British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
"When I am king, you will be first against the wall..."
But it's hard to remember all those special characters after they beat you with a wrench. Be sure to choose a password that's easy to remember under bludgeoning to limit the number of times they have to hit you in the head.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
I wonder what he is hiding.
He's getting off easy. In the USA, the cops would get a court order and the judge could order him jailed for contempt of court until he gives up the password.
You don't have the right to keep your safe locked if there's a warrant for it to be opened. You don't have a right to not provide your fingerprints or DNA if that evidence is appropriate to the case and a warrant is issued.
You have a right to refuse to testify. This only extends to your own testimony, not to everything about you.
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Well, I guess that makes it okay, then. After all, we can't allow people accused of child sexual exploitation to be free, can we?
On a more serious note, this sucks.
Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
I guess insisting on your privacy is taboo now. Even if you're a good kid, if you refuse to let the police into your private files just on principle, you're boned.
I know this is Slashdot, and we don't RTFS, but come on!
Actually, everyone has it everywhere. What varies from place to place is whether the government recognizes the right and refrains from violating it. This is true of all human rights.
I can see how it's easy to miss, as it is the first sentence in TFA:
I know it's the UK, but couldn't this be defended as the right to not self-incriminate? IANAL, but I'm just throwing that out there.
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
No. That right was removed about 10 years ago.
Now, if you refuse to answer questions during your arrest and questioning, the prosecution are allowed to use that silence as circumstantial evidence against you.
Could he have given them a random password, and then act dumbfounded when it does not work?
Maybe even accuse them of breaking his system?
It is hard to prove that the header of an encrypted disk has not been corrupted.
Would that work with the current law? Has anyone already tried it?
DUH. Obviously he's a terrorist.
Deleted
You have the right to remain silent, unless they want something from you, in which case silence is an additional crime you've just committed in full and flagrant view of a police officer
Nope, and even in the US this has been contentious in the courts (not sure on the current status). Basically, the logic goes that the encryption is like a lock when a search warrant is issued. If a search warrant is issued, you have to provide access, and you can potentially get in legal hot water if you don't cooperate with the warrant. It isn't considered self incrimination.
REMEMBER, in the intertubes, no one can hear you shout unless you use ALL CAPS.
REMEMBER, ALL CAPS.
GOT IT. THANKS.
They can cut the safe open, you can say you forgot the combination. Forgetting is legally great, Reagan forgot Iran-Contra and look how that turned out for him.
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
Live today, because you never know what tomorrow brings
downloaded music? games? movies? software?
16 years
Pfft, Britain. Glad my ancestors were smart enough to split that dive and set up someplace safe for me to live....
What makes you think it would be any different in the USA?
Computer crime + Contempt of court = jail until hand over the password.
They haven't tried him on their other evidence.
When they do, they'll use his refusal to give up his password as evidence, added to whatever else they have.
He can get years anyway. But he may know he has hundreds of files on that computer and that each one can be counted as a single crime, so years in lieu of centuries may be his best defense.
Of course, if he's guilty, I don't much care what they do to him.
He would have died eventually in any case though, I suspect.
Maybe some cops see it that way... but videos such as http://www.youtube.com/watch?v=i8z7NC5sgik would have me believe that it's always a good idea to plead the 5th and refuse to say anything. It's related to the idea that refusing to consent to a search without a warrant shouldn't be allowed as evidence that a warrant is necessary ("If he has nothing to hide, then he wouldn't mind us looking around..."). What's the precedent where pleading the 5th has been considered a crime? I can see how refusing to talk would get cops to find something to charge you with and arrest you, since it's annoying for them, but when has it been used as the actual charge for an arrest?
Correct me if wrong, but I believe this is only if you later choose to not be silent any more.
E.g. you are accused of murdering someone two hours' drive away. You refuse to make any statement. A witness is able to clearly identify your car having seen it a few blocks from the scene of crime. Having been told this you say that you were just driving around randomly to clear your mind. In this case they would be able to use your earlier silence against you and imply that you are now only making excuses.
Which I feel is certainly alright and in tune with commonly accepted notions of justice.
Of course, the UK is not unique in much of this. But what makes these examples so sad for me is how the UK was the foundation for much of what one might consider Western freedom. It fought the good fight against totalitarianism (let's not Godwin this). I don't think those who struggled back then would consider all this to be what they were struggling *for*.
Will this constant erosion of freedom ever stop?
If it is 50 all lowercase letters, that gives you about 5.6*10^70 possible combinations. If you have a supercomputer that can do for example 2.8bn combinations per second (fastest example on this page http://www.elcomsoft.com/distributed_password_recovery.html), then it would take 6*10^53 years to go through them all. In other words 50 characters is a pretty secure password.
Add uppercase, numbers and all the symbols on my keyboard to the mix, and you have 3.6*10^99 combinations. You can work out how much longer that would take, but it makes no difference, the world would come to an end long before you did it.
You have the right to not provide the combination, which would result in them getting a safe cracking team in and adding that onto your legal fees should you lose your case. You have the right to not provide your passwords, which will result in them getting a crypto team in to crack the password and adding THAT to your legal fees WHEN you lose your case.
No one writes jokes in base 13!
My ears! The goggles do nothing!
Link up one citation to this happening in the U.S. Sure, you can be abducted off to parts unknown, tried under a military court and executed, but in a US court we still have a Constitution and the Fifth Amendment.
please stop... since caps are larger, they will fill up the tubes faster.
A.
...I don't see this as a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Or more recently, Alberto "I do not recall" Gonzales.
I am officially gone from
There are other inferences too, from http://en.wikipedia.org/wiki/Right_to_silence#England_and_Wales
At common law, and particularly following the passing of the Criminal Justice and Public Order Act 1994, adverse inferences may be drawn in certain circumstances where the accused:
* fails to mention any fact which he later relies upon and which in the circumstances at the time the accused could reasonably be expected to mention;
* fails to give evidence at trial or answer any question;
* fails to account on arrest for objects, substances or marks on his person, clothing or footwear, in his possession, or in the place where he is arrested; or
* fails to account on arrest for his presence at a place.
I sort of do - even the guilty deserve due process.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
So only rich people have privacy?
Seems like that could be improved, why not just make being poor a crime?
Well, they can also say: -Tell us where the body is. If you don't tell us where the body is, we'll throw you into the slammer.
You'll tell me that it's not the same thing because if you didn't kill anybody you wouldn't know about the body's location and that if the kid is hiding child porn on his computer and is not 'telling where the body is', he must be guilty then.
But it is the same thing if there is no child porn on that computer just as well. If you don't have any child porn on your computer you are innocent of that crime, whether there is or there isn't a court order telling you to give up the password.
So now let's say there isn't child porn on that computer. The judge is still saying: -Show us the child porn on your computer.
If you refuse to show the child porn on your computer (and there is no child porn there) then throwing you in jail for not showing the files is equivalent to throwing your ass in jail for not providing whereabouts of a body of a person, when you have no idea about the body and you are innocent of any crime there.
Not showing them the child porn images on your computer by not providing the password, while being innocent and not having any images of child porn on your computer, and being thrown in jail for that? I say it's bullshit and a violation of your rights. You say on the contrary, that nobody has a right to refuse to help an investigation by providing some information.
--
OK, so you are throwing somebody in jail because they don't want to help you with investigation. Good path on the way of becoming a police state on one hand, on another hand it's an example of a police state in action.
You can't handle the truth.
Most likely, you clicked on the "Post Anonymously" checkbox in the left corner of the submit box.
Why on earth would you encrypt a hard drive with any public key algorithm?? That would be incredibly slow.
Even if a judge ruled that wasn't you testifying against yourself, you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned. The US has no such similar law. Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
However if you look into it you discover that while there's little case law, indeed it HAS been ruled that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction.
How do you know the encrypted data is related to the case?
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
What if he's secretly gay, his entire family are raging homophobes, and he KNOWS beyond the shadow of doubt that revealing his encryption password will get him disowned?
If this was you, would YOU reveal the password?
-=This sig has nothing to do with my comment. Move along now=-
I wonder how they found out that the length of the passphrase is 50 characters. Did he brag to the authorities? Was there some way of detecting the length of the passphrase when they looked at the encrypted key?
This is why you need hardware encryption with a selfdestruct mechanism.
A software solution cannot do this. They will mirror your disk and work on the mirror. But a self-contained chip can be made tamperproof and such that enough mistyped passwords or just the special self-destruct passwords makes the chip irreversibly lose the key.
After the selfdestruct event happened you just claim they caused it. That you gave the correct password the first time they asked. Even if you end up getting convicted on giving the selfdestruct password that might be less than what they are really after.
A variant of this scheme is to store your password on a key device with the same properties. Someone could make an application for your phone that did this. It would not be as secure, as they could be mirroring your phone, but likely they would catch on to that too late.
Then I read the law and, shockingly enough, the Sexual Offences Act 2003 changed the age of adult from 16 to 18.
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
I'm going to have to go against the prevailing view on /. on this one. Of course you have a right to encrypt your files so that people can't snoop through without your permission. But I don't think it's a problem that the state can, with good reason, compel you to decrypt it. If the police get a search warrant, that overrides your normal right to refuse them entry to your house. What's wrong with something similar for computers? Or is this just rabid, unthinking anti-establishmentism I smell?
Wait, I thought the US of A were fighting -for- royalties?
-=This sig has nothing to do with my comment. Move along now=-
“You do not have to say anything but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence. Do you understand?”
Pretty much sums it up, a standard UK police caution when detaining/arresting somebody.
Please consider this account deleted, I just can't be bothered with the spam anymore.
So... what would it cost to break, say a 4096 bit RSA key? Oh, they can bill my grandkid's estate.
Cryptographically speaking, each added character makes it an order of magnitude more difficult than the previous character.
For a keyspace attack, beating a 50 character password is exactly the same amount of complexity as the ENTIRE SUM of the previous 49 characters possible passwords, times the keyspace for that 50th character.
So no, it reduces the complexity by half, but we're still talking about a septillion years on a quadrillion supercomputers (and more passwords than there are atoms on earth, etc, etc).
So you are faced with the rather novel situation where any motivated individual can successfully resist the state and your instinct is to label it rabid anti-establishmentism?
(and as others have pointed out, it is novel, doors can be broken, safes can be cracked, well used encryption is not so trivial to defeat)
Nerd rage is the funniest rage.
So what happens when you say:
"No,I do not understand. I will need my lawyer to explain this to me"
So he's spending 16 weeks in jail. At the end of those 16 weeks, can they ask him for the password again and throw him in jail again if he does not divulge it?
The prosecution can and does use anything and everything they can against you. But.. giving information to the police or an investigating officer of the law is not the same as being in court and testifying and providing information in front of a jury and/or judge.
This was posted to /. in the past and worth watching.
http://video.google.com/videoplay?docid=-4097602514885833865#
Bad boys rape our young girls but Violet gives willingly.
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
But if for some reason you aren't interested in that, this is your next option.
http://lkml.org/lkml/2005/8/20/95
If that's going to be your argument, then maybe you can explain why the police can't get a warrant to have your 5th amendment rights suspended entirely?
So having encryption software installed is now evidence of guilt?
You are one sick person.
The UK has NEVER been a model for any "freedom" as we think of it here. Remember that whole revolutionary war thing? The one we had to fight TWICE just to be free of the King?
Fun times: after saving Europe from the tyranny from the Nazis, Britain went right back to their own tyranny in holding on to the dying embers of the British Empire. Churchill in fact bragged of shooting "savages" in places like South Africa (i.e., he shot black people) in his young days, before his government tortured Barack Obama's paternal grandfather in the 50's during Churchill's second stint as Prime Minister. Which makes it even more awesome when Obama pushes forward in the military trial of a 16 year old child soldier - whose confession was given under....wait for it....torture.
The very best drive encryption out there (IMCO) is TrueCrypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
But I don't think it's a problem that the state can, with good reason, compel you to decrypt it.
And who gets to decide if the reason is good? The police?
Oliver.
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kiddie porn.
When the govt simply has to point to random data and claim you are a criminal and all the burden is on you to prove that you aren't, well, you can be put in jail for any reason at any time.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kiddie porn pic.
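Added example (not part of any comment in this thread): a minimal Python check of the technical premise in the comment above, that byte-level statistics cannot separate ciphertext from plain random data. The SHA-256 counter-mode keystream is a stand-in cipher used only for illustration, and the sample text, key, sample size and thresholds are all constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter

SAMPLE_SIZE = 256 * 1024  # bytes per sample; large enough for stable statistics


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHA-256 counter-mode keystream.

    Illustration only, not a vetted construction. XOR makes it its own inverse.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


def looks_random(data: bytes) -> bool:
    """Heuristic of the kind a triage tool might apply to unallocated space.

    Thresholds are constructed for this sample size: uniform data of this
    length scores about 7.999 bits/byte and a chi-square near 255.
    """
    return shannon_entropy(data) > 7.99 and chi_square(data) < 400.0


def build_samples() -> dict:
    """Three constructed inputs: readable text, its ciphertext, and OS randomness."""
    text = b"Constructed sample: quarterly report, nothing to see here.\n"
    plaintext = (text * (SAMPLE_SIZE // len(text) + 1))[:SAMPLE_SIZE]
    return {
        "plaintext": plaintext,
        "ciphertext": toy_encrypt(b"constructed-key", plaintext),
        "random": os.urandom(SAMPLE_SIZE),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} entropy={shannon_entropy(blob):.4f} "
              f"chi2={chi_square(blob):10.1f} looks_random={looks_random(blob)}")
```

The heuristic flags the ciphertext and the random sample identically, so the statistics alone cannot tell which of the two a blob is. Container formats that write an identifiable header are a separate matter and are recognised by that header, not by these statistics.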
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
There are other ways to remember passwords other than committing them to memory. I seem to remember hearing about intelligence agencies teaching spies passwords based on muscle memory so that they couldn't be divulged under torture.
I'm a pianist and I've experimented with using passwords based on songs that I know by heart and it works great. My left hand is a bit sloppy, so I just use it on the shift key as if it was the sustain pedal. I had one password that was over 100 characters long and I had no problems entering it in. And even if someone knew the song, it's doubtful they could determine the password since it depends entirely on how I play the piece and which part of the piano key I use for each note. I suppose someone could figure it out by watching me play the piece, but I'm not even sure that would work and I could always play it slightly differently if I knew I was being watched.
If someone is a talented musician, I could see them plausibly telling a jury that they're unsure of the password because they enter it by playing a particularly difficult part of a song. Bonus difficulty points for telling them that the software is time sensitive and expects keys to be keyed in at the same rate as when the password was set.
"Don't blame me, I voted for Kodos!"
Yeah, why waste the time on pesky stuff like search warrants? If you have nothing to hide, you won't mind the police searching your house anytime they want, right? Make police work much easier, that's good, right?
Oliver.
So we're required to participate in search and seizure of our own property now? I thought the burden was on the police to gather all the evidence, but I guess I was wrong. Looks like the court can coerce you into locating evidence against yourself.
you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
You can say it.
But a judge isn't obliged to believe it.
In the real world, "plausible deniability" translates to six months in pink undies, tenting out in the desert sun with a bunk mate named Big Mike --- with no end in sight.
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
The location and use of a physical key must also be found and extracted from your head.
There is no useful distinction to be made here.
The level of protection in the U.S. Constitution is framed in only fourteen words:
nor shall be compelled in any criminal case to be a witness against himself
The origins of the privilege lie in the use of torture to extract confessions.
The primary meaning of the word "witness" in this context is your testimony in open court.
Not the simple actions a judge can order you to do to advance a civil or criminal investigation.
The farther you are from your turn on the witness stand, and the more civilized the means of compulsion, the more likely a court will insist on your compliance.
Prove me wrong.
When arrested for DUI in New Jersey, the officers read a lengthy explanation of how you must submit to a chemical test (breathalyzer), and in this explanation, it states that you are not allowed to consult with a lawyer before agreeing. It also states that if you do not agree, you will be charged with refusing (which carries a penalty equal to the lowest penalties for DUI (between .08 and .10, first offense)) in addition to still facing the charges of the DUI itself. If you say you don't understand what you are agreeing to, they simply repeat it. If they repeat it more than a few times, you are "guilty" of attempting to delay the chemical test (also explained in this long thing you MUST agree to as being equivalent to refusal). The way they put it is that asking a lawyer to explain it to you, or asking them to repeat it too many times if you don't understand it, counts as delaying it, which counts as a refusal. Furthermore, they speak fast and monotone (cause they've read it a thousand times themselves), making it harder to understand, and they don't even allow you to read it yourself; it must be read TO you.
The caution now runs thus:
“You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence.”
which is to say, the prosecution is permitted to sneer and imply that you've found an alibi after the fact; the judge won't censure them for it, and will not instruct jurors to ignore those comments.
I just hope he uses TrueCrypt and suddenly "remembers" his password. How will they know it was the password they were looking for when they only see images of puppies?
Don't fight for your country, if your country does not fight for you.
In the UK witness coaching is not allowed even if you are the defendant. So you are not allowed to refer to counsel if you are on the stand, you just have to answer the questions asked. Your lawyer can go through questions that may be asked but they cannot tell you how to answer them.
In Britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions."
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citation needed]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent." And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promised to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handiwork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.')
ok sir, here is your keyboard, a copy of your hard drive and a mouse.
please 'play' your password at the prompt.
great way to generate a secure password, but I don't think it gets you around the requirement to give up your password when required to do so.
VLC Remote for iPhone and Android
This makes no sense in British terms - Parliament is sovereign and cannot be bound.
That said, the centuries old common law presumption of innocence was enshrined in positive law in the Human Rights Act, 1998.
I can't figure out if you are American with a Blair fixation, or British but enamoured of the concept of a written constitution. In either case I think you are misguided:
A written constitution is not "fundamental, nonrevocable and unalienable" since it can be amended, the procedure is just a little more involved than normal legislation. And you only need to look at Prohibition in the US to see that this is no bar to stupid laws that restrict freedom. It also makes them a lot harder to get rid of. Ultimately the cost of freedom is eternal vigilance either way; a citizenry that is either complacent or uncaring of their liberties will lose them in any system, whether or not you have the speed bump of a written constitution or not.
This sig all sigs devours