
The Risk Professional: if you can't remember your computer passwords, you go to jail

The story begins not with the teenage computer user in question, nor even with the police investigation in which he was caught up. Instead it starts with the decade-long attack on personal freedoms under the UK's Tony Blair and Gordon Brown, as (mis)guided by the hand of the USA in the post-11 September 2001 paranoia.

Are there bad people? Yes. Do those bad people do awful things? Sometimes. Do those "sometimes" justify an extraordinary expansion of powers exercisable by state agencies without the intervention of a court? Probably not.

But in a wide range of areas, during the last decade, there has been a significant shift towards, literally and figuratively, a police state. The powers which have been devolved to the police (and other state agencies such as HM Revenue and Customs and The Financial Services Agency) are far more intrusive than at any time other than under emergency powers.

The difficulty that the UK population faces is that, under a barrage of laws generated over a decade, they are still bound by the old maxim that everyone is presumed to know the law. That would be fine if it were properly debated and that debate properly reported. Instead, by manipulating the news agenda (as it has become known) to focus on one thing about which synthetic rage can be generated, the big, surprising stuff slips through.

The Regulation of Investigatory Powers Act 2000 sounds like a good thing, in that it appears to more closely constrain the excesses of certain styles of investigation. But just as The Bank Secrecy Act is about abolishing bank secrecy, so RIPA is about expanding powers.

One of those powers provides that, if an officer demands access to a computer, then he must be granted that access.

This is, in effect, a search warrant. Note: no court order is required for this search of your computer. A senior police officer can sign off on it if he is satisfied that there is or may be evidence of a crime on the computer.

19-year-old Oliver Drage became entangled in an investigation relating to something we don't need to discuss here. When the police turned up at his home, having traced him through an IP address, they found that his computer was secured using strong(ish) encryption. An officer demanded his password.

Drage told the police that he could not remember it: it was somewhere between 40 and 50 characters long. He had not, he said, written it down.

He was prosecuted for failing to provide the necessary information within the time allowed.

The Court was told that it was ridiculous that anyone would create a password of as many as 50 characters and not write it down. And that was the basis of the conviction. Drage, who is technically a minor, will spend the time in juvenile detention instead of jail.

For those in business, for whom IT security is a big issue, the story is worrying.

Staff will be faced with a choice: write down the password or get something easy to guess. Or else, particularly those travelling to the UK with a laptop, be ready to face jail if you can't turn it on, e.g. when a customs officer at Heathrow asks you to.
