Christopher Wilson, who has his own business programming artificial intelligence systems, is suspected of hacking into police websites and using a voice-changing device to make hoax telephone calls warning of a cyber attack.
When detectives asked Wilson to reveal his computer password to aid in their investigation he refused. They subsequently made a special application to Crown Court judge Roger Thorn QC who ordered that the password should be made available in the interests of national security.
The 22-year-old, who has Asperger’s syndrome, refused to play ball though, handing over 50 different passwords, all of which proved to be fake.
In handing down a six-month jail sentence, Judge Simon Hickey said:
Despite numerous attempts by the authorities to obtain passwords from you in order to investigate, what you did was evade giving any details. Police asked you time and again, served you with a notice and you still did not give them the password.
What you were doing was for your own satisfaction, showing what you could do with your undoubted skill with computers.
But this is a serious offence and I can't avoid an immediate custodial sentence.
Wilson had admitted failing to disclose his password, a breach of the Regulation of Investigatory Powers Act 2000, which requires disclosure in the interests of national security, for the purposes of detecting or preventing crime or in furtherance of the economic well-being of the United Kingdom.
An offence under the Act carries a maximum sentence of two years but that can be increased to five years in cases surrounding national security or child indecency.
Police first investigated Wilson in October 2012 after the vice-chancellor of Newcastle University received two emails saying that a gunman would kill a member of his staff.
The emails were sent under the username of ‘Catch 22’ which police were later able to link to Wilson’s server. At his home in Washington they seized computer equipment but were unable to access it due to the sophisticated password protection employed.
Later investigations then linked the university emails to calls made to Northumbria police, warning that their systems were going to be attacked. An attack did indeed occur, lasting for eight minutes before the site was taken down briefly as a precaution.
Wilson was subsequently arrested in January 2013 and admitted making the call with a voice-changing device but he denied being the attacker, saying he was merely passing on a warning that an attack may come from someone else.
When his phone was examined, police discovered boasts about how he planned to attack the Serious Organised Crimes Agency (SOCA) and his intention to infiltrate the university network in order to obtain passwords for 50 other students. Wilson had also made reference to trolling a police memorial page set up in memory of PCs Fiona Bone and Nicola Hughes who were murdered in September 2012.
In Wilson’s defence, David Lister said:
He has expressed genuine remorse, he bitterly regrets his actions. He was 19 at the time and the impact of his Autism Spectrum Disorder or Asperger's meant he matured more slowly than others.
For the prosecution, Neil Pallister concluded that:
Effectively, the crown's case is, the only appropriate inference to draw from the defendant's refusal to disclose the password to allow access to the computer is it would have revealed activity of the type mentioned in the messaging, namely hacking of police, Serious Organised Crime Agency and university websites.
At this point our American readers may be thinking they get a better deal when it comes to keeping their passwords to themselves due to the protections they are afforded by the Fourth and Fifth Amendments.
Sadly, however, that isn’t likely to be the case.
The Fourth Amendment protects US citizens from unreasonable searches and seizures but does not offer any form of protection where due process has been followed, i.e. a court has authorised a search warrant.
In the case of the Fifth Amendment, things are not quite so clear.
The US v. Fricosu case led to the government demanding that a decrypted version of information on a laptop should be handed over rather than the password itself (which would have been potentially self-incriminating).
Fricosu’s lawyer had argued that she may not remember the password but when, a month later, her husband provided a list of possible logins, she subsequently entered into a plea agreement, thus negating the need for mandatory decryption to be tried and tested in a higher US court.