A 19-year-old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. Oliver Drage, from Naze Lane, Freckleton, Lancashire, was arrested in May as part of an investigation into child sexual abuse images. His computer was seized …
How would they know it's 50 characters?
how do they know 50 characters?
There are 50 asterisks on the post-it note beside his monitor.
What's your password??
1... 2... 3... 4...
1234? that's the sort of password an IDIOT would have on his matched luggage!
50 char password...
Might not be 50 characters. In fact, it's probably not. How do you remember that lot? Some password boxes automatically add more as a safeguard to baffle folks who might be observing your screen.
Because he told them!
Yes my password is "fiftycharacterslong" What? 16 weeks! But I've told you my password is "fiftycharacterslong"
The actual password is "50 characters"
They just keep typing it in without the space so locked him up to cover their stupidity
"50-character encryption password"
How do they know the string length of the password??
Still trying to crack password..
I'd love to be the consultant employed to give that a go!
Free income for a year or more.. Then just tell them you couldn't do it and hand the disk back.. "That encryption is just too good!!".. No need to even plug the thing in! :-D
This is why I ALWAYS store my porn in the WikiLeaks download directory as a file called "insurance"
The consultant might have had a decent work ethic....
Although he may have to claim expenses for a new keyboard and treatment for carpal tunnel syndrome.
A similar post that could be read as a terrorist threat is before the courts now.
You have the right...
...to remain silent.
Or not if we decide so,
Nope. I was wrong
I just checked and it seems that the European Charter does not protect you from having to incriminate yourself. Poor kid rightly screwed now.
It's Blair's fault
There is an "innocent until proven guilty" provision in there, but Blair excluded it before signing. There was talk before the election of the Tories / Lib Dems pulling out of the Charter, then re-signing it in its entirety. So far, no dice.
until v unless
As others have said, "innocent *unless* proven guilty" would be nicer; "innocent until proven guilty" seems to suggest that you are, inevitably, going to be found guilty, but that it has not yet been proven. (That particular phrasing sounds like it was drafted by someone who believes in the concept of "original sin"; we are all guilty.)
I think you'll find it's the police officer's version.
This story just proves how old I am getting. I can still remember the days when a person was presumed innocent until proven guilty.
That said, I am pretty sure that the European human rights charter includes the equivalent of the 5th, i.e. that you can not be forced to incriminate yourself.
...he was. He was considered innocent of not disclosing the password, and then they proved it. So he was guilty. The problem here is not convicting him for a crime they haven't proved, it's them criminalising behaviour that *should* be a person's right, i.e. not to self-incriminate.
It's easy, you just write the laws the right way. He has been proved guilty of not typing in his password; hence jail time.
Other offences soon to hit the statute book to be used whenever they want:
"Taking a photograph"
"Sitting on the tube, reading Metro"
re: Proven guilty
Unfortunately I'm pretty sure "Taking a photograph" is already there. Probably next to the unwritten one of "Looking a bit foreign", added at the request of the Daily Mail...
I remember that too
It was 1994, with the Criminal Justice and Public Order Act.
how about 'wearing a loud shirt in a built-up area'?
That's only 39 characters.
Encryption exists because there has been a need to safeguard certain information. It is used in a capacity to protect personal files just like it is used to protect say credit card information. However RIPA deems it a crime in circumstances they see fit. If they want to differentiate between what is acceptable and what is not then I suggest that encryption be made illegal in this country for non-commercial use rather than jailing people because they will not cooperate. There is a clear distinction here between one's liberties and preventing people from covering up a crime.
I'm not sure that there should be an absolute right to hide behind unbreakable encryption. One doesn't have a similar right with respect to paper documents. Provided the police have obtained a search warrant, they can legally break any physical lock if you won't provide them with the key. (There's no such thing as an unbreakable lock or safe).
Do the police have to obtain a search warrant for your computer, before they can order you to decrypt? If so, that appears to be an appropriate safeguard, and an exact analogue to what has been the case for paperwork for many years.
If they don't have to obtain a search warrant, then they should be required to.
There should probably also be a provision that evidence obtained by requiring one to decrypt should be admissible only if it confirms the suspicions that led to the warrant being granted. In other words, if they are investigating money-laundering and they find only porn, they should not be able to charge one with possession thereof, because the grounds for the warrant have been proved false.
A problem with that approach is that the file in question might be obsolete and the password long forgotten. I'm an IT consultant, and whenever I have to store data from my customers, I use encryption. Most of those passwords are lost and forgotten only a few days after the work is completed, but I often forget to remove the encrypted files from my PC. After reading the article I made a quick search and found seven of those files, aged between three weeks and four and a half years. I just remember one of the passwords, from a file created in summer 2009. I remember it because the password was a funny word related to the owner of the data.
And don't forget I'm an IT pro and use lots of passwords. I have seen people forgetting their passwords two HOURS after creating them.
The thought police can jail you for forgetting something. Sounds really bad, doesn't it?
Nice in theory
But how do you enforce a search warrant for the contents of someone's memory? How do you prove that you've forgotten a password or that you've never had the password in the first place.
If you've downloaded the wiki-leaks insurance file how can you prove that you don't have the password, or that it isn't in fact your secret stash of terrorist manuals that you've renamed to look like the wiki-leaks file and do really have the password for?
Also if you followed the US system and had "Fruit of the poisonous tree" provisions in the warrants, the exceptions on the search being carried out in good faith would kick in and it would be a legal search.
*Note to self - remember to use the "Reply to this post" button next time
Aren't all the files that Steam downloads encrypted? I'm sure I don't have the key for them. So hide all your encrypted files in plain sight in your Steam directories.
Refused, not forgotten
The chap we are discussing "refused" to provide his password. I'm assuming that meant he said "No" rather than "I've forgotten it". The latter would have been a smarter answer and I'd hope it would lead to an acquittal - how can the prosecution possibly prove beyond reasonable doubt that this is not the truth? If it really is illegal to forget, I'd expect a jury nullification, or a successful appeal to the EU court of human rights.
I agree that the whole concept is stupid. Anyone competent with something to hide will combine steganography and plausible deniability (multiple encrypted volumes in one hidden container, one or two innocuous volumes that you're happy to reveal if they can work out where they are hiding, using software that always creates large amounts of random padding so they can't hope to prove that you're concealing more than you've shown them).
> Do the police have to obtain a search warrant for your computer
A Section 49 notice can be issued by a number of Authorised Persons. Many of these are not in the judiciary.
There is no legal oversight. There should be.
Right to security
We have arrived at the point where citizens are only allowed to have security of information if the government they elect allows this. I can see the pros and the cons, having a number of TrueCrypt files for sound reasons that do not involve breaking laws of any sort, and having a dislike of the offences of which the individual has been accused. That leads me to ask, was this individual using an encrypted proxy? Is this why the enforcement agencies concerned are not trotting out the data here?
Nice in Theory...
re: Fruit of the poisonous tree... a former net acquaintance was under investigation for Social Security Fraud. Law enforcement was searching his house for proof that he was running several businesses while claiming SS Disability. One of them, I believe a USPS Postal Inspector, found some video tapes in the closet and tried to pop one in a VCR but couldn't because there was already one in the player... he turned the VCR and the TV on, and found to his surprise, not evidence of financial crimes, but porn, and specifically child porn. He stopped the tape, called the courts for another search warrant specifically related to porn and child porn, and then arrested Jack on federal child porn charges... Jack is now doing time in Arizona on some charges, and when he finishes his stay in the Arizona iron bar hotel, he has a date with a federal house of detention for another 5-10 years. He won't be free again until he's about 75 or older. I only "knew" him because we were on the same email list, but the owner of the list tried to hide the charges from the rest of the list, and in fact went to a moderated list and refused to allow anything negative to be posted about him. She also threw a number of people off the list because they tried to post the true story.
Fail, because Jack had already been a guest in the pokey on several previous occasions, including once for murder.
UK fruit of the poisonous tree
If I recall, evidence discovered in this accidental way is acceptable in the UK, but it is up to the courts to rule on admissibility depending on just how far the method of discovery has stretched relevant laws.
They would have needed a warrant to take his computer away.
Unlocking his computer's encryption system would be covered by the same warrant which legitimated the removal of his computer.
50 character password
How did they work out that it's 50 characters, exactly, if they don't know what it is?
Unless he was bragging, of course.
How would they know
...that the password is 50 characters long?
How did the police know it was 50 characters but not know the password?
Knowing them it was the maximum field length the text box accepted.
RIPA is flawed
x years for not disclosing password
y years for disclosing password
x < y
I'll not disclose password.
at least we got him for something.
Surely the crim (according to witnesses and ISP logs an alleged trader in child porn) should be thinking:
X weeks for non-disclosure followed by (after encryption is cracked in a few months) Y months for child porn offences and Z months for perverting the course of justice - and then of course a large bill for the costs incurred in cracking said encryption and a long stretch of the sex-offenders register.
Still on the bright side, it's good news for security consultants and children.
Jail time for not disclosing password expires
Police request password again under s49.
Password owner declines again.
Police prosecute for failure to comply with (new) s49 order.
Password owner goes back to prison.
Scene 1: a court room.
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Scene 2: the same court room, four months later
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Rinse and repeat Scene 2 until the accused hands over the password or dies of old age.
What happens when he's released?
Can they ask him again, treat it as a separate offence and charge him with it? It could go on indefinitely.
Double Jeopardy. He's refusing to give the password for the same encrypted volume he refused to before. Worst that can happen here is being found in contempt of court and being returned to jail every time he refuses to give the password, but that's not within the remit of s49.
Would be ironic...
... if "Not sayin" actually WAS the password. Or even something like "There is no encryption password," or anything else to that effect.
after 4 months
I'm pretty sure I'd have forgotten...
@TAO: Application of double jeopardy to s49
To my mind, at least, it's not clear that the double jeopardy principle would apply. The crime, for which he was imprisoned, was failing to comply with a s49 order. I agree with you that he cannot be tried twice for the breach of a s49 order - the double jeopardy principle.
However, there is nothing in ss49-51 of RIPA which prevents a law enforcement agency from issuing another s49 notice, seeking the same information - this is entirely different to charging someone again for the same crime. If he fails to provide the key, he is tried for the breach of the new order, and thus commits a new, triable, criminal offence. There is no double jeopardy issue here - it's breaching a separate s49 notice.
There are two competing policy issues here - one is that someone should not be tried twice for the same offence (although under attack in some situations), and the other is that someone should not be entitled to obstruct the investigation of a larger crime by committing a smaller crime, and take the penalty for that smaller crime as a way of preventing the investigation.
I'm not aware of any legal authority on this, so just going on the basis of what makes sense to me in terms of approach - I'd be very interested to see something which suggests a different approach.
@The Original Ash
Except double jeopardy prevents you being punished for the same crime twice, if you refuse to hand over a password and get prosecuted that's only once. If they ask you again and you refuse that's a second offence and you can be prosecuted for it.
No Thats the password, its