Irish position on giving up encryption keys

Procrastastudy

Does anyone know of any authority for the courts being able to force someone to give up their encryption key for their computer except for in a business investigation setting. I'm thinking in a "has downloaded shed loads of MP3s" type scenario.

I assume Heaney v Ireland [1996] 1 IR 580 would apply?

Disclaimer: Not a home work problem just didn't get a great answer off the lecturer. To be fair I do ask him a lot of (stupid) questions he normally answers really well!

GCDLawstudent

GCDLawstudent wrote: »

Does anyone know of any authority for the courts being able to force someone to give up their encryption key for their computer except for in a business investigation setting. I'm thinking in a "has downloaded shed loads of MP3s" type scenario.

I assume Heaney v Ireland [1996] 1 IR 580 would apply?

Disclaimer: Not a home work problem just didn't get a great answer off the lecturer. To be fair I do ask him a lot of (stupid) questions he normally answers really well!

Criminal Justice Act 2011 s.15 (6)

edit: Somehow managed to miss the "other than a business investigation" part.

Victor

There is other legislation, from the last 10 years, that has a similar provision. I don't recollect what the legislation was.

However, if I am correct, it was merely a requirement to render the document legible, not to hand over the password or other encryption.

krd

GCDLawstudent wrote: »

Does anyone know of any authority for the courts being able to force someone to give up their encryption key for their computer except for in a business investigation setting. I'm thinking in a "has downloaded shed loads of MP3s" type scenario.

I assume Heaney v Ireland [1996] 1 IR 580 would apply?

Disclaimer: Not a home work problem just didn't get a great answer off the lecturer. To be fair I do ask him a lot of (stupid) questions he normally answers really well!

I think the best defence is to claim you've forgotten the passwords.

It's not a crime to have a bad memory.



I think the court can try to compel you to hand over passwords - like handing over the key to something. If you can plausibly claim you've lost the key, through your foolishness...........If that's plausible......Dey cannot touch you.

I think that's the defence, Anglo staff, and AIB staff used. And of this moment, none of those guys are in jail, fanning their balls.


And if anyone has problem with my advice......Why don't they complain to the law society..........................Who can't touch me neither. Boo Yah :P

FreudianSlippers

In reality, in a business investigation situation, the company will own the computer in any event; surely they will have master access to the computers and not need your encryption key?

Procrastastudy

If we were to make this a bit more sinister and lets say proof of terrorist activity was on a computer. Additionally it was known that it was unlikely that the password had been forgotten because several people had the password or the computer had been recently booted.

Wouldn't any legislation fall foul breaching ones constitutional right to silence?

krd

FreudianSlippers wrote: »

In reality, in a business investigation situation, the company will own the computer in any event; surely they will have master access to the computers and not need your encryption key?

The answer to that is simply, no.

Whoever encrypts the document, is the only person with the key. The sys admin doesn't have the encryption key.

The guards investigating the banks have come up against people who've had memory lapses in while trying to acquire the keys to encrypted documents.

These days though, the documents can be decrypted in a reasonable time frame.

audidiesel

krd wrote: »

These days though, the documents can be decrypted in a reasonable time frame.

depends on the level of encryption being used. its relatively straightforward to get powerful encryption systems that would take days/weeks or potentially even months to decrypt files.

Procrastastudy

audidiesel wrote: »

depends on the level of encryption being used. its relatively straightforward to get powerful encryption systems that would take days/weeks or potentially even months to decrypt files.

Truecrypt (GNU Free Application) can provide disk encryption that is virtually impossible to decrypt.

Anyone any thoughts on the constitutionality being forced to give up encryption keys in a criminal law scenario?

krd

audidiesel wrote: »

depends on the level of encryption being used. its relatively straightforward to get powerful encryption systems that would take days/weeks or potentially even months to decrypt files.

Computers are a lot faster than they were. Some of those encryptions, in the past, could potentially take years to crack. Now it's a few months at best. But it's surprising. Some people use such bad passwords, the files can often be popped open in the space of a few minutes. I knew someone who had to do a big decryption job - they thought it would take months. It took days.

But in the context of using a document in a court case - a few months might not be a problem. Though it could derail a police investigation.

Carawaystick

krd wrote: »

Computers are a lot faster than they were. Some of those encryptions, in the past, could potentially take years to crack. Now it's a few months at best. But it's surprising. Some people use such bad passwords, the files can often be popped open in the space of a few minutes. I knew someone who had to do a big decryption job - they thought it would take months. It took days.

But in the context of using a document in a court case - a few months might not be a problem. Though it could derail a police investigation.

If a document is encrypted properly with a proper One Time Pad, it cannot be decrypted without knowledge of the One Time Pad

Generating random data is hard though.

reading the act, I wonder if the use of 'password' instead of key or passphrase is a let out.
password is not defined in the act.

Procrastastudy

Carawaystick wrote: »

If a document is encrypted properly with a proper One Time Pad, it cannot be decrypted without knowledge of the One Time Pad

Generating random data is hard though.

reading the act, I wonder if the use of 'password' instead of key or passphrase is a let out.
password is not defined in the act.

"make legible" covers any eventuality.

castie

Is there anything in Irish law you can do to prevent incriminating yourself?

If there was incriminating evidence there by giving up the key you would be convicting yourself there and then.

Can you refuse on this basis?

nompere

There's an interesting discussion going on in the USA at present in relation to decryption and 5th Amendment rights. Here's a link to Slate online from earlier this week:

http://www.slate.com/articles/technology/future_tense/2012/03/encrypted_files_child_pornography_and_the_fifth_amendment_.html

Kolido

GCDLawstudent wrote: »

Does anyone know of any authority for the courts being able to force someone to give up their encryption key for their computer except for in a business investigation setting. I'm thinking in a "has downloaded shed loads of MP3s" type scenario.

I assume Heaney v Ireland [1996] 1 IR 580 would apply?

Disclaimer: Not a home work problem just didn't get a great answer off the lecturer. To be fair I do ask him a lot of (stupid) questions he normally answers really well!

Extreme tortour

tom traubert

This might answer the original question in the op. It is probably what Victor is referring to in his post also.

http://www.irishstatutebook.ie/2001/en/act/pub/0050/sec0052.html#sec52

Procrastastudy

I understand there is statutes concerning this I just don;t understand how they dont fall foul of exactly the same argument concerning the OASA in the origonaly posted case.

Thats said Thanks for all the responses thus far.

Spell check still not working

Carawaystick

GCDLawstudent wrote: »

"make legible" covers any eventuality.

How is legible defined?

ascii cryptext is legible but might not make a load of sense

What would happen in the case where it was mathematically provable that a document could not be unencrypted? Do the laws of nature trump the laws of Ireland?

Procrastastudy

Carawaystick wrote: »

How is legible defined?

ascii cryptext is legible but might not make a load of sense

What would happen in the case where it was mathematically provable that a document could not be unencrypted? Do the laws of nature trump the laws of Ireland?

The wording makes the purpose of the act pretty obvious when read... your semantic argument isn't really answering the question.

ldxo15wus6fpgm

tom traubert wrote: »

This might answer the original question in the op. It is probably what Victor is referring to in his post also.

http://www.irishstatutebook.ie/2001/en/act/pub/0050/sec0052.html#sec52

s.52(6)(a)(iii) has got me thinking here. It states that information compiled in contemplation of any disciplinary/civil/criminal proceedings are exempt from the requirement to make information legible.

My understanding of the CJ theft and fraud offences act 2011 is that it really only applies in a business setting?

So, if I encrypted a document with Truecrypt with a massive password which I can't remember (which the FBI has admitted it has failed to defeat on numerous occasions - http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/ a 20 character password using only the alphabet would take 631 billion years for a supercomputer to crack - see here) I then said to myself "I don't want the cops to see this one!" and took the password for that file and put it in another encrypted document which I memorised the pass for, my understanding is that I would be exempt from the requirements to make the document legible as I encrypted the password in contemplation of prosecution. I would not have to give the password to the file containing the password for the document they want, as I created the second file in contemplation of proceedings.

Or have I got myself mixed up?

Procrastastudy

I think its the Criminal Justice Act 2010 that has a provsion almost identicle to the one found unconstitutional in the OASA in Heany. Thanks for the excellent info in your post - I'll go reseach it and edit this as soon as I get a sec.

Victor

Marilyn Microscopic Bargain wrote: »

s.52(6)(a)(iii) has got me thinking here. It states that information compiled in contemplation of any disciplinary/civil/criminal proceedings are exempt from the requirement to make information legible.

I've not read it, but I presume this means that solicitor-client correspondence is privileged, not that you can encrypt the scam e-mails you have sent.

Procrastastudy

Does anyone know if there have been any cases taken to the ECtHR over s.49 and s.53 of the RIP Act in the UK? I have found Kennedy v UK but it's not really on point.

I'm still on my little hobby horse about how this http://www.irishstatutebook.ie/2011/en/act/pub/0022/sec0015.html#sec15 can be constitutional.

chops018

GCDLawstudent wrote: »

Does anyone know if there have been any cases taken to the ECtHR over s.49 and s.53 of the RIP Act in the UK? I have found Kennedy v UK but it's not really on point.

I'm still on my little hobby horse about how this http://www.irishstatutebook.ie/2011/en/act/pub/0022/sec0015.html#sec15 can be constitutional.

I don't think it is unconstitutional once it is used right, i.e. actually used as part of an investigation and there is a reasonable belief that such documents will be destroyed.

There are many constitutional rights which are only qualified in nature and so are subject to certain limitations.

tricky D

Carawaystick wrote: »

If a document is encrypted properly with a proper One Time Pad, it cannot be decrypted without knowledge of the One Time Pad

It can be decrypted, but the veracity of the message can't be assured as multiple decryptions are possible. Besides one time pads are rarely used outside of diplomatic, nuclear or espionage spheres.

As for handing over keys, the Electronic Commerce Act, 2000, sec 27, 2c has this in relation to making the encrypted data intelligible while not stating anything in relation to handing over the private key:

(c) to seize anything found there, or anything found in the possession of a person present there at the time of the search, which that officer or member reasonably believes to be evidence of or relating to an offence under this Act and, where the thing seized is or contains information or an electronic communication that cannot readily be accessed or put into intelligible form, to require the disclosure of the information or electronic communication in intelligible form.

Procrastastudy

The issues raised ref encryption methods - lets assume that its a method that cannot be decrypted and that there are no issues with the documents being destroyed. Bear in mind its perfectly easy to make an infinite number of perfect copies of even an encrypted hard disk.

My question specifically relates to s.15 of the Criminal Justice Act 2011 and how that can be constitutional given that Heany was successful in the ECtHR, when the SC held that Section 30 of the Offences against the State Act 1939 was constitutional.

Could they just make a declaration of incompatibility with the ECHR?

I suppose I may have answered my own question there that we are not obliged to follow the decisions of the ECtHR. I suppose my question then becomes do you believe that we would, indeed, ignore the decision in Quinn v Ireland?

A scenario presents itself (a potential terrorist trial) which would be almost identical.

MagicSean

I thought the OASA was found unconstitutional because the warrant was issued by a member of the Gardaí who could not be deemed impartial.

Procrastastudy

My reading was that it was held that section 52 was upheld on the basis that the right to Silence was a corollary right of Art 40.6.1 (1) (Freedom of expression) and that this was a proportionate restriction on that constitutional right.

Sorry I had the wrong section doh! Checking now to make sure its defo S.52

52.—(1) Whenever a person is detained in custody under the provisions in that behalf contained in Part IV of this Act, any member of the Gárda Síochána may demand of such person, at any time while he is so detained, a full account of such person's movements and actions during any specified period and all information in his possession in relation to the commission or intended commission by another person of any offence under any section or sub-section of this Act or any scheduled offence.

(2) If any person, of whom any such account or information as is mentioned in the foregoing sub-section of this section is demanded under that sub-section by a member of the Gárda Síoehána, fails or refuses to give to such member such account or any such information or gives to such member any account or information which is false or misleading, he shall be guilty of an offence under this section and shall be liable on summary conviction thereof to imprisonment for a term not exceeding six months.


Section 15 Criminal Justice Act 2011
(6) Where the documents concerned are not in legible form, an order under this section shall have effect as an order—

(a) to give to a member of the Garda Síochána any password necessary to make the documents legible and comprehensible,

(b) otherwise to enable the member of the Garda Síochána to examine the documents in a form in which they are legible and comprehensible, or

(c) to produce the documents to the member of the Garda Síochána in a form in which they can be removed and in which they are, or can be made, legible and comprehensible.

...

(15) A person who without reasonable excuse fails or refuses to comply with an order under this section shall be guilty of an offence and shall be liable—

(a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine or imprisonment for a term not exceeding 2 years or both.

Sorry my initial question was phrased poorly without most of the info. I'm sure I'm probably missing something obvious in the Quinn Judgement - I'll go have a reread - but in the mean time if anyone has any thoughts.