Youth jailed for not handing over encryption password A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. Oliver Drage, from Naze Lane, Freckleton, Lancashire was arrested in May as part of an investigation into child sexual abuse images. His computer was …
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac...
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaad...
Although he may have to claim expenses for a new keyboard and treatment for carpal tunnel syndrome.
This story just proves how old I am getting. I can still remember the days when a person was presumed innocent until proven guilty.
That said, I am pretty sure that the European human rights charter includes the equivilent of the 5th, i.e. that you can not be forced to incriminate yourself.
...he was. He was considered innocent of not disclosing the password, and then they proved it. So he was guilty. The problem here is not convicting him for a crime they havent proved, it's them criminilising behaviour that *should* be a persons right, i.e not to self-incriminate.
It's easy, you just write the laws the right way. He has been proved guilty of not typing in his password; hence jail time.
Other offences soon to hit the statute book to be used whenever they want:
"Looking funny"
"Taking a photograph"
"Sitting on the tube, reading Metro"
"Breathing"
Encryption exists because there has been a need to safeguard certain information. It is used in a capacity to protect personal files just like it is used to protect say credit card information. However RIPA deems it a crime in circumstances they see fit. If they want to differentiate between what is acceptable and what is not then I suggest that encryption be made illegal in this country for non commercial use rather than jailing people because they will not cooperate. There is a clear distinction here between ones liberties and preventing people from covering up a crime.
I'm not sure that there should be an absolute right to hide behind unbreakable encryption. One doesn't have a similar right with respect to paper documents. Provided the police have obtained a search warrant, they can legally break any physical lock if you won't provide them with the key. (There's no such thing as an unbreakable lock or safe).
Do the police have to obtain a search warrant for your computer, before they can order you to decrypt? If so, that appears to be an appropriate safeguard, and an exact analogue to what has been the case for paperwork for many years.
If they don't have to obtain a search warrant, then they should be required to.
There should probably also be a provision that evidence obtained by requiring one to decrypt should be admissible only if it confirms the suspicions that led to the warrant being granted. In other words, if they are investigating money-laundering and they find only porn, they should not be able to charge one with posession thereof, because the grounds for the warrant have been proved false.
A problem with that approach is that the file in question might be obsolete and the password long forgotten. I'm an IT consultant, and whenever I have to store data from my customers, I use encryption. Most of those passwords are lost and forgotten only a few days after the work is completed, but I often forget to remove the encrypted files from my PC. After reading the article I made a quick search and found seven of those files, aged between three weeks and four and a half years. I just remember one of the passwords, from a file created in summer 2009. I remember it because the password was a funny word related to the owner of the data.
And don't forget I'm an IT pro and use lots of passwords. I have seen people forgetting their passwords two HOURS after creating them.
The thought police can jail you for forgetting something. Sounds really bad, doesn't it?
But how do you enforce a search warrant for the contents of someone's memory? How do you prove that you've forgotten a password or that you've never had the password in the first place.
If you've downloaded the wiki-leaks insurance file how can you prove that you don't have the password, or that it isn't infact your secret stash of terrorist manuals that you've renamed to look like the wiki-leaks file and do really have the password for?
Also if you followed the US system and had "Fruit of the poisonous tree" provisions in the warrants, the exceptions on the search being carried out in good faith would kick in and it would be a legal search.
*Note to self - remember to use the "Reply to this post" button next time
The chap we are discussing "refused" to provide his password. I'm assuming that meant he said "No" rather than "I've forgotten it". The latter would have been a smarter answer and I'd hope it would lead to an acquittal - how can the prosecution possibly prove beyond reasonable doubt that this is not the truth? If it really is illegal to forget, I'd expect a jury nullification, or a successful appeal to the EU court of himan rights.
I agree that the whole concept is stupid. Anyone competent with something to hide will combine steganography and plausible deniability (multiple encrypted volumes in one hidden container, one or two innocuous volumes that you're happy to reveal if they can work out where they are hiding, using software that always creates large amounts of random padding so they can't hope to prove that you're concealing more than you've shown them).
re: Fruit of the poisonous tree... a former net acquaintance was under investigation for Social Security Fraud. Law enforcement was searching his house for proof that he was running several businesses while claiming SS Disability. One of them, I believe a USPS Postal Inspector, found some video tapes in the closet and tried to pop one in a VCR but couldn't because there was already one in the player... he turned the VCR and the TV on, and found to his surprise, not evidence of financial crimes, but porn, and specifically child porn. He stopped the tape, called the courts for another search warrant specifically related to porn and child porn, and then arrested Jack on federal child porn charges... Jack is now doing time in Arizona on some charges, and when he finishes his stay in the Arizona iron bar hotel, he has a date with a federal house of detention for another 5-10 years. He won't be free again until he's about 75 or older. I only "knew" him because we were on the same email list, but the owner of the list tried to hide the charges from the rest of the list, and in fact went to a moderated list and refused to allow anything negative to be posted about him. She also threw a number of people off the list because they tried to post the true story.
Fail, because Jack had already been a guest in the pokey on several previous occasions, including once for murder.
We have arrived at the point where citizens are only allowed to have security of information if the government they elect allows this. I can see the pros and the cons, having a number of TrueCrypt files for sound reasons that do not involve breaking laws of any sort, and having a dislike of the offences of which the individual has been accused. That leads me to ask, was this individual using an encrypted proxy? Is this why the enforcement agencies concerned are not trotting out the data here?
As others have said, "innocent *unless* proven guilty" would be nicer; "innocent until proven guilty" seems to suggest that you are, inevitably, going to be found guilty, but that it has not yet been proven. (That particular phrasing sounds like it was drafted by someone who believes in the concept of "original sin"; we are all guilty.)
Scene 1: a court room.
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Scene 2: the same court room,four months later
Judge - What is the password ?
Accused - Not sayin.
Judge - Fair enough, have four months at Her Majesty's pleasure
Rinse and repeat Scene 2 until the accused hands over the password or dies of old age.
Memory erodes over time and it would be a very silly criminal who did not realise that the "I've been in prison for so long that I have forgotten" option is available.
As someone observed indirectly, we are now at the gates of a new era of thought crime. "We know that you remember so we are going to send you back to prison until you unlock your thoughts".
To my mind, at least, it's not clear that the double jeopardy principle would apply. The crime, for which he was imprisoned, was failing to comply with a s49 order. I agree with you that he cannot be tried twice for the breach of a s49 order- the double jeopardy principle.
However, there is nothing in ss49-51 of RIPA which prevent a law enforcement agency from issuing another s49 notice, seeking the same information - this is entirely different to charging someone again for the same crime. If he fails to provide the key, he is tried for the breach of the new order, and thus commits a new, triable, criminal offence. There is no double jeopardy issue here - it's breaching a separate s49 notice.
There are two competing policy issues here - one is that someone should not be tried twice for the same offence (although under attack in some situations), and the other is that someone should not be entitled to obstruct the investigation of a larger crime by committing a smaller crime, and take the penalty for that smaller crime as a way of preventing the investigation.
I'm not aware of any legal authority on this, so just going on the basis of what makes sense to me in terms of approach - I'd be very interested to see something which suggests a different approach.
"Double jeopardy" is not out completely - the Court of Appeal held that there can be a retrial where there is "new and compelling evidence". There's ambiguity as to what this means, for sure, but it does not mean a complete revocation of the principle.
I meant to add in my previous response, that the principle of double jeopardy applies to someone who is tried and acquitted, not someone who is tried, found guilty, and serves their sentence - that someone cannot be tried again for the same offence after serving their sentence comes from the fact that the have done their penance - the slate is wiped clean. In the situation here, the slate is wiped clean only in as much as the breach of the previous s49 order has been remediated - another order, another breach, another slate to wipe.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
