British Police Demand Access To Encryption Keys
flip-flop writes "In the wake of recent terrorist attacks, police here in the UK have asked for sweeping new powers they claim will help them counter the threat. Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files." From the article: "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."
Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...
...Time to get pricing on high speed internet access on the moon I guess. This planet's done for.
GoodGuy has a friend who is in some domestic trouble and is hiding some of his assets in off-shore accounts. He keeps his friend's account information in an encrypted folder on his computer because his friend doesn't want to lose it and trusts him.
EvilAgentMan thinks GoodGuy is a terrorist planning on taking over the world, due to his recent purchase of a salt water aquarium, baby sharks, laser pointers and duct tape. He charges GoodGuy as being an EvilDoer(TM) and puts him in jail. While looking for evidence, he notices an encrypted folder on GoodGuy's computer. He tells GoodGuy that he must hand over his encryption keys or be charged with the crime of not handing over his encryption keys. He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Sure, you can have my encryption key. Here it is:
01100110 01110101 01100011 01101011 00100000 01101111 01100110 01100110
"Simplify, simplify, simplify!" Thoreau
"I forgot it." Seriously. This is what we do in the U.S., and even if they hold you in contempt-- it's a darn sight better than letting them have access, and seeing what you were up to.
Fortunately we have things like StegFS. But I really shouldn't be disclosing such information, some people in the govA*$%#)D$@#$NO CARRIER
How can they prove you have or know the key? Is "I forgot" a valid defense?
"Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it."
umm, Guantanamo Bay?
I was pretty sure that the Regulation of Investigatory Powers Act (1998?) already made it an offense to refuse to disclose an encryption key?
"XML is like violence. If it doesn't solve your problem, use more." - Anonymous Coward
The real measure of a free, open and just society is how it behaves in bad times - not in good times. When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go? Maybe the citizens should not crow too loudly about how free, open and just their society is when they look back at how their country has behaved in difficult times..
Is to encrypt all new encryption keys.
I never spellcheck and I freely admit it. Save your karma for more worthwhile "lol erorrs" replies
I'm waiting for the suit against the UK by the US claiming ashcroft is violating his non-competition clause...
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files.
I'm not familiar with British law, but I do know American law is based on the same doctrines as the British (from a historical perspective at least).
In the U.S. the court can order you to provide encryption keys and if you do not you will be held in contempt of the court. This usually means the judge puts you in jail until you decide to provide the keys. To me (IANAL) it seems like the above just formalises the practice. Via the Wikipedia reference it appears as though the U.S. did this in 1981.
Being held in contempt of the court is a very normal tool for judges to use with uncooperative court subjects, cryptographic keys aren't special or different.
- "Never let a computer tell me shit." - DelTron Zero
I use CSS encryption for all my privacy needs. I'm sorry, but I'm afraid that it would be illegal for me to provide you the software code that breaks it.
Uniting the Kingdom by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
Public use of any portable music system is a virtually guaranteed indicator of sociopathic tendencies. -- Zoso
What is the difference between the right to prevent self-incrimination (i.e. the right to silence) and the right to not say your password?
In England and Wales, "a defendant cannot be convicted solely due to their silence" yet this is saying precisely the opposite.
I'm not happy that New Yorkers are willing to subject themselves to 'random' searches. I'm pretty sure the London terrorist attacks will be the catalyst for widespread CCTV in the U.S.
"They also want to make it a criminal offence for suspects [emphasis mine] to refuse to cooperate in giving the police full access to computer files by refusing to disclose their encryption keys."
I don't see what that problem is, as long as due process is respected. Murder suspects can't turn away search warrants of their property, and if the proper warrants are filled out electronic files should be treated as physical property.
Secret warrants or police officers "going fishing" is another story.
They want encryption keys, but I dare say that not ONE of the investigators (or government officials) can point to a single connection between the recent stuff in London and encrypted information. They keep demanding solutions to problems that don't exist - that's why this stuff keeps happening. If they'd try to solve the problems that DO exist, they might get somewhere - WITHOUT becoming a police state.
Finally, if you don't trust any methods above you always have the one time pad, which is provably 100% secure. The drawback is that the key length equals the message length and the key can't be reused.
Dyslexics have more fnu.
If you don't comply with a subpoena, you go to jail for contempt of court. Of course a subpoena actually requires judicial approval, whereas a police request for encryption keys does not.
Terrorist style attacks even happen in police states. Obviously, it is impossible to lock things down far enough to give real security, therefore, there is no reason to destroy privacy in a vain attempt to get there.
Necessity is the mother of invention.
Laziness is the father.
Be afraid. Be very afraid. Be British and very very very very very afraid:
Noam Chomsky
The western world is in its worst decadence since the Medieval times...
Yam, yam, uga booga, yam, yam, yade, yade, uga booga, yam, yam, yade, yade
Does it say?
TubGrrl is the shizzz?
The truth about Led Zep should never be told on
The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
And how exactly would you know this?
From the PGP FAQ:
Sure it is unlikely, but unless you have some way of proving what you say, it would be unwise to believe that no one can / will in the near future be able to crack or intercept your encrypted messages.
Yeah but seriously, who wouldn't *LOVE* to threaten their userbase with that one.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
For bonus points, see if you can get the file onto the hard drive of some politician you hate.
"When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go?"
You don't have liberty without security, so what's the point of talking about preserving all your civil liberties when you're not free anyway? In reality compromises must be made to maximise freedom.
Vote for Pedro
I'm going to let you in on a deep, dark, dirty secret. They aren't really trying to solve the problem. Terrorism is a boon to the US and UK governments, because it gives them an excuse to push the respective nations closer to a police state.
A police state is not a consequence of misguided attempts at preventing terrorism, but is instead an end being achieved under the cover of fighting terrorism.
Remember, Terrorism is an end to a means for the terrorists, and the governments "fighting" it.
Think the war in Iraq was about Sept 11 or WMD? Think again. It was because defense contractors have well placed connections. For corporations, your life is only worth what they can get out of it. If they can sell military ordnance by getting your children killed in Iraq, so be it. Their gods are money and power, not the ones your Priest, Rabbi, Cleric, Circle Leader or anything else are telling you about. If you think I'm being paranoid, just look up corporate environmental management. Hell, just look up what Coca-Cola is doing in India.
Human life is just another natural resource for corporations. Nothing more.
"Live Free or Die." Don't like it? Then keep out of the USA
Obviously what is needed is a method for dual encrypted files. Basically an encryption/steganography combo. When unencrypted with the 'fake' key, you just get whatever text you encrypted with that key - something uninteresting like expired credit card numbers or letters to grandma and it looks like you have complied with the order. Meanwhile the real key unlocks the data you want to keep secret.
Naturally the algorithms would require that it would be undetectable that this is what you have done.
Some alarm systems have something similar. When you open the business you use the real code. When the robber forces you to open up at gunpoint you use the fake code. The alarm does turn off as expected but it also calls the police with an "under duress" alarm.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
too bad I am dsylecxic my seepling is just aufful.
hire is thee key
the pass code is "My hovercraft is full of eels."
RSA key mynipplesexplodewithdelight
here is a little test message;
Ya! Ya! Ya! Ya! Do you waaaaant...do you waaaaaant...to come back to my place, bouncy bouncy? If I said you had a beautiful body, would you hold it against me? I...I am no longer infected.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Actually, it makes perfect sense.
The goal isn't to end terrorism, but to convert the democracies into police states.
"Live Free or Die." Don't like it? Then keep out of the USA
Then, if somebody demands/coerces the key from you, you can simply provide one of the alternate keys, which decrypts the ciphertext to reveal an innocuous message.
Obviously the system would have to be designed such that it would be impossible to detect how many messages are simultaneously encoded, and no way to determine any one key using knowledge of any of the other keys. But it might be mathematically possible.
Has any work been done on this?
Remember that Great Britain was the first country to say in the Great Charter: No free man shall be arrested, or imprisoned, or deprived of his property, or outlawed, or exiled, or in any way destroyed, nor shall we go against him or send against him, unless by legal judgement of his peers, or by the law of the land. Now, they have to find a balance between this and the fight against terrorism.
Bonjour !
They may not be able to reveal the contents of the file to convict you, but the contents of the file may point them in the right direction to get information through apparently legal means that they *CAN* use to convict you. This was the situation in WWII. From what I have read, the US and British intelligence agencies had broken the German cyphers, but they had to come up with a cover story of how they knew where the U-Boats would intercept the convoys. They would typically send out observation planes, and "stumble" upon the U-Boats when they were on their way to the intercept.
Unlike you - who manage to spend your tax dollars, not on your lazy sick people - but rather to build fanatic "mujahaddin" fighters, who later turn their bloodthirsty sights on the homes of their CIA paymasters!
Good shot. Americans seem to love America so much, but express only contempt for many Americans themselves - as if there were some magical phantasm of "America" that were comprised of something other than the people dwelling therein.
"Flyin' in just a sweet place,
Never been known to fail..."
My encrypted drive password is "I Forgot It"
but seriously, my hobbies include random number generation, data compression, and encryption, as well as large number series (Pi, Fibonacci, etc.); I have many very large files of apparently random data. But I also have sensitive data belonging to other people; I've worked for various lawyers, a government agency, and a couple small businesses as a basic security advisor (among other jobs). Not all the data I have is my own, and I don't know what all of it is (for the lawyers, my home is their off-site backup location, and I have copies of client paperwork that would send them to jail for a few hundred years, if it were all added up, but that is under attorney/client privilege)
I guess I'm in a similar situation with ISPs; there should be a burden of proof that the key exists in the defendant's possession in the first place.
Some of my hobby research includes 2/3rd's keys:
say the real key is '10100101'
generate a random number '00110111'
xor them '10010010'
then break it up into 3 sections
AB
BC
CA
A and B each have half the real key, so they can get in.
A and C have the first half, and can rebuild the second
B and C have the second half, and can rebuild the first
the problem is that A and B each have half the real key, square-rooting the brute force time.
I've been thinking about generating multiple sets of random numbers, and the result of xor'ing the key by each of them...
key: 01011010
rd1: 10100101
rd2: 00011100
rd3: 10110010
xr1: 11111111 (hmm, tried to be random, got the exact inverse...)
xr2: 01000110
xr3: 11101000
no one gets the root key, and they rotate which random/xor number they get, A gets rd1 and xr2, B gets rd2 and xr3, and C gets rd3 and xr1.
so A and B can get the key by rebuilding xr2 and rd2, B and C can get the key by rebuilding xr3 and rd3, and C and A can get the key by rebuilding xr1 and rd1.
if any one user is captured or turns traitor, their key alone will be of no help to cracking the master key; while the other two remaining users may be able to get together and re-key the data to a newly selected third user, effectively excluding the old, captured key.
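The rotated rd/xr scheme from the comment above (A holds rd1 and xr2, B holds rd2 and xr3, C holds rd3 and xr1), written out as an added example that is not part of the original thread. The function names `deal`, `recover` and `single_share_leaks_nothing` are assumptions made here, and the exhaustive check on small keys goes beyond the comment to show that one holder's share has the same distribution whatever the key is.

```python
import secrets
from collections import Counter
from itertools import product

# Values typed in the comment above (8-bit toy key and the three random pads).
KEY = bytes([0b01011010])
PADS = [bytes([0b10100101]), bytes([0b00011100]), bytes([0b10110010])]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def deal(key: bytes, pads=None) -> dict:
    """Split `key` so that any two of A, B, C can rebuild it.

    rd_i is a random pad, xr_i = key XOR rd_i. Each holder gets one pad and
    the masked key belonging to a *different* pad, so no holder ever has a
    matching (rd_i, xr_i) pair on their own.
    """
    rd = pads or [secrets.token_bytes(len(key)) for _ in range(3)]
    xr = [xor(key, r) for r in rd]
    return {
        "A": {"rd1": rd[0], "xr2": xr[1]},
        "B": {"rd2": rd[1], "xr3": xr[2]},
        "C": {"rd3": rd[2], "xr1": xr[0]},
    }


def recover(*shares: dict) -> bytes:
    """Pool the shares and XOR the first matching (rd_i, xr_i) pair."""
    pool = {}
    for share in shares:
        pool.update(share)
    for i in "123":
        if f"rd{i}" in pool and f"xr{i}" in pool:
            return xor(pool[f"rd{i}"], pool[f"xr{i}"])
    raise ValueError("no matching rd/xr pair: need two different holders")


def view_distribution(holder: str, key: int, bits: int) -> Counter:
    """Count what `holder` sees over every possible choice of the three pads."""
    seen = Counter()
    for pads in product(range(2 ** bits), repeat=3):
        shares = deal(bytes([key]), [bytes([p]) for p in pads])
        seen[tuple(sorted(shares[holder].items()))] += 1
    return seen


def single_share_leaks_nothing(bits: int = 3) -> bool:
    """True if each holder's view is distributed identically for every key.

    Exhaustive over a `bits`-wide key space; identical distributions mean a
    captured share gives no information about the key (unlike a scheme where
    each holder keeps half of the real key bits).
    """
    for holder in "ABC":
        reference = view_distribution(holder, 0, bits)
        for key in range(1, 2 ** bits):
            if view_distribution(holder, key, bits) != reference:
                return False
    return True


if __name__ == "__main__":
    shares = deal(KEY, PADS)
    for holder, share in shares.items():
        print(holder, {name: format(v[0], "08b") for name, v in share.items()})
    for pair in ("AB", "BC", "CA"):
        key = recover(shares[pair[0]], shares[pair[1]])
        print(pair, "->", format(key[0], "08b"))
    print("single share independent of key:", single_share_leaks_nothing())
```

Excluding a captured holder still requires choosing a new key and re-encrypting the data, since the old shares continue to reconstruct the old key.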
Please join
Britons United against Greater Governmental Executive Reform Ostensibly From Fear
B.U.G.G.E.R.O.F.F. stands with the government! We cannot allow the morons from The Society Of dissenting Organisms For Freedom to undermine the war on terra! Please write your representative and tell him your views. S.O.D.O.F.F is an extremely dangerous organization which threatens our Purity of essence. Being an american I can only lend moral support. On that note I wish to let all Britons know that the American Society for a Secure Homeland Over Liberty and Equality is here to help!
Together A.S.S.H.O.L.E. and B.U.G.G.E.R.O.F.F are a perfect match.
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
First they came for the catholics,
and I said nothing because I wasn't catholic
Then they came for the witches,
and I said nothing because I'm not a witch
Next they came for the jews,
and I said nothing because I'm not jewish
Now they've come for me,
and there is no one left to say anything for me.
-- If we don't stand up for our rights, now, there will be no right to stand up for them later.
The Americans didn't do much protecting / defending until after _their_ home _was_ attacked.
After which they went chasing the culprits round the world with as much military force as they could.
WWII or war on terror - take your pick. Not to diminish the importance, but in both cases America only got involved because it was directly provoked, not because of some altruistic / noble motive.
If the NSA were able to crack RSA or any of the other well known cryptographic algorithms, you would probably never hear about it from them.
In the case of RSA and other major algorithms, I'm not so sure this is true. The NSA is tasked with assuring national security, and that involves a lot more than just codebreaking and signals intelligence. In particular, it also involves a lot of thinking about the capabilities of others and what those capabilities might mean for the US government and US industry -- because the health of the economy is a national security issue.
So, if the NSA can break RSA, they also have to wonder who else might be able to, and whether or not some foreign power might use the ability to break RSA to damage the US. Given the amount of use that RSA sees in both industry and government, if the NSA could break it, they would almost certainly be quietly discouraging the use of RSA, perhaps pushing elliptic curves or something else, or if they don't know of any public-key system they can't break easily, trying to encourage the US to use symmetric cipher-based systems.
The only scenario in which the NSA would keep completely quiet about knowing how to break RSA is the one in which the NSA is also very confident that no one else in the world can do it. While that is possible, it doesn't seem very likely that the NSA is far enough ahead of everyone else to feel certain that no one else could possibly duplicate their work.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Sure seems like it - how something like this gets modded up I'll never know.
Why do they hate us? Well shit - it's not just the US/UK they hate after all! Let's compile a list shall we?
- The Russians (because of Afghanistan and Chechnya)
- The east Indians (because of Kashmir)
- The Israelis (because of the Palestinians)
- Anyone else who dares to defy 'Allah's Will' - whatever the Imam says it is this week.
The radicalized 'religion of peace' is destroying much progress made in the Arab world. Whole governments are being held hostage by these wackjobs and there is a common thread that a lot of people from the West do not understand - it's all about control.
With Democracy, with so-called human rights, women are given more power. In radical Islam, the women have less rights than most farm animals and here's the thing: THE MEN WANT TO KEEP IT THAT WAY. It is one of the many appealing reasons why this way of life is being defended by use of terror and intimidation at every level. It all starts (or started) at home.
When you see these videos (and yes, they were on Fox News also), you need to grasp them in context. Were these shots taken from the Sunni triangle after a few soldiers found their buddies' burnt bodies strung up on a bridge somewhere? Were these people themselves intimidated to put up a fleeing suspect?
The images are never enough by themselves to tell the whole story.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
"What if you just have some random garbage on your drive? (output from "cat /dev/random" as I often use for testing things) That would not be readable and might be considered "encrypted". How can they tell?"
The same thought occurred to me.
Indeed, if I lived there I would consider preparing several such files and stating publicly and in advance that that's exactly what I was doing. They're not encrypted, so it is impossible to provide the key. Assuming it's impossible to distinguish between an encrypted file and a random file, they can't prove that the crime of withholding a key was committed.
I rarely criticize things I don't care about.
Why do you think they call the department that hires and fires you HR, Human Resources :)
I used to have a boss that would refer to you as a resource to your face instead of hinting you might have a name or be a human being. Labor is just like raw materials and capital, stuff you feed in to corporation machinery to produce profit.
Needless to say the powers that be like both their labor and raw materials to be as cheap as possible, hence globalization of the work force so you have the opportunity to compete for a job against someone making 30 cents an hour in China.
The powers that be also like their labor scared, obedient and drug free which is why police states are such a hot commodity with pro business governments like the U.S., U.K, China and Singapore. If you do it just right authoritarian states are very profitable, you just have to make sure workers don't start throwing their wooden shoes, sabots, in to the machinery (sabotage).
In authoritarian states you have no problems with labor unrest and you can set wages arbitrarily low and workers can't complain. If you look at the U.S. in the early 20th century, early attempts to organize labor, get a livable wage and a work week that wasn't 12 hours a day 6 and 7 days a week, were often met with guns and blackjacks from either the state or private security firms.
That's how to run an efficient economy.
@de_machina
But in all this consternation of you arresting me, bag over my head and all that. I totally forgot my passphrase.
Why are you hooking up that generator to two wires that go nowhere?
Oh
- -- Truth addict for life.
You don't have liberty without security, so what's the point of talking about preserving all your civil liberties when you're not free anyway? In reality compromises must be made to maximise freedom.
That's not insightful. That's just nonsense and doublespeak, and exactly the sort of confusion about "reality" that the current administration wants you to believe. You have it backwards. Such "compromises" as those imposed by PATRIOT, and the powers now desired by the British police really are demands that we give up freedom.
Anyone who tells you that giving up those freedoms will make you any safer is simply lying to you, or is tragically misinformed, or both. As long as terrorists have a will to attack people, and a willingness to die to achieve their objectives, they will sometimes succeed.
The only thing you achieve by giving up freedom is to allow 1) the terrorists to succeed in fundamentally altering the nature of our societies for the worse by giving in to terror, and 2) giving far too much power to a small group of people who now have no accountability to anyone else. Do not forget that it has been demonstrated time and time again that when such powers are granted, they -- are -- invariably -- abused. If you can't come up with examples of your own, try on the Japanese-American Internment during World War II, Senator McCarthy, Herbert Hoover, Abu Ghraib, and Guantanamo Bay. If you want another, grimmer example, look to the Argentinian Desaparecidos, as the path we're now treading rapidly leads in that direction.
You can't "protect" freedom by giving it up. We have freedoms only as long as we are willing to fight to protect them from the people who try to take them away from us. In this case, these demands are of far greater danger than what they claim to want to protect us against.
"Security" is not -- nor ever has been -- nor ever will be -- some concrete thing you either have or don't have. There is always an element of risk in anything we do, and in all things there is a point where we must simply resort to a certain amount of trust. Freedom does not require a "secured" society, but rather one that understands that freedom requires a certain amount of personal responsibility to be aware of what is going on in the world around us, and an acceptance that there are certain things that are sometimes, whether we like it or not, beyond our own personal control. If we are to be free, we must accept that we are adults, and that we bear that responsibility ourselves. We cannot simply hand over our freedoms to some arbitrary custodial parent or elder sibling to control us 'for our own good', and call that freedom.
To quote Benjamin Franklin, from the Historical Review of Pennsylvania, 1759:
"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
He was right, then, and it is still true now. I would much rather maintain those essential freedoms, accepting that to maintain them does entail a certain but entirely acceptable amount of risk, rather than give them over to a small cadre of individuals who, without oversight, are empowered to remove those rights with impunity, all in the name of some false illusion of "security".
Right. I remember when Iraq attacked the U.S. I was scared to death.
Hijackers on 9/11/2001 were mostly from *SAUDI ARABIA*. Bin Ladin attracts newcomers to his cause mainly by expressing a distaste for U.S. presence in *SAUDI ARABIA*.
We invaded Afghanistan, spent 4 or 5 months there, and basically pulled out. Then we, for no justifiable reason, invaded a sovereign nation and deposed the elected head of state.
Yes, we were provoked. But, it's time to ask the two critical questions:
1.) Are we attacking the right people?
2.) Why did they attack us in the first place?
Understanding the enemy is the first step to defeating him.
sig?
Just use the DVD CSS code to scramble your encrypted files. The MPAA will insist the police are not allowed to have the key, and if the police crack the key, the MPAA will sue them.
I think you miss the point of "deniability". Nobody can "prove" that they don't have a hidden secret that may or may not exist. The point of deniability is that nobody can prove that you do. Truecrypt's optional second-level encryption is different because there's no way to prove that any second-level encryption is being used, and in fact there may not be any for the majority of Truecrypt drives. That's not the same as somebody actually being able to point to a file on your system which is clearly encrypted and saying "decrypt it - or else".
This is the way it has been in Australia for ever. We are required to provide our keys if directed by warrant - we don't have the luxury of the right of non-self-incrimination.
One answer is to use Steganography software to give plausible deniability. With a program like DriveCrypt you can have an encrypted file or bootable partition with two keys - one, that you can hand over to the police, unlocks some harmless (but seemingly sensitive) files like pr0n; the other, which you don't disclose, unlocks your real data.
While the Police can see an encrypted file it can be unlocked with the first key and they cannot prove the second key exists.
Orationem pulchram non habens, scribo ista linea in lingua Latina
You're asking about 'rubber hose encryption.' Google for it.
Vintage computer games and RPG books available. Email me if you're interested.
It was.