Campaigner who refused to hand over passwords found guilty

Rubik's cube

Last November, Muhammad Rabbani was detained and questioned by border police at Heathrow Airport in London, where they demanded he hand over the password and PIN that would unlock his laptop and smartphone.

He refused, citing that the devices contained confidential data connected to the case of a man he’d just met in Qatar and who alleged he’d been tortured while in US custody.

According to Rabbani, who works as international director for campaign group CAGE, he’d been stopped from entering the UK before but had never been asked to give up his PINs. Charged under the Terrorism Act 2000, he later offered this explanation at a hearing in May 2017:

There were around 30,000 (documents) which I was especially uncomfortable handling and I felt an enormous responsibility to try and discharge the trust that was given to me.

Earlier this week, Rabbani was found guilty of obstructing justice, given a conditional discharge and fined £620 ($830) in costs.

Normally, that would be that, but this case is different, starting with the fact that Rabbani’s organisation, CAGE, is controversial for reasons too involved to explore here.

From a privacy and security perspective this incident, and the subsequent court case, may have implications for the thorny issue of when you can be legally compelled to reveal encryption keys in the UK, and perhaps beyond.

In the UK, people can be charged with not providing encryption keys or passwords under one of two pieces of legislation.

General provisions are provided under the Regulation of Investigatory Powers Act 2000 (RIPA), amended to this effect in 2007, with terrorism suspects covered by schedule 7 of the Terrorism Act 2000 used in this case.

Schedule 7 has been deployed before, notably in the 2013 case of David Miranda, who was forced to hand over passwords for devices containing data connected to the Edward Snowden leaks.

Meanwhile, RIPA was used in 2014 to add four months to the sentence of a convicted terrorist who refused to hand over the password for an encrypted USB key.

The USA, by contrast, lacks specific key disclosure laws, although individuals can still be ordered to do so by a judge, for example in the case of a former policeman accused of storing child pornography who is in jail indefinitely, until he lets authorities into his hard drive.

In a similar vein was the 2014 case of Lavabit, which went out of business rather than hand over the private SSL keys of one of its users, reportedly Edward Snowden.

So, what if anything, does Muhammad Rabbani’s fine for withholding his encryption password mean for the average person, say, travelling to or from the USA or UK?

In reality, at a time when the average Android and iPhone ships with strong encryption turned on by default, things remain as they have been for a while now: anyone going to or from the UK, USA, and a growing list of other countries, can be asked for a device password, whether they are suspected of an offence or not.

People entering the USA are now routinely asked to supply passwords to devices and even social media accounts in order to meet visa requirements or, in some cases, gain admission. Presumably, most people quietly comply for the sake of convenience.

The more secure devices become, the greater their storage, and the deeper the conviction that they might hold data police should be looking at, the more universal these demands become. There is no escaping it. I expect the whole world will be like this soon.

The only way to avoid being asked for an encryption key is not to travel with a device on which such a thing can be used. It’s unsatisfactory but that’s how it is. For people concerned about privacy, this is a depressing choice.