Security quotes of the week

Posted Jul 20, 2012 13:04 UTC (Fri) by james (subscriber, #1325)
In reply to: Security quotes of the week by jake
Parent article: Security quotes of the week

This is something that really would need a qualified English or Welsh lawyer (which I am not), but reading the sections of the Act (linked to in the original post), it strikes me that

  • Section 49 notices only "appl[y] where ... protected information has come into the possession of any person" with suitable statutory powers: it would be for the prosecution to prove beyond all reasonable doubt that this was a Section 49 notice, and if the data was not "protected information", then the alleged Section 49 notice was not a Section 49 notice;
  • "a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—
    (a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and
    (b) the contrary is not proved beyond a reasonable doubt",
    which appears to be a very weak standard for the defence to meet: I would presume that the defendant would merely have to give evidence that he or she did not possess the key to "raise an issue".

In any case, the offence would be an "either-way" case, triable either before three lay magistrates with a maximum six-month prison sentence, or before a jury in the Crown Court. In "either-way" cases, the defendant can always elect to be tried by jury.



Security quotes of the week

Posted Jul 20, 2012 16:16 UTC (Fri) by nybble41 (subscriber, #55106)

> I would presume that the defendant would merely have to give evidence that he or she did not possess the key to "raise an issue".

You make that sound so easy. What would count as evidence that you did _not_ possess a key capable of decrypting an arbitrary random-looking binary file? The key could be anything; the only real evidence that you _didn't_ have it is all in your head.

The requirement should be the other way around: they should have to prove that you did have the key, i.e. that you've decrypted the same file before, _and_ that the key is still in your possession. Even then, I would support your right to refuse to provide the key (without penalty), but then I've never been a fan of forced testimony, self-incriminating or otherwise.

Security quotes of the week

Posted Jul 20, 2012 16:28 UTC (Fri) by james (subscriber, #1325)

Sorry, I can see how that wasn't clear.

Try this: I would presume that the defendant would merely have to testify under oath that he or she did not possess the key to "raise an issue".

Security quotes of the week

Posted Jul 26, 2012 11:50 UTC (Thu) by farnz (guest, #17727)

Certainly in the UK, and I believe in the US (whose system derives from ours), a simple statement under oath is evidence, and has to be countered by stronger evidence.

So, if you were in court under Section 49, and said under oath "I do not possess the key", it would be up to the prosecution to demonstrate that your statement was not believable (for example, by showing evidence that you had decrypted the file recently).

It's one of the things that, until a recent discussion with a lawyer, confused me about the legal system here; "sufficient evidence" apparently just means "will swear under oath, and has convincing explanations that counter any evidence presented by the other side". So, the police claim "nybble41 has hidden encrypted terror instructions in his photographs of a cat"; you can literally say to that "no, I didn't", and you've presented sufficient evidence.

It gets more complex if the police have more than just a bald statement; for example, if the police said "we saw nybble41 run 'convert catphoto.jpg -cdl 42.txt catphoto.png' and we believe that he was inserting encrypted instructions from 42.txt into catphoto.png". You could then explain about ImageMagick color description lists, and still convince a judge you didn't have the key.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds