Slashdot Mirror
British Police Demand Access To Encryption Keys
flip-flop writes "In the wake of recent terrorist attacks, police here in the UK have asked for sweeping new powers they claim will help them counter the threat. Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files." From the article: "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."
Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...
...Time to get pricing on high speed internet access on the moon I guess. This planet's done for.
GoodGuy has a friend who is in some domestic trouble and is hiding some of his assets in off-shore accounts. He keeps his friends account information in an encrypted folder on his computer because his friend doesn't want to lose it and trusts him.
EvilAgentMan thinks GoodGuy is a terrorist planning on taking over the world, due to his recent purchase of a salt water aquarium, baby sharks, laser pointers and duct tape. He charges GoodGuy as being a EvilDoer(TM) and puts him in jail. While looking for evidence, he notices an encrypted folder on GoodGuy's computer. He tells GoodGuy that he must hand over his encryption keys or be charged with the crime of not handing over his encryption keys. He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
"I forgot it." Seriously. This is what we do in the U.S., and even if they hold you in contempt-- it's a darn sight better than letting them have access, and seeing what you were up to.
How can they prove you have or know the key? Is "I forgot" a valid defense?
Big Brother is watching, and is protecting you from terrorism.
They keep increasing police powers and surveillance, yet terrorism keeps happening, and false positives keep creeping up.
But so long as people are scared enough, they'll allow for more and more erosions of their rights.
The people who benefit the most from terrorism are the "intelligence community", the more they fail to do their job, the more power they gain. It's beautifull, in a creepy, depressing way.
What is the difference between the right to prevent self-incrimination (i.e. the right to silence) and the right to not say your password?
In England and Wales, "a defendant cannot be convicted solely due to their silence" yet this is saying precisely the opposite.
They want encryption keys, but I dare say that not ONE of the investigators (or government officials) can point to a single connection between the recent stuff in London and encrypted information. They keep demanding solutions to problems that don't exist - that's why this stuff keeps happening. If they'd try to solve the problems that DO exist, they might get somehwere- WITHOUT becoming a police state.
I don't know where I've read this (/.?) but the problem with "onion layers" steganography is when they torture you: How do they know you gave them ALL the passwords? Maybe there is "just one more" that will reveal everything? The torture never ends if they know there are multiple layers. (yes, I'm paranoid but I wouldn't like this to happen to me)
Personally I say they should be jailed according to the customs of the societies they were plucked from, have to respect their culture sright? Let's see how many would choose to stay in Guantanamo.
I'm going to let you in on a deep, dark, dirty secret. They aren't really trying to solve the problem. Terrorism is a boon to the US and UK governments, because it gives them an excuse to push the respective nations closer to a police state.
A police state is not a consequence of misguided attempts at preventing terrorism, but is instead an end being achieved under the cover of fighting terrorism.
Remember, Terrorism is an end to a means for the terrorists, and the governments "fighting" it.
Think the war in Iraq was about Sept 11 or WMD? Think again. It was because defense contractors have well placed connections. For corporations, your life is only worth what they can get out of it. If they can sell military ordinance by getting your children killed in Iraq, so be it. Their gods are money and power, not the ones your Priest, Rabbi, Cleric, Circle Leader or anything else are telling you about. If you think I'm being paranoid, just look up corporate environmental management. Hell, just look up what Coca-Cola is doing in India.
Human life is just another natural resource for corporations. Nothing more.
"Live Free or Die." Don't like it? Then keep out of the USA
Obviously what is needed is a method for dual encrypted files. Basically an encryption/steganography combo. When unencrypted with the 'fake' key, you just get whatever text you encrypted with that key - something uninteresting like expired credit card numbers or letters to grandma and it looks like you have complied with the order. Meanwhile the real key unlocks the data you want to keep secret.
Naturally the algorithms would require that it would be undetectable that this is what you have done.
Some alarm systems have something similar. When you open the business you use the real code. When the robber forces you to open up at gunpoint you use the fake code. The alarm does turn off as expected but it also calls the police with an "under duress" alarm.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
Remember that Great Britain was the first country to say in the Great Charter: No free man shall be arrested, or imprisoned, or deprived of his property, or outlawed, or exiled, or in any way destroyed, nor shall we go against him or send against him, unless by legal judgement of his peers, or by the law of the land. Now, they have to find a balance between this and the fight against terrorism.
Bonjour !
They may not be able to reveal the contents of the file it convict you, bit the contents of the file may point them in the right direction to get information through apparently legal means that they *CAN* use to convict you. This was the situation in WWII. From what I have read, the US and British intelligence agencies had broken the German cyphers, but they had to come up with a cover story of how they knew where the U-Boats would intercept the convoys. They would typically send out observaiton planes, and "stumble" upon the U-Boats when they were on their way to the intercept.
My encrypted drive password is "I Forgot It"
but seriously, my hobbies include random number generation, data compression, and encryption, as well as large number series (Pi, fibonucci, etc.); I have many very large files of apperently random data. But I also have sensitive data belonging to other people; I've worked for various laywers, a government agency, and a couple small businesses as a basic security advisor (among other jobs) not all the data I have is my own, and I don't know what all of it is (for the lawyers, my home is their off-site backup location, and I have copies of client paperwork that would send them to jail for a few hundred years, if it were all added up, but that is under attourny/client privelidge)
I guess I'm in a similar situation with ISP's; there should be a burden of proof that the key exists in the defendants possession in the first place.
Some of my hobby research includes 2/3rd's keys:
say the real key is '10100101'
generate a random number '00110111'
xor them '10010010'
then break it up into 3 sections
AB
BC
CA
A and B each have half the real key, so they can get in.
A and C have the first half, and can rebuild the second
B and C have the second half, and can rebuild the first
the problem is that A and B each have half the real key, square-rooting the brute force time.
I've been thinking about generating multiple sets of random numbers, and the result of xor'ing the key by each of them...
key: 01011010
rd1: 10100101
rd2: 00011100
rd3: 10110010
xr1: 11111111 (hmm, tried to be random, got the exact inverse...)
xr2: 01000110
xr3: 11101000
noone gets the root key, and they rotate which random/xor number they get, A gets rd1 and xr2, B gets rd2 and xr3, and C gets rd3 and xr1.
so A and B can get the key by rebuilding xr2 and rd2, B and C can get the key by rebuilding xr3 and rd3, and C and A can get the key by rebuilding xr1 and rd1.
if any one user is captured or turns traitor, their key alone will be of no help to cracking the master key; while the other two remaining users may be able to get together and re-key the data to a newly selected third user, effectivly excluding the old, captured key.
The Americans didn't do much protecting / defending until after _their_ home _was_ attacked.
After which they went chasing the culprits round the world with as much military force as they could.
WWII or war on terror - take your pick. Not to diminish the importance, but in both cases America only got involved because it was directly provoked, not because of some altruistic / noble motive.
"That must explain why we still haven't caught bin Laden."
Yeah... You know they still haven't found that Holloway girl in Aruba either - and I assure you, that country's a LOT smaller.
Let's cut to the chase - Bin Laden is being assisted by people - a LOT of people. A guy can hide for a lifetime with that kind of help.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
If the NSA were able to crack RSA or any of the other well known cryptographic algorithms, you would probably never hear about it from them.
In the case of RSA and other major algorithms, I'm not so sure this is true. The NSA is tasked with assuring national security, and that involves a lot more than just codebreaking and signals intelligence. In particular, it also involves a lot of thinking about the capabilities of others and what those capabilities might mean fo the US government and US industry -- because the health of the economy is a national security issue.
So, if the NSA can break RSA, they also have to wonder who else might be able to, and whether or not some foreign power might use the ability to break RSA to damage the US. Given the amount of use that RSA sees in both industry and government, if the NSA could break it, they would almost certainly be quietly discouraging the use of RSA, perhaps pushing elliptic curves or something else, or if they don't know of any public-key system they can't break easily, trying to encourage the US to use symmetric cipher-based sytems.
The only scenario in which the NSA would keep completely quiet about knowing how to break RSA is the one in which the NSA is also very confident that no one else in the world can do it. While that is possible, it doesn't seem very likely that the NSA is far enough ahead of everyone else to feel certain that no one else could possibly duplicate their work.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
WHy do you think they call the department that hires and fires you HR, Human Resources :)
I used to have a boss that would refer to you as a resource to your face instead of hinting you might have a name or be a human being. Labor is just like raw materials and capital, stuff you feed in to corporation machinery to produce profit.
Needless to say the powers that be like both their labor and raw materials to be as cheap as possible, hence globalization of the work force so you have the opportunity to compete for a job against someone making 30 cents an hour in China.
The power that be also like their labor scared, obedient and drug free which is why police states are such a hot commodity with pro business governments like the U.S., U.K, China and Singapore. If you do it just right authoritarian states are very profitable, you just have to make sure workers don't start throwing their wooden shoes, sabots, in to the machinery(sabotage).
In authoritarian states you have no problems with labor unrest and you can set wages arbitrarily low and workers can't complain. If you look at the U.S. in the early 20th centurty, early attempts to organize labor, get a livable wage and a work week that wasn't 12 hours a day 6 and 7 days a week, were often met with guns and blackjacks from either the state or private security firms.
Thats how to to run an efficient economy.
@de_machina
You don't have liberty without security, so what's the point of talking about preserving all your civil liberties when you're not free anyway? In reality compromises must be made to maximise freedom.
That's not insightful. That's just nonsense and doublespeak, and exactly the sort of confusion about "reality" that the current administration wants you to believe. You have it backwards. Such "compromises" as those imposed by PATRIOT, and the powers now desired by the British police really are demands that we give up freedom.
Anyone who tells you that giving up those freedoms will make you any safer is simply lying to you, or is tragically misinformed, or both. As long as terrorists have a will to attack people, and a willingness to die to achieve their objectives, they will sometimes succeed.
The only thing you achieve by giving up freedom is to allow 1) the terrorists to succeed in fundamentally altering the nature of our societies for the worse by giving in to terror, and 2) giving far too much power to a small group of people who now have no accountability to anyone else. Do not forget that it has been demonstrated time and time again that when such powers are granted, they -- are -- invariably -- abused. If you can't come up with examples of your own, try on the Jananese-American Internment during World War II, Senator MacCarthy, Herbert Hoover, Abu Ghraib, and Guantanimo Bay. If you want another, grimer example, look to the Argentinian Disaperado, as the path we're now treading rapidly leads in that direction.
You can't "protect" freedom by giving it up. We have freedoms only as long as we are willing to fight to protect them from the people who try to take them away from us. In this case, these demands are of far greater danger than what they claim to want to protect us against.
"Security" is not -- nor ever has been -- nor ever will be -- some concrete thing you either have or don't have. There is always an element of risk in anything we do, and in all things there is a point where we must simply resort to a certain amount of trust. Freedom does not require a "secured" society, but rather one that understands that freedom requires a certain amount of personal responsibility to be aware of what is going on in the world around us, and an acceptance that there are certain things that are sometimes, whether we like it or not, beyond our own personal control. If we are to be free, we must accept that we are adults, and that we bear that responsibility ourselves. We cannot simply hand over our freedoms to some arbitrary custodial parent or elder sibling to control us 'for our own good', and call that freedom.
To quote Benjamin Franklin, from the Historical Review of Pennsylvania, 1759:
"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."He was right, then, and it is still true now. I would much rather maintain those essential freedoms, accepting that to maintain them does entail a certain but entirely acceptable amount of risk, rather than give them over to a small cadre of individuals who, without oversight, are empowered to remove those rights with impunity, all in the name of some false illusion of "security".
Let's cut to the chase - Bin Laden is being assisted by people - a LOT of people. A guy can hide for a lifetime with that kind of help.
Agreed. This is one of the *only* points I'll let Bush slide on. Everyone is repeating the soundbite about outsourcing the hunt for Bin Laden to Pakistan, but no one is actually trying to take the time to understand the political climate in Pakistan. The government is not a long-lived, well established affair, and power in Pakistan is very decentralized. There are a number of places in Pakistan where the central government is unneeded and has no influence whatsoever. The central government is relatively pro-american; however, even that support is fleeting, based on our willingness to support Israel, invade Iraq, and keep troops stationed in Saudi Arabia. Out in the provinces, there's enough people that detest America to:
1.) Hide bin Laden, and
2.) Overthrow the relatively weak central government.
So, when we say "outsourcing the search for bin Laden to Pakistan", what we mean is "we're on thin ice, and they're really doing us a favor by looking for him at all. If we screw this one up, we'll have made another state an enemy".
So, we let them do their thing. They probably won't ever find him. But, if we go in and start lobbing missles around, it's going to piss off a lot of Pakistanis.
~Will
sig?
I think you miss the point of "deniability". Nobody can "prove" that they don't have a hidden secret that may or may not exist. The point of deniability is that nobody can prove that you do. Truecrypt's optional second-level encryption is different because there's no way to prove that any second-level encryption is being used, and in fact there may not be any for the majority of Truecrypt drives. That's not the same as somebody actually be able to point to a file on your system which is clearly encrypted and saying "decrypt it - or else".