Forgot your password?
typodupeerror
United Kingdom Crime Encryption Government Privacy

Man Jailed For Refusing To Reveal USB Password 374

Posted by timothy
from the oh-yeah-forgot-to-mention dept.
judgecorp writes "Syed Hussain, already serving time for helping to plot attacks against UK targets, got another four months for refusing to divulge the password of a USB stick the police and GCHQ wanted to examine. The USB was believed to contain data about a suspected fraud unconnected with national security, and Hussain claimed to have forgotten it under stress, He later remembered it and it turned out to be a password he had used on other systems investigated by the police."
This discussion has been archived. No new comments can be posted.

Man Jailed For Refusing To Reveal USB Password

Comments Filter:
  • by dmitrygr (736758) <dmitrygr@gmail.com> on Thursday January 16, 2014 @11:57AM (#45976427) Homepage
    Yeah...
    • by Punko (784684)
      It has been obvious for a long time, that when it comes to privacy of the person and their rights when in conflict with the demands of the state and defending these rights in court, that the subject of the court case will be a scumball.

      Just because he is scum doesn't mean he doesn't have rights. Someone's grandmother up on similar charges, we could all support defending their rights, unfortunately, they are not the ones likely to end up with those charges in the first place.
    • Re:freedom... (Score:4, Informative)

      by prelelat (201821) on Thursday January 16, 2014 @12:40PM (#45976903)

      There are two scenarios in forcing someone to hand over information on an encrypted disk.
      1) With no evidence of wrong doing they make you hand over information that's encrypted. There is no court order, because there isn't any evidence. It's like passing through security and they want to view secret documents in your locked briefcase. That's not warranted. It's a violation.

      2) Court has evidence against you there is an investigation and they court orders you to hand it over. It's the same as asking for the key to your briefcase because they have a warrant to search it. The only difference is, is that if you don't give them the key they can't smash the lock to open it up. If you don't give them the key and they can't open it up they will throw you in jail for disobeying the court. I see that as nothing different than what has happened here.

      Now it has been argued I believe successfully that encrypted data should be treated just personal speech which should be protected by the 5th. Now this wasn't the U.S. so this has no barring on the current case. It's quite interesting to think of how this falls. Is it the same as making someone testify or make a statement or is it more like locked files in a cabinet.

      So while the scenario in part 1) isn't debatable the scenario in part 2) is. Was this a violation of freedom it's hard for me to say.

      The EFFs thoughts https://www.eff.org/deeplinks/2013/10/new-eff-amicus-brief-argues-fifth-amendment-prohibits-compelled-decryption [eff.org]

  • by Chatterton (228704) on Thursday January 16, 2014 @12:00PM (#45976461) Homepage

    Another point of the story. Don't reuse passwords :D

    • by Hypotensive (2836435) on Thursday January 16, 2014 @12:35PM (#45976861)

      That's not the moral of this story. He was given 4 months because he wasted police time - that was because he actually gave them the password in the end.

      If he had continued not to give them the password, even if it were actually true that he had forgotten it, they could have imprisoned him for considerably longer, the current maximum is 10 years, which is more than you get for cutting someone's throat with a smashed beerglass in the pub, and considerably more than the slap on the wrist you get for killing an unarmed civilian if you're a police marksman.

      This warped and clearly unfair legislation was brought to you courtesy of this total bastard [wikipedia.org].

      • by AmiMoJo (196126) *

        He was given 4 months because he had a poor memory

        FTFY. Maybe he was lying, maybe he really was stressed by, you know, being prosecuted on terrorism charges and having immense pressure put on him by the police. I find it hard to believe that it could be proven beyond reasonable doubt either way.

  • by Anonymous Coward on Thursday January 16, 2014 @12:00PM (#45976471)

    The password was $ur4ht4ub4h8 - as Bruce Schneider said a few weeks ago - encryption is still on our side. Regardless of the NSA /GCHQ revelations, they cannot break AES yet. That's why the British police resort to section 49 http://www.theregister.co.uk/2014/01/16/password_refusal_earns_terror_suspect_extra_jail_time/

    • by PIBM (588930) on Thursday January 16, 2014 @12:05PM (#45976519) Homepage

      What makes you think they hadn't it all cracked, but just wanted to have him spend more time in jail while they prepare the other stuff they will hit him with ? What if he really had forgotten the password ? Beside he had already given them; why would not they have tried all other passwords they had received ?

      • by Xest (935314) on Thursday January 16, 2014 @12:52PM (#45977065)

        Reporting on this provision of RIPA is always wrong, and the Slashdot discussion is even worse.

        To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.

        This case is no different. The guy was arrested for terror plots, asked to divulge a password but then claimed he didn't know it, the police couldn't prove he did know it so nothing came of it, the guy was jailed anyway under all the other evidence they had.

        The police then found it seemed he'd been involved in card fraud. Turns out incriminating evidence of this was on the memory stick and that's why he didn't want the police acting it, because he clearly hoped if he got off with the terrorism charge they'd never find out about the card fraud charge, so he had nothing to lose. Once they had found out about it he hoped for further sentencing leniency over the card fraud for admitting the password and hence helping the police. The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.

        So to this day, if you don't know the password, if you pretend you don't know the password, then there's fuck all the police can do to you with this legislation, hence it's not half as bad as people make out.

        To date the only people getting done by it are those admitting they know the password and explicitly refusing to hand it over, those who do stupid things like this guy, and for example, more complex scenarios where someone pretends they've lost a password and the police can't cracking, but then they manage to crack, say, weaker encryption such as that used for his desktop login to find his desktop password which they can confirm forensically that he has entered and used since denying knowing his encrypted USB password and if it matches the encrypted USB password they can claim, well, he knew his desktop password, he logged in, and it was the same as his encrypted USB password, and hence beyond reasonable doubt...

        Really, it's not the worst law in the world, the police have to hit a pretty high standard of evidence, or the accused has to fuck up and basically admit their own guilt to ever become victim of this. If you genuinely don't know your password, or if you deny knowing it and the police can't prove otherwise, then you're fine. You have to explicitly and provably obstruct a police investigation to get done by this law.

        • by Rinikusu (28164)

          What's crazy is that I have a handful of encrypted USB sticks and even an entire laptop whose passwords I've long since forgotten. It's not like there's anything on them (That I know of, but a year or so ago I was playing with encryption schemes, full disk encryption, volume encryption, hidden containers, etc for shits and giggles), and recently I booted my laptop to discover that I really have no idea what the password was. Now imagine the stormtroopers come banging on my door tomorrow.. I'm in deep dood

        • by AmiMoJo (196126) *

          To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.

          If that were really the case no-one would ever be convicted of this offence. How can you prove beyond a reasonable doubt that someone remembers something? I forget stuff all the time, especially passwords. Even passwords I was using the day before. In fact especially passwords I was using the day before, if they are new.

          The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.

          He claims he forgot and then later remembered it. That happens sometimes. I don't see how it proves he never forgot it beyond a reasonable doubt.

      • What makes you think they hadn't it all cracked

        To go back to the parent poster and Bruce's declaration:
        AES, RSA, DSA, SHA256 (SHA-2), Scrypt, ... they are all used out there in production for quite some time. They are even used in some quite lucrative sectors.
        If anyone was actually able to break (as in find a fundamental flaw that helps finding the solution without need to brute force-it) they would be making a killing of money. Thing about hacking e-banking transaction (AES, RSA, DSA), hacking crypto-currencies (DSA, SHA-2, Scrypt, SHA-3), etc. and ear

    • by compro01 (777531)

      Or they don't consider these cases important enough to reveal that they can break it.

    • by HiThere (15173)

      Sorry, but it's more like they didn't want to bother. The story makes it probable (not quite certain) that they already knew that it was the password to other devices that he had used.

      Also, was he a terrorist? Could be. The story says he was serving time for planning attacks on the UK, but that could be fraud as easily as violence. If I were interested enough, I'd look it up, as it is I'm just commenting on the slipshod nature of reporting (which I'm assuming matches the original story without checking)

      • You'd have to look up details, but even 'planing attacks' doesn't indicate the ability to carry them out. A lot of terrorists in this part of the world turned out to be incompetents who don't know how to make a simple bomb. One lot had their non-functioning car bomb towed away for illegal parking. Being attacked by them isn't terrifying, it's insulting.

    • by j-turkey (187775)

      Yes and no. I'm neither a security expert nor an expert in intelligence/counter-intelligence. However, if I were to break a crypto scheme, it is paramount that I never reveal that I have broken the crypto scheme. That way, I can continue to intercept and decode your secrets while you believe that your crypto scheme is safely protecting them.

      If AES were broken, the last thing that a government entity would want to do was reveal that it is broken. In fact, if AES has been broken, UK law enforcement offic

  • GCHQ is incompetent (Score:5, Interesting)

    by djmurdoch (306849) on Thursday January 16, 2014 @12:02PM (#45976497)

    The password he used was the same as one that he had previously divulged, but the incompetent investigators at GCHQ and the police didn't think to try it.

  • by hawguy (1600213) on Thursday January 16, 2014 @12:13PM (#45976635)

    I'll be in trouble if I'm ever raided -- I have several USB devices and CD-R's that I used in the past to make a backup of something, and have lost or forgotten the passwords.

    I wonder what the penalty would be for someone that filled a device with random data, and the authorities are convinced that it's encrypted and demand the decryption key.

    • In the UK? Life imprisonment without trial, under section 49 of the Regulation of Investigatory Powers Act.
    • by guttentag (313541) on Thursday January 16, 2014 @12:27PM (#45976785) Journal

      I'll be in trouble if I'm ever raided -- I have several USB devices and CD-R's that I used in the past to make a backup of something, and have lost or forgotten the passwords.

      Forget your CDs, it's your DVD collection you should be worried about. "All I remember is the first part! 09 F9... then the hex code for some shade of red [stewd.io]... I swear!" This is why everyone should have that number handy.

    • by Spad (470073)

      A maximum of 2 years in jail, in the UK at least.

    • by gurps_npc (621217)
      Doesn't even have to be filled with random data.

      You can hide a truecrypt data file in an apparently blank USB. No way to tell that it's not empty unless you know the password.

      TELL US THE PASSWORD FOR THIS BLANK USB OR WE WILL JAIL YOU!

    • by AmiMoJo (196126) *

      I wonder what the penalty would be for someone that filled a device with random data, and the authorities are convinced that it's encrypted and demand the decryption key.

      Up to two years. There are people in jail now who claim this has happened to them, but the jury did not agree. So basically it hinges on if you can convince a jury that you really forgot, or if they think you are lying.

  • He wasn't jailed for refusing to reveal the password. He was jailed for his part in a bomb attack. Once in prison you can get out early for good behavior and for turning over information. Here he tried to trade this password for time. He claimed he had just remembered it. But they found out it was a password that he had already given them for something else. So they backed out of the deal.
  • by hydrofix (1253498) on Thursday January 16, 2014 @12:48PM (#45977007)

    This goes directly against prior decisions by the European Court of Human Rights. There is very clear and unambiguous legal precedent, that a person under criminal investigation need not bear witness against himself. For example. in Marttinen v Finland [ketse.com] the Court interpreted the article 6.1 [wikisource.org] that reads inter alia "In the determination of ... any criminal charge against him, everyone is entitled to a fair ... hearing ... by [a] ... tribunal ...". The Court wrote in its decision:

    The Court reiterates its case-law on the use of coercion to obtain information: although not specifically mentioned in Article 6 of the Convention, the rights relied on by the applicant, the right to silence and the right not to incriminate oneself, are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6

    If the defendant is not able to have this sentence overturned in domestic courts, he should hire a lawyer who can bring this case before the European Court of Human Rights ASAP to obtain a decision against the Government of UK. The court will also award compensation for the inhumane treatment of the defendant by the Government, and obligate the government to compensate for the legal expenses.

    • This goes directly against prior decisions by the European Court of Human Rights. There is very clear and unambiguous legal precedent, that a person under criminal investigation need not bear witness against himself.

      This was widely discussed in US decisions, but probably applies to Europe as well. If there is evidence, then giving the prosecution access to that evidence is not "bearing witness against yourself". The case where you _actually_ don't have to reveal a password is if admitting that you know the password would incriminate you. Not what's on the drive, but the fact that you know the password. For example, a man is murdered by being hit by a laptop. In the laptop there's an encrypted drive. If you have the pas

  • The USB was believed to contain data...

    Are we really just calling this "a USB" now instead of "a USB flash drive" or something similar?

    • by malakai (136531)

      I think the person who wrote that article recently return from hospital, after an accident on holiday.

  • If the police, TSA, government or even my mother want to see what is on data storage I have encrypted then they can sit down and crack it, I have no reason to ever decrypt that drive, if you want inside of it then get inside of it but I'm not going to help, after all I didn't encrypt the drive so you could just freely go in and look around.

Help me, I'm a prisoner in a Fortune cookie file!

Working...