Letwin wants increased penalties for refusal to decrypt

Richard Clayton richard at highwayman.com
Sat, 17 Aug 2002 10:08:16 +0100


In article <200208170327.35776.twister@stop1984.com>, Bettina Jodda
(Twister) <twister@stop1984.com> writes

>A probably silly question from someone not being acquainted with (?) 
>cryptography but trying to find some sense in these laws:

A lot of people are confused :( partly because many remember what the
law was going to be before the Government entirely rewrote it as it was
going through the Lords.

>What happens if you truly do not remember your passphrase?
>I mean --- I have often failed to open some data (duck and cover) because I 
>did forget the password.
>So what will happen then?
>Will they believe me? Or will they rather say I deny to decrypt my files?

they will serve a notice on you

you will fail to decrypt the material

there will be a trial

s52(3) will then come into play:

    For the purposes of this section a person shall be taken to have
    shown that he was not in possession of a key to protected
    information at a particular time if- 
  
        (a) sufficient evidence of that fact is adduced to raise an
        issue with respect to it; and 
        (b) the contrary is not proved beyond a reasonable doubt. 

which roughly means that you say you've forgotten the key, they then
have to find some evidence otherwise (some decrypts with datestamps say)
and in the end the jury decides if they like your suit

>Furthermore:
>where will be the difference between
>a) someone who is owning pedophilia material
>b) someone who is "likely to be owning" pedophilia material but fails to 
>decrypt files on his hard-disc supposed to be pedophilia material?

in case (a) you'll be charged with possession -- for which you'll get
anything up to 10 years in theory - in practice you may escape prison if
you don't have a lot, haven't distributed it and the judge thinks that
you're serious about seeking professional help. [there's been a recent
review of tariffs since there's not a lot of consistency at the moment]

and in case (b) you'll be charged under RIP. Maximum tariff is 2 years.
This part of the Act is not yet in force and no-one has ever mentioned
any sentencing guidelines... so what you get could be a lottery and it
could be the full amount to reflect your "getting away with it" or it
could be just a small fine to reflect a judge's view that the police have
been wasting his time by bringing a deeply technical charge before him.
Ask again in 2005 and we may know what sentence is likely.

There is an important difference which is why (a) would be preferable to
the CPS. The offence is absolute: viz there's no need to prove mens
rea, and the statutory defences are few. Your best strategy is to deny
the machine is used only by you and/or that it's been hacked. You'll get
asked about the first issue right at the start of the first interview
[which will queer the pitch if you think of this wheeze later] and the
latter won't wash if the forensics people can't find a copy of Back
Orifice (or similar) on the disk. So bottom line is that it's a
straightforward case to prosecute. Whereas (b) will look like a real
mess to take to court... expect the CPS to avoid it where possible.

>So forgetting your passphrase will be equal to owning pedophilia material?

no - see above

BTW chances are that if you have a disk full of such material and look
at it then the forensics lab will find something to charge you with.

Even some of the oldest cases involving encryption were successfully
prosecuted because the people involved were not disciplined enough to
ensure that absolutely everything was secured. Since it's hard to do
this, it's possible to see RIP as unnecessary for this type of case.

>And - what happens when people are able to see your material and it is not 
>pedophilia material? Will they examine it further? What if it is some 
>kind of secret information for your business?...

They will in principle look at it all to see what it is, but since disks
tend to have a LOT of material on them these days, there are scanning
tools that try and skip past known files (all the Windows files for
example) and zero in on the type of file of interest. Hence they may not
bother to open your spreadsheets to see what porkies your accountant has
been telling ;)

Finally, when there is a Code of Practice for this part of the Act
expect it to say something about taking account of the intrusion
involved when asking for material to be decrypted that is special - viz
correspondence with/by lawyers, journalists and ministers of religion.

-- 
richard                                              Richard Clayton

Are you a Friend of FIPR yet?       http://www.fipr.org/friends.html
