Passwords and prosecutions

The curious case of Oliver Drage.

When the news broke last week that a teenager had been given a custodial sentence for failing to provide his password to the police, the details of the story appeared incomplete.

The essentials of what had happened were as follows: Oliver Drage, 19 (and so only just a teenager), did not give a password to the police when formally requested to do so. He was prosecuted under the Regulation of Investigatory Powers Act 2000 and given a custodial sentence of 16 weeks in a young offenders institution (which may or not be regarded as the same as being "jailed").

However, the widespread media coverage of this conviction seemed problematic. Some things did not add up.

Let's start with the press release from Lancashire police.

Teen jailed for four months after failing to give up computer password

A TEEN who refused to give police officers an encryption password for his computer has been jailed for four months.

The case is believed to be the first of its kind in Lancashire.

Oliver Drage, 19, formerly of Naze Lane, Freckleton, was arrested in May 2009.

Drage's computer was seized but officers could not access material stored on it as it was protected by a 50-character encryption password. Drage was then formerly requested to disclose the password, which he failed to do.

Appearing at Preston Crown Court, Drage pleaded not guilty to failing to disclose an encryption key -- an offence covered by the Regulation of Investigatory Powers Act 2000. At his trial in September a jury took less than 15 minutes to find him guilty of the offence. Yesterday (Monday Oct 4), Drage was sentenced to 16 weeks in a Young Offenders Institution.

Detective Sergeant Neil Fowler, Blackpool Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the Judge in this case shows just how seriously the courts take this kind of offence.

Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their on-line criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.

This press release is troubling for both what it does and what it does not say.

It is written in a tabloid-like and sensationalised way (for example, "TEEN" in screaming capitals), which seems to me to be deeply inappropriate for an official communication about a serious matter. It also refers to "those using the internet to commit crime...those intent on trying to mask their on-line criminal activities" when, on the face of it, no such charge had been made against this particular defendant and no prosecution carried out.

But when this press release was picked up by the newspapers, certain further information about Drage was published.

From the Guardian: "Oliver Drage, 19, of Freckleton, Lancs, had originally been arrested in May last year by a team of officers from Blackpool tackling child sexual exploitation."

And from the Daily Mail: "Teenager jailed for refusing to give computer password to police investigating child sex crimes"

But the press release did not mention child sex exploitation, nor did it mention the type of police officers who arrested him. Whatever Drage may or may not have stored on his computer, he had not been either charged for or convicted of any sexual offence.

However, his (distinctive) name was now associated with the investigation of serious sex offences by several newspapers on the back of a sensationalist press release which itself mentioned nothing about any sexual offences.

So I asked for further information about this from the press office of Lancashire police. First, I received information about the police team which had arrested Drage:

The Awaken Project is a very close working partnership between Blackpool Council and Lancashire Police and other.

The team is responsible for using an intelligence led and pro active approach to protect children in Blackpool who may be at risk of sexual exploitation. Police officers and social workers on the team are responsible for jointly investigating cases and targeting suspected offenders. Staff from health and education departments supplement the team in an effort to impact upon the behaviour of young and potentially vulnerable persons.

I was also told on the telephone the nature of the offence on suspicion of which Drage was arrested (even though he was not charged nor convicted). I asked why Lancashire police thought it appropriate to link the defendant's name with child sex allegations when he was neither charged nor convicted in respect of such serious matters. The response:

You will notice that that aspect was not mentioned in the official press release and was given to you as guidance over the telephone when you rang. It is therefore your decision if you wish to make that link in print.

I then pointed out the the child sex abuse aspects had been mentioned in many newspapers, and gave the examples of the Guardian and Mail above. Was I correct in my assumption that Lancashire police was their source for this extra information? The response:

The information was given as guidance to all journalists who rang and asked why Drage had originally been arrested. As previously mentioned, it is not included in the press release - so was not in the 'brief' we gave the press - and it is down to the individual publication if they chose to print that information.

Hope this helps.

I reverted, now asking why Lancashire police believed it was appropriate to mention it as guidance. After all, the defendant was now publicly and widely associated with child sex investigations (perhaps the most serious investigations one can be associated with) when he was neither charged nor convicted of any sex offence.

I will refer you back to my previous answer. The information was given as guidance (and was not included in the press release) to assist journalists in their reporting of the matter, by clarifying why Drage was arrested and his computer seized. Failure to give this guidance could have resulted in inaccurate assumptions and reporting of the case.

All journalists were pointed to the fact that this information was not in the press release and that it was their decision should they chose to publish the information that was given to them as guidance.

In contrast, the Crown Prosecution Service responded to my queries without any reference at all to the sexual offences for which Drage had been arrested. Indeed, for the CPS the prosecution was explicable on the straightforward facts of this particular offence:

Oliver Drage was found guilty on October 5, at Preston Crown court of failing to provide his computer's password contrary to section 53 of the Regulation of Investigatory Powers Act 2000.

The CPS received a file of evidence from Lancashire Police after he was served with a court order in December 2009 section 49 of RIPA 2000, requiring him to disclose the password.

He failed to do so within the three weeks' period specified on the order. After a thorough review of the evidence, we decided that there was sufficient evidence and it was in the public interest to prosecute Oliver Drage for this offence as his failure to disclose the password has obstructed an ongoing police investigation.

Evidence showed that the defendant admitted in police interviews that he had set an encrypted password of between 40 and 50 characters containing both letters and numbers using an encryption software programme and that he had had originally relied on his memory to recall it but could not recall it when he was served with the notice.

The jury heard both the prosecution and defence case and accepted the prosecution case that the defendant must have kept a record of this very complex password, rather than relying on memory, and that he had deliberately failed to disclose it to the police. They returned a guilty verdict after 15 minutes deliberation.

As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it.

I also asked the CPS for what guidance it had for those who also may forget passwords, and their response was:

Part III of the Regulation of Investigatory Powers Act 2000 (the Act) and Investigation of Protected Electronic Information Code of Practice came into force on the 1st October 2007. The Code of Practice provides guidance to be followed when exercising powers under the Act to require disclosure of protected electronic data in an intelligible form or to acquire the means by which protected electronic data maybe accessed or put in an intelligible form.

Overall, there are two issues about this curious case.

First, there is the narrow issue of the prosecution and conviction. On the basis of the CPS statement, one can see why a claim to have forgotten a previously memorised encrypted password of between 40 and 50 characters, and not to have written it down elsewhere, would rather strain credulity.

Second, there is the worrying way in which highly prejudicial information is provided and published about an individual charged for and convicted of an offence very different for the one for which he was arrested on being on suspicion of having committed.

It may well be that Lancashire police break the encryption code.It could be that there is sordid material yet to be revealed which may have warranted a charge and even conviction of a serious sexual offence. We simply do not know. And neither do the Lancashire police.

However, in the meantime, an individual is now publicly associated with a serious investigation in respect of which was neither charged nor convicted; a police force publishes press releases as if they were tabloid stories and also furnishes highly-prejudicial information, but passes the buck if the press publishes it (which, of course, they will do); and the rest of us are really none the wiser whether a four month custodial sentence in this case was because of the gravity of the original suspicions or just for the implausibility of not knowing or noting down a 40 to 50 character password.

There is something not right here.

 

David Allen Green is a lawyer and a writer. He was shortlisted for the George Orwell blogging prize in 2010. He blogs for the New Statesman on legal and policy matters.

David Allen Green is legal correspondent of the New Statesman and author of the Jack of Kent blog.

His legal journalism has included popularising the Simon Singh libel case and discrediting the Julian Assange myths about his extradition case.  His uncovering of the Nightjack email hack by the Times was described as "masterly analysis" by Lord Justice Leveson.

David is also a solicitor and was successful in the "Twitterjoketrial" appeal at the High Court.

(Nothing on this blog constitutes legal advice.)

Getty
Show Hide image

The 11 things we know after the Brexit plan debate

Labour may just have fallen into a trap. 

On Wednesday, both Labour and Tory MPs filed out of the Commons together to back a motion calling on the Prime Minister to commit to publish the government’s Brexit plan before Article 50 is triggered in March 2017. 

The motion was proposed by Labour, but the government agreed to back it after inserting its own amendment calling on MPs to “respect the wishes of the United Kingdom” and adhere to the original timetable. 

With questions on everything from the customs union to the Northern Irish border, it is clear that the Brexit minister David Davis will have a busy Christmas. Meanwhile, his declared intention to stay schtum about the meat of Brexit negotiations for now means the nation has been hanging off every titbit of news, including a snapped memo reading “have cake and eat it”. 

So, with confusion abounding, here is what we know from the Brexit plan debate: 

1. The government will set out a Brexit plan before triggering Article 50

The Brexit minister David Davis said that Parliament will get to hear the government’s “strategic plans” ahead of triggering Article 50, but that this will not include anything that will “jeopardise our negotiating position”. 

While this is something of a victory for the Remain MPs and the Opposition, the devil is in the detail. For example, this could still mean anything from a white paper to a brief description released days before the March deadline.

2. Parliament will get a say on converting EU law into UK law

Davis repeated that the Great Repeal Bill, which scraps the European Communities Act 1972, will be presented to the Commons during the two-year period following Article 50.

He said: “After that there will be a series of consequential legislative measures, some primary, some secondary, and on every measure the House will have a vote and say.”

In other words, MPs will get to debate how existing EU law is converted to UK law. But, crucially, that isn’t the same as getting to debate the trade negotiations. And the crucial trade-off between access to the single market versus freedom of movement is likely to be decided there. 

3. Parliament is almost sure to get a final vote on the Brexit deal

The European Parliament is expected to vote on the final Brexit deal, which means the government accepts it also needs parliamentary approval. Davis said: “It is inconceivable to me that if the European Parliament has a vote, this House does not.”

Davis also pledged to keep MPs as well-informed as MEPs will be.

However, as shadow Brexit secretary Keir Starmer pointed out to The New Statesman, this could still leave MPs facing the choice of passing a Brexit deal they disagree with or plunging into a post-EU abyss. 

4. The government still plans to trigger Article 50 in March

With German and French elections planned for 2017, Labour MP Geraint Davies asked if there was any point triggering Article 50 before the autumn. 

But Davis said there were 15 elections scheduled during the negotiation process, so such kind of delay was “simply not possible”. 

5. Themed debates are a clue to Brexit priorities

One way to get a measure of the government’s priorities is the themed debates it is holding on various areas covered by EU law, including two already held on workers’ rights and transport.  

Davis mentioned themed debates as a key way his department would be held to account. 

It's not exactly disclosure, but it is one step better than relying on a camera man papping advisers as they walk into No.10 with their notes on show. 

6. The immigration policy is likely to focus on unskilled migrants

At the Tory party conference, Theresa May hinted at a draconian immigration policy that had little time for “citizens of the world”, while Davis said the “clear message” from the Brexit vote was “control immigration”.

He struck a softer tone in the debate, saying: “Free movement of people cannot continue as it is now, but this will not mean pulling up the drawbridge.”

The government would try to win “the global battle for talent”, he added. If the government intends to stick to its migration target and, as this suggests, will keep the criteria for skilled immigrants flexible, the main target for a clampdown is clearly unskilled labour.  

7. The government is still trying to stay in the customs union

Pressed about the customs union by Anna Soubry, the outspoken Tory backbencher, Davis said the government is looking at “several options”. This includes Norway, which is in the single market but not the customs union, and Switzerland, which is in neither but has a customs agreement. 

(For what it's worth, the EU describes this as "a series of bilateral agreements where Switzerland has agreed to take on certain aspects of EU legislation in exchange for accessing the EU's single market". It also notes that Swiss exports to the EU are focused on a few sectors, like chemicals, machinery and, yes, watches.)

8. The government wants the status quo on security

Davis said that on security and law enforcement “our aim is to preserve the current relationship as best we can”. 

He said there is a “clear mutual interest in continued co-operation” and signalled a willingness for the UK to pitch in to ensure Europe is secure across borders. 

One of the big tests for this commitment will be if the government opts into Europol legislation which comes into force next year.

9. The Chancellor is wooing industries

Robin Walker, the under-secretary for Brexit, said Philip Hammond and Brexit ministers were meeting organisations in the City, and had also met representatives from the aerospace, energy, farming, chemicals, car manufacturing and tourism industries. 

However, Labour has already attacked the government for playing favourites with its secretive Nissan deal. Brexit ministers have a fine line to walk between diplomacy and what looks like a bribe. 

10. Devolved administrations are causing trouble

A meeting with leaders of Scotland, Wales and Northern Ireland ended badly, with the First Minister of Scotland Nicola Sturgeon publicly declaring it “deeply frustrating”. The Scottish government has since ramped up its attempts to block Brexit in the courts. 

Walker took a more conciliatory tone, saying that the PM was “committed to full engagement with the devolved administrations” and said he undertook the task of “listening to the concerns” of their representatives. 

11. Remain MPs may have just voted for a trap

Those MPs backing Remain were divided on whether to back the debate with the government’s amendment, with the Green co-leader Caroline Lucas calling it “the Tories’ trap”.

She argued that it meant signing up to invoking Article 50 by March, and imposing a “tight timetable” and “arbitrary deadline”, all for a vaguely-worded Brexit plan. In the end, Lucas was one of the Remainers who voted against the motion, along with the SNP. 

George agrees – you can read his analysis of the Brexit trap here

Julia Rampen is the editor of The Staggers, The New Statesman's online rolling politics blog. She was previously deputy editor at Mirror Money Online and has worked as a financial journalist for several trade magazines.