UK Government Wants Private Encryption Keys
An anonymous reader writes "Businesses and individuals in Britain may soon have to give their encryption keys to the police or face imprisonment. The UK government has said it will bring in the new powers to address a rise in the use of encryption by criminals and terrorists." From the article: "Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. 'The use of encryption is... proliferating,' Liam Byrne, Home Office minister of state told Parliament last week. 'Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force.'"
I believe we are in need of a new Slashdot section: Horrifying
Just stick a computer in the corner churning out encryption keys and mailing them to the UK government all day every day until you break their database.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Encryption keys don't kill people, people kill people.
If owning (not divulging) encryption keys is criminalized, only criminals will own encryption keys.
These "rules" will only push the envelope of how and what criminals (or terrorists, etc.) use to hide their activities. And at the same time, they will add one more burden to the general population to manage and ensure the government is informed of their encryption infrastructure. Nuts.
The most effective infiltration into terrorist infrastructure is still social engineering. I'd rather the money spent creating and managing something like this spent training and hiring translators, covert agents, etc.
A convincing point about the futility of this proposed rule comes from the article:
How will they know that they have the correct private keys without "testing" them on the owners' encrypted communications every so often? Oh well, it is England after all. Living on an island can do odd things to living things.
It's a good thing that, as an American citizen, I don't have to worry about these violations of my privacy.
My encryption key is:
1.....2.....3.....4.....5
Damn fascist Americans! I am so glad that I live in Europe where such things never happen!
So is it that they want the criminals to hand over their passwords before they commit a crime? This should go well with the anti bank-robbery legislation requiring all would-be robbers to call in a schedule before they pull off a heist.
Luck favors the prepared, darling.
I assume that there is a similar rule for safes/lockbox combinations.
Britain's use of anti-privacy situational crime prevention measures is a means of targeting petty crimes and the innocent while displacing more professional and semi-professional crime into other areas. These techniques do not stop the criminal, as he is already committing a crime, what would he care if you added "refused to give up private key" to his list of crimes?
The UK needs to wake up and realize that these forms of crime control only waste money and create more crime, than stop crime from happening.
If this goes into effect it would make it a very dangerous thing to have files of random characters .... you'd have a lot of trouble explaining them.
Most major companies have offices all around the world, presumably. So now they'll have to have a separate (pretty much disposable) encryption method just for the UK?
What about communication between offices on the internet? A Japanese analyst creates some research, but due to technical problems the only Compliance office up is in Europe. So every program or service that can communicate with Britain has to check if a request is going to/through the UK before applying the "approved" encryption.
To quote, "this is madness"
"Oh, yeah, you think that telephone call database is slick, check this sh*t out. We're gonna make our subjects give up their crypto keys or go to jail"
"Oooh, good one!" (high five)
Welcome to the Panopticon. Used to be a prison, now it's your home.
Time for steganographic file systems where your private data can be hidden inside innocent looking files. They can't force you to disclose your key if they don't know and/or can't prove that you have one.
http://en.wikipedia.org/wiki/Steganography
I'll probably be modded down for this...
- cameras are used by criminals, paedophiles, and terrorists - we need access to your negatives/memory disks.
- houses are used by criminals, paedophiles, and terrorists - we need access to your house keys.
- cars are used by criminals, paedophiles, and terrorists - we need copies of your car keys.
- ATM machines are used by criminals, paedophiles, and terrorists - we need to know your PINs.
- Online email services are used by criminals, paedophiles, and terrorists - we need to know your username/passwords.
- Computers are used by criminals, paedophiles, and terrorists - we need to install a backdoor on your computer.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
"England Prevails"
Parliament better watch out... hear there's a train heading there loaded with fireworks and other things that go boom.
-zariok-
Simple solution: You have a new encryption scheme where there are 2 private keys. The first one allows decryption, the second wipes the drive. Guess which one you give to the police?
Coding with assembly is like playing with Legos. Coding an application in assembly is like building a car with Legos.
If they want to force someone to expose their private data, they should get a warrant to do that once you are suspected of a crime not before. As others have said, this treats everyone like a criminal.
There was no crime, because the secret police would carry you off and shoot you in the head if you were even suspected of a crime. Wiretaps were the norm and the government could do whatever it wanted. Privacy didn't exist. And they were safer from criminals for it. Well, safer if we define criminals as ones that weren't in the KGB.
Yeah, no "In Soviet Russia" Joke here.
This is frightening. It's like we're becoming the very thing we fought in the cold war. A totalitarian government.
But at least we have 37 types of cereal.
A criminal that rapes someone may have talked during the rape -- it is the rape that was evil.
A criminal that shoots someone in the head used a gun -- it is the shooting that is evil. He could have used a baseball bat.
A criminal that blows up a building might use a cell phone -- it is the building exploding that is evil. He could have used e-mail or writing a big X on a tree.
We have to stop government from criminalizing actions that are part of our right to speech. This right is not something Constitutional or created out of any government document -- it is a natural right that all humans share, no matter what the laws say.
I'll continue to encrypt, and I'll dare the government to try to restrict me. If I have to, I'll encrypt by using an encryption program that hides my real text to make it look like readable language. Let them try to stop that. Or I'll use my own spoken code. Will they find a way to criminalize it?
Don't criminalize tools, criminalize criminal actions.
I'm sure the criminals, paedophiles, and terrorists will just be lining up to hand over their keys, too.
That's the odd thing about this. You can get up to 2 or 5 years in the can (depending on if they think you're a terrorist). So if you have gigs of terrorist info that could get you sent away for life, just say you lost your keys and go away for 5 years max.
Trolling is a art,
Encryption may not be a must for most people, but keeping the government out of one's private business is a must for all people, everywhere.
English is easier said than done.
The basic argument is that the purpose of a search warrant is defeated by encryption. Now I think that's wrong, or at least part wrong, and I think an alternative would be to make material held by the defendant which he does not choose to decrypt something that the jury can take account of, just as refusal to testify is now, under limited circumstances, something the judge can point to during summing up. And the alternative of forcing decryption isn't offered (although quite how someone would demonstrate that plain text they offered really _was_ the decryption is a whole other question).
This is bad, illiberal law, and those of us involved in campaigning against it have been in correspondence with our MPs for some years. But it's not just Britain that is tearing up its freedoms in the face of minor terrorism: the USA collectively shat its pants and ripped up a century of jurisprudence on the 12th of September. It makes far more sense for people with a desire for freedom to work together, rather than to assume that we're a bunch of proto-fascists while Bush Jr defends your constitutional rights.
ian
People; don't say "This can't be done."
This is referred to as a "catch-all" type of law. Beware the wonders of selective enforcement.
The idea here is that if you find a suspected terrorist, and they use encryption, you don't even need to bust them for terrorism OR for not providing their encryption keys when demanded. You can just go to step A, look up their name in the government encryption key database, find out that no, they did not provide their encryption key to , and take them directly to jail.
Regardless of whether or not they are a terrorist, regardless of whether or not they are willing to turn over their encryption keys when asked, you can find them guilty.
This is not about collecting everyone's encryption keys (at least not at first). Initially, this will be used as a blunt stick to smack anyone the government doesn't like. Think of the way seat belt laws are enforced; cops won't stop you for not wearing your seat belt, but they'll sure as hell issue a ticket for it even if you aren't speeding, have all your paperwork in order, and have done nothing else wrong. It's a sort of standby crime they can get you on.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Just an example of astoundingly ignorant politicians who don't realize they're effectively criminalizing the use of cellular phones, the constantly changing keys of which would amass petabytes of data within a year, in just the UK--and that's just the keys, not the data they encrypted...and that's just the cellphones.
What absolute morons.
You're behind the times.
The UK is already (planning) installing a system of automatic licence plate recognising cameras throughout the country. The resulting database will allow a very comprehensive following of cars and thus persons.
The next step is of course that you have to report to the police whenever you've driven another car but your own...
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
...I know that's like asking to be lied to, but I would like to know how often criminal investigations are hampered or even prevented because communications or information had been encrypted.
Like so many others, I see this as nothing more than an attack on privacy and not as an aid to criminal investigations. Criminals are not going to turn over their keys. People who turn over their keys aren't likely engaged in criminal acts. "Honest" people who believe in the right to privacy will become criminals, however.
I'm not sure "police state" is the right word, but we're certainly talking about criminalizing the general population to the point that only people "in office" can have the right to privacy under the guise of "national security." And a funny thing happens to your rights when you become "a criminal." You lose them along with your ability to run for public office and all manner of other things.
The use of illegal government spying on innocent citizens is proliferating.
Your move now.
...(and no, you may not have my encryption keys).
This is an example of the government passing bad laws which have no real effect on terrorism, it's just posturing. It'll be impossible to prove that a person really knows the encryption key or if the key that was coerced from them is the real key.
These days encryption software like TrueCrypt has multiple levels of "plausible deniability" so even if a key was coerced out of someone you don't know if the data that is decrypted is the real deal or just another decoy.
These so called government security advisers really don't know anything about security. The UK Government can't even remember to deport foreign criminals after they serve their sentence. The country will be a lot safer if the Government fixed their own incompetence rather than pass TROLL laws which deprive the real law abiding citizens of their liberties whilst allowing the terrorists to carry on business as usual.
Just wait until they finish decrypting all the data files on my PC.
"You mean we spent four days decrypting Gigs upon Gigs of vacation photos??"
"Well, they have an 8 Megapixel camera, lots of memory cards and use RAW format..."
"But that's all you found? There aren't even any racy photos in the bunch?"
"Should we start decrypting the second RAID array?"
"The one labeled 'Project Gutenberg text to speech files in WAV format'?"
"Yes, that one."
"Go for it. I don't know what this 'Project Gutenberg' is, but it's got to be seditious. Plebeians don't label anything a 'Project' unless they have delusions of being all 'Cloak and Dagger.'"
"Live Free or Die." Don't like it? Then keep out of the USA
I think this will increase the proliferation of encryption technologies which provide a certain level of plausible deniability. Things like TrueCrypt (http://truecrypt.org/) provide an encrypted container which has a basic access and a secondary access. The container cannot be detected as being an encrypted anything - it is just a bunch of random data. If you use the basic access mechanism, you get your data. If you use the secondary access, you get an alternate contents, which can be seemingly important, but relatively benign data you put there to look like someone got something important. However, you cannot tell which one is which, or even that the alternate access isn't the primary one.
TrueCrypt lets you mount the container as a filesystem, which is a convenient way to go. This sort of thing allows you to:
a) Deny that there is anything encrypted for which you have not proffered a key. "Oh yeah, show me what I have encrypted and I'll show you the key."
b) If that's not enough, proffer the false key that gives them the alternative access. "Ok, here you go. Let me know if you find anything incriminating. (tee hee)"
Lastly, if you use things like encrypted swap on a unix device, you can plausibly say that what is there is just an encrypted swap file, and you don't have a key because the key is never saved to the disk. Why isn't it mounted now? You only set it up temporarily and forgot to delete the file when it was done. (for 1Gb files or larger...) If you have a 20Gb file, you're probably going to have to explain it... and go for option (b) above.
Of course, if your 20Gb file is not a file, but is just an "empty" partition... well there you go.
Please note - I'm not advocating breaking any law here - just outlining what this will drive people who care enough to do.
i - This sig provided by
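The two-access container described in the comment above, as an added example that is not part of the original thread and is not TrueCrypt's code or on-disk format. It is a simplified two-slot model: `SLOT`, `seal_slot`, `make_container` and `open_container` are hypothetical names, and a SHA-256 counter keystream stands in for a real cipher because the Python standard library has none.

```python
import hashlib
import hmac
import os

SLOT = 256                      # bytes per slot; a container is two slots
SALT, TAG = 16, 32              # per-slot salt and HMAC-SHA256 tag sizes
BODY = SLOT - SALT - TAG        # encrypted bytes per slot

def _keys(password, salt):
    # One PBKDF2 call yields an encryption key and a separate MAC key.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=64)
    return k[:32], k[32:]

def _stream(key, n):
    # Toy keystream (SHA-256 in counter mode), standing in for a real cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_slot(password, data):
    """Encrypt data into one fixed-size slot: salt | tag | ciphertext."""
    if len(data) > BODY - 4:
        raise ValueError("data too large for one slot")
    salt = os.urandom(SALT)
    enc_key, mac_key = _keys(password, salt)
    # Length prefix plus zero padding, so the whole body is encrypted and
    # every slot has the same size whatever it holds.
    body = len(data).to_bytes(4, "big") + data + bytes(BODY - 4 - len(data))
    ct = _xor(body, _stream(enc_key, BODY))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return salt + tag + ct

def make_container(outer_pw, outer_data, hidden_pw=None, hidden_data=b""):
    """Second slot is either a sealed hidden payload or plain random filler."""
    first = seal_slot(outer_pw, outer_data)
    if hidden_pw is not None:
        second = seal_slot(hidden_pw, hidden_data)
    else:
        second = os.urandom(SLOT)
    return first + second

def open_container(container, password):
    """Return the payload this password unlocks, or None if it fits no slot."""
    for off in range(0, len(container), SLOT):
        slot = container[off:off + SLOT]
        salt, tag, ct = slot[:SALT], slot[SALT:SALT + TAG], slot[SALT + TAG:]
        enc_key, mac_key = _keys(password, salt)
        expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            body = _xor(ct, _stream(enc_key, BODY))
            n = int.from_bytes(body[:4], "big")
            return body[4:4 + n]
    return None

if __name__ == "__main__":
    # Constructed sample data: one container with a hidden slot, one without.
    both = make_container("outer-pw", b"letters to grandma",
                          "hidden-pw", b"the real notes")
    plain = make_container("outer-pw", b"letters to grandma")
    print(open_container(both, "outer-pw"), open_container(both, "hidden-pw"))
    print(len(both) == len(plain), open_container(plain, "hidden-pw"))
```

Both containers have the same length and the same layout, and without the second password a used second slot and random filler differ only in bytes that look random, which is the examiner's problem the comment describes.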
Why not get right to the root of the matter, then, and simply criminalize any attempt to engage in a private conversation? After all, speaking to someone face-to-face in a secure setting is functionally the same as using encryption in a remote communication. No more walks in the woods, unless you immediately file a synopsis of everything you talked about with the proper authorities...
Or the human cattle ID cards Act, which creates by far the world's most intrusive Big Brother database on citizens by linking up 5+ previously unconnected databases...
The Dictatorship Bill, also called the Abolition of Parliament Bill, Totalitarianism Bill or (by the Govt) the Legislative and Regulatory Reform Bill is nothing less than a naked grab for power. After being amended 3x, the Bill was passed in the form described here.
LRRB enables ministers to rewrite our constitution with only rudimentary scrutiny. Consider the extraordinary mass surveillance / coercion implications of the ID Cards Act. Even the well-organised opposition could not stop this legislation.
What chance then of:
1. Spotting obscure but deeply damaging clauses hidden in the boring legislation?
2. Motivating the Tories, LibDems and enough New Labour drones to subsequently block it?
LRRB is then carte blanche for Blair to do what he will with this country. What can we deduce of his plans?
New Labour already rejected an amendment to stop LRRB re-writing our most important constitutional laws. They then promised to introduce new amendments fulfilling the same thing. Our skepticism was once again justified. This is more than enough evidence that Blair wants dictatorial powers.
LRRB is obviously a precursor to passing laws which Parliament wouldn't otherwise pass.
Considering the deeply scary laws he's got through Parliament, the likelihood is that he wants something so badly, and so unpalatable that he won't even risk presenting it for proper Parliamentary scrutiny.
- He does not need Parliamentary approval to invade Iran
- He already has Hitler's Enabling Act.
- He has already passed RIPA and the ID Cards Act for more Big Brother snooping than anything China or North Korea have.
- He already has locked up people for 3 years without trial or even being questioned - although he has twice been 'told off' for breaching the Human Rights Act in this way.
I did not believe that he needs LRRB to repeal the HRA - indeed one welcome amendment was to exclude the HRA from being amended. When every other explanation has been ruled out, whatever remains, however unlikely, must be considered. I think something much worse is coming although I dread to think what.
Better yet: One key decrypts your regular files. Letters to grandma, pictures of your baby, etc. And the other decrypts your super secret terrorist plans. Both from the same encrypted volume.
Good idea. Then you can give up the key showing your terrorist plans and just get a few years in jail. They will never find your photo collection and your secret letters.
I'll probably be modded down for this...
Catching up? That's so unfair. It's not like the British are newcomers at this -- if they hadn't done it first, there likely wouldn't be a US.
In America we have what's called the 5th amendment. Which should mean that I have protection under the law to not be forced to answer questions that incriminate myself. What is your password? and what is your encryption key? should be similar to Where were you the night the victim was shot? I don't have to answer if I believe that in answering the question it will incriminate me in a crime.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I'm a political scientist by education.
Where does that put me in your example?
Switching a few words around in a famous bit of prose: (-1, Douchebag)
Knowing which words to switch: (+5, Interesting)
Some things (+1, Funny) can't buy. For everything else, there's metamod.
Statist indoctrination trumps. There may be disagreement about how a state is run, but my guess is that everyplace you were educated, the absolute necessity of a strong central state was a given. One country might justify the need for a state in order to protect itself from foreign enemies, another might justify the state in order to provide social services, another might justify the state for other reasons. But they all agree on the supremacy of the modern centralized state. They disagree on the way a state should be run, the principles the state should abide by... but they all see the state as an institution that is intrinsically "good". I very highly doubt that anywhere in the world, you were taught to question the government itself as an institution (and I don't mean to question the current political regime, or the current party in power... but I mean to question the state in itself).
The criminals using encryption are already breaking the law and obviously won't turn in their keys to the police. The only people who will be caught up in this legislation are the good people who follow laws. Whoever thought this up should be sacked for pure stupidity.
I was crazy back when being crazy really meant something. (Charles Manson)
Just create a couple gigs of nothing but encryption keys on your hard disk, then choose an arbitrary number of them randomly whenever you want to encrypt something. When they want the keys... give them the entire contents of that partition.
Non sequitur: Your facts are uncoordinated.