A report issued in July by the UK’s Chief Surveillance Commissioner, Sir Christopher Rose, reported that two people had been convicted during 2008-2009 for failing to comply with section 49 notices issued under the Regulation of Investigatory Powers Act (RIPA). In simple terms, when asked to hand over passwords to encrypted files or hard drives or face imprisonment and fines, they opted to keep their data secure.

Part three of RIPA came into force in October 2007 and includes powers to force computer users to reveal passwords to encrypted data or risk jail time. It was first used against an animal rights activist the following month. According to online magazine The Register, she was not one of those convicted though. Failure to comply with a disclosure notice may result in a two year jail term or if the suspect is part of a national security investigation, that threat rises to five years.

The report revealed that of the 15 notices served between April 1st 2008 and March 31st 2009, 11 individuals failed to comply. Of those only seven were charged resulting in just two convictions, which were said to relate to “counter terrorism, child indecency and domestic extremism” cases.

First offense

encryptionThe Register claims to have recently discovered the identity of the first person to be jailed for “persistent refusal to give counter-terrorism police the keys to decrypt his computer files”. The 33-year-old science enthusiast and software businessman, referred to only as JFL, told the magazine that he used encryption to protect his company data.

Whilst on his way back to the UK from France, sniffer dogs picked up the scent of a model rocket in his luggage and he was detained under the Terrorism Act. Believing in his right to silence, he said nothing when subsequently interviewed by counter terrorism officers. When asked to provide encryption keys to allow examination of USB keys and hard drives, he continued his silent vigil.

Feeling that the authorities “were determined to pin a crime on him”, he tried to disappear under the radar of the authorities while out on bail. He was soon found and arrested by sub-machine gun wielding officers and after failing to disclose passwords again, was charged under part three of RIPA. “In his final police interview, CTC officers suggested JFL’s refusal to decrypt the files or give them his keys would lead to suspicion he was a terrorist or pedophile,” reports The Register.

After pleading guilty in June of this year (apparently incorrectly assuming that he would be released under tagged surveillance), he was sentenced to 13 months imprisonment – the judge, whilst  accepting that JFL was not a national security threat, seemed to suggest that his counter-culture, internet-centered, amateur scientist, geek lifestyle (coupled with his refusal to cooperate with the authorities) might just have worked against him.

It could happen to any of us

Apart from the fact that JFL has since been sectioned under the UK’s Mental Health Act and is now enjoying the comfort and security of a mental health hospital, the history of this man’s case could easily relate to any of us.

I would guess that most of us use encryption in one form or another and would probably be somewhat guarded when ordered to reveal passwords (if you look into the history of things like the Clipper Chip fiasco and its knock-on effects for data encryption and privacy around the world, it’s easy to see why folks are wary of the intentions of those in power).

I would further suggest that a significant number of us tinker with technology and may occasionally transport items which could, when taken out of context, be misrepresented or at the very least misunderstood.

By taking the time and trouble to encrypt data in the first place, it’s obvious that the last thing you’d want to do is give someone free and easy access to it. So if you were ordered to reveal your encrypted secrets, would you resist or would you risk imprisonment “on principle”?