Since the original release of proposals for decryption powers in Part.III of the draft Electronic Communications Bill last July, there have been robust but sporadic exchanges of views between the Home Office and those who have said that these powers "reverse the burden of proof". Who said what, and when ?
...For individuals, forgetting a password is a reasonable thing to do. People in my private office at the Home Office, and others with whom I have worked, accept that it is not unknown for me to forget a password occasionally. ...Depending on the circumstances of the case, people might relatively easily state that they have forgotten their password or their key, and then volunteer how it was generated, when they last used it and what they normally do when they forget their key..."
Simon Hughes MP: " The argument is perfectly reasonable, but the most vulnerable people will be individuals who are not part of a system with a back-up procedure. They are their only check--they invent the password, and they can forget it. Given that the test is only 50/50 in that it is a case of whether the person is believed or not, would it not be better at least to concede that someone must be found, not just on a balance of probabilities, but beyond any reasonable doubt, to be hiding the fact that they know the password, data or encryption mechanism?"
Charles Clarke MP: " I have tried as best I can to deal with the points that have been made fully. The balance suggested by the hon. Gentleman is not right; that which we are suggesting is right, and that is why the Bill is worded as it is."
26/4/00: BBC Radio 4 'You and Yours', e-Minister Patricia Hewitt "...There is no reversal of the burden of proof..."
4/4/2000: Charles Clarke MP (RIP Standing Committee): "The business, which is responsible and secure, always has back-up mechanisms, always anticipates the loss of a key and always has an audit trail that establishes when keys were used for what purposes and when they were thrown away...
...the individual has to demonstrate his forgetfulness only on the balance of probabilities, which means that he is already some way there
...Precisely because forgetting a password is such a reasonable thing to do, it is rare that there are no contingency arrangements for such an eventuality.... individuals could easily state that they had forgotten their password or key, but volunteer information about the last time they remembered it, what they normally do when they forget it, whether their service provider has a back-up system or whether all data are destroyed every time that they lose their key. The court will take such factors into account.... the defence can avoid liability by demonstrating a change of circumstances on a balance of probability."
4/4/2000: Oliver Heald MP (RIP Standing Committee): "The worry is that the burden of proof will be reversed for the defences in the clause. A person is being asked to prove something, whereas the prosecution need only prove facts that are entirely neutral as between guilt and innocence....I expect the Minister to say that the burden of proof has not been reversed. He may argue that, because certain things must be proved, there is a burden on the prosecution. He may say that it will be necessary to prove service, non-compliance and that the person has or has had the key. All those, however, are equally consistent with a guilty and a not guilty intention. Will the Minister accept that there is a burden on the accused to establish innocence, against a background of the prosecution proving neutral facts?"
30/3/2000: Guardian, three exchanges of letters between Caspar Bowden and Charles Clarke MP
Caspar Bowden : "The trouble with your 'statutory defence' is that there is no evidence when someone forgets something, so criminals with a lot to hide will always plead a bad memory. The jury or magistrate.... will simply have to guess whether the defendant is lying. RIP requires no evidence (46.2.b.2) of an underlying (let alone serious - 46.3.b) crime."
Charles Clarke : "How do you demonstrate that you've lost or forgotten a key? You explain what has happened and the court will decide whether, on balance, you're telling the truth. There are statutory defences if you hand over as much information as you can. If you've forgotten your key, you might explain how it was generated, when you last used it and what you normally do if you forget it."
26th Mar 2000: Observer report on SFS2000 (It's RIP basic human rights in 'worst UK legislation ever' looms)
"Ah, that magic phrase, 'balance of probabilities'. And how, pray, is that to be assessed? By the use of lie-detectors in British courts? Clarke was repeatedly pressed on this at the conference, but declined to be drawn. Instead he intoned the 'balance of probabilities' mantra like a speak-your-weight machine on valium"
23rd Mar 2000: Silicon.com report on SFS2000 (Internet 'Snooping Bill' fails human rights audit)
Caspar Bowden said "The government's position seems to be 'don't worry about proving your innocence because we'll only prosecute you if you're guilty'"....... Clarke was unable to explain to Bowden how the government expects people to prove they have forgotten or mislaid encryption keys.
22nd Mar 2000: FIPR/Justice Human Rights Audit updated for RIP:
"...to avoid unjustified suspicion and possible wrongful conviction...good practice to...use steganographic file systems...not to admit to ever having had a key"
"...it seems highly inappropriate for the Government to legislate in the full knowledge that the chosen wording of a provisions would require a 'departure from the natural and ordinary meaning' of its words"
"...Government has failed to address the serious concerns identified....it would be appropriate and desirable that the Minister explain his reasoning on compatibility...rather than merely assert that the provisions of the Bill as currently drafted comply".
22nd Mar 2000: Keynote Speech by Charles Clarke MP to Scrambling for Safety 2000 : no mention of "burden of proof" or "presumption of innocence" (in the text)
21st Mar 2000: Letter to Financial Times from Charles Clarke MP ((if FT link expired search here): "...accusations that we have reversed the burden of proof miss the point..."
14th Mar 2000: Charles Clarke MP, Standing Committee (1st sitting): "legitimate issues were raised about...the reverse burden of proof. However, we do not accept that the criticisms...are well founded. The statutory defence that the Bill provides is not the same as reversing the burden of proof....I do not want to give the impression that we are thinking about modifying our position, because that would imply a flexibility on our part that does not exist"
13th Mar 2000: Open Letter from Charles Clarke MP to ukcrypto: "Accusations that the Bill reverses the burden of proof are simply wrong"
5th Mar 2000: Letter from Caspar Bowden to Guardian in reply to Charles Clarke's letter: "Internet users manage a plethora of passwords to protect email, files, and website registrations. Failure to produce any password required by any public authority for any official purpose (S.46.2.b.ii) means two years' jail. The court will convict if it believes you were lying about forgetting a password, or uncooperative in finding it."
10th Mar 2000: Letter to Guardian from Charles Clarke MP: "Accusations that we've reversed the burden of proof to an unacceptable degree miss the central element of the new decryption proposals. The burden falls on the prosecution to prove, beyond reasonable doubt, that the accused is, or has been, in possession of a key. Then there are statutory defences for individuals who have lost or forgotten a key. These need only be established to the lower level of proof - the balance of probabilities"
6th Mar 2000: Charles Clarke MP, Second Reading debate (Column 833): "The Bill...creates a defence for an individual who has forgotten or mislaid a key or password. It is true that he or she must prove the defence, but they need to do that only on the balance of probabilities."
21st Feb 2000: ZDNet interviews the e-Minister: Part III: "Q. What about claims that powers to give law enforcers access to decryption keys reverses the burden of proof? A.That was much misunderstood. I think the bill has been amended anyway since the draft. Q. I've looked at both and I can't see any differences A..."
10th Feb 2000: Home Office press release on publication of RIP Bill : no mention of "burden of proof" or "presumption of innocence".
10th Feb 2000: Home Office Regulatory Impact Assessment on RIP Pt.III : no mention of "burden of proof" or "presumption of innocence".
10th Feb 2000: Explanatory Notes on RIP Pt.III : no mention of "burden of proof" or "presumption of innocence".
20th Jan 2000: Government replies to T&I Sel. Ctee request to "publish detailed analysis to substantiate its confidence" that decryption powers are ECHR compliant: "...very happy to explain why it believes the provisions to be ECHR compatible when faced with specific argument to the contrary...issues are hard to deal with comprehensively in advance of any particular challenge"
21st Dec 1999: Financial Times, Decrypt with care (Caspar Bowden, Personal View)
19th Nov 1999: Official DTI/HO Press Release on E-Comms/RIP Bills : no mention of "burden of proof" or "presumption of innocence".
17th Nov 1999: FIPR Press Release on Queen's Speech: "the glaring flaw was reversing the burden of proof on possession of a decryption key....The Home Office...avoids the burden-of-proof issue with ambiguous wording."
17th Nov 1999: "Unofficial" Home Office briefing to journalists on RIP for Queen's Speech : no mention of "burden of proof" or "presumption of innocence". (not listed under official HO Press Releases - contact FIPR for details)
26th Oct 1999: T&I Sel. Ctee 14th Report: Burden of Proof : "There may on some occasions be legitimate reasons why a private key or plain text could not be handed over to the law enforcement agencies....a number of respondents...argued that it would not be possible for the subject of a decryption notice to provide proof that they did not possess or have access to a key or plain text....The prospect of users of encryption being fined or gaoled despite having genuinely lost their private keys is, however, a legitimate concern....We recommend that the Government give some indication as to how it is envisaged that those served with written notices requiring plain text or encryption keys can successfully demonstrate that they cannot comply with the notice."
26th Oct 1999: T&I Sel. Ctee 14th Report: Human Rights : "Having certified that legislation does not contravene the European Convention on Human Rights, Ministers must be able to demonstrate, when challenged, that this is indeed the case. We recommend that the Government publish a detailed analysis to substantiate its confidence that part III of the draft Bill does not contravene the European Convention on Human Rights, dealing with the points made to the contrary."
25th Oct 1999: "Unofficial" Home Office rebuttal statement to journalists on FIPR Release: "The Bill does not reverse the onus of proof." (not listed under official HO Press Releases - contact FIPR for details)
25th Oct 1999: FIPR Press Release on previous human rights audit: "failure to comply with a decryption notice will be a criminal offence unless the individual concerned can prove that s/he does not have the key....because, for instance, the password has been forgotten. This contravenes the right to a fair trial guaranteed under Article 6 of the European Convention"
7th Oct 1999: FIPR/JUSTICE Human Rights Audit of draft E-Comms Bill: Legal Opinion: "We consider that section 12 [of the draft E-Comms bill] is likely to be held to infringe...the presumption of innocence in Article 6(2)...the operation of clause 12(2) may well constitute a reverse burden of proof"
3rd Aug 1999: Open Letter from FIPR to Home Office (no reply received) : "How can a person accused of failing to comply with a notice "show"....that they do NOT have a key? This is why the burden of proof is reversed - instead of the prosecution having to show (beyond reasonable doubt) that the defendant is wilfully withholding a key, it is for the defence to prove (somehow - nobody seems to know how) that they do NOT possess a key....to argue that the presumption of innocence is maintained seems reckless casuistry"
23th Jul 1999: FIPR Press Release on Draft E-Comms Bill (1st reference to "burden of proof"?) : "The defence will be presumed guilty of withholding a key unless they can prove otherwise (a likely contravention of the European Convention on Human Rights)....no presumption of innocence : burden of proof on defence to show they DO NOT have a key...how is it logically possible to PROVE non-possession of key?"
8th Jul 1999: Govt. asks Conservatives to approve "carry-over" of E-Comms Bill to next Parliamentary session under new procedures which require Opposition consent. Conservatives refuse after private sight of the Bill. Government publishes bill as "draft" for further formal consultation over summer. Responses to consultation have now been published on the web in response to a FIPR Open Government request.
22nd Jun 1999: NCIS Project Trawler report:
"90...Law enforcement agencies are thus keen that, in specified circumstances only (i.e. where lawful access is presently permitted), they should be able to formally request the decryption key, whether from the user or anyone else to whom the key has been entrusted. Failure to comply with the request would constitute an offence. There are some limitations to this proposed measure’s overall effectiveness and these would undoubtedly be exploited by the most astute criminals."
"91...Lawful access to decryption keys can only be a very partial solution to the problems which will be faced and a range of other measures and tools will need to be developed"
15th Jun 1999: Open Letter from Cyber-Rights and Cyber-Liberties to the Prime Minister: "If faced with a requirement to decrypt...or to provide the decryption key, [the] innocent party would have to prove that they do not possess such a key. For all practical purposes such a proof would never be possible....to impose such an impossible burden of proof on an accused must amount to an infringement of the presumption of innocence embodied under article 6 of the European Convention on Human Rights" (no reply received)
26th May 1999: Cabinet Office report on "Encryption and Law Enforcement": "...further attention should be given in the Bill to placing the onus on the recipient of a disclosure notice to prove to the authorities that the requested keys or plain text are not in his possession, and to state to the best of his knowledge and belief where they are. has not been made effectively"
Go to FIPR front page.
Go to RIP Information Centre
The Foundation for Information Policy Research is registered in England and Wales under the Companies Act 1985 as a private company limited by guarantee (No.3574631). Application for charitable status is in progress
Last Updated May 4th 2000.