
Criminal Justice (Offences against Information Systems ) Act

Comments

  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    From Section 7 (4) (Modified for brevity)

    A Garda with a valid search warrant may require the operator of the computer to give to the Garda any password necessary to operate it and any encryption key or code necessary to unencrypt the information accessible by the computer.

    So, failure to hand over your password(s) to the PC or any encrypted information on it can lead to a five year jail term.

    Additionally, "information accessible by the computer" seems vague enough to possibly include information not actually stored on the computer - i.e. cloud services.

    I'm feeling a little unsettled by this.


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    If you're the controller of the information then you should be responsible for it regardless of where you store it physically.

    I'd like to see some sort of qualifier on it though, something like "proven to have been accessed from..." rather than "legally accessible from"

    That would require that a device be identified and not just an IP or organisation.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    I agree with you. However, that wasn't the point I was making. The fault is mine for not being clear enough in my post.

    It's not the cloud services aspect of it that I find unsettling. It's the mandatory disclosure of passwords/keys.

    I understand the motivation behind this approach and might agree with it under certain circumstances.

    However, being compelled to surrender keys to an encrypted file/container/service is tantamount to a compulsion to surrender information (a confession, perhaps?).

    This makes me uncomfortable.

    LoLth wrote: »
    If you're the controller of the information then you should be responsible for it regardless of where you store it physically.

    I'd like to see some sort of qualifier on it though, something like "proven to have been accessed from..." rather than "legally accessible from"

    That would require that a device be identified and not just an IP or organisation.


  • Registered Users, Registered Users 2 Posts: 1,819 ✭✭✭howamidifferent


    Seems to be following/copying the UK's RIP act. Not good in my opinion. :(


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    liamo wrote: »
    I agree with you. However, that wasn't the point I was making. The fault is mine for not being clear enough in my post.

    It's not the cloud services aspect of it that I find unsettling. It's the mandatory disclosure of passwords/keys.

    I understand the motivation behind this approach and might agree with it under certain circumstances.

    However, being compelled to surrender keys to an encrypted file/container/service is tantamount to a compulsion to surrender information (a confession, perhaps?).

    This makes me uncomfortable.

    To draw a parallel, I would ask how is a password protected / encrypted container any different from a closet with a padlock?

    Gardai arrive to search a premises for a shotgun used in a robbery and have a search warrant that is all valid and correct, should they not search the locked cupboard because they don't have a bolt cutter with them? Would that mean that if you invest in a larger vault door you can get away with something someone that can only afford a Yale padlock cannot?

    I completely agree with the discomfort of handing over encryption keys and disagree completely with the idea of building backdoors, but why should evidence be inadmissible because the suspect (who was already judged to be suspect enough to be issued a warrant for) thought to encrypt the hard drive or hit ctrl-alt-delete + return when he heard the knock on the door?

    Personally, much as I would defend the right to privacy for any citizen, I would find perfect secrecy for criminal elements a much scarier possibility.

    Of course this all assumes that the authorities don't abuse this access, which, given recent headlines and past incidents of abuse of mobile phone surveillance with little to no repercussions for the offending party, I am not naive enough to believe to be the case. However, on balance, I would still find the capability to evade discovery through technological means the less desirable of the two options.

    We'd just better continue (start) using different passwords for different services so you don't have to hand over everything in one go!


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    LoLth wrote: »
    To draw a parallel, I would ask how is a password protected / encrypted container any different from a closet with a padlock?

    In all honesty, I would have to say "not much different" (apart from scale, perhaps). However, I'm still uncomfortable about it.

    LoLth wrote: »
    Personally, much as I would defend the right to privacy for any citizen, I would find perfect secrecy for criminal elements a much scarier possibility.

    I think I'm leaning somewhat in the opposite direction.

    LoLth wrote: »
    Of course this all assumes that the authorities don't abuse this access .... I am not naive enough to believe to be the case.

    Spot on. I would possibly be less unsettled by this if I had faith in the controls around it.

    LoLth wrote: »
    We'd just better continue (start) using different passwords for different services so you don't have to hand over everything in one go!

    I think - like water - technology (and some clever people) will find a way to simply go around this.


  • Registered Users, Registered Users 2 Posts: 46 nate.drake


    howamidifferent wrote: »
    Seems to be following/copying the UK's RIP act. Not good in my opinion. :(

    I share your concerns howamidifferent. Essentially this is criminalising those who forget their password.

    Also how can we know a volume is encrypted or has just been wiped with pseudorandom data as you can do with the 'dd' command in Linux?

    Next thing you know you're in court because they believe a drive is encrypted when it's just meaningless random data...!


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    You make it sound like gardai will randomly stop you on the street and ask for your passwords and then engage in a spot of police brutality if you hesitate or can't remember if it's a lower case l or a capital i ....

    Look at the legislation: it requires a search warrant, which means evidence has been presented to a judge or senior official who has signed off on the warrant. It's not just a random check.

    Yes, you may get a situation where someone suspected of a crime is wrongfully assumed to be hiding evidence in an encrypted container. So this innocent person is just unfortunate that they happen to be in the same house as someone who has had a search warrant issued for them and the innocent party is using a device that is owned/controlled by the suspect named in the warrant - but it's actually the innocent party's device - and it happens to be linux/mac which happens to have been wiped recently enough using dd and overwritten with the contents of /dev/random

    That's a pretty small subset of the population.

    Also, you wouldn't be in court for encryption, you'd be in court based on the evidence already gathered that made a search warrant covering your system viable for some other crime.

    It's not a perfect law but doing nothing or compromising encryption for everyone would be worse.


  • Registered Users, Registered Users 2 Posts: 3,626 ✭✭✭pah


    The act itself is designed to combat hackers and malware developers who will most certainly have everything encrypted.

    What's the point in enacting legislation in this area that is basically toothless if there is no penalty for refusing to decrypt data?


    This is what the Act is meant to replace.

    Criminal Damage Act 1991

    Unauthorised accessing of data.

    5.—(1) A person who without lawful excuse operates a computer—

    ..... with intent to access any data kept either within or outside the State....
    shall be guilty of an offence and shall be liable on summary conviction to a fine not exceeding £500 or imprisonment for a term not exceeding 3 months or both.


  • Registered Users, Registered Users 2 Posts: 46 nate.drake


    Hi LoLth,

    I don't know, I'm still of two minds about this. It's not very mollifying that they can only do this while executing a search warrant... the good news is that legislation like this will encourage more people to use Plausible Deniability i.e. hidden volumes in their containers.

    The problem is that this also puts anyone subjected to a search warrant in a position that even if they do give up *A* password there's no way to prove it's the only one. Presumably the law technically requires you to give up all keys, even those to hidden containers...


    LoLth wrote: »
    You make it sound like gardai will randomly stop you on the street and ask for your passwords and then engage in a spot of police brutality if you hesitate or can't remember if it's a lower case l or a capital i ....

    Look at the legislation: it requires a search warrant, which means evidence has been presented to a judge or senior official who has signed off on the warrant. It's not just a random check.

    Yes, you may get a situation where someone suspected of a crime is wrongfully assumed to be hiding evidence in an encrypted container. So this innocent person is just unfortunate that they happen to be in the same house as someone who has had a search warrant issued for them and the innocent party is using a device that is owned/controlled by the suspect named in the warrant - but it's actually the innocent party's device - and it happens to be linux/mac which happens to have been wiped recently enough using dd and overwritten with the contents of /dev/random

    That's a pretty small subset of the population.

    Also, you wouldn't be in court for encryption, you'd be in court based on the evidence already gathered that made a search warrant covering your system viable for some other crime.

    It's not a perfect law but doing nothing or compromising encryption for everyone would be worse.


  • Registered Users, Registered Users 2 Posts: 46 nate.drake


    I just read the legislation:
    8. (1) A person who commits an offence under section 2, 4, 5, 6 or 9(1) shall be liable—


    (a) on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both, or

    In that case I think if I were a criminal, I'd probably just plead guilty to refusing to hand over my password and take my 12 months in prison. Certainly if the alternative was being convicted of Terrorism related or child sex offences, there's not much in it.

    The five years seems to be on indictment, so presumably you'd only get this if you pleaded not guilty and went to trial. My concern with this as I mentioned above is if you're not using encryption you could still be convicted.

    For instance, I overwrite the LUKS headers on my laptop with random data each time I go abroad. As you guys know, this destroys the unique 'salt' and master key, so there's no way to retrieve the data but the hard drive still appears to contain random data.

    Of course this means I can safely give the password to anyone who asks but there's no way for them to check it's the real one or to retrieve the files... As other posters have pointed out, most people won't be in this situation, so it might be possible to extort passwords from other users as they do with RIPA in the UK.
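
The point raised in the posts above, that a drive wiped with random data and a LUKS volume whose header has been overwritten both look like meaningless random bytes, can be shown with a short forensic triage check. This is an added example, not part of the thread: the images are constructed in memory, `toy_ciphertext` is a hypothetical stand-in for real disk encryption, and the 7.9 bits/byte threshold and 64 KiB sample size are assumptions.

```python
import hashlib
import math
import os
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # 6-byte magic at offset 0 of LUKS1 and LUKS2 headers
SAMPLE = 1 << 16               # bytes examined per image (assumed sample size)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def toy_ciphertext(key: bytes, n: int) -> bytes:
    """Hypothetical stand-in for ciphertext: SHA-256 in counter mode."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def classify(image: bytes) -> str:
    """Triage verdict based only on what the bytes themselves can prove."""
    if image[:6] == LUKS_MAGIC:
        version = int.from_bytes(image[6:8], "big")  # big-endian uint16
        return f"LUKS{version} header present"
    if shannon_entropy(image[:SAMPLE]) > 7.9:        # assumed threshold
        return "no header, high entropy: encrypted or random-wiped"
    return "low entropy: plaintext or zero-filled"

def demo() -> dict:
    """Classify four constructed in-memory images."""
    body = toy_ciphertext(b"constructed-key", SAMPLE)
    images = {
        "intact_luks": LUKS_MAGIC + (2).to_bytes(2, "big") + body,
        "header_overwritten": os.urandom(4096) + body,  # header replaced by random bytes
        "random_wipe": os.urandom(SAMPLE),              # like dd from /dev/urandom
        "zero_fill": bytes(SAMPLE),
    }
    return {name: classify(img) for name, img in images.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Only the intact header yields a positive identification; the header-overwritten image and the random wipe receive the same verdict because byte statistics alone cannot separate them.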


  • Registered Users, Registered Users 2 Posts: 1,662 ✭✭✭BaronVon


    Actually, the offence of not supplying the password is summary only, i.e. District Court, max of 12 months imprisonment. That means there is no power of detention for the Guards to interview about it either, under Section 4 Criminal Justice Act 1984. As you said, well worth taking the hit if you do have something to hide!

    (4) A member acting under the authority of a search warrant under this section may—

    (a) operate any computer at the place that is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and

    (b) require any person at that place who appears to the member to have lawful access to the information in any such computer—

    (i) to give to the member any password necessary to operate it and any encryption key or code necessary to unencrypt the information accessible by the computer,

    (ii) otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or

    (iii) to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.



    (7) A person who—

    (a) obstructs or attempts to obstruct a member acting under the authority of a search warrant under this section,

    (b) fails to comply with a requirement under subsection (4)(b) or (5), or

    (c) in relation to a requirement under subsection (5), gives a name and address or provides information which the member has reasonable cause for believing is false or misleading in a material respect,

    shall be guilty of an offence.



    (3) A person who commits an offence under section 7 (7) shall be liable on summary conviction, to a class A fine or imprisonment for a term not exceeding 12 months or both.


  • Registered Users, Registered Users 2 Posts: 46 nate.drake


    infacteh wrote: »
    Actually, the offence of not supplying the password is summary only, i.e. District Court, max of 12 months imprisonment. That means there is no power of detention for the Guards to interview about it either, under Section 4 Criminal Justice Act 1984. As you said, well worth taking the hit if you do have something to hide!

    I suppose the question will be for multiple devices whether your sentences would run consecutively or concurrently... for instance my hard drive is encrypted with LUKS (one password), the home folder is encrypted with a different password, my password manager uses another again and my phone has a PIN code... I imagine they'd just give you 12 months for the lot... Maybe out in 6-8 months for first time offender with good behaviour?


  • Registered Users, Registered Users 2 Posts: 1,662 ✭✭✭BaronVon


    You'd get no jail time with no previous convictions, no violence used, no likelihood to re-offend, and a guilty plea..... Suspended sentence all the way, if not the Probation Act with a few quid to charity!


  • Registered Users, Registered Users 2 Posts: 46 nate.drake


    infacteh wrote: »
    You'd get no jail time with no previous convictions, no violence used, no likelihood to re-offend, and a guilty plea..... Suspended sentence all the way, if not the Probation Act with a few quid to charity!

    I forgot to say thank you in the last post infacteh for clarifying things for us. I think this will make for an interesting case. Certainly in the UK we've had a few cases where people have gone to jail rather than surrender their password, they're certainly not getting mine! :D


  • Registered Users, Registered Users 2 Posts: 3,626 ✭✭✭pah


    nate.drake wrote: »
    I'd probably just plead guilty to refusing to hand over my password and take my 12 months in prison. Certainly if the alternative was being convicted of Terrorism related or child sex offences, there's not much in it.

    You're probably better off as you say as the penalties on indictment are up to 10 years for an offence under Section 3.

    This legislation is however specific to information systems - so unauthorised access / corruption / interception of data or unauthorised access to systems and creation of harmful malware etc

    It doesn't relate to Child Pornography (unfortunately) or Terrorism.

