The Regulation of Investigatory Powers Act 2000 (RIPA) requires that when public authorities use covert techniques to obtain private information about someone, they must do so in a way that is necessary, proportionate, and compatible with human rights. The Act has in the past been regarded by some as harsh and overused, for example by local authorities to check on fly tippers.
However the recent case of R –v- Padellec 2012  EWCA Crim 1956 highlights just one of the wide ranging implications of the Act with regards to cyber crime and that the Act may in fact be prone to manipulation. Given that it is fairly new law, especially in the context that assault cases are prosecuted using legislation that is over 150 years old, the Court of Appeal have yet to properly grapple with the finer details.
Section 49 of RIPA allows Police, law enforcement agencies, security services and the military to demand access to encrypted data. Section 53 of the Act provides for people to be convicted if they fail to allow access to this information. A person guilty of an offence under this section could be liable to a term in prison, a fine or both. Under this section, the appellant pleaded guilty to an offence of failing to disclose a key for encrypted information on his computer.
In Padellec, the appellant’s computer was searched by Police for suspected indecent images. Although no images were recovered there were a number of deleted files and encrypted volumes. The titles of the deleted files gave rise to suspicion of exactly what information was protected, however, the appellant refused to provide the relevant key and allow the authorities to have a look for themselves.
The sentencing Judge accepted a basis of plea based upon keeping the contents secret, which the Court of Appeal found entirely wrong. The Court advised that if a similar situation arose again under section 53 of the Regulation of Investigatory Powers Act, they hoped that a defendant could not manipulate, what appears to be a loophole in the law, by choosing to keep certain information private, and as such obtain a lesser sentence.
The Court was fairly critical of Pierre Padellac commenting that, “What [not handing over the encryption key] does is to enable the defendant in question to identify, to his advantage, what was or was not on the computer and so get the benefit of a lesser sentence than otherwise might be appropriate. That is to enable him to dictate, wrongly, what the situation is. The whole point of requiring access is so that it can be seen what was in fact there. We express the hope that in a situation such as arose in this case, and in the context of an offence under the Regulation of Investigatory Powers Act (section 53), there will never again be a basis of plea accepted which is based upon keeping the contents secret and the defendant saying, to his advantage, what was or was not contained.”
It seems a sensible approach and there seems little doubt that the remarks made in this case have a wider implication on other cyber crime offences, particularly in relation to terrorism and hacking matters. As with Padellec, it seems that a defendant will simply not be allowed to manipulate the situation to his own advantage.