Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Privacy Security

Irish Police To Be Given Powers Over Passwords (bbc.com) 164

Posted by msmash from the tough-luck dept.
Irish police will have the power to compel people to provide passwords for electronic devices when carrying out a search warrant under new legislation. From a report: The change is part of the Garda Siochana Bill published by Irish Justice Minister Heather Humphreys on Monday. Gardai will also be required to make a written record of a stop and search. This will enable data to be collected so the effectiveness and use of the powers can be assessed. Special measures will be introduced for suspects who are children and suspects who may have impaired capacity. The bill will bring in longer detention periods for the investigation of multiple offences being investigated together, for a maximum of up to 48 hours. It will also allow for a week's detention for suspects in human trafficking offences, which are currently subject to a maximum of 24 hours detention.
This discussion has been archived. No new comments can be posted.

Irish Police To Be Given Powers Over Passwords More

Irish Police To Be Given Powers Over Passwords

Comments Filter:

  • Since device backups are encrypted in the cloud (Score:5, Insightful)

    by saloomy ( 2817221 ) on Monday June 14, 2021 @07:38PM (#61487694)
    And you can restore them pretty easily now, the tripwire low volume + lock button should wipe your phone if you click it 10 times. Also, it would be great to have a "distress password" that wipes the phone when entered.

    • Re:Since device backups are encrypted in the cloud (Score:5, Interesting)

      by Bourdain ( 683477 ) on Monday June 14, 2021 @07:43PM (#61487700)

      Well, instead of a distress password per se that wipes the phone which would be obvious and potentially/likely illegal, perhaps one which unlocks the phone but to preestablished harmless state while letting the true encrypted phone hide inside (i.e., like a hidden OS in vera/truecrypt)

      • What happens if you just forgot your password?

        • "What happens if you just forgot your password?"

          You go directly to jail, do not collect $200 :-(

        • Re: (Score:2)

          by Luckyo ( 1726890 )

          Unless you have a really, REALLY good argument that you actually did, you're going to go to jail for concealing evidence that court has ordered to be shown.

          • What would qualify as a really good argument? How do they prove that you couldn't have forgotten it?

            • Yep. Here in a mostly free first world country, (USA) you cannot be compelled to produce a password in case it is truly forgotten. (assuming its not a cell phone, but something possibly seldom used, but a daily use cell phone is still considered off limits due to the ruling) After all, we believe in "innocent until proven guilty".

              But biometrics are another animal entirely. Here in the US you cannot be compelled to produce a password from memory, but you CAN be compelled to produce fingers for fingerprint re

              • Re: (Score:2)

                by tippen ( 704534 )

                Yep. Here in a mostly free first world country, (USA) you cannot be compelled to produce a password in case it is truly forgotten.

                While it's true that you can't be compelled to produce a password in the USA, that's not why. It's Fifth Amendment that provides that protection: "nor shall be compelled in any criminal case to be a witness against himself, "

                • Yep - that's the whole point of the Miranda rights being read so that people are aware of that, and the first statement is "You have the right to remain silent".

                  You are not required to give up any information or answer any questions. Now that doesn't mean silence is always the best choice, just a legal option. If you're accused of killing someone last night and you know very well that you were elsewhere and have a witness, then by all means its in your best interest to answer "Where were you last night?".

                • While it's true that you can't be compelled to produce a password in the USA, that's not why. It's Fifth Amendment that provides that protection:
                  "nor shall be compelled in any criminal case to be a witness against himself, "

                  Yes, it is rooted in the 5th amendment. But courts have ruled that passwords are not always covered by that and have compelled defendants to disclose passwords because giving a password is considered an act, not testimony. (that idea is disputed) Which is troublesome because they cannot always guarantee you actually have the information. What if you set the password once and forgot it? I mean TRULY forgot it. Like the dude who lost the password for his encrypted bitcoin wallet drive? It would REALLY suck t

      • Re: (Score:2)

        by Luckyo ( 1726890 )

        If discovered, this would basically send perpetrator to jail for a long time. This would be concealing/destroying evidence with bonus points added in court for "he prepared for this event to such a degree, can you imagine what he must've had on that phone?"

        There's a reason why even massive corporations like Google and Apple don't fuck around with evidence that court subpoenaed by a Western court with jurisdiction to do so, even when it's very harmful to their case.

      • Re: (Score:2)

        by gweihir ( 88907 )

        None of these work against reasonable forensic procedures. They are obvious though and hence a really bad idea.

      • That's called deniable encryption

      • Re: (Score:2)

        by mjwx ( 966435 )

        Well, instead of a distress password per se that wipes the phone which would be obvious and potentially/likely illegal, perhaps one which unlocks the phone but to preestablished harmless state while letting the true encrypted phone hide inside (i.e., like a hidden OS in vera/truecrypt)

        If you're worried about data security, the easiest solution is simply not to keep the data on a device that can be compromised. Nor allow that device to store the credentials of any server that stores sensitive data.

        I do admire how imaginative some slashdotters are when coming up with these solutions but the problems have been largely solved. Never store sensitive (or incriminating) data on a device that could be stolen (or confiscated/seized by the authorities). I've worked with a few industries that re

        • The Irish bill appears to allow Guardi to compel you to give up passwords used to access remotely stored information also. Storing remotely doesn't help you. You could be compelled to turn over VPN passwords and remote logins.

    • VeraCrypt (drive/container encryption) has another option. You can select two passwords for your container. One is a standard password which unlocks the container as normal. The second is a "hidden" partition which is stored encrypted in the empty space of the encrypted container. If you just open the standard container you'd have no idea it was there, and could even accidentally overwrite it with enough data written to the standard container. But enter the "hidden" password and the inner container is mount

      • Re: (Score:2)

        by Dwedit ( 232252 )

        It would look very suspicious if the partition didn't use all available space, or if unallocated space was not all zeroes. This is the era of the TRIM command, and unallocated space is zeroes.

        • By default, VeraCrypt uses all available space for a volume when formatting it. Inside the volume, it doesn't use TRIM, so all free space is random. Of course, one could use a quick format command, which some filesystems accept, that creates a volume with holes in it, but that isn't a default.

      • Re: (Score:2)

        by gweihir ( 88907 )

        The police takes a forensic image first and then they do not suspect, they know what you did after looking what is the the outer container.

      • Re: (Score:3)

        by truedfx ( 802492 )
        If the police do suspect you're using such a hidden container, what happens then if you are unable to convince them you aren't?

        • Re: (Score:2)

          by AmiMoJo ( 196126 )

          Ultimately it's a jury that you have to convince. Or rather you have to cast doubt on it, the standard of proof for the police is "beyond reasonable doubt" in most places. At least in theory, most juries in the UK take the police's word for any old nonsense.

    • You want to avoid anything that destroys evidence, that just digs a deeper hole. Having a second password that unlocks an account made to look real or that hides most of your files is much better. It's a real password that unlocks your phone, and it doesn't destroy evidence.

      • Concealing evidence is the same crime as destroying evidence in many jurisdictions. Both are equally obstructive to investigation. Unless you are really in deep criminal waters if you unlock the phone, anything that you do to obstruct just makes your eventual punishment way worse, as far as I can tell. YMMV by jurisdiction, obviously.

    • Now you have a charge of destruction of evidence.

    • Re: (Score:2)

      by Luckyo ( 1726890 )

      Destruction of evidence when evidence is subpoenaed under court order is a serious crime pretty much everywhere.

  • treatment? Maybe some other mild torture to extract the passwords? Asking for a friend.

    • treatment? Maybe some other mild torture to extract the passwords? Asking for a friend.

      Well, the rest of us, call it "waterboarding".

      Not sure if that counts though, since they call that a "drinking game".

  • The fascination with storing their lives on a portable device is what makes phones tempting targets, so I don't. It really is that easy.

    • Works even better when one doesn't have a life to store.

      • I think his username summarizes the situation succinctly.

        Meanwhile the rest of us have to text wife and kids, have email for work and personal, have multifactor auth app, chat/workgroup thing for work and etc.

        • If you're an employee, there is zero valid reason to have anything work related on your phone, beside maybe the phone numbers of colleagues. If your employer needs to you to work on a phone, he can give you one. Even if you are self employed, it would be better to have a dedicated work phone.

          There is no email urgent enough that it can't wait until the evening to be read on my pc. If something is that urgent, people can call me.

          Photos and videos should be backed up and erased from the phone regularly, same f

          • Your phone still contains the VPN app and the remote access app for these things. Those passwords are covered by the warrant as well. Storing remotely doesn't help you. If the phone can access the information, then the information is compromised by the warrant. Local/remote storage is irrelevant.

  • How does this effect 'Irish' entities (Score:4, Interesting)

    by ccham ( 162985 ) on Monday June 14, 2021 @08:32PM (#61487802)

    that run cloud services and are 'Irish' for tax purposes and have encryption keys to all their customer data?

  • Vacation Elsewhere (Score:3)

    by BrendaEM ( 871664 ) on Monday June 14, 2021 @10:09PM (#61487950) Homepage
    I should think that tourism is a major industry, that matters, just as much as values.

    • Re: (Score:2)

      by Celt ( 125318 )

      I'd take my chances with the Gardai in Ireland then the police in the USA any day of the week, USA has far more powers to retain and make your life hell.

      • I'd be more worried about the Department of Homeland (in)Security when travelling to and from America, than either american Police or the irish Garda.

    • Nice punctuation, mouth-breather. Your television is THAT way.

      (I'd go easy on you if you were a foreigner but with ignorance that extreme, I know you don't speak more than one language - a third of one is more like it.)

    • Re: (Score:2)

      by mjwx ( 966435 )

      I should think that tourism is a major industry, that matters, just as much as values.

      To be fair, this is going to be like the US where it's not a law to target tourists, rather a law to be used against citizens. If Ireland or the US suspects you enough to want to prevent you from visiting, you'll be denied an ESTA or whatever the European one being introduced in 2022 is called. If that fails you'll be turned away at the border.

      Still not a good law, but ultimately not one that will affect tourists.

  • Problematic. (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Monday June 14, 2021 @10:52PM (#61488040)

    The problem with being able to compel someone to reveal highly specific information is that they may not know the information even if they knew it at some point in the past. If you have an old device you don't use anymore and no longer are able to recall the password, can they just throw you in jail for years for being unable to remember? If not then it seems obvious that people who do remember will claim to not which brings you to the point of trying to discern if they really know the password or not.

    This path is fraught with danger.

    • Re: (Score:2)

      by gweihir ( 88907 )

      This path is fraught with danger.

      It is. But this slide deeper into removing individual protections is part of a general trend.

    • Re: (Score:2)

      by dryeo ( 100693 )

      For an old device, you should be able to argue that you forgot, especially if there are no recent telco records of it being used. For a phone in your possession, with an active sim card and telco records showing that you were using it recently, not so much.
      You are right that it is a slippery slope.

      • 1) I use long passwords. For my phone, my computers, my password manager, or anything else that I have to type in from memory. Even though most of them haven’t changed in years, I’ll occasionally forget them. I’ll just blank. They always come back to me later, or else muscle memory kicks in and I can type them when I can’t recite them, but I could easily imagine a scenario where I wasn’t able to provide my password upon request, particularly so if it was a stressful situation o

        • To avoid these problems when dealing with the police, I recommend using the same password for all accounts on all devices. Then get that password tattooed on your arm. :-)

          • Re:Problematic. (Score:4, Interesting)

            by Anubis IV ( 1279820 ) on Tuesday June 15, 2021 @03:52PM (#61490926)

            At my last job, there was a mission critical server belonging to our clients, to which I had remote access. I set my admin account up with a 128-character, randomly generated password because it didn't make a difference to me how long it was, given that they all copy/paste the same way from my password manager.

            Well, to make a long story short circumstances conspired against me and the very next month I found myself in a position where I had to type that password in manually, not once, not twice, but five times, each of which was while on a series of calls with the client as they patiently waited for me to finish typing. Thankfully, I got to be the hero in the story who saved the day after the client locked themselves out of a mission critical machine.

            FYI, it takes me about three minutes to type a 128-character randomly-generated password. Talk about some awkward silence on conference calls as no one wants to cause you to lose your place because everything is riding on you.

            All of which is to say, depending on your workplace's rules about tattoos, you may not be able to fit your password on your arm while wearing long sleeves.

    • Re: (Score:2, Informative)

      by AmiMoJo ( 196126 )

      The law in the UK is similar, you can be forced to divulge passwords. To prosecute you for failing to do so they have to prove that you know the password, which usually just means showing that you recently used it.

      As you say, there is a very great danger that someone may legitimately have forgotten it. When forced to change passwords by work I always write them down because otherwise I'll usually forget them by the day after.

  • I do not think it means what you think it means.

    I mean, they can punish you for not revealing your password, but that's all. It's not the same as how they can compel you to come to the police station. It would be more accurate to say that they have the power to coerce people to hand over their passwords.

    • The legal definition of "compel" is different from the common vernacular. In this context, compel means to apply coercive pressure and to levy fines/prison/other punishment if not obeyed. The legal assumption is that you are compelled to obey because the punishments are stiff enough to deter disobedience, even if those punishments are not sufficient in practice.

  • Safe (Score:3)

    by CohibaVancouver ( 864662 ) on Tuesday June 15, 2021 @05:16AM (#61488628)
    What I find interesting about this is if you had a safe in your office full of files, and the police executed a search on your office you'd be obligated to open the safe so they could have access to the files.

    If you refused, a judge would order you to do, and if you refused the judge's order you'd be locked up for contempt.

    So it's not really a stretch to argue here that a password to a file container is not a lot different from the safe in your office.

  • That will compromise the workplace, and might be the end of hybrid work/private devices. Police should not have this possibility to ask for private and secret information.

  • Because eventually, you can tie your password to what you are thinking. Laws can at best only compel you what to *DO*, they have absolutely no ability to compel you what to think. Any express or implied threats of any negative consequences if you were to not comply would themselves alter what you were thinking about in trying to use the password, because you are cognizant of them. This might in turn impede even your own ability to unlock any such protected device under duress, making any efforts they mi

  • Right to silence (Score:3)

    by k2r ( 255754 ) on Tuesday June 15, 2021 @10:04AM (#61489416)

    It will be interesting to see how this is compatible with the right to silence:
    https://www.whitecase.com/publ... [whitecase.com]

Slashdot Top Deals

Many people are unenthusiastic about their work.

Close