The Staggers

The New Statesman’s rolling politics blog

Passwords and prosecutions

The curious case of Oliver Drage.

By David Allen Green Published 13 October 2010 18:23

When the news broke last week that a teenager had been given a custodial sentence for failing to provide his password to the police, the details of the story appeared incomplete.

The essentials of what had happened were as follows: Oliver Drage, 19 (and so only just a teenager), did not give a password to the police when formally requested to do so. He was prosecuted under the Regulation of Investigatory Powers Act 2000 and given a custodial sentence of 16 weeks in a young offenders institution (which may or not be regarded as the same as being "jailed").

However, the widespread media coverage of this conviction seemed problematic. Some things did not add up.

Let's start with the press release from Lancashire police.

Teen jailed for four months after failing to give up computer password

A TEEN who refused to give police officers an encryption password for his computer has been jailed for four months.

The case is believed to be the first of its kind in Lancashire.

Oliver Drage, 19, formerly of Naze Lane, Freckleton, was arrested in May 2009.

Drage's computer was seized but officers could not access material stored on it as it was protected by a 50-character encryption password. Drage was then formerly requested to disclose the password, which he failed to do.

Appearing at Preston Crown Court, Drage pleaded not guilty to failing to disclose an encryption key -- an offence covered by the Regulation of Investigatory Powers Act 2000. At his trial in September a jury took less than 15 minutes to find him guilty of the offence. Yesterday (Monday Oct 4), Drage was sentenced to 16 weeks in a Young Offenders Institution.

Detective Sergeant Neil Fowler, Blackpool Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the Judge in this case shows just how seriously the courts take this kind of offence.

Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their on-line criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.

This press release is troubling for both what it does and what it does not say.

It is written in a tabloid-like and sensationalised way (for example, "TEEN" in screaming capitals), which seems to me to be deeply inappropriate for an official communication about a serious matter. It also refers to "those using the internet to commit crime...those intent on trying to mask their on-line criminal activities" when, on the face of it, no such charge had been made against this particular defendant and no prosecution carried out.

But when this press release was picked up by the newspapers, certain further information about Drage was published.

From the Guardian: "Oliver Drage, 19, of Freckleton, Lancs, had originally been arrested in May last year by a team of officers from Blackpool tackling child sexual exploitation."

And from the Daily Mail: "Teenager jailed for refusing to give computer password to police investigating child sex crimes"

But the press release did not mention child sex exploitation, nor did it mention the type of police officers who arrested him. Whatever Drage may or may not have stored on his computer, he had not been either charged for or convicted of any sexual offence.

However, his (distinctive) name was now associated with the investigation of serious sex offences by several newspapers on the back of a sensationalist press release which itself mentioned nothing about any sexual offences.

So I asked for further information about this from the press office of Lancashire police. First, I received information about the police team which had arrested Drage:

The Awaken Project is a very close working partnership between Blackpool Council and Lancashire Police and other.

The team is responsible for using an intelligence led and pro active approach to protect children in Blackpool who may be at risk of sexual exploitation. Police officers and social workers on the team are responsible for jointly investigating cases and targeting suspected offenders. Staff from health and education departments supplement the team in an effort to impact upon the behaviour of young and potentially vulnerable persons.

I was also told on the telephone the nature of the offence on suspicion of which Drage was arrested (even though he was not charged nor convicted). I asked why Lancashire police thought it appropriate to link the defendant's name with child sex allegations when he was neither charged nor convicted in respect of such serious matters. The response:

You will notice that that aspect was not mentioned in the official press release and was given to you as guidance over the telephone when you rang. It is therefore your decision if you wish to make that link in print.

I then pointed out the the child sex abuse aspects had been mentioned in many newspapers, and gave the examples of the Guardian and Mail above. Was I correct in my assumption that Lancashire police was their source for this extra information? The response:

The information was given as guidance to all journalists who rang and asked why Drage had originally been arrested. As previously mentioned, it is not included in the press release - so was not in the 'brief' we gave the press - and it is down to the individual publication if they chose to print that information.

Hope this helps.

I reverted, now asking why Lancashire police believed it was appropriate to mention it as guidance. After all, the defendant was now publicly and widely associated with child sex investigations (perhaps the most serious investigations one can be associated with) when he was neither charged nor convicted of any sex offence.

I will refer you back to my previous answer. The information was given as guidance (and was not included in the press release) to assist journalists in their reporting of the matter, by clarifying why Drage was arrested and his computer seized. Failure to give this guidance could have resulted in inaccurate assumptions and reporting of the case.

All journalists were pointed to the fact that this information was not in the press release and that it was their decision should they chose to publish the information that was given to them as guidance.

In contrast, the Crown Prosecution Service responded to my queries without any reference at all to the sexual offences for which Drage had been arrested. Indeed, for the CPS the prosecution was explicable on the straightforward facts of this particular offence:

Oliver Drage was found guilty on October 5, at Preston Crown court of failing to provide his computer's password contrary to section 53 of the Regulation of Investigatory Powers Act 2000.

The CPS received a file of evidence from Lancashire Police after he was served with a court order in December 2009 section 49 of RIPA 2000, requiring him to disclose the password.

He failed to do so within the three weeks' period specified on the order. After a thorough review of the evidence, we decided that there was sufficient evidence and it was in the public interest to prosecute Oliver Drage for this offence as his failure to disclose the password has obstructed an ongoing police investigation.

Evidence showed that the defendant admitted in police interviews that he had set an encrypted password of between 40 and 50 characters containing both letters and numbers using an encryption software programme and that he had had originally relied on his memory to recall it but could not recall it when he was served with the notice.

The jury heard both the prosecution and defence case and accepted the prosecution case that the defendant must have kept a record of this very complex password, rather than relying on memory, and that he had deliberately failed to disclose it to the police. They returned a guilty verdict after 15 minutes deliberation.

As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it.

I also asked the CPS for what guidance it had for those who also may forget passwords, and their response was:

Part III of the Regulation of Investigatory Powers Act 2000 (the Act) and Investigation of Protected Electronic Information Code of Practice came into force on the 1st October 2007. The Code of Practice provides guidance to be followed when exercising powers under the Act to require disclosure of protected electronic data in an intelligible form or to acquire the means by which protected electronic data maybe accessed or put in an intelligible form.

Overall, there are two issues about this curious case.

First, there is the narrow issue of the prosecution and conviction. On the basis of the CPS statement, one can see why a claim to have forgotten a previously memorised encrypted password of between 40 and 50 characters, and not to have written it down elsewhere, would rather strain credulity.

Second, there is the worrying way in which highly prejudicial information is provided and published about an individual charged for and convicted of an offence very different for the one for which he was arrested on being on suspicion of having committed.

It may well be that Lancashire police break the encryption code.It could be that there is sordid material yet to be revealed which may have warranted a charge and even conviction of a serious sexual offence. We simply do not know. And neither do the Lancashire police.

However, in the meantime, an individual is now publicly associated with a serious investigation in respect of which was neither charged nor convicted; a police force publishes press releases as if they were tabloid stories and also furnishes highly-prejudicial information, but passes the buck if the press publishes it (which, of course, they will do); and the rest of us are really none the wiser whether a four month custodial sentence in this case was because of the gravity of the original suspicions or just for the implausibility of not knowing or noting down a 40 to 50 character password.

There is something not right here.

David Allen Green is a lawyer and a writer. He was shortlisted for the George Orwell blogging prize in 2010. He blogs for the New Statesman on legal and policy matters.

More from David Allen Green

View the discussion thread.

114 comments

Mon, 2012-07-16 19:16 — 5cr47chthat1tch (not verified)

This case is troubling on so many levels it's difficult to even say.

First of all, I happen to have used ~50 character passwords for quite a bit, ones with a combination of familiar words bound together with no logical connection to a stranger, but which for me are connected. And like the name I used above, it is fairly easy to come up with a logic for substituting letters for numbers where appropriate in "l337" style (check that from wikipedia, if you don't know it).

Second, what is more troubling, is that there is no plausible evidence connecting this poor kid to anything like CP or CSE. You could have said something like "server logs that suggest" or something. It is obvious the coppers have no real evidence, and that they wanted to look for anything incriminating on the disk drive.

Third, this is an illustration of how RIPA made a travesty of reasonable privacy. Damn it, I would NOT have given that password,and I would have made it very clear in court and press why not. Because it is an outrageous invasion of privacy! If you have some server logs, etc then it's a shame on me, but then even those server logs can only be suggestive. IP sppfing is not as hard as one might like to think.

Fourth, another way coppers abuse their power. It could be that they just wanted to check for any good porn on this guy's computer, and tried to make him divulge his whole life to them, even stuff that has nothing to do with any crime, but that could be used against him. Isn't anyone thinking of that? They went as far as subpoena for the password, and threaten with jail, and then they had to come up with something, and sure enough, they cough up the magic words: "Child Porn" or "Child Sexual Exploitation" and here we are.

Even if this case had developed from this stage, the coppers have abused their powers, and you sheeple are praying for more powers for them, right? You want someone to protect you from the freedom that it took almost a thousand years to acquire, and now you want to destroy it because you're afraid of guys who look different and might be dangerous.

Sorry for the rant, this case just set me off again (I may have commented earlier here, I can't remember, honestly!).

Wed, 2010-10-13 22:49 — Homo Sapiens

I wonder what legal help Drage received. Perhaps it would be worth an appeal. The facts as you have described them make the trial sound very unsatisfactory.

Wed, 2010-10-13 23:36 — jie4v7i14

To be incarcerated for four months for just this? Bizarre. Sounds like an hysterical witch trial from the fifteenth century. Where is the any other evidence?

Thu, 2010-10-14 20:37 — James (not verified)

2 words for all of you and every potential juror: Jury Nullification

Mon, 2010-10-18 13:41 — ttl (not verified)

This case is an absolute disgrace. How on earth did they prove beyond a reasonable doubt that he had not, in fact, forgotten his password? Or is that no longer a requirement to secure a conviction in the UK any longer?

@MP Could you prove the claim that there was 'only 1 reason why he wouldn't divulge the necessary details.'? The fact is that there are numerous examples of Police falsely accusing people of such offences on the most flimsy of evidence. Child Pornography cases have become modern-day witch-hunts. All it takes is a suggestion that someone is engaged in such activity for the bumbling masses to reach for their pitchforks.

The Police and Judge in this case are the real criminals. They clearly are so used to perverting the so-called justice system that they can so brazenly behave in such an underhanded and manipulative fashion.

British justice is a joke.

Mon, 2010-10-18 14:04 — Anton (not verified)

He's merely a scapegoat for the fear mongering police and media.
I’m not saying he's innocent or guilty of having illegal material on his hard-drive, thats not for me to decide, but the fact that this case gets thrown into the limelight when there are 100s of cases like this, does make me more then suspicious.

As long as these stories pop up now and then, we are being continually conditioned and slowly but surely we'll be giving our rights and privacy away, just the same as we are because of this "War on Terror" lie/joke.

Or as Frank put it, this seems like an “Orwellian sledgehammer to crack a nut”.

Thu, 2010-10-14 10:11 — helen_back

I honestly, in my (thankfully) computer illiterate bubble, thought that any computers content could be retrieved in the event of these kind of circumstances. Clearly not. Back to my love of beastiality then..

Sun, 2010-10-17 11:52 — TonyG (not verified)

At last a sensible article on this case - it worries me because i have had jobs in the past requiring me to encrypt files with at least 25 character passwords - i haven't read those files for years, always followed the advice given of NEVER writing down a password (no one in their right mind does)and have forgotten the password - but could in theory be jailed for that according to this ludicrous guideline. Now i suppose i will have to dig up all my old memory sticks, backup drives, defunct laptops and files and erase them just in case.
Welcome to England where you are Guilty until proven innocent.

Thu, 2010-10-14 00:31 — brianlj (not verified)

If Drage had a 40-50 character password, it would be reasonable to assume that he couldn't remember it and had to rely on a note somewhere.

If he had destroyed this aide memoire *before* the police formally asked for the password, it is very unlikely that he could have been convicted under RIPA.

Mon, 2010-10-18 14:15 — Anton (not verified)

http://chiefofficers.net/888333888/cms/index.php/news/management/risk_pr...

Not my opinion, but I agree with the Power shift issue.

Thu, 2010-10-14 01:24 — wmheath

If you call an innocent person a sex offender in a press release without privilege or fair comment defence it's libel. If you merely say it over the phone it's slander. Very poor practice, naive and culpable, by the press officer concerned.

Thu, 2010-10-14 01:59 — dorn284 (not verified)

I have at least 9 different passwords I have to remember at work. At least 15 passwords for websites I use. Plus passwords for different programs I use such as game logins. All of my passwords are between 12 and 15 characters. Half the time I couldn't tell you what the password is until I sit down to type them. In a case like this, for someone to be using a 40-50 character password and not right it down it would probably be either a sentence or series of words that he would be able to remember with some numbers thrown in. That said, if the police came into my home and demanded the password to my computer the combination of fear and stress would make it incredibly easy to forget any number of my passwords. The law against self incrimination appears to have been ignored in this case.

Mon, 2010-10-18 15:11 — Neil (not verified)

I develop web sites and one of the first things required in just about every one I've ever built is a "forgotten password?" option. Most sites have them, becuase, quite simply, they are used. By us. People that don't have 50 character passwords, but more "normal" length ones... Yes, that's right, we even forget our 8 character passwords that we once used. I certainly have.

Sun, 2010-10-17 13:00 — Dave Crittenden (not verified)

I don't believe for a minute that the police, with all their resources cannot access the data on any computer especially in the current climate of global terrorism and the measures to counteract it.

Wed, 2010-10-13 19:07 — Marcus (not verified)

Are 50 character passwords accepted many places?

Wed, 2010-10-13 19:09 — gwenhwyfaer (not verified)

"...one can see why a claim to have forgotten a previously memorised encrypted password of between 40 and 50 characters, and not to have written it down elsewhere, would rather strain credulity."

Well, one might, if one (a) were particularly devoid of imagination, and (b) hadn't made a habit of doing the self-same bloody thing over several years... *goes back to trying to remember various passwords*

Thu, 2010-10-14 03:47 — Miriam (not verified)

This is all indefensable. The Police and the CPS should have waited until they could crack the encryption and gain the correct evidence, then charged him with the relevant offense or offences. Without evidence to prove without doubt, the person who is "suspected of committing a crime" is innocent until there is evidence to prove that the accused person is guilty.

I would also like to point out that a person has the right to privacy. Any invasion of that right, by the Police, had better be for a good reason, other wise we are no longer living in a democracy.

Tue, 2010-10-19 16:41 — Dave C (not verified)

Get rid of the adads1452 spam.

Tue, 2010-10-19 17:08 — Andrew Molloy (not verified)

@bernie court,
Yes it's a silly law but that's not relevant to anything else you've mentioned. We're not talking about a Windows password here. It's an encrypted drive. Copying any data will only give you encrypted data. What you're talking about is purely a password to access Windows and your drive is not encrypted. A 40 key encryption will NOT be cracked at all (certainly with modern tech) if any modern encryption method was used.

Thu, 2010-10-14 05:09 — David (not verified)

One of the provisions of the US Constitution is the right not to incriminate yourself. The reason for this is because the UK has been doing things like this for over 200 years.

Mon, 2010-10-18 16:30 — S (not verified)

I'm Spartacus

Fri, 2010-10-15 03:05 — Rolo Tamasi

Dave - using encryption can never be a reason to suspect someone, we all have thing we prefer to keep private and indeed many of us have data on others we have a duty to keep private.

David Allen Green - writing down a pass phrase is very poor practice & forgetting 50 precise characters is very easy.

Anyone - what software was he using, I want it!

Sun, 2010-10-17 16:08 — hugh markey (not verified)

Easy solution. Find out his dog's [ pet's ] name.

Duh Vinci

Mon, 2010-10-18 17:27 — ttl (not verified)

@S No, you're an idiot, but like your comment, that is beside the point.

Thu, 2010-10-14 08:05 — Rover (not verified)

I'm part of a UK police computer forensics unit, and have been following this case with some interest (and the comments on most tech news sites with rather less interest). First off, a disclaimer: I'm not from Lancashire Police and have no knowledge whatsoever of this case other than what I've read in the press.

You say that we don't have the full picture and I think you're absolutely right. The PR from Lancs is incomplete, which is pretty much expected - a police force is not a news agency, and shouldn't be treated as such either by itself or by the press. Its releases should be treated, in my opinion, as merely a heads-up for journalists that there might be a story of interest. The work in developing the story is down to the journalists, although these days many seem to be content with merely printing a PR verbatim. This isn't the fault of the police but I accept that nor does it excuse the police for releasing skewed statements.

Should the police have released the details of the nature of the offence for which Drage was arrested? I think the answer to that depends on whether or not the information could have been obtained from the Courts - if it could, then it's public record and a proper journalist would have discovered it with a couple of phone calls anyway. As the nature of the original offence affects the sentence with Section 49, I would imagine that the details would have been prominent..

We've had several cases where a suspect has been using strong encryption and has been initially reluctant to provide the password. So far we've been lucky in that we've always had a mass of evidence to indicate that the encrypted data was being regularly opened, up until shortly before the arrest. We can also usually show folder listings of the encrypted data which. in the indecent images cases. give a fair indication of the contents. Was any evidence like this provided in the Drage case? We don't know but presumably it's in the public record. if it was part of the evidence sent to CPS - remember that everything. the prosecution does is disclosable.
y
A final point - where is Drage's solicitor in all this? I may be mistaken, but all of the information so far seems to have come from the prosecution at the request of the press. If I were Drage and I had genuinely forgotten my password, I'd be making damn sure that my good name wasn't left in the hands of a random lawyer-journalist who happened to take an interest in the case.

So yes, we don't have the full picture. But is it the job of the police to keep the press informed of their every move? Should every file that goes to CPS also go to Reuters?

Wed, 2010-10-20 21:48 — Ian Huntley (not verified)

I'm a paedophile and I encrypt my data, the fucking cops will never catch me the wankers!

Thu, 2010-10-14 08:12 — Zack (not verified)

Maybe someone said it, but you all realize that the "TEEN" was capitalized because, like many other publications, they tend to put in all caps the first part of the article. This is a common thing, not as if they capitalized "TEEN" in the middle of the article. It's a style thing.

Thu, 2010-11-11 00:09 — Monty (not verified)

Surely Lancashire Police have slandered Drage?

Sat, 2010-10-16 03:22 — jdowe (not verified)

he is 19yo. if he touched his 17yo girlfriend and her dad went to police, he can be charged as sex offender.
his gf can be forced to be checked by a doctor and when he enters prison he will have to strip in front of the officers.
tell me what is more intrusive?

Sun, 2010-10-24 02:22 — James Donnelly (not verified)

Why must it strain credulity? If Oliver Drage is a touch typist, his explanation is highly plausible. A touch typist will have a kinaesthetic memory of his or her password. It’s an unconscious memory, just as an accomplished pianist doesn’t think about pressing the keys of the piano. It’s also a different memory from the ones usually associated with language, which is why some dyslexics have managed to reduce their problems with writing English by learning to touch type.

From my personal perception, kinaesthetic memory is simultaneously extremely robust and extremely fragile. So long at it’s used periodically, you can retain a lot of information, effectively indefinitely. For a fifty character password that I was using frequently, I would be able to enter it in less five seconds, without thinking about it. It’s not necessarily burdensome. But, when it goes, it can go quickly and completely; you don’t even know the first key to press. A website changing its page layout has been enough to throw me. I sat looking at the screen for five minutes hoping that it will come to me, but it didn’t. As a previous commenter asked, what was the period of time between the seizure and the section 49 notice?

People aged 19 often don’t have backups of their data. They tend to be too young to have had their first calamitous loss due to theft or hardware failure. They probably don’t have written backups of their passwords either.

I guess the jury took a disliking to him and so didn’t believe his explanation for the prosecution’s lack of evidence.

Sat, 2010-11-06 22:03 — what a plonker (not verified)

Is there a difference between not providing a password and not providing a breath, urine or blood test to the Police for driving?

---
@polleetickle
Twitter.com

Mon, 2010-10-18 18:17 — S (not verified)

Oooooooooooo.
Could you have got a couple more commas in there?

Mon, 2010-11-22 05:37 — Life (not verified)

@Quirk

You alluded to suspicion.

More importantly, when does suspicion evolve to a breach of legislation.

Most countries won't allow suspicion as a precedence to home invasion.

Do you drive a tank through the front wall of said premises based on suspicion alone?.Or do you accept that the owner of the property has every right to protect their personal autonomy & well-being in life?.

Sun, 2010-10-17 20:31 — Huge Malarkey (not verified)

Free the password one!

Sun, 2010-10-17 20:34 — Mike, London (not verified)

What I totally do not understand is that every ISP can and does log what an IP address downloads. Why can't they find out that way? Even going through a proxy server they can still find out.

Also, what ever happened to the right of personal information to be keep personal ?

Seems very heavy handed to ruib this kids life by how they have prosecuted him - turned him into a sexual predator without actual proof wtf.....

For an encryption to be affective you would need it on the root of the hard drive - unless he wrote his own software then any encryption manufacturers will have a 'back door' or a means to recover. If he's encrypted a folder then what about the rest o the stuff on his computer where information can be found like history, temp files, system files, registry ? I find it hard to believe this kid can comprehensively protect his machine that even the MOD / CID type specials can'#t even gather data from.
In fact, I think this kid is a scapeogoat and is being made an example to scare the public - the government want to be in total control
I smell a rat.

3 words - New World Order

Sun, 2010-10-17 20:41 — Aladin (not verified)

Don't be a pussy whipped society. You are entitled by being born to your personal imformation and to be able to protect it.

Fight back on principle ! Google 'pgp free' and start using encryption now in all your email correspondance and lock up your pc !

pgp = pretty good privacy

Even if you don't want to do that then at least consider it as an option. It is not widely thrust upon the home user because the government want to see and know what is happening and are not happy for people to use encryption.

Peace and good luck. Soon may this kid be freed and then takes the relevant partys back to court and sues them for gross abuse of human rights, pursecution and above all - corruption in the law

Sun, 2010-10-17 20:53 — Steve Tea (not verified)

Encryption requires that you type a certain number of characters before becoming secure. It could be a password or a sentence created with alphnumeric, special characters such as a tilde and mixed case.

All publically available encryption is monitored by governements after all they are years ahead in this field. Companies such as microsoft have to enable backdoors into their encryption to provide support for law enforcement.

The Police and CPS are both lazy in not using a brute force password charachter

Fri, 2010-10-15 10:01 — swatantra

'jurynullification' would be a good password. So would anything in Latin, because nobody speaks it these days apart from the Pope and a few cardinals.

Sun, 2010-10-17 21:05 — Simon Cook (not verified)

People are too self obsessed about privacy in this me me me society if he had nothing to hide why play games with his own integrity its a joke that he claims he forgot his password and as likely as thugs when in court for violence remembering nothing of the event

Wed, 2010-10-13 21:41 — Kate Webster (not verified)

Lancashire Police's decision to give details of an uncharged offence to the media is appalling, but also seems completely irresponsible. They've made it very clear that they suspect Drage of child sex offences (on what - if any - grounds, we don't know), but surely they've irremediably prejudiced any future trial? Were they to find evidence supporting such a charge, surely the defence would be entitled to claim that any jury would be biased by previous media coverage.
I do wonder what remedy Drage has against the police for describing him as suspected as serious offences which haven't been charged or proved. If the police decide they can brief the media on any offence they think someone may have committed, on the basis of them having been convicted if something else, that could be fairly devastating for members of the public.

Fri, 2010-10-15 10:55 — John Self (not verified)

I think the main article raises some interesting issues, but it's not of much help in relation to the offence itself since, as others have pointed out, there are many 'known unknowns', such as how much co-operation Drage gave to the police.

One group of people who do know these details is the jury that convicted him. They reached their decision in 15 minutes, which suggests that they didn't have many doubts about their verdict. They heard the evidence in the case (including evidence from Drage himself if he chose to give it), and know more about the case than we do.

Yet people in the comments above seem to pile on the police, CPS and judge but very little mention of the jury. One commenter does raise the issue of 'Jury nullification' - which is when a jury reaches a verdict contrary to the weight of the evidence.

I presume this was a satirical comment since we don't know what the weight of the evidence was, but the jury did.

Sun, 2010-10-17 21:28 — Simon (not verified)

If you agree with the blog author that it is a stretch to imagine that when the police wanted to examine his hard drive he genuinely forgot an important password he'd previously memorized, and assume that his counsel had warned him of the likely custodial sentence, then the inescapable conclusion is that he knew he would have faced a more serious sentence if he'd handed over his password.

He's played the system to his advantage.

This is, as others have pointed out, the same logic as refusing to give a breath test (excepting the fact you might be drunk then, which I find doesn't always improve my judgement.)

Presumably the police have IP evidence linking illegal activity back to his computer which is why they wanted to examine the hard drive. But, of course, that's exactly the problem - if they haven't been able to collect enough evidence to prove these allegations in court then they shouldn't have been made public. As it is, with his unusual name, these unproven allegations will resurface any time an employer or colleague looks him up in a search engine.

If the police couldn't prove the original allegations, they should have simply let his willingness to go to jail for failing to give up his encryption password speak for itself.

Fri, 2010-10-15 11:02 — John Self (not verified)

I should add that I don't have any difficulty in principle with strong sanctions being available for failure to disclose passwords or the like in certain circumstances.

This is somewhat akin to the drink driving position. Drink driving (in almost all cases) carries a mandatory 12 months+ disqualification. But to prove it, the police need a breath or urine sample. So if the suspect fails to provide one, they can't be convicted. A loophole! Which is why failure to carry out a breath test or provide a sample (without good reason) is also an offence and carries the same penalty, ie 12 months' disqualification.

Fri, 2010-10-15 11:07 — paul (not verified)

surely this is the same as someone being punished for refusing to take a breathalyzer or give a blood sample when suspected of drink driving? Or athletes getting bans for missing drug tests? And is completely justified

Sun, 2010-10-17 21:41 — bradderz (not verified)

"All publically available encryption is monitored by governements after all they are years ahead in this field. Companies such as microsoft have to enable backdoors into their encryption to provide support for law enforcement."
WRONG. Microsofts own "Bitlocker" Has no built in backdoors, And they are not adding one for goverments help- Which is absolutly right, no goverment should have "special" access to backdoor encryption.

"The Police and CPS are both lazy in not using a brute force password charachter"
The reason they are not brute forcing as it would take the top supercomputer and 4 years to crack the password.

Sun, 2010-10-17 21:54 — Peter Fyle (not verified)

I guess he used Truecrypt which is a popular free encryption software. If he'd used it propely he would not have been convicted of any offence. He should have created a hidden volume on his hard drive.

Thu, 2010-10-14 12:44 — Prakash Behanan (not verified)

How bad that he is not in Bangalore. he could hav escaped freely, without any scar from the police.But plz dont go in front of judiciary here. carry on Oliver Drage

Fri, 2010-10-15 11:37 — Jonathan (not verified)

Generally writing down passwords is problematic, although often done. That iswhy most advise is NOT to write passwords down. A 40-50 character password may not be that difficult to remember, for example choosing four dates (e.g. the start and end dates of ww1 and ww2) would give a 32 numeral password that would also be quite easy to recall (but fairly awkward to crack). Finally passwords take account of case and non-alpha-numerical characters, and as such minor recall errors can result in an apparently easy to recall long password becoming lost. In this case the Police seem to be convinced of this individuals guilt, but not been able to prove it, and decided to reveal the unproven allegations against him to the press. This must be seen as either very naive or bordering on criminally irresponsible. The police often do 'know' more than they can prove, but equally on a number of occasions we have seen people falsely convicted on the basis of cases that turn out to be little more than police suspicion. In this case I find it hard to see how prosecution could have demonstrated beyond all reasonable doubt that Gage could NOT have forgotten his 50 character password. Basically its important that the Police act, and are seen to act objectively if the public are to retain trust in them.

Sun, 2010-10-17 22:09 — s0x (not verified)

I would just like to say this is an excellent article. This case really shows that justice is not a word to be associated with the legal system in the UK.

Somehow the Judge in this case, as in many cases in the UK, has deluded themselves into thinking that they have some sort or moral high ground to stand on.

The RIPA is an orwellian piece of legislation and this case is just one in many that demonstrates the overarching reach of state oppression in this county.

I am not at all surprised by the police response either. The police in the UK are basically a violent gang that twist and manipulate events to suit their own personal grudges and agendas. There are many cases where the police have been shown to lie and even destroy evidence to obtain a conviction.

It is sad that this young man has been sent to a YOI (Young Offenders Institute), which is actually in many ways worse than prison, for forgetting his password.

What has happened here could be called many things but Justice is certainly not one of them.

My thoughts are with this young man and his family.

Sun, 2010-10-17 22:16 — the guntz

I'm pleased that this article was produced for consideration. I won't comment on the password aspect but will on the Police PR aspect. One person has mentioned the amazingly disgusting Colin Stagg polic epr campaign to discredit and help convict him. The Police PR commentator ROVER is a rubbish contribution. These Police PR press manipulations have been going on for donkeys absolutely donkeys years. I wrote at considerable length about their strategems in the "THE WAR AGAINST CRIME" on 15 March 1974 (PEACE NEWS) and have has a great interest in police media relations throughout the whole period. When the Ian Tomlinson police PR manipulations were revealed Paul Lewis fingered the Crime Reporters Ass'n as being complicite - I was specifically writing about that complicity back in the early 70's. When police themselves were making mainland bombing explosing tro cover for double agents during the 2nd world war the Police also did the covert Press Releases - its sourced in my PEACE NEWS 1970's feature. This does not mean that everything police say to journalists etc is lies but they certainly go in for extremely devious tactics when it suits their purposes.