On March 23, 2026, the Hong Kong government amended the rules of its National Security Law, making it a criminal offense to refuse to give police passwords or decryption assistance for personal devices. When I read the security alert, my initial plan was simply to compile a list of jurisdictions with similar laws. That catalog quickly outgrew its premise. Tracking these statutes revealed a fractured global approach to digital privacy and state power, resulting in a comparative study too broad for a single article. I decided to split the research into two parts. This first installment examines the countries that criminalize digital silence.
The catalyst for these laws is strictly technological. Modern electronic devices hold an unprecedented concentration of our private lives. At the same time, the widespread adoption of strong encryption has built mathematical walls that investigative agencies cannot breach. Faced with this barrier, the state’s focus has shifted. Unable to break the device, governments increasingly use the threat of separate jail time to compel the user to open it.
This dynamic forces a re-examination of the right against self-incrimination. The core debate asks whether forcing a suspect to hand over a password is akin to surrendering a physical key, like a safe combination, or if it constitutes forcing them to testify against themselves. This article maps out the jurisdictions that bypass that debate entirely, choosing instead to make the refusal to decrypt an independent crime.
As I mapped out how different legal systems handle the encryption roadblock, a distinct, highly pragmatic pattern emerged. The philosophical debate over whether a password is a physical key or a piece of testimony is legally rich, but it is also incredibly slow. For an investigator staring at a locked device that might hold the centerpiece of a case, abstract constitutional theory offers little immediate use.
A growing number of jurisdictions have decided they simply do not have the patience for that debate. Rather than untangling the historical nuances of self-incrimination, they bypassed the problem entirely by creating a brand new crime.
In these countries, digital silence is a standalone offense. The logic is a fascinating piece of legislative circumvention: the state is not punishing you for whatever illicit material might be hidden on your hard drive because they cannot see it. Instead, you are prosecuted strictly for the act of keeping the door locked. By severing the refusal to provide a password from the underlying criminal investigation, these governments have weaponized the penal code against the locked screen itself.
It is a blunt, highly effective workaround to the mathematics of encryption. Here is how that hardline approach plays out on the ground.
When tracing the origins of the coercive model, the path leads directly to the United Kingdom. The British approach serves as a primary blueprint for how a state can pivot its penal code against a locked screen.
The mechanism driving this is the Regulation of Investigatory Powers Act 2000, commonly known as RIPA. Under Section 49 of the act, police and other authorities can serve a formal notice demanding a suspect hand over their password, PIN, or decryption key. To issue this demand, authorities need a reasonable belief that the person knows the code and that access is necessary to prevent crime, protect national security, or safeguard the country’s economic well-being; the notice also has to be necessary, proportionate, and used where it is not reasonably practicable to obtain the intelligible information another way.
The real teeth of the legislation reside in Section 53. Failing to comply with a Section 49 notice without a lawful excuse is classified as a standalone criminal offense. The penalties are explicitly designed to act as a coercive lever: a standard refusal carries a maximum two-year prison sentence, but if the underlying investigation involves national security or indecent images of children, that penalty jumps to five years.
Watching this dynamic operate in practice, the legal paradox it creates inside an interrogation room is striking. Suspects are forced into a high-stakes calculation, having to immediately weigh whether the data on their device is so incriminating that taking a guaranteed prison sentence for silence is a better bet than facing the primary charges.
It is easy to mischaracterize how this looks on the ground. When I first started assembling notes for this section, I looked at the case of Stephen Nicholson, who refused to hand over his Facebook password during the 2018 Lucy McHugh murder investigation. It is tempting to frame his resulting prison sentence as an example of a man locked up “strictly for withholding a password” – but looking at the actual timeline breaks that narrative.
Nicholson was the prime suspect in a murder case. When he refused to yield his password, the state didn’t wait for the homicide investigation to conclude. They hit him with a RIPA charge immediately, resulting in a 14-month prison sentence in August 2018. This allowed authorities to effectively incarcerate an uncooperative murder suspect while they built the primary case against him. By July 2019, Nicholson was convicted of the rape and murder. In this context, RIPA functioned less as a standalone punishment and more as an immediate tactical holding maneuver for a much darker crime.
To see how the law operates completely independently of underlying guilt, a clearer example is the case of Tajan Spalding. Spalding was handed an eight-month prison sentence for refusing to provide the passcodes to his iPhone and iPad during a drug investigation.
France, a country whose national motto was Liberté, égalité, fraternité, has taken a surprisingly hardline stance on digital privacy under Article 434-15-2 of its Penal Code. This law makes it a severe criminal offense to refuse to hand over a decryption key or password to law enforcement during an investigation. For a while, there was legal back-and-forth about whether a standard smartphone PIN actually counted as a decryption key or just a simple lock. However, in late 2022, France’s highest court, the Court of Cassation, definitively settled the debate: a phone PIN is legally recognized as a decryption tool if the phone is encrypted. Refusing to provide it to the police can land you with a prison sentence of up to three years and a staggering €270,000 fine.
The key nuance here is that this obligation falls on absolutely anyone who knows the code, up to and including the suspect themselves. This raises obvious and tricky questions about the right against self-incrimination, a cornerstone of many legal systems. The French courts, however, have effectively bypassed this protection by framing the refusal not as an act of staying silent, but as an active obstruction of justice. They argue the code isn’t inherently incriminating evidence; it’s just the key to access a space where evidence might be.
For the average private citizen, this means the old idea that “my phone is my private digital vault” doesn’t hold much water if you’re ever taken into custody. You can be hit with heavy criminal charges purely for keeping your passcode to yourself, completely separate from whatever crime the police were originally investigating.
To be fair, the Court of Cassation did introduce a technical caveat in its November 2022 ruling, clarifying that a phone PIN isn’t automatically considered a “decryption key” by default. The judges specified that for the offense to trigger, the state must prove the specific device is actively equipped with encryption software and that the PIN actually unscrambles the data, rather than just acting as a simple home screen lock. While this sounds like a meaningful privacy safeguard on paper, it is a slightly cynical moot point in the real world. Virtually all modern smartphones come with full-device encryption enabled out of the box. Ironically, if a suspect happened to possess an older, unencrypted phone where the passcode merely locked the screen, law enforcement wouldn’t need to compel them to reveal the code anyway – they could easily bypass the lock and pull the data using standard forensic extraction tools. So, while the court drew a careful legal distinction, the everyday reality of consumer tech ensures the threat of prosecution remains practically universal.
Looking further afield, the Australian framework caught my attention for its sheer punitive weight. The foundation of this approach was laid when the Cybercrime Act 2001 inserted Section 3LA into the federal Crimes Act. While much of the modern public debate around encryption focuses on forcing major tech companies or telecommunication providers to build systemic backdoors, Section 3LA zeroes in squarely on the individual. It is a legal lever designed exclusively to compel physical persons – suspects and witnesses alike – to unlock their personal devices. Corporate responsibility stays out of this provision; Australia aggressively targets tech companies separately, through parallel legislation like the 2018 TOLA Act.
Under this provision, if law enforcement believes a device holds evidence of a crime, they can obtain a magistrate’s order forcing the specified person with knowledge to provide the necessary passwords, PINs, or biometric access. The mechanism is simple: you are handed a warrant, and your failure to immediately decrypt the phone or laptop becomes a standalone federal offense. There is no drawn-out constitutional debate inside the interrogation room about the historical right to silence. The state simply demands the keys, and the individual must make an immediate choice.
What makes the Australian model staggering is the consequence of saying no. In investigations involving serious federal offenses, refusing a Section 3LA order carries a maximum penalty of ten years in prison. This is not a subtle legal nudge; it operates as an overwhelming coercive force. By threatening a decade behind bars strictly for keeping a screen locked, the law effectively neutralizes any practical reliance on the privilege against self-incrimination. It creates an environment where the individual is strong-armed into doing the investigative heavy lifting for the state, rendering their digital silence a highly penalized luxury.
As a direct neighbor to this Australian framework, New Zealand offers a compelling bonus case study in how state coercion is applied directly to the individual. Under Section 130 of the Search and Surveillance Act 2012, New Zealand law enforcement officers executing a search warrant possess the explicit authority to compel a physical person to provide the PIN, password, or encryption key to a lawfully seized device. Refusal to comply is not met with a procedural negotiation; it is prosecuted as a standalone offense punishable by up to 3 months’ imprisonment. Like the Australian model, this legislation zeroes in entirely on the personal responsibility of the suspect or witness holding the device, completely bypassing any reliance on the cooperation of external tech corporations.
It is important to note that this domestic investigative power operates parallel to an entirely separate border regime. When I initially looked into New Zealand’s approach, I had to draw a line between standard police powers and customs enforcement. Under the Customs and Excise Act 2018, border agents can demand travelers unlock their devices or hand over passwords under the much lower threshold of having “reasonable cause to suspect” wrongdoing. Refusal at the border triggers a distinct $5,000 NZD fine and potential prosecution. While border searches rely on a different legal foundation – rooted in a sovereign state’s inherent right to control its ports of entry rather than domestic criminal warrants – the underlying legislative mechanics remain similar.
Moving further east, the legal landscape surrounding compelled decryption fractures significantly, ranging from rigid statutory demands to complex constitutional debates.
In Singapore, authorities rely heavily on Section 39 of the Criminal Procedure Code (CPC). Following a suite of criminal justice reforms in 2018, Singaporean investigators were granted explicit, broad powers to order any individual to provide their login credentials or assist in decrypting a device. Crucially, this applies to anyone the police reasonably believe has knowledge of the password – whether they are the primary suspect, a family member, or a bystander. Refusing to hand over a passcode or help bypass security measures during a criminal investigation is treated as a direct obstruction of justice. The practical penalty reflected in a Singapore Police press release is a fine of up to S$5,000, up to 6 months in prison, or both.
In Hong Kong, the legal boundary for forced decryption is explicitly tied to “National Security,” though the practical application of that term is notoriously broad. Under the March 2026 amendments to the Implementation Rules of the National Security Law (NSL), police officers can demand device passwords, decryption keys, or technical assistance. On March 27, the Hong Kong government publicly said police may require a password only after legal authorization to search the device has been obtained, and said there is no power to randomly demand passwords from ordinary people on the street. While this rule is technically confined to national security investigations, it applies to everyone physically present in the jurisdiction, both residents and visitors. Refusing to unlock a phone or laptop is a standalone criminal offense punishable by up to a year in prison and a hefty fine.
While some nations have deployed blunt statutes to mandate decryption, other major democracies find themselves caught in a constitutional tug-of-war. In contested jurisdictions like the United States and India, law enforcement’s push for digital access constantly collides with deeply entrenched protections against self-incrimination. Rather than relying on a single, clear-cut law, these countries navigate an evolving patchwork of local court rulings, procedural workarounds, and ongoing legal debates. For the average person, this turns digital privacy into a highly unpredictable gray area, where the right to keep a passcode secret often depends less on unified legislation and more on how a specific judge decides to apply older legal principles to the smartphone era.
Unlike the statutory coercion found in the UK and Australia, where refusing to decrypt a device is a standalone criminal offense, the United States relies on procedural workarounds to force compliance. The primary hurdle for US law enforcement is the Fifth Amendment’s protection against self-incrimination, which generally covers the “testimonial” act of retrieving a password from your memory. To bypass this, prosecutors frequently invoke the “Foregone Conclusion” doctrine. If the government can prove they already know a suspect owns the device, knows the passcode, and can generally identify the files inside, courts in some jurisdictions have held that unlocking the device adds nothing to the government’s knowledge. This effectively strips away the Fifth Amendment shield. If a private citizen still refuses to comply with a judge’s decryption order, they aren’t charged with a new data-related crime; instead, they are held in civil contempt of court until they yield.
This procedural tactic has created a significant legal loophole, illustrated by the harrowing case of Francis Rawls. Suspected of possessing illicit digital material, Rawls was ordered to decrypt his hard drives. When he claimed he could not remember the passwords, the judge held him in civil contempt. The federal Recalcitrant Witness Statute is explicitly designed to cap this kind of coercive confinement at 18 months. However, prosecutors successfully argued for years that Rawls was a suspect rather than a mere witness, keeping the statutory limit at bay. As a result, Rawls was held in a federal detention center for over four years without ever facing a trial, a jury, or formal criminal charges. He was ultimately released in 2020 only after the Third Circuit Court of Appeals ruled the 18-month cap applied to him, highlighting how civil contempt can morph into an indefinite, uncharged prison sentence.
Rawls’s ordeal contrasts sharply with how similar cases are handled elsewhere in the country, showcasing the precarious geographic lottery of US digital rights. In the 2012 case In re Grand Jury Subpoena, the 11th Circuit Court of Appeals took a much stricter stance on the Foregone Conclusion doctrine. They ruled that because the government couldn’t identify with “reasonable particularity” what specific files were hidden on the encrypted drives, forcing the suspect to decrypt them fundamentally violated the Fifth Amendment. Because the US Supreme Court has yet to issue a definitive, nationwide ruling on compelled decryption, a citizen’s fundamental right to digital privacy – and their risk of being jailed for contempt – currently depends entirely on which federal circuit they happen to reside in.
In India, the legal landscape is currently caught in a tense tug-of-war between statutory power and constitutional rights that can best be described as “unsettled.” On one side is Section 69 of the Information Technology Act, 2000, which broadly compels individuals to provide technical assistance to decrypt data or face up to seven years in prison. On the other side is the Indian Constitution – specifically Article 20(3), which protects against self-incrimination, alongside the landmark Puttaswamy judgment that enshrined privacy as a fundamental right. This clash has sparked ongoing legal debates over whether forcing a suspect to hand over a memorized passcode constitutes an unconstitutional extraction of protected knowledge from their mind. The Karnataka and Kerala High Courts have taken views allowing compelled disclosure, while the Delhi High Court said an accused could not be coerced to reveal passwords during an ongoing trial. Reporting from March 2026 also indicates the Kerala High Court has stayed a compelled-passcode order pending review.
Ultimately, the global patchwork of compelled decryption laws points to an ongoing shift in how justice systems navigate the digital age. Whether relying on explicit statutory offenses or procedural workarounds like civil contempt, authorities are steadily bypassing the nemo tenetur principle – the long-established safeguard against self-incrimination. From an analytical standpoint, this trend isn’t a simple matter of right versus wrong. Law enforcement naturally seeks the most efficient path to secure evidence, and encrypted devices present a genuine hurdle. However, redefining a memorized passcode as a mere physical key rather than protected personal knowledge structurally alters the legal landscape.
The core issue with eroding this principle is the resulting imbalance of power. The state already holds a natural monopoly on legal force and authority. Constitutional rights and historical legal doctrines exist specifically to counterbalance that weight, ensuring private citizens have a baseline defense against the machinery of prosecution. When courts and legislatures steadily chip away at the right to remain digitally silent, they tilt that scale heavily in the state’s favor. It establishes a dynamic where traditional boundaries on government power are quietly downgraded for the sake of technological convenience, significantly reshaping the equilibrium between the individual and the state.