On Tuesday, a London court rejected an attempt by UK security officials to compel an alleged hacker, 31-year-old Lauri Love, to hand over his encryption keys.
Love allegedly hacked into several US government offices in 2012 and 2013, including the Department of Defense, the Environmental Protection Agency, the Department of Energy, and NASA.
In October 2013, the UK’s National Crime Agency raided Love’s home and seized his computers and hard drives. However, many of the seized devices contained inaccessible encrypted data.
Initially, British authorities served Love with an order under Section 49 of the UK Regulation of Investigatory Powers Act, demanding that he hand over passwords to open encrypted files stored on the device. The alleged hacker refused to comply with the mandate, and the National Crime Agency determined not to push the issue or charge Love under British law.
The matter was revived, however, when Love filed a lawsuit against the UK government demanding the return of his computers and storage devices, since he had not been charged of any crime. The National Crime Agency responded by renewing their demand for his encryption keys, seeing the civil proceedings as a new means to get a judge to force Love to hand over his passwords.
In court, investigators stated that they refused to return the equipment seized from Love’s home, on the grounds that the devices may contain data of which he did not have legitimate ownership, such as hacked files. UK officials argued that if Love wanted his devices back, he would have to turn over the passwords to prove that they did not contain unauthorized data.
Privacy advocates criticized the UK government’s position, pointing out that requiring people to unveil their personal files to authorities precisely because the government lacks compelling evidence risks shifting the burden of proof from the government to the individual, and creates a precedent of official intrusion. Love’s supporters also raised concern that forcing him to turn over his passwords could have negative implications for journalists who need to guard confidential information.
Westminster Magistrates’ Court judge Nina Tempia agreed with the privacy advocates, ruling in Love’s favor on Tuesday and saying that she was "not persuaded" by the National Crime Agency’s argument that Love should be forced to provide his passwords and encryption keys to prove that he owned the private data on his personal devices, and strongly criticizing the agency for attempting to "circumvent" the Regulation of Investigatory Powers Act.
Following the decision, Karen Todner, Love’s attorney, said that "the case raises important issues of principle in relation to the right to respect for private life and right to enjoyment of property and the use of the Court’s case management powers." She added that an adverse ruling "would have set a worrying precedent for future investigations of this nature and the protection of human rights."
Love’s legal challenges persist, despite Tuesday’s favorable ruling. He may face extradition to the United States, where he could be sentenced to up to 99 years in prison. The 31-year-old, who has been diagnosed with Asperger’s syndrome, said he was worried that he would not get a fair trial in America.
Love also vowed to never hand over his encryption keys, even if compelled by government officials, declaring, "There will be no decryption!" Love called the decision "a victory" before observing that the ruling was "an avoidance of a disaster."