British Teen Jailed Over Encryption Password
An anonymous reader writes "Oliver Drage, 19, of Liverpool has been convicted of 'failing to disclose an encryption key,' which is an offense under the Regulation of Investigatory Powers Act 2000 and as a result has been jailed for 16 weeks. Police seized his computer but could not get past the 50-character encrypted password that he refused to give up. And just to get it out of the way, obligatory XKCD."
Only 16 weeks? (Score:5, Interesting)
He's getting off easy. In the USA, the cops would get a court order and the judge could order him jailed for contempt of court until he gives up the password.
Miranda rights (Score:3, Interesting)
Just give them something? (Score:3, Interesting)
Could he have given them a random password, and then act dumbfounded when it does not work?
Maybe even accuse them of breaking his system?
It is hard to prove that the header of an encrypted disk has not been corrupted.
Would that work with the current law? Has anyone already tried it?
Re:What is he hiding? (Score:5, Interesting)
"Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation"
He was probably suspected of having pictures of his 17-year old naked self on his computer. Quite frankly, I don't give a rat's ass about child porn accusations anymore. If somebody tells me to think of the children, I say "fuck the children" (well, not literally). It's an empty argument, a way of saying "I don't want to discuss this, it's going to happen so shut up." I instinctively assume that anyone who brings up child porn accusations is lying. This is just another instance: They want to read his hard disk, so they accuse him of something unspeakable. The punishment for not remembering a 50 character password after 6 months of not using it is atrocious. These people deserve our deepest disdain. THEY have done wrong and parade their deeds in front of us, while Oliver Drage, for all I know, has not been convicted of anything I would consider a wrong-doing.
Re:Different in the USA? (Score:5, Interesting)
No person (...) shall be compelled in any criminal case to be a witness against himself
Re:But it's hard to remember... (Score:5, Interesting)
But is it only 16 weeks, and that's it, or at the end of the 16 weeks do they ask again? If he refuses again do they just put him back for another 16 weeks (or more)?
Re:investigating what? (Score:1, Interesting)
He's an idiot - he's scouse he could have said I don't know the password I stole the laptop. It's not like anyone wouldn't believe him.
Re:right to not incriminate yourself? (Score:4, Interesting)
At common law, and particularly following the passing of the Criminal Justice and Public Order Act 1994, adverse inferences may be drawn in certain circumstances where the accused:
* fails to mention any fact which he later relies upon and which in the circumstances at the time the accused could reasonably be expected to mention;
* fails to give evidence at trial or answer any question;
* fails to account on arrest for objects, substances or marks on his person, clothing or footwear, in his possession, or in the place where he is arrested; or
* fails to account on arrest for his presence at a place.
Re:Just give them something? (Score:3, Interesting)
Re:right to not incriminate yourself? (Score:5, Interesting)
Well, they can also say: -Tell us where the body is. If you don't tell us where the body is, we'll throw you into the slammer.
You'll tell me that it's not the same thing because if you didn't kill anybody you wouldn't know about the body's location and that if the kid is hiding child porn on his computer and is not 'telling where the body is', he must be guilty then.
But it is the same thing if there is no child porn on that computer just as well. If you don't have any child porn on your computer you are innocent of that crime, whether there is or there isn't a court order telling you to give up the password.
So now let's say there isn't child porn on that computer. The judge is still saying: -Show us the child porn on your computer.
If you refuse to show the child porn on your computer (and there is no child porn there) then throwing you in jail for not showing the files is equivalent to throwing your ass in jail for not providing whereabouts of a body of a person, when you have no idea about the body and you are innocent of any crime there.
Not showing them the child porn images on your computer by not providing the password, while being innocent and not having any images of child porn on your computer, and being thrown in jail for that? I say it's bullshit and a violation of your rights. You say on the contrary, that nobody has a right to refuse to help an investigation by providing some information.
--
OK, so you are throwing somebody in jail because they don't want to help you with investigation. Good path on the way of becoming a police state on one hand, on another hand it's an example of a police state in action.
This xkcd comic bothers me (Score:2, Interesting)
Why on earth would you encrypt a hard drive with any public key algorithm?? That would be incredibly slow.
Re:Only 16 weeks? (Score:3, Interesting)
So even inability to provide is not a defense?
Excellent, I will start mailing people encrypted USB keys and no password next time they piss me off.
Then a simple call to the cops and away they go.
How did they find the length of the passphrase? (Score:4, Interesting)
I wonder how they found out that the length of the passphrase is 50 characters. Did he brag to the authorities? Was there some way of detecting the length of the passphrase when they looked at the encrypted key?
Selfdestruct (Score:3, Interesting)
This is why you need hardware encryption with a selfdestruct mechanism.
A software solution can not do this. They will mirror your disk and work on the mirror. But a self contained chip can be made tamperproof and such that enough mistyped passwords or just the special self destruct passwords makes the chip irreversibly lose the key.
After the selfdestruct event happened you just claim they caused it. That you gave the correct password the first time they asked. Even if you end up getting convicted on giving the selfdestruct password that might be less than what they are really after.
A variant of this scheme is to store your password on a key device with the same properties. Someone could make an application for your phone that did this. It would not be as secure, as they could be mirroring your phone, but likely they would catch on to that too late.
Re:right to not incriminate yourself? (Score:5, Interesting)
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
I'm going to have to go against the prevailing view on /. on this one. Of course you have a right to encrypt your files so that people can't snoop through without your permission. But I don't think it's a problem that the state can, with good reason, compel you to decrypt it. If the police get a search warrant, that overrides your normal right to refuse them entry to your house. What's wrong with something similar for computers? Or is this just rabid, unthinking anti-establishmentism I smell?
Re:right to not incriminate yourself? (Score:5, Interesting)
So what happens when you say:
"No,I do not understand. I will need my lawyer to explain this to me"
Re:What is he hiding? (Score:5, Interesting)
Theoretically it could be something as innocuous as a photo of his 16 year old girlfriend's boobs (not to mention all sorts of other stuff, like diaries, etc)
The Labour party when it was in power and creating laws out its wazoo (including the RIP Act deployed here) made it an offence to have photos of persons under the age of 18 engaged in sexual acts. To put that in context, you can have a gangbang with a 16 year old (assuming that's her thing) and it's perfectly legal. But if you have a photo of the same girl with her boobs out, taken while you weren't there (!) or if you aren't in a government-sanctioned relationship, ie, long-term or stable (I shit you not) you're a dirty sex criminal.
And that means your life could be destroyed: sex offender's register (probably just for 5 years for a photo of the boobs of a legal to fuck, but not photograph girl) and a bar on any career you might want or develop in all sorts of areas to do with children and 'vulnerable adults'. And maybe any chance of decent employment.
Compared to any of that, even 16 months in prison, after which you at least get to rebuild your life, is probably a price well worth paying. Even for something as trivial as legal-to-touch teen boobs. Or a bit of manga. Or a sexualized stick-figure drawing that some prosecutor might say was 15.
Maybe they think that bikini shot of that cute girl is over-sexualized, and she was only 17 when it was taken...
Maybe it's just regular porn. Or you think so. But get this: you own one picture from a series, which you've never seen. That series of photos contains 'extreme pornography'. Even though your photo doesn't, you still may be guilty of an offence! And stuck on the sex offender's register.
You'd have to be an idiot, assuming the most, er, innocent of porn collections to want to take that risk, hand over your password and place your entire life in the hands of the Criminal Prosecution Service.
Re:Different in the USA? (Score:5, Interesting)
That's why my passphrase is "I committed the crime."
Oops, now I need to change the passphrase on my luggage. Maybe I'll change it to "is my little secret" and when the keystone kops come after me, I'll quip a cryptic comment about Quine.
When he gets out, can they ask for it again? (Score:4, Interesting)
indeed it is (Score:3, Interesting)
If you're so committed to the truth, then you should give them the password and the truth shall set you free.
But if for some reason you aren't interested in that, this is your next option.
Re:right to not incriminate yourself? (Score:3, Interesting)
If that's going to be your argument, then maybe you can explain why the police can't get a warrant to have your 5th amendment rights suspended entirely?
Re:Just give them something? (Score:1, Interesting)
Yes the free software TrueCrypt has something similar - one password accesses your secret files but a different one accesses a separate encrypted partition to get around having to reveal the password. Don't think it has a "kill" password like you mean though
Re:Only 16 weeks? (Score:5, Interesting)
just a random idea: suppose you need some salt (maybe that's not the right word) to add to the key to make it really secure. and that salt comes from something that must be accessed regularly or the time skews (or something like that) and you'll never (...) be able to get your data back. as a precaution; a dead-man's switch of sorts.
so you go to court and they ask for the key. you tell them YOUR part of the key but one aspect is outside their control; while they had you locked up, time marched on. you were not 'at your desk' to refresh the clock or keygen and so the machine detected an abnormality. at that point, given this theoretical situation, you are now UNABLE to unlock the disk. you may WANT to, but it's beyond your control. the machine that gives you the 2nd part is now out of sync and you 'can't fix it' since it may not be your own coding (again, let's say for argument's sake).
has that been thought of or tried? a dead-man switch that needs to be kept alive or it won't give up ITS part of the password? it's no longer YOU denying the cops, but some other system.
maybe a loophole? maybe someone can use this concept?
Re:Different in the USA? (Score:4, Interesting)
"May contain" isn't the same as "did contain", and I'd hate to see anyone convicted of a crime he or she "might" have done.
Even if the agent believed it to be child porn doesn't necessarily make it so -- he could have been a Melissa Ashley fan, for example.
Of course, the pr0n might have been illegally copied, in which case it's perfectly valid to not want to incriminate oneself.
I have no idea whether the guy was guilty or not, but I know that forcing him to decrypt his HD in order to find evidence to convict him with is mocking the intent of the fifth amendment.
The problem in that case isn't over the guy's guilt, but that both the judge and the review found that the mere presence of encryption was admissible as evidence against the accused.
It's like arresting someone for arson and using the presence of a ski mask as evidence against him, with absolutely nothing that indicates that a ski mask was used, whether during the crime or to hide his face.
But apparently, possession of encryption software is allowed to be used as incriminating evidence in itself, and the fifth amendment doesn't cover refusal to disclose encryption passwords.
Yes, we most certainly live in the land of the free. For very small values of free.
Re:What history books did you read? (Score:4, Interesting)
The UK has NEVER been a model for any "freedom" as we think of it here. Remember that whole revolutionary war thing? The one we had to fight TWICE just to be free of the King?
Fun times: after saving Europe from the tyranny from the Nazis, Britain went right back to their own tyranny in holding on to the dying embers of the British Empire. Churchill in fact bragged of shooting "savages" in places like South Africa (i.e., he shot black people) in his young days, before his government tortured Barack Obama's paternal grandfather in the 50's during Churchill's second stint as Prime Minister. Which makes it even more awesome when Obama pushes forward in the military trial of a 16 year old child soldier - whose confession was given under....wait for it....torture.
Re:Different in the USA? (Score:3, Interesting)
When the revolution comes, I nominate that judge to be the first against the wall & shot as a "domestic enemy" of the US and Vermont Constitutions.
The purpose of the "not be compelled to testify against oneself" is to protect the accused(s) from older 1600s and 1700s governments that would torture them to confess. Or imprison them, until they confessed. That's what is happening here: Imprisoning people until they confess the password.
Re:Bleh he's 19 (Score:1, Interesting)
He's 19 now. He was arrested in 2009 when he was 18.
How old was the child? Probably 17.
He is seriously disturbed and needs to be put away.
Re:right to not incriminate yourself? (Score:5, Interesting)
But if you've encrypted the hard drive of your main computer, and you have to enter a password every time you start it... a jury isn't necessarily going to believe that you've suddenly conveniently 'forgotten it'.
There are other ways to remember passwords other than committing them to memory. I seem to remember hearing about intelligence agencies teaching spies passwords based on muscle memory so that they couldn't be divulged under torture.
I'm a pianist and I've experimented with using passwords based on songs that I know by heart and it works great. My left hand is a bit sloppy, so I just use it on the shift key as if it was the sustain pedal. I had one password that was over 100 characters long and I had no problems entering it in. And even if someone knew the song, it's doubtful they could determine the password since it depends entirely on how I play the piece and which part of the piano key I use for each note. I suppose someone could figure it out by watching me play the piece, but I'm not even sure that would work and I could always play it slightly differently if I knew I was being watched.
If someone is a talented musician, I could see them plausibly telling a jury that they're unsure of the password because they enter it by playing a particularly difficult part of a song. Bonus difficulty points for telling them that the software is time sensitive and expects keys to be keyed in at the same rate as when the password was set.
Re:Bleh (Score:3, Interesting)
"Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime."
Wasn't this legislation introduced specifically to fight terrorists?
So now the Ministry of Truth has revised the facts. Never trust those who have power over us.
Re:right to not incriminate yourself? (Score:3, Interesting)
Short answer: No. Through some creative legal thinking producing your encryption password is now considered equal to handing over the key to your safe, not to compel information from your mind. It's bullshit but Britain takes 1984 as a role model, not a warning.
The location and use of a physical key must also be found and extracted from your head.
There is no useful distinction to be made here.
The level of protection in the U.S. Constitution is framed in only fourteen words:
nor shall be compelled in any criminal case to be a witness against himself
The origins of the privilege lie in the use of torture to extract confessions.
The primary meaning of the word "witness" in this context is your testimony in open court.
Not the simple actions a judge can order you to do to advance a civil or criminal investigation.
The farther you are from your turn on the witness stand, and the more civilized the means of compulsion, the more likely a court will insist on your compliance.
Re:Also as a practical matter (Score:3, Interesting)
The old hereditary lords (as opposed to the appointed ones of today) often looked at the long term, because they were going to sit in office until they died and be succeeded by their sons and grandsons. An elected politician seldom thinks further ahead than the next election, and the voters seldom think even that far ahead. (Which, by the way, is why supreme court judges in the US are appointed for life -- they can then take a longer view than those who pass the laws in the first place.)
The downside to the hereditary lords is that there was no guarantee that there wouldn't be a bad apple in the barrel, and when there was, there was no-one to blame, unlike with elected idiots (at least you can say that YOU never voted for Goldwater). You pretty much had to trust that the other lords and crown would sort things out through a "hunting accident" or "lost at sea".
As for the Roy, it's useful to have a king or queen for diplomacy. Being brought up to do the job, and not actually getting the job until middle aged tends to give them a lot of experience. Sure, there are mad ones (John, George) too, but you get that in elections too, where charisma and being different from [insert hated former ruler] counts for more than actual abilities.
And, a royal family is always useful to pull out of the hat for people to rally behind in times of war. After all, the royals do fight, unlike the protected children of US presidents, and I'm sure you'd have an easier time finding Englishmen willing to die for Queen Liz than Americans willing to die for president Obama.
Re:Also as a practical matter (Score:3, Interesting)
Last time I checked you guys have elections,
It's the same problem as the US. The only real options are candidates endorsed by, and subservient to, two parties who are much the same.
And why the hell haven't you thrown out the stupid queen yet, while we're at it? Are you really OK with having royalty?
Actually, the Queen is kind of cool. When she dies and Charles takes the throne, the monarchy's time might be very limited. At least here in Australia I think it will. The Queen has a lot more respect personally, than the monarchy in general.
P L A U S I B L E D E N I A B I L I T Y (Score:2, Interesting)
Prove me wrong.
Re:right to not incriminate yourself? (Score:2, Interesting)
When arrested for DUI in New Jersey, the officers read a lengthy explanation of how you must submit to a chemical test (breathalyzer), and in this explanation, it states that you are not allowed to consult with a lawyer before agreeing. It also states that if you do not agree, you will be charged with refusing (which carries a penalty equal to the lowest penalties for DUI (between .08 and .10, first offense)) in addition to still facing the charges of the DUI itself. If you say you don't understand what you are agreeing to, they simply repeat it. If they repeat it more than a few times, you are "guilty" of attempting to delay the chemical test (also explained in this long thing you MUST agree to as being equivalent to refusal). The way they put it is that asking a lawyer to explain it to you, or asking them to repeat it too many times if you don't understand it, counts as delaying it, which counts as a refusal. Furthermore, they speak fast and monotone (cause they've read it a thousand times themselves), making it harder to understand, and they don't even allow you to read it yourself; it must be read TO you.
Re:right to not incriminate yourself? (Score:1, Interesting)
So what happens when you say:
"No,I do not understand. I will need my lawyer to explain this to me"
If everyone plays by the book you will be taken down to the police station and given the choice of speaking to a legal aid lawyer or getting your own. After that things will proceed exactly as they would have done if you said you understood. The prosecution (or the defence) would have the right to mention that this happened in court.
Re:Only 16 weeks? (Score:3, Interesting)
There is software for laptop locking that does this if not accessed in 7 days. It is designed to brick stolen laptops. If it is not connected to the corporate server for a week, it locks. Even if stolen with the password, simply never connecting to work will cause this.
Simply taking the laptop and waiting for trial would make it impossible to unlock without taking it to the corporate IT department.
Re:Only 16 weeks? (Score:1, Interesting)
I have a different idea... On your harddrive you will have an encrypted file that you will pretend to be protecting, but in reality you don't really care about anyone finding out what it contains:
SecretData.bin
Then on your USB drive you have a one-time pad file that is the same size:
OTP.bin
Someone gets a warrant, you hand over the USB drive and the password "hunter2". They XOR your OTP file with SecretData.bin and get an encrypted file, that they can decrypt with a common encryption algorithm and the password "hunter2". They now have access to the data you're pretending to hide. Porn, bank statements, love letters, whatever.
Status: They've found a file on your harddrive. They've used your OTP file and the password you gave them to decrypt that file. You've been nothing but cooperative in helping them decrypt your data. If they ask, you tell them that you use an OTP file so that a hacker can never steal your data, even if he guesses your password, because you always remove your USB drive from your PC when you're not using it.
What they don't know, probably don't even suspect and could never ever prove: Your OTP file isn't random data. It is the data you really want to hide, encrypted with an algorithm that produces results that are indistinguishable from random data. Anytime you want, you can decrypt your OTP file to access the data you're really hiding.
Re:Only 16 weeks? (Score:1, Interesting)
Make a keyserver that stores your master key in ram, maybe inverting the bits from time to time to avoid the possibility of the RAM retaining data too long after power is removed. Maybe some kind of low power microcontroller would be right for this. Take serious precautions with backup power - get this wrong and all your data is lost.
The keyserver wants to be small, battery backed up etc. and have some tamper sensors. Motion sensor, light sensor, pressure sensor, others.
It probably wants to look like something other than a computer.
It needs to be somewhere that the cops will find it when they search your place, somewhere where they are pretty certain to move it or otherwise trigger its tamper sensors.
Cops raid at 5 in the morning - disturb server - goodbye master key.
Cops interview:
Cops: "Give us your keys"
You: "Sure thing officer. The master key is stored in a little keyserver that looks like a DVD case. It is on the bookshelf half way down a pile of Playboy magazines. You talk to it by IR from the laptop using the getkey program. The icon for that is on the desktop and the passphrase is 'w@lk1ng 1n the r@1n w1th my g1rl', all lower case"
Later...
getkey 1.02.
Comms to keyserver v1.00a OK at 2400 baud.
Input passphrase to access stored keys.
keyserv> w@lk1ng 1n the r@1n w1th my g1rl
Passphrase OK.
Tamper detected at 05:24:47 on 19/11/10. Keys were deleted.
In court: "I asked the policeman not to pick up the pile of Playboys, but he told me to shut up and took them down from the shelf. The keyserver detected the weight of the magazines being removed and decided that it was being tampered with so it deleted the keys."
Re:What is he hiding? (Score:3, Interesting)
I would make the same assumption about two year old pictures as the AC.
This despicable law is just a crutch for lazy investigators.
Quite simply the guy was not at his computer 24 hours a day and it would have been easy to install a key logger that records the first 200 keys after boot. Such a 'wiretapping' process is currently well covered by existing laws.
Re:Also as a practical matter (Score:3, Interesting)
I believe that compelling disclosing a password to your computer might be a Fourth Amendment issue, not a Fifth ("The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures...")
The Fifth isn't going to help.
In your strawman example, you'll be jailed for contempt if you are under subpoena to provide the color of the car, since you were only observing it as it sped away.
I am not a lawyer, and this is not legal advice. However, I can read the Constitution.
Re:Also as a practical matter (Score:3, Interesting)
Re:Also as a practical matter (Score:3, Interesting)
The monarch is a symbol of the power of inherited wealth and privilege. As there are no plans to impose a 100% inheritance tax any time soon, there would be no real point in getting rid of her, however much a lot of us would like to see it happen just for the symbolism.