UK Computing Student Jailed After Failing To Hand Over Crypto Keys
stephendavion sends news that Christopher Wilson, a 22-year-old computer science student, has been sent to jail for six months for refusing to hand over his computer encryption passwords. Wilson has been accused of "phoning in a fake warning of an impending cyber attack against Northumbria Police that was convincing enough for the force to temporarily suspend its site as a precaution once a small attack started." He's also accused of trolling on Facebook.
Wilson only came to the attention of police in October 2012 after he allegedly emailed warnings about an online threat against one of the staff at Newcastle University. ... The threatening emails came from computer servers linked to Wilson. Police obtained a warrant on this basis and raided his home in Washington, where they seized various items of computer equipment. ... Investigators wanted to examine his encrypted computer but the passwords supplied by Wilson turned out to be incorrect. None of the 50 passwords he provided worked. Frustration with his lack of co-operation prompted police to obtain an order from a judge compelling him to turn over the correct passphrase last year. A judge ordered him to turn over these passwords on the grounds of national security but Wilson still failed to comply, earning him six months behind bars.
Everything about this is a fiasco.
"He's also accused of trolling on Facebook."
If that doesn't spell out terrorist, I don't know what does.
The passwords worked, they were just case sensitive and the police didn't realize they had Caps Lock on.
I'm not saying this is likely, but what if he forgot the passphrase? This was two years ago after all.
Who's to say if he has actually forgotten it or just doesn't want to supply it?
(Haven't read the article of course, so maybe they covered this...)
I wish the penalties for trolling legislation would be at least half as severe ...
Data stored digitally on your computer is the equivalent of your own memory.
Encrypting it keeps others out of it.
5th amendment protects against self-incrimination, period.
This trumped up charge needs to be dropped.
The judge needs to be de-benched and sent to prison for being a constitutional terrorist.
The prisoner should sue the City, the district attorney's office and the judge for everything they have for wrongful imprisonment, falsifying charges, and basic ass-hattery.
Who is general failure, and why is he reading my hard drive?
So now threatening to deface a police website is a matter of national security. Got it.
We don't have a state-run media we have a media-run state.
There is no "5th Amendment" in the UK.
It is UK, so there is no 5th amendment, but I believe that they have something similar.
Real question...what happens if somebody legitimately forgets their password? If they're paranoid (or realistic) enough to use AES to begin with, they're likely going to have a good strong password. That's a lot of entropy for a human to remember for a number of years, especially if they don't decrypt it very often.
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
Seems the founders of computing as we know it have lost their way.
It's not trolling Facebook, it is the scatter gun effect. The police will ALWAYS character assassinate anybody whom they are dealing with. For example when there was an extra judicial execution of a Brazilian bloke in London about 10 years back. The PR system of police immediately made up rumours that he was a rapist (he wasn't), and that he was an illegal immigrant (he wasn't). Also in the UK there are laws against causing people distress online, and therefore trolling can fall under this, essentially there were some children who were bullied online (apparently there is no off switch) topped themselves and their parents campaigned for such a law. Also inciting hate and disorder, so for instance if one were to say kill all [insert ethnic group/religion/sect/government minister] you'll be happily sent to prison for at least a year.
People have argued the right to not incriminate themselves right up to the European courts, but it was rejected. When you are arrested in the UK you are told that if you fail to mention when questioned anything you later rely on in court it may harm your defence, so there is no right to silence either.
What isn't clear from the story is if this guy just forgot his password or if he refused to hand it over. The law says that the police must prove you knew the password, e.g. by showing that you used it very recently.
Either way, it's a fucked up law that needs to be repealed.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Sounds like you woke up from a coma and think it still is the 20th century.
If that is the case : Times have changed, my friend. Times have changed and not into the direction of flying cars.
Don't fight for your country, if your country does not fight for you.
Forgetting is not a legitimate defence, much like torturers say, you would say that wouldn't you?
One of them is it only applies in the United States, not in the United Kingdom. duh.
Another is that if you agree to give up your right (i.e. offer a password), then you can be punished for lying about it (i.e. offering a false password).
excitingthingstodo.blogspot.com
That's why you need two factor authentication. A password and a keyfile stored on floppy disk. Ideally an old floppy disk with multiple read errors. If you are arrested you can say that the police must have damaged the disk.
Alternatively TrueCrypt's plausible deniability works well.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Wrong, wrong, wrong, and wrong.
Leaving aside that this is UK news and the UK doesn't have the 5th Amendment, protection from being forced to testify against yourself is not based on this ideology you assume it is where your memory would be protected. You misunderstand the entire reason for the right. The reason for the right is because of the long history of forced confessions. History teaches that when the police interrogate them long enough and hard enough they can get them to "confess" to almost anything; even heinous crimes carrying the death penalty. This can be achieved without traditional torture, with just hard questioning and lack of sleep. Because of the physical power the police hold over a person who has been arrested, this is a pervasive problem in places without these protections, including historical England.
But the 5th Amendment doesn't protect physical facts, and it doesn't protect your memory; it protects you from testifying about your memory. If your memory could be read by doctors using a harmless mind-reading machine, that would be allowed, because it would be physical evidence, not testimony that might have been compelled.
Another problem with compelled testimony is where they attempt to accuse a person of lying in their claim of innocence, even before it is established that they are guilty. Prosecutors are very good at that; finding some innocent detail you remember wrong, or perceived differently than witnesses, and then using that to "prove" you're lying. And your denial contains lies, that is almost the same as a confession in the hands of a skilled prosecutor.
Another example of what can be compelled is the location of a key to a safe, or the combination to a safe; assuming the police have a warrant, no physical evidence is protected by the 5th Amendment, including things like the location of a key. The safe is physical evidence, not testimony. And the location of the key is an objective physical fact that is not prone to the type of abuse that a compelled confession is.
And you would send a judge to freakin' prison over your lack of understanding of the very rights you claim to value, yet somehow know nothing about. You even then somehow manage to work in a false accusation of terrorism. There is nothing basic about your ass-hattery; you're a first class champion ass-hat!
That is a totally different issue, because if they plant evidence on your computer, they don't need encryption for that. And if they're going to "go there" they can just plant some drugs on you if for some reason they don't have the technical skill to get it onto your computer, or if you have encryption.
As bad as the US is getting, I sure AM glad I don't live in the UK with THIS crap going on...
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
http://xkcd.com/538/
Brings new meaning to "brute force" hacking. Or is that whacking?
Life is not for the lazy.
It's called a dead man's switch. You can set up something to delete your data if you don't log in every so often.
None of the 50 passwords he provided worked
I really want to meet the cop who said, after failure 35: "Hey come on guys let's ask one more time!"
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
But they would be equivalent to paper files written in a code only you know how to decipher. It isn't your responsibility to interpret your own files for the police.
Nah effectively you have to prove conclusively that you have forgotten what the keys were, else they consider it to be a convenient lapse of memory and therefore you are hiding something. Since the UK police used to consider silence as an indicator of being guilty....
Yeah, I always wanted to do a UK trip, but their crazy laws have always kept me away. Not even because I'm worried that I'll get caught up in them, so much as I look down on them as a people for instituting them in the first place.
And no, the irony isn't lost on me that many do not want to visit America for the same reasons. I probably wouldn't either, if I weren't a native.
[boot up in single user mode so syslog and ntpd are not running]
# date 0417212012
# su - victim
$
[pigs copy incriminating files at will using cp without -p]
[could change the date numerous times for different files]
Yeah, that's REAL hard. They just planted files with an mtime, ctime, and atime of 2012.
How can timestamps be "out of sync with the rest of the system"? Every file in the system has different timestamps as it is.
Reactionary? What are you, a shill for tyranny?
An independent judiciary is a keystone of a free society. So, yes, jailing judges for their rulings is quite reactionary.
I would love for gmail to give people the option of a random noise uuencoded .sig to be attached to each and every e-mail. Flood the world with random data and this issue goes away. No one would be able to say for sure what was encrypted or not. If done ubiquitously, it could bring all the STASI-like agencies to their knees.
Yes, you turn over the keys to the safe and inside they find sheets of paper with what appears to be random letters and numbers written on them. Can the court compel you to disclose the "meaning" of what is written on those documents?
And in the US, you can be similarly compelled in some circumstances.
https://www.youtube.com/watch?... - interesting presentation by the EFF on forced disclosure laws.
The 5th amendment does _NOT_ always apply.
That will not work - UK law expects you to keep safe copies of all your keys and passwords so that you can provide them when asked to do so - you go to jail for not being able to provide them, saying you forgot them does not get you out of jail.
The problem with demanding the key and jailing him for not doing so is that they haven't (as far as I know) proven he actually remembers the key at all. Have they done anything to prove that he didn't genuinely believe the passwords he told them would decrypt the data? People do forget things all the time, even very important things. Throw in some duress and mental anguish over being jailed plus autism and it's a wonder if he gets his middle name right.
The fundamental problem with any penalty for not testifying is that it hinges on punishing someone for a crime you can never actually prove them guilty of. That might actually be good reason to punish a judge, or at least remove them from the bench. Not being punished unless proven guilty is a fundamental right that goes well beyond the Constitution or any particular foundational document.
To be fair, in the US they'd have just charged you with a bunch of more serious crimes as well, which they'd offer to drop if you plead guilty for the one they wanted you for.
that's a fiction, you are no more interpreting your files than the police are. it's encrypted and decrypted by an algorithm that requires a specific key... the person interpreting for you and for them was whoever designed the software. if you want to use the "interpreting" argument, you'd have to write your own encryption software.
Because a court ordered him to, and he didn't. The fact that encryption keys are the subject of the order or whether they unlock anything incriminating is pretty much irrelevant under the circumstances, disobey any court order and you face going to jail.
Blank until
I know what you want to say, and it is largely correct, but I won't let that get in the way of pedantry. The UK does have a constitution, which is often referred to as "unwritten". This is a bit of a misnomer, as most of the constitutional provisions in the UK are written down somewhere. For instance, most of what would be the equivalent of the US Fourth Amendment protections against unreasonable search and seizure are contained in the Police and Criminal Evidence Act 1984. The UK constitution is not codified, and there are no framework constitutional principles (well maybe Parliamentary Sovereignty), but it does exist. There are rules and processes that govern what become laws. It's more that Parliament can decide to remove any rights by repealing any enabling legislation, PACE, HRA, whatever. In the US, rights are supposedly natural, and cannot easily be taken away by government. Certainly, in the UK Parliament has not granted the citizenry any general protection from self incrimination. While there are laws against torture and other practices that could lead to malignant self incrimination, even the police caution when being interviewed reminds you that "You do not have to answer any questions, but it may harm your defense if you do not now mention something which you later rely on in court." So you definitely do not enjoy the same broad protections from self incrimination in the UK as you do in the US.
Not true. (http://www.bbc.co.uk/news/uk-25745989 guy wasn't convicted until he decided to reveal it as part of separate proceedings proving he hadn't forgotten it; I'm surprised they didn't have him for perjury or something too.) Think about it - if that was the law every time you visit an SSL secured website you'd be breaking the law since your computer doesn't record the session keys. And perfect forward secrecy would be illegal too. Not that I'd put any of that past the government here, mind you, but it hasn't happened yet.
It seems you can be compelled to reveal your passwords in the US if they're looking for evidence they already know to exist rather than information they may not know about.
I stole this Sig
When you are arrested in the UK you are told that if you fail to mention when questioned anything you later rely on in court it may harm your defence, so there is no right to silence either.
That isn't a right to silence. You're quite free to keep your mouth shut from arrest to the end of the trial. The only worrying part is that maintaining silence can be taken as an indication of guilt*. Talking about something in court which was not mentioned during police questioning may harm one's defence because anyone in the court is likely to think "if that would have helped, why didn't you say when you first had the chance?".
*This might be another one of those things that is only in English or Scots law, like a Scottish court returning a verdict of "not proven"**.
**Which basically means "We can't prove you did it, but we know you did. Don't do it again."
"Tyrant judge"?! He was applying the law. A bad law in the opinion of many people, sure, but nonetheless crystal clear in its scope and effect. Are you saying the judge should have not applied the law? That he should have ignored the statute and made up his own rules? You're in favor of "activist judges"?
My next sig will be ready soon, but subscribers can beat the rush
If your memory could be read by doctors using a harmless mind-reading machine, that would be allowed, because it would be physical evidence, not testimony that might have been compelled.
Typical lawyer doublespeak bullshit.
same asshattery that gives
Actually, every file in the system does not have different time stamps and they tend to be in clusters (e.g., different groups of system files).
Timestamps can be manipulated in various ways and they are often taken at face value, but it does get quite a bit harder if the investigator digs deeper. For example, in your proposed situation the inodes for the newly created files would not be as expected for files having those time stamps.
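The inode check described in the comment above, sketched as an added example (not part of the original thread). It assumes an ext-style filesystem where inode numbers in a directory are handed out roughly in creation order; the function names and sample records are constructed for illustration. A hit is an indicator only, since `cp -p`, archive extraction and inode reuse produce the same pattern.

```python
import os
import statistics
from typing import NamedTuple

DAY = 86400  # seconds


class Entry(NamedTuple):
    path: str
    inode: int
    mtime: float


def scan(directory):
    """Collect (path, inode, mtime) for regular files directly in a directory."""
    entries = []
    with os.scandir(directory) as it:
        for item in it:
            if item.is_file(follow_symlinks=False):
                st = item.stat(follow_symlinks=False)
                entries.append(Entry(item.path, st.st_ino, st.st_mtime))
    return entries


def inode_time_outliers(entries, window=3, tolerance_days=30):
    """Flag files whose mtime is far older than their inode neighbours'.

    Files are sorted by inode number; each file's mtime is compared with the
    median mtime of up to `window` files on either side. A recently allocated
    inode carrying a much older timestamp is what a back-dated file looks like.
    """
    ordered = sorted(entries, key=lambda e: e.inode)
    flagged = []
    for i, entry in enumerate(ordered):
        neighbours = ordered[max(0, i - window):i] + ordered[i + 1:i + 1 + window]
        if len(neighbours) < 2:
            continue  # too little context to judge
        typical = statistics.median(n.mtime for n in neighbours)
        if typical - entry.mtime > tolerance_days * DAY:
            flagged.append(entry)
    return flagged


# Constructed sample: five files written over a few days in 2014, plus one
# file in the middle of the inode range whose timestamp claims 2012.
BASE = 1_400_000_000
SAMPLE = [
    Entry("a.log", 5201, BASE),
    Entry("b.log", 5202, BASE + 3600),
    Entry("c.doc", 5203, BASE + 2 * DAY),
    Entry("planted.jpg", 5204, BASE - 700 * DAY),
    Entry("d.txt", 5205, BASE + 3 * DAY),
    Entry("e.txt", 5206, BASE + 4 * DAY),
]

if __name__ == "__main__":
    for hit in inode_time_outliers(SAMPLE):
        print(f"inode {hit.inode}: {hit.path} is older than its neighbours")
```

On a real image, `scan()` would be run against a read-only mount and the result passed to `inode_time_outliers()`.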
Funny isn't it - the US doesn't allow compelled testimony, but resolves 97% of federal cases through plea-bargain, so that's >97% conviction rate.
I'm sure plea bargains are always always guilty people accepting a lesser charge to reduce their punishment, and never the innocent feeling compelled threatened or coerced into pleading guilty to a lesser charge, but in the UK where it's not used I think the prosecutors only get about 80% convictions - and you'd think they would be much _more_ careful to pick the strong cases because they have to have the expense of trial every time.
So, hats off to the US law enforcement and prosecutors for being so very very good at identifying the guilty, or at compelling the innocent to admit guilt (in the land of the fifth) whichever it is...
Probably wire fraud, resisting arrest and impeding a police officer's fist with your face.
SJW n. One who posts facts.
and never the innocent feeling compelled threatened or coerced into pleading guilty to a lesser charge, b
You know what? If an innocent person pleads guilty before a judge, they are perjuring themselves.
That's what "No Contest" pleas are for.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Alternatively TrueCrypt's plausible deniability works well.
I tend to start twitching a little whenever our neighborhood geek starts talking long and loudly about his "plausible deniability."
The denial is there, in spades. I'll give him that.
The plausible, not so much.
The poor guy probably had the password written down on a Post-it note underneath the keyboard because it was too long and complicated to reasonably remember. The police in their hurry, when they confiscated the computer, lost that little note. How can anyone prove that this was not so. How can anyone prove that the guy does indeed not remember the password? After all, humans are forgetful creatures. I suppose being forgetful can land you in jail in the UK.
A sufficiently advanced simulation is indistinguishable from reality.
Actually, you are incorrect.
The 5th absolutely protects the "contents of one's mind". The Supreme Court often uses those exact words in many cases affirming the notion. In fact, one common analogy the court uses in deciding these issues is that the government can force a suspect to produce the key to a safe, but it cannot force him/her to produce a combination for a safe.
The 5th does protect against coerced testimony, and that includes passwords or knowledge of physical evidence. However, once the government knows that physical evidence exists and is in the possession or under the control of the suspect they can compel the suspect to produce the evidence, whether that evidence be business records, personal papers or computer data. So while the suspect cannot be compelled to reveal his password, if the government knows an encrypted drive contains incriminating evidence it can compel him/her to produce the unencrypted data. That is why suspects are not ordered to reveal the password, but to unlock the data for the police.
One key distinction here is that the government must have 'reasonable particularity' concerning the evidence it requests. They cannot merely suspect the evidence may exist. Cases where defendants are compelled to produce unencrypted drives usually have other factors such as U.S. v. Fricosu where the government had recordings of the defendant talking about the incriminating contents of the encrypted data. Or, In re Boucher where police saw the unencrypted content of a laptop that was turned on, but then lost access when it was powered down.
In the safe analogy the police cannot compel a suspect to produce a combination, but if they have sufficient reason to believe the safe contains an incriminating accounting ledger, they can compel the suspect to open it and produce the ledger.