Disclosing Encryption Keys and IP Addresses

European courts have had something to say lately about whether disclosing encryption keys would amount to self-incrimination, and whether disclosing an IP address involved an undue disclosure of personal information.

An English court (R. v. S and A [2008] EWCA Crim 2177) held that compelling the disclosure of an encryption key did not infringe the privilege against self-incrimination. Out-Law.com has the story:

“In this sense the key to the computer equipment is no different to the key to a locked drawer,” said the judge. “The contents of the drawer exist independently of the suspect: so does the key to it. The contents may or may not be incriminating: the key is neutral. In the present cases the prosecution is in possession of the drawer: it cannot however gain access to the contents. The lock cannot be broken or picked, and the drawer itself cannot be damaged without destroying the contents.”

Mr Justice Penry-Davey did concede, though, that if the computers were found to contain incriminating material then the fact that the two men knew what the passwords were could itself become incriminating evidence. The fact of their knowledge of the password, and not the password itself, could incriminate them.

The Court said that there was a balance between the rights of the two men not to incriminate and the needs of society to be protected, and that the systems in place held that balance.

A German court (30.09.2008 AG, Munich – English translation) held that storing (not disclosing) IP addresses alone did not violate privacy laws. Again, Out-Law.com has the story:

Search engine companies and other web publishing operations store IP addresses in a bid to identify users and their usage patterns. Privacy activists have argued that IP addresses should count as personal data under data protection legislation. Publishers have claimed that while IP addresses can be personal data, they are not always necessarily so.

In a provisional ruling, the district court of Munich has said that when stored by an internet publisher, IP addresses are not personal data under the country’s Privacy Act because the information cannot be easily used to determine a person’s identity.

The issue has never been tested in a UK court but the view of the German court is consistent with guidance published last year by the UK’s Information Commissioner.

The Article 29 Working Party, the committee of Europe’s privacy watchdogs, has said that IP addresses should be treated as personal data by ISPs and search engines, even if they are not always personal data.

[Note this limit to the ruling: The ruling said that an internet service provider (ISP) could not tell a third party who was using a particular IP address at a particular time without a legal basis. ISPs generally do not give out such information except when ordered to do so by a court.]

Are these cases right? Do they depend on particular legislation in the relevant countries, to the extent that there are no lessons to be learned here?

Should Canada have something like the UK's Regulation of Investigatory Powers Act 2000 (RIPA), Part III of which requires disclosure of encryption keys (or of the decrypted material) on pain of criminal sanction?

Can law enforcement officials here, or ISPs, take comfort from the reasoning in Germany when they seek disclosure of, or choose to disclose, IP addresses of people suspected of crimes (or who might be doing things of interest to the police)?
