Posted on Oct 10, 2016 by Rick Falkvinge

In the UK, running a blog over HTTPS is an act of terrorism, says Scotland Yard




In a bizarre case, Scotland Yard is accusing a person for six separate acts of preparing terrorism. Those six acts include researching encryption, developing an “encrypted version” of his blog, and instructing others how to use encryption.

This is one of those cases where you do a double take. As reported by Ars Technica, UK’s Scotland Yard is charging a Cardiff person with preparing for terrorism – but the list of charges shows activities we associate with very ordinary precautionary privacy measures. “Developing an encrypted version of a blog” can be read as, and probably means, publishing it over HTTPS – such as this blog and many others, simply because it’s considered best practice.

He was also charged with having a flash drive in a cufflink with a bootable operating system, presumably Tails. Using open and free operating systems with the capacity for general-purpose encryption is now an act of terrorism?


UPDATE: Scotland Yard describes the case here in much more detail. The two charges discussed here are items 3 and 5:

Count 3: Preparation for terrorism. Between 31 December 2015 and 22 September 2016 [name redacted], with the intention of assisting another or others to commit acts of terrorism, engaged in conduct in preparation for giving effect to his intention namely, by researching an encryption programme, developing an encrypted version of his blog site and publishing the instructions around the use of programme on his blog site. Contrary to section 5 Terrorism Act 2006.

Count 5: On or before 22 September 2016 [name redacted] had in his possession an article namely one Universal Serial Bus (USB) cufflink that had an operating system loaded on to it for a purpose connected with the commission, preparation or instigation of terrorism, contrary to section 57 Terrorism Act 2000.

While this adds significant nuance to the Ars article above, the primary point still stands as to count three: the criminal act was researching encryption, developing an encrypted version of a blog site (which describes publishing over HTTPS and a few other things), and teaching encryption. The intent of this criminal act was to aid and assist terrorism, but the criminal act was still researching, deploying, and teaching cryptography. This is a hugely important nuance – quoting a comment from user Withabeard on Reddit:

He hasn’t been charged for helping terrorists.

He has been charged for having an encrypted blog. The reason authorities have chosen to charge him, is because that blog may contain material that helps terrorists. The distinction is small, but it has a massive impact on how we apply laws in the UK.

Helping other people conduce killing of other humans is already illegal in the UK, so that is what he should be charged with if there is evidence he did it.

But he has literally been charged with “instruction or training in the use of encryption programmes”.

It shouldn’t matter what the encryption was going to be used for, no-one should ever be charged with doing that.

(end of update insertion)


Three things are noteworthy in this bizarre case, in terms of predictions coming true.

The first is that four years ago, I predicted that the UK won’t just jail you for encryption, but for carrying astronomical noise, too. It’s already a crime to not give up keys to an encrypted document in the UK (effectively making encryption illegal), but it’s worse than that – it’s a five-years-in-prison offense to not give up the keys to something that appears encrypted to law enforcement, but may not actually be. In other words, carrying astronomical noise is a jailable offense, because it is indistinguishable from something encrypted, unless you can pull the documents the police claim are hidden in the radio noise from a magic hat. This case takes the UK significantly closer to such a reality, with charging a person for terrorism (!) merely for following privacy best practices.

The second observation is that in the cat-and-mouse game between surveillance and encryption, there will come a point where authorities start mistaking a right to attempt breaking into somebody’s privacy with a right to succeed with breaking into somebody’s privacy. Such a right has never existed, of course: even if law enforcement gets a search warrant for a house, including a right to attempt breaking a safe, there is never a right to succeed breaking into a safe, or a right to magically find what they think is there.

The third observation is the bizarre charge of “researching encryption” and “instructing others in how to use encryption”. According to Scotland Yard, learning and teaching mathematics is apparently terrorism. This would affect lots of efforts – for example, EFF’s HTTPS Everywhere and Linux Foundation’s Let’s Encrypt. Possibly even all the Linux repositories, as they contain lots of encryption and instruct others in setting it up.

This is a case that needs to be closely watched and Scotland Yard needs more than a slap on the wrist here.

Privacy remains your own responsibility.


UPDATE II: People who are pointing out that Scotland Yard is strictly legally in the right are most likely correct, but that’s missing the point. See the followup post: Scotland Yard, Terrorism, and Encryption: How wording of charges contain hidden layers designed to shape public opinion.

About Rick Falkvinge

Rick is Head of Privacy at Private Internet Access. He is also the founder of the first Pirate Party and is a political evangelist, traveling around Europe and the world to talk and write about ideas of a sensible information policy. Additionally, he has a tech entrepreneur background and loves good whisky and fast motorcycles.


VPN Service

Leave a Reply

Your email address will not be published. Required fields are marked *

52 Comments

  1. Jardar Øhrn

    Saw this coming. UK does not value people’s security or privacy.

    1 year ago
    Reply
  2. Alex Ferguson

    Clickbait article… the author of the blog is suspected to be a member of ISIS

    1 year ago
    Reply
    1. Falkvinge

      So charge for that then, and not for researching/deploying/teaching encryption.

      1 year ago
      Reply
      1. Ben

        They did. It’s the first thing on the list.

        1 year ago
        Reply
        1. Joep Lijnen

          If using HTTPS is considered illegal encryption, then any eating utensil should be considered an unlicensed lethal weapon. Did they also charge him for owning a fork?

          1 year ago
          Reply
          1. Turgo

            The point is that the article is plain wrong. HTTPS isn’t illegal. Your comment on a fork is instructive. If I go out and buy a fork (or a knife, or learn about encryption) with the intent of carrying out a terrorist act, then I’d fall under this legislation. It wouldn’t follow though that forks (or knives or encryption) are illegal.

            1 year ago
          2. Brandon M. Sergent

            Your myopia and obsession with defending your owners is astounding.

            Where do you people come from? Because I promise if it’s not a government factory already, it will be soon.

            The fact is that HTTPS IS illegal in this case. That is their entire assertion. The point is that it should never be illegal ever. Which frankly I think you already know. You’re just scared and kneeling in advance, or you’re a totalitarian wannabe.

            1 year ago
    2. giles_wells

      So charge him with terrorism and not this shit. They are going to set a nasty precedence with this case and it will kill internet innovation and entrepreneurs throughout the UK if any of these encryption charges stick.

      Just imagine for a moment that Google sees a conviction here as too much risk to continue business in the UK and opts to leave. They would take 11 billion pounds out of the economy with them as they go. Its a stupid law and they need to find another way of handling this that won’t cause massive destruction to the rest of the internet community throughout the UK.

      1 year ago
      Reply
  3. Abulurd Boniface

    Fighting this is the wrong approach. We have to let the law run the course to the far end of the reductio ad absurdum. One day, very soon too, it will down on someone that ‘a horrible mistake’ has been made. In the grand tradition of politicised institutions there will be absolutely no one in officialdom to blame, only the people who found themselves involved, through no fault of their own and without their consent, will be held accountable.

    By then it will be too late.

    Remember, D.: TLBCSPEMZXSGEUKLQNSY

    1 year ago
    Reply
  4. Ben

    This article is deeply hyperbolic. He’s not being charged with using/teaching encryption, he’s being charged with “conduct in preparation for giving effect to his intention to commit acts terrorism or assisting another to commit such acts”. The specific things he did, in the process of assisting others to commit acts of terrorism, involved the use of encryption, but it does not follow that all uses of encryption are therefore illegal. Likewise, just because “developing an encrypted version of his blog” could describe simply using HTTPS, does not mean that using HTTPS is now illegal, because the criminal act is “conduct in preparation for giving effect to his intention to commit acts terrorism or assisting another to commit such acts”.

    1 year ago
    Reply
    1. Ben

      And further: he’s not being charged with “instruction or training in the use of encryption programmes”; he’s been charged with instruction or training in the use of encryption programmes knowing that the training would be used for the commission of terrorist acts — the latter part is what makes it a crime.

      Perhaps you should get your legal advice from lawyers, not Reddit.

      1 year ago
      Reply
      1. Mr Trainbeans

        I think you’re missing something. all these charges stem from one single assertion on the part of the Met – that he’s a member of Isis. Maybe they have evidence for this, maybe they don’t. But once the police have made this assertion, which for all we know could be completely baseless, all these other perfectly harmless activities get pulled onto the charge list as acts aiding and abetting the terrorist organization that, we are assured, he is part of. It’s a positive feedback effect that magnifies the power of weak or nonexistent evidence. The law IS the problem, not this man’s alleged transgression of it

        1 year ago
        Reply
        1. MyrddinWilt

          If the Met can’t prove a connection to ISIS then their whole case collapses. Membership in a proscribed organization is pretty much impossible to prosecute absent evidence of what the individual did in the organization.

          1 year ago
          Reply
          1. Mr Trainbeans

            So why pile on all the other charges? They’re not being honest here. Between Chilcot and Ferguson, no intelligent person ought to trust intelligence agencies or law enforcement further than they can throw them

            1 year ago
          2. n4zhg

            For the same reason the US “Justice” Department piles on charges: To get the poor slob to plead guilty, or kill himself.

            1 year ago
          3. John Neil

            Also favoured as a jury will see a whole lot of offences as an indication of probable guilt, throw enough mud and eventually some will stick.

            1 year ago
          4. Bjørn Remseth

            It’s a standard procedure for any attacker: Saturate your opponents defenses in the hope that something will break.

            1 year ago
      2. Charles Guillory

        When you provide an encrytion service,there is no way you can garuntee someone wont use it for terrorism.

        1 year ago
        Reply
        1. Bullshoot

          The same could be said of underwear, and knives, guns, and even the shirts terrorists wore.

          That’s the whole point of terrorism, do crap to scare people that can’t really be stopped. If you stop encryption because “it could be used for terrorism” you are caving in to their wishes. Stop being such a coward.

          1 year ago
          Reply
          1. Charles Guillory

            That is my point. (Lawmakers) cant (shouldn’t)blindly attack tools because they “might be used in terrorism” since that would mean forcing everyone to consider taking responsibility into their hands for the maluse they may not even get to see- that would be ridiculous

            1 year ago
  5. David Hughes

    As I type this each letter on my keyboard is converted from a letter e.g. capital M which on the ASCII code chart is 77 then it needs to be converted to its binary number equivalent 01001101 which a computer can process.

    1 year ago
    Reply
    1. Bruce Epper

      Uh… There is no conversion of anything here. You press the ‘M’ key on your keyboard and the computer sees 01001101. That is it.

      1 year ago
      Reply
      1. Richi Jennings

        No. Assuming a regular PC keyboard, an M would be generated by a scancode combination of 0x2a+0x32 or 0x36+0x32 or 0x2a+0x36+0x32 or a previous receipt of 0x3a followed by 0x32.

        In Windows, this gets converted into 0x0102 with VK parameter 0x4d. Or there are other types of WM messages that the thread can explicitly listen for. This is then typically converted into U+004d. This in turn may often be converted to an ANSI-based code table as 0x4d, or (unlikely) 0xd4.

        But are you sure you meant M? Perhaps you meant М, which is U+041c or 0x8c in CP866. Or did you mean м, which is U+043c or 0xac.

        My point is: that is not “it”. It’s more complicated. And it’s all about the context.

        1 year ago
        Reply
  6. John c

    By that token, anyone using a vpn is also at risk of spurious accusations.The government are pushing back the boundaries of their surveilance overreach once more.

    1 year ago
    Reply
    1. chris

      no they are not

      1 year ago
      Reply
    2. Nick Strugnell

      Only if they are using the VPN in the preparation of an act of terrorism. Same as if they bought a car with the purpose of using it in an act of terrorism. This does not outlaw the use of VPNs, or indeed cars.

      1 year ago
      Reply
      1. Brandon M. Sergent

        Considering they can define “terrorism” however they please you just defended establishing permanent Marshall law.

        You people are horrifying.

        At this rate the UK will look like the DPRK in a decade.

        1 year ago
        Reply
        1. Nick Strugnell

          The definition of terrorism is not arbitrary – it’s clearly defined in the TA 2000. If “they” want to redefine it they will need a new Act of Parliament. You could have argued that the definition is too broad, but you didn’t as you haven’t even bothered to read the relevant legislation before your lofty pronouncements.

          You’re horrified? Really? I suspect you would have found being caught up in the Baltic Exchange bombing, or 7/7, as I was, rather more horrifying.

          1 year ago
          Reply
          1. Brandon M. Sergent

            XD So glad I logged into disqus and saw this 5 months later. X)

            Paste me exact said “definition” and I’ll tell you in turn exactly how it’s open to law daily interpretation. You’re high on bath salts if you actually think officials aren’t making judgement calls constantly about what is and isn’t “terrorism.”

            Terrorism’s a nonsensical concept ultimately. Just a way of scolding whoever we don’t like, especially if they are weaker than us militarily. (Not that western culture is even close to ready to face such truths.) Like the old saying; One man’s terrorist is another’s freedom fighter. Was shock and awe NOT organized terrorism? Is not ALL COMBAT designed to murder and or terrify (“demoralize”) your opponent into submission?

            At any rate *encrypting web traffic* isn’t terrorism, or crime, or combat, by any stretch of the rational imagination. Even encrypted military communications aren’t combat. To assert that speech is combat makes you the worst kind of authoritarian. Which brings us to why I didn’t say I’m horrified, I said *you people* (authoritarians) are horrifying.

            Need I really make the obvious historical references to what power drunk authoritarians turn into if given power? X)

            7 months ago
  7. Richi Jennings

    I suspect the author has not yet read the two sections under which the accused is charged. They require “intent” and “purpose”. IANAL, but I’m 100% sure that conviction would require proof of intent to commit a terrorist act, and/or proof that his purpose was to commit same.

    1 year ago
    Reply
    1. Charles Guillory

      Well that would be a handy way to force soneone to decrypt a message,wouldnt it? “If you cant prove its not about terrorism and want to hide the key,we can only assume you at least intended it to be”

      1 year ago
      Reply
      1. Richi Jennings

        Nothing in any Act can override the courts’ presumption of innocence.

        1 year ago
        Reply
    2. Reinhard Schu

      The sections in question do not require intent. Section 57 (possession of an article) requires “circumstances which give rise to a reasonable suspicion that his possession is for a purpose connected with […] terrorism”. Section 58 (collection of information) requires the information to be “of a kind likely to be useful to a person committing or preparing an act of terrorism”.
      No intent required. No actual support of terrorism required. Mere suspicion and usefulness of the information for terrorism is enough to be charged with a criminal offence.

      1 year ago
      Reply
      1. Richi Jennings

        No, you’ve accidentally selectively quoted only one of the two Sections under which he’s charged. And you’ve accidentally quoted another section that’s not relevant.

        §5 of the 2006 Act requires “intent”
        §57 of the 2000 Act requires “purpose”

        Nothing in the Acts can override the presumption of innocence.

        1 year ago
        Reply
        1. Reinhard Schu

          You are correct that Section 5 of the TA 2006 requires intent.

          However, Section 75 of the TA 2000 does not require purpose. It merely requires that the circumstances of the possession of an article give rise to a reasonable suspicion that the possession is for a purpose connected with terrorism. So the “purpose” is a completely subjective concept of the hypothetical observer whose “suspicion” is aroused. To charge under S. 57 TA 2000, it is enough for the police to suspect that the article is being possessed for the purpose of terrorism.

          The presumption of innocence is overturned in S. 57 TA 2000, because the accused now needs to prove that the article is not being possessed for the purpose of terrorism. The same applies to S. 58 TA (which was not invoked in this case).

          Your claim that “nothing in the Acts can override the presumption of innocence” is incorrect. Please read S. 57(2) and S.58(3) TA 2000, which are a reversal of the presumption of innocence.

          1 year ago
          Reply
          1. Richi Jennings

            No mere Act can override the Court’s presumption of innocence.

            1 year ago
          2. Reinhard Schu

            You keep repeating this claim with no supporting explanation. S.57 and 58 TA 2000 do override the presumption of innocence, as is very clear from their wording. The defendant has to prove his innocence (“It is a defence….”).

            1 year ago
          3. Richi Jennings

            Primary legislation cannot override the presumption of innocence

            1 year ago
  8. Andyj

    So the guy is possibly a member of Daesh operating within the UK. I’m not so sure the cops say HTTPS is illegal per se’. everyone uses it. Not revealing the key to access the site as part of the investigation is like a US citizen quoting the fifth amendment. you cannot do that here any more.

    Habeas Corpus is dead. We are now under the EU’s napoleonic code where you are guilty before charged & can be kept in prison until you admit how guilty you are.

    If Daesh is an enemy then the US who enabled them should be considered our enemy. Kudos to Putin eh?

    1 year ago
    Reply
    1. Homer Slated

      Actually I think you’ll find that the UK not only devised this “napoleonic code” without any EU mandate, but directly in violation of it, since RIPA (the law that facilitated the above travesty), along with various other bits of Draconian UK legislation, have been legally challenged on numerous occasions by the EU.

      https://www.privacyinternational.org/node/830

      The fact is that the UK would be a considerably more oppressive regime without EU oversight, and thanks to the xenophobic half of the population, sadly that is now inevitable.

      1 year ago
      Reply
  9. Ken Mackenzie

    If you buy batteries, a clock or a pizza with the intention of helping terrorists then you commit an offence. That is not the government criminalising batteries, clocks or pizzas. It is punishing assistance to terrorists. It’s the same with encryption.

    1 year ago
    Reply
    1. Brandon M. Sergent

      This is literal insanity.

      You clearly don’t realize that you just asserted that everything should be illegal whenever authorities want it to be.

      Legislating intent itself is already insane, and you just cubed the insanity by an abstract noun and an every day object.

      It’s literally like criminalizing ordering pizza via the “desire” to “blasphemy.” Prove desire(intent), define blasphemy(terrorism), and criminalize pizza(https).

      1 year ago
      Reply
  10. LEGOlord208

    ROFL

    Poor guy, though 🙁

    1 year ago
    Reply
  11. Jigsy

    I had a scary thought about the whole jailing for failure to hand over a password.

    1. Police raid house of somebody, let’s say under the “guise” of child pornography
    2. Seize equipment as per protocol
    3. Before cloning the equipment, they band together and plant an encrypted file on a drive, then clone everything
    4. Demand they hand over the password for a file they never created
    5. Jail them every five years until they cough up a password they don’t know…

    The UK created a system that allows them jail people they classifiy as “enemies” with minimal effort.

    1 year ago
    Reply
    1. Brandon M. Sergent

      I would seriously leave the UK or go full zero computer Luddite. This law is exactly as you say. Total license to jail arbitrarily.

      1 year ago
      Reply
  12. Homer Slated

    The problem is that “preparation for terrorism” is presumptive, explicitly based on ignorance of facts unobtainable due to encryption, and therefore the encryption itself is being criminalised to coerce discovery.

    But that completely destroys the principle of “innocent until proven guilty”, because they have to begin by assuming guilt before they can claim that your otherwise legal measures to hide that presumed guilt are illegal.

    That isn’t how justice is supposed to work.

    Either they have the evidence of an actual crime, or they don’t If they don’t then it should be case closed.

    1 year ago
    Reply
  13. kootzie

    There will always be the facile infantilized doofuses who align themselves with , and are cheerleading apologists for the control-freak class on the premise that unlimited unconditional obedience to what is “legal” – i.e. permitted/unprohibited somewhere in the pile of legalese scribblings accreted by generations of malfeasant malingerers on the public dole acting as double-agents for their bettors … is the highest public good.

    Let us take a moment for a mass passing of gas in their general direction. Pffffffft

    1 year ago
    Reply
  14. Ben

    Oh geez man “pointing out that Scotland Yard is strictly legally in the right” Ghahh! what nonsense. Jews were technically against the law while existing in a “living healthy state” in WWI Nazi Germany as well. after the kill order went out. Just because someone wrote something down as a law or decree, does not mean it is infallible, or humanitarian, or even half right.

    1 year ago
    Reply
  15. Icarus

    He was working with ISIS according to the list of charges, I doubt people would come under this kind of scrutiny without actual links to real terrorist organisations which are a real and serious threat.

    1 year ago
    Reply