Where exactly does the law state that? There's no "then and only then"
It was the law I quoted immediately above it. I even bolded the relevant part.
For the purposes of this section a person shall be taken to have shown that he was not in possession of a key [ie he forgot it] to protected information at a particular time if—
(a)sufficient evidence of that fact is adduced to raise an issue with respect to it; *AND*
(b)the contrary is not proved beyond a reasonable doubt.
Note the word 'AND'.
Hopefully most people understand that X = a AND b means you need to test b if and only if a is true.
even the CPS themselves highlight that your earlier interpretation
This is a press release from the CPS - not an argument made in court. We don't know what was said in court. We do know, for certain, what the law says and it's quite clear. The prosecution do NOT need to prove 'beyond reasonable doubt' that someone remembers their password, as you claimed they do, except in exceptional circumstances.
someone stupid enough to incriminate himself
The information we have is that he behaved consistently with someone who was being as helpful as possible to the police, but had forgotten his password.
Note that there is little special status in England for 'self-incriminating' evidence, unlike America. If you refuse to answer the police questions on the grounds that they are 'self-incriminating' the prosecution can and will use this in court.
, he admitted he had set the password,
So are you saying he should have lied to the police? Will any encryption software will let you encrypt data /without/ setting a password?
To recap, you said :
Similarly there's a lot of FUD about RIPA's password clause by people who haven't read the law which explicitly states that police have to prove beyond reasonable doubt that someone has a key before they can be prosecuted for not handing it over
I quoted the exact law, which 'explicitly states' the precise opposite of what you claimed - implying that you yourself 'haven't read the law'.
You also said, about people being imprisoned for apparently forgetting their password:
I gave a example of precisely that happening.
This is a far cry from simply saying ... "I forgot it". As I said, no such case to date has ever happened -
from the press release:
the defendant [said he] could not recall it ... As the defendant claimed to have forgotten a password ...
So this is exactly what happened.
Some people, if they were caught out so badly wrong about so many things they were so dogmatic about, might think "when you're in a hole - stop digging".
But I'm glad you don't because it gives me an opportunity to repeat this point about which there certainly is 'a lot of FUD':
Basically, based on the few contested cases that have come up so far, if the police demand a password to some file you encrypted, only 2 things can happen:
a) you give them the password
b) you go to prison.
Except in special circumstances, saying 'I forgot my password' is NOT a valid defence.
The claim that the prosecution always have to prove 'beyond reasonable doubt' that you remember it is clearly false. It's up to the victim to show 'sufficient evidence' they have forgotten it, something that has never happened, and may be impossible in practice.
The following are also not defences:
- 'I didn't set a password' (an obvious lie)
- 'My answers would be self-incriminating' (this isn't America)
This is going to have a chilling effect on the use of encryption in general, will give the authorities power over people who have done nothing wrong, and will encourage those in the know to use 'deniable encryption' which will give police still less knowledge about the metadata.