British Teen Jailed Over Encryption Password 1155
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Re:right to not incriminate yourself? (Score:4, Informative)
You don't have the right to keep your safe locked if there's a warrant for it to be opened. You don't have a right to not provide your fingerprints or DNA if that evidence is appropriate to the case and a warrant is issued.
You have a right to refuse to testify. This only extends to your own testimony, not to everything about you.
Re:right to not incriminate yourself? (Score:5, Informative)
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
No. That right was removed about 10 years ago.
Now, if you refuse to answer questions during your arrest and questioning, the prosecution are allowed to use that silence as circumstantial evidence against you.
Re:right to not incriminate yourself? (Score:3, Informative)
You have the right to remain silent, unless they want something from you, in which case silence is an additional crime you've just committed in full and flagrant view of a police officer
Re:But it's hard to remember... (Score:5, Informative)
Never start with the head. It just makes the persons memory all fuzzy.
Re:What is he hiding? (Score:2, Informative)
RTFA - "Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation."
Re:right to not incriminate yourself? (Score:5, Informative)
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
Re:Just give them something? (Score:3, Informative)
TrueCrypt [truecrypt.org] has something where you can set up an encrypted virtual disk that you first put some files you don't care about on there with a password you wouldn't mind divulging. Then you make another virtual drive on that one that will store the files and a password you do care about. When asked for your password, you give the one you don't care about and it only shows files you don't care about. Plausible deniability.
Re:right to not incriminate yourself? (Score:2, Informative)
Correct me if wrong, but I believe this is only if you later choose to not be silent any more.
E.g. you are accused of murdering someone two hours' drive away. You refuse to make any statement. A witness is able to clearly identify your car having seen it a few blocks from the scene of crime. Having been told this you say that you were just driving around randomly to clear your mind. In this case they would be able to use your earlier silence against you and imply that you are now only making excuses.
Which I feel is certainly alright and in tune with commonly accepted notions of justice.
Re:50 char pass (Score:3, Informative)
If it is 50 all lowercase letters, that gives you about 5.6*10^70 possible combinations. If you have a supercomputer that can do for example 2.8bn combinations per second (fastest example on this page http://www.elcomsoft.com/distributed_password_recovery.html [elcomsoft.com]), then it would take 6*10^53 years to go through them all. In other words 50 characters is a pretty secure password.
Add uppercase, numbers and all the symbols on my keyboard to the mix, and you have 3.6*10^99 combinations. You can work out how much longer that would take, but it makes no difference, the world would come to an end long before you did it.
Re:I Agree With This Law (Score:5, Informative)
A.
...I don't see this a "self-incrimination" issue...
Your neighbor spits on your lawn.
This really pisses you off.
You make a detailed journal entry (which you keep encrypted) about how much you hate your neighbor and you want to shoot him.
Your neighbor gets shot.
You still want to show them your data?
B.
You arrive home and find your neighbor's wife's dog (who continually craps on your lawn) has been slaughtered and hung like a side of beef in your bathroom.
You call the cops even though you're an obvious suspect.
They ask you a few questions and want to examine some of your stuff, including your computer.
They find that your computer has been encrypted (not by you).
Will the law think it's likely that someone encrypted your computer, or will they think that you don't want to share the data?
Neither of these are even remotely likely, but that's what the law has to account for: the possible.
Re:right to not incriminate yourself? (Score:5, Informative)
Or more recently, Alberto "I do not recall" Gonzales.
Re:What is he hiding? (Score:3, Informative)
Re:Obligatory XKCD (Score:3, Informative)
Most likely, you clicked on the "Post Anonymously" checkbox in the left corner of the submit box.
Re:Just give them something? (Score:5, Informative)
Re:Different in the USA? (Score:5, Informative)
The fifth amendment doesn't seem to apply in the courts; to quote his honor, William K. Sessions, Chief District Court Judge in Vermont in United States vs. Boucher:
"Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive."
It also hasn't stopped judges from using the presence of encryption and unwillingness to give up the keys as evidence of misconduct [state.mn.us].
If anything, Britain has stronger protection of individual rights than we have here in the US -- the defendant in this case doesn't risk a dozen years in jail, disenfranchisement and being barred from many occupations for life, like he would over here. I'd take good old Ius Commune over our system.
Re:Miranda rights (Score:5, Informative)
No this law was written as an ego trip by Jack Straw to prove his power. Among other things it reverses the onus of proof thus taking it outside fundamental principles of British (and US) law. It also goes further an limits the means by which you can prove your innocence, prescribing a few (probably impossible) ways. It also deprives the defendant of the right to a jury trial and gags the defendant from talking about the charge with anyone but his lawyer (and gags the lawyer).
In effect a corrupt government official can send you an encrypted email then demand that you provide the key... As you never had it you can never prove your innocence, so they can lock you up for years after a secret trial.
Add to this another set of laws formed by a radical feminist basically assuming any image of a female that you can't prove is of someone over the age of consent (16) is an image of a child (this includes cached images that may be advertisments that you never intended to view).
So the cops can trawl your computer until they find something you can't prove is legal and lock you up. If you take the precaution of encrypting your PC they can lock you up for that too.
We have now removed these politicians from power however the damage has been done. There are murmurs from some of the politicians about repealing some of the very dangerous laws that were brought in, however they are unlikely to repeal any of the technology based ones. There will be no pressure, the journalists over here consider it a point of pride to not understand technology.
Re:What do they want? (Score:3, Informative)
Then I read the law and, shockingly enough, the Sexual Offences Act 2003 [hmso.gov.uk] changed the age of adult from 16 to 18.
Re:right to not incriminate yourself? (Score:3, Informative)
Pretty much sums it up, a standard UK police caution when detaining/arresting somebody.
Re:Also as a practical matter (Score:5, Informative)
Wasn't his password.
Re:50 char pass (Score:3, Informative)
Cryptographically speaking, each added character makes it an order of magnitude more difficult than the previous character.
For a keyspace attack, beating a 50 character password is exactly the same amount of complexity as the ENTIRE SUM of the previous 49 characters possible passwords, times the keyspace for that 50th character.
So no, it reduces the complexity by half, but we're still talking about a septillion years on a quadrillion supercomputers (and more passwords than there are atoms on earth, etc, etc).
Re:right to not incriminate yourself? (Score:3, Informative)
So you are faced with the rather novel situation where any motivated individual can successfully resist the state and your instinct is to label it rabid anti-establishmentism?
(and as others have pointed out, it is novel, doors can be broken, safes can be cracked, well used encryption is not so trivial to defeat)
Re:What is he hiding? (Score:4, Informative)
It's worse, given an over-zealous prosecutor. Search for the "little lupe child porn case". Poor dude had videos of an obvious, over-18 "pro" and even though a phone call and a fax would have produced the age custodial records, the prosecutor refused to cooperate and plowed head-on with trying to ruin the defendant. I hope there's a special hell for this woman (the prosecutor).
Re:right to not incriminate yourself? (Score:2, Informative)
The prosecution can and does use anything and everything they can against you. But.. giving information to the police or an investigating officer of the law is not the same as being in court and testifying and providing information in front of a jury and/or judge.
This was posted to /. in the past and worth watching.
http://video.google.com/videoplay?docid=-4097602514885833865# [google.com]
and something completely different...in the USA (Score:1, Informative)
If the authorities chose to arrest you, with or without good cause, they often put you in a pre-sentencing prison, then repeatedly "postpone" your trial for stupid reasons. I have seen MANY people who have been subject to this treatment in excess of two years (yes... in the USA). So, just to be clear:
1. you can be 100% innocent and remain imprisoned in the USA if they want you there
2. if you are politically connected or wealthy enough to afford an expensive laywer (even better if you ARE a lawyer) - no problem... get out of jail free card.
3. never, EVER, tell the police or anyone investigating you anything. There are thousands of laws all intended to prosecute you, and only one which affords you protection -- the right to remain silent. Every good defense lawyer will tell you this.
Finally, if you actually believe America is free, then you are:
1. a lawyer, or politician
2. stupid
3. insane
At least in China they tell you the truth -- USA, not so much.
Re:But it's hard to remember... (Score:3, Informative)
You mean cryptology, but we'll go over that when we get you downtown.
Re:What is he hiding? (Score:2, Informative)
Yeah, it would. Or it would under the definition of most governments, anyway.
Re:What is he hiding? (Score:1, Informative)
I think you had a typo.
You were trying to write HIGHER crime rate than the US right?
http://www.nationmaster.com/graph/cri_tot_cri_percap-crime-total-crimes-per-capita [nationmaster.com]
Before you complain about the weak nationmaster source you can go to the original sources but honestly I don't care enough to look those up.
So your choices are:
a) accept you are wrong
b) refused to accept you are wrong and try to prove it only to discover you are wrong and the original sources confirm it
c) live in denial.
Re:What is he hiding? (Score:5, Informative)
http://en.wikipedia.org/wiki/Mike_diana [wikipedia.org]
I remember reading about this in some underground zines almost 15 years ago. Dude got railroaded for drawing adult comics that depicted child abuse. Alot of which Mike himself lived, and he used the drawing as therapy. He was sentenced to real live prison, and wasn't allowed to draw.
They essentially took away his right to draw with a pen and paper for drawing things with pen and paper.
Trucrypt (Score:4, Informative)
The very best drive encryption out there (IMCO) is Tru-Crypt and is both open source and free.
For the truly security crazed, you can set up a hidden operating system that you use for only your most secure stuff and use a DIFFERENT but valid password to get at it. Use your regular password for day to day stuff and only log in with the really secure one to get into the alternate OS.
The whole purpose of that is so if someone has a gun to your head (or a court order, or a $5 pipe wrench) you can give them your perfectly valid password and they can access all your perfectly normal files --and never even know the alternate data is there (it can be hidden across thousands of normal looking data and executable files in the normal OS).
Seriously cool stuff.
In security, there are only two levels of paranoia. Absolute, and insufficient.
Re:What is he hiding? (Score:4, Informative)
Re:I Agree With This Law (Score:3, Informative)
Post your address so I can mail you a USB drive with random data on it.
Then a phone call to your local Police dept will be very interesting.
I see no legitimate reason why you would refuse to provide your local police the password to your USB drive full of kiddie porn.
So just provide the password or go to jail.
Starting to see the problem?
There is no way to prove that you honestly DON'T know the password or even that the random data ISN'T an encrypted disk of kidde porn.
When the govt simply has to point to random data and claim you are a criminal and all the burden is on you to prove that you aren't well you can be put in jail to any reason at anytime.
Likely there is some random data on your hard drive right now (in the "blank" space). Prove it isn't an encrypted kidde porn pic.
Re:What is he hiding? (Score:2, Informative)
and
Participating in our own searches and seizures? (Score:4, Informative)
Re:Participating in our own searches and seizures? (Score:1, Informative)
This isn't the US where there is still a remnant of liberty, the Bill of Rights. England never had this. There, there is no such thing as citizens in the UK; they are still known as subjects.
Re:Miranda rights (Score:3, Informative)
I have a copy of the Australian constitution. It is full of paragraphs which read like The Queen may decide to create a house of representatives, and may decide to take advice from such a body... and so on. Nowhere does it say what the Queen must do. Thats how it will be until we vote for a republic and write A proper constitution.
Comment removed (Score:4, Informative)
Re:The Joe Arpaio Cure For Short-Term Memory Loss (Score:3, Informative)
so if what you have encrypted is worth more than that, keep your mouth shut and do your time
The contempt citation means you remain in the lock-up until hell freezes over or a judge sets you free, whichever comes first. I believe the record in a divorce case is 14 years.
Re:right to not incriminate yourself? (Score:1, Informative)
Don't you have the right to remain silent, so as to not incriminate yourself? We have it here in the US.
No. That right was removed about 10 years ago.
Now, if you refuse to answer questions during your arrest and questioning, the prosecution are allowed to use that silence as circumstantial evidence against you.
Pre-arrest silence can be used against you.
Post-arrest silence can not be used against you.
You must invoke the right to remain silent in order for Miranda protections to apply.
Your invocation must be clear and unequivocal.
Choosing to be silent cannot be used against you after your arrest. And, if a prosecutor brings it up in trial, it's grounds for a mistrial.
Source: Employee of the State Appellate Defender's Office.
Re:Different in the USA? (Score:3, Informative)
You are all forgetting the fundamentals.
In britain there is no presumption of innocence. There is no "Right To Be Presumed Innocent Until Proven Guilty". That thing IS NOT on the British statute book. It is IMO the most basic of all human rights and a country that does not have it cannot claim to have human rights at all because not having this cornerstone allows it to suspend any other right at any given time with or without reason.
Interestingly enough it is part of conventions which Britain has signed like the European convention on human rights. However the Labour government that signed them specifically opted out of these clauses. It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
Thankfully, someone pointed this to Cameron and Co in the run up to the elections as the Conservatives initially wanted to revoke Britain's signature under the convention altogether. So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act. Unfortunately, that fix has not been forthcoming as fast as it should. It was promissed for mid-summer before the parliament goes in recess. However it looks like it was what all politician promisses are... Talk the talk, but cannot walk the walk.
Re:right to not incriminate yourself? (Score:3, Informative)
The caution now runs thus:
“You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence.”
which is to say, the prosecution is permitted to sneeer and imply that you've found an alibi after the fact; the judge won't censure them for it, and will not instruct jurors to ignore those comments.
Re:But it's hard to remember... (Score:1, Informative)
At the end of the 16 weeks, they will formally ask him again and then charge him with the same crime. The RIPA allows for perpetual recharging, no "cant be charged twice for the same crime" or "right not to incriminate yourself" laws in the UK.
Re:Yes, different in the USA (Score:5, Informative)
linky [findlaw.com]
linky [openjurist.org]
linky [resource.org]
While not specific to the case of searches inside borders based on these laws you may find this [syr.edu] link enlightening, it's what our congresscritters are reading about these things.
Warrentless stops and searches inside our borders are being done and it needs to stop.
Re:right to not incriminate yourself? (Score:3, Informative)
Completely Utterly Wrong. (Score:5, Informative)
In britain there is no presumption of innocence.
Of course there is. The presumption of innocence in English and Scots law comes from common law. The concept itself has been part of British society for thousands of years - Alexander Volokh [bepress.com] says that it has been present since Greece and Sparta and Rome, all the way back to the first (Judaic?) legal systems.
Common law is the basis of the British legal system. Your logic is like claiming that "there is no law against murder in Britain" and then going on to claim that this means murder is legal. English Law - "there is no statute making murder illegal. It is a common law crime - so although there is no written Act of Parliament making murder illegal, it is illegal by virtue of the constitutional authority of the courts and their previous decisions." [wikipedia.org]
It after that went on and voted into the statute book several hundred criminal offences which explicitly postulate that you are guilty until proven innocent. The RIPA act, The H&S act, you name them. Half of Blair's legislation (Blair and Co raised the number of criminal offences on the statutes by more than 100% in 10 years) is based around "guilty until proven innocent".
[citationneeded]. Please name these "hundreds of acts that explicitly say British people are guilty until proven innocent.". And are you seriously blaming the Blair government (which came to power in 1997) for the 1974 Health and Safety Act?!? What?!
So the new government has actually promissed to fix this by accepting _ALL_ rights in the convention and repealing most of Blair's handywork as a big block vote including most of the RIPA act.
Right, that would be the same Conservative party that fully supported the RIP Act then? ('Only a pitiful handful of MPs (pictured below) were present to debate the bill, which was fully supported by the "opposition" Conservative party, and passed by 189 votes to 47 keeping the majority of its original clauses intact.' [infowars.net])
Re:Just Awesome (Score:2, Informative)
No, over here, we'd hit him with a spanner [wikipedia.org].
Re:Also as a practical matter (Score:2, Informative)
It's also the first case I've noticed where it's been used.
If The Daily Mail [dailymail.co.uk] has done their research correctly (hahahahaha), it's the fourth time a prosecution has resulted in a conviction under this law (see final paragraphs)
"In 2008 the then Labour Home Secretary Jacqui Smith told the House of Commons the legal provisions for withholding passwords and encryption keys to hard drives came into force on 1 October 2007 and eight notices have been served on PC users - four of which had resulted in prosecutions all relating to terrorism activity.
Last year the first person jailed for not giving police access to encrypted material, was a 33-year old businessman known only as JFL.
He was not judged to be a threat to national security, and the encrypted material in question was not suspected of securing illegal material.
The man who ran a software company in London told a judge he was refusing to disclose the code on principle, on the basis that he should have a right to silence but was jailed for 13 months for refusing to hand over his decryption keys."
Re:Also as a practical matter (Score:5, Informative)
"See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned."
This isn't really true. The police have to have reasonable grounds to believe you have the information to be able to issue a notice- this may for example be as simple as getting computer forensicists to provide evidence that the encrypted content has been accessed recently, and that it's unlikely anyone else had access to it- if the file was for example, stored in a private documents folder specific to the user in question. See the relevant legislation, under 49.2 here which clearly states that someone pushing for a disclosure notice must have reasonable grounds to believe that person has it (part a) of 49.2):
http://www.legislation.gov.uk/ukpga/2000/23/part/III/crossheading/power-to-require-disclosure [legislation.gov.uk]
It's also worth pointing out to date, that those convicted of failing to adhere to a section 49 notice have all actively refused to hand the key over, rather than claiming they have forgotten it. Of those that have claimed they're not in possession of the key, to date the case has either not been pursued, or the person in question has been charged/convicted for other crimes. This is a common story when it comes to computer crimes- many supposed attempts to prosecute based on new laws, or new twists on old laws don't actually succeed- look at the failure to succesfully prosecute the Oink admin, look at the fact that to date, file sharing cases in the UK haven't succeded in UK courts (although one supposedly won by default due to defendant not showing according to ACS:Law, there is no evidence that this is even true). Ultimately the police have to depend on either scaring people into accepting fault- i.e. if they say they've forgotten the password, reminding them that if they are found to be lying it could lead to an increase in their sentence, or depend on the person being stupid enough to incriminate themselves, or alternatively, for them to simply get caught for other crimes. The police mostly rely on ensuring people are confused about what the law actually says in the hope of making them waver and admit guilt or at least incriminate themselves- by touting convictions like the one in TFA as evidence of how you should always hand your key over without a fight, or without playing innocent they strengthen that idea amongst the public as to that's how it works. It's worth noting that in the words of RIPA itself if you can either demonstrate somehow that the police do not have reasonable grounds to require access to encrypted content (perhaps by use of a witness who would testify that the contents of that file were personal, or trade secrets maybe?), or if you can argue succesfully that giving access to the content is disproportionate to the crime with which they're attempting to charge you with, then you can also escape RIPA's clutch.
In these respects, RIPA is quite similar to a search warrant- the police can only get one if they have reasonable evidence to suggest they have a need to enter the premises, and if it's proportionate to the crime they're investigating. The actual text of the legislation also seems to suggest that providing the content in an unencrypted form is an alternative to producing the key under the RIPA also.
"However if you look in to it you discover that while there's little case law, indeed it HAS been ruled that that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction."
This is true, but it's also true that much like with RIPA, a defendant can be compelled by a court to provide access to encrypted content if not provide access to the key itself, in this respect US case precedence is basically similar
Re:Also as a practical matter (Score:4, Informative)
While it seems to have fallen out of fashion, it should be pointed out that one of Teddy Roosevelt's kids (Teddy Jr.) fought in both World Wars, and one of FDr's sons was a Marine in WW2.
In both cases, the sons in question were in places where the bullets were flying. In one case, the son shouldn't have been there at all, since his health was questionable enough he should have had a medical discharge long before he got around to a heart attack in the field.
Re:Also as a practical matter (Score:3, Informative)
No, re-read my post and have a look at the relevant legislation I linked. As I pointed out it's quite clear that the police have to have a good reason to believe you have the key in the first place. If they issue a notice without having enough evidence to demonstrate they had a reasonable belief that you have ownership of the key, then they would have not correctly followed procedure, and if you stood your ground you'd almost certainly get away with it on a technicality when it got to court in that the order was issued innapropriately in the first place. The point is they can't just demand the key without any real solid demonstrable basis for demanding it.
My analogy to search warrants holds quite well in this respect too- the police can't just raid a house without a warrant, and they can't get a warrant without having enough evidence to justify it. If they faked a warrant or lied to the courts to get one under false pretenses or whatever and searched based on that then their case would similarly fall apart in court.
We don't have enough information available on the relevant cases, but I would be willing to bet that this is why so many of the section 49 notices issued so far have not been pursued or have failed when the person refused to hand over the keys- because the police know full well that they didn't have valid grounds to issue the notice in the first place and were just hoping the people in question would just agree to hand them over. Of the initial 15 notices issued (which covers the first year of the relevant portion of the act being enforced), 11 refused to comply, 7 were charged and only 2 were ever convicted for refusing to comply, also of those 7 charged, we can't even be sure if they were charged under RIPA, and not something else because the information released by the previous government is so vague. This suggests that they're not going as well as the police like to claim, and it's why when one does succeed, as in this case, they make a big fuss over it to try and push the idea that it's a tool they can use largely without challenge as people like yourself believe, such that more people simply just hand them over when they don't actually have to because the notice wasn't legitimately issued in the first place. Another rather disgusting problem with the act is that part of the act makes a provision such that anyone issued with a section 49 notice may not be allowed to talk about it, which is why we haven't heard much about those cases that failed, or the cases where charges were never even filed against people refusing to adhere to the notice.
To date, a much larger percentage of people issued a section 49 notice have avoided handing over their keys, than have been convicted for not doing so, and this is quite telling. I'll also reiterate the point that those where the case has succeded to date, have always admitted having the key but refused to hand it over, rather than denying they have the key in the first place. Also, based on the most recent figures, the number of people convicted is still half the number of people issued a notice, who refused to comply, but who the police then backed down from pursuing under RIPA once they refused to comply.
Personally, I think this is just another good reason why the act should be abolished though- it clearly seems to be being used innappropriately as a tool to strong arm people whether guilty or not, and whether the police had valid grounds to issue a notice in the first place or not.