For context, French law doesn’t have a “5th”: you were already required to expose decryption keys of encrypted data if requested (e.g., give a password for a locked zip file).
This specific ruling is about whether the lock screen of the phone was subjected to this law as well. Basically, is the lockscreen password a decryption key?
The Cassation court judgement comes from the disk encryption mechanism being now attached to the phone locking mechanism: full disk encryption is only unlocked when the phone unlocks, so the passcode screen can be seen as a means to unlock the disk.
As always, the country known for its human rights (or so they advertise themselves as) is gonna get reprimanded by the European court for not respecting the human rights.
Times were different, it's hard to understand how people really felt unless you have been subjected to something similar under similar circumstances.
But since you brought it up, do you think that the way the French behaved back then is in any way still indicative of their behavior today? Is the same culture, so to speak, still relevant, breathing and alive? What survives of the people's zeitgeist through centuries? What is relevant to bring up, and what is just history?
That is a very selective and incomplete view of history. There was more than one faction and “France” was far from being of one mind. Several of the liberals responsible for the Declaration were the ones being guillotined.
The people who wrote the declaration were monarchists or (later) Bonapartists. Obviously they were quite liberal compared to the Count of Artois. But to me they seem much closer to modern centre-right/conservatives (obviously Liberal conservatism is a thing..)
Yes, I mostly agree. But they were constitutional monarchists, not absolutists. And usually their fascination for Bonaparte ended when he actually took power. They wanted something like Elizabeth II, not Louis XIV.
They were liberal in the sense that they supported individual freedoms, and they called themselves liberals. It makes no sense to call them otherwise. They were on the left because the original left-right divide was about individual rights, not socialism. Though the Overton window moved fast and radicals one day often ended up moderates the next week without having changed their ideas.
But they were not conservatives at all; even though their constitution kept a king, it had pretty much nothing to do with how the ancien régime worked. Nowadays they would be centre-right more or less like the UK’s Liberal Democrats or the French centrist parties.
What’s interesting is that the American use of “liberal” to mean “radical” is at odds with the historical meaning of the word, and how it is used in some other languages. That’s why some people are confused with neo-liberalism being a right-wing ideology.
Anyone in a position to be sent to prison isn’t currently being oppressive.
The Terror (1793-1794) really was more about political opponents than addressing past oppression. Approximately 2% of the population was arrested and about 1/8th of them were executed, including many aristocrats but also a high percentage being clergy etc. Basically anyone labeled as counter-revolutionary was killed off, a classic culling of political opponents after a revolution.
Do you even Wikipedia?
Just going through the list:
1. Notable figure of the French Revolution
2. Duchess
3. Politician, member of the French Convention
4. Officer
5. Aristocrat, lawyer, public official
6. Noblewoman, court official
7. Hairdresser
Wikipedia is not the Truth. That list is incomplete and selective. Seriously, there are much better sources that paint a much better picture of the grandeur, glory, and absurdity of the French Revolution. I would start with the Revolution podcast, which is itself imperfect but still presents a lot of the nuance missing in this sort of discussion.
No. They started with the aristocrats (though most of them ran away to Austria before mass murder even started), then they started killing other radicals like the Girondins, mass exterminating peasants and too moderate Jacobins (and random people in general). Finally Robespierre and his ilk got their own heads chopped off. Then you had the Thermidorian reaction where conservative liberals were killing the more radical ones (it wasn’t as extreme as the res terror though).
They didn’t have enough space in prisons. Also the Guillotine was reserved for political opponents; ordinary people were loaded on to rafts which were sunk in the middle of a river.
There’s this old quote from Surcouf (a French privateer from the late 18th and early 19th century). When an English captain told him “you Frenchmen fight merely for money. Whereas us Englishmen fight for Honour”, he answered “well, everyone fights for what he lacks”.
Their justification for colonizing countries was that France had a "civilizing mission." Maybe you've heard of that? I realize that's not necessarily identical to "human rights."
I think that has more to do with Christianity - that political narrative of "civilising" people was a common binding thread between all the imperialists. It was thus common for Christian missionaries to be some of the first settlers in any new colony.
To be noted, there is a subtle nuance with the meaning of this ruling.
It does not really say that "it is a crime" but that "it might be a crime under certain circumstances".
In the current case it is like there is a password, it is known, it is needed to unlock a phone, not encrypted data itself. And the guy is plainly refusing to give it. This is the case that was judged.
But hundreds of variations of this still might or might not be a crime in a future case.
>In the current case it is like there is a password, it is known, it is needed to unlock a phone, not encrypted data itself.
I'm not seeing the distinction here. Don't all modern phones have encryption enabled by default, and the encryption keys are partly derived from the passcode?
I'm not sure on the technical ruling details, but it looks like something like that:
They did not care about the data, officially, as they already have recordings, SMS, ...
They just wanted to access the home of his phone that is restricted by the passcode.
And he explicitly refused.
Nothing says that once they had access, they would have been allowed to access private data or been able to use any of that in the trial.
It is like a 2-step process. First they should be granted access, then there is the question of incriminating data that could be encrypted or not.
It looks dubious, but it is how it is presented to be able to get such a ruling.
As an equivalent, imagine that cops ask you to unlock the steel-bar-reinforced door of your entrance because they have a warrant and you refuse. And you claim that there might be naked pictures of you inside of your home, and this is why you refuse.
In Saunders v United Kingdom the ECHR said that the right to not self-incriminate "does not extend to the use in criminal proceedings of material which may be obtained from the accused through the use of compulsory powers but which has an existence independent of the will of the suspect".
Even if the evidence is not properly encrypted, in which case you could argue the data is indistinguishable from randomness and does not exist unless it's decrypted, a password would likely fall under a similar category.
If I understand Saunders vs UK correctly, if you killed someone and hid the body you have to show the body when you are asked to, even if you are just suspected and have not confessed. The phone and the body is the parallel here, they suspect there is something in the phone so you have to produce proof of guilt - that is exactly self-incrimination.
I think it’s too subtle to be a practical difference: the circumstances are whether it’s _suspected_ to be related to a crime. That’s a low enough bar to be almost non-existent.
Then you get additional fines if your refusal can be seen as preventing current crime from being dealt with, or helping further crimes. Which also comes down to perception.
Not exactly the same functionality, but veracrypt/truecrypt supports key files and multiple hidden volumes for plausible deniability. Overwrite a key file used to unlock "your stuff" and there goes the data.
Would it be possible to construct a file/system encryption scheme where you have a read-write passcode and a read-only passcode? Such that when given the read-only passcode it would allow (legal/valid) searches by law enforcement, but not (easily) allow fabrication of evidence by planting incriminating files?
I suppose you could make it part of a signature scheme for files (file written by passcode X) so that your defense could point to the discrepancy in your favour.
Any backdoor made for law enforcement will eventually land in the hands of bad actors, and sometimes those backdoors will be used illegally by law enforcement.
It's a practical feature in general, to allow anyone to poke through your phone without installing/posting/reconfiguring anything, occasionally nice to have. Then again, it would also slightly increase the social normalcy of being able to ask to snoop through other people's phones.
So they can use the banking app to transfer money away from your account because that's not stored locally on your phone? Or to look at your private photos?
I'm a little bit skeptical about the claim that refusing access to a phone falls under the right of not self incriminating. There is such a thing as a lawful search of property, and when someone comes to you with a warrant to search your car in particular if it involves an ongoing crime you certainly cannot refuse, and pretending you forgot the keys isn't going to do you much good either.
I don't think phones are particularly special in that regard. The bigger issue seems to be that phone searches are often attempted in unlawful manner.
I do not believe that it is acceptable to consider as equivalent actions the search through a house or other property, or a body search, with reading the memory of a computer or of a smartphone or even with the reading of a (possibly encrypted) notebook.
Any external memory, regardless whether it is a flash memory, a magnetic disk, an optical disc, or just a piece of paper, is just an extension of the memory from your brain.
Admitting that there is a reason for anyone else but the owner to read a memory device is the same with admitting that they have the right to obtain any information that is stored inside your brain.
Even if for now the only technical means for obtaining the information stored in the brain is torture, that may change any time, if someone will ever discover how the biological memories are stored.
When that will happen, it will be too late to claim that physical search is not the same thing with reading memories, if this is not already established now.
Even this French court decision is just a method of using torture for obtaining the information stored in the brain memory of a person.
Because they can no longer use a good beating with "nerf de boeuf" for obtaining the information from the suspect, the beating is replaced as a torture method with the threat of imprisonment and of a huge fine, this being supposedly a more civilized technique.
The logical conclusion from that would be that destroying a person's notebook would be equivalent to violence causing brain damage, and so assault on a person. I’m aware of the theory of extended mind this notion is based on, and that’s not going to fly in any real world legal system any time soon. Even Clark and Chalmers, who came up with the concept of extended mind, don’t think that actually makes practical sense.
What do you make of the argument that if you give the police your phone, you are in fact fully cooperating by giving them all data on that phone, and it's not your fault if they don't have sufficient information to interpret that data? To take a different example, if Bob is writing things down in a notebook, but using some kind of secret language or code that he made up, it seems pretty clear that while the police have the right to seize the notebook, Bob correspondingly has the right to refuse to translate for law enforcement. Similarly, maybe Bob's code is a little more complicated, and requires using a calculator to compute what each codeword should be. It still seems like Bob has a right not to answer. Is using a computer rather than a calculator to do the encryption the final straw?
This is true, but you don't have to actively help/participate in the search. Giving out a password is - to me - actively helping vs just standing by and watching what the cops are doing.
"if you pretend to lose your keys, it's not illegal to avoid helping the cops find them."
I would be careful with that assertion - that likely depends on the jurisdiction, but I'm quite convinced that this would be obstruction of justice. It may be hard to prove that you're doing that, but if they manage to do that, it would actually be a crime - once you're aware that there's a criminal proceeding, actually disposing of these keys so that cops wouldn't access the evidence would be obstruction of justice, and so would be intentionally asserting to the cops that you don't have the physical keys if you actually do have them (the right to remain silent does not protect making false statements). For example, there's quite a lot of precedent for obstruction of justice by hiding a gun that was being sought by an investigation; I seem to recall reading about a case where the actual murder could not be proven in court but the likely culprit was convicted for obstruction of justice by throwing the murder weapon into the river which was captured by cameras.
However, I would say that you are quite likely to get away with this - just not because it's legal but rather because the circumstances making the difference between fair play and felony may be very hard to prove and prosecution might not bother unless they want to make a point by doing that.
I'm not convinced that's true because I feel like I'm getting hit with obstruction next, also depending on the country in question of course.
But the important point is this isn't about self-incrimination. If you accept that a search of property can be ordered then that implies that authority can compel you to actually see the search through. In the physical world the police would just break your lock. Can't do that with encryption, but that's not a legal argument. If someone was screaming in a trunk and cars had unbreakable locks, that wouldn't be a justification to not compel the driver to open it.
Oh yes they can force you to see a search through. I had a federal search warrant executed where a judge explicitly gave permission for medical personnel to "internally search" my body. They're unable to do that without your cooperation.
How, exactly, does this work? Forgetting your phone's password potentially becomes a life sentence.
In the US, a defendant was held in contempt of court. Eventually the courts decided that 18 months is the maximum incarceration period to try and force someone to give up a password [1]. Which still does seem pretty chilling: forgetting your password can land you a year and a half in prison.
The law is not executed by computers. It is executed by people operating via tradition and common sense. These have their own problems, and sometimes the law is bad, but this is a case where it works the way we’d hope given the law.
Nobody is going to believe that you “forgot” the password to your phone that you use multiple times a day or at least a week. Your lawyer is not even going to mention that as an argument and he’s going to strongly advise you don’t because it sounds prima facie absurd.
Now, if the case was about an encrypted hard drive you kept in your bank’s safety deposit box that you put there two years ago, it might work, because that sounds much more reasonable.
Ed: and apply this to the very case you linked: the guy was held for the maximum contempt length possible because the evidence was so strong; they got his laptop, which indicated he downloaded illegal files to the external drives; they got his phone, which had illegal material; they have witnesses testifying that he showed them illegal material. If the encrypted drives had been their ONLY evidence, he almost certainly wouldn’t have been in jail for contempt.
> the guy was held for the maximum contempt length possible because the evidence was so strong
He was held for nearly 3 times the maximum contempt length because prosecutors argued he was not a witness even when they were holding him in contempt for his refusal to give testimony. It's also in contradiction of existing precedent [1]. If you have a safe locked with a key, the government can demand you give them the key if it's in your possession. A safe locked with a combination, the government cannot ask you to produce the code.
And to be clear, there's probably enough evidence to convict even without the contents of the encrypted drives. But that makes the imprisonment on contempt even more dubious: they don't need these contents and the defendant attempted to decrypt the drives and failed (intentionally or not, we can't know without a mind-reading device).
And yet I have multiple email boxes and gaming accounts that I used for years - but can't log into now, because I forgot the password and sometimes even the username and registration email. Is that not normal?
It's trivial to find if a hidden volume is in use or not. It's a good defence against an abusive family member who isn't very tech-savvy, but it's useless against law enforcement.
In all fairness, there is a lot of documentation in veracrypt's manual about how to properly hide a hidden partition, and how it's circumvented.
Most of them rely on knowledge of the encrypted container over time. A single point in time is unlikely to reveal a hidden partition, but if you are being monitored that is possible.
Please note that backups or wear leveling on an SSD, or just the TRIM command not deleting stored data can provide those points in time. Hidden partitions work best on magnetic drives.
The hidden volume set up by Truecrypt has different offsets between the headers and the actual encrypted data.
It's possible to move the encrypted volume 50GB from the header and fill the disk with random bytes, but it's not doable through the standard GUI.
In an encrypted state, it's impossible to tell the difference between the hidden volume and random data. When you use your real passphrase, the primary header is decrypted and the hidden volume may just be random-data empty space. If the key you entered decrypts the random bytes between the first Truecrypt header and the first partition, it's clear that the key belongs to the secret header and not the normal partition.
You can try to cover your tracks; you can use your hidden volume as the main volume and enter the main volume key when forced to come up with a password.
However, you'll have to make sure the activity logs on the PC line up with the other logs available (i.e. increments in power on hours, external drive logs and timestamps, external access logs, etc.) that can prove that the partition you've unlocked doesn't contain the OS that caused all kinds of side effects. Hell, you can probably find something related to relocated sectors/wear levelling statistics to find the clusters that are in use.
When the passphrase for the hidden volume has been entered, you can find the physical offsets of the encrypted data and find out that the first half of the drive (or less, or more, depending on your setup) isn't mapped to your booted partition.
A completely read-only OS with no logging outside RAM or connections to the outside might be used securely if you use the hidden volume as your main OS, but such a system would be too difficult to use properly.
As always, opsec is crucial for security even if your software algorithms are absolutely perfect. If you follow the guidelines set forth by Veracrypt, it should be very difficult to prove the presence of a hidden partition. That does mean you should be using your secondary OS as often as your hidden OS and analysis from external devices (such as network traffic) should not be able to tell the difference between the two.
You're totally right, but "we suspect there's a hidden volume" and "this machine is clearly locked, unlock it" are two very different situations. The prosecution and even the judge might be convinced that it's extremely likely that you have a hidden volume, but that's not the same as compelling you to unlock a phone. It's the difference between "you are ordered to open the secret safe we suspect exists."
So having a read-only USB-media OS to boot into the either the-50G-in displacement of Truecrypt-hidden or just the unmoved regular standard-filesystem volume on a standard OS boot onboard magnetic media ... is best?
Sounds like it is an OpSec risk to do the "resecuring of 50G re-displacement upon orderly shutdown" for "safest" traveling mode. One could forget or didn't have time to do that proper shutdown sequence.
> A completely read-only OS with no logging outside RAM or connections to the outside might be used securely if you use the hidden volume as your main OS, but such a system would be too difficult to use properly.
With Tails it'd be feasible. You'd have your user data on a hidden volume.
Civil law as in not common law, not civil law as in not penal law.
Countries with civil law systems tend not to have contempt of court (or very limited versions). Of course, that's variable from country to country, civil and common law being more akin to trend than hard categories.
The case was a person who was arrested for drug possession and trafficking, they were requested to give their passcode to unlock 2 phones allegedly used for trafficking, they refused then were further charged for not giving their password.
1) 15th May 2018 - First court ruled on drug trafficking but rejected the charges for not giving the passcode to unlock the phone, considering that a screen passcode is not a cryptographic means to make the data on the phone unreadable or inaccessible.
2) 11th July 2019 - Escalated to the court of Appeal, same result.
3) 13th October 2020 - Escalated to the cour de cassation, which ruled that the law was incorrectly applied and sent back the case to the court. The cour de cassation doesn't rule cases, it only rules on whether a specific law was correctly applied by the court. (A decision of the cour de cassation, like this one, explains how a law is meant to be interpreted and applied by the courts).
4) 20th April 2021 - The court of Appeal repeated the initial result (home screen passcode is not a cryptographic means to protect data) and dismissed the charges AGAIN.
5) Yesterday - Escalated to the cour de cassation AGAIN, who ruled that the law was incorrectly applied AGAIN, and sent back the case to the court AGAIN.
6) Future - This is pending another trial, from the court of appeal.
My understanding of the cour de cassation explanations: the home screen may or may not constitute a cryptographic means to make the data unreadable or inaccessible, that depends on the phone. The court needs to rule on whether it is for that specific phone in that specific case.
For the HN audience who is technical and some of you actually make the phones. Most modern phones including all Apple and most Android have cryptographic means to protect all the data on the phone, it's effectively not possible to access contacts, messages, photos, storage, etc without having the home screen password. (Please consider that historically, it was often possible to take out the sim card or the storage SD card or use other tools to read the content of the phone, but not anymore)
My understanding is that the next ruling will have to consider whether these technical protections render the data inaccessible to the police. If yes and the data is deemed required for a criminal investigation, the suspect is required by law to disclose their passcode, or risk up to 3 years of prison and 270 000 euros.
Wait, is refusing to give up your encryption keys actually a crime in France (not only the UK)? I thought (though it’s been several years since I’ve looked that up) it was only an aggravating circumstance if the encrypted material in question has been used to commit a different crime and you have been convicted of that.
It can be, under the article 434-15-2 that is about that. The decision today is an explanation to French courts about how to interpret and apply this law. The context is a person formally arrested for drug possession and trafficking, who was formally requested under this law to unlock their phones (allegedly used for drug trafficking) and refused.
Rough quick translation: "Is punished by 3 years of prison and 270 000 euros fine, the action, for whoever has the knowledge of the secret means to decrypt cryptographic means likely to have been used to prepare, facilitate or carry out a crime, to refuse to submit said ways to authorities or apply them, upon official request under II and III of criminal code.
If refused, and providing or applying said means would have allowed to prevent a crime or reduce harm, punishment is increased to 5 years and 450 000 euro fines".
French: "Est puni de trois ans d'emprisonnement et de 270 000 € d'amende le fait, pour quiconque ayant connaissance de la convention secrète de déchiffrement d’un moyen de cryptologie susceptible d'avoir été utilisé pour préparer, faciliter ou commettre un crime ou un délit, de refuser de remettre ladite convention aux autorités judiciaires ou de la mettre en oeuvre, sur les réquisitions de ces autorités délivrées en application des titres II et III du livre Ier du code de procédure pénale.
Si le refus est opposé alors que la remise ou la mise en oeuvre de la convention aurait permis d'éviter la commission d'un crime ou d'un délit ou d'en limiter les effets, la peine est portée à cinq ans d'emprisonnement et à 450 000 € d'amende."
> the lower court (Cour d'Appel) ruled that the passcode is not a "cryptographic convention" (which both the Algorithm and Private Key would classify as), and consequently that the person is not guilty.
> The general prosecutor, not happy with this verdict, appealed to the higher court (Cour de Cassation), arguing that the lower court violated the law by insufficiently researching IF, on the concerned iPhone 4, the passcode is a "cryptographic convention".
Because when a Cour d'Appel applies a law, in this case, without even researching if this specific law is applicable to this specific element, it can be broken by the high court.
The Cour d'Appel did not even have to be "right" or sufficiently technically competent.
The Cour d'Appel only had to declare that it researched IF on this phone, the passcode was a "cryptographic convention".
If the Cour d'Appel declared such a thing, EVEN IF IT WERE BLATANTLY FALSE (I'm not arguing myself for the correctness here of this statement), then the Cour d'Appel would be deemed to have stated its sovereign judgment on this matter.
On such a task, The Cour d'Appel could not be overridden by the higher Cour de Cassation.
(The Cour de Cassation cannot re-evaluate the sovereign judgment of the Cour d'Appel.)
BUT, the Cour d'Appel intended to apply the "refusing to yield the cryptographic convention == bad" law, without even researching IF beforehand this was REALLY a "cryptographic convention".
The general prosecutor leveraged this oversight by asking the Cour de Cassation to break the lower court judgment.
He won. The Cour de Cassation broke the lower court ruling, and sent them back to court again.
The break ruling is :
> By affirming that the passcode is not a "cryptographic convention", WITHOUT analysing the technical characteristics of the concerned iPhone4, yet essential to figure out a decision, the lower court insufficiently justified its decision
==== What I have to say on this matter
It's an old iPhone. I'm a bit lazy to Google what the passcode is doing on the range of iOS versions supported on such an old phone.
A 4-8 digit passcode is not enough to be secure. That's weak as hell.
That's only 10^8 possibilities, and the Private Key can be brute-forced in 1 second.
Still, IF on this old iPhone the weak-as-hell passcode was the Private Key of encrypted data, then it could be deemed a "cryptographic convention", and the person could be deemed guilty.
On a RECENT iPhone, I think that this person could escape being guilty for not giving its homescreen password or code.
On RECENT iPhone, those weak (4-8 digits) are NOT part of a "convention de déchiffrement"
The passcode is neither the crypto algorithm, nor the Private Key to the data.
On recent iPhone, the password is ONLY a key to a safe: the Secure Enclave (T2 chip).
The Secure Enclave, even in rescue mode, has an API, and only accepts ~10 passcode attempts.
When you succeed, you are giving a means to decipher data. I don't even know if:
- the Secure Enclave yields back the Private Key
- or just provides a hardware API to further decrypt data.
What I mean is that on recent iPhone, the passcode is NOT part of the "cryptographic convention".
It only unlocks a safe : the Secure Enclave.
That would be the same thing as storing the Private Key in a safe.
On iPhone4, probably the passcode IS used as a seed to regenerate the Private Key, and as such refusing to give it to police is breaching the law.
On iPhone with Secure Enclave + T2, probably the passcode is not used as a seed, because that would be weak as hell. Refusing to give it to police is possibly not a breach of law.
> That would be the same thing as storing the Private Key in a safe.
Same thing with LUKS. Password just unlocks the encrypted master key stored on the disk, which is then used to decrypt actual data.
Not sure why this one layer of indirection would matter to purpose of the law.
If you erase the LUKS header (by some tamper detection mechanism), then you will not be able to provide any means to decrypting the actual data, even if you give up the password. That may matter to the law, since nothing it does may ever yield the decrypted data.
But this same effect can be achieved with direct password->key transformation. Tamper detection can erase the data itself instead of the master key.
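Added example (not part of any comment in this thread, and not LUKS or Apple code): a sketch of the two designs discussed above, a key derived directly from the passcode versus a random master key wrapped in a header. The function names, the iteration count and the HMAC-based `seal`/`unseal` stand-in for a real authenticated cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed value, kept low so the example runs quickly


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Stretch a passcode into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=32)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (illustrative stand-in, not a vetted cipher)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


# Design 1: the passcode-derived key encrypts the data itself.
def create_direct(passcode: str, data: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "data": seal(derive_key(passcode, salt), data)}


def open_direct(vol: dict, passcode: str):
    return unseal(derive_key(passcode, vol["salt"]), vol["data"])


# Design 2: a random master key encrypts the data; the passcode only unwraps it.
def create_indirect(passcode: str, data: bytes) -> dict:
    master, salt = os.urandom(32), os.urandom(16)
    header = {"salt": salt, "wrapped": seal(derive_key(passcode, salt), master)}
    return {"header": header, "data": seal(master, data)}


def _unwrap_master(vol: dict, passcode: str):
    header = vol["header"]
    if header is None:
        return None
    return unseal(derive_key(passcode, header["salt"]), header["wrapped"])


def open_indirect(vol: dict, passcode: str):
    master = _unwrap_master(vol, passcode)
    return None if master is None else unseal(master, vol["data"])


def change_passcode(vol: dict, old: str, new: str) -> bool:
    """Re-wrap the master key; the encrypted data is not rewritten."""
    master = _unwrap_master(vol, old)
    if master is None:
        return False
    salt = os.urandom(16)
    vol["header"] = {"salt": salt, "wrapped": seal(derive_key(new, salt), master)}
    return True


def erase_header(vol: dict) -> None:
    """Tamper response: after this, no passcode recovers the master key."""
    vol["header"] = None


if __name__ == "__main__":
    sample = b"constructed sample data"
    vol = create_indirect("123456", sample)
    print(open_indirect(vol, "123456"))
    erase_header(vol)
    print(open_indirect(vol, "123456"))  # header gone: passcode alone is useless
```

In the direct design the only way to get the same "passcode no longer helps" outcome is to destroy the ciphertext itself, which is the point made in the last comment above.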
Your example of 10^8 combinations, an 8-digit passcode on an iPhone 4, means a policeman would have to sit at a desk and try combinations for hundreds of years. This is likely to be determined as unbreakable protection by a court.
The document in page 11-12 goes into what may constitute cryptographic conventions.
It considers all recent iPhone and Android phones to be. It considers all systems for unlocking a mobile phone to be, as there is no other ways to access data on the phone otherwise, given normal technical knowledge and no specific software or hardware.
> Your example of 10^8 combinations, an 8-digit passcode on an iPhone 4, means a policeman would have to sit at a desk and try combinations for hundreds of years. This is likely to be determined as unbreakable protection by a court.
In my opinion, one of the most fundamental human rights, maybe even the most important human right, is the right to refuse to answer to a question.
Any law that says that there are circumstances when humans must answer to a question otherwise they will be punished is wrong and abusive.
Obviously, when people are suspected to have done something illegal, but they refuse to give answers that might dis-incriminate them, then that can be used in conjunction with evidence that makes probable that they are guilty to conclude that they are indeed guilty and sentence them accordingly.
However, in such cases any punishment should be for the crime whose authors they are believed to be and not for refusing to answer any question.
I do not care if a bunch of mean or stupid people claim to "represent the will of the people" and they make Draconian laws that punish those who do not answer questions. I will never recognize that they have any right to make such laws and I pity the people that are so naive that they accept the existence of such laws.
I have been born and I have grown up in a country which was governed by a criminal organization which had received the political power from a foreign invading army, even if they also claimed that they have been elected democratically and they "represent the will of the people".
To maintain their power, the government imprisoned and killed any opponents, which were identified through mass surveillance.
Any honest citizen did not have any greater wish than to get rid of the government, but it was impossible to organize any kind of opposition, due to the mass surveillance and due to the confidential informers who infiltrated any institution or company.
In such a country, answering the truth to any question of a law enforcement officer could lead to grave consequences for other innocent people, from destroying their professional careers, up to even death.
A similar history was shared by all the countries in the Eastern Europe, but there are also many other such countries.
It worries me that after a decade when it seemed that the political conditions have greatly improved in many countries, after 2000 the actions of the governments from North America, Western Europe and Australia have become each year more and more similar to the actions of the former communist governments that they previously loved to criticize for their disregard of human rights, and the legal rights of the citizens of these countries have become more and more restricted, under various pretexts, such as "war on terror" or "save the children".
> Law enforcement authorities may compel suspects to provide the passcode to their mobile device under threat of a legal sanction pursuant to Article 434-15-2 paragraph 1 of the French Criminal Code, [...]. The request must be sanctioned by a judicial authority.
What is this sanction by judicial authority? A court order? Can it be appealed against? Can I get a lawyer to participate in the hearing for the sanction?
Sanction here does not mean punishment, it means approved (the law itself says "upon request")
That article of the Criminal Code refers to two chapters of the Code of Criminal Procedure, which covers the two types of criminal investigations in France and their respective judicial authority: the prosecutor, and the judge of instruction (an investigative magistrate).
An order/request by the judge can be appealed against, I don't think the orders/requests of the prosecutor can be appealed.
I raised the question because I want to understand how much the police in France need to do to issue an order to unlock a phone. It does not sound too bad to me if they have to go through a judge and a hearing to issue the order.
The problem is that the prosecutor can issue a blanket order that forces any person, company or organization to hand over to the police any and all digital information and data that may be related to the investigation. And as with all blanket orders, this gives a lot of leeway to the police.
A neat question is whether it would be illegal for Apple to refuse to write software to unlock the iPhone of someone who illegally refuses to disclose their passcode.
Interesting. Doesn't France have a legal system that leans more towards Civil Law than Common Law? So how much legal validity does this judgement have?
It doesn't "lean more" towards civil law, it is a civil law legal system. Nevertheless, precedent ("jurisprudence") is still part of the legal framework.
The cour de cassation, the highest court of appeals, has rendered a judgement about something which is ambiguous in the law. This is a judgment about a particular case in a particular situation, and judges are explicitly forbidden from writing anything in their judgment that would look like a general statement. Lower courts are independent and can render different judgments in similar cases if they interpret the law and the situation presented to them differently. So why does it matter that the cour de cassation created this precedent? Well, it's the highest court of appeal. Any lower court who judges differently sees clearly the "risk" that their judgment is appealed, passed on to the cour de cassation, overturned, and needed to be judged again. We have professional judges in France, and they recognize there is little point in wasting the State's resources on such things without good reason.
But because we are in a civil law country, it is quite likely that the existing law will be clarified and supplant the precedent. In a civil law country, precedent is always subordinate to codified law.
Thanks for the clarification. I just recently became aware of how different the French legal system is when I started watching "Murder in Provence" and was confused when a judge himself got involved in the investigation of criminal cases.
No, the cour de cassation is not the equivalent of the supreme court in many ways.
* It doesn't judge the constitutionality of laws. That's the constitutional court.
* It doesn't judge cases related to complaints against the administration. That's for the council of state.
* Its precedents don't bind lower courts, who are free to rule differently.
* In France, judges are explicitly forbidden to write a judgement that seems to hold in a general manner (article 5 of the penal procedure code) - we have a much stricter separation between the legislative and judiciary. They always judge specific cases. This applies to the cour de cassation as well.
It's just not useful to try and compare the US and French legal systems. They're too different.
> we have a much stricter separation between the legislative and judiciary.
Could you clarify more? You also said, "In a civil law country, precedent is always subordinate to codified law." That would imply that there is less room for judges to interpret the law more freely. (In India, for example, constitutional courts can even expand or contract the law, by striking down or adding provisions to it through the power of judicial reviews.)
Indeed, this is a decision of the "Cour de Cassation", which is the highest court and which does not judge guilt in specific cases (edited to clarify), but whether the law was correctly applied. So by judging that this is a criminal offence (actually they have only confirmed previous legal decisions so it was expected) they have ruled that French Law states that this is a criminal offence, including based on jurisprudence (previous decisions). So that rather settles it.
The cour de cassation does judge specific cases. They don't make the law and lower courts are not bound to their precedent. I wrote a more complete explanation in a sibling comment.
"Indeed, its role is not to retry cases. It rules exclusively on the law. As a result, the Cour de cassation does not concern itself with the facts of a ruling or judgment, but verifies that the law was correctly applied to the contested decision. In other words, it does not rule on disputes, but only on the decisions concerning those disputes." [1]
It only checks that the law was correctly applied, it is not an appeal where the guilt is re-assessed (that's what I meant, obviously not very clearly).
friendly reminder for those in the USA, or visiting it:
face, blood, fingerprint, and other biometrics on your mobile device are not protected by the 5th amendment and can be secured from your person by force if necessary and compelled by a warrant. If you fail to submit to a DUI test for example, your blood can be forcibly drawn against your consent in the presence of a warrant.
strong passphrases (not passwords) however are vital to your security and protected under the united states 5th amendment. you can be compelled to surrender your device, but not its password.
failure to disclose a password cannot be used as reasonable suspicion to detain you for a crime.
Related for iPhone users: if you press and hold the lock and volume up buttons until the "slide to power off" screen appears, FaceID will be disabled until the next successful passcode entry.
You can press "cancel" after the "power off" screen appears, or you can power it off, faceID will be disabled regardless.
Seems passcode should be obtainable too then, as it is represented in the physical configuration of your brain's biological system and thusly could technically be considered biometrics.
The feds didn't have much trouble getting a warrant to have my internals x-rayed last time I crossed the border, even though that was all internal configuration of the body.
I would argue forcing someone to put their finger on a phone or otherwise provide their physical self in a compulsory manner is self-incrimination. Your body is part of your 'self.'
Physically forcing someone to do something isn't self-anything. If it were, the electric chair would be assisted suicide. You don't even need to be alive to put your finger on a phone.
physically forcing someone to incriminate themselves is self incrimination. Why would it not be self-incrimination once they are forced? Your statement makes zero sense.
The whole point of laws regarding self incrimination is not to stop people from being electively able to incriminate themselves, but to stop the government from being able to force them to incriminate themselves.
Almost everyone but you is familiar with self-incrimination as the word(s) used in modern English as a concept that includes things like testifying against yourself whether you were physically forced to or not.
------------
RE to below: (due to timeout)
>Again, the government cannot force people to incriminate themselves.
force : coercion or compulsion, especially with the use or threat of violence.
>It can threaten people in order to convince them to incriminate themselves,
You literally used an example of force.
In classic HN autistic pedantry, if someone puts a gun to my head and demands my wallet and I hand it over -- well your honor they were never forced to do it! You see they were just threatened to be convinced to hand the wallet over!
--------------
>I really have to bail, because this is stupid. The government can take your wallet. You are not allowed to keep your wallet because the things inside it can incriminate you. By your own tortured reasoning, self-incrimination would include someone else physically holding you down and taking your wallet.
I claimed it (someone compelling you to hand over your wallet) was an example of force, not an example of self-incrimination. Keep your thoughts straight. At least we finally figured out you have no idea what force means, and that was the root of your misunderstandings. For the record, wallet is not part of your 'self' but your finger is generally understood to be. Dead men aren't prosecuted in the US so it's moot to debate handing over a dead man's finger for his own criminal case.
>There's no timeout. It takes a little while for a reply link to appear on the main page, but if you click directly through to the comment, you can reply.
There is a timeout on my account, I'm limited to ~5 posts per 3 hours.
There's no timeout. It takes a little while for a reply link to appear on the main page, but if you click directly through to the comment, you can reply.
> In classic HN autistic pedantry, if someone puts a gun to my head and demands my wallet and I hand it over -- well your honor they were never forced to do it! You see they were just threatened to be convinced to hand the wallet over!
I'm going to take a last run at explaining this to you. I'm not telling you that the government cannot force you to do things. I'm telling you that the government cannot force you to testify against yourself, because that's how justice once worked: you chose somebody you thought did something, then tortured them until they admitted it. This is the beginning and the end of self-incrimination. It doesn't give you the ability to refuse to give your photograph, it doesn't give you the ability to refuse fingerprint or DNA collection. It, in fact, doesn't give you any ability. It restrains the ability of the government to punish you for not testifying against yourself.
> In classic HN autistic pedantry, if someone puts a gun to my head and demands my wallet and I hand it over -- well your honor they were never forced to do it!
I really have to bail, because this is stupid. The government can take your wallet. You are not allowed to keep your wallet because the things inside it can incriminate you. By your own tortured reasoning, self-incrimination would include someone else physically holding you down and taking your wallet.
Nothing can be self-incrimination that doesn't require you to be alive to participate in. Any inability to understand this is willful, and you're only hurting yourself.
> physically forcing someone to incriminate themselves is self incrimination.
You can't physically force someone to testify. It's not a thing that is possible, unless you kill them and attach electrodes to the muscles of their mouth, throat, and diaphragm. The testimony that results from that method will not be convincing.
> The whole point of laws regarding self incrimination is not to stop people from being electively able to incriminate themselves, but to stop the government from being able to force them to incriminate themselves.
Again, the government cannot force people to incriminate themselves. It can threaten people in order to convince them to incriminate themselves, it can punish people if they refuse to incriminate themselves, but it can't force people to incriminate themselves. It can put their finger on a phone. You can put their finger on a phone, if you're bigger than them, or they are asleep.
The point of laws about self-incrimination is to declare that refusal to self-incriminate cannot be punished.
If it's a federal crime they'll charge you with conspiracy to commit a crime and you're a felon by default. That's what they did to crypto drug sellers.
You have 5A rights at the border but I can tell you from firsthand experience after exercising them, I now get tossed in a cell every time I cross including spending 16+ hours in detention. IMO it's best not to have a phone at the border, I don't take anything across the border I don't want destroyed and documented and examined to the Nth degree. If you're not a citizen or green card holder they'll also send you packing for invoking the few constitutional rights you have at the border.
Oddly they have always been incredibly scrupulous in returning money as long as its under the 10k limit, thoroughly counting it in front of me and placing it in chain of custody.
It's a valid point, which is why I argue you don't really have a right to trial either because the punitive plea-deal system horribly punishes people who attempt to invoke their right to be proven guilty (or not).
In reality I enter my phone passcode very infrequently because I use a fingerprint reader. I have set a long PIN since I don't want it to be brute forced. Because of the horror stories I hear of law enforcement and abuse of power, if I have a run in with a cop, turning off my phone is one of the first things I do. In a stressful situation where I am facing potential harm to my body or my family I can very easily see myself forgetting what that long, infrequently typed PIN is.
In the U.S. generally [0] a court can force [1] disclosure of a password or location of a physical key or whatever unlocks access to documents whose existence and contents are a "foregone conclusion".
The idea is that "we know you have contraband <details>" so your being made to produce that contraband is not a violation of the 5th amendment right to not self-incriminate.
This idea seems rather twisted to me, but this is what the courts have gone with. There might be some protection against other incriminating documents being found this way than those that were being sought, but I'm not sure.
Looping back to your comment, if it is a foregone conclusion that you do know the password, then "I forgot it" won't be a defense. But if it can be shown that you haven't used that password in a long time, then it might be a defense (but idk really).
IANAL. Do not rely on any of this.
[0] This may vary by state, but I believe in Federal court it works this way.
[1] Via the threat of contempt of court incarceration until the defendant or witness complies.
Does pressing the power button five times still disable biometrics?
Edit from sibling comment link with alternate easier method to hard lock: “Just press and hold the buttons on both sides. Remember that. Try it now. Don’t just memorize it, internalize it, so that you’ll be able to do it without much thought while under duress, like if you’re confronted by a police officer. Remember to do this every time you’re separated from your phone, like when going through the magnetometer at any security checkpoint, especially airports. As soon as you see a metal detector ahead of you, you should think, “Hard-lock my iPhone”.”
This doesn't seem to work on my iphone 7 with ios 15.7.1. If the screen is off, nothing happens. Or if I happen to push the power button slightly before or after the volume key, the screen will turn on and touch id works as usual. If the screen is on, but the phone is locked, nothing happens either. The screen will just turn off at some point. The phone can still be unlocked normally.
What does work is pushing only the power button when the screen is on for a few seconds. This is a dual press (1. turn on screen; 2. start shut down procedure). Or pressing the power button five times, whatever the screen state. But that also activates the emergency call countdown.
It’s worth mentioning here that as long as you have a few seconds' notice you can force your Face ID enabled iPhone to require a passcode the next time it’s unlocked.
I don't have an iPhone with FaceID to test this, but supposedly you need to be looking at the phone as well, so it should be fairly easy to avoid unlocking the phone under duress (consequences notwithstanding).
(not a lawyer or french) but generally yes - it's your responsibility to give the password to the police, forgetting it would be equivalent to forgetting to pay at a store or forgetting to put on a seatbelt while driving - it may be accidental but still illegal. I don't know of any laws where you can legitimately claim ignorance
That is a looong shot! The responsibility for my passwords is mine and solely mine!
Other thing is being negligent with password security, and a breach leading to damage of property of life... but forgetting a password is not a crime! never.
Is this your belief of the law as it stands or how you feel the law should be?
"forgetting a password is not a crime" is a statement of fact, and the only thing required to make it a crime is a law saying it is a crime. "Crime" is not some universal absolute, what is and is not can obviously change drastically over time.
Yeah I'm not saying this is what I think is correct - it's just how the law seems like it works. Ultimately you'd have to convince a jury and I don't think most people would believe "I just happened to forget it when the police asked for it". In the US you aren't required to give the police your passcode, but they do have a legal right to use your face/fingerprints without your permission, so they can freely search if there's only a biometric lock but not a passcode. Very weird but that's how the laws were written
"Btw. with new iPhone they just need to hold it close to his face while handcuffed."
Honest question. Do people on HN actually travel with this enabled on their iphone? Like, the ability to just hold you to a wall with your phone and open it?
It can always go to that, due to nothing you’ve done.
Mistaken identity, planted evidence (from someone else, like drugs put in your bag by a handler for picking up by a compatriot in the destination, but caught before then, or by bored police!), political targeting (like you’re the ‘wrong’ nationality, and the country you’re traveling to wants some leverage), etc.
Muggers or bandits also don’t exactly ask if today is a good day either.
> Do people on HN actually travel with this enabled on their iphone?
I have nothing to hide, but I travel with a secondary phone that I wipe before crossing international borders, to which I’ll happily give law enforcement access.
The EU is so protective of consumer rights, but not of personal rights with respect to governments. Seems odd, but is a result of socialist influence. In the US we have more protection against government abuse and less corporate. But it ends up being the worst of all worlds because the government just uses the corporations to provide the data they could/would never have access to.
From your own link: "The European Court of Human Rights is an international court of the Council of Europe"
The Council of Europe* predates the European Union by half a century (depending on which origin you choose -- the European Union in its current form was established in 1993). It is much narrower in scope and has much wider membership than the EU. Even Russia was a member of the Council of Europe until the Ukraine war, when they were expelled. The UK also is still a member (a founding member, at that) even though they left the EU.
The only relation between the ECHR and the EU is that EU nations are required to join the Council of Europe as part of the accession process, and the EU can bind a member nation to adhere to rulings of the ECHR. Outside the European Union, the ECHR can render judgements but cannot enforce them.
*Not to be confused with the European Council, which is one of the strategic bodies of the EU. Don't ask...
The US has uniquely good protections against abuse by government officials. Things like the fruit of the poisonous tree doctrine, explicitly designed to keep prosecutors from overstepping their boundaries, simply don't exist in most of the world. Admissibility is complex and important in the US and basically not a concern outside the US at all, virtually everything is admissible in court. For example, it has been established at the highest level of jurisprudence in the EU that you can torture suspects and you can prosecute them with evidence acquired through their forced confession. That's because at a fundamental level, the prosecutors/court determining the truth far outweighs the right to a fair trial in most of the world. The idea outside the US being that you'll just prosecute investigators and prosecutors who overstep legal boundaries.
> has been established at the highest level of jurisprudence in the EU that you can torture suspects and you can prosecute them with evidence acquired through their forced confession.
This sounds like complete tosh - what is the highest level of. EU, ECHR? I don't believe they ever made such a ruling
Additionally, there was no EU equivalent to Guantanamo Bay level of torture and extrajudicial kidnapping.
I was thinking about ECHR application number 22978/05, but the case turns out to be significantly more subtle. The ECHR ruled the opposite of what I claimed in principle - so evidence gathered through a forced confession is generally inadmissible as an exceptional rule, however, in the specific case the admission of the evidence wasn't seen as rendering the trial unfair, specifically because he confessed in the trial and the admitted evidence was then used to confirm the confession. The ECHR argues the confession-at-trial "broke" the otherwise straight chain of forced confession => evidence => conviction, even though that confession was arguably predicated on the inadmissible (per ECHR) evidence admitted by the original criminal court. 6/17 judges dissented with this part of the ruling.
I suspect the ECHR tried to do two things at once here:
1. establish a rule that torturing people does result in all resulting evidence being excluded from trial, and if that leaves authorities with no evidence, then there can be no trial. Reading the ruling, the ECHR clearly considers the "just prosecute the prosecutors" approach insufficient when article 3 (torture) is concerned - you can't have a trial based on torture and call it fair, basically.
2. not letting Gaefgen get off because there is no doubt at all that he murdered the child.
doi 10.1017/S2071832200020290 is of interest for this.
> Additionally, there was no EU equivalent to Guantanamo Bay level of torture and extrajudicial kidnapping.
Why do you think Gitmo is in Cuba and not actual US territory?
Does it really, in practice? Looking at the two systems, I would genuinely trust the US system less.
Also, you are wrong about admissibility. It is not true that everything is allowed, it depends on context. Also, what happens even when the thing is admitted is that police can be punished for breaking rules. Not by changing the result of the court, but by punishing the police. And that is a super big one.
Plus, most cases in the US are not even going through court. 96% or so are done by guilty plea. Going through court is super expensive and you risk much higher punishment.
US courts are notoriously deferential to cops and prosecutors. It just does not strike me as a system to trust all that much.
What compels non-Americans to deny the obvious truth? I guess they are just idiots who don't study history. You need to read some more. The way Socialist ideas played out in the American and European context are widely different. For Europe socialist ideas more directly influenced government policies and parties. In the US the effect was most directly seen in the labor union movement. Many people credit the labor unions as a reason there was no large communist party in the US. Saying Socialist ideas had/have greater influence in Europe is just obvious.
The Red Scare left a lasting cultural imprint. Ask any socialist what they think socialism is and compare it to what an American[1] thinks socialism is. Note the differences.
Also, Glenn Beck had a lot to do with it. He gave a bizarre version of 20c history that stuck, to a lot of angry people who don't read. It used to be that right-wingers would target the New Deal as socialism, now they think the banks and consumer rights are socialism.
If you can convince people the banks are socialist, you've created a Schrödinger's Premise where the banks primarily exist to destroy the banks; any premise that is both true and not true at the same time can be used to prove anything.
Some countries have enacted laws to create an obligation to disclose encryption keys, etc. during criminal investigations in response to new technologies because now everyone has access to encryption methods that are essentially unbreakable without knowing the key. So while people have and should have the right not to incriminate themselves it is also reasonable to ensure that criminal investigations can still be (fairly) carried out... It was much easier when people could only hide their secrets in a safe.
I believe even in the US one may be obligated to disclose keys.
One big question is whether this should require a court order, which implies that the police must convince a judge that this is necessary and useful, or whether (as seems the case here?) the police themselves have that power, which is indeed more contentious.
The law: https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI00003...
This specific ruling is about whether the lock screen of the phone was subjected to this law as well. Basically, is the lockscreen password a decryption key?
The Cassation court judgement comes from the disk encryption mechanism being now attached to the phone locking mechanism: full disk encryption is only unlocked when the phone unlocks, so the passcode screen can be seen as a means to unlock the disk.