In the case of the penalty of 2 years to 5 years, which bad deed is being punished? Surely there's nothing wrong with encryption itself, it's even a GOOD THING he has a right to privacy, a right defined in the Human Rights Act. Article 8.

Assumptions.

1. Exercising your rights under the human rights act is not a crime.

2. Privacy is covered by Article 8

3. Encryption he is entitled to under Article 8.1

4. He is innocent until proven guilty.

5. Article 8.2 exception sets conditions which are not met simply by exercising your right under 8.1, because step 1).

6. So in the absence of evidence that can convict him, by default he is a person exercising his Human Rights of Privacy.

7. Hence you cannot be forced to decrypt the data, unless you're convicted of a crime in which that data may be relevent. At which point you lose your right of privacy, by 8.2 and can subsequently be forced to disclose on further penalty.

The refusal to hand over a key is only a multiplier to the crime he's being convicted of. But if there is no crime committed then the failure to release the key is not a bad thing. He's entitled to privacy under article 8, and the right to lose that privacy stems from him being a criminal. But if he's not a criminal then he's just a citizen exercising his protected rights under article 8.

And he's innocent until proven guilty.

You see my point? i.e. He has the right to exercise Article 8 rights. His loss of Article 8 protection has to stem from the exception 8.2

"(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

But if he's not a criminal and you can't get a conviction you think unless there is something special in that file, then you are just fishing for evidence. But he has the right to prevent such fishing expeditions, under article 8. There's nothing in the encryption itself that can prevent 'CRIME' because he is not a criminal if you can't get a conviction absence your .

So you think he's a terrorist and have reasonable evidence to support that. You'd like to look at his files, but he won't decrypt them. But you get a conviction anyway. The court says the penalty is 10 years, and the withholding of the key makes the crime 20% worse.

penalty * penalty_for_not_decrypting =

10 *1.2 =12

So you think he's guilty of being a terrorist but have no evidence and he won't hand over the key. The court find he is not a terrorist and hence sets penalty=0.

penalty * penalty_for_not_decrypting =

0 * 1.2 = 0

Not releasing the files only exasperates a crime, it is not itself a crime, it's not even a bad thing, it's a protected right. In the abscence of a crime, it is a good thing! He is entitled to privacy, even from the police fishing expeditions, and the key ensures that.

Since you're also not allowed to tell anyone that you've been forced to hand over the passwords/keys how the hell could you challenge it in any court.

Surely they mean "cooperate", not "corroborate"?

Anyway, I'm more worried that it is against the law to reveal that you have been asked to hand over your password. Why, exactly, is this? You can go to prison for five years (for not knowing something which you actually don't know) and you're not allowed to tell anybody why?

The "prevention of crime and disorder" also removes the need to convict someone first as they only need to believe that you *might* commit a crime in the future and that the encrypted information *might* contain information about that hypothetical future crime.

Er, if you don't reveal the information, how can they assess the use to which it might be put?

"The "prevention of crime and disorder" also removes the need to convict someone first as they only need to believe that you *might* commit a crime in the future and that the encrypted information *might* contain information about that hypothetical future crime."

I don't think it does. You can't be punished without judicial process ("Everyone has the right to liberty and security of person"), and to remove a human right (removal of Article 8.1 right of privacy) is clearly a punishment to "security of person" and hence requires a judicial process first, or an exception in the basics human rights laws.

Without that evidence (separate from the decryption ) I think it's just a pure fishing expedition.

e.g. Police demand decryption of a file, hypothesize 'serious crime'. man refuses to decrypt, police prosecute the refusal, man decrypts the file, nothing prosecutable found.

In that case he's been prosecuted for exercising his rights under Article 8 pure and simple.

There are exceptions to the 'prepunishment' rule, (e.g. detention prior to trial) but they're spelled out in article 5.

i.e.

Article 5, 1a doesn't apply because they haven't been convicted yet when they're required to give up their Article 8 rights.

1b. doesn't apply because the detention for exercising a human right isn't a lawful order. All lawful order must necessarily comply with the Human rights legilsation!

1c. Doesn't apply, because that's only for 'pre-trial' detention, not for 2-5 years in prison.

1d, 1e, 1f etc. don't apply.

So there's no exception in the Human Rights laws that lets them 'prepunish' by removal of their Article 8 rights, someone on the basis of a future conviction they 'hypothesize' they might be able to obtain.

So I think they have to first obtain the conviction in order to be able to force the convict to then remove his article 8 rights.

Put it conversely, what level of proof is needed to put someone away for 2-5 years? A balance of evidence? Beyond reasonable doubt? Or a hypothesis of a police officer?

The way the law is worded, none of the above is needed. The officer/civil servant/political appointee doesn't even have to prove a plausible (or implausible) hypothesis to issue a section 49 notice. The breach of which has a 2-5 year penalty.

We're talking about keys here, but RIPA is a privacy disaster all the way through. The secrecy clause is a dead giveaway. The ability to keep them secret indefinitely can's possibly be compatible with the human rights legislation. It was a sort of creepy Blair thing that should be thrown out and redone from scratch.

I wonder how many times elReg has been served with RIPA notices?

Why doesn't the government want anyone to know that you were "forcibly requested" to give up your encryption key?

they don't want you to be able to tell anyone, directly or otherwise you have been asked to hand the key over, since they will want to continue to monitor things, and are still thinking a whole group will use the same password.

they way round that is to just rotate keys say weekly, that way they get a weeks worth of stuff and nothing more.

note they can force the issue througha court, but apparently they tend to try and use the 'hand the key over or else' argument without going to a court. its a bit like a copper asking to search a house because he could get a warrant anyway. i.e. we have a legal right but we don't want to follow the process and if you are 'giving us' information as opposed to use demanding it there will be rules governing what can be done with it that will not apply.

the whole law is pointless and anyone with half a brain can find ways round it. thankfully the sort of people they will actually use this against tend to be stupid enough it will work.

i.e. 'doctors' who can make a bomb, animal rights types who didn't think things through etc.

its not hard to hide stuff AND encrypt it. you won't be asked for a key to a file they don't have.

the other way of course is to make the filename part of the key, i.e. you have a 'key' but decoding the file requires 'key' + 'filename' now you can hand the key over, but its no use directly. also you can decode a specific file for them, but they will need another request, via a court, for the next file etc.

anyway I have a linux box somewhere that can encrypt the hard drive and I won't ever see the the key, or need it. it will work in my machine but swap the drive out etc and it won't. and if they have any sense they won't use my machine, not knowing what it may do.

besides how do they actually search the Tb of data people may have these days for a few bytes they may want?

I would assume they 'know' the file is there 'know' what it contains its a matter of proving it.

RIPA is a joke, as are the idiots who drafted it. just about any law related to computers tends to be out dated by the time it has been drafted & passed. drafting it by people who don't know what they are talking about won't help either.

You say "senior police officer" as if they are a breed of officer that is beyond reproach,but believe me they are as big a bunch of shits ,if not bigger, that the lower ranks. Amazes me how everyone thinks they are all so great ,if only they knew the truth about many.

TrueCrypt http://www.truecrypt.org/ provides an "aleatory" defence against RIPA, and, indeed, against any similar legislation. This defence works because TrueCrypt makes encrypted material indistinguishable from pseudo-random data. And before the authorities can insist that you hand over an encryption key, they would first be obliged to prove to the satisfaction of a court that you were in possession of encrypted material. Depending on how TrueCrypt is set up it might be obvious that you have some pseudo-random data in an atypical location on your computer, and you might well be asked how it got there. Now, there are many computer processes that produce pseudo-random data, and you are not obliged by the legislation to account for the origins of every file on your computer that contains such data given the tens of thousands of files on the average PC this would be an impossible task. However, TrueCrypt can also provide you with an excellent and highly plausible reason as to why you possess such a file of pseudo-random data irrespective of where it is found.