Sophos Cloud Optix
A university student has fallen foul of the law after refusing to give up his computer password.
Christopher Wilson, who has his own business programming artificial intelligence systems, is suspected of hacking into police websites and using a voice-changing device to make hoax telephone calls warning of a cyber attack.
When detectives asked Wilson to reveal his computer password to aid in their investigation he refused. They subsequently made a special application to Crown Court judge Roger Thorn QC who ordered that the password should be made available in the interests of national security.
The 22-year-old, who has Asperger’s syndrome, refused to play ball though, handing over 50 different passwords, all of which proved to be fake.
In handing down a six-month jail sentence, Judge Simon Hickey said:
Despite numerous attempts by the authorities to obtain passwords from you in order to investigate, what you did was evade giving any details. Police asked you time and again, served you with a notice and you still did not give them the password.
What you were doing was for your own satisfaction, showing what you could do with your undoubted skill with computers.
But this is a serious offence and I can't avoid an immediate custodial sentence.
Wilson had admitted failing to disclose his password, a breach of the Regulation of Investigatory Powers Act 2000, which requires disclosure in the interests of national security, for the purposes of detecting or preventing crime or in furtherance of the economic well-being of the United Kingdom.
An offence under the Act carries a maximum sentence of two years but that can be increased to five years in cases surrounding national security or child indecency.
Police first investigated Wilson in October 2012 after the vice-chancellor of Newcastle University received two emails saying that a gunman would kill a member of his staff.
The emails were sent under the username of ‘Catch 22’ which police were later able to link to Wilson’s server. At his home in Washington they seized computer equipment but were unable to access it due to the sophisticated password protection employed.
Later investigations then linked the university emails to calls made to Northumbria police, warning that their systems were going to be attacked. An attack did indeed occur, lasting for eight minutes before the site was taken down briefly as a precaution.
Wilson was subsequently arrested in January 2013 and admitted making the call with a voice-changing device but he denied being the attacker, saying he was merely passing on a warning that an attack may come from someone else.
When his phone was examined, police discovered boasts about how he planned to attack the Serious Organised Crimes Agency (SOCA) and his intention to infiltrate the university network in order to obtain passwords for 50 other students. Wilson had also made reference to trolling a police memorial page set up in memory of PCs Fiona Bone and Nicola Hughes who were murdered in September 2012.
In Wilson’s defence, David Lister said:
He has expressed genuine remorse, he bitterly regrets his actions. He was 19 at the time and the impact of his Autism Spectrum Disorder or Asperger's meant he matured more slowly than others.
For the prosecution, Neil Pallister concluded that:
Effectively, the crown's case is, the only appropriate inference to draw from the defendant's refusal to disclose the password to allow access to the computer is it would have revealed activity of the type mentioned in the messaging, namely hacking of police, Serious Organised Crime Agency and university websites.
At this point our American readers may be thinking they get a better deal when it comes to keeping their passwords to themselves due to the protections they are afforded by the Fourth and Fifth Amendments.
Sadly, however, that isn’t likely to be the case.
The Fourth Amendment protects US citizens from unreasonable searches and seizures but does not offer any form of protection where due process has been followed, i.e. a court has authorised a search warrant.
In the case of the Fifth Amendment, things are not quite so clear.
The US v. Fricosu case led to the government demanding that a decrypted version of information on a laptop should be handed over rather than the password itself (which would have been potentially self-incriminating).
Fricosu’s lawyer had argued that she may not remember the password but when, a month later, her husband provided a list of possible logins, she subsequently entered into a plea agreement, thus negating the need for mandatory decryption to be tried and tested in a higher US court.
Image of jailed man courtesy of Shutterstock.
What’s most disturbing is the reasoning that “the only appropriate inference to draw from the defendant’s refusal to disclose the password to allow access to the computer is it would have revealed activity of the type mentioned in the messaging….” Not true, people refuse to cooperate for all sorts of reasons. In the U.S. taking the fifth (refusing to speak to police, etc.) is specifically NOT allowed to be used as evidence of guilt.
To be fair, that was just the concluding summary of the prosecuting brief’s case. In other words, the prosecutor (this is an adversarial system, don’t forget) was drawing together all the other facts that had been presented by the prosecution to suggest that there was no reasonable room for doubt that the accused was effectively trying to destroy evidence against him.
The defence brief, who IIRC gets to speak last, no doubt presented exactly the opposite point of view, namely that people refuse to co-operate with the police for all sort of reasons, and that at least some of those would make a perfectly good explanation of the defendant’s decision not to decrypt his data, leaving plenty of room for doubt.
And then the court had to decide whether the case presented did, indeed, overwhelmingly suggest a successful attempt to suppress evidence by the defendant.
This isn’t about choosing whether to testify against yourself or not, but about blockading an investigation. I suspect you will find that even in the USA, the Fifth Amendment doesn’t, for example, give you the right to refuse to unlock a cupboard (closet?) listed in a search warrant, and doesn’t shield you from negative inferences a court might make if you were to do so.
Here, the accused wasn’t actually required to offer a statement, after all. He was asked, or more accurately, required, to surrender the contents of his storage device.
In Germany (where I live) you ARE allowed to refuse to unlock a cupboard listed in a search warrant.
The rule ist: You are not allowed to interfere with the search, but you are under no obligation to help in any way. You don’t even have to open the door to your house. Of course, the police is allowed to break open the door (call the locksmith) if you refuse to open it. But that’s all.
In a constitutional state nobody should be required to incriminate himself or to help in an investigation against himself.
Is this really different in the USA?
There’s a difference between incriminating yourself and acting appropriately in response to a warrant. The cops can’t knock on the door and ask if you shot the young boy out in the street. (Well, they can ASK, but you don’t have to answer.)
But, they CAN come into your house if they have a warrant, and look for the gun used to shoot the victim. And you have to let them in. The idea is that a judge has determined that there’s good reason for them to search. The US Constitution protects against “unreasonable searches”, not just searches in general.
If they have “probable cause”, they don’t even need the warrant. “Probable cause” is when the peace officer has a good reason to suspect you are indeed the killer. For example, if the officer saw a bullet hole in your window that came from inside the house, they wouldn’t need to get a warrant to go inside. This is another example of where the word “unreasonable” comes into play: if it seems likely the person is guilty, entering is “reasonable”. Whether it truly was reasonable or not would come up in the trial.
Finally, without a warrant, they CAN ask for permission to come in and look around. You do not have to give them permission if they don’t have a warrant. (Of course, that makes it look like you have something to hide, so many people will allow the intrusion.)
Actually, the Constitution is quite clear. It’s just that we now live in a police state in which courts chronically ignore or misinterpret the 1st, 4th, and 5th Amendments in favor of “national security.”
Not if your a politician, you can plead the 5th and your good to go..!!
what does happen in the Uk if one has simply forgotten the password? I have many files on my various computers that I have PW protected – including some reasonably valuable commercial code I wrote – fo rwhich I am quite unable to remember or find the passwords 🙁
If you don’t commit any cybercrimes in the UK you won’t have to worry about it. 😉
Bummer about your code – I took to using GitHub many years ago for similar reasons. It’s fairly cheap to go private with GitHub and I put the less sensitive projects on my public repo.
More like “if you aren’t suspected or accused of committing any cybercrimes in the UK you probably won’t have to worry about it.”
When law enforcement is not held to rigid, well thought out and publically upheld standards, everyone is capable of being accused or suspected of anything.
It’s fairly easy for someone to ruin your whole life just because they have a suspicion or make an accusatory statement to the wrong person or agency.
I am pretty sure that if you have forgotten the password, then that’s that. You haven’t refused to surrender evidence, you simply don’t have the wherewithal to do so, and the court couldn’t convict you.
Of course, if the prosecution can show that at first you said you wouldn’t hand it over, and only later that you couldn’t, a jury might understandably conclude you were lying about forgetting it.
Or the prosecution might be able to establish that you must have used the password (for example due to things that happened while you were on bail) after you had said you hadn’t the faintest idea what it was.
I suspect that playing the “I forgot it” card is bit of a gamble if it’s a lie, because your behaviour would need to be consistent with forgetting it throughout the investigation. (And if you play the “I forgot it” card, then no Fifth Amendment or right-to-silence will save you…you have to open your mouth to introduce that claim, and there goes your silence 🙂
The second half of your last paragraph isn’t quite correct. If you say “I forgot” in TESTIMONY, then you better have truly forgotten it. Testimony is a little shy of “under oath”, but it’s the same idea: If you profess your innocence under oath, then you can’t claim the 5th later when cross-examined.
If you just say you forgot when asked casually, you can get away with lying about it. But, even then you are correct: it can seriously backfire. Cops are very good at figuring out how to crack a lie and reveal the truth. Very few people can lie consistently over time.
THIS guy, however, gave 50 false passwords. He clearly isn’t cooperating, despite saying he is.
Regulatory Investigatory (Abuse of) Powers Act 2000 – Fixed that for you.
William …
It works by the authorities who have seized the encrypted information issuing a notice to the person demanding the key/password is handed over by a certain date – the person commits an offence if they fail to hand over the key or make the information accessible by that date.
There is a defence if the person is not in possession of the password/key.
The person has to give sufficient evidence to show this is an issue, then it is for the authorities have to prove – in a criminal court and beyond reasonable doubt – that what he is saying is not true.
Trying to be fair: it is not like some random person has been picked up from the street and asked for a password. He has sent threats and admitted to illegal activities. His phone has also shown that he has been planning to infiltrate computer networks; acts which prompted investigators to think the passwords would reveal more evidence of crimes. Again, they did not just simply drag the innocent bystander proverbial “grandma” out of her home and ask her for her password.
Irrelevant.
No it’s not, He had already pleaded guilty.
Never ever travel via/to cyber-fascist countries like USA or England etc with data even if it is encrypted. Use cloud services for that purpose and at destination country fetch it, use it and remember to wipe it out again.
Worth reminding readers that this case comes under English Law and any reference to US law is an aside. The Washington mentioned in the story is the town of Washington in the administrative ‘county’ of Tyne and Wear in the North East of England.
That the individual refused to adhere to the terms of the RIPA notice meant he had committed the offence and the fact he suppers from an autistic spectrum problem suggests hiw level of understanding of the law is limited – but ignorance of the law is no defence.
Asperger’s syndrome is a condition often found in very high functioning individuals.
For example some think Alan Turing, one of the best minds of the 20th century, is likely to have had Aspergers. The idea that this syndrome denoted any intellectual limits is preposterous.
If he had a business writing code for AI then he was clearly tech savvy enough to write code that would overwrite all data on a hard drive when given a special “destruct password”. He could even program a bar graph of the progress of the overwrite while labeling the graph “decripting drive” so as not to alert the authorities of the data destruction in progress.
Most police use hardware write blockers; which are compatible with most major hard drives that can be purchased by regular users. Destroying information after the fact would not be effective, and could lead to further charges of destruction of evidence.
– NOTICE: I AM NOT A LAWYER AND THIS COMMENT SHOULD NOT BE CONSTRUED AS LEGAL ADVICE.
And if they are working off the original drive rather than a clone they are incompetent..
I was thinking more of a thumb drive than a regular hard drive. They would have to access it before they could clone it.With the storage capacity on modern thumb drives, there is very little advantage to keeping your sensitive data on a hard drive.
Same for hard drives.
Most forensic disk copying systems I’m aware of include some sort of ‘write blocking’ feature – a hardware interlock that is there in addition to careful programming so it is uncontroversial for a court to accept that when the drive was cloned or imaged, the original was not modified in the process, and thus that the clone is for legal purposes “the same as” the original as at the instant it was seized.
There are thumb drives available that won’t even allow themselves to be read until they are unlocked by a password. One in particular even destroys it’s data automaticly if an incorrect password is entered more than twice. It has an internal battery so pulling it out of a computer’s USB port won’t stop the self destruct.
Actually, here in the states we don’t have to worry about giving up our PW. The already have access to all of our stuff anyway!
If we sent it they will come.
The restatement of US Fifth Amendment law is misleading.
United States v. Fricosu was a district court ruling from Colorado, but a subsequent case from Florida within the 11th circuit wend the other way.
Under the Fifth Amendment no one can be compelled to provide incriminating testimony against himself.
But one exception is the foregone conclusion doctrine; if the government already can prove that you are in possession of records it can ask a court to compel its production.
Fricosu lost because she admitted during a taped telephone conversation that the documents sought by the prosecution was on a computer under her custody.
If you hack the police or any other organisation, you’ll hack me & others, … Book Him Danno, …
I like how people want to claim “all of a sudden” forget their password when the police show up. Um, you NEVER forget your password when someone texts you a link to lolcats. So basically anyone is lying when they say they forgot. C’mon people, c’mon.
Correct. And, that’s kind of what I referred to above: The police are good at figuring out what’s a lie and what’s truthful. If they suspect it’s a lie, they can look for other evidence that proves you really do remember it.
For example, if you store your encrypted data in the cloud, but refuse to give the password because “I forgot”, then you better not connect to that same cloud from another PC and your “forgotten” password, because they’ll be watching.
@Paul Ducklin ·
“This isn’t about choosing whether to testify against yourself or not, but about blockading an investigation. I suspect you will find that even in the USA,
the Fifth Amendment doesn’t, for example, give you the right to refuse to unlock a cupboard (closet?) listed in a search warrant, and doesn’t shield you
from negative inferences a court might make if you were to do so.”
You are confusing the Fourth and Fifth Amendment.
Invocation of the Fifth Amendment privilege against self incrimination does not go out the window because the government has probable cause to search your property.
And yes, you have a right to refuse to unlock a box the government claims contains contraband unless it’s proven it belongs to you.
Unlocking a box is a testimonial act if it communicates an incriminating fact — namely that the box is yours.
However, if you either have admitted that the box belongs to you, or the government can prove custody and control from an independent source, it’s now a foregone conclusion, and you no longer have a right to refuse to unlock it.
Why are the police so insistent about getting his password? It sounds like they already have enough evidence to imprison him for a very long time anyway.