38

I've been recently downloading PuTTY from the official page and I have noticed a message stating:

LEGAL WARNING: Use of PuTTY, PSCP, PSFTP and Plink is illegal in countries where encryption is outlawed. I believe it is legal to use PuTTY, PSCP, PSFTP and Plink in England and Wales and in many other countries, but I am not a lawyer and so if in doubt you should seek legal advice before downloading it.

The same website then points at a website called cryptolaw.org which explains a bit more, in particular the Regulation of Investigatory Powers Act 2000.

The explanation makes sense, however some people go even further by making claims like the following: In the UK you will go to jail not just for encryption but for astronomical noise too. The author of this claim, Rick Falkvinge (founder of the Swedish Pirate Party), explains further that "you’re going to be sent to jail for an inability to unlock something that the police think is encrypted":

(...) So imagine your reaction when the police confiscate your entire collection of vacation photos, claim that your vacation photos contain hidden encrypted messages (which they don’t), and sends you off to jail for five years for being unable to supply the decryption key?

I guess my full question would be "Can the police put you in jail by simply stating that they think your data contains encrypted data and you refuse to disclose it?"

Improve this question
3
  • 2
    Why was this question downvoted? It meets all of the requirements to be included on this website
    – MMM
    Commented Mar 26, 2014 at 23:46
  • I can't know for sure, but I suspect it was a reaction to the original title that didn't match any claim.
    – Oddthinking
    Commented Mar 27, 2014 at 21:51
  • 1
    Nit-pick: In the UK, the police can't put anyone in jail, only courts can do that. At most, police can put you in a police cell.
    – RedGrittyBrick
    Commented Mar 29, 2014 at 22:31

4 Answers 4

Reset to default
17

Your question links to an article that quotes the relevant law. The law makes it pretty clear that, to answer the question in the title: yes you can be put in jail for refusing to provide a decryption key for encrypted data.

This is a significant reversal of the presumption of guilt. To quote:

For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if— (a)sufficient evidence of that fact is adduced to raise an issue with respect to it; and (b)the contrary is not proved beyond a reasonable doubt.

In other words, it's not a defence to simply say "I don't have the key". You are presumed to have the key unless you can provide some evidence (not necessarily proof) that you don't have it. (With apologies to @Konrad Rudolph, who originally held this view and I disagreed with him)

With that single exception, nothing else in the law appears to override the basic legal principle that you have to be shown to be guilty in a court of law. The police have to show that there is encrypted data in order to show that you failed to provide a key to it. If you have (unencrypted) astronomical data on your laptop, then the burden of proof would still be on the police to show that it was encrypted data. And anyway, the case would still be tried in a court of law. The police can no more send you to jail because they think you have encrypted data than because they think you committed a murder. A court can send you to jail if it can be proved that you have encrypted data, you refuse to disclose the key, and you can't show that you don't have the key.

To answer the question at the end: No you cannot be put in jail just because the police think you have encrypted data.

Improve this answer
10
  • In other words, Falkvinge's claim is false, or rather an exaggeration of the truth.
    – MMM
    Commented Mar 26, 2014 at 21:33
  • 1
    Oh and another note - The maximum penalty is 2 years for non disclosure of keys, which may well be less than the offence that decryption would reveal. In weighting terms, it could well be worth it
    – Owen C. Jones
    Commented Mar 27, 2014 at 9:59
  • 6
    @MMM The claim is certainly paranoid, but it’s not quite as clear cut as made out in the answer. The conjunction used is “and”, not “or”: You need to show that you don’t have the key and the police must not be able to provide counter-evidence. This is much more vague and liable to abuse (how does one show that one is not in possession of the key?!) than the usual presumption of innocence, which has certainly been subverted here. The answer seems to be incorrect in claiming otherwise.
    – Konrad Rudolph
    Commented Mar 27, 2014 at 22:59
  • 1
    @KonradRudolph No you have the sense reversed. You are not guilty if you can show any evidence to indicate that you don't have the key and the police can't prove you do have it. You are guilty only if the police can prove it OR you have no evidence at all that you don't have it.
    – DJClayworth
    Commented Apr 4, 2014 at 3:12
  • 2
    @DJClayworth But that is the default: Here, I have to show evidence before I am declared not guilty. Until that moment I’m assumed guilty.
    – Konrad Rudolph
    Commented Apr 4, 2014 at 6:58
16

Is refusing to decrypt data for the police illegal in England and Wales?

Yes.

Under the Regulation of Investigatory Powers Act 2000 (RIPA), Part III, people can be forced by police to surrender keys to encrypted data. This law has been applied at least three times, twice up until 2009 according to Claire Ward, Parliamentary Under-Secretary, Ministry of Justice, and one additional time in 2010 according to The Register.

Can the police put you in jail by simply stating that they think your data contains encrypted data and you refuse to disclose it?

Yes. Contrary to what DJClayworth’s answer states, the relevant passage reads (emphasis mine):

a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—

(a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and

(b) the contrary is not proved beyond a reasonable doubt.

Meaning, unless you can provide sufficient evidence to the contrary – which is vague and subject to interpretation – and no evidence to the contrary exists “beyond a reasonable doubt”, you can be presumed to possess the key. Ignore condition (b) (which on the face of it helps the accused), because condition (a) also needs to fulfilled:

Even if the police cannot prove “beyond a reasonable doubt” that you have a key, you still need to provide “sufficient evidence of that fact” (= “not in possession of a key”). This is a direct reversal of the burden of proof and the principle of innocent until proven guilty. It is telling that the whole paragraph is written from the default assumption of guilt.

Improve this answer
8
  • 1
    Correct me if I'm wrong but does this passage read that: "(...) a person shall be taken to have shown that he was not in possession of a key (...) if (...) the contrary is not proved beyond a reasonable doubt", meaning, that the police would have to prove beyond a reasonable doubt that you have had the key, ergo, the contrary?
    – MMM
    Commented Mar 27, 2014 at 23:49
  • @MMM “if the contrary is not proved” and the accused has provided “sufficient evidence of that fact”. There are a lot of negations in the formulation, making it hard to parse. But in formal logic the statement is something like (evidence for ¬key) ∧ ¬¬(evidence for ¬key) ⇒ ¬key, where “key” means “is in possession of key” … in other words, there is evidence for “has no key”, and there is no evidence for the contrary (= no evidence for not “has no key” = no evidence for a key).
    – Konrad Rudolph
    Commented Mar 28, 2014 at 1:16
  • 2
    @KonradRudolph Do you have a reference establishing that personal sworn testimony that one does not have the key is not "sufficient evidence of that fact"? If it is sufficient evidence, that is a very low bar to pass, and would not be inverting the burden of proof as you state.
    – user5582
    Commented Mar 28, 2014 at 1:31
  • 1
    @KonradRudolph Also, paragraph A only requires sufficient evidence to "raise an issue with respect to it". It does not require anything close to proof.
    – user5582
    Commented Mar 28, 2014 at 1:33
  • 1
    @KonradRudolph On reflection, you are right about the logic of the clauses. In the absence of evidence, the police ARE allowed to assume that you have the key to an encrypted file. However I think that's the only thing they are allowed to assume. They cannot assume that there is encrypted data present, or that a given file is encrypted, without evidence.
    – DJClayworth
    Commented Jun 25, 2014 at 0:03
3

Yes, and people have already been jailed for refusing to do so

Whilst other answers focus on the legal interpretation, there are a number of real world cases where this has occurred.

Activist refused police demands for password, faces jail

"Airport Police Demanded an Activist’s Passwords. He Refused. Now He Faces Prison in the U.K"

"The officers asked Rabbani to turn over his passwords so that they could access the devices — and said that if he did not provide them, they would arrest him."

"we have the power to take your devices and to compel you to give your passwords."

"If convicted, he could face three months imprisonment and a fine. He plans to argue that the police acted unlawfully because they attempted to access confidential information related to his work."

https://theintercept.com/2017/09/23/police-schedule-7-uk-rabbani-gchq-passwords/

Suspect in murder enquiry refuses to give password, jailed

"Judge Christopher Parker QC jailed Nicholson for 14 months."

"Judge Parker today did not accept Nicholson's 'wholly inadequate' excuse that providing his password would expose information relating to cannabis."

https://www.dailymail.co.uk/news/article-6118387/Murder-suspect-Stephen-Nicholson-jailed-refusing-Facebook-password.html

Improve this answer
3
  • 1
    Your first example doesn't state whether the defendant was actually sentenced, but that's highly relevant in an answer to the question whether "refusing to decrypt data for the police" is "illegal in England".
    – Schmuddi
    Commented May 7, 2019 at 18:47
  • 1
    @Schmuddi Although you're right he hasn't been sentenced (there's sparse details and some cases involve secret courts), the fact the officers felt like they could effectively threaten him with prosecution in order to demand his password (unless the officers are lying) suggests they're aware legislation exists that allows them to do so. I put his example first as he's an activist who isn't overtly charged with a specific crime as justification for access, it's simply a suspicion.
    – SE Does Not Like Dissent
    Commented May 7, 2019 at 19:55
  • In the USA, you don’t have to hand over passwords - if they have a right to the data it is fine if you unlock the data without anyone seeing the password. Common sense because my password might allow a police officer to empty my bank account.
    – gnasher729
    Commented Sep 12, 2023 at 11:15
1

This is an expansion to the answer given by DJClayworth above, since he quotes a less than relevant part of the law.

The passage given by DJClayworth describes an afirmative defence against request under section 49 of the law quoted. Section 49 is at http://www.legislation.gov.uk/ukpga/2000/23/section/49 .

Section 49 states, among other things;

(2)If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—

(a)that a key to the protected information is in the possession of any person,

(b)that the imposition of a disclosure requirement in respect of the protected information is—

(i)necessary on grounds falling within subsection (3), or

(ii)necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,

(c)that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and

(d)that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,

the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.

The language to note is "on reasonable grounds". IANAL, however I take this to mean that the police must have reason to believe that the noice on your hard drive is encrypted information connected to their "proper performance"; and that they must be able to demonstrate that reason.

In short it's insufficient for the police to say "Give me the key to this encrypted information". It's insufficient for them to say "Give me the key to this encrypted information because I believe it to be connected to the case I am working on". They need to be able to say "Give me the key to this encrypted information because I believe it to be connected to the case I am working on. And I believe this because of ...". I do not know what standards govern the things that go into the dots.

If they are able to do the above the sections contested by DJClayworth and Konrad Rudolph comes into play meaning that if you can show that you do not have the keys; for example if you can show that the "encrypted data" is in fact a recording of background astronomical noise, which you keep as a source of entrophy, you would not be liable to hand over the key because you are not in possesion of such a key. - For this you need to have sufficient evidence to cast doubt on the issue of you having the key, and for the police not to have evidence that you have to key.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .