I don't know if a law compelling you to reveal encryption keys to the government/police/courts is valid in the UK.
Let's say I have a hard drive full of illegal material, the police suspect it and have enough evidence to obtain a warrant, should I not then be obligated to show the contents of the hard drive? Much like a warrant for a home or business premises, why should it not be enforceable for digital things too?
Three weeks later and this fast food worker is still in jail. I guess in the UK there is no "innocent until proven guilty" and that's why some left to form the USA a while back. This story couldn't occur in the USA.
>> originally arrested for another alleged offence last May.
It would be interesting to know the nature of this crime. Was it technology related, or was the computer seized for a less direct relationship with the crime?
Some really good PDF on how this works in Europe, the Netherlands and comparisons to US law. (It took me quite some time to find something looking authoritative enough to actually read.)
I think the point here is that this teenager thinks that the punishment for not handing over the password can't be as long as the punishment for proving a crime using the evidence stored on his hard drive. I didn't go to the link, but from what I remember, he's accused of possessing child porn. In the US, it would be as easy as saying, "I've been under so much duress because of all this that I forgot what the key is and where I kept it." I mean, they can't keep him locked up forever, right?
And that's the magic phrase right there. Along with "Terrorism", "Drugs" and "Rape", "Child Porn" is a bogeyman which many people feel justifies a reduction in rights of a serious nature.
Doesn't sound like much of a story. He's jailed for obstruction of justice. His password was requested because he was already arrested and under investigation for something else. The fact that it's a computer password doesn't make this a 21st century "Big Brother" issue.
Downvotes, what on earth for? Is it the checkmarks?
If Moore's Law keeps working, this is a ticking time bomb for him. If the police stay interested and crack his crypto, he'll do more time for whatever he's concealed on his computer (if anything).
Who knows what he does have in that hard drive. Maybe 4 months in prison is significantly better than what might happen if they do get to his data. Hell, 4 months in jail because he refused to give a password sounds a lot better than a sexual offender conviction for 4 years.
moxiemk1 | 15 years ago
I do, however, know that such a law is morally reprehensible. Quite frankly, it is in the interest of the people to ensure encryption tools are entirely useable by criminals, gangsters, and terrorists, because that ensures they are entirely useable by lawful citizens as well.
Unlike guns (something possible to "defend liberty" as well as commit crime with), encryption has no victims, has no negative consequences. It can hide negative things, but it merely provides automation for knowing something you refuse to tell.
Edit: spelling
smokeyj | 15 years ago
Encryption doesn't hide negative things, people hide negative things. Almost like guns don't kill people, people do.
ax0n | 15 years ago
citricsquid | 15 years ago
RiderOfGiraffes | 15 years ago
http://news.ycombinator.com/item?id=1760700
It's very likely that any comments here will cover the same ground, so if you're interested it might be worth reading the comments there first.
kgermino | 15 years ago
marze | 15 years ago
eiji | 15 years ago
Why not have two passwords: "foo" and "bar".
If I type in "foo", I get my stuff. If I type in "bar", it may self-destruct the data, but at least it will show different content.
So I create a 100GB container, and reserve 10GB as dummy content, maybe 1 mio. copies of the constitution, which will show up with "bar" as password. So I have a password for the police, and everybody is happy.
yummyfajitas | 15 years ago
kgo | 15 years ago
I think they call them shadow volumes...
templaedhel | 15 years ago
olegkikin | 15 years ago
2) Call the police.
3) ???
dotBen | 15 years ago
1) While it is true to say you are protected under First and Fifth Amendment rights from having to disclose a password here in the US, it doesn't cover border inspections (including airport customs/immigration, where it is considered you are in 'no man's land'). The legal issues of this are currently going through the courts based around the number of people who have had their laptops searched (passwords are requested at the time of the search if necessary). But even if this is resolved, it probably will only apply to US Citizens and not visitors.
2) The chap who has gone to prison for not disclosing his password will go back again for another term if he doesn't disclose the password when he is released. Someone mentioned "maybe it's better to serve 90 days in prison for not disclosing the password than to be caught with something more incriminating on his hard drive". That is mitigated by the fact that each request is treated separately so he could be in prison indefinitely if he doesn't comply :/
3) I've always thought a great defense would be to have your password something like "gofuckyourself" or "obvious". That way if someone asks you for your password you can say "go fuck yourself" or "dude, it's obvious". When you go to court you can say "no, I fully complied. The password was 'gofuckyourself'"
ojilles | 15 years ago
"If Alice has stored her key on a diskette or a smart card, and if Polly is certain of its existence and Alice’s possession of them, she can summon Alice to deliver it – at least, in the United States she can, and also in European countries, according to the European Court’s decision in Saunders. In the Netherlands, article 107 paragraph 1 DCCP, however, prohibits Polly from commanding delivery from suspects."
Further on (page 11) it goes on to state that a key that doesn't exist in the physical plane might be considered admission, and therefore protected. That is unless it is demonstrated that the suspect used the same key (elsewhere) recently -- in which case it's already "admitted" by the suspect and s/he needs to deliver the key.
http://rechten.uvt.nl/koops/THESIS/cryptocontroversy-ch08.PD...
dot-sean | 15 years ago
Dylanlacey | 15 years ago
Are they right? Well, that's not something I'm going to speculate on, but I believe the judicial system will push as hard as people expect/will permit them to. If the encrypted data was stolen e-books, I doubt they'd be so very harsh.
I think it's bollocks, however. I think you should have no punishment for refusing to help convict yourself, regardless of what you may have done.
jinushaun | 15 years ago
ax0n | 15 years ago
jws | 15 years ago
✓ Original article omits context.
✓ US Constitution does not cover the British.
✓ Already covered. http://news.ycombinator.com/item?id=1760700
No discussion required.
talbina | 15 years ago
✓ Old story (September 1, 1939).
✓ Thousands of articles likely omitting full context.
✓ US Constitution does not cover the British.
✓ Already covered. http://news.ycombinator.com/item?id=1507526
No discussion required.
marze | 15 years ago
If he had been released and nothing further had happened, maybe you could say "No discussion required".
unknown | 15 years ago
[deleted]
jws | 15 years ago
Edit: not meaning to complain, I was trying to sort out if it was the Unicode, the tone, the list format, or the "no need to discuss" which is probably a bit rude.
I was hoping to make a quickly read mark that would let people know HN had already been over this ground and there was nothing new in the article, but I failed miserably.
gstar | 15 years ago
sp4rki | 15 years ago
In any case, if I was him I wouldn't worry about them decrypting the data in my lifetime. Do you know how many millions of years it would take to decrypt a 50 random char pass phrase with decent encryption? Lots of those. So unless there is a breakthrough in computing power several magnitudes bigger than what we have experienced and the money to dedicate millions of computers to the cause, or someone finds a loophole in the encryption algorithm (highly unlikely if using any type of military grade encryption), his data won't be decrypted.
kgo | 15 years ago
50 characters x 8 bits = 400 bits of entropy
Even if you account for not having backspaces and linefeeds in the password, he could still easily have 256 bits of entropy.
Even with Moore's law, a strong algo like AES-256 is generally considered to be uncrackable, assuming the algorithm and the implementation don't have any flaws.
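Added example, not part of the original thread and not any commenter's code: the arithmetic behind the comments above on a 50-character passphrase, a 256-bit key and Moore's law, for a passphrase chosen uniformly at random. The 95-symbol printable-ASCII alphabet, the rate of 10^12 guesses per second and the 18-month doubling period are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def passphrase_bits(length, alphabet_size):
    """Entropy in bits of a passphrase whose characters are chosen
    independently and uniformly at random from alphabet_size symbols."""
    return length * math.log2(alphabet_size)

def effective_bits(pass_bits, key_bits=256):
    """The smaller search space wins: guess passphrases or guess raw keys."""
    return min(pass_bits, key_bits)

def years_to_search(bits, guesses_per_sec, doubling_years=None):
    """Years to try half of a 2**bits space (the expected case).

    doubling_years=None keeps the guess rate fixed. Otherwise the rate
    doubles every doubling_years, so the work done by year t is
    rate * T/ln(2) * (2**(t/T) - 1); solve that for t.
    """
    work = 2.0 ** (bits - 1)
    rate_per_year = guesses_per_sec * SECONDS_PER_YEAR
    if doubling_years is None:
        return work / rate_per_year
    k = doubling_years / math.log(2)
    return doubling_years * math.log2(1 + work / (rate_per_year * k))

def summarize(length, alphabet_size, guesses_per_sec=1e12, doubling_years=1.5):
    """Collect the figures for one passphrase policy (rates are assumed)."""
    bits = effective_bits(passphrase_bits(length, alphabet_size))
    return {
        "passphrase_bits": round(passphrase_bits(length, alphabet_size), 1),
        "effective_bits": round(bits, 1),
        "years_fixed_rate": years_to_search(bits, guesses_per_sec),
        "years_doubling_rate": years_to_search(bits, guesses_per_sec, doubling_years),
    }

if __name__ == "__main__":
    # Constructed cases: 50 random printable-ASCII characters (95 symbols)
    # versus 8 random lowercase letters (26 symbols).
    for length, alphabet in [(50, 95), (8, 26)]:
        print(length, alphabet, summarize(length, alphabet))
```

Under these assumptions the 50-character passphrase is capped by the 256-bit key rather than by the passphrase, while the 8-letter case falls in well under a second, which is why passphrase length and randomness matter more than the cipher's key size.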
ax0n | 15 years ago
marcusbooster | 15 years ago