Man Jailed For Refusing To Reveal USB Password
judgecorp writes "Syed Hussain, already serving time for helping to plot attacks against UK targets, got another four months for refusing to divulge the password of a USB stick the police and GCHQ wanted to examine. The USB was believed to contain data about a suspected fraud unconnected with national security, and Hussain claimed to have forgotten it under stress. He later remembered it and it turned out to be a password he had used on other systems investigated by the police."
So an actual terrorist (for once) refused to divulge a password to data on a USB stick and now libtards are all butthurt that he got charged with the Limey Brit version of Obstruction of Justice.
Yeah...
-------
1. Enjoy your job
2. Make lots of money
3. Work within the law
Choose any two.
Don't get caught.
Another point of the story. Don't reuse passwords :D
The password was $ur4ht4ub4h8 - as Bruce Schneider said a few weeks ago - encryption is still on our side. Regardless of the NSA /GCHQ revelations, they cannot break AES yet. That's why the British police resort to section 49 http://www.theregister.co.uk/2014/01/16/password_refusal_earns_terror_suspect_extra_jail_time/
The password he used was the same as one that he had previously divulged, but the incompetent investigators at GCHQ and the police didn't think to try it.
Actually, when they requested the password, the USB stick was believed to contain information related to "national security" (he presumably didn't reveal it then so as not to alert police to the alleged fraud). But when they began to investigate him for fraud he did reveal the password (he presumably thought that once they were investigating coming clean would be the best possible thing to do). In doing so he destroyed his previous plausible deniability that he couldn't provide the password. (http://www.bbc.co.uk/news/uk-25745989)
What makes you think they hadn't it all cracked, but just wanted to have him spend more time in jail while they prepare the other stuff they will hit him with ? What if he really had forgotten the password ? Beside he had already given them; why would not they have tried all other passwords they had received ?
Or they don't consider these cases important enough to reveal that they can break it.
upon the advice of my lawyer, i have no sig at this time
FTA: "Syed Hussain had already been jailed for his part in a cell that had discussed an attack on a Territorial Army base in Luton using a bomb attached to a remote control car"
He has been jailed for discussing something?
Sorry, but it's more like they didn't want to bother. The story makes it probable (not quite certain) that they already knew that it was the password to other devices that he had used.
Also, was he a terrorist? Could be. The story says he was serving time for planning attacks on the UK, but that could be fraud as easily as violence. If I were interested enough, I'd look it up, as it is I'm just commenting on the slipshod nature of reporting (which I'm assuming matches the original story without checking). I did note that an earlier post asserted that he was a terrorist, while another asserted that he was just a fraudster, and that BOTH assertions were reasonably compatible with the summary.
I think we've pushed this "anyone can grow up to be president" thing too far.
I'll be in trouble if I'm ever raided -- I have several USB devices and CD-R's that I used in the past to make a backup of something, and have lost or forgotten the passwords.
I wonder what the penalty would be for someone that filled a device with random data, and the authorities are convinced that it's encrypted and demand the decryption key.
obamaisafilthynigger
Or is it that only UK libertards are angry?
Basically, your "response" makes no sense. The founding fathers would be 100% as worried at this story as any "libertards" AC whined about.
So how does this being in the UK change that?
IT DOESN'T.
Ergo the AC was calling the founding fathers libertards.
And because that whine appears to support the idiocies of the rightwingnuts, you just don't see it.
Worse, you think that "It's the UK" changes a damn thing.
I'm confused. I forgot. Sure, the NSA has the ability to decrypt and listen/read everything we're doing, but this? Is it a tactic to make us all believe that they truly don't have these kind of powers, and our data is safe... a false story... or more likely - the truth, the majority of the people who have the ability to access everything they need to access and technologies reserved for government agencies but simply, are incompetent in their jobs. I believe the latter is the answer, DFUs are managing our information, which ultimately means - most of us, while technically are fully vulnerable, are really safe...simply because the exploiters of our information are fucking idiots.
This article just threw out a bunch of idiot comments. So a few clarifications:
1) This is England, not the US. Their rights are similar but not the same.
2) The right to silence (how it's referred to in the UK) does not allow someone the right to obstruct an investigation. It specifically refers to the right to not say anything that will incriminate you, but even in the US obstruction of justice when carrying out a court order is not protected. Him not giving a password is not an incriminating statement, it's obstruction of a legal investigation.
3) The side issue that's rather shocking is that the GCHQ was unable to crack the encryption despite the password being used on other systems and they had already obtained it; wouldn't the first thing you at least try be passwords you already have? Seems like a large oversight by the GCHQ.
What on this beautiful blue ball of earth is classified as national security? What possible secrets are there?
I would propose that all secrets would either benefit humanity or not. If the secret is of benefit to humanity then do away with the secret.
If it's against humanity, then do away with the secret so we can arrest the shits.
And before you think I mean terrorist, I actually mean gov.
If they hold secrets it's usually the bad kind....
To me, screw national secrets. Security and secrets are two diff things. US is always protecting their dark heart.
Even if you are completely innocent.
http://www.youtube.com/watch?v=6wXkI4t7nuc
Of course in the UK you have no right to silence, because well, you're a terrorist, right.
We have many rights enumerated in UK law, statute and royal proclamation. And as a signatory to the EUHRA too.
Which means the UK has BETTER rights and more strictly enforced rights than the USA, who have a 5th amendment.
Of course, governments ignore the laws when convenient. As do criminals, to be fair. However, we pay a lot of money to jail the second type of criminal, and have little chance to prosecute the former.
He wasn't jailed for refusing to reveal the password. He was jailed for his part in a bomb attack. Once in prison you can get out early for good behavior and for turning over information. Here he tried to trade this password for time. He claimed he had just remembered it. But they found out it was a password that he had already given them for something else. So they backed out of the deal.
This goes directly against prior decisions by the European Court of Human Rights. There is very clear and unambiguous legal precedent, that a person under criminal investigation need not bear witness against himself. For example, in Marttinen v Finland the Court interpreted the article 6.1 that reads inter alia "In the determination of ... any criminal charge against him, everyone is entitled to a fair ... hearing ... by [a] ... tribunal ...". The Court wrote in its decision:
The Court reiterates its case-law on the use of coercion to obtain information: although not specifically mentioned in Article 6 of the Convention, the rights relied on by the applicant, the right to silence and the right not to incriminate oneself, are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6
If the defendant is not able to have this sentence overturned in domestic courts, he should hire a lawyer who can bring this case before the European Court of Human Rights ASAP to obtain a decision against the Government of UK. The court will also award compensation for the inhumane treatment of the defendant by the Government, and obligate the government to compensate for the legal expenses.
I've always thought that encryption software should offer a meltdown password such that when entered, instead of decrypting the data it erases it. So when you want to get into your encrypted drive you enter "sesame" but when the authorities wish to get your password you enter say "meltdown" (or rather you tell them your password is "meltdown") and they enter it only to find the drive has been hosed. Then you shrug your shoulders and say "I thought that drive was on its last legs....".
Reporting on this provision of RIPA is always wrong, and the Slashdot discussion is even worse.
To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.
This case is no different. The guy was arrested for terror plots, asked to divulge a password but then claimed he didn't know it, the police couldn't prove he did know it so nothing came of it, the guy was jailed anyway under all the other evidence they had.
The police then found it seemed he'd been involved in card fraud. Turns out incriminating evidence of this was on the memory stick and that's why he didn't want the police accessing it, because he clearly hoped if he got off with the terrorism charge they'd never find out about the card fraud charge, so he had nothing to lose. Once they had found out about it he hoped for further sentencing leniency over the card fraud for admitting the password and hence helping the police. The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.
So to this day, if you don't know the password, if you pretend you don't know the password, then there's fuck all the police can do to you with this legislation, hence it's not half as bad as people make out.
To date the only people getting done by it are those admitting they know the password and explicitly refusing to hand it over, those who do stupid things like this guy, and for example, more complex scenarios where someone pretends they've lost a password and the police can't crack it, but then they manage to crack, say, weaker encryption such as that used for his desktop login to find his desktop password which they can confirm forensically that he has entered and used since denying knowing his encrypted USB password and if it matches the encrypted USB password they can claim, well, he knew his desktop password, he logged in, and it was the same as his encrypted USB password, and hence beyond reasonable doubt...
Really, it's not the worst law in the world, the police have to hit a pretty high standard of evidence, or the accused has to fuck up and basically admit their own guilt to ever become victim of this. If you genuinely don't know your password, or if you deny knowing it and the police can't prove otherwise, then you're fine. You have to explicitly and provably obstruct a police investigation to get done by this law.
The USB was believed to contain data...
Are we really just calling this "a USB" now instead of "a USB flash drive" or something similar?
R.Mo
What makes you think they hadn't it all cracked
To go back to the parent poster and Bruce's declaration: ... they are all used out there in production for quite some time. They are even used in some quite lucrative sectors.
AES, RSA, DSA, SHA256 (SHA-2), Scrypt,
If anyone was actually able to break (as in find a fundamental flaw that helps finding the solution without need to brute force-it) they would be making a killing of money. Think about hacking e-banking transaction (AES, RSA, DSA), hacking crypto-currencies (DSA, SHA-2, Scrypt, SHA-3), etc. and earning tons of money.
That has not happened yet.
The algorithms and their mathematical and cryptographic basis have stood the test of time (although not yet for more recent addition like SHA-3).
The only methods left are:
- brute forcing, but it's mathematically and physically provable that it's not possible to scan the whole key space before the sun has gone supernova (or even before the heat death of the universe). No matter how much resources you throw at this problem, you can't brute-force them within the current boundary of science. (and the hashcash-like technology behind crypto-currencies is a nice example of the limits of bruteforcing.)
- going around it. find a flaw in the implementation of the software that created the encryption. AES could be the best encryption in the entire universe, it would be no use if the encryption software is stupid enough to leave behind temp file with the information in clear. Or if the user is a moron and doesn't follow proper security procedure (uses the same laptop to surf porn and install every single tool bar and smiley pack, and thus has 25 different key logger constantly listening for all the typed password)
There would be nothing surprising in the police revealing that they have recovered the password. That would be no surprise (especially given the quality of some software or the brightness of some criminals).
The only secret worth keeping, would be hiding that the bugs that were exploited to recover the password, the fatal stupid flaw in the software, weren't accidental but were planted by paying the company / by having an undercover agent hired by the company.
but just wanted to have him spend more time in jail while they prepare the other stuff they will hit him with ?
I don't think that pretending that they don't have the password in order to keep for a longer time would be a very legal method.
If the defending lawyer managed to get suspicious about this (e.g.: if the password was never revealed, but the guy still got charged on fraud anyway), he would have a field day with it.
Beside he had already given them; why would not they have tried all other passwords they had received ?
That's actually a good question. Password re-use has repeatedly been proved to be a frequent security flaw. Re-testing all the previous known passwords should have been done immediately, even before asking for collaboration.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
If the police, TSA, government or even my mother want to see what is on data storage I have encrypted then they can sit down and crack it, I have no reason to ever decrypt that drive, if you want inside of it then get inside of it but I'm not going to help, after all I didn't encrypt the drive so you could just freely go in and look around.
Don't come here with your facts and logic ... this is Slashdot!!
You'd have to look up details, but even 'planning attacks' doesn't indicate the ability to carry them out. A lot of terrorists in this part of the world turned out to be incompetents who don't know how to make a simple bomb. One lot had their non-functioning car bomb towed away for illegal parking. Being attacked by them isn't terrifying, it's insulting.
You are doing it wrong... m8s.
Which points out one little understood fact.. The police can legally lie to you if they want. So don't answer questions without following your lawyer's advice.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
It's long been understood that exposing your capabilities isn't a Good Thing. This brings us to the interesting potential scenario that in fact maybe GCHQ *could* quite easily read his files but wouldn't acknowledge this capability. In essence people can legally be jailed for not revealing access to material they can already bypass the encryption on perhaps? A bit worrying...
Yes and no. I'm neither a security expert nor an expert in intelligence/counter-intelligence. However, if I were to break a crypto scheme, it is paramount that I never reveal that I have broken the crypto scheme. That way, I can continue to intercept and decode your secrets while you believe that your crypto scheme is safely protecting them.
If AES were broken, the last thing that a government entity would want to do was reveal that it is broken. In fact, if AES has been broken, UK law enforcement officials are extremely unlikely to even be aware of this. It would most likely be an entirely different branch of government (or a different government altogether - e.g. US) who knows of and has the means to break a scheme like AES.
Don't get me wrong. I agree with your assertion that crypto is good, but this story does not in any way suggest that AES has not been broken yet. I am still suspicious, particularly given that the scheme was "blessed" by the American NSA.
-Turkey
What's crazy is that I have a handful of encrypted USB sticks and even an entire laptop whose passwords I've long since forgotten. It's not like there's anything on them (That I know of, but a year or so ago I was playing with encryption schemes, full disk encryption, volume encryption, hidden containers, etc for shits and giggles), and recently I booted my laptop to discover that I really have no idea what the password was. Now imagine the stormtroopers come banging on my door tomorrow.. I'm in deep doodoo if they think I'm hiding something on any of those devices. Eventually, I need to wipe/reinstall, but I've not been in any particular hurry...
If you were me, you'd be good lookin'. - six string samurai
Dude, I'm totally gonna use this password. Bruce Schneier will be so proud of me!
Here, in the UK, you do not have the right to remain silent (let's face it, you don't even have rights anymore, but anyway) if you're being investigated for either fraud or terrorism.
Let's face it, the UK absolutely despises freedom, rights and any kind of concept like that.
" The USB was believed ..."
Argh not on slashdot too. USB is a BUS standard, it is not a physical device. Next thing we'll hear statements like I stored my files on my SATA and plugged my monitor into my PCIe.
unless they apply the universal "national security" or "suspected terrorist" to the warrant. then they get to do anything they want.
Sure, the NSA has the ability to decrypt and listen/read everything we're doing, but this? Is it a tactic to make us all believe that they truly don't have these kind of powers, and our data is safe...
They can *listen and read* everything we're doing. That's true. That has been suspected as a possibility by experts for a long time, and Edward Snowden's revelations are a confirmation that it has indeed happened, and a revelation of the methodical large scale of the whole spying program.
BUT
The NSA doesn't have the ability to *decrypt* everything. They have the ability to make sure that the software you're using is broken and doesn't encrypt well, chooses its key from a small pool of only 10 alternatives, or plainly leaks the clear text... or even hack your PC and put a keylogger in it... all this thanks to bugs carefully planted either by them (while undercover) or by the companies making the software (after paying them).
Also, if you're dumb enough to re-use passwords, any policeman with half a brain has the ability to first try all the passwords they already have to see if they can open the encryption without needing a password.
But the NSA can't magically pry AES open. That doesn't work. The maths and cryptology behind it are still sound. And bruteforcing it is in the "not before the heat death of the universe" range of time requirement.
Here lies the small distinction.
If you're careless about your secret stuff, at some moment or another, they are bound to hear something that will help them obtain your secret.
That's why NSA is a massive danger to the privacy of Joe Sixpack. He's careless, and his privacy is completely violated.
If you systematically follow proper security procedure (as in being anal-retentive about it, to the brink of sanity), NSA can do nothing about you. That's how Edward Snowden managed to evade detection and to successfully orchestrate the whole leak. That's how the journalists managed to keep the whole procedure secret. (See Bruce Schneier's explanation about the security procedure.)
or more likely - the truth, the majority of the people who have the ability to access everything they need to access and technologies reserved for government agencies but simply, are incompetent in their jobs. I believe the latter is the answer, DFUs are managing our information, which ultimately means - most of us, while technically are fully vulnerable, are really safe...simply because the exploiters of our information are fucking idiots.
There were recent reports that indeed, NSA is drowning in too much information. Finding precisely what they need among the sea of gathered information is hard (finding a needle in a haystack is hard. When you gather and pile all the haystacks you encounter inside a huge farm, finding the very specific needle you need is getting even harder).
The problem is everybody's privacy. While finding something precise is hard, accidentally landing on something sensitive is much more likely. That's why everyone's privacy is utterly fucked by the whole thing.
Answering open wide questions is hard. "Where are all the terrorists of the world ?" is a complex request that can't be answered easily, even more so given the mass of data to scan.
Answering targeted small questions is easy. "I want all the photos of naked people !" or "Please keep getting all the data feeds from my ex-girlfriend" are typical abuses that can be done more easily. "Please help me eavesdrop on my competitor" is a type of industrial espionage that can be done as an abuse of the current system.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They have the passwords for everything!
"Really, it's not the worst law in the world": No, it just forces otherwise innocent people to lie.
To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.
If that were really the case no-one would ever be convicted of this offence. How can you prove beyond a reasonable doubt that someone remembers something? I forget stuff all the time, especially passwords. Even passwords I was using the day before. In fact especially passwords I was using the day before, if they are new.
The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.
He claims he forgot and then later remembered it. That happens sometimes. I don't see how it proves he never forgot it beyond a reasonable doubt.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
So it never happens to you that you forget something, and then remember it again at a later time?
and for example, more complex scenarios where someone pretends they've lost a password and the police can't crack it, but then they manage to crack, say, weaker encryption such as that used for his desktop login to find his desktop password which they can confirm forensically that he has entered and used since denying knowing his encrypted USB password and if it matches the encrypted USB password they can claim, well, he knew his desktop password, he logged in, and it was the same as his encrypted USB password, and hence beyond reasonable doubt...
Ummm... yeah, that would be a more complex scenario - my head just asploded.
It is up to you to decide if you may or may not be incriminating yourself. You are presumed innocent until proven guilty by a court of law. Anything you say can and will be used against you. Therefore, saying nothing is *always* the best defence. Ask any lawyer about that.
Unless they can prove without a doubt that that USB stick holds evidence, they can't prove you are obstructing justice. If they can already prove without a doubt that there's evidence on that stick, they don't need the contents any more and they already have their proof, so you're not obstructing either because they already have the evidence.
I was promised a flying car. Where is my flying car?
Just ask our NSA for the password, since the USB stick probably has that tiny wireless chip in it that allows them to hijack and snoop on air-gapped computers that was reported recently.
kurzweil_freak
5th Kyu Genbukan Ninpo/KJJR student
Be the darkness that allows the light to shine.
Here, in the UK, the Police can issue their own warrants.
If he told them the password previously, but they didn't even try it, maybe the password was "F*ck you!"?
cpghost at Cordula's Web.
How does remembering the password later prove beyond reasonable doubt that he hadn't forgotten it earlier? How many times in human history has someone struggled mightily to remember something important (the name of the person who just said hello enthusiastically, the answer to question 3 on the exam, etc) and failed only to have it pop into their head unbidden after it's too late? Certainly often enough that it's a perfectly reasonable claim to make.
What makes you say it was encrypted using AES? I haven't found any comment on exactly how it was encrypted anywhere.
It's not as if the beyond reasonable doubt test is a new thing, it's a well established legal principle and this guy had to be tried by the courts using that principle and was found guilty.
The problem is you're speculating, and the news stories are light on detail, for all we know he was given months to remember the password and never did then when he ultimately did perhaps he incriminated himself by also admitting he knew it all along. The fact is he was deemed guilty by our legal system and there's no evidence that the decision was an unjust one only half assed reporting of this law as usual.
Yes I know it's a lame law but that doesn't mean it's okay to pretend it's something it's not and that there is injustice without evidence of any such thing.
Do I have full faith in our justice system? Not at all, but I've yet to see a single case where this law has been used to jail someone who wasn't stupid enough to incriminate themselves and we have seen cases dropped where police couldn't prove their case precisely because it takes a special amount of stupidity or massively expensive forensic investigation to reach the high standards use of this law to prosecute requires.
I'm not saying it doesn't concern me that this law is open to injustice if that standard isn't asked for by the courts, but thus far it's a far cry from the "Give me your password", "Forgotten it", "Right you're going to jail" that lie publications like The Register have pretended over the years.
The irony is it's so difficult for the police to use precisely as a compromise as the result of strong lobbying by many of those of us that care about technology in the first place. It was us that got that strong reasonable doubt clause there to start with, now we have people in the technology world pretending it doesn't exist.
Just because the law is sometimes used isn't evidence of abuse, it's so far just evidence that sometimes there are idiots that implicate themselves, sometimes through protest, sometimes through simple stupidity.
Maybe the terrorist was using the usb for a "sneakernet". Put him in a back room and punch him until you get the password.
This is a strange one to get past the American audience, because despite the two legal systems sharing a common root ("common law"), they functionally operate very differently.
So I put to you a scenario. I've just been shopping for some housewares, and happen to have in my shopping bag a large flat-bladed screwdriver. At the same time, the same object can be found about the person of another chap with a known drug problem and a history of breaking & entering.
Now, under English law, I'm doing absolutely nothing wrong, but it would be quite simple to confiscate the screwdriver from the chap with a history of breaking & entering, enquire about his business this evening, where he's been, going, and even remand him for a more formal chat if his answers aren't convincing, or he's uncooperative.
In English law, this would be "Going equipped to steal"; the American reaction would be "Screwdrivers are illegal? since when?" Which is where we differ so wildly. It's often said that "possession is nine tenths of the law". In English law, Intent is nine tenths of the law. We really do depend on the judicial system showing some common sense, and protest when it fails to do so.
Which is exactly how this case works. If I encrypt my financial documents, my employer opts to encrypt my harddrive, a journalist encrypts their research, etc, this is prudent, and I would call any overreach against this "abuse of police powers" or "abuse of regulatory powers". But if a convicted terrorist has a cache of encrypted data, yes it's kosher for a court to demand the contents to further their investigation.
I'm quite sure all this makes me sound like an apologist; I believe nothing could be further from the truth. I do value my privacy, I do encrypt things "simply because I can", I'm disgusted by untargeted, dragnet surveillance, etc. But I'm also a realist, and there's a very simple problem here: Outrage at stories like this actually damages my position against such breaches of privacy. Internet Pitchforks are far too readily available, but they make us look like the tinfoil nutters. Where common sense dictates that an investigation is overreach, then yes, yell at the top of your lungs. But to protest a court order made during the investigation of a convicted terrorist - use some common sense.
"Why that's the same password as my luggage!"
Society almost seems to be regressing back to the feudal days. In a manner of speaking we are already picking our lords and masters in relation to how we assign our bits: Google, Apple, Microsoft are all feudal systems vying for willing vassals. Creepy methinks.
I'm an ordinary bloke, but after reading this and other stories like this, I'd like to keep the goon squad boffins from taking possession of my tech. I'll be leaving my devices at home even though I have nothing untoward on them nor are they encrypted.
Apparently the authorities don't bother to think you will.
*shudder* Can't be the same guy, I have to assume..
According to a strength test, the password has only 49 bits of entropy, so it's surprising GCHQ couldn't crack it:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill
The checker had been posted on slashdot a while back [IIRC]:
http://rumkin.com/tools/password/passchk.php
Like a good neighbor, fsck is there
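Added example (not part of the comment above, nor the linked checker's code): a Python sketch that maps an entropy figure onto the bands quoted in that comment and converts it into worst-case exhaustive-search time. The two guess rates are assumed round numbers, and the character-pool estimator is a cruder method than the linked checker's, so it gives a different figure for the same password.

```python
import math
import string

# Strength bands exactly as quoted in the comment (upper bound exclusive).
BANDS = [(28, "Very Weak"), (36, "Weak"), (60, "Reasonable"), (128, "Strong")]

# ASSUMPTIONS for illustration only: guesses per second an offline search
# achieves when each guess costs one fast hash versus one slow password KDF.
ASSUMED_RATES = {"fast hash": 1e10, "slow KDF": 1e4}

SECONDS_PER_YEAR = 365.25 * 86400


def strength_band(bits):
    """Return the band label from the quoted table for an entropy in bits."""
    for upper, label in BANDS:
        if bits < upper:
            return label
    return "Very Strong"


def pool_entropy_bits(password):
    """Upper-bound estimate: length * log2(size of the ASCII classes used).

    It assumes every character is drawn uniformly at random, which human
    passwords are not, so real guessability is lower than this figure.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second


def years_table(bit_sizes):
    """Rows of (bits, band, {rate name: years to exhaust}) for comparison."""
    rows = []
    for bits in bit_sizes:
        years = {name: seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
                 for name, rate in ASSUMED_RATES.items()}
        rows.append((bits, strength_band(bits), years))
    return rows


if __name__ == "__main__":
    # The password quoted earlier in this thread.
    quoted = "$ur4ht4ub4h8"
    print("pool estimate: %.1f bits" % pool_entropy_bits(quoted))
    # 49 = the checker's figure from the comment; 128 = an AES-128 key.
    for bits, band, years in years_table([28, 49, 128]):
        cells = ", ".join("%s: %.3g years" % kv for kv in years.items())
        print("%3d bits (%s) -> %s" % (bits, band, cells))
```

None of these figures applies once the password is already on a list of known credentials: a reused password falls in as many guesses as the list has entries.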
Hussain Husein Make up your mind, and if you're going to post about a person the least you could do is get their name right.
Don't forget the ones who have all of the training and equipment to actually be able to carry out an attack provided by our own law enforcement officials, so they can swoop in at the last moment and play the hero...
They deport you to Saudi Arabia where you'd be water boarded, drugged, beaten and raped for years.
No, just kidding. Nothing at all.
Mind you though, I'd definitely write your passwords down on a Post it note and stick it under your desk if I were you just to be safe.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
If it was published in a newspaper, it must be true!
News outlets like to spin things so they can sell subscriptions. Don't believe everything you see in a news article.
To be fair it also has a provision that the police have to provide probable cause for needing the password, so if you're innocent it shouldn't concern you any more than the police turning up with a random search warrant.
A police officer can't just walk up to you in the street and demand your password and send you to jail if you refuse, they still have to build up the same amount of justification they'd need to obtain a search warrant. It doesn't have the same degree of judicial oversight as a search warrant but it does have the backing of the law, such that if any such demand didn't have a sound case behind it it would be quickly killed by the European Court of Human Rights - which is why we should be more concerned the Tories and UKIP want to pull us out of that than we should that laws like this exist as it's a far bigger threat as it puts control of such safeguards in the hands of grossly biased politicians rather than an objective external judiciary meaning they're no longer safeguards.
But fundamentally it's really not too dissimilar to the digital concept of a search warrant, the police still have to provide evidence of a need to search the data, and a strong degree of evidence that you know the password.
Honestly? No I've never forgotten a password when it's in my interest to hide illegal activity, and I've never suddenly remembered it again when it gives me a legal advantage.
The problem is that we don't know what was said, we don't know that he didn't outright admit that he knew it all along, that bit isn't being reported.
At the end of the day the rigorous standard of evidence was met, which means it's not as simplistic as you make out.
See my post here:
http://slashdot.org/comments.pl?sid=4675915&cid=45983627
Fundamentally, by itself, it doesn't. But given that the standard of evidence was met it implies there's more to it than him simply forgetting and remembering. At the end of the day our judiciary found his excuse implausible based on the evidence and they have to justify that or face losing on appeal but this guy isn't even bothering to appeal which in itself implies he knows they got him bang to rights.
I'm absolutely for ensuring things like forgetting passwords don't get you sent to jail, but pretending this is the case here is silly. There have been similar RIPA cases that have been dropped precisely because the police couldn't prove their case that the defendant knew the password which shows that the safeguard seems to be working as intended so again in the cases where prosecution has been successful the defendants have thus far always been stupid enough to implicate themselves, or get caught using the password during a period when they deny knowing it.
The problem here is that because it's a law that isn't popular amongst tech circles that we a) have an excessive level of FUD spread about the law and b) that every successful prosecution under it is unfair. The reality is that sometimes, just sometimes, criminals are stupid enough to allow the strict legal standards required for prosecution to be met and if you have a problem with that, you may as well equally claim that all law is unjust and let's have a world of anarchy. I mean, so what if you found a suspect's DNA at a murder scene, recordings of the murder on the suspect's computer, eyewitnesses placing him at the scene, and the murder weapon buried in his garden? All of it could just be planted from the DNA to the recordings, to the eyewitnesses, to the murder weapon. So what if the speed camera caught you fair and square? What if the camera was hacked and a photoshopped picture and records injected? Those are the sorts of argument being made, and that's why beyond reasonable doubt exists, because conclusive proof does not exist, we have to go on the overbearing weight of the evidence in every case. Of course it sometimes goes wrong, that's a statistical certainty, but we don't have anything better and this law is no more unjust than any other in this respect and the standard of evidence required.
The reason for that is because we, the tech community, lobbied hard to neuter the fuck out of the law when it was originally being written in the 90s, and we actually won these massive concessions precisely to ensure it does meet the strict legal standards of most pre-existing law. Sure we didn't completely defeat the law, but unless you want to live in a dictatorship where a minority dictate to the majority then compromise is necessary, and we got that massively in our favour in this particular case. We're lucky in this respect that the law was drafted pre-9/11 else we'd likely never have got these concessions. Post 9/11 law on technology and terrorism is a far bigger problem and far worse than this particular clause and so deserves far more attention, hell, even other provisions of RIPA such as those that let any public authority including local councils spy on private individuals were far far worse, but thankfully even that has been neutered now.
I well understand that nothing at all can be proven beyond any doubt, and so we must have a standard of reasonable doubt. My only objection is to laws that cannot be proven to a reasonable standard short of a confession. I am also aware that the beyond reasonable doubt standard gets cheated too often in court. That is, a conviction doesn't itself prove that the charges were proven beyond a reasonable doubt. That others have been found not guilty only proves that there is some level of doubt sufficient to prevent a guilty verdict, not that it is the appropriate level.
Notably, none of your examples would call for proving the defendant's memory or knowledge, even by reasonable inference (which CAN be done in some cases beyond reasonable doubt). In your example, the strongest evidence is the recording of the crime and the murder weapon. The DNA only matters if there's no plausible way the defendant was there prior to the crime. The witness testimony would depend strongly on how they were questioned.
This goes hand in hand with the erosion of the once absolute requirement of intent in a criminal prosecution.
So it doesn't.
"the Queen would refuse assent so she is sorta the last defence against full out tyranny."
Pretty much this.
NO MATTER what law was passed, if the Queen decided that the law would not apply at all within her sovereignty, then it would NOT be a matter of law, but a matter of politics, therefore the public would NOT be under the law until the parliament and the crown sorted it out amongst themselves.
If the public were enough in support of the crown's interference, then the crown's actions are entirely safe. If the public were enough in support of the parliament, then parliament is entirely safe calling for the regent to be disowned.
But in the meantime, the law could not apply since the laws say that the crown gets the last say, the law only says that parliament can remove the crown, not override the edict of the crown (and after removing the crown, asking for the law to be passed again).
When they came for the terrorists I didn't protest, for I was not a terrorist...
El Reg has a great article on what will happen if you have dealings with the police concerning an IT-related investigation.
http://www.theregister.co.uk/2013/11/07/feature_what_happens_when_you_arrested_by_computer_police/
My advice is read it and try to understand it, before you comment on a country that most US people cannot even find on a map.
Please, US, do not demonstrate your ignorance and provincial mindset even more than you already have.
Thanks
Beside he had already given them; why would not they have tried all other passwords they had received ?
My first thought. Is it somehow illegal for them to do that?
"To date the only people getting done by it are those admitting they know the password and explicitly refusing to hand it over"
What if I know the password, but I signed a non-disclosure agreement with the company that owns the laptop or flash drive?
I cannot legally give them the password, and I cannot legally refrain from giving them the password.
You are suggesting my only option for just treatment is to commit a crime by lying to the police.
This is one example where you need a security method that allows for plausible deniability. TrueCrypt, for example, has an option to create a hidden volume. You can give up the password for the default volume, but no one will be able to tell that there is an inner (hidden) volume which requires another password.
If that were really the case no-one would ever be convicted of this offence. How can you prove beyond a reasonable doubt that someone remembers something?
I can't speak for this specific case (the parent has more information than I do), but in one of the few other cases of this law being used (one that got appealed on the grounds of it breaching the privilege against self-incrimination), I think the prosecution were able to show that the defendant was at his computer, in the process of entering the password when the police turned up to arrest him. That may have been enough to convince a jury beyond reasonable doubt that he knew the password.
I think that in at least some of the other cases (there aren't many), there have been defendants making it clear that they refused to disclose the password on principle. In others it may be possible to show that the defendant accessed the data (and therefore used the password) shortly before the order for disclosure was issued. Basically it comes down to being able to convince a jury beyond reasonable doubt that the defendant knew the password.
He claims he forgot and then later remembered it.
And it seems the court didn't believe him... which they do. And I imagine they have far more relevant facts than we do.