UK court refuses to force alleged British hacker to decrypt his data
The U.K.’s National Crime Agency (NCA) failed in its attempt to use what critics described as a legal backdoor to force a suspected hacker to provide the decryption key for data on multiple devices.
In the U.K., police have the power to request passwords and decryption keys from suspects under section 49 of Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). Failure to comply with such requests can be prosecuted and carries a prison sentence. However, RIPA also has safeguards, including human rights ones, for recipients of section 49 notices.
Lauri Love, 31, was arrested by U.K. authorities in 2013 under suspicion of hacking into computers belonging to multiple U.S. government agencies including NASA, the FBI, the Federal Reserve, and the Army.
Love is the subject of separate indictments in courts in New Jersey, New York, and Virginia and faces extradition to the U.S. An extradition hearing is scheduled for the end of June.
When Love was arrested in 2013, the U.K. police also seized electronic equipment from his home, including two laptops, a hard disk drive, and an SD card. Love was later released, and the NCA decided not to press any charges in the U.K., but kept some of his devices holding encrypted data.
Love wants those devices back and has filed a civil application under the U.K.’s Police (Property) Act 1897 to recover them. During his application’s pre-trial proceedings, the NCA asked the judge to use the court’s “good case management” powers to direct Love to provide the encryption key or password for the data stored on three hardware devices.
In fact, the NCA did serve a RIPA notice on Love in February 2014 requesting that he provide the password to decrypt the data. Love declined, saying that he had no information to give, and the NCA decided not to enforce the notice.
District Judge Nina Tempia declined the NCA’s new request.
“After reading the papers and hearing from the parties, I am not granting the application because in order to obtain the information sought the correct procedure to be used, as the NCA did two and a half years ago, is under section 49 RIPA, with the inherent [Human Rights Act] safeguards incorporated therein,” Tempia, of the Magistrate’s Court, said in her ruling on Tuesday.
The case is important because had the judge accepted the NCA’s request to order Love to produce the decryption key, it would have set a dangerous precedent, allowing police in the U.K. to bypass the few protections that exist for suspects to protect their passwords, some privacy advocates said.
“By requesting a direction as part of the civil application, the National Crime Agency is seeking to sidestep the RIPA scheme and effectively circumvent … safeguards and the protections of the Code of Practice,” legal journalist David Allen Green said in a blog post.
There’s a parallel case in the U.S., where the FBI tried to force Apple to decrypt a seized iPhone using the provisions of a 1789 law called the All Writs Act. Critics argued the law was not intended to be used in this way.
The ruling has no direct bearing on Love’s extradition proceedings but might complicate the efforts of U.S. prosecutors if they counted on the NCA recovering evidence from Love’s devices.