[HN Gopher] Irish police to be given powers over passwords
___________________________________________________________________
Irish police to be given powers over passwords
Author : shivbhatt
Score : 304 points
Date : 2021-06-14 12:33 UTC (10 hours ago)
(HTM) web link (www.bbc.com)
| prepend wrote:
| I feel like this was part of a William Gibson short story (Johnny
| Mnemonic maybe) where data gets encrypted with a key unknown to
| the bearer. The key is sent through some channel unknown to the
| bearer. The bearer meets up with the key holders / some Dropbox
| location and decrypts data.
|
| The enhancement here would be some little unencrypted portion/vm
| so the bearer can play FarmVille in transit.
| LWIRVoltage wrote:
| Serious Question- The tech that was built to be an answer to this
| sort of thing, Deniable Encryption and Plausible Deniability,
| exists in... it looks like, Veracrypt, and possibly the Phone
| variant EDS (to a smaller extent)-
|
| But, how come there's been nothing else in the field? The only
| thing that appeared in the past decade to be more advanced on
| that front was this,
|
| https://www.bankinfosecurity.com/rise-self-concealing-stegan...
|
| https://i.blackhat.com/eu-18/Thu-Dec-6/eu-18-Schaub-Perfectl...
|
| https://portswigger.net/daily-swig/russian-doll-steganograph...
|
| and there's been nothing since... It must truly be hard to make
| fully deniable encryption mechanisms..unfortunately....
| MattIPv4 wrote:
| This gives the police the power to force folks to give their
| passwords to the police _when_ there is a valid search warrant
| issued for the electronic device.
|
| Not saying it's great, but at least they have to have an actual
| search warrant for it first.
| xnyan wrote:
| The law gives police the right "to seize any material found at
| that place or in the possession of a person present at the
| place" and "to request assistance from persons present so as to
| gain access"
|
| It sounds like anything found at the address of the
| search warrant is a valid target, and you are legally required
| to assist no matter the reason that you or your device was
| there.
|
| A search warrant is extremely powerful and should clearly spell
| out what it's searching for. If the police find something
| outside of the scope of the warrant, at the very least they should
| be required to go back to the judge and justify why they should
| have access to it.
| anfilt wrote:
| I don't think Ireland scopes their warrants like the US. I
| think warrants are location based.
| totalZero wrote:
| Cross Ireland off the list of places I want to visit. A man's
| phone is an extension of his mind.
| lucideer wrote:
| Wait & see if the bill passes in parliament. After that, I may
| very well contemplate emigration myself (but... to where...)
| TrueGeek wrote:
| From the article:
|
| > "Irish police will have the power to compel people to provide
| passwords for electronic devices when carrying out a search
| warrant under new legislation."
|
| This is not unique to Ireland, we see this here in the US as
| well.
| jhauris wrote:
| This is something that varies state to state. Quick search
| shows that Pennsylvania considers giving up a password as self-
| incriminating testimony (protected by the 5th amendment), while
| Massachusetts does not. They can generally force you to use
| biometrics to unlock or give them a physical key anywhere,
| however.
|
| This seems to be an actively developing area of law around the
| world.
| aaron-santos wrote:
| On the subject of the fifth amendment, there was a (possibly)
| non-serious theory that having one's password be the
| admission of guilt to a crime would serve as protection as
| revealing the password would actually be self-incriminating.
| Like most legal theories on the internet, it (probably) isn't
| true.
| vmception wrote:
| Hold power button on iPhone and it disables biometric without
| turning off the device
|
| They might still have a way to image it though, depends on
| the day as the imaging software always gets thwarted
| kingsloi wrote:
| I'll likely already know the answer (jail time?), but what if
| you were to "forget"?
|
| I have some long passwords that I keep out of password managers
| for private stuff that I don't want to be leaked from a
| password manager leak or w/e. I can remember them, but had a
| really hard time remembering even the start of most of them
| after not using them for a few weeks.
| jagger27 wrote:
| There have been times that I've had to close my eyes and
| completely rely on muscle memory to enter a long password.
| Last time it happened was after a 2 week vacation.
|
| That kind of timeframe isn't abnormal for the speed of law.
| tediousdemise wrote:
| Impressive! After all these years I still need to look at
| the keyboard.
| jagger27 wrote:
| I find it somewhat disconcerting that my fingers remember
| my passwords better than my brain does!
| dkersten wrote:
| Muscle memory still happens in the brain. A better
| description might be unconscious memory. I believe the
| proper term is "procedural memory".
| https://en.wikipedia.org/wiki/Procedural_memory
| spentu wrote:
| This happens to me a lot. I need to have access to keyboard
| for being able to type some older password. Same thing with
| pin codes.. Funny how brain works.
| hwbehrens wrote:
| > _[...] we see this here in the US as well._
|
| This is only true when the revealed information is a "foregone
| conclusion", specifically when it "adds little or nothing to
| the sum total of the Government's information."
|
| Here is a good treatment on the subject:
| https://harvardlawreview.org/2021/04/state-v-andrews/
| tomjen3 wrote:
| I would love to go visit Ireland at some point, it is supposed
| to be a beautiful country and I am a history buff, there are so
| many interesting places to see.
|
| I guess it will have to wait until this law is struck down, if
| ever.
| boredwithlife wrote:
| Just bring a gun. People are so ready to allow gov to get wild,
| but gov will start to hesitate when people begin to express
| displeasure. For example, your friend gets held in contempt for
| not providing a password. You stick it to the state by
| murdering one cop or gov official per day until that person's
| release.
|
| Of course, that relies on people giving up their lives for
| the cause. But that's war.
| [deleted]
| _user112 wrote:
| My friend's password is "All pigs must die"
| mdavis6890 wrote:
| Relevant XKCD: https://m.xkcd.com/538/
| ex_amazon_sde wrote:
| It's not.
| mdavis6890 wrote:
| Why not? I think it's exactly relevant.
|
| Replace "hit him with this $5 wrench" with "put him in jail
| for contempt of court" and it amounts to the same thing.
|
| Give us your password or we will do bad things to you.
| Hamuko wrote:
| What will the EU say about this?
|
| https://www.whitecase.com/publications/alert/european-court-...
| handelaar wrote:
| Its court will strike this down in toto as unlawful. About
| twelve years from now.
| vzaliva wrote:
| Fortunately, nobody has jurisdiction over your brain. They can
| ask you to reveal the password but they have no way to extract
| it from your head. You can always claim you forgot it.
| tzs wrote:
| > They can ask you to reveal the password but they have no way
| to extract it from your head.
|
| I wouldn't be too sure of that. I recall reading about some
| experiments where by monitoring brain activity the researchers
| could fairly reliably tell if a person shown a photo of a place
| had been to that place before.
|
| I can't think of a way to adapt that to extracting a passcode
| or password, but it does suggest that the head is not as safe a
| storage place as we might have thought.
|
| Isaac Asimov had some mystery short stories set in a future
| where there was a machine that could probe a mind and extract
| any information the subject knew, but there was a very small
| chance that a probing would drive the person incurably insane.
|
| The way they balanced the right of privacy and the need to
| protect people from crime was to only allow any given person to
| be involuntarily probed once in their life. Of course this led
| to many criminals trying to arrange so that they would get
| involuntarily probed either over something they were actually
| innocent of or over something they did but that did not have
| too long a sentence. The criminals recognized that for really
| serious crimes juries would be reluctant to convict without
| probe evidence, so once you were probed you could take your
| criminal career much more safely to the next level.
| Err_Eek wrote:
| Idk, there's ways of making you speak
|
| https://xkcd.com/538/
| dane-pgp wrote:
| If your threat model includes "The government is prepared to
| torture me to obtain my encryption keys", it should also
| include "The government is prepared to lie and claim they
| found incriminating evidence on my device, and lock me away
| forever."
|
| Just make sure that your device doesn't contain information
| incriminating _other people_ who the government are trying to
| track down. That means not using real names, or metadata that
| connects pseudonyms with physical identities (e.g. phone
| numbers).
| staticman2 wrote:
| If the Irish legal system is like the U.S. the judge can
| conclude you are lying and throw you in jail for contempt of
| court.
| lbriner wrote:
| That's not quite true. The Crown would have to prove that you
| had either obstructed the investigation (in which case the
| crime would be perverting the course of justice) or you have
| deliberately disobeyed a court order from a previous court
| hearing, in which case you could be jailed but I am unaware
| of a judge deciding that you can be jailed just because they
| don't believe you.
|
| Disclaimer: UK resident who is NOT qualified in law ;-)
| s_dev wrote:
| >Disclaimer: UK resident who is NOT qualified in law ;-)
|
| More importantly these are the Gardai not the PSNI --
| despite the source being the BBC which may have thrown you
| off.
| bitdivision wrote:
| The UK has a similar law [0], which has been used in the past
| to prosecute people for not disclosing their passwords [1].
|
| [0]: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...
|
| [1]: https://www.newstatesman.com/blogs/the-staggers/2010/10/poli...
| yawaworht1978 wrote:
| Wow, this is very bad. Best to only ever use apps with self
| destroying messages and not saving images except where you want
| them to be seen. Warrant or not, this is going very, very far.
|
| I do not think these warrant issuing procedures will be
| throughout, either way, would never trust it.
|
| Which politicians are responsible for passing this into law?
| rusk wrote:
| Heather Humphreys. She is a stand in while the Minister for
| Justice is on maternity leave. She can get away with
| politically toxic stuff because she enjoys staunch support in
| her constituency. She's not known for being the brightest so
| could not have held such a brief under normal circumstances but
| she is great for doing dirty jobs.
| yawaworht1978 wrote:
| Ah yes, thought something like this. This is one of these
| laws, in itself it's bad, but people will not realize, because
| they're - ironically - too busy on their phones on social
| media....
|
| Nobody will go protest in the streets over this.
|
| But a couple 100 single of these shenanigans and the people
| will ask themselves how we ended up in this mess, and
| everyone will jump on the divide train and blame the "other"
| party, when it's really equally distributed usually.
|
| Testimony to that is that nobody opposed this hard enough to
| bring it down.
|
| The only bright side to this is, it appears the governments
| cannot easily access all things, despite five eyes and
| international collaboration.
|
| I find if a case is bad enough for a warrant, then maybe
| deploying a keylogger or similar would be the better way. At
| least then it's handled by a specialist. But delegating this
| to police officers? Hell no
| ploika wrote:
| Ireland isn't part of the Five Eyes though.
|
| I don't really think Helen McEntee's maternity leave is
| relevant either because she's in the same party as Heather
| Humphreys, and they are in a three-party coalition
| government. There's no main partisan divide like there is
| in the US or UK.
| rusk wrote:
| There's no partisan divide? You're having a laugh.
| kstenerud wrote:
| Here's a fun fact! If you appear to the police officer to have
| access or passwords, and don't give it to them, they can charge
| you with obstruction and jail you for up to 5 years!
|
| So if you can't prove that you don't have the password, you're in
| a bit of trouble!
|
| -------------------------------------
|
| 16 (1).(e).(v) to require any person at that place who appears to
| him or her to have access to or to have under his power or
| control the information held in any such computer or which can be
| accessed by the use of that computer--
|
| (I) to give to him or her any password or encryption key
| necessary to operate it,
|
| (II) to otherwise enable him or her to examine the information
| accessible by the computer in a form in which the information is
| visible and legible,
|
| (III) to produce the information in a form in which it can be
| removed and in which it is, or can be made, visible and legible
|
| 67 (2).(d) A person who fails to comply with a requirement under
| Head 9 (1), (2) or (3), or Head 16 (1). is guilty of an offence
| and is liable--
|
| (i) on summary conviction, to a class A fine or imprisonment for
| a term not exceeding 12 months or both, or
|
| (ii) on conviction on indictment, to a fine not exceeding
| EUR30,000 or imprisonment for a term not exceeding 5 years or
| both
| kevincox wrote:
| This is the part that interests me. I always thought that the
| primary reason that Canada and the US have protections against
| self-incrimination was not some moral stance but because it is
| effectively impossible to prove that someone _can_ incriminate
| themselves. With our current technology "I can't remember" is
| basically impossible to disprove.
|
| IIUC The way this works in the UK and is being proposed here
| for Ireland is guilty until proven innocent. You need to prove
| that you don't know something, which is equally impossible.
|
| Of course court rarely "proves" things. It is more aimed at
| "beyond a reasonable doubt" which does allow some chance for
| proving both ways. But I don't think that makes much difference
| to the fundamental issue.
|
| This point of view also cleanly solves the "unlock the phone"
| debate. They can't make you type your password because they
| can't prove that you know the password, but they can make you
| touch the fingerprint reader because whether or not your
| fingerprint unlocks the phone is something that can be tested.
|
| Of course the question of morality is important. Especially as
| we are sprinting towards a future where we have more and more
| visibility into people's brains. It would be nice to answer
| this question, and with the current direction that governments
| are moving it seems like the answer is going to be that
| accessing a suspect's mind is acceptable, which I have very
| mixed feelings about.
| cwkoss wrote:
| I wonder if using a bot that tweets "Fuck, just forgot a very
| important password" about once a month would help.
| nickthemagicman wrote:
| So they can just throw you in jail for up to 5 years under
| SUSPICION.
|
| Stalin called. He wants his laws back.
| dsr_ wrote:
| Anyone here with reasonable knowledge of Irish jurisprudence?
|
| Is that a reasonable worry for someone who has an encrypted
| drive that they forgot the password for?
| MertsA wrote:
| >has an encrypted drive that they forgot the password for
|
| This scenario is indistinguishable from just simply having
| a chunk of random data in your possession. Let's say you
| decide to use shred to delete some file, any file. If you
| become the target of an investigation and they find a
| deleted file and the blocks haven't been overwritten since
| you ran shred they could claim that this file was an
| encrypted archive and jail you for 5 years for not being
| able to "unlock" it.
| syshum wrote:
| That is a wonderful guilty until proven innocent law...
| bennyp101 wrote:
| Ooof, what happens if you use some sort of hardware key as your
| password - yubikey or similar - and it ends up getting broken
| somehow (maybe during you being tackled to the floor or
| something), there would be no way to recover that password or
| TOTP.
|
| Simply falling over and breaking it on your keys would be enough
| to put you foul of this law?
| pbhjpbhj wrote:
| So there's at least some demand for a key that works like a
| Yubikey but has a breakable form (that presumably sets off a
| piezo device that scrambles the key). Keep it in your pocket,
| break it with your hand, or slam your hip into a wall/floor to
| break. Make sure to take the key out before you sit down!
|
| Or, once they exist, just carry a broken key with you for
| plausible deniability?
| ploika wrote:
| Presumably not, because "the key is broken" is not the same as
| "I refuse to hand over the keys". This law, rightly or wrongly,
| is concerned with the latter concept.
| bennyp101 wrote:
| Right ok yea, that is a difference.
|
| I guess "Ah crap, it was on my keys earlier, I must have lost
| it - I can't do anything" would be a grey area!
| lbriner wrote:
| I don't think it would be a grey area. If the police
| couldn't prove that you were lying or had deliberately
| obstructed the investigation, it would be tough luck for
| them if you couldn't get into your own device.
|
| If you were prepared to lose your device, it would be
| easier to ditch it than ditch the keys but, again, not all
| criminals think that far ahead. I read that they caught
| Dread Pirate Roberts because he thought he would never get
| caught (in a public library!)
| bennyp101 wrote:
| I dunno, "losing" a Yubikey Nano would be a lot easier
| and more believable than "losing" a laptop that you are
| known to carry about. In terms of plausibility, I'd
| favour the key being "lost" over the device.
|
| Also, if you have a backup key somewhere, you haven't
| lost any data or your machine.
| RealStickman_ wrote:
| Make sure they don't know a backup exists though, or
| you'd have to unlock that.
| varispeed wrote:
| We need dual profiles on phones and computers - that is you can
| log in to the same account using different passwords and that
| will land you in a different environment depending on which
| password you used. You cannot mathematically prove that there may
| be a second account and thus that gives you a lot of plausible
| deniability.
| flenserboy wrote:
| This makes me half-wonder whether or not concerns about this
| are preventing Apple from implementing multiple iOS accounts.
| goddang wrote:
| It is likely that the "clean" environment will not be used
| often. Therefore, it will not be very plausible.
| handelaar wrote:
| Spoiler: no they are not.
|
| EU Directive 2016/343 part 25 very clearly prohibits this kind of
| nonsense. Yes, the Irish state insists on pretending that EU law
| doesn't exist over and over and over again, but how wrong it is
| about that is documented by its endless appearances at the CJEU
| in Luxembourg and its 0% win record.
| derriz wrote:
| Where did you get the 0% win record? Googling throws up a bunch
| of cases which have mixed outcomes - most recently their
| success in the case against the commission.
| choeger wrote:
| Interestingly, such a law does nothing against proper criminals.
| People that know they have incriminating evidence will either not
| carry it on their phones or use some form of steganography to
| hide it perfectly. In the worst case, they will have some form of
| wipe-me passphrase that cleans the device before unlocking.
|
| Normal people, on the other hand, do not have these kinds of
| (mental, time) resources. They will be forced to unlock their
| phones and _something_ incriminating (for instance regarding
| "hate speech" or "intellectual property rights" or just "traffic
| violations") will be found. I consider this approach one step
| more in the direction of keeping every citizen an on-demand
| criminal. There are so many, sometimes incomprehensible, laws
| nowadays that pretty much everyone is not compliant.
| pavel_lishin wrote:
| > _People that know they have incriminating evidence will
| either not carry it on their phones or use some form of
| steganography to hide it perfectly._
|
| I think your point is valid, especially the part about normal
| people, but you might be overestimating the intelligence of
| most criminals.
| lbriner wrote:
| "Proper criminals"? What does that even mean?
|
| There are hundreds of criminals who are not tech savvy (or not
| tech savvy enough) who will not have any of the mechanisms you
| postulate, who are frequently caught by the police and are very
| much "proper criminals".
|
| I don't agree with this law but to say it doesn't do anything
| against proper criminals is patently false.
| dangerface wrote:
| I think it's more that proper criminals have no reason to give
| up their password and incriminate themselves. Only a "Legal"
| person would comply.
| chrisseaton wrote:
| Can't you say this about all laws?
|
| 'What's the point of a law against breaking and entering? A
| criminal will break and enter anyway!'
| bsd44 wrote:
| Law is more than just Criminal law.
| chrisseaton wrote:
| Ok? What difference do you think that makes?
| ska wrote:
| > such a law does nothing against proper criminals.
|
| Doesn't sound right to me; the intersection between criminals
| and people with good information opsec is tiny (mostly because
| the latter category is tiny anyway).
|
| I agree the law is problematic, but not for that reason.
| runarberg wrote:
| Out of curiosity. Why do you mention the latter group (people
| with good information opsec) is tiny when the former group
| (criminals) is probably an order of magnitude smaller?
| throwaway744678 wrote:
| (Not OP) It does not really matter: if someone is a
| criminal (however tiny that group is), and we make the
| (reasonable?) hypothesis that criminals are not more (nor
| less) informed than the general population, the
| intersection is really tiny. tiny * tiny = very tiny
| [deleted]
| runarberg wrote:
| The two variables aren't independent so you can't just
| multiply the two. You must account for their covariance
| before you do that.
| ska wrote:
| > is tiny when the former group (criminals) is probably an
| order of magnitude smaller?
|
| How did you arrive at that? Even a significant fraction of
| people I know who _do security work_ would agree they don't
| in general have good info opsec, because it's a pain in
| the ass. Most of the technical people I know wouldn't even
| know how to do it properly.
|
| "Criminals" is hard to define precisely, but some small
| integer percent is at least a reasonable lower bound.
| Afaics people who are actually good at info opsec don't
| number in the millions.
|
| So even if we simplify by assuming the rough magnitude of
| both groups is the same, you still have the intersection of
| two small groups -> tiny. This is probably complicated a
| little bit because criminals have more incentive than
| average, if not more experience.
| fedreserved wrote:
| Many smaller rust belt cities where the factories left the
| majority of employment is drug dealing. I have to imagine
| there's a sizable minority in states like
| California/Colorado/Washington etc with marijuana growers
| luke2m wrote:
| Re to mLuby: you don't have to work in infosec to be
| worried about it.
| jeltz wrote:
| But not everyone in infosec has good security because it
| is a pain in the ass. I would say people with good
| personal infosec is at most the same order of magnitude
| as criminals but probably fewer.
| mLuby wrote:
| Honestly I thought you were way off base and that the
| number of criminals would be orders of magnitude higher
| than infosec workers, but apparently I'm wrong.
|
| "in 2020, there were 1.8 million people in prison" [1]
|
| "[in 2019,] the country's total employed cybersecurity
| workforce is just 716,000" [2]
|
| "There are about 465,000 open positions in cybersecurity
| nationwide as of May 2021" [3]
|
| [1]: https://easyreadernews.com/why-are-so-many-americans-in-pris...
|
| [2]: https://www.csis.org/analysis/cybersecurity-workforce-gap
|
| [3]: https://www.cbsnews.com/news/cybersecurity-job-openings-unit...
| [deleted]
| chrisseaton wrote:
| > proper criminals
|
| Lol now gatekeeping criminality!
| whoopdedo wrote:
| I think the ANOM case demonstrates that criminals are not
| sufficiently more technically adept than the general public.
| knob wrote:
| > an on-demand criminal.
|
| Wow. What a phrase.
| elliekelly wrote:
| It's an apt description for broadly-scoped criminal laws with
| highly deferential and selective enforcement. I'd bet a
| prosecutor could look at any given cellphone and find
| _something_ to charge the owner with.
|
| Edit- It reminds me this first amendment wonk who pissed off
| local police and was then ticketed for failure to register
| his bike: https://m.youtube.com/watch?v=28w6xvRj9EM
| everdrive wrote:
| >such a law does nothing against proper criminals. People that
| know they have incriminating evidence will either not carry it
| on their phones or use some form of steganography to hide it
| perfectly.
|
| I oppose such a law, as it appears to be very poorly written,
| but it's pure fantasy that criminals won't do crime via their
| phones, or will use some sort of advanced steg. Maybe some very
| talented criminals will do such things, but most criminals are
| just people: they either don't understand technology well, or
| else simply engage in risky behaviors.
| ggggtez wrote:
| I agree. Most criminals are not very bright, and in the case
| of large organized crime, you still need to be able to
| communicate with employees that aren't very bright. Custom
| steganography comes at a cost to your organization in terms of
| troubleshooting and reliability...
|
| The drug dealers are probably just using whatever encrypted
| app they hear works well, which is why there was that big
| successful sting using an FBI controlled app recently.
| vixen99 wrote:
| Criminals not very bright? If this is true there seem to be
| an awful lot of bright ones in Britain.
|
| "A suspect was charged in 7.8% of crimes recorded in
| England and Wales in the year to March 2019, down from 9.1%
| the previous year".
| cwkoss wrote:
| Most cops aren't very bright either.
| [deleted]
| Krasnol wrote:
| > I agree. Most criminals are not very bright,
|
| The bright ones are not being caught and therefore not on
| the list of criminals.
| cwkoss wrote:
| Laws are so arcane and complex that most people have
| violated some law if you look hard enough.
|
| Ex. "More than 70 percent of American adults have
| committed a crime that could lead to imprisonment."
|
| https://www.politifact.com/factchecks/2014/dec/08/stephen-ca...
| Krasnol wrote:
| Alright, let's say: "not on the list of criminals
| relevant for the topic".
| kebman wrote:
| Food for thought: Attending a diplomatic dinner where EU
| liaisons from various police forces were also present, the
| head investigator of that country--which I shall not name--
| told me that their country's biggest outflow of crime to
| other European countries, were high tech economic crime such
| as card skimming, money laundry, and white collar crimes.
| I.e. things that require at least some technical
| understanding to perform.
| bennyp101 wrote:
| Can they use something they find if it's not in the scope of
| the warrant? (I have no idea?)
|
| But yea, your high profile criminal doing the _real_ bad stuff
| is not going to be walking around with it on something that
| keeps a record.
| barsonme wrote:
| Fruit of the poisonous tree doctrine mostly doesn't exist in
| Europe.
| dkersten wrote:
| It sounds to me that the warrants are scoped by location, not
| by purpose.
| dangerface wrote:
| True only normal people will feel compelled to give their
| passwords to authority. A criminal won't give a shit there is
| nothing an authority can do to compel a criminal to incriminate
| themselves. I mean what can they do arrest them? I think
| criminals have made their peace with that.
| Black101 wrote:
| That reminds me of the recent post titled "I Miss the Old
| Internet (2019)" ... every time they create a new law, it makes
| the old Internet disappear.
| cge wrote:
| This appears to actually go significantly beyond enforced
| password disclosure. From the text (
| http://www.justice.ie/en/JELR/Gen_Scheme_of_AGS_(Powers)_Bil...
| ), on Head 16 (p 28):
|
| - An officer can use these requirements on anyone who "appears to
| him or her to have access". They don't appear to need any
| evidence beyond that. The person does not need to be a suspect
| or, it appears, the subject of a warrant, just a person present
| at the location subject to the search warrant.
|
| - It applies not just to access to information on the device, but
| information "which can be accessed by the use of that computer",
| and thus presumably includes information that is on other
| machines, or potentially not even in Ireland or the EU.
|
| - It allows officers to freely operate computers on site during a
| search (this seems like horrible forensic practice?), and use
| passwords found on the site to try to access any information
| accessible from the computer.
|
| - It does not just include disclosing passwords. It includes "any
| password or encryption key", and anything "to otherwise enable
| [the officer] to examine the information accessible by the
| computer".
|
| - It even appears that it allows officers to compel people not
| just to disclose passwords but to actually _operate_ the device
| for them so as to enable information access, and "to produce the
| information in a form in which it can be removed".
|
| - It is not clear to me that there is any restriction on the
| scope of information, so long as it is in some way accessible.
|
| - Head 17 appears to allow even legally (or otherwise) privileged
| information to be seized, so long as "the confidentiality of the
| material can be maintained pending the determination by the court
| of the issue as to whether the material is privileged material".
|
| Combining these powers would seem to be able to result in
| ridiculous situations, for example, forcing a person to take data
| from a US server using an SSH key on their laptop, potentially
| violating US law by doing so, and for the person to do all the
| work necessary to do this themselves.
| merlincorey wrote:
| > - It even appears that it allows officers to compel people
| not just to disclose passwords but to actually operate the
| device for them so as to enable information access, and "to
| produce the information in a form in which it can be removed"
|
| I can see it now: "I'm sorry, Officer, but my company's Data
| Loss Prevention (DLP) policy will not allow this document to be
| copied to any removable media or emailed outside of the
| company. I can make a request to Compliance for an exception
| but they take 7-10 days to respond!"
| bennyp101 wrote:
| > - An officer can use these requirements on anyone who
| "appears to him or her to have access". They don't appear to
| need any evidence beyond that. The person does not need to be a
| suspect or, it appears, the subject of a warrant, just a person
| present at the location subject to the search warrant.
|
| Well that's handy then, the "helpful roommate" tries his best to
| enter the password, but didn't realise that after 3 wrong tries
| it wipes the device!
| cge wrote:
| Yes, this legislation either seems to have been written by
| people who just want overly broad powers they'll use in a
| technically sound way, or by people who have no understanding
| of computer forensics.
|
| The way it's written makes it sound like the officers would
| be rifling through the computers and phones on site trying
| passwords they've found, themselves, or standing over the
| shoulder of people being forced to do so. It specifically
| talks about forcing someone to make information "visible and
| legible" and about copying documents, rather than just making
| forensically secure images of devices.
| bjornjajayaja wrote:
| They would probably have to bag the devices as evidence.
|
| But let's be serious here it has to be at a place where a
| warrant is issued right? Tech folks are super paranoid.
| Like, try to make sure no warrants are out for you and your
| cousins and you should be fine. If you're in the wrong
| place at the wrong time: sucks to be you anyway!
| ipaddr wrote:
| Like a store or tech conference or a city. Location is
| overly broad.
| [deleted]
| bennyp101 wrote:
| If so, it's a recipe for disaster.
|
| Easy enough to booby trap discreetly to delete things if
| not accessed the 'correct' way.
|
| Maybe this is to show that this approach is so crazy that
| it could never work (hence the written reports to gather
| data), and that they do actually need <insert some crazy
| power> here in order to do it properly because "we tried to
| do it the nice way and it didn't work"
| yawaworht1978 wrote:
| Can you elaborate how you would do that on a mobile
| device, laptop/pc? Would you run different partitions?
|
| Can it be done by giving them one wrong password which
| will trigger a disc erasure?
|
| Serious question, as I wouldn't know how to do that.
| MertsA wrote:
| Look into PAM configuration. In particular I think you'd
| probably want some combination of pam_faillock and
| pam_exec. pam_exec can be used to call some arbitrary
| script to wipe your disks and possibly be extra evil and
| call flashrom to even wipe the firmware beforehand.
| klyrs wrote:
| The easiest solution I see is to write a custom screen-
| lock for Linux. That could be defeated by a simple
| reboot, but the hapless roommate in this scenario
| wouldn't know to do that.
|
| For example, insert your filesystem-nuke (perhaps with an
| attempts counter) around line 78 of main.rs here
| https://github.com/akermu/rlock
| hatboxreappoint wrote:
| Not quite the same but a hidden veracrypt volume [0]
| would easily circumvent this law.
|
| [0] https://veracrypt.eu/en/docs/hidden-volume/
| RealStickman_ wrote:
| How exactly would you create this booby trap? I'm not
| aware of anything that could do that, apart from
| VeraCrypt hidden volumes maybe.
| bccdee wrote:
| Deleting probably wouldn't be the best approach, because
| (a) the drive could just be duplicated before-hand, (b)
| they'd know you'd done it.
|
| Better just to buy a bunch of USB sticks, wipe 'em all
| with random noise, use a couple for mundane files, and
| use a couple for sensitive files -- deniably encrypted so
| as to look like random noise. Then, you can plausibly
| deny that they contain any sensitive files.
|
| The real issue here is that we shouldn't _need_ to use
| these sorts of measures. No one will do this unless they're
| a software professional with something to hide, and
| "having nothing to hide" doesn't mean you're not still
| entitled to privacy.
| DistressedDrone wrote:
| > (b) they'd know you'd done it.
|
| That depends entirely on how exactly you do it. And
| knowing something and being able to prove it are two very
| different things.
| rapht wrote:
| > Easy enough to booby trap discreetly to delete things
| if not accessed the 'correct' way.
|
| Exactly! If I had anything to hide, I'd make sure to give
| them the 'correct' password that will wipe out selected
| data from the device.
| Accujack wrote:
| >Yes, this legislation either seems to have been written by
| people who just want overly broad powers they'll use in a
| technically sound way, or by people who have no
| understanding of computer forensics.
|
| Or both.
| Zuider wrote:
| Or they wish to extend the powers to detain, arrest and
| issue fines so that they can be based on over-broad and
| ill-defined premises.
| ozim wrote:
| I can even see an option where they want me to unlock the
| phone but I was so stressed that I totally forgot my pin and
| I was trying to be helpful by trying as many times as
| possible...
| Anthony-G wrote:
| Interestingly, the Irish Times coverage of this change in Irish
| law [1] has:
|
| > Security sources said the person refusing to surrender their
| password would have to be a suspect in a crime and trying to
| obstruct the investigation of that core offence before they
| would be convicted over the password refusal.
|
| It's annoying that media coverage (by the "newspaper of
| record") would rather cite speculation by anonymous sources
| rather than link directly to the text of the actual Bill. It's
| only when I check the discussion on Hacker News that the source
| is directly referenced.
|
| On the other hand, the state broadcaster does not even deem
| this proposed change to Irish law to be newsworthy enough to
| warrant coverage on its news website [2].
|
| Somewhat Off Topic: The typesetting of the Bill itself is
| woeful and really impacts on readability of the text. It seems
| like the content was copied and pasted from multiple sources
| into MS Word without any consistent styling or indentation to
| reflect the hierarchy of bullet points.
|
| 1. https://www.irishtimes.com/news/crime-and-law/new-garda-
| powe...
|
| 2. https://www.rte.ie/news/
| advisedwang wrote:
| > It is not clear to me that there is any restriction on the
| scope of information
|
| Presumably the warrant defines the scope of the search. Of
| course the judges issuing the warrants aren't technical and
| generally cooperate with investigations, so I would expect
| vague and over-broad warrants to be the rule.
| cge wrote:
| I'm not too familiar with Irish law, but the explanatory
| notes for Head 16 seem to suggest that the search warrants
| would be scoped by location, rather than topic.
| thanhhaimai wrote:
| The Arts of Confiscating Cryptocurrency, entry #7:
|
| - Stage a crime scene next door to the targeted machine.
|
| - Ask for a warrant for the location.
|
| - Knock on the door and ask the person to give the password for
| the Bitcoin.
| bakedbeanz wrote:
| > It applies not just to access to information on the device,
| but information "which can be accessed by the use of that
| computer"
|
| So... basically the entire internet, then?
| dheera wrote:
| We need to invent hardware with biometric verification such
| that the device will not give access without the rightful owner
| present and operating it.
|
| Otherwise this will degenerate into police being allowed to
| seize devices and operate them away from their owner's
| presence.
|
| Make it possible to "lock in" a single biometric profile and
| not permit adding a second profile without automatically wiping
| all data.
| dsr_ wrote:
| A biometric is a username, not a password.
| LatteLazy wrote:
| We have those. But compelling a finger print is much easier
| than a password.
| dheera wrote:
| Have it as a second factor. Just make it harder for police
| to confiscate devices. U2F keys are great but they can be
| confiscated too along with your password. Fingerprint or
| face is possible to copy but much harder. Most police don't
| walk around with 3D face scanners.
|
| Also make software self-destructing with a warning, i.e. if
| the user chooses it at installation time, all data will be
| destroyed automatically by the OS if they move the device
| off-premises. Make the setting unchangeable after
| installation time.
|
| Police won't want to destroy evidence, so they'll have no
| choice but to leave it on premises.
|
| I'm not trying to enable criminals, but rather enable
| whistleblowers and to not succumb to unreasonable new laws,
| and keep unethical searches for bad reasons in check.
| ex_amazon_sde wrote:
| > Also make software self-destructing with a warning
|
| This is not how forensic analysis works. Data is copied
| to read-only supports before any attempt of access is
| made.
| mLuby wrote:
| Exactly. Biometrics are awful because
|
| 1. they can be compelled by force,
|
| 2. they can be physically collected, unbeknownst to the
| owner,
|
| 3. they share all the risks of digital passwords, including
| being leaked,
|
| 4. they can't ever be changed, even when known to be
| compromised by 1, 2, or 3.
|
| Much better to have 2+ passwords for deniable secrets.
| A unlocks the device. Most people only have this one
| "normal" password. B unlocks the device plus secret
| b, maybe some extra kinky porn so people feel they've found
| your real secret. C unlocks the device plus secret
| c, your real secret, maybe Bitcoin wallets or that novel
| you've been working on forever.
|
| If there's software on the device that does this, it's only
| evidence that 1+ secret dirs _might_ exist. It should be
| impossible to tell that c exists, let alone compel its
| disclosure via C. But if b is quite stale, that's at least
| a hint that c might exist.
| drvdevd wrote:
| or even better ... a kernel backdoor to expose hidden
| encrypted filesystems and false physical disk size
| reporting, with a specific userspace trigger (eg: open
| the password manager, when this password is selected
| destroy the hidden filesystem(s); when this other app is
| opened and the phrase "X y Z" is typed, expose the hidden
| filesystem as a disk to userspace).
|
| You can go on forever with this stuff, especially if you
| have root on the device. Which gives you some clues about
| the true purpose of laws like this and who thinks they
| are useful.
| dec0dedab0de wrote:
| no, what you do is make a second password for the same
| account that opens a secret profile with different access.
| lawn wrote:
| The police can also do fun stuff like force you to send all
| your Bitcoins to them. Without a warrant or evidence of any
| kind.
| gentleman11 wrote:
| I wonder if you could bend the wording as an excuse to seize
| somebody's crypto assets for the duration of the
| investigation and after
| dylan604 wrote:
| so that would make them a good target for ransomware with
| all of those extra coins. or just hack them to get access
| to wallets to transfer funds. they are cops after all, so
| it's doubtful their own OpSec would be very good. Password
| try 1 "back the blue", Password try 2 "respect my
| authority"
| cwkoss wrote:
| Horrifying thought, there are probably active duty cops
| in the US with the n-word in their password
| Thiez wrote:
| That actually sounds like a great way to lessen the
| temptation of sharing passwords.
| bjornjajayaja wrote:
| In theory though, this is no different than making someone
| "empty their pockets." It's just we happen to have information
| in our pockets.
|
| Folks, keep your information AT HOME where it belongs. Don't
| dirty the streets with those ugly snaps no one wants to see
| (unless there's a cat filter) :)
| MereInterest wrote:
| In theory, there's a world of difference between the two.
|
| * Pockets may contain items that are dangerous to an
| arresting officer, or to other arrestees. Emptying pockets
| serves the purpose of removing that danger. Data stored on a
| phone are not dangerous to nearby people, and so there is no
| corresponding danger that needs to be removed.
|
| * Pockets can be verified to be empty, and so it can be
| verified that the person has complied with the order. There
| is no way to verify that all information accessible from a
| computer has been revealed. A police officer can demand that
| a suspect produce passwords that they don't have, then use
| the "noncompliance" as a way to add additional charges.
|
| * Emptied pockets can be returned to their original state. If
| my pockets contain a driver's license, $5 and lip balm, those
| items can be returned to me. If I reveal a password, the
| reveal of that password cannot be undone, and that account
| must be assumed to be compromised.
|
| * (For the US only) I have the enumerated right for my papers
| and effects to be secure against unreasonable search and
| seizure. A full investigation of accounts to which I have
| access, done at the site of an arrest, by untrained officers,
| with no checks for data security, no limits on the breadth of
| the search, with no basis of reducing external harm, and no
| right to contest the disclosure until after it has occurred,
| is entirely unreasonable.
|
| I agree with your conclusions, that information security is
| important and should be more widely practiced. I disagree
| strongly with how you reached that conclusion, as a physical
| search of pockets is entirely unlike a search of one's phone
| or connected devices.
| Sebb767 wrote:
| > this is no different than making someone "empty their
| pockets."
|
| Except they can take your key, search your house, take your
| work key from there and drive with your car to your workplace
| and search everything there you can access, as well. So
| metaphorically as well as actually (home server etc.), your
| home is not safe.
| mysterydip wrote:
| I wonder what would happen in the event of a person working for
| a foreign government (diplomat, etc on assignment) being forced
| to log in to their govt laptop and access confidential info.
| Mauricebranagh wrote:
| "I assert diplomatic immunity"
| mysterydip wrote:
| Can regular government workers do that, or just actual
| diplomats? If the latter, just go for their assistant.
| 35fbe7d3d5b9 wrote:
| Under the Vienna Conventions, only people with diplomatic
| rank have full diplomatic immunity. Administrative and
| technical agents _do_ have diplomatic immunity, but only
| for actions taken "in the course of their duties."
|
| But it wouldn't matter: documents and archives of the
| state are inviolable no matter where they are. And the
| property of a diplomatic mission must remain free of
| search and seizure.
| coldacid wrote:
| I can't wait for some Irish cop to start a massive
| diplomatic incident because some embassy worker happened
| to be in the wrong neighbourhood.
| repsilat wrote:
| I think this is more likely to bite as it pertains to
| Ireland as a friendly business environment than it does
| to Ireland as a diplomatic partner.
| xvector wrote:
| This is nuts.
| rapht wrote:
| I'd be interested in the reaction of all the folks who put
| their datacentres in Ireland (for tax or other purposes :p).
| TX0098812 wrote:
| It seems every time that England and its neighboring countries
| create any form of legislation regarding the internet, it's in an
| authoritarian direction. It's distasteful and gives me a bad
| feeling about these places.
|
| People should get on a ship somewhere and build a colony with
| freedom as an ideal. Something like that.
| young_unixer wrote:
| > People should get on a ship somewhere and build a colony with
| freedom as an ideal. Something like that.
|
| https://en.wikipedia.org/wiki/Liberland
| Sebb767 wrote:
| > People should get on a ship somewhere and build a colony with
| freedom as an ideal
|
| Somebody tried that. Did not fare that much better [0].
|
| [0]
| https://en.wikipedia.org/wiki/Mass_surveillance_in_the_Unite...
| mdavis6890 wrote:
| I think he was talking about Seasteading:
| https://www.seasteading.org/
|
| (j/k, kinda)
| Kim_Bruning wrote:
| Ireland is currently a country that is very friendly towards
| large corporations, and a lot of EU data is stored in Ireland. I
| don't see how these rules safeguard such data; and I don't see
| how GDPR is complied with.
| bennyp101 wrote:
| I guess that if you have PII on your device/machine that is
| extra sensitive, you probably also have a decent size company
| behind you, in which case you could refuse until the legal team
| gets to you and challenges the warrant or asks for an actual
| forensics team to do the investigation - of course you may just
| give it up and let the company deal with the fallout after.
|
| If as another commenter has said, it is based on location,
| rather than specific devices, then I can't see a lot of these
| warrants holding up once it affects someone with a lot of
| classified stuff on there. Eg. You pop round a friend's house
| from work, you do contracting work for the MOD and have your
| work laptop with you, turns out your friend is involved in some
| financial "bad stuff" and you happen to be there.
| lbriner wrote:
| GDPR explicitly permits data to be accessed for legal purposes.
| I'm sure most judges would be well aware that their warrants
| shouldn't be overly broad but there is also a trust in legal
| officers to be discreet enough not to disclose anything they
| might have accidentally seen.
| blakebreeder wrote:
| What's to stop someone from "forgetting" their password?
| ww520 wrote:
| How well does the I can't remember excuse work in this case?
|
| This actually is pretty bad. Password is not just for information
| revealing. It's for proof of ownership and control of the
| accounts. Revealing the password means ceding control of the
| accounts to police.
| lucideer wrote:
| Whatever the likelihood of this passing, the BBC's coverage here
| seems poor: right now this is a Bill. It's far from being made
| law.
|
| Some good analyses from actual informed Irish-based perspectives
| here:
|
| https://twitter.com/Tupp_Ed/status/1404380471186821122
| rusk wrote:
| Thanks for this, I've been looking for a good run thru like
| this all day. There's a lot (70 odd tweets) in that linked
| thread anyone looking for the summation can look here
| https://twitter.com/drvconway/status/1404425167699382278?s=2...
|
| There is little in the analysis that gives me comfort. FG are
| the law and order party but paradoxically they have a history
| of passing poorly conceived laws presumably because they don't
| feel the downsides will ever apply to them, and to provide
| enough legal ambiguity for those well connected to wriggle
| free. Ambiguity also good for the legal folk that constitute
| the rank and file of their membership.
|
| They are currently shored up in coalition with another
| establishment party (FF) and the greens so it's conceivable
| that much of this could get through without challenge.
|
| Of course it's important to remember that it is kite flying
| season and there is a battle for hearts and minds with the main
| opposition party (Sinn Fein) so it might just be a matter of
| whipping up their conservative base.
| sys_64738 wrote:
| Last time I was in Ireland, we only saw a Garda at the airport
| and nowhere else. I mean, nowhere else at all. No police cars on
| any road and none in any towns. It was very quiet so how would
| they enforce this?
| PhasmaFelis wrote:
| Just because you didn't see any police on your visit doesn't
| mean there are none.
| mandmandam wrote:
| Organise a protest against being taxed a third time for water,
| or protest against a large fashion company pulling out with
| giving you your contractually obligated severance pay, and the
| Gardai will show up 40 strong.
|
| Landlords have gotten Gardai to assist evictions multiple
| times, even without cause or paperwork being shown.
|
| In contrast, a week ago or so it came out that Gardai were
| ignoring thousands of domestic abuse calls to emergency
| services - just deleting them without follow-up.
|
| I could go on and on but let there be no doubt, these are not
| people you would want to trust with your phone - and if you are
| crossing them they absolutely will show up and stand by as you
| get pulled around by your ears by balaclavaed thugs, etc.
| abstractbarista wrote:
| It's better to live life in prison for not giving up a password,
| than to be convicted of whatever they might find. (Not all will
| agree with this mentality, and that's fine.)
| gowld wrote:
| Why? Isn't life in prison effectively the conviction?
|
| I could see, "better than to reveal a secret", but that's not
| "conviction"
| adamauckland wrote:
| There's different types of prison
| BitwiseFool wrote:
| What is the deal with the governments of the British Isles being
| so intrusive and privacy hostile? I'm always hearing about new
| laws that intrude on personal privacy while also establishing an
| extensive surveillance capability. What is it about the cultures
| of that place that make the people so accepting of such
| government overreach?
| dehrmann wrote:
| Random thought: they all have terrorist attacks in recent-ish
| memory.
| Macha wrote:
| It's Limerick criminal gangs and the typical "think of the
| children" approach of using pedophiles to limit everyone's
| freedom that are used in rhetoric here way more than
| terrorists
| ploika wrote:
| The Limerick gangs were more or less dealt with about a
| decade ago. It's the likes of the Kinahans, and possibly
| some of the various dissident republican groups, who are
| much more of a target for this bill.
| Sebb767 wrote:
| The US is not much better. Germany [0] is not much better. This
| seems to be a general trend right now.
|
| If I had to guess, police has a hard time accessing anything on
| smartphones and PCs - which probably _is_ a major holdback for
| them - and hardly anybody involved in the making of the
| legislature has enough technical understanding and/or
| political stake to defend the privacy side of things.
|
| [0] https://www.heise.de/news/Cyberbunker-Klausel-in-StPO-
| Durchs...
| s_dev wrote:
| >What is the deal with the governments of the British Isles
| being so intrusive and privacy hostile?
|
| I don't consider Ireland to be a "British Isle" -- 26 counties
| out of 32 on the island are Irish.
|
| How and ever -- we see the US in the same light. You're so
| hostile to privacy laws like GDPR and we aren't etc.
| adventured wrote:
| > You're so hostile to privacy laws like GDPR and we aren't
| etc.
|
| You're arguing about an entirely different context. One
| involves private corporations, one involves the powers of the
| government. It's critical to make a distinction between those
| things, they are not the same issue at all.
|
| Facebook, fortunately, doesn't have taxing authority,
| regulatory authority, law-passing authority or a private
| militia. I can banish Facebook from my existence, I can
| choose never to use their services, and I can legally use
| numerous options for blocking their ability to track me (and
| do so quite easily). Try doing that with a government that
| passes a very invasive law, just tell them to right piss off
| with their laws, refuse to obey their laws.
|
| It's fine to argue for restrictions on privacy invasion re
| private corporations. However these are two separate matters
| to be argued, what should be allowed in the private sphere vs
| the public/government sphere.
| acta_non_verba wrote:
| Bizarre comment. British isles is a geographic term, which is
| correct in this case.
|
| No one for a moment is suggesting that because of that you
| have to drink tea or invent the computer or anything else
| that is considered British.
| sdflhasjd wrote:
| The "British Isles" is a geographic term encompassing Great
| Britain and Ireland, plus some smaller islands.
| OJFord wrote:
| You're correct, and I'm British, but it's not surprising to
| me that an Irishman would object to it.
|
| Besides, to us 'English Channel' is a geographic term; in
| France it's La Manche ('the sleeve'). (Having said that we
| do say 'Irish Sea'.)
| lucideer wrote:
| This is technically correct, but no context is devoid of
| political overtones and there's very reasonable arguments
| for decolonising the terminology.
|
| "British Isles" is the widely accepted term internationally
| in large part due to the historical dominance of the
| British Empire, coupled with the ongoing influence of the
| British state internationally (particularly in the
| anglosphere). It is however not a generally preferred term
| within Ireland, which is worth noting alongside any
| technical facts about geography.
| borvo wrote:
| Quite correct. Just like "GB" ("Great Britain" or "Grand
| Bretagne" in the original French) means "large Brittany".
| lbriner wrote:
| Most people are not accepting but there is only so much power
| you have over an elected government. Previous suggestions have
| been stopped though so you can kick up a stink sometimes and
| have the right results.
|
| I also don't think it is that unique to the UK. It was a multi-
| national attack that broke EncroChat and the Australians
| breaking An0m (maybe with US help). Some countries love privacy
| at all costs like Germany and Scandinavia, some don't even
| assume they have privacy like Iran and China and those in the
| middle, like the UK, want to pretend they have privacy and are
| principled until they need to solve a crime and then it goes
| out the window!
| ploika wrote:
| Just for the avoidance of doubt, Ireland is not part of the
| UK.
| lucideer wrote:
| > _cultures of that place_
|
| Aside from sensitivity around the (technically correct but the
| status quo should always be open to question) term "British
| Isles", even accepting that term geographically, conflating the
| islands culturally demonstrates a certain level of ignorance on
| the subject.
| AlphaSite wrote:
| I think it's partly down to more visibility since these are
| English speaking countries, so the dark underside is more
| exposed.
| prepend wrote:
| I've wondered the same thing but chalked it up to some sort of
| selection bias.
|
| I always remember Pink Floyd's Another Brick in the Wall Part 2
| [0] and the story of how authoritarian British schools were. I
| guess there's some sort of contingent for making lots of rules
| and demanding adherence.
|
| There's a pretty great book called Albion's Seed [1] by Fischer
| that goes into the four groups of British people that founded
| America. The "border" peoples of Scotland/north England were
| pretty anarchistic and moved to the colonies fleeing British
| rule. And I think there was quite a bit of rule that resulted
| in the people who don't follow rules leaving Britain for the
| US/Australia/other colonies. So after a few hundred years, that
| perhaps had an effect on the type of people who stayed.
|
| [0] https://youtu.be/HrxX9TBj2zY
|
| [1] https://en.wikipedia.org/wiki/Albion%27s_Seed
| LatteLazy wrote:
| English law has basically no protections against search and
| seizure (no poison tree doctrine). So police are used to doing
| as they please and politicians like it too. The mathematical
| impossibility of breaking hard encryption is an affront to
| literally hundreds of years of entitlement.
| reedjosh wrote:
| I can't really speak for them, but I keep seeing this in the US
| too. Individuals just don't seem to have any real recourse.
| These laws and systems are kafkaesque--there's just some system
| out there that determines the rules, and good luck finding a
| functioning way to push back.
|
| Also, here's one of my favorite fairly relevant quotes:
|
| > "We operate under the rule of law and are accountable for it.
| In some countries secret intelligence is used to control their
| people. In ours, it only exists to protect their freedoms."
|
| - William Hague (UK Politician)
|
| https://www.bbc.com/news/uk-politics-23053691
| BitwiseFool wrote:
| Maybe this is just my inner American, but what the Irish
| government is doing is tyrannical. The idea that you must
| render your secrets to the government just seems anathema to
| personal liberty. This must run afoul of some human rights
| commitments the UK has made, no? And, the doublespeak of the
| quote you mentioned is absolutely repugnant.
|
| Edit: I wrote UK government... I was mistaken and thought of
| Northern Ireland instead of the Republic of Ireland.
| reedjosh wrote:
| It really isn't just the UK (or Ireland) though.
| Governments everywhere are slowly closing in on privacy and
| freedom.
|
| Unelected global institutions are rising, and their vision
| of the future is not promising.
|
| https://mises.org/wire/no-privacy-no-property-
| world-2030-acc...
| rand49an wrote:
| While I'm sure UK police are after the same powers (or
| already have them!) Ireland isn't a part of the UK.
| bitdivision wrote:
| The UK does indeed already have similar powers under RIPA
| [0].
|
| 0: https://en.wikipedia.org/wiki/Regulation_of_Investigat
| ory_Po...
| BitwiseFool wrote:
| My apologies, for some reason my mind went to 'Northern
| Ireland' as I've come to expect this sort of thing from
| the UK.
| HeckFeck wrote:
| Easily done. The ROI aren't as different from the UK
| as they like to think.
| rusk wrote:
| England is a very different kind of place to most places
| I think you'll find!
| varispeed wrote:
| It's the "If you have nothing to hide, then you have nothing to
| fear" culture. People still trust authorities with their
| information and believe that nobody cares what kind of
| illnesses they have or what kind of porn they are into or how
| their body looks like or what they talked about with mates.
| foreigner wrote:
| Maybe it's socialism? It creates the feeling that we're all in
| it together.
| anigbrowl wrote:
| Look into the history. Rebellions of all kinds have been
| ruthlessly and brutally suppressed. The aristocracy is not as
| important as it used to be in Britain, but it's still a
| power-centric society where those without have few choices open
| to them. Despite winning independence from Britain a century
| ago and having a clearly written constitution, Ireland kept a
| great deal of the legal and some of the social culture;
| following independence the informal power just moved towards
| the catholic church and (as always, everywhere) toward money.
| melesian wrote:
| Ireland is not a British isle. Irish police are unarmed and the
| country is not a surveillance state. However, there have been
| some high profile cases of murders committed by drug gangs who
| have used encrypted phones to put their communications beyond
| scrutiny / use in evidence. Ireland is a democracy and the
| public is perfectly able and willing to change govt if it sees
| fit (and it does so regularly). I think you'll find that in
| Ireland the people wonder WTF is wrong with the US that it
| could elect a cretin like Donald Trump to its highest office,
| denies healthcare to its citizens, tolerates vote suppression,
| electoral gerrymandering, mass shootings, endless racially
| motivated police assassinations, unlimited corporate
| expenditure in political campaigns etc. Ireland is fully signed
| up to the EU's GDPR which puts citizens' data rights on a far
| firmer footing than those of Americans.
| CountDrewku wrote:
| >Donald Trump to its highest office, denies healthcare to its
| citizens, tolerates vote suppression, electoral
| gerrymandering, mass shootings, endless racially motivated
| police assassinations, unlimited corporate expenditure in
| political campaigns
|
| You're attributing those to Trump? I guess that's what
| happens when all you get is government controlled media....
| haunter wrote:
| https://en.wikipedia.org/wiki/British_Isles
|
| >The British Isles are a group of islands in the North
| Atlantic off the north-western coast of continental Europe,
| consisting of the islands of Great Britain, Ireland, the Isle
| of Man, the Hebrides and over six thousand smaller islands.
| fitblipper wrote:
| I understand how "clever law hacks" like warrant canaries are not
| clever when faced against actual law enforcement practices. I say
| this to try to explain that the following isn't meant to be a
| clever trick and instead is meant as a reason why I worry about
| these kinds of law.
|
| I have a very long passphrase that I only have to enter at
| machine boot up time. After entering the pw once the password
| manager remains open in cache and can be opened with a much
| shorter and easier to remember password. Because I do not restart
| my phone or devices frequently I don't need to enter my password
| often and so my very long complicated password isn't used often.
| My practice has been to automatically restart my phone whenever I
| am approached by a police officer. This has happened maybe once
| in the last year or 2.
|
| If I live in Ireland, am I screwed when the stress of being
| detained causes me to forget my very long, complicated, and
| infrequently entered password?
| fragbait65 wrote:
| Yes, I honestly think you are screwed.
| version_five wrote:
| I wonder if it's possible to easily set up a phone or other
| device with a multiple password/ login system that depending on
| the credentials could either show something benign or wipe the
| device. I'd expect such systems to become more popular (and
| make the main result of these new powers be that police have a
| new tool to harass unsophisticated and already downtrodden
| folks, rather than actually to disrupt any serious crime)
| noman-land wrote:
| Check out the rubberhose file system.
|
| https://en.wikipedia.org/wiki/Rubberhose_%28file_system%29
| RealStickman_ wrote:
| Is there some more modern version of this?
| BitwiseFool wrote:
| I'm genuinely wondering how someone could implement a system
| that functions like a dead man's hand where the key to recovery
| (despite entering the valid password as required by law) which
| lies outside of the jurisdiction of that government, or relies
| on the data being unavailable for a long stretch of time.
|
| >"If I live in Ireland, am I screwed when the stress of being
| detained causes me to forget my very long, complicated, and
| infrequently entered password?"
|
| As for this part, I've become a cynic after learning so much
| about how courts _actually_ function on a daily basis. There
| really isn't anything stopping a judge from simply finding you
| in contempt of court - even if you legitimately did lose your
| password. Ultimately, if the judge wants to, they can easily
| drag you through the mud and you have virtually no recourse.
|
| Edit: I know Apple has a feature that disables FaceID that acts
| like a 'panic' button. How do the courts deal with that?
| jfoutz wrote:
| Sometime during quarantine I had an evening thought exercise
| about clever password choices in this context. It was a fun
| game, and would be a cute scene in a movie or a book.
|
| Ultimately the password `fuck you cop I'll never tell` is a fun
| idea, but little value. Complying without appearing to comply
| might change up the game a bit, but you're still screwed.
|
| _edit_ it is kind of fun to think of a password so offensive
| that it doesn't matter who asks you, they won't believe that's
| your password. Technically might buy you some time before they
| figure it out.
| cge wrote:
| The way the law is worded (see my other comment), the police
| can force _you_ to do whatever is necessary to unlock the
| device by any means at your disposal, not just disclose your
| password. While this would be technically a terrible idea on
| their part for a number of reasons, having a clever password
| would not be helpful.
| dane-pgp wrote:
| > a password so offensive that it doesn't matter who asks
| you, they won't believe that's your password.
|
| If they don't believe it's your password, then you haven't
| really avoided the punishment for not disclosing your
| password (although you might take some comfort from a kind of
| moral victory, having told the truth and complied with the
| letter of the law).
|
| Instead of coming up with a password that offends the police,
| a better approach is to come up with one that _interests_
| them, specifically a detailed admission of a crime. For
| example, the password could be of the form "I killed John
| Doe, and buried the body in my garden".
|
| Assuming your jurisdiction has protections against self-
| incrimination, and you can convince a judge that your
| password really does contain such information, they may have
| to choose between not learning your password, and giving you
| some sort of immunity deal.
|
| Of course, if this approach leads to innocent citizens
| routinely committing crimes just to come up with a unique
| password (or worse, criminals baiting police into giving them
| immunity in return for access to dummy encrypted data) then
| the only law that will be followed is the Law of Unintended
| Consequences.
| pbhjpbhj wrote:
| I'm assuming the offensive password works in a situation
| where you have a deadman's handle. So then a month later
| you can say "I told you my password was '$offensive-phrase'
| and can prove it was, now you need to release me"
| (presumably after your lawyer acquires the audio from the
| interview to back up your assertion).
| garblegarble wrote:
| >Assuming your jurisdiction has protections against self-
| incrimination, and you can convince a judge that your
| password really does contain such information, they may
| have to choose between not learning your password, and
| giving you some sort of immunity deal.
|
| I think it's quite unlikely they'd give immunity,
| especially when they could just instruct you to unlock the
| device and hand it over without telling them the password
| TameAntelope wrote:
| Okay, I know it's _very_ keyboard-warrior-esque, and I don't
| know how I'd really react if actually faced with this
| situation, but I think this is something I'd be proud to sit in
| jail over.
|
| Ask me after a month/week/day/hour of course, but I hope I'd be
| strong enough to deal with this appropriately.
| themolecularman wrote:
| > My practice has been to automatically restart my phone
| whenever I am approached by a police officer. This has happened
| maybe once in the last year or 2.
|
| In the United States (where I live) this seems risky. I think
| most here would prefer their phone to be on and readily
| available for filming in case they need to film the police
| encounter. We have a lot of cops spazzing out on people.
| varispeed wrote:
| You can use TC hidden volumes that will log you into different
| volume depending on entered password. It is not possible to
| detect that a volume has hidden volumes.
|
| Something like this should exist natively in Android and other
| operating systems, but obviously there would be a push back
| from governments.
| XorNot wrote:
| We're going to start needing "burn the battery on demand" mods.
| CoastalCoder wrote:
| Please don't bring these on airplanes.
| failwhaleshark wrote:
| "Sorry sir, I've been trying to remember it all day. I think 10
| more times might do it."
|
| Fuck giving testimony against yourself.
| cronix wrote:
| It would be great if phones allowed you to store 2 different
| passwords. One to unlock the phone as normal, and the other would
| actually wipe the phone. Sure, officer, my password is
| "deleteitall"
| anigbrowl wrote:
| I keep seeing this suggestion, and it seems not to occur to the
| proponents that it would simply land someone with destruction-
| of-evidence charges.
|
| What I want is a system that has two passwords that unlock two
| wholly separate partitions, one of which is anodyne and the
| other which is where I keep my private opinions about Big
| Brother.
|
| Of course, astute investigators might wonder why the accessible
| partition only uses half the storage capacity of the device;
| you might wish to make your secret space very small and perhaps
| use some compression scheme as well. If you have a large amount
| of information that you wish to keep private, you're probably
| best storing it somewhere else entirely and only accessing it
| remotely.
| rapht wrote:
| > I keep seeing this suggestion, and it seems not to occur to
| the proponents that it would simply land someone with
| destruction-of-evidence charges.
|
| Only if someone can prove the data was there in the first
| place.
| cronix wrote:
| Yes, the same applies to the current existing functionality
| of iPhone and Android to remotely wipe your device. How is
| this different?
| anonymousDan wrote:
| So what is being done (if anything) to push back against this?
| Are there any Irish civil liberties organisations kicking up a
| fuss?
| lucideer wrote:
| The bill's only been very recently published (HN is picking up
| on this quite quickly), so there hasn't been very much official
| commentary on this just yet.
|
| The Irish Council for Civil Liberties are in the process of
| analysing it
| https://twitter.com/ICCLtweet/status/1404417358135971841
|
| Otherwise though, there has been widespread backlash. The govt.
| absolutely have the votes to push this through parliament if
| they want to, but public sentiment could definitely give them
| pause.
|
| Given the scale of the bill, and it being accompanied by
| another related bill which apparently reduces oversight of the
| Garda (police), my suspicion is that this is a strategic
| strawman bill, with the intent being to push through a watered-
| down-but-still-pretty-terrible version of it after some
| "consultation" & amendments to remove the most publicly-
| objectionable highlights.
| anonymousDan wrote:
| Thanks. What's the underlying motive behind the push do you
| think? Political pressure to do something about the
| Kinahan/Hutch gangland killings? Can't see how this would be
| particularly effective for that but it seems to have come
| from nowhere no?
| Dedime wrote:
| For Irish people who wish to subvert this order, there's a handy
| concept in cryptography known as deniable encryption.
| Essentially, users (you) may convincingly deny that a plaintext
| version of encrypted data exists.
|
| VeraCrypt, a source-available encryption program, supports this
| form of encryption, such that you can create an encryption file,
| say 1GB. You place a password on the "outer" volume, so that when
| you enter the password, it mounts the encrypted volume and it
| appears unencrypted. However, you also put into place an "inner"
| hidden volume. When you enter the password for the inner volume,
| it mounts a separate encrypted volume. Adversaries cannot detect
| this inner volume, and when they twist your arm to unlock the
| encrypted veracrypt file, you can enter the password for the
| outer volume, keeping the secrets of the inner volume safe.
| steelframe wrote:
| Great. Now they don't know when to stop twisting your arm.
| tcoff91 wrote:
| So let's say the encrypted volume is 1GB. Let's say there's
| 250MB stored in the hidden volume. Can't you reveal the
| existence of the hidden volume by writing data to the 'outer'
| volume until it is full? If you can't fit 1GB of data in the
| 'outer' volume doesn't that mean there must exist a hidden
| volume?
| CGamesPlay wrote:
| When mounting, you must provide the outer volume password and
| you may provide the inner volume password. If you mount the
| inner volume, you must provide the inner volume password.
|
| If you are plausibly denying the existence of the inner
| volume, you mount the outer volume without the inner volume
| password. The driver happily overwrites the "free space"
| where the inner volume keeps its data. It is in fact unsafe
| to modify the outer volume at all without providing the inner
| volume password (if an inner volume exists).
|
| [edit] VeraCrypt it seems only accepts the outer volume
| password when _creating_ the hidden volume, but here's more
| about it:
| https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volum...
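
A toy model of the behaviour discussed in the last two comments, added here as an illustration and not taken from the thread or from VeraCrypt's code; the block layout, class names and the 1024/256 split are assumptions. It shows that filling the outer volume without the hidden password succeeds and overwrites the hidden data, while a mount that was given the hidden password refuses the write and becomes write-protected.

```python
class Container:
    """Toy model: the outer volume spans every block; the hidden volume
    occupies the tail, which the outer file system sees as free space."""

    def __init__(self, total_blocks, hidden_blocks):
        self.blocks = [b"random"] * total_blocks  # unused space looks random
        self.hidden_start = total_blocks - hidden_blocks

    def write_hidden(self, offset, data):
        self.blocks[self.hidden_start + offset] = data

    def read_hidden(self, offset):
        return self.blocks[self.hidden_start + offset]


class OuterMount:
    def __init__(self, container, hidden_password=False):
        self.c = container
        # The driver only knows the hidden range if the hidden password is supplied.
        self.protect = hidden_password
        self.read_only = False

    def write(self, index, data):
        if self.read_only:
            raise PermissionError("write-protected until dismounted")
        if self.protect and index >= self.c.hidden_start:
            self.read_only = True  # protection tripped: no further writes
            raise PermissionError("write into hidden area refused")
        self.c.blocks[index] = data

    def fill(self, data):
        """Write every block of the outer volume; return how many succeeded."""
        written = 0
        for i in range(len(self.c.blocks)):
            try:
                self.write(i, data)
            except PermissionError:
                break
            written += 1
        return written


def demo(protect):
    # Constructed sizes: 1024 blocks total, 256 reserved for the hidden volume.
    c = Container(total_blocks=1024, hidden_blocks=256)
    c.write_hidden(0, b"secret")
    written = OuterMount(c, hidden_password=protect).fill(b"filler")
    return written, c.read_hidden(0)
```
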
___________________________________________________________________
(page generated 2021-06-14 23:01 UTC)