Missile systems software dev leaker has sentence almost doubled after UK.gov says 4½ years was too soft

A former missile software engineer who boasted about leaking critical defence secrets to hostile foreign powers and refused to give police his VeraCrypt key has had his prison sentence nearly doubled by the UK Court of Appeal. Simon Finch, formerly of Swansea and now of one of Her Majesty’s prisons, will spend a minimum of …

  1. Hubert Cumberdale Silver badge

    "The sentence for refusing to hand over his password was increased to 2½ years"

    Hmm. The guy sounds like a bit of a dick, all told, but I feel uneasy about people being compelled to hand over passwords on pain of imprisonment. I don't think it's a good road to go down.

    1. Tom Chiverton 1

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      Too late :(

      1. Hubert Cumberdale Silver badge

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        On the plus side, it's a ringing endorsement of the security of VeraCrypt.

        1. Tomato Krill

          Re: "The sentence for refusing to hand over his password was increased to 2½ years"

          Well that or they did defeat it, found nothing of value and didn’t want to telegraph the fact they defeated it

          1. Hubert Cumberdale Silver badge

            Re: "The sentence for refusing to hand over his password was increased to 2½ years"

            I think you give them way too much credit with that idea.

            Or maybe that's what they want us to think...

            1. Danny 14

              Re: "The sentence for refusing to hand over his password was increased to 2½ years"

              Just because you aren't paranoid doesn't mean they aren't out to get you.

          2. Cynic_999

            Re: "The sentence for refusing to hand over his password was increased to 2½ years"

            Highly unlikely on two counts:

            1) The police and security services will always pretend to have far *greater* abilities than they actually have, and

            2) Hardly anyone would choose to spend years in prison over revealing a password unless revealing the encrypted material would result in at least a similar penalty.

            1. This post has been deleted by its author

      2. NoneSuch Silver badge
        FAIL

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        The real world example is giving someone a jail sentence for not providing a murder weapon to the police, for a crime they didn't commit.

    2. marcellothearcane

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      I think it's just what they call an "aggravating factor". He is being jailed for something else, and refusing to cooperate just makes it worse.

      A bit like how it's not a crime* to refuse to tell police your name, but if you're already in trouble, then it is.

      *Something like that, anyway

      1. teknopaul

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        Innocent until proven guilty by a copper.

        I think this has been the case since 2000AD.

        1. Danny 14

          Re: "The sentence for refusing to hand over his password was increased to 2½ years"

          obstruction of justice. 5 years in an iso cube.

        2. Bogle
          Terminator

          Re: "The sentence for refusing to hand over his password was increased to 2½ years"

          I think the punishment is much harsher in 2000AD, no? It's the cubes, Devil's Island or perhaps even Titan.

    3. Dan 55 Silver badge

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      Well you're 21 years too late, it became an offence when RIPA became law.

    4. Anonymous Coward

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      And when he's served his sentence, if he still refuses to hand over the encryption keys, he can be arrested and jailed again, ad infinitum. Let's see how pleased he is with his actions then.

      1. Phones Sheridan Silver badge

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        “he can be arrested and jailed again”

        This has not and will not ever happen. Stop spreading myths.

        1. James 51
          Big Brother

          Re: "The sentence for refusing to hand over his password was increased to 2½ years"

          If you think that you need to look at how the police used seven day detention in Northern Ireland or investigated families like Stephen Lawrence's for dirt when they are trying to cover up their own failings. The fact of the matter is this power (five years for not handing over passwords) is ripe for abuse and we'll never hear about when it was used to threaten someone and it worked.

          1. Phones Sheridan Silver badge

            Re: "The sentence for refusing to hand over his password was increased to 2½ years"

            Ok well put it this way, I've never read the opinion of a professional defence or CPS lawyer that practices law day in and day out that agrees with you. I've never read of a single case where it has actually happened in the last 21 years, since the act came out in Y2K. But I've read countless conspiracy nuts droning on about the same thing. Provide evidence it is a credible possibility, or stfu and stop spreading conspiracy theory bollocks.

      2. Dave314159ggggdffsdds Silver badge

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        That simply isn't true.

      3. Cynic_999

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        That is simply not true.

    5. Doctor Syntax Silver badge

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      "The guy sounds like a bit of a dick"

      The guy sounds as if he might have mental health problems.

      1. Hubert Cumberdale Silver badge

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        That too. Depends on how you want to describe it. I guess if they can find something in the DSM that covers it, that makes him move from "being a dick" to "having a definable disorder". If someone stabbed me as a result of a definable disorder, I would argue that they may well also be a dick. Others may be less polite about it.

      2. low_resolution_foxxes

        Re: "The sentence for refusing to hand over his password was increased to 2½ years"

        I was a bit confused during the original case. If I recall correctly, he claims to be straight, but someone yelled at him he was "gay" in a bar, but the police didn't investigate because they had no ID on the suspect.

        Why the f it's relevant to this I don't know.

        My best guess is autism/mental health episode.

        1. Jimmy2Cows Silver badge

          Re: autism

          Sheesh. The "autism" label always seems to be thrown about with things like this.

          Chances are he's just a run-of-the-mill sociopath with no thought or concern to the consequences (possible and real) of his actions, with a deluded sense of self importance and a deep seated resentment complex. So the cops didn't take his complaint as seriously as he wanted. Hardly a reason to reveal (or boast about having revealed) Top Secret information.

          Could be his actions are the result of non-autistic mental health issues, could be he's just a twat. Sure, he might be autistic but as that's not been mentioned in the defence it seems very unlikely.

          Either way, can we (society in general) please stop suggesting everyone remotely involved in tech who does something illegal is autistic. There are usually far more simple and likely reasons.

          1. Anonymous Coward
            Unhappy

            Re: autism

            Sheesh. The "autism" label always seems to be thrown about with things like this.

            Chances are he's just a run-of-the-mill sociopath with no thought or concern to the consequences (possible and real) of his actions, with a deluded sense of self importance and a deep seated resentment complex.

            It beggars belief that clinical psychologists choose to undergo those long years of training and conduct tedious interviews with their subjects, when they could just as easily make a diagnosis without knowing anything at all about mental illness simply by glancing at a news article and applying a bucket full of bias.

    6. Anonymous Coward

      Re: "The sentence for refusing to hand over his password was increased to 2½ years"

      Well, maybe it's not a good idea in general, but when you've: signed the OSA, are DV cleared, you've deliberately leaked top secret military info, travelled all round Europe with it to meet god knows who, boasted about posting it to foreign embassies, told the cops there's far more secret stuff on your laptop, but it's encrypted and I'm not giving you the key. I would argue it's a perfectly fair request. Withholding the key could pose huge risks to the country, our infrastructure or military personnel. And he is clearly not sharing the key out of spite alone. His behaviour is enormously reckless, has potentially very serious implications for national security and is entirely deliberate. This is not a bog standard request for a password and the guy was DV cleared, he has a clear moral and legal obligation to provide it. His sentence should be tripled unless he shares it.

  2. Flip

    It may not be a good road to go down, but the UK has been moving down this road for more than a few years, as far as I know.

    I'm still hoping for a legal ruling about handing border guards your phone and social media account password(s). It seems nobody wants to put that to the legal test.

  3. Anonymous Coward

    Going from being heavily institutionalised to attacking the institutions he once believed in. I do kind of feel for the guy, he's been let down by the state. Let's be honest, you have to be a bit of a wrong 'un to work for BAE Systems in the first place.

    OK, he might have overreacted a bit, but there is no evidence of any harm coming from his actions (disclaimer: I'm yet to read the 27 page PDF).

    1. Cragganmore

      Call me naive but...

      ... maybe having DV and Codeword level clearance should have been a tiny clue as to whether touting national secrets around foreign embassies was a slightly wrong thing to do! He's a first class idiot and deserves his sentence.

      1. Anonymous Coward

        Re: Call me naive but...

        anon for obvious reasons, I worked for BAE on "missile systems", supposedly, we never really knew because no one is told the whole story, just code words. It's amazing anything gets done but I can say with certainty that infosec is a top priority. I may be wrong but I suspect he wouldn't have much to pass on and he can expect the full force of the law for being a dick. Nothing on his laptop from the sounds of it. The military have simple techniques for getting someone's password if they care.

        Sad case, Leaker without a story to tell apart from: BAE make bombs.

        1. herman

          Re: Call me naive but...

          In my experience one can give a complete production file pack to a contract factory and they won’t be able to replicate a working missile, due to all the errors and omissions.

  4. DevOpsTimothyC

    The Irony

    I'm not supporting the actions that were taken but I've got to note the irony in the legal system making a point of Mr Finch not co-operating when they have failed to investigate criminal acts that he is claiming happened against him.

    1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: The Irony

      Maybe the police did investigate, just not to Finch's satisfaction, hence his apparent annoyance.

    2. DrXym

      Re: The Irony

      Even if they didn't investigate (to his satisfaction), it is a slight overreaction to give official secrets to enemy powers. A normal person would be complaining to the ombudsman or similar. And it calls into question how he got clearance in the first place.

  5. I am David Jones
    Headmaster

    It's all about the presentation

    "Sentences passed by judges are never applied in full."

    Without changing any sentence lengths, I always think the headline sentence should be the minimum time in jail, which is then extendable by n years depending on behaviour/risk to the public/whatever else they use to decide parole.

    It's always a bit of a disappointment when I hear some evil b*******'s* sentence and a couple of seconds later have to remember to divide by two.

    There's no doubt a good legal reason for the judge announcing it as they do (e.g. separation of sentencing guidelines and parole rules) but the press could do the math for us...

    *this is not a comment on the subject of the article about whom I've not formed any opinion.

    1. sbt
      Alert

      Re: extendable by n years

      This creates a risk of arbitrary detention without further, proper judicial review. The assumption is that the complete sentence as applied by the courts is available to the corrections system and there is an incentive for the convict to reform and get 'early' release in the form of licence (which is still subject to supervision). If the convict slips up, then the parole board or equivalent has a portion of the already awarded sentence period to re-impose.

      If the headline sentence was only the custodial part, and early release had to be earned (i.e. tied to rehabilitation/good behaviour) there would be less transparency about what minimum time would actually be served. While the licence/parole period could be set to the same length as whatever time was served and it would effectively be the same outcome in most cases.

      Focusing on the custodial portion probably overestimates the value of incarceration and underestimates the impact on convicts of the supervised release period; the impact of being a recently released convict on licence to their job prospects, family life and place in the community.

      If you're not going to hang criminals and you can't dump them overseas any more, you have to work out ways to bring them back into society after prison. It's a really hard problem to balance the competing goals of protecting society from wrong-doers, justice for the victims and disincentivising criminality, but also reducing recidivism; particularly difficult with the tainting effect of keeping your bruised apples with your rotten ones.

      Prison doesn't do anything for the root causes of criminal behaviour. It's at best like a splint on an arm that's already broken. We need more social arm guards so we have fewer broken arms to begin with. That means dealing with hard problems like poverty, parenting skills and education as well as mental health and social cohesion.

      1. Anonymous Coward

        Re: extendable by n years

        Damn right. Serving licence is no picnic, and I speak from current experience. Judges apply sentences knowing that it's usually 50/50. Interference from politicians in this sort of thing needs to stop – it almost hurts me to say this, but judges usually have a reasonable idea of what they're doing when they pass sentence. The IPP sentence was, and continues to be, a massive fuck up*: even Blunkett admits that now. Being "tough on crime" and extending sentences solves absolutely nothing (except for getting the approval of right-leaning voters). It's both expensive and ineffective, and the money would be vastly better spent on prevention and evidence-based community rehabilitation programmes.

        *See, for example, today's news: https://www.bbc.co.uk/news/uk-56445407

        (AC, obviously.)

        1. sbt
          Thumb Up

          Re: Serving licence is no picnic

          Thanks for sharing and the link. Do you think the custodial portion of a sentence (if any) can have any rehabilitative effect (e.g. separation from toxic peers/situations, or drug treatment (if applicable) or education/vocational training, introspection, something else)? Is the licence period effective in making those effects 'stick', or is it more like a box-ticking bureaucratic exercise ("yep, we know where AC is this week. Get lost, but be back here 8 am on Monday")?

          1. Anonymous Coward

            Re: Serving licence is no picnic

            Well, from personal experience, it did give me ample time to reflect. But then that's more of a side-effect, and if someone is not already inclined to reflection, they may not get the benefit of that. As for separation from toxic peers, absolutely the opposite is the case. People were constantly trying to recruit me for their schemes, and I had access to a whole new world of criminal connections. Ironically, they threw me together with these people for years, and they were pretty much the only ones I could talk to on a day-to-day basis. Now I'm on licence, I'm banned from being in touch with any of them at all.

            This, among other things, makes for a precarious situation. I can be swooped on at any point, and they can check my phone/computers/whatever to see if I've been in touch with the "wrong" people. If I have, I'll be straight back in. In addition, I have a condition to be "generally well behaved", which is a potential nightmare. If I so much as get a speeding ticket, I could be thrown back. Have a few too many drinks and fall asleep on a bench on the way home? Thrown back. Get punched by someone else for no reason? Thrown back. Forget to turn up for an appointment because I'm too busy trying to rebuild my life? Thrown back. Oh, and these days, walk somewhere too far from home and get a Covid fine? Thrown back.

            Yes, now I've been out a while, probation do largely leave me to my own devices, but I feel I'm constantly walking a knife edge. All it would take is someone with a grudge to make a phone call alleging something or other, and they'd be rather safe than sorry and send me back. In a sense, yes, it is box ticking, but as soon as I show any sign of stepping out of line, the supervision ramps terrifyingly up. It's a continuous source of anxiety. Am I given actual useful help though? Not much. Anyone who thinks being on licence is basically the same as being free should try it for a while.

            1. mattje

              Re: Serving licence is no picnic

              Thank you for sharing your experience.

              I'm sure most of us keyboard warriors on here fortunately have no such experiences and we should refrain from commenting or judging on stuff we haven't lived through.

              I wish you all the best in your rebuild.

            2. sbt
              Go

              Re: a precarious situation

              What mattje said, many thanks for this detailed insight and best wishes. I was afraid peer-wise it would be out the frying-pan and into the fire for many. It must be very isolating when you lose any useful support networks you may have formed inside and must rely on what appears to be an unsupportive, monitoring function in the shape of the parole officers on the outside.

              I hope you can get through the licence period and back on track successfully.

          2. Cynic_999

            Re: Serving licence is no picnic

            Unfortunately only lip-service is applied to most prison rehabilitation programs. If it were applied more seriously it would almost certainly reduce the percentage of re-offending considerably. There are no votes to be had by increasing spending on prisoners. Unfortunately the prison environment is more toxic for most inmates than the environment outside prison, with many inmates being taught to increase the severity of their crimes. Probably the most effective education an inmate receives in prison is how to avoid getting caught next time!

            The licence period is probably the most effective rehabilitation method we have.

        2. batfink

          Re: extendable by n years

          I would suggest that it is expensive but is not ineffective. It meets exactly the intended purpose: to harvest right-leaning votes, as you say.

      2. onemark03

        dealing with hard problems

        Yes, but successive governments have considered that too hard and too expensive. As a result, they have put the problem in the political "too hard" basket and handed it to the police, prisons, probation and welfare services to cope with (I won't say "solve").

    2. James 51

      Re: It's all about the presentation

      You might want to look at the history of indefinite detention and the problems it's still causing.

    3. teknopaul

      Re: It's all about the presentation

      I am sure 1 year will always sound like a light sentence until it's you that is doing it.

      1. Cynic_999

        Re: It's all about the presentation

        Every study I know of has concluded that crime rate has almost no correlation to severity of sentencing. A person who commits a crime has either acted "on the spur of the moment" or has no intention of getting caught. In both cases they have absolutely no consideration for the sentence they might get if convicted.

        Things that reduce crime are (1) increased probability of getting caught and (2) reduction of the factors that cause crime in the first place (e.g. inequality of wealth, environmental factors such as street lighting, road and building layout as just two things.)

    4. Cynic_999

      Re: It's all about the presentation

      The system has been this way for many decades. The fault is with the media for giving the impression that serving a certain part of the sentence in prison and the rest out of prison on licence is an unexpected leniency rather than how it has always been done.

      If the full term needed to be served in prison, judges would simply reduce the sentences they hand down proportionately. But it is done that way for a very good reason. Having criminals closely monitored after release from prison, and subjected to significant restrictions on what they are and are not permitted to do makes it *far* less likely that they will re-offend after the end of the full sentence period.

      Licence conditions are customised to the individual offender, and can be extremely restrictive. If they are caught breaking the most minor restriction it results in an immediate return to prison to serve the full sentence. This method has a very good chance of ensuring that (say) a person whose only income has been the fruits of burglaries will be forced to get a normal job and adopt a non-offending lifestyle while on licence, which hopefully becomes a habit that will continue after the restrictions on their life are lifted.

  6. Anonymous Coward

    Brimstone I guess...

    Did they actually prove that he had anything encrypted at all, or did they just claim it?

  7. Steve Foster
    FAIL

    Plausible Deniability

    I guess he didn't use the hidden volume feature in VeraCrypt to protect against password disclosure.

    1. NetBlackOps

      Re: Plausible Deniability

      Really, that doesn't make a difference at all as they can assert that such a hidden volume exists, whether that is true or not.

      1. Hubert Cumberdale Silver badge

        Re: Plausible Deniability

        Well, they can, but if it's going to stand up in court then they at least need to have some evidence for it. Don't they? Surely? (Please?)

    2. DrXym

      Re: Plausible Deniability

      I don't think he was thinking this through at all to be honest.

  8. xyz Silver badge

    Mmmm...

    Having knobs and whistles above DV is like being a member of Fight Club... You don't say jack. Something has happened that's really pissed him off and he's gone a bit err... off. He really needs mental help but being a loose cannon now means he'll just be locked away for a long time or "have an accident".

  9. hoola Silver badge

    Digital Era

    We have reached a time when it is going to become increasingly difficult for police and other agencies to actually investigate crime because so much is now digital. With physical evidence once you have a suspect then with the appropriate warranty they can take what is needed for the investigation. Entire filing cabinets, even the contents of a safe. Now they can ask for it to be unlocked or if not find keys or codes or if not get a specialist.

    Now move to the digital age we are in. Encryption is easy even for those who are not technically minded. Huge amounts of information that would have been accessible is no longer unless you have the password/biometrics. Now this is all well and good until such time as that is needed as evidence. It is very easy to take the privacy route and have people refuse to allow the authorities even when they have all the warrants in place to allow access to the information but where do you go then. You reach a point where everything is so skewed in favour of those committing crimes, fraud or whatever that the police are simply helpless. They may as well just not bother. I realise there are all the arguments about corruption blah blah and we all know it is an issue BUT do we really want to live in a society where the police simply don't bother investigating most crime because they cannot get the evidence?

    There is no easy answer but we are rapidly getting to the point where the digital information/evidence outweighs the physical. Just screaming "Privacy" is not the solution. I don't know how this can be addressed but there has to be a sensible, adult discussion on who and how this digital material can be accessed with the correct authorisation.

    1. Anonymous Coward
      Trollface

      Re: Digital Era

      We have reached a time when it is going to become increasingly difficult for police and other agencies to actually investigate crime because so much is now digital. With physical evidence once you have a suspect then with the appropriate warranty they can take what is needed for the investigation. Entire filing cabinets, even the contents of a safe. Now they can ask for it to be unlocked or if not find keys or codes or if not get a specialist.

      Most crime is still non-digital. People still get assaulted, people still have physical things stolen.

      It is extremely rare for the police or other agencies to bother to investigate anything at all, unless it is a very serious crime like actual bodily harm, or has at least inconvenienced someone powerful.

      Virtually all prosecutions are for the low hanging fruit of people who either incriminate themselves or are arrested by plod as a result of a stop and found to be in possession of cannabis, a weapon, or a lack of respect towards the fearless crime fighter.

    2. onemark03

      how this digital material can be accessed

      This, I think, is the nub of the problem.

      It would be possible to solve a lot more "digitally-related" crime (the term will serve) if privacy were to go by the wayside, i.e. be abolished. However, I seriously doubt whether society would want that.

      1. v2k
        Paris Hilton

        Re: how this digital material can be accessed

        Does society want absolute privacy then? I'll paint with broad strokes for the sake of argument.

        In my experience those who are most vocal about privacy tend to be of about 0% interest to law enforcement as the latter tends to have no interest in your online activities or the content of your computer unless you:

        -rape children

        -deal drugs

        -plan to kill people

        -steal stuff (excluding entertainment products)

        As a society aren't those things that we would like the police to do something about? And how much privacy would you actually have to give up for that to happen?

        Privacy is a part of this discussion but far from the only thing that complicates investigations into "digital crime". I would set the big three as:

        -Jurisdiction, where did the crime actually happen and is it a crime where it happened?

        -Big tech, happy to take the profits but then do little to aid or plain refuse to cooperate with law enforcement.

        -Encryption.

        For me it boils down to that if, big if, you come under investigation you have no privacy within the scope of the investigation.

        And I'm not trying to be funny, I think this is a really interesting topic.

    3. Anonymous Coward

      Re: Digital Era

      Just screaming "Privacy" is not the solution.

      Ah but it is! certainly around here.

      I've heard "Privacy loudmouths have expressed concern" dozens of times

      I've rarely heard what the concerns are.

      Apparently if we trust the government, they will stab us in the back, turn us into slaves and/or put us in gulags or something.

      That's the received wisdom from the otherwise highly intelligent and well informed el reg commentards.

      Personally I'd advocate fitting each and every citizen with mandatory implanted GPS tracking and trusting the govt to use for the purposes of stopping crime. Some of these leftys think that's a step too far though

      1. Hubert Cumberdale Silver badge

        Re: Digital Era

        I can't tell if you're trolling, so I downvoted you just in case you're serious.

      2. Anonymous Coward

        Re: Digital Era

        The main problem about having this or any other discussion is that unfortunately a minority is too poorly educated to comprehend nuance which makes any sensible discussion effectively impossible.

        Personally I'd advocate fitting each and every citizen with mandatory implanted GPS tracking and trusting the govt to use for the purposes of stopping crime. Some of these leftys think that's a step too far though

        Hardly any point; your phone has all of that, plus potentially recording and transmitting everything you say if GCHQ so desires. And people religiously keep them on them at all times with a decent battery charge even if it means charging repeatedly throughout the day. If you gave somebody a tracking/recording device like that from the government then they'd "lose it", smash it or deliberately run the battery flat and not recharge it despite whatever laws were in place.

        1. Anonymous Coward

          Re: Digital Era

          If you gave somebody a tracking/recording device like that from the government then they'd "lose it", smash it or deliberately run the battery flat and not recharge it despite whatever laws were in place.

          .

          That's why it should be implanted

          If they let it go flat or break it, the govt know because they lose signal, and they send the sandmen out - Logan's Run style.

    4. ChipsforBreakfast
      Big Brother

      Re: Digital Era

      You are assuming the motives of those issuing such warrants are benign. In many cases they are but when they are not the impact can be enormous. Encryption provides a way for ordinary people to take control of their information back from the grasping claw of the state - there is generally no need for the authorities to read every e-mail, record every website, monitor every phone call and read every document a person writes but today's technology permits just that, in real time, without the victim's knowledge and on a massive scale.

      That is what is driving the uptake of encryption - state overreach and pervasive surveillance. If it wasn't for that there would be no driver to make encryption easier to use or to make it default for normal communications.

      Proper encryption has been around since the days of PGP in the 90's but was always hard to use and so remained a niche product, then along came Snowden and the dawning realization of just how much information was being hoovered up and suddenly there was a huge public interest in encryption technology and lots of effort went into making it easy to use, accessible & almost the default for everything.

      That leads to the situation we now find ourselves in. Encryption is ubiquitous and very effective - by its very nature you can't have encryption that only 'authorized' people can break - it's either secure or it's not, there is no middle ground in mathematics. So the authorities resort to laws compelling people to produce keys or face punishment - however distasteful the idea may be it's probably the best solution there is going to be and it carries one huge benefit over any technical solution - a properly drafted disclosure law (and I'm not saying RIPA is that!) will ensure that such requests get proper judicial and public scrutiny, hopefully limiting any attempts to use those provisions unfairly or without proper justification.

      It's not ideal, but it's the best we've got.

    5. hoola Silver badge

      Re: Digital Era

      To those who are downvoting this please expand on what you feel the solution is?

      I have not said that encryption is bad or that the various authorities have a right to access your data without the appropriate warrants.

      To put some perspective on the issue let us assume that someone has viewed, created or stored a large quantity of child pornography and this evidence is on their computer. Now the likelihood is that it may have a password and may even be encrypted. The police have all the circumstantial evidence but need to seize the computer to access the material.

      The same could be applied if there is a financial or fraud investigation, the crooks scamming people out of the pensions and savings.

      If there is a password this could be circumvented however that still does not guarantee access but if there is encryption, without the key they are completely stuck. If the person under investigation refuses to provide the key what can they do?

      Look at all the issues around the iPhones that were seized. My point is that if the assets have been seized as evidence with all the correct procedures there needs to be a way of the authorities gaining access to the information.

      Traditionally they can gain access to the premises to get the evidence, here they effectively have the filing cabinet but not the key. With the filing cabinet you can drill the lock without destroying the contents. With encrypted you cannot.

      If the only option available to them is to arrest and charge the person under investigation for not disclosing the passwords, pins or keys to the material that is required as evidence then the penalties need to be appropriate. Let's say that the potential charges if the evidence is available are for a 10 or 15 year jail term, then serving a sentence for a year and not providing the keys is clearly better for the accused.

      This is not about backdoors, accessing every digital asset a person has but giving the authorities the ability to access digital evidence required for the investigation.

  10. Prst. V.Jeltz Silver badge
    Headmaster

    “Offenders always complete their full sentence but usually half the time is spent in prison and the rest is spent on licence

    Thats some sreative wording right there.

    1. Santa from Exeter

      Pedant

      Apart from spelling 'creative' incorrectly when using the Pedant Alert :-)

      It's not creative at all.

      The sentence is one to curtail your freedoms, there are several ways of achieving this, only one of which involves actually locking you up.

      There is also being required to report to a Police Station daily, surrender of your passport, or electronic tagging to name but 3.

      The sentence might also be a community order, and you must then perform supervised community service for a set number of hours, which also curtails your freedom.

      A conditional discharge may even contain the condition that you report to a Police Station periodically.

      1. Prst. V.Jeltz Silver badge

        Re: Pedant

        I still conject that with all the described post incarceration restrictions on licence you are still 90% free.

        Therefore if released on licence halfway through a custodial sentence, by the end of the full term with the second half 'on licence', you have in fact served 55%

        I'm not against getting out early, but perhaps it should be more geared to reward than automatic.

        1. Anonymous Coward
          Anonymous Coward

          Re: Pedant

          Personal experience says you don't know shit. See my posts above:

          https://forums.theregister.com/forum/all/2021/03/18/simon_finch_veracrypt_sentence_doubled/#c_4224306

    2. herman

      My wife tends to speak in half sentences...

  11. Anonymous Coward
    Anonymous Coward

    Inexcusable

    I have little sympathy for this guy. I'm subject to this type of vetting, and there is no way you can go through it without realising the gravity of the situation and the enormous trust that is being placed in you. Multiply that by 10 when you sign the official secrets act - the consequences are made very clear in black and white. They can be summarised thus: do anything naughty with your access or the information you work with and you're fucked, you might be living rent free for a long time. As the act is UK law, it still applies even if you don't sign it. But to be honest, I enjoyed the process - it appealed to my childish vanity, and for five minutes of my life I felt like James Bond.

    What this guy did was egregious, and he fully understood that. He knew what harm he could cause, but didn't care. He did it purely out of spite and his desire for retribution. I have to say it seems a strange way to avenge your local police force though.

    I understand the civil liberties concerns about revealing crypto keys, but this is way beyond a normal case, and it's him that has made it so. He's signed the OSA, shared classified nat security info, boasted about having much more extensive info on his laptop, encrypted it, travelled widely with it, and claims to have posted it to foreign embassies. He knows what he's doing and is purposely withholding the keys. Damn right he should be made to cough up the key. And damn right he should be punished severely for not doing so.

    He's risked, maybe seriously harmed national security. His actions could cause serious harm or loss of life. He did it anyway, out of pure spite. Someone above claimed no evidence of harm exists. That's not particularly relevant here though. If someone plants a bomb in a primary school do you let him go with a ticking off because the detonator failed? I think not. He deserves all he gets, I'd lock him up for twice as long.

    Ps. To the commentard saying he might be autistic, I say ***k you pal, I resent the implication of the autistic weirdo stereotype. I'm autistic, probably half the people I work with are (seriously), we're not all like Rain Man and we don't have an increased proclivity to break the law. I suppose most of us are a little weird, myself included. I read maths books for fun, but so do a lot of software engineers. Anyway, if you are an engineer, the likelihood that you are, or work with, an autistic person is overwhelming. IT is full of 'em, and without us, the software teams of the big firms would be half empty. So again, ***k you pal, don't be a douche by flinging around stereotypes. Please.

    1. Electronics'R'Us
      Holmes

      Re: Inexcusable

      Just for a bit of support; I have been through the DV process (it was continuous vetting back in the day) and is required for uncontrolled frequent access to Top Secret information. Anyone with DV clearance is under absolutely no illusions as to what damage unauthorised disclosure can cause.

      Here is the definition of Top Secret:

      HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

      Regardless of the motivation of the particular individual, the information he was working with, when disclosed, could and usually will, cause major problems.

      Refusing to provide the encryption key(s) is compounding the problem as a damage assessment is very difficult if not impossible to achieve. I would note that in this sort of case, the powers under RIPA are simply a bit more convenient to invoke; if the government has some evidence that he has TS information on his personal laptop (a very big no no) they could ask the court to require access using the official secrets act anyway and refusal would be contempt of court.

      He can consider the damage done when he comes out and will quite probably have to choose a new career path. Note that I really believe in rehabilitation as it is the best for all concerned, but this person has now, through their own actions, put themselves in a position of not being trusted which will be a difficult bar to overcome.

    2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: Inexcusable

      Well said. Finch would have fully been aware of the consequences of his actions.

      As for him maybe having mental health issues, or autism, or any neurodiversity whatsoever, that does not automatically make anyone unsuitable for holding DV clearance or unable to understand the consequences of their actions. DV clearance like Finch had, is always on a very specific case by case basis.

      I feel sorry for his line manager/s. They'll have had to have dealt with a shedload of investigative paperwork after all that.

    3. Anonymous Coward
      Anonymous Coward

      Re: Inexcusable

      You seem to think that he went through his DV and signed the OSA just last week. Maybe a decade or more of stress and low pay and lack of recognition from BAE meant that the lack of support he got from the police tipped him over the edge?

      1. Anonymous Coward
        Anonymous Coward

        Re: Inexcusable

        Erm.. No, he would've had to renew DV every 5 years, and you don't easily forget signing the OSA, it's pretty intimidating seeing all the legal penalties. And as I said, I felt like James Bond for 5 mins, which is hard to forget on its own. But even if he did it's a risible excuse, it's like telling the missus "Sorry, I know you're upset at me shagging your sister, but it's years since we got married. As for the cert, I can't even remember signing it!". You're reminded of your responsibilities all the time in such a job, including regular compliance audits and training sessions on info security including your personal and professional obligations, along with a run down of the consequences of being a naughty boy.

        As for the low pay, I doubt that very much! You have to be a very good techie to work on this critical stuff, often with quals in formal systems theory and other abstract stuff. Your code has to be perfect in robustness and efficiency. And people do not put up with DV for low pay. Believe me, he will not have been poorly paid. He may have been resentful due to being unnoticed by mgmnt though, I don't know.

        To suggest that any of this justifies or excuses his crimes, even remotely, is frankly ludicrous. This stuff is top secret for a reason - sharing it can be hugely damaging to the security of the country, and not just in a hypothetical sense. You should understand cybersecurity well enough to know what he has leaked will be of far more value to the right people than he realises. And it will present far more risk to us. Our institutions are bombarded constantly by state hackers and they use leaked info like this to gain chunks of knowledge with which to adapt their approaches. That's why there are stiff penalties for being a reckless dickhead with govt secrets.

        His refusal to share the password means we cannot predict what the fallout could be, and that amplifies the seriousness for me, I would triple his sentence for that. He leaves us with huge uncertainty about what was shared; shows a total absence of remorse or contrition; and gives a smug middle finger of disrespect and contempt to the court and to our national security. All from a guy who was trusted with top secret clearance. He's a total disgrace, at least he'll have a long time to think about it in prison, hopefully he'll come to realise how much of an arsehole he is.

        I stand by what I said: his behaviour is inexcusable.

        1. Anonymous Coward
          Anonymous Coward

          Re: Inexcusable

          You really do like to put words in other people's mouths don't you?

          No one said that stress or anything else *justified* his crimes - merely that it might have been the trigger or a contribution to the trigger.

          Knowing the trigger is important because it will help identify and prevent future cases. Throwing someone in jail is all well and good but the secrets have still been spilt.

  12. helkiah

    This guy has put lives at risk and has got off lightly. Even if he suffered mental health issues it should not be a pass for all and any criminality. I expect some terrorists were indoctrinated as children, and a bit of sympathy is not inappropriate, doesn't change the fact they should be locked up for a long long time, same with mental health. After all, criminal justice should not be just about punitive action against an individual, it should be about protecting society.

  13. Long John Silver
    Pirate

    VeraCrypt's deniability feature?

    VeraCrypt offers a deniability option whereby the container holds two sets of data each with its own access key. One key leads to unremarkable content: the other to the hidden data. According to VeraCrypt's makers, it is not possible (by which I think they mean exceedingly difficult) to tell whether a container has two differing sets of contents. When opened the non-covert version offers a directory to which more information can be added up to the titular capacity of the container; that risks destroying the hidden content.

    The 'open access' content ought at least be deemed confidential (e.g. bank details and other personal information such as Bitcoin wallet containing trivial amount of coinage) to give justification for having encrypted it. The key to this can be handed over. I suggest a more professional malefactor or security agent would profess great reluctance to hand over the false key by virtue of privacy concerns etc. Only when push by the authorities becomes real shove with charges laid should the false key be disclosed.

    1. mutt13y

      Re: VeraCrypt's deniability feature?

      That is a huge problem you know?

      Let's say you are using an encryption system with this feature but you didn't use it.

      Police ask you for your password, as you don't want to go to prison and there is nothing much of importance in the encrypted data so you hand it over.

      They find nothing.

      Now they want the other password (which does not exist)

      Of course they won't believe you and there is no way you can prove you haven't used the deniability feature.

      So it's 2.5 years in prison for you for using an encryption system with this feature.

  14. tentimes

    I forgot

    I forget my passwords all the time when I make VeraCrypt containers - why can't he just say "Sorry, I forgot"

  15. Claverhouse Silver badge

    Judiciary or Minister ?

    Amidst all this my main concern is that the government can intervene and determine [ increase in other words ] judicial punishment after the sentence.

    It all sounds like the sort of thing attributed to enemy regimes, whomever they might be on the day, or antique tyrannies against whom the enlightened lovers of Freedom! fought. Very Bidenesque --- he loves stuffing people in prison and increasing penalties: see the War on Drugs and a dozen other little wars...

  16. Anonymous Coward
    Anonymous Coward

    crime in 2021

    Must be exhausting being a criminal in 2021. You have that spur of the moment impulse to do wrong but you have to figure out how to do it in a digital way.

    You get the impression the authorities encourage this impression in the hope people will do it all like that.

    Must be real disappointing when another stabbing or fly tip occurs and they have nothing to go on online sat at their desk next to the radiator lol.

  17. Anonymous Coward
    Anonymous Coward

    Some have multiple OSA signatures in different legislations.

    Anonymous for reasons. I have on many occasions signed and resigned the OSA (UK) and foreign versions as well for other nation states. Each change of project involved another signing, as each project had to have its own paperwork clearly in order. That and clearance are not 'forgettable'. There is some containment of risk, due to no one having 'complete knowledge' except for 'fault tracers' who investigate incidents, as they can only do so with a full oversight of the entire project, its hardware and understand its use and software and political controls; and its 'results' if badly used (accident, or deliberate breach) or out of control or just 'plain error in design'.

    If laptop contained facts, why did the accused 'write from memory' as to what he knew. The paper trail in all security work is enormous, and his laptop may only have what he 'took home'. I doubt it was his work laptop but a personal laptop. My work laptop was safely put into a safe every evening. Clear desk policy.
