OnPoint by Keith Ng

Read Post

OnPoint: Legal Context

14 Responses

  • Matthew Poole,

    Normal encryption doesn’t help, as you can be legally compelled to give up the password.

    However, if the penalty for conviction on whatever charges the encryption is delaying is higher than the two-year maximum for failing to release a password, you're better to stay mum and face the music (which will probably be home-D music at that) for withholding your password.

    Auckland • Since Mar 2007 • 4097 posts Report Reply

  • Rich of Observationz,

    Would the use of some sort of duress alarm to destroy data (or encryption keys) be contempt?

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Nick Russell, in reply to Rich of Observationz,

    Yes. You might also be liable for damages for despoiling evidence. If a Court orders you to deliver up evidence the only valid defence is privilege. If the evidence isn't privileged, you cannot avoid the order by uttering magic words or destroying the evidence.

    Wellington • Since Jul 2008 • 129 posts Report Reply

  • Thomas Goodfellow, in reply to Rich of Observationz,

    Ignoramus response: actively using a duress password seems like contempt at best or plausibly destruction of evidence (since that surely includes materials due for searching, not merely materials already known to contain relevant evidence). But of course the penalty may still be less than that which may be due for the offense being investigated.

    But how about a deadman's switch, i.e. a self-powered drive that makes itself physically corrupt if not properly unlocked within some interval? It might be harder to show that stalling on the unlock ("I need to talk to my company lawyer first") was deliberate vandalism than using a corrupting password since it can be seen that the drive says "DEAD" before starting password entry, as opposed to password entry appearing to succeed and then yielding a reset drive. Of course such a needy device would be an utter pain to live with, since the deadman interval needs to be short enough to prevent it being recognised and countermeasures applied (remove power, freeze, ablate chip housings, have Superman fly backwards around world until the drive is unlocked again...)

    But it will take scrupulous discipline to ensure that the only solid evidence is on that drive - many a hacker has been bagged for tradecraft slips. However unless a conviction for evidence destruction is served in addition to sentence the underlying offence attracts then it could be a sensible gamble (practically, not morally - given this I hope such sentences are consecutive?)

    Germany • Since May 2012 • 12 posts Report Reply

  • Ross Mason,

    “At rest” huh? So, traveling through space at a gizillion miles per hour counts as not at rest? I’ll give Einstein a call on that one.

    So if I had 2, 3 or many more “clouds” that constantly shuffled my data around so it was never “at rest”, would that count? What constitutes the “minimum time” of “at rest”? It might be an interesting discussion.

    Does a letter sitting in a letter box constitute it being “at rest”? In the postie’s bike bag? Sitting on my table unopened? Opened, read and put on the table?

    Are the words sitting on the screen in front of me “at rest”? Oops…they’ve gone again….

    Bizarre. And its a nightmare.

    Upper Hutt • Since Jun 2007 • 1590 posts Report Reply

  • Ian Dalziel, in reply to Ross Mason,

    restive missive or Shrodinger's catalogue entry?

    Does a letter sitting in a letter box constitute it being “at rest”? In the postie’s bike bag? Sitting on my table unopened? Opened, read and put on the table?

    Neither particle, nor wave, the letter exists at all points in the journey (alpha to omega) and none of them...

    yrs Half-full Glasshopper

    Christchurch • Since Dec 2006 • 7950 posts Report Reply

  • Moz,

    So does a search warrant require you to obtain stuff for the police? In other words, if your data is in the cloud are you required to download it for them? Or do they have to run off to the cloud and get it from the cloud provider? I'm specifically thinking of the encrypted, distributed storage schemes. No one person or location has all the data, none of it is in your house, but it's all accessible to you.

    Sydney, West Island • Since Nov 2006 • 1233 posts Report Reply

  • Stephen R,

    I have some pgp keys and files encrypted with them on one or other of my hard-disks, which time and the fallibility of memory have erased the passphrases from my memory.

    If my hard disks were searched and a theoretical investigator asked for the passwords, I'm assuming that since none of those files are less than 4 or 5 years old, claiming to have forgotten the passphrase is a plausible defence against charges of contempt for failure to decrypt?

    I've occasionally forgotten the passphrase to a key that's merely days old. I guess it's less plausible in that case, though still (obviously) it has happened to me.

    What level of evidence does a court need to decide if you're showing them contempt in this sort of situation? What possible evidence could you use to prove that you really have forgotten?

    Wellington • Since Jul 2009 • 259 posts Report Reply

  • Ross Mason, in reply to Stephen R,

    I’ve occasionally forgotten the passphrase to a key that’s merely days old. I guess it’s less plausible in that case, though still (obviously) it has happened to me.

    Oh you mean like writing the password down on a piece of paper and swallowing it.

    I presume that means you are safe as it is not at rest, rather, it is in motion....

    Upper Hutt • Since Jun 2007 • 1590 posts Report Reply

  • Ross Mason,

    Upper Hutt • Since Jun 2007 • 1590 posts Report Reply

  • Ross Mason,

    From the wiki link:

    In the same year the High Court also clarified that Norwich Pharmacal orders should not be granted for "fishing expeditions". In Arab Satellite Communications Organisation v Saad Fagih & Anr [2008] Middle Eastern inter-governmental organisations applied for an order against a Saudi dissident for the identification of individuals that "may have been involved" in the broadcast of political material. The High Court refused to grant an order which would compel a third party to make a judgement about who "may have" done something, and ruled that "Norwich Pharmacal does not give claimants a general licence to fish for information that will do not more than potentially assist them to identify a claim or a defendant".[17]

    Does this mean that this could be the reason Kim Dotcom has't been served with one of these to find those "culprits" who might have used Mega to "hide" their music???

    Upper Hutt • Since Jun 2007 • 1590 posts Report Reply

  • nzlemming, in reply to Ross Mason,

    Does this mean that this could be the reason Kim Dotcom has't been served with one of these to find those "culprits" who might have used Mega to "hide" their music???

    It's more likely because he hasn't had access to the servers since the raid.

    Waikanae • Since Nov 2006 • 2935 posts Report Reply

  • tussock,

    It seems kinda silly to have a law that only protects sources and journalists who don't own cellphones or computers, eh. Almost like someone should be thinking of some amendments there, sometime.

    Not that it'll matter once the GCSB's running the infrastructure. It's not like they bothered about warrants before they had all that power.

    Still, enjoy your attempts at cloak & dagger folks, and good luck picking software, operating systems, and hardware that the NSA hasn't built any backdoors into for the whole world to browse.

    Since Nov 2006 • 610 posts Report Reply

  • Paul Campbell,

    Attachment

    Surely what we've found out in the past few weeks is that the NSA is running the infrastructure, even in places here in NZ, the GCSB has already lost control.

    Frankly I don't think we can trust any of them, their interests are not aligned with ours - we have to build our own

    Dunedin • Since Nov 2006 • 2622 posts Report Reply

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.