
Man jailed in UK for refusing to give police USB stick password - wrboyce
http://www.bbc.co.uk/news/uk-25745989
======
toyg
It looks like he refused to reveal the password because he knew it would have
incriminated him for something _unrelated to the original case_. Once they got
wind of his other activities, he realised the gig was up and disclosed the
password.

From a legal perspective, this is a troubling side-effect of a poorly-crafted
law. His lawyer should have had the power to negotiate immunity from
prosecution for unrelated charges that might have spurred from disclosure
during the original process.

~~~
avar
That's the least troubling side of this law. The most troubling thing is that
you can now be thrown in prison on no more evidence than the presence of a
blob of random data on your computer that the police can just claim is
encrypted data that you're refusing to give up.

~~~
harryh
How is that more troubling than:

"you can now be thrown in prison on no more evidence than the presence of a
few pieces of paper in a filing cabinet that the police can just claim is
evidence that you're refusing to give up"

?

~~~
gambiting
Because with a pendrive you can't even prove that the paper is there. It could
literally be random data, and the police could be insisting that you give them
a password.

If you did a full wipe of a pendrive with random data,and didn't create a
filesystem, you would now have a device that could be used to incriminate you,
even thought it really, really isn't encrypted. But you can't prove that.

So I guess that if I were to use your analogy, the police would look through
your cabinet, find a few pieces of paper,and then demand that you tell them
how to read that invisible ink that you used on the paper. What ink? - you
might ask. But it's irrelevant, you can still go to jail for not telling, even
though there really is no ink.

~~~
harryh
Has anything ever actually gone to jail for refusing to decrypt data that
wasn't actually real data?

This is why we have judges. In order for a warrant to be issued and enforced
there has to be evidence that there is something there to search for.

------
Lagged2Death
How interesting that they report an irrelevant hyper-detail (the password
itself) but not the specifics of what "sophisticated encryption technology"
that "GCHQ ... were unable to crack."

Also interesting that a password based on word-and-number games, an approach
that has been criticized lately as vulnerable to new attacks using common
password fragments, seems to have flummoxed the pros in this case anyway.

Here's one point that I think should be referenced more prominently, maybe in
the headline somehow:

 _Police accessed the memory stick [as part of a counter-terrorism operation]
and found it contained ... nothing relating to terrorism or national
security._

That is: We convicted this guy of a crime for obstructing a terror
investigation, even though he wasn't actually doing that. We used our special
emergency terrorism powers to push someone around and make demands that were
potentially impossible, but it turned out to be just another false alarm. Of
course, the guy we pushed around is a certified scumbag and he doesn't look
like the sort of white-bread upstanding citizen that most readers of the
article imagine themselves to be, so we can count on you to not get too worked
up about the whole thing.

~~~
thirsteh
> Also interesting that a password based on word-and-number games, an approach
> that has been criticized lately as vulnerable to new attacks using common
> password fragments, seems to have flummoxed the pros in this case anyway.

If you're talking about the Ars Technica article that showed that crackers are
using common passages from books and movies, it's worth nothing that it's not
some kind of issue with passphrases, just the construction of them.

It is _not_ a bad thing to use a passphrase (the Ars article implied that by
saying "your long password isn't safe either," or something to that effect.)
It _is_ a bad thing to use a passphrase that is not randomly constructed. It's
just the same for passwords, and, indeed, cryptographic keys.

It's a numbers game. If it's not random, there's a pattern/bias. If there's a
bias, an attacker can exploit that. If there's no bias--i.e. the words of a
passphrase were truly randomly selected--then there is no method to crack it
more effective than brute force.

------
aheilbut
There is long-established precedent for compelling the provision of testimony
and/or physical evidence within our legal system. Do people seriously think
that USB sticks have some special privilege?

~~~
exo762
You don't have to testify against yourself. Giving away password is exactly
this.

~~~
jmackinn
If the information was in his head and not on a thumb drive then yes, but it
was on a piece of physical evidence, therefore the password is the same as a
key to a storage locker or the combo of a safe. Refusal to provide either will
result in a charge of contempt, exactly what happened in this case.

~~~
exo762
Nope. This is my knowledge and my words. You can have any number of "metaphor"
you want, but direct, literally, word by word, meaning of legislature trumps
all metaphors.

Information - the password, is in his head.

------
detritus
If he hadn't've already been convicted of being part of a terrorist cell
planning on attacking the nation's infrastructure, I might've cared.

Given that he doesn't share my ideals, or indeed, much like anything i might
be open to considering, he can go fuck himself, if you'll excuse my language.

~~~
hingisundhorsa
I tried to find where in the article it says anything that might back up
"already been convicted of being part of a terrorist cell". The closest I
found is where it says: "already in jail for being part of a cell that
considered attacking a Territorial Army base in the town.". This sounds a bit
like a thought crime to a laymen like me and the verbiage flags my weasel
alarm. Also, could you clarify where you're getting the term "nation's
infrastructure" because all I saw was: "discussing attacking the town's TA
headquarters". If we accuse everyone who's pissed off at the town council /
home association and starts talking about blowing them up of terrorism, then
we'll need a much bigger prison system.

~~~
andyjohnson0
TA is the UK Territorial Army, approximately equivalent to the US Reserve
Forces or National Guard.

The group were convicted of _discussing_ the idea of driving a bomb under the
base's gate attached to a remote controlled car [1]. They didn't actually do
it. They also _discussed_ obtaining weapons, but didn't do that either. They
did arrange to attend terrorist training camps in Pakistan, but its not clear
from the news reports whether they actually travelled there.

EDIT: According to [2] one of the group did go abroad for training.

[1]
[http://www.bbc.co.uk/news/uk-22178105](http://www.bbc.co.uk/news/uk-22178105)

[2] [http://www.theguardian.com/uk/2013/apr/18/four-jailed-toy-
ca...](http://www.theguardian.com/uk/2013/apr/18/four-jailed-toy-car-plot)

~~~
okamiueru
That sounds a bit disconcerting. I've discussed things like how to beat
airport security, plant bombs to do the most damage, and in general ways to
circumvent security measures. It's simply an intellectual curiosity, one even
necessary to make things safe, and protect against those who think the same,
but with intent of causing harm.

If the discussion alone is the damning part, with disregard to the intent...
coupled with some prejudice, and add irrational fear.

Self censorship is what you get.

~~~
coo
Media may have used the term "discussed" but they were convicted for plotting.
By legal definition, in order to commit a crime there has to be a proved
conscious intent and actions taken. Even grouping together is considered an
action, I assume for 16 years they've dome more than that. There was also
existing home made bomb.

Sorry this guy is a criminal and a murderer, his value to society is pretty
low to considering he hasn't done anything of a value in his life, except
moving to UK.

------
digitalengineer
He chose his passwords well it seemed: $ur4ht4ub4h8 It's not entirely
impossible to forget that is it? How are you tp prove you did in fact not
forget it?

~~~
mortov
Given the password is relatively simple - remember this is supposed to be one
of the premier encryption cracking organizations in the world, GCHQ, here - I
think there is a distinct lack of skill (or absence) by GCHQ. He's perhaps
being jailed for showing them up.

Alternatively (and more likely I suspect), these is some gamesmanship being
played to get shiny new additional super-snooping laws passed because it's
needed to cope with all this uncrackable terrorist encryption. See, here's the
proof it exists ! [edit: sorry, this did not make it clear I'm suggesting it
was cracked but found to be irrelevant to the terrorism case. I've expanded in
a reply below.]

The UK already has laws making it an offence to have 'have information' 'which
may be of use to anyone planning a terrorist offence'. This is so broadly
defined that railway enthusiast pictures of trains could fall into it (and
have been questioned under it - [http://www.telegraph.co.uk/news/uknews/road-
and-rail-transpo...](http://www.telegraph.co.uk/news/uknews/road-and-rail-
transport/4123672/Trainspotters-being-stopped-under-anti-terror-powers.html))

The UK's unwritten constitution is not worth the paper it's written on.
Unfortunately the US written one seems to be about as useful in protecting
peoples rights these days as the UK one. (See previous HN stories of your
choice)

~~~
DanBC
GCHQ giving the password is problematic when the case goes to court.

GCHQ have considerable computing power. That probably has weird costings. Thus
the cost of 48 hours to run this task is possibly costed at some huge amount
that police forces cannot afford unless they know it is a significant target
with a spectacular result.

~~~
mortov
Standard Operating Procedure is to say it was handed to the Metropolitan
specialist computer crimes unit who cracked it. Someone turns up in court
saying they are a Met officer from the unit and they worked really really
hard. It's never been a problem.

Remember this was originally a _terrorist_ case; there would have been plenty
of resources made available - there always are for these.

A likely scenario is it was cracked and found to be irrelevant so the option
of going for a political angle for more powers was much more preferable than
letting some low-level frauster know his encryption had been cracked (and
hence letting lots of people know the USB encryption was worthless and risking
_real_ terrorist cases where suspects used the same approach).

------
callesgg
In my country(NOT UK) one is considered innocent unless proven guilty.

------
jbb555
This seems reasonable to me.

It seems like there was a reasonable reason to suspect that the drive might
contain actual information that was needed for a serious crime, and a proper
procedure was followed to get a court order to get at it.

It's like searching your house. The police should not have the ability to
simply decide they want to. But if you were already in prison for terrorist
related crimes it hardly seems unreasonable to give them the right to do so.

This wasn't some random abuse.

------
toyg
In many ways this is actually good news: _GCHQ couldn 't crack the drive_. As
Snowden said, cryptography still works: _trust the math_. As long as you can
bear the consequences (i.e. up to 2 years in jail if the Police thinks you're
up to no good), you can safely save data that nobody else will ever read.

------
ceeK
Can anyone shed any light if deniable encryption
([http://en.wikipedia.org/wiki/Deniable_encryption](http://en.wikipedia.org/wiki/Deniable_encryption))
would have been useful here?

~~~
adrianoconnor
I doubt there are many UK lawyers specialising in this niche area of law
stalking the HN forums right now. But you never know :)

I wonder if a big part of the reason for his jailing is that he actually did
give them the password in the end - making it less likely that he had
forgotten it, and that he was deliberately trying to pervert the course of
justice.

Of course, it doesn't help that he did seem to have plenty to hide, and he
wasn't in a great position anyway.

~~~
vidarh
It really annoys me with articles like this when the chronology is unclear. If
we was given 4 extra months _after_ he gave them the password, then that's
quite different than if he was given 4 extra months before.

------
gonvaled
So now am I supposed to give my passwords for my encrypted bitcoin wallets,
and all my banking access codes? And be happy and relaxed when the police
tells me that they will not steal anything?

~~~
toyg
They already have access to your banking data, they won't need your codes.
They would probably be entitled to asking for your wallet password, yes.

Of course they can steal your stuff; it happens with physical evidence (fairly
routinely, in many areas - do you really think all that sequestered ganja gets
destroyed?), so it can happen with digital stuff too. There are laws and rules
about this, but no physical impediment afaik.

~~~
mortyseinfeld
_They would probably be entitled to asking for your wallet password, yes._

No, they shouldn't be entitled.

------
nottrobin
In America, wouldn't the 5th ammendant protect you in this case?

~~~
warmwaffles
Not when you are associated with Terrorism. But in a way, yes. As long as you
are not associated with terrorism, then you can not be compelled to testify
against yourself. I am not a lawyer, but I do remember reading about a case
where a judge said the defendant had to give up his password. So in this case,
a deniable encryption scheme would probably suffice. Again, not a lawyer.

~~~
hippich
court still has right and can force you to reveal password

------
gannimo
[https://en.wikipedia.org/wiki/Die_Gedanken_sind_frei](https://en.wikipedia.org/wiki/Die_Gedanken_sind_frei)
Unfortunately not.

------
JensRantil
I wish the article would have stated what encryption he used for his data.
Apparently not even GCHQ could crack (or so they say...).

------
staticelf
This is horrible.

~~~
adrianoconnor
Except he eventually gave them the password, which means he didn't just
'innocently' forget his password. However, it looks like he was trying to
cover up for fraud rather than terrorism, so maybe he decided that guilty
fraudster was better than suspected terrorist.

~~~
callesgg
He gave them the password after he had been jail 4 mounths for not
remembering, if i got the article correct.

~~~
DanielStraight
You did not. He was in jail because he admitted to planning a bomb attack. He
was not charged for failing to provide the password until he later made it
clear that he either lied when he said he forgot or remembered later and
failed to comply at the point when he remembered.

------
dutchbrit
Can you say unibrow?

