, “There is a distinction between the compulsory production of documents or other material which had an existence independent of the will of the suspect or accused person and statements that he has had to make under compulsion. In the former case there was no infringement of the right to silence and the right not to incriminate oneself. In the latter case there could be, depending on the circumstances.”
In R v S Sir Igor Judge said, “On analysis, the key which provides access to protected data, like the data itself, exists separately from each appellant’s “will”. Even if it is true that each created his own key, once created, the key to the data, remains independent of the appellant’s “will” even when it is retained only in his memory, at any rate until it is changed. If investigating officers were able to identify the key from a different source (say, for example, from the records of the shop where the equipment was purchased) no one would argue that the key was not distinct from the equipment which was to be accessed, and indeed the individual who owned the equipment and knew the key to it. Again, if the arresting officers had arrived at the premises in Sheffield immediately after S had completed the process of accessing his own equipment enabling them to identify the key, the key itself would have been a piece of information existing, at this point, independently of S himself and would have been immediately available to the police for their use in the investigation. In this sense the key to the computer equipment is no different to the key to a locked drawer. The contents of the drawer exist independently of the suspect: so does the key to it. The contents may or may not be incriminating: the key is neutral. In the present cases the prosecution is in possession of the drawer: it cannot however gain access to the contents. The lock cannot be broken or picked, and the drawer itself cannot be damaged without destroying the contents.”
So a person in possession of the key to encrypted data cannot, it would seem, rely on the privilege against self-incrimination in refusing to comply with the requirement to disclose. However, given the sentencing powers available to a Crown Court judge, it seems likely that there will be more cases such as that of Mr Hussain, who chose not to comply rather than allow immediate access to the encrypted material.