
Do you have to give up your password in Ireland?

  • 15-05-2015 11:54am
    #1
    Closed Accounts Posts: 720 ✭✭✭


    Hi guys,

    Just read this very interesting article on the IT Law in Ireland Blog about how the infamous Anglo scandal was slowed down by a failure to require former employees to provide passwords to encrypted documents.

    According to the article, there was no requirement for a former employee to surrender passwords to a document or device no longer under their control.

    However it does seem that under Section 48 of the Criminal Justice (Theft and Fraud Offences) Act 2001 that a Police Officer can "require" a suspect to hand over a password or otherwise do what is necessary to enable them to access information on a computer when enacting a search warrant.

    It also seems that a Judge can make out an evidence order requiring a suspect to provide data in its unencrypted form, provided that they are satisfied the suspect has access to the data and there's a reasonable belief that it would help with the investigation.

    The only thing it doesn't make clear is what happens if you refuse/say no?

    Naturally I can't condone refusing to comply with the law but unlike in the UK where you can be jailed for up to two years for refusal, it's not made clear what happens if you tell the Garda/Judge to go to hell or that you've forgotten the password.

    Perhaps this is best for the Legal Section but I'm interested if any of you have experience with this?


Comments

  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    To forestall anyone else mentioning it, the point can be rendered moot through employing Plausible Deniability when it comes to your encryption.

    A little more information in the documentation for Veracrypt available here.

    As encrypted volumes appear to only contain random data you can plausibly say that the volume is not in fact encrypted and you've just wiped it using the Linux dd command.

    Alternatively you can just use a hidden volume. This will probably only work though if your outer container has something inside it you'd plausibly like to hide. My own has the details for my foreign bank accounts for instance.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    As long as you don't openly admit on a public forum to using hidden containers...

    Your concern is very touching however I'll take my chances, thanks. :)


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    I actually did quite a comprehensive case study on this in college, well mainly on the UK law, RIPA it is called, which punishes if you refuse to hand it over for any reason. The ethical situations that arise are interesting, some people jailed for failing to hand over and were innocent, others were guilty so got shorter prison sentences!

    In Ireland it's far less strict, let me just say I forget my passwords all the time :cool: :D


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Laws have been changed in Switzerland when dealing with banking, the secrecy act is strong over there but has been all but stripped from banking sector, your info can be obtained RE bank accounts very easily via Interpol. Play nice now.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    timmywex wrote: »
    I actually did quite a comprehensive case study on this in college, well mainly on the UK law, RIPA it is called, which punishes if you refuse to hand it over for any reason. The ethical situations that arise are interesting, some people jailed for failing to hand over and were innocent, others were guilty so got shorter prison sentences!

    In Ireland it's far less strict, let me just say I forget my passwords all the time :cool: :D

    Very interesting Timmy!

    Like you I have a brain like swiss cheese! :)

    There's no absolute right against self incrimination in the UK unlike in the US.

    As you say, it's a no brainer if you really are a terrorist/pedo you'd take your 18 months, be out in 9 for good behaviour and run off cackling into the bushes. Only innocent people who stand up for their rights will really lose out!


  • Registered Users, Registered Users 2 Posts: 378 ✭✭catastrophy


    anvilfour wrote: »
    Hi guys,

    Just read this very interesting article on the IT Law in Ireland Blog about how the infamous Anglo scandal was slowed down by a failure to require former employees to provide passwords to encrypted documents.

    According to the article, there was no requirement for a former employee to surrender passwords to a document or device no longer under their control.

    However it does seem that under Section 48 of the Criminal Justice (Theft and Fraud Offences) Act 2001 that a Police Officer can "require" a suspect to hand over a password or otherwise do what is necessary to enable them to access information on a computer when enacting a search warrant.

    It also seems that a Judge can make out an evidence order requiring a suspect to provide data in its unencrypted form, provided that they are satisfied the suspect has access to the data and there's a reasonable belief that it would help with the investigation.

    The only thing it doesn't make clear is what happens if you refuse/say no?

    Naturally I can't condone refusing to comply with the law but unlike in the UK where you can be jailed for up to two years for refusal, it's not made clear what happens if you tell the Garda/Judge to go to hell or that you've forgotten the password.

    Perhaps this is best for the Legal Section but I'm interested if any of you have experience with this?

    Section 49 covers obstruction


  • Registered Users, Registered Users 2 Posts: 378 ✭✭catastrophy


    anvilfour wrote: »
    Only innocent people who stand up for their rights will really lose out!

    Really. Do you not think that the Gardai would have had to have reasonable suspicion to obtain the warrant in the first place? Let's be honest, genuinely innocent people will normally do whatever they can to assist an investigation.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    anvilfour wrote: »
    Hi guys,

    Just read this very interesting article on the IT Law in Ireland Blog about how the infamous Anglo scandal was slowed down by a failure to require former employees to provide passwords to encrypted documents.

    According to the article, there was no requirement for a former employee to surrender passwords to a document or device no longer under their control.

    However it does seem that under Section 48 of the Criminal Justice (Theft and Fraud Offences) Act 2001 that a Police Officer can "require" a suspect to hand over a password or otherwise do what is necessary to enable them to access information on a computer when enacting a search warrant.

    It also seems that a Judge can make out an evidence order requiring a suspect to provide data in its unencrypted form, provided that they are satisfied the suspect has access to the data and there's a reasonable belief that it would help with the investigation.

    The only thing it doesn't make clear is what happens if you refuse/say no?

    Naturally I can't condone refusing to comply with the law but unlike in the UK where you can be jailed for up to two years for refusal, it's not made clear what happens if you tell the Garda/Judge to go to hell or that you've forgotten the password.

    Perhaps this is best for the Legal Section but I'm interested if any of you have experience with this?

    Pick a recent tribunal. The inability of most of them to find wrongdoing mostly came down to the key witnesses' inability to recollect key points. Bertie didn't know how much money he got in donations because he didn't have a bank account at the time. :rolleyes:

    Where was the legal guidance in these cases when everyone in the room knows all the truth is not being told? I am sure you can slow things down significantly by not fully remembering the password.

    You: "Maybe there was a 1 on the end. Did you try it with a 1 on the end?".
    Prosecution: No
    Judge: Case adjourned until two weeks from today while the prosecution tries the password but with a 1 at the end.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    Pick a recent tribunal. The inability of most of them to find wrongdoing mostly came down to the key witnesses' inability to recollect key points. Bertie didn't know how much money he got in donations because he didn't have a bank account at the time. :rolleyes:

    I worked for Morgan Stanley back then. Bertie had an investment bank account, I asked an investment banker what was required to open an account with them, he told me 5 million, go under it and the account will close. Bertie's details were up on his 8 screen CRM tool. Nearly choked on my lunch the day he pronounced that he didn't have a bank account back then.......

    No longer bound by the 10 year secrecy contract :-).


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Really. Do you not think that the Gardai would have had to have reasonable suspicion to obtain the warrant in the first place? Let's be honest, genuinely innocent people will normally do whatever they can to assist an investigation.

    Suspicion isn't worth crap IMO. It could be founded on the fact that you like privacy for example. "Ooooh. Likes his privacy, does he? Must have something to hide".

    I would go to jail on point of principle before giving up my passwords and I have nothing to hide.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    dbit wrote: »
    I worked for Morgan Stanley back then. Bertie had an investment bank account, I asked an investment banker what was required to open an account with them, he told me 5 million, go under it and the account will close. Bertie's details were up on his 8 screen CRM tool. Nearly choked on my lunch the day he pronounced that he didn't have a bank account back then.......

    No longer bound by the 10 year secrecy contract :-).

    10 years or not, I'd avoid admitting stuff like this online. Morgan Stanley, ex-VMware, it wouldn't be very hard to figure out who you are. Especially a "secret" which the entire country knew and still knows.


  • Moderators, Society & Culture Moderators Posts: 9,768 Mod ✭✭✭✭Manach


    Even outside a criminal investigation, my understanding from what I had read on Anton Piller orders, one could be made to disclose all types of information to prevent the destruction of evidence. They had been used fairly draconically to acquire evidence in civil cases but recent rulings seem to have throttled back their effect. However this would likely apply to work passwords and might to home if one does company work there.


  • Registered Users, Registered Users 2 Posts: 378 ✭✭catastrophy


    Khannie wrote: »
    Suspicion isn't worth crap IMO. It could be founded on the fact that you like privacy for example. "Ooooh. Likes his privacy, does he? Must have something to hide".

    I would go to jail on point of principle before giving up my passwords and I have nothing to hide.

    No, you're right, suspicion isn't worth a crap. Reasonable suspicion is what's required. Which in the scenario given by the op would also have to have satisfied a judge.

    But you see you wouldn't go to jail. Not even close. What for?

    Unless of course you were suspected of committing a crime under the act. But certainly not over a privacy issue.


  • Closed Accounts Posts: 6,925 ✭✭✭RainyDay


    What kind of scenarios would a work password be relevant in a court case?

    Surely for any kind of business, the documents would be on a shared server, so passwords of individual users are irrelevant. They also change frequently, so no-one could be expected to remember what work password they had 2 or 3 years ago.

    Are businesses using strong encryption with passwords set by individual users?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Really. Do you not think that the Gardai would have had to have reasonable suspicion to obtain the warrant in the first place? Let's be honest, genuinely innocent people will normally do whatever they can to assist an investigation.

    Clearly you haven't seen this video:



    The video is centred around US law which of course has an enshrined right against self incrimination unlike here in Ireland but the points raised are valid even over here.

    I also hope you have a peek at Moxie Marlinspike's excellent article on the "nothing to hide" fallacy, this has been thoroughly debunked now. The article draws on the above video too.

    Anyone who expects fairer treatment through cooperating with a Police investigation is simply ignorant.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote: »
    Laws have been changed in Switzerland when dealing with banking, the secrecy act is strong over there but has been all but stripped from banking sector, your info can be obtained RE bank accounts very easily via Interpol. Play nice now.

    Agreed! The days of the good old numbered account are gone. Fortunately Switzerland aren't the only poker game in town! :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    RainyDay wrote: »
    What kind of scenarios would a work password be relevant in a court case?

    Surely for any kind of business, the documents would be on a shared server, so passwords of individual users are irrelevant. They also change frequently, so no-one could be expected to remember what work password they had 2 or 3 years ago.

    Are businesses using strong encryption with passwords set by individual users?

    Hi RainyDay,

    It does seem that in the case of the Anglo Scandal, it wasn't reasonable to punish individual former employees for failing to provide the password, particularly as you say it might have been related to documents on a server, also in some cases they might be asked to remember it years after the fact!

    Also if they were anything like me, they'd have written down their work passwords near their work machine so they didn't have to remember them! :)


  • Registered Users, Registered Users 2 Posts: 3,663 ✭✭✭pah


    No, you're right, suspicion isn't worth a crap. Reasonable suspicion is what's required. Which in the scenario given by the op would also have to have satisfied a judge.

    It's reasonable grounds more so than suspicion.

    Section 51 of the Theft and Fraud Offences Act allows for the offence of concealment of a document that might fall under this.
    Concealing facts disclosed by documents.

    51.—(1) Any person who—

    (a) knows or suspects that an investigation by the Garda Síochána into an offence under this Act is being or is likely to be carried out, and

    (b) falsifies, conceals, destroys or otherwise disposes of a document or record which he or she knows or suspects is or would be relevant to the investigation or causes or permits its falsification, concealment, destruction or disposal,

    is guilty of an offence.

    (2) Where a person—

    (a) falsifies, conceals, destroys or otherwise disposes of a document, or

    (b) causes or permits its falsification, concealment, destruction or disposal,

    in such circumstances that it is reasonable to conclude that the person knew or suspected—

    (i) that an investigation by the Garda Síochána into an offence under this Act was being or was likely to be carried out, and

    (ii) that the document was or would be relevant to the investigation,

    he or she shall be taken for the purposes of this section to have so known or suspected, unless the court or the jury, as the case may be, is satisfied having regard to all the evidence that there is a reasonable doubt as to whether he or she so knew or suspected.

    (3) A person guilty of an offence under this section is liable on conviction on indictment to a fine or imprisonment for a term not exceeding 5 years or both.

    The problem however still arises that the person is simply unable to recall the password. If it seems to be a purposeful attempt to conceal evidence the DPP might run with a prosecution under Section 51. It would be up to the court/jury to determine at that stage


  • Registered Users, Registered Users 2 Posts: 3,663 ✭✭✭pah


    Section 48 5b states
    (b) require any person at that place who appears to the member to have lawful access to the information in any such computer—
    (i) to give to the member any password necessary to operate it,
    (ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
    (iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.

    IMO that means providing encryption keys and passwords

    The penalties for failing to do so under Section 49 are quite low
    liable on summary conviction to a fine not exceeding £500 or imprisonment for a term not exceeding 6 months or both.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    pah wrote: »
    Section 48 5b states



    IMO that means providing encryption keys and passwords

    The penalties for failing to do so under Section 49 are quite low


    Thanks pah, this was what I was after, sorry for not reading the legislation more thoroughly! Then again, this would be a no brainer for someone like a drug dealer - take your six months (probably out in four) and then carry on as before.

    An innocent person, or someone as you mentioned who genuinely has forgotten their password is the most likely to get stiffed by this.

