Youth jailed for not handing over encryption password A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. Oliver Drage, from Naze Lane, Freckleton, Lancashire was arrested in May as part of an investigation into child sexual abuse images. His computer was …
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad...
Although he may have to claim expenses for a new keyboard and treatment for carpal tunnel syndrome.
This story just proves how old I am getting. I can still remember the days when a person was presumed innocent until proven guilty.
That said, I am pretty sure that the European human rights charter includes the equivilent of the 5th, i.e. that you can not be forced to incriminate yourself.
...he was. He was considered innocent of not disclosing the password, and then they proved it. So he was guilty. The problem here is not convicting him for a crime they havent proved, it's them criminilising behaviour that *should* be a persons right, i.e not to self-incriminate.
It's easy, you just write the laws the right way. He has been proved guilty of not typing in his password; hence jail time.
Other offences soon to hit the statute book to be used whenever they want:
"Looking funny"
"Taking a photograph"
"Sitting on the tube, reading Metro"
"Breathing"
Encryption exists because there has been a need to safeguard certain information. It is used in a capacity to protect personal files just like it is used to protect say credit card information. However RIPA deems it a crime in circumstances they see fit. If they want to differentiate between what is acceptable and what is not then I suggest that encryption be made illegal in this country for non commercial use rather than jailing people because they will not cooperate. There is a clear distinction here between ones liberties and preventing people from covering up a crime.
I'm not sure that there should be an absolute right to hide behind unbreakable encryption. One doesn't have a similar right with respect to paper documents. Provided the police have obtained a search warrant, they can legally break any physical lock if you won't provide them with the key. (There's no such thing as an unbreakable lock or safe).
Do the police have to obtain a search warrant for your computer, before they can order you to decrypt? If so, that appears to be an appropriate safeguard, and an exact analogue to what has been the case for paperwork for many years.
If they don't have to obtain a search warrant, then they should be required to.
There should probably also be a provision that evidence obtained by requiring one to decrypt should be admissible only if it confirms the suspicions that led to the warrant being granted. In other words, if they are investigating money-laundering and they find only porn, they should not be able to charge one with posession thereof, because the grounds for the warrant have been proved false.
A problem with that approach is that the file in question might be obsolete and the password long forgotten. I'm an IT consultant, and whenever I have to store data from my customers, I use encryption. Most of those passwords are lost and forgotten only a few days after the work is completed, but I often forget to remove the encrypted files from my PC. After reading the article I made a quick search and found seven of those files, aged between three weeks and four and a half years. I just remember one of the passwords, from a file created in summer 2009. I remember it because the password was a funny word related to the owner of the data.
And don't forget I'm an IT pro and use lots of passwords. I have seen people forgetting their passwords two HOURS after creating them.
The thought police can jail you for forgetting something. Sounds really bad, doesn't it?
But how do you enforce a search warrant for the contents of someone's memory? How do you prove that you've forgotten a password or that you've never had the password in the first place.
If you've downloaded the wiki-leaks insurance file how can you prove that you don't have the password, or that it isn't infact your secret stash of terrorist manuals that you've renamed to look like the wiki-leaks file and do really have the password for?
Also if you followed the US system and had "Fruit of the poisonous tree" provisions in the warrants, the exceptions on the search being carried out in good faith would kick in and it would be a legal search.
*Note to self - remember to use the "Reply to this post" button next time
The chap we are discussing "refused" to provide his password. I'm assuming that meant he said "No" rather than "I've forgotten it". The latter would have been a smarter answer and I'd hope it would lead to an acquittal - how can the prosecution possibly prove beyond reasonable doubt that this is not the truth? If it really is illegal to forget, I'd expect a jury nullification, or a successful appeal to the EU court of himan rights.
I agree that the whole concept is stupid. Anyone competent with something to hide will combine steganography and plausible deniability (multiple encrypted volumes in one hidden container, one or two innocuous volumes that you're happy to reveal if they can work out where they are hiding, using software that always creates large amounts of random padding so they can't hope to prove that you're concealing more than you've shown them).
re: Fruit of the poisonous tree... a former net acquaintance was under investigation for Social Security Fraud. Law enforcement was searching his house for proof that he was running several businesses while claiming SS Disability. One of them, I believe a USPS Postal Inspector, found some video tapes in the closet and tried to pop one in a VCR but couldn't because there was already one in the player... he turned the VCR and the TV on, and found to his surprise, not evidence of financial crimes, but porn, and specifically child porn. He stopped the tape, called the courts for another search warrant specifically related to porn and child porn, and then arrested Jack on federal child porn charges... Jack is now doing time in Arizona on some charges, and when he finishes his stay in the Arizona iron bar hotel, he has a date with a federal house of detention for another 5-10 years. He won't be free again until he's about 75 or older. I only "knew" him because we were on the same email list, but the owner of the list tried to hide the charges from the rest of the list, and in fact went to a moderated list and refused to allow anything negative to be posted about him. She also threw a number of people off the list because they tried to post the true story.
Fail, because Jack had already been a guest in the pokey on several previous occasions, including once for murder.
We have arrived at the point where citizens are only allowed to have security of information if the government they elect allows this. I can see the pros and the cons, having a number of TrueCrypt files for sound reasons that do not involve breaking laws of any sort, and having a dislike of the offences of which the individual has been accused. That leads me to ask, was this individual using an encrypted proxy? Is this why the enforcement agencies concerned are not trotting out the data here?
As others have said, "innocent *unless* proven guilty" would be nicer; "innocent until proven guilty" seems to suggest that you are, inevitably, going to be found guilty, but that it has not yet been proven. (That particular phrasing sounds like it was drafted by someone who believes in the concept of "original sin"; we are all guilty.)
Scene 1: a court room.
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Scene 2: the same court room,four months later
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Rinse and repeat Scene 2 until the accused hands over the password or dies of old age.
Memory erodes over time and it would be a very silly criminal who did not realise that the "I've been in prison for so long that I have forgotten" option is available.
As someone observed indirectly, we are now at the gates of a new era of thought crime. "We know that you remember so we are going to send you back to prison until you unlock your thoughts".
To my mind, at least, it's not clear that the double jeopardy principle would apply. The crime, for which he was imprisoned, was failing to comply with a s49 order. I agree with you that he cannot be tried twice for the breach of a s49 order- the double jeopardy principle.
However, there is nothing in ss49-51 of RIPA which prevent a law enforcement agency from issuing another s49 notice, seeking the same information - this is entirely different to charging someone again for the same crime. If he fails to provide the key, he is tried for the breach of the new order, and thus commits a new, triable, criminal offence. There is no double jeopardy issue here - it's breaching a separate s49 notice.
There are two competing policy issues here - one is that someone should not be tried twice for the same offence (although under attack in some situations), and the other is that someone should not be entitled to obstruct the investigation of a larger crime by committing a smaller crime, and take the penalty for that smaller crime as a way of preventing the investigation.
I'm not aware of any legal authority on this, so just going on the basis of what makes sense to me in terms of approach - I'd be very interested to see something which suggests a different approach.
"Double jeopardy" is not out completely - the Court of Appeal held that there can be a retrial where there is "new and compelling evidence". There's ambiguity as to what this means, for sure, but it does not mean a complete revocation of the principle.
I meant to add in my previous response, that the principle of double jeopardy applies to someone who is tried and acquitted, not someone who is tried, found guilty, and serves their sentence - that someone cannot be tried again for the same offence after serving their sentence comes from the fact that the have done their penance - the slate is wiped clean. In the situation here, the slate is wiped clean only in as much as the breach of the previous s49 order has been remediated - another order, another breach, another slate to wipe.
> Double Jeopardy.
This is incorrect.
> He's refusing to give the password for the same encrypted volume he refused to before.
Doesn't matter. He's guilty of failing to comply with a section 49 notice. He's not been charged with respect to the curernt notice before, so there is no "double jeopardy" involved.
Claiming that this is the same offence is like claiming that a recidivist burglar shouldn't be tried for subsequent burglaries, because he's already served time for it. That was a different burglary. That was a different Section 49 notice.
> Worst that can happen here is being found in contempt of court
No, the worst that can happen is that he can be sent down for another 5 years (if they mention "national security" often enough) *and* face a large fine.
> and being returned to jail every time he refuses to give the password, but that's not within the
> remit of s49
It's within the remit of a new Section 49 notice. There is no stated limit to the number of successive notices that can be issued - only that the issuer must have "reasonable grounds" to believe that the defendant has the decryption keys sought.
Vic.
Surely the crim (according to witnesses and ISP logs an alleged trader in child porn) should be thinking:
X weeks for non-disclosure followed by (after encryption is cracked in a few months) Y months for child porn offences and Z months for perverting the course of justice - and then of course a large bill for the costs incurred in cracking said encryption and a long stretch of the sex-offenders register.
Still on the bright side, its good news for security consultants and children.
I may be wrong, but i was under the impression that police forensics had access to some pretty clever password cracking tools, ie they can use known information about a suspect to steer the attempts. psych profile, hobbies, tv viewing, etc.
A 50 character password has to be some kind of memorable phrase, if it's not written down or the suspect is rain man, a few special character obfuscations could make it nasty enough but a number of set rules could take care of most of those.
>A 50-character password? More like untold trillions of years.
Months more like, its not unknown data - at worst they are looking for filetypes which will provide plenty of known plain text/data, at best they will have specific files which they expect to be there after examing the ISP logs and the files he traded with others who were nicked at the same time.
"and then of course a large bill for the costs incurred in cracking said encryption"
When was the last time you cracked a 50 character password?
If the guy was using decent encryption software and used a 50 character password the police have got a snowballs chance in hell of cracking it. Even if they knew where to start.
If the authorities *could* break encryption they aren't going to admit to it in court for such a minor offence. And before anyone starts he his a small fish as far as the Government are concerned. They aren't going to reveal their capabilities in this field for day-to-day criminals.
So they aren't going to crack his password even if they could.
>When was the last time you cracked a 50 character password?
Quite regularly when doing security audits. Passwords that long are almost always built on dictionary words and simple patterns - in any case a simple brute force attack wouldn't be the approach used where the contents of an encrypted file are already known.
>If the authorities *could* break encryption they aren't going to admit to it in court for such a minor offence.
Weaknesses in practically all commonly used consumer grade encryption are well documented as are the 'authorities' capabilities in defeating them. Its not a question of admission, simply cost over public interest.
> Can the ask him again, treat it as a separate offence and charge him with it?
The issuance of a Section 49 notice does require that the issuer has "reasonable grounds" to believe that the victim[1] has the encryption keys being sought. If the poor sod has already done time for failing to cough up the keys, there is eventually going to be some room to claim that those grounds are unreasonable, and thus that the notice is unlawful.
But that won't necessarily stop second and subsequent notices from being issued - it just gives some sort of defence in court.
Vic.
what you are saying is that if they get done for not giving away their password they still don't get punished ENOUGH for the crime we can't prove they did so we ought to make the dirty pedo sign the offenders register for refusing to disclose the password. Better safe than sorry.
Now how to do something about those THOUGHTS people keep having...
to the right to remain silent?
are UK laws that different from Dutch laws? if i don't want to say anything to the cops, i don't, it's that simple.
"you're only making it harder for yourself"
yeah right buddy, you stick to that story and i'll stick to mine, ok?
so what's the deal here? has the UK given up on this or what?
I am not a lawyer, and thankfully I've never fallen fowl of the law, but the right to silence has been somewhat subjective in the UK for many years.
http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales#Facts_later_relied_upon
When arrested, persons are told "you have the right to remain silent [...] it may harm your defense if you fail to mention when questioned something which you later rely on in court" or words to that effect.
Basically this means that negative inferences can be made on the refusal to provide information. In this instance, refusing to give up the password implies there's something he doesn't want people to see within that file.
As previously pointed out, 16 months in jail and a record for what amounts to failure to cooperate with the police versus them finding the suspected images and the baggage that that brings (assuming, of course, that it contains what they think it contains) probably seemed like a good trade-off.
At least they don't have free reign to convict people of the suspected crime rather than the side-effect crime. Yet.
"You have the right to remain silent ... mention now ... etc...."
Yes officer I'd like to say "zxplLkIujnn*&^fh44£$FklpkjbMHFGXFWzchbjn kju642dhvnblp}[1b36nndfj3jdnx^nbghfhkl;LHGGVBL"
Later in court :
Q: Would you like to tell us your password?
A: I already did. It's not my fault if the police didn't capture that evidence, is it? I've been stuck in a holding cell for the last 3 months awaiting trial and I've now forgotten what the password (if there ever was one) was.
Would that work????
LOL.
Oliver will be out of prison and lying in his casket before they crack that one.
One has to wonder how they know it's 50 characters though... is that just the maximum length permitted by the software he used? Or did he tell them it's 50 characters long, knowing that it's only 49 characters lol.
(can we have a Bacon 'n' Doughnuts icon?)
Long password = GOOD
Not using a hidden container for plausible deniability = FAIL
Also, I've never fully understood the whole "refusing to co-operate" thing with encrypted files... how can they prove you haven't genuinely forgotten the password? Or that the password you gave them is correct but, due to legitimate file corruption, just doesn't work any more?
I've not bothered to read through the TruCrypt docs about this, but I'm intrigued about how this works. I've always wondered about the free map in the main encrypted volume. If the hidden volume blocks are not to be over written then they can not appear on the free map of the main file system. So the prosecution could no doubt argue that the size of the volume you have opened doesn't match the size of the disk. So anything missing must also be encrypted.
I'm sure there is an answer to this as the blokes who write TruCrypt are brighter than me.
Just intrigued.
... TC freespace is encrypted. If you mount the non-hidden volume and write to it, you will indeed run the risk of overwriting a hidden volume. If you want to write to it, you mount it with the hidden volume protected - which of course means entering passwords for both inner and outer volumes.
So if you are forced to give up the outer volume password, noone can prove - except by cryptanalysis - that there is a hidden volume. They could destroy that hidden volume though, by mounting the outer one with the outer password you've given them and filling the disk up.
It's pretty straightforward, it's all about making life easy for our esteemed chums in uniform. They don't need to prove anything, it's up to _you_ to prove that whatever is in the file is legit, by decrypting it. If you don't, you're screwed.
Presumably you could end up with something on your drive that looks as if its encrypted file but is actually just garbage (perhaps a corrupted temp file created while zipping) and go to jail for not turning it into a plod-readable format. That would suck.
"I see you've used TrueCrypt. We know this has a hidden volume function. What is the password for the hidden volume."
"I don't have one."
"Prove it, or another 4 months."
"..."
"Enjoy your communal showers."
You either have a hidden volume with MORE innocuous data, or you are screwed. TrueCrypt is not the answer.
Just having a hidden container isn't enough. There are lots of other things you need to do, and even then if your disc is being monitored (snapshot before, snapshot after) it is possible to break PD enough to prove the existence of a hidden container by modification.
Though no security expert in their right mind is ever going to fall for a True Crypt container not having a hidden container. Most of them probably do and are probably full of kiddy porn or almost certainly something dodgy enough to want to hide from the authorities.
However, with respect to the law on not providing your password, how do they prove you are refusing to provide it rather than you just cannot remember it? (assuming again the disc hasn't been monitored to show a modification to the seemingly random data, which proves you managed to access it recently).
Chances are though the "kid" just left loads of holes open in Windows that leaks the data.
How do they prove you haven't genuinely forgotten the password?
I think the general idea is that the prosecution and defence explain their arguments to a group of 12 people known as a "jury". Apparently then the "jury" decides the outcome of the case based on whom they believe.
The way "they" prove refusal to co-operate is usually to put the defendent on the stand and ask him lots of questions about it.
It's pretty simple really.
...maybe he ain't. But 16 weeks for not handing over a password when you can lamp someone in the face without getting locked up for that time - if at all - is unnecessary.
Two questions -
1) How can they tell the length of the password?
2) If they know it's 50 chars, what makes them think they can 'crack' it?
One assumes our friends in Cheltenham were more helpful. So why not just stuff him for the price of the decryption rather than send a man of previous good conduct to a university of crime where his IT skills may open up more serious career opportunities than he is likely to get on civvy street.
If on the otherhand the guys from the big G can't crack it ... then why do we 'ave 'em?
The big G probably can crack it but they might not want the world and his cat to know they can.
Or maybe they can't but want you to think that they can by not saying they can crack it.
Either way why blow your trump card on some lad with a laptop full of kidde pr0n.
Criminals get lots of information on police techniques from evidence disclosed in court.
"Oliver Drage, from Naze Lane, Freckleton, Lancashire was arrested in May as part of an investigation into child sexual abuse images."
Funny how the news articles haven't said a thing about this investigation such as specifically what was being investigated, whether anyone else was investigated or arrested, what the police's reasons were for believing Mr. Drage was involved in child sexual abuse images, and whether or not those reasons were so compelling it warranted a thorough search of the bloke's hard-drive?
> His computer was seized by police who were unable to access some material on it thanks to a 50-character encryption password.
'Some' material? Anything else to say about that, perchance? What size of material? A suspiciously large size, or something tiny? What was it about the hidden material would give rise to the suspicion that it was related to child sexual abuse images?
> Only one other person has previously been imprisoned for this offence.
Yup, and what a non-threat he turned out to be. Another victory for the legal profession. Yay for the justice system! *farts*.
> Det Sgt Neil Fowler, of Lancashire Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence," PA reports.
The courts always take the view that anyone who refuses to co-operate with the police are up to no good, which is odd because it flatly contradicts the principle of 'innocent until proven guilty'. More like 'innocent until your behaviour looks a bit sus and then, despite having little or no evidence, we'll give you a quick blast in the cells to see if that loosens your tongue'.
"Police say they are still trying to crack the password."
Good luck with that.
I seem to recall that Radio4 news either last night or this morning, said that there were a bunch of people the rest of which had been sent down. I may be mis-remembering and to be honest I can't be arsed to check it out, what with being at work at the moment...
Also, it's interesting that he refused to tell them the password rather than claimed he couldn't tell them the password, maybe this is how they know it's a 50 letter password?
I can't really see any difference in principle between the use of torture to obtain a password or the use of imprisonment. Many will argue that he must have been doing something wrong, but nothing has been proven against him other than breaking the controversial law on which he has been imprisoned. There is a wealth of legal tradition that he should not be obliged to provide evidence to be used against himself which this provision of the RIPA ignores, including the US 5th ammendment, the right to remain silent, innocent until proven guilty, and ECHR convention articles concering fair trial and privacy rights.
Black people in the southern US who sat on the wrong seats on segregated buses in the sixties and earlier were also breaking bad laws which did not stand up once finally tested against the US Bill of Rights. This case is little different.
http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
Except they had a 5th Amendment.
We have nothing. There is no right we have that cannot be taken away by the government, with the exceptions of those we have signed up for in Europe. But we ignore those too, and simply accept the fine.
I want a Bill Of Rights. And a Constitution limiting what government can do.
It seems to me that this is the sort of thing that led to thousands of people fleeing tyranny and coming to what now is the USA. If there were another habitable, "accessible" hunk of lightly populated land, would this lame law be sufficient trigger for a modern-day exodus?
OTOH, way back when there was a chance to possibly still-birth any creation of the USA, but the powers that were didn't deem their subjects uncontrollable nor deem them worth appeasing sufficiently and more. So, i wonder how long it will take for the UK (irrespective of its unique local terror issues and hugely diverse population from all parts of the world, and that in itself making for a huge potential for undiscovered plots and mischief in the planning) suje.. population for FORCE its will for a wee bit more protection.
All that said, we have enough corruption and incompetence here in the USA to make the 5th irrelevant for some hapless citizens and residents. By the time a sensible judge rules in favor of the accused, the local cops and district attorney generally have wrought their irreparable and uncompensateable damage. Just look at how many people every year or two are exonerated by new DNA testing, years to decades after being wrongly (and maliciously) accused, charged, and convicted so some DA can look productive or proactive.
The police found porn on a YOUTH's computer. They have enough to send him to some reform or rehab, or crime diversion/aversion courses. But, not satisfie, they persist to break his ball$ over some encrypted files they JUST WANT TO KNOW THE CONTENTS OF, and so they use on him laws best applied to bonafie terror threats.
There are people, sheep, and sheeple... and the world is rife with powermongers and crusaders even when good enough is good enough...
The crime he has been convicted of and sentenced for is the "crime" of not revealing his password in order to prevent the cops from looking at his encrypted data.
Totally separate to the charges relating to child abuse images, which they will likely prosecute for if they crack the encryption.
Don't get the two things mixed up, they are quite distinct.
If the Police have a warrant to search your computer, how is refusing to allow them access to an encrypted file (as opposed to claiming you can't because you've forgotten the password, etc) any different from barring their access from your hose, if they have a warrant to search that? I don't see why this implementation of this particular law is a problem. Had the guy said that he couldn't give them the password because he'd forgotten it, that would be a different thing.
You are aware that just because someone claims something, it doesn't make it true. (That appiles just as much to the police).
Real justice is based on evidence of wrongdoing.
Unfortunately, British justice is based on accusation of wrongdoing. And it STINKS.
... but I'll say it again. You cannot prove you don't have a hidden volume, so the implication is that you always have one. When asked for the password for the hidden volume, you will say "I don't have one."
They will say "Prove it."
You will say "I don't have to."
They will say "We didn't find anything on your encrypted volume, so it must be in the hidden one."
You will say "I don't have one."
They will say "Prove it."
You will say "Oh."
They will say "Free room and board, 2 years."
First off, an unmounted TC volume has nothing that identifies it as such - no file header, no volume map, nothing - so until you actually try and mount it with TC then it's a block of random 1s and 0s. If you have encrypted a whole physical drive then the OS actually reports it as unreadable if you don't mount it via TC.
However, let's leave that aside and assume that you want to give up the password to the outer container in the interests of apparent co-operation. Once it's mounted there is again nothing in the volume to suggest that a hidden volume exists. The outer volume will report its size as occupying the whole of the TC volume, and the integrity of the hidden volume is utterly dependent on you not writing files past the offset point that you specified when you created it.
If the authorities have been monitoring your PC and have had access to it to get before/after snapshots then there *may* be enough to introduce reasonable doubt, but it's highly unlike that plod will have had physical access to your PC while you were still using it.
As stupid as the law is over forcing you to hand over passwords, it doesn't give them the power to convict you of theoretical crimes that you have no reasonable way of disproving.
I can't prove that I haven't cast a magic spell to kill someone, but the mere accusation of such isn't enough to get me burnt at the stake for witchcraft.
I have as much contempt as the next man for Blair and the authoritarian bunch of arsewipes that screwed our country over, but unless you can point to actual documentation of the scenario you describe, it's just paranoid fantasy.
The burden of proof for there being an inner encrypted volume would be on the prosecution. They would have to show beyond reasonable doubt in a court of law that such a volume existed which, if you are competent, can't be done using technical means alone. There would have to be evidence, maybe related to personal behaviour or some such which would stand up in court. That will be difficult.
However, the "denier" would have to be very careful indeed as there are plenty of ways that the existence of such an encrypted partition and it's activity can be detected unless the right precautions are taken,
Another thing to note is that who knows if it will be possible to break some encryption in the future using new techniques. As far as I'm aware, with the sole exception of quantum and true "one time" encryption, then there are not mathematical proofs that these schemes can't be broken using some future mathematical principle. If that happens, then decrypted copies of old data might come back to haunt a few people.
Yes, that is correct, you can only be convicted where you have committed a provable offence. That is to say *evidence* must necessarily be offered. In the scenario you describe no evidence is offered. Even if a fool in the CPS (and quite a few exist) allowed arraignment, no judge in their right mind is going to allow conviction; the jury would be directed to satisfy themselves that evidence of an offence had been supplied, were the case even allowed to proceed.
Sounds like he was sentences in front of magistrates rather than taking it to trial infront of a jury. How can the police prove that he is refusing to give the password for the file he could have forgotton it or simply not know the password. Ive downloaded rar files from rapidshare/torrents/forums etc that are passworded and not everytime does the password work. if said files were then in my recycle bin and the plod came a knocking i wouldnt know the passwords for them and would rather face a jury than accept that i was guilty for not providing the password.
The crime was carefully worded by our last government, composed mostly of lawyers, as "failing to provide" not "refusing to give".
As far as the conviction goes, he has been asked, and he didn't provide it, so he's committed a crime! The reason why he didn't provide it doesn't get a look in. I'd assume there are some specific defenses based on "inability to provide" written in to avoid really, really bad press, but again, based on the lawyer backgrounds, these will also be as carefully worded.
It's disgusting how this law was brought in by new labour's Jack straw and now being used by the zealous state police are we living in some 3rd world dictatorship?
We definitely need a repeal of this outrageous abuse of state power on individual civil liberates. Every human being should have a right to privacy and right to remain silent in a free democratic society! New labour was the big brother govt that brought in all kind of laws infringing on everyone's personal and family life its time we all woke up to these abuses of legislation and lobby the government to change them.
.
.
It has been almost a year since they sectioned that other guy, JFL? Is he still in a secure mental unit? Did they ever return all his stuff? In his case I don't think they even came up with a reaosnable suspicion of what illegal material he might have encrypted.
We're getting into the realms of not just "victimless crimes" but "crimeless crimes" with RIPA aren't we?
"Doublethink means the power of holding two contradictory beliefs in one's mind simultaneously, and accepting both of them." -- George Orwell
You are a child until 18.
At 16, you may engage in consenting heterosexual sexual activity with another person over the age of 16.
At 18, you may engage in consenting homosexual sexual activity with another person over the age of 16. You may also take or pose in pictures of a sexual or lewd nature at this age, but not before.
Therefore, you may get down and dirty with your neighbour's 17 year old daughter, but you're a pervert on the sex offenders register if she "sexts" you a pic of her boobs, regardless of consent.
18 years is the age of consent for homosexual sexual activity, and for taking or appearing in sexually provocative images.
What qualifies as "sexually provocative" is left up to Daily Mail readers, by the state of things. Bearing in mind that people have married a fence, the Eiffel Tower, plus Rule 34, pretty much everything made after 1992 is illegal in this country.
Go figure.
If the image pretends their age is younger, or even if it's a generated or cartoon image, then it could still count. So if you have a 21 year old girlfriend and she dresses up like she's 12 and you take a porno photo of her, then it's kiddy porn and off to jail you go, signing the sex offenders register on the way. In the UK that is.
Send that photo to someone, or just even edit it and you're busted for "making" indecent images. Which of course is reported by the Daily Mail and the likes so you're assumed to then be a kiddy porn factory. Brick through the window and lynch mob time.
At 18, you may engage in consenting homosexual sexual activity with another person over the age of 16. You may also take or pose in pictures of a sexual or lewd nature at this age, but not before.
Hey, isn't there a glaring contradiction here? At 18 you may engage in consensual homosexual activity with someone over the age of 16, but that person may not, since he/she is not yet 18, and therefore may not engage in consensual homosexual activity until the age of 18!
Mr Bumble was indeed right!
I'll just get my Beadle's coat.
A lot of posters are commenting on the fact that, how could the police know the password was 50 characters in length. Yes, he could have told the Police which is likely a red herring if he did. Anyone who uses passwords on a regular basis (which I do - over 2000 and wrote a database to manage them) will know 50 characters is a freakishly long password and too round a number to be realistic. But most posters are missing the point here and that is what encryption was used. Did he use AES 256 then likely it would take the Police 50,000 years to decipher or did he use 3DES with a 128bit key then, they may well crack it with the right hardware. I think the charged would have said a 50 character password if the encryption was weak - I would have.
or Indeed anything by Cory Doctorow.
Very good story in it's own right, but very applicable to this so-called 'war on terror'/'think of the children' scare-mongering that seems to be a government favourite.
OK, so he may have an encrypted file with all sorts of child porn in, but then again he may not - obviously without opening the file people will never know - but it seems to me that if he is guilty there must be more than just the contents of a file to get him convicted.
Does that mean that if i encrypt a file and ftp it, to as many publicly-accessible machines as I can get anon access to, that I could get their owners in trouble? After all they will not have the password to that file either.
It smells to me as if the Police don't have anything else to use, so have been forced to go this route.
ttfn
And they will find out the kid is innocent (after they cracked the pw) and he was jailed in unlawful manner. Only the time for "not cooperating with authorities" can be legal. FAIL.
or....
The crime prescribes in 50 years or less and he can´t be convicted anymore. FAIL.
You can only be arrested if their is reasonable suspicion of committing an offence so being able to remember or not at that time is not really relevant except if you were able to provide an aliby which the police could check.
In the event, then if it did come to court and still stated you could not remember then it will be up to either the jury or judge/magistrate (depending on the circumstances) to decide on the credibility of this lapse of memory. If the 18th was three days ago then that's going to be a very different thing to the previous "right to silence". Of course there is also the "right to silence" where the rules have changed. Now if you don't answer questions during the interrogation that can be taken into account.
Note that there was never a "right to silence" in court if you were being cross-examined. That right could only be exercised if you weren't called to testify by the defense (the prosecution had no right to call the defendent to testify - only to cross-examination if he/she did appear as a defense witness).
If you couldn't recall a password for an encrypted file and pleaded that you had forgotten it, then it would be up to the prosection to prove beyond reasonable doubt that this was not the case. If you had a whole-disk encryption and other evidence was such that the machine had been in use the previous day, then the amnesia claim might not hold water. However, if you had a three year old file that was encrupted and hadn't been accessed since, then that would be a different thing.
> If you couldn't recall a password for an encrypted file and pleaded that
> you had forgotten it, then it would be up to the prosection to prove
> beyond reasonable doubt that this was not the case.
That is not the case.
RIPA 2000 makes it a criminal offence to fail to supply a password in response to a Section 49 notice. This notice may be issued by a number of "authorised" persons (many of whom are not judiciary) if that authorised person believes that there is encrypted info in your possession. It is not even a defence to claim that the alleged encrypted dump is nothing of the sort - a court could still send you inside for up to 5 years.
It's one of the worst laws we have on the books. I hope this example might get someone in authority to repeal such draconian nonsense - but I doubt anyone will :-(
Vic.
One thing occurs to me; I use TrueCrypt to encrypt backup data. If the plod decide I might be a terrorist or whatever and pull me in for questioning, and I give them my password -- no point in me not given that there's nothing more exciting than my bank details -- surely there's still the possibility that I've not told them the "other" password, and therefore I must be guilty?
So even though I don't have a hidden part of my TrueCrypt data, no one can prove that I don't and therefore I may not have disclosed a password!!
Seriously... this is nuts!
Also, what if I've simply created a file in some app or other, passworded it, and then forgotten about it? E.g. if I'm testing the application. Or if I've genuinely lost the password but I've not deleted the file.... because of course, I wouldn't because I'd be hoping I'd find/remember the password at some juncture. And *then* I find that because of this I'm guilty.
I honestly can't believe this can be legal.
I can understand why this is an issue to the police/MI5/who-ever, but their approach is terrible. Would they not be better keeping the encrypted data on file and waiting until they do have the tech to decrypt? In many cases I'd expect there will either be a crack discovered which weakens the encryption algo and certainly there will be more computing power available for brute-forcing over time, so I'm sure they'd have the tech to decrypt within 10 years? Not ideal I guess, but better than throwing people in jail for a different crime.
I've got an encrypted hard drive, mail databases with another level of encryption and yet a third on any USB keys I carry. It's not a UK company but I travel to the UK. If I was asked to divulge I'd be in an awkward cleft between my terms of employment (saying I can't tell anyone outside the company my password) and the UK law. To add a level of complexity, sometimes some of that data contains information which is confidential to departments of non UK governments and my company would be in legal trouble (or more important to it, would face financial penalties and possibly be excluded from future work) if it agreed to expose it.
No you wouldn't, any more than you'd have a conflict between your company asking you to attend a conference by a certain time and the police pulling you over on the way. Your company might penalise you for having been speeding, but they can't tell you to force the cop cars off the road.
Employment law is absolutely, totally, without-a-shadow-of-any-kind-of-doubt clear that an employer cannot tell you to do anything illegal. You can tell the cops all this, and you can call your company's lawyer in. But if the cops insist on it being decrypted, they get it.
... use a secure wipe when your deleted your files (with a heavy duty 7 pass or more secure wipe algorithm), wipe caches, temp files, and secure wipe your pagefile (contains chunks of memory that was in use at the time), and don't use hibernation files? Even then, burning the hard disc is about the only safe way to really delete the evidence against a truly determined analyst.
And then of course your memory stick has all the incriminating evidence, complete with your finger prints.
and when you've burnt the memory stick, you've been round to the ISP to wipe the logs of what you've downloaded and the caches from the proxies all along the way that contain copies of your data.
Say the police had a warrent to search your house and you had done something to make that impossible. You are obstructing justice. Whether the warrent is justified or not, once it has been issued they have the right to the search.
Once the police obtain the right to search the laptop any method used by the owner (i.e.: encryption) is interfering with a lafful search.
the whole encryption thing is intended to protect company secrets or personal information and I cannot think of any reason why the police should not be provided with the password. If they misuse the info I also believe that the owner has the right to sue the heck out of them.
>>"It is more like the police having a warrant to search your caravan and asking you were it is parked. How do you prove you don't own a caravan?"
In the case where there clearly is an encrypted file, and the person doesn't deny that that's the case, the it's pretty much exactly like someone having a safe on their premises.
As for cases where passwords may have been lost, or cases where it's not provable that an encrypted file actually exists, etc, I guess we'll have to wait until a case like that gets heard in court.
Of course, someone trying to /falsely/ claim in court that a password was lost/forgotten or that hidden data really was hidden might have to be very confident that the reverse really couldn't be proved in the future, possibly even long into the future, if they didn't want to risk what they said coming back to bite them.
That's pretty much how I see it. (Though misuse of seized data should be a criminal offence as well as a civil one).
If the police had a warrant to search my house, and I had a safe which I *refused* to give them the combination to, and which they would be unable to break into (say it had a mechanism to detect tampering and destroy the contents) that's a reasonably fair analogy to refusing to hand over encryption keys. There's nothing magically more private about data on a computer than data anywhere else.
Whether I'd be committing a crime depends on whether I actually have a legal right to frustrate a search, not on whether I have a right to avoid self-incrimination.
Now, if I'd said that I *didn't know* what the combination was, then I guess it would come down to how plausible my story was to a magistrate or a jury.
If they disbelieve me sufficiently, they may still find I've deliberately frustrated a search.
Actually, your example will be more akin to locking up your computer. A more akin analogy would be me hand-writing my documents in an illegible mess that only I can read. The police with their warrant can confiscate those documents all they want and bring in professional writing analysts to decipher what I've scribbled, but I don't think they should be allowed to force me to read its contents out loud for their convenience, otherwise it defeats all visage of the incrimination thing.
In the 'your house is being raided' scenario, if you handed your front-door, back door and shed keys to the police they could still be locked up afterwards and no-one aside from the holder of the keys could then access those areas.
If you write out, say or otherwise divulge your password to whatever files etc. you may have then anyone can then access those files.
I would have thought a more logical approach would be to get the owner of the files to unlock them - actually knowing the password is pointless, it's knowing the contents of the files is of a criminal nature and that it is provable that the 'accused' is able to access that file.
If they refuse to unlock the file it would then come down to the 'can't or won't?' question which should be handled by a jury with access to the information that led the police to the persons door in the first place.
ttfn
What happens if you have a safe, and you refuse to give them the combination?
You have the right not to incriminate yourself. This trumps the obstruction of justice (or it did, until RIPA was brought in).
While I understand that most sensible people with nothing to hide would just hand over the password or safe combination, the right not to incriminate yourself is a fundamental feature of our law. Without it, how many forced confessions or fake statements would be appear in court. Most of our Police would never do this, however given the pressure from the media to obtain results, you can see why it happens.
Sorry, there are a bunch of posts mentioning the right not to incriminate yourself, but this is completely bogus. The right not to incriminate yourself is NOT a right to obstruct an investigation.
Providing a combination or a key to a safe is not, in itself, self-incriminatory, even if the contents of the safe may incriminate you.
Providing an encryption password is not self-incriminatory either.
I really don't see the distinction as being particularly subtle -- it seems bloody obvious.
In general, you cannot prevent police from gathering information that they have a legal right to gather -- and nor should you be able to. Encryption is a special case, since it may be (practically) impossible for them to gather the information without your co-operation, but I really don't see the difference, in principle, between that and them subpoena-ing documents for example. If the cops show up at your house with a warrant to collect some documents that they know you have, you have no right to lock your door and run in and burn them.
Note, I'm not commenting on the particular implementation of this law. If the law is, as some have commented, specifically "failure" to provide, as opposed to "refusal" to provide, and you can be prosecuted for forgetting, or perhaps never even knowing the password, then the implementation is moronic.
Alternatively... the fuzz come to your house with a warrant. You are there, your house is there, your possessions are there.
Well, this bloke is in jail, and his laptop is where? With who? Data is a heck of a lot easier to invent/falsify than a signed paper document (which can be proven to be genuine or not) and so there should be provisions made accordingly.
Well duh, for exactly the same reason that you don't have to provide police with every encryption password you use before they get a warrant -- you have a right to privacy (albeit not an absolute one). But once they jump through the legal hoops, yes they can search your house and your bedroom and your bathroom, and you have no legal right to prevent them.
And I'm sure, if someone came up with some kind of a front door lock that was unpickable and the house was otherwise impossible to break into, they would come up with a law that said you had to provide the key, if in your possession. And I have absolutely no problem with that.
For all those setting up the strawman of "Warrant to search the permise"
If the police picked you up from your place of work or off the street and told you they had a warrant to search your house and you said
"FIne but I've lost/broken my house key and don't have a backup copy".
You would NOT go to jail for 5 years for loosing your f***ing door key, they would just break in and search the house.
When plods demand access to encrypted data, do they have specify exactly what it is they are looking for? Or can they demand access on the pretext of terrorism/kiddiepron/<insert panic of the day here> and then prosecute if they find something else they don't like?
Perhaps the lad didn't want to reveal details of his drug dealing empire, or the investigation he was doing into corruption in his local force?
Unfortunately, you are completely wrong.
Tony Blair's government abolished Double Jeopardy in order to secure a conviction. Gordon Brown abolished the Law Lords. If Labour had been re-elected, you can bet Nulla Poena Sine Lege would have been next -- they were already grooming the public to accept it.
Double jeopardy means you can't be tried for the same offence again if you were found not guilty first time round. That was what they abolished so they can keep taking you to court until they get the "right" result. However, once they get the guilty conviction, I don't think they can prosecute again.
You are indeed correct; one cannot be punished more than once for committing an offence. It is one of the major bases of law and, were it overturned, there would be little point in the civil populace remaining civil. Such a condition would indicate revolution, the overturning of government, and of a fair law. Punishing an individual more than once for an offence would make the law no better than an offender, walking down the street and assaulting people for no reason other than dislike.
Tony Blair may have been the driving force, but I don't recall there being much resistance from the other parties. The Tories in particular have a poor track record on civil liberties. For example, their manifesto included a pledge to abolish little inconveniences like the human rights act that prevent them getting really down and dirty with you, should the need arise. Roll on AV which will give us a chance to vote for who we want without putting who we *don't* want in charge!
David Allen Green AKA Jack of Kent is going to cover this on his next blog. He's a well known liberal, yet sees there is an obvious conflict of human rights here. The first is the right to privacy against that of handling serious crime; terrorism, paedophilia and the like. As usual, the normal libertarian fringe element sees this in a singularly one dimensional way.
Now this is not to say that there are real issues which could lead to a miscarriage of justice such as forgotten passwords. Then there is the whole issue of "plausible deniability".
Incidentally, failing to reveal a password is not the only case where you can find yourself in legal difficulties for not providing information. For example, if you give somebody permission to drive your car and an offence is committed, and you don't reveal the name then you can be in difficulties. If you don't reveal information demanded by a court order then that will also get you into the realm of criminal law.
Regardless of what offence may (or may not) have been committed, anyone who is accused of a something has rights.
If someone points at you and screams "child murderer", you have the right (and expectation) to be protected from assaults and vigilantism as well as to (legally) defend yourself (physically and in a court). The Daily Wail readers will however, wish to see you strung up regardless, due to the alleged offence, rather than any proven evidence.
We used to have a large set of rights, which have been withdrawn, and the burden of proof now lies not with the authorities, but with the accused. How can anyone prove if someone does or does not remember or know something?
Arrest != Charge
Charge != Conviction
Conviction != Guilt
The problem is that there is seen to be NO leeway for innocence. Your traffic/car example is a case in point - get done for speeding = 3 points and a variable fine (if taken to court). Failure to disclose the name of the driver = 6 points and a £1000 fine (failure to comply with a Section 172). Assume mum, dad and two children all use the same car, and all drive it separately on the same day, in close succession - and someone gets a speeding ticket during the day - 14 days later the owner gets a NIP. They have to somehow prove they don't know who was driving WITHOUT making it look like they're covering it up, OR someone has to cop for a fine and points.
As an IT Professional, I visit many client sites, and regularly work with strictly confidential information, both commercially and personally sensitive. I have been know to work for the Government, including MoD, DWP and Department of Heath.
As a matter of course I work with encrypted media and laptops all the time, and I have a duty to my clients and the Official Secrets act to keep the information confidential.
How does that fit with RIPA ??? In theory each and every client could be asked for authorisation to view the data, but what if one refuses - are they prosecuted instead of me ?
16 weeks for not disclosing the password, or life imprisonment for Treason.
Obviously this guy doesn't have that defence, but it's the exceptions to the law that prove it is fatally flawed.
You ask to talk with a lawyer/judge/home sec., and then say that the contents of the files are classified data pertaining to matters of national security.
At that level you can let *them* look at it and tell the police "nothing to see".
Of course commercial confidentiality is somewhat different, but I imagine a similar process could be applied, assuming you're allowed to tell the company whose data it is that it is being forcible decrypted.
If the employer is suspected of an offence an enquiry will be set up, the enquiry will have rights to access state secrets. You as a contractor may figure in their work, but you can be sure that people upstream will be crapped upon before they reach you and, in the event that no one in the state body purported to have committed the offence (a state body can be a legal actor and thus commit an offence) can be induced to cough up the truth you can be sure that you will at first be the investigating body's best friend. You can also be fairly sure that the enquiring body will be quite clear that the state body has committed an offence, show credentials to access classified material, and then politely ask you what you know and for access to said material which, it has to be said, you do not own and to which appropriately appointed senior state bodies have the right to access on the basis of need to know.
Most countries allow the right to hold your tongue, except when it comes to the USA torturing anything out of victim's mouths - truth or otherwise, but in Britain you are practically forced to state your defence so the Plod can go about working the evidence to refute it.
Everything is weighted against defendants which with the increasing abuse of police power it takes a very plucky young man to withstand.
Hold your tongue, young man, and show them that not all British people are prepared to roll over, figuratively speaking, and say do it again.
Am I the only one who thinks harm, or likely risk thereof, is required before anything can be considered a crime?
This legislation was brought in on the understanding it was to keep us safe from terrorists. NOT so that we can catch fly tippers, parents lying about where they live to get kids into schools or file encrypters.
All power we cede to the government will, eventually, be misused against us. Limit their power, tell your MP you want a written Constitution (and a Bill of Rights).
That'd be my preferred approach - the first half of the password is something you know and never write down, the second half is something you have written down, but is too long to memorise. If the attacker is missing either, the files are safe. The problem is convincing the judge/jury of this if you're ordered to disclose it, which is why this law is so totally fucked up. How are you meant to prove you don't know something or have destroyed something? Shouldn't it be the prosecution proving you do know something, or remain in possession of something?
This brings us to the point not made by the young man now languishing in a prison cell, presumably in a VP wing because the prison population will automatically assume that he is a paedophile; he does not appear to have said that he forgot the password, merely that he would not divulge it. Thus the 'forgotten password' is, in this instance at least, untested. Searching a legal database for precedent may help here. The precedent might possibly be very old, and thus a lawyer would be a useful source of skills.
Roper: So now you'd give the Devil benefit of law!
More: Yes. What would you do? Cut a great road through the law to get after the Devil?
Roper: I'd cut down every law in England to do that!
More: Oh? And when the last law was down, and the Devil turned round on you — where would you hide, Roper, the laws all being flat? This country's planted thick with laws from coast to coast — man's laws, not God's — and if you cut them down — and you're just the man to do it — d'you really think you could stand upright in the winds that would blow then? Yes, I'd give the Devil benefit of law, for my own safety's sake.
...if there was nothing "sensitive" in the crypto file, most people would probably hand the password over just for the sake of convenience (but then why use crypto in the first place?)
My crypto files don't contain kiddy porn or anything, but they do contain account information, passwords, PINs and other sensitive information on my life. There is no bloody way I am handing my password over to plod. It would mean closing every account (current, savings, mortgage etc) and then opening new ones (activity in itself that might seem "suspicious").
So, by the simple act of trying to keep one's life in order and following good practice; one is effectively rendering oneself guilty. Thank you "Labour" and your destruction of liberty.
I can understand why plod might want to see into these files during an investigation (especially into something like kiddy porn) but damning an entire nation in order to to deal with the acts of a minority is NOT the way to do it!
>>"My crypto files don't contain kiddy porn or anything, but they do contain account information, passwords, PINs and other sensitive information on my life."
Plod could presumably find your account numbers anyway.
Hell, anyone I write a cheque to has most of my bank account details.
As for PINs and really important passwords, I'd have thought it was safer to just store /hints/ for them than the plain-text, wherever and however the data is ultimately stored.
For most people, there's a chance that someone else could get access to their machine when such things are unlocked and visible.
Not having the information in a generally intelligible form or easily findable could well be safer than having it encrypted.
All this "will somebody think of the children" bollocks anyway. Peado's, abuser's, weirdo's, etc are nothing new. Maybe it's specific to my upbringing, but i can't imagine i am the only person with a great uncle, who was in his 90's, who we didn't leave alone with the youngsters as he was "a bit handsy". Or grew up in a neighborhood where we were told to keep away from x as he's a bit funny about kids.
None of this is new, it just used to be a "bit of a joke" 15 or so years ago, that everyone knew about and thought was a little bit sad. At some point it just turned from being "a little bit sad" to being a threat to world peace!
Can you remember 50 characters for 6 months?
I have enough trouble remembering a handful of 9 character passwords after a couple of weeks on holiday, let alone 6 months spent, presumably mainly at her majesty's pleasure or undergoing stressful complicated legal wrangling...
Just what those 50 characters are.
It could be a prayer, a poem or a song, or something 4th, maybe in some kind of combination.
Say, first line of your favorite song, followed by chorus from another favorite song, both sans punctuations. Maybe intertwined (alternating letters from the two) if you don't have to type it too often.
This post has been deleted by its author
Anyone know if any companies make a volatile usb memory stick?
Store a randomly generated decryption key (set when the encryption was enabled) on the stick and make sure the device is on an ups. Have an additional password which you are happy to supply. Plod comes in and pulls either the memory stick or the devices power to take it away and in the process, erases the decryption key. You supplying the password doesn't decrypt the data as the key that you never knew, is lost.
Would that stand up in court?
Imagine that you decided to make a secure archive of all you financial data or source code and use a good encryption product. The reason being that you want to store it on some external site like Rapidshare or even a service provided by your ISP.
You write the password down because it is long and difficult to remember, then put it in “safe place”. A year or so passes and that written password has gone missing, so you just make a new archive with new password.
IF in the mean time the fuzz suspect you of something like; “looking foreign”, “wearing a loud shirt in a built up area”, “you must be a terrorist, you encrypt your data!”, and you can no longer provide that password they can now lock you up indefinitely!
Alternatively someone who downloads some 'potentially' copyrighted material that is in an encrypted archive, and they don't see/have lost/forgotten the password can now be locked up for ever, when the maximum fine that could have been issued may be a few quid and only a civil matter, not criminal.
Typical ZanuLabour party law making.
I think it's probably an old-English hangover. 'Until' should be taken as indefinite in this context, not as in 'until death' (a given) or 'until hell freezes over' (an impossibility) but er, somewhere inbetween.
I don't think 'unless' is necessary if you take 'until' as more neutral.
I recall a history long before DNA was ubiquitous. There was a serious crime in a small wood, i think a woman was raped and murdered. A local man had been seen leaving the wood. He was tried and gave no defence, so a guilty verdict then. Several years later the true culprit was found. The original guy was freed, he was gently asked why he did not defend himself. He replied : In the wood I masturbated. Moral : Make No Assumptions.
Now the police know this. They may well be concealing what they know for sure, via credit card payments and interception of traffic. The only way I could have indecent images on my machine without the plod knowing is if I put them there locally because they have access to traffic data and can intercept and decrypt any RSA . If they know for sure what the disc carries then they are demonstrating again that they would rather conceal their omniscient powers so they can do it again, and again.
"The first 50 characters from a favourite book"
I'd make it a bit more complicated than that. There is a finite number of books and it's easily a small enough number to try many variations on the characters at the start of a book as a standard cracking tool. You might want to try combinations from different books, or maybe at different starting points.
real encrypted data is disguised I bet.
If I was bin laden, and I needed to send out my secret instructions or whatever...
I would, were I doing it, for instance, take something like
mp3 or jpeg encryption, and in the lsb parts put my data in.
Then the secret files could only be extracted by the right software
with the correct password.
This type of data hiding would be transparent.
Here the file in clear. Yes its some Hungarian nose flute music. Why don't you like
Hungarian nose flute music ????
real encrypted data is disguised I bet.
If I was bin laden, and I needed to send out my secret instructions or whatever...
I would, were I doing it, for instance, take something like
mp3 or jpeg encryption, and in the lsb parts put my data in.
Then the secret files could only be extracted by the right software
with the correct password.
This type of data hiding would be transparent.
Here the file in clear. Yes its some Hungarian nose flute music. Why don't you like
Hungarian nose flute music ????
What you describe is called steganography, and anything as crude as using the LSBs is readily detectable. GCHQ would just love it if that was what terrorist cells used. hat said, there are tools to do it properly such that it cannot be so easily detected, although it's not easy. However, you can combine it with encryption as well.
Indeed you might argue that the Truecrypt second level hidden partition encryption is actually a type of steganography in that it hides data in, apparently, areas randomised as part of secure data deletion process
I still don't see how this doesn't fall completely under freedom of speech.
You and I make up a language and have a chat.
The language is known only to ourselves.
The Police demand to know what you and I were talking about.
We tell them to f* off and mind their own business.
I would suggest that using coercion to force us to reveal our conversation is an infringement our freedom of speech.
I don't see I am any more obliged to reveal to the Police the meaning of a verbal conversation they don't understand than I am obliged to reveal a written conversation they don't understand. The medium is irrelevant, as is the reason they don't understand it.
> I still don't see how this doesn't fall completely under freedom of speech.
*What* freedom of speech?
We have no Bill of Rights in the UK. We have convention, which permits freedom of speech, but precious little legislation to back that up.
> I would suggest that using coercion to force us
> to reveal our conversation is an infringement our
> freedom of speech.
I would suggest that the freedom you espouse is illusory.
However, the Police have no specific authority to force you to decode your made-up, verbal language, so you could do this (and this is, apparently, the source of Cockney Rhyming Slang).
In the case of digitally-encrypted data, though, there is a significant difference: RIPA 2000 is enacted legislation that grants certain people the authority to require you to hand over your decryption keys. Failure to do so is a criminal offence.
> The medium is irrelevant, as is the reason they don't understand it.
This is not true (even if it ought to be).
Vic.
>>"I still don't see how this doesn't fall completely under freedom of speech."
...
>>"I would suggest that using coercion to force us to reveal our conversation is an infringement our freedom of speech."
An infringement of *privacy*, possibly, or of a right or desire to avoid self-incrimination, but I can't see any connection with *freedom of speech*.
Freedom of speech is about the extent to which you can or can't be prevented from expressing yourself in public, or have action taken against you for past self-expression.
For instance, in many jurisdictions, "telling a police officer to f* off" is something that is likely to be considered as taking self-expression a bit too far.
While I think a law like this is wrong, I can't help thinking that if I were under criminal investigation on child sex charges and I had an encrypted volume which I knew I could unencrypt and prove beyond any doubt that I didn't have any child porn on there then I would run from my moral highground and decrypt my drive quicker than anything rather than be tainted by the paedo brush, so unless his defence is "I forgot the password" you have to question why he won't decrypt it...
Or perhaps he just has something else on there which he doesn't feel like sharing with anybody?
Say, some home-made videos of himself shagging his 70 year old boyfriend?
There are many reasons to keep perfectly legal things private - just because you can't think of any yourself doesn't mean it's the only explanation. Perhaps because it's the only thing you can think of you must have something to hide. Perhaps it's you who has a touch of the "paedo brush"...
then how can anyone prove that is not an encrypted file?
Or for that matter any file - what looks like a list of phone numbers could in fact be an index for a bomb making recipe that refers to pages/chapters in a certain book.
I'm sure if you keep trying to decrypt almost any file for long enough you can generate anything from child porn to, god forbid, a Steps CD.
You can only truly prove a file is encrypted if you did it yourself.
People here seem to be missing the point. Consider the following:-
Case 1. Person is arrested and tortured (pulled finger nails, waterboarding etc.) to reveal information. Basically, give me the information or we'll do something unpleasant. That's called torture and is banned and every government is against it....they claim.
Case 2. Person is arrested and asked for his password (information). He refuses. So, they invoke RIPA and say they'll do something unpleasant (jail). This is called justice and the government is for it.
What's the difference? Both are demanding information in exchange for not doing something unpleasant.
Second point.
People keep talking about documents in safes being the equivalent in the paper world......wrong. If the police seize a written document you have encrypted using some method of another, are they entitled to force you to decrypt it? No. They have every right to seize it and go through any lock to do so, but they can't enforce you to decrypt it. So, an encrypted file is basically the same thing, yet they can force decryption.
> People here seem to be missing the point
No, they aren't.
> What's the difference? Both are demanding information
> in exchange for not doing something unpleasant.
The difference is that RIPA2000 is enacted legislation. It is entirely lawful for the authorities to send you down for a long time because you refuse to hand over your decryption keys.
This should not be the case. It is awful legislation. But it is the law. It protects us all from Terrrrrists, apparently.
> So, an encrypted file is basically the same thing, yet they can force decryption.
Yes, they can.
And the only way we're going to get out from the stranglehold that the last bunch of oppressors put us in is to get our elected representatives to repeal this law - or at least parts of it. A fragile coalition is a good target for pressure from the electorate...
Vic.
In reality he can't be convicted twice for the same offence, but he can be convicted for committing the same offence twice.
The most likely action is that the judge will him for the password and return him to jail for contempt until he relents.
Many journalists have been jailed for contempt for refusing to name sources but the courts always give up in the end.
Being convicted for not disclosing a password (or more accurately not helping investigators look at your stuff) is a major change in common law.
In my view this is a bad thing.
If they wanted to open a safe and wanted the combination they wouldn't have a leg to stand on. You can refuse without penalty.
In my jurisdiction you also have the problem that you have to prove you don't know a password. It's not enough that it's innocent until proven guilty. Now - in this scenario - you are guilty until proven innocent. You also can't use a defense of self-incrimination ( usable in common law )
Overall Big Brother wins. Your right to privacy loses, your right to innocent until proven guilty loses. Your right to avoid self-incrimination loses.
I speak this as someone who works as an officer of the court (expert witness) and who has current cases where this is an issue and will result in conviction or probably innocent parties.
From: Lancashire evening post: http://www.lep.co.uk/news/teen_locked_up_after_failing_to_give_police_computer_code_1_1811470
Teen locked up after failing to give police computer code
Published on Wed Oct 06 08:27:54 BST 2010
A teenager has been sentenced to 16 weeks in a young offender’s institution after withholding his computer password from police.
Oliver Drage, 19, told the jury at Preston Crown Court he had “forgotten” the password, when officers investigating another offence asked him to surrender it.
However, the jury found him guilty of failing to disclose the password when he was lawfully required to do so.
Drage’s computer was seized in May last year. But by December police still did not have access to it.
Janet Ironfield, defending, said it was not known whether the computer was subsequently sent off to an expert bureau for analysis or whether it had simply sat on a shelf throughout the seven month period.
She added: “This man lost a great deal by the fact the police came to arrest him.
“He lost his reputation in the community.”
She said Drage, formerly of Naze Lane, Freckleton, now of Westminster Road, Liverpool, had moved house to avoid bringing shame on his family and had lost his job.
Judge Heather Lloyd said: “This was a deliberate flouting of a court order compounded by your continual denial of guilt.”
-----------------------------------------------------
With these stories tech magazine only seem to get just some details, but not all.
So the two worrying things about this particular case....
First is that he tried the 'I have forgotten the password...' defense and the jury still found him guilty.
Second is that this was a jury case just to decide about whether he was guilty under the RIPA law. So a jury of his peers gave the RIPA law the thumbs up. According to some reports taking only 15 mins to think about it. This is the most worrying thing to me. Just because a government put's in a law I disagree with does not mean that I will support it by finding someone guilty of it when on a jury. To me even though he is guilty to the letter of this law, if the law this is stupid then he is not guilty.
Why do I not support this law, because in the way it is put together there is potential that it will put in prison people who are otherwise innocent (just because you don't give up a password does not mean 100%, you have another crime you are covering up). I will never support a law like this even if it means some guilty people get away.
With law's, you can make them so that they guarantee that all guilty people will go to jail, but to do so you have to sacrifice some innocent people into prison as well. To me, laws that are made should guarantee that no innocent person goes to prison even if it means that some guilty people escape as well. But I am sure other people think differently including this jury.
I also find it interesting that when looking for more news on this through Google news search, the amount of non English places reporting this. Another reason British people cannot hold their heads high in the world any more....
It quite likely was not. The law in this area is so incredibly vague, and so much wider than most people imagine, that it may have been nothing more than a photograph of a nude toddler playing on the beach. However due to the secrecy inherent in this legislation we just have to take the word of the people in the "justice" system. People who make a career out of using, or sometimes abusing, this law.
A law which is badly defined and almost invariably described as being much narrower that it actually is makes a travesty of justice.
Increasingly we can not trust the authorities when they describe someone as a paedophile because they were convicted of having child porongraphy. It is quite likely that it was not pornographic.
It is also likely that the convicted person assumed that legislation described as applying to pornography only applied to pornography. There is no way to distinguish between people who genuinely possessed child pornography and use the lack of clarity as a smokescreen to minimise their culpability and those convicted of posessing non-pornographic photrographs who genuinely thought that they were legal.
It is a complete mess and far too much of my time is wasted on trying to minimise the harm caused but legislatve failings that could easily be fixed.
If this guy or any other person is guilty of involvement in child pornography in any way whatsoever, I hope he rots in one of the world's more hellish jails. I understand the conundrum over freedom to keep at least some things private and away from the eyes of the law and the gummint, but I find it tough to draw lines when it comes to the kind of low-life that gets his or her sexual jollies from diddling with kiddies or seeing images of some other piece of crap doing it.
The powers-that-be think we're all potential terrorists and perverts anyway.
...But they ain't. I'm not sure you understand what the police here in the UK consider CP or 'indecent' imagery these days. How about a semi-nude seventeen year-old boy or girl posing 'provocatively'..? People have gone on to the Sex Offenders Register for less, courtesy of our wonderful coppers. Or how about fully-clothed twelve year-olds posing 'suggestively'..? Ditto.
We seem to be living in a very scary madhouse. Children - yes, even 17 year-old 'children' - are to be feared by adults everywhere. Do not go near. Do not speak to. NEVER, EVER TOUCH. If you transgress, you can look forward to the six o'clock knock, to being rudely awakened by the sound of the standard issue kicking in your door and your life - as you knew it - being ripped apart before your very eyes. Best of all, as far as the morality police are concerned, there will be NO rehabilitation, no coming back from this. You will be damned forever. Even if you are just 19 years old.
Perhaps this is what the government means by a 'terror alert'. Fear is a powerful weapon.
There aren't many crimes worse than kiddie porn, but sedition is one that is.
If we give up our country and our human rights, turn our country into a police state where police can wreck your life at will, we will have suffered much more damage than child porn can inflict.
Think of this as being like other laws. For example, if you are stopped by the police on suspicion of drink driving you can refuse to provide a sample for testing, but if you do you can (and usually will) be prosecuted for refusal to provide a sample.
Quite why they need something specific for this under RIPA I don't know, surely it's just like any other case of withholding evidence.
During the normal course of my duty as anti-paedo enforcement officer in West Tesco Town Shopping Centre, I spotted an suspicious-looking gentleman paying undue attention to a 4 year-old male child inside a Postman Pat van while fumbling his camera phone. I approached the said individual and demanded immediate access to his mobile phone. The "customer" did not collaborate and bleated something about having to attend a job interview and needing his mobile for urgent business calls. At that juncture I had no alternative but to terminate the customer's existence by deploying my newly issued instant-justice laser gun in silent mode. I have reassured all carers of children within 6 kilometre radius of said incident of the elimination of another potential criminal.
On a related note, I will complete my report on the feasibility of installing hidden anti-rape CCTV cameras in all public toilets.
Forgotten is the accused word against the police. If the accused was previously of good character, forgotten simply reduces guilt/innocence to a 50/50 bet. I good defence lawyer should be able to argue effectively that a probability of 0.5 is an awful lot of reasonable doubt........
Stating that you;'ve forgotten the password is not necessarily sufficient. This guy made exactly that claim in court, but the jury didn't believe it. Where it can be shown that you've previously had access to the password and it can be shown, beyond reasonable doubt, that you still know it, then you can be found guilty. As to what reasonable doubt is? Well, that's up to the jury to decide.
I believe a few people have missed something. RIPA doesn't actually require you to hand over the password, but it does require you to make the data available in unencrypted form. So it would be legal for you to enter the password for them rather than hand it over.
However ...
How about putting the password on the same drive, in plain view - but not marked as being a password. Or on a piece of paper in plain view but also not obviously a password.
Plod takes computer, asks for password, you tell them that you do not have the password and it is in their possession - but you give them no further information as to where in all the seized stuff (papers and computers) it is.
When asked, your answer is simply :
The password was not memorable and written down, it is probably in amongst materials you have seized. It is therefore no longer in my possession, and you (the Police) are in possession of all information you need to read the files.
If it was written on a piece of paper, then all you would be able to tell them would be "it was in the pile on my <insert description> shelf". Chances are, in their process of seizing paperwork, they won't be able to associate that description with any single large bag of paper now in their possession.
In my case, I could tell them "it was on my desk" - and I could be quite certain they wouldn't know which bit of paper it was even if I told them "immediately to the right of where I put my laptop".
But like others, I could also be in trouble because, like others, I'm in IT and I often make up temporary passwords - /dev/urandom is a good source. I may write it down, or put it in a text editor window that doesn't get saved. Once the job is done, there is no record of the password. If i miss a file when cleaning up, then I'm screwed.
In Very Long Baseline Interferometry we record digitised noise from the sky, (so it is really
random gaussian noise with embedded timestamps). At one stage these were recorded
to VHS videotapes and customs people had a hard time crediting that we were not up to
something funny. You could only use it when you correlate one set of tapes with another
set from another radio telescope.
Now we send it over the net
This post has been deleted by its author
someone here made a comment about data for national security being encrypted ...
RIPA specifically makes NO EXCEPTIONS for the purported nature of the data to be made available. It trumps doctor-patient privilege, client-solicitor privilege, and (for those that mentioned the catholic church) priest-penitent privilege.
The House of Lords last year confirmed this was the intention of the act, and not an accident that they could remedy. The cases were of a doctor who was forced to divulge patient information, and a barrister who was forced to divulge client information - both made under RIPA.
Wow, I have never seen so many people defend someone who was found downloading child porn..
While I do not subscribe to the idea that the state should control every aspect of our lives, I also dont subscribe to the idea that some pervert should be allowed to encrypt his illegal porn just to keep it from being used as evidence.
If I was to kill and chop up someone, cook them in a stir-fry and serve them up at my local chinease resturant.. Does that exclude me from being charged with murder?
You said "I have never seen so many people defend someone who was found downloading child porn"
if you read the article you would find that it says "he was arrested in May as part of an investigation into child sexual abuse images"
nowhere does it state that he was downloading images.
you have automatically assumed that he was downloading child porn and that the "encrypted file"* contains that porn.
* the file could just as easily be a corrupted file
I don't recall that he had been found to have downloaded anything - only that he was being investigated.
'Innocent until/unless proven guilty' should still be a fundamental aspect of justice.
When he is actually found guilty of making/downloading child porn or indeed any other criminal act then by all means attack him, but until then bear in mind that the only thing that he has actually been found guilty of is not disclosing a password.
He is guilty under RIPA - which is a UK law, but he is not, so far, guilty of anything else.
The obvious question is why he has not decrypted the file himself to prove his 'innocence' - hence a lot of the above discussion, but that does not make him a child molester, or indeed any other sort of criminal.
Unless not disclosing a password also makes him a murder, speeder, bank robber and mugger.
ttfn
The exact point is that he wasn't found downloading child porn, he was suspected of it, but essentially refused to cooperate in the investigation of himself. The police couldn't prove anything, so they prosecuted him for not cooperating instead. They had no solid proof of any wrongdoing, only a file they couldn't interpret.
So he isn't "some pervert" encrypting his "illegal porn". He's a member of the public, with no criminal record, who has an unidentified encrypted file on his pc! Do you honestly believe that should be an offense punishable by up to 2 years in prison?
Yes, it comes across as a little suspicious that he would rather go to goal than reveal the contents, but it still doesn't actually stand up as a legal argument *for* anything.
Does being under investigation mean he's guilty? As you already know (numbnuts), photographers are often "under investigation" for being a terrorist, does that make them terrorists?
I also see no evidence in TFA YFM (you foolish moron - substitute foolish for something more appropriate if you will) that he admitted owning the file, or any related evidence that the yobs had of him committing a crime.
So, in short, if I don't like you I can just put an encrypted file on your disk, drop a tip to the local Wanker of the Law office and you're fucked. Cool. Now, I have a cool file for you to download...
Look at it this way: An encrypted file with a last accessed timestamp a few hours prior to the PC being impounded and the password requested (and no evidence that the date is incorrect) would likely dissuade a jury from accepting a plea of "I forgot the password".
However a protected zipfile from 2 years ago (again with no evidence of date based shennanigans) would probably be accepted as forgotten.
Although it is legally plausible that a person can be jailed for refusing to provide a password and then on release from prison have the password re-requested and a new jail sentence passed only a rabid anti-establishment conspiracy theorist would actually believe that would happen.
I am not a fan of this legislation, not by a long straw, but some of the armagedon scenarios posted here are not worthy of anyone who has the intelligence to use a computer
Do what legal system insiders and lawyers do when cross examined -- forget what the answer is.
I don't remember, it was a long series of numbers on a scrap of paper on my desk.
They can't send you to jail for not remembering. They can send you to jail for refusing to answer.
But when questioned by police in a manner that indicates you are a suspect, ask for a lawyer. Nothing you say to police can prove you innocent, not even a rock solid alibi. Always ask for a lawyer. That is what police do.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
