Slashdot Mirror


UK Decryption Law Pushed Through

Joel Rowbottom writes, "After all the lobbying and protests from the 'Net community over the past year, the UK government has still published The Regulation of Investigatory Powers Bill. If this becomes law then you could be sent to prison if your data is encrypted and you refuse to either supply the key, or the plaintext versions. If you're in the UK and you haven't done so yet, write to your MP and let them know your feelings on the subject!"

60 of 312 comments

  1. Everything to hide. by cruise · · Score: 2

    I think that once this gets to the types of folks who have everything to hide (IE, the people who would sign this into law) it would be killed.

    Not that you shouldn't go right now and complain to someone about this. You should!


    They are a threat to free speech and must be silenced! - Andrea Chen

    1. Re:Everything to hide. by hobbit · · Score: 2
      In the UK, there is no right of free speech or right to silence.

      There is a right to silence - but it may harm your defence if you do not say anything which you later rely on in court.

      In the UK, being Irish is a criminal offense punishable by being held without trial.

      Quite. And it is also a criminal offence not to practise archery on Sundays.

      In the UK, Nationalism is the same as being a thick racist thug.

      Which type of Nationalism? Do you know the difference between the BNP, the SNP and Plaid Cymru?

      In the UK, racism is an institutionalised way of life.

      What a helpful generalisation.

      Hamish

      --
      "Wise men talk because they have something to say; fools, because they have to say something" - Plato
  2. How's this work? by Cuthalion · · Score: 2

    If this becomes law then you could be sent to prison if your data is encrypted and you refuse to either supply the key, or the plaintext versions.

    I guess if I knew a lot about encryption, I'd know the answer to this, but is there any way to verify that the plaintext version you supplied matches what's been encrypted? Certainly if this law were algorithm agnostic, then there would be no way to verify this.. (just say "I used a one-time pad, which I will not supply. Instead I will provide you with a plaintext version of it.") That seems to me to remove all of the teeth from this otherwise god-awful law.. am I mistaken?

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
    1. Re:How's this work? by dattaway · · Score: 2

      That's an interesting idea. Have two passwords. One that will decrypt the real data and the next will decrypt random preselected harmless junk. When the papers are served, watch them not able to find those family secret cooking recipes.

    2. Re:How's this work? by 348 · · Score: 2
      Actually you are really on to something there. Sort of like a sig, have a couple of paragraphs or however much you want appended under a "second key" to everything you encrypt. I can see it now.

      Govt Rep.: Mr. L33t H4x0r decrypt these files or you will go to prison!
      L33t H4x0r: OK

      Mr. L33t H4x0r runs key number two and out pours the text to the last opensource man and natalie portman saga.

      --

      More race stuff in one place,
      than any one place on the net.

    3. Re:How's this work? by Chalst · · Score: 2
      No: if a message was encrypted using a public key system, and the
      prosecutors know the public key, then obviously they can check the
      message.

      This is probably the kind of case the police are most concerned
      about: criminals using cryptography to communicate, and not be
      understood by the police. The other kind of case would use symmetric
      key cryptology: eg. the accounting details of a fraud are held locally
      on a hard drive, and here it wouldn't be able to verify the plain text
      matches the cypher text.

    4. Re:How's this work? by Wellspring · · Score: 2

      (just say "I used a one-time pad, which I will not supply. Instead I will provide you with a plaintext version of it.") That seems to me to remove all of the teeth from this otherwise god-awful law.. am I mistaken?

      (IMHO, IANAL) Yes! Because, place yourself as a law enforcement agency, and ask yourself, "how can I enforce this law". The answer isn't and can't be, "Well, I guess we don't." Instead, they will have to be more invasive and confrontational to make certain that you aren't dancing around it.

      This is a terrible development-- much worse than the cameras and monitoring devices that the British are also implementing to monitor their citizens' activities. We have the potential to live in a world where virtually everything we do is subject to observation, review and regulation-- where we become terminals and peripherals to a central social control. Or this technology will let us be distributed, parallel, and at liberty to make our own decisions.

      Massive parallelism, neural networks, distributed systems, genetic algorithms, Open Source development models-- my feeling is that these technologies should be the model for our social system-- a world of individuals with as much of the decision-making offloaded to the 'client side' as possible. (Excuse me if I am stretching the metaphor too far, but I think it still holds.)

      In a parliamentary system, you have less direct say over your government, since you have to deal with a party rather than a person. But you still should fight this tooth and nail. Once the burden of proof is on you to prove that you aren't hiding something, you'll never be able to escape that.

    5. Re:How's this work? by Robert+Link · · Score: 2
      The investigators may know your public key, but that doesn't do them much good; in order to verify the ciphertext they need the session key for the symmetric cipher used to encrypt the message. Maybe they could declare this key the "plaintext" for purposes of the law. It's hard to say. In any case, all of this presumes that your public key is truly public, which need not be the case. If you truly were worried about this law you could always secretly exchange "public" keys with the people with whom you intend to communicate.


      Actually, the more I think about it, the more peculiar the clause about plaintext seems. Any putative plaintext that comes from the hand of the person being investigated is untrustworthy, and therefore unhelpful at best. Seeing this clause in the legislation makes one doubt whether the lawmakers truly understand the issues involved here. Viewed in that light, this law should at least provide a useful counterargument the next time someone claims that the US has a monopoly on clueless government (which, judging from recent Slashdot posts, should be sometime within the next 24 hours.)


      -r

    6. Re:How's this work? by Weezul · · Score: 2

      I'd know the answer to this, but is there any way to verify that the plaintext version you supplied matches what's been encrypted?

      Yes, they can force you to give them the key so that they can decrypt it, but there is hope: StegFS is an encrypted/steganographic filesystem for Linux (based on ext2) which provides plausible deniability, i.e. it has n levels of access (different passwords) and you may encrypt data at any level of access, but there is _no_way_ to prove that a higher level exists from a lower level. This means that when the cops make you give them the password you just give them the passwords to the lower levels, but not the higher levels.

      The only hole in this system is that the cops may know you possess some information which you have not yet shown them, so they could assume that there are unrevealed levels.

      I would really like to see the linear algebra based plausible deniability algorithm implemented for PGP key files. It would make your key files 16 times larger, but would allow you to have n It might be possible to have a psychological solution to the password problem, i.e. use long passwords which you can remember, but which you can also force yourself to forget (by chanting similar sounding things hundreds of times). It is an interesting idea.

      --
      The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
    7. Re:How's this work? by ralphclark · · Score: 2

      D'oh! You did it again.

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

    8. Re:How's this work? by Robert+Link · · Score: 2

      Yes, it is odd. I believe the Parliament has a publication similar to the Congressional Record that is accessible from the Parliament web site. It might be worth digging through it to see if there is any mention of what they were thinking. One possibility is that they were concerned about a possible "I destroyed the key" defense, so this gives them the opportunity to respond with, "Well, just give us the plaintext, then." There is a little logic there, since it would be hard to whip up a believable bogus plaintext on a moment's notice if you didn't already have one prepared. However, competent criminals will realize this, and they will just prepare their alternate plaintext in advance. Criminals have been using a similar tactic with accounting books for decades, so I don't imagine they will have much trouble adapting the practice to email correspondence.

    9. Re:How's this work? by Cuthalion · · Score: 2

      you to have n It might

      Was this n IS GREATER THAN blah blah blah? I bet it thought it was an HTML tag and stripped it out.

      --
      Trees can't go dancing
      So do them a big favor
      Pretend dancing stinks!
    10. Re:How's this work? by Chalst · · Score: 2

      I had a look at Hansard and found the relevant section. It's available at:


      Hansard: Regulation of investigatory Powers Bill

      It clearly states that if it is not `reasonably practicable' for the
      investigated party to provide the key or plaintext, then that is a
      defence. Section 47 is about providing information in lieu of a key,
      which says nothing about verifying that the decrypted information
      matches the ciphertext.

    11. Re:How's this work? by Chalst · · Score: 2

      More digging: nothing significant was debated in the Commons, but
      there was a select committee which discussed feedback to the draft
      bill.

      Available at

      Hansard: Trade and Industry Select Committee Report #14

      Very nice site, BTW: a lot of information, well organised, and with
      the most helpful site specific search engine I have used
      (automatically looks for words with similar roots to those specified,
      and explains what it is doing).

      It looks as if the plaintext requirement was tagged on in response to
      concerns that (i) users might have legitimate reasons not to possess
      the key, (ii) concerns that the police might use keys to obtain more
      information than authorised, or to hoard keys. They seem not to have
      thought of the problem of verification at all.
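
The verification question running through this sub-thread, shown as an added example that is not part of any poster's comment: a claimed plaintext can be checked against a ciphertext only when the key is disclosed with it, and for a one-time pad even a disclosed pad proves nothing. The HMAC-based keystream is a toy stand-in for a real short-key cipher, and every function name and sample message here is constructed for the illustration.

```python
import hashlib
import hmac
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, counter) blocks (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Short-key symmetric cipher: plaintext XOR keystream(key)."""
    return xor(plaintext, keystream(key, len(plaintext)))


def verify_short_key(ciphertext: bytes, claimed: bytes, key: bytes) -> bool:
    """Verifier's check when the key is disclosed: re-encrypt and compare."""
    if len(ciphertext) != len(claimed):
        return False
    return hmac.compare_digest(stream_encrypt(key, claimed), ciphertext)


def verify_otp(ciphertext: bytes, claimed: bytes, pad: bytes) -> bool:
    """The same check for a one-time pad (key as long as the message)."""
    if not (len(ciphertext) == len(claimed) == len(pad)):
        return False
    return hmac.compare_digest(xor(claimed, pad), ciphertext)


def otp_pad_consistent_with(ciphertext: bytes, claimed: bytes) -> bytes:
    """For a one-time pad, some pad explains ANY same-length plaintext."""
    return xor(ciphertext, claimed)


def demo() -> dict:
    # Constructed sample messages of equal length.
    real = b"ledger: 4 crates, invoice 117"
    other = b"recipe: 2 eggs, flour, butter".ljust(len(real))[: len(real)]

    # Case 1: short (256-bit) key. The key ties the ciphertext to one plaintext,
    # so a different claimed plaintext fails the verifier's check.
    key = secrets.token_bytes(32)
    ct_stream = stream_encrypt(key, real)

    # Case 2: one-time pad. A pad exists for every candidate plaintext, so a
    # disclosed "pad + plaintext" pair always passes and proves nothing.
    pad = secrets.token_bytes(len(real))
    ct_otp = xor(real, pad)
    alt_pad = otp_pad_consistent_with(ct_otp, other)

    return {
        "short_key_real_verifies": verify_short_key(ct_stream, real, key),
        "short_key_other_verifies": verify_short_key(ct_stream, other, key),
        "otp_real_verifies": verify_otp(ct_otp, real, pad),
        "otp_other_verifies": verify_otp(ct_otp, other, alt_pad),
        "otp_pads_differ": alt_pad != pad,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without any key the verifier has nothing to recompute, which is the gap in the plaintext clause the comments above point out.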

  3. Stego! by Sloppy · · Score: 2

    Now is the time for everyone in U.K. to brush up on Steganography.
    ---

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:Stego! by PigleT · · Score: 2

      Time to doubly-encrypt things, I think. Then the real message underneath... is also meaningless! Seriously, the threats to e-commerce in the UK are extremely high; if I can't trust someone's web server because the government will require them to decrypt stuff, it's just as bad as everything having a hidden backdoor key in it too. Everyone in the UK should sign up with Stand and send a letter to their MP immediately, IMNSHO.

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  4. Re:Reasonable? by larien · · Score: 2
    Combination safes can be blown open, sawed through or otherwise broken into. Strong encryption takes a lot of compute power which quite simply isn't available.

    In any case, the problem is more that it is a crime to hold encrypted data and not hand over the decryption key even if you never had the key! That is why the bill is ill thought out.
    --

  5. Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

    /* Disclaimer anything said in the below post is something that I personally believe and as such may offend persons who have vested interests in the concept of cryptography. If this offends you realize that it is indeed a valid opinion */

    I would think that in fact the average person has no use for cryptography in their daily lives. I don't mostly because I really don't know anyone and have never had the need to use communications media to interact with individuals in a private way. Generally I think that if I have a choice between using cryptography or going to prison I will choose to not use it.

    The ultimate question is why would anyone really care about you so much that you need encrypted data anyway? If you are being monitored that closely you should run far, far away and never return.

    Cryptography is only useful if you happen to be a spy or have an actual internet connection (ie the use of pgp to sign, encrypt, or both messages with it). Most data that you have is not really that interesting.

    --
    Slashdot social engineering at its finest
    1. Re:Why is cryptography so terribly important? by Plasmic · · Score: 2

      Your question (and opinions) have been responded to on approximately 4,392 occasions here on Slashdot. You should search the archives where you will find a plethora of intelligent responses that rationally explain why you are wrong. That's not to say that I don't understand where you're coming from or from where your doubts stem as I much felt the same way as you did until I took the initiative to educate myself (rather than waiting for people to educate me).

      I will simply point you to the recent story, Northwest Searches Employees' Home Computers and see if you can extrapolate why this particular case might be relevant even though it only points out one specific utility for encryption among average folks.

    2. Re:Why is cryptography so terribly important? by Ralph+Bearpark · · Score: 2
      I would think that in fact the average person has no use for cryptography in their daily lives.

      Well, my wife and I have to routinely refer to "McDonalds" as "M.C.D.s" to avoid over-exciting our 3yr old.

      More seriously, I wouldn't like to do any online shopping if there wasn't at least a rudimentary form of cryptography going on.

      Basically, you don't have to be a spy to need encrypted data.

      Regards, Ralph.

    3. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      I will simply point you to the recent story, Northwest Searches Employees' Home Computers and see if you can extrapolate why this particular case might be relevant even though it only points out one specific utility for encryption among average folks.


      Reminds me of a simpson's episode where Homer is leader of the Union at the nuclear power plant. One night he hears a knock on the door.

      *Knock* *Knock* *Knock*

      Homer: Who's There?
      Man at door: Goons
      Homer: Who?
      Man at door: Hired Goons
      Homer: *opens door*
      Man at door: *grabs Homer*

      In your own home you do not have the need to open the door to anyone unless they have a search warrant. That is how it works at least in the USA. Now if they did do such a thing I would have every reason to physically beat their brains out with a club in keeping them off my property. If I buy the computer then I have free access to it. If they want to look at the computer fine! I'll just delete very thoroughly (about 1,000 times for each sector of the hd that had the files). Or more exactly take the hd out of the machine completely delete it and then use some thermite on the hd. Then have another hd that I could swap back in without any data that they want. Simple problem solved.

      Even with encryption if I have a directory called

      C:\my_evil_secret_plans_for_Northwest
      and has files like:

      bomb_making_plans.doc
      strikes_and_how_they_work.doc
      ...

      etc then perhaps that is still incriminating and especially so if you have the data encrypted.

      --
      Slashdot social engineering at its finest
    4. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      Because you might want to order stuff on-line? People (especially those in card companies) really care about credit card fraud. Encrypting your card number before you send it is the most pragmatic way to prevent financial loss and the hassles of cancelling your card etc.


      Yeah but as an average person you don't need to build a credit card transaction system. Online processing doesn't really force the user to care about encryption except having an https url prefixed to the site.

      Besides, most people now assume that an actual internet connection is soon going to be as ubiquitous as electricity or water supply is today. Cryptography will be useful for everyone and should therefore be available and adequately strong.


      Also a really, really, really, big assumption. Not everyone will be online. And certainly not everyone will need cryptography. This still doesn't invalidate my argument.

      --
      Slashdot social engineering at its finest
    5. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      If you are living in anything but abject poverty, there are certain people who would be very interested in things like your credit card numbers, bank account numbers, social security numbers, etc., especially in combination.

      That's what we have fraud protection for. Consumer protection prevents law breakers from totally wiping you out when you don't want to. If you take the ideas that many of the people here everything will be monitored and tracked. If that happens it will make law breakers especially vulnerable to capture and arrest. Cryptography will be rendered moot and the government doesn't matter in areas of commercial interest as I illustrate below.

      And I also have to mention that, while many FSF true believers may find this objectionable, I do have to mention that there were times when I had, on my home system, source code that sold for something like $100,000, in the course of some consulting projects. (That's what the source license cost. I wouldn't have paid a nickel for it though. It was crap.)


      Well I don't object to charging although you admit that the code was crap and you sold it for $100,000. That's the kind of thing you keep the receipt for the refund.

      Perhaps not a common situation, but then, it is not uncommon for managerial types to have data on their systems that would be of great interest to their competitors.

      Unless over 50% of the people in the US are managers of something and have such data then there is no problem. Usually such data is secured on machines that are physically located within a building or in a system that is essentially secure to begin with. You would have to have a group of terrorists or militia groups to break through some buildings.

      Cryptography is not important just as a means to keep data from the government.

      Since the government can basically do what it wants because it makes the rules protecting your data from the government is pointless unless you want to try to escape the problem. The government doesn't want to or does not actually engage in commercial or industrial espionage because it has essentially nothing to gain.

      --
      Slashdot social engineering at its finest
    6. Re:Why is cryptography so terribly important? by r2ravens · · Score: 3

      I used to teach Introduction to the Internet classes at a community college where I also ran the open student lab. I would tell the students that they should not send anything in email that they wouldn't want to see in the headline of tomorrow's newspaper. If I'm having a private email conversation with a friend about a third party, there may be information that I don't want the third party to know I said and information I don't want made public.

      Assume I am a psychiatrist consulting with a colleague in another place about a client. I wouldn't want anyone but the intended recipient to see the information about the patient's condition.

      Just these facts are enough to make encryption worthwhile for me.

      And what about business plans? If I was working on developing a new product, the exposure of that information could give someone else (with more money - like M/$) the idea to develop before I could get all my ducks in a row.

      Other than that, is just simply the fact that I have a right to be secure in my possessions and particularly, my information. That was the whole point to forming this country (USA). For my government to force me to give them the encryption key to data is the same as demanding that I incriminate myself (also prohibited by the US Constitution.)

      I realize the article is about the law in the UK, but the encryption issue is truly international.

      Governments are chipping away at our rights to privacy (at whatever level) in many countries around the world. If we don't stop it now, nothing about our private lives will be beyond the reach of Government, and then corporations as they further lobby the Government (become the Government?)

      Why is cryptography so terribly important?

      Those reasons are enough for me.

      Russ

      --
      War is Peace. Freedom is Slavery. Ignorance is Strength. - George Orwell or George Bush?
    7. Re:Why is cryptography so terribly important? by SEWilco · · Score: 2

      I see that the first letter of each line of your message on my browser is "DHIRPUTACE", which in Portuguese is an insult. Who were you sending this message to? Talk! TALK!

    8. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      I used to teach Introduction to the Internet classes at a community college where I also ran the open student lab. I would tell the students that they should not send anything in email that they wouldn't want to see in the headline of tomorrow's newspaper. If I'm having a private email conversation with a friend about a third party, there may be information that I don't want the third party to know I said and information I don't want made public.


      Ahh however if you remember that there are certain laws that take such behavior as criminal on many levels. Eventually they will end up in a court room.

      Assume I am a psychiatrist consulting with a colleague in another place about a client. I wouldn't want anyone but the intended recipient to see the information about the patient's condition.

      The individual who obtained the information was breaking the law. If they steal the data they can be prosecuted. I doubt that many psychiatrists actually use encryption anyway.

      And what about business plans? If I was working on developing a new product, the exposure of that information could give someone else (with more money - like M/$) the idea to develop before I could get all my ducks in a row.

      Most of communication about projects in any reasonably secure company is done internally. Email is usually intraoffice variety and as such would not fall to foul play from people wanting to get it unless you have a leak; and really that's an internal security issue best solved internally.

      Other than that, is just simply the fact that I have a right to be secure in my possessions and particularly, my information. That was the whole point to forming this country (USA). For my government to force me to give them the encryption key to data is the same as demanding that I incriminate myself (also prohibited by the US Constitution.)


      You already do that. If I have a computer someone has to be able to retrieve that computer. You have a lock on your door however do you happen to live in a bomb shelter, do you have 30 feet of concrete surrounding your house? Some things are overkill.

      I realize the article is about the law in the UK, but the encryption issue is truly international.

      If you notice the countries that do not have policies against some form of crypto are usually countries that are not really that totally powerful, or are not as economically massive?

      Governments are chipping away at our rights to privacy (at whatever level) in many countries around the world. If we don't stop it now, nothing about our private lives will be beyond the reach of Government, and then corporations as they further lobby the Government (become the Government?)


      The government has various laws that restrict the flow of information. The federal government cares more about people's rights than most. Where you find all the massive breaches of privacy are usually on State and local levels. Garbage that the states do are usually 10x worse than what the national government does because they are held to a higher standard of responsibility.

      --
      Slashdot social engineering at its finest
    9. Re:Why is cryptography so terribly important? by 0xdeadbeef · · Score: 2

      And that all assumes that you are able to convince the powers that be that something happened. There are many, many horror stories floating around about "identity theft"

      Which widespread encryption will make an ever greater hell: "Whadda mean you did buy this stuff, send this threat, etc. It was cryptographically signed by you. Oh, secret keys stolen? Prove it."

      All problems with identity theft occur because businesses and government are lazy, cheap, or stupid (choose at least two). You think the use of encryption is going to prevent them from screwing up? Without consumer protection laws and the ability to repudiate transactions, they'd be even more sloppy, because then they could get away with it.

    10. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      In the mid-nineties I was involved with a political campaign in a Southern California town. We were opposing the powers that be, who were backed by big money (developers pushing a very unpopular $2,000,000,000 development, among others). Encryption proved to be the only way we could communicate in private.

      Interesting how this works. It seems that California has the largest percentage of people who have dynamically opposed interests. Every liberally minded group in the country usually has a large contingent in California. More Nazi-like pollution and environmental laws and such.

      Let me say that the number of people who can afford to be political dissidents is probably much higher today than it was in times past because more people want to be communists and rebel against the government. This will subside just like it did when they were present in the 60's.

      I certainly can't afford to just randomly decide to rebel and risk life and limb. Unless I have a steady stream of money coming in I have a little problem. Influence and power in society never come to a group of radicals but people who work within the system.

      We had death threats. Our phones were tapped. "Private" conversations conducted in my house ended up not being private. Strategies we developed (over phone conversations) were implemented by the competition first. Video rental records were stolen and given to reporters (never published though -- nothing incriminating.) Postal employees postponed the delivery of our mailers until after the election. Private investigators asked our neighbors about any unsavory habits they thought we might have (say, does her son do drugs? Is he homosexual? What about the daughter -- does she sleep around?) It was a very ugly place to be, and it killed most of my idealism.

      I have actually theorized about how one could easily defeat opponents like this. I have reached the conclusion that anti-terrorist tactics are the most helpful. Essentially this involves a tactical strike team of individuals who can essentially dismantle the enemy's actions with relative ease. Use of say "natural" poisons and weapons which utilize silencers are the most effective.

      Trust me any individuals who think they can get you are usually deluding themselves. People have brute threats but with a little thinking you can persevere.

      My ultimate question is why didn't anyone contact the feds? The FBI is quite good about stopping silly little State oriented shit like that. Oh well I guess people have fooled themselves into thinking that the States can do a better job. This illustrates that they most certainly cannot.

      I don't know what world you live in, but here in the US of A we see government officials breaking the law regularly. We see people with political influence (read "money") get away with anything, while the people who truly care and want to make a difference are assaulted from every angle. We see the courts used to get around the law, rather than enforce it. We can't depend on the media to report the truth. These lessons were all learned in the same election cycle, in one small town on the west coast. I'm frightened to think what it must be like on higher levels.

      Well I really haven't seen anything on slashdot that indicates any other reaction other than something the Lone Gunmen or Fox Mulder would do. Ranting and raving about the evil government will not change. I have advocated infiltration and change within. However most people don't care for that sort of thing.

      PGP ended up being the only way we could communicate privately (over a private BBS). It was a PITA to explain text-based encryption tool use to Win 3.1 users who didn't understand DOS, but we did it. And it made a difference.

      Explain in a system that has adequate security protections how something could happen like that? If I run a tight ship and only allow people in that I want in via password protected access and login times strictly monitored how does that matter? Back in the good old days (ie before widespread encryption and pgp and all those fanatical Fox Mulder types out there really got a pick me up with the internet) people could keep things reasonably secret. What did those people do? They used common sense. They never had really, really, bad problems with anything of the sort you are describing here. I genuinely think that people have become more lazy and generally more trusting of their little electronic toys.

      Encryption is important if you ever choose to be involved in something political that has real consequences. You're buying the government's line if you think it's only for kiddie pr0n peddlers and terrorists.

      I am not the sort of person who actually has done anything with a higher level of security clearance than probably anyone out there. I have never had data that hardly anyone has ever wanted. I do not have a credit card or anything that I personally paid for online. This makes issues like this a little more out of my reach of caring. As far as political consequences I do wish I could get a job with a 3 letter organization and actually need encryption like that however I am realistic. The day I manage to actually have data like that needing protection I will think then and only then about using some form of encryption.

      --
      Slashdot social engineering at its finest
    11. Re:Why is cryptography so terribly important? by slashdot-terminal · · Score: 2

      In the mid-nineties I was involved with a political campaign in a Southern California town. We were opposing the powers that be, who were backed by big money (developers pushing a very unpopular $2,000,000,000 development, among others). Encryption proved to be the only way we could communicate in private.


      Interesting how this works. It seems that California has the largest percentage of people who have dynamically opposed interests. Every liberally minded group in the country usually has a large contingent in California. More Nazi-like pollution and environmental laws and such.

      Let me say that the number of people who can afford to be political dissidents is probably much higher today than it was in times past because more people want to be communists and rebel against the government. This will subside just like it did when they were present in the 60's.

      I certainly can't afford to just randomly decide to rebel and risk life and limb. Unless I have a steady stream of money coming in I have a little problem. Influence and power in society never come to a group of radicals but people who work within the system.

      We had death threats. Our phones were tapped. "Private" conversations conducted in my house ended up not being private. Strategies we developed (over phone conversations) were implemented by the competition first.
      Video rental records were stolen and given to reporters (never published though -- nothing incriminating.) Postal employees postponed the delivery of our mailers until after the election. Private investigators asked our
      neighbors about any unsavory habits they thought we might have (say, does her son do drugs? Is he homosexual? What about the daughter -- does she sleep around?) It was a very ugly place to be, and it killed most of
      my idealism.


      I have actually theorized about how one could easily defeat opponents like this. I have reached the conclusion that anti-terrorist tactics are the most helpful. Essentially this involves a tactical strike team of individuals who can essentially dismantle the enemy's actions with relative ease. Use of say "natural" poisons and weapons which utilize silencers are the most effective.

      Trust me any individuals who think they can get you are usually deluding themselves. People have brute threats but with a little thinking you can persevere.

      My ultimate question is why didn't anyone contact the feds? The FBI is quite good about stopping silly little State oriented shit like that. Oh well I guess people have fooled themselves into thinking that the States can do a better job. This illustrates that they most certainly cannot.

      I don't know what world you live in, but here in the US of A we see government officials breaking the law regularly. We see people with political influence (read "money") get away with anything, while the people who
      truly care and want to make a difference are assaulted from every angle. We see the courts used to get around the law, rather than enforce it. We can't depend on the media to report the truth. These lessons were all
      learned in the same election cycle, in one small town on the west coast. I'm frightened to think what it must be like on higher levels.


      Well I really haven't seen anything on slashdot that indicates any other reaction other than something the Lone Gunmen or Fox Mulder would do. Ranting and raving about the evil government will not change. I have advocated infiltration and change within. However most people don't care for that sort of thing.

      PGP ended up being the only way we could communicate privately (over a private BBS). It was a PITA to explain text-based encryption tool use to Win 3.1 users who didn't understand DOS, but we did it. And it
      made a difference.


      Explain in a system that has adequate security protections how something could happen like that? If I run a tight ship and only allow people in that I want in via password protected access and login times strictly monitored how does that matter? Back in the good old days (ie before widespread encryption and pgp and all those fanatical Fox Mulder types out there really got a pick me up with the internet) people could keep things reasonably secret. What did those people do? They used common sense. They never had really, really, bad problems with anything of the sort you are describing here.

      I genuinely think that people have become more lazy and generally more trusting of their little electronic toys.

      Encryption is important if you ever choose to be involved in something political that has real consequences. You're buying the government's line if you think it's only for kiddie pr0n peddlers and terrorists.


      I am not the sort of person who actually has done anything with a higher level of security clearance than probably anyone out there. I have never had data that hardly anyone has ever wanted. I do not have a credit card or anything that I personally paid for online. This makes issues like this a little more out of my reach of caring.

      As far as political consequences I do wish I could get a job with a 3 letter organization and actually need encryption like that however I am realistic. The day I manage to actually have data like that needing protection I will think then and only then about using some form of encryption.

      --
      Slashdot social engineering at its finest
    12. Re:Why is cryptography so terribly important? by David+Gould · · Score: 2


      If you are living in anything but abject poverty, there are certain people who would be very interested in things like your credit card numbers, bank account numbers, social security numbers, etc., especially in combination.

      That's what we have fraud protection for. Consumer protection prevents law breakers from totally wiping you out when you don't want to. If you take the ideas that many of the people here everything will be monitored and tracked.


      That only helps if fraud is what you're worried about. I understood "certain people" in the previous post to include, for just one example, direct marketers, who could correlate all that information into massive profiles of what sort of stuff you buy, i.e., what your interests are, so they can bombard you with junk mail and/or spam, and how much money you have / spend, so they can know whether marketing at you is worthwhile.

      Parsing your last sentence quoted above as well as I can (though it's not very intelligible), I get the idea that you're aware of the tracking / monitoring potential of this stuff, yet you seem unconcerned about it. In fact, you seem to be saying it as a good thing. Of course you're free to feel that way, but you can't read Slashdot for long without realizing that a lot of us don't like it, and think that protecting our privacy is plenty of reason to want to be able to use cryptography.

      My major problem with monitoring / tracking is a matter of simple dignity: advertising in general, but most especially direct marketing, makes me feel that the companies trying to sell me things are treating me as a resource to be exploited. The thought of the marketing being backed by a huge database of everything I've ever bought just makes it worse -- I don't like being viewed as a consumer in a petri dish.


      David Gould

      --
      David Gould
      main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}
  6. Human rights? by CormacJ · · Score: 2

    Doesn't this conflict with the Human Rights? I would treat my encrypted data the same as the right not to answer questions (although looking at their anti-terrorist laws that didn't stop them removing the right to silence and juryed trials.)

    1. Re:Human rights? by Chalst · · Score: 2

      No, the encrypted data is evidence. Refusing to decrypt it is like refusing a properly authorised search of your premises.

    2. Re:Human rights? by GregWebb · · Score: 2

      Refusing to decrypt the data when you're able to is certainly a failure to allow a legal search, but that's not the real problem with this law.

      As it stands, you're required to produce the key and thrown in jail if you don't - regardless of whether you even possess the key in the first place. The only thing that counts is the police opinion on whether you possess the key, with the defendant required to prove their innocence, contrary to UK law elsewhere where prosecution are required to prove guilt. Speaking personally, I've got something like 1,000 floppy disks and several Spectrum data cassettes. The idea of having to prove that none of them held a key is a little worrying.

      On top of that, my memory is that it's now an offence to tell anyone that you're being prosecuted under this law. Truly terrifying.

      Anyway, two good URLs here:

      While it's good to get worried about this, there is hope yet. It's probably in breach of the European convention on Human Rights, which Britain has incorporated into its law. So hopefully it'll get struck down by the High Court as soon as any case on this law gets taken to them.

      Greg

      --

      Greg

      (Inside a nuclear plant)
      Aaaarrrggh! Run! The canary has mutated!

    3. Re:Human rights? by GregWebb · · Score: 2

      Whoops, I'm not awake.

      That's the old bill, which is merely very similar to the new one. Does anyone know where that can be found?

      Greg

      --

      Greg

      (Inside a nuclear plant)
      Aaaarrrggh! Run! The canary has mutated!

    4. Re:Human rights? by ralphclark · · Score: 2

      I just emailed my MP (the Rt Hon Joan Ryan) to tell her what I think of this bill _and_ what I think of a government that abuses its majority and ignores the upper house whenever it wants to (which is every time).

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

  7. Overridden by EU Law? by Ralph+Bearpark · · Score: 3

    Heard on the news yesterday that the Scottish courts have rendered the law on speed cameras obsolete (in Scotland anyhow).

    AFAIR the argument went as follows: If your car gets caught on a speed camera the UK law requires the owner to identify the driver at the time so that the fine/license points can be levied at the appropriate person. If you refuse then the owner gets the punishment.

    However, the Scottish courts (which are independent of the rest of the UK legal system) have noticed that the European laws say that no-one is obliged to incriminate themselves - it's the responsibility of the accusers to gather enough evidence to find them guilty.

    Thus, in Scotland at least, if you get snapped by a speed camera, then the right defence is not to deny you were the driver but simply to refuse to incriminate yourself. Then under Euro law they have no right to fine you.

    Now this has to also apply to this data encryption business doesn't it? Just tell them you refuse to incriminate yourself (by giving them the key) then they'll have to try and crack it themselves, not just punish you anyhow.

    (I guess this is equivalent of "pleading the 5th" in US?)

    Regards, Ralph.

    1. Re:Overridden by EU Law? by Ed+Avis · · Score: 2

      Can somebody explain why a right not to self-incriminate is actually a good idea? I'm sure there's a good reason, just not sure what it is.

      --
      -- Ed Avis ed@membled.com
  8. Store your data on DVDs by arivanov · · Score: 2

    Store your data on DVD's. Encrypted with the MPA keys. And lose them regularly.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
    1. Re:Store your data on DVDs by ralphclark · · Score: 2

      Yeah, but even a 16-year-old Norwegian boy could crack that key in a few seconds. Duh!

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

  9. Or even better... by guran · · Score: 2
    Or even better (if you really have something to hide, that is):
    One password that will decrypt the real data and one that will decrypt harmless cooking recipes AND destroy the original.

    Obviously this would only be interesting for the real criminal, that stand more to lose from his files being decrypted than from losing them altogether.

    Yes, I'm sure that the really ugly guys(tm) won't get caught by this law, only innocent geeks refusing to decrypt as a matter of principle and the clueless criminals.

    Perhaps starting rumours about how a few MP's have suspicious material on their computers wouldn't be too bad. ;-)

    --

    All opinions are my own - until criticized

    1. Re:Or even better... by guran · · Score: 2
      How is this meant to work? Presumably the police are smart enough to keep multiple copies of the cypher text...

      Why not use something along the lines of those "secure digital music formats"

      Perhaps the files cannot be read from any other media than the original hard disk (or whatever). Perhaps that will make CSS illegal? Oh what a sad moment that would be.

      --

      All opinions are my own - until criticized

  10. Could you blame spam? by lovebyte · · Score: 2
    Why not put all your encrypted data in your mail box. You could then claim that you received these (encrypted) emails by mistake and never deleted them. Basically blame spam!

    --

    I'll do it for cheesy poofs.

    1. Re:Could you blame spam? by Col.+Klink+(retired) · · Score: 2

      The real problem is proving that you even know the key to an encrypted file on your computer.

      I remember seeing a web page that made an MP a criminal. The web site author claimed to have committed an unspecified crime, confessed to the crime, encrypted his confession (I think he even made a deal about having his confession notarized), and emailed the key to the MP. The MP then had evidence of a crime encrypted on his computer that, if he failed to decrypt, he would be liable for.

      I've undoubtedly got some details wrong and would appreciate it if anyone knew the link to the site.

      --

      -- Don't Tase me, bro!

    2. Re:Could you blame spam? by Col.+Klink+(retired) · · Score: 2
      > if anyone knew the link

      Sorry to follow up to my own post, but I found the link: http://www.stand.org.uk/

      --

      -- Don't Tase me, bro!

  11. Look on the bright Side (This Law and DeCSS) by JamesSharman · · Score: 3

    This law effectively makes DeCSS legal in the UK. Since the law requires that (on demand) we hand over encryption keys to any encrypted data in our possession, they can hardly justify putting us in jail for having the key in the first place.
    I quote the relevant part:

    "And, as a result, the Bill proposes that the police or the security services should have the power to force someone to hand over decryption keys or the plain text of specified materials, such as e-mails, and jail those who refuse."

  12. This is scary. by jd · · Score: 2
    But not in and of itself. In itself, it's just an extension of existing laws of search, which are well-established and not terribly unreasonable.

    It's when you combine it with other things, that problems arise. The European Privacy Laws, for example, dictate that you cannot export data to a country with weaker privacy protection. On that basis, the Government is entitled to export information seized from individuals to other nations, WITHOUT legal reason or basis but for commercial gain.

    (This follows, as the ability to seize personal information on a computer by the Government, without due process, is tantamount to saying that the data is not protected by privacy laws. Thus, it may be exported freely.)

    Then, combine it with the CCTV cameras, now filling England. These images can (and are) sold to commercial enterprises. Information from the cameras is index-linked to the national criminal databases. Imagine being able to demand of your ISP all encrypted data in and for your account (such as your password), and being able to tie all that information with everything on your harddrive and THEN everything about your movements in the country.

    THAT is when it gets scary. Someone with protest e-mails who happens to be heading in the direction of a town in which the Government knows nuclear material is illegally being transported could end up being arrested under the Criminal Justice Act, or even the Terrorism Prevention Act, with the e-mails used as evidence against them, even if their sole purpose for driving there was to pick up a bar of soap.

    The combination of the loop-hole in the privacy laws, the CJA, the TPA and the 24/7 surveillance lead me to believe that Britain is plunging towards being a totalitarian state. And, to be honest, I don't think it's the Government's fault.

    This attitude was shared by the previous Conservative Government, just as fervently. Indeed, it was they who put all the pieces in place to allow this new law to be abused.

    This leads me to believe that it's actually the Civil Service that's actually running the show. They are now in a supremely powerful position, with absolute, dictatorial powers of monitoring, searching, and arresting, with NO due process taking place. In short, the Civil Service in England would be capable of seizing total power over England, at this point, and there would be no realistic way to stop them.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:This is scary. by jd · · Score: 2

      Wasn't Ludwig a chequered egg? :)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. So give it to them by Jeffrey+Baker · · Score: 2
    Yeah, give them the plaintext of anything they ask for. The govt might wonder why you have so many copies of the GNOME README file, but they'll get over it eventually.

    -jwb

  14. How to get someone thrown in jail by jbrw · · Score: 3

    Look at http://www.stand.org.uk/ - this is an important site.

    They show how to get Jack Straw (important government chap in the UK) guilty of committing a crime. That is, they encrypted a confession to an actual (undisclosed) crime, destroyed the key, and sent him the encrypted data. Jack Straw is now in possession of some information that would presumably be of interest to the police, but he is unable to provide the decryption key (because he never had it in the first place), but, of course, as many people are pointing out, how do you prove you don't have the key...

    While the example of the above site is, considering the circumstances, a fairly light-hearted example, consider this: lots of politicians/business people (or anyone, really) are accused, and investigated, of serious crimes regularly. How easy will it become to provide encrypted data to the person under investigation, without their knowledge, and then inform the police that that person is in possession of encrypted data that may (or may not? who can tell?) be of interest to their investigations. Police find data, ask for key, person is flung in jail.

    Ooops.

    I really hope Mark Thomas can squeeze a show in about this before the current season ends - I believe the shows are still being taped. (Mark Thomas is similar to Michael Moore, for you US people - only much, much better at what he does.)

    ...j

    1. Re:How to get someone thrown in jail by redhog · · Score: 2

      Or just send him/her some random data, and you know for sure they can not crack it to provide the police with the key...

      But I think I've heard this debate here at v/. before, with exactly this argument, and the arguments of the commented...
      --The knowledge that you are an idiot, is what distinguishes you from one.

      --
      --The knowledge that you are an idiot, is what distinguishes you from one.
  15. Re:A thought by theonetruekeebler · · Score: 2
    Except that a well-encrypted file is indistinguishable from white noise. I wonder how many people will be imprisoned for refusing to turn the white noise they e-mailed someone into plain text?

    Somehow it's making more and more sense that Orwell's novels were set in England. Yes, I know he's English, went to Eton, all that, but he made a point of setting his novels there, rather than in some made-up country, first to make his message particularly poignant to his homeland's readers, but also because he saw the real possibility of it happening there. Shame people stopped listening about twenty years ago.

    English police don't need a search warrant to enter a home. Private ownership of guns of any sort is strictly controlled. The government has granted itself the right to read any electronic message and imprison you for years if they can't read it. God help you if it's white noise or if the file got corrupted. And there is legislation in the works to require every subject (interesting word, that) to submit a DNA sample to a national database.

    .uk Slashdot readers, I offer you my sympathies and moral support. I sincerely hope your government starts exercising some self-control. But once the checks and balances of constitutional democracy have been subverted, they are hardly ever restored.

    --

    --
    This is not my sandwich.
  16. Re:So what? by gorilla · · Score: 2
    All they would need to do is encrypt your "plaintext" version with the key you supplied and compare it with the message they are holding.

    With PGP, and no doubt many other encryption schemes, this would not prove anything. The encryption program chooses a random session key to encrypt the data, and encrypts this session key with the user's key.

    Of course the real flaw is that it would require both the plaintext & the key, while the OP was suggesting giving only a bogus plaintext.
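
The point made in the comment above (a random session key per message defeats "re-encrypt and compare"), as an added example that is not part of the original thread and is not PGP's code. It is a toy hybrid scheme: a symmetric `user_key` stands in for the user's key, a SHA-256 counter keystream stands in for the real ciphers, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # random per-message nonce
KEY_LEN = 32     # session key and user key length in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter). Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(user_key: bytes, plaintext: bytes) -> bytes:
    """Hybrid layout: nonce || wrapped session key || body."""
    session_key = secrets.token_bytes(KEY_LEN)   # fresh for every message
    nonce = secrets.token_bytes(NONCE_LEN)
    wrapped = xor(session_key, keystream(user_key, nonce, KEY_LEN))
    body = xor(plaintext, keystream(session_key, nonce, len(plaintext)))
    return nonce + wrapped + body


def decrypt(user_key: bytes, message: bytes) -> bytes:
    nonce = message[:NONCE_LEN]
    wrapped = message[NONCE_LEN:NONCE_LEN + KEY_LEN]
    body = message[NONCE_LEN + KEY_LEN:]
    session_key = xor(wrapped, keystream(user_key, nonce, KEY_LEN))
    return xor(body, keystream(session_key, nonce, len(body)))


def reencrypt_and_compare(user_key: bytes, claimed: bytes, held: bytes) -> bool:
    """The check proposed in the quoted text: encrypt the claimed
    plaintext again and compare with the held message. A new random
    session key is drawn, so this fails even for the true plaintext."""
    return hmac.compare_digest(encrypt(user_key, claimed), held)


def decrypt_and_compare(user_key: bytes, claimed: bytes, held: bytes) -> bool:
    """A check that does work when the key is disclosed: recover the
    session key from the held message, decrypt, compare."""
    return hmac.compare_digest(decrypt(user_key, held), claimed)


def demo() -> dict:
    # Constructed sample data, not taken from the thread.
    user_key = secrets.token_bytes(KEY_LEN)
    real = b"meeting moved to thursday"
    bogus = b"GNOME README, nothing to see"
    held = encrypt(user_key, real)
    return {
        "same_plaintext_same_ciphertext": encrypt(user_key, real) == held,
        "reencrypt_check_on_real": reencrypt_and_compare(user_key, real, held),
        "decrypt_check_on_real": decrypt_and_compare(user_key, real, held),
        "decrypt_check_on_bogus": decrypt_and_compare(user_key, bogus, held),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The toy has no integrity protection, so decrypting with a wrong key simply yields garbage rather than an error; it only illustrates why ciphertexts differ between runs and why verification needs the key, not just a claimed plaintext.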

  17. Re:How is this different... by guran · · Score: 2
    If you're a journalist who refuses to give up the name of your source in a critical case, you can also be thrown in jail for contempt of court.

    Here (Sweden) it is actually *illegal* to even try to find out who a journalist's source is.

    The real problem (as you pointed out) is that you can never prove that you do *not* have encrypted information. Hey, there might be a secret message hidden in this post. Perhaps I made the arrangement that "Start selling those drugs to children the moment I post three messages on the same subject on /."

    The obvious conflict (and now my rant alert is flashing) is that the openness of the "net culture" makes it more motivated to encrypt and hide personal data. I might not want the whole world to see my private mail, however innocent.

    Perfect crypto vs total freedom of information. It is just like that "Irresistable force vs unmovable object" question.

    --

    All opinions are my own - until criticized

  18. Re:A thought by gorilla · · Score: 2

    The US isn't doing too well on 'innocent until proven guilty' either. If a cop decides that it's suspicious that you take money to Las Vegas to gamble with, or that it's possible to use an innocent item in a drug related way, then you can lose all your assets.

  19. Are you an idiot, or do you play one on slashdot? by Wakko+Warner · · Score: 2
    Okay, say you're buying something online.

    Say I'm in the next room running a packet sniffer.

    Say you're _not_ using encryption, like a dumbass.

    Say I steal your credit card info.

    C'est la vie.

    - A.P.

    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  20. Re:Dear Sir, by odaiwai · · Score: 2

    I object strongly to the lack of content for parrots on your site. I myself feel that (pieces of eight!) content for parrots on your service tends towards the token (polly want a cracker!) spouting of stereotypical (it is no more!) garbage and inane humorous sketches (it has shuffled off this mortal coil!) designed to elicit cheap laughs from the lowest common denominator (show us yer knickers!) which reads this excuse for a site.

    Yours most sincerely,
    Kevin Phillips *Bong*

  21. Re:Right not to answer questions? by odaiwai · · Score: 2

    There is no right to silence in UK.

    dave

  22. Misunderstanding by Awel · · Score: 2

    I see a misunderstanding in several of the comments here. The bill has not yet passed, and is not yet made law. It is, as yet, still legal to store encrypted data on our computers. But the bill has been drawn up, and it will be debated in parliament, and in the current social climate, is likely to be passed without a murmur. So it is of the utmost urgency that we write, calmly and sensibly, to our MPs to stress the unfairness, unfeasibility, and sheer stupidity of the bill as it presently stands.

  23. Guilty until proven innocent. by Robert+S+Gormley · · Score: 2

    That's the kicker. You have to *prove* you have no/there is no key to the data. Or else you are legally determined to be hiding the key.

    --

    Open Source. Closed Minds. We are Slashdot.

  24. Posting modes by David+Gould · · Score: 2


    Will someone please fix the damn Extrans posting mode!

    Will ucblockhead please figure out how the damn Extrans posting mode works!
    (Oh, and try using "Preview", too.)

    The posting modes are tricky, but here's how they work, near as I can tell:

    Extrans (Extended Translation) converts everything, including automatically replacing angle brackets with "&lt;" or "&gt;" escapes, so that it all shows up exactly as you type it and nothing gets interpreted as HTML tags.

    HTML Formatted is the opposite: it doesn't interfere with what you type, so any tags are interpreted as HTML, and there is no formatting except for your tags. Note that newlines are ignored, which is why people so often complain that their paragraph breaks got lost.

    Plain Old Text (which I use and which is probably the one you want) is in between: despite the (perhaps misleading) name, it does interpret HTML tags, but it also adds some formatting information. Specifically, it adds a <BR> tag wherever it sees a newline, so you get a paragraph break wherever you hit return. As far as I can tell, this is the only thing it adds.

    I just now noticed that they seem to have fixed a bug that's been irritating me forever: When I would use "&amp;", "&lt;", or "&gt;" escapes to prevent ampersands or angle brackets from being interpreted, it would work, but each time I previewed, the text box would get the interpreted results, so the next time through, they would get eaten. This doesn't seem to happen anymore, though. Maybe now I can go play with my user preferences without having to redo the escapes in my sig (painful).

    No offence, right? I see you got it straightened out further down. You'll also see me agreeing with you regarding the actual topic of this thread.

    David Gould

    --
    David Gould
    main(i){putchar(340056100>>(i-1)*5&31|!!(i<6)<< 6)&&main(++i);}