Slashdot Mirror
British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
You don't have the right to keep your safe locked if there's a warrant for it to be opened. You don't have a right to not provide your fingerprints or DNA if that evidence is appropriate to the case and a warrant is issued.
You have a right to refuse to testify. This only extends to your own testimony, not to everything about you.
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
No. That right was removed about 10 years ago.
Now, if you refuse to answer questions during your arrest and questioning, the prosecution are allowed to use that silence as circumstantial evidence against you.
Never start with the head. It just makes the persons memory all fuzzy.
No sig for you!!
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
Live today, because you never know what tomorrow brings
TrueCrypt has something where you can set up an encrypted virtual disk that you first put some files you don't care about on there with a password you wouldn't mind divulging. Then you make another virtual drive on that one that will store the files and a password you do care about. When asked for your password, you give the one you don't care about and it only shows files you don't care about. Plausible deniability.
A.
...I don't see this a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Or more recently, Alberto "I do not recall" Gonzales.
I am officially gone from
Um. Which is exactly what Truecrypt does, except for the wiping the disc part (Which doesn't work because any good forensics investigator probably clones said disc before attempting any data retrieval, and they won't use your system whilst doing it because they could give you deniability if timestamps change on the disc, and you could booby trap it, but I digress). The hidden volume is accessible by a second password which reads a key from the other end of the container. If you want to write to the outer volume without overwriting the inner volume, you provide both passwords.
The fifth amendment doesn't seem to apply in the courts; to quote his honor, William K. Sessions, Chief District Court Judge in Vermont in United States vs. Boucher:
"Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive."
It also hasn't stopped judges from using the presence of encryption and unwillingness to give up the keys as evidence of misconduct.
If anything, Britain has stronger protection of individual rights than we have here in the US -- the defendant in this case doesn't risk a dozen years in jail, disenfranchisement and being barred from many occupations for life, like he would over here. I'd take good old Ius Commune over our system.
No this law was written as an ego trip by Jack Straw to prove his power. Among other things it reverses the onus of proof thus taking it outside fundamental principles of British (and US) law. It also goes further an limits the means by which you can prove your innocence, prescribing a few (probably impossible) ways. It also deprives the defendant of the right to a jury trial and gags the defendant from talking about the charge with anyone but his lawyer (and gags the lawyer).
In effect a corrupt government official can send you an encrypted email then demand that you provide the key... As you never had it you can never prove your innocence, so they can lock you up for years after a secret trial.
Add to this another set of laws formed by a radical feminist basically assuming any image of a female that you can't prove is of someone over the age of consent (16) is an image of a child (this includes cached images that may be advertisments that you never intended to view).
So the cops can trawl your computer until they find something you can't prove is legal and lock you up. If you take the precaution of encrypting your PC they can lock you up for that too.
We have now removed these politicians from power however the damage has been done. There are murmurs from some of the politicians about repealing some of the very dangerous laws that were brought in, however they are unlikely to repeal any of the technology based ones. There will be no pressure, the journalists over here consider it a point of pride to not understand technology.
Wasn't his password.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
So you are faced with the rather novel situation where any motivated individual can successfully resist the state and your instinct is to label it rabid anti-establishmentism?
(and as others have pointed out, it is novel, doors can be broken, safes can be cracked, well used encryption is not so trivial to defeat)
Nerd rage is the funniest rage.
It's worse, given an over-zealous prosecutor. Search for the "little lupe child porn case". Poor dude had videos of an obvious, over-18 "pro" and even though a phone call and a fax would have produced the age custodial records, the prosecutor refused to cooperate and plowed head-on with trying to ruin the defendant. I hope there's a special hell for this woman (the prosecutor).
Method of processing duck feet
For more, check out Mike Diana's case:
http://en.wikipedia.org/wiki/Mike_diana
I remember reading about this in some underground zines almost 15 years ago. Dude got railroaded for drawing adult comics that depicted child abuse. Alot of which Mike himself lived, and he used the drawing as therapy. He was sentenced to real live prison, and wasn't allowed to draw.
They essentially took away his right to draw with a pen and paper for drawing things with pen and paper.
The very best drive encryption out there (IMCO) is Tru-Crypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
The US comes in higher on assault, murder, and rape on the site you listed. Crimes per capita is meaningless if each country has different standards that they report. So in the UN report mentioned on the nationmasterlist the US comes in with a higher rate on violent crimes and the UK comes in higher on fraud and various property crimes. Choice D, the US has higher crime rates in the things that are generally considered more severe and that have more similar reporting criteria.
Xavier Rabourdin for president 2012
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kidde porn.
When the govt simply has to point to random data and claim you are a criminal and all the burden is on you to prove that you aren't well you can be put in jail to any reason at anytime.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kidde porn pic.
So we're required to participate in search and seizure of our own property now? I thought it was the burden was on the police to gather all the evidence, but I guess I was wrong. Looks like the court can coerce you into locating evidence against yourself.
Hillary made "I don't recall" a house hold phrase.
Actually, Ronald Reagan Made the phrase in popular in American politics. I'm curious if you were pushing any particular political agenda yourself with your selective memory, or if you're simply too young to remember Reagan's famous hearings...
-=Geoskd
I wish I had a good sig, but all the good ones are copyrighted
You are all forgetting the fundamentals.
In britain there is no presumption of innocence. There is no "Right To Be Presumed Innocent Until Proven Guilty". That thing IS NOT on the British statute book. It is IMO the most basic of all human rights and a country that does not have it cannot claim to have human rights at all because not having this cornerstone allows it to suspend any other right at any given time with or without reason.
Interestingly enough it is part of conventions which Britain has signed like the European convention on human rights. However the Labour government that signed them specifically opted out of these clauses. It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
Thankfully, someone pointed this to Cameron and Co in the run up to the elections as the Conservatives initially wanted to revoke Britain's signature under the convention altogether. So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act. Unfortunately, that fix has not been forthcoming as fast as it should. It was promissed for mid-summer before the parliament goes in recess. However it looks like it was what all politician promisses are... Talk the talk, but cannot walk the walk.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
Here's an illegal checkpoint based on that law. here (warning: pdf) is a whole slew of them. This article tells of one specific victim. So does this one. Here's a dragnet for you folks in the UK. This case is the one where they stretched it to include all mail sent anywhere in America. But wait! There's more!
linky
linky
linky
While not specific to the case of searches inside borders based on these laws you may find this link enlightening, it's what our congresscritters are reading about these things.
Warrentless stops and searches inside our borders are being done and it needs to stop.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
In britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions."
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citationneeded]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent.". And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.')
"See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned."
This isn't really true. The police have to have reasonable grounds to believe you have the information to be able to issue a notice- this may for example be as simple as getting computer forensicists to provide evidence that the encrypted content has been accessed recently, and that it's unlikely anyone else had access to it- if the file was for example, stored in a private documents folder specific to the user in question. See the relevant legislation, under 49.2 here which clearly states that someone pushing for a disclosure notice must have reasonable grounds to believe that person has it (part a) of 49.2):
http://www.legislation.gov.uk/ukpga/2000/23/part/III/crossheading/power-to-require-disclosure
It's also worth pointing out to date, that those convicted of failing to adhere to a section 49 notice have all actively refused to hand the key over, rather than claiming they have forgotten it. Of those that have claimed they're not in possession of the key, to date the case has either not been pursued, or the person in question has been charged/convicted for other crimes. This is a common story when it comes to computer crimes- many supposed attempts to prosecute based on new laws, or new twists on old laws don't actually succeed- look at the failure to succesfully prosecute the Oink admin, look at the fact that to date, file sharing cases in the UK haven't succeded in UK courts (although one supposedly won by default due to defendant not showing according to ACS:Law, there is no evidence that this is even true). Ultimately the police have to depend on either scaring people into accepting fault- i.e. if they say they've forgotten the password, reminding them that if they are found to be lying it could lead to an increase in their sentence, or depend on the person being stupid enough to incriminate themselves, or alternatively, for them to simply get caught for other crimes. The police mostly rely on ensuring people are confused about what the law actually says in the hope of making them waver and admit guilt or at least incriminate themselves- by touting convictions like the one in TFA as evidence of how you should always hand your key over without a fight, or without playing innocent they strengthen that idea amongst the public as to that's how it works. It's worth noting that in the words of RIPA itself if you can either demonstrate somehow that the police do not have reasonable grounds to require access to encrypted content (perhaps by use of a witness who would testify that the contents of that file were personal, or trade secrets maybe?), or if you can argue succesfully that giving access to the content is disproportionate to the crime with which they're attempting to charge you with, then you can also escape RIPA's clutch.
In these respects, RIPA is quite similar to a search warrant- the police can only get one if they have reasonable evidence to suggest they have a need to enter the premises, and if it's proportionate to the crime they're investigating. The actual text of the legislation also seems to suggest that providing the content in an unencrypted form is an alternative to producing the key under the RIPA also.
"However if you look in to it you discover that while there's little case law, indeed it HAS been ruled that that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction."
This is true, but it's also true that much like with RIPA, a defendant can be compelled by a court to provide access to encrypted content if not provide access to the key itself, in this respect US case precedence is basically similar
While it seems to have fallen out of fashion, it should be pointed out that one of Teddy Roosevelt's kids (Teddy Jr.) fought in both World Wars, and one of FDr's sons was a Marine in WW2.
In both cases, the sons in question were in places where the bullets were flying. In one case, the son shouldn't have been there at all, since his health was questionable enough he should have had a medical discharge long before he got around to a heart attack in the field.
"I do not agree with what you say, but I will defend to the death your right to say it"