Legal Context

Before we get onto Truecrypt, Tor and Tails, let's look at the legal context for using those things. Many thanks to Steven Price and John Edwards for their help and advice on this section.

The main protection for journalists comes from s68 of the Evidence Act, which says that journalists and their employers cannot be compelled to give evidence, answer questions or produce documents which would reveal the identity of confidential sources, unless:

A judge decides that the public interest in naming the source outweighs the potential harm to the source and the public interest in keeping sources confidential

Note that s68 of the Evidence Act is quite limited:

It does not cover third-parties (such as cellphone or email providers), only journalists and their employers
It does not cover cases which doesn't involve confidential sources (though s69 provides more general protection for confidential information)

When journalistic privilege might apply, Police have to give the media outlet a reasonable opportunity to claim privilege. It is therefore much easier for investigators to target known service providers (i.e. Phone numbers and emails associated with the journalist) rather than try to seize information directly from a journalist.

Surveillance vs Search

Data in transit (e.g. Phone calls, internet traffic) can only be legally captured with a surveillance warrant, which can only be obtained for offences which are punishable by sentences of 7 years or more, or for offences related to restricted weapons.

Data at rest (e.g. Text messages, logs of phone calls, anything on your computer) can be obtained with a search warrant or production order, which can be obtained for any imprisonable offence.

By definition, it is only possible to retrospectively obtain data at rest. This means if an investigation is only likely to occur after a story becomes public, only data at rest will be available.

As an example, in the Bradley Ambrose (“Tea Pot Tapes”) case, even if the Police were interested in ongoing communications, the offence he was being investigated for did not qualify for a surveillance warrant; even if they could get a surveillance warrant, it would've been impossible for them to retroactively capture the period they were interested in. They were, however, able to obtain his texts and call records directly from his phone provider.

Norwich Pharmacal Orders

While private individuals can't get warrants, they can apply for a Norwich Pharmacal Order. These are pre-trial or interim orders against a third party, which can be used to reveal the identity of a person to allow legal action to proceed.

For example, a plaintiff might file papers against an unknown person in court, then apply for an NPO against a third party (e.g. An ISP or telco) for information that would reveal that person's identity. That third party would have a legal obligation to provide that information (or be in contempt of court), and they would not be able to claim privilege, since they would not necessarily know there was a journalist-source relationship there.

Encryption Passwords

Harddisk encyption such as the operating system's default encryption would protect you against hackers and thieves, but it may not help you against law enforcement.

Under s178 of the Search & Survelliance Act, anyone who:

Fails without reasonable excuse to assist a person exercising a search power under section 130(1) when requested to do so (relates to searches of computer systems or data storage devices - a person may be required to assist with access to data).

..will be committing an offence, and can face up to 3 months of imprisonment.

Nor would the right against self-incrimination help you or your source. Self-incrimination doesn't protect against search and seizure, and the Police Search Manual specifically states:

A specified person may not be required to give any information tending to incriminate themselves. However, this does not prevent you from requiring them to provide information or assistance that is reasonable and necessary to allow you to access data held in, or accessible from, a computer system or other data storage device that contains or may contain information tending to incriminate the person.

This means that if they are able to seize your computers, they'll also be able to force you to give up the password, on threat of 3 months imprisonment. Unless, somehow... more on this next time.

TL;DNR

Journalists and their employers are protected by the Evidence Act.
The minute data goes to a third-party (such as your ISP or telco) it's not protected.
Sources aren't protected.
Search warrants are easier to obtain than surveillance warrants.
Private individuals (including companies) can use Norwich Pharmacal Orders to root out sources.
Normal encryption doesn't help, as you can be legally compelled to give up the password.

Matthew Poole, 16:20 Sep 19, 2013

Normal encryption doesn’t help, as you can be legally compelled to give up the password.

However, if the penalty for conviction on whatever charges the encryption is delaying is higher than the two-year maximum for failing to release a password, you're better to stay mum and face the music (which will probably be home-D music at that) for withholding your password.

Auckland • Since Mar 2007 • 4097 posts Report

Rich of Observationz, 16:54 Sep 19, 2013

Would the use of some sort of duress alarm to destroy data (or encryption keys) be contempt?

Back in Wellington • Since Nov 2006 • 5550 posts Report

Nick Russell, in reply to Rich of Observationz, 19:25 Sep 19, 2013

Yes. You might also be liable for damages for despoiling evidence. If a Court orders you to deliver up evidence the only valid defence is privilege. If the evidence isn't privileged, you cannot avoid the order by uttering magic words or destroying the evidence.

Wellington • Since Jul 2008 • 129 posts Report

Thomas Goodfellow, in reply to Rich of Observationz, 19:30 Sep 19, 2013

Ignoramus response: actively using a duress password seems like contempt at best or plausibly destruction of evidence (since that surely includes materials due for searching, not merely materials already known to contain relevant evidence). But of course the penalty may still be less than that which may be due for the offense being investigated.

But how about a deadman's switch, i.e. a self-powered drive that makes itself physically corrupt if not properly unlocked within some interval? It might be harder to show that stalling on the unlock ("I need to talk to my company lawyer first") was deliberate vandalism than using a corrupting password since it can be seen that the drive says "DEAD" before starting password entry, as opposed to password entry appearing to succeed and then yielding a reset drive. Of course such a needy device would be an utter pain to live with, since the deadman interval needs to be short enough to prevent it being recognised and countermeasures applied (remove power, freeze, ablate chip housings, have Superman fly backwards around world until the drive is unlocked again...)

But it will take scrupulous discipline to ensure that the only solid evidence is on that drive - many a hacker has been bagged for tradecraft slips. However unless a conviction for evidence destruction is served in addition to sentence the underlying offence attracts then it could be a sensible gamble (practically, not morally - given this I hope such sentences are consecutive?)

Germany • Since May 2012 • 12 posts Report

Ross Mason, 22:19 Sep 19, 2013

“At rest” huh? So, traveling through space at a gizillion miles per hour counts as not at rest? I’ll give Einstein a call on that one.

So if I had 2, 3 or many more “clouds” that constantly shuffled my data around so it was never “at rest”, would that count? What constitutes the “minimum time” of “at rest”? It might be an interesting discussion.

Does a letter sitting in a letter box constitute it being “at rest”? In the postie’s bike bag? Sitting on my table unopened? Opened, read and put on the table?

Are the words sitting on the screen in front of me “at rest”? Oops…they’ve gone again….

Bizarre. And its a nightmare.

Upper Hutt • Since Jun 2007 • 1590 posts Report

Ian Dalziel, in reply to Ross Mason, 23:32 Sep 19, 2013

restive missive or Shrodinger's catalogue entry?

Neither particle, nor wave, the letter exists at all points in the journey (alpha to omega) and none of them...

yrs Half-full Glasshopper

Christchurch • Since Dec 2006 • 7953 posts Report

Moz, 04:54 Sep 20, 2013

So does a search warrant require you to obtain stuff for the police? In other words, if your data is in the cloud are you required to download it for them? Or do they have to run off to the cloud and get it from the cloud provider? I'm specifically thinking of the encrypted, distributed storage schemes. No one person or location has all the data, none of it is in your house, but it's all accessible to you.

Sydney, West Island • Since Nov 2006 • 1233 posts Report

Stephen R, 09:48 Sep 20, 2013

I have some pgp keys and files encrypted with them on one or other of my hard-disks, which time and the fallibility of memory have erased the passphrases from my memory.

If my hard disks were searched and a theoretical investigator asked for the passwords, I'm assuming that since none of those files are less than 4 or 5 years old, claiming to have forgotten the passphrase is a plausible defence against charges of contempt for failure to decrypt?

I've occasionally forgotten the passphrase to a key that's merely days old. I guess it's less plausible in that case, though still (obviously) it has happened to me.

What level of evidence does a court need to decide if you're showing them contempt in this sort of situation? What possible evidence could you use to prove that you really have forgotten?

Wellington • Since Jul 2009 • 259 posts Report

Ross Mason, in reply to Stephen R, 10:21 Sep 20, 2013

I’ve occasionally forgotten the passphrase to a key that’s merely days old. I guess it’s less plausible in that case, though still (obviously) it has happened to me.

Oh you mean like writing the password down on a piece of paper and swallowing it.

I presume that means you are safe as it is not at rest, rather, it is in motion....

Ross Mason, 16:31 Sep 20, 2013

Norwich Pharmacal order

Ouch!

Ross Mason, 16:34 Sep 20, 2013

From the wiki link:

In the same year the High Court also clarified that Norwich Pharmacal orders should not be granted for "fishing expeditions". In Arab Satellite Communications Organisation v Saad Fagih & Anr [2008] Middle Eastern inter-governmental organisations applied for an order against a Saudi dissident for the identification of individuals that "may have been involved" in the broadcast of political material. The High Court refused to grant an order which would compel a third party to make a judgement about who "may have" done something, and ruled that "Norwich Pharmacal does not give claimants a general licence to fish for information that will do not more than potentially assist them to identify a claim or a defendant".[17]

Does this mean that this could be the reason Kim Dotcom has't been served with one of these to find those "culprits" who might have used Mega to "hide" their music???

nzlemming, in reply to Ross Mason, 01:09 Sep 21, 2013

It's more likely because he hasn't had access to the servers since the raid.

Waikanae • Since Nov 2006 • 2937 posts Report

tussock, 20:30 Sep 21, 2013

It seems kinda silly to have a law that only protects sources and journalists who don't own cellphones or computers, eh. Almost like someone should be thinking of some amendments there, sometime.

Not that it'll matter once the GCSB's running the infrastructure. It's not like they bothered about warrants before they had all that power.

Still, enjoy your attempts at cloak & dagger folks, and good luck picking software, operating systems, and hardware that the NSA hasn't built any backdoors into for the whole world to browse.

Since Nov 2006 • 611 posts Report

Paul Campbell, 12:48 Sep 23, 2013

Surely what we've found out in the past few weeks is that the NSA is running the infrastructure, even in places here in NZ, the GCSB has already lost control.

Frankly I don't think we can trust any of them, their interests are not aligned with ours - we have to build our own

Dunedin • Since Nov 2006 • 2623 posts Report

OnPoint by Keith Ng

14 responses to this post