British Police Demand Access To Encryption Keys

flip-flop writes "In the wake of recent terrorist attacks, police here in the UK have asked for sweeping new powers they claim will help them counter the threat. Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files." From the article: "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."

Oh yeah, that's why we threw their tea away

[SeanTobin]

Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...

GoodGuy has a friend who is in some domestic trouble and is hiding some of his assets in off-shore accounts. He keeps his friends account information in an encrypted folder on his computer because his friend doesn't want to lose it and trusts him.

EvilAgentMan thinks GoodGuy is a terrorist planning on taking over the world, due to his recent purchase of a salt water aquarium, baby sharks, laser pointers and duct tape. He charges GoodGuy as being a EvilDoer(TM) and puts him in jail. While looking for evidence, he notices an encrypted folder on GoodGuy's computer. He tells GoodGuy that he must hand over his encryption keys or be charged with the crime of not handing over his encryption keys. He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend. ...Time to get pricing on high speed internet access on the moon I guess. This planet's done for.

Re:Oh yeah, that's why we threw their tea away

[Spad]

Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

Are the police really going to believe "I don't have it, they're not my files"?

Re:Oh yeah, that's why we threw their tea away

[gstoddart]

Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

Then you'll be found to be aiding and abetting.

If you're holding data for someone that you don't know what it is or how to decrypt it, you will be perceived as an accomplice. Or, just summarily assumed to be the original source of the data and just recalcitrant.

Interesting to see would be if you can have your lawyer hold onto these things and have them covered under privelege.

It's scary that in so-called free societies it can become a crime to keep (possibly legal and innocuous) secrets from the government.

Re:Oh yeah, that's why we threw their tea away

[ScentCone]

He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend

Because there's no friend like a friend who talks you into criminal complicity, I always say. I mean, what are friends for, if not to help you launder money or hide assets? And what ever happened to the bad guys just writing down the key, laminating, and burying it in a coffee can three paces south of the big oak tree on old man Smith's back forty? You know, where you used to go and smoke pot and dream of the days when you'd have enough ill-gotten assets to have to hide them from the court? Ah, those were the days.

Incidentally, what would you have the cops do while they're sitting there looking at the hard drive from a guy they just arrested, who yesterday was having some trouble blowing himself up? Ask him ever so nicely? OK, so he was willing to die in order to kill you and your kids, so he's probably not going to be big on cooperating, but the owner of the cyber cafe where he often runs chats with his equally inept fellow bombers - is it worth being able to crack his encrypted leavings so that maybe we can stop his buddies from smearing more innocent people all over the inside of a tunnel? You are aware that actual people are actually spending their days actually thinking up and acting on ways to kill people that run yogurt stores, work at rehab clinics, build web servers, teach grade school, and have families that depend on them... right? This isn't a game, it's actually happening. And as the prime minister of Autstralia put it so eloquently yesterday, we're using 19th century approaches to dealing with bad guys happy to use 21st century technologies (um, even as these twits condemn modernity - always a telling little bit of confusion on their part).

Re:Oh yeah, that's why we threw their tea away

[Alphabet+Pal]

What if they find a file they can't associate with an application, assume that it's encrypted, and insist that you give them the encryption keys for a file that's actually a corrupted Word document? Crypto documents are designed so that they're not supposed to look like crypto documents.

Re:Oh yeah, that's why we threw their tea away

[kailoran]

The Brits don't have a constitution. Yes you can live without one.

Re:Oh yeah, that's why we threw their tea away

[afidel]

You just gave me a truely evil idea. Make a worm which copies and randomly encrypts files from the infected computer, then email a copy of the encrypted file along with a copy of the worm to random people in the address book. Would make life hell for sigint people and just might give someone plausible deniability against this type of idiotic law.

Re:Oh yeah, that's why we threw their tea away

[dheltzel]

Or what if the encrypted data was put there by a virus or some other source?

If you really want to hide something under the new rules, encrypt it and store it on a network of zombie computers, or a p2p network. That will cause real problems for others, but you'll never have possession to be charged with not providing the keys.

Or, just compromise your enemy's computer and store some encrypted files there and then turn them in as a concerned citizen. Even if they manage to get aquitted, the implied guilt during the process will destroy their lives. It's sort of scary if they're gonna assume you are the one who did the encryption simply because you possess the file.

Re:Oh yeah, that's why we threw their tea away

[arkanes]

Don't be a fucking retard. Iraq was one of the most prosperous nations in the Middle East before 10 years of sanctions destroyed it's economy. Right or wrong, a lot of Iraqi lay the blame for that at the feet of America.

There are a lot of people who're more comfortable with the monster we know. Hell, look at US foreign policy.

Islamic extremists are hardly the only people killing anyone in Iraq. Iraq was *not* a misogynist medieval theocracy under Saddam! Get your blind prejudice out of your ass and actually take a look around!

The US are not the good guys here. There aren't any good guys here. Especially when ignorant fucks like you spread this same diseased prejudice about the state of Iraq before the war, and especially before the sanctions. I half expect to start hearing people talking about the White Mans Burden. Current US policy is to play legal games so that we can torture and hold people in ways that should be illegal, but duck out through loopholes (gitmo, civilian (read: mercenary) "interrogation specialists", shipping suspects to Syria).

History will show whether or not the Iraqi invasion was better or worse for the country as a whole. I'm not prepared to make that judgement, and I'd pity our president for having made it if I thought the import of it actually touched him. The average Iraqi is substantially worse off today than he was before the invasion. Some (Kurds, most obviously) are much better off. Some are worse off but believe it's for the better and move on. A great many are just pissed off.

Are you seriously going to tell people that the US is better because we don't kill and torture as many people? Thats our big claim to fame as the moral guiding light who will bring true democracy to Iraq?

Re:Oh yeah, that's why we threw their tea away

[Richard_at_work]

It's kind of amusing that we defended Brittain against the fascists sixty years ago and now we're encouraging them to adopt our fascism.

The US entered the second world war in the December of 1941, a full year and a half after the Battle of Britain in summer 1940. Hitler abandoned Operation Sealion, the invasion of Britain, when the RAF defeated the Luftwaffe for control of Britains skies during that long summer.

As the other poster says, you didnt defend us, you fought with us.

Re:Oh yeah, that's why we threw their tea away

[Laxitive]

Turn on the TV...look at the situation they were in. The only ones prosperous were the ones in power. That $$ (even the oil for food $$) went straight to Hussein and was not spent on food or upkeep of utilities. And don't do like the rest of the left and leave out all of the facts except the ones that support your case. He ATTACKED A NEIGHBORING COUNTRY. He left the oilfields burning when he realized he couldn't keep it for himself. He murdered so many they may never find all the mass graves. He fired upon allied airplanes in the no-fly zone more times than most people know. The list goes on and on.

If America cared so much about Hussein killing Iraqis, then why did they give him weapons to do it with? The United States never, ever, cared about the livelyhood of Iraqis. That's why they supported Saddam until he got uppity, and then (with the help of the UN) imposed sanctions that strangled the nation.

Don't give me a song and dance about how you helped free the Iraqi people by deposing Hussein. You helped subjugate them in the first place by propping him up.

Why were you propping him up? Because just a little while back, the other murdering dictator you propped up in Iran got overthrown.

Who else were you funding around that time? Oh, right.. your good friend Osama Bin Laden the freedom fighter.

Your country has its dirty, grubby little fingers all over the mess in the middle east. Why is that? Because the middle east has the substance that you need like a crackhead needs crack. You'll do anything to get it. You'll support dictators, you'll support terrorists, and you'll be friends with the country that the terrorists who attacked you came from.

And now I'm sure you'll be prepared with justifications for why it was OK for the US to support Saddam, and why it was OK for the US to support Osama - but then, people who do horrible things always have justifications for the things they do. Osama has a justification for flying planes into buildings full of civilans, and you have yours for supporting mass murderers.

But aside from tube junkies in America, few people in the rest of the world buy your story. You had an opportunity to show you had changed. You had an opportunity to gain the support of the world after 9/11. You blew it.

Have fun fighting your old friends.

-Laxitive

Re:Oh yeah, that's why we threw their tea away

[Phil+Karn]

Turn on the TV? Which channel? Fox News, our very own version of Pravda, with red, white and blue text banners and pundits foaming at the mouth about how it's treason to disagree with our Leader in time of war, a war which conveniently will never end? If that's all you watch, I can see why your view of the world is so screwed up.

Check out Al Jazeera, if you can find it. Then you might see a sampling of what's really going on over there: shot after shot of dead civilians, including many kids. Many more shots of civilians, barely alive, lying in squalid hospital beds, the remains of their arms and legs wrapped in bandages after being blown off by bombs. Innocent civilians being harassed and humiliated at roadblocks, or worse if they panic and fail to comply with a shouted command they can't understand because it's in English.

You'll see footage of heavily armed US troops kicking in doors of houses, pointing their weapons at civilians, shouting (again in English!) at women and childen cowering in the corners and crying. You'll see picture after picture of abuse of prisoners in US prison camps and hear about people, most of them completely innocent even by admission of the US commanders, who disappear into them for years without charges, without lawyers and without any chance to defend themselves.

Every other day there seems to be yet another suicide bombing in Iraq that kills as many people as the one in London two weeks ago. That attack is still getting saturation coverage on the US networks, but the bombings in Iraq rate, at most, a brief mention each.

Arab culture is quite different from ours, and we can't assume they share our more abstract values like our Bill of Rights (that is, if we actually practiced them ourselves). But they belong to the very same species as we, so it does seem somewhat reasonable to believe that they, no more than we, like being killed or maimed or abused or imprisoned, or having that happen to our friends and families.

Still can't figure out why they hate us? Or are you going to tell me that all that footage is faked somehow?

Re:Oh yeah, that's why we threw their tea away

[TCM]

There is also the option of using an encrypted container and filling it half-way with some innocent-looking stuff that would still be worth encrypting. In the remaining space, you place another container with the real stuff.

TrueCrypt can do this to provide "plausible deniability". The second container does not appear in the filesystem of the first container. That's why you have to be careful to not modify the outer container once the inner container is created. Since the free space of any container will be filled with random data, an additional container inside the free space will be undistinguishable from random noise. Read the manual for more info.

Encryption key

[bigwavejas]

Sure, you can have my encryption key. Here it is:
01100110 01110101 01100011 01101011 00100000 01101111 01100110 01100110

Re:Encryption key

[Jeff+DeMaagd]

One.
Two.
Three.
Four.
Five.

Re:Encryption key

[randm.ca]

That's amazing, I've got the same combination on my luggage!

Simple Solution

[USSJoin]

"I forgot it." Seriously. This is what we do in the U.S., and even if they hold you in contempt-- it's a darn sight better than letting them have access, and seeing what you were up to.

Encryption Keys?

[Taevin]

Fortunately we have things like StegFS. But I really shouldn't be disclosing such information, some people in the govA*$%#)D$@#$NO CARRIER

Re:Encryption Keys?

[nkh]

I don't know where I've read this (/.?) but the problem with "onion layers" steganography is when they torture you: How do they know you gave them ALL the passwords? Maybe there is "just one more" that will reveal everything? The torture never ends if they know there are multiple layers. (yes, I'm paranoid but I wouldn't like this to happen to me)

Guantanamo Bay?

[fantomas]

"Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it."
umm, Guantanamo Bay?

Re:Guantanamo Bay?

[SeanTobin]

umm, Guantanamo Bay?

Yeah.... sorry about that one.
There is at least one additional rule that goes along with innocent until proven guilty. It's guilty until proven American.

Re:Guantanamo Bay?

[SatanicPuppy]

Um no, actually.

In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed....

Either you have to charge them or you have to let them go. This crap isn't even legal under the geneva convention, not that this administration seems to give a damn.

Already an offense?

[moderators_are_w*nke]

I was pretty sure that the regulation of investigatory powers act (1998?) already made it an offense to refuse to disclose an encryption key?

Re:Already an offense?

[Thwomp]

Yeah, that was my immediate thought also. The RIP act was actually past in 2000.

One interesting point I remember from it was that if you were no longer in possession of the key then you had to prove you didn't have it. In other words proving a negative! Besides, I'm sure any criminal wouldn't disclose the keys and take a shorter prison sentence if what they were encrypting was more damaging.

I'd advise anybody working in the computing profession, in the U.K., to be aware of this law and others.

Where are civil liberties truly valued?

[dd]

The real measure of a free, open and just society is how it behaves in bad times - not in good times. When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go? Maybe the citizens should not crow too loudly about how free, open and just their society is when they look back at how their country has behaved in difficult times..

Employers are competing for Ashcroft?

[plasmacutter]

I'm waiting for the suit against the UK by the US claiming ashcroft is violating his non-competition clause...

demand encryption keys ? *yawn*

[dwbryson]

Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files.

I'm not familiar with British law, but I do know American law is based on the same doctorines as the British(from a historical perspective at least).

In the U.S. the court can order you to provide encryption keys and if you do not you will be held in contempt of the court. This usually means the judge puts you in jail until you decide to provide the keys. To me(IANAL) it seems like the above just formalises the practice. Via the wikipedia reference it appears as though the U.S. did this in 1981.

Being held in contempt of the court is a very normal tool for judges to use with uncooperative court subjects, cryptographic keys aren't special or different.

DeCSS

[Henry+V+.009]

I use CSS encryption for all my privacy needs. I'm sorry, but I'm afraid that it would be illegal for me to provide you the software code that breaks it.

Re:DeCSS

[logic+hack]

When I want to break CSS I just view the document in IE.

Won't be long now

[Slightly+Askew]

Uniting the Kingdom by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

The Right to Prevent Self-Incrimination

[westcoaster004]

What is the difference between the right to prevent self-incrimination (i.e. the right to silence) and the right to not say your password?

In England and Wales, "a defendant cannot be convicted solely due to their silence" yet this is saying precisely the opposite.

It's already an offense

[Albanach]

I'm not sure why they would demand the right to access encryption keys when they already appear to have the power through Section III of the Regulation of Investigatory Powers Act Link here.

Re:This is a major point

[symbolic]

They want encryption keys, but I dare say that not ONE of the investigators (or government officials) can point to a single connection between the recent stuff in London and encrypted information. They keep demanding solutions to problems that don't exist - that's why this stuff keeps happening. If they'd try to solve the problems that DO exist, they might get somehwere- WITHOUT becoming a police state.

Isn't a subpoena good enough?

[temojen]

If you don't comply with a subpoena, you go to jail for contempt of court. Of course a subpoena actually requires judicial approval, whereas a police request for encryption keys does not.

Re:Safe or private?

[Sylver+Dragon]

Terrorist style attacks even happen in police states. Obviously, it impossible to lock things down far enough to give real security, therefore, there is no reason to destroy privacy in a vain attempt to get there.

Well Chomsky is in order here...

[presarioD]

Be afraid. Be very afraid. Be British and very very very very very afraid:

Noam Chomsky

The western world is in its worst decadence since the Medieval times...

Re:Well Chomsky is in order here...

[presarioD]

Chomsky's beliefs can be summed up quite simply. USA = bad.

That would rather be:

USA government = bad

and it is not a matter of belief but of fact. He doesn't tell nice feel-good patriotic stories of heroes and scoundrels but presents steel arguments and ice cold facts to make his case.

Do you have any objection to the facts? Can you point to an inaccuracy? Most likely not. Now if his views do not settle right with your feel-good ideas that is a problem you have to deal with...

Rights of the accused

[Sneftel]

The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient. "The complexities and timescales surrounding forensic examination of [crime] scenes merely add to the burden and immense time pressures on investigating officers," he said. Three-month periods would help to ensure the charge could be sustained in court.

Wow. "Civil liberties are a pain in the arse for us to respect... so could we get rid of them?" In my opinion, the only humane way to look at the rights of the accused is to look at a rhetorical someone who has been wrongly accused. How would Mr. Jones feel about being imprisoned for three months so that police could take their sweet time figuring out what, if anything, to charge him with?

Re:pfft

[Albanach]

not even NSA can decrypt them.

And how exactly would you know this?

From the PGP FAQ:

Q: Can the NSA crack PGP (or RSA, DSS, IDEA, 3DES,...)?

A: This question has been asked many times. If the NSA were able to crack RSA or any of the other well known cryptographic algorithms, you would probably never hear about it from them. Now that RSA and the other algorithms are very widely used, it would be a very closely guarded secret.

The best defense against this is the fact the algorithms are known worldwide. There are many competent mathematicians and cryptographers outside the NSA and there is much research being done in the field right now. If any of them were to discover a hole in one of the algorithms, I'm sure that we would hear about it from them via a paper in one of the cryptography conferences.

For this reason, when you read messages saying that "someone told them" that the NSA is able to break PGP, take it with a grain of salt and ask for some documentation on exactly where the information is coming from. In particular, the story called NSA Can Break PGP Encryption is a joke.

Sure it is unlikely, but unless you have some way of proving what you say, it would be unwise to believe that no one can / will in the near future be able to crack or intercept your encrypted messages.

Incrimination for fun and profit...

[SpecBear]

1. Wait for Annoying Coworker (AC) to leave desk
2. Place encrypted file PlansToBlowUpParliament.zip on AC's computer.
3. Report AC to authorities.
4. Authorities ask AC for password, but of course he can't give it.
5. Authorities can't verify the contents of the file, so they can't charge him with a crime. Without revealing the contents of the file, AC can't prove his innocence. AC rots in jail for three months without charges filed against him.
6. AC loses his job while imprisoned, you loot his cubicle for snacks.
7. Profit!

For bonus points, see if you can get the file onto the hard drive of some politician you hate.

~Security - ~Liberty

[geekee]

"When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go?"

You don't have liberty without security, so what's the point of talking about preserving all your civil liberties when you're not free anyway? In reality compromises must be made to maximise freedom.

LOL! That's cute

[doublem]

I'm going to let you in on a deep, dark, dirty secret. They aren't really trying to solve the problem. Terrorism is a boon to the US and UK governments, because it gives them an excuse to push the respective nations closer to a police state.

A police state is not a consequence of misguided attempts at preventing terrorism, but is instead an end being achieved under the cover of fighting terrorism.

Remember, Terrorism is an end to a means for the terrorists, and the governments "fighting" it.

Think the war in Iraq was about Sept 11 or WMD? Think again. It was because defense contractors have well placed connections. For corporations, your life is only worth what they can get out of it. If they can sell military ordinance by getting your children killed in Iraq, so be it. Their gods are money and power, not the ones your Priest, Rabbi, Cleric, Circle Leader or anything else are telling you about. If you think I'm being paranoid, just look up corporate environmental management. Hell, just look up what Coca-Cola is doing in India.

Human life is just another natural resource for corporations. Nothing more.

Dual Encryption Now Needed

[linuxwrangler]

Obviously what is needed is a method for dual encrypted files. Basically an encryption/steganography combo. When unencrypted with the 'fake' key, you just get whatever text you encrypted with that key - something uninteresting like expired credit card numbers or letters to grandma and it looks like you have complied with the order. Meanwhile the real key unlocks the data you want to keep secret.

Naturally the algorithms would require that it would be undetectable that this is what you have done.

Some alarm systems have something similar. When you open the business you use the real code. When the robber forces you to open up at gunpoint you use the fake code. The alarm does turn off as expected but it also calls the police with an "under duress" alarm.

Happy to help

[infonography]

too bad I am dsylecxic my seepling is just aufful.

hire is thee key

the pass code is "My hovercraft is full of eels."
RSA key mynipplesexplodewithdelight

here is a little test message;

Ya! Ya! Ya! Ya! Do you waaaaant...do you waaaaaant...to come back to my place, bouncy bouncy? If I said you had a beautiful body, would you hold it against me? I...I am no longer infected.

what we need is a multi-key system

[pclminion]

We need a dual-key cryptosystem which allows the user to encrypt multiple messages, using multiple keys, and output the result as a single encrypted block.

Then, if somebody demands/coerces the key from you, you can simply provide one of the alternate keys, which decrypts the cipertext to reveal an innocuous message.

Obviously the system would have to be designed such that it would be impossible to detect how many messages are simultaneously encoded, and no way to determine any one key using knowledge of any of the other keys. But it might be mathematically possible.

Has any work been done on this?

coming to take you away

[minion]

First they came for the catholics,
and I said nothing because I wasn't catholic
Then they came for the witches,
and I said nothing because I'm not a witch
Next they came for the jews,
and I said nothing because I'm not jewish
Now they've come for me,
and there is no one left to say anything for me.

Re:russian front

[ray-auch]

The Americans didn't do much protecting / defending until after _their_ home _was_ attacked.

After which they went chasing the culprits round the world with as much military force as they could.

WWII or war on terror - take your pick. Not to diminish the importance, but in both cases America only got involved because it was directly provoked, not because of some altruistic / noble motive.

Re:russian front

[zerocool^]

Right. I remember when Iraq attacked the U.S. I was scared to death.

//oh wait.

Hijackers on 9/11/2001 were mostly from *SAUDI ARABIA*. Bin Ladin attracts newcommers to his cause mainly by expressing a distaste for U.S. presence in *SAUDI ARABIA*.

We invaded Afghanistan, spent 4 or 5 months there, and basically pulled out. Then we, for no justifiable reason, invaded a soverign nation and deposed the elected head of state.

Yes, we were provoked. But, it's time to ask the two critical questions:
1.) Are we attacking the right people?
2.) Why did they attack us in the first place?

Understanding the enemy is the first step to defeating him.

Sunset: May 26, 2005

[MacDork]

It was.