 On that note, welcome to Band from Encryption with Mustafa Al-Bassam and Jake Davis. Thank you. Hi, I'm Mustafa and this is Jake. Hello. And we were banned from encrypting stuff for about two years, well, I'll show you, five years. And this is something called a serious crime prevention order that we were bound to for five years from 2013, from 2018, which recently expired a few months ago. And the reason why we were bound to this serious crime prevention order is because we co-founded this hacking group called LoLSec that hacked into a whole bunch of stuff, including certainly Fox, FBA for the US Senate, too long for this to mention. So for example, one of the things we did is we put up a fake news article on the PBS website saying that Tupac Shakur was still alive in New Zealand. A lot of people still believe this is true. Yeah, we also put, this was back during the news of the World Hacking scandal. During the news of the World Hacking scandal, we hacked into the Sun newspaper to put up a fake news article that Rupert Murdoch said, Rupert Murdoch ingested a large quantity of palladium before stumbling into his famous terpira garden and passing out early in the hours of the morning. The sun didn't like that. And for some reason a lot of people found this funny. People found watching crime on Twitter funny, like as Jake says, like people watching the release of a new movie by following his hashtag on Twitter. So as a result of all of this, we were arrested in the summer of 2011. And as a condition of our bail, we were banned from using the internet. And we were on bail for about two years. And Jake, additionally, was also on electronic tag, which means he had to report to a police station. Yes, I had on top of an internet ban an electronic ankle tag from G4S, awful bastards. And then Circo, even more awful bastards, essentially enforced that I was in my home between 10 p.m. and 7 a.m. every single day. Otherwise it would start beeping and people would come around in a van. And essentially worked with just a tag and a box. And if the tag was not near the box, it went off. Allegedly, wire shark shenanigans could occur between the tag and the box. That might be another talk. So the exact thing that stayed on my bulk conditions was that I was not allowed to use any device that had the capacity of connecting to the internet. And this was when I was just starting my A-levels when I was 16. And it was really difficult to kind of do my A-levels without accessing the internet. Because, for example, all of my homework was sent over email. So I got a lot of attention because I didn't do my homework because I couldn't access my homework. And a lot of these A-level courses that actually have, for example, in the biology coursework, it says you get extra points for using internet references. So I was actually missing out on points in my grade because I couldn't use the internet. And during the time we were banned from the internet, I think it was the European courts of human rights or something that released a piece saying that it's actually against your human rights, against someone's human rights to ban them from accessing the internet. And since they released that, they stopped putting these kinds of bail conditions on people. And yeah, we were sentenced in 2013, so about two years after we were arrested in Salt Lake Crown Court. And we were also given a serious crime progression order that lasted until 2018. Because I was under 18 when I was arrested, I had 320 hours of community service in a charity shop. And I think you had a two-year sentence, but you only spent a month of that. Two-year sentence and luckily that magic electronic tag knocked off most of that. But you had the charity shop work where you sold some ice cream. No, I got free ice cream from the people who were working there. But it was a charity shop that sold clothes for deaf blind people, which is nice to be volunteering in, I guess. So this is one of the first clothes of my serious crime progression order. It says that I may possess, use or control one or more laptops, personal computers or physical devices capable of accessing the internet, provided that for each such item, where an item has the capacity to retain on this later history of internet use, such capacity is and remains enabled. So that means I can't leak my browsing history and I can't use private browsing either. And the second one is such item does not run software which is designed to prevent data from being retrieved from the unallocated space on the storage right. That means every time I delete a file, usually when you delete a file, it doesn't actually delete the contents of that file, it just deletes like an indexed file. So this is preventing me from actually deleting files properly by overwriting them with zeros. And the third one is it is not encrypted other than the fact that we installed encryption or encryption used in the course of employment or education purposes as notified. And any encryption possible must be provided to the Metropolitan Police Life Offenders Management Unit on request and I can't use hidden volumes either. Now it's quite vague what this means, like what does it mean for a device to be encrypted? Like does that mean that the communications can't be encrypted or does that mean the storage itself on the device can't be encrypted? Like personally I interpret that as the storage itself can't be encrypted but I did it anyway because it is an exception for employment or educational purposes. And so you have to keep in mind that originally when they tried to draft this serious crime progression order, the lawyers tried to put in the clause in the order saying that every time we used the cloud, we had to email them. I'm like what is the cloud even though what that means? And then they removed it when we challenged them on it. We wouldn't be able to email them without that same cloud. So in their minds there were different clouds. Yeah it would be like a recursive loop that ends forever. Every time I email them I'm using the cloud so I have to email them again. And they didn't appreciate when we explained that to them, they didn't like that. We'll get on to more of those in about five long years of that. And the fourth one is nerve-virtual computers are installed or controlled from the device save for the purposes of employment or education. And that's because when they arrested Jake, they found like 15 virtual computers on his device. And the judge found that a bit scary. The judge thought that there are 16 computers in one computer. This is not right. No, we need to stop. Can't escape this. So I guess the idea of this one was to prevent us from trying to hide our crimes or whatever. This one is quite annoying because this means I can't buy a virtual private server to host a website or to host a server. So I had to buy dedicated servers instead. It kind of defeats the purpose of the order. But anyway. I bought dedicated servers in France and I notified them that I was in France. They didn't seem to mind. It also said that every time I come to or possessed any additional laptop, personal computer, or internet-capable physical device, I must notify them within seven days and I have to give them the name and serial number of each laptop and location that it's usually kept. I don't really know what they mean by the name of the laptop, but I don't give my computer's names. Maybe they mean the network name, but I don't know. And it also says that nothing in this order is supposed to prevent my door full everyday use. Like train aircraft or cinema ticket machines, travel check-in machines, supermarket automated machines, bank machines, point of sale credit card payment facilities. I think this kind of just proves the point that when you're putting these conditions on someone, you have to realize that we live in a society now where everything we do is internet-connected or an internet-enabled or computer-enabled. And so I had to send them these emails every time I buy a new computer or destroy a computer or get rid of it. And I had to put a read receipt on them so every time they opened them, I would get a read receipt. So I would get all these read receipts from all the time they opened my emails. But then two years later, it turns out they checked their records and they had nothing on file about anything I sent. They didn't seem very competent to me because every year, the person in charge of our case, a new person is assigned. I don't think this is a kind of a job that any police officer wants. It's probably like the job that they get to be punished or something. To deal with all these orders. Check the emails from these trolls. I'll talk about them. So here are some various discrepancies in their arbitrary banning over a five-year period. I had to ask about these individually. Windows 10 is allowed, despite having inbuilt shredding functions to, again, remove files from an allocated space. Ubuntu, Mac, you just type shred. There it goes. Cubes is banned. I think Cubes was the thing they banned the most. I think they used capital letters. No, for Cubes. Kali definitely banned. They saw the dragon. Amazon EC2s. I don't think they understood the description of those and saw the word cloud, server, and banned those. VPNs are fine if I tell them which VPN it's based in the UK. Hence your dedicated server in France. Yeah, I use a VPN in my dedicated server in France. Which is tour. Definitely banned. They don't like tour. Chrome Incognito is allowed, because my clause said that I wasn't allowed to delete internet history, but it didn't say I had to generate internet history. So I think they appreciated that one, actually. And so one time I just emailed them maybe two years ago saying, what is encryption? Because HTTPS, et cetera, when we withdraw from a bank now, sometimes it's encrypted. And this is exactly what they said. They said, Blackberry with PGP. That's all they said. They said, you can't use that. I went, well, okay, fine. I won't use a Blackberry with PGP. So I mean, like, you have to realize that the people who are blinded to this have no technical computer problem. They're just saying what they think. So I think they're wrong about most of these if you actually look at the legal document. In theory, tour should be allowed, because if I'm using tour, I'm not encrypting my laptop. I'm just encrypting my communications. In theory, Chrome Incognito shouldn't be allowed, because it's said in the order that if the device has a capability to generate history, it has to be enabled. So I don't think these people really need what they're talking about. No. And because it was a five-year period, as Mustafa said earlier, the iterations, they had various iterations of the team. So the new people that came in had to deal with the sort of scraps left by the others. And by the end of the five years, you're looking at police officers that didn't even know an SCPO existed now having to pick up one of the most bizarre cases of them, because there are not many of these SCPO's around. I just think they tried to find the most severe restriction they could in through this at us. Yeah, so most of these SCPO's are usually made for computer hackers. They're usually made for people who commit large-scale fraud. And then they put conditions in there. You have to tell us about all your bank accounts. Or for example, people accused of sexual crimes, so they didn't have to report this or whatever. So some more human stories from the people behind the acronym SCPO LOMU. I had seven device disclosures in five years. So every time I bought a new phone, I had to send them. We sent the IMEI and SIM, et cetera. Except my tactic, as I'll talk about more, was to send way too much information. So I'd sent, like, the color of the phone where I bought it from, like, if I liked it, if I liked the glass screen. And because there were seven new device disclosures, that wasn't just me sort of buying seven new phones, mostly because I smashed some of them. And I would then send them pictures of the smashed phone. And I said, I can't believe it happened again. It fell out of a locker, hit the floor. You know, these Samsung screens, not very good. So they started responding in a few jokes. So you had the Samsung phone that could blow up. I had the Samsung phone. I sent them the news article. And I said, I bought a new Samsung phone. Don't worry, this is the one that does not blow up. So 13 international travel disclosures. As you can imagine, airports are very amusing. When we were arrested and years later, we tried to get our passports back. They claimed they lost them. This was the case with us and many others. And so our passports did not work at the e-passport readers. We had to go to the manual check. And they always got about nine boxes up on their screen and their face just dropped. And I don't know what they had to deal with, but it depends on the seniority of the customs officer. Usually they write something down on a piece of paper. Like, every time you... So our e-passport chips were disabled in the UK. We could use our e-passports everywhere else except for the UK. So when we go through the UK, we always have to go through the manual border control. And there's usually a queue specifically for the people whose e-passport gates doesn't work. And you can see it's full of criminals there. So every time we go through, they usually have to write something down on a piece of paper. And then when we go through, they usually close their specific booths for like five minutes. Because they have to email the Metropolitan Police every time we enter the UK. My favourite... Well, I enjoyed going through in the end because I knew what they'd see and I knew if they were an inexperienced customs officer they would quite panic and like try and buy time and ask me questions. I went through once and this guy, this grizzled guy, he'd seen it all and he just went, very impressive. Never seen... Never seen this many restrictions before. Very good. He was like, very nice and handed me my passport back. There's some sense of humour with it. But within the five year period we had ten different police contacts. I think all of whom either moved to the department or moved from another senior or junior moving up. So they don't think they knew each other and so it was a strange autonomy and we got a different answer if we emailed Monday, Tuesday, Wednesday, etc. I can tell you a few things I gleaned from them. They changed their names. The boss, Dave, likes Guinness. When I did a trip to Ireland I disclosed, again, too much information. I was going on a camping trip and I drew a physical map of all the campsites and I faxed that through. I said... And the guy there, to be fair to him, he said, I hope you have a nice pint of Guinness, so that was nice. On the other hand, the time I went to Italy one of the officers, Jason, does not like Italy. Very paranoid about my trip to Italy. I went to Venice. Explorer at Venice is beautiful. He wanted my phone number again. I said, my phone number is on your record. He said, well, I need it again, which presumably means they lost mine, too. And they don't care for the anecdotes. They don't care for the pictures I send them over the beach or the hotel room. I send them so many hotel rooms and I say, well, this one is for talks and such. And I say, well, this one has a safe. What do you guys think of the safe? We used this one. And so I started to see this trend because it was sort of a self-defense mechanism. We didn't want to be... If we broke this order, we were going to prison for five years, so we didn't want to let them have this over us completely. So it became a bit of a psychological warfare, just a mess of it. So my strategy was actually the opposite of yours. So your strategy was to jerk around with them, give them as much information as possible. But my strategy was the complete opposite. I was trying to make their job as hard as possible and give them as little information as possible. So for example, when they sent me that email saying, we have nothing on record, please send this everything again. I told them, that's not my problem, that's your problem. And the thing is, that guy was a bit scared because he has nothing to show to his boss for any records it has for me, even though I've sent them. So I think in some way they were more scared of me than I was scared of them. And I didn't want to give them extra information because I didn't think it would be right for them. It would be right to do that. We've got a few minutes left, so we can talk a little bit more about this, what I realized, compliance through rambling in the psychological warfare of hypothetical trolling. And just that, they started to ask after a few years for less information. So they left us alone. For example, because we had to disclose every new phone that we bought in vast detail, it was very a quick process for us, but for them they probably had to sit there and type it in various columns and all of this. So hypothetically we could just run a script to scrape eBay for job lots of very cheap phones and then disclose to them all of the IMEIs, hundreds of them, and they'd have to sit there all day for weeks, just inputting them over and over again. We didn't tell them we could do that, but I think they knew that we were the type of people that would do that if, you know, if for example they decided to come in like arbitrarily check our computers. So we didn't have any computer checks for five years even though they did have the power to do that. So actually I did have one. You're not trolling them enough. No, because when I told them I'm not going to give you, I'm not going to tell you any, I'm not going to send you my emails again. They said that I should, they made me bring all my devices to a police station. But then they made me bring all my devices to a police station so they could see them and check them. And then the guy told me to open my laptop. And I said, okay. And then I said, okay, what next? So he didn't know what's next because he didn't know what to check. One of the 16 VMs. So one very quick example. This is one of the emails I sent them. Oh, it's disclosed the reply. Well, never mind. This is about my Samsung phone. I said, oh, you won't believe it. The phone I disclosed to my last email, it also smashed. And this was in an email thread so they had for like four years. This time it fell out of a locker when I was grabbing my coat. One small crack in a Samsung screen is apparently enough to obliterate it. Anyway, I got another Samsung, the one that apparently overheats and sets itself on fire randomly. I hope that doesn't happen otherwise I'll have to disclose another one. I also got a pair of gear VR goggles with the phone which, don't worry, are designed to enter virtual reality, not create a virtual computer. Same sim, same number, same color, charcoal black again. About three days went by and they responded, no hello, no regards, just thanks, Jake. So, five years of these shenanigans and I think they were delighted to get rid of us, actually. So, I think we can conclude that the orders make no sense. I think that's the conclusion. I don't think... For computer hackers, at least. It doesn't seem that it's the fault, potentially, of the team behind it. I don't think they liked having to enforce these orders, either. The orders were made through a strange combination of the Crown Prosecution Service, the judge, the police, all coming together to try and define this new... In the same way we were banned from the internet and that doesn't really happen anymore, they were sort of testing all of these things on us because our case at the time was one of the first of that nature in terms of the public domain. So, all of these things were sort of just thrown as a test and they realized they don't work and they won't use them again. But I think they are now realizing even over the five-year period, as we know, the state of encryption has changed so much. And so, year on year, as weeks went by and months, it was very evident that they can't just say, no HTTPS. Yes, you can use Windows 10, but no Ubuntu and no Kali and no Amazon EC2s, but you can use a VPN if it's in the UK. And you can't use a VPS, but you can use a dedicated server in France with a non-UK VPN inside of it, et cetera, et cetera. And yes, most of... Anything to add on SCPO's make no sense? Yeah, I don't think they really make much sense for computer hackers. I don't think they were designed with computer hackers in mind. I think, as I said, they were designed for financial criminals and criminals, and that's what... Like, you have to declare all your bank accounts and stuff like that. And I think the idea isn't necessarily... I think the idea was supposed to... is to flush trade crime, like, on a subconscious level, like, you're thinking, like, if you have a serious crime information order, you'll probably think twice about committing crimes because you know that the police could ask you at any second to let them examine your laptop. Like, if they had any evidence that you committed more crimes, they wouldn't have to get a warrant. They could just examine your laptop whenever they wanted. That's the final slide. So I guess we could impart the advice, don't get an SCPO. That seems good. Yeah, that's good advice. That's a good one. I would thank you very much. That's the SCPO.