UK court declines to force alleged British hacker to decrypt his data

A judge tells the National Crime Agency to use the proper procedure if it wants the suspect's password

The U.K.'s National Crime Agency (NCA) failed in its attempt to use what critics described as a legal backdoor to force a suspected hacker to provide the decryption key for data on multiple devices.

Lauri Love, 31, was arrested by U.K. authorities in 2013 under suspicion of hacking into computers belonging to multiple U.S. government agencies including NASA, the FBI, the Federal Reserve, and the Army.

Love is the subject of separate indictments in courts in New Jersey, New York, and Virginia and faces extradition to the U.S. An extradition hearing is scheduled for the end of June.

When Love was arrested in 2013, the U.K. police also seized electronic equipment from his home, including two laptops, a hard disk drive, and an SD card. Love was later released, and the NCA decided not to press any charges in the U.K., but kept some of his devices holding encrypted data.

Love wants those devices back and has filed a civil application under the U.K.'s Police (Property) Act 1897 to recover them. During his application's pre-trial proceedings, the NCA asked the judge to use the court's "good case management" powers to direct Love to provide the encryption key or password for the data stored on three hardware devices.

In the U.K., police have the power to request passwords and decryption keys from suspects under section 49 of Part III of the Regulation of Investigatory Powers Act 2000 (RIPA). Failure to comply with such requests can be prosecuted and carries a prison sentence. However, RIPA also has safeguards, including human rights ones, for recipients of section 49 notices.

In fact, the NCA did serve a RIPA notice on Love in February 2014 requesting that he provide the password to decrypt the data. Love declined, saying that he had no information to give, and the NCA decided not to enforce the notice.

District Judge Nina Tempia declined the NCA's new request.

"After reading the papers and hearing from the parties, I am not granting the application because in order to obtain the information sought the correct procedure to be used, as the NCA did two and a half years ago, is under section 49 RIPA, with the inherent [Human Rights Act] safeguards incorporated therein," Tempia, of the Magistrate's Court, said in her ruling on Tuesday.

The case is important because had the judge accepted the NCA's request to order Love to produce the decryption key, it would have set a dangerous precedent, allowing police in the U.K. to bypass the few protections that exist for suspects to protect their passwords, some privacy advocates said.

"By requesting a direction as part of the civil application, the National Crime Agency is seeking to sidestep the RIPA scheme and effectively circumvent ... safeguards and the protections of the Code of Practice," legal journalist David Allen Green said in a blog post.

The ruling has no direct bearing on Love's extradition proceedings but might complicate the efforts of U.S. prosecutors if they counted on the NCA recovering evidence from Love's devices.

There's a parallel case in the U.S., where the FBI tried to force Apple to decrypt a seized iPhone using the provisions of a 1789 law called the All Writs Act. Critics argued the law was not intended to be used in this way.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleFBINASA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place