Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement
from the they're-just-accused-criminals.-they-shouldn't-have-any-rights. dept
The question is still unsettled here in the United States: is refusing to turn over your password protected by the Fifth Amendment? The argument hasn’t found many judicial supporters but at least there’s a Constitutional basis for claiming the relinquishment of passwords is possibly self-incriminating. Over in Australia, the rights aren’t so clearly defined. But the picture is getting clearer, thanks to legislators seeking to make it a criminal offense to withhold passwords. (h/t Asher Wolf)
New laws – currently in the process of being drafted – would mean any criminals who refuse to do so could face jail time of up to five years, according to reports.
The Adelaide Advertiser reports that the state government also announced that as part of the proposed changes anyone found to be running a child exploitation website or forum would face up to a decade behind bars.
It is understood the new laws are mainly aimed at potential paedophiles and those who share child exploitation material but could apply in instances where police are investigating organised crime.
Like lots of laws that expand law enforcement power, it starts with “for the children.” Here, the drafting of the law isn’t even finished and mission creep has already set in.
Attorney-General John Rau says it’s nothing to be concerned about: just a re-fitting of physical searches for the digital world.
“At present, a police officer’s general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that,” Mr Rau told the Adelaide Advertiser.
“A person will have to tell them how to get into it (the laptop) or the cloud for that matter.
“It is crucial that the criminal law keeps pace with changes in society and new ways of offending.”
It’s not as if criminals are that far ahead of law enforcement. At least not so far ahead that simply forgetting a password should net a person five years in jail. And there doesn’t appear to be anything tying this to a higher standard for password-reliant warrants. Law enforcement can imagine all sorts of criminal content might be in someone’s digital storage, “based on information and belief,” but that doesn’t mean agencies and officers should be given blanket permission to demand passwords for every locked device/account they come across.
Rau says it’s becoming more difficult for law enforcement to access devices, sometimes requiring outside assistance or hours of internal tech work. This may be true, but there are other approaches that can be taken that don’t directly ask criminal suspects to assist police in delivering incriminating evidence. Cloud services maintain control of users’ accounts and can be asked to turn over content and data. A variety of tech solutions already exist to access locked drives and computers. Making it a crime to withhold passwords from law enforcement puts the South Australian government within throwing distance of banning encryption — especially the kind that hides content and communications from everyone but the end user.
Filed Under: australia, law enforcement, passwords
Comments on “Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement”
“any criminals who refuse to do so could face jail time of up to five years”
It is always good to start with a statement that assumes the accused is already a criminal before gathering evidence.
Re: Re:
I mean, according to this law refusing to do so makes them a criminal. So the statement is technically correct.
Re: Re:
Hmm – I read it like this:
You know, gotta track down those leakers somehow, and those damn pesky reporters never want to give up their sources.
Re: Re:
Almost. It appears the law makes refusal itself criminal, so it doesn’t matter if there’s zero evidence or accusation of any other crime, merely refusing makes you a “criminal” anyway. No evidence of crime needed after that point.
Re: Re: Re:
I have poor memory — not Alzheimers, not along the same but much milder lines. I routinely forget passwords, and have to reset them.
Wouldn’t it suck to wind up in prison in a foreign country for five years because of a medical condition you can do absolutely nothing about?
Re: Re: Re: Re:
I don’t have a poor memory, but on a few different occasions over the years, I’ve tried to log into an account where I am POSITIVE what my password was only to be rejected for giving the wrong password. I eventually had to change the password on those accounts, but I’d have sworn on a stack of Bibles what the password was, only to have it fail.
Re: Re: Re:2 Re:
“Please enter new password:”
“Error: New password can’t be old password.”
>Rau says it’s becoming more difficult for law enforcement to access devices,
Just how did they manage to catch criminals before the advent of records that they could examine? At the dawn of police work they would be exceedingly lucky if there was a letter or diary to record criminal intents and they managed to catch and convict criminals.
Re: Re:
They investigated crimes using community policing methods that caused citizens in their community to want to help them and approach them with tips.
While being all tacticool is a lot more fun, the connection to the community that mindset sacrifices makes it almost impossible to solve crimes and catch criminals using traditional methods.
To say nothing of the way humans tend to be very good at killing things they find threatening.
Beyond all the other reasons, all of these schemes to be compelled to give over passwords for this or that strike me as insane because there’s never any discussion of what will be an inevitable occurrence: what if you’ve forgotten the password?
Sure, in a lot of cases, its easy to prove you just accessed it yesterday, or whatever, but even THEN, I’m sure I’ve had to create a new password, used it and then completely forgotten what it was a mere handful of days later.
How the fuck is this not the exact same thing as indefinitely holding some one prisoner whom you suspect of murder until they agree to show you where the bodies are?
Re: Re:
Or worse, I’m sure at some point some one is going to end up in a situation where the police demand they hand over the password to some account that isn’t even theirs with no way to prove that it isn’t.
Re: Re:
And people get accounts stolen all the time. All it takes is for your account to get stolen around the same time you’re suspected of something and BAM, getting your account stolen costs you 5 years of your life.
Re: Re:
Many of the websites I login to require refreshing logins every so often — two weeks, monthly, annually, etc.
I usually don’t remember my password to them though, so if someone demands I supply it, I can’t do that. Not won’t, but physically can’t.
Re: Re:
Just give them the password to the email account that is used for a reset. They’ll take it from there.
Re: Re: Re:
Then, what if the email account that’s set is no longer active? Most laymen are not particularly good at keeping on top of record keeping, security, etc. They’ll set something up, forget about it, open a new email account because they’d rather do that than deal with spam, have accounts set for security but disabled due to inactivity, have a phone they no longer own set up for 2FA, etc. They may not be able to provide the access themselves.
Basically, the problem here is that as soon as you make it so that something that has a potentially innocent explanation illegal (in this case forgetting a password treated the same as refusing to hand it over), there’s always a loophole that can land a totally innocent person in jail. Add that to the mission creep (the rule is being passed through using child porn as the excuse, but will be applied to anything they want down the road), and you have a bad situation waiting to happen to innocent people.
Re: Re: Re:
warrantless searches
So they think they should be able to search any house without a warrant too?
Re: warrantless searches
Of course they do! Warrantless searches are the Holy Grail of LEOs everywhere!
another crock of shit, removing still more freedom from people in supposedly another democratic country, all thanks to the friggin USA again!! why do we allow this shit to happen here? is everyone so stupid as to think it doesn’t matter? does everyone think it wont spread world wide? we are now just about the worse country for freedom, freedom of speech, etc of the so-called democratic world!
A step? More like a leap.
Yeah, way beyond that. This more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the police don’t get what they want.
Re: A step? More like a leap.
Hmm – maybe more like requiring the home owner to give them the combination to the safe in their house. After all, might be evidence of their crimes in the safe.
Re: Re: A step? More like a leap.
In this case they already have the contents of the safe. They want you to sort it out for them.
Re: Re: Re: A step? More like a leap.
It’s like those connect the dot puzzles you did in grade school, but they want you to connect the dots for them. 😀
Re: Re: Re:2 A step? More like a leap.
I believe you’re wrong, in this case it’s more like the police bringing you a safe with no way to prove it’s yours. Digital accounts are different from safes because you can’t physically own an account and thus prove it’s yours.
Any
Anyone here in Law enforcement??
Lets call up and request PASSWORDS…
Come on, Lets do this..
All of their Accounts are OURS…
WE ARE BORG..
It's Not Just Devices, It's All Files.
Police: We demand that you unlock THIS file.
User: That’s a data file that came with a game download. See, it’s in the game’s program directory. I have no idea what it’s for.
Police: We think you’re just hiding your encrypted files there. Unlock it or go to jail.
Voiceover: Purchase your games from Windows Store! Only Windows Store will certify the origin of your files. Anything else is pirated at best, and may be used against you.
Huzzah for self-fulfilling laws
Apparently ‘innocent until proven guilty’ is no longer a concept in australia, if you’re so much as investigated then you’re assumed by default to be guilty, and if you try to assert your innocence and protect your privacy you’re simply demonstrating your guilt.
Also apparently a thing of the past, doing their freakin’ jobs. As others have noted it’s a miracle they managed to get anything done at all if they can’t operate with access to everything, given encryption and not being able to access to everything is a big enough problem that they need to make refusal to hand over everything a jail-worthy offense.
Re: Huzzah for self-fulfilling laws
I don’t think innocent until proven guilty is a concept anywhere. It’s sorta why you get arrested BEFORE you are convicted with a crime. In most cases you are at least charged with a crime, but it is so important to everyone that criminals be caught that the innocent must suffer unjustly as a consequence.
Re: Re: Huzzah for self-fulfilling laws
The concept of innocent until proven guilty (or should that be innocent unless proven guilty) has been around since the ancient greeks and is supposedly the cornerstone of western law. As an aside it’s also a human right according to the UN at least to which Australia and other western “democracies” are signatories.
What you should have noted is that the laws are being drafted in South Australia and not the whole country. How long the rest of the states and feds take to jump on the bandwagon is another matter.
The LNP will be ticked off that Labor has gone down that road before them so they can’t claim the idea as their own.
The conversation on HackerNews
This conversation on HackerNews https://news.ycombinator.com/item?id=14896457
Australia Ueber Alles
That Australia is leading the free world into the next sewer of totalitarianism boggles the mind. This is mighty sick stuff.
Totalitarianism = FAILure = Citizen Abuse.
A step? More like a leap.
Australia has no constitutional Bill of Rights forbidding the state compelling an individual to testify against himself.
But there is a silverlining, a criminal law penalizing refusal to disclose a password would require proof beyond a reasonable doubt, a difficult burden unless the government can prove that (1) The existence of a password, access control or encrypted data and (2) That the person is in possession of that access control.
The article author incorrectly states that the Fifth Amendment argument hasn’t found many judicial supporters, but that’s not correct.
Most observers seem to agree that the Fifth Amendment sometimes limit the government’s power to compel decryption or disclosure of the password.
The only sticking point is how, when or where the foregone conclusion deprives a suspect of the right to refuse to testify against himself.
Must the government prove that the suspect knows the password? Or must the government know with reasonable particularity which contents is protected with the password?
Professor Kerr is in the former category, while the EFF is in the latter.
But in a lot of scenarios, where the government finds storage media with random data, but isn’t otherwise able to tie the suspect to the data, or isn’t able to prove that random data = encrypted data, the suspect still prevails even under the weaker foregone conclusion test.
A step? More like a leap.
“Yeah, way beyond that. This more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the
police don’t get what they want.”
Sometimes the police has the physical hardware containing encrypted data (files created with software leaving headers) and maybe the suspect’s fingerprints and DNA can be tied to the hardware, and maybe the hardware with a particular EMEI or Mac address was online and connected to the ISP at a given time.
Some of the cases likely covered by the Australian proposal might also satisfy the foregone conclusion test, or at least the weaker version endorsed by Professor Kerr and the Gelvgat and Fricosu courts.
But others might not, wherein the government only discovers in the execution of a warrant a storage media containing random data with no identifying file structure or manufacturer headers.
We would be wise to pick our battles, because the most sympathetic cases for the self incrimination privilege are also concerned with the presumption of innocence and the right to a fair trial.
The really hard cases, wherein the suspect freely admit that he knows the password, but won’t assist law enforcement or cases wherein the government finds a computer with the suspect’s username, and an installation of encryption software under the suspect’s account, are still self incrimination cases but ought to be treated differently.
Note that the most clever of the suspects in the encryption cases prevailed in the 11th Circuit simply by invoking the Fifth while not admitting anything, while the most stupid of the suspects either showed his kiddie porn to a customs officer; admitted too much during a taped jail telephone call; or simply said to the police that everything was encrypted and that he wasn’t going to help them put him in jail.
Turn the meter on
Australians are all criminals by heritage anyways. Might as well treat them that way.
Re: Turn the meter on
South Australia like to point out to foreigners that it was a Free State colonized with Free People, not convicts.
Sneaky
So that anyone who votes against it knows they would be labeled as soft on pedaphiles and have a history of voting against sending people who run kid porn websites to jail.
Politicians are a cancer on society.
"How to get in"
“… tell them how to get into it (the laptop) or the cloud for that matter.”
Having dealt with both the Victorian Police & Federal Police in Australia, when a client went bust after running something akin to a pyramid scheme – this is quite often the problem (how to get access).
I supplied all the passwords & domains of the services I provided to the business to the Police, but they were too inept to actually understand “how to access them”.
I offered to provide consulting service to the Police to assist with this, but they said as they didn’t believe they were likely to recover any monies, they weren’t interested.
As far as im aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn’t know how) + all the data is gone, as the services expired and the police weren’t to concerned with maintaining it for prosecution.
Re: "How to get in"
That’s because no one “important” was defrauded by the scheme. Had it caught someone other than peons, you can bet they’d have put effort into gathering evidence and prosecuting to (and beyond) the fullest measure.
How about this
I always encrypt my data prior to sending it to the cloud. This process consists of setting up a transparent Encryption/Decryption Directory, using FUSE (for those who don’t use Linux it’s File system in User SpacE) .
It works in such a way that I can move or copy a file to the Unencrypted Directory, and the appears in the Encrypted Directory in an encrypted form.
The Encrypted Directory is the local directory for the Cloud Service, such as, for example Google Drive, what appears in it is what is uploaded to the Cloud.
To work it requires two passwords, one for Google Drive, and one for the Encrypted File System.
No if I give the Police my password to Google Drive, they can then access, my account on Google drive, but all they get is encrypted files.
So I can later claim I gave them my password, and any problems they are having dealing with the “corrupted” data are theirs.
"How to get in""...
“As far as im aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn’t know how) + all the data is gone, as the services
expired and the police weren’t to concerned with maintaining it for prosecution.”
Very nice, and that the data is gone or that they never existed would be hard to prove in a lot of cases, unless the government quickly recovers access and server logs from the foreign providers.
Set up a datadump in a foreign jurisdiction at a VPS or cloud provider which doesn’t log for long or none at all.
Only access the remote server via a foreign vpn and with browser SSL.
Encrypt everything locally on one computer and upload from another computer (nonpersistent OS) and often swap hardware.
Arrange with a friend located in another country to pay for the service,so that the government can’t prove from banking statements that you are the likely owner of the account.
To increase plausible deniability, subscribe to some other cloud providers and upload some innocent sounding stuff and let the subscriptions expire after a short time, and always access the second set of accounts directly from your own connection.
If the government asks for password, just hand over the information for the accounts having expired and enjoy the wild goose chase.
How about this
“No if I give the Police my password to Google Drive, they can then access, my account on Google drive, but all they get is encrypted files.”
In that case, the government will likely try to prove that you are the sole user of the account.
Of course, you might try to argue that you were hacked, or that the account security is otherwise weak, and that the file consisting of random data wasn’t placed there by yourself.
Whether or not the government can prove that you are the sole authorized user of the account, or whether it must concede the possibility that someone else might access the account with or without your cooperation might be fatal or beneficial to your case.
Under the Fifth Amendment foregone conclusion, you will have a weak degree of deniability if the government can easily tie you to the account by i.e IP access logs, timestamps, call records and in the case of Google two step verification.
Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer, the government will likely successfully argue that the file can be tied to your computer, and if the file hash kept by Google matches a file uploaded from your own IP at a time you were home, it weakens your defense.
However, if the account is shared, and you can establish that your computer was recently infected, or that your computer is regularly shared with multiple individuals, the government’s burden will be more difficult.
An even better case would arise if a cloud account or server was shared among multiple people using it to store work related projects.
“So I can later claim I gave them my password, and any problems they are having dealing with the “corrupted” data are theirs.”
That brings me to another fascinating possibility to increase plausible deniability, deliberate file corruption of encrypted files.
If you encrypt a file with 7Zip and run a script altering a few blocks in the encrypted data, any attempt to run the encrypted archive through forensic software will fail.
Then you can give them the password, and the process will fool most forensic software.
The corruption of the blocks would have to be random enough to be plausible, but that’s a separate issue.
Re: How about this
There’s a couple thing there I didn’t think of, Mostly in the legal realm. So I’ll have to have a bit of a rethink there.
I’ve already looked at including files that contain random “noise”, randomly generated characters, that are then also encrypted, by the encryption process, as a tool to make it more difficult to brute force decrypt. Not sure how well that would work though.
As for:
“Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer.”
That’s not an issue, there are no headers, and any related files needed for encryption, are either on the decrypted side, and never go to the Cloud, or are provided by Sym Links, and therefore never go to the cloud.
Decryption can only occur on a computer that has all the elements in place, which can be an OS installed on a USB key.
Re: How about this
I’ve been experimenting with encfs, but encfs V 1.x has some serious issues, in that the File meta data can be seen unencrypted, which means at the very least important information about the files can be guessed. V 2, will apparently fix that.
As a means of transparently encrypting/decrypting it works well, and I can keep some important information regarding the encryption hidden by removing the config file from the encrypted directory, and symlinking it back in… the symlink never gets copied to the cloud.
But I’m now experimenting with cryfs, which also encrypts the file metadata, and as such seems like a better choice. In it’s current 0.x version, while file security is covered, it has some minor issues related to file integrity, but it looks very promising.
Has anyone developed a dual password system. One for the owner, the other you give to the authorities. The latter destroys the contents of the file except “Nanna’s cake recipes”. As I understand it, only a few 0s and 1s need to be removed to scramble the private stuff.
Then in the US...
I suppose then, in the US, one would be covered by the Fifth Amendment if one were to set one’s passphrase to a confessional sentence, such as “I smoke dope”. Turning over such a passphrase really would be self incrimination.
Living in Australia sounds about as fun as Catholicism.
As far as business travellers to Australia, the company could prevent the Autralian Border Force from being able to access data if they demand the password to the company VPN, by temporarily deleting the files and then restoring them as soon as they get back to the office.
If say, a US company does this, they are not subject to prosecution in Australia, because the their network and servers are in the United States, they are NOT SUBJECT to prosecution in Australia, if they temporarily delete those worker’s files from the network, and then restore them when they they come back to the office.