Man facing rare refusal-to-unlock-encryption charge: Court date set A 20-year-old Brit will appear before magistrates in Maidstone, Kent, on 20 December charged with launching denial-of-service attacks on the websites of Kent Police and Oxford and Cambridge Universities. Lewys Martin, from Walmer near Dover in Kent, also faces charges of theft of personal data and failure to disclose passwords …
The answer to that quandry is to take legal advice on whether or not you should answer their questions.
The advice is likely to be "don't say anything" and then in court you say: I didn't give this explanation when questioned because my legal advice was that I should't answer the question.
That's a good enough reason to not have answered it.
This post has been deleted by its author
It is all a bit of a mess. You should have a right to silence, to a fair trial and not be forced to incriminate yourself, courtesy of the ECHR. However, the Criminal Justice and Public Order Act 1994 changed things. Now, a court is allowed to infer intent or guilt from a refusal to answer police questions - but this varies according to whether or not the accused has had legal advice. I guess the answer is to tell the pigs that you will be happy to answer their questions,once you have had legal advice - whereupon they will leave you locked up for many hours and tell you that they cannot find your lawyer, in the hope that you will get bored and talk to them.
The issue with passwords, encryption keys, etc. has been added with the Regulation of Investigatory Powers Act - and a court of appeal has ruled that the right to silence and the right to not be forced to incriminate oneself don't apply as any password or encryption key is not incriminating information in itself.
"You understand it wrong."
Citation, please.
From Wikipedia:
The Criminal Justice and Public Order Act 1994 provides statutory rules under which adverse inferences may be drawn from silence.
Adverse inferences may be drawn in certain circumstances where before or on being charged, the accused:
o fails to mention any fact which he later relies upon and which in the circumstances at the time the accused could reasonably be expected to mention;
o fails to give evidence at trial or answer any question;
o fails to account on arrest for objects, substances or marks on his person, clothing or footwear, in his possession, or in the place where he is arrested; or
o fails to account on arrest for his presence at a place.
That's not much of a right to silence is it? It's a bit like saying "You have the right to hold your breath indefinitely". You do have such a right, but you're going to be rather screwed if you exercise it.
When arrested in England and Wales, the arresting officer will read you your rights and (s)he will say something like:
"You have the right to remain silent, but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence."
This I'd imagine then gets superseded by further laws that I presume state things like "You must provide decryption keys when requested for the collection of evidence" (which I don't agree with personally).
So yes, we do roughly speaking have the right to remain silent until that is removed by another law depending on your case. I don't think a court will convict anyone who stays silent when asked "did you kill Testy McTest?" for example.
> Its an EU human right o remain silent under police questioning
Yes, but the law in England and Wales permits a court to infer bad things about you should you choose to exercise that right. Hence the newer version of the caution :-
"You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court."
So it's all very well having a right to silence, but you stand a good chance of getting yourself locked up for it. Not really much of a right...
Vic.
The problem with saying that you were advised by your lawyer to remain silent is that you've waived your attorney-client privilege over that part of your advice, meaning that your lawyer can be compelled to confirm/deny that he (or she) gave the advice.
1. It was then, and it is now
2. It wasn't this government
3. He is a terrorist. And a criminal. And a thief (tried to steal data, I'm sure). Violating private networks makes him a rapist too. And a traitor, as he betrayed the trust of this loving country. Give him 25 years, then deport to Scotland, or some such wild territory.
I supposes they could call him a Cyber Terrorist? just be glad uncle sam didn't get hold of him, much worse fates will await him...
The problem is not that they can demand encryption keys, but that you don't know what they will do with your data afterwards...
What if you have pictures on your HDD of your family, some of them are of your kids running round the house nude, or your wife sunbathing topless, or even more risque photos of your wife.... Photos you planned to keep for yourselves, hence the encryption.. Can you get compensation for invasion of privacy? what if one of those photos appeared online afterwards? will they compensate you?
@AC 07:46 - You're making an absurd point - It's not suggested that we allow authorities to rifle through our private files on the off chance. What is happening here is that someone is being compelled to hand over passwords for encrypted files which are the subject of a court issued search warrant into a criminal investigation. Were I to withhold a key to a safe, in a similar situation, I would be held in contempt of court and could be imprisoned.
You're making an equally absurd point.
If you've lost the key then the authorities are compelled to either use physical force to open the safe or search your property to find the key.
If you lose or forget a password on encryption key, then the assumption is that you're actually refusing to give them the information because, as we all know, people never forget passwords. You may be in a position where you genuinely have nothing to hide but are completely unable to prove it and get sent to prison as a result.
Feel better?
And also about bloody mindedness.
No, I would NOT let self-appointed 'authorities' nose through my hard drives.
I confirm to you good people that there is nothing more secret on it than my monthly budget and Christmas shopping list. But why the hell should any government - local, national or plod - decide they have the right to see it?
They don't - they can sod off. And to their acolytes I say "No I've got nothing to hide, but my private affairs are just that". "Private!" "Now kindly Foxtrot Oscar".
OK.....
Even under RIP, you can tell plod you have "forgotten" your pass-phrase and there isn't too much they or a jury can infer.
By saying to plod "I'm not telling" he is either making a stand to get RIP struck down (and has very big, hairy balls indeed), or he is a bit thick and has had crap legal advice.
Prace bets now.
A third option would be to deny that the block of data is encrypted at all.
You'd hope that something that was encrypted properly would appear as just a series of random bytes. Before the police start demanding passwords, shouldn't they first be required to produce evidence that there is, in fact, something there to decrypt?
As luck would have it, a decent encryption regime would mean that the only way to distinguish the difference (from random bytes) would be to decrypt it in the suspicious data first place. Only _then_ would there be something that you could be legally required to hand over the password for. But of course, by then the topic is moot.
Good luck.
The encryption is done with software, which is on the disk.
Unless he was using an external boot disk (and lets be honest, so far the hackers in the news don't appear to be all that ;)) then the software for decrypting is clearly visible on the disk before the encrypted data.
> shouldn't they first be required to produce evidence that there is, in fact, something there to decrypt?
They should be. They aren't.
A Section 49 notice only requires belief "on reasonable grounds" that there is an encrypted data block. And it doesn't need to be Plod issuing the notice - it can be anyone in Schedule 2.
Note that 49(3) gives the grounds on which a Section 49 notice can be issued. The first is the one I find least troubling. The grounds are :-
(a)in the interests of national security;
(b)for the purpose of preventing or detecting crime; or
(c)in the interests of the economic well-being of the United Kingdom.
(c) above should worry any foreign nationals storing commercially-sensitive data in the UK...
Vic.
>> shouldn't they first be required to produce evidence that there is, in fact, something there to decrypt?
>They should be. They aren't.
>A Section 49 notice only requires belief "on reasonable grounds" that there is an encrypted data block. And it doesn't need to be Plod issuing the notice - it can be anyone in Schedule 2.
Which is worrying in itself. Usually it's not the responsibility of the accused to prove that a crime has been committed. The police are the ones who have to produce (or at least suspect) that a law has been broken. Once they've done that, they proceed to collect evidence and if there's enough, the CPS will make a decision to prosecute. I suppose it could be argued that providing a password is part of the interrogation process and just like perverting the course of justice, lying about not knowing a password (or having forgotten it) is a bit naughty. But to be required to provide a password when there's no proof that one even exists sounds like a policeman requiring ordinary citizens to 'fess up to any crimes they may (and the presumption being that they did) have committed at any point in the past - even if there's no proof that the person has committed any.
Yes, he should have just given them a "password" instead of making a stand as judges dont like having the piss taken with the law. Jurys tend not too either.
"But of course its that PASSWORD" (give them your online bank account password) "its my online bank account password, my super secret one! What do you mean it doesnt work?"
Then your job to the jury is just convincing them you have forgotten it under duress of possibly getting 10 years. Here is a list of all the passwords ive used for email, bank, voicemail etc.
Obviously perjury is bad. Anal sex under 18 is illegal, do not infringe copyright, shooting dwarves with crossbows in chester is *still* murder even though you wont break any by-laws. etc etc
You do realise that telling plod you "forgot" your password still counts as "failing to disclose the password" under the RIPA legislation.
Under RIPA if an encrypted file is found on your system and you cannot decrypt it you face jail time and no amount of arguing will save you.
" You do realise that telling plod you "forgot" your password still counts as "failing to disclose the password" under the RIPA legislation. "
My understanding is that there has never been a prosecution for 'forgetting' a password.
There have only been prosecutions for outright refusal.
If you can find a reference otherwise, I am very willing to be proven wrong.
I'd suggest that the courts know that trying to prosecute somebody for forgetting something is a potential minefield. Maybe even enough to call the act into question.
Passwords are supposed to be complicated, which can make them difficult to remember.
If you show plod your email account with all the emails received after using "I've forgotten my password" to get a link to reset yet another forgotten password, when does "I've forgotten it" become a reasonable excuse?
I've just had to reset my password here (again) to be able to log in....
I think it would end badly for you. It's the balance of probabilities and how beleivable you are in court. Trying to be a smart arse in court will alienate you from the jury and a lair normally gets found out. "it must be corrupted officer" excuses if found to be untrue will be reflected in your sentence.
To think a highly skilled hacker/cracker whatever manages to infiltrate networks and launch DDOS attacks but then the file the police are trying to unlock is corrupted ! Any decent barrister will be able to show either malicous damage or wilful obstruction.
Anyway, I have several dead bodies locked in a safe in my home and there is absolutely NO WAY that I am going to incriminate myself by giving the police the combination. I have NOTHING to hide ;-)
This post has been deleted by its author
Having spoken to my local beat copper, you could probably just set the file attribute to hidden to confuse most. It's the clever ones you have to worry about, hence my encrypted files detailing the plans for the Death Star and world domination stored on lozenge shaped USB sticks carefully inserted in the rear of the local cat population....
Well mine has a sort of deadman's time lock. If I don't reset it once every 24 hours it zeroes all the drives, and then ejects the drives and they fall down through a T4 degausser to make sure the data is not recoverable.
Not go anything to hide though - just don't want those dodgy photo's of me ending up on the internet ;-)
> So *any* assemblage of random bytes can be assumed to be encrypted ?
That does seem to be the unqualified opinion.
The thing is, yer avrige copper assumes that any collection of random bytes )must_ be an encrypted file (probably because their forensic software tells them so, not due to any actual knowledge they possess). Further, they'll assume that you'd only encrypt something you wanted to hide, ergo that must be illegal, immoral or fattening.
What if every geek in the country spent a couple of minutes being subversive? If everyone sacrificed a partition of a few GB and went on record (e.g. with a youtube video) as dd'ing the contents of /dev/random into it? Once there was "proof" that blocks of random data were commonplace on peoples' disk, the suppository that it must be encrypted and it must be illegal fails.
My reading of S49(2)(d):
that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,
So: he offer to decrypt files on demand - one at a time. When PC Plod refuses and demands the key he says ''see you in court'' - I suspect that a jury may side with him, he did offer.
See: http://www.legislation.gov.uk/ukpga/2000/23/section/49
This is an arms race and ordinary people are badly outgunned. It *is* possible for someone like me (who can write the code) to make it very challenging to recover encrypted material, but it is almost mystically difficult to even generate good encryption keys. With sufficient determination, organizations like the NSA will likely be able to breach any barrier ordinary people can put in place.
What we need are laws that not only allow people to keep their privacy intact, but laws that punish people relentlessly attacking our rights. The real criminal elements are people pushing legislation to allow things like state surveillance and criminalization of modest civil breaches. Additionally, we need to make it so that things like data obtained by coercion or trickery is inadmissible in court. Most of that type of stuff is what I would consider 'fruit of the poison tree' and regardless of what is found that way, it should not have any legal standing.
Some electronically stored material, about plans or other ideas represent basically computer aided thought. They are a way to increase your power to form ideas and remember them so you can build upon them later. No entity besides yourself has any inherent right to inspect your thoughts. You should be at liberty to construct whatever fantasy or narrative you please.
Things change. What is an amusing artistic break from the mundane today could become a serious crime in the future.
We do, in fact, have a large variety of common-law rights which would adequately protect us if the newer laws contradicting them were struck down. Or if existing laws still in place were enforced.
People here seem to feel that coercing decryption keys is wrong. That is likely because they understand the subject area more than average. Somehow, someone with more grace and wit than myself needs to help people understand issues like these.
"Some electronically stored material, about plans or other ideas represent basically computer aided thought. They are a way to increase your power to form ideas and remember them so you can build upon them later. No entity besides yourself has any inherent right to inspect your thoughts. You should be at liberty to construct whatever fantasy or narrative you please."
This has always been my argument, but then the further notion occurs that the only reason one's thoughts are sacrosanct is because nobody has yet invented the technology to read them. The day someone does, you can wave every last vestige of privacy goodbye. And that day may not be as far away as we'd like to believe.
There's is a sequence in one of Daniel Suarez' novels, either Daemon or its sequel Freedom, in which a man is being questioned by an AI while hooked up to an advanced fMRI. By showing him images and playing sounds, then reading which parts of his brain respond, the program is able to extract information by couching all questions in a form that only requires a Yes or No response. It shows him a Google Earth type map and narrows down his place of origin by sequentially zooming in on areas his brain responds to more strongly. For more complex information, such as his name, it simply shows sequential letters of the alphabet and selects each in turn as a positive response is recorded.
All of this seemed very cool, but comfortably far-fetched when the books were written just a couple of years ago. But recent breakthroughs like the case of Scott Routley (the culmination of earlier findings by the same doctor), while potentially offering fantastic news for vegetative patients and their families, should worry us greatly. When used with the subject's consent it's a miracle. But if a version that could coerce answers from the unwilling was developed it would be an Orwellian nightmare.
Personally I fear this sort of future technology at least as much as the autonomous weapons that everyone seems to be in such a flap over at the moment. Not least because I fear the "truth machine" could be with us long before the T-800s.
The lad DoS attacks a couple of university sites, okay, factually did he breach the network perimeter... Or was it just attacking publicly facing sites, like any other DoS attacker?
How could one know that this kid stole personal data, if he hasnt handed over, purely for example, the AES-256 crypto seeds enabling the operator to distinguish this from a government secret or his secret porno stash?
I find it shocking SIB publicly accepts that they're unable to decrypt such at this present time, probably not by technical limitation, but due to privacy law... I'm sure the exclusion of breaching ones privacy is conditional for certain acts of terrorism.
It could be funny, but an expensive joke, if the encrypted data was corrupted or had nothing of value! You'd have wasted your time!
Sounds like the kid needs therapy, if hes got that much stuff to hide... The avalanches - frontier psychiatry anyone?
He has been arrested and is subject to a court ordered search warrant. There is no expectation of privacy at this point. Refusing to hand over encryption keys, or any keys, in this circumstance is contempt of court and probably perverting the course of justice. The police don't care if you've got porn or if you've got some embarrassing financial situation or are having an affair, they are trying to investigate a (potential) crime.
Does the defendent have the right to be present, alongside legal or techical representation, during any investigation of the contents of a hard drive or other digital data? Can they ensure that only copies of any files or data related to the alleged offence are considered or copied?
Terror squad arrest over model rocket
In this country, not wanting to incriminate yourself is a sign of 'schizophrenia' ...
that for RIPA to be valid, the police have to go to a judge first. They are very reluctant to do this (under home office guidelines) and will try to bully a suspect into volunteering the keys.
If you are ever asked by the police to provide keys, refuse. Call their bluff. By it's very nature, we have no idea how many people they've blindsided, only the ones who forced them to go to court.
As another poster has said, RIPA has been deemed to trump privileged communications ... this is something the ECHR will eventually throw out.
> for RIPA to be valid, the police have to go to a judge first.
No they don't.
Schedule 2 shows who can issue a Section 49 notice. In many cases, this needs to be someone to whom a Judge has granted the right to issue notices - but most importantly, once such powers are granted, there is no further judicial oversight. People issuing notices by way of this route (Section 1 of Schedule 2) do not need to be Police Officers or any other authority figure (although in practice they probably will be).
Section 2 opens things up considerably for the Police - authorisation for a Section 49 notice can come from the Police Act 1997. No judicial oversight is required.
There's loads more in there - it explicitly allows for anyone authorised under Section 94 of the Police Act[1], for example. Have a read at your leisure. It's scary stuff.
Vic.
[1] This pretty much equates to "anyone"...
an encrypt / decrypt system with dual passwords - one to decrypt the data, and one that would show a normal decryption progress screen while secretly destroying the encrypted files (a nuclear option) ?
"I never used it to encrypt any files yet, yer honor. There was nothing to decrypt". Icon shows the nuclear option in use.
There are many ways around the encrypted password issue.
Decryption keys are often released using a password in the password table (certainly I understand that this is the method for LUKS).
You use a continuously changing password sequence that is generated from a password device that cycles through the same sequence in lock step with the machine.
When not using the machine, give the device to a 3rd party that is instructed to destroy the device if/when you are arrested.
You state that it is not possible to give the password/decryption key because the password device has been destroyed. There is never a single password that can be used twice to supply.
For the really paranoid, use a password device that obtains the password from a remote device by radio etc such that you never have the device in your possesion. So it can't be seized while you are using the machine.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
