Slashdot Mirror
British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Pfft, Britan. Glad my ancestors were smart enough to split that dive and setup someplace safe for me to live....
"When I am king, you will be first against the wall..."
But it's hard to remember all those special characters after they beat you with a wrench. Be sure to choose a password that's easy to remember under bludgeoning to limit the number of times they have to hit you in the head.
This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
I wonder what he is hiding.
He's getting off easy. In the USA, the cops would get a court order and the judge could order him jailed for contempt of court until he gives up the password.
You don't have the right to keep your safe locked if there's a warrant for it to be opened. You don't have a right to not provide your fingerprints or DNA if that evidence is appropriate to the case and a warrant is issued.
You have a right to refuse to testify. This only extends to your own testimony, not to everything about you.
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Well, I guess that makes it okay, then. After all, we can't allow people accused of child sexual exploitation to be free, can we?
On a more serious note, this sucks.
Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
I guess insisting on your privacy is taboo now. Even if you're a good kid, if you refuse to let the police into your private files just on principle, you're boned.
i know this is slashdot, and we dont RTFS, but come on!
Actually, everyone has it everywhere. What varies from place to place is whether the government recognizes the right and refrains from violating it. This is true of all human rights.
I can see how it's easy to miss, as it is the first sentence in TFA:
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
No. That right was removed about 10 years ago.
Now, if you refuse to answer questions during your arrest and questioning, the prosecution are allowed to use that silence as circumstantial evidence against you.
DUH. Obviously he's a terrorist.
Deleted
Nope, and even in the US this has been contentious in the courts (not sure on the current status). Basically, the logic goes that the encryption is like a lock when a search warrant is issued. If a search warrant is issued, you have to provide access, and you can potentially get in legal hot water if you don't cooperate with the warrant. It isn't considered self incrimination.
REMEMBER, in the intertubes, no one can hear you shout unless you use ALL CAPS.
REMEMBER, ALL CAPS.
GOT IT. THANKS.
They can cut the safe open, you can say you forgot the combination. Forgetting is legally great, Reagen forgot iran-contra and look how that turnout for him.
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
Live today, because you never know what tomorrow brings
downloaded music? games? movies? software?
16 years
He would have died eventually in any case though, I suspect.
Maybe some cops see it that way... but videos such as http://www.youtube.com/watch?v=i8z7NC5sgik would have me believe that it's always a good idea to plead the 5th and refuse to say anything. It's related to the idea that refusing to consent to a search without a warrant shouldn't be allowed as evidence that a warrant is necessary ("If he has nothing to hide, then he wouldn't mind us looking around..."). What's the precedent where pleading the 5th has been considered a crime? I can see how refusing to talk would get cops to find something to charge you with and arrest you, since it's annoying for them, but when has it been used as the actual charge for an arrest?
TrueCrypt has something where you can set up an encrypted virtual disk that you first put some files you don't care about on there with a password you wouldn't mind divulging. Then you make another virtual drive on that one that will store the files and a password you do care about. When asked for your password, you give the one you don't care about and it only shows files you don't care about. Plausible deniability.
Of course, the UK is not unique in much of this. But what makes these examples so sad for me is how the UK was the foundation for much of what one might consider Western freedom. It fought the good fight against totalitarianism (let's not Godwin this). I don't think those who struggled back then would consider all this to be what they were struggling *for*.
Will this constant erosion of freedom ever stop?
No person (...) shall be compelled in any criminal case to be a witness against himself
Link up one citation to this happening in the U.S. Sure, you can be abductd off to parts unknown, tried under a military court and executed, but in a US court we still have a Constitution and the Fifth Amendment.
A.
...I don't see this a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Or more recently, Alberto "I do not recall" Gonzales.
I am officially gone from
There are other inferences too, from http://en.wikipedia.org/wiki/Right_to_silence#England_and_Wales
At common law, and particularly following the passing of the Criminal Justice and Public Order Act 1994, adverse inferences may be drawn in certain circumstances where the accused:
* fails to mention any fact which he later relies upon and which in the circumstances at the time the accused could reasonably be expected to mention;
* fails to give evidence at trial or answer any question;
* fails to account on arrest for objects, substances or marks on his person, clothing or footwear, in his possession, or in the place where he is arrested; or
* fails to account on arrest for his presence at a place.
I sort of do - even the guilty deserve due process.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
So only rich people have privacy?
Seems like that could be improved, why not just make being poor a crime?
Well, they can also say: -Tell us where the body is. If you don't tell us where the body is, we'll throw you into the slammer.
You'll tell me that it's not the same thing because if you didn't kill anybody you wouldn't know about the body's location and that if the kid is hiding child porn on his computer and is not 'telling where the body is', he must be guilty then.
But it is the same thing is there is no child porn on that computer just as well. If you don't have any child porn on your computer you are innocent of that crime, whether there is or there isn't a court order telling you to give up the password.
So now let's say there isn't child porn on that computer. The judge is still saying: -Show us the child porn on your computer.
If you refuse to show the child porn on your computer (and there is no child porn there) then throwing you in jail for not showing the files is equivalent to throwing your ass in jail for not providing whereabouts of a body of a person, when you have no idea about the body and you are innocent of any crime there.
Not showing them the child porn images on your computer by not providing the password, while being innocent and not having any images of child porn on your computer, and being thrown in jail for that? I say it's bullshit and a violation of your rights. You say on the contrary, that nobody has a right to refuse to help an investigation by providing some information.
--
OK, so you are throwing somebody in jail because they don't want to help you with investigation. Good path on the way of becoming a police state on one hand, on another hand it's an example of a police state in action.
You can't handle the truth.
I think you're forgetting the commerce clause. Specifically the part that says "LALALALALA I CAN'T HEAR YOU!".
Anyone who enters a password to decrypt a disk they haven't already imaged belongs on a prime time cop tv show.
How we know is more important than what we know.
Even if a judge ruled that wasn't you testifying against yourself, you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned. The US has no such similar law. Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
However if you look in to it you discover that while there's little case law, indeed it HAS been ruled that that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction.
How do you know the encrypted data is related to the case?
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
What if he's secretly gay, his entire family are raging homophobes, and he KNOWS beyond the shadow of doubt that revealing his encryption password will get him disowned?
If this was you, would YOU reveal the password?
-=This sig has nothing to do with my comment. Move along now=-
I wonder how they found out that the length of the passphrase is 50 characters. Did he brag to the authorities? Was there some way of detecting the length of the passphrase when they looked at the encrypted key?
Um. Which is exactly what Truecrypt does, except for the wiping the disc part (Which doesn't work because any good forensics investigator probably clones said disc before attempting any data retrieval, and they won't use your system whilst doing it because they could give you deniability if timestamps change on the disc, and you could booby trap it, but I digress). The hidden volume is accessible by a second password which reads a key from the other end of the container. If you want to write to the outer volume without overwriting the inner volume, you provide both passwords.
The fifth amendment doesn't seem to apply in the courts; to quote his honor, William K. Sessions, Chief District Court Judge in Vermont in United States vs. Boucher:
"Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive."
It also hasn't stopped judges from using the presence of encryption and unwillingness to give up the keys as evidence of misconduct.
If anything, Britain has stronger protection of individual rights than we have here in the US -- the defendant in this case doesn't risk a dozen years in jail, disenfranchisement and being barred from many occupations for life, like he would over here. I'd take good old Ius Commune over our system.
No this law was written as an ego trip by Jack Straw to prove his power. Among other things it reverses the onus of proof thus taking it outside fundamental principles of British (and US) law. It also goes further an limits the means by which you can prove your innocence, prescribing a few (probably impossible) ways. It also deprives the defendant of the right to a jury trial and gags the defendant from talking about the charge with anyone but his lawyer (and gags the lawyer).
In effect a corrupt government official can send you an encrypted email then demand that you provide the key... As you never had it you can never prove your innocence, so they can lock you up for years after a secret trial.
Add to this another set of laws formed by a radical feminist basically assuming any image of a female that you can't prove is of someone over the age of consent (16) is an image of a child (this includes cached images that may be advertisments that you never intended to view).
So the cops can trawl your computer until they find something you can't prove is legal and lock you up. If you take the precaution of encrypting your PC they can lock you up for that too.
We have now removed these politicians from power however the damage has been done. There are murmurs from some of the politicians about repealing some of the very dangerous laws that were brought in, however they are unlikely to repeal any of the technology based ones. There will be no pressure, the journalists over here consider it a point of pride to not understand technology.
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
I'm going to have to go against the prevailing view on /. on this one. Of course you have a right to encrypt your files so that people can't snoop through without your permission. But I don't think it's a problem that the state can, with good reason, compel you to decrypt it. If the police get a search warrant, that overrides your normal right to refuse them entry to your house. What's wrong with something similar for computers? Or is this just rabid, unthinking anti-establishmentism I smell?
So you are faced with the rather novel situation where any motivated individual can successfully resist the state and your instinct is to label it rabid anti-establishmentism?
(and as others have pointed out, it is novel, doors can be broken, safes can be cracked, well used encryption is not so trivial to defeat)
Nerd rage is the funniest rage.
So what happens when you say:
"No,I do not understand. I will need my lawyer to explain this to me"
The reason the courts see it this way is because of the distinction the legal system places on written vs oral evidence. Oral evidence is obvious; the person giving it may or may not be telling the truth. Written evidence however has a more privileged status. Once you've written something down, you can't "take it back". It's out there as physical evidence and can be used against you. This is why even the most gung ho characters will back up if you ask them to put things in writing. The written word is powerful rope with which to hang yourself.
As far as most judges and lawyers are concerned, data on computers is simply another form of the written word, and so anything you've "written" there--encrypted or not--is legitimate evidence waiting to be used against you. In some sense they are in fact right. Personally, I view computer data by its very nature to be more abstract and far more transitory than the traditional written word, and so worthy of less... distinction as evidence in a court. But that said, it is a (quasi-)permanent record of events and that's what courts are interested in.
Bottom line, the old rules still apply. If you don't want to reveal something, never, ever write it down. Encrypting it on your computer is just not good enough. If you don't want people reading it and aren't willing to take a risk, then you either need to delete the data or better yet not write it down in the first place. All that said, encryption is preferable to just leaving your papers lying around, but don't expect encryption alone to magically make your written words disappear.
May the Maths Be with you!
That's why my passphrase is "I committed the crime."
Oops, now I need to change the passphrase on my luggage. Maybe I'll change it to "is my little secret" and when the keystone kops come after me, I'll quip a cryptic comment about Quine.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
So he's spending 16 weeks in jail. At the end of those 16 weeks, can they ask him for the password again and throw him in jail again if he does not divulge it?
Eh. The Boucher case is a special one, because the idiot was stupid enough to first show his child-porn collection to a law enforcement officer, and then - after the computer was rebooted - refused to provide the password. Initially the state ruled that he couldn't be forced to divulge the password, and in most cases this would hold; however, due to the fact that the presence of child porn on his computer had already been verified, the appeals court ruled that he isn't protected under the 5th. The problem here is that their definition of "already verified" is too loose, because it depends solely on the testimony of the arresting officer(s). Now, if the cops had had the common sense to take a few pictures of the laptop screen, then there would be no issue at all. As it is, if he appeals I'd say he has a pretty good chance of having the decision overturned.
As for the second case, you're talking about a guy who was convicted based on multiple lines of evidence, and is now bitching because the state lawyer happened to mention that "encryption programs" were present on the computer. That's asinine.
If anything, Britain has stronger protection of individual rights than we have here in the US
Thanks for the lulz :)
"May contain" isn't the same as "did contain", and I'd hate to see anyone convicted of a crime he or she "might" have done.
Even if the agent believed it to be child porn doesn't necessarily make it so -- he could have been a Melissa Ashley fan, for example.
Of course, the pr0n might have been illegally copied, in which case it's perfectly valid to not want to incriminate oneself.
I have no idea whether the guy was guilty or not, but I know that forcing him to decrypt his HD in order to find evidence to convict him with is mocking the intent of the fifth amendment.
The problem in that case isn't over the guy's guilt, but that both the judge and the review found that the mere presence of encryption was admissible as evidence against the accused.
It's like arresting someone for arson and using the presence of a ski mask as evidence against him, with absolutely nothing that indicates that a ski mask was used, whether during the crime or to hide his face.
But apparently, possession of encryption software is allowed used as incriminating evidence in itself, and the fifth amendment doesn't cover refusal to disclose encryption passwords.
Yes, we most certainly live in the land of the free. For very small values of free.
The UK has NEVER been a model for any "freedom" as we think of it here. Remember that whole revolutionary war thing? The one we had to fight TWICE just to be free of the King?
Fun times: after saving Europe from the tyranny from the Nazis, Britain went right back to their own tyranny in holding on to the dying embers of the British Empire. Churchill in fact bragged of shooting "savages" in places like South Africa (i.e., he shot black people) in his young days, before his government tortured Barack Obama's paternal grandfather in the 50's during Churchill's second stint as Prime Minister. Which makes it even more awesome when Obama pushes forward in the military trial of a 16 year old child soldier - who's confession was given under....wait for it....torture.
The very best drive encryption out there (IMCO) is Tru-Crypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
Erm, maybe not so much Doc, if that collection of Bugs Bunny cartoons on your hard drive, some of which featuring Bugs in "drag", are declared to be "kiddy porn" at some point in the near future.
Th-th-th-that's all, folks!
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kidde porn.
When the govt simply has to point to random data and claim you are a criminal and all the burden is on you to prove that you aren't well you can be put in jail to any reason at anytime.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kidde porn pic.
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
There are other ways to remember passwords other than committing them to memory. I seem to remember hearing about intelligence agencies teaching spies passwords based on muscle memory so that they couldn't be divulged under torture.
I'm a pianist and I've experimented with using passwords based on songs that I know by heart and it works great. My left hand is a bit sloppy, so I just use it on the shift key as if it was the sustain pedal. I had one password that was over 100 characters long and I had no problems entering it in. And even if someone knew the song, it's doubtful they could determine the password since it depends entirely on how I play the piece and which part of the piano key I use for each note. I suppose someone could figure it out by watching me play the piece, but I'm not even sure that would work and I could always play it slightly differently if I knew I was being watched.
If someone is a talented musician, I could see them plausibly telling a jury that they're unsure of the password because they enter it by playing a particularly difficult part of a song. Bonus difficulty points for telling them that the software is time sensitive and expects keys to be keyed in at the same rate as when the password was set.
"Don't blame me, I voted for Kodos!"
So we're required to participate in search and seizure of our own property now? I thought it was the burden was on the police to gather all the evidence, but I guess I was wrong. Looks like the court can coerce you into locating evidence against yourself.
I think I'll make my passphrase "I don't remember". That should make for a fun interview.
You are all forgetting the fundamentals.
In britain there is no presumption of innocence. There is no "Right To Be Presumed Innocent Until Proven Guilty". That thing IS NOT on the British statute book. It is IMO the most basic of all human rights and a country that does not have it cannot claim to have human rights at all because not having this cornerstone allows it to suspend any other right at any given time with or without reason.
Interestingly enough it is part of conventions which Britain has signed like the European convention on human rights. However the Labour government that signed them specifically opted out of these clauses. It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
Thankfully, someone pointed this to Cameron and Co in the run up to the elections as the Conservatives initially wanted to revoke Britain's signature under the convention altogether. So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act. Unfortunately, that fix has not been forthcoming as fast as it should. It was promissed for mid-summer before the parliament goes in recess. However it looks like it was what all politician promisses are... Talk the talk, but cannot walk the walk.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I believe you will find it in the Magna Carta (MC.29 on http://alexpeak.com/twr/mc/) for an early variation on the concept.
"No freeman shall be taken captive or imprisoned, or deprived of his lands, or outlawed, or exiled, or in any way destroyed, nor will we go with force against him nor send forces against him, except by the lawful judgment of his peers or by the law of the land."
While this was originally intended for the nobles, since the emancipation of the masses, I believe it applies to everybody. However, there may be more recent statues that supersede it, such as European Convention on Human Rights.
Mod me down now and I will become more powerful than you can possibly imagine
These two statements are not the same and your entire argument in this thread relies on them meaning the same thing. In a legal system with formally defined rights they would be the same (ie the US legal system). But in a system of common law there can be principles that are not formally stated.
In the case of this principle, it has been widely stated and incorporated into rulings in the British justice system. As such it forms a part of British law, regardless of whether or not we have a document that "grants" this "right" to people.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
In britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions."
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citationneeded]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent.". And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.')
ok sir, here is your keyboard, a copy of your hard drive and a mouse.
please 'play' your password at the prompt.
great way to generate a secure password, but I don't think it gets you around the requirement to give up your password when required to do so.
VLC Remote for iPhone and Android
This makes no sense in British terms - Parliament is sovereign and cannot be bound.
That said, the centuries old common law presumption of innocence was enshrined in positive law in the Human Rights Act, 1998.
I can't figure out if you are American with a Blair fixation, or British but enamoured of the concept of a written constitution. In either case I think you are misguided:
A written constitution is not "fundamental, nonrevocable and unalienable" since it can be amended, the procedure is just a little more involved than normal legislation. And you only need to look at Prohibition in the US to see that this is no bar to stupid laws that restrict freedom. It also makes them a lot harder to get rid of. Ultimately the cost of freedom is eternal vigilance either way; a citizenry that is either complacent or uncaring of their liberties will lose them in any system, whether or not you have the speed bump of a written constitution or not.
This sig all sigs devours