British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
"When I am king, you will be first against the wall..."
"xkcd", not "XKCD". We really don't need to shout the comic name.
But it's hard to remember all those special characters after they beat you with a wrench. Be sure to choose a password that's easy to remember under bludgeoning to limit the number of times they have to hit you in the head.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
I wonder what he is hiding.
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
Unless I missed it.. the article doesn't seem to mention WHY they want to see what's behind the 50-character password. What does his hard drive contain that's so bloody important?
The article says "encryption password" which makes way more sense.
He's getting off easy. In the USA, the cops would get a court order and the judge could order him jailed for contempt of court until he gives up the password.
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Well, I guess that makes it okay, then. After all, we can't allow people accused of child sexual exploitation to be free, can we?
On a more serious note, this sucks.
Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
I guess insisting on your privacy is taboo now. Even if you're a good kid, if you refuse to let the police into your private files just on principle, you're boned.
I know this is Slashdot, and we don't RTFS, but come on!
Considering what he's charged with if they can't prove their case without what's on his computer and if they can't get past his crypto he'll have gotten off light.
everyone gets this wrong - just say - "dang it I made it so long I forgot it, now I've lost all the family photos because I am so stupid"
I know it's the UK, but couldn't this be defended as the right to not self-incriminate? IANAL, but I'm just throwing that out there.
Could he have given them a random password, and then act dumbfounded when it does not work?
Maybe even accuse them of breaking his system?
It is hard to prove that the header of an encrypted disk has not been corrupted.
Would that work with the current law? Has anyone already tried it?
DUH. Obviously he's a terrorist.
Deleted
Now they'll just fall back on plan B: Generate a one-time-pad that when combined with his encrypted data will yield whatever happens to be the most incriminating data imaginable.
"I would rather die on my feet than live forever on my knees!"
or he can be like Terry Childs, sit 2 years in jail waiting for the trial.
I'm going to have to make my passphrase "I don't know", maybe see what trouble it causes.
How exactly do they know it's a 50 character password? And if they do actually know it's a 50 char password, wouldn't that narrow it down a bit for brute forcing?
XKCD
downloaded music? games? movies? software?
I see no legitimate reason why someone would refuse to disclose a password that is related to it.
You have never ever forgotten a password, right?
Seven puppies were harmed during the making of this post.
16 years
The article says the pigs were investigating some child porn or what not, and they got this kid with his computer.
OK, so now the kid is in jail for 16 weeks based on what evidence? Only based on the fact he doesn't want to give up his password.
GOOD FOR HIM.
I only wonder what they will do in 16 weeks time, will they again ask for his password and if he refuses throw him back in the slammer?
There is no way for anybody to say that he has any child porn on his computer and pigs could come up with any excuse just to look into his computer.
PIGS: -We want your computer files.
KID: Fuck you.
PIGS saying to judge: -We are investigating child porn, we want his computer files.
Judge: -Give us your password.
KID: Fuck you.
Judge: -Off to jail you go for not giving us your password.
--
That's it. No child porn, only a stubborn kid. Again, good for him.
You can't handle the truth.
You don't see a difference between being forced to say something and some DNA being taken?
Why don't we just force them to say they are guilty instead of the encryption key?
That would save the taxpayer a lot of money.
Nono, just testing the level of grumpiness among the /. crowd today by having my karma modified accordingly.
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
What makes you think it would be any different in the USA?
Computer crime + Contempt of court = jail until hand over the password.
I wonder what the laws are if you happen to forget the password? I use one-time passwords all the time. Some are 10 characters or more. I count on my ability to either reset the password or re-create the data. Politicians do it all the time. "It slipped my mind" or "It was ten years ago" or "I get so many papers that it's hard to remember what I signed".
Is it illegal in Britain to have a disk/folder full of large, strangely named files with random data in it? If not, how do they tell it from encrypted data?
Of course, this is wrong on so many levels that not all of them have to do with encryption or computers. What if he really forgot the password, or the policemen accidentally removed and discarded the sticker on the monitor while seizing the computer? What
PlusFive Slashdot reader for Android. Can post comments.
WTF, how was that posted as AC?
...because using steganography buys you DENIABILITY.
"Your honor, these are just snapshots from the countryside. Why are they in 48 bits per pixel "raw" format? Because I hate the lossy JPEG compression, I just like the "raw" format."
Considering the sex offenders register is pretty much a life sentence these days, especially with parental notification laws.
Of course, the UK is not unique in much of this. But what makes these examples so sad for me is how the UK was the foundation for much of what one might consider Western freedom. It fought the good fight against totalitarianism (let's not Godwin this). I don't think those who struggled back then would consider all this to be what they were struggling *for*.
Will this constant erosion of freedom ever stop?
You should set up multi-level encryption. Encrypt your mildly interesting stuff with one key, and the really nasty stuff with another. When they seize your computer, let them beat you for a bit, then give up the mildly interesting key. They'll give you an ice-pack, and when they find the deeper encryption, just say, "that's old junk, I forgot the password to that, and never got around to deleting it."
I need trepanation like I need a hole in the head.
It seems you've managed to fail on multiple levels today. Congratulations.
Do what thou wilt shall be the whole of the Law
He could use an encryption method that looks like random data, or use multiple layers of encryption so that a valid password can be used as a decoy.
You have to assert that you forgot it, and make it convincing. Just answering "no" when they ask you to write it down kills that angle.
Link up one citation to this happening in the U.S. Sure, you can be abducted off to parts unknown, tried under a military court and executed, but in a US court we still have a Constitution and the Fifth Amendment.
I don't see this as a "self-incrimination" issue, after all DNA and biological samples can be taken against your will and you cannot refuse to provide it if it's called for.
They can collect your DNA, but you're not required to tell them if you're a chimera. There's a difference between being the subject of an investigation against your will (which goes for your person and your effects), and being compelled to assist in it actively.
In exactly the same way, they can read your encrypted hard disk (with a warrant), and they can break your safe (with a warrant). In the latter case, they'll likely ask you to open it for them for the simple reason that you'd rather have a functional safe afterwards and they'd rather do less work (so everybody wins). However, this law differs by saying that if the cops can't break your safe, you have to help.
why we bothered fighting WW2? If the Brits are just going to turn into fascists anyway? Not to mention the good ol' US of A.
A.
...I don't see this as a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Seems British subjects are being oppressed. Why don't we liberate them and annex Britain to the U.S.? Of course they'd have to give up that silly royalty business.
Good for him.
You just give them the wrong one first, then when challenged on it you admit you may have forgotten it.
I don't see this as a "self-incrimination" issue, after all DNA and biological samples can be taken against your will and you cannot refuse to provide it if it's called for.
Then you don't see the issue clearly at all. They have physical possession of his computer(s), they have physical possession of his data, if they can't figure out what it means, then why is he being compelled to assist?
If you invent a language of squiggles and dots and use that to do all of your record keeping, the police come and seize your journals and can't read a thing, but they know that you know how to. Why should it be your obligation to teach them?
That's what we have here. Law enforcement has the information that they want, they just don't know how to read it.
Don't get me wrong, I'm not siding with child exploitation. I'm the father of two little girls. I would kill, I mean literally kill, anyone who tried to molest them.
That's not the point.
I and my children have far more to fear from an overreaching government than from the pervert in the bushes.
Most likely, you clicked on the "Post Anonymously" checkbox in the left corner of the submit box.
Umm with all the turmoil I just can't remember it.
---- Booth was a patriot ----
Not quite. Terry Childs gave out the password and he still stayed in jail. It's almost as if there was something else going on than just a password.
Why on earth would you encrypt a hard drive with any public key algorithm?? That would be incredibly slow.
Even if a judge ruled that wasn't you testifying against yourself, you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned. The US has no such similar law. Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
However if you look into it you discover that while there's little case law, indeed it HAS been ruled that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction.
How do you know the encrypted data is related to the case?
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
What if he's secretly gay, his entire family are raging homophobes, and he KNOWS beyond the shadow of doubt that revealing his encryption password will get him disowned?
If this was you, would YOU reveal the password?
-=This sig has nothing to do with my comment. Move along now=-
I wonder how they found out that the length of the passphrase is 50 characters. Did he brag to the authorities? Was there some way of detecting the length of the passphrase when they looked at the encrypted key?
This is why you need hardware encryption with a self-destruct mechanism.
A software solution can not do this. They will mirror your disk and work on the mirror. But a self-contained chip can be made tamperproof and such that enough mistyped passwords or just the special self-destruct password makes the chip irreversibly lose the key.
After the self-destruct event happened you just claim they caused it. That you gave the correct password the first time they asked. Even if you end up getting convicted on giving the self-destruct password that might be less than what they are really after.
A variant of this scheme is to store your password on a key device with the same properties. Someone could make an application for your phone that did this. It would not be as secure, as they could be mirroring your phone, but likely they would catch on to that too late.
If you kept your long unrememberable key on say, a post-it, and then when the cops come in burn it. Then you don't know the key and cannot recover it. I think that would get you off the hook. However, post-its are not so reliable. What you would need is a way to store the key on some form of removable memory which can be quickly, but not accidentally, totally erased. Or use some clever hidden partitions as a way to plausibly deny the data exists at all.
best xkcd ever!
Munroe, who often gets so much stuff right, got the Crypto Nerd's Imagination all wrong. There are three other (much more plausible) panels he could have drawn.
1) One panel would say, "The laptop is encrypted. I wish I knew where to find the guy I stole it from, so that I could ask him the password or beat it out of him with my $5 wrench. Surely he'll come back to the coffee shop if I sit here and wait long en-- Oh goody, he's here. SHIT, he has a $10 wrench!!"
2) One panel would say, "Half the country's packets are encrypted. We're not going to know what everyone is doing on the internet, until we hire fifty thousand people and buy them each a wrench and give them a house-to-house route. [Later:] SHIT, the budget didn't get approved, because the press made a big stink after we threatened the 207th person."
3) One panel would say, "Muahahah, we got his laptop. Quick, let's get the info off it really fast and then slip it back into his office before he gets back from lunch. He'll never know!! Shit, it's encrypted. Go get the wrench. No, wait. SHIT. If we threaten him with the wrench into revealing the key, he'll know what we did."
Everybody knows that once people with greater force and the willingness to use it come after you, you're fucked. You're either going to give up your secrets, suffer their wrath, or (unlikely but possible) get a bigger bully to fight them off. That's not the problem that crypto solves. The other scenarios I just mentioned, though, it does solve, and it solves very well. If you're a crypto nerd and these aren't in your imagination, then you don't have much of an imagination.
As for Oliver Drage, a sneak-and-peek warrant would have failed. He knows they're investigating him, can talk to a lawyer, and defend himself as much as a government allows someone to do that. Without crypto, what might have happened?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Use TrueCrypt. Use Hidden Volumes. Any questions?
He can give them the password to the one that has his hardcore porn in it, and keep the password to the hidden volume that has his ILLEGAL hardcore porn, because nobody can prove it's there, and the courts aren't really smart enough to consider the possibility anyway.
Note: I categorically do not use TrueCrypt, or hidden volumes.
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
get everyone to carry around virgin laptops, thus the feds will be consumed pursuing dead ends. The whole, we have rights to your data just flies so in the face of the 1st amendment, it is worth the citizens to carry unbreakable encryption just cause. Nothing illegal, just a nuisance. I am a libertarian. The countervailing policy is everyone is some kind of terrorist. Just absurd. We need to fight this total power grab under the guise of terror preparation. The number of people meaning harm is tiny. The number of citizens is great and all under the gun. That is bas ackwards. Let's restore individual liberty in this environment of wacko violence.
Amateurs always ask for this.. Or a duress password which will do the self-destruct the first time it's entered.
Pros know that imaging the drive is the first step of any process.
One Laptop Per Pornographer
You say you never had it.
The self-incrimination issue is that if you give the password, it indicates you had the password and thus you knew what was in there.
If you admit you have the password but won't give it, the self-incrimination issue is moot.
So you say you don't have the password. Not that you forgot it, but that you never had it.
http://lkml.org/lkml/2005/8/20/95
The UK has NEVER been a model for any "freedom" as we think of it here. Remember that whole revolutionary war thing? The one we had to fight TWICE just to be free of the King?
France gave us Lady Liberty. It's a French painting that inspired both the walking liberty and standing liberty coins; it's the French that came in and fought alongside us to kick England to the curb. England is the home USAians left BECAUSE of the lack of liberty.
Better to just say you forgot it, and then forget it.
Because if you screw with them it pisses them off, and if they find out they nail you for perjury.
So he's spending 16 weeks in jail. At the end of those 16 weeks, can they ask him for the password again and throw him in jail again if he does not divulge it?
If the authorities chose to arrest you, with or without good cause, they often put you in a pre-sentencing prison, then repeatedly "postpone" your trial for stupid reasons. I have seen MANY people who have been subject to this treatment in excess of two years (yes... in the USA). So, just to be clear:
1. you can be 100% innocent and remain imprisoned in the USA if they want you there
2. if you are politically connected or wealthy enough to afford an expensive lawyer (even better if you ARE a lawyer) - no problem... get out of jail free card.
3. never, EVER, tell the police or anyone investigating you anything. There are thousands of laws all intended to prosecute you, and only one which affords you protection -- the right to remain silent. Every good defense lawyer will tell you this.
Finally, if you actually believe America is free, then you are:
1. a lawyer, or politician
2. stupid
3. insane
At least in China they tell you the truth -- USA, not so much.
All protesters must be willing to accept the consequences of breaking the law. Props to this teen. A true blackhat in the making.
What they aren't telling you is that he just has a bunch of the old "dance off, pants off" videos on his computer and he's just embarrassed for people to find out.
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
But if for some reason you aren't interested in that, this is your next option.
http://lkml.org/lkml/2005/8/20/95
There's only one way to tell if someone has actually forgotten a password...dissect his brain!
If you build it, nerds will come. Soylentnews.org
Not a password, I just curse a lot.
... deals with plausible deniability nicely. Always be paranoid.
http://www.truecrypt.org/docs/?s=plausible-deniability
Sure, encrypt your partitions, but any sensitive data should be in a separate dual-encrypted container file- use a pass-word for the "dummy" side of the container, and the _same_ pass-word plus a passkey (which you don't have on you) to get to the real stuff.
1) no-one can prove it is an encrypted container in the first place
2) You can honestly provide your actual password, but 'they' still don't have the key to unlock your goodies
2 a) In fact keep your password a simple dictionary word, (even in a file called passwords.txt) if they crack it they will be feeling smug and won't think about hidden containers.
3) You don't have to have your key with you, you can download it from the web ( a particular picture(s), or a particular mix of a song(s) on itunes for example)
4) keep and enjoy ur pr0n
The very best drive encryption out there (IMCO) is TrueCrypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
The kid was not successfully prosecuted on anything. This is purely on suspicion, and who's to say the police haven't/don't plant fake evidence on his computer once they get access. It's pretty rotten that they can destroy (try getting a job after spending 2 days in jail) someone's life over so little.
"The Brady Bunch is back...working homicide"
...ask him again. If he still refuses, send him back. At some point, either he will die, or tell ya the password, or hardware will advance enough to crack it in hours.
What encryption is he using exactly?
Just curious, of course...
He's 19 now. He was arrested in 2009 when he was 18.
How old was the child? Probably 17.
He is seriously disturbed and needs to be put away.
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kiddie porn.
When the govt simply has to point to random data and claim you are a criminal and all the burden is on you to prove that you aren't, well, you can be put in jail for any reason at any time.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kiddie porn pic.
Is there any encryption software that supports 2 passwords: 1 for decryption, 1 to wipe all the data if it's entered?
So we're required to participate in search and seizure of our own property now? I thought the burden was on the police to gather all the evidence, but I guess I was wrong. Looks like the court can coerce you into locating evidence against yourself.
First step is to copy the drive...
If you really want to hide data, you need to encrypt it then steg it into innocuous media. Home videos would be best as there is no reference copy to show a difference with. Without a header encrypted data should be uniformly distributed. Camera noise should be normally distributed, so that might still be a way to detect it.
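The detection idea raised in the comment above can be made concrete. The following is an added example, not part of the original thread: it assumes sequential LSB replacement as the embedding method (the comment does not name one) and uses the pairs-of-values chi-square statistic from classical steganalysis. All function names and the sample data are constructed for illustration.

```python
"""Pairs-of-values chi-square check for LSB replacement (added illustration)."""
import random
from collections import Counter


def sensor_samples(n, rng, mean=128.0, sd=8.0):
    """Constructed cover: 8-bit samples of a flat grey frame plus Gaussian sensor noise."""
    return [min(255, max(0, round(rng.gauss(mean, sd)))) for _ in range(n)]


def embed_lsb(samples, payload_bits):
    """Assumed embedding: overwrite the low bit of each sample, in order, with one payload bit."""
    out = list(samples)
    for i, bit in enumerate(payload_bits):
        out[i] = (out[i] & ~1) | bit
    return out


def pov_chi_square(samples, min_expected=5.0):
    """Return (statistic, pairs_used) for the pairs-of-values test.

    LSB replacement can only move a sample between 2k and 2k+1, so uniform
    payload bits push the two histogram bins of every pair toward their
    common mean. The statistic measures how far each pair is from that
    equalised state: about 1 per pair when fully embedded, much larger when
    the cover's own histogram slope is still visible.
    """
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        a, b = hist[even], hist[even + 1]
        expected = (a + b) / 2
        if expected < min_expected:  # skip sparsely populated pairs
            continue
        stat += ((a - expected) ** 2 + (b - expected) ** 2) / expected
        pairs += 1
    return stat, pairs


def score(samples):
    """Statistic per pair: near 1 suggests equalised pairs, i.e. likely LSB embedding."""
    stat, pairs = pov_chi_square(samples)
    return stat / pairs if pairs else 0.0


def compare(seed=1, n=200_000):
    """Score a clean cover, a half-filled carrier and a fully filled carrier."""
    rng = random.Random(seed)
    cover = sensor_samples(n, rng)
    # Constructed stand-in for ciphertext: independent, uniformly distributed bits.
    payload = [rng.getrandbits(1) for _ in range(n)]
    return {
        "clean": score(cover),
        "half": score(embed_lsb(cover, payload[: n // 2])),
        "full": score(embed_lsb(cover, payload)),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:5s} chi-square per pair = {value:.2f}")
```

The score falls as more of the carrier is overwritten, which is why a histogram check of this kind is strongest against carriers that are filled close to capacity.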
refactor the law, it's bloated, confusing and unmaintainable.
Godwin's Law!
Here is a design I have for a secure hard disk that would, if stolen or seized by the cops, prevent the recovery of any useful data. (assuming the thief/cops follow standard practice and just steal/seize the device rather than caring about how it works)
Items needed:
1.A hard disk (any one will do). Or you could use flash memory if you wanted to.
2.A microprocessor capable of encrypting/decrypting (using a strong algorithm such as AES) all data passed to the hard disk on the fly and circuitry to allow it to talk to the host PC and to the hard disk. Possibly, an FPGA or custom ASIC could be used to accelerate the crypto operations.
3.A GPS module that outputs data in a form the microprocessor can parse.
4.A small amount of non-volatile memory that can hold a set of GPS coordinates and a set of keys for the encryption algorithm
5.A power supply for all this
6.A backup battery designed to power the microprocessor, GPS module and memory. Something that is charged up whilst its plugged into the wall and only runs down when there is no household power.
7.A nice case to put all this in that hides the inner workings and makes it look just like a normal external storage device.
The idea is that you wire up the GPS module and program the microprocessor so that it polls the GPS module every couple of minutes for the current GPS coordinates. If the GPS coordinates don't match what is stored in the memory, the microprocessor should erase the encryption keys. Add a nice large fudge factor to account for the inaccuracy of GPS units
The backup battery is so that when it's unplugged, it erases the encryption keys before the cops/thief can get to the lab and analyze it. If you were REALLY paranoid, you could put the keys on memory that goes away if the power is removed. (and hope you don't have a power outage longer than the life of your UPS and backup battery)
You will need a special way to reprogram the GPS coordinates (i.e. temporarily disable the coordinate check then program new coordinates at the new location) in case you ever need to move the device legitimately.
The idea is to ensure that if the device is seized by the cops (following standard practice of seizing anything that looks like it's computer related and throwing it in the back of the cop car/van for later examination), the GPS module and backup battery will detect it and will permanently erase the encryption keys.
You guys just don't get it, it boils down to simple contract law.
If he AGREES to give them the password then he is permitting them to view the information - irrespective of the content.
If he REFUSES to give them the password then he is not permitting them.
The government issues warrants to permit activities that could be perceived illegal.
if they FORCE him to provide the password, it is a non binding contract. they are screwed.
It may take 6 weeks, 6 months, or 6 years, no one can keep a secret forever unless they die, live an isolated existence or forget it.
If they want his password they'll stop at nothing to get it.
Assume the Constitution does not exist, what would the government do to get the information? Anything necessary to achieve the end is what they'll do, including torture.
And in this case it might not work if he recalls it.
What proof do you have that he showed his "child porn collection"? Maybe that proof should be shown to a jury because if it's just the police witness testimony this is no different than any random informant saying they saw child porn on your computer. Fact is anyone can claim anything and use it as an excuse.
There are no secrets, you have no secrets live with it.
None of this would prevent the government agent from torturing/interrogating you.
Both of these examples are rather bizarre, and I don't really see how they would be fundamentally different than warrants for stuff IRL.
In situation A, if you'd been keeping journal entries on paper, you'd have to show them to cops who had a warrant. Why should it be any different if you had typed it on your computer?
In situation B, someone could leave a locked safe on your desk instead of encrypting some files on your computer.
The law doesn't have to account for all possible options. It's generally trying to prove beyond reasonable doubt. For the most part with encrypted stuff, if it's beyond reasonable doubt that the person knows the password, I don't see why they should be able to withhold files on their computer when they wouldn't be able to withhold files in their filing cabinet. Just because it's digital, I don't see why it's different.
Imagine that you have some photos and videos of yourself and your girlfriend/boyfriend (Both over 18! Or 21... or whatever your stupid country counts as "not be able to have sex without being rapped")
And now some nice gentlemen come around to have a look at them... no, not these files specifically, just your WHOLE FUCKING HARDDISK.
But because you are cautious and don't want other people to see your girlfriend/boyfriend and yourself you encrypted all files. Not to forget all the other secrets... like your diary, your love emails (That you sent and received encrypted as well)...
Your computer (memory) can become a vital part of your most private life... yet you have no right to protect it... no it is even worse... Protecting it even became a CRIME!
If you copy some stupid music files you can be sentenced to financial death, but if they are after your files... maybe your most private information... defending this by passive measures becomes A FUCKING CRIME!
Here's an idea. It might even be a good one:
Imagine an encryption system with 2 (or more) passwords for an encrypted file, each "decrypting" different things. So when someone demands the password, you give them one that produces data that won't get you in trouble. I can see a few practical problems, but they seem solvable.
A simpler version of the same idea is an emergency ATM pin code, to prevent "ATM muggings". When entered, the bank would pretend you only had small amount on the account, and/or alert police/security.
you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
You can say it.
But a judge isn't obliged to believe it.
In the real world, "plausible deniability" translates to six months in pink undies, tenting out in the desert sun with a bunk mate named Big Mike --- with no end in sight.
best thing you can do is not say anything ever. never talk to police. pretty much all convictions are because someone talks.
So the real question, I guess, is "Is he serving more or less time than what he'd be convicted for if they found out what's on his disk?"
In what way is that different from having documents locked in a safe?
So how about the police doing some old-fashioned legwork and actually collect some real evidence.
IF this person is actually sexually exploiting children, then it should be easy to trail him and catch him in the act.
I thought under the British system of Justice you are considered innocent till proven guilty?
http://en.wikipedia.org/wiki/Presumption_of_innocence
He didn't give them a password; at maximum I would expect 2-3 weeks and maybe a fine, but 4 months!!! That's the sort of sentence you get for stealing a car or causing grievous bodily harm.
Britain congratulations you are now a police state.
http://en.wikipedia.org/wiki/Police_state
If I was a British citizen, I'd petition my MP to have this privacy-destroying law changed at once. Ridiculous.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
Weren't the Timelords always taking The Doctor to court over stuff, too?
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
You're a trusting AC, aren't you?
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
So, just get a password manager like KeePass and generate some large, complex password that nobody would have a chance in remembering. That one's fake. Keep the real one inside your head. They ask for the password, tell them that it's stored in the password managing software. They come back and say it didn't work. "Well, what the fuck did you do to it?" Might be a good idea to keep a dead man's switch on your computer too, that's programmed to scramble the data should you not log in for x days. A little bit more deniability. They want to know why the fuck you went through all this trouble to encrypt your data, just say that it's some embarrassing porn. Pick a fetish, any fetish. Keeping it secret from your parents, boy/girlfriend, husband/wife, roommates, whoever. I'd be willing to bet most every member of the jury has one embarrassing kink, and they would sympathize with you a bit more.
Prove me wrong.
It's pretty similar here in Australia. A distant friend of mine is, in fact, a convicted child sex criminal - because of photos of HIS CHILDREN taken WITH HIS WIFE THERE, in the BATH. A photo developer called the police, who seized his computers and media. They were unable to prosecute based on the original images, but the search turned up a collection of manga/hentai on a machine used by him and friends. Some of which "could be considered" to depict children, especially by a suitably encouraged jury. Bang, you're on the sex offender register and your life is fucked.
W.T.F.
Under Australian law, I could be considered a sex criminal if I accidentally include photos of partly clothed children in a wide-angle photo of a beach. Unsurprisingly, I'm now incredibly paranoid about taking photos - in fact, I flatly refuse to photograph anybody's children even with their permission or by their request. I'll let them do it, but only if I'm somewhere I can download the images, burn a CD to give to them, and destroy any copies I may have.
Sad, isn't it, that it's come to this. And all the fuss is further sexualizing children in people's minds, while doing NOTHING to even slow down the real perverts, who won't notice or care.
Just give them your logon password. When they ask for another just say it's the only pw you have. How can they prove, beyond a reasonable doubt, that not only is there an encrypted file on your computer, but that you know about it. If you can stomach it, run xp, turn off swap, and rename your encrypted file pagefile.sys. I have been considering private files on a volume accessed by a virtual machine which I only run from a shell, no gui or menu entry. Can you encrypt the "file system" of a virtual computer? Maybe even keep the VM on a flash drive?
The reason we subjugate ourselves to law is to better procure justice. If law does not accomplish this purpose then it m
so you go to court and they ask for the key. you tell them YOUR part of the key but one aspect is outside their control; while they had you locked up, time marched on. you were not 'at your desk' to refresh the clock or keygen and so the machine detected an abnormality. at that point, given this theoretical situation, you are now UNABLE to unlock the disk. you may WANT to, but it's beyond your control. the machine that gives you the 2nd part is now out of sync and you 'can't fix it' since it may not be your own coding (again, let's say for argument's sake)
It's at times like these, when I see the geek in full flight, that I start to think that Joe Arpaio may be on the right track after all.
I think it's the number of people on Slashdot who are programmers, system administrators and engineers that makes us so desire to bake perfection into everything or reject it as valueless.
First, understand this: Neither the legislatures nor the courts of any country are going to pseudo-legalize any crime that can be done with a computer and where the evidence is primarily on that computer so long as the person is smart enough to use encryption. It's not going to happen, and most people outside of sites like this are okay with that concept. If they can't wiggle around any particular law that may be stopping them, they will simply change it -- and it will happen with overwhelming support. The court system is about justice, and they're simply not going to let a loophole that big go.
Second, this case and similar ones is no more the person incriminating himself than it is self-incrimination to open the door when the police come knocking with a search warrant. You're not telling them anything about the (alleged) crime; you're complying with a court order that allows them access to private property to search for what they expect is there. The difference, of course, is that if you don't open the door they can simply and easily kick it in. If you don't open the safe they can easily cut it open or crack it. If you do not give them the encryption password, well, assuming there are no backdoors and no major security flaws they have no recourse. If you think the police and the court system will--or even should--just throw up their hands and go "shucks, guess we lose" then you're living in some reality that can probably only be accessed by the ingestion of certain mushrooms. Computers aren't going anywhere and neither is encryption, neither of which changes the fact that these are real crimes with real victims that deserve real punishment. If this is the case of some 19 year old with a picture of his sixteen year old girlfriend's boobs, that is the problem to be solved -- not self-incrimination. It's not about evidence, it is about access.
So long as these things are controlled by a judge and required by search warrant and demonstration of probable cause I have no problem with it, nor is it somehow a shift of the burden of proof from prosecution to accused. It is not a setup; you're not being asked to turn over the body and caught in some catch-22 that you either do it and incriminate yourself or can't because you're innocent but can't prove you're not actually guilty and pretending to be innocent. You're being ordered by a judge to let them look at your computer because cause exists to believe there is evidence there, and if such evidence is not found the case will probably be dropped. If you DID commit the crime, am I supposed to feel some sort of sympathy for you because you used technology to try to cover it up?
Of course the system isn't perfect. No system is. There are probably legitimate times at which an accused person might not remember the password in question, especially if the alleged crime took place relatively long ago. Once in a great while somebody really might end up in jail for being forgetful -- though I suspect it would still be far less than the amount of time an innocent person is convicted on average. It's a sad reality of an imperfect world, one that can be mitigated by a maximum incarceration term (even if that maximum is the maximum potential penalty you could receive if you were found guilty of the crime you're accused of) and allowing judges to exercise proper discretion given the facts of the case. Yes, if you just so happened to write a journal article about how much you want to shoot your neighbor and then he turns up dead by that exact same means you're probably going to have problems -- but what is your point? Innocent men have gone to prison before. It's sad, but like the legal system itself, scrapping it because of its imperfections would do far more harm than good. (As an aside that is a fairly bad example since we're talking about
A nice way around this is a usb stick but instead of flash memory, you have a 256 bit counter. When it's plugged in, a little switch stops the counter. You read the number from the stick, and in combination with your password makes a 260 bit key sequence to access the encrypted file system. Unplug the stick and it starts counting again (and your data is basically hosed unless you happen to plug it in again when it's on the same number, good luck with that). You plug it in, format your drive and put in all your stuff. Tie a string through the usb stick, the other end to the desk. They pull out the computer, out pops the stick (or they could just remove it themselves). Either way, you provide all the information, but they only have a 1*10^77 chance of accessing your data (even with what you give them). They might get lucky.
How the * did they know it is a 50 character password? And which programs use such long passwords? Or is it just an RSA key?
The world makes perfect sense and slashdot commentators are FUNNY. LAUGH HAHAHAHAHAHHAHAHAHAHA
just connect him to lie detector, and start asking questions: "is the first letter 'A'?", is it 'B'?, etc
granted, it will take a while..
Just plant an encrypted memory stick. You can even hide it a little. When the police find it and ask about its password, and the suspect acts confused, because he/she is confused and knows nothing about it, they can then jail him/her for not disclosing the password.
In Britain there is no presumption of innocence. There is no "Right To Be Presumed Innocent Until Proven Guilty". That thing IS NOT on the British statute book.
You grew up in a house with lead water pipes, didn't you?
I have a different idea... On your harddrive you will have an encrypted file that you will pretend to be protecting, but in reality you don't really care about anyone finding out what it contains:
SecretData.bin
Then on your USB drive you have a one-time pad file that is the same size:
OTP.bin
Someone gets a warrant, you hand over the USB drive and the password "hunter2". They XOR your OTP file with SecretData.bin and get an encrypted file, that they can decrypt with a common encryption algorithm and the password "hunter2". They now have access to the data you're pretending to hide.
The problem is that each time you want to change some document in the real secret file OTP.bin, you'll need first to decrypt SecretData.bin, then decrypt OTP.bin, change doc, crypt OTP.bin and crypt SecretData.bin with the new pad and passwd. That's uneasy and if you make an automated procedure, it can give a hint about your trick.
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
This is very possible. I've had a number of people tell me that they have some shameful secret they are terribly embarrassed about, only to later reveal some innocuous piece of information that leaves me baffled as to why they thought it was important. One woman's shameful secret was that she had worked as a croupier in a casino! It took her a while to tell me and I was certain she must have been a prostitute she was so nervous of telling me. (Not that I cared, but I could imagine someone being ashamed of prostitution but dealing cards? WTF?). This guy could have some poetry on there about a girl he's sweet on and hasn't had the nerve to speak to or something similarly innocent that seems like a big deal to him.
Notice that quote from the copper - he's using the defendant's technical guilt under the New Labour password law to imply that he must also be guilty of the alleged offences that they seized his computer in connection with.
Here's a simple option that might very well work. Design a simple challenge response device with LCD which requests PIN code and then provides the long password.
You got a point here, well... two.
1) Challenge response
Can be used without specific hardware, think of a login with no password but a screen filled with ASCII characters. You need to type in a response to the pattern displayed, with a secret algorithm you invented and that you can master with your brain. (find a "&" displayed and then 3 cols, 2 lines from it, give the character there with a rot13, etc).
The response is used to unlock the real drive key.
Setup a fake login with an alternate password to unlock a second system, which blanks uncrypted drives at boot time.
2) Specific hardware
Make sure that anyone trying to get your drives at home will trigger a self-destruct mechanism. Document the system as a proof of data loss in case they force you to give the password. Actually the self destruction is a blanking of the encrypted master key of the drive. Don't tell you made a backup of it. Usually users don't make such a backup.
A boot script can handle the master key erasure in case you don't comply with the hidden boot procedure. Then if they get your laptop and switch it on without you around, the key is lost. But they could be smart enough to image the drive before trying anything, thus forcing you to start the system once re-imaged.
This is why a specific hardware (incl. UPS) with such a self-destruct defense system is required. The encrypted master key backup will prevent a full data loss in case the mechanism is triggered by some unfortunate event.
His mistake was not having an alternate decryption algorithm "uncovering" something trivial (triggered by an alternate password), a cache of porn images or something.
It's a strict liability law, you either comply with the order or you're breaking the law no matter your reason. It's no more a defence to this law to say you forgot your password than it's a defence to speeding to say you didn't notice the speed limit sign. Both may be perfectly true, but you're still guilty. They might choose not to convict if they believe you genuinely have forgotten your password, but they might equally choose to go the other way and convict you, even if there's a good chance you are telling the truth. Now that is a dangerous law.
Actually I can see this as being reasonably likely. Not those exact scenarios, but if person A wants person B to go to jail, they just need access to their PC (trivial bit of breaking and entering) and an anonymous tip off to the police. From that point on there is nothing person B can do or say to avoid this law, unless he can prove someone broke into his house and did nothing other than encrypting his hard drive. Maybe it'll take person B being a high profile politician for us to see a rethink of this law. We just need a volunteer to be person A :)
Generally the police don't publish public reports of the evidence they find during criminal investigations. Any police officer who revealed details they found, that were not relevant to the case, to the suspect's family is probably going to find himself out of a job and with criminal charges. That of course doesn't mean there aren't other genuine reasons - he might have evidence of religious or political affiliations which, while not illegal, he believes would prejudice any trial against him or something similar.
In Britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions."
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citation needed]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent.". And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promised to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handiwork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.')
Say that a door can't be broken down for some reason, without the owner opening it. Can the police then force the owner to open it when executing a search warrant?
Encryption has given us a new technology that allows us to create locks that cannot be busted open. BUT we KNOW how to deal with this. A bank issued with a search warrant HAS to open the safe. They cannot choose not to cooperate. IF there is a search warrant you MIGHT think that you do not have to cooperate because the SWAT team is holding a gun to your head while you are on the ground BUT that is because your house door is far more easily busted in.
A lot of people seem to think that the legal system can operate if new tech gets all kinds of exceptions. Tell me, would you accept that the police did NOT read Al Capone's diary because it had a lock on it? No? Then WHY is your PC with encryption supposed to have some sort of immunity?
Changing tech changes the law. We might not like it but that is the way the law works. Else you WOULD allow an ISP to read all your emails. After all ONLY mail that is SEALED cannot be read by the carrier (old mail law) so email which is not sealed can be read just as a postcard. New tech, new laws.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It has two passwords: One password provides access to the system. The other, if used, causes the system to silently erase itself or otherwise self-destruct. In this case, the prisoner could solve two problems with the second password: He provides "the password" to the authorities, thereby keeping himself out of jail, and he has those same authorities do the dirty work of destroying the evidence.
Does there already exist an encryption system and/or filesystem that does this?
In the course of every project, it will become necessary to shoot the scientists and begin production.
I have been in the same situation in a western european country almost a year ago.
1. Raided
2. confiscated everything
3. held for questioning for 24 hours
4. Questioned for 12 hours straight by the cops.
In the end taken to a judge and forced to give up my encryption keys. I denied based on the local privacy laws. I was released and the case is still ongoing in courts.
...and set it to "there is no password"
So what's the password? I keep telling you "there is no password" but you won't listen. Should be interesting when it comes to court.
Oh, and of course use a proper password on your second and third level Truecrypt volumes, you know the ones where you hide your "Hello Kitty" club membership details.
I just posted this comment on another blog, but it may be even more suitable for slashdot.
To my knowledge, Oliver Drage was in fact a paedophile. For his sake I will not prove it here, but it is certainly true. Were there indecent images on his hard drive? (Maybe in cache and, of course, many of which don't even have to involve child abuse any more). Quite possibly. Did he deserve what would have come his way had he been convicted for it? Definitely not. He had been involved with a website which offered support to paedophiles who otherwise had nowhere to turn. Not a "child abuse ring" as it is being painted. I not only attended Oliver's trial but also a second trial in the same operation. When the police expert was questioned in evidence as to the nature of the website, he said it was "clearly a website encouraging child abuse". When the defense barrister asked him if he had read the rules to the website, he said no. When he was asked if he had seen the content of the website he said no. When asked why he knew the website fostered child abuse, his reply was "well, you can just see that from the look of the home page, can't you?". I wish I could say I was paraphrasing that quote.
While the news seems to be going mad over the RIPA issue alone, I think the more pertinent angle is: how have we got to the point at which the simple act of downloading an image is through some cognitive distortion metamorphosed to a manifestation of real, physical abuse? I don't care how offensive an individual finds it. I don't care how graphic the description is the police give of the images in question. They're images. Here's the real question: aside from mere offensiveness of a particular act, has Oliver actually contributed anything concrete to the abuse of a child? Would he actually have done so? Had the images been used to blackmail the child in question? Had he actually *produced* abusive images? Why are we so keen on punishing, when society doesn't even offer any help or support for an unchosen sexuality to begin with? Is this brazen slavery to practically benign acts such as downloading indecent images actually contributing anything genuine to child protection, or is it only inflating statistics, hysteria, driving paedophiles further underground (in turn worsening the problems), wasting resources and providing a significant distraction from the real issues at hand? When it gets to the point that people can't find support merely for what they are without potentially subjecting themselves to some of the most brutal prejudice in history, then you know things are going BADLY wrong.
I guess in Britain they don't have the right to remain silent...
Yeah, good point, and what if he was a giraffe living on a different planet being interrogated by spider like aliens with supernatural powers. Would you give your password?!
Right next door to Scotland and Wales? /gets coat
Which I'm sure your average 19 year old is:
A: Fully aware of.
B: Has total faith in.
Bear with me please, IANAL:
Let's say Bob has been charged with a crime. He keeps a personal handwritten journal that plausibly may contain evidence of his guilt, so the authorities obtain a warrant for it. Bob dutifully turns it over to them.
Case 1: Bob's native language is some obscure dialect that only a few people in the world can read and write. The authorities are unable to find anyone willing to translate it for them.
Case 2: Bob is a linguist, and his journal is in a dead language that only a handful of people can translate. None of them are willing to do so.
Case 3: Bob is a cryptographer, and his journal is written in a unique code devised by him. The task of breaking the code will require far greater resources than the authorities can devote to a criminal case.
Case 4: Bob has read about "book code" and has decided to keep his journal in one for fun. The authorities suspect that he has used book code, but are unable to identify the correct "key" book.
What are Bob's legal rights and obligations in these cases? What should they be? (Assume either UK or US law, as it pleases you.)
The case under discussion in the OP would seem to be closest to Case 4: there is a "key" that the defendant is being compelled to reveal. He is not being asked for the encrypted material itself.
Going by the same logic, can Bob be compelled to reveal the encryption algorithm used in Case 3? In this case, it's not a "key" that's being compelled, but the actual method of encryption. Is there a meaningful distinction?
In Cases 1 and 2, I don't think many people would be willing to place an obligation on Bob to translate a natural language ... but why? Is it merely because he would be the one doing the work? (Ignore for a moment the practical problem of determining the accuracy of his translation.)
The analogy between an encryption "key" and the key or combination to a safe is logically flawed, I believe. Authorities can compel a physical key or access code as a means of getting to evidence. It's the ability to obtain the evidence that's being sought.
In the case of encrypted data, the authorities already *have* the evidence. They just can't understand it. It's the equivalent of finding Bob's encrypted, handwritten journal. The involvement of a computer is irrelevant.
I wonder what the judicial response to this argument would be, especially in the US. "Your Honor, prosecution has sought evidence that was duly provided. The defendant is under no obligation to read it for them."
I think I would make my password into an end-user license agreement; something like--ByEnteringThisPasswordUserAgreesToIndemnifyComputerOwnerAndHoldHimBlameless.
~Loyal
I aim to misbehave.
How did they know the key was 50 characters??
"There are 11 kinds of people: those who know binary, those who don't, and those who could not care less!"
The Golden Thread that the great British defence attorney, Horace Rumpole, refers to is an inalienable presumption in British Common Law, that any individual brought before the bar for judgment has a presumption of innocence in his/her favour, i.e. that we are all presumed innocent until we are proven guilty beyond a reasonable doubt to twelve good people true (our peers). This holds whether in Old Bailey, or the wilds of darkest Africa--wherever the British system of justice has taken root and grown.
Couldn't you have a system that accepts multiple passwords that enables different partitions or something like that?
Using that you can easily give them your password to your not-so-secret data while you keep the password for the very-secret data to yourself!
The very-secret data could be shown as some bogus bin-files when using the not-so-secret password.
Adolf Hitler wants this to be the last post.
The quick brown fox jumps over the lazy dog, dick
Home computer as a secure (SSH&Truecrypt) backup for a doctor's office; patient records, encrypted, stored on the computer in case of a catastrophic loss at the office. I've seen it.
No OS on the planet can protect itself from a user with the admin password. - Yvan256
The first thing I thought when I read this article is how obvious his password is. Generally short passwords tend to be someone's name. Over 7 characters tends to be something like "tpicjbwbrhtg", i.e. This Password Is Complete Jibberish But Would Be Really Hard To Guess. Slightly longer passwords are sentences: "fuckyeahloliishot". People NEVER use special characters. People tend to only use numbers when they are forced to, and even then at the end, e.g. "password1" is a very popular password. Think about it. He has to type this in every time he accesses this file. The password will be a pattern password, like "qwerty" (also a popular password). People tend to start in the top left and move over. I bet my left ball it's something like qazxswedcvfrtgbnhyujmkiolpoiuytrewqasdfghjklmnbvcxz
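The comment above argues that a long password typed often is likely a keyboard pattern. As an added example (not part of the thread), this Python check for a password policy measures how much of a candidate password is a walk across physically adjacent QWERTY keys, using two strings quoted in the thread as sample input. The function names and the thresholds `min_length`, `min_run` and `max_coverage` are assumptions chosen for illustration.

```python
"""Keyboard-walk check for a password policy (added example, not from the thread)."""

# US QWERTY digit and letter rows; each row sits shifted right of the one above.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}

# Strings quoted in the comment thread, reused here as sample input.
COMMENT_GUESS = "qazxswedcvfrtgbnhyujmkiolpoiuytrewqasdfghjklmnbvcxz"
LOREM_50 = "Lorem ipsum dolor sit amet, consectetur adipiscing"


def adjacent(a, b):
    """True if keys a and b are the same key or physical neighbours."""
    a, b = a.lower(), b.lower()
    if a not in KEY_POS or b not in KEY_POS:
        return False  # space, punctuation etc. always break a walk
    if a == b:
        return True
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    if ra == rb:
        return abs(ca - cb) == 1
    if abs(ra - rb) != 1:
        return False
    # Row stagger: a lower-row key at column c touches the upper-row keys
    # at columns c and c + 1 (e.g. 'a' touches 'q' and 'w').
    upper_col, lower_col = (ca, cb) if ra < rb else (cb, ca)
    return upper_col - lower_col in (0, 1)


def walk_runs(password):
    """Split the password into maximal runs of adjacent keys; return the run lengths."""
    if not password:
        return []
    runs = [1]
    for prev, cur in zip(password, password[1:]):
        if adjacent(prev, cur):
            runs[-1] += 1
        else:
            runs.append(1)
    return runs


def longest_walk(password):
    """Length in characters of the longest keyboard walk."""
    return max(walk_runs(password), default=0)


def assess(password, min_length=12, min_run=4, max_coverage=0.5):
    """Apply the policy. Thresholds are illustrative assumptions, not a standard."""
    runs = walk_runs(password)
    walked = sum(r for r in runs if r >= min_run)
    coverage = walked / len(password) if password else 0.0
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if coverage > max_coverage:
        reasons.append("%d%% of it is keyboard walks" % round(coverage * 100))
    return {
        "length": len(password),
        "longest_walk": longest_walk(password),
        "walk_coverage": round(coverage, 2),
        "verdict": "reject" if reasons else "accept",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in ("qwerty", "password1", COMMENT_GUESS, LOREM_50):
        print(repr(sample), assess(sample))
    # LOREM_50 passes this check even though it is a well-known phrase:
    # walk detection has to be paired with a known-phrase / breached-password list.
```

Length alone does not help the 51-character pattern, which is rejected because every character belongs to a walk; the 50-character lorem ipsum phrase passes only because this check looks at key geometry and nothing else.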
How am I supposed to remember a 50 character random password?
It was written on a sticky note on the bottom of the keyboard.
Don't tell me you guys lost it when confiscating the computer!
You make a large file called DBLSPACE.BIN and put a TrueCrypt volume in there. Use a long password and several keyfiles. Best to make it so that it has a hidden volume also, but if you don't, then they will have a very hard time figuring out whether DBLSPACE.BIN is a corrupted double-spaced partition or if it is where your encrypted files are.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
I should find a way to implement a second failsafe password that automatically deletes all incriminating files when used.
I am very surprised that this has not been mentioned yet. This is -precisely- the situation that TrueCrypt hidden containers were created for...
Evil Mr. Paws
50-char password? What about "Lorem ipsum dolor sit amet, consectetur adipiscing"?
Both of these examples are rather bizarre...
In situation A, if you'd been keeping journal entries on paper, you'd have to show them to cops who had a warrant. Why should it be any different if you had typed it on your computer?
In situation B, someone could leave a locked safe on your desk instead of encrypting some files on your computer.
Yeah, they are bizarre.
Quite right on point A. On point B, they could just crack the safe to see the contents. Not so with a computer - which, in theory, lands you afoul of the law through no wrongdoing of your own.
In short:
If I were keeping anything illegal on a computer, I would simply install a dead-man's-switch system on it. Lose power without activating a failsafe and the password (and data) is all lost.
If this kind of thing becomes law, I expect any [reasonably intelligent] criminal would do the same.
Then what?
Why don't they just boot the computer with Ubuntu from a CD...? You can access the hard drive and extract the evidence! Are we talking about a BIOS password? Why don't they just remove the CMOS battery? herp derp...
Who the fuck puts a 50 char password on a file? A> someone with something pretty fucking serious to hide.
A jury of his peers gets to decide whether they believe his plea of "I forgot it", not the police. With the evidence in front of them,
There is no reason to believe that if there was something embarrassing on his PC that it would be shared with anyone outside the investigating team - how would the family find out exactly?
The tin hat slashdot brigade in full effect again...
The guy has shit on that drive that would seriously implicate him and every last one of you know it. Now back to your fruitless debate...
Holy Shit, I was just reading Cory Doctorow's Little Brother last weekend.
http://en.wikipedia.org/wiki/Little_Brother_%28Cory_Doctorow_novel%29
Guess it didn't take a genius to figure this one was coming.