Analysis of Part III of the (draft) Electronics Communications Act 1999
Burden of Proof
If you are served with a Section 10 notice then you commit an offence if you fail to produce the plaintext or a decryption key. It is a defence to show that you didn't have them - but how do you prove a negative?
To put this another way, 12(2) and 12(3) reverse the usual burden of proof, which is that the Crown must show (a) that an offence has been committed and (b) that the statutory defences do not work. There are similar problems with 13(8) and 10(5)(b).
The Home Office wrote to FIPR during the consultation period to set out their position. As you will see from the dialogue, this did not calm matters down (or indeed persuade anyone they understood what the issue was):
Anthony B Sylvester
In general, it is only justifiable to place the burden of proof of a defence on the accused where that burden is straightforward to discharge and where it is impracticable for the prosecution to discharge the burden of negativing the defence. (Example: burden on driver - accused of being uninsured - to prove he was insured to drive is easy to discharge, and very tedious for prosecution to negative.)
Clause 12 plainly fails that test hopelessly, and it also fails even a minimalist statement of that proposition, in which the only requirement for justifying such a reversal is that the burden is heavier for the prosecution than for the defence. The obvious reason is that the burden on the accused is manifestly impossible.
In a university context the _ultimate_ ownership of any "data" (e-mail, files, crypto keys, etc) produced/stored on university computing facilities by staff and students appears to reside with the university.
One implication of this is that such an organisation can snoop on e-mail traffic to/from its site with impunity since it owns the data. It could also do this snooping on behalf of an outside body without the need of a warrant.
I suspect that it is much cheaper and simpler for an LEA to seek the electronic information it wants by getting the cooperation of the "owner" (as opposed to the "user") of that information rather than having to seek judicial or HO permission then negotiate the monitoring and collection with a third party such as GCHQ, etc.
Is the situation in industry much different to that in a university?
The fact that it is an offence not to disclose it would almost certainly be a sufficient answer to any disciplinary or breach of contract proceedings taken against the discloser, at any rate in the UK. (Problems of clashes between different jurisdictions are sometimes not easy to resolve.)
Home Office letter
But the prosecution will need to prove the offence beyond all reasonable doubt in all cases. Our belief, therefore, is that we have not reversed the burden of proof with this Clause. A person charged with an offence under Clause 12, as with any other offence, remains innocent until he is proved guilty by a court of law.
The Home Office must have an idea what it would consider satisfactory proof of non-possession in typical cases. These are not covered by the Explanatory Notes, but further clarification of the Government's intentions would be most helpful in drafting responses to the consultation. I think people are looking for a practical answer, rather than a general legal statement.
Do you now accept that a s.10 decryption notice can be served on persons not suspected or accused of any offence, and therefore it is not the case that only persons suspected of 'wrongdoing' would be liable for prosecution?
To require the accused to prove a defence therefore reverses the burden of proof. That is what clause 12 does.
But the offence created by clause 12 suffers from two serious flaws.
The first is that it can be proved without any evidence whatever that the accused is in possession of a key to protected information, since all that must be proved is that a notice was given under clause 10 to the effect that it **appeared** to the giver of the notice that the accused was in possession of a key to protected information. So the accused can be convicted on the basis of what the police think.
The second flaw (or, if you like, a second aspect of the same flaw) is that possession of the key, instead of being an element of the offence that must be proved by the Crown, is turned as if by sleight of hand into a defence which must be disproved by the accused.
It might be argued that it's a bit unfair and prejudicial to keen penpals belonging to the Society for Exchange of Random Numbers, but it's a lot better than a medieval presumption of guilt.
At the moment, this is irrelevant because IOCA 1985 S.9 says that this kind of circumstantial evidence is inadmissible in court. But if it WERE admissible it would certainly help the prosecution shoulder the burden of proof. I think the Home Office is well aware of this, but is still thinking short term of its take from voice-intercepts, and is desperate to avoid going down the road of repealing S.9, which would then open up such cans of worms as subject notification, and remove a lot of the culture of secrecy arguments against more robust oversight.
William Geiger III
Nicholas Bohm
Certainly; but evidence of past possession of a key would at least justify serving a notice seeking it. If in response to the notice the key is claimed to have been destroyed, then of course past possession does not justify reversing the burden of proof that it is still held. But if, after such a claim is made, further evidence shows that the allegedly destroyed key is still in use, bit by bit the prosecution may be accumulating enough to make a case. (Please bear in mind that according to John Abbott, Director-General of the National Criminal Intelligence Service, criminals are lazy, greedy and stupid.)
The prosecution have the burden of proof, but what they have to prove is pure will o'the wisp surmise.
The jumping hurdle for the prosecution has been reduced to a mere hop skip and a jump, and that created for the defence is a logical impossibility - but technically the burden of proof has not been reversed.
The availability of mass encryption in a world of mass communication puts the seal on a fundamental shift in the balance between the state and the individual.
The more fundamental, the more extreme will be the measures required to try to recover what is felt to be lost ground. The fact that these proposals are so egregious and offensive only shows the depth of fear of a government of the privacy of its citizens.
It is not a lot more complicated, but the fear is real, and these measures will not be substantially defeated without an acceptance in high office that this shift in the fault lines has already happened.
Pete Chown
I would like to suggest a few other changes to clarify the burden of proof issue:
In 12(2), 12(3), 13(3) and 13(4) change "for that person to show" to "if". Delete the word "that" from the beginning of each of the following paragraphs in section 12. In 12(4), delete "he also shows". In 13(7) change "to show that" to "if". In 13(8) change "to show that" to "if".
Nicholas Bohm
No doubt it's always best to be clear who has to prove defences, but the default rule is one of the fundamental basics of criminal law: the burden of proof is on the Crown. This includes the burden of negativing defences raised, and doing so beyond reasonable doubt. The fact that the Home Office seems to think there is a general rule that the defendant must prove a defence tells you much about the Home Office, nothing much about the law.
(That's not to say there are no exceptions, and legitimate ones at that. One case even suggests that when the legislation is silent, you decide by seeing whether it's easier for the Crown to have to prove or for the defendant to have to disprove. Although I think that case puts it much too favourably for the Crown, even on that test it is just outrageous to put on the defendant the burden of proving he has no key or other relevant information.)