back to article Clink! Terrorist jailed for refusing to tell police his encryption password

A convicted terrorist will serve additional time in jail after he was found guilty of refusing to supply police with the password for a memory stick that they could not crack. Syed Farhan Hussain, 22, from Luton, was handed a four-month sentence at the Old Bailey on Tuesday after a jury took just 19 minutes to deliver the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Boffin

    Ironically, given the likely time to brute force a 12 char pass-phrase and the promise of quantum devices, the logical approach is not bothering to start.

    1. Destroy All Monsters Silver badge

      You must understand that quantum devices are of no fecking use against good old 3DES or any symmetric cipher.

  2. Anonymous Coward
    Anonymous Coward

    I still don't get how it can be legal to try and force someone to talk. That's all this is really, a law that says "if you don't give us evidence against you, it means you are guilty".

    You'd think the lawyer would have bothered to contest that particular law ....

    1. BongoJoe

      You'd think the lawyer would have bothered to contest that particular law ...

      If it's Law then it's law and there is no point in contesting it in this court. What needs to be done is to have the law itself contested in the High Court.

      But you will need only one guess to work out how that will turn out.

      1. Jonathan Richards 1

        No constitution, remember...? @BongoJoe

        > have the law itself contested in the High Court

        Your post reads as if you are used to living in a jurisdiction where the legislation is framed by a constitution, e.g. the United States of America? We in the UK do not. There is no analogue of a Federal Judge or Supreme Court declaring a law to be unconstitutional, for the good and sufficient reason that the United Kingdom does not have a constitution. We have a constitutional monarchy, sure, which means [1] that any bill that Parliament can persuade the Queen to sign becomes an Act, and the operative law, i.e. in this case the Regulation of Investigatory Powers Act. There is no mechanism to petition a court, crying "Not fair!".

        In the US, RIPA would be declared incompatible with the Constitution as amended by the 5th Amendment. Not here.

        [1] Gross oversimplification warning!

        1. Graham Dawson Silver badge

          @Jonathan Richards 1 Re: No constitution, remember...? @BongoJoe

          You're correct that we don't have a document called "The Constitution", but you aren't correct that we don't have a constitution. A constitution is simply that which constitutes a thing - and we have that in spades. We have the founding documents of the modern United Kingdom, the Parliamentary Bill of Rights and a few other bits and pieces of legislation and treaty, and accompanying that we have legal precedent as set by the courts over about a thousand years.

          Together the form our constitution - they constitute the legal foundation of Parliament and grant its authority to govern by the will of the people.

          Up until about seventy years ago it was common for people of a certain sort to discuss British constitutional issues. Knowledge of the constitution of our nation was taught widely and in rather great depth. Not any more. The lack of knowledge of our constitution allows the current governments to sweep away huge swathes of our ancient liberties without even bothering to convince us why, and people aren't able to properly protest because they've accepted the idea that we have no constitutional body of law defining the limits of Parliament's power, and outlining the source of that power.

          On top of that: courts can and do overturn legislation all the time. Our legal system rests on the assumption that the courts have the authority to overturn legislation that is unjust, or goes against the rights of the people, or when a precedent exists to contradict the legislation in place. The courts used to limit the power of the legislature rather nicely by this mechanism.

          Where do you think the Americans got the idea in the first place?

          1. Tom 13

            Re: legal precedent as set by the courts over about a thousand years.

            I wasn't aware we were in the 23rd Century.

            As too where we got our ideas from, it was the result of abuses of justice and fairness even within the boundaries that existed at the time. Hence they are more protected under our unitary constitution. Part of the problem with the assembled bits and pieces in the UK is that it leaves more than sufficient room for word manglers to rework clear intentions.

            Not that it has helped us all that much on this side of the pond. Here judges just ignore the plain meaning and substitute their prejudices when they see fit, then claim stare decisis when someone challenges their interpretation in subsequent cases.

            The underlying problem on both sides of the pond is that neither of our governments are fit for purpose under any except a religious people. Absent essentially immovable rights granted from an all powerful, just and sovereign God its all just words on paper that are easily re-arranged by other clever men. And if that fails, they can always just shoot you.

          2. Jonathan Richards 1

            Re: @Graham Dawson re: No constitution, remember...?

            I agree with you entirely that the UK isn't anarchic, but wished to point out to the OP that we hadn't got a written constitution which sets up a legal framework for assessing the constitutionality of laws, and your accurate observation of the "swathes of ancient liberties" being swept away rather makes my point, I think.

            You wrote "On top of that: courts can and do overturn legislation all the time. Our legal system rests on the assumption that the courts have the authority to overturn legislation that is unjust", but I don't recognise that in our current systems. At the risk of being mocked for quoting from Wikipedia:

            "Because of the doctrine of parliamentary sovereignty, the Supreme Court is much more limited in its powers of judicial review than the constitutional or supreme courts of some other countries. It cannot overturn any primary legislation made by Parliament."

            Source: http://en.wikipedia.org/wiki/Supreme_Court_of_the_United_Kingdom

        2. ian 22

          Re: No constitution, remember...? @BongoJoe

          Does this mean the UK and the US are right off the list of places to visit? Or only the UK?

          I hear Afganistan is lovely this time of year....

          1. ThomH

            Re: No constitution, remember...? @BongoJoe

            My understanding of the legal position is this:

            Per Factortame, some acts are of constitutional significance. The European Communities Act is the one that case is about but it's far from being the only one. Such acts are special because they are not subject to implicit repeal. If a later act wants to contradict a constitutional act then it has to do so explicitly.

            Subsequent acts like the Human Rights Act (which incorporates the European Convention on Human Rights) have adopted some of the logic of this line of thinking: all acts are to be interpreted compatibly with the HRA unless they state explicitly that they're incompatible. Were there no recognition of the idea of a set of elevated acts, such a provision would be void since there's an underlying rule that no parliament can dictate which laws a future parliament may make or unmake.

            So if a barrister could find a suitably significant act then he or she could argue that the subsequent one is not to be applied literally as written. Similarly judges could try to finagle some sort of unintended meaning out of the literal words if they really put their minds to it.

            But in England and Wales courts cannot strike down legislation in any broad sense. This is something the Americans explicitly did differently as a balance and measure to try better to ensure ongoing separation of powers. See e.g. the Lord Chief Justice prior to 2005 for an idea of how much the British system has ever been bothered about technical separation of powers. We like strong competing interests but have historically not generally been especially bothered about whether powers technically may flow from one body to another.

      2. wolfetone Silver badge

        So what happened to the whole "You don't have to say anything, but anything you do say will be taken down and used as evidence against you"?

        The law is an ass. Always has been, always will be.

        1. Jonathan Richards 1

          @Wolfetone re right to silence

          > So what happened to the whole "You don't have to say anything, but anything you do say will be taken down and used as evidence against you"?

          It was heavily modified (and weakened, I guess) by the 1984 Police and Criminal Evidence Act. If you are now cautioned, it will (probably) take the form of words:

          “You do not have to say anything. But it may harm your defence if you do not mention

          when questioned something which you later rely on in Court. Anything you do say may

          be given in evidence.”

          Source: https://www.gov.uk/government/publications/pace-code-c-2008

    2. Anonymous Coward
      Anonymous Coward

      Innocent until proven guilty

      Yeah, we're not doing that anymore in England and Wales. Dumb fuckwits thought "innocent until proven or assumed guilty" would give their judicial system better conviction rates, so they could claim they were being "tough on the causes of crime".

      See http://en.wikipedia.org/wiki/Self-incrimination#English_.26_Welsh_law

      I'm afraid it's like much of the CJS nowadays, it has abolsutely nothing to do with Justice anymore, it's about serving the interests of those who are members of it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Innocent until proven guilty

        The other disgusting aspect of our law as it's developed over the last 20 years or so is the trick of turning a non-criminal act into a criminal one by creating a (potential) crime via an ASBO. I see the current Government have, unsurprisingly, some even more illiberal proposals in the pipeline.

    3. The Mole

      Regardless of the morality or ethicity of the law, a barrister (as this is the UK) doesn't have any (strong) grounds to contest the law as it has been passed into law by both houses of parliament including a declaration from the home secretary stating that it complies with the human right act.

      There's always the option of going to the European Courts of Justice to get them to declare that actually it doesn't comply with the human rights act but that will take more than 4 months and a convicted terrorist probably isn't the best poster child for that campaign

      1. Anonymous Coward
        Anonymous Coward

        Regardless of the morality or ethicity of the law, a barrister (as this is the UK) doesn't have any (strong) grounds to contest the law

        How about the English Bill of rights "excessive bail" and "cruel and unusual punishments" provisions. Locking someone up for refusing to hand over what amounts to a word, must surely class as excessive bail.

        1. The Mole

          Generally in UK law the last bill passed takes precedence and implicitly amends the previous bill - the basic principle is that parliament can't be bound by decisions of past parliaments.

          There's a couple of exceptions such as the Human Rights Act which explicitly has wording in that says it can't be implicitly amended instead parliament have to explicitly state that they are amending it in the later passed legislation (which they can do - although that may then be violating treaty obligations which could cause other political but not actually legal issues).

      2. Primus Secundus Tertius

        @Mole 13:11

        Worse cases than that have won the blessing of the European Court.

        But what a contempt for English law and England the terrorist showed. Could not remember his password, until suddenly he could. He would deserve to be jailed for contempt, even if the RIPA law did not exist. I hope we can throw him out one day.

        1. Uffish
          Headmaster

          Contempt

          Contempt for others is a nasty condition to fall into but is not a crime. Trying to injure and kill people is a crime, as is hindering a police investigation. The guy was jailed for those crimes.

        2. Charles Manning

          deserve to be jailed for contempt [of court]

          It depends...

          You can only be charged with contempt of court if a judge tells you to do something within his powers to command and you fail to obey.

          He cannot command you to wear a pink miniskirt, for example.

          Since there is a http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales, it is only the RIPA act that could give the court any teeth.

        3. Roj Blake Silver badge

          Yeah let's send him back to where he came from!

          Errr, that would be Luton then.

      3. Anonymous Coward
        Anonymous Coward

        @The Mole

        1. There's no such word as "ethicity", despite its resemblance to "ethnicity".

        2. If you believe there is a difference between morality and ethics, what do you think it is? Or were you just repeating yourself?

    4. Richard Barnes

      The Golden Thread

      If you are a fan of Rumpole of the Bailey, you'll remember his waxing lyrical over the Golden Thread that ran through British justice. These were:

      - The right to silence

      - The presumption of innocence and the fact that the burden of proof rests with the prosecution

      - The right not to be tried twice for the same offence.

      Pillars of justice that had stood for centuries were removed in the space of about 10 years between 1994 and 2004 after terrorist attacks that killed, in this country, rather fewer than the number dying in road accidents in two weeks. Rumpole's Golden Thread is no more.

      1. NP-HARD
        Pint

        Re: The Golden Thread

        +1 for Rumpole ref.

      2. codejunky Silver badge

        Re: The Golden Thread

        @ Richard Barnes

        But those rules dont work against the current threats to our lives. We are now facing some of the worst terrorists you can possibly imagine, we used to call them the people. And of course to ensure every potential criminal can be identified we must remove the rights of the terrorists (formally known as the people) so we can identify which ones need arresting now or can be controlled under whatever government takes over.

        This is a sick situation where the people have their protection stripped from them in the name of protecting them. And regardless of our faith in current governments (if we have it) is leaving us open to abuse by a future gov

        1. Sir Runcible Spoon

          Re: The Golden Thread

          "is leaving us open to abuse by a future gov"

          It doesn't matter who you vote for, the government always get in.

          "A patriot must always be ready to defend his country against his government.

          -- Edward Abbey "

          1. Kane

            @ Sir Runcible Spoon

            It doesn't matter who you vote for, the government always get in.

            Or alternatively, "The House always wins"

        2. Bartholomew

          Re: The Golden Thread

          The real solution to stop terrorism is to stop doing what is causing them to be created by the UK, US of A, France, ........ and stop selling them weapons.

          1. Pookietoo

            Re: The real solution to stop terrorism ...

            ... is to stop worrying about terrorists, and pay more attention to important issues like obesity and road safety.

            1. Roj Blake Silver badge

              Re: The real solution to stop terrorism ...

              I recall Omid Djalilli once suggesting that the media should call the nancyboys instead of terrorists.

              That would stop the worrying.

            2. cortland

              Re: The real solution to stop terrorism ...

              Or as a British online acquaintance wrote in 2005:

              "I'll worry about TERRORISTS when they're more dangerous than MOTORISTS "

              http://forums.delphiforums.com/callahan/messages/?msg=34277.56

            3. Arthur Dent

              Re: The real solution to stop terrorism ...

              There are a few changes in resource usage that could be more useful than switching effort from antiterrorism. For example we could make all those nasty drug things availanble from state-organised shops at a far lower price than the current criminal system delivers them, and put a lot of big criminals out of business while making a nice income for the state which could perhaps be used on helping people hooked on the really bad stuff, probably reducing a lot of small scale crime because addicts would not have to spend so much to servuice their habits, and completely eliminating the process of dealers persuading people to step up from comparatively harmless drogs to more harmful (and more expensive) ones. Or we could scrap nuclear armaments and use the savings either to produce some useful naval power and give the army some of the reources it needs instead of just cutting it back while throwing ever-growing commitments at it or, if defence is less important, to reduce the fiscal deficit.

              But the chances of a British government adopting any sort of sensible policy on anti-terrorism, drugs, human rights, surveillance, immingration, defence, or taxation are even less than those of democracy replacing plutocracy in the USA; recent years of Labour government took us in the wrong direction on all those thigs, and the current mob have continued to push most of the same antidemocratic statist and syndicalist ideas.

          2. DiViDeD

            Re: The Golden Thread

            @Bartholomew: I don't think you'll find that availability of weapons is what makes a terrorist. It's the perception of oppression, unjust treatment, prejudice, and so on, real or imagined, and a general impression that there is no legal way to change the situation which leads to acts of desperation on the part of those who want to change things.

            Weapons provide the means for terrorists, but not the motivation

        3. I. Aproveofitspendingonspecificprojects

          WTF: Worst terrorist you can possibly imagine?

          They seem to have been the worst bunglers anyone could possibly imagine.

          The worst we could imagine having had a shot at Britain were the green and orange ****ers that Blair bought off by letting George Bush bugger us.

          I can't think of a more badly managed episode since Blair introduced martial law into the UK. At least when the Irish bungled a threat and blew themselves up they did it by accident :) These monkeys couldn't peel a banana.

          As for GCHQ not decoding that silly password...

          His password was unlocked immediately and the police failed to inform him of the fact, thus adding to his incarceration. No doubt the secondary case brought against him after the sell by date for the password one lapsed was framed -as in framed; to suit the mentality of the imbecile.

          after so many days unattended. Assuming that the GCHQs antics wouldn't count.

          He should have kept his mouth shut. And he should have put the USB in a timelock device where it would blank itself after so many days unattended (assuming that GCHQ's antics wouldn't count) and blanked if mishandled in some way al la Cryptonomicon

          In the world of terrorism and espionage are there no memory sticks that are designed to lose all their data when attacked?

          Is that not irredemably inept?

          It's about as inept as an Arab terrorist using dollar signs in his password. He should have used some non Latin characters. And burned the keyboard every time he used it. A foreign keyboard that required three or so keys to produce each character would be difficult to force, especially if it didn't exist. It might take a few seconds as opposed to instantaneous.

          What we want in the free world is a password that is time dependent as well as having any imaginable character in it. Only the characters must be home made. How long do you think it would be before owning such a device would be deemed and act of terrorism?

          Despite the fact that to be a terrorist means you have to be unimaginably stupid enough to use a blown password that is easily forced.

          Ah well, it takes all sorts, الحمد الله.

          1. Jim 59

            Re: WTF: Worst terrorist you can possibly imagine?

            Aproveofitspendingonspecificprojects is a bot, and a good one - who the hell is voting him down. LOL

      3. NomNomNom

        Re: The Golden Thread

        On the otherhand Rumpole didn't lift a finger to stop Jimmy Savile.

      4. Jim 59

        Re: The Golden Thread

        I agree with Rumpole. But without a law making suspects reveal passwords, it is hard to see how any investigation could progress. Previous laws were written before electronic encrypted data became widespread, as was Rumpole.

      5. Neil McAliece

        Re: The Golden Thread

        That's the Labour party for you.

      6. Tom 13

        Re: The Golden Thread

        None of which apply AFTER you have been convicted.

        1. I. Aproveofitspendingonspecificprojects

          AFTER you have been convicted

          The trick is to hide it down the back of a sofa and wipe it clean before dropping it there. But you must do all this before you are convicted and have a seemingly identical USB that is also password protected (but obviously doesn't contain evidence against you) and has a different password. A GIANT! fail for the fool.

          But at least after reading all this, the others will know better. (Or not, as the case will be.)

          Why the hell did he need a USB to tell him what he'd been up to?

          And why was any reference to any crime clearly identifiable?

          What an absolute mutt!

          Why do we need draconian laws to deal with idiots like that?

      7. Matt Bryant Silver badge
        Boffin

        Re: Richard Barnes Re: The Golden Thread

        ".....his waxing lyrical over the Golden Thread that ran through British justice....." Yeah, well that are a lot of old laws that people used to wax lyrical over - like being able to beat your servant, employ children to clean chimneys and work down mines, or shoot Welshmen with a longbow if they enter Chester after midnight (oops! that one's still legal! http://news.bbc.co.uk/1/hi/wales/6204511.stm). Laws change and develop as the society we live in develops and faces new challenges.

        ".....The right to silence......" The Section 49 bit does not remove his right to silence, it merely allows him to be prosecuted for obstructing the Police investigation in a very narrow set of circumstances.

        "....The presumption of innocence and the fact that the burden of proof rests with the prosecution....." He was already found guilty of the terrorism charges which meant the Police were free to insist he decrypted the drive in the interest of protecting others. The fact it turned out to be related to a different crime (fraud( is neither here nor there as these twits were trying to use the stolen credit card numbers to fund their terror plans.

        "....The right not to be tried twice for the same offence...." Where does it say he was tried a second time for the same offence? First charge for terrorism, second for not answering a Section 49.

        1. I. Aproveofitspendingonspecificprojects

          Where does it say he was tried a second time for the same offence?

          I think he has just cause for claiming the police withheld evidence. But I very much doubt he can prove it.

          Maybe he can find a case where the experts that failed to crack the password managed to crack a similar one in times past?

          Or can claim they must have already known it?

          How much would it cost him to appeal?

        2. Aldous

          Shooting Welshmen with a longbow

          It may still be on the books but it is illegal as it is superseded by the murder laws. That is how English law works, there is no great rule book and that is it, but instead a great big rule book and a shed load of case law. Most of these old laws that people claim still exist are like this (London cabs and bails of hay etc), sure they were never repealed but they have been superseded by newer laws that cover the area

          English Law is all about the interpretation for example it is very hard to get someone convicted for stealing a car as to be classed as stealing you need to have stolen it with the aim of permanently depriving the rightful owner of their property. If you steal a car and joyride it, then dump it you have not permanently deprived them of it and therefore cannot be charged with theft. You can be charged with Taking Without Owners Consent (TWOC) which is why car thefts are charged as TWOC's and not theft.

      8. Scorchio!!

        Re: The Golden Thread

        "[...] terrorist attacks that killed, in this country, rather fewer than the number dying in road accidents in two weeks."

        Yes, I know what you mean, and didn't Uncle Jo Stalin himself say that you cannot make omelettes without cracking eggs? So yes, fuck those who might die of terrorism, let 'em die with the words of a fictional character from a TV legal soap echoing in their ears, never mind all of the plots that were thwarted. I'm right with you; "let freedom ring".

      9. Psyx

        Re: The Golden Thread

        "Pillars of justice that had stood for centuries were removed in the space of about 10 years between 1994 and 2004 after terrorist attacks that killed, in this country, rather fewer than the number dying in road accidents in two weeks."

        And yet, we'd suffered far more deaths from domestic terrorism in the twenty years prior to the cited period, without our rights being so smartly whisked away.

    5. No, I will not fix your computer

      Not "complying" is the crime, not the results of complying.

      It's the same as "failure to provide a breath test specimen", and I'm sure it's not coinicdence that the punishment happens to be the same as drink driving.

      >>That's all this is really, a law that says "if you don't give us evidence against you, it means you are guilty".

      Nope, the way the law is, is means "if you don't give us the means to easily gather evidence, it means you are guilty of not allowing us to easily gather evidence".

      Personally, I suspect that they wanted to firstly convict him of something easily provable (not supplying the key) which gives them time to build a subsequent case around what they have already found, this buys them lots of time.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not "complying" is the crime, not the results of complying.

        I struggle to see what is wrong with this law. This is just an extension of the law to take account of technology. Just as the court can issue a warrant to allow a search of premises for evidence, the same applies to encrypted information.

        In any event, in this case, I definitely can’t see what is wrong the defendant has already been convicted of terrorism offences.

        1. Bloakey1

          Re: Not "complying" is the crime, not the results of complying.

          "I struggle to see what is wrong with this law. This is just an extension of the law to take account of technology. Just as the court can issue a warrant to allow a search of premises for evidence, the same applies to encrypted information."

          <snip>

          Yes a court can issue a warrant. In this case we are obliged without any warrant and at the whim of an officer to allow access to private data. I would have no problems if due process took place and I was then legally obliged to supply a key or password. At the moment a bloke in a pub with a warrant card can do it.

          1. Anonymous Coward
            Stop

            Re: Not "complying" is the crime, not the results of complying.

            A section 49 request, which may then lead to prosecution under section 53 has to authorised in the same way as a search warrant.

            1. Vic

              Re: Not "complying" is the crime, not the results of complying.

              A section 49 request, which may then lead to prosecution under section 53 has to authorised in the same way as a search warrant.

              No, that's not true.

              A search warrant has to be authorised by a magistrate.

              A Section 49 notice may be issued by a number of people detailed in Schedule 2; each must have been granted permission to grant Section 49 notices by a member of the judiciary, but each individual notice does not require judicial oversight.

              IMO, this is way, way too lax...

              Vic.

              1. Anonymous Coward
                Anonymous Coward

                Re: @Vic Not "complying" is the crime, not the results of complying.

                A Section 49 notice may be issued by a number of people detailed in Schedule 2; each must have been granted permission to grant Section 49 notices by a member of the judiciary, but each individual notice does not require judicial oversight.

                IMO, this is way, way too lax...

                That isn't the way I read the law ......

                Schedule 2 (1)Subject to the following provisions of this Schedule, a person has the appropriate permission in relation to any protected information if, and only if, written permission for the giving of section 49 notices in relation to that information has been granted

                (a)in England and Wales, by a Circuit judge [or a District Judge (Magistrates' Courts)

                (b)in Scotland, by a sheriff; or

                (c)in Northern Ireland, by a county court judge.

                I would read this as a permission is given for a specific instance of a section 49 notice by variety of magistrates .......very much analogous to a search warrant.

              2. Arthur Dent

                Re: Not "complying" is the crime, not the results of complying.

                > > A section 49 request, which may then lead to prosecution under section 53 has to authorised in the same way as a search warrant.

                > >

                > No, that's not true.

                >

                > A search warrant has to be authorised by a magistrate.

                No, it doesn't. In England and Wales a police inspector (or any higher rank constable) can authorise a search in some circumstances (for example to find evidence which is at risk of being destroyed if the search is delayed), so not all searches require a warrant authorised by a magstrate (and this power is easily abused - - for example it's been know for the authorisatio to have been issued after the search took place because the inspector wasn't available fast enough; but I'm not sure whether the inspector's authorisation is even required by law, as opposed to by policy or regulation or guidance promulgated by ACPO or some such body). Certainly any police constable can conduct an unwarranted search of your car or your person without even authorisation from an inspector or higher oficer if he has "reasonable grounds for suspicion" that he will find items of certain tyoes, and if a serious violent incident has taken place he/she doesn't even have to have reasonable grounds.

                Of course it is completely different in Scotland - a vehicle or premises can't be searched without authorisation by a sheriff - although that may have changed in the last 21 months, I'm not up to date. (stratchclyde police were agitating for power to search without authorisation at the Aviemore SPF conference in 2012).

                1. Vic

                  Re: Not "complying" is the crime, not the results of complying.

                  In England and Wales a police inspector (or any higher rank constable) can authorise a search in some circumstances (for example to find evidence which is at risk of being destroyed if the search is delayed)

                  A magistrate is still required to authorise the warrant - but that authorisation may be retrospective.

                  I'm not sure what happens should the magistrate refuse to authorise said warrant - I'd have to look it up. I doubt it happens.

                  Vic.

          2. 's water music

            Re: Not "complying" is the crime, not the results of complying.

            > At the moment a bloke in a pub with a warrant card can [authorise a section 49 notice to reveal a password].

            AFAICT (and IANAL) in this context the section 49 notice would require authorisation under the Police Act 1977 part 3 which means a police commissioner or chief constable (or deputies) so not quite as open to abuse as you suggest though far from judicial oversight (which is available as an alternative authorisation for a section 49 notice)

            1. Bloakey1

              Re: Not "complying" is the crime, not the results of complying.

              "AFAICT (and IANAL) in this context the section 49 notice would require authorisation under the Police Act 1977 part 3 which means a police commissioner or chief constable (or deputies) so not quite as open to abuse as you suggest though far from judicial oversight (which is available as an alternative authorisation for a section 49 notice)"

              The person who ordered me to give up my password did it so at the moment he discovered the hard drive and no judge or other appointed person was consulted. I was informed of act and section and told I had to comply. This was however at an airport and different laws apply once security has been passed or prior to egress beyond security.

              When I gave him the password to the hardware encryption side of things I did so in the knowledge that the PGP'd data was all that was on there. This example of the her majesty's finest was very miffed when I gave him the password and damn near apoplectic when I started calling him a lid ;)

              1. Arthur Dent

                Re: Not "complying" is the crime, not the results of complying.

                > "AFAICT (and IANAL) in this context the section 49 notice would require authorisation under the Police Act 1977 part 3 which means a police commissioner or chief constable (or deputies) so not quite as open to abuse as you suggest though far from judicial oversight (which is available as an alternative authorisation for a section 49 notice)"

                Judicial authorisation is (or was in the 2000 act) only available when the material for which plain text or a key is required was obtained through an action undertaken with judicial authorisation. The Chief or Assistant rule only applies when the material was obtained under section 3 of the police act 1997 (which I imagine is the act you intended to reference), which also has a or section 44 of the terrorism act 2000. As a decryption key was needed in this case, the ability to deputise to lower levels would not apply (if provision of the plain text had been acceptable, someone could do it with delegated authority - and chiefs can designate a rank any of whose holders count as delegated in the event that the main authorities are unavailable; in the police that rank could be as low as superintendant, and usually was superintendant back in the days when the original code of practise was in force - but I imagine that it has changed a bit in the last 13 years.

        2. Anonymous Coward
          Anonymous Coward

          Re: Not "complying" is the crime, not the results of complying.

          You should hope that one day the police don't raid your house and find a 10 year old USB drive with an old truecrypt test container on it for which you can't remember the password.

          If this ever happens you will go to prison with all the other 'terrorists'.

          1. Anonymous Coward
            Anonymous Coward

            Re: Not "complying" is the crime, not the results of complying. @AC 17:46

            "You should hope that one day the police don't raid your house and find a 10 year old USB drive with an old truecrypt test container on it for which you can't remember the password.

            If this ever happens you will go to prison with all the other 'terrorists'."

            The "You should hope it never happens to you" is a typical response to someone who supports this kind of law. Wrong. BongoJoe simply stated why the guy was done; he didn't state support for it and it seems quite clear to me he doesn't.

            1. Anonymous Coward
              Anonymous Coward

              Re: Not "complying" is the crime, not the results of complying. @AC 17:46

              "Wrong. BongoJoe simply stated why the guy was done; he didn't state support for it and it seems quite clear to me he doesn't."

              Correction - the post I was referring to was by "No, I will not fix your computer", 14:26.

          2. Jim 59

            Re: Not "complying" is the crime, not the results of complying.

            You should hope that one day the police don't raid your house and find a 10 year old USB drive with an old truecrypt test container on it for which you can't remember the password.

            If this ever happens you will go to prison with all the other 'terrorists'.

            Only if the cops suspect you are concealing credible plans about mass murder etc. Simply having a TC container is not evidence of this.

        3. Steve Brooks

          Re: Not "complying" is the crime, not the results of complying.

          Actually no, the equivalent would be, "you must tell us where you hid the evidence." What this lets them do is to jail you whether they have evidence or not, simply because you refused to tell them where you hid the evidence, but more importantly, it lets them jail you whether or not any evidence actually exists. This not only saves them the bother of finding evidence, it also saves them the bother of finding criminals, since everybody can be presumed guilty simply by asking the question.

        4. Ben Norris

          Re: Not "complying" is the crime, not the results of complying.

          What is wrong with this law is that if you happen to have an encrypted file which you genuinely can't remember or never knew the password of, you can be sent to jail. This is completely against the presumption of innocence.

          The reason why you should see something wrong with this is that YOU have a number of files where that is the case on your computer right now.

          1. Chemist

            Re: Not "complying" is the crime, not the results of complying.

            I've got lots of files on all my computers that are NOT encrypted but are pure binary and for which I potentially have no idea what program other than a hex editor can read them. Some of them might be ( they are not BTW ) encrypted files that have been obfuscated by various means and would just look like pure binary until de-obfuscated.

            Much of the scientific software I use generates (HUGE) pure text files as output but some does indeed generate (HUGE) binary files without any headers to indicate what they are if the filename is changed.

            1. Duke2010

              Re: Not "complying" is the crime, not the results of complying.

              You are going straight to jail then pal, sorry.

          2. cortland

            Re: Not "complying" is the crime, not the results of complying.

            It has been possible to deliberately erase memories for some time. See for example

            http://www.wired.com/magazine/2012/02/ff_forgettingpill/

            excerpt:

            If new proteins couldn’t be created during the act of remembering, then the original memory ceased to exist. The erasure was also exceedingly specific. The rats could still learn new associations, and they remained scared of other sounds associated with a shock but that hadn’t been played during the protein block. They forgot only what they’d been forced to remember while under the influence of the protein inhibitor.

          3. Matt Bryant Silver badge
            FAIL

            Re: Ben Norris Re: Not "complying" is the crime, not the results of complying.

            "What is wrong with this law is that if you happen to have an encrypted file which you genuinely can't remember or never knew the password of, you can be sent to jail....." IF you are arrested in conjunction with a very narrow list of crimes, so Joe Public losing his password has nothing to fear. Just paedophiles, drug dealers, people smugglers and terrorists. Oh, and sheeple.

        5. Duke2010

          Re: Not "complying" is the crime, not the results of complying.

          Taking what you said into account what if you said you forgot the key? Then it cant count as you stopping the gathering of evidence? If you dont know it you dont know it. Same as if you don't remember what someone looked like at the scene of a crime. Its impossible to prove you don't know the key.

    6. Tom 13

      Re: how it can be legal to try and force someone to talk.

      Legal is easy, you pass a law saying so, provided you don't have some higher framework law that prohibits said law. Fairness is a whole other issue.

      That being said, even in places where you have those protections prior to conviction, once you've been convicted you tend to lose most of those rights. In the US which does have a higher thresholds against a number of these invasions, a paroled prisoner is subject to search by any law enforcement officer without the requirement that a warrant by issued. Similarly free movement is also restricted as is free association (hangout with other previously convicted felons will earn you a quick trip back to the pen).

      Given the terror conviction, it seems reasonable that he lost the right to protect the data on the drive.

    7. Turtle

      "Self-Incrimination"

      "I still don't get how it can be legal to try and force someone to talk. That's all this is really, a law that says if you don't give us evidence against you, it means you are guilty'."

      There is a "right to silence" in some jurisdictions, and the "right to refuse to answer questions" in others but the right to refuse to give testimony against oneself extends only to oral testimony.

      He may not be compelled to give testimony against himself but a refusal to give the password is obstruction of justice, obstruction of a police investigation, and concealment of evidence; the right to silence does not shield one from sanctions in such cases. (I don't know that these are specific charges in the UK but that's the underlying intent.) The password he was required to give is, in itself, not evidence against himself, even though that password unlocked a device that did contain evidence against him. Additionally, as he had already been convicted of a serious crime, there was probable cause to think that the USB stick held information bearing on the crime and its attendant circumstances and therefore the police and investigating authorities have a right to demand access.

      As he had already been convicted of a crime, the right not to incriminate oneself becomes moot: as he is no longer capable of incriminating himself as he has been found guilty. Moreover, concealing facts and "refusing to talk" after conviction is still (as ever) frowned upon to the extent that longer sentences can be imposed by the court, or parole denied later on.

      It is possible that the possession of the password becomes evidence against him after he gives it up and the device is thereupon found to contain evidence but again, concealment of evidence is taken more seriously and the right to silence does not protect the concealer.

      (Somewhat analogous are court decisions in the US stating that income must be declared even if the result of criminality and a failure to declare such income renders one liable for imprisonment for income tax evasion. The specific objection that being compelled to declare income from criminal activity is self-incriminatory has been specifically rejected, see http://evans-legal.com/dan/tpfaq.html#5th although tax cases are generally civil cases.)

      1. intrigid

        Re: "Self-Incrimination"

        Your entire argument is a disaster.

        "The password he was required to give is, in itself, not evidence against himself"

        First of all, what if his password was "I_confess_to_the_crimes_of_xyz"? Wouldn't the requirement for him to give up his password be in direct conflict with his right not to incriminate himself? Please don't say "Well, he would be stupid to do that" because fundamental rights belong to everyone, not just the intelligent.

        Secondly, other than name, date of birth, and address, ANY AND ALL information that you give to the police is potentially incriminating. The police can demand to know what your favorite color is, and you are STILL protected from having to tell them this. That's because police can, and do, twist anything you say to make you appear as guilty as possible.

        That is why nobody can ever be "required" to give "innocent" information to the police.

        "Additionally, as he had already been convicted of a serious crime, there was probable cause "

        No. Wrong. A criminal record NEVER constitutes probable cause. If it did, the police would be entitled to search his car, search his home, etc etc, every day for the rest of his life.

        "As he had already been convicted of a crime, the right not to incriminate oneself becomes moot: as he is no longer capable of incriminating himself as he has been found guilty. "

        It pains me to have to explain how wrong you are on this. NO, A CRIMINAL RECORD DOES NOT REVOKE YOUR RIGHT NOT TO INCRIMINATE YOURSELF IN FUTURE CRIMES. THAT I NEED TO EXPLAIN THIS TO YOU IS DEEPLY DISTURBING.

        "but again, concealment of evidence is taken more seriously and the right to silence does not protect the concealer."

        You are just 100 percent dead wrong. Nobody on this planet is legally required to provide evidence that might be used against them. This is so basic it almost gives me a headache.

        "(Somewhat analogous are court decisions in the US stating that income must be declared even if the result of criminality and a failure to declare such income renders one liable for imprisonment for income tax evasion."

        And there's a very good argument to be made, a slam-dunk case even, that the laws in the tax code are unconstitutional. The only reason the IRS can get away with this is because filing an income tax return is officially declared a voluntary act, not compulsory. However, the law states that you MUST volunteer to submit your 100% completely non-compulsory income tax return. If you fail to volunteer, you're guilty of tax evasion.

        Pointing to the Internal Revenue Service as a role model of legality is ridiculous.

        1. Turtle

          Re: "Self-Incrimination"

          "'The password he was required to give is, in itself, not evidence against himself'

          First of all, what if his password was "I_confess_to_the_crimes_of_xyz"? Wouldn't the requirement for him to give up his password be in direct conflict with his right not to incriminate himself? Please don't say "Well, he would be stupid to do that" because fundamental rights belong to everyone, not just the intelligent.

          Secondly, other than name, date of birth, and address, ANY AND ALL information that you give to the police is potentially incriminating. The police can demand to know what your favorite color is, and you are STILL protected from having to tell them this. That's because police can, and do, twist anything you say to make you appear as guilty as possible.That is why nobody can ever be "required" to give "innocent" information to the police."

          We are talking about a person who was ordered by a court to divulge a password. It doesn't matter what the password is. If the court feels that there is sufficient reason to discover the contents of the USB stick, they permitted by law to order the (in this case) convicted defendant to do so. This is not the same as the police, on their own, asking or requiring him to do so; what information one is and is not required to give to the police is not at issue here: we are discussing court orders.

          "Additionally, as he had already been convicted of a serious crime, there was probable cause "

          No. Wrong. A criminal record NEVER constitutes probable cause. If it did, the police would be entitled to search his car, search his home, etc etc, every day for the rest of his life.

          The USB stick was found during the course of the original investigation. There was every reason to think that the encrypted USB stick held evidence germane to the investigation - and that's what a judge decided, as per his prerogative by law. (Bear in mind that the investigating authority has the right - and the duty - to investigate all other crimes uncovered by the original investigation.) However, while his conviction might serve as a probable cause to order the decryption of the USB drive, it does not necessarily serve as probable cause for everything that any law enforcement agency might ever want to do. So your objection has nothing to do with the case at hand. (As for the right to search a someone's premises in the future because of a criminal conviction, I am pretty sure that parole officers have the authority a part of their duty to supervise parolees to search (or at least inspect) the parolee's living quarters. I'm not really sure though. It is possible that they have to agree to this as a condition of being paroled.)

          "As he had already been convicted of a crime, the right not to incriminate oneself becomes moot: as he is no longer capable of incriminating himself as he has been found guilty. "

          It pains me to have to explain how wrong you are on this. NO, A CRIMINAL RECORD DOES NOT REVOKE YOUR RIGHT NOT TO INCRIMINATE YOURSELF IN FUTURE CRIMES. THAT I NEED TO EXPLAIN THIS TO YOU IS DEEPLY DISTURBING.

          A person's testimony can not incriminate them for a crime after they have been convicted of that crime. Nor can he refuse to hand over evidence because of danger of incriminating himself in future crimes - the right against self-incrimination applies only to testimony and does not extend to concealing any other kind of evidence. And that is the issue here: the usb key and its contents are not testimony; they are evidence.

          "but again, concealment of evidence is taken more seriously and the right to silence does not protect the concealer."

          You are just 100 percent dead wrong. Nobody on this planet is legally required to provide evidence that might be used against them. This is so basic it almost gives me a headache.

          Well this guy we're discussing was required to do so. So it's not easy to know where you get the idea that he (or other people in other jurisdictions) can't be required to do so. And see that page I cited above, http://en.wikipedia.org/wiki/Key_disclosure_law where you can learn that there are many jurisdictions where a defendant or person of interest can be compelled to surrender encryption keys (or other kinds of evidence. You do know, I hope, that, for example, concealing evidence, destroying evidence, contaminating evidence, altering evidence, refusing to produce evidence when ordered to do so, and whatever else, is the basis of charges such a perverting the course of justice, impeding an official investigation, contempt of court, and so forth.)

          Although you did not feel like citing it, I said that there is a right to silence and a right to refuse to talk - neither of which is absolute, by the way. What you need to is show that the right against self-incrimination extends to refusing to provide evidence when ordered to do so by a judge, and that you are allowed to do anything other than remain silent. What you have failed to grasp is that, while all testimony is evidence, not all evidence is testimony.

          And there's a very good argument to be made, a slam-dunk case even, that the laws in the tax code are unconstitutional. The only reason the IRS can get away with this is because filing an income tax return is officially declared a voluntary act, not compulsory. However, the law states that you MUST volunteer to submit your 100% completely non-compulsory income tax return. If you fail to volunteer, you're guilty of tax evasion.

          Pointing to the Internal Revenue Service as a role model of legality is ridiculous.

          Why? Because it's inconvenient for you? Or because your lack of knowledge of the way the law works made you susceptible to all that tax-protestor rhetoric?

          The page I cited in the last section of my post is http://evans-legal.com/dan/tpfaq.html#5th and it consists almost solely of legal cases and court decisions. And they cover your misconception that income tax is somehow voluntary. We have "voluntary assessment" as opposed to "distraint". It has nothing to do with the income tax being voluntary.

          Here's what Wikipedia has to say on http://en.wikipedia.org/wiki/Tax_protester_statutory_arguments#The_.22income_taxes_are_voluntary.22_argument : The quoted language from Flora refers to the Federal income tax: "Our system of taxation is based upon voluntary assessment and payment, not upon distraint." The key words are "voluntary" and "distraint." Like many legal terms, "voluntary" has more than one legal meaning. In the context of the quoted sentence, the income tax is voluntary in that the person bearing the economic burden of the tax is the one required to compute (assess) the amount of tax and file the related tax return. In this sense, a state sales tax is not a voluntary tax - i.e., the purchaser of the product does not compute the tax or file the related tax return. The store at which he or she bought the product computes the sales tax, charges the customer, collects the tax from him at the time of sale, prepares and files a monthly or quarterly sales tax return and remits the money to the taxing authority.

          The real problem here is that you don't understand what the "right against self-incrimination" is, or what its limitations are.

          And here is the real difference between your post and mine. This guy (and others too, in various jurisdictions around the world) was ordered to give up his key, he refused, and was tried, convicted, and sentenced for it. A person reading my post will have some understanding of why that happened. A person reading your post won't have a clue.

          1. Anonymous Coward
            Anonymous Coward

            Re: "Self-Incrimination"

            You claim "he refused"; the story says "he was unable to remember the password". Perhaps the court had a good reason not to believe that, but I'd like to know what that reason is. I have loads of encrypted data for which I no longer have the password. Would a court believe me? (Perhaps it would; I'm white!)

        2. Tom 13

          Re: what if his password was

          Wow talk about desperate attempts to go for a straw man. No, no, no, and no. A password is just a password not a confession.

          other than name, date of birth, and address

          You seem to be suffering from some perverted combination of POW and law frameworks. The rules don't work that way. The place where thugs usually fall down is that once you speak on any of it, you are required to be truthful and answer all subsequent inquiries. You may be able to temporarily suspend an investigation by pleading the 5th, but once on the stand it's the 5th or everything.

          A criminal record NEVER constitutes probable cause.

          No, you're the one who has this wrong. Once convicted the police, the prison warden, even the guard can search [your] car, search []your] home, etc etc, every day for the rest of [the term of your conviction].

          No, you are the one who is wrong. Once you have been convicted you lose almost all civil protection until the term of your conviction is expired.

          Nobody on this planet is legally required to provide evidence...

          No, YOU are dead wrong. You are not required to testify against yourself. You can be compelled to produce evidence. That's the whole point of a search warrant: it forces you to produce evidence against yourself. This is so basic it actually gives me a headache.

          The only reason the IRS can get away with this is because filing an income tax return is officially declared a voluntary act, not compulsory.

          The code I comply with reads:

          Sec. 6012. Persons required to make returns of income

          TITLE 26, Subtitle F, CHAPTER 61, Subchapter A, PART II, Subpart B, Sec. 6012.

          STATUTE

          (a) General rule

          Returns with respect to income taxes under subtitle A shall be made by the following:

          (1) (A) Every individual having for the taxable year gross income which equals or exceeds the exemption amount, except that a return shall not be required of an individual -

          http://www.fourmilab.ch/uscode/26usc/www/t26-F-61-A-II-B-6012.html

          That sounds pretty mandatory to me.

          Or perhaps you'll find this bit more convincing:

          What if you fail to file?

          The IRS may file what is known as a substitute return for you. However, as you well know, the IRS will not be looking to save you any money. In fact, a substitute return will not include any of the standard deductions your accountant would typically include in your return. Case in point, a substitute return only allows one exemption: single or married filing separate, so you end up with higher tax liability than if you would have just filed.

          http://www.legalzoom.com/taxes/personal-taxes/what-are-penalties

          You really need to stop hanging out with Truthers, Birthers, and Birchers. It rots the brain.

          1. Vic

            Re: what if his password was

            > Once you have been convicted you lose almost all civil protection until the term of your conviction is expired.

            That rather depends on which jurisdiction you're in...

            Vic.

    8. Scorchio!!

      The appropriate venue to contest laws is in the legislature, not the executive.

  3. Christoph

    Of course our wonderful honourable police would never dream of trying the same password, finding it worked, finding that the resulting data wasn't any use, then claiming that they couldn't crack it so they could pile another conviction on.

    1. Sir Runcible Spoon

      That's a good point - if they already had the password (just not used it) then how can they convict him of not giving it to them?

      Plotting to blow up the TA deserves jail-time, but let's make it based on something that doesn't call into question the relationship between the police and the people.

      1. lurker

        If you read the article carefully, it doesn't say that it's the same password used elsewhere, just that it is based on the same phrase (from the Koran) on which other passwords were based.

        1. Tom 13

          Re: If you read the article carefully

          Doesn't really matter. If you've tried the phrase and it didn't work, running permutations on other phrases he's used should be at the top of your "why don't we try this" list. I might not be able to work through the myriad of ways I might mangle 'Terroristjailedforrefusing" by hand, but a code breaker certainly should, especially when I'm likely using simple substitution encryption on the phrase.

  4. dogged

    I'm just shocked that an anti-terrorist law was actually used against an actual terrorist.

    That must be a first.

    1. JP19

      "I'm just shocked that an anti-terrorist law was actually used against an actual terrorist."

      "to use a remote-control toy car to plant a homemade bomb at the TA centre"

      Actual terrorist or bumbling fool that got his ideas from watching movies and

      "were arrested before any preparations for an attack were put together"

      hadn't actually done anything?

      I would say the chances of them implementing this cunning plan were slim, the chances of it working slim again, and the chances of it doing significant harm or damage if it worked at all also slim.

      Forgive me for not feeling terrorised.

      1. Anonymous Coward
        Anonymous Coward

        "hadn't actually done anything?"

        In the good old days I'm sure the intelligence services would have let them see just how far they could get with the scheme. If there's a chance of someone blowing themselves up, getting them to do the feasibility study might make sense.

  5. PaulyV

    I don't understand.

    Is a random 12 letter password effectively uncrackable or not?

    Surely this would be crackable with some work or is everything (admittedly little) I understand about what security services have at their disposal incorrect?

    1. I. Aproveofitspendingonspecificprojects

      Simple substitution

      The original Bletchley Park hackers were working on a simple substitution scheme a lifetime ago -in precomputer days, and cracking them. And they weren't just working on a 12 character word. The machine they were trying to crack was capable of changinging each character 26(?) x 3^n ways every time the key was used. And that was just the three wheels, not including the cross-wiring permutations nor including the 4 wheeled machines used later.

      The data the codebreakers worked on was recieved over the air by young women not told what they were doing nor how important it was that what they wrote down had to be spelled correctly; writing direct radio transcripts, not recorded. And the quesrtion mark bracketed is because they were doing it in a foreign language. (and I am not sure how many letters there were to a wheel.)

      It is preposterous that the Germans only used German letters. Fortunately they did (I am presuming it was possible to frame other letters in morse?) and also fortunately they only used one frequency, did not record and speed up their messages and the interceptors could identify the hand the morse was sent in and tended to send their messages at predictable times.)

      1. Jim 59

        Re: Simple substitution

        Aproveofitspendingonspecificprojects

        is a bot.

  6. ratfox

    Priorities?

    Maybe GCHQ has better things to do than looking into proof against a guy who is already serving time? Though you could argue that this is could have been info allowing to find other terrorists…

  7. You have not yet created a handle
    Thumb Up

    Yep, happy with that

    It would take a desktop PC about 157 billion years to crack your password

    1. Anonymous Coward
      Anonymous Coward

      Re: Yep, happy with that

      That and variants of it are in the rainbow tables!

      FFS!

      Most other wierd things are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yep, happy with that

        "That and variants of it are in the rainbow tables! FFS!"

        Rainbow tables? Meh! I'll see your rainbow tables and raise you a little random salt. Oh, you don't have tables for every possible salted hash? That's a pity ;)

    2. Andus McCoatover
      Windows

      Re: Yep, happy with that

      It would take a desktop PC about 157 billion years to crack your password

      Whooo Hooo, Guys! Somebody's still running Vista!!!!

      YAAAAAAYYY!!!

  8. Anonymous Coward
    Anonymous Coward

    This was a USB stick not a BBC stick !

    Well no wonder they did not succeed... they did not try to retrieve the information from the USB stick they tried to "receiver it" (I quote: "...attempts to receiver the information the device contained....").

    I may not be on top of the latest technologies but USB sticks usually don't broadcast their contents.... and you could spend a long time trying to receive anything meaningful from them :-)

    1. Primus Secundus Tertius

      Re: This was a USB stick not a BBC stick !

      According to recent news, the NSA did exactly that with bits and pieces attached to non-networked computers. At a range of up to 8 miles - pretty good, huh?

  9. Patrick R
    Pirate

    "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran

    He plaid with the Koran.... let him burn in hell.

    1. Anonymous Coward
      Coat

      Re: "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran

      "He plaid with the Koran"

      Obviously he's a satin-ist.

      1. Anonymous Coward
        Anonymous Coward

        Re: "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran

        Or a dyslexic scot - "He plaid with his sporan"

        1. John 110

          Re: "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran

          I think there are 2 "R" in sporran.

    2. Jonathan Richards 1
      Coat

      plaid with the Koran

      Tartan around, possibly. Could have got somebody kilt.

    3. Bloakey1
      Happy

      Re: "$ur4ht4ub4h8", a play on words relating to a chapter of the Koran

      "He plaid with the Koran.... let him burn in hell."

      Let him go to the battlefield and be kilt <sic>.

      Ooops, sorry J. you beat me to it.

  10. The Axe

    Confused

    So he told the police what the password was and he still got jailed for refusing to tell them. I'm confused.

    1. Anonymous Coward
      Anonymous Coward

      Re: Confused

      He had refused to tell them, at that point the offence had been committed. You normally can't rob a bank be caught then be let off if you give the money back.

      I was trying to think of an anology using as an example the thieving [very long string of extremely strong expletives] MPs who fiddled their expenses but they didn't even give anything back.

      My personal opinion is that GCHQ could have cracked it but it wasn't necessary as the police probably did try the previous password and just wanted to increase their performance figures with another conviction.

      1. Julian Taylor

        Re: Confused

        Probably don't want you to know that they *can* crack BitCoin algos now that the NSA have given them lots and lots of their hand-me-downs.

        1. I. Aproveofitspendingonspecificprojects

          I'm Confused

          Are you an American or are you being sarcastic?

          Or were you referring to Lord Snowden?

  11. nsld

    Seems odd

    That as he had already given up the same password that he should be prosecuted again.

    It seems more of a case that our high tech plod are less than competent as this would be one of the first things you would try when presented with an item from the same source given how many people use the same password.

    Its also a monumental waste of taxpayers money to bring this prosecution when it stems from the incompetence of the plod in the first place, after all it may have contained more critical information and no one thought to try a known password?

    1. Anonymous Coward
      Anonymous Coward

      Re: Seems odd

      "Seems odd

      That as he had already given up the same password that he should be prosecuted again."

      The refusal itself is a new, separate crime under RIPA. Your point about trying passwords you know he used is spot on, but refusing to give a password up when demanded is automatically 5 years, if I recall correctly from when it first came out. Don't know what happens if, say, they ask you for a device's password, that you've given them some months before but lost or whatever and you genuinely have forgotten. They'd probably have you for that too.

      1. Anonymous Coward
        Anonymous Coward

        Re: Seems odd

        but they didn't try him for not giving up the password until he suddenly remembered it.

        the take-away from this tale is, if you ever are asked for your passwords, and you've "forgotten" them, make sure you don't ever suddenly remember what they were

        easier, don't use passwords, just write everything in pig-latin. that'll fox 'em

        1. Tom 7

          Re: Seems odd

          Are muslims allowed pig-latin?

  12. JimmyPage Silver badge

    Once more proof

    that we have to rely on the baddies being marginally more stupid that the people tasked with catching them.

    He should have used a TrueCrypt style encrypted container. Police unlock device, unaware there's a hidden file within.

    As a matter of interest, since terrorists work in cells, what would the situation be if the password was broken into pieces and shared out with no single terrorist knowing the whole? If the police catch one, and he gives them *his* piece, but they can't decrypt because they haven't caught the others (or have killed them in apprehension) would he still be liable under RIPA ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Once more proof

      The Terrorists would then have to all be in the same room to decrypt the file. Why not just talk the guy next to you through it?

    2. John G Imrie

      would he still be liable under RIPA

      Yes. If it's encrypted and you have it you are deemed to know the password.

    3. Anonymous Coward
      Anonymous Coward

      Re: Once more proof

      It seems that there is a new attack against Truecrypt.

      http://it.slashdot.org/story/14/01/15/2214249/truecrypt-master-key-extraction-and-volume-identification

      Since the police had physical access to the device it would appear that this makes all such devices vulnerable.

      1. TS

        Re: Once more proof

        "It seems that there is a new attack against Truecrypt."

        This is not a new attack, just a new tool to make it easier to find what was always there.

        "Since the police had physical access to the device it would appear that this makes all such devices vulnerable."

        Access to the USB device itself isn't enough. The keys and file location information is cached in memory on the computer that the USB device was plugged into. It's possible they have the computer, but if it was powered down, then the chances of recovering the keys are low.

  13. lnLog

    IronKey

    brute force does not work against IronKeys; they just wipe their contents or self destruct.

    1. Yet Another Anonymous coward Silver badge

      Re: IronKey

      But calling up Ironkey and asking for the backdoor password does

  14. ukgnome
    Trollface

    That's why my passwords are 123ABC!"£

    No one will ever crack them!

    1. Anonymous Coward
      Anonymous Coward

      That's why my passwords are 123ABC!"£

      No one will ever crack them

      Probably safe from the NSA as they won't have a "£" key!

    2. Anonymous Coward
      Anonymous Coward

      and all my passwords are themselves encrypted strings... and just to be sure, they're encrypted twice.

      What do you mean, "rot13 isn't encryption"???

      1. VinceH

        Always use double-ROT13, just to be sure.

    3. Bloakey1

      I had an incident where a password on a hardware encrypted drive was set to "gofsckyourselfmate" . I travel frequently and was pulled up and asked the key. I told them the key and they got mighty batey and threatened me with all sorts of punishment. the matter was eventually cleared with red faces at their end. Sadly all the data on the drive was encrypted again and I had no idea what the passwords were.

      Probable cause innit.

      1. Yet Another Anonymous coward Silver badge

        re: gofsckyourselfmate

        That's why the same law was ruled unconstitutional in the US

        If you had a password of "IwantToKillThePresident" then revealing the password would be self-incrimination.

        But they have a constitution and a supreme court and all sorts of weird stuff in the Land of the Free.

        1. Anonymous Coward
          Anonymous Coward

          Re: re: gofsckyourselfmate

          I don't get that. You just posted that. So are you not incriminated? How does a password cause incrimination, but a post not?

          If it was that easy, everyone would change their name to "I did it", then would never be able to answer any question from the police. Because giving their name would be incrimination!?

    4. Anonymous Coward
      Anonymous Coward

      You could also try..

      "Accountability"

      cos that word certainly isn't in any of their dictionaries.

  15. sugerbear

    GCHQ isn't the problem

    It doesn't matter if GCHQ can or cannot brute force the password. (maybe they have already and dont want to alert anyone to whatever is contained within it).

    It matters only that the person charged has refused to disclose the password.

    That is how the law is framed.

    1. P. Lee

      Re: GCHQ isn't the problem

      >It matters only that the person charged has refused to disclose the password.

      >That is how the law is framed.

      Indeed. Though the absurdity shows when you claim that someone is impeding an investigation by not helping you decrypt stuff, when you don't know what the stuff is. In this case, it had nothing to do with terrorism.

      No doubt it will still be chalked up under, "terrorist convictions" though.

      It would be interesting to know if the "I can't remember" defense would stand up if you had 50-odd usb keys.

      I'm pretty sure I have a few USB keys lying around with encrypted contents. I was playing with them for a while and don't remember what the passphrases might be. I wonder if I deleted encrypted files on a FAT drive, if I would still be liable to provide passwords.

      Its a bad law. Sometimes you have to accept that people will get away with crime. It's the price of a free society.

      1. Anonymous Coward
        Anonymous Coward

        Re: GCHQ isn't the problem

        If only we still had a free society eh?

      2. peter 45

        Re: GCHQ isn't the problem

        " don't remember what the passphrases are"

        So you are guilty of a criminal act.....you just haven't been charged for it yet.

        That is how this law works, right?

      3. Bloakey1

        Re: GCHQ isn't the problem

        <snip>

        "Its a bad law. Sometimes you have to accept that people will get away with crime. It's the price of a free society."

        When those that are ostensibly free have to pay a price for aforesaid freedom then they are no longer free.

  16. Destroy All Monsters Silver badge
    Holmes

    The suspects were arrested before any preparations for an attack were put together.

    Frankly, is this another "incite idiots to talk stupid, then arrest them under terrorist offences" kinda shit blue forces are pulling all over nowadays?

    Also, should have used Truecrypt with hidden vaults.

    1. Anonymous Coward
      Anonymous Coward

      Nope

      Frankly, is this another "incite idiots to talk stupid, then arrest them under terrorist offences" kinda shit blue forces are pulling all over nowadays?

      No. This looks more like an arrest of terrorists having been tracked the Security Services.

      The men were arrested following a series of raids at their homes in April last year after an intelligence-led joint operation by the Metropolitan police counter-terrorism command and the security service.

      Looks to me like an example of exactly what the Security Services should be doing.

    2. Yet Another Anonymous coward Silver badge

      >is this another "incite idiots to talk stupid, then arrest them under terrorist offences"

      After the pub you don't want to say "EEh I could murder an Indian" if you don't want to become a terrorist suspect

  17. amanfromMars 1 Silver badge

    If loose lips, sink ships ...... keeping schtum is sound official government advice and smart policy

    Is there not a right in the UK to remain silent ..... "You do not have to say anything, but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence." ..... or is that a fiction and for real only in films and television and media?

    And whereas it may be the case that others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area, John, others would counter and posit that probably GCHQ made a strategic decision not to expose its weaknesses in areas and arenas in which they might be presumed/assumed or assume and presume themselves to be in the lead and in charge/command and control.

    1. Clive Galway

      Re: If loose lips, sink ships ......

      The laws on revealing passwords when requested by the police waive your right to silence in that matter, that is the whole point of them.

      IANAL, but AFAIK it is the only law where you are legally required to incriminate yourself.

      1. rh587

        Re: If loose lips, sink ships ......

        "IANAL, but AFAIK it is the only law where you are legally required to incriminate yourself."

        Try telling the Police that you can't remember which named driver was in control of the car when it got flashed by a speed trap and see how far you get.

    2. rh587

      Re: If loose lips, sink ships ......

      "Is there not a right in the UK to remain silent ..... "You do not have to say anything, but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence." ..... or is that a fiction and for real only in films and television and media?"

      It's pretty meaningless today, the jury are no longer instructed to infer nothing from a refusal to answer questions in the dock. They can make whatever assumptions they like if you refuse to answer an incriminating question.

      A non-RIPA example would be closing the loophole with speed cameras - if you "can't remember" who was driving when the car got flashed then it will be assumed to be the registered keeper and they will get the fine and points. This is despite the fact the Police usually cannot provide a frontal shot of the car clearly showing the driver's face thus proving their guilt.

      1. Yet Another Anonymous coward Silver badge

        Re: If loose lips, sink ships ......

        > if you "can't remember" who was driving when the car got flashed

        Unless you are a chief constable, then you can claim that all records of who was driving have been destroyed - and get off

  18. Clive Galway

    Password != Pass Phrase

    Curiously the password "turned out to be the same phrase from the Koran that Hussain had used before on other devices”

    "Why didn't authorities try the same password on the 3rd USB device, which NTAC had found for first 2 USB devices?"

    Clearly he used the same phrase, but transcribed differently (eg Sur4ht4ub4h8 instead of $ur4ht4ub4h8)

  19. Clive Galway
    FAIL

    Stupid that people are still getting caught out on this one.

    Why oh why do these morons not use a hidden volume? Just put some mildly interesting files (porn being the obvious choice, or naked pics of the wife) inside the outer volume, and all the really naughty stuff inside the inner hidden volume.

    Voila, instant plausible deniability.

    Do terrorist training schools have an equivalent to OFSTED? Anyone got the address of the complaints dept?

    1. Luke McCarthy

      Re: Stupid that people are still getting caught out on this one.

      Surely they could just ask for the password for the hidden volume (even though there is no proof of its existence), therefore the same law comes in to effect?

      1. Anonymous Coward
        Anonymous Coward

        Re: Luke

        They would have to know there is a hidden volume. Hopefully for when it matters they do. However, it raises a problem if they do not (for both convicting true criminals through such evidence, and proving innocent those who don't have any hidden evidence... as you cannot prove such a negative).

    2. Vociferous

      Re: Stupid that people are still getting caught out on this one.

      Oh thanks you've just blown my super-secret concealment strategy!

    3. Chris 201

      Re: Stupid that people are still getting caught out on this one.

      But they never found any terrorism-related information so perhaps he did have a hidden volume....

  20. Velv
    Big Brother

    This law worries me.

    In the past I've had to wipe a USB stick because I couldn't remember the password I'd set. All content gone.

    I don't believe I have anything to hide from the authorities, however I bet if you were to take every USB stick out my house there'd be at least one old hardly used one that I couldn't get back into. I keep backups in multiple places so I wouldn't lose anything by not being able to access an old stick, but I couldn't prove there was nothing else on it.

  21. Anonymous Coward
    Anonymous Coward

    brimstone

    Some of you downvoted Patrick R's comment "he played with the Koran let him burn in hell".

    What you PC chaps don't understand is that altering the Koran or disrespecting it, is punishable by burning in hell.

    But this case seems totally correct that he goes to prison for not divulging the password.

    He's already involved in playing with bombs - I hope he does burn in hell.

  22. JimmyPage Silver badge
    Boffin

    and another thing ...

    How do they tell the difference between encrypted data, and a capture of a few seconds pink noise from a quiet part of the FM spectrum ?

    1. Peter Gathercole Silver badge

      Re: and another thing ...

      That's a very interesting question that I've wanted answering for a while.

      If a file is of a format that the investigating authorities don't recognise, how do you prove to their satisfaction that it is not some new form of encryption that they don't know about?

      Suspect: "Officer, I was investigating patterns in files of captured entropy data for use in random number generators"

      Police: "Don't believe you, sonny. Tell us how to decrypt it, or go to jail!"

      1. Yet Another Anonymous coward Silver badge

        Re: and another thing ...

        We asked this when the police computer guy gave a talk to our high energy physics group.

        How can we prove that background noise in the LHC data isn't an encrypted message?

        Do we have to keep the data in Switzerland, if we access it remotely does that come under UK law ?

        We were told not to worry because the laws were only for terrorists - so that's a relief then !

        1. Anonymous Coward
          Anonymous Coward

          Re: and another thing ...

          This is what is totally fucked up about this sort of law, it may only be used against terrorists now, but while it remains on the statute books there is no reason it can't be used against someone who is rocking the establishment's boat. If you get a worse version of the current Home Secretary then that could easily happen without any change of government or indeed law.

        2. Anonymous Coward
          Anonymous Coward

          Re: and another thing ...

          The background noise in your LHC data might contain an encoded (not encrypted) message - think abut the cosmic microwave background radiation and what has been learned from it.

          1. Peter Gathercole Silver badge

            Re: and another thing ... @AC 21:14

            in reality, there is no practical difference between encoding and encrypting. Encrypting just has a more complex encoding method.

            If you think about it in a lexical manner, en-coding means applying a code to a data set, and at a fundamental level, a code and a crypt (as in encrypt, not that room under a church) are different names for the same thing.

            Now sit back and wait for someone to offer a reason why a code and a crypt are different.

    2. Frumious Bandersnatch

      Re: and another thing ...

      Q: How do they tell the difference between encrypted data, and a capture of a few seconds pink noise from a quiet part of the FM spectrum?

      I think you just answered your own question there. An encrypted file will sound like white noise, whereas pink is 1/f.

      1. Peter Gathercole Silver badge

        Re: and another thing ... @Frumious Bandersnatch

        I believe that was just an example.

        An encrypted file may not sound like white noise. The encryption method may introduce patterns, and may not generate a white noise type distribution. I'm sure I could come up with some (admittedly poor, but I only spent 10 seconds on it) method of using integer encoding of an exponential of the bytes in a data stream to generate significantly non-random files.

        And how do you 'play' a data file? All audio data has to be encoded in some form or other, even it is successive 8-bit sampled voltage values from a microphone.

        Have you ever played around with SoX, and got the encoding wrong. Sometimes not even music sounds like music. Try playing an MP3 as a raw WAV.

        The assumption in this sub-thread is that you can recognise that some file or device is actually encrypted. In reality, a file of seemingly jumbled data without a recognisable format could be anything. There does not have to be any implicit recognisable format in a data file. Some files contain headers or some fingerprint that point to the format file the file for convenience, but that is by convention, not any fundamental property of the data.

        As long as you know how to process the data (be it background noise from the LHC, some new audio or video encoding, or a valuable secret), there is no need to put hints into the file to help other people. All that is needed is that you and anybody else using the data knows how to process it. It then becomes a matter of inspired guess work with some maths and statistics for anybody else to access the data.

        For some background in arbitrary pre-shared secret codes, look back at this previous story. Follow up stories suggested that the message was read only when the pre-shared secret was identified.

    3. Charles 9

      Re: and another thing ...

      Well, for one thing, encrypted volumes tend to strictly follow certain randomness characteristics. TrueCrypt volumes, for example, would be distinctly nondescript when subject to a chi-square analysis. Can the same thing be said of pink noise?

  23. Tom 7

    Anyone know a way of attaching a hidden file to an email to my MP?

    Just wondering.

  24. Anonymous Coward
    Anonymous Coward

    Panic Password

    How about an encrypted drive with two passwords. One decrypts the data and the other wipes it, or presents a different set of data. When you're asked for the password you give it to them. The choice of which one is all yours.

    1. Luke McCarthy

      Re: Panic Password

      That wouldn't work since they will first image the drive and then use their own software to do the decryption.

    2. cbars Bronze badge

      Re: Panic Password

      Kali just included this by default

      http://lxer.com/module/newswire/view/103692/index.html

      Wipe your keys. Then you are free to hand out your password to all and sundry.

      Keep your keys backed up in a USB in a tree.

      Bad luck if the day you want to read it "they" are at your door and can grab the backed up keys though ;)

  25. Anonymous Coward
    Anonymous Coward

    misdirection

    "Other security experts have expressed surprise that GCHQ was supposedly unable to brute-force a 12 character alpha-numeric password, given the resources at its disposal."

    oh they can crack it all right. they just don't want everyone to *know* they can crack it.

  26. Anonymous Coward
    Anonymous Coward

    GCHQ

    I wonder if they cracked it, passed on the information on what's inside to the plods, and some obscure law allowed them to claim they couldn't crack it (as they always act within the legal boundaries, as we all know from another accusation they have faced ;)

  27. JimmyPage Silver badge

    Here's another legal hypothetical ...

    suppose a company devises a circuit which can't be read without the correct key being loaded into a register somewhere. Loading the wrong key causes the device to short and destroy the contents.

    Police seize device. Ask for key. Suspect accidentally (!) gets a digit wrong. Police try key, and device bricks itself, and is completely unreadable.

    Since the device no longer contains encrypted data (in fact it contains no data) what's the score under RIPA ?

    As a rule, if changes in technology can cause a law to become invalid, then the law was probably a bad one to start with.

    1. mastodon't

      Re: Here's another legal hypothetical ...

      Deliberate destruction of 'evidence' matey, you are nicked my son, i'll just get on the phone to the sun and let them know we've got another 'terrorist' bust going down while my friend DI nasty here applies the waterboard.

      1. JimmyPage Silver badge

        @mastodon't

        but who destroyed the evidence ? Certainly not the suspect.

        1. nuked

          Re: @mastodon't

          That is like saying the bomb maker is innocent because he didn't open the briefcase...

    2. DropBear

      Re: Here's another legal hypothetical ...

      The thing is, most things usable as storage are pretty standardized today, so dismantling the box before even trying a password then disconnecting / desoldering / etc. and imaging the known data storage components of it would be pretty trivial; if you mess up, restore the image and try again. To avoid this sort of thing, you'd need your own custom integrated ASIC, or a device potted into a solid block, or at least a tamper switch on the box - then strong faith that whoever you're up against will not be able to defeat the switch or dissolve your potting compound, or indeed de-coat your chip and put it under an electron microscope...

      1. JimmyPage Silver badge

        @dropbear

        I was envisaging a device where the actual silicon gets blown.

      2. Anonymous Coward
        Anonymous Coward

        Re: Here's another legal hypothetical ...

        Really decent tamper-proof hardware has several measures in it to prevent physical intrusion, often just cutting a single conductor in a wire net surrounding the storage elements within a potted assembly causes the inbuilt battery to be inverted to several kV and this is then applied backwards across the storage device power rails until they are no longer able to recall their own names.

    3. Anonymous Coward
      Anonymous Coward

      Re: Here's another legal hypothetical ...

      If they have any sense they never do any work on the 'evidence'. For forensic purposes storage is always cloned at the bit level before trying to read data from the clone.

      1. Bloakey1

        Re: Here's another legal hypothetical ...

        "If they have any sense they never do any work on the 'evidence'. For forensic purposes storage is always cloned at the bit level before trying to read data from the clone."

        All work is done on the image as required by PACE guidelines. Imaging is normally done on a device that makes a true clone and does not adjust time stamps etc. Once you have the image you can play away in Encase to your hearts desire and pass subsequent data to plod, linguists or anybody lurking around Vauxhall station that wears a suit.

        Interesting story:

        I used to hang out with ne'er do wells from around there and their favourite watering hole was the Queen Anne pub / knocking shop. The owner of the Queen Anne went on a holiday a few years back and was slotted. I wonder if it was to do with her clientel?

  28. Anonymous Coward
    Anonymous Coward

    Should have used steganography

    Hide in plain sight.. maybe pictures of seaside, trees, pets etc.

    MP3's work well, but they might lock you up for longer than a terrorist if they think it might be copyrighted!

    anonymous - obviously

  29. John Savard

    "perhaps GCHQ made a strategic decision not to expose its capabilities in this area"

    Certainly that's possible, but that reminds me of the story about the Coventry bombing that took a while to refute: the Enigma wasn't needed to give orders to pilots on the ground in France, and they got through that time because of problems with the radar instead.

  30. NomNomNom
    Trollface

    Police: "we've found a number of encrypted files on your usb pen, what is the key?"

    "All the files are encrypted with different keys"

    Police: "So what are the keys?"

    "The key to decrypt data1.txt is in data2.txt, the key to decrypt data2.txt is in data3.txt and so on.."

    "You will need to start from data9001.txt and work down. Although it's a waste of time I can tell you what's in data1.txt, it's file called trollolololol.wav and a cat video. But I understand if you can't take my word for it."

    (of course jokes on me when they give me the laptop and tell me to do it myself..)

  31. Syntax Error
    FAIL

    "Others have noted that perhaps GCHQ made a strategic decision not to expose its capabilities in this area."

    Just too clever for their own good aren't they.

  32. bigtimehustler

    Although you could not contest the law in a normal court here, you could take it to the high court, fully knowing you intend to take it the European Court of Human rights as being forced to reveal your password (when you may not know it) is a contravention of your rights, seeing as you may not know the password, probably under cruel and unusual punishment.

    1. Arthur Dent

      @bigtimehustler

      > Although you could not contest the law in a normal court here, you could take it to the high court, fully knowing you intend to take it the European Court of Human rights as being forced to reveal your password (when you may not know it) is a contravention of your rights, seeing as you may not know the password, probably under cruel and unusual punishment.

      Unfortunately for this line of argument, not knowing the password is a valid defense; in theory the prosecution have to prove beyond rasonable doubt that you are lying when you say you don't know it. Of course it's up to the jury to decide what is reasonable, but I suspect that in a case like this one the jury would believe the prosecution case, not you.

    2. Arthur Dent
      Boffin

      @bigtimehustler

      > Although you could not contest the law in a normal court here, you could take it to the high court, fully knowing you intend to take it the European Court of Human rights as being forced to reveal your password (when you may not know it) is a contravention of your rights, seeing as you may not know the password, probably under cruel and unusual punishment.

      Unfortunately for this line of argument, not knowing the password is a valid defense; in theory the prosecution have to prove beyond rasonable doubt that you are lying when you say you don't know it. Of course it's up to the jury to decide what is reasonable, but I suspect that in a case like this one the jury would believe the prosecution case, not you.

  33. Anonymous Coward
    Anonymous Coward

    Works 4 me

    I'm all for jailing perps who refuse to supply their password even if in most cases it can be cracked given enough time and resources. There is no reason why authorities should need to invest those resources when the perp can supply the password. MUCH longer prison sentences for digital crimes need to be implemented to get through to these social degenerates.

    1. Fink-Nottle
      Trollface

      Re: Works 4 me

      Quite agree. Authorities resources are better used snooping on the general public.

    2. I. Aproveofitspendingonspecificprojects

      Re: Works fool you

      "There is no reason why authorities should need to invest those resources when the perp can supply the password."

      Obviously the same applies for any burglar that hides his loot, causing wilful obstruction.

      What's the penalty for that, if they don't find anything?

    3. Intractable Potsherd

      Re: Works 4 me

      And, AC, it doesn't work work for me. There are few crimes that are so heinous that there should be a specific compulsion on the accused to make an investigation easier. It is the job of the police etc to *find* the evidence, not the job of the accused to *give* the evidence. No evidence, no proof, no crime - that is the way it has been for several hundred years, and there has been no compelling (pun intended) reason to change it.

      Why the hell are you so afraid of people that can barely hurt you? Are you same "perp" user as always trolls copyright threads - you have the same casual hostility towards due process.

  34. This post has been deleted by its author

  35. sisk

    So in the UK you can be forced to hand over your encryption passwords or you're presumed guilty? Let me guess. Someone said that if you're innocent you have nothing to fear, right? Terrorist or not I think that's a violation of human rights as currently recognized by international law.

    Also....why did they not try the password they already knew he had used in multiple other places? Seriously, that cannot be asked enough. What kind of 'expert' misses such an obvious password?

  36. intrigid

    How is this conscionable at all? I thought "No obligation to incriminate one's self" is a fundamental tenant of the justice system of literally every country in the world.

    1. Anonymous Coward
      Anonymous Coward

      Not in the UK it isn't.

  37. Boris the Cockroach Silver badge
    Big Brother

    Just use

    my all time classic password

    "I am not telling you".... and demand lie detector tests/truth drugs , 5 hrs of waterboarding and all the other tricks the authorities use with RIPA to find people who let their dogs shit on the pavement .. sorry locate evil peodos and terrorists.

    Guess with posting this, I'll be accused of giving out info to help terrorists and get a 3am knock at the door followed by a black bag over me head and a trip to a 'secure location'....

  38. Anonymous Coward
    Anonymous Coward

    What about passwords to secure government VPNs?

    I have signed agreements to not disclose login / encryption passwords to anyone!

    If the police were to ask, would I have to disclose them, therefore defeating my NDAs?

    If this is the case, then I'd be in trouble from multiple agencies all in one hit!

    Anon just in case;)

    1. nuked

      Re: What about passwords to secure government VPNs?

      I suspect your NDA has some form of 'imminent danger' clause

    2. Bloakey1

      Re: What about passwords to secure government VPNs?

      "I have signed agreements to not disclose login / encryption passwords to anyone!"

      <snip>

      I have as well and other acts that bind me to keep quiet even about extra legal actions.

      Hmm perhaps:

      I am sorry officer but I have no knowledge of such a password and or key chain and should such a a password and or key chain exist I would be unable to divulge or otherwise discuss it due to the constraints of the official secrets act, an act which supersedes and takes precedence over your authority you little lid twat.

      I would also put it to you officer that I intend to take a personal interest in your positive vetting and career path from this day hence.

      That should do it and I am sure they would give you a nice cell overlooking the courtyard, potential revocation of security clearances and a life time's free membership of the James Saville chapter of the sex offenders register.

    3. Turtle

      Re: What about passwords to secure government VPNs?

      "I have signed agreements to not disclose login / encryption passwords to anyone!"

      Compliance with the law is your paramount and over-riding obligation. No private contracts or agreements will ever give you a basis for refusing to comply with the law (and contractual provisions at odds with the law are not enforceable.) And if in real life you were to refuse to comply with legal orders and demands citing private contractual obligations, the courts will be more than happy to sentence you to prison and you will be able to think about your, uh, conscientiousness to your heart's content.

  39. Malcolm Weir Silver badge

    To those who have suggested that the US protections against self-incrimination are somehow a magic bullet against this sort of intrusion, the reality is not so clear cut.

    US courts (up to and including the Supreme Court) have regularly ruled that e.g. you do not have the right to prevent a search pursuant to a warrant just because that search might/will incriminate you. And in 1988's Doe vs United States (487 U.S. 201) the Supremes held that could compel a defendant to sign a document authorizing foreign banks to disclose information on any accounts owned or controlled by the defendant, even though IF the banks did provide any data, THEN it would be prima facie evidence of a criminal offsense (in that case, failing to respond to a lawful subpoena to disclose all banking records).

    So the argument by the defendant boiled down to "if I unlock the door of the safe, then you'll open it and find stuff which will land me in trouble", whereas the government argued that unlocking the door to the safe is not in itself an act that could incriminate you (although the contents could). The government won.

    A similar situation exists with destruction of evidence: if your husband burns the letter you wrote that instructed someone to tap the phone of the the prime minister (to be topical), your husband is likely to find himself on trial for obstruction of justice charges. So if you destroy (or cause to be destroyed) evidence by triggering anti-tamper devices, you're still in hot water (although the charge may be different).

    1. Chris 201

      But aren't laws about destruction of evidence normally targeted at third parties? If a burgular carefully wipes his fingerprints after breaking into a house he isn't charged with destroying evidence. It's accepted that criminals try to avoid getting caught and don't have a specific obligation to help the Police catch them (if only because such an obligation would always be ignored by actual criminals).

      A search warrant means you can't prevent the Police from searching but you don't have to help them. You don't even have to open the door, you can let them smash it down if you prefer.

      1. Malcolm Weir Silver badge

        Chris 201: you're quite right about destruction of evidence, etc. But the point is that IF you act in such a way as to prevent The Authorities from rampaging through your files, THEN you can be done for the offense of Preventing Authorities Rampaging aka obstruction of justice. Likewise, if they can't prove the suspect actually did the burgling, but can prove he wiped the door handles knowing that so doing would impede the investigation, that's obstruction.

        And the point of the Doe case was that the government COULD compel Mr. Doe to authorize the banks to release information; they couldn't magically force him to sign the document, but they could hold in contempt of court (in jail) until he did... and they could continue to hold him indefinitely.

  40. nuked

    I don't get some of the comments here. Taking the story at face value[1], this guy had history trying to blow us up and we jailed him for not providing a password which may have stopped some of his nutter mates from also trying to blow us up. Forget laws for a minute, seems like a perfectly reasonable way to deal with the situation.

    [1] yeah

    1. nsld
      Mushroom

      The problem is

      That you are viewing the law from an incredibly narrow perspective.

      Given how inept our police are what happens if Constable Savage decides that your screenname "nuked" suggests you might be a dodgy bomb wielding terrorist and he raids your house and takes all your IT kit and lots of USB keys.

      Included in this is a USB memory stick that isn't yours that a friend must have dropped, its encrypted and you don't have the password.

      But the USB stick was recovered in a search of your home and therefore its your responsibility and thanks to RIPA you get some jail time for failing to provide the key.

      Welcome to our brave new UK police state world.

      1. Matt Bryant Silver badge
        FAIL

        Re: nsld Re: The problem is

        "That you are viewing the law from an incredibly narrow perspective....." Reallly? I suspect you want us to see it from your incredibly brain-dead, paranoid-induced perpsective, yes?

        ".....Given how inept our police are what happens if Constable Savage decides that your screenname "nuked" suggests you might be a dodgy bomb wielding terrorist and he raids your house and takes all your IT kit and lots of USB keys. Included in this is a USB memory stick that isn't yours that a friend must have dropped, its encrypted and you don't have the password. But the USB stick was recovered in a search of your home and therefore its your responsibility and thanks to RIPA you get some jail time for failing to provide the key....." And this has happened when? Surely, by your insistance this must be happening five times a day in every town in the land, right? Except it is not, outside of your fevered imagintaion. Please grow up.

        "......Welcome to our brave new UK police state world." Sorry, but that just came across as "baaaah, baaaah, baaaah."

    2. I. Aproveofitspendingonspecificprojects

      At face value the authorities(?) didn't already know what was on the drive?

      How stupid do you want us to be?

      Homer Simpson stupid?

      Or Arab Terrrst stupid?

      None of us like terrorism but when the police state is the terrorist it is too late to do much about it.

      If you really want to go back to the core, then you must give the Palestinians their country back, unkill all the innocent men women and children whose families want revenge and then sort out the US of A and the damned, perfidious British.

      I'm pretty sure that if you could just give back Palestine and beat George Dumarse to a pulp then hang him on a strangefruit tree, things would settle down.

      1. Anonymous Coward
        Anonymous Coward

        @I. Aproveofitspendingonspecificprojects

        "None of us like terrorism but when the police state is the terrorist it is too late to do much about it."

        As has often been pointed out, states are the original and by far the dominant terrorist organizations. Compared to, say, Al Qaeda (assuming such an entity really exists at all) the US federal government is like a T Rex next to a shrew. (The UK government would be intermediate; something like those nasty little chicken-sized dinosaurs that ganged up on Richard Attenborough in "Jurassic Park").

      2. Jim 59

        Aproveofitspendingonspecificprojects = bot

        Looks like a version of amanfrommars, but better, and specializing in politics.

        But dude, seriously ? You botted 8 posts in one article ? We don't mind an occasional visit but don't take the Michael. Or likely the vultures will have you. Unless it is an El Reg plot...

  41. Anonymous Coward
    Anonymous Coward

    Hold the phone...

    What's this?

    GCHQ stumped by a password?

    Isn't this the same GCHQ that "cracked" Ian Watkin's password of "ifuckids" or whatever it was? (If you even believe that...)

  42. Vociferous

    So, how can this be legal?

    He's been convicted for not divulging his password. The inference must be that he's sentenced on the assumption that there's something incriminating and criminal on that stick, and the only evidence to support that assumption is that he refuses to prove that there isn't.

    Which means that the UK has both reversed burden of proof and dispensed with the assumption of innocence.

    I really hope he sues the UK in EU court.

    1. Turtle

      Re: So, how can this be legal?

      There's no "inference". He's been convicted of non-compliance with the law. It doesn't matter what's on the drive and if it's incriminating or not. He's required to give up the key and he didn't. The law provides sanctions for such behavior. Case closed.

      "Burden of proof" is for actual trials - and nothing else. Investigations are based on probable cause. Search warrants and key disclosure orders are issued because it's considered reasonable to assume that they will yield results pertinent to on-going investigations.

      1. Vociferous

        Re: So, how can this be legal?

        > He's been convicted of non-compliance with the law.

        That's simply a statement that no law, and no order from an officer of the law, can be unlawful. My argument is that this UK law is unlawful under European law.

  43. Carpetsmoker
    Alert

    I think I have an encrypted USB drive, I experimented with various disk encryption techniques a few years ago for fun. Better find it and erase the drive, 'cuz I don't remember the password.

  44. Lamb0
    Holmes

    Perhaps...

    by willfully incriminating himself for the credit card fraud investigation; his next batch with 25 to 50+ years of consecutive sentences will be reduced by, maybe, four months?

    1. Matt Bryant Silver badge

      Re: Lamb0 Re: Perhaps...

      "....y willfully incriminating himself for the credit card fraud investigation; his next batch with 25 to 50+ years of consecutive sentences will be reduced by, maybe, four months?" IMHO, hopefully they'll sentence him to a long enough sentence the four months will be about ten years after he dies.

  45. Anonymous Coward
    Anonymous Coward

    Since the only thing on there was credit card crimes they already knew it, likely the reason they were after him for those crimes. Maybe they just want him to do the extra time.

  46. regnik

    Publication of the password

    So once you have handed over your password to the police so that they can search the data on the encrypted drive is it OK for this information to be released to the press.

    Not that I know who released the password into the public domain.

  47. Anonymous Coward
    Anonymous Coward

    Better cultivate your memory

    This guy, and anyone in a similar position, would have done well simply to memorize whatever dark secrets he had. Throughout history, after all, poets and others have memorized the equivalent of whole libraries.

    Even more important, no technology yet exists to determine what information a person has memorized.

    As Bernard in "Yes, Minister" quotes Francis Bacon: "He that would keep a secret, must keep it secret that he has a secret to keep". That is probably the biggest single blunder made by those who wish to keep secrets. Once the secret's existence is known, it's only a matter of time - whether the technique involves decryption, thumbscrews, or drugs.

    1. Bloakey1

      Re: Better cultivate your memory

      <snip>

      "Even more important, no technology yet exists to determine what information a person has memorized."

      <snip>

      A rubber hose works wonders as does sodium thiopental allegedly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Better cultivate your memory

        "A rubber hose works wonders as does sodium thiopental allegedly."

        Sodium thiopental can be fatal if the dose is wrong. Furthermore, it's more difficult to use with a very driven or determined subject (it makes the subject more prone to persuasion).

        As for the rubber hose, suppose they find he's the kinky type that responds to the rubber hose with, "Harder!"

  48. Anonymous Coward
    Anonymous Coward

    Why won't this work?

    Can't you ask the prosecution to prove that the data is encrypted and not just junk? This is mathematically impossible without the key. Therefore the concept of innocent before proven guilty would hold, unless they could brute force the key.

    This law is very dodgy on two counts - the above and also it requires a defendant to incriminate themselves.

    AC because I want to live!

  49. john 103
    Pint

    What about being able to prove you don't know the pwd?

    Ie - Bruce Schneier's Trick* in The Cryptonomicon where the Key is the sequence of cards in a shuffled deck.

    When the front Door gets busted down - Drop the cards & the pwd disappears.

    You can then prove to the court that the pwd is non-recoverable.

    Or is it possible to be Charged with Contempt retrospectively?

    Any Terrorists out there willing to try this out?

    *Bruce did say not to use cards as spooks/secret police are often known to read books on Crypto...

    1. Charles 9

      Would probably be construed as destruction of evidence. It would be analogous to keeping the password on flash paper and taking a quick match or lighter to it (or something of the like; flash paper is designed to ignite easily and burn quickly and cleanly) when threatened.

      1. Intractable Potsherd

        But surely it would have to be proved that the cards had anything to do with the password before it can be classed as evidence that was destroyed ... and that is a difficult task which could lead to appeals all the way to the top.

        1. Anonymous Coward
          Anonymous Coward

          It would presumably be somewhat self-defeating to say, "Hah! You can't prosecute because the password was in the deck of cards!" and when told you destroyed evidence by shuffling them, then say, "The cards had nothing to do with it!!@-$"...

  50. Anonymous Coward
    Anonymous Coward

    Human rights laws should not apply to convicted terrorists....

    In my opinion...

    1. Anonymous Coward
      Anonymous Coward

      Re: Human rights laws should not apply to convicted terrorists....

      Of course - how else will we prove to the world that our system is better than the terrorists' unless we conveniently ignore our most fundamental values when we encounter people we particularly dislike?

      *sigh*

  51. Anonymous Coward
    Anonymous Coward

    Re, Human rights laws

    I agree, however be sure that this means "convicted in a fair, OPEN court with an actual jury" and not some family wishy washy "court" that are doing the rounds in the tabloids at the moment.

    Personally, I'd like to see the lawyers in court on contempt charges, because they clearly have the capability to decode a simple 12 digit password so failing to do so means they are incompetent, or lying, or both.

    Anyone with a brain would see that using about £10K worth of graphics card based server could crack such a simple password in about a week.

    AC

  52. 10minutemail

    Question

    "What you have failed to grasp is that, while all testimony is evidence, not all evidence is testimony"

    OK - imagine following:

    I decide to type up a letter explaining how I committed a bank robbery. A confession.

    I save it on to an encrypted drive.

    The police come knocking on my door, cause someone has suggested I was involved.

    Now if I gave the police the password to the encrypted drive, am I not incriminating myself (right to silence?).

    I am assuming testimony is not just oral?

    btw, note it doesn't matter whether I committed the crime or not. I might have, I might not have. I might have just been typing the letter for someone else. I might have a fetish for typing these letters.... Yet, when this letter is taken with any other circumstantial evidence...

    1. Turtle

      @ 10minutemail

      First, look the Wikipedia page about it (http://en.wikipedia.org/wiki/Self-incrimination):

      Self-incrimination is the act of exposing oneself (generally, by making a statement) "to an accusation or charge of crime; to involve oneself or another [person] in a criminal prosecution or the danger thereof." Self-incrimination can occur either directly or indirectly: directly, by means of interrogation where information of a self-incriminatory nature is disclosed; indirectly, when information of a self-incriminatory nature is disclosed voluntarily without pressure from another person.

      In many legal systems, accused criminals cannot be compelled to incriminate themselves—they may choose to speak to police or other authorities, but they cannot be punished for refusing to do so. The precise details of this right of the accused vary between different countries, and some countries do not recognize such a right at all.

      There are people who have decided to obfuscate the matter by positing some sort of "right against self-incrimination" instead of a "right to refuse to answer questions" or a "right to silence". This kind of obfuscation only serves to help misunderstand the matter. There is no right against self-incrimination; there is (in most but evidently not all jurisdictions) a right to refuse to answer questions or a right to silence but nothing more..

      I am sure that there are no jurisdictions anywhere in the world where a suspect is allowed to conceal evidence, no matter what the charges or how damning that evidence is. Quite the contrary, in fact: as previously mentioned, there is no "right" anywhere in the world by which the law will condone concealing evidence, destroying evidence, contaminating evidence, altering evidence, refusing to produce evidence when ordered to do so, and whatever else; such actions will be considered perverting the course of justice, impeding an official investigation, contempt of court, and so forth.)

      Interestingly, although, in US criminal procedure, a jury is not allowed to draw any inferences from a defendant's refusal to answer questions (i.e. when they "take the 5th") in a civil procedure, a jury may assume that a witness who refuses to answer questions is hiding information that would be prejudicial to the matter at issue and the jury can use that assumption in their deliberations.

      If in the case you draw, you give the password to an encrypted USB drive with a confession on it, you are indeed "incriminating" yourself but if you voluntary give them the password, there is nothing to discuss about legalities, right? After all, no matter how broad a "right to silence" extends, you voluntarily gave them the password. You are not required to remain silent.

      If they demand the password and you refuse, you can continue to refuse until you are presented with an order from the relevant authorities, which would seem to be, in most jurisdictions, a magistrate. Once the magistrate has decided that the investigators' demand to see the contents of the encrypted drive is reasonable in that there is probable cause to consider that it might hold information relevant to the investigation, the order is issued, and you are required to give them access.

      Courts have decided that digital documents are evidence, and not testimony that can be concealed under the umbrella of a right to silence. You can consider key disclosure orders to be a form of search warrant.

      Of course, you don't have to take any of this at face value. If you prefer, you can listen to and believe someone like "intrigid" - the kind of self-assured guy whose profound lack of knowledge could nevertheless turn a routine traffic stop into a long stretch in the penitentiary.

  53. Anonymous Coward
    Anonymous Coward

    GCHQ Fail

    GCHQ must have spent all the budget tapping in to internet pron just in case they find any hidden messages, leaving only a few coppers to buy an old Speccy to do the decrypting. Pathetic bunch of numpties !

  54. Anonymous Coward
    Anonymous Coward

    I've been thinking...

    What's stopping say, some disgruntled wife creating an empty TrueCrypt file on her husbands computer called "child_abuse.truecrypt" or whatever, then calling the police?

    Or what's stopping the Police from doing the same thing before they clone the hard drives, just because it gives them an excuse to jail someone for failing to divulge the password. (Esp. more so if they have it in for them.)

This topic is closed for new posts.

Other stories you might like