JUSTICE, the legal human rights organisation, and the Foundation for Information Policy Research today (Wednesday, 22nd March) warn that those aspects of the Regulation of Investigatory Powers Bill dealing with police powers to unscramble encoded e-mail are likely to breach human rights standards under the European Convention on Human Rights.
Part III of the Bill (previously in the Electronic Communications Bill) allows the police to serve written notice to demand either that a communication be decrypted or the private encryption key be handed over.
According to an Opinion obtained from two leading lawyers, the Government has wrongly opted for the widest police powers enabling open-ended interception of encrypted material. It says that this “will have the inevitable consequence of compromising the affected individual’s whole security and privacy apparatus” and thereby likely contravene Article 8 of the European Convention on respect for private life.
In a second, up-to-date Opinion on Part III of the RIP bill, a number of potential human rights breaches are again emphasised:
· The presumption of innocence is violated: failure to comply with a decryption notice will be a criminal offence unless the person can prove that s/he does not have the key, or does not have access to it because, for instance, the password has been forgotten. This contravenes an important element of the fair trial right guaranteed by Art 6 ECHR: that it is for the prosecution to prove the offence, not for the defendant to prove his or her innocence.
· The right not to self-incriminate is infringed: It is impossible for the police to prove by technical means that the defendant ‘has’ possession of the key. And, the only way of proving that he ‘has had’ the key is by way of an admission by the defendant. Furthermore, disclosure of the key by the defendant may lead to the discovery of incriminating material. This contravenes a person’s right to remain silent and not to contribute to incriminating him/herself as guaranteed under the fair trial right of Art 6 ECHR.
· There are inadequate safeguards against abuse: Not all decryption notices have to be first authorised by a judge. There is no requirement that the notice be restricted to serious crime; it could therefore be used for low-level criminal data gathering. There are inadequate safeguards on the holding of the decryption key and any material obtained. There is no requirement to inform the Covert Investigations Commissioner that such notices have been served. These are all requirements necessary to safeguard privacy rights under Art 8 ECHR.
As the Opinion concludes:
‘The above would suggest that for anyone using encryption, in order to avoid unjustified suspicion and possible wrongful conviction, it would have to be good practice to
a) Use steganographic file systems or equivalent technology; and
b) Not to admit to ever having had a key rather than be helpful and co-operative.
For the vast majority of individuals this is counter-intuitive and for society in general counter-productive. ‘
Madeleine Colvin, Legal Policy Director at JUSTICE, said today:
“As these are significant breaches, we expect the Home Office to engage in open debate on how far this Bill will fail to be human rights compliant in practice, rather than merely asserting that it is”.
Caspar Bowden, Director of the Foundation for Information Policy Research, said:
“The question of the reversal of the burden of proof has been festering for eight months. It is now time for the Home Office to give a reasoned explanation for how an innocent person who has forgotten their key can be expected to prove this on a balance of probabilities”.
Notes to Editors: