142 comments

[ 2.8 ms ] story [ 213 ms ] thread
An individual's free speech and privacy rights are very dangerous to governing bodies. Hence, they require significant effort to protect.
And that's also why authoritarian regimes always undermine them. Anti-terror laws such as that are an attack on human rights and our freedom. A justice system enforcing them is not acting in accordance with what is good and what is right. The law itself in unlawful, and if the system were healthy it would resist. It is not.
Do you think the censorship of Mein Kampf, the anti-hate speech laws, and the illegality of Holocaust denial in some parts of Europe have authoritarian motives?
Motives? It is sometimes needed to balance rights. We need to fight nazism, therefor we need to forbid those things.

But that's not happening here, there is no balance being stuck. There is just "remove all characteristics of a legal system" (Rechtsstaatlichkeit) on the one side, and the gain is "have the means for absolute power".

Edit: I feel that question leans too much into pure politics, and was hesitant answering. The link with HN is that the story is also about criminalizing encryption. Mein Kampf, not so much linked.

Yes, it is authoritarian but it is authoritarianism that some people have justified and like.
"Some" being the key-word there. I wonder how it'll go if it were put down to a referendum on that one, singular issue. Without politics, parties, and candidates to muddy the water.
A recent poll had 40% of "millenniums" that didn't think that the 1st Amendment covered "hate speech."

Though, I'm not really sure you can remove politics from the question and I doubt candidates and parties would not be involved, even if they have to force their way into the issue.

All forms of authoritarianism are justified by some.
Of course it does. It's censorship and authoritarianism that the majority of people there seem to be ok with, and perhaps actively like, but that doesn't change what it is.
I would argue that this is the case indeed.
There isn't an equivalent to the first amendment in Britain.

In Britain people have been sent to jail for tweeting or posting facebook statuses.

http://www.thedailybeast.com/can-a-tweet-put-you-in-prison-i...

This has nothing to do with free speech (that's the 1st Amendment). This is a problem of illegal search and seizure (at least in the U.S.). Illegal search is covered under the 4th Amendment.
That's no longer true. The Patriot Act enables government behavior that's functionally equivalent to this incident in the U.K.
As does the fact that we now consider "the border" to include anything within 100 miles of the border.
If you count the US's 98 international airports, doesn't that cover the entire country?
You may wish to read the third paragraph on this site:

https://en.m.wikipedia.org/wiki/Border_search_exception

So, I read that paragraph, and the section I think you're highlighting is this:

> the Supreme Court has clearly and repeatedly confirmed that the border search exception applies only at international borders and their functional equivalent (such as international airports)

but that line cites https://en.wikipedia.org/wiki/United_States_v._Martinez-Fuer..., which is weird because it says the opposite.

That was at a permanent checkpoint. That would be a functional equivalent, in the eyes of the court - or so I understand.

For example, I live on the border - pretty much. I'm just a short drive to Canada. Border Patrol can't actually stop me and search my car, search my house, or anything like that - unless I'm going through the border.

If I'm not going through the border, they need a warrant. There are no checkpoints other than at the border, but those would be functionally equivalent (in the eyes of the court). I believe temporary checkpoints also count as functional equivalents but that's a guess - I'm not sure if that's been tested in court yet.

Other than those checkpoints and the border, you retain your rights as you would elsewhere. Or so precedent and SCOTUS say - except I speculate that they include temporary checkpoints along with permanent checkpoints.

> Border Patrol can't actually stop me and search my car, search my house, or anything like that - unless I'm going through the border.

The ACLU disagrees and says all the CPB needs is probable cause.

>8 U.S.C. § 1357(a)(3) addresses CBP officials’authority to stop and conduct searches on vessels, trains, aircraft, or other vehicles anywhere within “a reasonable distance from any external boundary of the United States.” Without further statutory guidance, regulations alone expansively define this “reasonable distance” as 100 air miles from any external boundary of the U.S., including coastal boundaries, unless an agency official sets a shorter distance.1CBP agentscan also even enter private property without a warrant (excepting dwellings) within 25 miles of any border. In this 100-mile zone, CBP has claimed certain extra-constitutional powers. For instance, Border Patrol claims the authority tooperate immigration checkpoints. Agents, nevertheless, cannot pull anyone over without "reasonable suspicion" of an immigration violation or crime (more than just a "hunch"). Similarly, courts have determined that outside of Ports of Entry Border Patrol cannot search vehicles in the 100-mile zone without a warrant or "probable cause" (a reasonable belief, based on the circumstances, that an immigration violation or crime has occurred). In practice, Border Patrol agents routinely ignore or misunderstand the limits of their legal authority, violating the constitutional rights of innocent people. Although the 100-mile border zone is not literally "Constitution-free," CBP frequently acts like it is.

https://www.aclu.org/other/aclu-factsheet-customs-and-border...

As well as "the border" including any international airports, it is difficult to find a heavily populated area that is not in this zone
That was not my understanding, can you tell me what part of the currently enacted PATRIOT act enables searching a US citizen without probable cause or a warrant from a court (FISA or otherwise) ?
Further evidence that the ideas behind the American Revolution and the Anti-Federalists were important then, and now...
It is a search and seizure issue. But note that the man was stopped in Heathrow airport. In the UK, as in the US and most other countries, you have to submit to searches as a precondition for air travel. It is firmly established that the government can require you to give up certain rights as a precondition of entrance to certain places. Like going through airport security, or having to go through a metal detector before entering a courthouse, etc. Which isn't to say that what happened here is not or could not be an illegal search in the US. It isn't necessarily a constitutional issue, there are/can be laws limiting what law enforcement can do.
Actually this is a case for 5th amendment. Police can confiscate your phone on a judge's order, but no judge can compel you to give up your password if it's protected under 5th amendment (i.e. self-incrimination).
I've seen that fall apart in the US too.

The defendant tried arguing 4th amendment privacy protections over the information obtained in property that implicated him, but the judge said that didn't apply unless he admitted to owning the property which would equally incriminate him if he did, haha.

very narrow protection

Has any such case ever gone to Supreme Court?
Nothing similar to the one I was mentioning. Always evolving protections around computational and digital properties.
The consensus of the courts is that providing a password is not considered self-incrimination. Self-incrimination means testifying against yourself. It specifically doesn't cover, say, providing a key to police so they can unlock your door and search your house (assuming they have a valid search warrant). If you had a safe that police had a warrant to search, you would have to open it for them, that is not considered self-incrimination. The courts have largely reached the consensus that unlocking or decrypting a device is like providing a lock to open a door, or opening a safe, and is not like providing testimony against yourself.
Is this the US you are talking about? I though the consensus was that when using biometrics you can be legally compeled to unlock but not when it is a password.
I may have over-stated how firm this is on legal grounds, as the supreme court has not ruled on this scenario specifically and two appeals courts have made contradictory conclusions. But, there is clear precedent showing that you can absolutely be compelled to decrypt something in certain circumstances. See https://en.wikipedia.org/wiki/Key_disclosure_law#United_Stat... for some reading.

Generally, the Fifth Amendment provides protections against producing documents only if the very act of producing them would be incriminating. The relevant term is the foregone conclusion doctrine. The government has to show evidence that the documents they want you to produce exist and that you are able to produce them. For more information, see http://federalevidence.com/blog/2013/january/applying-forego...

The interpretation in favor of allowing the government to compell encryption under this doctrine would be that the government simply has to prove that the encrypted data exists and that you are able to unlock it, and they have to limit the scope of their search to specific documents.

A tweet is a publication like any other; expecting it to be any different is baffling to me.
Unless something weird happened the UK should will still be bound to the European Convention of Human Rights. Which (among other things) protects the rights to free speech (with some limitations).
In Europe, free speech is understood in a somewhat more narrow context than in the USA.
> In Britain people have been sent to jail for tweeting or posting facebook statuses.

In your link:

- the nameless chip shop employee doesn't even get named, let alone do we hear of any punishment given. Instead, we just get a couple of paragraphs about a tweet of his

- half a paragraph is spent on someone who got half a year in jail for using one word in a podcast; seems like more context would be valuable here

- two twitter users making threats fronted up to court, but we never hear what happened to them. Freedom of Speech doesn't extend to making threats.

- the Mandela-joke-maker supports the article's premise, yes

- more threats on twitter were responded to, one leading to an arrest

The only item that clearly supports the article's premise is the guy who made jokes about Mandela, but the whole article is written in a way that it's clear there's a lot of missing context. The one and only example that actually got jail time is only half a paragraph long and has feeble information available. Independently of whether or not you agree with the point it's making, this is a 'spun' article.

Your link would be more believable if it linked to the cases or to publicity of the cases.

About the first case: he was a Rangers fan. He posted about the Celtic manager. Are you missing the sectarian violence[1] linked to Celtic and Rangers? Several people have been actually really killed and many others injured in stabbing and other violent crime.

That context is crucial to understanding his arrest.

Also, police weren't just searching for offensive football tweets. They were searching for evidence as part of a case about parcel bombing.

Finally, he wasn't convicted.

tl;dr I don't think much of your link if it misrepresents the case this badly.

EDIT: the second case wasn't just the use of the word "taig", he organised a harassment campaign against a woman

http://www.dailyrecord.co.uk/news/scottish-news/tv-comic-lim...

EDIT2: Your link totally misrepresents the criado-perez harassment. She was getting hundreds of direct, credible, threats of harm. One man was sending 50 messages an hour for 12 hours. Have a read of the sentencing remarks: https://www.judiciary.gov.uk/judgments/r-v-nimmo-and-sorley-...

tl:dr2 your link is shit.

[1] https://en.wikipedia.org/wiki/Sectarianism_in_Glasgow

> In Britain people have been sent to jail for tweeting or posting facebook statuses.

You can be sent to jail in probably any country for Twitter/Facebook posts. Just ask Martin Shkreli[1]. I worked at a smaller social media company and a girl was pissed off at the politics of the governor of her state; she make a very specific threat (time, place, and action) and my company was required by law (and ethics) to report it to the local police.

[1] https://www.washingtonpost.com/news/business/wp/2017/09/13/m...

The UK is inching its way towards a police state step by step. Well done!
So it's a 12 month probation, not sure exactly what conditional discharge means in the UK but it sounds a lot like probation from a quick search, and a fine for what seems to amount to a contempt of court charge? Not sure why this is particularly remarkable.
Seems increasingly clear that you should never cross a border carrying sensitive data. Encrypt and transfer it separately.
I wipe and clean everything before crossing a border, encrypting and storing in the cloud, or encrypt and fedex.
Be careful with using private entities to mail your stuff. Yes, it's encrypted, but they also don't need a warrant to open the package. USPS does. Obviously for international shipping this is going to change based on the country of departure/origin, but something to keep in mind if you actually have a need to be concerned with this type of thing.
Fair point. FedEx was a catch all. USPS would be better. It's encrypted so if they seized it ...they'd have more problems than the encryption as my work is government in nature.
Actually it makes having a Chromebook and two Google accounts seem more and more realistic. Now with Google's cooperation you could have a 'duress' password, and log into your account for them and have Google supply an alternate reality.
I would not bet against the fact that those two accounts are linked being known to border patrol / law enforcement.
Probably, it comes down in the US case to probable cause. Random border searches are probably not going to pick you up by your ID, and having a cover would not be detected. If they were specifically targeting your identity then they might dig deeper. If Google (for instance) would not disclose your 'other' account without a court order, then they wouldn't have access to that information unless they previously got the order.

There is another twist here in that there isn't a precedent for them to ask for access to your network presence, they can ask you to 'unlock' hardware in their possession but it does them no good when there is nothing on it.

So it pushes them back to having to do things more traditionally (with a warrant).

In general it saddens me that we've come to this.

> In general it saddens me that we've come to this.

No kidding. It's a pretty sad state of affairs all around. The reason I mentioned this is that if the border patrol / the police / the feds / some random official are already aware of your linked accounts and you lie about it that you are in much hotter water than before.

True, but it isn't a 'lie' to type in a password and unlock a device, if the device is completely unlocked. But on such technicalities interesting case law can be built.
If there is one thing I could influence it would be never to be the subject of interesting new case law. Life is pretty short.
They used the same "counter-terrorism" law to confiscate David Miranda's laptop and other possessions, as well as detain him for 9 hours.

https://www.theguardian.com/world/2013/aug/19/david-miranda-...

It's a shame UK doesn't have a real constitution. It would probably help prevent some of this bullshit. Maybe it's time the British people start asking for one.

The US constitution doesn't seem to be preventing almost every modern administration and congress from ignoring it.

What protects the constitution from those sworn from upholding it?

It’s the greatest question, and i often ponder it. I believe the answer is different incentives. The specifics are much harder.
nothing, but at least you can try to fight it in court
Right now, one political party has majority over all three branches of government (including both houses of congress).

About the only reason changes aren't being made into law quicker is that this party in control is pushing some very polarizing/unpopular legislation/edicts.

At the moment? Momentum of the general belief that, in fact, the Constitution worked .. for a while. It is only Americas belief in itself which perpetuates the mythos that Americans had rights (in the not-too-distant past) that most of the rest of the world, explicitly did not have...

Whereas, the British (and the Australians, who have one of the most embarrassing 'constitutions' of them all) seem to have been fine, all along, to just roll over and expose themselves to their masters, the ruling classes.

Nevertheless, these constitutions are nothing more than smart contracts. I'm wondering if anyone has done the UDHR as a smart contract .. seems that might be the right thing to ICO.

You've phrased your response in a way that seems to prevent falsification, but I'll give it a shot anyway.

For example-- the Trump administration's initial travel ban executive order was blocked by the courts based directly on issues of consitutionality. Furthermore, if you read the text of that bill you can tell the authors were careful not to use the frank, unambiguous language that Trump used on the campaign trail as that would have been thrown out by the courts even more quickly.

So there you have it-- an example where the current administration did the opposite of ignoring the U.S. constitution, and a court system that blocked the executive order even though the administration tried to skirt the intent of the constitution (namely, the 1st amendment). Does this falsify your statement? If you don't think so, please give me an example of what you think would falsify it and I'll give that a shot.

The 3rd and 4th boxes of liberty. As a reminder, the four boxes are: 1. Soap 2. Ballot 3. Jury 4. Ammo

If the first two aren't working, you take to the jury box, and when people are unjustly charged with crimes that are either misapplied laws or simply that which people deem to be unjust laws, they can find a defendant not guilty on any grounds they wish in the US. That's one of the more critical aspects of the courtroom that often goes overlooked. Jury nullification is rarely talked about but it's a crucial power of the people. Judges and law enforcement hate it because society can effectively nullify anything by refusal to return guilty verdicts. So even if someone is clearly guilty under the wording of a law but the jury determines it to be an unfair law or a law applied unfairly, they can find them not guilty. However, the reverse is not true. Guilty verdicts must be returned in accordance with the wording of the law and historical precedent, in conjunction with the guidance the judge provides.

In cases like this, though, things are more difficult because it's not just the charges that are levied, it's the entire way the government is conducting itself. That is much more difficult to solve is 1 and 2 don't work and why the 4th box is supposed to be used under only the most dire of circumstances.

Of course, I don't think the government is entirely to blame. People keep voting these scumbags back into office for some reason so apparently there are people out there who approve of what their representatives are doing. And yet, amazingly, everyone seems displeased at the results. It's fascinating, really. It's like everyone has this mentality of, "all these congresspeople are lying dirtbags...except for mine."

Indeed.. it seems they need...

MIRANDA RIGHTS

wocka wocka wocka

The fact that you felt this was an appropriate comment for Hacker News is shocking.
> It's a shame UK doesn't have a real constitution.

The UK has a real Constitution, even if it isn't in a single document; OTOH, it may not have the content you would prefer on this issue. But even if it did, a Constitution, like any set of laws, doesn't constraint behavior in the absence of people actually exerting effort to enforce it, it's just—absent enforcement—just words.

The UK does have a constitution. I’m puzzled as to why you think it would be more effective were it codified in a single document.
You make it sound as if the UK has a constitution which is codified in some patchwork of documents, like statute law.

But it isn't; it isn't even as coherently defined as something like the common law of murder, where you can make a pile of statutes and legal precedents and get a fairly clear idea of where the boundaries are.

The constitution is very fuzzy indeed, and parts of it depend very much on how much political and media support someone can get when they point a finger and declare "unconstitutional!".

The UK doesn't have a constitution in a sense that US does - i.e. supreme law that checks powers of all branches of government - because the doctrine of parliamentary sovereignty allows the Parliament to override any constitutional limitations, simply by fiat. Worse yet, this only requires a simple majority.
“The Met has retained Rabbani’s phone and laptop and is continuing its efforts to examine the contents.”

I'm guessing that means that it's encrypted and, since he still hasn't given them the password, they are stuck.

The fine, the cost of a laptop and phone... altogether, I can't see this stopping terrorists, just making people's lives worse.

As always when this comes up, I wonder about the legality or "legality" of a remote wipe. I have the option using cerberus, and if I did so I'd have a hard time imagining how someone could prove I did it.
How would you trigger a remote wipe?
Dead man switch
That's unlikely to work. Police forensics usually work with a drive image instead of with the device itself as much as possible to avoid damaging evidence either through allowing active measures like a dead mans switch or mishandling by investigators.

Beyond that simply removing the dive and putting it in another computer would bypass any switch except one in the drive firmware itself. Are there any software out there designed to do that?

What do they do with devices that have soldered in storage?

Hilariously enough, an Intel Management Engine-esque system could come in handy here for nuking data.

Not sure. Last time I read about these things soldered in storage wasn't really a thing. For some things where it's still largely a separate board they could probably just desolder it and attach it to another device via pogo pins or something. For monolithic boards you could attach wires directly to the chip given enough resources.

IME could maybe be useful for this but it's hard to prevent the take the drive out and attach it to another machine without having firmware or a ME-like chip on the drive to make it wipe if it's connected to a different machine.

Doesnt every new Macbook Pro have a soldered-in SSD?
Yes though in this [0] teardown there's a comment at the bottom that makes it sound like there's an easy connector where the SSD CPU connection can be accessed which would probably allow non-destructive imaging without involving the CPU so no userland software could protect against imaging.

> The funny connector to nowhere is the connector to tap into the SSD. When the Apple connector is mounted (as supplied) it connects the CPU to the SSD. When removed the signals for the SSD can be accessed.

[0] https://www.ifixit.com/Teardown/MacBook+Pro+13-Inch+Touch+Ba...

They desolder it and resolder it into a platform to read it
Not feasible with iPhones, as it is not possible to access the security processor memory. At least, not without some very sophisticated attack, e.g. using some sort of differential power analysis on the chip. Very expensive.
If you could get to it quick enough that is. I assume police departments these days have a procedure for cutting off wireless access to devices they confiscate by using radio frequency blocking bags. This of course brings up an interesting counter for actual terrorists, devices which don't fully power down and monitor for radio frequencies so if they are lost, the device automatically wipes itself.
I find this wording especially creepy, given the source is police PR:

> argued incorrectly that this gave him the privilege of not sharing information with police

Yea I did a double take on the URL after seeing that. So it is a police PR site or what's the story?
It's the police's own news site. So yeah, the contents are coloured at best :-)
The Guardian have more context: https://www.theguardian.com/uk-news/2017/sep/25/campaign-gro...

This was very clearly politically motivated to hamper the efforts of CAGE; a UK based group which lobbies of behalf of young Muslim men who have been detained without charge it gitmo, harassed by the security services etc.

Regardless of whether readers like CAGE's politics (which are considered inflammatory by the government), this raises a worrying precedent.

It's also worth noting that given the UK's recent authoritarian laws, he got off lightly --- this could easily have been spun to possessing encrypted data (while being unwilling or unable to decrypt upon command), which carries a two year sentence, IIRC five if the magic word "terrorism" is conjured.

>possessing encrypted data

Is... a crime? Woah.

If you don't provide the means to decrypt.

Absurd nonetheless.

With very selective enforcement.

Almost everyone with an internet connected device possess encrypted data.

(comment deleted)
Welcome to <current year>, where more and more math is considered illegal.
Well, more and more math is used for non-math purposes too, so the illegality is not exactly as absurd as it seems.
What is that supposed to mean and how does it make it less absurd?
It's supposed to mean that wondering something akin to "it's just math, how can it be illegal" doesn't mean much in an era when math are not just some abstract theory or things used to measure our plots of land, but are at the core of very important technologies with great applications and huge implications.

Not to mention that with digitization, every file is "just a number" anyway. Top secret document leaked? Naked photos of an ex posted for all to see? "Hey, I just shared a binary number on the internet" doesn't really hold water.

It might be politically abhorrent to persecute people for such things, but absurd it is not.

Possessing random data is also a crime since it's indistinguishable from encrypted data, and if you can't provide the non-existent keys, your SOL.
Which is incredibly worrying as that 'random data' could it's self be a one time pad (the passphrase used for something else).
How does that make things worse or change the situation?
I think I meant to say:

You have no idea if a file contains something needed as part of a decryption process, or if the file itself contains encrypted informations.

So basically, having a "pad" file incriminate you.

Presumably in that the data itself is not criminal, and there could be no viable method to determine whether the data the key decrypts is criminal.
It certainly raises red flags, don't you agree? After all, what were you planning to do with those alledged "random" digits? What do you have to hide?

You really shouldn't be able to access /dev/urandum until you have been cleared by a reputable Alphabet company. This is for our security and that "obviously" trumps individual rights (whatever that means).

Root cause of all this is, of course, "bad thoughts" and "bad information", which IMHO should also be made illegal and only permitted in designated "free and error prone thought" areas and participants monitored by physicians from the Ministry of Error Free Thought.

Oh that gives me an idea. Let's make it so the blob can be decrypted 2 ways. One shows your tax receipts and spec indie-horror script, the other is your real shit.
TrueCrypt/VeraCrypt do that in a way.

Plausible deniability by allowing you to decrypt with one of two different passwords. One gives you access to the volume with your data, the other opens a shadow volume that contains random non-senstive data.

In the UK, yes. Holding encrypted data against the wishes of the government, that is to say you are unwilling to decrypt it for them, is a crime. I believe up to two years in prison.
That's actually fucking insane. Things aren't great here in the USA, but as another user stated, encrypted data is indistinguishable from random data. Someone could point at scrambled bits on your harddrive and accuse you a crime you didn't necessarily commit.

jeeeeesus

Its even worse. I heard of someone who was raided in London based on the fact their IP was busy with torrents. Two of his drives were encrypted. But guess what - it wasn't he who torrented but another person who shared housing/same IP. So he happily gave up the password. Unfortunately for him, one drive got open (with bunch of his emails) another one did not want to. Although he swears he used same pass for both, apparently the second drive got corrupted during transportation, which can happen very easily. He still sits in jail 8 months later. So when you ready to give out your password - pray your drives did not get corrupted.
Do you have a source?

(Not disbelief or concern trolling, I'd like to find out more about this case.)

(comment deleted)
> This was very clearly politically motivated

Well, it depends. Though some information there might be protected by "attorney-client privilege" today's verdict doesn't seem to support it

> IIRC five if the magic word "terrorism" is conjured.

Well, there is another way, but when people are more preoccupied with the rights of outspoken jihadists (not saying it's the case here) and not appearing racist in reporting crimes pressure shifts to those who have less connections to wrongdoings

I would much rather the odd "outspoken jihadist" remains free than live under an oppressive police-state with no privacy rights. And that's exactly where we're headed.
It isn't a dichotomy, but since I don't abide by self-loathing I'd rather see criminals arrested (without forfeiting privacy, since it's not needed in most cases)
I'd like to see criminals arrested as well, but it seems that most investigations into police misconduct are inconclusive. I wonder why?
I think Theresa May (and tens of thousands of bureaucrats) should be able to see everything on your phone at all times. Not anyone else's, just yours.
I specifically mentioned "without forfeiting privacy"
Where are you getting self-loathing from?
>possessing encrypted data (while being unwilling or unable to decrypt

How does this work with things like DRM? What if you have media on your phone from something like Spotify or Netflix that's presumably encrypted or protected in some way, that you cannot decrypt if your subscription expires...

My naive understanding of my country's laws is that it doesn't.

I could have a file filled with /dev/random and the law would still apply.

Back when the Regulation of Investigatory Powers Bill was being circulated, to much outcry from technical folk, someone encrypted a file with a provocative name and sent it to the Home Secretary for exactly that reason, as a form of demonstation-cum-protest.

Suddenly the Minister[0] possessed a file which he couldn't decrypt on demand. Would he consider amending the Bill to remove penalties for such eventualities? Of course not, nothing was changed.

If you possess the bytes you'll do the time. Delete everything that is unnecessary as soon as its usefulness has expired - big corps learned that lesson, for other reasons, in the early 2000s.

[0] well one of his staff

> Suddenly the Minister[0] possessed a file which he couldn't decrypt on demand.

While I entirely sympathise with this idea abstractly, so much of law depends on the context of actions where it's easy to dismiss this stunt. Merely having encrypted data in your possession is technically not within the scope of the law if the context is "as part of a counterterrorism investigation" and if the person could reasonably be expected to decrypt it (which would imply they were both the person to encrypt in the first place AND with the means to decrypt it - as this politician clearly wasn't).

Wrongful convictions and dragnet searches are the serious consequence of these laws, yes, but the real test comes when it's hateable/despicable people at risk. The problem with these laws isn't that it's fundamentally or potentially arbitrary, it's that it's wrong even when it's not arbitrary. And the mere fact of a police investigation or allegation is not sufficient to cross that line.

People should have the right to encrypt anything they want without being coerced into decrypting it. There are more than enough means for police in our modern technological era to convict terrorists/criminals and prevent conspiracies without having total access to all data. And the costs of removing that right is much higher than the rewards of a few extra convictions.

I'd guess that authorities would also have issues with situations where one purposely encrypts a hard-drive and disables decryption until later / confirmed safe by a third party. At the very least, that is what "Possession of encrypted data whilst being unable to decrypt it" sounds like.

It then becomes a grey area between having been sent encrypted data, and having used the previously mentioned scheme to avoid decryption.

I also wonder how this interacts with the new 5-tap SOS function on iPhones.

> Merely having encrypted data in your possession is technically not within the scope of the law if the context is "as part of a counter-terrorism investigation"

Not quite; the bar is not as high as an existing 'terrorism' investigation. To quote RIPA (2000)[0], if anyone authorized has the belief (upon reasonable grounds), that

    (3) A disclosure requirement in respect of any protected information is necessary on grounds falling within this subsection if it is necessary—
        (a) in the interests of national security;
        (b) for the purpose of preventing or detecting crime; or
        (c) in the interests of the economic well-being of the United Kingdom.
It is very very easy to imagine how this could be abused. Saying that you'd like to slap POTUS or May on Twitter could conceivably meet grounds for (2), and (3) is so broad that it's possible to imagine it could be triggered by something like being Alexandra Elbakyan of SciHub, or Sundae of The Pirate Bay. Depending on the mood of the press and the 'authorized persons', why not any old person caught using BitTorrent, or cracking DRM?

[0]: http://www.legislation.gov.uk/ukpga/2000/23/pdfs/ukpga_20000...

The point is that the law doesn't make any sense, and can be used to intimidate and imprison difficult people, at the Crown's discretion.
The idea is to create crimes that they can apply to anyone. Technically they apply to everyone, but they can then use selective enforcement based on criteria that the general public would never have openly tolerated as a law.
> How does this work with things like DRM? What if you have media on your phone from something like Spotify or Netflix that's presumably encrypted or protected in some way, that you cannot decrypt if your subscription expires...

Interesting point, but I think in this situation they'd be putting pressure on the media provider to decrypt it for them (since the media provider is the one in control of the encryption, not the consumer). That's assuming said media provider is in a jurisdiction that the relevant govt has some control over, and/or media provider is compliant.

Here's a thought experiment: suppose ISIS (or your preferred terrorist organisation of the day) set up a media service for users to share videos (or other media) that are protected by DRM. The media service can disable the viewing of said content on a whim. A person using this service has their phone/computer confiscated, but the authorities are powerless to gain access to the content due to the DRM. Is this person liable under these laws, even though the encryption is outside their control?

Imagine a malicious attack on a target where a cryptolocker is pushed to a victim, an anonymous tip is sent to the authority about the same person holding potential documents related to terrorism, and the attacker just throw away the key.

How can you even defend yourself?

> Met Police Counter Terrorism Command officers stopped Muhammad Rabbani, 36 (03.03.81) from east London at Heathrow Airport

Giving his age kind of adds context, but I don't understand the reason for publishing his date of birth. Odd.

Perhaps so that somebody with the same name and age can prove it isn't him?
You could censor it from you r post if you think it's private information (I do).
To me it makes little sense.

For Police work, time is "relative", as an example the cop that is held in the US for contempt of the Court for not revealing the password to his drives is suspected of possessing child pornography, whether he is kept in jail because he won't reveal them or because as the sheer moment he reveals them he will be proved guilty doesn't change things much (there is anyway other evidence against him).

Here it is not a "Police" case, but rather a "counter-intelligence" one, in these cases time is everything, a delay of hours, or at the most days in gathering the information is vital.

AFAIK Mr.Rabani NEVER revealed the password(s), he refused revealing it/them on 20/Nov/2016, now, almost one year later, he is found guilty of obstructing the search, still there is no evidence that he is or was - even tangentially - connected with terrorism.

So, £620+12 months' conditional discharge seem to me a lot of time/a very severe punishment if he was in good faith attempting to protect some sensitive data for his non-governement organization, and nothing if he was in bad faith or however protecting terrorism related info.

In any case, whatever the Police expected to find on the device(s) they didn't access it/them, and much worse than that they didn't access it/them in a timely fashion (and no charges of terrorism or connections to it were made against Mr.Rabani in almost one year) so - besides seeming more a petty vengeance than anything else - it is not like it helped in ANY way the counter-terrorism.

>> To me it makes little sense.

It isn't supposed to make sense. it's suppose to reinforce the "you do whatever the police ask you or face the consequences." Apparently the law backs them....

>It isn't supposed to make sense. it's suppose to reinforce the "you do whatever the police ask you or face the consequences." Apparently the law backs them...

I meant "make sense" as a deterrent for next occasion AND useful for counter-terrorism.

If you are "innocent" and refuse to give away your passwords, you now know that you have serious chances to be punished in a non-trivial way.(losing your electronic device + fine + 12 months conditional)

If you are "guilty" (of terrorism or contiguity with it) you now know that you can refuse to give away your password, effectively preventing the police to read your data and maybe in one year time you will get a slap on the wrist (when compared to the punishments for actual being part of a terrorist plot).

So, "real" terrorists will surely continue not giving away their passwords to the Police, whilst most innocent people will be giving them - fearing the punishment[1].

The net effect will be that Police will have not access to relevant terrorism related material but it will lose a lot of time on analyzing gigabytes of - say - lolcat videos.

[1] a few innocent people will anyway refuse to give away the passwords for this or that principle, so among the "non-answering" will be both innocent and possibly guilty people, so it doesn't even work as a "screening" method.

>>If you are "guilty" (of terrorism or contiguity with it) you now know that you can refuse to give away your password, effectively preventing the police to read your data and maybe in one year time you will get a slap on the wrist

Actually I think is why the law was passed, so the cops can keep harassing the people on a likely terrorist cell hoping they slip. Time and time again. Slap on a wrist? Not if it's one after the other. It's not like London doesn't have the police manpower

The key term is foregone conclusion, at least in the US. If the contents of the device are known, they can be ordered decrypted. If they are unknown, it is protected by the 5th amendment.

>Whether the government can compel decryption in this manner depends on a legal doctrine called “foregone conclusion” that was first articulated in a 1976 Supreme Court ruling relating to paper documents in a tax fraud case.

>Under the “foregone conclusion” doctrine as applied to digital documents, handing over files is not considered testimony if the government already knows that the files exist and what machines they live on. And when there is no testimony, the protection of the Fifth Amendment’s self-incrimination clause is not available. Prosecutors with specific information about the existence and location of files on encrypted hard drives are more likely to convince a court to order a suspect to decrypt them.

1. http://www.slate.com/articles/technology/future_tense/2012/0...

If it is a foregone conclusion that they have the file, then they already have enough evidence to prosecute the individual, since possession of the file is the crime, compared to the tax file where the contents may be evidence of a crime, but is itself not a crime to possess.
> So, £620+12 months' conditional discharge seem to me a lot of time/a very severe punishment if he was in good faith attempting to protect some sensitive data for his non-governement organization, and nothing if he was in bad faith or however protecting terrorism related info.

Or, the third option: he is not protecting anything or anybody but merely feels this law is unjust and one should stand up against it on principle.

Increasingly "real" security not only requires that data be encrypted in a way that frustrates those with greater resources, but does so while maintaining the appearance of compliance.

People have known this for awhile, but it seems like actual products suggesting security have been slow to adopt it.

Any good examples of products that do this? TrueCrypt?
TrueCrypt is long dead and uh, like may never have actually done what it said it did and was probably stolen technology to begin with.

Let's not mention it again.

Veracrypt continues TrueCrypt lineage and goes ahead to improve on it. It was audited last year and also published the results to the public. Unless we start believing it's all a big conspiracy, I would say that's pretty good.
Do have a reputable source on these claims?
I don't know why anyone would cross a border with electronics of any sort in this day and age.

But not having electronics is also grounds for suspicion.

(comment deleted)
This slanted, misleading title from the police is a perfect example of how important the language we use to describe events is. Like the David Miranda case this had nothing to do with terrorism, but laws put in place ostensibly to fight terrorism were instead used to harass people the security services find troublesome. Just reading the title would give you a different impression.

In fact this man was arrested without cause and convicted only of refusing to give up the passwords and data of his devices. This law renders our spies and police above the law and able to intercept the communications of anyone they choose without a warrant.

For a more informative take on the arrest see this intercept article

https://theintercept.com/2017/09/25/muhammad-rabbani-guilty-...

This paragraph really gives me a better idea what we are facing:

PC Tariq Chowdhury, the officer who stopped him, said that he had never come across anyone refusing to give the passwords. Some people resisted initially but eventually complied with the order, he added.

terrorist /ˈterərəst’/ noun

A person who doesnt willfully provide passwords for their electronic devices.

/s