Oliver Drage, suspected trader in child pornography, has just been sent down for refusing to disclose the password he’d used to encrypt his PC. This is an offence under RIPA (the Regulation of Investigatory Powers Act 2000). So if you’ve got something dodgy on your computer, you’ll get locked up whether or not the cops can decrypt it (or you’ve lost the password).
A spokesman for Lancashire police was pleased: “Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.”
Really. Drage is going to gaol for sixteen weeks (read “two months”). How long would he have been locked up for if he’d given them the password so they could decrypt whatever it’s alleged he was hiding? Five years? Ten years? Lock up and throw away the key?
This is not what I call “taking it seriously”.
The penalties under RIPA for not disclosing passwords are far lower than the likely sentence if someone’s been up to anything of interest to the authorities in this way. They don’t take it seriously at all.
26 Replies to “Oliver Drage makes mockery out of RIPA”
It seems some people on here listen to too much Alex Jones while clutching their tin foil hats desperately to their scalps.
Imagine yourself in the same situation. You have two choices: –
1. Don’t give up the password. That’s going to lead to a prison sentence, your name being made public along with the accusations, and many people will think you are guilty and that you were hiding something.
2. Give up the password. If you are innocent, your name is cleared. If you are guilty, you are convicted of a much worse crime and your name is tainted pretty much forever (and rightly so).
The majority of the paranoid “police state” tin foil hatters would do number 2, presuming they were actually innocent, regardless of their so-called principles.
If they repealed the law and you could say “I’m not giving you the password, so go away” and the police were powerless to do anything, then that’s exactly what every paedophile would do. The police aren’t kicking down the doors of innocent people in large numbers on a daily basis accusing them of being paedophiles. Exceptional circumstances like these call for laws such as the one that led to this kid’s jail sentence and some of you should grow up and stop believing everything that paranoid idiots like Alex Jones tell you.
“It seems some people on here listen to too much Alex Jones”
…and by that I assume you are a believer in totalitarianism?
“many people will think you are guilty and that you were hiding something.”
Exactly the problem. We need to get out of this stupid way of thinking. He obviously WAS hiding something. Maybe it was illegal, maybe it wasn’t.
As I’ve already said, on the balance of probabilities I wouldn’t lose too much sleep on him being convicted for what he has done. His name was thrown around many times about him being involved in all sorts of sick stuff. BUT, and it’s a MASSIVE BUT, we don’t convict people on the balance of probabilities and nor should we. We don’t want a legal system based on how many times your name was thrown into the mix.
The point of this isn’t Oliver himself. It’s the way the law is creeping and very real risks.
“The majority of the paranoid “police state””
You mention Alex Jones…are you American yourself since no one really follows lunatics like that here. If so you’ll start to understand why your government has such a strong constitution. Governments ARE dangerous. There’s no Alex Jones bullshit about it. Humans have been around for thousands and thousands of years and as recently as the last 100 years on our very door step in Europe we’ve seen what CAN happen when a concentration of power takes an interest in private lives.
A name and a refusal to cooperate IS not a substitute for evidence based policing.
Nothing to do with Alex Jones.
Morning Chris! I was wondering who Alex Jones might be.
@Iron Lung: Chris and I actually agree on most of this, but I don’t share his obvious conviction that it’s black and white. It’s an interesting debate, as I feel this is a genuine case of new technology creating a situation that our old legal system can’t cope with properly, and it needs more thought than was put in to RIPA to deal with it.
There are (AFAIK) two *known* cases of convictions under this law. The first was of a rather strange guy in November 2009, who apparently wanted to be arrested after repeatedly acting in a suspicious manner. He’s now been sectioned under the mental health act. This law was “sold” as dealing with pedophiles and terrorists – not eccentrics. The second is Oliver Drage. Assuming his refusal to cough up the password is to conceal something carrying a longer sentence, it just goes to show what we in the digital forensics field said in 2000 – basically that encryption was so good that it can’t be broken and the threat of a short prison sentence wasn’t going to yield much in the way of passwords from the guilty.
Continuation to Chris (in particular):
There’s no presumption of innocence needed here – the guy is guilty. Yep – he’s refused to hand over the password and that’s a crime. You might argue that it shouldn’t be. I’d certainly argue that RIPA stinks on many levels, and it’s likely to be used (indeed has been) as a way of locking someone up when there’s no suitable evidence for a “real” crime (e.g. JFL last November). The fact that the encrypted data might or might not be relevant to another crime doesn’t matter. Keeping anything encrypted is against the law.
I’ve campaigned long and hard against these laws (SOCA in particular) and the people responsible for making them. They’re too dangerous in a free society AND they fail to address the problem.
As to Oliver Drage; he’s always had the option – get out of jail any time by handing over the password. If the drive contained what the police suspected (and I have to admit, I suspect) then he’s got off lightly by keeping his mouth shut. I’m not going to feel sorry for him being locked up now.
What does worry me a lot more is the JFL case, where a conviction was secured against a guy who was a bit weird (now sectioned under the mental health act). I get the impression that he wanted to be prosecuted for something, but that’s no excuse.
“There’s no presumption of innocence needed here – the guy is guilty. Yep – he’s refused to hand over the password and that’s a crime. You might argue that it shouldn’t be.”
Only because the people that drafted that law threw the presumption of innocence out of the window.
“As to Oliver Drage; he’s always had the option – get out of jail any time by handing over the password. If the drive contained what the police suspected (and I have to admit, I suspect) then he’s got off lightly by keeping his mouth shut. I’m not going to feel sorry for him being locked up now.”
No, no, no, no, NO! Not because I think the guy is innocent – on the balance of probabilities I wouldn’t lose too much sleep about convicting him (not the burden of proof required for criminal convictions) but I and a lot of other people will lose a LOT of sleep if this HORRIBLE idea of “there’s no problem having the government snooping into people’s lives is fine if you’ve got nothing to hide” keeps getting more and more momentum. That’s what is completely terrifying. We need to stop it dead right NOW.
I think you all haven’t read the article properly and are jumping to conclusions…
Didn’t you guys read how they caught him? As part of a crack-down on a child porn ring on which his name came up numerous times. It’s that reason why they tracked him down. It’s not that the police will go after anyone.
But you do have to remember, if you have nothing to hide then why use a 50-character cypher and not give it up when asked???
Convictions are not based on the circumstances of arrest and nor should it be. Convictions are based on evidence of criminal activity and so it should be.
Convictions are not based on how many times your name comes up and nor should it be. It’s pretty obvious that if you start incriminating based on how many times your name comes up you’re going to have a LOT of problems.
The area of crime you’re part of an investigation of should not have any influence on your guilt! If you’re being investigated for child sex exploitation that shouldn’t suddenly increase the likelihood of your guilt.
A ROBUST legal system is essential. Concepts like the presumption of innocence are EXTREMELY important. Governments have proven themselves FAR more dangerous than individuals (go look up history) when you give them powers.
“But you do have to remember, if you have nothing to hide then why use a 50-character cypher and not give it up when asked???”
Oh please. No idea. None of your business quite frankly. None of the police’s business either unless they have evidence of a crime.
Let’s keep the law based on evidence please.
If and when, cogent evidence tending to show that Oliver Drage has committed some criminal offence against any person, be they adult or child, then he may be formally charged with that offence and if the Crown Prosecution Service should take the view that there is a realistic chance of a conviction and that a prosecution would be in the public interest, then he may be committed for trial.
Whether it be a young man in his teens or Satan himself standing in the dock, remember how things used to be until quite recently…
1. The silence of an accused, either during police questioning or his choice not to give evidence in chief in either a single or multiple count indictment is not evidential and shall not be the subject of prosecution comment.
2. An accused, though generally competent in his own defence, is never compellable, except as in Regina vs Houghton, where, after being acquitted of all charges against him, he may become compellable for the defence of a co-defendant jointly charged with him.
3. The prosecution must prove the defendant’s guilt (both actus reus and mens rea as per Woolmington vs DPP) and generally speaking it is not for an accused to prove his innocence. Where a defendant relies upon a defence of licence or permit, then the responsibility for adducing evidence falls upon him, and he may discharge that burden by adducing evidence that meets the civil standard of proof.
4. Whereas a court may order production of physical artefacts as evidence under pain of holding a party to be in contempt of court, the choice by an accused to remain silent is absolutely sacrosanct and must never be infringed. A plea of not guilty may be entered on behalf of a defendant who refuses to speak or to plead.
5. By the Judges Rules, the merest hint of advantage or fear of prejudice exercised or held out by authority shall be prejudicial to the admissibility in evidence, against any person of any evidence obtained thereby.
6. It is scandalous that politicians have been able to trample so many long standing safeguards of English law underfoot with impunity. The passage of the RIPA legislation makes it all too clear that there is no constituency for the defence of legal and democratic rights within the ruling circles in Britain. This legislation is absolutely outrageous and should be repealed forthwith.
For the avoidance of any doubt, I’ve always said that RIPA (Part III in particular) was dreadful, as proved by the CTC and their pursuit of the eccentric JFL last year – the first conviction I believe. The original post was pointing out that it appears to have failed to solve the original problem too; but should be read after earlier criticism of the Act itself for balance.
But this still leaves us with a problem. As you say, all of your points above relate to “quite recently”, but things have changed.
Can you think of anything that existed before total encryption that presented similar problems to the police when investigating a crime? (This is not a rhetorical question).
Previously the police could watch someone, gather evidence that they were up to something and if it looked suspicious enough, could get a warrant to search their house (for example). Never before have the police been barred access to a location likely to contain evidence BY THE SUSPECT. They could be refused a warrant, but that’s different.
I would imagine that before RIPA it was possible for the court to demand access to encrypted data, but being held in contempt could be just as inadequate.
Correct me if I’m wrong, but this situation is completely unprecedented. It’s now possible for someone to conceal the evidence of a crime completely. Where there’s a trail of circumstantial evidence leading somewhere, but any direct evidence is encrypted, what are we (as a society) supposed to do?
RIPA was available for two years before it was first used for this purpose, which rather suggests the police don’t think much of it either – but they do tend to get a taste for things.
“Can you think of anything that existed before total encryption that presented similar problems to the police when investigating a crime?”
I can. Police always have hunches of a crime and know their suspects are hiding SOMETHING and some might be tempted to torture stuff out of their suspects’ minds.
“It’s now possible for someone to conceal the evidence of a crime completely.”
Except it’s COMPLETELY indistinguishable from non-criminal private data so tough cookies.
Even a S49 notice needs the Chief Constable to review the evidence so far before approving it – more than a hunch (in theory). Also, having your drive decrypted hardly compares with being tortured (or harassed).
Encrypted data is (or should be) indistinguishable from random numbers; likewise it’s not possible to see what’s behind a locked door until it’s opened by search warrant (backed up by sledgehammers). RIPA (in its current form) may be no good, but we either want the police to be able to investigate, or we don’t.
“Also, having your drive decrypted hardly compares with being tortured (or harassed).”
Frank, you’re confusing analogies here. Oliver Drage’s drive being decrypted is not the analogy of torture but him being incarcerated IS which is exactly what has happened here.
“but we either want the police to be able to investigate, or we don’t.”
This isn’t the issue!!! We’re not discussing whether police are able to investigate or not (no one would disagree on this). We’re discussing ideas such as privacy and presumption of innocence etc.
“Encrypted data is (or should be) indistinguishable from random numbers”
But criminal encrypted data is not indistinguishable from non-criminal encrypted data.
You sound like an interesting guy and make some good points but you’re slipping here. Some basic logical mistakes.
[Ed: This has reached the nesting limit of replies, so can’t reply directly]
Everyone should be entitled to privacy and a right to remain silent. Rightly or wrongly this kid is exercising his right to a degree of that. Whether you choose to provide your whole life story on Facebook or roam the planet with what little degree of anonymity that can be afforded to you, that very choice should always be yours.
Probably the whole reason this is being publicised is that it is well known that RIPA infringes civil liberties and has been misused by all sorts of govt dept including councils to poke around where they otherwise wouldn’t be entitled to.
Someone wants RIPA to stay as it is, at a time when a new govt could review it.
The person RIPA has been used against for the alleged crime(s) is the intended type of target RIPA was started for and remains a type of crime that’s been a hot potato with the media now for over 10 years or so.
It will be used by those who want to keep RIPA to help maintain public support for it.
Equally it could backfire dramatically if the media choose to educate the public or the public choose to self educate on RIPA itself rather than just focusing on the alleged crime.
Freedom and privacy are everything.
Perhaps the irony is that a 19 year old, intentionally or not, is making a mockery of Lancashire Police force as they can’t unlock his computer. He may be screwed if they do unlock it or equally charged with wasting police time. But for now he’s probably somewhere between crapping it and chuckling about it.
RIP makes a mockery out of the right to silence and the privilege against self-incrimination.
Both, according to the European Court of Human Rights are “generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6.”
Get your facts straight.
Which of my facts aren’t straight? Or is your comment an expression of your exasperation with some of the stupid legislation seen in the last few years (see previous posts)?
However, I’m not sure I’d go along with this “right to silence” business. This isn’t an ancient principle of English law, although the notion does seem to have spread from England to former colonies (and mainland Europe in the 20th century) without much in the way of justification. It doesn’t literally mean what it says (even before 1994 Act). There can’t be a conviction based on silence, or in recent times, based on silence alone (i.e. the jury can only draw inferences from it but can’t use it as proof).
Take a “non technical” example and clear away the clutter.
Mr Plod sees some burly bloke in a mask and striped jersey and climbing out of a window in the early hours of the morning, carrying a large bag marked “Swag”. Does Mr Plod have the right to see what’s in the bag? The answer is basically “yes”, and I’m sure you’d agree if it was your window in question.
Situations just like this come up in computer forensics, but it’s hard to explain why they’re so blatant in a non-technical way.
Now, under the “right to remain silent” umbrella, there’s a principle that you don’t have to help the police with their inquiries. Giving the police a password is clearly helping. Right or wrong? In the case of the burly bloke with the (alleged) swag bag, Mr Plod would always get a look inside. Showing the police what’s inside an encrypted file should be the same; it’s hardly in the same league as determining that a defendant is incompetent to give evidence. The police can obtain a warrant to search anywhere they like if they’ve got good grounds, and hard disks should be no different. The difference is that a refusal to “help” the police by unlocking a physical door can be overcome using sledge hammers so the “right to remain silent” remains intact, if absurd.
RIPA isn’t going to work because it’s a quick-fix law to deal with something that really needs to be dealt with in another way.
It should be zero weeks. Innocent until proven guilty I thought. Keeping data private is not in itself immoral. Maybe this kid is scum, then get the evidence and convict him. If you can’t get any evidence then tough shit I’m afraid. It’s not this specific case that is the problem it’s the fact that this law is undoubtedly a step in completely the wrong direction.
That’s basically my point. The (previous) government rushed through a load of ludicrous legislation to fix problems with technology, most of it doomed never to work. The way they’re trying to regulate ISPs is a case in point. I fear that the new government isn’t likely to do much better. Don’t get me started on SOCA!
Hi Frank, Maybe I’m being thick but I can’t put my finger on your viewpoint.
“The penalties under RIPA for not disclosing passwords are far lower than the likely sentence if you’ve been doing something likely to get the interest of the authorities in this way. They don’t take it seriously at all.”
Are you saying the sentences should be the same as the suspected crime or non-existent?
You think the “presumption of innocence” in law is a bad idea?
I think others haven’t understood either.
I think Hanzidle’s got it (see below).
“Perhaps the irony is that a 19 year old, intentionally or not, is making a mockery of Lancashire Police force as they can’t unlock his computer. He may be screwed if they do unlock it or equally charged with wasting police time. But for now he’s probably somewhere between crapping it and chuckling about it.”
But I can see why you’re asking – you don’t know me and I should explain the context…
I’ve been campaigning against RIPA, SOCA and highly dubious legislation since it first started appearing – demos, lobbying, verbally challenging ministers at public meetings – you-name-it. I’m no friend of RIPA. I wrote this, not expecting anyone much to read it, in a hurry last night after I’d seen the Lancashire police inspector crowing about how tough they were (and how good RIPA was) and I was simply drawing attention to how wrong they were. So many people have read it, it swamped the tiny server it’s running on this morning. I wish I’d done a fuller article and put it on a larger server – but roll on the debate!
I’m also a serious “digital forensics” expert. I know how the police think (they’re human, and don’t all think the same). I’ve got a high level of confidence that in this case they were on to something, but this was all they could prove – like the Al Capone affair. I also know just how nasty some of these child-sex characters are, and they’re certainly devious.
Not only does RIPA give dangerous powers to the police, but it also DOESN’T WORK for its intended purpose (assuming this character is as guilty as it appears). Some “civil liberties” are carried too far (e.g. Americans’ perceived right to pack an uzi while shopping) but if they are ever eroded it needs to be done properly, so that it fixes the intended problem. This does not.
1) Plant random file on enemy’s computer
2) Tip off police that enemy has child porn on their computer
3) Enemy fails to hand over key and is given criminal record
Although the maximum term for failure to disclose a password from RIPA is two years, so people are better off planting the real thing. RIPA doesn’t make any difference if this is your plan.
In practice it’s fairly easy to determine what’s happened, and who did the planting.
There’s just been a council by-election in Kensington caused by the resignation of a Councillor who alleges he was unknowingly sent emails with unsuitable attachments. Worth a closer look if you’re interested.
If you’re certain your mark will refuse to give up his password, step 1 is unnecessary.
You misunderstand. Jo meant ‘random file’ as in ‘file containing random information’ – that is, something which could be suspected to be an encrypted container. The benefit of this approach (vs. planting actual illegal material) being that you wouldn’t actually have to ever handle illegal material yourself…
It was five years ago, but I think I did read it that way. I’m not entirely sure what I was thinking (if you’re referring to my post), as it doesn’t all make sense now. You’re certainly right about the speed and convenience of using random images as opposed to real ones, but I doubt the police would act on an anonymous tip-off with no actual material present. At least I hope they wouldn’t.
(FWIW A dd of /dev/random probably wouldn’t look like an encrypted file but it’d be easy enough to make one with a convincing header).
and after being released he will be asked again for his password
he’ll probably refuse and be charged a second time
rinse and repeat…
whoever he is and whatever he is suspected of, he has the right to remain silent. uk is a police state.