The National Crime Agency (NCA) has failed in its second attempt to get hacktivist Lauri Love to hand over encryption keys for six devices seized during a raid on his Suffolk home in 2013. The court ruling is part of a civil action being pursued by Love to get those devices back.
Love is accused of stealing massive quantities of sensitive US Government information. Currently facing extradition to the US, he faces up to 99 years in prison if found guilty, according to his lawyers.
In February 2014, the NCA correctly used the Regulation of Investigatory Powers Act (RIPA) – a regulation specifically set up to deal with access requests such as these – to try to get Love to share the keys.
Love refused, the agency backed off and the order simply expired.
When Love later brought a civil action against the NCA to try and get his devices back, the agency used this civil action to try again to force him to decrypt those devices. According to the Telegraph:
The NCA argued the access was necessary to prove whether or not the information on the devices belonged to Love.
Quoting the Police (Property) Act of 1897, the NCA claimed it had the right to access the data since his confiscated equipment was their property. In reality, it was trying to use legislation that clearly pre-dates the digital age to sidestep RIPA.
District Judge Nina Tempia was having none of it. Delivering her judgement at Westminster Magistrates’ Court, she said:
The case management powers of the court are not to be used to circumvent specific legislation that has been passed in order to deal with the disclosure sought.
Similar attempts to use outdated legislation to gain access to data on digital devices have been more successful in the US recently.
Earlier this month, US authorities successfully obtained a search warrant to compel an alleged Armenian gang member’s girlfriend to press her finger to unlock his seized iPhone via Apple’s identification system.
Legal experts had argued that since fingerprints don’t reveal anything we know, forcing suspects to press their fingers to get into a phone doesn’t breach their Fifth Amendment rights against forced self-incrimination.
In another instant, again in the US, a suspect who refused to decrypt hard drives was jailed indefinitely. In this case the government is citing the All Writs Act – a statute that’s been around since 1789 – to compel decryption.
Strong encryption is prohibitively expensive and time consuming for police forces to break, so getting hold of the key that unlocks an encrypted device – whether its a password, encryption key or fingerprint – is, for right or wrong, the only practical way for them to get access to it.
Faced with this new and impenetrable barrier, authorities will no doubt continue to search the tools they have, including laws that pre-date the digital age, to find a way to access encrypted data.
A balance needs to be struck between giving everyone access to encryption that’s free from backdoors, and giving law enforcement the powers they need to protect us.Follow @NakedSecurity