Passwords and prosecutions
The curious case of Oliver Drage.
By David Allen Green. Published 13 October 2010 18:23
114 comments
'something to hide?', Dave? Yeah, we've all got something to hide- our personal stuff; legal, normal, inoffensive stuff that we don't want to share with every Tom, Dick & Harry. And especially not the police. Last time I looked, we were a free society where you're innocent til PROVEN guilty and just saying 'no' to the coppers isn't a good enough reason to assume someone's up to no good. The police want lots of things...longer detention, freedom from prosecution, more powers...I don't want to give it to them when this is how they behave. Seems to me that 'someone' within the force 'let slip' some inaccurate & damaging (to this guy) info in order to blacken his name & provoke the kind of reaction that people like you have. Let them dig around in your (innocent) details if you want, but don't expect to get any sympathy when they spray some shite your way...and remember, it won't be YOUR explanation that anyone listens to, it'll be THEIRS and it might not be pretty, or even true.
It is remarkable that all of you so far appear to have little trouble with memorizing a 50 bit password. Has anyone actually done it? I was working on an Excel file with a matrix comparing health policies. I password protected it, went on holiday, came back and found I cannot recall it. I guess I am lucky that it can easily be cracked so I won't be going to jail for having a bad memory. So when Drage comes out they are going to put him away again for 16 weeks and yet again for 16 weeks until they have the tech to crack it. So which part of East Germany is this town called Lancashire in?
Or if they don't know how, they don't punctuate either, never mind use capital letters. Jeeeeeeeeeez.
Is this event real? It has a strange sense of the incredulous to it. I have forgotten passwords and have had to start new e-mail accounts, without any chance of recovering lost information. Additionally, the computer password does not stop data on the hard drive being read. I have often had to reclaim data off hard drives on computers with lost passwords. JPEG and other photo files are the easiest to reclaim. This law simply sounds like the law braying.
The fact is he had a trial and was found guilty of this offence, ie a jury of his peers found that he had not forgotten the password but that he had deliberately refused to comply with a lawful order to reveal it.
It's similar to refusing a breath test. You get sentenced on the basis that you were probably drink driving rather than that you refused to comply with the Police orders. So the offence that was being investigated is relevant. FFS, kiddie porn SHOULD be investigated with all the rigour the Police have at their command and I really don't see why you're up in arms about someone pretending he can't remember his password to protect a hard drive probably swarming with gross porn.
I am a programmer who has on occasion had to develop security for computer programs to prevent them being used in ways considered undesirable by the companies which own them. I have some exposure to cryptography as a result, besides of course the normal quantity taught in the course of a fairly theoretical computer science degree and some amateur interest.
The police stand no hope of cracking something encrypted by someone who truly knew what they were doing, especially having only the ciphertext to work with. Neither, for that matter, do the U.S. government. Encryption routines range from the even theoretically unbreakable one-time pad to public-key algorithms such as RSA to block ciphers such as DES, AES, Twofish etc. AES, a publicly accessible encryption algorithm, is cleared by the NSA for safe encryption of the most classified U.S. governmental data; they believe foreign powers will be unable to break AES. The ciphers considered "breakable" are generally not breakable from having access to ciphertext alone.
We live in a world where most of us can with a little effort encrypt data beyond the ability of our governments to decrypt it. This is something of a game changer, as it could be argued that it makes it unreasonably hard for law enforcement to gather important evidence. With the rise of steganography, however, it may not even be clear whether or not there is anything hidden to be found. There is a difficult balance to be struck here. Few of us would argue that private citizens ought to be able to possess military-grade weaponry such as missiles, tanks and artillery. Military-grade cryptography is however widespread and easily available, and knowledge of the principles is so widely disseminated that a great many mathematicians and computer scientists could recreate such systems from scratch with ease were they all to vanish overnight. Indeed, much modern finance depends for its security on this situation continuing to hold true.
It is a difficult problem. An appropriate analogy perhaps is that of someone inventing a device that allows only people they choose to enter their house. If the police ask for entry because they have a suspicion a crime has been committed on the premises, and the owner of the house refuses, and the police cannot bypass the technology, what then?
Sadly gone are the days of the police being independent.
They are no longer interested in finding the truth, but are simply working to establish a prima facie case on behalf of the Crown Prosecution Service.
I hope that they bring the case back to court either as an appeal or under the 'slip rule'.
Most people seem to be missing an important issue - whatever happened to the right to silence? We had that since 1689. It should not be legal for the police to give someone a choice between incriminating themselves, and going to jail for not doing so. That is a Morton's fork, and the police should not have that power.
There is so much wrong with this legislation and this case. Since the Lisbon Treaty came into force last year, all EU member states are legally bound by the ECHR. Under the ECHR, citizens cannot be forced to incriminate themselves and they must be presumed innocent until proven guilty. The case looks like something from the 13th century: once the Police associated their suspect with "child sex allegations", it was acceptable to make all kinds of assumptions about the person's guilt, rather than actually proving anything.
As regards forgetting encryption keys: I have forgotten the passwords to ZIP files on a few occasions and certainly would not be able to remember the passphrase I used when experimenting with PGP some years ago.
The police are clearly being disingenuous saying that information passed to a journalist in a phone call and in a press release are somehow different. The crime being investigated is the first thing anyone would want to know so why not put it in the press release.
The jury probably had little experience in using secure passphrases and encryption, so it seems like Drage had poor representation or the issues would have been better explained to the jury. The prosecution say "a password of 50 characters of letters and numbers" sounds like something you would have to write down; my address would match that description and nobody is surprised I can remember that. How did they know it was 40 - 50 characters anyway? Drage must have told them. If you were pretending to have forgotten, why not forget the length as well? Much more believable.
@Kenneth Bowry
"What nonsense, the Police once again prove they are thick as two short planks. Take out the hard drive and scan it using a special program; the Met and MI5 can do it, why can't the village idiots up north do it? And the Magistrate isn't fit for purpose."
The whole point of encrypting your hard drive is exactly this reason. If your hard drive is encrypted with a 50 character password, how do you scan a hard drive? When you encrypt a system it takes your data (all of it or selected), encrypts it, places it in a new encrypted volume, then erases the old data using different passes. The whole point of encrypting it is so that someone can't do exactly that; otherwise it would be completely pointless.
@Neil
"develop web sites and one of the first things required in just about every one I've ever built is a "forgotten password?" option. Most sites have them, because, quite simply, they are used. By us. People that don't have 50 character passwords, but more "normal" length ones... Yes, that's right, we even forget our 8 character passwords that we once used. I certainly have."
What does that have to do with this article?
A password on a website is completely different to a password on a computer system. Are you saying that they should put in a "forgot your password" feature within the software that encrypts your data?
"Where was your birthplace?" or "Please enter a 50 character password consisting of letters, numbers, punctuation, upper and lowercase".
@what a plonker.
Yes there is:
-One is a biological substance.
-The other being, conscious thought.
@bradderz I think the point Neil was trying to make is that it is so common for people to forget even short passwords that practically every website has to have a "forgotten password" option.
Although the encrypted drive can still be copied using a program such as dd, that copy would still be pretty useless without the password.
I can't understand that if this guy was using a 50 character password why he didn't also use a hidden partition and just give up a dummy one, it would have saved him a lot of hassle.
@S Grow up and contribute something useful.
Some people don't seem to be thinking their comments through. "Last time I looked, we were a free society where you're innocent 'til PROVEN guilty" - yes, and he was proved guilty to the satisfaction of the jury. (But hey, we can get round that by saying "it seems like Drage had poor representation" - as Dr Fox might say, there's no evidence for it, but it is a fact!)
There is a defence to the charge under S53, and that's found at S53(3):
"For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—
(a)sufficient evidence of that fact is adduced to raise an issue with respect to it; and
(b)the contrary is not proved beyond a reasonable doubt."
That seems pretty clear. All he had to do was give the jury sufficient evidence to raise an issue that he didn't have the password at the relevant time. The jury decided that he did not, or that if he did, evidence was provided to the contrary beyond reasonable doubt. Anything else is speculation and of no relevance to the case.
Yes.
1) As Nick Sharratt points out above. You'll only get such a blood alcohol test if you're driving a vehicle, but the police can demand a password in a much wider set of circumstances.
2) Breath/blood/urine tests *only* reveal the presence of the relevant substances. Passwords could reveal anything and everything, whether it's relevant to the inquiry or not. Consider a hypothetical roadside blood test which also revealed to the police officer whether you were HIV positive, anaemic, pregnant, using sports-performance enhancers, viagra, steroids, etc. etc. Such a test would be a huge invasion of privacy. It's just the same with passwords.
I campaigned against RIPA as it seems unjust, and not only for this password nightmare, but that alone is bad enough.
Those who mistake this as akin to the drink drive/breathalyser laws miss the real horror of this law. In the drink driving case, you need to be found driving a car. In this law, the police only need to assert that a file is password protected, and if you can't give them a 'password' then you might be jailed.
Any random collection of bits on a hard drive could be an encrypted volume, even if not associated with a filename in the file system, so police could identify a suitable area of ANY hard disk or drive on ANY computer, claim that it is evidence they need decrypted, and since you "claim" to not know a password, you could be locked up.
This law allows ANYONE to be imprisoned at practically the whim of the state.
Besides that awful flaw, in this case - I do not think it unreasonable that someone could have encrypted volumes for which they have genuinely forgotten the password. I know I have many encrypted files which seemed important at one time but which I've had no reason to access for a while which I have no clue as to the password for now. And yes, they probably mostly used a good long passphrase that I probably remembered for a few weeks when I used them, but which are long gone now.
All that said, if this guy is guilty of the sorts of things the police have effectively insinuated they suspect him of, then I hope they have enough evidence for a conviction to protect society. If they don't, then using a law as fundamentally unjust as RIPA to try to exact a kind of back door justice, is deplorable.
What is the strength of evidence that led them to want to look at his computer in the first instance?
A 50 character password? Definitely sounds like he had something to hide. And I doubt anyone who went to the bother of creating such a long password would be so flippant as to forget it.
Also worrying that they don't know the difference between "formally" and "formerly".
No comment on the Judges remarks when sentencing?
"This was a deliberate flouting of a court order compounded by your continual denial of guilt"
That's the quote that takes the biscuit for me. She may as well have just said "There is clearly no evidence against you since you won't sign a confession, but I'm sure as hell going to charge you with something!"
I also use very long passwords, and yes, there is something I'm trying to hide, namely my bank details.
Just because a password is "between 40 and 50 characters containing both letters and numbers" does not mean it was difficult to remember and therefore had to be written down.
The password could easily have been a normal English sentence and easily memorised. If it did contain numerals as well as letters, all or part of the password could easily have been written in Leet (http://en.wikipedia.org/wiki/Leet).
That is a total disgrace. INNOCENT until proven guilty beyond reasonable doubt. That label will follow him for a very long time. There should be disciplinary action for the press officer.
Yes, I would argue that being deprived of your freedom and liberty for 16 weeks is the same as jail.
Also I would argue that it is entirely plausible for a person to have a password of however long, to not write it down and to feel confident enough to remember it, and then under the right conditions of stress etc. to not remember it.
Shocking.
He's a 19 year old. There's bound to be porn of some sort on his computer. It may not be illegal but it'll almost certainly be deeply embarrassing for him to have to disclose it - and given his young age some of the porn he may have stored on there may include girls of similar age to himself, who he would not be able to prove conclusively are over 18. It's a minefield, frankly.
If Drage had claimed that he had written the password down but had destroyed the piece of paper in the time between the computer being seized and being served with the RIPA order would it have been possible to prosecute him?
I agree with your wider point, there does seem to be something not right here.
I don't understand the problem people seem to have in believing that an individual can memorise a 50 character "password". Surely a memorable phrase would do the job? "the quick brown fox jumped over the lazy dog" for example would fit the bill (including spaces).
"As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it."
Good grief. How on earth can you possibly PROVE that someone else has NOT forgotten something?
I'd be interested to know what the police have to demonstrate before they are allowed to make the request to access his computer.
Surely it must be similar to getting a search warrant or searching someone's bag - something that can be identified as 'reasonable suspicion'?
On that note, "Intelligence led and pro-active" do not sound like good words to me.
If you look at Lancashire Police’s news section (http://www.lancashire.police.uk/news) you’ll see that every story they put out has the first world capitalised including: “SHOPPERS and store owners in St Annes are being kept safe by an Archangel in the run up to Christmas”. This is fairly standard practice in print media and even if you suggest it is generally inappropriate for a police force it is hardly a stick to beat Lancashire Police with in relation to this case alone.
This is a very good and interesting article which makes some important points which is why it's important it is completely correct.
The briefing out of the child pornography allegations was clearly wrong. If there was enough evidence that he was involved, using internet protocol addresses or similar, then he should have been charged, and without that there is no excuse for the off the record briefing; the distinction between 'we put it in the press release' and 'we are telling you and you decide whether to print it' is embarrassingly flimsy.
The other fundamental issue seems to be the assumption, made by the law and the police, that by refusing to give the password Mr Drage has something to hide.
Is this akin to the assumption that someone refusing to provide a breath or blood sample is de facto a drink driver?
This kind of law feels fairly illiberal, and it is a natural consequence that there will be an underlying offence which the accused is 'avoiding' by refusing to co-operate, and to some extent it is inevitable that people will draw conclusions from it as they would with someone who refused to provide a sample.
All that said, there is no excuse for Lancashire Police to be not-too-subtly pointing the way.
Drage should have got 6 months for impeding the police in their enquiries and for wasting police time and for perverting the course of Justice. The man had something to hide and that should have been the presumption in the Law. Throw the book at him.
Quote Miriam, 14 October 2010 at 02:47:
"This is all indefensible. The Police and the CPS should have waited until they could crack the encryption and gain the correct evidence, then charged him with the relevant offense or offenses. Without evidence to prove without doubt, the person who is "suspected of committing a crime" is innocent until there is evidence to prove that the accused person is guilty."
Unfortunately 'suspicion' of wrongdoing reigns supreme over all else. That's called a Totalitarian Society.
Never mind that he was never charged with dissemination of unlawful media.
I'd love to know how the original search warrant was granted,because it has supposition written all over it.
To punish a human being for the lawful right to encrypt one's personal possessions is tantamount to rape.
To punish him effectively for not disclosing his thoughts in binary form, as a presumptive issue, seems bizarre to say the least.
"surely a memorable phrase would do the job? "the quick brown fox jumped over the lazy dog" for example would fit the bill (including spaces)."
Indeed. Trouble is, if you haven't used it for a few months, remembering exactly which capitalisation you used, exactly where you put the spaces, exactly how much punctuation and where... Computers don't do "fluffy". If you don't get that password EXACTLY right, your data's gone for good. Particularly if you end up locking yourself out before you remember it properly, or you're in the habit of using several passwords and forget exactly which you used for this.
This whole area of law is a complete minefield, and it urgently needs to go before the ECtHR. As for Lancashire Police's frankly transparent attempts to finesse their way around the libel law - can one really trust an organisation which exhibits such blatant contempt for one law to comport itself honestly and professionally whilst it enforces any law?
There are many cases when complex passwords are generated from simple ones, e.g. when you 'secure' your wireless router's WiFi access point you may pick a 3 letter password which can be used to generate a much longer one. You may even see this long password - but are still highly likely to forget it. Does failing to disclose it to police on demand mean you are illicitly downloading copyright protected material?
And another thing, many people have DVDs which contain encrypted material. The password is stored on the DVD player. What happens if the police request this password from you? You have it, but you've 'forgotten' where you put it...
If you are an MP and an 'Al Quaeda' operative sends you an e-mail which is encrypted, but to which you don't have the password, what if a policeman asks it from you? Will they believe you if you say you never knew it and thought the encrypted e-mail was spam? It was on your computer...
The solution is that either encryption is banned (impossible), or that EVERYONE ensures that they have encrypted material on their PC to which they don't know the password. And then we have to worry about a law that can imprison anyone for being unable to remember a password which they have never known - not just delinquent youths easily 'taught a lesson' by smearing them with an insinuation they engage in paedophilia.
He could have used a Welsh placename, or a chemical compound in German.
One more, and then I'll go away. The CPS said:
"As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it."
Now it seems to me that the way to do that would be to produce the record of that password, or some evidence that a record might have existed - or alternatively, at a pinch, to provide evidence that the defendant's memory was nowhere near good enough to remember such a password. From the information provided here, they didn't do that; they merely said "the defendant must have written such a long password down". It seems to me that any direction from the judge which did not point to this as being somewhat less than "proved beyond reasonable doubt" is open to question. Moreover, I wonder whether it would be prudent to start giving juries training before they're allowed to hear court cases - at the very least, training in basic logical fallacies, such as an argument from incredulity - which is what this is.
I'm curious - if the police had evidence of other crimes, why not prosecute based on this evidence rather than reach for this Orwellian sledgehammer to crack a nut?
Have the police forgotten how to build a case using traditional police work without intrusive surveillance akin - quite literally in this case - to reaching inside a suspect's head?
This law is seriously bad not only because it removes the right against self-incrimination (although the Law Lords disagreed with this in their review) but also because of the power it hands the police.
How many times do we read of police "convinced" of the guilt of a number of notorious defendant's even after acquittal (on appeal, in some cases). I can think of three high-profile cases right now.
My password is unbreakable and very long and I use TrueCrypt. I'm a fast typist and I will never forget it. All I store on it is emails, personal files, etc. as I have several residences and leave a PC in each house / apartment when I'm not there - each PC contains a full copy of my data and I sync it as I move around the world. I occasionally allow other people to stay in these places; I don't want them going through my personal files, etc.
If the police asked me for the password I would never reveal it to them, well perhaps I would do so after I'd been imprisoned just to embarrass them beyond belief when they find nothing, however I might just take a moral stance depending on my current work load at the time of conviction.
The whole thing seems to mix up "encryption key" and "password".
They aren't the same thing. My OS encrypts data by default, using a 64 character encryption key.
My password, which unlocks the data, is 10 characters long.
If you ask me for the former, I wouldn't have a clue. For the latter, I'd be more able to help.
It sounds like the technical details have been muddled by non-technical prosecutors and police.
One very key point here - would the sentence be the same whatever the seriousness of the suspected offence being investigated (and, was it anything more than a fishing expedition by the police)?
It would be interesting to know if the judge took this into account in sentencing. Of course, if there was something really serious to hide, a sentence of that sort could look like the easier option. However, making that assumption is, itself, part of the poison.
I believe that it is the case that no prosecution like this would be possible in the US as the constitution effectively prevents it.
Oh yes - and the police communication on this with the press appears to have been a disgrace. It has all the characteristics of a nod and a wink to the journalists to convey the story the police wish to see in the press.
Of course it would hardly be a new thing. There was the horrible Colin Stagg where there was something only slightly short of a campaign by the police and certain unscrupulous journalists to convict him, even after the judge quite rightly threw the case out. For that case the culprits in the CPS and police should have been sacked instead of just landing us poor tax payers with a compensation bill.
nb. for those that are more sophisticated, there are methods of hiding encrypted data with "plausible deniability" using various forms of steganography or dual-layer encryption using TrueCrypt. How long before there is a case for not giving out a password for a hidden volume that is suspected to be there but the existence of which cannot be technically proved?
This is a complete disgrace. It is perfectly plausible to forget a 40 - 50 character passphrase. If the information encrypted with the key is not in retrospect important enough to be decrypted then there's no need to remember it. I've forgotten passphrases and lost keys. It flies in the face of presumption of innocence when "I forgot" is seen as obstruction. Foolish, foolish, dangerous law.
I am rather concerned that if I password-protect a file, the police have the ability to put me in prison.
@Cryto Carl
Probably no mix-up. Keys are often derived from pass phrases, which are more memorable than a string of hexadecimal characters.
But order (or "entropy") in the English language - ie the limited number of words in use, and further grammatical limitations on where words are used - gives crackers many cribs (clues) and can limit the strength of the pass phrase.
To make a pass phrase stronger, one can use digits or capitalisation other than that normally found in language, thereby increasing the entropy - or randomness - of the pass phrase.
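A worked illustration, added here and not part of the original thread, of the point made in this comment and in the earlier one distinguishing a 64-character key from a 10-character password: the software derives the key from the passphrase, so only an exactly reproduced passphrase unlocks anything, and the entropy of a random string can be compared with that of a word phrase. The phrase, salt, iteration count and vocabulary size are constructed assumptions, not values from the case.

```python
import hashlib
import math
import secrets
from typing import Tuple

# Constructed example values: the phrase is the one a commenter in this
# thread proposed; the salt is random, as a disk-encryption tool would store it.
PHRASE = "the quick brown fox jumped over the lazy dog"
ITERATIONS = 200_000  # assumed work factor, not taken from any real product


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Turn a memorable passphrase into a 256-bit encryption key.

    This is the usual arrangement in disk encryption: the user remembers the
    passphrase, the software keeps the (non-secret) salt in the volume header,
    and the key itself is never written down, so "the key" and "the password"
    are different objects even though one unlocks the other.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32
    )


def make_verifier(passphrase: str) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) as a volume header would store them.

    The verifier is a hash of the derived key, which lets the software check a
    typed passphrase without storing either the passphrase or the key.
    """
    salt = secrets.token_bytes(16)
    verifier = hashlib.sha256(derive_key(passphrase, salt)).digest()
    return salt, verifier


def unlocks(passphrase: str, salt: bytes, verifier: bytes) -> bool:
    """True only if the passphrase reproduces exactly the same key."""
    candidate = hashlib.sha256(derive_key(passphrase, salt)).digest()
    return secrets.compare_digest(candidate, verifier)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def word_phrase_entropy_bits(word_count: int, vocabulary_size: int) -> float:
    """Upper bound on the entropy of `word_count` words drawn independently from
    a vocabulary of `vocabulary_size` words. Real English prose is more
    predictable than this because grammar constrains which words follow which,
    which is the "cribs" point made in the comment above.
    """
    return word_count * math.log2(vocabulary_size)


if __name__ == "__main__":
    salt, verifier = make_verifier(PHRASE)
    # Near misses that a person might "remember" months later all fail:
    # different capitalisation, missing spaces, an extra full stop.
    attempts = (PHRASE, PHRASE.capitalize(), PHRASE.replace(" ", ""), PHRASE + ".")
    for attempt in attempts:
        state = "unlocks" if unlocks(attempt, salt, verifier) else "rejected"
        print(f"{attempt!r:>50} -> {state}")
    print("50 random alphanumerics:",
          round(random_string_entropy_bits(50, 62), 1), "bits")
    print("9 words from a 2000-word vocabulary (upper bound):",
          round(word_phrase_entropy_bits(9, 2000), 1), "bits")
```

The near-miss loop is the "computers don't do fluffy" point in practice: every variant derives a different key, so the volume stays locked.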
The police are inviting criticism by being secretive. We have no idea how obstructive he was being - if he gave a flat "No" it's different to sitting down in front of a PC for hours with the Police and trying to remember it. That in itself would be an indication of co-operation that may have provided mitigation when it came to sentencing. There is no doubt, though, that whatever the facts of the password issue itself, to besmirch his name with 'off-the-record, not our responsibility' comments is the wrong way for a body which purports to preserve the Rule of Law to act.
In a moment of high stress when I desperately needed money but the banks were shut, I once forgot my PIN number that I had been using at least once a week for many years. It never came back to me, although I knew it could be one of several variations.
I'd be interested to know if Drage had co-operated at all ("it starts with thequickbrownsomething"), or if he maintained that he had a total lapse of memory. The latter is less likely to be true, but not totally beyond the realms of possibility.
Also, about the first word (or two words) being capped in press releases - that's convention as Jeremy points out (for example, if you upload a press release to PR.com it will automatically cap your first couple of words, whether you like it or not). I would drop this point personally as it undermines the rest of the otherwise excellent article. Being picky though, "Teen" is colloquial and one would expect a more formal tone throughout and use of "Teenager".
The missing information which interests me is when the drive was last accessed prior to it being confiscated, and the time between that and questioning.
If it's only a matter of weeks I can see there being some doubt, but for all we know this could be a drive that hasn't been used for months, if not years, which is easily reasonable time to have forgotten a password.
That and the fact there are many things, both better and worse than indecent images of children, you could feel the need to hide/encrypt.
I just feel there is still a lot more to this than meets the eye.
Fiction becomes fact. Little Brother, by Cory Doctorow.
http://craphound.com/littlebrother/download/
@s0x
"Grow up"
Well ok, but that usually takes a bit of time and I'm probably older than you already.
"and contribute something useful."
If by that you mean smugly dispute the points others have made without adding anything that hasn't already been said, in much the same way as your completely superfluous contribution, then that would really just be self aggrandisement so I shan't bother. But thanks anyway.
It's another oddity that the CPS claim that Drage "was served with a court order in December 2009 section 49 of RIPA 2000, requiring him to disclose the password", because RIPA s49 does not give a court any power to make such an order. Instead it provides for the service of a notice requiring disclosure, in this case by a senior police officer.
It's even odder if the judge said "This was a deliberate flouting of a court order compounded by your continual denial of guilt." One can only hope that he wasn't misled by the CPS; though if he was, it's then odd that the defence team didn't correct this obvious error.