Canada Encryption Privacy Your Rights Online

Canada's Police Chiefs Want New Law To Compel People To Reveal Passwords (www.cbc.ca) 209

Reader DaveyJJ writes: CBC is reporting that the Canadian Association of Chiefs of Police has passed a resolution calling for a legal measure to unlock digital evidence, saying criminals increasingly use encryption to hide illicit activities. The chiefs are recommending new legislation that would force people to hand over their electronic passwords with a judge's consent. RCMP Assistant Commissioner Joe Oliver is using the usual scare tactics "child-molesters and mobsters live in the 'dark web'" in his statement today to drum up public support in his poorly rationalized privacy-stripping recommendation. A few years ago, Canada's Supreme Court ruled that police must have a judge's order to request subscriber and customer information from ISPs, banks and others who have online data about Canadians. I guess that ruling isn't sitting too well with law enforcement and Canada's domestic spy agencies.
  • by gurps_npc ( 621217 ) on Tuesday August 16, 2016 @02:43PM (#52715151) Homepage

    "What's your password or you go to jail?"

    "I don't remember what's my password."

    "He's lying, throw him in jail!"

    Five years later, released from jail because they crack the password, finding embarrassing porn, but nothing illegal.

    But no compensation for throwing a man in jail for the 'crime' of a poor memory.

    • by Anonymous Coward on Tuesday August 16, 2016 @02:58PM (#52715285)

      "What's your password or you go to jail?"

      "I don't remember what's my password."

      "He's lying, throw him in jail!"

      Five years later, released from jail because they crack the password, finding embarrassing porn, but nothing illegal.

      But no compensation for throwing a man in jail for the 'crime' of a poor memory.

      Under stressful situations you may actually forget your password. I forgot my bank card PIN when I was getting a passport.

    • by Anonymous Coward

      I'm wondering what happens when you are in possession of the device but claim you never had a passcode/password for the device. Is possession enough to claim the defendant should have full access to the device?

      • Well, especially as some forms of encryption use a TPM chip in the computer, in which case, you can say with absolute certainty that you do not know the password to decrypt the drive...it is in the TPM chip.

    • by OzPeter ( 195038 )

      Five years later, released from jail

      Five years? Go look up the number of people who have been incarcerated for a lifetime based on a false conviction - including all those people saved from death row.

    • That's why my password is 'a'.
    • by kuzb ( 724081 )
      That's not true. In cases of wrongful imprisonment there are plenty of cases of people suing and winning.

      Ivan Henry won 8m in 2010: http://www.cbc.ca/news/canada/... [www.cbc.ca]

      Réjean Hinse won 13.1m in 1997: http://www.ctvnews.ca/feds-que... [ctvnews.ca]

      Ron and Linda Sterling won 925k in 2004: http://www.cbc.ca/news/canada/... [www.cbc.ca]

      I could go on, there are plenty of other cases where victims of wrongful imprisonment were compensated.
    • by Kjella ( 173770 )

      Simple "fix", stop looking for the password. Then you're screwed, if you remember/find it later they'll say you knew how to produce it all along and if you never find it everyone will just assume that you took the time to hide something worse. Also remember this won't just apply to whole disks, say you zip some sensitive files for Bob. Since they'll be attached on open email you password protect it and call to tell Bob the key. Two years later the cops think "files_for_bob.zip" is your secret kiddie porn/te

      • by AmiMoJo ( 196126 )

        It would probably work similarly to the UK law that can send you to jail for not handing over a password. It's up to the police to prove that you know it beyond a reasonable doubt, e.g. by showing that you had the files open recently.

        It's really dodgy because it relies on the judge or jury understanding how the files are used and under what kind of stress a person might forget their password. For example, you can have encrypted files open for weeks or months while the computer is on or sleeping, plenty of

        • by Kjella ( 173770 )

          It would probably work similarly to the UK law that can send you to jail for not handing over a password. It's up to the police to prove that you know it beyond a reasonable doubt, e.g. by showing that you had the files open recently.

          Except that they don't do any of that. They just air their suspicions towards you and say It's your phone, your laptop so give us the PIN/password or else. It's about as bad as civil forfeiture in the US, guilty until proven innocent.

        • by Mashiki ( 184564 )

          It would probably work similarly to the UK law that can send you to jail for not handing over a password.

          That in itself in Canada would be a Charter violation and would be thrown out by any competent court unless the crown could show that there's a pressing need for a charter 1 violation. Up until a few years ago we had "exigent circumstances" codified in law, and it allowed the access to things(house entry, demand phone records/taps, etc) without a warrant as long as they could be fully justified afterwards and a warrant was then created. Had to be severe like abducted child, imminent threat against a perso

        • by showing that you had the files open recently.

          It's really dodgy because it relies on the judge or jury understanding how the files are used and under what kind of stress a person might forget their password. For example, you can have encrypted files open for weeks or months while the computer is on or sleeping, plenty of time to forget the password

          Or flat-out stress. I forgot my PIN number once. I used the card most days, because I never like carrying large quantities of cash and had the card for well o

    • There must be a physical life example.

      Suppose you have a combination wall-safe.
      The police want to search that safe.
      So they get a warrant.

      Now, what happens if you don't give them the combination to the safe? This must have happened numerous times in the past.

      I'm no lawyer, but I googled and it looks like they could NOT make you give up a safe combination; at least in the US.

      So I don't see how cell phone password are any different. They shouldn't be able to compel you to give up your passwords.

      Assuming they h

      • I'm no fan of the movement to force people to give up passwords but there isn't a physical real world comparison that is valid. If someone forgets their safe combination and LE wants in, they can use a variety of tools to go at the safe in anything from a quick brutal manner all the way up to an expensive careful opening and they will get in if they want.

        With a password and sufficiently capable encryption, LE will never get in, no matter how much time and money they throw at the problem. That's what outra

      • by AmiMoJo ( 196126 )

        In the UK they can demand you open the safe, if you are physically able to do so. That could be with the passcode or some other way. They have to show that you have the ability to open it. It's similar to how they can demand you let them in to your house to search it (or break in themselves if possible) when armed with a warrant.

        In other words, the encryption is viewed much like a safe, a space that they can force you to give them access to.

        The UK law (RIPA) allows you to give them the decrypted data rather

    • "What's your password or you go to jail?"

      "I don't remember what's my password."

      "He's lying, throw him in jail!"

      Five years later, released from jail because they crack the password, finding embarrassing porn, but nothing illegal.

      But no compensation for throwing a man in jail for the 'crime' of a poor memory.

      Wait till it happens to somebody because they found suspicious files or areas of the hard drive and just think that something is encrypted. Then demand the password to the suspected encrypted devices and there is no password.

    • "What's your password or you go to jail?"

      "I don't remember what's my password."

      "He's lying, throw him in jail!"

      Five years later, released from jail because they crack the password, finding embarrassing porn, but nothing illegal..

      And it turned out the password was "I don't remember what's my password."

    • by mark-t ( 151149 )
      They only throw you in jail because of the assumption that you are lying, but what would they do if circumstances were such that they could not objectively make that assumption because other evidence exists that makes it apparent you literally *couldn't* provide the password for them?
  • Deceptive at best (Score:5, Insightful)

    by spacepimp ( 664856 ) on Tuesday August 16, 2016 @02:47PM (#52715189) Homepage

    The Government whining about encryption protecting guilty parties by going dark from scrutiny is flawed. Governments now have more information gathered daily than they could ever have dreamed of in the cold war, and yet they are still baiting and spreading fear and uncertainty that they can't see it all so bad people are getting away with bad things. Did they run around saying in the late 80's that citizens need to carry walking spy devices wherever they roam to make certain their actions can be monitored? The fact is governments have more information available to them about every aspect of life including citizens and non alike, and they are still saying if they had more then they could do their jobs.

    • by Anonymous Coward

      Whenever they can't jail the people they want they just cry for more data.

      "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - Cardinal Richelieu

      They must really suck at their jobs since they've collected several encyclopedias worth of lines and they still can't hang people.
      Maybe we should show them how to make rope.

    • They have more information, but they don't have ALL of the information. Only when they have all of the information can they tighten their grip, crush down on those who oppose them, and serve you better.

      (Anyone remember the Dinosaurs TV show? Fran convinces a store to accept returns and the owner remarks: "This is just the policy that will enable us to crush our competition, become a monopoly, and serve you better!" Basically this only with the government.)

      • I agree with you. I do wish that the media would ask these sorts of questions, but it doesn't seem they get time for adversarial questions.

  • by Anonymous Coward

    Let's make everyone reveal their passwords.

    Let's make backdoor passwords THE LAW.

    Let's trust that only the government will have those secret backdoor passwords.

    Let's watch as the government gets hacked [slashdot.org] and everyone's information is owned by Russians, or Iranians, or whoever is the highest bidder...

    Really, these idiots need to be called out. Every time they propose crap like this, it needs to be pointed out VERY LOUDLY IN THE NEWS MEDIA that these stupid plans will never work.

  • by Anonymous Coward

    Canadians Want New Law To Compel Police Chiefs To Reveal Their IQ.
    Never mind, we already cracked that one.

  • >> "child-molesters and mobsters live in the 'dark web'"

    OMG! Think of THE CHILDREN!!!

  • by JustNiz ( 692889 ) on Tuesday August 16, 2016 @03:14PM (#52715427)

    Just have 2 passwords, one that deletes a private folder on login and one that doesn't.

    • Rest assured that they will not try this against the original data. Any work in forensics is done on copies.

      • Rest assured, not all police dept are that smart.

        • Then your country does it wrong. In mine there is a whole department that has the ONLY reason to exist to make certain forensic evidence is usable in court. I was working for them for a while in the IT area, and NOBODY as much as touched anything containing data who didn't know exactly what he was doing.

          There are ways to tamper with data in such a way that it cannot be used by forensics but relying on them being idiots isn't really a good idea.

    • Just have 2 passwords, one that deletes a private folder on login and one that doesn't.

      2 passwords. One decrypts one file, presumably deserving of encryption but innocent, such as your tax information. The other decrypts to the things you don't want found out.

    • by AmiMoJo ( 196126 )

      They will image your drives first, and then charge you with destroying evidence or at least use it as evidence you are hiding something.

      Veracrypt plausible deniability is a better solution.

    • by gweihir ( 88907 )

      That does not work in reality. You have seen too many bad movies.

  • by ubergeek65536 ( 862868 ) on Tuesday August 16, 2016 @03:16PM (#52715439)

    All that is needed is one number to unlock it, another to wipe it.

    • All that is needed is one number to unlock it, another to wipe it.

      You don't need to wipe it. It's encrypted that's all you need to prevent unauthorized access. That's why LE is asking/demanding your password in the first place.

      Do you have a "right to remain silent" in Canada? That would be the best course of action. Let your lawyer do all the talking for you.

    • by AmiMoJo ( 196126 )

      They will probably image the drive first, and then use the wipe code as evidence that you are hiding something.

      A better option is to keep a load of broken disks around. Hard drives with read errors, failed SSDs, broken flash drives. Tell them that the keyfile that is required to unlock is on one of those drives. The cops must have broken it when they collected it or imaged it. There is now no way to ever decrypt the data.

    • by houghi ( 78078 )

      Finding nothing is suspicious. Leave something in it that is 'embarrassing' like old-people porn. See that is legal, but embarrassing. That means perhaps buying a DVD with the stuff if you think they will go after you for copyright infringement otherwise. The idea is to walk away, not only to not give the data.
      See it as an audit. If you leave something for them to find, they will be happy and you will know what to say when they find it.
      Unless they are really looking for something, they will be happy. And if

  • by zarmanto ( 884704 ) on Tuesday August 16, 2016 @03:21PM (#52715477) Journal

    This isn't any kind of a magic bullet against crime: it's just another example of people failing to follow a rational chain of events to its conclusion. If you tell an even moderately intelligent person that he will be forced to give up the password to his cell phone if he's ever arrested, then he will simply add one more layer of obfuscation between his phone and his secrets... and you still won't be able to prosecute the worst offenders. The only people who will get caught up in this new dragnet are those in the first round of arrests who don't pay attention to the latest changes in their local laws, and therefore fail to take precautions. Most others (intelligent and otherwise) will quickly learn about those prosecutions from the media frenzy that follows, and will lock down their crap soon thereafter.

    Seriously... just follow the pieces around the board, and you should be able to tell who's going to ultimately win in this kind of game. (Doesn't anyone play chess, anymore?)

  • I guess that's bad news for all the grumblers out there threatening to "move to Canada" when their candidate doesn't get elected. :-D

  • Alleged criminals will just not keep incriminating things on their phones. I know if it came to pass that you were required to turn over your phone and passwords on demand, I'd go back to memorizing people's phone numbers, and never storing a single thing on the phone itself, ever. Maybe get a cheap-ass bare-bones $50 phone, and if they demand it, hand it to them and tell them to keep it, tell the wireless company I lost it, and get another one.
  • by Anonymous Coward

    Instead of "criminals increasingly use encryption to hide illicit activities", we have "government officials increasingly use secrecy classifications to hide illicit activities". Let's have a law that says if governments want to be able to force people to give up passwords then governments can't delay or deny open records requests. Any effort by government officials to hide information should be punished at a personal level exactly the same as how they want to punish citizens for denying their passwords.

  • I have nothing on my computer that I'd need to hide. Well, I'm sure that there's probably some way that they would find to prosecute me or anyone else given enough personal data and the breadth of the criminal code.
    And that's why warrants with scope should always be used for such searches.

    But, with or without a warrant, I'm not handing over my password.

  • Fuck'em, hard. Just because everyone else is asking for this nonsense does not make it right.
    Everyone else: Run as much encryption, and Tor nodes, as you can. Drives them bonkers when they can't just fish through plaintext.

  • What's my password? Shoot!!, I forgot my password.
    • "What's my password? Shoot!!" Uhm, don't say that in the US, the police might oblige...
      • "What's my password? Shoot!!" Uhm, don't say that in the US, the police might oblige...

        Haha, you're right, I'd better not forget my password then...

  • Encrypted data that is in the possession of the police, is not hidden. They are asking the victim to assist them with interpreting the data.
  • I wrote a toy example of an end to end encrypted messaging service, which also functions as a data store, in about 300 lines of php, js, HTML, using only cryptojs.

    Basic idea is to generate two separate strings ( e.g. pinkSecretBunny and fluffySecretBunny ), run both through a hash, use one output as an index in a table (e.g. mysql), the other is the encryption key for the data. Given just the key+encrypted data, you need to invert the hash to have any idea of how to generate the encryption key.

    It is quite f
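
The two-string scheme described in the comment above, as an added example that is not the commenter's code: one string is hashed into the table index, the other is turned into the encryption key, so whoever holds the table sees only an index and ciphertext. Assumptions: Node's built-in `crypto` replaces cryptojs, a `Map` stands in for the MySQL table, scrypt with a per-record salt and AES-256-GCM are swapped in for the unspecified hash and cipher, and the function names are hypothetical.

```javascript
// Added illustration; not code from the original comment.
const crypto = require('crypto');

// Stand-in for the server-side table: index -> opaque record.
// The server never receives either of the two secret strings.
const table = new Map();

// First string -> table index. Must be deterministic so the client can
// find the row again; the "index:" prefix is an assumed domain separator.
function deriveIndex(locator) {
  return crypto.createHash('sha256').update('index:' + locator, 'utf8').digest('hex');
}

// Second string -> 256-bit key. scrypt (assumption) slows guessing of a
// human-chosen string; the random salt is stored beside the ciphertext.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

// Client side: encrypt, then hand the server only index + opaque record.
function put(locator, secret, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  table.set(deriveIndex(locator), { salt, iv, ct, tag: cipher.getAuthTag() });
}

// Client side: look up by the first string, decrypt with the second.
// Returns null for an unknown index or a wrong key string (GCM tag fails).
function get(locator, secret) {
  const rec = table.get(deriveIndex(locator));
  if (!rec) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, rec.salt), rec.iv);
  decipher.setAuthTag(rec.tag);
  try {
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// What the table holder can see for one stored message (constructed sample).
function serverView() {
  return [...table.entries()].map(([index, rec]) => ({ index, ct: rec.ct.toString('hex') }));
}

put('pinkSecretBunny', 'fluffySecretBunny', 'meet at noon'); // strings from the comment
```

Knowing the index string alone locates the row but does not decrypt it, and a dump of the table contains neither string.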

  • I want a pony and a couple million dollars too....and then?
  • FUCK YOU CANADA!

    Really hard, with moose antlers

  • Why don't they just compel people to admit all their crimes to the police?
    It would make their work still simpler than just giving up passwords.

  • Hahahaha

    No

  • This group (Canadian Association of Chiefs of Police) is just a very weak lobby organization. What they ask for will certainly be noted by the Government of the day, but that's it. A respected Journalist in an Op-Ed piece in one of the major newspapers would get the exact same consideration.

    Since this particular wish-list involves some fairly serious legal issues, not the least of which is the likelihood of any enabling legislation almost certainly ending up in the Supreme Court of Canada for what will at b
