At a court hearing earlier this month, the UK's National Crime Authority (NCA) demanded that Lauri Love, a British computer scientist who allegedly broke into US government networks and caused "millions of dollars in damage," decrypt his laptop and other devices impounded by the NCA in 2013, leading some experts to warn that a decision in the government's favor could set a worrisome precedent for journalists and whistleblowers.

Arrested in 2013 for the alleged intrusions but subsequently released, Love was re-arrested in 2015 and is currently fighting extradition to the United States. He has so far refused to comply with a Section 49 RIPA notice to decrypt the devices, a refusal that carries potential jail time. However, British authorities have not charged Love with any crime, leading him to counter-sue in civil court for the return of his devices.

In the NCA's submission to the court, which Ars has seen a copy of, the government demanded that Love turn over the passwords and encryption keys to his confiscated devices. The devices in question include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card, and a Western Digital hard drive. The NCA in particular wants Love to decrypt TrueCrypt files on the SD card and external drive.

The government's demands threaten to erode the right against self-incrimination, Dr. Richard Tynan of Privacy International told Ars. "This is the first time we have heard of a UK agency using two different legal mechanisms to compel the decryption of data," he said. "It is particularly worrisome given that no prosecution is underway against the individual [Love] and is in the context of a serious extradition case to the US. The right not to provide evidence against oneself is cherished in the US and around the world but apparently not so in the UK."

Love's argument in his civil case is that if the police aren't going to charge him with a crime, they should return his property. "The problem is that the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt," Love told Ars in an e-mailed statement. "This has clear and troubling implications for groups that handle sensitive communications or other data—journalists, advocates, activists and whistleblowers, and members of the legal profession.

"An executive body of the state is saying that any information to which they are not privy... cannot be owned and kept securely but instead confiscated and access denied," Love added. "This is a fundamental reversal of rights and the potential for abuse is alarming."

The NCA's submission argues that Love should decrypt his devices in order to demonstrate that the data they contain belongs to him and demands that Love provide a witness statement indicating his entitlement to the allegedly stolen data, including, according to the court's Directions order, allegedly "pirated versions of copyrighted films," "data from the 'Police Oracle' website," and "data obtained from the United States Department of Energy and the United States Senate."

The NCA declined to comment for this article, simply saying, "We have no updates that we are in a position to offer at this time."

A bevy of alleged victims

As Ars reported in 2013, Love allegedly hacked into networks operated by the US Army, the US Missile Defense Agency, NASA, the Environmental Protection Agency, and other US government agencies. According to prosecutors in 2013, Love allegedly employed SQL injection and a ColdFusion security flaw to gain admin access to the servers in question, and he used the elevated privileges to steal confidential data.

Tor Ekeland, Love's attorney in the States, worries that the NCA's demands have nothing to do with the civil suit at hand.

"I think they want to gain access to the information on Lauri's computers in order to turn it over to the US authorities, with whom it seems to me they are plainly cooperating," he told Ars. "Lauri is currently under indictment in the US, and it appears the UK government is sharing information with the US, so the question on our end is whether the UK government is violating Lauri's US constitutional rights as a criminal defendant by engaging in activity that US prosecutors may not be able to do in the US.

"Are the UK prosecutors acting as agents for the US in this instance?" Ekeland asked. "The possibility that the US government may use foreign sovereigns to do an end run around US constitutional criminal defendant protections is disturbing to me."

The timing of the NCA's demands, made at roughly the same time as the FBI's (now-failed) demands of Apple in the San Bernardino case, suggests that the NCA may also be looking to set a precedent. "This is very similar to the 'FBI v IT Security' case… except here a company is not involved in the process," Tynan said. "It is interesting that even if the individual whose iPhone is at the center of that case in the US was still alive, they could not be compelled in a similar fashion to do what is being sought for a second time against Lauri Love."

Love worried that a court decision in the NCA's favor, and at a time of heightened anxiety over the growing use of encryption, would be a "step backward in history" and signal a return to "medieval witch-trials and the inquisition."

"Cryptography, an essential and indispensable pillar of information security, becomes indistinguishable from black magic," he said, "and the mere presence or even the unsubstantiated suspicion of encrypted contents—which, I must note, is indistinguishable in the general case from purely random data—reverses the presumption of innocence for... an organization or individual desiring, responsibly and rightly, to store their data securely.

"We can't have a free society under the rule of law under a system like that," he said.

The court is set to hear arguments on the decryption demand on April 12 at Westminster Magistrate's Court. Love's extradition case is ongoing, with the extradition hearing itself set for June 28 to 29.

J.M. Porup is a freelance cybersecurity reporter who lives in Toronto. When he dies, his epitaph will simply read, "assume breach." You can find him on Twitter at @toholdaquill.