Passwords and prosecutions

The curious case of Oliver Drage.

When the news broke last week that a teenager had been given a custodial sentence for failing to provide his password to the police, the details of the story appeared incomplete.

The essentials of what had happened were as follows: Oliver Drage, 19 (and so only just a teenager), did not give a password to the police when formally requested to do so. He was prosecuted under the Regulation of Investigatory Powers Act 2000 and given a custodial sentence of 16 weeks in a young offenders institution (which may or not be regarded as the same as being "jailed").

However, the widespread media coverage of this conviction seemed problematic. Some things did not add up.

Let's start with the press release from Lancashire police.

Teen jailed for four months after failing to give up computer password

A TEEN who refused to give police officers an encryption password for his computer has been jailed for four months.

The case is believed to be the first of its kind in Lancashire.

Oliver Drage, 19, formerly of Naze Lane, Freckleton, was arrested in May 2009.

Drage's computer was seized but officers could not access material stored on it as it was protected by a 50-character encryption password. Drage was then formerly requested to disclose the password, which he failed to do.

Appearing at Preston Crown Court, Drage pleaded not guilty to failing to disclose an encryption key -- an offence covered by the Regulation of Investigatory Powers Act 2000. At his trial in September a jury took less than 15 minutes to find him guilty of the offence. Yesterday (Monday Oct 4), Drage was sentenced to 16 weeks in a Young Offenders Institution.

Detective Sergeant Neil Fowler, Blackpool Police, said: "Drage was previously of good character so the immediate custodial sentence handed down by the Judge in this case shows just how seriously the courts take this kind of offence.

Computer systems are constantly advancing and the legislation used here was specifically brought in to deal with those who are using the internet to commit crime. It sends a robust message out to those intent on trying to mask their on-line criminal activities that they will be taken before the courts with the ultimate sanction, as in this case, being a custodial sentence.

This press release is troubling for both what it does and what it does not say.

It is written in a tabloid-like and sensationalised way (for example, "TEEN" in screaming capitals), which seems to me to be deeply inappropriate for an official communication about a serious matter. It also refers to "those using the internet to commit crime...those intent on trying to mask their on-line criminal activities" when, on the face of it, no such charge had been made against this particular defendant and no prosecution carried out.

But when this press release was picked up by the newspapers, certain further information about Drage was published.

From the Guardian: "Oliver Drage, 19, of Freckleton, Lancs, had originally been arrested in May last year by a team of officers from Blackpool tackling child sexual exploitation."

And from the Daily Mail: "Teenager jailed for refusing to give computer password to police investigating child sex crimes"

But the press release did not mention child sex exploitation, nor did it mention the type of police officers who arrested him. Whatever Drage may or may not have stored on his computer, he had not been either charged for or convicted of any sexual offence.

However, his (distinctive) name was now associated with the investigation of serious sex offences by several newspapers on the back of a sensationalist press release which itself mentioned nothing about any sexual offences.

So I asked for further information about this from the press office of Lancashire police. First, I received information about the police team which had arrested Drage:

The Awaken Project is a very close working partnership between Blackpool Council and Lancashire Police and other.

The team is responsible for using an intelligence led and pro active approach to protect children in Blackpool who may be at risk of sexual exploitation. Police officers and social workers on the team are responsible for jointly investigating cases and targeting suspected offenders. Staff from health and education departments supplement the team in an effort to impact upon the behaviour of young and potentially vulnerable persons.

I was also told on the telephone the nature of the offence on suspicion of which Drage was arrested (even though he was not charged nor convicted). I asked why Lancashire police thought it appropriate to link the defendant's name with child sex allegations when he was neither charged nor convicted in respect of such serious matters. The response:

You will notice that that aspect was not mentioned in the official press release and was given to you as guidance over the telephone when you rang. It is therefore your decision if you wish to make that link in print.

I then pointed out the the child sex abuse aspects had been mentioned in many newspapers, and gave the examples of the Guardian and Mail above. Was I correct in my assumption that Lancashire police was their source for this extra information? The response:

The information was given as guidance to all journalists who rang and asked why Drage had originally been arrested. As previously mentioned, it is not included in the press release - so was not in the 'brief' we gave the press - and it is down to the individual publication if they chose to print that information.

Hope this helps.

I reverted, now asking why Lancashire police believed it was appropriate to mention it as guidance. After all, the defendant was now publicly and widely associated with child sex investigations (perhaps the most serious investigations one can be associated with) when he was neither charged nor convicted of any sex offence.

I will refer you back to my previous answer. The information was given as guidance (and was not included in the press release) to assist journalists in their reporting of the matter, by clarifying why Drage was arrested and his computer seized. Failure to give this guidance could have resulted in inaccurate assumptions and reporting of the case.

All journalists were pointed to the fact that this information was not in the press release and that it was their decision should they chose to publish the information that was given to them as guidance.

In contrast, the Crown Prosecution Service responded to my queries without any reference at all to the sexual offences for which Drage had been arrested. Indeed, for the CPS the prosecution was explicable on the straightforward facts of this particular offence:

Oliver Drage was found guilty on October 5, at Preston Crown court of failing to provide his computer's password contrary to section 53 of the Regulation of Investigatory Powers Act 2000.

The CPS received a file of evidence from Lancashire Police after he was served with a court order in December 2009 section 49 of RIPA 2000, requiring him to disclose the password.

He failed to do so within the three weeks' period specified on the order. After a thorough review of the evidence, we decided that there was sufficient evidence and it was in the public interest to prosecute Oliver Drage for this offence as his failure to disclose the password has obstructed an ongoing police investigation.

Evidence showed that the defendant admitted in police interviews that he had set an encrypted password of between 40 and 50 characters containing both letters and numbers using an encryption software programme and that he had had originally relied on his memory to recall it but could not recall it when he was served with the notice.

The jury heard both the prosecution and defence case and accepted the prosecution case that the defendant must have kept a record of this very complex password, rather than relying on memory, and that he had deliberately failed to disclose it to the police. They returned a guilty verdict after 15 minutes deliberation.

As the defendant claimed to have forgotten a password that he had previously memorised, it was for the prosecution to rebut this and to prove beyond all reasonable doubt that this was not the reason for the defendant failing to disclose it.

I also asked the CPS for what guidance it had for those who also may forget passwords, and their response was:

Part III of the Regulation of Investigatory Powers Act 2000 (the Act) and Investigation of Protected Electronic Information Code of Practice came into force on the 1st October 2007. The Code of Practice provides guidance to be followed when exercising powers under the Act to require disclosure of protected electronic data in an intelligible form or to acquire the means by which protected electronic data maybe accessed or put in an intelligible form.

Overall, there are two issues about this curious case.

First, there is the narrow issue of the prosecution and conviction. On the basis of the CPS statement, one can see why a claim to have forgotten a previously memorised encrypted password of between 40 and 50 characters, and not to have written it down elsewhere, would rather strain credulity.

Second, there is the worrying way in which highly prejudicial information is provided and published about an individual charged for and convicted of an offence very different for the one for which he was arrested on being on suspicion of having committed.

It may well be that Lancashire police break the encryption code.It could be that there is sordid material yet to be revealed which may have warranted a charge and even conviction of a serious sexual offence. We simply do not know. And neither do the Lancashire police.

However, in the meantime, an individual is now publicly associated with a serious investigation in respect of which was neither charged nor convicted; a police force publishes press releases as if they were tabloid stories and also furnishes highly-prejudicial information, but passes the buck if the press publishes it (which, of course, they will do); and the rest of us are really none the wiser whether a four month custodial sentence in this case was because of the gravity of the original suspicions or just for the implausibility of not knowing or noting down a 40 to 50 character password.

There is something not right here.

 

David Allen Green is a lawyer and a writer. He was shortlisted for the George Orwell blogging prize in 2010. He blogs for the New Statesman on legal and policy matters.

David Allen Green is legal correspondent of the New Statesman and author of the Jack of Kent blog.

His legal journalism has included popularising the Simon Singh libel case and discrediting the Julian Assange myths about his extradition case.  His uncovering of the Nightjack email hack by the Times was described as "masterly analysis" by Lord Justice Leveson.

David is also a solicitor and was successful in the "Twitterjoketrial" appeal at the High Court.

(Nothing on this blog constitutes legal advice.)

Photo: Getty
Show Hide image

The rise of the green mayor – Sadiq Khan and the politics of clean energy

At an event at Tate Modern, Sadiq Khan pledged to clean up London's act.

On Thursday night, deep in the bowls of Tate Modern’s turbine hall, London Mayor Sadiq Khan renewed his promise to make the capital a world leader in clean energy and air. Yet his focus was as much on people as power plants – in particular, the need for local authorities to lead where central governments will not.

Khan was there to introduce the screening of a new documentary, From the Ashes, about the demise of the American coal industry. As he noted, Britain continues to battle against the legacy of fossil fuels: “In London today we burn very little coal but we are facing new air pollution challenges brought about for different reasons." 

At a time when the world's leaders are struggling to keep international agreements on climate change afloat, what can mayors do? Khan has pledged to buy only hybrid and zero-emissions buses from next year, and is working towards London becoming a zero carbon city.

Khan has, of course, also gained heroic status for being a bête noire of climate-change-denier-in-chief Donald Trump. On the US president's withdrawal from the Paris Agreement, Khan quipped: “If only he had withdrawn from Twitter.” He had more favourable things to say about the former mayor of New York and climate change activist Michael Bloomberg, who Khan said hailed from “the second greatest city in the world.”

Yet behind his humour was a serious point. Local authorities are having to pick up where both countries' central governments are leaving a void – in improving our air and supporting renewable technology and jobs. Most concerning of all, perhaps, is the way that interest groups representing business are slashing away at the regulations which protect public health, and claiming it as a virtue.

In the UK, documents leaked to Greenpeace’s energy desk show that a government-backed initiative considered proposals for reducing EU rules on fire-safety on the very day of the Grenfell Tower fire. The director of this Red Tape Initiative, Nick Tyrone, told the Guardian that these proposals were rejected. Yet government attempts to water down other EU regulations, such as the energy efficiency directive, still stand.

In America, this blame-game is even more highly charged. Republicans have sworn to replace what they describe as Obama’s “war on coal” with a war on regulation. “I am taking historic steps to lift the restrictions on American energy, to reverse government intrusion, and to cancel job-killing regulations,” Trump announced in March. While he has vowed “to promote clean air and clear water,” he has almost simultaneously signed an order to unravel the Clean Water Rule.

This rhetoric is hurting the very people it claims to protect: miners. From the Ashes shows the many ways that the industry harms wider public health, from water contamination, to air pollution. It also makes a strong case that the American coal industry is in terminal decline, regardless of possibile interventions from government or carbon capture.

Charities like Bloomberg can only do so much to pick up the pieces. The foundation, which helped fund the film, now not only helps support job training programs in coal communities after the Trump administration pulled their funding, but in recent weeks it also promised $15m to UN efforts to tackle climate change – again to help cover Trump's withdrawal from Paris Agreement. “I'm a bit worried about how many cards we're going to have to keep adding to the end of the film”, joked Antha Williams, a Bloomberg representative at the screening, with gallows humour.

Hope also lies with local governments and mayors. The publication of the mayor’s own environment strategy is coming “soon”. Speaking in panel discussion after the film, his deputy mayor for environment and energy, Shirley Rodrigues, described the move to a cleaner future as "an inevitable transition".

Confronting the troubled legacies of our fossil fuel past will not be easy. "We have our own experiences here of our coal mining communities being devastated by the closure of their mines," said Khan. But clean air begins with clean politics; maintaining old ways at the price of health is not one any government must pay. 

'From The Ashes' will premiere on National Geograhpic in the United Kingdom at 9pm on Tuesday, June 27th.

India Bourke is an environment writer and editorial assistant at the New Statesman.

0800 7318496