Hacker News new | past | comments | ask | show | jobs | submit login
Irish police to be given powers over passwords (bbc.com)
391 points by shivbhatt on June 14, 2021 | hide | past | favorite | 258 comments



This appears to actually go significantly beyond enforced password disclosure. From the text ( http://www.justice.ie/en/JELR/Gen_Scheme_of_AGS_(Powers)_Bil... ), on Head 16 (p 28):

- An officer can use these requirements on anyone who "appears to him or her to have access". They don't appear to need any evidence beyond that. The person does not need to be a suspect or, it appears, the subject of a warrant, just a person present at the location subject to the search warrant.

- It applies not just to access to information on the device, but information "which can be accessed by the use of that computer", and thus presumably includes information that is on other machine, or potentially not even in Ireland or the EU.

- It allows officers to freely operate computers on site during a search (this seems like horrible forensic practice?), and use passwords found on the site to try to access any information accessible from the computer.

- It does not just include disclosing passwords. It includes "any password or encryption key", and anything "to otherwise enable [the officer] to examine the information accessible by the computer".

- It even appears that it allows officers to compel people not just to disclose passwords but to actually operate the device for them so as to enable information access, and "to produce the information in a form in which it can be removed".

- It is not clear to me that there is any restriction on the scope of information, so long as it is in some way accessible.

- Head 17 appears to allow even legally (or otherwise) privileged information to be seized, so long as "the confidentiality of the material can be maintained pending the determination by the court of the issue as to whether the material is privileged material".

Combining these powers would seem to be able to result in ridiculous situations, for example, forcing a person to take data from a US server using an SSH key on their laptop, potentially violating US law by doing so, and for the person to do all the work necessary to do this themselves.


Interestingly, the Irish Times coverage of this change in Irish law¹ has:

> Security sources said the person refusing to surrender their password would have to be a suspect in a crime and trying to obstruct the investigation of that core offence before they would be convicted over the password refusal.

It’s annoying that media coverage (by the “newspaper of record”) would rather cite speculation by anonymous sources rather than link directly to the text of the actual Bill. It’s only when I check the discussion on Hacker News that the source is directly referenced.

On the other hand, the state broadcaster does not even deem this proposed change to Irish law to be newsworthy enough to warrant coverage on its news website².

Somewhat Off Topic: The typesetting of the Bill itself is woeful and really impacts on readability of the text. It seems like the content was copied and pasted from multiple sources into MS Word without any consistent styling or indentation to reflect the hierarchy of bullet pointst.

1. https://www.irishtimes.com/news/crime-and-law/new-garda-powe...

2. https://www.rte.ie/news/


> - An officer can use these requirements on anyone who "appears to him or her to have access". They don't appear to need any evidence beyond that. The person does not need to be a suspect or, it appears, the subject of a warrant, just a person present at the location subject to the search warrant.

Well that's handy then, the "helpful roomate" tries his best to enter the password, but didn't realise that after 3 wrong tries it wipes the device!


Yes, this legislation either seems to have been written by people who just want overly broad powers they'll use in a technically sound way, or by people who have no understanding of computer forensics.

The way it's written makes it sound like the officers would be rifling through the computers and phones on site trying passwords they've found, themselves, or standing over the shoulder of people being forced to do so. It specifically talks about forcing someone to make information "visible and legible" and about copying documents, rather than just making forensically secure images of devices.


If so, it's a recipe for disaster.

Easy enough to booby trap discreetly to delete things if not accessed the 'correct' way.

Maybe this is to show that this approach is so crazy that it could never work (hence the written reports to gather data), and that they do actually need <insert some crazy power> here in order to do it properly because "we tried to do it the nice way and it didnt work"


Deleting probably wouldn't be the best approach, because (a) the drive could just be duplicated before-hand, (b) they'd know you'd done it.

Better just to buy a bunch of USB sticks, wipe 'em all with random noise, use a couple for mundane files, and use a couple for sensitive files — deniably encrypted so as to look like random noise. Then, you can plausibly deny that they contain any sensitive files.

The real issue here is that we shouldn't need to use these sorts of measures. No one will do this unless they're a software professional with something to hide, and "having nothing to hide" doesn't mean you're not still entitled to privacy.


> (b) they'd know you'd done it.

That depends entirely on how exactly you do it. And knowing something and being able to prove it are two very different things.


It's fine, just have the legislature pass a Bill of Attainder that declares the thing you know is a proven fact, and you're peachy. It worked great in the Trial of Thomas Wentworth.


> Better just to buy a bunch of USB sticks, wipe 'em all with random noise, use a couple for mundane files, and use a couple for sensitive files — deniably encrypted so as to look like random noise. Then, you can plausibly deny that they contain any sensitive files.

You're creating a situation where you have a set of encrypted and non-encrypted devices that are indistinguishable, and expecting the police to let you off. But there's nothing stopping someone with only encrypted devices to claim the same thing. I'd be worried that approach would fail either by 1) the police calling your bluff, or 2) indefinitely holding you in jail for contempt of court until you decrypt a drive that has un-decryptable random data.


An unreasonable adversary, such as a terrorist group or something, could plausibly do that. But the legal system has things like the "beyond reasonable doubt" standard of guilt. If the court finds encryption headers on your disk, they've got evidence beyond reasonable doubt that there's encrypted data on it. If there's only noise, it's totally plausible that it's just a spare usb stick, especially if you consistently wipe your unused disks and don't just have one conspicuous disk full of noise.


>If the court finds encryption headers on your disk

Encryption with plausible deniability will not have readable headers. It will appear to be completely random data.


Yeah, that's my point. A proper plausibly-deniable system will be indistinguishable from a disk which has been wiped, to the point that no court can reasonably accuse you of hiding files on it.


Eventually it will become illigal to have randomly generated data stored somewhere.


>you can plausibly deny that they contain any sensitive files.

"Don't worry about my large collection of seemingly encrypted USB sticks officer, it's actually just random noise I filled them with for the lulz! No sensitive files here."

I see no flaws with this plan.


"Yeah, when I'm done with a USB stick I wipe it with random noise, so that I know that the data I'm finished with is properly deleted."

Usually when you encrypt a drive there's a telltale header, so the disks wouldn't be "seemingly encrypted" at all — and wiping disks clean with noise isn't especially uncommon. It's as plausibly-deniable as it gets, and it'd certainly fly in court.


>Usually when you encrypt a drive there's a telltale header

Not necessarily.

https://www.truecrypt71a.com/documentation/plausible-deniabi...

2. Until decrypted, a TrueCrypt partition/device appears to consist of nothing more than random data (it does not contain any kind of “signature”).


Huh — I was unaware that TrueCrypt has plausible deniability by default. I know it's possible to set up plausible deniability, but with LUKS that takes extra steps, and I assumed the same was true of other disk encryption schemes.


> Easy enough to booby trap discreetly to delete things if not accessed the 'correct' way.

Exactly! If I had anything to hide, I'd make sure to give them the 'correct" password that will wipe out selected data from the device.


How exactly would you create this booby trap? I'm not aware of anything that could do that, apart from VeraCrypt hidden volumes maybe.


Both iOS and Android have a setting to wipe the device after N unsuccessful attempts to enter passcode.


Can you elaborate how you would do that on a mobile device, laptop/pc? Would you run different partitions?

Can it be done by giving them one wrong password which will trigger a disc erasure?

Serious question, as I wouldn't know how to do that.


The easiest solution I see is to write a custom screen-lock for Linux. That could be defeated by a simple reboot, but the hapless roommate in this scenario wouldn't know to do that.

For example, insert your filesystem-nuke (perhaps with an attempts counter) around line 78 of main.rs here https://github.com/akermu/rlock


Not quite the same but a hidden veracrypt volume [0] would easily circumvent this law.

[0] https://veracrypt.eu/en/docs/hidden-volume/


Look into PAM configuration. In particular I think you'd probably want some combination of pam_faillock and pam_exec. pam_exec can be used to call some arbitrary script to wipe your disks and possibly be extra evil and call flashrom to even wipe the firmware beforehand.


> wipe your disks

Actually wiping the disk would take way too long. Assuming that you're running Linux and that all connected drives are fully encrypted: overwrite all keyfiles in a secure manner (ie flushing all caches and etc), write random garbage to the entirety of RAM, and trigger the equivalent of `halt -ff` (note the double --force).

Potentially of interest: `__noreturn machine_real_restart` in reboot.c (https://github.com/torvalds/linux/blob/5bfc75d92efd494db37f5...)

Bonus points for additionally finding a way to trigger the "secure erase" firmware feature of all attached devices as part of the above sequence. That's likely to prove a bit tricky though since that feature is generally locked out (for obvious reasons) once you leave the bootloader.


By "wipe your disks" I meant issue a secure erase assuming you have a SSD like Intel's where it would overwrite an encryption key and be done in short order.

The contents of RAM in this scenario shouldn't be particularly vulnerable. If they're trying random passwords on the actual machine without any attempt to preserve the disks beforehand there's zero chance they're about to take the machine apart and extract what's left in RAM before it's gone.

>Potentially of interest: `__noreturn machine_real_restart` in reboot.c

Just write "b" to /proc/sysrq-trigger, it'll immediately trigger an ungraceful reboot without trying to unmount filesystems or flush the cache.


>Yes, this legislation either seems to have been written by people who just want overly broad powers they'll use in a technically sound way, or by people who have no understanding of computer forensics.

Or both.


Or they wish to extend the powers to detain, arrest and issue fines so that they can be based on over-broad and ill-defined premises.


They would probably have to bag the devices as evidence.

But let’s be serious here it has to be at a place where a warrant is issued right? Tech folks are super paranoid. Like, try to make sure no warrants are out for you and your cousins and you should be fine. If you’re in the wrong place at the wrong time: sucks to be you anyway!


Like a store or tech conference or a city. Location is overly broad.


I can even see an option where they want me to unlock the phone but I was so stressed that I totally forgot my pin and I was trying to be helpful by trying as many times as possible...


I mean if you were going to do that, you'd want to be sure not to talk about it on a public forum.


> - It even appears that it allows officers to compel people not just to disclose passwords but to actually operate the device for them so as to enable information access, and "to produce the information in a form in which it can be removed"

I can see it now: "I'm sorry, Officer, but my company's Data Loss Prevention (DLP) policy will not allow this document to be copied to any removable media or emailed outside of the company. I can make a request to Compliance for an exception but they take 7-10 days to respond!"


In a form in which it can be removed? Like a printer?


I'd be interested in the reaction of all the folks who put their datacentres in Ireland (for tax or other purposes :p).


Most of them are US based, where the concept isn’t unheard of:

https://imgs.xkcd.com/comics/security.png


The police can also do fun stuff like force you to send all your Bitcoins to them. Without a warrant or evidence of any kind.


I wonder if you could bend the wording as an excuse to seize somebody’s crypto assets for the duration of the investigation and after


so that would make them a good target for ransomware with all of those extra coins. or just hack them to get access to wallets to transfer funds. they are cops after all, so it's doubtful their own OpSec would be very good. Password try 1 "back the blue", Password try 2 "respect my authority"


Well for reference, I knew one guy I went to high school who did remedial classes all his life, then went on to college with a full basketball scholarship with some unbelievably easy business degree only to become a cop.

This kid couldn't write a paper let alone a police report. Boggles my mind why they'd ever let someone like that be a cop. I guess they value people skills over knowing people have rights.


>Boggles my mind why they'd ever let someone like that be a cop.

Of all the jobs available, how many people really want a job that is historically known for low pay, long hours, and on more than occassionally requested to put your life on the line? How long did you personally contemplate that as an option? Of all of the people left that didn't say hellznah, fill the positions you have open on your police force. Policing is like politics in this one manner: those who want/seek the job, tend to be those that should never have the job.


Horrifying thought, there are probably active duty cops in the US with the n-word in their password


That actually sounds like a great way to lessen the temptation of sharing passwords.


> It is not clear to me that there is any restriction on the scope of information

Presumably the warrant defines the scope of the search. Of course the judges issuing the warrants aren't technical and generally cooperate with investigations, so I would expect vague and over-broad warrants to be the rule.


I'm not too familiar with Irish law, but the explanatory notes for Head 16 seem to suggest that the search warrants would be scoped by location, rather than topic.


> It applies not just to access to information on the device, but information "which can be accessed by the use of that computer"

So... basically the entire internet, then?


The Arts of Confiscating Cryptocurrency, entry #7:

- Stage a crime scene next door to the targeted machine.

- Ask for a warrant for the location.

- Knock on the door and ask the person to give the password for the Bitcoin.


- Know that someone has crypto in the first place.


I wonder what would happen in the event of a person working for a foreign government (diplomat, etc on assignment) being forced to log in to their govt laptop and access confidential info.


"I assert diplomatic immunity "


Can regular government workers do that, or just actual diplomats? If the latter, just go for their assistant.


Under the Vienna Conventions, only people with diplomatic rank have full diplomatic immunity. Administrative and technical agents do have diplomatic immunity, but only for actions taken "in the course of their duties."

But it wouldn't matter: documents and archives of the state are inviolable no matter where they are. And the property of a diplomatic mission must remain free of search and seizure.


I can't wait for some Irish cop to start a massive diplomatic incident because some embassy worker happened to be in the wrong neighbourhood.


I think this is more likely to bite as it pertains to Ireland as a friendly business environment than it does to Ireland as a diplomatic partner.


Yeah but the diplomatic disaster would have far more entertaining visuals.


I had a diplomatic passport for many years as a kid. It was definitely handy in our case as cops were quite corrupt where we were living and would try to con us out of money all the time. I don't know how far it'd go in court or under a serious warrant but in practice they always left us alone once we showed our passports.


This is nuts.


I can't stop wondering why do the people of the UK and Ireland allow legislation like this to exist.


Because in modern democracies it's not we the People writing laws. We vote someone with good enough promises and campaign, but when they're up there they pretty much do whatever they want. And voting for the other side doesn't make as much a difference as you'd think it will.


This seemed a reasonable way to make sure decisions are made by competent people rather than the crowd. But today this seems becoming a scam.


We need to invent hardware with biometric verification such that the device will not give access without the rightful owner present and operating it.

Otherwise this will degenerate into police being allowed to sneeze devices and operate them away from their owner's presence.

Make it possible to "lock in" a single biometric profile and not permit adding a second profile without automatically wiping all data.


We have those. But compelling a finger print is much easier than a password.


Exactly. Biometrics are awful because

1. they can be compelled by force,

2. they can be physically collected, unbeknownst to the owner,

3. they share all the risks of digital passwords, including being leaked,

4. they can't ever be changed, even when known to be compromised by 1, 2, or 3.

Much better to have 2+ passwords for deniable secrets.

    A unlocks the device. Most people only have this one "normal" password.
    B unlocks the device plus secret b, maybe some extra kinky porn so people feel they've found your real secret.
    C unlocks the device plus secret c, your real secret, maybe Bitcoin wallets or that novel you've been working on forever.
If there's software on the device that does this, it's only evidence that 1+ secret dirs might exist. It should be impossible to tell that c exists, let alone compel its disclosure via C. But if b is quite stale, that's at least a hint that c might exist.


or even better ... a kernel backdoor to expose hidden encrypted filesystems and false physical disk size reporting, with a specific userspace trigger (eg: open the password manager, when this password is selected destroy the hidden filesystem(s); when this other app is opened and the phrase "X y Z" is typed, expose the hidden filesystem as a disk to userspace).

You can go on forever with this stuff, especially if you have root on the device. Which gives you some clues about the true purpose of laws like this and who thinks they are useful.


Nobody really does that in practice although. Something that catches %99.9 is pretty good!


Have it as a second factor. Just make it harder for police to confiscate devices. U2F keys are great but they can be confiscated too along with your password. Fingerprint or face is possible to copy but much harder. Most police don't walk around with 3D face scanners.

Also make software self-destructing with a warning, i.e. if the user chooses it at installation time, all data will be destroyed automatically by the OS if they move the device off-premises. Make the setting unchangeable after installation time.

Police won't want to destroy evidence, so they'll have no choice but to leave it on premises.

I'm not trying to enable criminals, but rather enable whistleblowers and to not succumb to unreasonable new laws, and keep unethical searches for bad reasons in check.


> Also make software self-destructing with a warning

This is not how forensic analysis works. Data is copied to read-only supports before any attempt of access is made.


no, what you do is make a second password for the same account that opens a secret profile with different access.


A biometric is a username, not a password.


It's an authentication factor. It's not a username because you can change those.

(For twins they're more likely to have different usernames than different biometrics.)


No, it's an identification factor.


Tomato tomato. It’s all vectors and Boolean logic at the end of the day. Or if you want to get fancy, then add weights and step ups.


In theory though, this is no different than making someone “empty their pockets.” It’s just we happen to have information in our pockets.

Folks, keep your information AT HOME where it belongs. Don’t dirty the streets with those ugly snaps no one wants to see (unless there’s a cat filter) :)


In theory, there's a world of difference between the two.

* Pockets may contain items that are dangerous to an arresting officer, or to other arrestees. Emptying pockets serves the purpose of removing that danger. Data stored on a phone are not dangerous to nearby people, and so there is no corresponding danger that needs to be removed.

* Pockets can be verified to be empty, and so it can be verified that the person has complied with the order. There is no way to verify that all information accessible from a computer has been revealed. A police officer can demand that a suspect produce passwords that they don't have, then use the "noncompliance" as a way to add additional charges.

* Emptied pockets can be returned to their original state. If my pockets contain a driver's license, $5 and lip balm, those items can be returned to me. If I reveal a password, the reveal of that password cannot be undone, and that account must be assumed to be compromised.

* (For the US only) I have the enumerated right for my papers and effects to be secure against unreasonable search and seizure. A full investigation of accounts to which I have access, done at the site of an arrest, by untrained officers, with no checks for data security, no limits on the breadth of the search, with no basis of reducing external harm, and no right to contest the disclosure until after it has occurred, is entirely unreasonable.

I agree with your conclusions, that information security is important and should be more widely practiced. I disagree strongly with how you reached that conclusion, as a physical search of pockets is entirely unlike a search of one's phone or connected devices.


> this is no different than making someone “empty their pockets.”

Except they can take your key, search your house, take your work key from there and drive with your car to you workplace and search everything there you can access, as well. So metaphorically as well as actually (home server etc.), your home is not safe.


Interestingly, such a law does nothing against proper criminals. People that know they have incriminating evidence will either not carry it on their phones or uses some form of steganography to hide it perfectly. In the worst case, they will have some form of wipe-me passphrase that cleans the device before unlocking.

Normal people, on the other hand, do not have these kind of (mental, time) resources. They will be forced to unlock their phones and something incriminating (for instance regarding "hate speech" or "intellectual property rights" or just "traffic violations") will be found. I consider this approach one step more in the direction of keeping every citizen an on-demand criminal. There are so many, sometimes incomprehensible, laws nowadays that pretty much everyone is not compliant.


>such a law does nothing against proper criminals. People that know they have incriminating evidence will either not carry it on their phones or uses some form of steganography to hide it perfectly.

I oppose such a law, as it appears to be very poorly written, but it's pure fantasy that criminals won't do crime via their phones, or will use some sort of advanced steg. Maybe some very talented criminals will do such things, but most criminals are just people: they either don't understand technology well, or else simply engage in risky behaviors.


I agree. Most criminals are not very bright, and in the case of large organized crime, you still need to be able to communicate with employees that aren't very bright. Custom stenography comes at a cost to your organization in terms of troubleshooting and reliability...

The drug dealers are probably just using whatever encrypted app they hear works well, which is why there was that big successful sting using an FBI controlled app recently.


> I agree. Most criminals are not very bright,

The bright ones are not being caught and therefore not on the list of criminals.


Laws are so arcane and complex that most people have violated some law if you look hard enough.

Ex. "More than 70 percent of American adults have committed a crime that could lead to imprisonment."

https://www.politifact.com/factchecks/2014/dec/08/stephen-ca...


Alright, let's say: "not on the list of criminals relevant for the topic".


Criminals not very bright? If this is true there seem to be an awful lot of bright ones in Britain.

"A suspect was charged in 7.8% of crimes recorded in England and Wales in the year to March 2019, down from 9.1% the previous year".


Most cops aren't very bright either.


That was far more than just some encrypted messaging app. It was custom secure hardware running on its own (tunneled) network. The manufacturer and operator turned out to be law enforcement in this case though ...


Food for thought: Attending a diplomatic dinner where EU liaisons from various police forces were also present, the head investigator of that country—which I shall not name—told me that their country's biggest outflow of crime to other European countries, were high tech economic crime such as card skimming, money laundry, and white collar crimes. I.e. things that require at least some technical understanding to perform.


"Proper criminals"? What does that even mean?

There are hundreds of criminals who are not tech savvy (or not tech savvy enough) who will not have any of the mechanisms you postulate, who are frequently caught by the police and are very much "proper criminals".

I don't agree with this law but to say it doesn't do anything against proper criminals is patently false.


I think its more that proper criminals have no reason to give up their password and incriminate themselves. Only a "Legal" person would comply.


Can't you say this about all laws?

'What's the point of a law against breaking and entering? A criminal will break and enter anyway!'


> What's the point of a law against breaking and entering? A criminal will break and enter anyway!'

Laws are about justice not prevention.

Other laws are enforced without the criminals cooperation or consent. For example you stab some one, cop finds the knife with your finger prints and the victims blood case closed your off to jail.

This law would be like the cops requiring you to hand over the bloody knife and if you say no then the cops will have no evidence and little recourse but to arrest you for the lesser crime of lying to the police, not very effective.


Law is more than just Criminal law.


Ok? What difference do you think that makes?


You said "Can't you say this about all laws?" implying that laws are redundant since criminals won't follow them and obeying citizens don't need them. But that's only true for Criminal law, not for other types of law because people might be breaking the law unintentionally that's why we need it.

To give a trivial example, killing someone would be an example of a Criminal law and you would be right. But tearing down a supporting wall in a block of flats to expand the living room would be an example of a law that needs to be written down because it's not obvious and clear to everyone.


> You said "Can't you say this about all laws?" implying that laws are redundant since criminals won't follow them

No that's what I was arguing against.


I never said that laws where redundant I argued that any law that requires cooperation to be effective is inherently in-effective on anyone that won't cooperate, namely criminals.


> I don't agree with this law but to say it doesn't do anything against proper criminals is patently false.

It’s not false, we see this with gun control laws 100% of the time. Handguns being illegal in Chicago yet it being rather easy to get one. The laws are followed by noncriminals but criminals don’t care and only get caught after they do something. If at all. So the laws reduce freedoms for noncriminals and criminals just get charged with something else when/if they’re caught. And mind you the criminals don’t care what or how many crimes they’re charged with. At best it deters law abiding citizens, nothing more.


> such a law does nothing against proper criminals.

Doesn't sound right to me; The intersection between criminals and people with good information opsec is tiny(mostly because the latter category is tiny anyway).

I agree the law is problematic, but not for that reason.


Out of curiosity. Why do you mention the latter group (people with good information opsec) is tiny when the former group (criminals) is probably an order of magnitude smaller?


Honestly I thought you were way off base and that the number of criminals would be orders of magnitude higher than infosec workers, but apparently I'm wrong.

"in 2020, there were 1.8 million people in prison" [1]

"[in 2019,] the country’s total employed cybersecurity workforce is just 716,000" [2]

"There are about 465,000 open positions in cybersecurity nationwide as of May 2021" [3]

[1]: https://easyreadernews.com/why-are-so-many-americans-in-pris... [2]: https://www.csis.org/analysis/cybersecurity-workforce-gap [3]: https://www.cbsnews.com/news/cybersecurity-job-openings-unit...


> is tiny when the former group (criminals) is probably an order of magnitude smaller?

How did you arrive at that? Even a significant fraction of people I know who do security work would agree they don't in general have good info opsec, because it's a pain in the ass. Most of the technical people I know wouldn't even know how to do it properly.

"Criminals" is hard to define precisely, but some small integer percent is at least a reasonable lower bound. Afaics people who are actually good at info opsec don't number in the millions.

So even if we simplify by assuming the rough magnitude of both groups is the same, you still have the intersection of two small groups -> tiny. This is probably complicated a little bit because criminals have more incentive than average, if not more experience.


(Not OP) It does not really matter: if someone is a criminal (however tiny that group is), and we make the (reasonable?) hypothesis that criminals are not more (nor less) informed that the general population, the intersection is really tiny.

   tiny * tiny = very tiny


Two two variables aren’t independent so you can’t just multiply the two. You must account for their covariance before you do that.


Re to mLuby: you don’t have to work in infosec to be worried about it.


But not everyone in infosec have good security because it is a pain in the ass. I would say people with good personal infosec is at most the same order of magnitude as criminals but probably fewer.


> People that know they have incriminating evidence will either not carry it on their phones or uses some form of steganography to hide it perfectly.

I think your point is valid, especially the part about normal people, but you might be overestimating the intelligence of most criminals.


> an on-demand criminal.

Wow. What a phrase.


It’s an apt description for broadly-scoped criminal laws with highly deferential and selective enforcement. I’d bet a prosecutor could look at any given cellphone and find something to charge the owner with.

Edit- It reminds me this first amendment wonk who pissed off local police and was then ticketed for failure to register his bike: https://m.youtube.com/watch?v=28w6xvRj9EM


True only normal people will feel compelled to give their passwords to authority. A criminal won't give a shit there is nothing an authority can do to compel a criminal to incriminate themselves. I mean what can they do arrest them? I think criminals have made their peace with that.


Can they use something they find if it's not in the scope of the warrant? (I have no idea?)

But yea, your high profile criminal doing the real bad stuff is not going to be walking around with it on something that keeps a record.


Fruit of the poisonous tree doctrine mostly doesn’t exist in Europe.


It sounds to me that the warrants are scoped by location, not by purpose.


I think the ANOM case demonstrates that criminals are not sufficiently more technically adept than the general public.


> proper criminals

Lol now gatekeeping criminality!


Here's a fun fact! If you appear to the police officer to have access or passwords, and don't give it to them, they can charge you with obstruction and jail you for up to 5 years!

So if you can't prove that you don't have the password, you're in a bit of trouble!

-------------------------------------

16 (1).(e).(v) to require any person at that place who appears to him or her to have access to or to have under his power or control the information held in any such computer or which can be accessed by the use of that computer—

(I) to give to him or her any password or encryption key necessary to operate it,

(II) to otherwise enable him or her to examine the information accessible by the computer in a form in which the information is visible and legible,

(III) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible

67 (2).(d) A person who fails to comply with a requirement under Head 9 (1), (2) or (3), or Head 16 (1). is guilty of an offence and is liable—

(i) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(ii) on conviction on indictment, to a fine not exceeding €30,000 or imprisonment for a term not exceeding 5 years or both


This is the part that interests me. I always thought that the primary reason that Canada and the US has protections against self-incrimination was not some moral stance but because it is effectively impossible to prove that someone can incriminate themselves. With our current technology "I can't remember" is basically impossible to disprove.

IIUC The way this works in the UK and is being proposed here for Ireland is guilty until proven innocent. You need to prove that you don't know something, which is equally impossible.

Of course court rarely "proves" things. It is more aimed at "beyond a reasonable doubt" which does allow some chance for proving both ways. But I don't think that makes much difference to the fundamental issue.

This point of view also cleanly solves the "unlock the phone" debate. They can't make you type your password because they can't prove that you know the password, but they can make you touch the fingerprint reader because whether or not your fingerprint unlocks the phone is something that can be tested.

Of course the question of morality is important. Especially as we are sprinting towards a future where we have more and more visibility into people's brains. It would be nice to answer this question, and with the current direction that governments are moving it seems like the answer is going to be that accessing a suspect's mind is acceptable, which I have very mixed feelings about.


I wonder if using a bot that tweets "Fuck, just forgot a very important password" about once a month would help.


As a theoretical or as a practical matter, is there ever actually any possible way to prove that you don't know something like a password?

I imagine that the way this would have to work in practice is that the prosecution would seek to prove that the accused did in fact know the password, and seek conviction on those grounds, rather than forcing the accused to refute unfounded accusations. But how it actually ends up working would depend on how the Irish legal system works.

Wouldn't the presumption of innocence protect the accused from the impossibility of proving their ignorance? Wouldn't the prosecution need to produce clear evidence that the accused did in fact know a particular password (for instance, by demonstrating that they recently used the password to log into a particular system)? How badly could this actually be abused, in practice, in Ireland specifically?


> As a theoretical or as a practical matter, is there ever actually any possible way to prove that you don't know something like a password?

No, you can’t prove a negative. Though some agencies may try lie detector tests, those have been proven fairly useless


That is a wonderful guilty until proven innocent law...


[flagged]


Anyone here with reasonable knowledge of Irish jurisprudence?

Is that a reasonable worry for someone who has an encrypted drive that they forgot the password for?


>has an encrypted drive that they forgot the password for

This scenario is indistinguishable from just simply having a chunk of random data in your possession. Let's say you decide to use shred to delete some file, any file. If you become the target of an investigation and they find a deleted file and the blocks haven't been overwritten since you ran shred they could claim that this file was an encrypted archive and jail you for 5 years for not being able to "unlock" it.


Spoiler: no they are not.

EU Directive 2016/343 part 25 very clearly prohibits this kind of nonsense. Yes, the Irish state insists on pretending that EU law doesn't exist over and over and over again, but how wrong it is about that is documented by its endless appearances at the CJEU in Luxembourg and its 0% win record.


Where did you get the 0% win record? Googling throws up a bunch of cases which have mixed outcomes - most recently their success in the case against the commission.


What is the deal with the governments of the British Isles being so intrusive and privacy hostile? I'm always hearing about new laws that intrude on personal privacy while also establishing an extensive surveillance capability. What is it about the cultures of that place that make the people so accepting of such government overreach?


I’ve wondered the same thing but chalked it up to some sort of selection bias.

I always remember Pink Floyd’s Another Brick in the Wall Part 2 [0] and the story of how authoritarian British schools were. I guess there some sort of contingent for making lots of rules and demanding adherence.

There’s a pretty great book called Albion’s Seed [1] by Fischer that goes into the four groups of British people that founded America. The “border” peoples of Scotland/north England were pretty anarchistic and moved to the colonies fleeing British rule. And I think there was quite a bit of rule that resulted in the people who don’t follow rules leaving Britain for the US/Australia/other colonies. So after a few hundred years, that perhaps had an effect on the type of people who stayed.

[0] https://youtu.be/HrxX9TBj2zY

[1] https://en.wikipedia.org/wiki/Albion%27s_Seed


> The “border” peoples of Scotland/north England were pretty anarchistic and moved to the colonies fleeing British rule.

And they ended up in Appalachia because even the other colonies couldn't stand them and kicked them out.


I can't really speak for them, but I keep seeing this in the US too. Individuals just don't seem to have any real recourse. These laws and systems are kafkaesque--there's just some system out there that determines the rules, and good luck finding a functioning way to push back.

Also, here's one of my favorite fairly relevant quotes:

> "We operate under the rule of law and are accountable for it. In some countries secret intelligence is used to control their people. In ours, it only exists to protect their freedoms."

- William Hague (UK Politician)

https://www.bbc.com/news/uk-politics-23053691


Maybe this is just my inner American, but what the Irish government is doing is tyrannical. The idea that you must render your secrets to the government just seems anathema to personal liberty. This must run afoul of some human rights commitments the UK has made, no? And, the doublespeak of the quote you mentioned is absolutely repugnant.

Edit: I wrote UK government... I was mistaken and thought of Northern Ireland instead of the Republic of Ireland.


It really isn't just the UK (or Ireland) though. Governments everywhere are slowly closing in on privacy and freedom.

Unelected global institutions are rising, and their vision of the future is not promising.

https://mises.org/wire/no-privacy-no-property-world-2030-acc...


While I'm sure UK police are after the same powers (or already have them!) Ireland isn't a part of the UK.


My apologies, for some reason my mind went to 'Northern Ireland' as I've come to expect this sort of thing from the UK.


Easily done. The ROI aren't as different from the the UK as they like to think.


England is a very different kind of place to most places I think you’ll find!


The UK does indeed already have similar powers under RIPA [0].

0: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...


The US is not much better. Germany [0] is not much better. This seems to be a general trend right now.

If I had to guess, police has a hard time accessing anything on smartphones and PCs - which probably is a major holdback for them - and hardly anybody involved in the making of the legislature has enough technical understanding and/or political stake to defend the privacy side of things.

[0] https://www.heise.de/news/Cyberbunker-Klausel-in-StPO-Durchs...


Most people are not accepting but there is only so much power you have over an elected government. Previous suggestions have been stopped though so you can kick up a stink sometimes and have the right results.

I also don't think it is that unique to the UK. It was a multi-national attack that broke EncroChat and the Australians breaking An0m (maybe with US help). Some countries love privacy at all costs like Germany and Scandinavia, some don't even assume they have privacy like Iran and China and those in the middle, like the UK, want to pretend they have privacy and are principled until they need to solve a crime and then it goes out the window!


Just for the avoidance of doubt, Ireland is not part of the UK.


English law has basically no protections against search and seizure (no posion tree doctrine). So police are used to doing as they please and politicians like it too. The mathematical impossibility of breaking hard encryption is an afront to literally hundreds of years of entitlement.


It's the "If you have nothing to hide, then you have nothing to fear" culture. People still trust authorities with their information and believe that nobody cares what kind of illnesses they have or what kind of porn they are into or how their body looks like or what they talked about with mates.


Look into the history. Rebellions of all kinds have been ruthlessly and brutally suppressed. The aristocracy is not as important as it used to be in Britain, but but it's still a power-centric society where those without have few choices open to them. Despite winning independence from Britain a century ago and having a clearly written constitution, Ireland kept a great deal of the legal and some of the social culture; following independence the informal power just moved towards the catholic church and (as always, everywhere) toward money.


> cultures of that place

Aside from sensitivity around the (technically correct but the status quo should always be open to question) term "British Isles", even accepting that term geographically, conflating the islands culturally demonstrates a certain level of ignorance on the subject.


I think it’s partly down to more visibility since these are English speaking countries, so the dark underside is more exposed.


Random thought: they all have terrorist attacks in recent-ish memory.


It's Limerick criminal gangs and the typical "think of the children" approach of using pedophiles to limit everyone's freedom that are used in rhetoric here way more than terrorists


The Limerick gangs were more or less dealt with about a decade ago. It's the likes of the Kinahans, and possibly some of the various dissident republican groups, who are much more of a target for this bill.


Of course, and we sent the largest organization covering up for pedophiles a nasty letter and let them continue to run schools.

What's used in public discourse and what's at large are two different groups.


Ireland is not a British isle. Irish police are unarmed and the country is not a surveillance state. However, there have been some high profile cases of murders committed by drug gangs who have used encrypted phones to put their communications beyond scrutiny / use in evidence. Ireland is a democracy and the public is perfectly able and willing to change govt if it sees fit (and it does so regularly). I think you'll find that in Ireland the people wonder WTF is wrong with the US that it could elect a cretin like Donald Trump to its highest office, denies healthcare to its citizens, tolerates vote suppression, electoral gerrymandering, mass shootings, endless racially motivated police assassinations, unlimited corporate expenditure in political campaigns etc. Ireland is fully signed up to the EU's GDPR which puts citizen's data rights on a far firmer footing than those of Americans.


https://en.wikipedia.org/wiki/British_Isles

>The British Isles are a group of islands in the North Atlantic off the north-western coast of continental Europe, consisting of the islands of Great Britain, Ireland, the Isle of Man, the Hebrides and over six thousand smaller islands.


> In Ireland, the term "British Isles" is controversial, and there are objections to its usage. The Government of Ireland does not officially recognise the term, and its embassy in London discourages its use.


The term "encrypted phone" is meaningless and stupid. Do you use imessage, whatsapp, signal or any chat app that is currently thought of as "good" by tech or privacy people? Then you have an "encrypted phone". Does your phone have a lock code that is not easily hackable? Then you have an "encrypted phone".

It'd be hard to find any person using a smartphone whos phone is not "encrypted".


Maybe it's socialism? It creates the feeling that we're all in it together.


>What is the deal with the governments of the British Isles being so intrusive and privacy hostile?

I don't consider Ireland to be a "British Isle" -- 26 counties out of 32 on the island are Irish.

How and ever -- we see the US in the same light. You're so hostile to privacy laws like GDPR and we aren't etc.


The "British Isles" is a geographic term encompassing Great Britain and Ireland, plus some smaller islands.


This is technically correct, but no context is devoid of political overtones and there's very reasonable arguments for decolonising the terminology.

"British Isles" is the widely accepted term internationally in large part due to the historical dominance of the British Empire, coupled with the ongoing influence of the British state internationally (particularly in the anglosphere). It is however not a generally preferred term within Ireland, which is worth noting alongside any technical facts about geography.


You're correct, and I'm British, but it's not surprising to me that an Irishman would object to it.

Besides, to us 'English Channel' is a geographic term; in France it's La Manche ('the sleeve'). (Having said that we do say 'Irish Sea'.)


Quite correct. Just like “GB” (“Great Britain” or “Grand Bretagne” in the original French) means “large Brittany”.


Bizarre comment. British isles is a geographic term, which is correct in this case.

No one for a moment is suggesting that because of that you have to drink tea or invent the computer or anything else that is considered British.


> You're so hostile to privacy laws like GDPR and we aren't etc.

You're arguing about an entirely different context. One involves private corporations, one involves the powers of the government. It's critical to make a distinction between those things, they are not the same issue at all.

Facebook, fortunately, doesn't have taxing authority, regulatory authority, law-passing authority or a private militia. I can banish Facebook from my existence, I can choose never to use their services, and I can legally use numerous options for blocking their ability to track me (and do so quite easily). Try doing that with a government that passes a very invasive law, just tell them to right piss off with their laws, refuse to obey their laws.

It's fine to argue for restrictions on privacy invasion re private corporations. However these are two separate matters to be argued, what should be allowed in the private sphere vs the public/government sphere.


For Irish people who wish to subvert this order, there's a handy concept in cryptography known as deniable encryption. Essentially, users (you) may convincingly deny that a plaintext version of encrypted data exists.

VeraCrypt, a source-available encryption program, supports this form of encryption, such that you can create an encryption file, say 1GB. You place a password on the "outer" volume, so that when you enter the password, it mounts the encrypted volume and it appears unencrypted. However, you also put into place an "inner" hidden volume. When you enter the password for the inner volume, it mounts a separate encrypted volume. Adversaries cannot detect this inner volume, and when they twist your arm to unlock the encrypted veracrypt file, you can enter the password for the outer volume, keeping the secrets of the inner volume safe.


so let's say the encrypted volume is 1GB. let's say there's 250MB stored in the hidden volume. Can't you reveal the existence of the hidden volume by writing data to the 'outer' volume until it is full? If you can't fit 1GB of data in the 'outer' volume doesn't that mean there must exist a hidden volume?


When mounting, you must provide the outer volume password and you may provide the inner volume password. If you mount the inner volume, you must provide the inner volume password.

If you are plausibly denying the existence of the inner volume, you mount the outer volume without the inner volume password. The driver happily overwrites the "free space" where the inner volume keeps its data. It is in fact unsafe to modify the outer volume at all without providing the inner volume password (if an inner volume exists).

[edit] VeraCrypt it seems only accepts the outer volume password when creating the hidden volume, but here's more about it: https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volum...


Great. Now they don't know when to stop twisting your arm.


I understand how "clever law hacks" like warrant canaries are not clever when faced against actual law enforcement practices. I say this to try to explain that the following isn't meant to be a clever trick and instead is meant as a reason why I worry about these kinds of law.

I have a very long passphrase that I only have to enter at machine boot up time. After entering the pw once the password manager remains open in cache and can be opened with a much shorter and easier to remember password. Because I do not restart my phone or devices frequently I don't need to enter my password often and so my very long complicated password isn't used often. My practice has been to automatically restart my phone whenever I am approached by a police officer. This has happened maybe once in the last year or 2.

If I live in Ireland, am I screwed when the stress of being detained causes me to forget my very long, complicated, and infrequently entered password?


I'm genuinely wondering how someone could implement a system that functions like a dead man's hand where the key to recovery (despite entering the valid password as required by law) which lies outside of the jurisdiction of that government, or relies on the data being unavailable for a long stretch of time.

>"If I live in Ireland, am I screwed when the stress of being detained causes me to forget my very long, complicated, and infrequently entered password? "

As for this part, I've become a cynic after learning so much about how courts actually function on a daily basis. There really isn't anything stopping a judge from simply finding you in contempt of court - even if you legitimately did lose your password. Ultimately, if the judge wants to, they can easily drag you through the mud and you have virtually no recourse.

Edit: I know Apple has a feature that disables FaceID that acts like a 'panic' button. How do the courts deal with that?


Sometime during quarantine I had an evening thought excercise about clever password choices in this context. It was a fun game, and would be a cute scene in a movie or a book.

Ultimately the password `fuck you cop I'll never tell` is a fun idea, but little value. Complying without appearing to comply might change up the game a bit, but you're still screwed.

_edit_ it is kind of fun to think of a password so offensive that it doesn't matter who asks you, they won't believe that's your password. Technically might buy you some time before they figure it out.


> a password so offensive that it doesn't matter who asks you, they won't believe that's your password.

If they don't believe it's your password, then you haven't really avoided the punishment for not disclosing your password (although you might take some comfort from a kind of moral victory, having told the truth and complied with the letter of the law).

Instead of coming up with a password that offends the police, a better approach is to come up with one that interests them, specifically a detailed admission of a crime. For example, the password could be of the form "I killed John Doe, and buried the body in my garden".

Assuming your jurisdiction has protections against self-incrimination, and you can convince a judge that your password really does contain such information, they may have to choose between not learning your password, and giving you some sort of immunity deal.

Of course, if this approach leads to innocent citizens routinely committing crimes just to come up with a unique password (or worse, criminals baiting police into giving them immunity in return for access to dummy encrypted data) then the only law that will be followed is the Law of Unintended Consequences.


>Assuming your jurisdiction has protections against self-incrimination, and you can convince a judge that your password really does contain such information, they may have to choose between not learning your password, and giving you some sort of immunity deal.

I think it's quite unlikely they'd give immunity, especially when they could just instruct you to unlock the device and hand it over without telling them the password


I'm assuming the offensive password works in a situation where you have a deadman's handle. So then a month later you can say "I told you my password was '$offensive-phrase' and can prove it was, now you need to release me" (presumably after your lawyer acquires the audio from the interview to back up your assertion).


The way the law is worded (see my other comment), the police can force you to do whatever is necessary to unlock the device by any means at your disposal, not just disclose your password. While this would be technically a terrible idea on their part for a number of reasons, having a clever password would not be helpful.


I wonder if its possible to easily set up a phone or other device with a multiple password/ login system that depending on the credentials could either show something benign or wipe the device. I'd expect such systems to become more popular (and make the main result of these new powers be that police have a new tool to harass unsophisticated and already downtrodden folks, rather than actually to disrupt any serious crime)



Is there some more modern version of this?


Okay, I know it's very keyboard-warrior-eqsue, and I don't know how I'd really react if actually faced with this situation, but I think this is something I'd be proud to sit in jail over.

Ask me after a month/week/day/hour of course, but I hope I'd be strong enough to deal with this appropriately.


> My practice has been to automatically restart my phone whenever I am approached by a police officer. This has happened maybe once in the last year or 2.

In the United States (where I live) this seems risky. I think most here would prefer their phone to be on and readily available for filming in case they need to film the police encounter. We have a lot of cops spazzing out on people.


Yes, I honestly think you are screwed.


We're going to start needing "burn the battery on demand" mods.


Please don't bring these on airplanes.


You can use TC hidden volumes that will log you into different volume depending on entered password. It is not possible to detect that a volume has hidden volumes.

Something like this should exist natively in Android and other operating systems, but obviously there would be a push back from governments.


Whatever the likelihood of this passing, the BBC's coverage here seems poor: right now this is a Bill. It's far from being made law.

Some good analyses from actual informed Irish-based perspectives here:

https://twitter.com/Tupp_Ed/status/1404380471186821122


Thanks for this, I’ve been looking for a good run thru like this all day. There’s a lot (70 odd tweets) in that linked thread anyone looking for the summation can look here https://twitter.com/drvconway/status/1404425167699382278?s=2...

There is little in the analysis that gives me comfort. FG are the law and order party but paradoxically they have a history of passing poorly conceived laws presumably because they don’t feel the downsides will ever apply to them, and to provide enough legal ambiguity for those well connected to wriggle free. Ambiguity also good for the legal folk that constitute the rank and file of their membership.

They are currently shored up in coalition with another establishment party (FF) and the greens so it’s conceivable that much of this could get through without challenge.

Of course it’s important to remember that it is kite flying season and there is a battle for hearts and minds with the main opposition party (Sinn Féin) so it might just be a matter of whipping up their conservative base.


Serious Question- The tech that was built to be an answer to this sort of thing ,Deniable Encryption and Plausible Deniability, exists in ...it looks like, Veracrypt, and possibly the Phone variant EDS(to a smaller extent)-

But, how come there's been nothing else in the field? The only thing that appeared in the past decade to be more advanced on that front was this,

https://www.bankinfosecurity.com/rise-self-concealing-stegan...

https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Schaub-Perfectl...

https://portswigger.net/daily-swig/russian-doll-steganograph...

and there's been nothing since... It must truly be hard to make fully deniable encryption mechanisms..unfortunately....


It seems every time that England and its neighboring countries create any form of legislation regarding the internet, it's in an authoritarian direction. It's distasteful and gives me a bad feeling about these places.

People should get on a ship somewhere and build a colony with freedom as an ideal. Something like that.


> People should get on a ship somewhere and build a colony with freedom as an ideal

Somebody tried that. Did not fare that much better [0].

[0] https://en.wikipedia.org/wiki/Mass_surveillance_in_the_Unite...


I think he was talking about Seasteading: https://www.seasteading.org/

(j/k, kinda)


> People should get on a ship somewhere and build a colony with freedom as an ideal. Something like that.

https://en.wikipedia.org/wiki/Liberland


Wow, this is very bad. Best to only ever use apps with self destroying messages and not saving images except where you want them to be seen. Warrant or not, this is going very, very far.

I do not think these warrant issuing procedures will be throughout, either way, would never trust it.

Which politicians are responsible for passing this into law?


Heather Humphries. She is a stand in while the Minister for Justice is on maternity leave. She can get away with politically toxic stuff because she enjoys staunch support in her constituency. She’s not known for being the brightest so could not have held such a brief under normal circumstances but she is great for doing dirty jobs.


Ah yes, thought something like this. This is one of these laws, on itself it bad, but people will not realize, because they're - ironically - too busy on their phones on social media....

Nobody will go protest in the streets over this.

But a couple 100 single of these shenanigans and the people will ask themselves how we ended up in this mess, and everyone will jump on the divide train and blame the "other" party, when it's really equally distributed usually.

Testimony to that is that nobody opposed this hard enough to bring it down.

The only bright side to this is, it appears the governments cannot easily access all things, despite five eyes and international collaboration.

I find if a case is bad enough for a warrant, then maybe deploying a keylogger or similar would be the better way. At least then it's handled by a specialist. But delegating this to police officers? Hellno


Ireland isn't part of the Five Eyes though.

I don't really think Helen McEntee's maternity leave is relevant either because she's in the same party as Heather Humphreys, and they are in a three-party coalition government. There's no main partisan divide like there is in the US or UK.


Do you really think Humphries just decided to introduce a bill while McEntee is on leave? Surely this bill would've been in preparation for months.


That's what I'm saying. I don't think they were sitting on it until McEntee left either.


No but they got humphries to jump on the bomb. Just like they did with the PUP.


There’s no partisan divide? You’re having a laugh.


There is no main partisan divide like there is in the US or UK. We don't have a two party system.

The last election was basically a three way tie, with a significant vote share split across another handful of small parties and independents. It's way more complex than just FG v SF.


We have FF+FG, a pantomime to collectively keep the conservatives in power, and we have everybody else. FF+FG have been in power almost continuously since the formation of the state.


I feel like this was part of a William Gibson short story (Johnny mnemonic maybe) where data gets encrypted with a key unknown to the bearer. The key is sent through some channel unknown to the bearer. The bearer meets up with the key holders / some Dropbox location and decrypts data.

The enhancement here would be some little unencrypted portion/vm so the bearer can play FarmVille in transit.


This gives the police the power to force folks to give their passwords to the police when there is a valid search warrant issued for the electronic device.

Not saying its great, but at least they have to have an actual search warrant for it first.


The law gives police the right "to seize any material found at that place or in the possession of a person present at the place" and "to request assistance from persons present so as to gain access"

It sounds like anything found at the at the address of the search warrant is a valid target, and you are legally required to assist no matter the reason that you or your device was there.

A search warrant is extremely powerful and should clearly spell out what it's searching for. If the police find something outside of the scope of the warrant, at very least they should be required to go back to the judge and justify why they should have access to it.


I don't think Ireland scopes their warrants like the US. I think warrants are location based.


We need dual profiles on phones and computers - that is you can log in to the same account using different passwords and that will land you in a different environment depending on which password you used. You cannot mathematically prove that there may be a second account and thus that gives you a lot of plausible deniability.


This makes me half-wonder whether or not concerns about this are preventing Apple from implementing multiple iOS accounts.


Cross Ireland off the list of places I want to visit. A man's phone is an extension of his mind.


Wait & see if the bill passes in parliament. After that, I may very well contemplate emigration myself (but... to where...)


Fortunately, nobody has jurisdiction over your brain. They can ask you to reveal the password but they have no way to extracit it from your head. You can always claim you forgot it.


The UK has a similar law [0], which has been used in the past to prosecute people for not disclosing their passwords [1].

[0]: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

[1]: https://www.newstatesman.com/blogs/the-staggers/2010/10/poli...


If the Irish legal system is like the U.S. the judge can conclude you are lying and throw you in jail for contempt of court.


That's not quite true. The Crown would have to prove that you had either obstructed the investigation (in which case the crime would be perverting the course of justice) or you have deliberately disobeyed a court order from a previous court hearing, in which case you could be jailed but I am unaware of a judge deciding that you can be jailed just because they don't believe you.

Disclaimer: UK resident who is NOT qualified in law ;-)


>Disclaimer: UK resident who is NOT qualified in law ;-)

More importantly these are the Gardai not the PSNI -- despite the source being the BBC which may have thrown you off.


> They can ask you to reveal the password but they have no way to extracit it from your head.

I wouldn't be too sure of that. I recall reading about some experiments where by monitoring brain activity the researchers could fairly reliably tell if a person shown a photo of a place had been to that place before.

I can't think of a way to adapt that to extracting a passcode or password, but it does suggest that the head is not as safe a storage place as we might have thought.

Isaac Asimov had some mystery short stories set in a future where there was a machine that could probe a mind and extract any information the subject knew, but there was a very small chance that a probing would drive the person incurably insane.

The way they balanced the right of privacy and the need to protect people from crime was to only allow any given person to be involuntarily probed once in their life. Of course this led to many criminals trying to arrange so that they would get involuntarily probed either over something they were actually innocent of or over something they did but that did not have too long a sentence. The criminals recognized that for really serious crimes juries would be reluctant to convict without probe evidence, so once you were probed you could take your criminal career much more safely to the next level.


Idk, there's ways of making you speak

https://xkcd.com/538/


If your threat model includes "The government is prepared to torture me to obtain my encryption keys", it should also include "The government is prepared to lie and claim they found incriminating evidence on my device, and lock me away forever."

Just make sure that your device doesn't contain information incriminating other people who the government are trying to track down. That means not using real names, or metadata that connects pseudonyms with physical identities (e.g. phone numbers).


"Sorry sir, I've been trying to remember it all day. I think 10 more times might do it."

Fuck giving testimony against yourself.


Ooof, what happens if you use some sort of hardware key as your password - yubikey or similar - and it ends up getting broken somehow (maybe during you being tackled to the floor or something), there would be no way to recover that password or TOTP.

Simply falling over and breaking it on your keys would be enough to put you foul of this law?


Presumably not, because "the key is broken" is not the same as "I refuse to hand over the keys". This law, rightly or wrongly, is concerned with the latter concept.


Right ok yea, that is a difference.

I guess "Ah crap, it was on my keys earlier, I must have lost it - I can't do anything" would be a grey area!


I don't think it would be a grey area. If the police couldn't prove that you were lying or had deliberately obstructed the investigation, it would be tough luck for them if you couldn't get into your own device.

If you were prepared to lose your device, it would be easier to ditch it than ditch the keys but, again, not all criminals think that far ahead. I read that they caught Dread Pirate Roberts because he thought he would never get caught (in a public library!)


I dunno, "losing" a Yubikey Nano would be a lot easier and more believable than "losing" a laptop that you are known to carry about. In terms of plausibility, I'd favour the key being "lost" over the device.

Also, if you have a backup key somewhere, you haven't lost any data or your machine.


Make sure they don't know a backup exists though, or you'd have to unlock that.


So there's at least some demand for a key that works like a Yubikey but has a breakable form (that presumably sets off a piezo device that scrambles the key). Keep it in your pocket, break it with your hand, or slam your hip into a wall/floor to break. Make sure to take the key out before you sit down!

Or, once they exist, just carry a broken key with you for plausible deniability?


How well does the I can’t remember excuse work in this case?

This actually is pretty bad. Password is not just for information revealing. It’s for proof of ownership and control of the accounts. Revealing the password means ceasing control of the accounts to police.



Its court will strike this down in toto as unlawful. About twelve years from now.


Ireland is currently a country that is very friendly towards large corporations, and a lot of EU data is stored in Ireland. I don't see how these rules safeguard such data; and I don't see how GDPR is complied with.


I guess that if you have PII on your device/machine that is extra sensitive, you probably also have a decent size company behind you, in which case you could refuse until the legal team gets to you and challenges the warrant or asks for an actual forensics team to do the investigation - of course you may just give it up and let the company deal with the fallout after.

If as another commentor has said, it is based on location, rather than specific devices, then I can't see a lot of these warrants holding up once it affects someone with a lot of classified stuff on there. Eg. You pop round a friends house from work, you do contracting work for the MOD and have your work laptop with you, turns out your friend is involved in some financial "bad stuff" and you happen to be there.


GDPR explicitly permits data to be accessed for legal purposes. I'm sure most judges would be well aware that their warrants shouldn't be overly broad but there is also a trust in legal officers to be discreet enough not to disclose anything they might have accidentally seen.


That reminds me of the recent post titled "I Miss the Old Internet (2019)" ... every time they create a new law, it makes the old Internet disappear.


From the article:

> "Irish police will have the power to compel people to provide passwords for electronic devices when carrying out a search warrant under new legislation."

This is not unique to Ireland, we see this here in the US as well.


This is something that varies state to state. Quick search shows that Pennsylvania considers giving up a password as self-incriminating testimony (protected by the 5th amendment), while Massachusetts does not. They can generally force you to use biometrics to unlock or give them a physical key anywhere, however.

This seems to be an actively developing area of law around the world.


Hold power button on iphone and it disables biometric without turning off the device

They might still have a way to image it though, depends on the day as the imaging software always gets thwarted


Power+volume whoops

Also believe it depends on the model but the 12 pro does it like this and a few models before


On the subject of the fifth amendment, there was a (possibly) non-serious theory that having one's password be the admission of guilt to a crime would serve as protection as revealing the password would actual be self-incriminating. Like most legal theories on the internet, it (probably) isn't true.


> [...] we see this here in the US as well.

This is only true when the revealed information is a "foregone conclusion", specifically when it "adds little or nothing to the sum total of the Government’s information."

Here is a good treatment on the subject: https://harvardlawreview.org/2021/04/state-v-andrews/


I'll likely already know the answer (jail time?), but what if you were to "forget"?

I have some long passwords that I keep out of password managers for private stuff that I don't want to be leaked from a password manager leak or w/e. I can remember them, but had a really hard time remembering even the start of most of them after not using them for a few weeks.


There have been times that I’ve had to close my eyes and completely rely on muscle memory to enter a long password. Last time it happened was after a 2 week vacation.

That kind of timeframe isn’t abnormal for the speed of law.


This happens to me a lot. I need to have access to keyboard for being able to type some older password. Same thing with pin codes.. Funny how brain works.


Impressive! After all these years I still need to look at the keyboard.


I find it somewhat disconcerting that my fingers remember my passwords better than my brain does!


Muscle memory still happens in the brain. A better description might be unconscious memory. I believe the proper term is "procedural memory". https://en.wikipedia.org/wiki/Procedural_memory


I would love to go visit Ireland and some point, it is supposed to be a beautiful country and I am a history buff, there are so many interesting places to see.

I guess it will have to wait until this law is struck down, if ever.


it would be great if phones allowed you to store 2 different passwords. One to unlock the phone as normal, and the other would actually wipe the phone. Sure, officer, my password is "deleteitall"


I keep seeing this suggestion, and it seems not to occur to the proponents that it would simply land someone with destruction-of-evidence charges.

What I want is a system that has two passwords that unlock two wholly separate partitions, one of which is anodyne and the other which is where I keep my private opinions about Big Brother.

Of course, astute investigators might wonder why the accessible partition only uses half the storage capacity of the device; you might wish to make your secret space very small and perhaps use some compression scheme as well. If you have a large amount of information that you wish to keep private, you're probably best storing it somewhere else entirely and only accessing it remotely.


> I keep seeing this suggestion, and it seems not to occur to the proponents that it would simply land someone with destruction-of-evidence charges.

Only if someone can prove the data was there in the first place.


I don't think so; 'evidence' takes in more than just 'what you're looking for.'

If I put in my password and you get back a reset phone with no personal data whatever, then it's rather obvious that I've wiped it (eg my wallpaper picture has likely reset from my personal taste to the system default). So now you don't have the evidence to convict me of what you suspected me for, but you can bring another charge, and DoE charges will cause most people to assume that the original accusation/suspicion was well founded. If you are able to prove it by other means I'll get less sympathy from a jury and likely a much higher penalty.


Yes, the same applies to the current existing functionality of iPhone and Android to remotely wipe your device. How is this different?


What's to stop someone from "forgetting" their password?


It's better to live life in prison for not giving up a password, than to be convicted of whatever they might find. (Not all will agree with this mentality, and that's fine.)


Why? Isn't life in prison effectively the conviction?

I could see, "better than to reveal a secret", but that's not "conviction"


There's different types of prison


So what is being done (if anything) to push back against this? Are there any Irish civil liberties organisations kicking up a fuss?


The bill's only been very recently published (HN is picking up on this quite quickly), so there hasn't been very much official commentary on this just yet.

The Irish Council for Civil Liberties are in the process of analysing it https://twitter.com/ICCLtweet/status/1404417358135971841

Otherwise though, there has been widespread backlash. The govt. absolutely have the votes to push this through parliament if they want to, but public sentiment could definitely give them pause.

Given the scale of the bill, and it being accompanied by another related bill which apparently reduces oversight of the Garda (police), my suspicion is that this is a strategic strawman bill, with the intent being to push through a watered-down-but-still-pretty-terrible version of it after some "consultation" & amendments to remove the most publicly-objectionable highlights.


Thanks. What's the underlying motive behind the push do you think? Political pressure to do something about the kinahan/hutch gangland killings? Can't see how this would be particularly effective for that but it seems to have come from nowhere no?


Honestly I've no idea.

Off the top of my head, while the severity and scope of this is indeed surprising, the direction is not. Just as police authoritarianism has been on the rise internationally (notably in the misuse of vague anti-terrorist legislation in the US & UK to grant broad policing power in many areas unrelated to terrorism), the same trend has also been present to a certain degree in Ireland. FG have been in power for 10 uninterrupted years and have traditionally been the law and order party. Their idea of police reform when the Garda was hit with numerous misconduct scandals was to install a former-RUC officer as head of the Gardaí. So this is all ideologically in line with the ruling party at least.

Additionally, anti police sentiment has generally been on the increase in the past 2 years so this could be a response to that. Recently the country has been trying to open up post-covid by encouraging outdoor dining, events and gatherings (given doing so indoors is still prohibited), with many initiatives being heavily invested in by local city councils. Those initiatives have been completely undermined by riot police arriving to clear public spaces & incite street violence, seemingly with no communication or coordination with local councils (local councils typically being populated by representatives of parties who are in opposition at national gov level).

So... it could be a lot of things. Or it could be gangland killings.


My friend's password is "All pigs must die"



It's not.


Why not? I think it's exactly relevant.

Replace "hit him with this $5 wrench" with "put him in jail for contempt of court" and it amounts to the same thing.

Give us your password or we will do bad things to you.


Last time I was in Ireland, we only saw a Guarda at the airport and nowhere else. I mean, nowhere else at all. No police cars on any road and none in any towns. It was very quiet so how would they enforce this?


Organise a protest against being taxed a third time for water, or protest against a large fashion company pulling out with giving you your contractually obligated severance pay, and the Gardai will show up 40 strong.

Landlords have gotten Gardai to assist evictions multiple times, even without cause or paperwork being shown.

In contrast, a week ago or so it came out that Gardai were ignoring thousands of domestic abuse calls to emergency services - just deleting them without follow-up.

I could go on and on but let there be no doubt, these are not people you would want to trust with your phone - and if you are crossing them they absolutely will show up and stand by as you get pulled around by your ears by balaclavaed thugs, etc.


Just because you didn't see any police on your visit doesn't mean there are none.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: