From a legal perspective, this is a troubling side-effect of a poorly-crafted law. His lawyer should have had the power to negotiate immunity from prosecution for unrelated charges that might have spurred from disclosure during the original process.
"you can now be thrown in prison on no more evidence than the presence of a few pieces of paper in a filing cabinet that the police can just claim is evidence that you're refusing to give up"
If you did a full wipe of a pendrive with random data,and didn't create a filesystem, you would now have a device that could be used to incriminate you, even thought it really, really isn't encrypted. But you can't prove that.
So I guess that if I were to use your analogy, the police would look through your cabinet, find a few pieces of paper,and then demand that you tell them how to read that invisible ink that you used on the paper. What ink? - you might ask. But it's irrelevant, you can still go to jail for not telling, even though there really is no ink.
This is why we have judges. In order for a warrant to be issued and enforced there has to be evidence that there is something there to search for.
Please, they can just ask for the algorithm and passord for all that data you inserted in your photos through stenography.
Also interesting that a password based on word-and-number games, an approach that has been criticized lately as vulnerable to new attacks using common password fragments, seems to have flummoxed the pros in this case anyway.
Here's one point that I think should be referenced more prominently, maybe in the headline somehow:
Police accessed the memory stick [as part of a counter-terrorism operation] and found it contained ... nothing relating to terrorism or national security.
That is: We convicted this guy of a crime for obstructing a terror investigation, even though he wasn't actually doing that. We used our special emergency terrorism powers to push someone around and make demands that were potentially impossible, but it turned out to be just another false alarm. Of course, the guy we pushed around is a certified scumbag and he doesn't look like the sort of white-bread upstanding citizen that most readers of the article imagine themselves to be, so we can count on you to not get too worked up about the whole thing.
If you're talking about the Ars Technica article that showed that crackers are using common passages from books and movies, it's worth nothing that it's not some kind of issue with passphrases, just the construction of them.
It is not a bad thing to use a passphrase (the Ars article implied that by saying "your long password isn't safe either," or something to that effect.) It is a bad thing to use a passphrase that is not randomly constructed. It's just the same for passwords, and, indeed, cryptographic keys.
It's a numbers game. If it's not random, there's a pattern/bias. If there's a bias, an attacker can exploit that. If there's no bias--i.e. the words of a passphrase were truly randomly selected--then there is no method to crack it more effective than brute force.
Information - the password, is in his head.
For example, do judges need to issue the paper work or can a senior police officer do it?
Not that you are likely to get any jail-time if you kill someone while drunk-driving here...
Given that he doesn't share my ideals, or indeed, much like anything i might be open to considering, he can go fuck himself, if you'll excuse my language.
If someone is accused of terrorism (however flimsy the accusation), that's now enough to damn them in your eyes and strip them of their civil rights, that's quite dangerous and open to abuse.
You can now be jailed for withholding a password, without evidence that any crime was committed.
"He was already in jail for being part of a cell that considered attacking a Territorial Army base in the town."
or this part of the story:
"Hussain and three other men were jailed in 2012 after admitting discussing attacking the town's TA headquarters by placing a homemade bomb on to a remote controlled toy car."
Not exactly a flimsy accusation. They had ample reason to believe the USB stick may contain additional plans for other attacks. Without knowing if there were others involved, I'd say they were right justified in what they did.
And it seems to mean that any password can now be presumed to be incriminating evidence. What happens if my company gets investigated for some financial fraud and they find a forgotten password protected usb stick in the back of a drawer. Now the prosecutors can threaten me with jail time unless I prove that I do not know the password to that usb stick. How can I begin to mount a defence to that? That presumption of guilty until proven innocent is whats wrong here.
You leave a lot of details out of your example. Such as, where you low level developer or a financial officer responsible for the company finances? If you were the latter, there would be ample suspicion to think a locked USB stick in your drawer would be useful evidence in the case. If you were a low level developer, probably not so much. You have to build context to determine if someone should be considered suspicious.
Obviously it isn't enough to say "I reckon he's a bad man, strip him of his rights", but once someone has been convicted, there are certain rights that they rightly lose (e.g. if they are given a custodial sentence, they no longer have liberty).
There may be arguments as to why this should be a right that even convicted criminals should retain, but that is a totally different argument to whether an accusation is sufficient to remove someone of their right to privacy.
Under UK law (RIPA), I think he is. If he is accused of a crime, and the police want him to decode information, he has no recourse and will be sent to jail for not doing so.
Don't equate the term "accused" with the term "convicted". They mean totally different things.
What I was trying to get at was that the word terrorism has been used to scare people into judging others when in fact there is no solid proof - for example in the case of David Miranda, his rights were infringed on the basis of an accusation of association with terrorism. Sorry I didn't meant to imply that in this particular case the man was only accused, not convicted, though it was not an act of terror, only being involved (how involved?) in planning an attack.
There are degrees of evil when it comes to attacking other people, from association, through proven plans, through actually carrying out an attack (which is far worse). I think it's important to distinguish these degrees and not switch off all judgement when the word terrorism is mentioned, and I don't think that your rights should vary depending on which category of person you are - everyone should be equal under the law. The most evil criminal in our country should have the same rights as everyone else, because otherwise everyone's rights will gradually be eroded.
This is a sorry state of affairs, leaving us in a situation where all we can do is trust the judgement of those in power not to abuse it (not much hope there), and the judiciary to keep them in check if they try (only slightly more hope there).
I agree that there often seems to be a bit too much waving around of "terrorism" to justify government infringement of rights.
However, I still disagree with your assertion that the most evil criminal should have the same rights as the rest of us. This should certainly be true until conviction and once their conviction is spent, but as I mentioned before, a convicted criminal (in the case of a custodial sentence at least) quite rightly loses freedom of movement. Freedom of association is rightly withheld from prisoners released on licence. Convicted prisoners also lose the right to vote, which is arguable as to whether or not that is right.
There is clearly a list of rights that can rightly be withdrawn from convicts, so the question is which rights belong on that list and which ones don't? Bear in mind that poorly worded laws such as RIPA may come about because of a desire to keep that list as short as possible, constraining the rights of all of us, instead of just those who have, by their own conscious action, infringed on the rights of others.
I think RIPA came about more as a way to make the work of investigators of terrorism easier, and it was just badly written and too broad.
note that forgetting the password is supposed to be a valid defence!
The group were convicted of discussing the idea of driving a bomb under the base's gate attached to a remote controlled car . They didn't actually do it. They also discussed obtaining weapons, but didn't do that either. They did arrange to attend terrorist training camps in Pakistan, but its not clear from the news reports whether they actually travelled there.
EDIT: According to  one of the group did go abroad for training.
If the discussion alone is the damning part, with disregard to the intent... coupled with some prejudice, and add irrational fear.
Self censorship is what you get.
Sorry this guy is a criminal and a murderer, his value to society is pretty low to considering he hasn't done anything of a value in his life, except moving to UK.
I do agree that "considering attacking" does sound slightly weasely and like a thought-crime; hopefully they were seriously considering it.
If people would just quit being afraid of this stuff, by definition, 'terror' wouldn't be created, would it?
Telling people the rapture will happen at 2:30pm tomorrow would in fact create terror in the minds/hearts of certain people. Are you a terrorist if you tell people that Jesus is coming back tomorrow afternoon?
The subtle difference is between using terror to reach a goal and using some action to reach a goal with a side effect that people experience terror. For example:
A group of hackers could hack into the bank accounts of the 1% to distribute their wealth among the other 99%. They don't have any intention to create terror and probably think that the 1% can easily take. Of course, the 1% will see it as an act of terror. And probably journalists, lobbyists, politicians will spin it and use it to create terror among the larger populace.
Another group of hackers is hacking into facebook accounts to make people's secrets public to try to get the public to care about privacy and not to put their trust blindly into social media. In this case, they would use terror consciously as a means to this end.
Seems to me like these guys were talking about guerrilla tactics against a military target. I don't think that's necessarily terrorism.
EDIT: Though as the defence counsel for one of the four pointed out, they remained free for another 7 months after the alleged plans, so it's questionable how likely they were to have been carried out.
The article might make it appear they jokingly talked/thought about a bomb, but others make it clear there plans were concrete. It mentions them going to "meet the brothers" at a training camp where duties would include "helping them making the bombs". I think it becomes a crime when it goes from curious learning to definitive plans. They weren't just thinking something socially unacceptable, they were planning to cause harm.
It sounds like they only charged him for this after he gave up the keys he was previously withholding. While I disagree with the power this law gives, its less extreme if its only used when they can prove the password was both covering up a crime and not forgotten. More of a deterrent, and slightly less of a thoughtcrime.
Conspiracy is a crime, though. A guy can be charged for saying something like, "Let's plan out how we're going to kill my wife. You go buy a gun..." The police don't have to wait until the guy actually kills his wife before arresting him.
When people you don't like are prosecuted for a thought crime, or something else you won't like good guys being prosecuted for, you don't care. Bad guys may go to hell no matter what!
When people you do like are prosecuted for technically the same thing, you might start caring, but it might be a bit late then.
A bad law is a bad law, no matter if a bad guy or a bad guy becomes its victim. The law seemingly does not care about your notion of 'good / bad guys'. It's not unlike a contagious disease hitting a bad guy. Not caring about this disease is a poor policy, even if you sincerely wish that bad guy to die. The virus is not going to discriminate.
When you protest about a bad law doing a bad thing to a bad guy, you're not doing it for the benefit of the bad guy (unless you're a saint). You're doing it for the benefit of good guys that risk to be hit with the same bad law.
If you genuinely forget the password for any data you encrypt, you are now (by precedent) committing a jailable offence.
This may extend to holding random data. Since ideal encrypted data is indistinguishable from random: prove that you are not withholding the password. Good luck.
I am still bothered that I can be sent to jail for being unable to supply a password, even though I don't know or care much about Syed Hussain.
That said, if those GCHQ bums can't hack it, put the filesystem raw online and offer 50p and a jar of pickled onions to break it, we like a challenge.
Police routinely misuse anti-terrorist laws to harass photographers, and this still happens despite the Met poloce issuing guidance to their officers about not harassing photographers.
People, especially terrorists, need due process of law.
Please try to remember that the law is blind and is meant to both protect people who do and don't share your ideals. What if some day this law were used against somebody who shares your ideals, what then? Or are you also part of the, "if you've nothing to hide you've got nothing to fear" brigade?
Alternatively (and more likely I suspect), these is some gamesmanship being played to get shiny new additional super-snooping laws passed because it's needed to cope with all this uncrackable terrorist encryption. See, here's the proof it exists ! [edit: sorry, this did not make it clear I'm suggesting it was cracked but found to be irrelevant to the terrorism case. I've expanded in a reply below.]
The UK already has laws making it an offence to have 'have information' 'which may be of use to anyone planning a terrorist offence'. This is so broadly defined that railway enthusiast pictures of trains could fall into it (and have been questioned under it - http://www.telegraph.co.uk/news/uknews/road-and-rail-transpo...)
The UK's unwritten constitution is not worth the paper it's written on. Unfortunately the US written one seems to be about as useful in protecting peoples rights these days as the UK one. (See previous HN stories of your choice)
GCHQ have considerable computing power. That probably has weird costings. Thus the cost of 48 hours to run this task is possibly costed at some huge amount that police forces cannot afford unless they know it is a significant target with a spectacular result.
Remember this was originally a terrorist case; there would have been plenty of resources made available - there always are for these.
A likely scenario is it was cracked and found to be irrelevant so the option of going for a political angle for more powers was much more preferable than letting some low-level frauster know his encryption had been cracked (and hence letting lots of people know the USB encryption was worthless and risking real terrorist cases where suspects used the same approach).
Just wow! Does that include engineering books?
Under the Regulation of Investigatory Powers Act 2000 it doesn't matter whether you forgot a password or not. Failure to provide it is against the law.
This Act has proved highly controversial for a number of reasons. The potential for fitting someone up by claiming that they aren't disclosing a password that in reality they can't disclose was one of the civil liberties concerns expressed even before the Act was passed.
It seems like there was a reasonable reason to suspect that the drive might contain actual information that was needed for a serious crime, and a proper procedure was followed to get a court order to get at it.
It's like searching your house. The police should not have the ability to simply decide they want to. But if you were already in prison for terrorist related crimes it hardly seems unreasonable to give them the right to do so.
This wasn't some random abuse.
I wonder if a big part of the reason for his jailing is that he actually did give them the password in the end - making it less likely that he had forgotten it, and that he was deliberately trying to pervert the course of justice.
Of course, it doesn't help that he did seem to have plenty to hide, and he wasn't in a great position anyway.
If the normal encrypted volume looked particularly empty or unused, and the police knew the suspect used the drive regularly, they might be able to make a good case that a hidden drive must exist. But it's very dependent on the circumstances.
In this case? Yes. A bit crazy.
But in general? If I was using a hidden volume for something "deep" I'd put stuff that was technically borderline illegal (or at least frowned upon / embarrassing) on the "visible" encrypted volume. ISOs of games I own with stripped DRM, (legitimate) ebook copies of adultish graphic novels, chat logs, that sort of thing. It would make it much more deniable that I had a hidden volume.
Nothing that could get me sent to jail for too long, and (probably) nothing that would ruin things long-term, but things that would be relatively embarrassing if they got out.
Better to let them find something, as opposed to detailed plans about your terrorists plans or confederates.
Of course they can steal your stuff; it happens with physical evidence (fairly routinely, in many areas - do you really think all that sequestered ganja gets destroyed?), so it can happen with digital stuff too. There are laws and rules about this, but no physical impediment afaik.
No, they shouldn't be entitled.