I don't know if a law compelling you to reveal encryption keys to the government/police/courts is valid in the UK.
I do, however, know that such a law is morally reprehensible. Quite frankly, it is in the interest of the people to ensure encryption tools are entirely useable by criminals, gangsters, and terrorists, because that ensures they are entirely useable by lawful citizens as well.
Unlike guns (something possible to "defend liberty" as well as commit crime with), encryption has no victims, has no negative consequences. It can hide negative things, but it merely provides automation for knowing something you refuse to tell.
Has there been a case where the Fifth Amendment protected someone from disclosing a password? I'm not sure that giving up your password is analogous to being forced to testify against yourself.
"I'm not sure that giving up your password is analogous to being forced to testify against yourself."
This one is tricky. It depends on ones beliefs about the true reasons for the anti-self-incrimination laws. If you believe (as I do) that it is a fundamental right to remain silent whenever it could make your situation worse, then it is indeed analogous.
An opposing view is that not being forced to testify against oneself comes from other, more basic reasons. One of the "higher-order" reasons against forced self-incrimination might be that punishment for refusing self-incrimination gives incentive to false self-accusation. This one does not apply to forced revealing of passwords (you cannot falsely self-accuse in this case.)
Not necessarily. For example, let's say I have a safe, and I've hidden the key. The police get a warrant to search my safe. I am then legally obligated to allow them to search my safe, which means that I am legally obligated to reveal the location of the key.
In the case of the safe, if I refuse they'll just break it open. Strong encryption is not so easily broken so it may not be in my best interest to cooperate (whereas with the safe, it probably is).
Personally I think encryption passwords should be protected by the 5th amendment, but I understand the logic in saying it's not.
In this example your safe is the medium in which the data is stored. If the police get's a warrant to search my safe, they may do so, but when they find a notebook full of enciphered text or a tape with "noise" in it I'm not obligated to provide them with means to decipher them. Hell I could just say I forgot the key, how is anyone going to prove I'm lying?
Personally I agree with you. My data is my data, and I should be able to do whatever I want with it.
I had the opportunity to attend a public gathering with Jack Straw during the public consultation of this bill (he was the MP who introduced this law).
The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.
Forgetting the password isn't a defense.
(don't shoot the messenger, I think it's crap too, but I'm just saying they already covered that 'defense').
Oh no really I understand the implications and everything... but let's say you do forget the password, what can they do realistically? It seems highly immoral to throw you in jail because you forgot a password.
Now let's say you're in the middle of a murder case, and it is about to be thrown away because of lack of evidence. So they ask you to provide the key to your encrypted drive, but you've forgotten the key... So now do you go to jail on a life in prison sentence because of it? Do they let you go? Do they keep you in prison while they try to decrypt it which might take millions of years?
I can always say "I forgot, this whole ordeal has affected me psychologically and I can't seem to recall the key because of it". Then what happens? I go to jail for 4 months? Which might be a total injustice since there's a possibility it's actually true. Or maybe it's a loophole for a crook because he might have had to serve life in prison, and now he's only doing 4 months thanks to encryption.
A judge can easily send you to jail if there's proof you did something. The same way your girlfriend can easily send you packing because she has proof you cheated. The question is, can you send your girlfriend packing for cheating if you have no proof? If you have no proof then you're sending her packing because of an idea on your head (not real fact and you might be wrong), which is hardly fair and will probably be looked at with contempt and frowned upon by peers (read the rest of the world). Now can the state send you to jail because it thinks that you have child porn on your hard drive, without ever proving you have it?
What happens then when the state has the power to lock you up without proof?
<i>I understand the implications and everything</i>
I don't think you do.
<i>I can always say "I forgot[...]" Then what happens? I go to jail for 4 months?</i>
No, you go to jail for a few months and then they take you back to court to see if your memory has improved. If you don't have the key or if you produce a key that doesn't reveal the data they wanted it to, you go back to jail for longer.
If you can't produce the data the state demands, either because it isn't there or never existed, or because you really forgot, then you can stay in jail the rest of your life.
That is the purpose, goal, and implication that so-called law enforcement wished for and got from data investigation rules.
I said realistically. From what I've seen this "lost my password" is in the US a non issue, and in the UK it warrants a few months of jail time (treated as a misdemeanor depending on the severity of the charges). In any case, it's almost impossible to prove intent in cases like this. It can't be treated as obstruction of justice because the drives were not encrypted after the fact. And intent can't be proven, so at max you get a misdemeanor charge, fines and a year in jail (using us law as a basis for time served).
I'm pretty sure that there is a limit to the amount of time you can spend in jail for that (only a few months), at least for criminal cases.
I remember reading about a guy who was basically given an indefinite jail sentence in a civil case because the judge didn't believe that he really lost all his money is poor investments.
However I remember that the article highlighted the distinction between criminal and civil cases.
Wow, that's an interesting point of view (as enshrined in law). For example, I own some DVDs or say Blu-Ray discs. Shouldn't the company provide me the key to decrypt them in case the police want to decrypt them? I suspect those companies wouldn't appreciate that.
Also, since encrypted data, if done properly is very hard to distinguish between random noise, and people often use writes with random noise as a secure erasure technique, it could also be that you erased that data? That is a thorny issue as well.
Is "I erased the data on that drive securely using random bits" a valid defense?
It is a valid defense if you deleted the data before the investigation took place. If you did so with the intent of destroying evidence (of course, after the investigation starts) your obstructing justice which carries a maximum sentence of 20 years in the U S of A.
> The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.
Heh. Would love to see them take that at face value. "But officer, I need this list of Blu-Ray disk keys. Otherwise, I can't decrypt all my movies the way I'm legally required to!"
And that would explain why I heard of people emailing him encrypted documents / random bits. I'm sure he knows how to decrypt those.
The medium verses transformation is a really interesting argument. I wonder how the law will see it when that day comes.
I have a feeling that the transformation argument may fall pray to the "color of bits" problem but perhaps not. I think it may even come down the choice of algorithm - if I use a publicly available encryption algorithm then it might be considered a medium, whereas if I invent my own language maybe it won't.
As for the forgotten key, that's another argument. There is probably a burden of proof somewhere in there (and probably more on the side of the prosecution). If, for example, the police knew you accessed the contents of the hard drive last week, it would be pretty difficult to claim you forgot your key.
If the law sees it as anything other than what it is, a separation between what my data is and the fact that it belongs to me, in contrast to where it is stored, it will probably open a a big ass can of worms. Might as well change the name of the USA to North Korean States of America.
My opinion: If I write a poem in a notebook (hard drive) using a cipher (encryption) for which only I know the key, the law is able to take my notebook as evidence and process it as they see fit for their investigation, but the data is still mine, it's my set of bits which I'm entitled to not share with anyone unless it's my desire. I'd even say that to force me to share my data is equal to torturing me to get information from me. In both cases the law would be forcing me to reveal something against my consent, which is a violation of my rights however you look at it.
This is sort of why I think it may come down to your choice of algorithms. For example, let's say I buy a hypothetical external hard drive. This external drive has built in encryption, and I have to enter a password using a keypad on the drive before I can mount it. Should I be legally compelled to enter the combination?
While I agree with you and believe that the 5th amendment does protect you in theory, this hasn't really been tested in US courts. The law may decide that encryption is a safe rather than a language. In that case the 5th amendment won't protect you. Hopefully that won't be the case.
Let's say I have a hard drive full of illegal material, the police suspect it and have enough evidence to obtain a warrant, should I not then be obligated to show the contents of the hard drive? Much like a warrant for a home or business premises, why should it not be enforceable for digital things too?
But if you've written notes in your notebook that are comprehensible only to you, should you be compelled to explain to the authorities what they mean?
That was one of the jokes with the original wording.
To cover encrypted, as well as enciphered, text it said something like "any clear text that has a hidden meaning".
Which immediately made most of literature and theology illegal. You couldn't posses a poem or a bible unless you could explain to the police any hidden symbolism!
Pictures of the police kicking down doors and shouting "you're nicked - now explain what the poet really meant by a host of yellow daffodils"
Computer programmers think, aha, I can apply an arbitrary algorithmic translation to input A and get output B, and applying the law to B would be absurd, so therefore applying the law to A is also absurd. What they fail to realize is that bits have color -- a type of metadata that law algorithms can see and operate on which your computer algorithms are ignorant of.
You think that encrypted contents of a computer harddrive is a logically equivalent operation to writing things in a form only comprehensible to oneself. This is only true if you're Colorblind.
> You think that encrypted contents of a computer harddrive is a logically equivalent operation to writing things in a form only comprehensible to oneself.
This entirely depends on whether you view your computer as an extension of your personal consciousness or as being an external service that you're interacting with. I'd rather a society where computers act as individuals' agents, rather than people being at the mercy of the computers.
"Much like a warrant for a home or business premises, why should it not be enforceable for digital things too?"
In most (democratic) countries you do not have to cooperate with the police if they have a warrant. So they are allowed to search your house, they are allowed to break your lock/door, but you are not obligated to give them the key to your house.
It's already the same with digital things: The police can get a warrant and is then allowed to try to crack my password. But I'm not obligated to give them the key.
I'm not so sure that's true. I'm pretty sure that not allowing the police to search your house (given that they have a search warrant) is at the very least considered obstruction of justice (in the US).
The difference is in the consequences of refusal. For a home search, it's usually in your best interest to open the door because it's really easy for the police to break it down. For an encrypted hard drive, it's nearly impossible to retrieve the data if you refuse to decrypt it.
Because it's more like the police being given a warrant for you to tell them everything you know.
In most countries the police don't get a search warrant for your head - except where you are wearing an orange jumpsuit and having water poured down your throat.
Three weeks later and this fast food worker is still in jail. I guess in the UK there is no "innocent until proven guilty" and that's why some left to form the USA a while back. This story couldn't occur in the USA.
Actually it can and does. If a judge compels you to turn over your password as a part of the discovery process and you refuse then you can be served with a contempt warrant and go straight to jail without trial and with limited possibility to appeal.
On December 17, 2006, defendant Sebastien Boucher was arrested on a complaint charging him with transportation of child pornography in violation of 18 U.S.C. § 2252A(a)(1). At the time of his arrest government agents seized from him a laptop computer containing child pornography. The government has now determined that the relevant files are encrypted, password-protected, and inaccessible. The grand jury has subpoenaed Boucher to enter a password to allow access to the files on the computer. Boucher has moved to quash the subpoena on the grounds that it violates his Fifth Amendment right against self-incrimination.
The district court held that Boucher could invoke the Fifth Amendment and refuse to comply.
They later worked around it by requiring him to provide the decrypted contents of the drive instead of the password itself since a border agent witnessed some of the files on the drive and he wouldn't be providing new evidence.
I'm not going to argue the rights and wrongs of the law, that's a different question. What is certainly true is that he has broken the law regarding providing the password when requested to do so by officers of the law following due process.
I repeat that I'm not arguing that the law is right. I'm merely pointing out that he is not innocent of the charges for which he is imprisoned.
I'm also pretty sure there are similar or analogous breaches of what one might call natural justice in the USA - I'm sure someone can provide examples.
If I type in "foo", I get my stuff. If I type in "bar", it may selfdestruct the data, but at least it will show a different content.
So I create a 100GB container, and reserve 10GB as dummy content, maybe 1 mio. copies of the constitution, which will show up with "bar" as password. So I have a password for the police, and everybody is happy.
>> originally arrested for another alleged offence last May. It would be interesting to know the nature of this crime. Was it technology related, or was the computer ceased for less direct relationship with the crime?
1) While it is true to say you are protected under First and Fifth Amendment rights from having to disclose a password here in the US, it doesn't cover border inspections (including airport custom/immigration, where it is considered you are in 'no mans land'). The legal issues of this are currently going through the courts based around the number of people who have had their laptops searched (passwords are requested at the time of the search if necessary). But even if this is resolved, it probably will only apply to US Citizens and not visitors.
2) The chap who has gone to prison for not disclosing his password will go back again for another term if he doesn't disclose the password when he is released. Someone mentioned "maybe it's better to server 90 days in prison for not disclosing the password then to be caught with something more incriminating on his hard drive". That is mitigated by the fact that each request is treated separately so he could be in prison indefinitely if he doesn't comply :/
3) I've always thought a great defense would be to have your password something like "gofuckyourself" or "obvious". That way if someone asks you for your password you can say "go fuck yourself" or "dude, it's obvious". When you go to court you can say "no, I fully complied. The password was 'gofuckyourself'"
Some really good PDF on how this works in Europe, the Netherlands and comparisons to US law. (I took me quite some time to find something looking authoritative enough to actually read.)
"If Alice has stored her key on a diskette
or a smart card, and if Polly is certain of its existence and Alice’s possession of them, she can
summon Alice to deliver it – at least, in the United States she can, and also in European
countries, according to the European Court’s decision in Saunders. In the Netherlands, article
107 paragraph 1 DCCP, however, prohibits Polly from commanding delivery from suspects."
Further on (page 11) goes on to state that a key that doesn't exist in the physical plane might be considered admission, and therefore protected. That is unless it is demonstrated that the suspect used the same key (elsewhere) recently -- in which case it's already "admitted" by the suspect and the s/he needs to deliver the key.
I think the point here is that this Teenager thinks that the punishment for not handing over the password can't be as long as the punishment for proving a crime using the evidence stored on his harddrive. I didn't go to the link, but from what I remember, he's accused of possessing child porn. In US, it would be as easy as saying, I've been under so much duress because of all this, that I forgot what the key is and where I kept it. I mean, they can't keep him locked up forever, right.
And that's the magic phrase right there. Along with "Terrorism", "Drugs" and "Rape", "Child Porn" is a bogeyman which many people feel justifies a reduction in rights of a serious nature.
Are they right? Well, that's not something I'm going to speculate on, but I believe the judicial system will push as hard as people expect/will permit them too. If the encrypted data was stolen e-books, I doubt they'd be so very harsh.
I think it's bollucks, however. I think you should have no punishment for refusing to help convict yourself, regardless of what you may have done.
Doesn't sound like much of a story. He's jailed for obstruction of justice. His password was requested because he was already arrested and under investigation for something else. The fact that it's a computer password doesn't make this a 21st century "Big Brother" issue.
Downvotes, what on earth for? Is it the checkmarks?
Edit: not meaning to complain, I was trying to sort out if it was the Unicode, the tone, the list format, or the "no need to discuss" which is probably a bit rude.
I was hoping to make a quickly read mark that would let people know HN had already been over this ground and there was nothing new in the article, but I failed miserably.
If Moore's Law keeps working, this is a ticking time bomb for him. If the police stay interested and crack his crypto, he'll do more time for whatever he's concealed on his computer (if anything).
Who knows what he does have in that hard drive. Maybe 4 months in prison is significantly better to what might happen if they do get to his data. Hell 4 months in jail because he refused to give a password sounds a lot better than a sexual offender conviction for 4 years.
In any case, if I was him I wouldn't worry about them decrypting the data in my lifetime. Do you know how many millions of years would it take to decrypt a 50 random char pass phrase decent encryption. Lots of those. So unless there is a breakthrough on computing power several magnitudes bigger than what we have experienced and the money to dedicate millions of computers to the cause, or someone finds a loophole in the encryption algorithm (highly unlikely if using any type of military grade encryption), his data won't be decrypted.
And yet, I'm surprised by technological advancement every day. If you'd asked me several years ago if I thought we'd have artificial limbs controlled by thoughts, I'd have said it was far far away.
It's a race between the statute of limitations and encryption/computing technology. (I do agree it seems unlikely).
Even if you account for not having backspaces and linfeeds in the password, he could still easily have 256 bits of entropy.
Even with Moore's law, a strong algo like AES-256 is generally considered to be uncrackable, assuming the algorithm and the implementation don't have any flaws.
I do, however, know that such a law is morally reprehensible. Quite frankly, it is in the interest of the people to ensure encryption tools are entirely useable by criminals, gangsters, and terrorists, because that ensures they are entirely useable by lawful citizens as well.
Unlike guns (something possible to "defend liberty" as well as commit crime with), encryption has no victims, has no negative consequences. It can hide negative things, but it merely provides automation for knowing something you refuse to tell.
Edit: spelling