Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement
from the they're-just-accused-criminals.-they-shouldn't-have-any-rights. dept
The question is still unsettled here in the United States: is refusing to turn over your password protected by the Fifth Amendment? The argument hasn't found many judicial supporters but at least there's a Constitutional basis for claiming the relinquishment of passwords is possibly self-incriminating. Over in Australia, the rights aren't so clearly defined. But the picture is getting clearer, thanks to legislators seeking to make it a criminal offense to withhold passwords. (h/t Asher Wolf)
New laws – currently in the process of being drafted - would mean any criminals who refuse to do so could face jail time of up to five years, according to reports.
The Adelaide Advertiser reports that the state government also announced that as part of the proposed changes anyone found to be running a child exploitation website or forum would face up to a decade behind bars.
It is understood the new laws are mainly aimed at potential paedophiles and those who share child exploitation material but could apply in instances where police are investigating organised crime.
Like lots of laws that expand law enforcement power, it starts with "for the children." Here, the drafting of the law isn't even finished and mission creep has already set in.
Attorney-General John Rau says it's nothing to be concerned about: just a re-fitting of physical searches for the digital world.
"At present, a police officer's general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that," Mr Rau told the Adelaide Advertiser.
"A person will have to tell them how to get into it (the laptop) or the cloud for that matter.
"It is crucial that the criminal law keeps pace with changes in society and new ways of offending."
It's not as if criminals are that far ahead of law enforcement. At least not so far ahead that simply forgetting a password should net a person five years in jail. And there doesn't appear to be anything tying this to a higher standard for password-reliant warrants. Law enforcement can imagine all sorts of criminal content might be in someone's digital storage, "based on information and belief," but that doesn't mean agencies and officers should be given blanket permission to demand passwords for every locked device/account they come across.
Rau says it's becoming more difficult for law enforcement to access devices, sometimes requiring outside assistance or hours of internal tech work. This may be true, but there are other approaches that can be taken that don't directly ask criminal suspects to assist police in delivering incriminating evidence. Cloud services maintain control of users' accounts and can be asked to turn over content and data. A variety of tech solutions already exist to access locked drives and computers. Making it a crime to withhold passwords from law enforcement puts the South Australian government within throwing distance of banning encryption -- especially the kind that hides content and communications from everyone but the end user.
Filed Under: australia, law enforcement, passwords
Reader Comments
It is always good to start with a statement that assumes the accused is already a criminal before gathering evidence.
[ link to this | view in chronology ]
Re:
I mean, according to this law refusing to do so makes them a criminal. So the statement is technically correct.
[ link to this | view in chronology ]
Re:
Hmm - I read it like this:
You know, gotta track down those leakers somehow, and those damn pesky reporters never want to give up their sources.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Wouldn't it suck to wind up in prison in a foreign country for five years because of a medical condition you can do absolutely nothing about?
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
"Error: New password can't be old password."
[ link to this | view in chronology ]
Just how did they manage to catch criminals before the advent of records that they could examine? At the dawn of police work they would be exceedingly lucky if there was a letter or diary to record criminal intents and they managed to catch and convict criminals.
[ link to this | view in chronology ]
Re:
While being all tacticool is a lot more fun, the connection to the community that mindset sacrifices makes it almost impossible to solve crimes and catch criminals using traditional methods.
To say nothing of the way humans tend to be very good at killing things they find threatening.
[ link to this | view in chronology ]
Sure, in a lot of cases, it's easy to prove you just accessed it yesterday, or whatever, but even THEN, I'm sure I've had to create a new password, used it and then completely forgotten what it was a mere handful of days later.
How the fuck is this not the exact same thing as indefinitely holding someone prisoner whom you suspect of murder until they agree to show you where the bodies are?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
I usually don't remember my password to them though, so if someone demands I supply it, I can't do that. Not won't, but physically can't.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Basically, the problem here is that as soon as you make something that has a potentially innocent explanation illegal (in this case forgetting a password treated the same as refusing to hand it over), there's always a loophole that can land a totally innocent person in jail. Add that to the mission creep (the rule is being passed through using child porn as the excuse, but will be applied to anything they want down the road), and you have a bad situation waiting to happen to innocent people.
[ link to this | view in chronology ]
Re: Re:
> used for a reset. They'll take it from there
That might be a solution for a cloud account or some web service, but it won't work for a laptop or the unlock code for a tablet or phone.
[ link to this | view in chronology ]
warrantless searches
[ link to this | view in chronology ]
Re: warrantless searches
[ link to this | view in chronology ]
A step? More like a leap.
Yeah, way beyond that. This is more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the police don't get what they want.
[ link to this | view in chronology ]
Re: A step? More like a leap.
[ link to this | view in chronology ]
Re: Re: A step? More like a leap.
[ link to this | view in chronology ]
Re: Re: Re: A step? More like a leap.
[ link to this | view in chronology ]
Re: Re: Re: Re: A step? More like a leap.
[ link to this | view in chronology ]
Any
Let's call up and request PASSWORDS...
Come on, Let's do this..
All of their Accounts are OURS...
WE ARE BORG..
[ link to this | view in chronology ]
It's Not Just Devices, It's All Files.
User: That's a data file that came with a game download. See, it's in the game's program directory. I have no idea what it's for.
Police: We think you're just hiding your encrypted files there. Unlock it or go to jail.
Voiceover: Purchase your games from Windows Store! Only Windows Store will certify the origin of your files. Anything else is pirated at best, and may be used against you.
[ link to this | view in chronology ]
Huzzah for self-fulfilling laws
Apparently 'innocent until proven guilty' is no longer a concept in Australia, if you're so much as investigated then you're assumed by default to be guilty, and if you try to assert your innocence and protect your privacy you're simply demonstrating your guilt.
Also apparently a thing of the past, doing their freakin' jobs. As others have noted it's a miracle they managed to get anything done at all if they can't operate with access to everything, given encryption and not being able to access everything is a big enough problem that they need to make refusal to hand over everything a jail-worthy offense.
[ link to this | view in chronology ]
Re: Huzzah for self-fulfilling laws
[ link to this | view in chronology ]
Re: Re: Huzzah for self-fulfilling laws
[ link to this | view in chronology ]
The LNP will be ticked off that Labor has gone down that road before them so they can't claim the idea as their own.
[ link to this | view in chronology ]
The conversation on HackerNews
[ link to this | view in chronology ]
Australia Ueber Alles
Totalitarianism = FAILure = Citizen Abuse.
[ link to this | view in chronology ]
A step? More like a leap.
But there is a silver lining: a criminal law penalizing refusal to disclose a password would require proof beyond a reasonable doubt, a difficult burden unless the government can prove (1) the existence of a password, access control or encrypted data and (2) that the person is in possession of that access control.
The article author incorrectly states that the Fifth Amendment argument hasn't found many judicial supporters, but that's not correct.
Most observers seem to agree that the Fifth Amendment sometimes limits the government's power to compel decryption or disclosure of the password.
The only sticking point is how, when or where the foregone conclusion deprives a suspect of the right to refuse to testify against himself.
Must the government prove that the suspect knows the password? Or must the government know with reasonable particularity which contents are protected with the password?
Professor Kerr is in the former category, while the EFF is in the latter.
But in a lot of scenarios, where the government finds storage media with random data, but isn't otherwise able to tie the suspect to the data, or isn't able to prove that random data = encrypted data, the suspect still prevails even under the weaker foregone conclusion test.
[ link to this | view in chronology ]
A step? More like a leap.
police don't get what they want."
Sometimes the police have the physical hardware containing encrypted data (files created with software leaving headers) and maybe the suspect's fingerprints and DNA can be tied to the hardware, and maybe the hardware with a particular IMEI or MAC address was online and connected to the ISP at a given time.
Some of the cases likely covered by the Australian proposal might also satisfy the foregone conclusion test, or at least the weaker version endorsed by Professor Kerr and the Gelfgatt and Fricosu courts.
But others might not, wherein the government only discovers in the execution of a warrant storage media containing random data with no identifying file structure or manufacturer headers.
We would be wise to pick our battles, because the most sympathetic cases for the self incrimination privilege are also concerned with the presumption of innocence and the right to a fair trial.
The really hard cases, wherein the suspect freely admits that he knows the password, but won't assist law enforcement or cases wherein the government finds a computer with the suspect's username, and an installation of encryption software under the suspect's account, are still self incrimination cases but ought to be treated differently.
Note that the most clever of the suspects in the encryption cases prevailed in the 11th Circuit simply by invoking the Fifth while not admitting anything, while the most stupid of the suspects either showed his kiddie porn to a customs officer; admitted too much during a taped jail telephone call; or simply said to the police that everything was encrypted and that he wasn't going to help them put him in jail.
[ link to this | view in chronology ]
Turn the meter on
[ link to this | view in chronology ]
Re: Turn the meter on
[ link to this | view in chronology ]
Sneaky
So that anyone who votes against it knows they would be labeled as soft on pedophiles and have a history of voting against sending people who run kid porn websites to jail.
Politicians are a cancer on society.
[ link to this | view in chronology ]
"How to get in"
Having dealt with both the Victorian Police & Federal Police in Australia, when a client went bust after running something akin to a pyramid scheme - this is quite often the problem (how to get access).
I supplied all the passwords & domains of the services I provided to the business to the Police, but they were too inept to actually understand "how to access them".
I offered to provide consulting service to the Police to assist with this, but they said as they didn't believe they were likely to recover any monies, they weren't interested.
As far as I'm aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn't know how) + all the data is gone, as the services expired and the police weren't too concerned with maintaining it for prosecution.
[ link to this | view in chronology ]
Re: "How to get in"
[ link to this | view in chronology ]
How about this
It works in such a way that I can move or copy a file to the Unencrypted Directory, and it appears in the Encrypted Directory in an encrypted form.
The Encrypted Directory is the local directory for the Cloud Service, such as, for example Google Drive, what appears in it is what is uploaded to the Cloud.
To work it requires two passwords, one for Google Drive, and one for the Encrypted File System.
Now if I give the Police my password to Google Drive, they can then access my account on Google Drive, but all they get is encrypted files.
So I can later claim I gave them my password, and any problems they are having dealing with the "corrupted" data are theirs.
[ link to this | view in chronology ]
"How to get in""...
expired and the police weren't too concerned with maintaining it for prosecution."
Very nice, and that the data is gone or that they never existed would be hard to prove in a lot of cases, unless the government quickly recovers access and server logs from the foreign providers.
Set up a datadump in a foreign jurisdiction at a VPS or cloud provider which doesn't log for long or none at all.
Only access the remote server via a foreign vpn and with browser SSL.
Encrypt everything locally on one computer and upload from another computer (nonpersistent OS) and often swap hardware.
Arrange with a friend located in another country to pay for the service, so that the government can't prove from banking statements that you are the likely owner of the account.
To increase plausible deniability, subscribe to some other cloud providers and upload some innocent sounding stuff and let the subscriptions expire after a short time, and always access the second set of accounts directly from your own connection.
If the government asks for password, just hand over the information for the accounts having expired and enjoy the wild goose chase.
[ link to this | view in chronology ]
How about this
In that case, the government will likely try to prove that you are the sole user of the account.
Of course, you might try to argue that you were hacked, or that the account security is otherwise weak, and that the file consisting of random data wasn't placed there by yourself.
Whether or not the government can prove that you are the sole authorized user of the account, or whether it must concede the possibility that someone else might access the account with or without your cooperation might be fatal or beneficial to your case.
Under the Fifth Amendment foregone conclusion, you will have a weak degree of deniability if the government can easily tie you to the account by i.e IP access logs, timestamps, call records and in the case of Google two step verification.
Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer, the government will likely successfully argue that the file can be tied to your computer, and if the file hash kept by Google matches a file uploaded from your own IP at a time you were home, it weakens your defense.
However, if the account is shared, and you can establish that your computer was recently infected, or that your computer is regularly shared with multiple individuals, the government's burden will be more difficult.
An even better case would arise if a cloud account or server was shared among multiple people using it to store work related projects.
"So I can later claim I gave them my password, and any problems they are having dealing with the "corrupted" data are theirs."
That brings me to another fascinating possibility to increase plausible deniability, deliberate file corruption of encrypted files.
If you encrypt a file with 7Zip and run a script altering a few blocks in the encrypted data, any attempt to run the encrypted archive through forensic software will fail.
Then you can give them the password, and the process will fool most forensic software.
The corruption of the blocks would have to be random enough to be plausible, but that's a separate issue.
[ link to this | view in chronology ]
Re: How about this
I've already looked at including files that contain random "noise", randomly generated characters, that are then also encrypted, by the encryption process, as a tool to make it more difficult to brute force decrypt. Not sure how well that would work though.
As for:
"Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer."
That's not an issue, there are no headers, and any related files needed for encryption, are either on the decrypted side, and never go to the Cloud, or are provided by Sym Links, and therefore never go to the cloud.
Decryption can only occur on a computer that has all the elements in place, which can be an OS installed on a USB key.
[ link to this | view in chronology ]
Re: How about this
As a means of transparently encrypting/decrypting it works well, and I can keep some important information regarding the encryption hidden by removing the config file from the encrypted directory, and symlinking it back in... the symlink never gets copied to the cloud.
But I'm now experimenting with cryfs, which also encrypts the file metadata, and as such seems like a better choice. In its current 0.x version, while file security is covered, it has some minor issues related to file integrity, but it looks very promising.
[ link to this | view in chronology ]
Then in the US...
[ link to this | view in chronology ]
If, say, a US company does this, they are not subject to prosecution in Australia, because their network and servers are in the United States, they are NOT SUBJECT to prosecution in Australia, if they temporarily delete those worker's files from the network, and then restore them when they come back to the office.
[ link to this | view in chronology ]