Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement

from the they're-just-accused-criminals.-they-shouldn't-have-any-rights. dept

The question is still unsettled here in the United States: is refusing to turn over your password protected by the Fifth Amendment? The argument hasn’t found many judicial supporters but at least there’s a Constitutional basis for claiming the relinquishment of passwords is possibly self-incriminating. Over in Australia, the rights aren’t so clearly defined. But the picture is getting clearer, thanks to legislators seeking to make it a criminal offense to withhold passwords. (h/t Asher Wolf)

New laws – currently in the process of being drafted – would mean any criminals who refuse to do so could face jail time of up to five years, according to reports.

The Adelaide Advertiser reports that the state government also announced that as part of the proposed changes anyone found to be running a child exploitation website or forum would face up to a decade behind bars.

It is understood the new laws are mainly aimed at potential paedophiles and those who share child exploitation material but could apply in instances where police are investigating organised crime.

Like lots of laws that expand law enforcement power, it starts with “for the children.” Here, the drafting of the law isn’t even finished and mission creep has already set in.

Attorney-General John Rau says it’s nothing to be concerned about: just a re-fitting of physical searches for the digital world.

“At present, a police officer’s general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that,” Mr Rau told the Adelaide Advertiser.

“A person will have to tell them how to get into it (the laptop) or the cloud for that matter.

“It is crucial that the criminal law keeps pace with changes in society and new ways of offending.”

It’s not as if criminals are that far ahead of law enforcement. At least not so far ahead that simply forgetting a password should net a person five years in jail. And there doesn’t appear to be anything tying this to a higher standard for password-reliant warrants. Law enforcement can imagine all sorts of criminal content might be in someone’s digital storage, “based on information and belief,” but that doesn’t mean agencies and officers should be given blanket permission to demand passwords for every locked device/account they come across.

Rau says it’s becoming more difficult for law enforcement to access devices, sometimes requiring outside assistance or hours of internal tech work. This may be true, but there are other approaches that can be taken that don’t directly ask criminal suspects to assist police in delivering incriminating evidence. Cloud services maintain control of users’ accounts and can be asked to turn over content and data. A variety of tech solutions already exist to access locked drives and computers. Making it a crime to withhold passwords from law enforcement puts the South Australian government within throwing distance of banning encryption — especially the kind that hides content and communications from everyone but the end user.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement”

Subscribe: RSS Leave a comment
48 Comments
JoeCool (profile) says:

Re: Re: Re: Re:

I don’t have a poor memory, but on a few different occasions over the years, I’ve tried to log into an account where I am POSITIVE what my password was only to be rejected for giving the wrong password. I eventually had to change the password on those accounts, but I’d have sworn on a stack of Bibles what the password was, only to have it fail.

Anonymous Coward says:

>Rau says it’s becoming more difficult for law enforcement to access devices,

Just how did they manage to catch criminals before the advent of records that they could examine? At the dawn of police work they would be exceedingly lucky if there was a letter or diary to record criminal intents and they managed to catch and convict criminals.

Bergman (profile) says:

Re: Re:

They investigated crimes using community policing methods that caused citizens in their community to want to help them and approach them with tips.

While being all tacticool is a lot more fun, the connection to the community that mindset sacrifices makes it almost impossible to solve crimes and catch criminals using traditional methods.

To say nothing of the way humans tend to be very good at killing things they find threatening.

Anonymous Coward says:

Beyond all the other reasons, all of these schemes to be compelled to give over passwords for this or that strike me as insane because there’s never any discussion of what will be an inevitable occurrence: what if you’ve forgotten the password?

Sure, in a lot of cases, its easy to prove you just accessed it yesterday, or whatever, but even THEN, I’m sure I’ve had to create a new password, used it and then completely forgotten what it was a mere handful of days later.

How the fuck is this not the exact same thing as indefinitely holding some one prisoner whom you suspect of murder until they agree to show you where the bodies are?

PaulT (profile) says:

Re: Re: Re:

Then, what if the email account that’s set is no longer active? Most laymen are not particularly good at keeping on top of record keeping, security, etc. They’ll set something up, forget about it, open a new email account because they’d rather do that than deal with spam, have accounts set for security but disabled due to inactivity, have a phone they no longer own set up for 2FA, etc. They may not be able to provide the access themselves.

Basically, the problem here is that as soon as you make it so that something that has a potentially innocent explanation illegal (in this case forgetting a password treated the same as refusing to hand it over), there’s always a loophole that can land a totally innocent person in jail. Add that to the mission creep (the rule is being passed through using child porn as the excuse, but will be applied to anything they want down the road), and you have a bad situation waiting to happen to innocent people.

Anonymous Coward says:

another crock of shit, removing still more freedom from people in supposedly another democratic country, all thanks to the friggin USA again!! why do we allow this shit to happen here? is everyone so stupid as to think it doesn’t matter? does everyone think it wont spread world wide? we are now just about the worse country for freedom, freedom of speech, etc of the so-called democratic world!

Anonymous Coward says:

A step? More like a leap.

"At present, a police officer’s general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that,"

Yeah, way beyond that. This more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the police don’t get what they want.

Roger Strong (profile) says:

It's Not Just Devices, It's All Files.

Police: We demand that you unlock THIS file.

User: That’s a data file that came with a game download. See, it’s in the game’s program directory. I have no idea what it’s for.

Police: We think you’re just hiding your encrypted files there. Unlock it or go to jail.

Voiceover: Purchase your games from Windows Store! Only Windows Store will certify the origin of your files. Anything else is pirated at best, and may be used against you.

That One Guy (profile) says:

Huzzah for self-fulfilling laws

Apparently ‘innocent until proven guilty’ is no longer a concept in australia, if you’re so much as investigated then you’re assumed by default to be guilty, and if you try to assert your innocence and protect your privacy you’re simply demonstrating your guilt.

Also apparently a thing of the past, doing their freakin’ jobs. As others have noted it’s a miracle they managed to get anything done at all if they can’t operate with access to everything, given encryption and not being able to access to everything is a big enough problem that they need to make refusal to hand over everything a jail-worthy offense.

Anonymous Coward says:

Re: Huzzah for self-fulfilling laws

I don’t think innocent until proven guilty is a concept anywhere. It’s sorta why you get arrested BEFORE you are convicted with a crime. In most cases you are at least charged with a crime, but it is so important to everyone that criminals be caught that the innocent must suffer unjustly as a consequence.

Wuzzah says:

Re: Re: Huzzah for self-fulfilling laws

The concept of innocent until proven guilty (or should that be innocent unless proven guilty) has been around since the ancient greeks and is supposedly the cornerstone of western law. As an aside it’s also a human right according to the UN at least to which Australia and other western “democracies” are signatories.

Anonymous Coward says:

A step? More like a leap.

Australia has no constitutional Bill of Rights forbidding the state compelling an individual to testify against himself.

But there is a silverlining, a criminal law penalizing refusal to disclose a password would require proof beyond a reasonable doubt, a difficult burden unless the government can prove that (1) The existence of a password, access control or encrypted data and (2) That the person is in possession of that access control.

The article author incorrectly states that the Fifth Amendment argument hasn’t found many judicial supporters, but that’s not correct.

Most observers seem to agree that the Fifth Amendment sometimes limit the government’s power to compel decryption or disclosure of the password.

The only sticking point is how, when or where the foregone conclusion deprives a suspect of the right to refuse to testify against himself.

Must the government prove that the suspect knows the password? Or must the government know with reasonable particularity which contents is protected with the password?

Professor Kerr is in the former category, while the EFF is in the latter.

But in a lot of scenarios, where the government finds storage media with random data, but isn’t otherwise able to tie the suspect to the data, or isn’t able to prove that random data = encrypted data, the suspect still prevails even under the weaker foregone conclusion test.

Anonymous Coward says:

A step? More like a leap.

“Yeah, way beyond that. This more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the
police don’t get what they want.”

Sometimes the police has the physical hardware containing encrypted data (files created with software leaving headers) and maybe the suspect’s fingerprints and DNA can be tied to the hardware, and maybe the hardware with a particular EMEI or Mac address was online and connected to the ISP at a given time.

Some of the cases likely covered by the Australian proposal might also satisfy the foregone conclusion test, or at least the weaker version endorsed by Professor Kerr and the Gelvgat and Fricosu courts.

But others might not, wherein the government only discovers in the execution of a warrant a storage media containing random data with no identifying file structure or manufacturer headers.

We would be wise to pick our battles, because the most sympathetic cases for the self incrimination privilege are also concerned with the presumption of innocence and the right to a fair trial.

The really hard cases, wherein the suspect freely admit that he knows the password, but won’t assist law enforcement or cases wherein the government finds a computer with the suspect’s username, and an installation of encryption software under the suspect’s account, are still self incrimination cases but ought to be treated differently.

Note that the most clever of the suspects in the encryption cases prevailed in the 11th Circuit simply by invoking the Fifth while not admitting anything, while the most stupid of the suspects either showed his kiddie porn to a customs officer; admitted too much during a taped jail telephone call; or simply said to the police that everything was encrypted and that he wasn’t going to help them put him in jail.

Anonymous Coward says:

"How to get in"

“… tell them how to get into it (the laptop) or the cloud for that matter.”

Having dealt with both the Victorian Police & Federal Police in Australia, when a client went bust after running something akin to a pyramid scheme – this is quite often the problem (how to get access).

I supplied all the passwords & domains of the services I provided to the business to the Police, but they were too inept to actually understand “how to access them”.

I offered to provide consulting service to the Police to assist with this, but they said as they didn’t believe they were likely to recover any monies, they weren’t interested.

As far as im aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn’t know how) + all the data is gone, as the services expired and the police weren’t to concerned with maintaining it for prosecution.

tracyanne (profile) says:

How about this

I always encrypt my data prior to sending it to the cloud. This process consists of setting up a transparent Encryption/Decryption Directory, using FUSE (for those who don’t use Linux it’s File system in User SpacE) .

It works in such a way that I can move or copy a file to the Unencrypted Directory, and the appears in the Encrypted Directory in an encrypted form.

The Encrypted Directory is the local directory for the Cloud Service, such as, for example Google Drive, what appears in it is what is uploaded to the Cloud.

To work it requires two passwords, one for Google Drive, and one for the Encrypted File System.

No if I give the Police my password to Google Drive, they can then access, my account on Google drive, but all they get is encrypted files.

So I can later claim I gave them my password, and any problems they are having dealing with the “corrupted” data are theirs.

Anonymous Coward says:

"How to get in""...

“As far as im aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn’t know how) + all the data is gone, as the services
expired and the police weren’t to concerned with maintaining it for prosecution.”

Very nice, and that the data is gone or that they never existed would be hard to prove in a lot of cases, unless the government quickly recovers access and server logs from the foreign providers.

Set up a datadump in a foreign jurisdiction at a VPS or cloud provider which doesn’t log for long or none at all.

Only access the remote server via a foreign vpn and with browser SSL.

Encrypt everything locally on one computer and upload from another computer (nonpersistent OS) and often swap hardware.

Arrange with a friend located in another country to pay for the service,so that the government can’t prove from banking statements that you are the likely owner of the account.

To increase plausible deniability, subscribe to some other cloud providers and upload some innocent sounding stuff and let the subscriptions expire after a short time, and always access the second set of accounts directly from your own connection.

If the government asks for password, just hand over the information for the accounts having expired and enjoy the wild goose chase.

Anonymous Coward says:

How about this

“No if I give the Police my password to Google Drive, they can then access, my account on Google drive, but all they get is encrypted files.”

In that case, the government will likely try to prove that you are the sole user of the account.

Of course, you might try to argue that you were hacked, or that the account security is otherwise weak, and that the file consisting of random data wasn’t placed there by yourself.

Whether or not the government can prove that you are the sole authorized user of the account, or whether it must concede the possibility that someone else might access the account with or without your cooperation might be fatal or beneficial to your case.
Under the Fifth Amendment foregone conclusion, you will have a weak degree of deniability if the government can easily tie you to the account by i.e IP access logs, timestamps, call records and in the case of Google two step verification.

Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer, the government will likely successfully argue that the file can be tied to your computer, and if the file hash kept by Google matches a file uploaded from your own IP at a time you were home, it weakens your defense.

However, if the account is shared, and you can establish that your computer was recently infected, or that your computer is regularly shared with multiple individuals, the government’s burden will be more difficult.

An even better case would arise if a cloud account or server was shared among multiple people using it to store work related projects.

“So I can later claim I gave them my password, and any problems they are having dealing with the “corrupted” data are theirs.”

That brings me to another fascinating possibility to increase plausible deniability, deliberate file corruption of encrypted files.

If you encrypt a file with 7Zip and run a script altering a few blocks in the encrypted data, any attempt to run the encrypted archive through forensic software will fail.

Then you can give them the password, and the process will fool most forensic software.

The corruption of the blocks would have to be random enough to be plausible, but that’s a separate issue.

tracyanne (profile) says:

Re: How about this

There’s a couple thing there I didn’t think of, Mostly in the legal realm. So I’ll have to have a bit of a rethink there.

I’ve already looked at including files that contain random “noise”, randomly generated characters, that are then also encrypted, by the encryption process, as a tool to make it more difficult to brute force decrypt. Not sure how well that would work though.

As for:

“Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer.”

That’s not an issue, there are no headers, and any related files needed for encryption, are either on the decrypted side, and never go to the Cloud, or are provided by Sym Links, and therefore never go to the cloud.

Decryption can only occur on a computer that has all the elements in place, which can be an OS installed on a USB key.

tracyanne (profile) says:

Re: How about this

I’ve been experimenting with encfs, but encfs V 1.x has some serious issues, in that the File meta data can be seen unencrypted, which means at the very least important information about the files can be guessed. V 2, will apparently fix that.

As a means of transparently encrypting/decrypting it works well, and I can keep some important information regarding the encryption hidden by removing the config file from the encrypted directory, and symlinking it back in… the symlink never gets copied to the cloud.

But I’m now experimenting with cryfs, which also encrypts the file metadata, and as such seems like a better choice. In it’s current 0.x version, while file security is covered, it has some minor issues related to file integrity, but it looks very promising.

Anonymous Coward says:

As far as business travellers to Australia, the company could prevent the Autralian Border Force from being able to access data if they demand the password to the company VPN, by temporarily deleting the files and then restoring them as soon as they get back to the office.

If say, a US company does this, they are not subject to prosecution in Australia, because the their network and servers are in the United States, they are NOT SUBJECT to prosecution in Australia, if they temporarily delete those worker’s files from the network, and then restore them when they they come back to the office.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »