A judge has refused to allow UK authorities to obtain an encryption key from suspected criminal hacker Lauri Love using civil proceedings. The case, campaigners have said, had potential consequences for journalists and activists, with legal commentators adding that authorities were trying to side-step the already established legislation, and protections, that govern password disclosure.
Love was arrested back in October 2013, and is currently fighting extradition to the US over computer hacking charges. He is accused of attacking the US army, the Federal Reserve Bank and others during 2012 and 2013.
Love is suing the UK's National Crime Agency (NCA) for the return of his seized devices, and as part of those civil proceedings, the NCA made an application that would force Love to hand over "the encryption key or password" for data found on his laptop, hard-drives and a memory card. The files had been encrypted with Truecrypt, a popular, but no longer maintained, piece of software for protecting data.
But this isn't exactly above board. That's because requests for encryption keys are already handled under Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). Under that law, an agency would serve a "section 49" notice, demanding the keys or passwords. If the person refuses, the agency can then use section 53 of the Act, which carries the possibility of two years imprisonment, or up to five years if the case involves national security. Suspected internet trolls and animal rights activists are some of those who have been jailed for not disclosing passwords.
"If the National Crime Agency want the encryption key then they should follow the RIPA statutory scheme and not try to get round it"
But importantly, RIPA also includes the safeguards and oversight mechanisms of section 55, such as making sure that the obtained password is only used for the relevant purpose, that the disclosed key is only retained for as long as necessary, and that the key is stored securely.
By asking the judge in this roundabout way to force disclosure of the password under civil proceedings, the NCA is departing from what RIPA intended, Financial Times commentator and legal blogger David Allen Green, argues.
"If the National Crime Agency want the encryption key then they should follow the RIPA statutory scheme and not try to get round it. Instead, the National Crime Agency are asking the courts to construct an civil law 'backdoor' for obtaining encryption keys (and encrypted data) outside the statutory scheme of RIPA," he wrote on Tuesday, before the ruling.
In fact, the NCA did ask Love to disclose his password under RIPA in February 2014, but Love refused. The NCA did not then pursue the rest of the RIPA process.
A judge previously approved the NCA's request that witness statements and general arguments made by the parties should not be disclosed publicly. Those arguments were recently made available on the website of the Courage Foundation however, an advocacy group that is raising financial support for Love's case. Courage Foundation anticipated that the judge would rule in Love's favour.
"After reading the papers and hearing from the parties, I am not granting the application because in order to obtain the information sought the correct procedure to be used, as the NCA did 2 ½ years ago, is under section 49 RIPA, with the inherent HRA safeguards incorporated therein," judge Nina Tempia wrote in her ruling on Tuesday.
The NCA declined to comment as the court proceedings are ongoing. The hearing revolving around the return of Love's equipment is scheduled for July 28.