Youth jailed for not handing over encryption password

A 19-year-old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. Oliver Drage, from Naze Lane, Freckleton, Lancashire, was arrested in May as part of an investigation into child sexual abuse images. His computer was …

COMMENTS

  1. Sime

    Still trying to crack password..

    I'd love to be the consultant employed to give that a go!

    Free income for a year or more.. Then just tell them you couldn't do it and hand the disk back.. "That encryption is just too good!!".. No need to even plug the thing in! :-D

    1. Anonymous Coward
      Happy

      Insurance

      This is why I ALWAYS store my porn in the WikiLeaks download directory as a file called "insurance"

      1. Alan Firminger

        Boasting

        A similar post that could be read as a terrorist threat is before the courts now.

    2. Shady

      The consultant might have had a decent work ethic....

      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...

      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab...

      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac...

      aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad...

      Although he may have to claim expenses for a new keyboard and treatment for carpal tunnel syndrome.

  2. Anonymous Coward
    Paris Hilton

    Question

    "50-character encryption password"

    How do they know the string length of the password??

  3. Anonymous Coward
    Anonymous Coward

    Just wondering

    How would they know it's 50 characters?

    1. This post has been deleted by its author

      1. C Yates
        Happy

        Spaceballs ftw!

        What's your password??

        1... 2... 3... 4...

        1234? that's the sort of password an IDIOT would have on his matched luggage!

        =D

      2. David 45

        Ho ho

        Like that.

        Might not be 50 characters. In fact, it's probably not. How do you remember that lot? Some password boxes automatically add more as a safeguard to baffle folks who might be observing your screen.

    2. Jinxter
      Joke

      50 char password...

      Wavehishands,thisisnotthepasswordyouarelookingfor!

    3. Richard Stubbs
      Joke

      Because he told them!

      Yes my password is "fiftycharacterslong" what? 16 weeks! but i've told you my password is "fiftycharacterslong"

    4. Tigra 07
      Thumb Up

      RE: AC

      The actual password is "50 characters"

      They just keep typing it in without the space so locked him up to cover their stupidity

  4. King Edward I
    Stop

    You have the right...

    ...to remain silent.

    Or not if we decide so,

    1. Pablo
      Badgers

      Wrong Country

      tvtropes.org/pmwiki/pmwiki.php/Main/EaglelandOsmosis

  5. Paul Smith

    Nostalgia

    This story just proves how old I am getting. I can still remember the days when a person was presumed innocent until proven guilty.

    That said, I am pretty sure that the European human rights charter includes the equivalent of the 5th, i.e. that you can not be forced to incriminate yourself.

    1. King Edward I
      Stop

      Technically...

      ...he was. He was considered innocent of not disclosing the password, and then they proved it. So he was guilty. The problem here is not convicting him for a crime they haven't proved, it's them criminalising behaviour that *should* be a person's right, i.e. not to self-incriminate.

    2. BristolBachelor Gold badge
      Black Helicopters

      Proven guilty

      It's easy, you just write the laws the right way. He has been proved guilty of not typing in his password; hence jail time.

      Other offences soon to hit the statute book to be used whenever they want:

      "Looking funny"

      "Taking a photograph"

      "Sitting on the tube, reading Metro"

      "Breathing"

      1. Annihilator
        Unhappy

        re: Proven guilty

        Unfortunately I'm pretty sure "Taking a photograph" is already there. Probably next to the unwritten one of "Looking a bit foreign", added at the request of the Daily Mail...

      2. Anonymous Coward
        Alert

        or...

        how about 'wearing a loud shirt in a built-up area'?

        1. captain veg Silver badge

          Insufficient length

          That's only 39 characters.

          -A.

    3. The Original Ash

      I remember that too

      It was 1994, with the Criminal Justice and Public Order Act.

      http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales#Adverse_inferences_from_silence

  6. Anonymous Coward
    Anonymous Coward

    How would they know

    ...that the password is 50 characters long?

  7. Jim T
    WTF?

    50 character password

    How did they work out that it's 50 characters, exactly, if they don't know what it is?

    Unless he was bragging, of course.

  8. Anonymous Coward
    Flame

    Encryption right

    Encryption exists because there has been a need to safeguard certain information. It is used in a capacity to protect personal files just like it is used to protect say credit card information. However RIPA deems it a crime in circumstances they see fit. If they want to differentiate between what is acceptable and what is not then I suggest that encryption be made illegal in this country for non-commercial use rather than jailing people because they will not cooperate. There is a clear distinction here between one's liberties and preventing people from covering up a crime.

    1. Nigel 11

      Other safeguards

      I'm not sure that there should be an absolute right to hide behind unbreakable encryption. One doesn't have a similar right with respect to paper documents. Provided the police have obtained a search warrant, they can legally break any physical lock if you won't provide them with the key. (There's no such thing as an unbreakable lock or safe).

      Do the police have to obtain a search warrant for your computer, before they can order you to decrypt? If so, that appears to be an appropriate safeguard, and an exact analogue to what has been the case for paperwork for many years.

      If they don't have to obtain a search warrant, then they should be required to.

      There should probably also be a provision that evidence obtained by requiring one to decrypt should be admissible only if it confirms the suspicions that led to the warrant being granted. In other words, if they are investigating money-laundering and they find only porn, they should not be able to charge one with possession thereof, because the grounds for the warrant have been proved false.

      1. Mephistro
        Thumb Down

        @Nigel11

        A problem with that approach is that the file in question might be obsolete and the password long forgotten. I'm an IT consultant, and whenever I have to store data from my customers, I use encryption. Most of those passwords are lost and forgotten only a few days after the work is completed, but I often forget to remove the encrypted files from my PC. After reading the article I made a quick search and found seven of those files, aged between three weeks and four and a half years. I just remember one of the passwords, from a file created in summer 2009. I remember it because the password was a funny word related to the owner of the data.

        And don't forget I'm an IT pro and use lots of passwords. I have seen people forgetting their passwords two HOURS after creating them.

        The thought police can jail you for forgetting something. Sounds really bad, doesn't it?

      2. Andrew the Invertebrate

        Nice in theory

        But how do you enforce a search warrant for the contents of someone's memory? How do you prove that you've forgotten a password or that you've never had the password in the first place.

        If you've downloaded the wiki-leaks insurance file how can you prove that you don't have the password, or that it isn't in fact your secret stash of terrorist manuals that you've renamed to look like the wiki-leaks file and do really have the password for?

        Also if you followed the US system and had "Fruit of the poisonous tree" provisions in the warrants, the exceptions on the search being carried out in good faith would kick in and it would be a legal search.

        *Note to self - remember to use the "Reply to this post" button next time

        1. Nigel 11

          Refused, not forgotten

          The chap we are discussing "refused" to provide his password. I'm assuming that meant he said "No" rather than "I've forgotten it". The latter would have been a smarter answer and I'd hope it would lead to an acquittal - how can the prosecution possibly prove beyond reasonable doubt that this is not the truth? If it really is illegal to forget, I'd expect a jury nullification, or a successful appeal to the EU court of human rights.

          I agree that the whole concept is stupid. Anyone competent with something to hide will combine steganography and plausible deniability (multiple encrypted volumes in one hidden container, one or two innocuous volumes that you're happy to reveal if they can work out where they are hiding, using software that always creates large amounts of random padding so they can't hope to prove that you're concealing more than you've shown them).

        2. Anonymous Coward
          FAIL

          Nice in Theory...

          re: Fruit of the poisonous tree... a former net acquaintance was under investigation for Social Security Fraud. Law enforcement was searching his house for proof that he was running several businesses while claiming SS Disability. One of them, I believe a USPS Postal Inspector, found some video tapes in the closet and tried to pop one in a VCR but couldn't because there was already one in the player... he turned the VCR and the TV on, and found to his surprise, not evidence of financial crimes, but porn, and specifically child porn. He stopped the tape, called the courts for another search warrant specifically related to porn and child porn, and then arrested Jack on federal child porn charges... Jack is now doing time in Arizona on some charges, and when he finishes his stay in the Arizona iron bar hotel, he has a date with a federal house of detention for another 5-10 years. He won't be free again until he's about 75 or older. I only "knew" him because we were on the same email list, but the owner of the list tried to hide the charges from the rest of the list, and in fact went to a moderated list and refused to allow anything negative to be posted about him. She also threw a number of people off the list because they tried to post the true story.

          Fail, because Jack had already been a guest in the pokey on several previous occasions, including once for murder.

          1. Marcus Aurelius
            Big Brother

            UK fruit of the poisonous tree

            If I recall, evidence discovered in this accidental way is acceptable in the UK, but it is up to the courts to rule on admissibility depending on just how far the method of discovery has stretched relevant laws..

      3. Vic

        No safeguards

        > Do the police have to obtain a search warrant for your computer

        No.

        A Section 49 notice can be issued by a number of Authorised Persons. Many of these are not in the judiciary.

        There is no legal oversight. There should be.

        Vic.

      4. Ist alles doof

        They would have needed a warrant to take his computer away.

        Unlocking his computer's encryption system would be covered by the same warrant which legitimated the removal of his computer.

    2. John G Imrie

      Steam files

      Aren't all the files that Steam downloads encrypted? I'm sure I don't have the key for them. So hide all your encrypted files in plain sight in your Steam directories.

    3. Scorchio!!

      Right to security

      We have arrived at the point where citizens are only allowed to have security of information if the government they elect allows this. I can see the pros and the cons, having a number of TrueCrypt files for sound reasons that do not involve breaking laws of any sort, and having a dislike of the offences of which the individual has been accused. That leads me to ask, was this individual using an encrypted proxy? Is this why the enforcement agencies concerned are not trotting out the data here?

  9. Paul Smith

    Nope. I was wrong

    I just checked and it seems that the European Charter does not protect you from having to incriminate yourself. Poor kid rightly screwed now.

    1. The Original Ash

      It's Blair's fault

      There is an "innocent until proven guilty" provision in there, but Blair excluded it before signing. There was talk before the election of the Tories / Lib Dems pulling out of the Charter, then re-signing it in its entirety. So far, no dice.

      1. Chris Fox

        until v unless

        As others have said, "innocent *unless* proven guilty" would be nicer; "innocent until proven guilty" seems to suggest that you are, inevitably, going to be found guilty, but that it has not yet been proven. (That particular phrasing sounds like it was drafted by someone who believes in the concept of "original sin"; we are all guilty.)

        1. John Smith 19 Gold badge
          Boffin

          @Chris Fox

          I think you'll find it's the police officers version.

  10. Anonymous Coward
    FAIL

    RIPA is flawed

    Crim thinks:

    x years for not disclosing password

    y years for disclosing password

    x < y

    I'll not disclose password.

    Police think:

    at least we got him for something.

    1. Andrew the Invertebrate
      FAIL

      Fail yourself

      Scene 1: a court room.

      Judge - What is the password ?

      Accused - Not sayin.

      Judge - Fair enough, have four months at Her Majesty's pleasure

      Scene 2: the same court room, four months later

      Judge - What is the password ?

      Accused - Not sayin.

      Judge - Fair enough, have four months at Her Majesty's pleasure

      Rinse and repeat Scene 2 until the accused hands over the password or dies of old age.

      1. Kelvari
        Black Helicopters

        Would be ironic...

        ... if "Not sayin" actually WAS the password. Or even something like "There is no encryption password," or anything else to that effect.

      2. Anonymous Coward
        Anonymous Coward

        after 4 months

        I'm pretty sure I'd have forgotten...

      3. Anonymous Coward
        Happy

        No, that's the password, it's

        Not sayin

      4. Scorchio!!

        Time

        Memory erodes over time and it would be a very silly criminal who did not realise that the "I've been in prison for so long that I have forgotten" option is available.

        As someone observed indirectly, we are now at the gates of a new era of thought crime. "We know that you remember so we are going to send you back to prison until you unlock your thoughts".

    2. Neil Brown

      Jail time for not disclosing password expires

      Police request password again under s49.

      Password owner declines again.

      Police prosecute for failure to comply with (new) s49 order.

      Password owner goes back to prison.

      Repeat.

      1. The Original Ash

        @Neil Brown

        Double Jeopardy. He's refusing to give the password for the same encrypted volume he refused to before. Worst that can happen here is being found in contempt of court and being returned to jail every time he refuses to give the password, but that's not within the remit of s49.

        1. Neil Brown

          @TAO: Application of double jeopardy to s49

          To my mind, at least, it's not clear that the double jeopardy principle would apply. The crime, for which he was imprisoned, was failing to comply with a s49 order. I agree with you that he cannot be tried twice for the breach of a s49 order - the double jeopardy principle.

          However, there is nothing in ss49-51 of RIPA which prevent a law enforcement agency from issuing another s49 notice, seeking the same information - this is entirely different to charging someone again for the same crime. If he fails to provide the key, he is tried for the breach of the new order, and thus commits a new, triable, criminal offence. There is no double jeopardy issue here - it's breaching a separate s49 notice.

          There are two competing policy issues here - one is that someone should not be tried twice for the same offence (although under attack in some situations), and the other is that someone should not be entitled to obstruct the investigation of a larger crime by committing a smaller crime, and take the penalty for that smaller crime as a way of preventing the investigation.

          I'm not aware of any legal authority on this, so just going on the basis of what makes sense to me in terms of approach - I'd be very interested to see something which suggests a different approach.

        2. Oliver Mayes

          @The Original Ash

          Except double jeopardy prevents you being punished for the same crime twice, if you refuse to hand over a password and get prosecuted that's only once. If they ask you again and you refuse that's a second offence and you can be prosecuted for it.

        3. Andrew the Invertebrate

          @The Original Ash

          Hate to break it to you, but double jeopardy laws were shown the exit about 5 years ago

          http://news.bbc.co.uk/1/hi/uk/4406129.stm

          1. Neil Brown

            @ Andrew the Invertebrate

            "Double jeopardy" is not out completely - the Court of Appeal held that there can be a retrial where there is "new and compelling evidence". There's ambiguity as to what this means, for sure, but it does not mean a complete revocation of the principle.

            I meant to add in my previous response, that the principle of double jeopardy applies to someone who is tried and acquitted, not someone who is tried, found guilty, and serves their sentence - that someone cannot be tried again for the same offence after serving their sentence comes from the fact that they have done their penance - the slate is wiped clean. In the situation here, the slate is wiped clean only in as much as the breach of the previous s49 order has been remediated - another order, another breach, another slate to wipe.

        4. Vic

          Not Double Jeopardy

          > Double Jeopardy.

          This is incorrect.

          > He's refusing to give the password for the same encrypted volume he refused to before.

          Doesn't matter. He's guilty of failing to comply with a section 49 notice. He's not been charged with respect to the current notice before, so there is no "double jeopardy" involved.

          Claiming that this is the same offence is like claiming that a recidivist burglar shouldn't be tried for subsequent burglaries, because he's already served time for it. That was a different burglary. That was a different Section 49 notice.

          > Worst that can happen here is being found in contempt of court

          No, the worst that can happen is that he can be sent down for another 5 years (if they mention "national security" often enough) *and* face a large fine.

          > and being returned to jail every time he refuses to give the password, but that's not within the

          > remit of s49

          It's within the remit of a new Section 49 notice. There is no stated limit to the number of successive notices that can be issued - only that the issuer must have "reasonable grounds" to believe that the defendant has the decryption keys sought.

          Vic.

      2. Intractable Potsherd
        Unhappy

        Thanks, Neil

        ... You've seriously messed up my day. I had never thought of that, and there is nothing to prevent it (except for a court refusing to play that game).

    3. Anonymous Coward
      Anonymous Coward

      #Flawed

      Surely the crim (according to witnesses and ISP logs an alleged trader in child porn) should be thinking:

      X weeks for non-disclosure followed by (after encryption is cracked in a few months) Y months for child porn offences and Z months for perverting the course of justice - and then of course a large bill for the costs incurred in cracking said encryption and a long stretch of the sex-offenders register.

      Still on the bright side, it's good news for security consultants and children.

      1. Gweilo
        Boffin

        months?

        "after encryption is cracked in a few months"

        A 50-character password? More like untold trillions of years. However, often a search through file remnants in "deleted" parts of the disk can find a clue, unless whole disk encryption was used.

        1. Anonymous Coward
          Anonymous Coward

          @Gweilo

          I may be wrong, but I was under the impression that police forensics had access to some pretty clever password cracking tools, ie they can use known information about a suspect to steer the attempts. psych profile, hobbies, tv viewing, etc.

          A 50 character password has to be some kind of memorable phrase, if it's not written down or the suspect is rain man, a few special character obfuscations could make it nasty enough but a number of set rules could take care of most of those.

          1. Ben Cwilewicz

            @AC

            I have a 25 char randomly generated Admin password which I can remember (muscle memory can type it faster than I can say it mind)

            I change the pass every year or so, chain two of them together and you have 50 chars memorised without having to be rain man

        2. Anonymous Coward
          Thumb Down

          #months

          >A 50-character password? More like untold trillions of years.

          Months more like, it's not unknown data - at worst they are looking for filetypes which will provide plenty of known plain text/data, at best they will have specific files which they expect to be there after examining the ISP logs and the files he traded with others who were nicked at the same time.

      2. Matt Hawkins
        Megaphone

        Police cracking?

        "and then of course a large bill for the costs incurred in cracking said encryption"

        When was the last time you cracked a 50 character password?

        If the guy was using decent encryption software and used a 50 character password the police have got a snowball's chance in hell of cracking it. Even if they knew where to start.

        If the authorities *could* break encryption they aren't going to admit to it in court for such a minor offence. And before anyone starts he is a small fish as far as the Government are concerned. They aren't going to reveal their capabilities in this field for day-to-day criminals.

        So they aren't going to crack his password even if they could.

        1. Anonymous Coward
          Anonymous Coward

          #Police Cracking...

          >When was the last time you cracked a 50 character password?

          Quite regularly when doing security audits. Passwords that long are almost always built on dictionary words and simple patterns - in any case a simple brute force attack wouldn't be the approach used where the contents of an encrypted file are already known.

          >If the authorities *could* break encryption they aren't going to admit to it in court for such a minor offence.

          Weaknesses in practically all commonly used consumer grade encryption are well documented as are the 'authorities' capabilities in defeating them. It's not a question of admission, simply cost over public interest.

    4. Anonymous John
      Unhappy

      What happens when he's released?

      Can they ask him again, treat it as a separate offence and charge him with it? It could go on indefinitely.

      1. Vic

        Perhaps

        > Can they ask him again, treat it as a separate offence and charge him with it?

        The issuance of a Section 49 notice does require that the issuer has "reasonable grounds" to believe that the victim[1] has the encryption keys being sought. If the poor sod has already done time for failing to cough up the keys, there is eventually going to be some room to claim that those grounds are unreasonable, and thus that the notice is unlawful.

        But that won't necessarily stop second and subsequent notices from being issued - it just gives some sort of defence in court.

        Vic.

  11. Dan 55 Silver badge
    WTF?

    How did the police know it was 50 characters but not know the password?

    Knowing them it was the maximum field length the text box accepted.

  12. Cucumber C Face
    Unhappy

    Tough choice

    16 weeks

    OR

    5 years with other inmates trying to kill him and a lifetime unemployable as a social leper on the sex offenders register.

    Probably a thumbnail of a 30 year old flat chested Russian prostitute in pigtails or mpeg of a bloke shagging a dead mollusc anyway.

    1. Anonymous Coward
      Big Brother

      So...

      what you are saying is that if they get done for not giving away their password they still don't get punished ENOUGH for the crime we can't prove they did so we ought to make the dirty pedo sign the offenders register for refusing to disclose the password. Better safe than sorry.

      Now how to do something about those THOUGHTS people keep having...

  13. Danny 5
    Thumb Down

    what happened

    to the right to remain silent?

    are UK laws that different from Dutch laws? if i don't want to say anything to the cops, i don't, it's that simple.

    "you're only making it harder for yourself"

    yeah right buddy, you stick to that story and i'll stick to mine, ok?

    so what's the deal here? has the UK given up on this or what?

    1. bluesxman
      Black Helicopters

      RE: what happened

      I am not a lawyer, and thankfully I've never fallen foul of the law, but the right to silence has been somewhat subjective in the UK for many years.

      http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales#Facts_later_relied_upon

      When arrested, persons are told "you have the right to remain silent [...] it may harm your defense if you fail to mention when questioned something which you later rely on in court" or words to that effect.

      Basically this means that negative inferences can be made on the refusal to provide information. In this instance, refusing to give up the password implies there's something he doesn't want people to see within that file.

      As previously pointed out, 16 months in jail and a record for what amounts to failure to cooperate with the police versus them finding the suspected images and the baggage that that brings (assuming, of course, that it contains what they think it contains) probably seemed like a good trade-off.

      At least they don't have free rein to convict people of the suspected crime rather than the side-effect crime. Yet.

      1. bluesxman
        FAIL

        RE: what happened

        I meant to say "16 weeks" not "16 months".

      2. max allan

        So, blab your password straight away

        "You have the right to remain silent ... mention now ... etc...."

        Yes officer I'd like to say "zxplLkIujnn*&^fh44£$FklpkjbMHFGXFWzchbjn kju642dhvnblp}[1b36nndfj3jdnx^nbghfhkl;LHGGVBL"

        Later in court :

        Q: Would you like to tell us your password?

        A: I already did. It's not my fault if the police didn't capture that evidence, is it? I've been stuck in a holding cell for the last 3 months awaiting trial and I've now forgotten what the password (if there ever was one) was.

        Would that work????

        1. OziWan

          however

          Police interviews are recorded in the UK

          1. Scorchio!!

            Interviews

            Correct, but I think that the OP is referring to the arrest and caution, which usually take place outside of the interview room.

  14. Anonymous Coward
    Anonymous Coward

    "Police say they are still trying to crack the password"

    LOL.

    Oliver will be out of prison and lying in his casket before they crack that one.

    One has to wonder how they know it's 50 characters though... is that just the maximum length permitted by the software he used? Or did he tell them it's 50 characters long, knowing that it's only 49 characters lol.

    (can we have a Bacon 'n' Doughnuts icon?)

  15. Graham Bartlett

    Silly sod

    Guess he didn't think they'd actually do it. Oops.

  16. Ian Davies
    FAIL

    Should have read the TrueCrypt manual

    Long password = GOOD

    Not using a hidden container for plausible deniability = FAIL

    Also, I've never fully understood the whole "refusing to co-operate" thing with encrypted files... how can they prove you haven't genuinely forgotten the password? Or that the password you gave them is correct but, due to legitimate file corruption, just doesn't work any more?

    1. Dazed and Confused

      Re hidden containers

      I've not bothered to read through the TrueCrypt docs about this, but I'm intrigued about how this works. I've always wondered about the free map in the main encrypted volume. If the hidden volume blocks are not to be overwritten then they can not appear on the free map of the main file system. So the prosecution could no doubt argue that the size of the volume you have opened doesn't match the size of the disk. So anything missing must also be encrypted.

      I'm sure there is an answer to this as the blokes who write TrueCrypt are brighter than me.

      Just intrigued.

      1. John H Woods

        Doesn't work that way....

        ... TC freespace is encrypted. If you mount the non-hidden volume and write to it, you will indeed run the risk of overwriting a hidden volume. If you want to write to it, you mount it with the hidden volume protected - which of course means entering passwords for both inner and outer volumes.

        So if you are forced to give up the outer volume password, no one can prove - except by cryptanalysis - that there is a hidden volume. They could destroy that hidden volume though, by mounting the outer one with the outer password you've given them and filling the disk up.

    2. Trygve
      Unhappy

      What's not to get?

      It's pretty straightforward, it's all about making life easy for our esteemed chums in uniform. They don't need to prove anything, it's up to _you_ to prove that whatever is in the file is legit, by decrypting it. If you don't, you're screwed.

      Presumably you could end up with something on your drive that looks as if it's an encrypted file but is actually just garbage (perhaps a corrupted temp file created while zipping) and go to jail for not turning it into a plod-readable format. That would suck.

    3. Anonymous Coward
      FAIL

      Re: Plausible Deniability

      "I see you've used TrueCrypt. We know this has a hidden volume function. What is the password for the hidden volume."

      "I don't have one."

      "Prove it, or another 4 months."

      "..."

      "Enjoy your communal showers."

      You either have a hidden volume with MORE innocuous data, or you are screwed. TrueCrypt is not the answer.

    4. Bod

      Hidden container

      Just having a hidden container isn't enough. There are lots of other things you need to do, and even then if your disc is being monitored (snapshot before, snapshot after) it is possible to break PD enough to prove the existence of a hidden container by modification.

      Though no security expert in their right mind is ever going to fall for a TrueCrypt container not having a hidden container. Most of them probably do and are probably full of kiddy porn or almost certainly something dodgy enough to want to hide from the authorities.

      However, with respect to the law on not providing your password, how do they prove you are refusing to provide it rather than you just cannot remember it? (assuming again the disc hasn't been monitored to show a modification to the seemingly random data, which proves you managed to access it recently).

      Chances are though the "kid" just left loads of holes open in Windows that leak the data.

      1. Allicorn
        Thumb Down

        No defence

        According to RIPA, "I can't remember" is exactly the same as "I refuse to tell you". There is no defence against this section of the act. If you cannot provide a working password - for any reason whatsoever - then you're guilty.

        1. John G Imrie

          In which case, whatever you do

          Never take a copy of /dev/random

    5. Anonymous Coward
      Stop

      re: Should have read the TrueCrypt manual

      How do they prove you haven't genuinely forgotten the password?

      I think the general idea is that the prosecution and defence explain their arguments to a group of 12 people known as a "jury". Apparently then the "jury" decides the outcome of the case based on whom they believe.

      The way "they" prove refusal to co-operate is usually to put the defendant on the stand and ask him lots of questions about it.

      It's pretty simple really.

  17. JakeyC

    Maybe he's innocent...

    ...maybe he ain't. But 16 weeks for not handing over a password when you can lamp someone in the face without getting locked up for that time - if at all - is unnecessary.

    Two questions -

    1) How can they tell the length of the password?

    2) If they know it's 50 chars, what makes them think they can 'crack' it?

  18. Stuart 22

    Doh!

    One assumes our friends in Cheltenham were more helpful. So why not just stuff him for the price of the decryption rather than send a man of previous good conduct to a university of crime where his IT skills may open up more serious career opportunities than he is likely to get on civvy street.

    If on the other hand the guys from the big G can't crack it ... then why do we 'ave 'em?

    1. Anonymous Coward
      Black Helicopters

      The big G probably can crack it

      The big G probably can crack it but they might not want the world and his cat to know they can.

      Or maybe they can't but want you to think that they can by not saying they can crack it.

      Either way why blow your trump card on some lad with a laptop full of kiddie pr0n.

      Criminals get lots of information on police techniques from evidence disclosed in court.

  19. Anonymous Coward
    Anonymous Coward

    Quis custodiet ...

    "Oliver Drage, from Naze Lane, Freckleton, Lancashire was arrested in May as part of an investigation into child sexual abuse images."

    Funny how the news articles haven't said a thing about this investigation such as specifically what was being investigated, whether anyone else was investigated or arrested, what the police's reasons were for believing Mr. Drage was involved in child sexual abuse images, and whether or not those reasons were so compelling it warranted a thorough search of the bloke's hard-drive?

    > His computer was seized by police who were unable to access some material on it thanks to a 50-character encryption password.

    'Some' material? Anything else to say about that, perchance? What size of material? A suspiciously large size, or something tiny? What was it about the hidden material would give rise to the suspicion that it was related to child sexual abuse images?

    > Only one other person has previously been imprisoned for this offence.

    Yup, and what a non-threat he turned out to be. Another victory for the legal profession. Yay for the justice system! *farts*.

    > Det Sgt Neil Fowler, of Lancashire Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence," PA reports.

    The courts always take the view that anyone who refuses to co-operate with the police is up to no good, which is odd because it flatly contradicts the principle of 'innocent until proven guilty'. More like 'innocent until your behaviour looks a bit sus and then, despite having little or no evidence, we'll give you a quick blast in the cells to see if that loosens your tongue'.

    "Police say they are still trying to crack the password."

    Good luck with that.

    1. Anonymous Coward
      Anonymous Coward

      News

      I seem to recall that Radio4 news either last night or this morning, said that there were a bunch of people the rest of which had been sent down. I may be mis-remembering and to be honest I can't be arsed to check it out, what with being at work at the moment...

      Also, it's interesting that he refused to tell them the password rather than claimed he couldn't tell them the password, maybe this is how they know it's a 50 letter password?

  20. Anonymous Coward
    WTF?

    50 chars?

    .

    .

    How do they know how long the passphrase is?

  21. Anonymous Coward
    FAIL

    Child abuse images??

    He's 19. My bet's on he has photographs of his 17 year old girlfriend and somehow the old bill found out and wanted a look themselves. He's barely left childhood himself.

  22. copsewood
    Big Brother

    rubber hose cryptanalysis

    I can't really see any difference in principle between the use of torture to obtain a password or the use of imprisonment. Many will argue that he must have been doing something wrong, but nothing has been proven against him other than breaking the controversial law on which he has been imprisoned. There is a wealth of legal tradition that he should not be obliged to provide evidence to be used against himself which this provision of the RIPA ignores, including the US 5th amendment, the right to remain silent, innocent until proven guilty, and ECHR convention articles concerning fair trial and privacy rights.

    Black people in the southern US who sat on the wrong seats on segregated buses in the sixties and earlier were also breaking bad laws which did not stand up once finally tested against the US Bill of Rights. This case is little different.

    http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

    1. scrubber
      Megaphone

      Revolution

      Except they had a 5th Amendment.

      We have nothing. There is no right we have that cannot be taken away by the government, with the exceptions of those we have signed up for in Europe. But we ignore those too, and simply accept the fine.

      I want a Bill Of Rights. And a Constitution limiting what government can do.

      1. dssf
        WTF?

        How do you put up with not having a 5th?

        It seems to me that this is the sort of thing that led to thousands of people fleeing tyranny and coming to what now is the USA. If there were another habitable, "accessible" hunk of lightly populated land, would this lame law be sufficient trigger for a modern-day exodus?

        OTOH, way back when there was a chance to possibly still-birth any creation of the USA, but the powers that were didn't deem their subjects uncontrollable nor deem them worth appeasing sufficiently and more. So, I wonder how long it will take for the UK (irrespective of its unique local terror issues and hugely diverse population from all parts of the world, and that in itself making for a huge potential for undiscovered plots and mischief in the planning) suje.. population to FORCE its will for a wee bit more protection.

        All that said, we have enough corruption and incompetence here in the USA to make the 5th irrelevant for some hapless citizens and residents. By the time a sensible judge rules in favor of the accused, the local cops and district attorney generally have wrought their irreparable and uncompensateable damage. Just look at how many people every year or two are exonerated by new DNA testing, years to decades after being wrongly (and maliciously) accused, charged, and convicted so some DA can look productive or proactive.

        The police found porn on a YOUTH's computer. They have enough to send him to some reform or rehab, or crime diversion/aversion courses. But, not satisfied, they persist to break his ball$ over some encrypted files they JUST WANT TO KNOW THE CONTENTS OF, and so they use on him laws best applied to bona fide terror threats.

        There are people, sheep, and sheeple... and the world is rife with powermongers and crusaders even when good enough is good enough...

      2. Alan Firminger
        Grenade

        The government

        The government has the power of the monarch, it is HMG . That cannot be limited.

        Republic now.

        1. Michael H.F. Wilkinson Silver badge

          In the Netherlands

          there is a monarch, but also a constitution

          And a complete idiot wanting to scrap discrimination paragraphs from the constitution, unfortunately.

  23. Anonymous Coward
    Thumb Up

    I say...

    good on him

  24. csaenemy
    Unhappy

    Police State

    I remember a time when a crime had to be committed and proven to have been committed before sentencing could take place

    1. Anonymous Coward
      Boffin

      RE: Police State

      The crime he has been convicted of and sentenced for is the "crime" of not revealing his password in order to prevent the cops from looking at his encrypted data.

      Totally separate to the charges relating to child abuse images, which they will likely prosecute for if they crack the encryption.

      Don't get the two things mixed up, they are quite distinct.

      1. Bod

        Dickens

        "The crime he has been convicted of and sentenced for is the "crime" of not revealing his password in order to prevent the cops from looking at his encrypted data."

        A "crime" that would have made Dickens spout about asses.

        1. Anonymous Coward
          Anonymous Coward

          @Bod

          If the Police have a warrant to search your computer, how is refusing to allow them access to an encrypted file (as opposed to claiming you can't because you've forgotten the password, etc) any different from barring their access from your house, if they have a warrant to search that? I don't see why this implementation of this particular law is a problem. Had the guy said that he couldn't give them the password because he'd forgotten it, that would be a different thing.

          1. Vic

            @AC

            > If the Police have a warrant to search your computer

            What about when they don't have a warrant to search your computer?

            None is required for a Section 49 notice :-(

            Vic.

          2. Anonymous Coward
            FAIL

            "Had the guy said that he couldn't give them the password because he'd forgotten it..."

            You are aware that just because someone claims something, it doesn't make it true. (That applies just as much to the police).

            Real justice is based on evidence of wrongdoing.

            Unfortunately, British justice is based on accusation of wrongdoing. And it STINKS.

  25. Anonymous Coward
    Anonymous Coward

    Jim needs a job

    The Reverend Gamble is in need of gainful occupation these days. Give him a pen and some nice clean paper and he can write down all the permutations till he hits password paydirt. His halo will remain intact AND it may well prove more useful than a panic button on every website.

  26. JaitcH
    WTF?

    So much for British Freedom of Speech and a Man's Home is his Castle

    Another Blair/Brown/Blunkett version of 'justice' British style.

    Hope the guy has the wherewithal to last out his sentence. Maybe by then he could plead amnesia.

  27. Just Thinking

    50 characters - try the obvious ones

    antidisestablishmentarianism?

    Oh, not quite long enough.

    What was that Welsh village called? Or maybe it is some sleb's kids middle names?

  28. Anonymous Coward
    Thumb Up

    What encrypted files?

    http://www.truecrypt.org/docs/?s=plausible-deniability

    1. The Original Ash
      FAIL

      I've said this earlier...

      ... but I'll say it again. You cannot prove you don't have a hidden volume, so the implication is that you always have one. When asked for the password for the hidden volume, you will say "I don't have one."

      They will say "Prove it."

      You will say "I don't have to."

      They will say "We didn't find anything on your encrypted volume, so it must be in the hidden one."

      You will say "I don't have one."

      They will say "Prove it."

      You will say "Oh."

      They will say "Free room and board, 2 years."

      1. Ian Davies

        Sorry, but that's BS

        First off, an unmounted TC volume has nothing that identifies it as such - no file header, no volume map, nothing - so until you actually try and mount it with TC then it's a block of random 1s and 0s. If you have encrypted a whole physical drive then the OS actually reports it as unreadable if you don't mount it via TC.

        However, let's leave that aside and assume that you want to give up the password to the outer container in the interests of apparent co-operation. Once it's mounted there is again nothing in the volume to suggest that a hidden volume exists. The outer volume will report its size as occupying the whole of the TC volume, and the integrity of the hidden volume is utterly dependent on you not writing files past the offset point that you specified when you created it.

        If the authorities have been monitoring your PC and have had access to it to get before/after snapshots then there *may* be enough to introduce reasonable doubt, but it's highly unlikely that plod will have had physical access to your PC while you were still using it.

        As stupid as the law is over forcing you to hand over passwords, it doesn't give them the power to convict you of theoretical crimes that you have no reasonable way of disproving.

        I can't prove that I haven't cast a magic spell to kill someone, but the mere accusation of such isn't enough to get me burnt at the stake for witchcraft.

        I have as much contempt as the next man for Blair and the authoritarian bunch of arsewipes that screwed our country over, but unless you can point to actual documentation of the scenario you describe, it's just paranoid fantasy.
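The technical claim in this post, and in the earlier remarks about garbage files and copies of /dev/random, is that well-encrypted data carries no statistical signature. The following is an added illustration, not part of the original thread: it runs the byte-frequency tests a forensic examiner might apply over constructed samples. The SHA-256 keystream cipher is a stand-in assumption, not TrueCrypt's algorithm, and every sample is constructed.

```python
import hashlib
import math
import random
from collections import Counter

SAMPLE_SIZE = 256 * 1024  # bytes per sample: 1024 expected hits per byte value


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in stream cipher: XOR with SHA-256(key || offset) blocks.

    NOT TrueCrypt's cipher or mode. It only stands in for "output of a
    sound cipher" so the example needs nothing beyond the standard library.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = plaintext[offset:offset + 32]
        out.extend(p ^ k for p, k in zip(chunk, block))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (8.0 is the maximum)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of byte counts against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def consistent_with_random(data: bytes) -> bool:
    """True when byte frequencies fit uniform noise.

    With 255 degrees of freedom the statistic has mean 255 and standard
    deviation about 22.6; the band below is roughly six deviations wide.
    """
    return 120.0 < chi_square(data) < 400.0


def build_samples() -> dict:
    """Three constructed samples: readable text, ciphertext, plain noise."""
    text = (b"Constructed sample plaintext: quarterly figures, meeting notes, "
            b"holiday photos index.\n")
    plaintext = (text * (SAMPLE_SIZE // len(text) + 1))[:SAMPLE_SIZE]
    ciphertext = keystream_encrypt(b"constructed-demo-key", plaintext)
    rng = random.Random(2010)  # fixed seed so the run is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_SIZE))
    return {"plaintext": plaintext, "ciphertext": ciphertext, "noise": noise}


def report(samples: dict) -> dict:
    """Map sample name -> (entropy, chi-square, consistent_with_random)."""
    return {
        name: (shannon_entropy(data), chi_square(data), consistent_with_random(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (entropy, chi2, verdict) in report(build_samples()).items():
        print(f"{name:10s} entropy={entropy:.4f} chi2={chi2:12.1f} "
              f"consistent_with_random={verdict}")
```

The ciphertext and the noise land in the same statistical band, so byte statistics alone cannot say which one a given blob is; evidence of a hidden volume has to come from elsewhere, such as the before/after snapshots mentioned above.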

      2. Steven Jones

        Burden of proof

        The burden of proof for there being an inner encrypted volume would be on the prosecution. They would have to show beyond reasonable doubt in a court of law that such a volume existed which, if you are competent, can't be done using technical means alone. There would have to be evidence, maybe related to personal behaviour or some such which would stand up in court. That will be difficult.

        However, the "denier" would have to be very careful indeed as there are plenty of ways that the existence of such an encrypted partition and its activity can be detected unless the right precautions are taken.

        Another thing to note is that who knows if it will be possible to break some encryption in the future using new techniques. As far as I'm aware, with the sole exception of quantum and true "one time" encryption, then there are not mathematical proofs that these schemes can't be broken using some future mathematical principle. If that happens, then decrypted copies of old data might come back to haunt a few people.

      3. Scorchio!!

        Correct

        Yes, that is correct, you can only be convicted where you have committed a provable offence. That is to say *evidence* must necessarily be offered. In the scenario you describe no evidence is offered. Even if a fool in the CPS (and quite a few exist) allowed arraignment, no judge in their right mind is going to allow conviction; the jury would be directed to satisfy themselves that evidence of an offence had been supplied, were the case even allowed to proceed.

  29. mark l 2 Silver badge

    refusal or forgetting password

    Sounds like he was sentenced in front of magistrates rather than taking it to trial in front of a jury. How can the police prove that he is refusing to give the password for the file? He could have forgotten it or simply not know the password. I've downloaded rar files from rapidshare/torrents/forums etc that are passworded and not every time does the password work. If said files were then in my recycle bin and the plod came a knocking I wouldn't know the passwords for them and would rather face a jury than accept that I was guilty for not providing the password.

    1. Sooty

      it doesn't really need to go to a jury

      The crime was carefully worded by our last government, composed mostly of lawyers, as "failing to provide" not "refusing to give".

      As far as the conviction goes, he has been asked, and he didn't provide it, so he's committed a crime! The reason why he didn't provide it doesn't get a look in. I'd assume there are some specific defenses based on "inability to provide" written in to avoid really, really bad press, but again, based on the lawyer backgrounds, these will also be as carefully worded.

  30. Anonymous Coward
    Anonymous Coward

    "Drage was previously of good character"

    If the judge believes that why do they want to access his hard drive?

  31. Anonymous Coward
    Alert

    UK democratic free country that respects civil liberties? or abuse of the state?

    It's disgusting how this law was brought in by New Labour's Jack Straw and is now being used by the zealous state police. Are we living in some 3rd world dictatorship?

    We definitely need a repeal of this outrageous abuse of state power on individual civil liberties. Every human being should have a right to privacy and right to remain silent in a free democratic society! New Labour was the big brother govt that brought in all kind of laws infringing on everyone's personal and family life. It's time we all woke up to these abuses of legislation and lobby the government to change them.

  32. Anonymous Coward
    Anonymous Coward

    Sorted!

    http://en.wikipedia.org/wiki/Deniable_encryption

  33. Anonymous Coward
    Anonymous Coward

    Shocking

    I assume the traffic approach is coming to criminal law - guilty until proven innocent?

    You cannot condone child porn but I think this youf has done the right thing. Civil liberties are more important than his collection of sexts on his PC.

  34. Anonymous Coward
    Big Brother

    What happened to the other one...JFL?

    .

    .

    It has been almost a year since they sectioned that other guy, JFL? Is he still in a secure mental unit? Did they ever return all his stuff? In his case I don't think they even came up with a reasonable suspicion of what illegal material he might have encrypted.

    We're getting into the realms of not just "victimless crimes" but "crimeless crimes" with RIPA aren't we?

    "Doublethink means the power of holding two contradictory beliefs in one's mind simultaneously, and accepting both of them." -- George Orwell

  35. jimbarter
    Big Brother

    Repeat Offence

    I suppose he has been told by his lawyers that when he gets out they'll ask him for the password again?

    ...another 16 weeks.

    ..and again?

    ...etc.

  36. ShaggyDoggy

    21 not 18 or even 16

    Look it up ... for the purposes of paedo-laws you are a "child" until 21

    1. The Original Ash

      Wrong.

      You are a child until 18.

      At 16, you may engage in consenting heterosexual sexual activity with another person over the age of 16.

      At 18, you may engage in consenting homosexual sexual activity with another person over the age of 16. You may also take or pose in pictures of a sexual or lewd nature at this age, but not before.

      Therefore, you may get down and dirty with your neighbour's 17 year old daughter, but you're a pervert on the sex offenders register if she "sexts" you a pic of her boobs, regardless of consent.

      1. Anonymous Coward
        WTF?

        Does not compute!

        "At 18, you may engage in consenting homosexual sexual activity with another person over the age of 16. "

        So just ONE of them has to be 18? Or just one of them has to be consenting?

        1. The Original Ash

          Apologies, Re. Homosexual activity

          18 years is the age of consent for homosexual sexual activity, and for taking or appearing in sexually provocative images.

          What qualifies as "sexually provocative" is left up to Daily Mail readers, by the state of things. Bearing in mind that people have married a fence, the Eiffel Tower, plus Rule 34, pretty much everything made after 1992 is illegal in this country.

          Go figure.

          1. Anonymous Coward
            Stop

            Huh?

            "At 18, you may engage in consenting homosexual sexual activity"

            "18 years is the age of consent for homosexual sexual activity"

            ---------

            Where are you getting this from? The age of consent for homosexual activity is 16, not 18.

            This has been the case for the last 10 years.

          2. Anonymous Coward
            Anonymous Coward

            Age of consent is 16 for everyone.

            Correction: The age of consent for homosexual activity was lowered from 18 to 16 a decade ago.

          3. Anonymous Coward
            Anonymous Coward

            re age of consent

            It's actually 16 years old for homosexual sexual activity as well - it was lowered about 10 years ago despite the best efforts of the House of Lords.

          4. Anonymous Coward
            Anonymous Coward

            You're out of date, Ash

            The age of consent for homosexual acts was lowered to 16 in 2000 after three previous attempts (1994, 1997, 1998) had been rejected by the Lords.

          5. Scorchio!!

            I don't think so

            ISTR the New Labour government lowered the age of consent for homosexual acts to 16.

      2. Bod

        The actual age doesn't matter

        If the image pretends their age is younger, or even if it's a generated or cartoon image, then it could still count. So if you have a 21 year old girlfriend and she dresses up like she's 12 and you take a porno photo of her, then it's kiddy porn and off to jail you go, signing the sex offenders register on the way. In the UK that is.

        Send that photo to someone, or just even edit it and you're busted for "making" indecent images. Which of course is reported by the Daily Mail and the likes so you're assumed to then be a kiddy porn factory. Brick through the window and lynch mob time.

      3. Anonymous Coward
        Coat

        Really?

        At 18, you may engage in consenting homosexual sexual activity with another person over the age of 16. You may also take or pose in pictures of a sexual or lewd nature at this age, but not before.

        Hey, isn't there a glaring contradiction here? At 18 you may engage in consensual homosexual activity with someone over the age of 16, but that person may not, since he/she is not yet 18, and therefore may not engage in consensual homosexual activity until the age of 18!

        Mr Bumble was indeed right!

        I'll just get my Beadle's coat.

  37. Anonymous Coward
    Black Helicopters

    I can't remember..

    I can't even remember my password for El reg without a password reminder email occasionally and as it's the same as my credit card pin number! (or is it.......)

    Therefore I'm pretty sure I would have trouble remembering a 50 odd character password!

    That's my excuse anyway.

  38. Anonymous Coward
    Alert

    Encryption truth

    A lot of posters are commenting on the fact that, how could the police know the password was 50 characters in length. Yes, he could have told the Police which is likely a red herring if he did. Anyone who uses passwords on a regular basis (which I do - over 2000 and wrote a database to manage them) will know 50 characters is a freakishly long password and too round a number to be realistic. But most posters are missing the point here and that is what encryption was used. Did he use AES 256 then likely it would take the Police 50,000 years to decipher or did he use 3DES with a 128bit key then, they may well crack it with the right hardware. I think the charged would have said a 50 character password if the encryption was weak - I would have.

  39. Paul_Murphy

    Read 'Little Brother'

    or indeed anything by Cory Doctorow.

    Very good story in its own right, but very applicable to this so-called 'war on terror'/'think of the children' scare-mongering that seems to be a government favourite.

    OK, so he may have an encrypted file with all sorts of child porn in, but then again he may not - obviously without opening the file people will never know - but it seems to me that if he is guilty there must be more than just the contents of a file to get him convicted.

    Does that mean that if I encrypt a file and ftp it, to as many publicly-accessible machines as I can get anon access to, that I could get their owners in trouble? After all they will not have the password to that file either.

    It smells to me as if the Police don't have anything else to use, so have been forced to go this route.

    ttfn

    1. John G Imrie

      You don't need to FTP it

      Just email it to letters@dailymail.co.uk

  40. Anonymous Coward
    FAIL

    It will take 50 years to crack that...

    And they will find out the kid is innocent (after they cracked the pw) and he was jailed in unlawful manner. Only the time for "not cooperating with authorities" can be legal. FAIL.

    or....

    The crime prescribes in 50 years or less and he can't be convicted anymore. FAIL.

  41. Arclight

    Gene Hunt would be proud

    I wonder if they can apply this kind of thinking to other cases.

    "What were you doing on the night of the 18th, when she was murdered?"

    "I don't know"

    "You're refusing to tell us?"

    "No, I just can't remember"

    "You're nicked, sonny"

    1. Steven Jones

      Not quite...

      You can only be arrested if there is reasonable suspicion of committing an offence so being able to remember or not at that time is not really relevant except if you were able to provide an alibi which the police could check.

      In the event, then if it did come to court and still stated you could not remember then it will be up to either the jury or judge/magistrate (depending on the circumstances) to decide on the credibility of this lapse of memory. If the 18th was three days ago then that's going to be a very different thing to the previous "right to silence". Of course there is also the "right to silence" where the rules have changed. Now if you don't answer questions during the interrogation that can be taken into account.

      Note that there was never a "right to silence" in court if you were being cross-examined. That right could only be exercised if you weren't called to testify by the defense (the prosecution had no right to call the defendant to testify - only to cross-examination if he/she did appear as a defense witness).

      If you couldn't recall a password for an encrypted file and pleaded that you had forgotten it, then it would be up to the prosecution to prove beyond reasonable doubt that this was not the case. If you had a whole-disk encryption and other evidence was such that the machine had been in use the previous day, then the amnesia claim might not hold water. However, if you had a three year old file that was encrypted and hadn't been accessed since, then that would be a different thing.

      1. Vic

        Another title

        > If you couldn't recall a password for an encrypted file and pleaded that you had forgotten it, then it would be up to the prosecution to prove beyond reasonable doubt that this was not the case.

        That is not the case.

        RIPA 2000 makes it a criminal offence to fail to supply a password in response to a Section 49 notice. This notice may be issued by a number of "authorised" persons (many of whom are not judiciary) if that authorised person believes that there is encrypted info in your possession. It is not even a defence to claim that the alleged encrypted dump is nothing of the sort - a court could still send you inside for up to 5 years.

        It's one of the worst laws we have on the books. I hope this example might get someone in authority to repeal such draconian nonsense - but I doubt anyone will :-(

        Vic.

  42. Peter X

    Re TrueCrypt and plausible deniability

    One thing occurs to me; I use TrueCrypt to encrypt backup data. If the plod decide I might be a terrorist or whatever and pull me in for questioning, and I give them my password -- no point in me not given that there's nothing more exciting than my bank details -- surely there's still the possibility that I've not told them the "other" password, and therefore I must be guilty?

    So even though I don't have a hidden part of my TrueCrypt data, no one can prove that I don't and therefore I may not have disclosed a password!!

    Seriously... this is nuts!

    Also, what if I've simply created a file in some app or other, passworded it, and then forgotten about it? E.g. if I'm testing the application. Or if I've genuinely lost the password but I've not deleted the file.... because of course, I wouldn't because I'd be hoping I'd find/remember the password at some juncture. And *then* I find that because of this I'm guilty.

    I honestly can't believe this can be legal.

    I can understand why this is an issue to the police/MI5/who-ever, but their approach is terrible. Would they not be better keeping the encrypted data on file and waiting until they do have the tech to decrypt? In many cases I'd expect there will either be a crack discovered which weakens the encryption algo and certainly there will be more computing power available for brute-forcing over time, so I'm sure they'd have the tech to decrypt within 10 years? Not ideal I guess, but better than throwing people in jail for a different crime.

    1. Anonymous Coward
      Unhappy

      my company makes me encrypt

      I've got an encrypted hard drive, mail databases with another level of encryption and yet a third on any USB keys I carry. It's not a UK company but I travel to the UK. If I was asked to divulge I'd be in an awkward cleft between my terms of employment (saying I can't tell anyone outside the company my password) and the UK law. To add a level of complexity, sometimes some of that data contains information which is confidential to departments of non UK governments and my company would be in legal trouble (or more important to it, would face financial penalties and possibly be excluded from future work) if it agreed to expose it.

      1. Graham Bartlett

        @AC, company makes me encrypt

        No you wouldn't, any more than you'd have a conflict between your company asking you to attend a conference by a certain time and the police pulling you over on the way. Your company might penalise you for having been speeding, but they can't tell you to force the cop cars off the road.

        Employment law is absolutely, totally, without-a-shadow-of-any-kind-of-doubt clear that an employer cannot tell you to do anything illegal. You can tell the cops all this, and you can call your company's lawyer in. But if the cops insist on it being decrypted, they get it.

  43. Anonymous Coward
    Anonymous Coward

    this kind of shit is why,

    whatever I'm downloading; I stick it on a usb stick or memory card and then clear all index.dat files etc.

    1. Bod

      and...

      ... use a secure wipe when you've deleted your files (with a heavy duty 7 pass or more secure wipe algorithm), wipe caches, temp files, and secure wipe your pagefile (contains chunks of memory that was in use at the time), and don't use hibernation files? Even then, burning the hard disc is about the only safe way to really delete the evidence against a truly determined analyst.

      And then of course your memory stick has all the incriminating evidence, complete with your finger prints.

      and when you've burnt the memory stick, you've been round to the ISP to wipe the logs of what you've downloaded and the caches from the proxies all along the way that contain copies of your data.

  44. NBCanuck
    Thumb Up

    Look at it another way....

    Say the police had a warrant to search your house and you had done something to make that impossible. You are obstructing justice. Whether the warrant is justified or not, once it has been issued they have the right to the search.

    Once the police obtain the right to search the laptop any method used by the owner (i.e.: encryption) is interfering with a lawful search.

    The whole encryption thing is intended to protect company secrets or personal information and I cannot think of any reason why the police should not be provided with the password. If they misuse the info I also believe that the owner has the right to sue the heck out of them.

    1. Just Thinking

      Broken analogy

      It is more like the police having a warrant to search your caravan and asking you where it is parked. How do you prove you don't own a caravan?

      1. david wilson

        @Just Thinking

        >>"It is more like the police having a warrant to search your caravan and asking you where it is parked. How do you prove you don't own a caravan?"

        In the case where there clearly is an encrypted file, and the person doesn't deny that that's the case, then it's pretty much exactly like someone having a safe on their premises.

        As for cases where passwords may have been lost, or cases where it's not provable that an encrypted file actually exists, etc, I guess we'll have to wait until a case like that gets heard in court.

        Of course, someone trying to /falsely/ claim in court that a password was lost/forgotten or that hidden data really was hidden might have to be very confident that the reverse really couldn't be proved in the future, possibly even long into the future, if they didn't want to risk what they said coming back to bite them.

    2. david wilson

      @NBCanuck

      That's pretty much how I see it. (Though misuse of seized data should be a criminal offence as well as a civil one).

      If the police had a warrant to search my house, and I had a safe which I *refused* to give them the combination to, and which they would be unable to break into (say it had a mechanism to detect tampering and destroy the contents) that's a reasonably fair analogy to refusing to hand over encryption keys. There's nothing magically more private about data on a computer than data anywhere else.

      Whether I'd be committing a crime depends on whether I actually have a legal right to frustrate a search, not on whether I have a right to avoid self-incrimination.

      Now, if I'd said that I *didn't know* what the combination was, then I guess it would come down to how plausible my story was to a magistrate or a jury.

      If they disbelieve me sufficiently, they may still find I've deliberately frustrated a search.

      1. arkhangelsk

        Don't think this is so good an analogy

        Actually, your example will be more akin to locking up your computer. A more akin analogy would be me hand-writing my documents in an illegible mess that only I can read. The police with their warrant can confiscate those documents all they want and bring in professional writing analysts to decipher what I've scribbled, but I don't think they should be allowed to force me to read its contents out loud for their convenience, otherwise it defeats all visage of the incrimination thing.

      2. Paul_Murphy

        Another way to look at it.

        In the 'your house is being raided' scenario, if you handed your front-door, back door and shed keys to the police they could still be locked up afterwards and no-one aside from the holder of the keys could then access those areas.

        If you write out, say or otherwise divulge your password to whatever files etc. you may have then anyone can then access those files.

        I would have thought a more logical approach would be to get the owner of the files to unlock them - actually knowing the password is pointless, it's knowing the contents of the files is of a criminal nature and that it is provable that the 'accused' is able to access that file.

        If they refuse to unlock the file it would then come down to the 'can't or won't?' question which should be handled by a jury with access to the information that led the police to the persons door in the first place.

        ttfn

    3. Velv
      FAIL

      So looking at it the other way?

      What happens if you have a safe, and you refuse to give them the combination?

      You have the right not to incriminate yourself. This trumps the obstruction of justice (or it did, until RIPA was brought in).

      While I understand that most sensible people with nothing to hide would just hand over the password or safe combination, the right not to incriminate yourself is a fundamental feature of our law. Without it, how many forced confessions or fake statements would appear in court? Most of our Police would never do this, however given the pressure from the media to obtain results, you can see why it happens.

      1. Anonymous Coward
        Anonymous Coward

        Re: So looking at it the other way?

        Sorry, there are a bunch of posts mentioning the right not to incriminate yourself, but this is completely bogus. The right not to incriminate yourself is NOT a right to obstruct an investigation.

        Providing a combination or a key to a safe is not, in itself, self-incriminatory, even if the contents of the safe may incriminate you.

        Providing an encryption password is not self-incriminatory either.

        I really don't see the distinction as being particularly subtle -- it seems bloody obvious.

        In general, you cannot prevent police from gathering information that they have a legal right to gather -- and nor should you be able to. Encryption is a special case, since it may be (practically) impossible for them to gather the information without your co-operation, but I really don't see the difference, in principle, between that and them subpoena-ing documents for example. If the cops show up at your house with a warrant to collect some documents that they know you have, you have no right to lock your door and run in and burn them.

        Note, I'm not commenting on the particular implementation of this law. If the law is, as some have commented, specifically "failure" to provide, as opposed to "refusal" to provide, and you can be prosecuted for forgetting, or perhaps never even knowing the password, then the implementation is moronic.

    4. Anonymous Coward
      Anonymous Coward

      @ NBCanuck

      Alternatively... the fuzz come to your house with a warrant. You are there, your house is there, your possessions are there.

      Well, this bloke is in jail, and his laptop is where? With who? Data is a heck of a lot easier to invent/falsify than a signed paper document (which can be proven to be genuine or not) and so there should be provisions made accordingly.

    5. A J Stiles
      Thumb Down

      @ NBCanuck

      Have you handed over copies of your front and back door keys -- together with the necessary tools to unlock your bathroom and bedroom doors from the outside -- to your local police station?

      And if not, why not?

      1. Anonymous Coward
        Anonymous Coward

        @ A J Stiles

        Well duh, for exactly the same reason that you don't have to provide police with every encryption password you use before they get a warrant -- you have a right to privacy (albeit not an absolute one). But once they jump through the legal hoops, yes they can search your house and your bedroom and your bathroom, and you have no legal right to prevent them.

        And I'm sure, if someone came up with some kind of a front door lock that was unpickable and the house was otherwise impossible to break into, they would come up with a law that said you had to provide the key, if in your possession. And I have absolutely no problem with that.

    6. Eden
      FAIL

      RE The comparison to house search

      For all those setting up the strawman of "Warrant to search the premises"

      If the police picked you up from your place of work or off the street and told you they had a warrant to search your house and you said

      "Fine but I've lost/broken my house key and don't have a backup copy".

      You would NOT go to jail for 5 years for losing your f***ing door key, they would just break in and search the house.

  45. Red Bren
    Big Brother

    Fishing trip?

    When plods demand access to encrypted data, do they have to specify exactly what it is they are looking for? Or can they demand access on the pretext of terrorism/kiddiepron/<insert panic of the day here> and then prosecute if they find something else they don't like?

    Perhaps the lad didn't want to reveal details of his drug dealing empire, or the investigation he was doing into corruption in his local force?

  46. Winkypop Silver badge
    Thumb Down

    Tough justice indeed

    Guy sets password

    Guy gets arrested

    Guy won't disclose

    Guy gets leaned on, stressed

    Guy goes to court

    Guy gets gaol

    [time.............]

    Guy genuinely forgets password

    Guy won't disclose

    Guy gets leaned on, stressed

    Guy gets gaol

    [repeat]

  47. xS9
    Stop

    Same Crime Twice?

    I may be completely wrong here,

    But you can't be convicted of the same crime twice? If he has been convicted for not providing the password for a certain file... he can't be convicted for the same crime again?

    1. A J Stiles
      Thumb Down

      No

      Unfortunately, you are completely wrong.

      Tony Blair's government abolished Double Jeopardy in order to secure a conviction. Gordon Brown abolished the Law Lords. If Labour had been re-elected, you can bet Nulla Poena Sine Lege would have been next -- they were already grooming the public to accept it.

      1. jonathanb Silver badge

        Re: No

        Double jeopardy means you can't be tried for the same offence again if you were found not guilty first time round. That was what they abolished so they can keep taking you to court until they get the "right" result. However, once they get the guilty conviction, I don't think they can prosecute again.

        1. Scorchio!!

          Correct

          You are indeed correct; one cannot be punished more than once for committing an offence. It is one of the major bases of law and, were it overturned, there would be little point in the civil populace remaining civil. Such a condition would indicate revolution, the overturning of government, and of a fair law. Punishing an individual more than once for an offence would make the law no better than an offender, walking down the street and assaulting people for no reason other than dislike.

      2. Anonymous Coward
        Anonymous Coward

        @AJ Stiles

        Actually you can't be convicted for the same crime twice, in exceptional circumstances, you can be tried for the same crime twice.

      3. Ocular Sinister

        @ A J Stiles

        Tony Blair may have been the driving force, but I don't recall there being much resistance from the other parties. The Tories in particular have a poor track record on civil liberties. For example, their manifesto included a pledge to abolish little inconveniences like the human rights act that prevent them getting really down and dirty with you, should the need arise. Roll on AV which will give us a chance to vote for who we want without putting who we *don't* want in charge!

        1. A J Stiles

          You have a point.

          You have a point there.

          For that matter, I don't remember the Queen hesitating much over giving her royal assent to any of his measures.

    2. JaitcH

      @ Same crime twice

      Sure he can as he is continuing to commit the alleged crime or disobey a court.

      Sounds like Russian justice.

      1. Scorchio!!

        Wrong

        If he is "continuing to commit the alleged crime or disobey a court" he continues to commit offences other than the original one. For the original crime he cannot be charged again. The emphasis here is on "continuing to commit", rather than 'did once commit and was punished for'.

    3. Sooty
      WTF?

      @xs9

      Unfortunately, with this particularly bad law, you are not tried for the same crime twice. Every time you are asked (given an official notice) and fail to give the password is a completely separate crime.

  48. Steven Jones

    JoK

    David Allen Green AKA Jack of Kent is going to cover this on his next blog. He's a well known liberal, yet sees there is an obvious conflict of human rights here. The first is the right to privacy against that of handling serious crime; terrorism, paedophilia and the like. As usual, the normal libertarian fringe element sees this in a singularly one dimensional way.

    Now this is not to say that there are real issues which could lead to a miscarriage of justice such as forgotten passwords. Then there is the whole issue of "plausible deniability".

    Incidentally, failing to reveal a password is not the only case where you can find yourself in legal difficulties for not providing information. For example, if you give somebody permission to drive your car and an offence is committed, and you don't reveal the name then you can be in difficulties. If you don't reveal information demanded by a court order then that will also get you into the realm of criminal law.

    1. Anonymous Coward
      Anonymous Coward

      Not quite...

      Regardless of what offence may (or may not) have been committed, anyone who is accused of something has rights.

      If someone points at you and screams "child murderer", you have the right (and expectation) to be protected from assaults and vigilantism as well as to (legally) defend yourself (physically and in a court). The Daily Wail readers will however, wish to see you strung up regardless, due to the alleged offence, rather than any proven evidence.

      We used to have a large set of rights, which have been withdrawn, and the burden of proof now lies not with the authorities, but with the accused. How can anyone prove if someone does or does not remember or know something?

      Arrest != Charge

      Charge != Conviction

      Conviction != Guilt

      The problem is that there is seen to be NO leeway for innocence. Your traffic/car example is a case in point - get done for speeding = 3 points and a variable fine (if taken to court). Failure to disclose the name of the driver = 6 points and a £1000 fine (failure to comply with a Section 172). Assume mum, dad and two children all use the same car, and all drive it separately on the same day, in close succession - and someone gets a speeding ticket during the day - 14 days later the owner gets a NIP. They have to somehow prove they don't know who was driving WITHOUT making it look like they're covering it up, OR someone has to cop for a fine and points.

  49. Anonymous Coward
    FAIL

    And for not breaking the law....

    As an IT Professional, I visit many client sites, and regularly work with strictly confidential information, both commercially and personally sensitive. I have been known to work for the Government, including MoD, DWP and Department of Health.

    As a matter of course I work with encrypted media and laptops all the time, and I have a duty to my clients and the Official Secrets act to keep the information confidential.

    How does that fit with RIPA ??? In theory each and every client could be asked for authorisation to view the data, but what if one refuses - are they prosecuted instead of me ?

    16 weeks for not disclosing the password, or life imprisonment for Treason.

    Obviously this guy doesn't have that defence, but it's the exceptions to the law that prove it is fatally flawed.

    1. Anonymous Coward
      Big Brother

      I imagine

      You ask to talk with a lawyer/judge/home sec., and then say that the contents of the files are classified data pertaining to matters of national security.

      At that level you can let *them* look at it and tell the police "nothing to see".

      Of course commercial confidentiality is somewhat different, but I imagine a similar process could be applied, assuming you're allowed to tell the company whose data it is that it is being forcibly decrypted.

    2. Scorchio!!

      Terms of engagement

      If the employer is suspected of an offence an enquiry will be set up, the enquiry will have rights to access state secrets. You as a contractor may figure in their work, but you can be sure that people upstream will be crapped upon before they reach you and, in the event that no one in the state body purported to have committed the offence (a state body can be a legal actor and thus commit an offence) can be induced to cough up the truth you can be sure that you will at first be the investigating body's best friend. You can also be fairly sure that the enquiring body will be quite clear that the state body has committed an offence, show credentials to access classified material, and then politely ask you what you know and for access to said material which, it has to be said, you do not own and to which appropriately appointed senior state bodies have the right to access on the basis of need to know.

  50. Tempest
    FAIL

    British citizens have no rights, get it?

    Most countries allow the right to hold your tongue, except when it comes to the USA torturing anything out of victim's mouths - truth or otherwise, but in Britain you are practically forced to state your defence so the Plod can go about working the evidence to refute it.

    Everything is weighted against defendants which with the increasing abuse of police power it takes a very plucky young man to withstand.

    Hold your tongue, young man, and show them that not all British people are prepared to roll over, figuratively speaking, and say do it again.

  51. scrubber
    WTF?

    Crime

    Am I the only one who thinks harm, or likely risk thereof, is required before anything can be considered a crime?

    This legislation was brought in on the understanding it was to keep us safe from terrorists. NOT so that we can catch fly tippers, parents lying about where they live to get kids into schools or file encrypters.

    All power we cede to the government will, eventually, be misused against us. Limit their power, tell your MP you want a written Constitution (and a Bill of Rights).

  52. scrubber
    Joke

    OR....

    Claim to be a Catholic priest and say the data is from electronic confessions you have been taking and thus is protected...

    And if you are a Catholic priest then we already know what's in those encrypted files, don't we?

  53. carlos_c

    Lose the password

    What happens if you have a complicated password written down on a bit of paper - then you destroy the paper - ergo you cannot remember the password and the only record has been destroyed - rest of your life in gaol ?

    1. Anonymous Coward
      FAIL

      Sigh

      That'd be my preferred approach - the first half of the password is something you know and never write down, the second half is something you have written down, but is too long to memorise. If the attacker is missing either, the files are safe. The problem is convincing the judge/jury of this if you're ordered to disclose it, which is why this law is so totally fucked up. How are you meant to prove you don't know something or have destroyed something? Shouldn't it be the prosecution proving you do know something, or remain in possession of something?

      1. Scorchio!!

        Bringing us to the point

        This brings us to the point not made by the young man now languishing in a prison cell, presumably in a VP wing because the prison population will automatically assume that he is a paedophile; he does not appear to have said that he forgot the password, merely that he would not divulge it. Thus the 'forgotten password' is, in this instance at least, untested. Searching a legal database for precedent may help here. The precedent might possibly be very old, and thus a lawyer would be a useful source of skills.

  54. akicif

    Paging Mr Bolt...

    Roper: So now you'd give the Devil benefit of law!

    More: Yes. What would you do? Cut a great road through the law to get after the Devil?

    Roper: I'd cut down every law in England to do that!

    More: Oh? And when the last law was down, and the Devil turned round on you — where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast — man's laws, not God's — and if you cut them down — and you're just the man to do it — d'you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.

  55. The BigYin
    Flame

    Here's the thing...

    ...if there was nothing "sensitive" in the crypto file, most people would probably hand the password over just for the sake of convenience (but then why use crypto in the first place?)

    My crypto files don't contain kiddy porn or anything, but they do contain account information, passwords, PINs and other sensitive information on my life. There is no bloody way I am handing my password over to plod. It would mean closing every account (current, savings, mortgage etc) and then opening new ones (activity in itself that might seem "suspicious").

    So, by the simple act of trying to keep one's life in order and following good practice; one is effectively rendering oneself guilty. Thank you "Labour" and your destruction of liberty.

    I can understand why plod might want to see into these files during an investigation (especially into something like kiddy porn) but damning an entire nation in order to deal with the acts of a minority is NOT the way to do it!

    1. david wilson

      @Big Yin

      >>"My crypto files don't contain kiddy porn or anything, but they do contain account information, passwords, PINs and other sensitive information on my life."

      Plod could presumably find your account numbers anyway.

      Hell, anyone I write a cheque to has most of my bank account details.

      As for PINs and really important passwords, I'd have thought it was safer to just store /hints/ for them than the plain-text, wherever and however the data is ultimately stored.

      For most people, there's a chance that someone else could get access to their machine when such things are unlocked and visible.

      Not having the information in a generally intelligible form or easily findable could well be safer than having it encrypted.

    2. Anonymous Coward
      Anonymous Coward

      when did things change?

      All this "will somebody think of the children" bollocks anyway. Paedos, abusers, weirdos, etc. are nothing new. Maybe it's specific to my upbringing, but I can't imagine I am the only person with a great uncle, who was in his 90s, who we didn't leave alone with the youngsters as he was "a bit handsy". Or grew up in a neighborhood where we were told to keep away from x as he's a bit funny about kids.

      None of this is new, it just used to be a "bit of a joke" 15 or so years ago, that everyone knew about and thought was a little bit sad. At some point it just turned from being "a little bit sad" to being a threat to world peace!

    3. Scorchio!!

      Exactly

      My files contain similar material, plus research passwords, professional association passwords, and some actual research files for a sensitive subject that will I hope become a Ph.D. next year. I am damned if I want to hand this sort of thing over to anyone.

  56. max allan

    Can you remember 50 characters for 6 months?

    Can you remember 50 characters for 6 months?

    I have enough trouble remembering a handful of 9 character passwords after a couple of weeks on holiday, let alone 6 months spent, presumably mainly at her majesty's pleasure or undergoing stressful complicated legal wrangling...

    1. Rob - Denmark
      Boffin

      You don't have to remember 50 chars

      Just what those 50 characters are.

      It could be a prayer, a poem or a song, or something 4th, maybe in some kind of combination.

      Say, first line of your favorite song, followed by chorus from another favorite song, both sans punctuations. Maybe intertwined (alternating letters from the two) if you don't have to type it too often.

  57. This post has been deleted by its author

  58. Anonymous Coward
    Anonymous Coward

    Likely just a misunderstanding

    Clearly his password is

    "you will never guess my 50 character long password"

    1. OrsonX
      Pint

      50

      tre bien!

  59. Anonymous Coward
    Anonymous Coward

    Volatile memory stick?

    Anyone know if any companies make a volatile usb memory stick?

    Store a randomly generated decryption key (set when the encryption was enabled) on the stick and make sure the device is on a UPS. Have an additional password which you are happy to supply. Plod comes in and pulls either the memory stick or the device's power to take it away and in the process, erases the decryption key. You supplying the password doesn't decrypt the data as the key that you never knew, is lost.

    Would that stand up in court?

    1. John G Imrie

      Would that stand up in court?

      No, you did not hand over the password. 16 Months

    2. KLane
      Big Brother

      Unfortunately.....

      It probably wouldn't. How would you prove the key was on the stick, and not in your head instead, or as well? Good luck proving that particular negative. I wonder, have the previous convictions tried to use the 'I don't remember' defense?

    3. Anonymous Coward
      Big Brother

      UPS

      The police have equipment to keep up mains power while they move kit, it was a clever system which spliced into the wires then took over power and cut the mains without any drop off.

  60. L.B
    Big Brother

    The big issue with this is that IT IS possible to forget a password!

    Imagine that you decided to make a secure archive of all your financial data or source code and use a good encryption product. The reason being that you want to store it on some external site like Rapidshare or even a service provided by your ISP.

    You write the password down because it is long and difficult to remember, then put it in “safe place”. A year or so passes and that written password has gone missing, so you just make a new archive with new password.

    IF in the mean time the fuzz suspect you of something like; “looking foreign”, “wearing a loud shirt in a built up area”, “you must be a terrorist, you encrypt your data!”, and you can no longer provide that password they can now lock you up indefinitely!

    Alternatively someone who downloads some 'potentially' copyrighted material that is in an encrypted archive, and they don't see/have lost/forgotten the password can now be locked up for ever, when the maximum fine that could have been issued may be a few quid and only a civil matter, not criminal.

    Typical ZanuLabour party law making.

  61. Anonymous Coward
    Coat

    Pedant alert

    It's "innocent _UNLESS_ proven guilty". "Until" implies you'll get 'em in the end, you just have to prove it.

    Grrr.

    1. Sarah Bee (Written by Reg staff)

      Re: Pedant alert

      I think it's probably an old-English hangover. 'Until' should be taken as indefinite in this context, not as in 'until death' (a given) or 'until hell freezes over' (an impossibility) but er, somewhere in between.

      I don't think 'unless' is necessary if you take 'until' as more neutral.

      1. Steven Jones

        Gender stereotypes

        I do love it when a girl talks pedantic.

        (Yes, I know; it ought to be the adverb form, not the adjective).

  62. Anonymous Coward
    FAIL

    Y'all need to remember

    that we as the taxpayer are paying for this chap to remain in prison. When he eventually gives up his password and it is found that the data on his disk was not of any consequence, we the taxpayer should sue the justice system for wasting our money.

    1. Anonymous Coward
      FAIL

      @Y'all need to remember

      And then, the justice system will get a hefty fine, which they'll pay out of taxpayer's money...

  63. kain preacher

    Tempest

    Most countries allow the right to hold your tongue, except when it comes to the USA torturing anything out of victim's mouths - truth or otherwise, but in Britain you are practically forced to state your

    Really look at the 5th amendment.

    1. Steven Jones

      Limits to the 5th amendment

      There are, of course, limits to the 5th amendment and its scope most certainly didn't extend to Guantanamo Bay...

  64. John Murgatroyd

    The offence

    was failing to comply with an order to disclose the encryption key.

    So once released he can be asked again.

    Failure to disclose again is another offence.

  65. jonfr
    Stop

    Some people never learn...

    Some people never learn, see youtube video.

    http://www.youtube.com/watch?v=i8z7NC5sgik

  66. Alan Firminger

    Dangerous

    I recall a history long before DNA was ubiquitous. There was a serious crime in a small wood, I think a woman was raped and murdered. A local man had been seen leaving the wood. He was tried and gave no defence, so a guilty verdict then. Several years later the true culprit was found. The original guy was freed, he was gently asked why he did not defend himself. He replied : In the wood I masturbated. Moral : Make No Assumptions.

    Now the police know this. They may well be concealing what they know for sure, via credit card payments and interception of traffic. The only way I could have indecent images on my machine without the plod knowing is if I put them there locally because they have access to traffic data and can intercept and decrypt any RSA. If they know for sure what the disc carries then they are demonstrating again that they would rather conceal their omniscient powers so they can do it again, and again.

  67. damian Kelly

    Easy peasy to remember 50 character passwords.......

    The first 50 characters from a favourite book,

    The first 50 characters from pi,

    Combine the 2,

    You don't need to know the key just how the key is created....

    1. Steven Jones

      Rather too easy to guess...

      "The first 50 characters from a favourite book"

      I'd make it a bit more complicated than that. There is a finite number of books and it's easily a small enough number to try many variations on the characters at the start of a book as a standard cracking tool. You might want to try combinations from different books, or maybe at different starting points.

  69. Anonymous Coward
    Happy

    ghost filing

    Real encrypted data is disguised I bet.

    If I was bin Laden, and I needed to send out my secret instructions or whatever...

    I would, were I doing it, for instance, take something like mp3 or jpeg encryption, and in the LSB parts put my data in.

    Then the secret files could only be extracted by the right software with the correct password.

    This type of data hiding would be transparent.

    Here the file in clear. Yes it's some Hungarian nose flute music. Why don't you like Hungarian nose flute music ????

    1. Steven Jones

      Steganography

      What you describe is called steganography, and anything as crude as using the LSBs is readily detectable. GCHQ would just love it if that was what terrorist cells used. That said, there are tools to do it properly such that it cannot be so easily detected, although it's not easy. However, you can combine it with encryption as well.

      Indeed you might argue that the Truecrypt second level hidden partition encryption is actually a type of steganography in that it hides data in, apparently, areas randomised as part of a secure data deletion process.
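The detectability point in the reply above, shown as an added example that is not part of the original thread: a pairs-of-values chi-square check, which looks for the flattened histogram that LSB replacement leaves behind. The function names, the Gaussian "cover" samples and the assumption that a random-looking (encrypted) payload overwrites every sample's LSB are all constructed for illustration.

```python
"""Pairs-of-values chi-square check for LSB replacement (added example)."""
import math
import random
from collections import Counter


def chi2_upper_tail(x, k):
    """Approximate P(chi2 with k dof > x) using the Wilson-Hilferty
    cube-root normal approximation (standard library only)."""
    cube = (x / k) ** (1.0 / 3.0)
    z = (cube - (1 - 2 / (9 * k))) / math.sqrt(2 / (9 * k))
    return 0.5 * math.erfc(z / math.sqrt(2))


def pov_chi_square(samples, min_pair_total=20):
    """Return (statistic, dof, p_value) for 8-bit samples.

    LSB replacement can only move a sample between 2i and 2i+1, so a
    random payload written into every LSB pushes the two counts of each
    pair toward equality. H0 is "the counts within each pair are equal":
    a tiny p-value rejects H0 (histogram looks untouched), while a
    non-negligible p-value is consistent with embedding.
    """
    hist = Counter(samples)
    statistic, dof = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        total = n0 + n1
        if total < min_pair_total:      # too sparse for the approximation
            continue
        statistic += (n0 - n1) ** 2 / total   # Pearson term, 1 dof per pair
        dof += 1
    if dof == 0:
        raise ValueError("not enough samples to test")
    return statistic, dof, chi2_upper_tail(statistic, dof)


def consistent_with_lsb_embedding(samples, alpha=1e-3):
    """True when the pair counts are too even to rule out LSB embedding."""
    _, _, p_value = pov_chi_square(samples)
    return p_value > alpha


def constructed_cover(n=100_000, seed=1):
    """Constructed stand-in for real media: smooth, bell-shaped histogram."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(128, 8)))) for _ in range(n)]


def lsb_replace(samples, seed=2):
    """Simulate the crude scheme from the thread: overwrite every LSB with
    a random bit, which is what an encrypted payload looks like."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = lsb_replace(cover)
    for name, data in (("cover", cover), ("stego", stego)):
        stat, dof, p = pov_chi_square(data)
        print(f"{name}: chi2={stat:.1f} dof={dof} p={p:.3g} "
              f"flagged={consistent_with_lsb_embedding(data)}")
```

The check assumes the payload fills the whole carrier; a payload covering only part of the samples calls for running the same test over successive windows.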

  70. Neil Stansbury
    Thumb Down

    Freedom of Speech?

    I still don't see how this doesn't fall completely under freedom of speech.

    You and I make up a language and have a chat.

    The language is known only to ourselves.

    The Police demand to know what you and I were talking about.

    We tell them to f* off and mind their own business.

    I would suggest that using coercion to force us to reveal our conversation is an infringement of our freedom of speech.

    I don't see I am any more obliged to reveal to the Police the meaning of a verbal conversation they don't understand than I am obliged to reveal a written conversation they don't understand. The medium is irrelevant, as is the reason they don't understand it.

    1. Vic

      Freedom of Speech?

      > I still don't see how this doesn't fall completely under freedom of speech.

      *What* freedom of speech?

      We have no Bill of Rights in the UK. We have convention, which permits freedom of speech, but precious little legislation to back that up.

      > I would suggest that using coercion to force us

      > to reveal our conversation is an infringement of our

      > freedom of speech.

      I would suggest that the freedom you espouse is illusory.

      However, the Police have no specific authority to force you to decode your made-up, verbal language, so you could do this (and this is, apparently, the source of Cockney Rhyming Slang).

      In the case of digitally-encrypted data, though, there is a significant difference: RIPA 2000 is enacted legislation that grants certain people the authority to require you to hand over your decryption keys. Failure to do so is a criminal offence.

      > The medium is irrelevant, as is the reason they don't understand it.

      This is not true (even if it ought to be).

      Vic.

    2. david wilson

      Freedom of Speech?

      >>"I still don't see how this doesn't fall completely under freedom of speech."

      ...

      >>"I would suggest that using coercion to force us to reveal our conversation is an infringement of our freedom of speech."

      An infringement of *privacy*, possibly, or of a right or desire to avoid self-incrimination, but I can't see any connection with *freedom of speech*.

      Freedom of speech is about the extent to which you can or can't be prevented from expressing yourself in public, or have action taken against you for past self-expression.

      For instance, in many jurisdictions, "telling a police officer to f* off" is something that is likely to be considered as taking self-expression a bit too far.

  71. ZungTee

    Scary

    Sure hope he used a very high grade encryption algorithm!

    www.be-anon.net.tc

  72. miknik

    Hmmmm

    While I think a law like this is wrong, I can't help thinking that if I were under criminal investigation on child sex charges and I had an encrypted volume which I knew I could unencrypt and prove beyond any doubt that I didn't have any child porn on there then I would run from my moral highground and decrypt my drive quicker than anything rather than be tainted by the paedo brush, so unless his defence is "I forgot the password" you have to question why he won't decrypt it...

    1. Anonymous Coward
      Flame

      @miknik

      Or perhaps he just has something else on there which he doesn't feel like sharing with anybody?

      Say, some home-made videos of himself shagging his 70 year old boyfriend?

      There are many reasons to keep perfectly legal things private - just because you can't think of any yourself doesn't mean it's the only explanation. Perhaps because it's the only thing you can think of you must have something to hide. Perhaps it's you who has a touch of the "paedo brush"...

    2. Pablo

      Or perhaps...

      He has a load of porn off a p2p network. The women are all legal age *as far as he can tell* but "beyond any doubt"? Not so much.

  73. Tom 7

    If I make a recording of static

    then how can anyone prove that is not an encrypted file?

    Or for that matter any file - what looks like a list of phone numbers could in fact be an index for a bomb making recipe that refers to pages/chapters in a certain book.

    I'm sure if you keep trying to decrypt almost any file for long enough you can generate anything from child porn to, god forbid, a Steps CD.

    You can only truly prove a file is encrypted if you did it yourself.

  74. Mad Mike
    FAIL

    Missing the Point

    People here seem to be missing the point. Consider the following:-

    Case 1. Person is arrested and tortured (pulled finger nails, waterboarding etc.) to reveal information. Basically, give me the information or we'll do something unpleasant. That's called torture and is banned and every government is against it....they claim.

    Case 2. Person is arrested and asked for his password (information). He refuses. So, they invoke RIPA and say they'll do something unpleasant (jail). This is called justice and the government is for it.

    What's the difference? Both are demanding information in exchange for not doing something unpleasant.

    Second point.

    People keep talking about documents in safes being the equivalent in the paper world......wrong. If the police seize a written document you have encrypted using some method or another, are they entitled to force you to decrypt it? No. They have every right to seize it and go through any lock to do so, but they can't enforce you to decrypt it. So, an encrypted file is basically the same thing, yet they can force decryption.

    1. Vic

      Not Missing the Point

      > People here seem to be missing the point

      No, they aren't.

      > What's the difference? Both are demanding information

      > in exchange for not doing something unpleasant.

      The difference is that RIPA2000 is enacted legislation. It is entirely lawful for the authorities to send you down for a long time because you refuse to hand over your decryption keys.

      This should not be the case. It is awful legislation. But it is the law. It protects us all from Terrrrrists, apparently.

      > So, an encrypted file is basically the same thing, yet they can force decryption.

      Yes, they can.

      And the only way we're going to get out from the stranglehold that the last bunch of oppressors put us in is to get our elected representatives to repeal this law - or at least parts of it. A fragile coalition is a good target for pressure from the electorate...

      Vic.

    2. Keith T
      Boffin

      It is forcing you to provide evidence against yourself

      Forcing you to provide encryption keys in a case where you are a suspect is forcing you to provide evidence against yourself.

      I'd like to see the legality and constitutionality of this (the RIP Act) tested by the new supreme court.

  75. Seven_Spades

    Double trouble

    In reality he can't be convicted twice for the same offence, but he can be convicted for committing the same offence twice.

    The most likely action is that the judge will ask him for the password and return him to jail for contempt until he relents.

    Many journalists have been jailed for contempt for refusing to name sources but the courts always give up in the end.

  76. Jerry
    FAIL

    I'm a bit late - but

    Being convicted for not disclosing a password (or more accurately not helping investigators look at your stuff) is a major change in common law.

    In my view this is a bad thing.

    If they wanted to open a safe and wanted the combination they wouldn't have a leg to stand on. You can refuse without penalty.

    In my jurisdiction you also have the problem that you have to prove you don't know a password. It's not enough that it's innocent until proven guilty. Now - in this scenario - you are guilty until proven innocent. You also can't use a defense of self-incrimination (usable in common law).

    Overall Big Brother wins. Your right to privacy loses, your right to innocent until proven guilty loses. Your right to avoid self-incrimination loses.

    I speak this as someone who works as an officer of the court (expert witness) and who has current cases where this is an issue and will result in conviction of probably innocent parties.

    1. Keith T
      Big Brother

      The RIP Act is a travesty

      There is no doubt that Tony Blair and his administration did more damage to the people of the UK and their civilization than a hundred al Qaedas. The RIP Act. War crimes. Going to war against the overwhelming will of the people.

  77. Andy Moreton

    He was arrested 17 months ago

    May 2009, so the police have already had 17 months to break the password. It looks like it must have been a good one.

  78. Anonymous Coward
    Anonymous Coward

    The full story / more details...

    From: Lancashire Evening Post: http://www.lep.co.uk/news/teen_locked_up_after_failing_to_give_police_computer_code_1_1811470

    Teen locked up after failing to give police computer code

    Published on Wed Oct 06 08:27:54 BST 2010

    A teenager has been sentenced to 16 weeks in a young offender’s institution after withholding his computer password from police.

    Oliver Drage, 19, told the jury at Preston Crown Court he had “forgotten” the password, when officers investigating another offence asked him to surrender it.

    However, the jury found him guilty of failing to disclose the password when he was lawfully required to do so.

    Drage’s computer was seized in May last year. But by December police still did not have access to it.

    Janet Ironfield, defending, said it was not known whether the computer was subsequently sent off to an expert bureau for analysis or whether it had simply sat on a shelf throughout the seven month period.

    She added: “This man lost a great deal by the fact the police came to arrest him.

    “He lost his reputation in the community.”

    She said Drage, formerly of Naze Lane, Freckleton, now of Westminster Road, Liverpool, had moved house to avoid bringing shame on his family and had lost his job.

    Judge Heather Lloyd said: “This was a deliberate flouting of a court order compounded by your continual denial of guilt.”

    -----------------------------------------------------

    With these stories tech magazines only seem to get just some details, but not all.

    So the two worrying things about this particular case....

    First is that he tried the 'I have forgotten the password...' defense and the jury still found him guilty.

    Second is that this was a jury case just to decide about whether he was guilty under the RIPA law. So a jury of his peers gave the RIPA law the thumbs up. According to some reports taking only 15 mins to think about it. This is the most worrying thing to me. Just because a government puts in a law I disagree with does not mean that I will support it by finding someone guilty of it when on a jury. To me even though he is guilty to the letter of this law, if the law is stupid then he is not guilty.

    Why do I not support this law, because in the way it is put together there is potential that it will put in prison people who are otherwise innocent (just because you don't give up a password does not mean 100%, you have another crime you are covering up). I will never support a law like this even if it means some guilty people get away.

    With laws, you can make them so that they guarantee that all guilty people will go to jail, but to do so you have to sacrifice some innocent people into prison as well. To me, laws that are made should guarantee that no innocent person goes to prison even if it means that some guilty people escape as well. But I am sure other people think differently including this jury.

    I also find it interesting that when looking for more news on this through Google news search, the amount of non-English places reporting this. Another reason British people cannot hold their heads high in the world any more....

  79. Malcolm Boura 2

    Was it really photographs of child abuse?

    It quite likely was not. The law in this area is so incredibly vague, and so much wider than most people imagine, that it may have been nothing more than a photograph of a nude toddler playing on the beach. However due to the secrecy inherent in this legislation we just have to take the word of the people in the "justice" system. People who make a career out of using, or sometimes abusing, this law.

    A law which is badly defined and almost invariably described as being much narrower than it actually is makes a travesty of justice.

    Increasingly we cannot trust the authorities when they describe someone as a paedophile because they were convicted of having child pornography. It is quite likely that it was not pornographic.

    It is also likely that the convicted person assumed that legislation described as applying to pornography only applied to pornography. There is no way to distinguish between people who genuinely possessed child pornography and use the lack of clarity as a smokescreen to minimise their culpability and those convicted of possessing non-pornographic photographs who genuinely thought that they were legal.

    It is a complete mess and far too much of my time is wasted on trying to minimise the harm caused by legislative failings that could easily be fixed.

  80. Anonymous Coward
    Thumb Down

    Child pron

    If this guy or any other person is guilty of involvement in child pornography in any way whatsoever, I hope he rots in one of the world's more hellish jails. I understand the conundrum over freedom to keep at least some things private and away from the eyes of the law and the gummint, but I find it tough to draw lines when it comes to the kind of low-life that gets his or her sexual jollies from diddling with kiddies or seeing images of some other piece of crap doing it.

    The powers-that-be think we're all potential terrorists and perverts anyway.

    1. Anonymous Coward
      Big Brother

      If Only Things Were That Simple...

      ...But they ain't. I'm not sure you understand what the police here in the UK consider CP or 'indecent' imagery these days. How about a semi-nude seventeen year-old boy or girl posing 'provocatively'..? People have gone on to the Sex Offenders Register for less, courtesy of our wonderful coppers. Or how about fully-clothed twelve year-olds posing 'suggestively'..? Ditto.

      We seem to be living in a very scary madhouse. Children - yes, even 17 year-old 'children' - are to be feared by adults everywhere. Do not go near. Do not speak to. NEVER, EVER TOUCH. If you transgress, you can look forward to the six o'clock knock, to being rudely awakened by the sound of the standard issue kicking in your door and your life - as you knew it - being ripped apart before your very eyes. Best of all, as far as the morality police are concerned, there will be NO rehabilitation, no coming back from this. You will be damned forever. Even if you are just 19 years old.

      Perhaps this is what the government means by a 'terror alert'. Fear is a powerful weapon.

      1. Anomalous Cowturd
        Happy

        Standard issue kicking in your door

        I saw what you did there!

        Now I'm going to have to go and dig out the CD...

        You can relax, on both sides of the tracks, and maniacs...... Wanders off, humming......

    2. Keith T
      WTF?

      Sedition is a worse crime

      There aren't many crimes worse than kiddie porn, but sedition is one that is.

      If we give up our country and our human rights, turn our country into a police state where police can wreck your life at will, we will have suffered much more damage than child porn can inflict.

  81. Anonymous Coward
    Anonymous Coward

    Damned if you do...

    Think of this as being like other laws. For example, if you are stopped by the police on suspicion of drink driving you can refuse to provide a sample for testing, but if you do you can (and usually will) be prosecuted for refusal to provide a sample.

    Quite why they need something specific for this under RIPA I don't know, surely it's just like any other case of withholding evidence.

  82. Neil Gardner
    Joke

    Guilty until proven innocent

    During the normal course of my duty as anti-paedo enforcement officer in West Tesco Town Shopping Centre, I spotted a suspicious-looking gentleman paying undue attention to a 4 year-old male child inside a Postman Pat van while fumbling his camera phone. I approached the said individual and demanded immediate access to his mobile phone. The "customer" did not collaborate and bleated something about having to attend a job interview and needing his mobile for urgent business calls. At that juncture I had no alternative but to terminate the customer's existence by deploying my newly issued instant-justice laser gun in silent mode. I have reassured all carers of children within a 6 kilometre radius of said incident of the elimination of another potential criminal.

    On a related note, I will complete my report on the feasibility of installing hidden anti-rape CCTV cameras in all public toilets.

  83. Fred Flintstone Gold badge

    Now just imagine..

    .. you forget your password. It's happened to me, and the file may still be around. Congratulations, you just got yourself a ticket to jail..

  84. Anonymous Coward
    Anonymous Coward

    Surely "forgotten" is the best defence?

    Forgotten is the accused's word against the police. If the accused was previously of good character, forgotten simply reduces guilt/innocence to a 50/50 bet. A good defence lawyer should be able to argue effectively that a probability of 0.5 is an awful lot of reasonable doubt........

    1. Steven Jones

      Insufficient

      Stating that you've forgotten the password is not necessarily sufficient. This guy made exactly that claim in court, but the jury didn't believe it. Where it can be shown that you've previously had access to the password and it can be shown, beyond reasonable doubt, that you still know it, then you can be found guilty. As to what reasonable doubt is? Well, that's up to the jury to decide.

      1. Anonymous Coward
        WTF?

        I'd love to know

        how you can show beyond reasonable doubt that I haven't forgotten er.. hang on.. er.. shit, what was I saying?

      2. Keith T

        This is what appeals courts are for

        This is what appeals courts are for

  85. Anonymous Coward
    Anonymous Coward

    One option ...

    I believe a few people have missed something. RIPA doesn't actually require you to hand over the password, but it does require you to make the data available in unencrypted form. So it would be legal for you to enter the password for them rather than hand it over.

    However ...

    How about putting the password on the same drive, in plain view - but not marked as being a password. Or on a piece of paper in plain view but also not obviously a password.

    Plod takes computer, asks for password, you tell them that you do not have the password and it is in their possession - but you give them no further information as to where in all the seized stuff (papers and computers) it is.

    When asked, your answer is simply :

    The password was not memorable and written down, it is probably in amongst materials you have seized. It is therefore no longer in my possession, and you (the Police) are in possession of all information you need to read the files.

    If it was written on a piece of paper, then all you would be able to tell them would be "it was in the pile on my <insert description> shelf". Chances are, in their process of seizing paperwork, they won't be able to associate that description with any single large bag of paper now in their possession.

    In my case, I could tell them "it was on my desk" - and I could be quite certain they wouldn't know which bit of paper it was even if I told them "immediately to the right of where I put my laptop".

    But like others, I could also be in trouble because, like others, I'm in IT and I often make up temporary passwords - /dev/urandom is a good source. I may write it down, or put it in a text editor window that doesn't get saved. Once the job is done, there is no record of the password. If I miss a file when cleaning up, then I'm screwed.

  86. tony2heads
    Alert

    noise

    In Very Long Baseline Interferometry we record digitised noise from the sky, (so it is really random Gaussian noise with embedded timestamps). At one stage these were recorded to VHS videotapes and customs people had a hard time crediting that we were not up to something funny. You could only use it when you correlate one set of tapes with another set from another radio telescope.

    Now we send it over the net.

  87. This post has been deleted by its author

  88. Anonymous Coward
    Flame

    The full horror of RIPA

    Someone here made a comment about data for national security being encrypted ...

    RIPA specifically makes NO EXCEPTIONS for the purported nature of the data to be made available. It trumps doctor-patient privilege, client-solicitor privilege, and (for those that mentioned the catholic church) priest-penitent privilege.

    The House of Lords last year confirmed this was the intention of the act, and not an accident that they could remedy. The cases were of a doctor who was forced to divulge patient information, and a barrister who was forced to divulge client information - both made under RIPA.

  89. maclovinz

    Adult/Child?

    What's the adult age over thar?

  90. Maty

    So ...

    This guy had a 50 char password, and the jury did not believe that he could have forgotten it.

    Wtf?

  91. J Lewter

    Child Porn

    Wow, I have never seen so many people defend someone who was found downloading child porn..

    While I do not subscribe to the idea that the state should control every aspect of our lives, I also don't subscribe to the idea that some pervert should be allowed to encrypt his illegal porn just to keep it from being used as evidence.

    If I was to kill and chop up someone, cook them in a stir-fry and serve them up at my local Chinese restaurant.. Does that exclude me from being charged with murder?

    1. Jess--

      Missed the point

      You said "I have never seen so many people defend someone who was found downloading child porn"

      If you read the article you would find that it says "he was arrested in May as part of an investigation into child sexual abuse images".

      Nowhere does it state that he was downloading images.

      You have automatically assumed that he was downloading child porn and that the "encrypted file"* contains that porn.

      * The file could just as easily be a corrupted file.

    2. Paul_Murphy

      You may want to read the article.

      I don't recall that he had been found to have downloaded anything - only that he was being investigated.

      'Innocent until/unless proven guilty' should still be a fundamental aspect of justice.

      When he is actually found guilty of making/downloading child porn or indeed any other criminal act then by all means attack him, but until then bear in mind that the only thing that he has actually been found guilty of is not disclosing a password.

      He is guilty under RIPA - which is a UK law, but he is not, so far, guilty of anything else.

      The obvious question is why he has not decrypted the file himself to prove his 'innocence' - hence a lot of the above discussion, but that does not make him a child molester, or indeed any other sort of criminal.

      Unless not disclosing a password also makes him a murderer, speeder, bank robber and mugger.

      ttfn

    3. Anonymous Coward
      Anonymous Coward

      erm

      The exact point is that he wasn't found downloading child porn, he was suspected of it, but essentially refused to cooperate in the investigation of himself. The police couldn't prove anything, so they prosecuted him for not cooperating instead. They had no solid proof of any wrongdoing, only a file they couldn't interpret.

      So he isn't "some pervert" encrypting his "illegal porn". He's a member of the public, with no criminal record, who has an unidentified encrypted file on his PC! Do you honestly believe that should be an offense punishable by up to 2 years in prison?

      Yes, it comes across as a little suspicious that he would rather go to gaol than reveal the contents, but it still doesn't actually stand up as a legal argument *for* anything.

    4. Anonymous Coward
      Thumb Down

      Um, since when

      Does being under investigation mean he's guilty? As you already know (numbnuts), photographers are often "under investigation" for being a terrorist, does that make them terrorists?

      I also see no evidence in TFA YFM (you foolish moron - substitute foolish for something more appropriate if you will) that he admitted owning the file, or any related evidence that the yobs had of him committing a crime.

      So, in short, if I don't like you I can just put an encrypted file on your disk, drop a tip to the local Wanker of the Law office and you're fucked. Cool. Now, I have a cool file for you to download...

  92. kain preacher

    Re:so

    "This guy had a 50 char password, and the jury did not believe that he could have forgotten it.

    Wtf?"

    It's simple, they believe the password is on a sticky note somewhere, after all that's what they would have done.

  93. Anonymous Coward
    Anonymous Coward

    Forgotten passwords

    Look at it this way: An encrypted file with a last accessed timestamp a few hours prior to the PC being impounded and the password requested (and no evidence that the date is incorrect) would likely dissuade a jury from accepting a plea of "I forgot the password".

    However a protected zipfile from 2 years ago (again with no evidence of date based shenanigans) would probably be accepted as forgotten.

    Although it is legally plausible that a person can be jailed for refusing to provide a password and then on release from prison have the password re-requested and a new jail sentence passed, only a rabid anti-establishment conspiracy theorist would actually believe that would happen.

    I am not a fan of this legislation, not by a long straw, but some of the armageddon scenarios posted here are not worthy of anyone who has the intelligence to use a computer.

  94. Keith T
    Pint

    Never refuse to answer questions in court

    Do what legal system insiders and lawyers do when cross examined -- forget what the answer is.

    I don't remember, it was a long series of numbers on a scrap of paper on my desk.

    They can't send you to jail for not remembering. They can send you to jail for refusing to answer.

    But when questioned by police in a manner that indicates you are a suspect, ask for a lawyer. Nothing you say to police can prove you innocent, not even a rock solid alibi. Always ask for a lawyer. That is what police do.
