Give us your password or go to jail!

FruitLover

On the one hand:

As mentioned previously in the thread, privacy is a basic human (and civil) right and bleating about someone having 'something to hide' simply because they choose to exercise this right is ignorant and short-sighted. I bet everyone in this thread who has noted the use of computer encryption as 'suspicious' still locks the door when they're taking a dump, or closes the blinds/curtains when they're drying after a shower.

On the other:

Police don't just randomly raid people's houses on suspicions of child abuse, and if they have been granted a warrant to search the house based on reasonable suspicion, I think they should be able to search the computer as well, considering this is a likely source of evidence. Preventing this (e.g. by withholding an encryption key or password) could reasonably considered obstruction of justice.

Manic Moran

Here's the question I've not seen answered: Was there a legal justification for the search of the hard drive? i.e. was there a warrant out?

If so, then the obstruction or refusal could be validly a jailable offence.

The issue has been in the courts a few times in the US, the jury is still sortof out on whether or not compelling a person to reveal his password is a violation of the Fifth. The caselaw is still being fine-tuned, but the nutshell is that 'You have the right to remain silent, with a few exceptions you may not be aware of if you've not paid attention to the wider caselaw relating to the 5th'

NTM

old_aussie

Deleted User wrote: »

Is the stuff on your computer worth going to jail for?

If you don't want to wear the tag of pedofile for the rest of your life.

old_aussie

pwd wrote: »

The only software you need is Windows itself

You must know very little about encrypted password protection.

Overheal

mikom wrote: »

At a guess.......... Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch

58 letters though.

I would have presumed something easier to remember like H0w4r3j00g3ntl3m3n477urb453rb370ng2us, or something to that effect.

Overheal

Manic Moran wrote: »

Here's the question I've not seen answered: Was there a legal justification for the search of the hard drive? i.e. was there a warrant out?

If so, then the obstruction or refusal could be validly a jailable offence.

The issue has been in the courts a few times in the US, the jury is still sortof out on whether or not compelling a person to reveal his password is a violation of the Fifth. The caselaw is still being fine-tuned, but the nutshell is that 'You have the right to remain silent, with a few exceptions you may not be aware of if you've not paid attention to the wider caselaw relating to the 5th'

NTM

I was about to raise the same point but the article cites an english act of 2000 about investigatory powers. Im not exactly up to scratch on british criminal law.

Dravokivich

minidazzler wrote: »

Unless they have some pretty damning evidence

From the article...

was arrested in May 2009 by police tackling child sexual exploitation.

I think they may have had evidence linking him to people who trafficed such data, or even possibly a direct complaint from someone he may have been harrassing.

Police can't act on this kind of thing without a warrant.

This was not a fúcking whim...

CreepingDeath

Amalgam wrote: »

Quite probably using: http://www.truecrypt.org/

Yeah, the FBI weren't able to crack TrueCrypt. News Link

I use it on my USB drives in case I lose them... I don't want a lot of personal & work related documents falling into the wrong hands.

Cavehill Red

Under A Funeral Moon wrote: »

If he had nothing to hide, he should have gave them the encryption password. Why else run the risk of going to prison? Serves him right. If he's found innocent in the future, I'll gladly take back my previous comment.

Er, he IS innocent. Innocent until proven guilty.
The only thing he has been found guilty of is not giving the police his computer password. Unless you do believe that privacy is a criminal act?

CreepingDeath

Cavehill Red wrote: »

Er, he IS innocent. Innocent until proven guilty.
The only thing he has been found guilty of is not giving the police his computer password. Unless you do believe that privacy is a criminal act?

True.
Not giving out the password is the equivalent of the right to silence.

enda1

CreepingDeath wrote: »

True.
Not giving out the password is the equivalent of the right to silence.

Maybe,

though its more like if the police have a warrant to search your house and you then pour about 5 metres of concrete over and all around it. Leaving one door which is nuclear bomb proof - and don't give them the key.

Cavehill Red

enda1 wrote: »

Maybe,

though its more like if the police have a warrant to search your house and you then pour about 5 metres of concrete over and all around it. Leaving one door which is nuclear bomb proof - and don't give them the key.

Er, no it isn't.

coffee_cake

stepbar wrote: »

Not if you have kiddie porn on it you don't.... :mad:

Who the hell puts a 50-character encryption password on their PC unless they have something to hide?

Wtf kind of cr@p is this?
Why do you have a lock on your door if you have nothing to hide?
Why do you wear clothes if you have nothing to hide?
Why don't you disclose your salary and bank details to every man on the street if you have nothing to hide?

I hate this stupid ridiculous "if you have nothing to hide you don't mind sharing every intimate detail with everyone".
Fair fcuks to the kid standing up and not giving his password.
Even if he was hiding something, it's good on principle.

nudist

CreepingDeath wrote: »

Yeah, the FBI weren't able to crack TrueCrypt. News Link

I use it on my USB drives in case I lose them... I don't want a lot of personal & work related documents falling into the wrong hands.

I use truecrypt as well-tell me what is the best way to remember passwords? using acronyms i can remember 12-14 symbols but that is too short for a password these days.

For more sensitive data you could obviously store the password on a encrypted usb disk but then you have to remember the password for the usb key as well then.

Oh and by the way my username is 'nudist' but its just that- a username i picked cos it was free. I do wear clothes :pac:

28064212

bluewolf wrote: »

Wtf kind of cr@p is this?
Why do you have a lock on your door if you have nothing to hide?

If the Gardaí have a valid warrant for my house, I don't lock it to them

bluewolf wrote: »

Why do you wear clothes if you have nothing to hide?

If the Gardaí have reason to believe I'm hiding something on my person, I strip down

bluewolf wrote: »

Why don't you disclose your salary and bank details to every man on the street if you have nothing to hide?

If the Gardaí have evidence I'm in posession of money I shouldn't have, I give them my salary details to account for it

bluewolf wrote: »

I hate this stupid ridiculous "if you have nothing to hide you don't mind sharing every intimate detail with everyone".
Fair fcuks to the kid standing up and not giving his password.
Even if he was hiding something, it's good on principle.

There is a huge difference between "sharing every intimate detail with everyone" and disclosing legally relevant information to society's law-keepers. Assuming that the police in this case had a warrant, they had to have enough evidence to convince a magistrate that there was cause to seize his computer. This wasn't a random search. Here is the warrant-issuing guidelines. There are a number of criteria which needs to be met.

To the posters disagreeing with the suspect being forced to give up his password, what would be the correct course of action in the following scenario: A suspected arms dealer is arrested and a warrant is issued to search his home, where there is believed to be a weapons shipment. The police search the home, finding nothing, except for a walk-in safe which they can't access. Should the suspect be required to give up access to the safe?

An entirely separate issue that people seem to be bringing into the discussion is the responsibilities of the Gardaí in regard to private legal information. If the police find a load of (legal) BDSM porn on his computer, they have no right to discuss that or make it public knowledge. If they do, they can be sued and face expulsion from the force. If the suspect in this case has confidential, personal or sensitive (legal) information on his computer, the police are bound by law to respect the privacy of what they found.

coffee_cake

28064212 wrote: »

There is a huge difference between "sharing every intimate detail with everyone" and disclosing legally relevant information to society's law-keepers..

There's another huge difference between the latter and "Who the hell puts a 50-character encryption password on their PC unless they have something to hide?"

28064212

bluewolf wrote: »

There's another huge difference between the latter and "Who the hell puts a 50-character encryption password on their PC unless they have something to hide?"

Sorry, I misread and assumed your implication was that he shouldn't be forced to give up his password.

Do you think he should be required to give the police his password?

seamus

In case anyone is imagining an insanely complicated password, remember that space is a character too.
A simple phrase or sentence, such as "According to Douglas Adams, the meaning of life is 42" weighs in at 53 characters and assuming that it's not a direct quote would be next to impossible to crack. Because it's a sentence, it's much easier to type in correctly.

Though if you leave your PC and lock it every five minutes I'm sure it would become a nightmare over time. But even a simple phrase of twenty characters or so would be super-strong and easy to type in.

fergalr

28064212 wrote: »

An entirely separate issue that people seem to be bringing into the discussion is the responsibilities of the Gardaí in regard to private legal information. If the police find a load of (legal) BDSM porn on his computer, they have no right to discuss that or make it public knowledge. If they do, they can be sued and face expulsion from the force. If the suspect in this case has confidential, personal or sensitive (legal) information on his computer, the police are bound by law to respect the privacy of what they found.

First off, its not specifically the Gardai that are being discussed in this thread, its a UK case.

From from the current case, it seems that if they are just investigating you for having child porn, they can just tell this to the press and get you tarred with the same 'guilty until proven innocent' brush used here, with little respect for what a police accusation like that will do.

Separately, police leak strategically useful stuff all the time. You are naive if you think otherwise, there are frequent examples if this.

In the example you gave, if you start complaining about them frivolously forcing you to disclose your password, you might soon see a newspaper report disclosing that BDSM porn you didn't want to come out.

JohnK

28064212 wrote: »

There is a huge difference between "sharing every intimate detail with everyone" and disclosing legally relevant information to society's law-keepers.

Bull****! People store every tiny little detail about their lives on their computers these days so giving a password is giving the police every tiny little detail about your life and in the event you work for yourself like I do then it also gives every little detail about your job and loads of confidential client information.

nudist

seamus wrote: »

In case anyone is imagining an insanely complicated password, remember that space is a character too.
A simple phrase or sentence, such as "According to Douglas Adams, the meaning of life is 42" weighs in at 53 characters and assuming that it's not a direct quote would be next to impossible to crack. Because it's a sentence, it's much easier to type in correctly.

Though if you leave your PC and lock it every five minutes I'm sure it would become a nightmare over time. But even a simple phrase of twenty characters or so would be super-strong and easy to type in.

I was under the impression that using full words, let alone a sentence composed of full words was a bad idea due to many brute force hack attacks these days using dictionaries composed of rainbow tables. Can someone comment on this?

28064212

fergalr wrote: »

First off, its not specifically the Gardai that are being discussed in this thread, its a UK case.

Yes, and the Gardaí and the UK police share a huge amount of law. I switched between using "Gardaí" and "police" deliberately.

fergalr wrote: »

From from the current case, it seems that if they are just investigating you for having child porn, they can just tell this to the press and get you tarred with the same 'guilty until proven innocent' brush used here, with little respect for what a police accusation like that will do.

No, they can disclose what you were arrested for and what you were convicted for. No private information from the police is in that article, only stuff that was in the public domain.

fergalr wrote: »

Separately, police leak strategically useful stuff all the time. You are naive if you think otherwise, there are frequent examples if this.

Hearsay at best. What examples do they have of leaking information that they are legally required to keep private?

fergalr wrote: »

In the example you gave, if you start complaining about them frivolously forcing you to disclose your password, you might soon see a newspaper report disclosing that BDSM porn you didn't want to come out.

Incredibly illegal, and they would be sued for a massive amount

JohnK wrote: »

Bull****! People store every tiny little detail about their lives on their computers these days so giving a password is giving the police every tiny little detail about your life and in the event you work for yourself like I do then it also gives every little detail about your job and loads of confidential client information.

Which, as I've already stated, the police are legally required to keep private. If any information is disclosed, you are entitled to sue them for damages arising from it. If you're suspected of carrying drugs in your briefcase, they are entitled to search that, and you don't have the right to refuse on the grounds of sensitive business information. How much information could they get on you if your business was suspected of money-laundering and they got a warrant to inspect your accounts? What about a warrant to search your home?

AKA pat sheen

bluewolf wrote: »

Fair fcuks to the kid standing up and not giving his password.
Even if he was hiding something, it's good on principle.

He didn't need to withhold his password.

If he was using truecrypt (correctly set up) he could have given his pre-boot authentication password and then a decoy decryption password in which case his outer volume and decoy operating system would be mounted leaving his hidden volume and hidden OS out of site. That's like an invisible safe within a safe to use the previous analogy. That would give plausible deniability, the cops would then have access to AN operating system and couldn't prove another hidden volume & OS exists. Of course he would have to take other precautions with regard to NICs.

You could even have an encrypted virtual machine with a hidden OS within a decoy OS, on a disguised thumbprint or pin protected USB drive if your really into privacy.

Overheal

Overheal wrote: »

I would have presumed something easier to remember like H0w4r3j00g3ntl3m3n477urb453rb370ng2us, or something to that effect.

More likely it's thequickbrownfoxjumpsoverthelazydogs123456789times (50 letters)

nudist

nudist wrote: »

I was under the impression that using full words, let alone a sentence composed of full words was a bad idea due to many brute force hack attacks these days using dictionaries composed of rainbow tables. Can someone comment on this?

Passwords are case sensative, so a sentence like "marY=hAd/á|l1ttl3-LaM8" would seriously slow down a dictionary attack.

pwd

old_aussie wrote: »

You must know very little about encrypted password protection.

Did you read the post I replied to? Was talking about standard Windows passwords, which can be bypassed without any specialist software or knowledge.

nudist

pwd wrote: »

Did you read the post I replied to? Was talking about standard Windows passwords, which can be bypassed without any specialist software or knowledge.

Like a linux live cd ? and then copy and paste the home folder? Physical access is root access no?

fergalr

nudist wrote: »

I was under the impression that using full words, let alone a sentence composed of full words was a bad idea due to many brute force hack attacks these days using dictionaries composed of rainbow tables. Can someone comment on this?

Individual full words are very bad because of rainbow tables.
Short sequences of letters and numbers are bad because of brute force searches.

The advantage of a passphrase rather than a password is that its too long to be brute forced by random character search.

If you look at freely available rainbow tables its easy to get 8 character alphanumeric ones. I'm not familiar with the state of the art, but I guess someone with a lot of resources might have 10 character rainbows, maybe even a few digits more, but you fast get to the point where you'd be requiring tens of thousands of terabytes just to store, never mind generate, the hashes.


There are a lot more words than there are letters.

If you had a phrase of words that didn't make english sense with more than 10 or so words, I find it hard to conceive of someone rainbow cracking it.

Even if you assume only 200 possible words, a 10 word !! ** random ** !!phrase, is (200^10) combinations. If it takes 10 bytes (lets be very conservative, because I've no idea what clever encoding schemes people use) to store a rainbow entry you are talking about a trillion terabytes of storage.
With 7 words is (((200^7) * 10)/ 1000000000000) = 128,000 terabytes of storage, which is maybe in the realms of possibility.


Now, someone is probably building rainbow tables of popular phrases, doing a structured search through english language key phrase space; maybe some sort of markov chain thing where you generate phrases based on the probability of english words following on from each other.

You wouldn't use popular phrases, obviously. I absolutely guarantee you that someone, somewhere, has built a dictionary with first lines from books, poems, famous quotes etc.


Using meaningful english phrases makes probabilities much harder to estimate.

To come at it another way, shannon calculated entropy of english with a lower bound of 0.6 bits per letter. A ten word phrase, with 3 letters per word on average, should thus be equivalent to 30 * 0.6 bits of entropy. Probably more, as the shorter words and the lack of context reduces entropy, but again, lets be conservative.

Thats 18 bits, which means 2^18 combinations, ~ 200k - not very many.

Twenty five words, (25*3*.6) = 45bits. 2^45 combinations, lets again assume it takes 10 bytes to store a rainbow hash entry, =351 terabytes of storage required; at the cusp of serious resources there.


That's probably very conservative though, but should give some idea. All back of the envelope stuff, and I could have made order of magnitude mistakes, so if you are in charge of national security, please get a second opinion.

fergalr

28064212 wrote: »

Yes, and the Gardaí and the UK police share a huge amount of law. I switched between using "Gardaí" and "police" deliberately.

One of the laws they specifically do not share is the controversial RIP legislation which is what the guy was convicted of violating; hence I think its important to maintain that distinction.

28064212 wrote: »

No, they can disclose what you were arrested for and what you were convicted for. No private information from the police is in that article, only stuff that was in the public domain.

I didn't see that he was arrested for anything other than failing to provide his passport. The articles write that he was under investigation for other crimes. Was he also arrested for them?

28064212 wrote: »

Hearsay at best. What examples do they have of leaking information that they are legally required to keep private?

I don't really follow the UK current affairs, but I can recall several politically relevant leaks from the Gardai here in Ireland (which you argue are similar) over the last few months. I believe one such forced Trevor Sargent to resign? And that an investigation has been ordered into how the disgraceful behaviour by the TD PJ Sheehan was made public too?
Thats only two examples off the top of my head.

Do you ever wonder what the phrase 'who was known to the Gardai' means? You often hear it after someone has been died. I wonder what that phrase means? Does it necessarily mean 'was arrested by the Gardai'? How do the media source these things?

28064212 wrote: »

Incredibly illegal, and they would be sued for a massive amount


Which, as I've already stated, the police are legally required to keep private. If any information is disclosed, you are entitled to sue them for damages arising from it. If you're suspected of carrying drugs in your briefcase, they are entitled to search that, and you don't have the right to refuse on the grounds of sensitive business information. How much information could they get on you if your business was suspected of money-laundering and they got a warrant to inspect your accounts? What about a warrant to search your home?

http://en.wikipedia.org/wiki/Right_to_silence

Are you familiar with the idea of a 'right to remain silent'?
Do you see any reason why lots of different countries might have decided such a right was a good idea?
It must strike you as a very curious thing that such a right exists?

Do you have any thoughts on the right to remain silent? If it is a bad right, why?
Do you think that forcing someone to go to jail unless they break their silence and tell you what their password is, is compatible with a right to remain silent?

Sykk

Naab police, use a copy of *** (Better not say) to easily surpass the password and boot right into the OS. Fail