Sunday, 23 August 2015

0000

I have a friend who has a lock PIN on his phone of 0000.

What does that mean? Well, for a start, it means he does not really care too much about the data on the phone being used by someone else, but it means more than that.

It is about boundaries.

He has in fact "locked' his phone. Someone trying to get in, even if they know or guess 0000, is breaking through that lock.

I think morally, and possibly even legally, "breaking in" is massively different to being let in. The lock says that you are "not authorised", so things like Computer Misuse Act kick in if you go passed that point.

If someone wanders in to your house through an open door, it is not the same as someone using a very simple lock pick to get passed a really poor quality lock and opening your front door.

I started wondering if this had wider implications. E.g. if someone like Apple have a backup of your data, including a backup of your private keys used by iMessage and the like, protected by a relatively low entropy key like a 4 digit PIN for example, what happens if asked for that data. Well, they can honestly say they do not have the data as it is encrypted. I am not sure if existing laws allow authorities to request that they "hack" what they have (e.g. trying all 10,000 four digit PINs). Expecting a company to hack in to their customer's data would be a heck of a step legally and morally, but having a good reason not to disclose it because of the protection may be enough?

We can only hope that laws do maintain some concept of boundaries in the future - not just in the real world, where it matters if you invite a bailiff in to your house or he forces his way past you, and the same in the computer world where it matters if you break passed a 0000 PIN or do not try to.

9 comments:

  1. Huh! That's the same code as my luggage!

    ReplyDelete
  2. I wouldn't have thought authorities could request a company 'hack' the data they hold, but they might be able to request a copy of the (encrypted) data, and attempt to 'hack' it themselves - which, with a low entropy key, probably wouldn't take very long.

    ReplyDelete
    Replies
    1. The question then becomes whether the decrypted data is admissible evidence, given that the authorities 'hacked' it to get access. Under English law, for example, PACE section 78 (http://www.legislation.gov.uk/ukpga/1984/60/section/78 ) gives the judge wide-ranging powers to throw evidence out if the manner in which it was obtained would make the trial unfair.

      If we continue with the real world analogies here, it matters whether the police break into my house by mistake (e.g. warrant for next door), *then* find a letter from my drug dealing buddies detailing the next shipment they're sending me, or whether they believed I was involved in dealing drugs, broke into my house, didn't find drugs but did find the letter from my drug dealing buddies detailing the next shipment.

      In the first case, the police had no reason to be in my house at all, and if you allow such evidence, you give the police an incentive to make "mistakes" like breaking into a suspect's house without a warrant, in the hope of finding evidence. In the second case, the police already had reason to suspect me, so the fact that they found different evidence to the evidence they expected isn't a problem.

      Delete
    2. What if they break into your house because they suspect you of a different crime and then find the drugs letter? I suspect that's allowed, but I'm not sure it should be since it encourages police to try to pin you for *any* crime just as an excuse to break into your house to gain evidence for something completely different. And with the way the laws are going, it seems that everyone's guilty of *something* that could be used against them.

      Another thing that concerns me about allowing the authorities to crack computer systems is that if they execute a search warrant on your home, they tell you that it's happening - is that the case when they crack your computer system, or do they do it quietly so you may never find out about it? What about if they leave some spyware on your computer after they've left (pretty sure a search warrant wouldn't allow them to bug your home while they're searching it)?

      Delete
    3. It'd normally depend on the severity of the crime they were investigating - and note that the suspicion has to be reasonable (i.e. it can't just be "Simon talked about letters from drug dealers on the Internet, he must be a dealer himself") to get a warrant to break in.

      So a judge is likely to throw out evidence where they got a warrant to break in because a car registered to you was seen doing 31 in a 30 limit - even if the crime in question is major. Similarly, if they don't tell you about what they've done to your computer system, and rely on evidence found after they crack it, they risk a judge deciding that it was a dragnet operation, and therefore unfair.

      Of course, nothing stops the police acting on the information they've obtained that can't be introduced as evidence, in the hope that their actions lead to something they can introduce as evidence. For example, if the letter said "you need to kidnap Adrian Kennard on the 31st April to make the next delivery happen", and the police "happened" to be around me all day on the 31st, and thus saw me attempt to kidnap Adrian, they'd have the evidence of the kidnap attempt itself to bring into court, even though the letter might not be permissible.

      The key point is that judges are already forced to think about this sort of thing and throw out evidence where the state's behaviour in getting it is unreasonable. There's no reason yet to think that they'd not do the same in the computer sphere.

      Delete
  3. In English Law "breaking" refers to breaking the integrity of the boundary, and doesn't actually require any kind of violence or subterfuge -- simply opening a gate and walking in is sufficient for "breaking and entering".

    So by that analogy the "swipe screen to unlock" on my phone is sufficient to count...

    ReplyDelete
    Replies
    1. Is there actually a crime of "breaking and entering" in England? I had thought it was just a colloquial name for burglary, being trespass + one of a number of crimes?

      Delete
    2. I'm sure this would be a civil matter only

      Delete
    3. Unauthorised access to a computer (e.g. mobile phone) is a criminal matter.

      Delete