Passwords and prosecutions

The curious case of Oliver Drage.

When the news broke last week that a teenager had been given a custodial sentence for failing to provide his password to the police, the details of the story appeared incomplete.

The essentials of what had happened were as follows: Oliver Drage, 19 (and so only just a teenager), did not give a password to the police when formally requested to do so. He was prosecuted under the Regulation of Investigatory Powers Act 2000 and given a custodial sentence of 16 weeks in a young offenders institution (which may or not be regarded as the same as being "jailed").

However, the widespread media coverage of this conviction seemed problematic. Some things did not add up.

Let's start with the press release from Lancashire police.

Teen jailed for four months after failing to give up computer password

A TEEN who refused to give police officers an encryption password for his computer has been jailed for four months.

The case is believed to be the first of its kind in Lancashire.

Oliver Drage, 19, formerly of Naze Lane, Freckleton, was arrested in May 2009.

Drage's computer was seized but officers could not access material stored on it as it was protected by a 50-character encryption password. Drage was then formerly requested to disclose the password, which he failed to do.

Appearing at Preston Crown Court, Drage pleaded not guilty to failing to disclose an encryption key -- an offence covered by the Regulation of Investigatory Powers Act 2000. At his trial in September a jury took less than 15 minutes to find him guilty of the offence. Yesterday (Monday Oct 4), Drage was sentenced to 16 weeks in a Young Offenders Institution.

Detective Sergeant Neil Fowler, Blackpool Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the Judge in this case shows just how seriously the courts take this kind of offence.

Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their on-line criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.

This press release is troubling for both what it does and what it does not say.

It is written in a tabloid-like and sensationalised way (for example, "TEEN" in screaming capitals), which seems to me to be deeply inappropriate for an official communication about a serious matter. It also refers to "those using the internet to commit crime...those intent on trying to mask their on-line criminal activities" when, on the face of it, no such charge had been made against this particular defendant and no prosecution carried out.

But when this press release was picked up by the newspapers, certain further information about Drage was published.

From the Guardian: "Oliver Drage, 19, of Freckleton, Lancs, had originally been arrested in May last year by a team of officers from Blackpool tackling child sexual exploitation."

And from the Daily Mail: "Teenager jailed for refusing to give computer password to police investigating child sex crimes"

But the press release did not mention child sex exploitation, nor did it mention the type of police officers who arrested him. Whatever Drage may or may not have stored on his computer, he had not been either charged for or convicted of any sexual offence.

However, his (distinctive) name was now associated with the investigation of serious sex offences by several newspapers on the back of a sensationalist press release which itself mentioned nothing about any sexual offences.

So I asked for further information about this from the press office of Lancashire police. First, I received information about the police team which had arrested Drage:

The Awaken Project is a very close working partnership between Blackpool Council and Lancashire Police and other.

The team is responsible for using an intelligence led and pro active approach to protect children in Blackpool who may be at risk of sexual exploitation. Police officers and social workers on the team are responsible for jointly investigating cases and targeting suspected offenders. Staff from health and education departments supplement the team in an effort to impact upon the behaviour of young and potentially vulnerable persons.

I was also told on the telephone the nature of the offence on suspicion of which Drage was arrested (even though he was not charged nor convicted). I asked why Lancashire police thought it appropriate to link the defendant's name with child sex allegations when he was neither charged nor convicted in respect of such serious matters. The response:

You will notice that that aspect was not mentioned in the official press release and was given to you as guidance over the telephone when you rang. It is therefore your decision if you wish to make that link in print.

I then pointed out the the child sex abuse aspects had been mentioned in many newspapers, and gave the examples of the Guardian and Mail above. Was I correct in my assumption that Lancashire police was their source for this extra information? The response:

The information was given as guidance to all journalists who rang and asked why Drage had originally been arrested. As previously mentioned, it is not included in the press release - so was not in the 'brief' we gave the press - and it is down to the individual publication if they chose to print that information.

Hope this helps.

I reverted, now asking why Lancashire police believed it was appropriate to mention it as guidance. After all, the defendant was now publicly and widely associated with child sex investigations (perhaps the most serious investigations one can be associated with) when he was neither charged nor convicted of any sex offence.

I will refer you back to my previous answer. The information was given as guidance (and was not included in the press release) to assist journalists in their reporting of the matter, by clarifying why Drage was arrested and his computer seized. Failure to give this guidance could have resulted in inaccurate assumptions and reporting of the case.

All journalists were pointed to the fact that this information was not in the press release and that it was their decision should they chose to publish the information that was given to them as guidance.

In contrast, the Crown Prosecution Service responded to my queries without any reference at all to the sexual offences for which Drage had been arrested. Indeed, for the CPS the prosecution was explicable on the straightforward facts of this particular offence:

Oliver Drage was found guilty on October 5, at Preston Crown court of failing to provide his computer's password contrary to section 53 of the Regulation of Investigatory Powers Act 2000.

The CPS received a file of evidence from Lancashire Police after he was served with a court order in December 2009 section 49 of RIPA 2000, requiring him to disclose the password.

He failed to do so within the three weeks' period specified on the order. After a thorough review of the evidence, we decided that there was sufficient evidence and it was in the public interest to prosecute Oliver Drage for this offence as his failure to disclose the password has obstructed an ongoing police investigation.

Evidence showed that the defendant admitted in police interviews that he had set an encrypted password of between 40 and 50 characters containing both letters and numbers using an encryption software programme and that he had had originally relied on his memory to recall it but could not recall it when he was served with the notice.

The jury heard both the prosecution and defence case and accepted the prosecution case that the defendant must have kept a record of this very complex password, rather than relying on memory, and that he had deliberately failed to disclose it to the police. They returned a guilty verdict after 15 minutes deliberation.

As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it.

I also asked the CPS for what guidance it had for those who also may forget passwords, and their response was:

Part III of the Regulation of Investigatory Powers Act 2000 (the Act) and Investigation of Protected Electronic Information Code of Practice came into force on the 1st October 2007. The Code of Practice provides guidance to be followed when exercising powers under the Act to require disclosure of protected electronic data in an intelligible form or to acquire the means by which protected electronic data maybe accessed or put in an intelligible form.

Overall, there are two issues about this curious case.

First, there is the narrow issue of the prosecution and conviction. On the basis of the CPS statement, one can see why a claim to have forgotten a previously memorised encrypted password of between 40 and 50 characters, and not to have written it down elsewhere, would rather strain credulity.

Second, there is the worrying way in which highly prejudicial information is provided and published about an individual charged for and convicted of an offence very different for the one for which he was arrested on being on suspicion of having committed.

It may well be that Lancashire police break the encryption code.It could be that there is sordid material yet to be revealed which may have warranted a charge and even conviction of a serious sexual offence. We simply do not know. And neither do the Lancashire police.

However, in the meantime, an individual is now publicly associated with a serious investigation in respect of which was neither charged nor convicted; a police force publishes press releases as if they were tabloid stories and also furnishes highly-prejudicial information, but passes the buck if the press publishes it (which, of course, they will do); and the rest of us are really none the wiser whether a four month custodial sentence in this case was because of the gravity of the original suspicions or just for the implausibility of not knowing or noting down a 40 to 50 character password.

There is something not right here.


David Allen Green is a lawyer and a writer. He was shortlisted for the George Orwell blogging prize in 2010. He blogs for the New Statesman on legal and policy matters.

David Allen Green is legal correspondent of the New Statesman and author of the Jack of Kent blog.

His legal journalism has included popularising the Simon Singh libel case and discrediting the Julian Assange myths about his extradition case.  His uncovering of the Nightjack email hack by the Times was described as "masterly analysis" by Lord Justice Leveson.

David is also a solicitor and was successful in the "Twitterjoketrial" appeal at the High Court.

(Nothing on this blog constitutes legal advice.)

Show Hide image

We're racing towards another private debt crisis - so why did no one see it coming?

The Office for Budget Responsibility failed to foresee the rise in household debt. 

This is a call for a public inquiry on the current situation regarding private debt.

For almost a decade now, since 2007, we have been living a lie. And that lie is preparing to wreak havoc on our economy. If we do not create some kind of impartial forum to discuss what is actually happening, the results might well prove disastrous. 

The lie I am referring to is the idea that the financial crisis of 2008, and subsequent “Great Recession,” were caused by profligate government spending and subsequent public debt. The exact opposite is in fact the case. The crash happened because of dangerously high levels of private debt (a mortgage crisis specifically). And - this is the part we are not supposed to talk about—there is an inverse relation between public and private debt levels.

If the public sector reduces its debt, overall private sector debt goes up. That's what happened in the years leading up to 2008. Now austerity is making it happening again. And if we don't do something about it, the results will, inevitably, be another catastrophe.

The winners and losers of debt

These graphs show the relationship between public and private debt. They are both forecasts from the Office for Budget Responsibility, produced in 2015 and 2017. 

This is what the OBR was projecting what would happen around now back in 2015:

This year the OBR completely changed its forecast. This is how it now projects things are likely to turn out:

First, notice how both diagrams are symmetrical. What happens on top (that part of the economy that is in surplus) precisely mirrors what happens in the bottom (that part of the economy that is in deficit). This is called an “accounting identity.”

As in any ledger sheet, credits and debits have to match. The easiest way to understand this is to imagine there are just two actors, government, and the private sector. If the government borrows £100, and spends it, then the government has a debt of £100. But by spending, it has injected £100 more pounds into the private economy. In other words, -£100 for the government, +£100 for everyone else in the diagram. 

Similarly, if the government taxes someone for £100 , then the government is £100 richer but there’s £100 subtracted from the private economy (+£100 for government, -£100 for everybody else on the diagram).

So what implications does this kind of bookkeeping have for the overall economy? It means that if the government goes into surplus, then everyone else has to go into debt.

We tend to think of money as if it is a bunch of poker chips already lying around, but that’s not how it really works. Money has to be created. And money is created when banks make loans. Either the government borrows money and injects it into the economy, or private citizens borrow money from banks. Those banks don’t take the money from people’s savings or anywhere else, they just make it up. Anyone can write an IOU. But only banks are allowed to issue IOUs that the government will accept in payment for taxes. (In other words, there actually is a magic money tree. But only banks are allowed to use it.)

There are other factors. The UK has a huge trade deficit (blue), and that means the government (yellow) also has to run a deficit (print money, or more accurately, get banks to do it) to inject into the economy to pay for all those Chinese trainers, American iPads, and German cars. The total amount of money can also fluctuate. But the real point here is, the less the government is in debt, the more everyone else must be. Austerity measures will necessarily lead to rising levels of private debt. And this is exactly what has happened.

Now, if this seems to have very little to do with the way politicians talk about such matters, there's a simple reason: most politicians don’t actually know any of this. A recent survey showed 90 per cent of MPs don't even understand where money comes from (they think it's issued by the Royal Mint). In reality, debt is money. If no one owed anyone anything at all there would be no money and the economy would grind to a halt.

But of course debt has to be owed to someone. These charts show who owes what to whom.

The crisis in private debt

Bearing all this in mind, let's look at those diagrams again - keeping our eye particularly on the dark blue that represents household debt. In the first, 2015 version, the OBR duly noted that there was a substantial build-up of household debt in the years leading up to the crash of 2008. This is significant because it was the first time in British history that total household debts were higher than total household savings, and therefore the household sector itself was in deficit territory. (Corporations, at the same time, were raking in enormous profits.) But it also predicted this wouldn't happen again.

True, the OBR observed, austerity and the reduction of government deficits meant private debt levels would have to go up. However, the OBR economists insisted this wouldn't be a problem because the burden would fall not on households but on corporations. Business-friendly Tory policies would, they insisted, inspire a boom in corporate expansion, which would mean frenzied corporate borrowing (that huge red bulge below the line in the first diagram, which was supposed to eventually replace government deficits entirely). Ordinary households would have little or nothing to worry about.

This was total fantasy. No such frenzied boom took place.

In the second diagram, two years later, the OBR is forced to acknowledge this. Corporations are just raking in the profits and sitting on them. The household sector, on the other hand, is a rolling catastrophe. Austerity has meant falling wages, less government spending on social services (or anything else), and higher de facto taxes. This puts the squeeze on household budgets and people are forced to borrow. As a result, not only are households in overall deficit for the second time in British history, the situation is actually worse than it was in the years leading up to 2008.

And remember: it was a mortgage crisis that set off the 2008 crash, which almost destroyed the world economy and plunged millions into penury. Not a crisis in public debt. A crisis in private debt.

An inquiry

In 2015, around the time the original OBR predictions came out, I wrote an essay in the Guardian predicting that austerity and budget-balancing would create a disastrous crisis in private debt. Now it's so clearly, unmistakably, happening that even the OBR cannot deny it.

I believe the time has come for there be a public investigation - a formal public inquiry, in fact - into how this could be allowed to happen. After the 2008 crash, at least the economists in Treasury and the Bank of England could plausibly claim they hadn't completely understood the relation between private debt and financial instability. Now they simply have no excuse.

What on earth is an institution called the “Office for Budget Responsibility” credulously imagining corporate borrowing binges in order to suggest the government will balance the budget to no ill effects? How responsible is that? Even the second chart is extremely odd. Up to 2017, the top and bottom of the diagram are exact mirrors of one another, as they ought to be. However, in the projected future after 2017, the section below the line is much smaller than the section above, apparently seriously understating the amount both of future government, and future private, debt. In other words, the numbers don't add up.

The OBR told the New Statesman ​that it was not aware of any errors in its 2015 forecast for corporate sector net lending, and that the forecast was based on the available data. It said the forecast for business investment has been revised down because of the uncertainty created by Brexit. 

Still, if the “Office of Budget Responsibility” was true to its name, it should be sounding off the alarm bells right about now. So far all we've got is one mention of private debt and a mild warning about the rise of personal debt from the Bank of England, which did not however connect the problem to austerity, and one fairly strong statement from a maverick columnist in the Daily Mail. Otherwise, silence. 

The only plausible explanation is that institutions like the Treasury, OBR, and to a degree as well the Bank of England can't, by definition, warn against the dangers of austerity, however alarming the situation, because they have been set up the way they have in order to justify austerity. It's important to emphasise that most professional economists have never supported Conservative policies in this regard. The policy was adopted because it was convenient to politicians; institutions were set up in order to support it; economists were hired in order to come up with arguments for austerity, rather than to judge whether it would be a good idea. At present, this situation has led us to the brink of disaster.

The last time there was a financial crash, the Queen famously asked: why was no one able to foresee this? We now have the tools. Perhaps the most important task for a public inquiry will be to finally ask: what is the real purpose of the institutions that are supposed to foresee such matters, to what degree have they been politicised, and what would it take to turn them back into institutions that can at least inform us if we're staring into the lights of an oncoming train?