The National Crime Agency (“NCA”) has been criticised following a recent unsuccessful application to obtain passwords and encryption keys to computers that it seized from Lauri Love in 2013. The Magistrates Court held in Love v NCA that the NCA could not bypass the Regulation of Investigatory Powers Act (“RIPA”) by using the courts’ case management powers to try to obtain the passwords and keys.
Mr Love is currently challenging his extradition to the US to face charges of hacking US government computer systems. In 2013, the NCA executed a search warrant under the Computer Misuse Act and seized a number of computers belonging to Mr Love and his parents. The NCAlater returned the parents’ computers but retained several computers belonging to Mr Love. Mr Love was arrested and interviewed under caution by the NCA. He was asked to provide the encryption keys and passwords for his computers but refused to do so.
Five months after Mr Love was arrested, and while he was still on bail, the NCA obtained a notice under section 49 of RIPA ordering him to produce the passwords and encryption keys. Mr Love again refused to provide them. Mr Love was later released from bail and was not charged with any offences in the UK.
For unknown reasons, the NCA did not enforce the RIPA notice. Failure to comply with a section 49 RIPA is a criminal offence punishable by up to five years’ imprisonment in national security cases and two years’ imprisonment in other cases. Similar enforcement provisions are currently contained in the Investigatory Powers Bill which will replace RIPA and other legislation relating to the interception of communications.
In 2015, Mr Love applied to the Magistrates’ Court under the Police Property Act 1897 for the return of his computers which the NCA continued to hold. The NCA responded to Mr Love’s application with its own application to the Court for a direction requiring Mr Love to supply the encryption keys or passwords “in the interests of good case management”. In opposing the application, counsel for Mr Love described the NCA’s approach as an attempt to access the data on the computers “by the back door”. Mr Love also contended that it would be a breach of the Human Rights Act for the NCAto obtain the passwords and keys through the courts’ case management powers rather than through the process required by RIPA.
The Court agreed that the NCA could not circumvent RIPA by seeking to obtain the passwords and keys through the courts’ case management powers. The appropriate course was to make an application under RIPA, as the NCA had done in 2014.
It is not clear why the NCA chose not to enforce the 2014 RIPA notice against Mr Love. There have only been a handful of prosecutions for non-compliance with RIPA notices and warrants and the majority of these prosecutions have been brought in conjunction with other criminal charges. It is, however, of concern that a law enforcement agency sought to circumvent the processes and safeguards set out in RIPA when it had already been through the process of obtaining a RIPAnotice and decided not to enforce it.