Canadian Law Enforcement Want Government To Force People To Turn Over Their Passwords

from the the-legislative-$5-wrench dept

Thu, Aug 25th 2016 3:33am — Tim Cushing

Legislators and law enforcement (for the most part…) have been hesitant to demand companies build backdoors into their encryption schemes. The unwillingness to cross this government overreach line hasn't really tempered cursing of the impending darkness, however. That remains, largely propelled by a few of law enforcement's loudest mouths, who haven't seen a problem nerds can't solve, even after the nerds have told them repeatedly the problem (safely backdoored encryption) is unsolvable.

A lobbying group for Canadian law enforcement thinks it has the answer. Why mandate encryption backdoors when you can just utilize the "backdoor" built into every electronic device?

Canada's police chiefs want a new law that would force people to hand over their electronic passwords with a judge's consent.

The Canadian Association of Chiefs of Police has passed a resolution calling for the legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities.

The legislated human backdoor. Obviously, such a demand raises constitutional questions, even on that side of the border.

The chiefs' proposed password scheme is "wildly disproportionate," because in the case of a laptop computer it would mean handing over the "key to your whole personal life," said David Christopher, a spokesman for OpenMedia, a group that works to keep the Internet surveillance-free.

"On the face of it, this seems like it's clearly unconstitutional."

On this side of the border, such a mandate would also seem clearly unconstitutional, even though some courts have ruled that providing a passcode to unlock a device isn't testimonial -- even if what's on the unlocked device may prove to be incriminating.

The head of Royal Canadian Mounted Police echoes FBI Director James Comey's lament about (potential) evidence remaining out of reach of investigators. In fact, he pretty much quotes him directly.

There is nothing currently in Canadian law that would compel someone to provide a password to police during an investigation, RCMP Assistant Commissioner Joe Oliver told a news conference Tuesday.

Oliver said criminals -- from child abusers to mobsters -- are operating online in almost complete anonymity with the help of tools that mask identities and messages, a phenomenon police call "going dark."

Mandating the divulging of passwords relies on some very dubious assumptions. One, it assumes that any information still unseen by prosecutors or investigators is of evidentiary value -- hence the perceived need to force suspects to unlock devices. As was seen in the San Bernardino case, a lengthy court battle and a million-dollar payout to Israeli hackers recovered nothing of interest from the shooter's iPhone.

Second, it assumes law enforcement will use this power wisely and with restraint -- something that has historically been a problem for it. When an agency uses repurposed military technology (Stingrays) to (almost) hunt down fast food thieves, it's safe to assume forcing someone to expose their "whole personal life" by turning over a password is likely to result in the same sort of misuse… and abuse. It won't be reserved for the "worst of the worst" criminal suspects and will likely be legislated into existence without enough statutory restrictions to prevent device seizures incident to even the most innocuous of arrests to be viewed as evidentiary fishing expeditions.

The only standing between this law (if it becomes law) will be Canada's judges. While some judges may be unwilling to expose a person's entire life just because law enforcement swears it's necessary, others will be more amenable. Bring on the forum shopping!

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canada, encryption, going dark, law enforcement, passwords

38 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That One Guy (profile), 25 Aug 2016 @ 1:54am

'You first'
Prior to any vote each and every person pushing for this should be required to make public the log-in credentials to their personal computers, email accounts, and any other personal password protected systems/devices they have access to.

After all it's entirely possible that one or more of those devices/accounts might contain evidence of illegal actions, and if a 'maybe' is good enough for them, it should be good enough to be used against them to demonstrate what it's like to have their privacy stripped from them on nothing more than the whim of another.

They're welcome to refuse of course, in which case they get to enjoy being known from then on as the hypocrites that they are, demanding that their privacy be respected while the privacy of others is blatantly violated.
[ link to this | view in chronology ]
- Roger Strong (profile), 25 Aug 2016 @ 10:33am
  
  Re: 'You first'
  That would never happen here in Canada.
  
  Consider public safety minister Vic Toews in the previous Conservative government, who introduced the "Protecting Children from Internet Predators Act." A massive attack on privacy and the presumption of innocence, the bill did not mention children or internet predators other than in its title.
  
  When faced with opposition, Toews declared that you could "either stand with us or with the child pornographers."
  
  Which is when someone started tweeting details of the safety minister’s messy divorce (Mr. Toews, once called the "minister of family values" and in his 50s, fathered a child with his teenage babysitter) gleaned from publicly available court records. The tweets also detailed his spending of public money.
  
  Needless to say, he considered THAT to be an unjustified and invasion of privacy.
  [ link to this | view in chronology ]
  - That One Guy (profile), 25 Aug 2016 @ 2:07pm
    
    Re: Re: 'You first'
    Oh I'm fully aware it's more wishful thinking than anything on my part, those that tend to push for these type of bills are almost always gigantic hypocrites who also believe that their privacy is of vital importance and absolutely not to be infringed, despite their completely indifference if not outright hostility towards the privacy of everyone else.
    
    My comment was along the lines of 'this is how it should be', where those pushing for a law are the first to experience it themselves, rather than being completely immune, as I imagine were the legal system that way a lot less stupid and/or unjust laws like this one would be proposed or passed.
    [ link to this | view in chronology ]
  - Tin-Foil-Hat, 25 Aug 2016 @ 8:38pm
    
    Re: Re: 'You first'
    That is fucking awesome.
    [ link to this | view in chronology ]
  - Tin-Foil-Hat, 25 Aug 2016 @ 8:59pm
    
    Re: Re: 'You first'
    He's a judge now. I don't think it would happen here in the US. You probably wouldn't even be considered if you had an affair and impregnated a teenager.
    [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 4:03am

yet another thing that the USA has started and snowballing to other nations! why the hell cant the USA just stop with all these anti-privacy and anti-freedom laws? does it not realise that it is fucking up the planet more than even terrorism is? it just never seems to stop! and those at the top of the USA tree who are so paranoid as to want to bring in the very things it fought against Germany to stop need to get the fuck off the planet!!
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 4:07am

The Iimpending darkness is in reality the world stepping back to towards a pre-electronic era, where there was just not the records available for the governments and law enforcement to gather up and use or abuse. It is not so much the world going dark, as the world realizing leaving readable information lying around is much too tempting for governments and law enforcement to resist.
Even with encryption, the meta-data is giving law enforcement and governments much more information than they had pre-Internet.
[ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 4:20am

Remember, in the U.S., a lot of the argument against this practice is based on your Fifth Amendment right to not incriminate yourself.

No such right exists in Canada: you can be compelled to testify against yourself here.
[ link to this | view in chronology ]
- Paul Renault (profile), 25 Aug 2016 @ 4:46am
  
  Re:
  Um, in a word or two, "no, that's not true".
  
  Anyone spending two minutes googling the question "In Canada, can you be compelled to testify against yourself?", would have found that, while you can't 'plead the fifth' and refuse to testify, the Canadian Charter of Rights and Freedoms provides that (confirms a long standing rule, actually) that there's a right to not be self-incriminated as the result of testimony you give, except when the prosecution is for perjury or for the giving of contradictory evidence, even when the testimony is from civil cases - effectively the same protection as the American Fifth.
  
  https://www.bennettjones.com/Publications/Updates/Avoiding_Self-Incrimination_in_Canada
  "Sectio n 13 of the Charter states: “A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other proceedings, except in a prosecution for perjury or for the giving of contradictory evidence.” The Supreme Court has described this protection as a quid pro quo: a witness is compelled to give evidence, even if that evidence may incriminate him or her, on the condition that the evidence will not be used to establish his or her guilt. Of critical importance for U.S. counsel to recognize on their clients' behalf is that this bargain is different from that in the United States, where witnesses may rely on the Fifth Amendment to the U.S. Bill of Rights and refuse to testify."
  
  There is an exception for a prosecution for perjury or for the giving of contradictory evidence (even when the testimony is from civil cases).
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2016 @ 5:40am
  
  Re:
  There are many more reasons to oppose this, some of which have more leverage than the 5th.
  
  Can a court legally compel a defendant to violate the law?
  If so, is the defendant given immunity relative to said violation as a condition prior to capitulating?
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 5:36am

So I wonder...
what would give the biggest punishment ? Not giving up your password, or giving the password that either deletes and overwrites everything or encrypts it with an unknown key.

I wonder if they take into account two-factor authentication? Password correct but camera did not detect face or voice not recognized so now everything is gone... well they did get your password.

What if you forget your password? Can they punish you now for bad memory? What if the person has Alzheimers?
Would they force you to write your passwords down on yellow sticky notes in the future and to make it easier to remember: "you must keep your password below 8 letters with no capital letters and no numbers or special characters."
My dad would probably be very happy about this.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2016 @ 5:52am
  
  Re: So I wonder...
  There won't be any punishment... well, maybe the first couple of times perhaps. But a simple "I forgot" will be the most common answer. They can't prove you remember, and you can't prove you forgot. They can toss you in jail maybe, but for what? Forgetting your password? They have to be able to prove contempt, or prove a lie. How are they going to do that?
  [ link to this | view in chronology ]
  - Lesath, 25 Aug 2016 @ 10:29am
    
    Re: Re: So I wonder...
    They can toss you in jail maybe, but for what? Forgetting your password?
    
    They could in the US. "Failure" to remember password.
    
    They have to be able to prove contempt, or prove a lie.
    
    I don't know about Canada, but you can be criminally punished for "failure" to do things in the US, intentional or not.
    [ link to this | view in chronology ]
  - That One Guy (profile), 25 Aug 2016 @ 10:37am
    
    Re: Re: So I wonder...
    Yeah, unfortunately that's not necessarily true. In the US at least you can be tossed in jail for 'contempt of court' simply because the judge doesn't believe you, and they don't have to prove a thing. If the judge doesn't buy your 'I forgot' and thinks you're obstructing with the case by refusing to answer it's into a cell to rot until you do remember, with no maximum sentence in jail.
    [ link to this | view in chronology ]
- Padpaw (profile), 25 Aug 2016 @ 6:12am
  
  Re: So I wonder...
  The moment they decide to target you, you are probably screwed regardless of what you choose to do. If they wanted to things legally and respect you're rights stuff like this would never even be thought of.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 5:50am

Why are they even considering this? There's no need for a law mandating this since courts can already order a defendant to unlock his or her password and to decrypt an electronic device by way of a court order.

Besides, just because there is a law or a court order doesn't mean that the defendant is going to unlock or decrypt the device because it still boils down to pressuring someone to decrypt their device. If they don't want to do that, they aren't going to do that.
[ link to this | view in chronology ]
Jason, 25 Aug 2016 @ 5:57am

Mandating the divulging of passwords relies on some very dubious assumptions. One, it assumes that any information still unseen by prosecutors or investigators is of evidentiary value -- hence the perceived need to force suspects to unlock devices. As was seen in the San Bernardino case, a lengthy court battle and a million-dollar payout to Israeli hackers recovered nothing of interest from the shooter's iPhone.
This is a hypothetical I've wondered about for a while now... suppose one was "ordered" to unlock their phone (computer, etc.) and didn't want to for whatever reason. (It's not important why... let's say you're simply one of the unfortunate people with their cell phone held as "evidence" for no reason.)

Would it be realistic to propose a solution where the government must provide a specific, detailed warrant describing precisely what they're looking for and where they expect to find it (i.e., what they're supposed to do all the time) but accompanied by immunity from prosecution for anything else that might be on that phone that doesn't exactly match the warrant?

I'm definitely not a lawyer or Constitutional expert... but considering the fact that these devices really are massively personal supercomputers with practically our whole lives stored inside them, would that be a somewhat realistic compromise, a sort of way to bring the much-vaunted "All Writs Act" into the modern era? It certainly seems more reasonable than the "compromise" they seem to be offering, namely the "this cell phone is a locked door and we have the right to open doors with a warrant" argument.
[ link to this | view in chronology ]
- That One Guy (profile), 25 Aug 2016 @ 10:49am
  
  "We'll know it when we see it."
  Yeah, first of all court order or not there's no way they'd ever restrict themselves to just what they listed, more often than not searches like this are less 'searching for X' and more 'Searching for anything we can use', so a limitation like that would have them crying 'undue burden!' loud enough to shatter eardrums.
  
  Following on the above, assuming they knew exactly what they were looking for, and assuming they did only use the one specific thing they were looking for, you'd still be in a position where you'd be forcing someone to provide incriminating evidence against themself, something that's (theoretically at this point) not allowed in the US, and apparently somewhat similar in Canada, where you can be forced to provide self-incriminating evidence but it can't be used against you outside of perjury and similar charges.
  [ link to this | view in chronology ]
Padpaw (profile), 25 Aug 2016 @ 6:03am

No doubt they will lead by example by making their passwords open to all.

If they refuse then why would they expect anyone else to be that selfless?
[ link to this | view in chronology ]
Agent76, 25 Aug 2016 @ 6:05am

Mass Spying Is Always Aimed at Crushing Dissent
January 10, 2014 *500* Years of History Shows that Mass Spying Is Always Aimed at Crushing Dissent *It’s Never to Protect Us From Bad Guys*

No matter which government conducts mass surveillance, they also do it to crush dissent, and then give a false rationale for why they’re doing it.

http://www.globalresearch.ca/500-years-of-history-shows-that-mass-spying-is-always-aimed-at-crush ing-dissent/5364462
[ link to this | view in chronology ]
- Roger Strong (profile), 25 Aug 2016 @ 6:38am
  
  Re: Mass Spying Is Always Aimed at Crushing Dissent
  Globalresearch.ca is essentially a rebranded InfoWars. Endless "9/11 truther" stories. Endless articles warning us of a "North American Union" by 2007, by 2010 and so on. Endless stories about an antenna in Alaska - HAARP - being used for mind control, to create earthquakes, etc. Endless stories about how martial law will be used to cancel US elections in 2004 (and 2008, 2012 and 2016.)
  [ link to this | view in chronology ]
  - Padpaw (profile), 25 Aug 2016 @ 9:41am
    
    Re: Re: Mass Spying Is Always Aimed at Crushing Dissent
    Though all this spying and depriving citizens of their rights hasn't made us any safer in fact the opposite.
    
    Most of these laws that are supposed to be used against criminals have been well documented of being abused to go after protesters, dissenters, or anyone those in charge just plain does not like.
    
    Be they porn industry actors, gun sellers etc.
    [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 6:07am

What happens when computing power surpasses the maximum entropy passphrase that can be stored in human memory?
[ link to this | view in chronology ]
DannyB (profile), 25 Aug 2016 @ 6:14am

New Feature idea
Hey Google and Apple:

The system can have TWO (or more) passwords. The real one and zero or more Fake passwords.

You use the real password in every day use.

You give the fascist tyrant police state dictators one of the fake ones. When the fake one is entered, all that you can see are a few apps, uninteresting contacts (grocer, dog groomer, hospital, etc) and uninteresting data.

Another fake password could be configured by the user so that upon first use, it destroys the real data and the real password.

If pressured you could give the fascist tyrant police state dictators more than one fake password.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2016 @ 6:18am
  
  Re: New Feature idea
  Multiple passwords are irrelevant when the authorities can copy the contents of your storage medium.
  [ link to this | view in chronology ]
TheResidentSkeptic (profile), 25 Aug 2016 @ 6:24am

This will get interesting.
Let's say a vendor decides to side with the public - and creates a lock screen with 2 keys - an "Unlock" and "Brick NOW" code. The brick code does more than just brick the device - it sets it to "stolen"; wipes the cloud backup copies, secure wipes the SIM and local memory... effectively rendering it useless - even to "sell" after the evidence expiration date.

Now what do they do? Does the government make such a lock screen illegal? Does Bricking your device become a new illegal activity? How far are they going to push?
[ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2016 @ 6:27am
  
  Re: This will get interesting.
  2 keys is a bad idea since it is imperative on the user having physical access to the device which may be impossible if it is seized. A better idea would be some kind of dead-mans switch which activates on the absence of a trigger.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Aug 2016 @ 6:31am
  
  Re: This will get interesting.
  >Does Bricking your device become a new illegal activity?
  If you delete evidence you could be charged with contempt.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Aug 2016 @ 8:01am
    
    Re: Re: This will get interesting.
    What about the dead mans trigger? OR 3 bad password attempts and it erases the drive?
    [ link to this | view in chronology ]
- Roger Strong (profile), 25 Aug 2016 @ 8:21am
  
  Re: This will get interesting.
  In the US at least, this is already settled.
  
  Techdirt: According To The Government, Clearing Your Browser History Is A Felony
  
  Sarbanes-Oxley's rules about preservation of evidence apply to everyone. The law forbids the destruction of evidence, regardless of personal knowledge of ongoing investigations, or even if no investigation has even commenced. It doesn't even have to be willful destruction.
  
  "It was used to bring additional charges against David Kernell, who hacked into Sarah Palin's email account. The actual hacking resulted in misdemeanor charges. The cleanup processes deployed by Kernell (clearing browser cache, running a disk defragmenter, deleting downloaded photos) were treated as felony obstruction of justice under Sarbanes-Oxley. When these actions occurred, Kernell wasn't under investigation."
  
  If those actions are felony obstruction of justice, it's a safe bet that willfully bricking your device is too.
  
  It could even happen in say, copyright lawsuits. Prenda Law cried "destruction of evidence" when they sued someone for copyright infringement. The victim dutifully turned over his computer to prove otherwise. Prenda found no evidence, so they declared the his registry cleaner to be "proof" that he was destroying evidence.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Aug 2016 @ 8:02am

The problem with this mandatory law is that even with a court order, it still does not guarantee that a suspect will provide the unlock code for the suspect's device. Personally, for myself, I would never provide my unlock code, no matter what the government did or threatened me with.
[ link to this | view in chronology ]
mattshow (profile), 25 Aug 2016 @ 8:09am

The legislated human backdoor. Obviously, such a demand raises constitutional questions, even on that side of the border.

Why does Techdirt insist on pushing this narrative that Canadians have no (or substantially weaker) constitutional protections?

Just because our constitutional rights are not phrased in exactly the same way or have not been intepreted in the same way as US constitutional rights doesn't mean they don't exist. But every time something like this comes up, Techdirt takes this surprised tone, like the fact that Canada has a constitution at all is shocking.

Particularly ironic considering US courts have allowed exactly this kind of thing to happen, while no Canadian court ever has. (Allain Phillipon doesn't count - he plead guilty and the trial was never heard by a court).
[ link to this | view in chronology ]
- mattshow (profile), 25 Aug 2016 @ 8:10am
  
  Re:
  No idea why I added all those extra Ls to his name.
  [ link to this | view in chronology ]
Tin-Foil-Hat, 25 Aug 2016 @ 8:10am

Different Culture
Canada's culture is different than the US. The people in power ALWAYS abuse it. They are malicious here. They love to punish people. They've convinced themselves that civil forfeiture is not stealing and actively pursue the goal. In the US every crime comes with a life sentence. You can kiss the middle class goodbye if you commit even the most minor offense which is easy because there are so many laws. Prosecutors always try to expand the reach of those laws. That sort of maliciousness isn't as prevalent in other free democracies. The constitution is meaningless if all of your institutions are susceptible to corruption.

Of course it doesn't make this right. Canadians need to fight tooth and nail to keep the destructive oppressive influence of the US out.
[ link to this | view in chronology ]
Pixelation, 25 Aug 2016 @ 8:24am

What's all the fuss?
Here ya go... spɹoʍssɐԀ
[ link to this | view in chronology ]
Lawrence D’Oliveiro, 25 Aug 2016 @ 4:41pm

Plausibly-Deniable Passwords
I had this idea for a way to use encryption such that, if you gave a wrong password, you could never be completely sure the password was wrong. This way, law enforcement could never be sure whether you were stalling, or had made an honest mistake.

The downside is, you can’t be sure when you’ve made a mistake either.
[ link to this | view in chronology ]
GEMont (profile), 28 Aug 2016 @ 1:39pm

I forgot it!!
Kinda curious as to whether or not the defense "I forget my password officer." would be acceptable in this kind of situation.

After all, if I don't write 'em down, there is no way I could remember even 5% of my passwords.

I'd have zero shame claiming I forgot the password.

I could even embellish it with "I just reset my password and did not have time to write it down."

Question is, would the kangaroo kourts of Kanada accept such a defense, or have they already decided that cell-phone owning suspects all have eidetic memories?

---
[ link to this | view in chronology ]
csumbler, 30 Aug 2016 @ 7:19pm

Self destruct?
So such a law is passed.
New hidden App, give the authorities a password that will wipe all memory? Shouldn't be to difficult.
[ link to this | view in chronology ]