British Teen Jailed Over Encryption Password 1155
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Re:What is he hiding? (Score:5, Insightful)
Bleh (Score:5, Insightful)
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Well, I guess that makes it okay, then. After all, we can't allow people accused of child sexual exploitation to be free, can we?
On a more serious note, this sucks.
Det Sgt Neil Fowler, of Lancashire police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime.
"It sends a robust message out to those intent on trying to mask their online criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence."
I guess insisting on your privacy is taboo now. Even if you're a good kid, if you refuse to let the police into your private files just on principle, you're boned.
Re:right to not incriminate yourself? (Score:5, Insightful)
Actually, everyone has it everywhere. What varies from place to place is whether the government recognizes the right and refrains from violating it. This is true of all human rights.
perspective (Score:1, Insightful)
Considering what he's charged with if they can't prove their case without what's on his computer and if they can't get past his crypto he'll have gotten off light.
Re:What do they want? (Score:4, Insightful)
I can see how it's easy to miss, as it is the first sentence in TFA:
Re:right to not incriminate yourself? (Score:5, Insightful)
They can cut the safe open, you can say you forgot the combination. Forgetting is legally great, Reagen forgot iran-contra and look how that turnout for him.
Re:Only 16 weeks? (Score:5, Insightful)
Which is why you never refuse. You simply forget it. It is not illegal to forget something 50 chars long, it could easily happen.
Re:Only 16 weeks? (Score:1, Insightful)
Is this the whole 5th amendment thing?
"nor shall be compelled in any criminal case to be a witness against himself"
If my laptop is full of trade secrets, and kitty porn, I'm not going to tell you my password... Because it would incriminate me.
Shaved Cat porn is HAWT!
(Ironically, my pass-phrase was decrypt for this message!)
Re:But it's hard to remember... (Score:1, Insightful)
downloaded music? games? movies? software? (Score:4, Insightful)
downloaded music? games? movies? software?
16 weeks is better than (Score:4, Insightful)
Different in the USA? (Score:2, Insightful)
Pfft, Britan. Glad my ancestors were smart enough to split that dive and setup someplace safe for me to live....
What makes you think it would be any different in the USA?
Computer crime + Contempt of court = jail until hand over the password.
Re:perspective (Score:3, Insightful)
They haven't tried him on their other evidence.
When they do, they'll use his refusal to give up his password as evidence, added to whatever else they have.
He can get years anyway. But he may know he has hundreds of files on that computer and that each one can be counted as a single crime, so years in lieu of centuries may be his best defense.
Of course, if he's guilty, I don't much care what they do to him.
Re:right to not incriminate yourself? (Score:5, Insightful)
Re:But it's hard to remember... (Score:4, Insightful)
Or, he really does care about his rights and truly believes that he should not be compelled to divulge this password. You're probably right, but it is possible.
Can't photograph policemen on duty... (Score:5, Insightful)
Of course, the UK is not unique in much of this. But what makes these examples so sad for me is how the UK was the foundation for much of what one might consider Western freedom. It fought the good fight against totalitarianism (let's not Godwin this). I don't think those who struggled back then would consider all this to be what they were struggling *for*.
Will this constant erosion of freedom ever stop?
Re:16 weeks is better than (Score:1, Insightful)
Child sex offences by an adult tend to be frowned upon in the UK. The 16 week sentence is likely to be a lot less than the multi-year sentence that he would have gotten if they had had access to the data.
Additionally, remember that any crimes the police come across during the investigation can also be charged, so he might be covering up for something else entirely. (drug ring, gambling, counterfeiting, etc)
Re:right to not incriminate yourself? (Score:3, Insightful)
You have the right to not provide the combination, which would result in them getting a safe cracking team in and adding that onto your legal fee's should you lose your case. You have the right to not provide your passwords, which will result in them getting a crypto team in to crack the password and adding THAT to your legal fee's WHEN you lose your case.
Yes, different in the USA (Score:4, Insightful)
Re:perspective (Score:4, Insightful)
Re:right to not incriminate yourself? (Score:5, Insightful)
So only rich people have privacy?
Seems like that could be improved, why not just make being poor a crime?
Re:Different in the USA? (Score:5, Insightful)
I think you're forgetting the commerce clause. Specifically the part that says "LALALALALA I CAN'T HEAR YOU!".
Re:Just Awesome (Score:3, Insightful)
Not only that, but is that XKCD reference implying that British police are beating the teen with a wrench to get his encryption password?!? Geez, I know we waterboard suspected terrorists and sympathizers, but hopefully it will be a few months before we start torture for computer access. At least reserve that shit for evil, job killing bittorrent files.
(/s)
Re:Only 16 weeks? (Score:3, Insightful)
"Which is why you never refuse. You simply forget it."
This is why we need destructive encryption. Enter the wrong passphrase, and the data is locked (and preferably damaged or wiped).
Re:Just give them something? (Score:4, Insightful)
Anyone who enters a password to decrypt a disk they haven't already imaged belongs on a prime time cop tv show.
Also as a practical matter (Score:5, Insightful)
Even if a judge ruled that wasn't you testifying against yourself, you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
See this doesn't work in Britain because they made it a crime not to provide the password period. If you fail to provide it, regardless of the reason, that's illegal. It was a specific law made for passwords. So can't remember? You are boned. The US has no such similar law. Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
However if you look in to it you discover that while there's little case law, indeed it HAS been ruled that that the 5th prevents you from having to give up a password. As such that will probably stay, in general courts abide by the rulings of other courts of competent jurisdiction.
Re:I Agree With This Law (Score:5, Insightful)
How do you know the encrypted data is related to the case?
How do you know the encrypted data is not something that is, at least to the 19 year old suspect, even worse?
What if he's secretly gay, his entire family are raging homophobes, and he KNOWS beyond the shadow of doubt that revealing his encryption password will get him disowned?
If this was you, would YOU reveal the password?
Re:Just Awesome (Score:3, Insightful)
Re:Also as a practical matter (Score:1, Insightful)
>Thus the only way they could get you is if you said you knew the password, but refused to give it up, and it was ruled that wasn't protected under the 5th.
Not quite the same thing, but Terry Childs found out that this isn't really a winning strategy. IIRC, Childs got four years.
Re:right to not incriminate yourself? (Score:2, Insightful)
So... what would it cost to break, say a 4096 bit RSA key? Oh, they can bill my grandkid's estate.
Re:Also as a practical matter (Score:5, Insightful)
Not quite the same thing, but Terry Childs found out that this isn't really a winning strategy. IIRC, Childs got four years.
Not quite the same? Try completely different, it wasn't a password to decrypt his information and there was no fifth amendment issue. Irrelevant example.
Re:Different in the USA? (Score:2, Insightful)
"Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive." is proof that some Judges are absolute $%^&! morons.
Calling that $%^&! "his honor" makes me want to throw up.
As for "using the presence of encryption and unwillingness to give up the keys as evidence of misconduct", any decent attorney would immediately argue that the State itself, inlcuding the court, must be guilty, as it "uses encryption and refuses to give up the keys."
Re:What is he hiding? (Score:5, Insightful)
You know it's bad when you need to post as AC just to even speak such 'blasphemy'. The additional effect that has happened is anyone defending an accused 'pedophile', for any reason, is assumed to be a pedophile themselves and attacked accordingly. We may actually be watching the end of the age of reason.
Re:Different in the USA? (Score:5, Insightful)
The reason the courts see it this way is because of the distinction the legal system places on written vs oral evidence. Oral evidence is obvious; the person giving it may or may not be telling the truth. Written evidence however has a more privileged status. Once you've written something down, you can't "take it back". It's out there as physical evidence and can be used against you. This is why even the most gung ho characters will back up if you ask them to put things in writing. The written word is powerful rope with which to hang yourself.
As far as most judges and lawyers are concerned, data on computers is simply another form of the written word, and so anything you've "written" there--encrypted or not--is legitimate evidence waiting to be used against you. In some sense they are in fact right. Personally, I view computer data by its very nature to be more abstract and far more transitory than the traditional written word, and so worthy of less... distinction as evidence in a court. But that said, it is a (quasi-)permanent record of events and that's what courts are interested in.
Bottom line, the old rules still apply. If you don't want to reveal something, never, ever write it down. Encrypting it on your computer is just not good enough. If you don't want people reading it and aren't willing to take a risk, then you either need to delete the data or better yet not write it down in the first place. All that said, encryption is preferable to just leaving your papers lying around, but don't expect encryption alone to magically make your written words disappear.
Re:What is he hiding? (Score:2, Insightful)
Lower crime rate than the US?
Re:Different in the USA? (Score:5, Insightful)
Eh. The Boucher case is a special one, because the idiot was stupid enough to first show his child-porn collection to a law enforcement officer, and then - after the computer was rebooted - refused to provide the password. Initially the state ruled that he couldn't be forced to divulge the password, and in most cases this would hold; however, due to the fact that the presence of child porn on his computer had already been verified, the appeals court ruled that he isn't protected under the 5th. The problem here is that their definition of "already verified" is too loose, because it depends solely on the testimony of the arresting officer(s). Now, if the cops had had the common sense to take a few pictures of the laptop screen, then there would be no issue at all. As it is, if he appeals I'd say he has a pretty good chance of having the decision overturned.
As for the second case, you're talking about a guy who was convicted based on multiple lines of evidence, and is now bitching because the state lawyer happened to mention that "encryption programs" were present on the computer. That's asinine.
If anything, Britain has stronger protection of individual rights than we have here in the US
Thanks for the lulz :)
Re:How did they find the length of the passphrase? (Score:3, Insightful)
I'm guessing bragging, which is why they're giving him the full tar and feathering. It doesn't really get better than your name, picture and location in the paper saying you were arrested by police "tackling child sexual exploitation" so that absolutely everybody gets the message what the police think is on that computer. Could you possibly be any more publicly brandished without any actual conviction to that fact?
Re:How do they know it's encrypted? (Score:3, Insightful)
So having encryption software installed is now evidence of guilt?
You are one sick person.
Re:Also as a practical matter (Score:2, Insightful)
That's funny. Here in America, Congress made it a crime for the executive branch to not keep copies of every single e-mail in or out of their systems. And yet, when the Bush Administration couldn't pony up those emails due to "technical problems", no one got boned.
Re:Different in the USA? (Score:3, Insightful)
No, it hadn't. By the officer's own statement, he witnessed something that might be child porn, which is not the same thing [telegram.com].
The onus should not be on the accused to prove his innocence by showing that it isn't child porn, it should be up to the prosecutor to establish his guilt without forcing the accused to incriminating himnself. Or at least that was the case back when the fifth amendment still had balls.
As for the other case, the question isn't about the guy's guilt, but whether the mere presence of encryption software should be allowed as corroborating evidence against an accused.
Re:indeed it is (Score:4, Insightful)
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
Erm, maybe not so much Doc, if that collection of Bugs Bunny cartoons on your hard drive, some of which featuring Bugs in "drag", are declared to be "kiddy porn" at some point in the near future.
Th-th-th-that's all, folks!
Strat
Re:How did they find the length of the passphrase? (Score:4, Insightful)
"Your Honor (or however they say it on that side of the pond), how can I possibly remember a 50 character long passphrase while under all this stress of unfounded charges?"
Re:right to not incriminate yourself? (Score:3, Insightful)
But I don't think it's a problem that the state can, with good reason, compel you to decrypt it.
And who gets to decide if the reason is good? The police?
Re:Yes, different in the USA (Score:4, Insightful)
The really sad part is that I've heard people say Muslims shouldn't have constitutional rights ("they are the enemy"), even if they were natural-born Americans.
Stupid, stupid bastards.
That's exactly what the Germans did - redefine jewish-German citizens as "not german" and therefore executable whenever the government felt like it. And then the US did it in 1942 by defining japanese-Americans as "not american" and locked up 0.2 million of them. Why are we repeating the same mistake in 2010?
Comment removed (Score:5, Insightful)
Re:investigating what? (Score:3, Insightful)
Yeah, why waste the time on pesky stuff like search warrants? If you have nothing to hide, you won't mind the police searching you house anytime they want, right? Make police work much easier, that's good, right?
Re:Also as a practical matter (Score:2, Insightful)
Well, "I don't recall" served Ronald Reagan very well when he was accused of selling arms to terrorists, which was about as credible as this young Brit forgetting the password he used yesterday.
Either way, how did a law saying you have to turn over information that is stored inside your fucking head ever get passed in Britain, anyway? Last time I checked you guys have elections, so which elected officials thought this was something worth voting for and why are their heads still attached to their necks? It sounds like the voters must be as "low-information" as the voters here in the US to let something like that get through.
And why the hell haven't you thrown out the stupid queen yet, while we're at it? Are you really OK with having royalty? I mean, isn't that a little bit creepy that a bunch of inbred morons get to live high on the public dole just because they happen to be related to an earlier inbred moron? If you want to be taken seriously, it might be time to set aside all that aristocracy and "House of Lords" stuff. I'd say it's "so last-century" but really it was "so last century" last century.
Re:Also as a practical matter (Score:2, Insightful)
> Is "I don't recall" credible if the police have reason to think you've
> been using it day-in day-out, as I do, for example, on my porn drive?
I don't see why not. There are a couple of passwords I use almost everyday myself that I know by muscle memory, not by the actual string. I can type them in under a second. But if you were to ask me what they are, I could 100% honestly tell you that I do not recall. I'd have to stop, think for a minute, look at my keyboard, and trace the path of my fingers.
Likewise, if I use a different keyboard I also mistype them a couple of times before I slow down and get it right.
Re:Also as a practical matter (Score:5, Insightful)
If you want to be taken seriously, it might be time to set aside all that aristocracy and "House of Lords" stuff. I'd say it's "so last-century" but really it was "so last century" last century.
Easy, tiger. Someone might point out that generations of politicians are quite common in the US. In fact, the Kennedys were about as close to royalty as you could get without actually wearing a crown.
Re:Only 16 weeks? (Score:2, Insightful)
defending yourself becomes a crime (Score:1, Insightful)
Imagine that you have some photos and videos of yourself and your girlfriend/boyfriend(Both over 18! Or 21... or whatever your stupid countrie counts as "not be able to have sex whitout beeing rapped")
And now some nice gentleman come around to have a look at them... no, not this files specific just your WHOLE FUCKING HARDDISK.
But because you are a cautious and dont want other people to see your girlfriend/boyfriend and yourself you encrypted all files. Not to forget all the other secrets... like your diary, your love emails (That you sended and recived encrypted as well)...
Your computer (memory) can become a vital part of your most private life... yet you have no right to protect it... no it is even worse... Protecting it even became a CRIME!
If you copy some stupid music files you can be sentenced to financial death, but if they are after your files... maybe your most private information... defending this by passive messures becomes A FUCKING CRIME!
The Joe Arpaio Cure For Short-Term Memory Loss (Score:3, Insightful)
you could still protect yourself if you simply said "I don't recall that password." You may notice that not being able to recall is used a lot when under oath. The reason is that there really isn't any way to challenge it. We forget shit all the time (hell everyone seems to forget their passwords if my job is any indication). You can't prove someone hasn't. So they say "What is the password and the 5th amendment doesn't protect you," you say "Sorry, I can't recall that password."
You can say it.
But a judge isn't obliged to believe it.
In the real world, "plausible deniability" translates to six months in pink undies, tenting out in the desert sun with a bunk mate named Big Mike --- with no end in sight.
Re:The Joe Arpaio Cure For Short-Term Memory Loss (Score:3, Insightful)
Re:Different in the USA? (Score:2, Insightful)
IAAL and I would say that many (not just "some") judges are f***ing morons.
Example:
Client gets a restraining order put against him several years ago, moves on with his life. 3 years later he wants to move in with GF who lives with the protected person (with me so far?). He remembers that there was once a restraining order, but can't remember how long it was in effect for. So, being the reasonable person he is, calls the court and asks if there is a restraining order. Clerk tells him "I can't find it in the system. That means it has either expired or was never entered in correctly."
He thinks, "Great!" and moves in thinking restraining order is a non-issue. Lives there for 1.5 years and all of a sudden gets charged with violating the restraining order. Turns out clerk was wrong.
So, we want to present his testimony that he'd made this call. Judge says that the evidence is "not relevant". Needless to say we lose. Just got done with the appeal and the second judge has also said the evidence is not relevant.
Judges suck balls.
Re:Yes, different in the USA (Score:5, Insightful)
After that, it says, "The government is assuming extraordinary powers to stop and search individuals within this zone," but it cites none of these "extraordinary powers", nor does it cite a single case of abuse of these powers, nor does it explicitly say that any of them are actually unconstitutional. Instead, they resort to shady wording and scare tactics by labeling that 100 mile border/coastal region as a "Constitution Free Zone" on the basis of these uncited and unsubstantiated powers. And their "Fact Sheet" is no better, resorting purely to unsubstantiated claims of wrongdoing which even they admit are being upheld in court.
If this is true, why didn't they cite a single law, a single case, or a single ruling? Not even one. The whole thing reads like a conspiracy theorist paper, except at least the conspiracy nuts can cite examples of these things actually happening. Apparently the ACLU is still working on that.
Re:Also as a practical matter (Score:2, Insightful)
Um, yes, lots of people got boned.
I'm sure there were lots of bushites that went out and boned hookers at the time, in the middle of the boning saying things like "Take that American public. And that, Congress. And here's something for the Senate." [and yes, I've heard that Republican's do frequent hookers, even though they are pro-marriage, pro-fidelity, anti-cheating, and abstain from sex before marriage].
And of course, the American people collectively took it up the ass during the 8 years he was there.
But then again, they asked for it.
Re:Only 16 weeks? (Score:3, Insightful)
Geek solutions to legal problems don't work.
A court would find that you set up this scenario specificially so you could escape the issue, and jail you anyways. There is only one thing that judges like less than guilty people and that is guilty people who try to play with them.
Re:Different in the USA? (Score:3, Insightful)
"May contain" isn't the same as "did contain", and I'd hate to see anyone convicted of a crime he or she "might" have done.
They can still get you on circumstantial evidence if it is compelling enough. They don't necessarily need to see the pictures. It would make their job easier.
WRT law, passwords are a key to a locked chest, not some kind of self-incriminating revelation (like admitting you were at so-and-so's the night they died). They already know you have the password, so the self incrimination angle no longer works. A judge issues a warrant for the contents of the locked chest, and you must comply or be held in contempt of court. It is not a 5th amendment issue. Just because the key is something in your memory instead of a physical object does not mean you do not have to comply. You must still allow the police access to that which they have obtained a warrant to search.
Still, depending on what is actually on your hard drive, it may be better to take the contempt of court and whatever lesser crime you end up being convicted of (assuming they didn't have enough circumstantial evidence to convict you, that is). For example, if you're a traitor, and there is damning evidence on your encrypted hard drive, then keep your damn mouth shut! That shit carries the death penalty in states that still have it. I'd gladly take 20 years over that any day. Of course, I'd never be a traitor either anyway, but you get the idea.
Re:Trucrypt (Score:3, Insightful)
"I don't have a hidden volume."
"Ah, now you're not being helpful again. This won't look good."
Plausible deniability, in this case, isn't enough. You'd need proof you didn't have a hidden volume, or you'd spend your life in contempt of court. I know it sucks, but that's how it's worded.
Re:Different in the USA? (Score:4, Insightful)
I believe you will find it in the Magna Carta (MC.29 on http://alexpeak.com/twr/mc/ [alexpeak.com]) for an early variation on the concept.
"No freeman shall be taken captive or imprisoned, or deprived of his lands, or outlawed, or exiled, or in any way destroyed, nor will we go with force against him nor send forces against him, except by the lawful judgment of his peers or by the law of the land."
While this was originally intended for the nobles, since the emancipation of the masses, I believe it applies to everybody. However, there may be more recent statues that supersede it, such as European Convention on Human Rights.
Re:Different in the USA? (Score:5, Insightful)
These two statements are not the same and your entire argument in this thread relies on them meaning the same thing. In a legal system with formally defined rights they would be the same (ie the US legal system). But in a system of common law there can be principles that are not formally stated.
In the case of this principle [wikipedia.org], it has been widely stated and incorporated into rulings in the British justice system. As such it forms a part of British law, regardless of whether or not we have a document that "grants" this "right" to people.
Re:right to not incriminate yourself? (Score:4, Insightful)
ok sir, here is your keyboard, a copy of your hard drive and a mouse.
please 'play' your password at the prompt.
great way to generate a secure password, but I don't think it gets you around the requirement to give up your password when required to do so.
Re:Only 16 weeks? (Score:1, Insightful)
Nope. This wouldn't work as a defence.
The act requires you to 'provide the data in readable form' from any system that you have control over. If you do not provide the readable data, then you commit an offence.
If the system is rigged such that it destroys keys, or requires continuous maintenance to preserve the keys - then that is your problem. The crime is 'failure to provide' access not 'refusal to provide' access. In other words, the onus is on anyone using an encryption system to ensure that they can always provide access to law enforcement.
The only loophole I can see, is sending the data to a trusted 3rd party in another country, where it is held in encrypted form. If that 3rd party refuses or is unable to hand over the keys, then there is nothing the local police can do about it (unless they have an agreement with the police in the remote country).
Re:Also as a practical matter (Score:3, Insightful)
Re:Mod parent down, just plain wrong. (Score:5, Insightful)
This makes no sense in British terms - Parliament is sovereign and cannot be bound.
That said, the centuries old common law presumption of innocence was enshrined in positive law in the Human Rights Act, 1998.
I can't figure out if you are American with a Blair fixation, or British but enamoured of the concept of a written constitution. In either case I think you are misguided:
A written constitution is not "fundamental, nonrevocable and unalienable" since it can be amended, the procedure is just a little more involved than normal legislation. And you only need to look at Prohibition in the US to see that this is no bar to stupid laws that restrict freedom. It also makes them a lot harder to get rid of. Ultimately the cost of freedom is eternal vigilance either way; a citizenry that is either complacent or uncaring of their liberties will lose them in any system, whether or not you have the speed bump of a written constitution or not.
Re:Also as a practical matter (Score:5, Insightful)
by touting convictions like the one in TFA as evidence of how you should always hand your key over without a fight, or without playing innocent they strengthen that idea amongst the public as to that's how it works.
From TFA (my emphasis):
Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.
Hmm, 16 weeks in prison for refusing to hand over keys or:
If guilty, 5 years in prison for sexually exploiting children.
If innocent, a lengthy trial with your name dragged through the mud by the tabloid press. Let's face it, everyone he knows will remember the trial but forget the verdict, and something like that's not the kind of thing you can easily shake off.
Tough choice.