

Teenager jailed for refusing to hand over computer password - kgermino
http://www.itworld.com/legal/123153/teenager-jailed-refusing-hand-over-computer-password

======
moxiemk1
I don't know if a law compelling you to reveal encryption keys to the
government/police/courts is valid in the UK.

I do, however, know that such a law is morally reprehensible. Quite frankly,
it is in the interest of the people to ensure encryption tools are entirely
useable by criminals, gangsters, and terrorists, because that ensures they are
entirely useable by lawful citizens as well.

Unlike guns (something possible to "defend liberty" as well as commit crime
with), encryption has no victims, has no negative consequences. It can _hide_
negative things, but it merely provides automation for knowing something you
refuse to tell.

Edit: spelling

~~~
ax0n
It is valid, and it is morally reprehensible. In the US, the Fifth Amendment
protects us from such travesties.

~~~
gunzler
Has there been a case where the Fifth Amendment protected someone from
disclosing a password? I'm not sure that giving up your password is analogous
to being forced to testify against yourself.

Edit: Indeed there has been a case, and so far the Fifth Amendment is holding
strong: <http://cyb3rcrim3.blogspot.com/2010/04/passwords-and-5th-amendment-privilege.html>

~~~
praptak
_"I'm not sure that giving up your password is analogous to being forced to
testify against yourself."_

This one is tricky. It depends on one's beliefs about the true reasons for the
anti-self-incrimination laws. If you believe (as I do) that it is a
fundamental right to remain silent whenever it could make your situation
worse, then it is indeed analogous.

An opposing view is that not being forced to testify against oneself comes
from other, more basic reasons. One of the "higher-order" reasons against
forced self-incrimination might be that punishment for refusing self-
incrimination gives incentive to false self-accusation. This one does not
apply to forced revealing of passwords (you cannot falsely self-accuse in this
case.)

------
RiderOfGiraffes
Same story from three weeks ago with many, _many_ comments.

<http://news.ycombinator.com/item?id=1760700>

It's very likely that any comments here will cover the same ground, so if
you're interested it might be worth reading the comments there first.

~~~
marze
Three weeks later and this fast food worker is still in jail. I guess in the
UK there is no "innocent until proven guilty" and that's why some left to form
the USA a while back. This story couldn't occur in the USA.

~~~
evgen
_This story couldn't occur in the USA._

Actually it can and does. If a judge compels you to turn over your password as
a part of the discovery process and you refuse then you can be served with a
contempt warrant and go straight to jail without trial and with limited
possibility to appeal.

~~~
daten
What you have said isn't true or accurate.

On December 17, 2006, defendant Sebastien Boucher was arrested on a complaint
charging him with transportation of child pornography in violation of 18
U.S.C. § 2252A(a)(1). At the time of his arrest government agents seized from
him a laptop computer containing child pornography. The government has now
determined that the relevant files are encrypted, password-protected, and
inaccessible. The grand jury has subpoenaed Boucher to enter a password to
allow access to the files on the computer. Boucher has moved to quash the
subpoena on the grounds that it violates his Fifth Amendment right against
self-incrimination.

The district court held that Boucher could invoke the Fifth Amendment and
refuse to comply.

<http://cyb3rcrim3.blogspot.com/2007/12/court-upholds-using-fifth-amendment-to.html>

They later worked around it by requiring him to provide the decrypted contents
of the drive instead of the password itself since a border agent witnessed
some of the files on the drive and he wouldn't be providing new evidence.

<http://cyb3rcrim3.blogspot.com/2009/03/5th-amendment-bummer.html>

------
eiji
This brings up an idea for TrueCrypt.

Why not have two passwords: "foo" and "bar".

If I type in "foo", I get my stuff. If I type in "bar", it may self-destruct
the data, but at least it will show a different content.

So I create a 100GB container, and reserve 10GB as dummy content, maybe 1
million copies of the constitution, which will show up with "bar" as password. So I
have a password for the police, and everybody is happy.

~~~
kgo
Already in there...

I think they call them shadow volumes...

------
templaedhel
>> originally arrested for another alleged offence last May.

It would be interesting to know the nature of this crime. Was it technology
related, or was the computer seized for a less direct relationship with the
crime?

------
olegkikin
1) Plant an encrypted file on somebody's computer.

2) Call the police.

3) ???

------
dotBen
A few random thoughts:

1) While it is true to say you are protected under First and Fifth Amendment
rights from having to disclose a password here in the US, it doesn't cover
border inspections (including airport customs/immigration, where it is
considered you are in 'no man's land'). The legal issues of this are currently
going through the courts based around the number of people who have had their
laptops searched (passwords are requested at the time of the search if
necessary). But even if this is resolved, it probably will only apply to US
Citizens and not visitors.

2) The chap who has gone to prison for not disclosing his password will go
back again for another term if he doesn't disclose the password when he is
released. Someone mentioned "maybe it's better to serve 90 days in prison for
not disclosing the password than to be caught with something more
incriminating on his hard drive". That is mitigated by the fact that each
request is treated separately so he could be in prison indefinitely if he
doesn't comply :/

3) I've always thought a great defense would be to have your password
something like "gofuckyourself" or "obvious". That way if someone asks you for
your password you can say "go fuck yourself" or "dude, it's obvious". When you
go to court you can say "no, I fully complied. The password was
'gofuckyourself'"

------
ojilles
Some really good PDF on how this works in Europe, the Netherlands and
comparisons to US law. (It took me quite some time to find something looking
authoritative enough to actually read.)

"If Alice has stored her key on a diskette or a smart card, and if Polly is
certain of its existence and Alice’s possession of them, she can summon Alice
to deliver it – at least, in the United States she can, and also in European
countries, according to the European Court’s decision in Saunders. In the
Netherlands, article 107 paragraph 1 DCCP, however, prohibits Polly from
commanding delivery from suspects."

Further on (page 11) goes on to state that a key that doesn't exist in the
physical plane might be considered admission, and therefore protected. That is
unless it is demonstrated that the suspect used the same key (elsewhere)
recently -- in which case it's already "admitted" by the suspect and s/he
needs to deliver the key.

<http://rechten.uvt.nl/koops/THESIS/cryptocontroversy-ch08.PDF>

------
dot-sean
I think the point here is that this teenager thinks that the punishment for
not handing over the password can't be as long as the punishment for proving a
crime using the evidence stored on his hard drive. I didn't go to the link, but
from what I remember, he's accused of possessing child porn. In the US, it would
be as easy as saying, I've been under so much duress because of all this, that
I forgot what the key is and where I kept it. I mean, they can't keep him
locked up forever, right?

~~~
Dylanlacey
And that's the magic phrase right there. Along with "Terrorism", "Drugs" and
"Rape", "Child Porn" is a bogeyman which many people feel justifies a
reduction in rights of a serious nature.

Are they right? Well, that's not something I'm going to speculate on, but I
believe the judicial system will push as hard as people expect/will permit
them to. If the encrypted data was stolen e-books, I doubt they'd be so very
harsh.

I think it's bollocks, however. I think you should have no punishment for
refusing to help convict yourself, regardless of what you may have done.

------
jinushaun
Doesn't sound like much of a story. He's jailed for obstruction of justice.
His password was requested because he was already arrested and under
investigation for something else. The fact that it's a computer password
doesn't make this a 21st century "Big Brother" issue.

------
ax0n
If he was using TrueCrypt Deniable Filesystem with FDE (and the proper
protocols), we wouldn't even be having this conversation.

------
jws
✓ Old story (October 6th).

✓ Original article omits context.

✓ US Constitution does not cover the British.

✓ Already covered. <http://news.ycombinator.com/item?id=1760700>

No discussion required.

~~~
talbina
World War II:

✓ Old story (September 1, 1939).

✓ Thousands of articles likely omitting full context.

✓ US Constitution does not cover the British.

✓ Already covered. <http://news.ycombinator.com/item?id=1507526>

No discussion required.

~~~
eru
I agree without irony.

------
gstar
If Moore's Law keeps working, this is a ticking time bomb for him. If the
police stay interested and crack his crypto, he'll do more time for whatever
he's concealed on his computer (if anything).

~~~
sp4rki
Who knows what he does have in that hard drive. Maybe 4 months in prison is
significantly better than what might happen if they do get to his data. Hell, 4
months in jail because he refused to give a password sounds a lot better than
a sexual offender conviction for 4 years.

In any case, if I was him I wouldn't worry about them decrypting the data in
my lifetime. Do you know how many millions of years it would take to decrypt a
50 random char pass phrase with decent encryption? Lots of those. So unless there
is a breakthrough on computing power several magnitudes bigger than what we
have experienced and the money to dedicate millions of computers to the cause,
or someone finds a loophole in the encryption algorithm (highly unlikely if
using any type of military grade encryption), his data won't be decrypted.

~~~
proexploit
And yet, I'm surprised by technological advancement every day. If you'd asked
me several years ago if I thought we'd have artificial limbs controlled by
thoughts, I'd have said it was far far away.

It's a race between the statute of limitations and encryption/computing
technology. (I do agree it seems unlikely).

