New Garda powers to allow access to mobiles and other devices

derekeire wrote: »

Does that mean if you give them access to your phone, do you have to give them access to your individual applications such as banking apps, social media apps, other financial apps etc? I might not mind giving access to my phone but why should I allow a Garda to go through all my bank accounts without a warrant?

You shouldn't, because that's not what is being proposed here.

Read the Bill and not newspaper articles on it.

derekeire wrote: »

Thanks but having read the bill in its entirety, my statement is still valid. There is no limitation on what a Garda can search on a mobile if they wish to do so. In fact the statement in the bill is so loosely defined that if I stole a bar of chocolate, a Garda could demand my mobile and password plus any passwords that would enable them to search the device.

Read it again. Pay particular attention to heads 15 and 16, which are the only provisions that require you to provide passwords and encryption keys to the guards.

Kill switch pin would be useful for any person and is a great idea. But one of the principles of forensics relates to the absence of evidence is not evidence of absence. A purposeful investigation resulting in zero evidence being itself a avenue of interest.

Also, if a kill-switch is used you'd lose your own data unless there's a backup. If that backup is on a public cloud service, well that's open to law enforcement subpoena anyway - and some apps don't encrypt their backups.

Probably the extension of power is somewhat necessary to shorten investigation time, there *should* be a balancing control that would limit use and of course the purposes. i.e. access to text/social media but not banking or vice versa. Gerneral access to everything seems too broad.

Kinda makes encryption within encryption less useful; TrueCrypt and VeraCrypt styles.

derekeire wrote: »

While you are at it, take a look at heads 66 and 67.

They don't oblige anybody to provide passwords or encryption keys in any circumstances.

I'm not saying that the power to demand passwords, encryption keys, etc is harmless or that it shouldn't be opposed. But it only applies in relation to computers, phones etc found on premises during the execution of a search warrant for those premises, and it is only people on the premises at the time the search is being conducted who can be required to provide passwords. The claim that a guard can demand your passwords without a warrant is simply false.

Opposition to the proposal that is based on wild exaggerations about when and to whom it applies will be worse than useless; it's easy to dismiss arguments that are based on untruths.

The draft provision requires some careful parsing. There are several distinct powers that will apply when a search warrant for premises is executed.

1. The guards can operate any computer at the premises being searched. To do this, they can use any password or encryption key they find at the premises. So if you write your passwords down and they find that, or if you have your passwords saved in the browser on the computer found at the premises, they can go ahead and make use of whatever access to information that gives them. Obviously, they can do this even if you're not there. So if you have your passwords written down, stored or saved they can look at your bank account, your PornHub account, even — shocking thought! — your private messages on boards.ie. Obviously a lot of that information is stored not in your computer or phone, etc, but can be accessed through your computer or phone (or quite possibly any computer or phone, if they find your login details during the search).

2. If they don't find the passwords written down or stored, then if you are at the premises while the search is conducted they can require you to give them any passwords or encryption keys necessary to enable them to operate a computer found at the premises during the search.

3. They don't, it appears to me, have any power to require you to provide passwords necessary to enable them to operate any other computer. So, you give them the password to your iPad, say. They operate your iPad and launch your banking app. The banking app demands a password. As I read it, you don't have to give them that; that's a password to operate (remotely) the bank's computer, which is not a computer found on the premises during the search.

4. They can require you to "otherwise enable him or her to examine the information accessible by [the iPad]". You could argue that this imports a requirement to give you the banking app password, so that they can examine the banking information accessible by the iPad. But I don't think this argument will fly. This is a provision that significantly restricts your rights; the courts are going to interpret it conservatively; there are provisions dealing explicitly with when you are required to give passwords and encryption keys; I think the courts will say that those provisions are intended to be exhaustive and they won't interpret other, more general, provisions so as to fill any gaps.

On edit: No, no, point 3 is wrong; Hadron is correct. They can demand the passwords for your banking app, etc. You can avoid the obligation to provide this by simply not being on the premises while the search is being conducted. (Though of course the option of absenting yourself may not be open to you if you are under arrest.)