Australian Prosecutors Want To Make It Illegal To Refuse To Turn Over Passwords To Law Enforcement

from the they're-just-accused-criminals.-they-shouldn't-have-any-rights. dept

The question is still unsettled here in the United States: is refusing to turn over your password protected by the Fifth Amendment? The argument hasn't found many judicial supporters but at least there's a Constitutional basis for claiming the relinquishment of passwords is possibly self-incriminating. Over in Australia, the rights aren't so clearly defined. But the picture is getting clearer, thanks to legislators seeking to make it a criminal offense to withhold passwords. (h/t Asher Wolf)

New laws – currently in the process of being drafted - would mean any criminals who refuse to do so could face jail time of up to five years, according to reports.

The Adelaide Advertiser reports that the state government also announced that as part of the proposed changes anyone found to be running a child exploitation website or forum would face up to a decade behind bars.

It is understood the new laws are mainly aimed at potential paedophiles and those who share child exploitation material but could apply in instances where police are investigating organised crime.

Like lots of laws that expand law enforcement power, it starts with "for the children." Here, the drafting of the law isn't even finished and mission creep has already set in.

Attorney-General John Rau says it's nothing to be concerned about: just a re-fitting of physical searches for the digital world.

"At present, a police officer's general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that," Mr Rau told the Adelaide Advertiser.

"A person will have to tell them how to get into it (the laptop) or the cloud for that matter.

"It is crucial that the criminal law keeps pace with changes in society and new ways of offending."

It's not as if criminals are that far ahead of law enforcement. At least not so far ahead that simply forgetting a password should net a person five years in jail. And there doesn't appear to be anything tying this to a higher standard for password-reliant warrants. Law enforcement can imagine all sorts of criminal content might be in someone's digital storage, "based on information and belief," but that doesn't mean agencies and officers should be given blanket permission to demand passwords for every locked device/account they come across.

Rau says it's becoming more difficult for law enforcement to access devices, sometimes requiring outside assistance or hours of internal tech work. This may be true, but there are other approaches that can be taken that don't directly ask criminal suspects to assist police in delivering incriminating evidence. Cloud services maintain control of users' accounts and can be asked to turn over content and data. A variety of tech solutions already exist to access locked drives and computers. Making it a crime to withhold passwords from law enforcement puts the South Australian government within throwing distance of banning encryption -- especially the kind that hides content and communications from everyone but the end user.


Reader Comments

  • Michael, 31 Jul 2017 @ 12:06pm

    "any criminals who refuse to do so could face jail time of up to five years"

    It is always good to start with a statement that assumes the accused is already a criminal before gathering evidence.

    • Anonymous Coward, 31 Jul 2017 @ 12:26pm

      Re:

      I mean, according to this law refusing to do so makes them a criminal. So the statement is technically correct.

    • JoeCool, 31 Jul 2017 @ 12:39pm

      Re:

      Hmm - I read it like this:

      would mean any reporters who refuse to do so could face jail time of up to five years

      You know, gotta track down those leakers somehow, and those damn pesky reporters never want to give up their sources.

    • Toom1275, 31 Jul 2017 @ 12:44pm

      Re:

      Almost. It appears the law makes refusal itself criminal, so it doesn't matter if there's zero evidence or accusation of any other crime, merely refusing makes you a "criminal" anyway. No evidence of crime needed after that point.

      • Bergman, 31 Jul 2017 @ 3:56pm

        Re: Re:

        I have poor memory -- not Alzheimer's, not along the same but much milder lines. I routinely forget passwords, and have to reset them.

        Wouldn't it suck to wind up in prison in a foreign country for five years because of a medical condition you can do absolutely nothing about?

        • JoeCool, 31 Jul 2017 @ 4:20pm

          Re: Re: Re:

          I don't have a poor memory, but on a few different occasions over the years, I've tried to log into an account where I am POSITIVE what my password was only to be rejected for giving the wrong password. I eventually had to change the password on those accounts, but I'd have sworn on a stack of Bibles what the password was, only to have it fail.

  • Anonymous Coward, 31 Jul 2017 @ 12:08pm

    >Rau says it's becoming more difficult for law enforcement to access devices,

    Just how did they manage to catch criminals before the advent of records that they could examine? At the dawn of police work they would be exceedingly lucky if there was a letter or diary to record criminal intents and they managed to catch and convict criminals.

    • Bergman, 31 Jul 2017 @ 3:58pm

      Re:

      They investigated crimes using community policing methods that caused citizens in their community to want to help them and approach them with tips.

      While being all tacticool is a lot more fun, the connection to the community that mindset sacrifices makes it almost impossible to solve crimes and catch criminals using traditional methods.

      To say nothing of the way humans tend to be very good at killing things they find threatening.

  • Anonymous Coward, 31 Jul 2017 @ 12:18pm

    Beyond all the other reasons, all of these schemes to be compelled to give over passwords for this or that strike me as insane because there's never any discussion of what will be an inevitable occurrence: what if you've forgotten the password?

    Sure, in a lot of cases, it's easy to prove you just accessed it yesterday, or whatever, but even THEN, I'm sure I've had to create a new password, used it and then completely forgotten what it was a mere handful of days later.

    How the fuck is this not the exact same thing as indefinitely holding someone prisoner whom you suspect of murder until they agree to show you where the bodies are?

    • Anonymous Coward, 31 Jul 2017 @ 12:20pm

      Re:

      Or worse, I'm sure at some point someone is going to end up in a situation where the police demand they hand over the password to some account that isn't even theirs with no way to prove that it isn't.

    • Anonymous Coward, 31 Jul 2017 @ 12:21pm

      Re:

      And people get accounts stolen all the time. All it takes is for your account to get stolen around the same time you're suspected of something and BAM, getting your account stolen costs you 5 years of your life.

    • Bergman, 31 Jul 2017 @ 3:59pm

      Re:

      Many of the websites I login to require refreshing logins every so often -- two weeks, monthly, annually, etc.

      I usually don't remember my password to them though, so if someone demands I supply it, I can't do that. Not won't, but physically can't.

    • Anonymous Coward, 31 Jul 2017 @ 5:49pm

      Re:

      Just give them the password to the email account that is used for a reset. They'll take it from there.

      • PaulT, 1 Aug 2017 @ 12:39am

        Re: Re:

        Then, what if the email account that's set is no longer active? Most laymen are not particularly good at keeping on top of record keeping, security, etc. They'll set something up, forget about it, open a new email account because they'd rather do that than deal with spam, have accounts set for security but disabled due to inactivity, have a phone they no longer own set up for 2FA, etc. They may not be able to provide the access themselves.

        Basically, the problem here is that as soon as you make it so that something that has a potentially innocent explanation illegal (in this case forgetting a password treated the same as refusing to hand it over), there's always a loophole that can land a totally innocent person in jail. Add that to the mission creep (the rule is being passed through using child porn as the excuse, but will be applied to anything they want down the road), and you have a bad situation waiting to happen to innocent people.

      • btr1701, 1 Aug 2017 @ 11:52am

        Re: Re:

        > Just give them the password to the email account that is
        > used for a reset. They'll take it from there

        That might be a solution for a cloud account or some web service, but it won't work for a laptop or the unlock code for a tablet or phone.

  • Jordan Chandler, 31 Jul 2017 @ 12:36pm

    warrantless searches

    So they think they should be able to search any house without a warrant too?

  • Anonymous Coward, 31 Jul 2017 @ 12:37pm

    another crock of shit, removing still more freedom from people in supposedly another democratic country, all thanks to the friggin USA again!! why do we allow this shit to happen here? is everyone so stupid as to think it doesn't matter? does everyone think it won't spread world wide? we are now just about the worst country for freedom, freedom of speech, etc of the so-called democratic world!

  • Anonymous Coward, 31 Jul 2017 @ 12:51pm

    A step? More like a leap.

    "At present, a police officer's general search warrant is good enough to access the physical premises, but what this is talking about is a step beyond that,"

    Yeah, way beyond that. This is more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the police don't get what they want.

    • JoeCool, 31 Jul 2017 @ 1:06pm

      Re: A step? More like a leap.

      Hmm - maybe more like requiring the home owner to give them the combination to the safe in their house. After all, might be evidence of their crimes in the safe.

      • Anonymous Coward, 31 Jul 2017 @ 6:21pm

        Re: Re: A step? More like a leap.

        In this case they already have the contents of the safe. They want you to sort it out for them.

        • JoeCool, 31 Jul 2017 @ 7:06pm

          Re: Re: Re: A step? More like a leap.

          It's like those connect the dot puzzles you did in grade school, but they want you to connect the dots for them. :D

          • silversheltie, 1 Aug 2017 @ 8:48am

            Re: Re: Re: Re: A step? More like a leap.

            I believe you're wrong, in this case it's more like the police bringing you a safe with no way to prove it's yours. Digital accounts are different from safes because you can't physically own an account and thus prove it's yours.

  • ECA, 31 Jul 2017 @ 1:00pm

    Any

    Anyone here in Law enforcement??

    Let's call up and request PASSWORDS...
    Come on, Let's do this..
    All of their Accounts are OURS...
    WE ARE BORG..

  • Roger Strong, 31 Jul 2017 @ 1:10pm

    It's Not Just Devices, It's All Files.

    Police: We demand that you unlock THIS file.

    User: That's a data file that came with a game download. See, it's in the game's program directory. I have no idea what it's for.

    Police: We think you're just hiding your encrypted files there. Unlock it or go to jail.

    Voiceover: Purchase your games from Windows Store! Only Windows Store will certify the origin of your files. Anything else is pirated at best, and may be used against you.

  • That One Guy, 31 Jul 2017 @ 2:34pm

    Huzzah for self-fulfilling laws

    Apparently 'innocent until proven guilty' is no longer a concept in Australia, if you're so much as investigated then you're assumed by default to be guilty, and if you try to assert your innocence and protect your privacy you're simply demonstrating your guilt.

    Also apparently a thing of the past, doing their freakin' jobs. As others have noted it's a miracle they managed to get anything done at all if they can't operate with access to everything, given encryption and not being able to access everything is a big enough problem that they need to make refusal to hand over everything a jail-worthy offense.

    • Anonymous Coward, 31 Jul 2017 @ 3:17pm

      Re: Huzzah for self-fulfilling laws

      I don't think innocent until proven guilty is a concept anywhere. It's sorta why you get arrested BEFORE you are convicted of a crime. In most cases you are at least charged with a crime, but it is so important to everyone that criminals be caught that the innocent must suffer unjustly as a consequence.

      • Wuzzah, 31 Jul 2017 @ 10:48pm

        Re: Re: Huzzah for self-fulfilling laws

        The concept of innocent until proven guilty (or should that be innocent unless proven guilty) has been around since the ancient Greeks and is supposedly the cornerstone of western law. As an aside it's also a human right according to the UN at least to which Australia and other western "democracies" are signatories.

  • Kronomex, 31 Jul 2017 @ 4:03pm

    What you should have noted is that the laws are being drafted in South Australia and not the whole country. How long the rest of the states and feds take to jump on the bandwagon is another matter.

    The LNP will be ticked off that Labor has gone down that road before them so they can't claim the idea as their own.

  • Stan, 31 Jul 2017 @ 4:08pm

    The conversation on HackerNews

    This conversation on HackerNews https://news.ycombinator.com/item?id=14896457

  • DerekCurrie, 31 Jul 2017 @ 5:07pm

    Australia Ueber Alles

    That Australia is leading the free world into the next sewer of totalitarianism boggles the mind. This is mighty sick stuff.

    Totalitarianism = FAILure = Citizen Abuse.

  • Anonymous Coward, 31 Jul 2017 @ 5:50pm

    A step? More like a leap.

    Australia has no constitutional Bill of Rights forbidding the state compelling an individual to testify against himself.


    But there is a silver lining, a criminal law penalizing refusal to disclose a password would require proof beyond a reasonable doubt, a difficult burden unless the government can prove that (1) The existence of a password, access control or encrypted data and (2) That the person is in possession of that access control.



    The article author incorrectly states that the Fifth Amendment argument hasn't found many judicial supporters, but that's not correct.

    Most observers seem to agree that the Fifth Amendment sometimes limits the government's power to compel decryption or disclosure of the password.

    The only sticking point is how, when or where the foregone conclusion deprives a suspect of the right to refuse to testify against himself.

    Must the government prove that the suspect knows the password? Or must the government know with reasonable particularity which contents are protected with the password?

    Professor Kerr is in the former category, while the EFF is in the latter.


    But in a lot of scenarios, where the government finds storage media with random data, but isn't otherwise able to tie the suspect to the data, or isn't able to prove that random data = encrypted data, the suspect still prevails even under the weaker foregone conclusion test.

  • Anonymous Coward, 31 Jul 2017 @ 6:13pm

    A step? More like a leap.

    "Yeah, way beyond that. This is more like requiring people to also tell the police where to find things and then throwing them in prison for 5 years if the police don't get what they want."

    Sometimes the police have the physical hardware containing encrypted data (files created with software leaving headers) and maybe the suspect's fingerprints and DNA can be tied to the hardware, and maybe the hardware with a particular IMEI or MAC address was online and connected to the ISP at a given time.

    Some of the cases likely covered by the Australian proposal might also satisfy the foregone conclusion test, or at least the weaker version endorsed by Professor Kerr and the Gelfgatt and Fricosu courts.

    But others might not, wherein the government only discovers in the execution of a warrant a storage media containing random data with no identifying file structure or manufacturer headers.

    We would be wise to pick our battles, because the most sympathetic cases for the self incrimination privilege are also concerned with the presumption of innocence and the right to a fair trial.


    The really hard cases, wherein the suspect freely admits that he knows the password, but won't assist law enforcement or cases wherein the government finds a computer with the suspect's username, and an installation of encryption software under the suspect's account, are still self incrimination cases but ought to be treated differently.

    Note that the most clever of the suspects in the encryption cases prevailed in the 11th Circuit simply by invoking the Fifth while not admitting anything, while the most stupid of the suspects either showed his kiddie porn to a customs officer; admitted too much during a taped jail telephone call; or simply said to the police that everything was encrypted and that he wasn't going to help them put him in jail.

  • Pixelation, 31 Jul 2017 @ 7:26pm

    Turn the meter on

    Australians are all criminals by heritage anyways. Might as well treat them that way.

    • Anonymous Coward, 1 Aug 2017 @ 12:39am

      Re: Turn the meter on

      South Australia likes to point out to foreigners that it was a Free State colonized with Free People, not convicts.

  • Bitedge, 1 Aug 2017 @ 12:27am

    Sneaky

    as part of the proposed changes anyone found to be running a child exploitation website or forum would face up to a decade behind bars.

    So that anyone who votes against it knows they would be labeled as soft on paedophiles and have a history of voting against sending people who run kid porn websites to jail.

    Politicians are a cancer on society.

  • Anonymous Coward, 1 Aug 2017 @ 12:41am

    "How to get in"

    "... tell them how to get into it (the laptop) or the cloud for that matter."

    Having dealt with both the Victorian Police & Federal Police in Australia, when a client went bust after running something akin to a pyramid scheme - this is quite often the problem (how to get access).

    I supplied all the passwords & domains of the services I provided to the business to the Police, but they were too inept to actually understand "how to access them".

    I offered to provide consulting service to the Police to assist with this, but they said as they didn't believe they were likely to recover any monies, they weren't interested.

    As far as I'm aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn't know how) + all the data is gone, as the services expired and the police weren't too concerned with maintaining it for prosecution.

    • JoeCool, 1 Aug 2017 @ 8:24am

      Re: "How to get in"

      That's because no one "important" was defrauded by the scheme. Had it caught someone other than peons, you can bet they'd have put effort into gathering evidence and prosecuting to (and beyond) the fullest measure.

  • tracyanne, 1 Aug 2017 @ 1:20am

    How about this

    I always encrypt my data prior to sending it to the cloud. This process consists of setting up a transparent Encryption/Decryption Directory, using FUSE (for those who don't use Linux it's File system in User SpacE) .

    It works in such a way that I can move or copy a file to the Unencrypted Directory, and it appears in the Encrypted Directory in an encrypted form.

    The Encrypted Directory is the local directory for the Cloud Service, such as, for example Google Drive, what appears in it is what is uploaded to the Cloud.

    To work it requires two passwords, one for Google Drive, and one for the Encrypted File System.

    Now if I give the Police my password to Google Drive, they can then access my account on Google Drive, but all they get is encrypted files.

    So I can later claim I gave them my password, and any problems they are having dealing with the "corrupted" data are theirs.

  • Anonymous Coward, 1 Aug 2017 @ 5:19am

    "How to get in""...

    "As far as I'm aware today (as that was approx 6yrs ago), the Police never accessed any data (as they didn't know how) + all the data is gone, as the services expired and the police weren't too concerned with maintaining it for prosecution."

    Very nice, and that the data is gone or that they never existed would be hard to prove in a lot of cases, unless the government quickly recovers access and server logs from the foreign providers.

    Set up a datadump in a foreign jurisdiction at a VPS or cloud provider which doesn't log for long or none at all.

    Only access the remote server via a foreign vpn and with browser SSL.

    Encrypt everything locally on one computer and upload from another computer (nonpersistent OS) and often swap hardware.


    Arrange with a friend located in another country to pay for the service,so that the government can't prove from banking statements that you are the likely owner of the account.

    To increase plausible deniability, subscribe to some other cloud providers and upload some innocent sounding stuff and let the subscriptions expire after a short time, and always access the second set of accounts directly from your own connection.

    If the government asks for password, just hand over the information for the accounts having expired and enjoy the wild goose chase.

  • Anonymous Coward, 1 Aug 2017 @ 5:47am

    How about this

    "Now if I give the Police my password to Google Drive, they can then access my account on Google Drive, but all they get is encrypted files."

    In that case, the government will likely try to prove that you are the sole user of the account.

    Of course, you might try to argue that you were hacked, or that the account security is otherwise weak, and that the file consisting of random data wasn't placed there by yourself.

    Whether or not the government can prove that you are the sole authorized user of the account, or whether it must concede the possibility that someone else might access the account with or without your cooperation might be fatal or beneficial to your case.
    Under the Fifth Amendment foregone conclusion, you will have a weak degree of deniability if the government can easily tie you to the account by i.e IP access logs, timestamps, call records and in the case of Google two step verification.

    Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer, the government will likely successfully argue that the file can be tied to your computer, and if the file hash kept by Google matches a file uploaded from your own IP at a time you were home, it weakens your defense.

    However, if the account is shared, and you can establish that your computer was recently infected, or that your computer is regularly shared with multiple individuals, the government's burden will be more difficult.

    An even better case would arise if a cloud account or server was shared among multiple people using it to store work related projects.

    "So I can later claim I gave them my password, and any problems they are having dealing with the "corrupted" data are theirs."

    That brings me to another fascinating possibility to increase plausible deniability, deliberate file corruption of encrypted files.

    If you encrypt a file with 7Zip and run a script altering a few blocks in the encrypted data, any attempt to run the encrypted archive through forensic software will fail.

    Then you can give them the password, and the process will fool most forensic software.

    The corruption of the blocks would have to be random enough to be plausible, but that's a separate issue.

    • tracyanne, 1 Aug 2017 @ 3:25pm

      Re: How about this

      There's a couple of things there I didn't think of, mostly in the legal realm. So I'll have to have a bit of a rethink there.

      I've already looked at including files that contain random "noise", randomly generated characters, that are then also encrypted, by the encryption process, as a tool to make it more difficult to brute force decrypt. Not sure how well that would work though.

      As for:

      "Also if the files stored in the accounts contain headers particular to the encryption software installed on your computer."

      That's not an issue, there are no headers, and any related files needed for encryption, are either on the decrypted side, and never go to the Cloud, or are provided by Sym Links, and therefore never go to the cloud.

      Decryption can only occur on a computer that has all the elements in place, which can be an OS installed on a USB key.

    • tracyanne, 1 Aug 2017 @ 11:47pm

      Re: How about this

      I've been experimenting with encfs, but encfs V 1.x has some serious issues, in that the File meta data can be seen unencrypted, which means at the very least important information about the files can be guessed. V 2, will apparently fix that.

      As a means of transparently encrypting/decrypting it works well, and I can keep some important information regarding the encryption hidden by removing the config file from the encrypted directory, and symlinking it back in... the symlink never gets copied to the cloud.

      But I'm now experimenting with cryfs, which also encrypts the file metadata, and as such seems like a better choice. In its current 0.x version, while file security is covered, it has some minor issues related to file integrity, but it looks very promising.

  • helping, 1 Aug 2017 @ 7:12am

    Has anyone developed a dual password system. One for the owner, the other you give to the authorities. The latter destroys the contents of the file except “Nanna’s cake recipes”. As I understand it, only a few 0s and 1s need to be removed to scramble the private stuff.

  • mvario, 1 Aug 2017 @ 9:37am

    Then in the US...

    I suppose then, in the US, one would be covered by the Fifth Amendment if one were to set one's passphrase to a confessional sentence, such as "I smoke dope". Turning over such a passphrase really would be self incrimination.

  • Anonymous Coward, 2 Aug 2017 @ 3:58am

    Living in Australia sounds about as fun as Catholicism.
