
Right to Silence vs Encryption Keys

  • 02-05-2016 2:37pm
    #1
    Closed Accounts Posts: 1,299 ✭✭✭


    Let me pre-empt this by saying I am a layperson with no in-depth knowledge of the justice system.

    I am curious about the position of Irish law regarding the disclosure of passwords for encrypted hard drives versus the right to silence in a criminal case.

    In 2007, the UK passed a law which required the disclosure of keys or face up to 2 years in prison. Link.
    In the US, a child sex abuse image suspect has been jailed indefinitely, until such time as he complies with the decryption order. Link.

    Now, in section 28 of the Electronic Commerce Act, 2000, it is stated
    28.—Nothing in this Act shall be construed as requiring the disclosure or enabling the seizure of unique data, such as codes, passwords, algorithms, private cryptographic keys, or other data, that may be necessary to render information or an electronic communication intelligible.

    However, in section 48 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 it states
    (5) A member of the Garda Síochána acting under the authority of a warrant under this section may—

    (a) operate any computer at the place which is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and

    (b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

    (i) to give to the member any password necessary to operate it,

    (ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or

    (iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.

    Would you assume this only applies if you are present at the time of searching? Also, doesn't this conflict with a right to silence, if the hard drive contains evidence which would incriminate yourself?


Comments

  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Also, doesn't this conflict with a right to silence, if the hard drive contains evidence which would incriminate yourself?

    There's no requirement to be guilty to be silent. Putting that aside for a moment, if this ever happens it will be a huge constitutional case, probably less well decided with the passing of Hardiman J.

    I've absolutely no doubt that this would be made clear to anyone wishing to keep any internet 'proclivities' to themselves/as quiet as possible.

    It's unclear how it would be decided in the wake of the JC decision IMHO, at the moment we seem to be backpedalling on a total protectionist stance to constitutional rights.


  • Administrators, Entertainment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 18,774 Admin ✭✭✭✭✭hullaballoo


    It does seem that way.

    Hardiman J. was a major protector of the constitution and it seems that the move away from the in-depth study of jurisprudence and legal history has left the legal profession bereft of an understanding of the why of it all.

    It isn't just a matter of deciding on what the law says from their perspective, it ought to be a matter of what the law does.

    There have been a number of major losses to the judiciary in terms of how the constitution is protected over the past few years and I have to say, I find it worrying to see how the constitution and other vital legal doctrines have been taken to task with little or no thought about the consequences.

    I actually still struggle with the fact that jurisprudence isn't a mandatory subject for entry to the bar.


  • Registered Users, Registered Users 2 Posts: 862 ✭✭✭constance tench




  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951



    The part of that which I find 'interesting' is this
    Gardai are unable to examine more than 100 key files in their investigation into Anglo Irish Bank because former senior executives have not handed over the computer passwords.

    If the files are encrypted, how can the Garda know those files are 'key' to anything, as they can have no knowledge of the contents of the files?
    What makes those files 'key' in the Garda's view?


  • Registered Users, Registered Users 2 Posts: 11,790 ✭✭✭✭BattleCorp


    I'm sorry Garda. It's been almost 7 years since I encrypted those devices and I can't remember what the password was. Oops.


  • Closed Accounts Posts: 21,730 ✭✭✭✭Fred Swanson


    This post has been deleted.


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    The part of that which I find 'interesting' is this



    If the files are encrypted, how can the Garda know those files are 'key' to anything, as they can have no knowledge of the contents of the files?
    What makes those files 'key' in the Garda's view?

    Good question. Even broader, how can the Garda even prove that there is any encrypted data? For example, from the documentation for VeraCrypt, open source encryption software:

    In case an adversary forces you to reveal your password, VeraCrypt provides and supports two kinds of plausible deniability:
    • Hidden volumes (see the section Hidden Volume) and hidden operating systems (see the section Hidden Operating System).
    • Until decrypted, a VeraCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it should be impossible to prove that a partition or a device is a VeraCrypt volume or that it has been encrypted. . .


  • Closed Accounts Posts: 21,730 ✭✭✭✭Fred Swanson


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 862 ✭✭✭constance tench


    The part of that which I find 'interesting' is this



    If the files are encrypted, how can the Garda know those files are 'key' to anything, as they can have no knowledge of the contents of the files?
    What makes those files 'key' in the Garda's view?
    The court was told that four key areas of inquiry centred on:


    • Financial aid from Anglo in 2008 to a group of investors, known as the Maple Ten, to purchase shares in circumstances that might be contrary to the Companies Act.
    • The provision of loans by Anglo to its former directors and the regular "warehousing" of some of the loans in the Irish Nationwide Building Society at the end of Anglo's financial year, which might also be contrary to the Companies Act.
    • A "back-to-back" deposit deal undertaken between Anglo and Irish Life and Permanent Group for the benefit of Anglo at the end of 2008.
    • The provision of a loan to an Anglo director in circumstances that might be contrary to common law and certain provisions of the Companies Act.

    http://www.independent.ie/irish-news/anglo-chiefs-facing-quiz-on-missing-passwords-26698319.html


  • Registered Users, Registered Users 2 Posts: 8,779 ✭✭✭Carawaystick


    The Gardaí can't seize anything subject to legal privilege, so use some legal advice as your passphrase....


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    The Gardaí can't seize anything subject to legal privilege, so use some legal advice as your passphrase....

    Novel idea! Is it still legal advice when used as a password though?


  • Registered Users, Registered Users 2 Posts: 8,779 ✭✭✭Carawaystick


    Obviously still legal advice. No idea at all if it's still privileged though.

    The act quoted seems odd. If the garda suspect you have a password you've to give it to them.
    Unsure how this works when their suspicions are incorrect?


  • Closed Accounts Posts: 21,730 ✭✭✭✭Fred Swanson


    This post has been deleted.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    This post has been deleted.

    Your confidence in the upstanding members of the Gardai gives me a warm and fuzzy feeling inside.


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    The act quoted seems odd. If the garda suspect you have a password you've to give it to them.
    Unsure how this works when their suspicions are incorrect?
    You have to prove they're wrong.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    You have to prove they're wrong.

    What is that assumption based on - it's possible that the evidential burden is shifted but I'm not sure what in the legislation or precedent backs up that assertion. I make that comment genuinely seeking enlightenment.


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    What is that assumption based on - it's possible that the evidential burden is shifted but I'm not sure what in the legislation or precedent backs up that assertion. I make that comment genuinely seeking enlightenment.
    There are no precedents here. There is the US precedent quoted earlier in the thread. The law itself offers no line of defence to a person suspected of knowing a password and does not describe a burden of proof required of the authorities, mere suspicion is accepted.


  • Registered Users, Registered Users 2 Posts: 697 ✭✭✭rsh118


    You'd think the 5th amendment (Right not to self-incriminate) would apply to this one in the states.

    As for here, the right to privacy outweighs the government I'm afraid. I don't want Enda looking at me in my speedos on holiday again.

    I never buy the "I've nothing to hide, have a rifle through" argument. If that's the case, share all your family photos, passwords, bank statements etc with us. I'd love to read. I really like numbers. Especially ones starting with acc:


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    There are no precedents here. There is the US precedent quoted earlier in the thread. The law itself offers no line of defence to a person suspected of knowing a password and does not describe a burden of proof required of the authorities, mere suspicion is accepted.

    I'm not sure you understood my point. In some cases an evidential burden shifts. IIRC an example was the IRA calls the shots case (Healy, Heany so bad at case names). These have been found to be compatible with the Constitution; are you saying that the legislation does a similar thing in this case? Could I ask you to spell it out for me in more direct terms, perhaps with some links?

    Thanks in advance.


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    Could I ask you to spell it out for me in more direct terms, perhaps with some links?
    Thanks in advance.
    This is the link to the US case

    Section 5b of the act under discussion says "b) require any person at that place who appears to the member to have lawful access to the information in any such computer—(i) to give to the member any password necessary to operate it,". So, in order to be subject to compulsion under this act, merely requires a decision by a Garda. Failure to comply risks a fine and imprisonment.

    Once the Garda has made up his mind, the only defence I can think of would be to try and persuade the court that the Garda was wrong?


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    This is the link to the US case

    Section 5b of the act under discussion says "b) require any person at that place who appears to the member to have lawful access to the information in any such computer—(i) to give to the member any password necessary to operate it,". So, in order to be subject to compulsion under this act, merely requires a decision by a Garda. Failure to comply risks a fine and imprisonment.

    Once the Garda has made up his mind, the only defence I can think of would be to try and persuade the court that the Garda was wrong?

    I'm not sure it does. The prosecution of any case requires that all elements of an offence be proven. How does the prosecution prove the accused knows the password? Is there a reference in the legislation to a shift of the evidential burden?


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    I'm not sure it does. The prosecution of any case requires that all elements of an offence be proven. How does the prosecution prove the accused knows the password? Is there a reference in the legislation to a shift of the evidential burden?
    The prosecution does not need to prove that the accused knows the password, merely that it appeared to the Garda this was so. Perhaps this is similar to a person appearing to be intoxicated while driving and refusing to give a sample?


  • Registered Users, Registered Users 2 Posts: 14,048 ✭✭✭✭Johnboy1951


    Shep_Dog wrote: »
    The prosecution does not need to prove that the accused knows the password, merely that it appeared to the Garda this was so. Perhaps this is similar to a person appearing to be intoxicated while driving and refusing to give a sample?

    I would view it more like a Garda accusing me of having an unlicensed firearm without any proof that such a firearm is in my possession/control (or ever was).


  • Registered Users, Registered Users 2 Posts: 1,756 ✭✭✭vector


    So, we should all be using passwords and not fingerprint unlocking on our phones!


  • Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 10,581 Mod ✭✭✭✭Robbo


    This post has been deleted.
    Rubber-Hose Cryptanalysis.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    The prosecution does not need to prove that the accused knows the password, merely that it appeared to the Garda this was so. Perhaps this is similar to a person appearing to be intoxicated while driving and refusing to give a sample?

    I'm not sure I see where you're getting that from - fair enough though I'm not sure there's ever been a case reported on at least. I guess we'll have to leave it arguable from both sides.


  • Closed Accounts Posts: 2,948 ✭✭✭gizmo555


    A British court on Tuesday rejected an attempt by security agents to force an alleged hacker to hand over his encryption keys.

    Thirty-one-year-old Lauri Love has been accused by U.S. authorities of hacking into U.S. government networks between 2012 and 2013, including those of the Department of Defense, the Environmental Protection Agency, the Department of Energy, and NASA.

    In October 2013, the U.K.’s equivalent of the FBI, the National Crime Agency, raided Love’s home and seized his computers and hard drives. But some of the devices contained encrypted data, meaning the agency could not access it.

    Initially the British authorities served Love with an order under Section 49 of the U.K’s controversial Regulation of Investigatory Powers Act, which demanded that he hand over his passwords to open encrypted files stored on the devices. He declined to comply, and the National Crime Agency did not push the issue; Love was not charged with an offense under any British laws.

    However, when Love recently launched a civil case seeking the return of his computers and storage devices, the agency renewed its encryption demand, and attempted to turn the civil proceedings around on him by using them as new means to get a judge to order Love to disclose his passwords and encryption keys. Investigators refused to return Love’s computers and hard drives on the basis that they claimed the devices could contain data that he did not have legitimate “ownership” of – for instance, hacked files. The authorities stated that if Love wanted to get his devices back, he would have to first turn over his passwords and show what was contained on them.

    As The Intercept previously reported, civil liberties campaigners were alarmed by this development, because it seemed to be an effort to bypass the normal procedure under the Regulation of Investigatory Powers Act, which includes safeguards against abuse. The campaigners feared that, if successful, the case would set a new precedent that could have had implications for journalists, activists, and others who need to guard confidential information, potentially making it easier in the future for British police and security agencies to gain access to, or to seize and retain, encrypted material.

    On Tuesday, at Westminster Magistrates’ Court in London, judge Nina Tempia ruled in Love’s favor. Tempia said that she was “not persuaded” by the National Crime Agency’s argument that Love should be compelled to disclose his passwords and encryption keys to prove his ownership of the data. She also took a swipe at the agency’s attempt to “circumvent” the Regulation of Investigatory Powers Act, which she described as the “specific legislation that has been passed in order to deal with the disclosure sought.”


    https://theintercept.com/2016/05/10/uk-hacker-lauri-love-encryption-court-victory/


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    Under section 53 of the UK's Regulation of Investigatory Powers Act, which the authorities did not enforce in the 'Love' case, the onus of proof that a person has passwords is clearly placed on the plaintiff and can be decided in court:
    (2) In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.

    (3) For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—

    (a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and

    (b) the contrary is not proved beyond a reasonable doubt.

    The Irish law, discussed in this thread is not as specific as RIPA. It appears that the opinion of a Garda will suffice to prove liability and the court has no role.

    In the UK, if a person sets a password, too complex for a human to remember, makes a note of it and then loses the note before being served with notice, the UK law could lead to absurd arguments as to proving you don't know or have something.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    Under section 53 of the UK's Regulation of Investigatory Powers Act, which the authorities did not enforce in the 'Love' case, the onus of proof that a person has passwords is clearly placed on the plaintiff and can be decided in court:



    The Irish law, discussed in this thread is not as specific as RIPA. It appears that the opinion of a Garda will suffice to prove liability and the court has no role.

    In the UK, if a person sets a password, too complex for a human to remember, makes a note of it and then loses the note before being served with notice, the UK law could lead to absurd arguments as to proving you don't know or have something.

    I think you're fundamentally misunderstanding the presumption of innocence and differences given a written Constitution in Ireland.

    The quoted passage requires proof beyond a reasonable doubt the person had the key. It then requires some* evidence to raise the issue of no longer having it at which point it must again be proved the person has the key to the criminal standard.

    This sort of evidential back and forth isn't entirely unheard of but a complete reversal of the burden of proof is incompatible with Irish law. I take issue with the fact that the legislation doesn't say what you think it says but even if it did it would be open to challenge.

    *Usually this is the balance of probabilities test in Ireland.


  • Closed Accounts Posts: 499 ✭✭Shep_Dog


    I think you're fundamentally misunderstanding the presumption of innocence and differences given a written Constitution in Ireland.
    The UK law is admirable in attempting to provide legal clarity.

    The Irish law states that if it appears to a Garda that you have a password, he or she can demand it, and if you don't give it, you've broken the law. There's no stated provision for the court to review the Garda's opinion. It does not say 'if it appears to the court', it says 'if it appears to the member'.

    Of course, if a defendant can afford good representation, constitutional arguments might prevail depending on the weight given to constitutional rights.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    Shep_Dog wrote: »
    The UK law is admirable in attempting to provide legal clarity.

    The Irish law states that if it appears to a Garda that you have a password, he or she can demand it, and if you don't give it, you've broken the law. There's no stated provision for the court to review the Garda's opinion. It does not say 'if it appears to the court', it says 'if it appears to the member'.

    Of course, if a defendant can afford good representation, constitutional arguments might prevail depending on the weight given to constitutional rights.

    Most legislation is phrased as such. It's still reviewed during a criminal trial. The guards can't impose a sanction. Therefore the conversation would go something like this:

    Guard: "I have formed the opinion you have the password"
    Banker: "That's nice"
    Guard: "Give me the password or make the information readable"
    Banker: "I can't I don't have the password"
    Guard: "You'll have to go to court"
    Banker: "You'll have to prove I have the password"
    :Banker falls down the stairs: :pac:

    Legal Aid is, rightly, almost always granted in Criminal cases.

    Edit: Okay I think I see what you're driving at:

    In the UK it's a triple test:

    1) It must be shown the accused had the key
    2) Accused provides an excuse as to why they no longer have the key
    3) That evidence is rebutted to the criminal standard as per the legislation.

    In Ireland:

    49.—(1) A person who—

    (a) obstructs or attempts to obstruct a member of the Garda Síochána acting under the authority of a warrant issued under this Part, or

    (b) is found in or at the place named in the warrant by a member of the Garda Síochána so acting and fails or refuses to give the member his or her name and address when required by the member to do so or gives the member a name and address that is false or misleading, or

    (c) fails without lawful authority or excuse to comply with a requirement under paragraph (b) or section 48 (5)(b),

    is guilty of an offence and is liable on summary conviction to a fine not exceeding £500 or imprisonment for a term not exceeding 6 months or both.

    (2) A member of the Garda Síochána may arrest without warrant any person who is committing an offence under this section or whom the member suspects, with reasonable cause, of having done so.


    It's

    1) Excuse that they don't have the key - presumably on the balance of probabilities.
    2) Proved - to the criminal standard - accused has the key.

    That said it's a summary conviction like not having a TV licence so could be heard in the DC's normal expedited manner.

    That said it's not the same as saying the guard is the only one involved.

