Defendants will have to give encryption keys to police even if the data it unlocks incriminates them, a British appeals court has ruled.
An appeals court has heard the case of two defendants who were arrested under the terrorism prevention act. One suspect's homes was searched, revealing computer material which was partially encrypted.
The Regulation of Investigatory Powers Act imposed a legal obligation for them to reveal the full encryption keys and allow access to the encrypted material, the ruling said. However, the suspects appealed, claiming that it was incompatible with the privilege against self-incrimination.
The appeals ruling said that as the encryption key was no different to a physical key, it existed separately from their will and so the self-incrimination defence couldn't be used.
The court said: "The key to the computer equipment is no different to the key of a locked drawer. The contents of the drawer existed independently of the suspect; so did the key to it. The contents might or might not be incriminating; the key was neutral."
It is Part three of the RIPA act which requires people under particular circumstances to supply encryption keys to particular authorities. It has caused controversy as a failure to disclose decrypted data could lead to a penalty of up to two years in jail.
Critics have said that law enforcement could cost businesses by mishandling this data, with some of the provisions complex and even unworkable.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.