UK Government Can Demand You Hand Over Encryption Keys
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
I guess when wire-tapping and CCTV just isn't enough
Unless we let the government have access to all our data then the terrorismists will WIN.
After all, if you've nothing to hide then what's the problem? I for one will be printing out all of my data in hardcopy to send to the government, as I am a PATRIOT.
After all - there was no terrorismisticals before the internet.
This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".
This law was implemented years ago. The article author seems to know very little about the law in this respect, especially as it has barely changed since its introduction in 2000/2001. Thankfully, it appears it has yet to be used in a non-terrorism related case.
I'm curious to see how they handle hidden volumes on encrypted disks. Sure you can give up the first key, but if you don't give up the second (or the x-th, how far can you nest these?) who's to know?
12:50 - press return.
RIPA has had a lot of negative coverage since the idea was first raised. Someone at the time proposed emailing the Home Secretary with a few MBs of random data and the text 'here is the information on your opium import operation. The key is as we agreed' and then sending a tip to the police. If the Home Secretary does not disclose the key (which he doesn't have) then he is liable for 5 years of jail time. Or, the government could see how silly the act is and repeal it. Since the law just went into force, I expect civil liberties groups will start trying this soon.
I am TheRaven on Soylent News
> The law only applies to data on UK shores
So an offshore shell account renders this law useless? What a bunch of morons!
If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....
Are we surprised that digital keys have the same requirement?
And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.
Encrypt using Truecrypt, which supports plausible-deniability. Allows you to have an encrypted volume and then a "hidden" encrypted volume within that. If you're ever forced to give up your key due to extortion or torture, you only need to reveal the key to the outer volume and the inner hidden volume remains encrypted.
This is why you need to use something steganographic not just encrypted - just give them the fake key rather than the real one and it'll decrypt to some mockup installation full of boring crap. To my mind, the main risk is evil British intelligence services (I'm Irish, suffice to say my race has reason to call those people evil) wanting to grab your gpg key or similar in order to impersonate you, so planting a dummy key in the fake installation is also smart - if anyone uses the key to sign a message, your cell can know the enemy are on to you.
Truecrypt hidden volumes
This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.
A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he
a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")
or
b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.
That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?
"As God is my witness, I thought turkeys could fly." A. Carlson
For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.
Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.
I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
>north
You're an immobile computer, remember?
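As an added illustration of the comment above (not code from the thread or from any project it names), this Python sketch contrasts a message key sealed to a recipient's long-term key, the encrypted e-mail case, with a session built only on per-connection keys. X25519 follows RFC 7748 and is written inline so the block runs offline; the function names, the HMAC tag standing in for SSH's host-key signature, and all keys are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # ladder constant from RFC 7748
BASE = (9).to_bytes(32, "little")    # standard base point u = 9


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Not constant-time: illustration only."""
    s = bytearray(k)
    s[0] &= 248
    s[31] = (s[31] & 127) | 64
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASE)


def kdf(label: bytes, *parts: bytes) -> bytes:
    return hashlib.sha256(label + b"".join(parts)).digest()


# Design 1: message key sealed to the recipient's long-term key (e-mail model).
def seal_to_long_term(recipient_pub: bytes):
    eph_priv, eph_pub = keypair()
    key = kdf(b"mail", x25519(eph_priv, recipient_pub))
    return eph_pub, key              # eph_pub is stored beside the ciphertext


def open_with_long_term(recipient_priv: bytes, eph_pub: bytes) -> bytes:
    """The long-term private key re-derives the message key at any later date."""
    return kdf(b"mail", x25519(recipient_priv, eph_pub))


# Design 2: per-session keys; long-term keys only authenticate the exchange.
def auth_key(my_lt_priv: bytes, peer_lt_pub: bytes) -> bytes:
    return kdf(b"auth", x25519(my_lt_priv, peer_lt_pub))


def tag(akey: bytes, role: bytes, ea: bytes, eb: bytes) -> bytes:
    return hmac.new(akey, role + ea + eb, hashlib.sha256).digest()


def run_session(a_lt, b_lt):
    """Simulate both endpoints; return (values seen on the wire, session key)."""
    (a_priv, a_pub), (b_priv, b_pub) = a_lt, b_lt
    ea_priv, ea_pub = keypair()
    eb_priv, eb_pub = keypair()
    wire = {
        "ea": ea_pub, "eb": eb_pub,
        "tag_a": tag(auth_key(a_priv, b_pub), b"A", ea_pub, eb_pub),
        "tag_b": tag(auth_key(b_priv, a_pub), b"B", ea_pub, eb_pub),
    }
    key_a = kdf(b"sess", x25519(ea_priv, eb_pub), ea_pub, eb_pub)
    key_b = kdf(b"sess", x25519(eb_priv, ea_pub), ea_pub, eb_pub)
    if not hmac.compare_digest(key_a, key_b):
        raise ValueError("endpoints disagree on the session key")
    del ea_priv, eb_priv             # drops the references; Python cannot wipe RAM
    return wire, key_a


def verify_tags(wire, my_lt_priv: bytes, peer_lt_pub: bytes) -> bool:
    """Man-in-the-middle check: both tags must cover the ephemeral keys seen."""
    akey = auth_key(my_lt_priv, peer_lt_pub)
    return all(
        hmac.compare_digest(wire[name], tag(akey, role, wire["ea"], wire["eb"]))
        for name, role in (("tag_a", b"A"), ("tag_b", b"B"))
    )


def keys_derivable_later(wire, lt_priv: bytes):
    """Every 'session key' a long-term key can compute from the recording."""
    ea, eb = wire["ea"], wire["eb"]
    return {kdf(b"sess", x25519(lt_priv, pub), ea, eb) for pub in (ea, eb)}


if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    eph_pub, mail_key = seal_to_long_term(bob[1])
    print("sealed key recoverable:", open_with_long_term(bob[0], eph_pub) == mail_key)
    wire, session_key = run_session(alice, bob)
    print("session tags valid:", verify_tags(wire, bob[0], alice[1]))
    print("session key recoverable:", session_key in keys_derivable_later(wire, bob[0]))
```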
That's right, I seem to recall that Rivest, Shamir, and Adleman wrote about providing protection for pedophiles and terrorists in the motivation section of their paper on RSA.
"Question with boldness even the existence of a god." - Thomas Jefferson
In the UK, the rights of the people are what the Parliament decides. Tradition is what holds them back from being tyrants. Unwritten constitution and all that.
In the US, the rights of the people are written into the Constitution and it explicitly says there might be more. Traditionally, Congress ignores this and runs wherever the political wind blows them. They wait for the courts to save them, or for the political winds to shift again.
Either way, the only real saving grace is staying engaged politically. Keep the politicians from stealing everything you have in an effort to save it for you. There are still people who think that freedom is too precious to be given to the people they are protecting it for. Damn.
Behold, this dreamer cometh. Come now, and let us slay him... and we shall see what will become of his dreams.
Protest the U.K. Government: Don't visit the bastards.
Yours sincerely,
Kilgore Trout
P.S. : Defend Democracy: Fuck Bush
I smell a budding market rife with desire for custom made encryptions. Such a black market could make some clever and morally grey individuals quite a bit of money. Gotta love the free market :)
What if I don't have the keys but only store the data (i.e. I'm a backup service provider who stores data for people he doesn't even know by name or anything but IP address, which is fleeting at best)? What if I simply cannot remember the keys or, in case of keydisk/keyfile systems, have lost either (or destroyed because the archives are old backups no longer needed)? What if I don't remember which version of which cypher program was used to encrypt the keys (I tend to have that problem, actually, with a few archives...)?
I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Have an off-shore cron job to revoke your keys if you don't touch them often enough.
When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.
The revocation is the trigger that you have been asked.
Sam
blog.sam.liddicott.com
But then they will know my luggage combination.
1. Place files full of random data on their machines
2. Tip off the authorities to their "terrorist plans"
3. Watch them get five years for "refusing" to decrypt the "data"
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
Yay! The Four Horsemen! But they forgot the Money-Launderers.
This reminds me, some guys had sent a PGP-encrypted email to the (Australian?) Prime Minister, then reported him to the police. His house was searched for the crypto keys; the next day the law project was put under the rug.
What are you UKsians waiting for?
Making laws based on opinions that stem from false information leads to witch hunts.
...when you pry it from my cold, dead, mouse hand.
GetOuttaMySpace - The Anti-Social Network
Does the UK have the concept of a search warrant?
I know everyone gets their panties in a wad about the guvmint decrypting their data, but I'm somewhat okay with it if a court is involved in the issuance of a valid search warrant. It's not fundamentally different from the court-overseen right to come into your home and search the premises.
You can't completely declaw the police or they'll be useless at any type of law enforcement.
Why are you letting these clowns ruin our country?
Those aren't encrypted files. I just like to keep a few multi-gigabyte files of random data on my system at all times -- it's a fetish of mine.
... "it is Pi to 10 billion places"
Wake me up 3 lifetimes from now, when you are done inputting the key passphrase.
It's a very clever government if it can tell the difference between well encrypted data and a block of random bytes. Perhaps they will make having a USB drive full of random numbers illegal.
The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.
Paid Q&A/Research
Frankly, this story just about sums up what the internet has become, a place for people to whine and bitch and moan about the things they could have done something about if they hadn't all become so god damn lazy.
Actually, a lot of us did do things about this at the right time, thank you. Lot of good it did us, of course, but at least we tried rather than just complaining about people who aren't trying.
Not true.
The warrant will be for a search of your hard drive.
The consequences won't be pleasant when a judge asks why you withheld the key to a hidden volume that was known to others or was exposed in forensic analysis.
Claim you:
1. Can not recall your key
2. You have no recollection of ever setting up encryption
Unfortunately they seem to have thought of this. Not being able to recall your key is not a defence, unless you can provide evidence that you've forgotten it. And they only have to show reasonable grounds to believe you ever had it, not that you actually did.
Keep your encryption keys offshore.
You have the password to unencrypt your offshore keys. This password cannot be demanded of you (jurisdiction). But when you want to use your encryption keys, your application asks for the password, retrieves the key, and performs your data decryption (locally or remote?).
Decidedly more trouble than it's worth, but an interesting thought exercise.
The world is made by those who show up for the job.
This is in fact very easy to prove:
If the maximum jail time for not divulging encryption keys is significantly less than the time for actually being convicted of terrorism, then it should be obvious that real terrorists would never divulge such encryption keys.
No, this law, and others like it in other jurisdictions, are simply there to give the police one more reason to force regular citizens to hand over their keys.
If you actually do have something to hide from the authorities, the best idea is probably to look into http://truecrypt.org/ and the capability of having hidden encrypted volumes.
When forced, either by legal threats or by rubber hose interrogation, you can then divulge the primary key. On the primary volume you should store potentially embarrassing, but not really critical information. This should be sufficient to show that you had reason to hide said info, but not enough to put you in jail for a long time.
If you happen to be located in a place like Myanmar/Burma, then you should also use TrueCrypt, for exactly the same kind of reason.
Terje
"almost all programming can be viewed as an exercise in caching"
"almost all programming can be viewed as an exercise in caching"
Hmmm.
Strongly encrypt your sensitive stuff, keep the key far from your computer, and depending on the size, name it after a few popular songs or prOnstars and let it live on the mule, then recover it only as needed. "Hey, it's not my data, just a fake download". Bonus point, you can recover it anytime and anywhere.
The solution: http://en.wikipedia.org/wiki/Plausable_deniability
Implementation: http://en.wikipedia.org/wiki/True_crypt Have a nice day..
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
I was wondering how the court would rule if your password contained information that would incriminate you in a different crime.
For example, if your password was: "my_murder_victim_is_buried_under_my_patio" or "I_embezzeled_20million_into_account_123456789", wouldn't revealing the password violate your right against self-incrimination (at least in the US)?
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Does the UK not have some equivalent of our Fifth Amendment? In the U.S., you cannot be forced to testify against yourself. Giving up encryption keys would definitely qualify as "self-incrimination".
Yeah. The U.K. (along with most countries) has always impressed me as a country designed by the bureaucrats, of the bureaucrats, and for the bureaucrats. Unfortunately the U.S. has been heading the same way for a while.
People forget that the U.S. Senate came close to outlawing Public Key Crypto back in September of 1991. This is why there was a rush to release PGP back in the summer of that year. It negated anything the Senate could do.
One has to wonder what life would be like without public key crypto today, or the interest in it which the prosecution of Phil Z. spurred.
Two things which come to mind are Bill Clinton's Clipper chip, and a lot weaker Web-based business. And certainly not the ability to keep things private via PGP or TrueCrypt.
So long as it also means "carte blanche" for the public to encrypt all communications by default.
Mass encryption would mean an end to all those illegal wiretaps. By requiring you to hand over your keys you'll know for sure whether or not they're eavesdropping.
The "only with a court order" system will be enforced by technology.
No sig today...
Federal Rules of Civil Procedure 26-36 are perfectly clear - the US can demand your crypto keys as part of discovery in litigation, end of story. Fed. R. Civ. P. 37 spells out what happens if you don't comply, and the basic idea is that you get the choice that Steve James offers the unnamed punching bag in The Soldier: "Duck or bleed." If you get served with a subpoena or ordered to comply with discovery, you can comply (duck) or resist (bleed).
Having said that, I'm immune. I have numerous files and directories on my computer that are encrypted with strong crypto and to which I do not have the password. I created them, assigned them random passwords that I never knew, filled them with random garbage that I never saw, and there they sit. I do not need to produce decrypted versions of those files or directories in court or anywhere else because they are not under my control.
So far, so good, but who cares about files with no useful information? I do. Ordinarily, the fact that there's a decrypted file on my computer establishes a ludicrously-hard-to-rebut presumption that I have "possession, custody, or control" of the data therein. (Fed. R. Civ. P. 34(a)(1)) However, because I can establish that I have many files and directories that are not in my possession, custody, or control (for decryption purposes), that presumption does not apply to me. The party seeking disclosure must establish, file by file, that I can decrypt the file. And that's damned hard to do.
A few notes: if you do this to circumvent judicial process, you're not going to get away with it. The judge is just going to allow the other party to draw the worst reasonable inferences about the contents of the file and force you to rebut. I, however, am not doing this to circumvent the law; I am doing it to make it hard for hackers who break into my system to figure out what they have to crack to get my important business data. The fact that the net result is that it has the potential to make discovery harder is only a side-effect for which I cannot be sanctioned.
Second, if someone can establish that you should be able to produce something, this system isn't going to protect you. Crypto is just a high-tech shovel and a hard drive is just a high-tech back yard. Saying that you aren't going to produce an encrypted document is no different than saying that you aren't going to tell someone where in the back yard you buried that document. The court is not without tools to deal with uncooperative parties.
Last, if you get involved with subpoenas or discovery, seek advice from something stronger than this posting.
So the media companies have to hand over the specs and keys to the HD or Blu-ray DRM encryption? (Otherwise, they could be hiding secret information on the discs to overthrow the government.)
1: XOR your encrypted database with 2GB of appropriate "art". ...
2: Explain to the police that your data is encrypted with a OTP
3:
4: Profit!
Plausible deniability is not half as fun as plausible Goatse baiting...
No need for the sneer quotes, unless you are a nanny-stater who condones this type of governmental intrusiveness.
"This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law."
I think the law, just on a general level, earns its evil reputation well enough. So they used a condom, but they still buggered you.
damaged by dogma
Honest question, I am curious: what happens if you claim you don't remember the password/key? Wouldn't the burden of proof that you in fact DO remember it be on the shoulders of the prosecution? Because I don't really see how the prosecution could provide evidence for what you do or don't remember.
I remember when this was first up in front of parliament in 1999/2000, but I didn't know they had passed the thing.
There was considerable concern in the banking industry at the time (noted in the article) about whether they'd have to release their keys. The original proposal said that the authorities could:-
a.) approach anyone with access to the keys and demand that they release them (including secretaries for example) on penalty of gaol,
b.) silence that person from discussing the approach or forced release with their employer (ie. the real owner), again on penalty of gaol.
Another slight concern was the role of SSL where there is an exchange of keys and whether this could open a backdoor to a class-break by forcing keys out of multiple customers, while keeping those people silent.
Does anyone know if the legislation actually enacted does that stuff?
The New Labour government has been obstructing justice for 10 years, what with whitewashed reports and "it was an honest mistake" and all that. How long do the public have to wait before the government (ex)ministers are finally put in prison themselves for their crooked ways?
If I am not mistaken (I am not a lawyer), *IF* U.S. law enforcement were aware that a specific document or file existed in an encrypted archive, and that it had relevance to the case, then they might be able to subpoena that document. The recipient of the subpoena would be legally required to produce the document in question, and the subpoena can be enforced in the usual manner. However, any other content of the encrypted archive need not be revealed.
They may NOT engage in "fishing expeditions", and demand that one give them keys to encrypted archives so that they might look around for incriminating evidence. There has to be a "probable cause", prior to subpoena.
Check out the "Moot" project: http://www.zenadsl6186.zen.co.uk/ Hopes to make RIPA act moot...
"I guess when wire-tapping and CCTV just isn't enough"
The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.
The movie Zeitgeist explains it: The movie Zeitgeist (2007) claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.
The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.
The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.
Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.
Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004).
For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.
For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.
I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)
Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.
TrueCrypt has "plausible deniability". I wondered why TrueCrypt encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.
There's no law against self incrimination.
Yep, I wrote to my MP about it, she said she agreed with me but all the other party drone MPs voted for it anyway.
The time for citizens of the UK to start saying no may be overdue. The abuse of their privacy hurts us all. The UK lowers the bar, and allows other governments to take a little privacy here and there and then point their finger at the UK and say at least it's not that bad. When the government wants to take things, Charlton Heston likes to say, "...from my cold dead hands." I am not a fan of Heston nor the NRA, but I do encourage the UK to employ honest dissent from policies that take privacy/freedom in an attempt to provide security.
I use the following procedure to securely erase HDDs:
1. Set up full disk encryption with a random password (Linux dm-crypt)
2. Overwrite mounted encrypted volume with random data (not cryptographically strong)
The result cannot be distinguished from an ordinary encrypted disk, and that can be mathematically demonstrated. Also there is no way I can prove there is really no data there. Again mathematically provable that I cannot demonstrate this.
Many other secure deletion utilities produce results much like this, i.e. not distinguishable from encrypted files or whole disks.
So, everybody that does secure deletion of this type now goes to prison? I don't think so. What I think is that it requires a conclusive explanation of this impossibility to get this law restricted to cases where the authorities first can prove the presence of encrypted data. This will be the cases where the users do not understand crypto. All the others will successfully evade this exceedingly incompetent law.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
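Several comments above turn on whether ciphertext can be told apart from random fill. The Python below is an added example, not code from the thread: it runs the two byte-level tests a triage tool typically applies (Shannon entropy and a chi-square test against the uniform distribution) over a constructed image. The SHAKE-256 keystream is a stand-in for a real disk cipher, and the sample log line, region names and thresholds are assumptions made for the example.

```python
import hashlib
import math
import os
from collections import Counter

BLOCK = 64 * 1024  # scan granularity in bytes


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR the data with SHAKE-256(key) output."""
    ks = hashlib.shake_256(key).digest(len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")
    return mixed.to_bytes(len(data), "big")


def byte_stats(buf: bytes):
    """Return (Shannon entropy in bits per byte, chi-square versus uniform)."""
    counts = Counter(buf)
    n = len(buf)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    expected = n / 256
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return entropy, chi2


def classify(buf: bytes) -> str:
    """The only verdict these tests support: structured or high-entropy.

    With 255 degrees of freedom a uniform source gives a chi-square of
    about 255 with a standard deviation near 23, so 400 is a generous cut-off.
    """
    entropy, chi2 = byte_stats(buf)
    return "high-entropy" if entropy > 7.9 and chi2 < 400 else "structured"


def build_regions():
    """Constructed sample: four two-block regions of a pretend disk image."""
    line = b"2007-10-02 12:50:01 host sshd[4242]: Accepted publickey for user\n"
    text = (line * (2 * BLOCK // len(line) + 1))[: 2 * BLOCK]
    return [
        ("plaintext", text),
        # Real data encrypted under a key the owner holds.
        ("ciphertext", keystream_encrypt(os.urandom(32), text)),
        # The erase procedure described above: random data written through
        # an encrypted mapping whose random key was never recorded.
        ("wiped-volume", keystream_encrypt(os.urandom(32), os.urandom(2 * BLOCK))),
        # Plain random fill with no cipher involved at all.
        ("random-fill", os.urandom(2 * BLOCK)),
    ]


def survey():
    """Classify every block in every region; map region name -> set of verdicts."""
    result = {}
    for name, data in build_regions():
        blocks = (data[i : i + BLOCK] for i in range(0, len(data), BLOCK))
        result[name] = {classify(block) for block in blocks}
    return result


if __name__ == "__main__":
    for name, data in build_regions():
        entropy, chi2 = byte_stats(data)
        print(f"{name:13s} entropy={entropy:.4f} chi2={chi2:12.1f} -> {classify(data)}")
```

These tests look at byte frequencies only; container headers, partition metadata and traces left by the software that wrote the data are outside what the block models.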
I've heard of an interesting tactic used in a relatively high-profile case here in the US (use Google to search for "David LaMacchia") to prevent the divulging of decryption keys and passwords: make the court-demanded information contain the text of a confession to a crime. By engaging the US Constitution's Fifth Amendment protecting against self-incrimination, the defendant in question was successfully able to avoid divulging the pertinent data. Naturally, this strategy creates the liability of being charged with obstruction of justice, but that's potentially a far lesser crime. IANAL, and this is not legal advice, so take this information for entertainment value only.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Truecrypt's plausible deniability is worthless or even dangerous.
If you have Truecrypt installed it just means you're going to rot in jail till you can either:
1) Convince the police that some random file you have that they are interested in is not encrypted.
2) Decrypt the file somehow (even if it wasn't encrypted in the first place ;) ).
You'd be better off downloading some legal porn (or something similarly frowned on but legal) and encrypt sets of them (without truecrypt) and write down the keys somewhere so you never forget or lose it. Then if the Gov says "hand over the keys" you hand over the keys, rather than say "I have no keys".
A Gov like that is going to presume you're guilty of something.
I was astounded to find that the govt. can search your house if they get a warrant. If you don't let them in, they'll break in!!!!! We live in a police state!!!!!
TrueCrypt's plausible deniability is more than that. With it you can have two encrypted volumes within the same volume only with different keys. If you are asked for a key, you give them one. They unencrypt the volume you gave them a key for and they find nothing. More information (and probably a much better description) here.
Stop Global Warming!
Just say no to irreversible processes!
In which case your attempt to appease them with legal porn is probably not going to help. A government like that will find something to charge you with no matter what you do, so why give in so damned easily?
We are the fire that lights our world.. and we are the fire that consumes it.
I think you mean root around.
No really.
"Can demand now"? I remember hearing a long time ago that you face up to 2 years of jail if you don't give up your encryption keys to police in UK. I'm pretty confident about that - I rarely hear any UK news at all...
There is one way to show that an inner volume likely exists. Check the 'recent files' list of the programs on the computer if there are references to files not on the outer volume. If you have a lot of those, it should be reasonable to assume that there is an inner volume. Sure, you may just have deleted a lot of files from the outer volume, but it's not very likely if the other files haven't been touched for some time.
Wrong- TC will let you make a disk which is actually two disks (It's impossible to tell which is which). The thing there is that you hide stuff in one part which isn't too hot (legal porn, etc) and then use the other part of the disk to store the really hot stuff, and select which you want to access by using one key or the other. So when the cops come you just give them one set and they go 'Oh. OK.'
Could not open
When they say that you need to hand it over, couldn't you give them the encryption key with a second key? Then when they ask for THAT key, you encrypt that second key with a third key. etc etc. Could this postpone giving them any info ever at all?
IOW. Does the law say anything about the format of the encryption key?
the uk is a police state but they are just not as open about it as the usa!
http://www.noliberties.com/
http://www.thedossier.ukonline.co.uk/
The Truth Is Out There:
I don't really understand the hubbub. The government can already get you to hand over your real keys. They can get a court order to open your safe deposit box. This is just an extension into virtual space of governmental power which ALREADY exists in physical space.
Statistically speaking, there's a 99.998% chance that my IQ is higher than yours. Get over it.
It seems to me that anyone banged up for 'forgetting' their pass phrase would have excellent grounds for appeal, and overturning the law. And let's face it, this morally corrupt, authoritarian Labour government has had its nefarious laws overturned before.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
No, it is when search — the practice long accepted as a legitimate law-enforcement tool — is not enough.
If we allow police to search houses (including safes — demanding keys, when needed), it is only logical to allow them to also decrypt data (demanding keys, when needed).
In Soviet Washington the swamp drains you.
A computer is not a house, but rather like an enhancement of your brain.
You cannot be forced to tell what you think and what you know,
and giving them a key means telling what you know
and the computer (your brain 2.0) knows.
Yes there is - it was established by the European Court of Human Rights that the right to silence and the right to not incriminate oneself were intrinsic aspects of a fair trial. http://rechten.uvt.nl/koops/casi-faq.htm#2.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
You miss my point totally.
The gov thug comes and says "Ah you're using Truecrypt, we know about that cool feature they mention in their website, so hand us all keys".
And if you're stupid you go "Uh I only have one key".
Then:
a) If you're not telling the truth, you're in deep shit.
b) If you're telling the truth, you're in deeper shit, since there's no key #2 to give them.
Think Truecrypt is so great now? Truecrypt's "plausible deniability" feature is crap.
What I call plausible deniability would be if a very popular linux distro ALWAYS generated a 100MB (or 2% of diskspace, whichever is larger, up to a max of say 1GB) file full of random stuff and plonked it on the filesystem, and it always included encryption tools by default.
Would normal users be willing to pay the price of the "wasted" space and time?
I didn't expect to have to explain in detail how stupid it was but anyway:
http://slashdot.org/comments.pl?sid=314757&cid=20826495
Yep, I wrote to my MP about it, she said she agreed with me but all the other party drone MPs voted for it anyway.
And I bet that those 'other party drone MPs' all said the same thing to the people that wrote to them about it.
In the free world the media isn't government run; the government is media run.
After reading the article it applies only to on disk storage of information rather than encrypted data transiting the network which typically use dynamic encryption keys.
... Can you still go to jail for destroying the only physical key that can gain access to the vault containing said master key?
I guess this is precisely why truecrypt and others provide a way of hiding information on disk (plausible deniability) and what duress keys are for.
Anyway what if you honestly lose your key or forget a passphrase?
Let's say you locked your Master key up in a vault and intentionally destroy the only key that can open it fearing some shadowy figures (unrelated to the authorities request) were after you. You tell the authorities where the information is
What happens if the computer's disks are rigged to fry if someone attempts to force their way through said vault. Would you be held liable for that?
What if the government finds an old hard disk drive laying around using an old encryption key that hasn't been used in years that was destroyed/long since forgotten you don't have any clue about.
What if a friend gives you a hard disk drive with data encrypted that you have no knowledge of. Does your friend go to jail for refusing to help or do you for being ignorant.
What if you buy a disk drive used on ebay the authorities find data on they want decrypted?
I think comparison with your house is more apt than comparison with your brain.
All your key are belong to us!
The vast majority of social and environmental impacts regarding crime (meaning the type of crimes that really affect us all) stem from Murder, Rape and Physical Theft. Although a percentage of criminals use a PC to lure a victim, it is so remotely negligible compared to ones who do it without a PC.
How much money was spent on the bill/law/amendment for this new practice to pass?
How much money is spent enforcing this?
How many Murders, Rapes and Physical Thefts did this new practice reduce?
Did the overall cost + 1 annual year of resources = spending the money on more physical resources in the field to reduce true environmental criminal impacts? The answer will be NO.
This is nothing more than big government wasting money on low resulted solutions and using scare/fear tactics to justify its use to making more money doing almost nothing.
The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities
...then why don't they craft the law to focus the demand to be available by law enforcement only when the case falls into any of the above classifications...instead of creating this insanely overgeneralized law with an insanely high potential for abuse by insane megalomaniacal law enforcement officials.
Once they have your data there is actually nothing I can detect which demands they pay attention how such confidential data is handled and how use of it is audited. If I'm wrong I'd love to be corrected but I can't find it.
To translate that into reality: if you're a private banker who has the misfortune to have a client who the US is interested in, the collaboration between UK and US means that your client confidential data may well end up in the hands of a junior policeman who has freshly fallen out of school. You have no recourse, and you cannot tell the client, but if the client finds out his confidential data has leaked it's your problem - the Home Office won't help you rescuing your reputation.
We use a service which vaults two parts of a split masterkey outside the EU. It won't stop the masterkey being demanded and supplied, but it will enforce the use of Interpol which creates different compliance demands.
We saw this coming a good 7 years back. 1984 has almost arrived.
Think of it this way - police get Mafia bosses on tape speaking in code. The speakers use words like "package" or whatever to describe their stolen goods. The "key" to that code is in the heads of the speakers in the conversation. By your reasoning, those bosses should be forced to divulge the "key", i.e explain what they were referring to when they used the word "package". But that isn't allowed - the tape is played in court, and the jury decides what they think is meant.
I can see it now - a law that states that refusing to explain the codewords used in conversations is obstructing justice and punishable by jail time. It wouldn't make it past the first District court judge who encountered it, much less the Supremes.
"As God is my witness, I thought turkeys could fly." A. Carlson
I often keep blocks of random numbers on my computer so I can repeat tests. Now Plod can demand the decryption key. It doesn't matter that there isn't one. So I accept my sentence or give him a "key" that XORs to a picture of the Queen.
"Not good enough!", cries Plod. "I demand *another* key!"
So I give him the XOR for goatse.
"Better...", says Plod, smacking his chops, "But you can do better than that or I'll have you..."
So I give in and provide the XOR for Edwina Currie and John Major doing it on nylon sheets.
"Sickening!" he cries, "That will do nicely!"
There's a serious point here - the Act implicitly requires that the encryption be performed to Plod's satisfaction, but Plod doesn't know what he wants, or he wouldn't be asking. Analogies with physical search don't apply, because there we have a physical test - can Gil Grissom account for every cubic inch of the property? Some things simply cannot be legislated, some are not best handled through legislation. In this case, conventional interrogation and allowing the jury to draw their own conclusions as normal would have sufficed. If it's urgent, like preventing a bomb going off or rescuing a kidnap victim, the suspect is already in very deep trouble. Another grounds for nicking him will hardly matter. A law which denies mathematical reality has been passed in a hysteria of knee-jerk legislation, and serves only to enhance the *mood* of a Police State.
I would like to ask all people who don't give a ***** about privacy why they have curtains in their bedrooms !
That's a lot of text, maybe you could spell out the exact text regarding passwords for encrypted information. I'm not seeing any difference between (a) compelling a murder suspect to disclose the body's location, and (b) compelling a pedophile to disclose his encryption keys. Not any difference, that is, in terms of self-incrimination. So where in the rules does (b) hold true but (a) is exempted?
I can just see UK police demanding to see the "sauce" for your porn collection.
You obviously didn't hear the part about plausible deniability. One cannot be compelled to produce what does not exist or cannot be proven to exist. The judge receives the keys to the outer volume decrypts it and looks at your files but he cannot compel you to give up the keys to a volume which does not exist. When asked, you simply reply, "that is all there is, sir" and they cannot prove otherwise. You have cooperated and they cannot throw you in jail indefinitely merely because they "think" you *might* be holding something back, especially if they cannot prove it even in the slightest. The whole point of hidden volumes is that they can be neither proved nor disproved...plausible deniability.
It does depend on the document. There are docs that can be kept from the court with or without encryption. However, on point with your question, Federal Rule of Civil Procedure 34(a) states that "[a]ny party may [cause any other party to cough up] any designated documents (including writings, drawings, graphs, charts, photographs, phono-records, and other data compilations from which information can be obtained, translated, if necessary, by the respondent through detection devices into reasonably usable form)". (This is a rule of civil procedure; I don't have my crim proc book handy and of course criminal procedure would be directly on point here.)
As to disclosing the location of a body versus providing encryption keys, I'd think along these lines: People have to surrender potentially incriminating evidence against themselves all the time (contrary text in the Fourth Amendment notwithstanding). For example, it is well-established that even before being charged, people may often (but not always) have to allow their fingerprints to be taken even though that will place them at the scene of a crime; hand over their IDs, even though that will establish that they are the ones who jumped bail; and occasionally surrender DNA samples even though that will tend to incriminate them in various ways. Once the court knows that you've got something interesting, the court will often want to take a peek. Some things (e.g., privileged communications with an attorney) are off-limits, but a surprising amount is not.
If the court knows that you know where the body is, the court will try to compel you to tell and bad things will happen to you if you do not. However, if the court merely strongly suspects, even US courts will not punish you until you produce the body because of the possibility that you actually don't know where it is.
So you can see if Truecrypt has been used?
Error: No error occurred
All we hear about from the Europeans and their American Left Wing Lackeys (no doubt paid) is that Bush is a wanna be Hitler, hell bent on exterminating everyone's civil rights, whereas Europe is the enlightened fount of all freedom to the world. I think a critical examination will reveal that George Bush is the most pro-freedom head of state of any of the major industrialized nations. If Europeans and Americans value freedom, then we need to amend the US Constitution so that he can have a third term, or, perhaps make Mr. Bush the President of the European Union.
Bush draws criticism for the USA PATRIOT Act, but the United Kingdom, I think, has more cameras in the city of London than the USA has on the North American Continent. Now we find that the UK will throw people in jail for refusing to turn over keys, something that is unconstitutional under the American Bill of Rights (The 5th Amendment). George Bush wouldn't do that, unless they were Islamic, and the vast majority of Christian citizens of the west need not be concerned.
In France, an investigating judge has essentially the same powers as an American prosecutor and a judge rolled in together, and no major European country has the American notion of double jeopardy - where a person cannot be tried twice for the same crime. In fact, George Bush's appointees to the Supreme Court have NEVER tried a criminal case twice for the prosecution.
European lawmakers contemplate banning all engines over 3 liters in displacement, but in America, a 6 liter V8 is a constitutional right, thanks to George Bush.
Europe does not have the fundamental right to keep and bear arms. Go ahead and try a Bushmaster XM15E2S in France or the United Kingdom. But, you can buy one in Delaware, USA, thanks to George Bush's timely repeal of the oppressive assault weapons ban.
The record on taxes too, is all Bush. George Bush has consistently pushed for lower taxes - meaning more freedom, lower environmental regulations (meaning more freedom). George Bush is condemned for his sphinx-like opposition to silly carbon taxes, but those same critics never seem to say exactly what machine will be built to clean up the atmosphere with that money. They know that their brothers are going to get new decks with that money.
Honestly, if I have to choose freedom, I would prefer George Bush any day of the week over any head of European State. I don't like what Bush did with the USA Patriot act, but I think any balanced opinion over civil rights and freedoms for the majority people will find, upon any serious examination, that the majority will get more freedom under George Bush and the Republican Party than any other European Party or State would.
My advice to Europeans, then, would be to assert your freedom in the most fundamental way : break out your confederate flag, and wear a nice t-shirt with a picture of George Bush, and proudly say in solidarity, "I'm a Republican Too"
Here's the song you need to learn. Put some gasoline in the rag and pass it along.
Sweet Home Alabama
Big wheels keep on turning
Carry me home to see my kin
Singing songs about the Southland
I miss Alabamy once again
And I think its a sin, yes
Well I heard mister Young sing about her
Well, I heard ole Neil put her down
Well, I hope Neil Young will remember
A Southern man don't need him around anyhow
Sweet home Alabama
Where the skies are so blue
Sweet Home Alabama
Lord, I'm coming home to you
In Birmingham they love the governor
Now we all did what we could do
Now Watergate does not bother me
Does your conscience bother you?
Tell the truth
Sweet home Alabama
Where the skies are so blue
Sweet Home Alabama
Lord, I'm coming home to you
Here I come Alabama
Now Muscle Shoals has got the Swampers
And they've been known to pick a song or two
Lord they get me off so much
They pick me up when I'm feeling blue
Now how about you?
Sweet home Alabama
Where the skies are so blue
Sweet Home Alabama
Lord, I'm coming home to you
Sweet home Alabama
Oh sweet home baby
Where the skies are so blue
And the governor's true
Sweet Home Alabama
Lordy
Lord, I'm coming home to you
This is my sig.
And the same reply that you got there deserves to be posted here: how is anyone going to tell that TrueCrypt is being used in the first place? That's why TrueCrypt advertises itself as having two levels of plausible deniability. Maybe you should learn how it works before spreading FUD.
The gov thug comes and says "Ah you're using Truecrypt, we know about that cool feature they mention in their website, so hand us all keys".
And if you're stupid you go "Uh I only have one key".
Then:
a) If you're not telling the truth, you're in deep shit.
b) If you're telling the truth, you're in deeper shit, since there's no key #2 to give them.
(1) both a) and b) are the same amount of shit, whatever happens.
(2) The law we're discussing here requires the police to show reasonable grounds to believe that you have the second key. I don't see any reasonable grounds here. Truecrypt is just about the most commonly used encrypted disk image system for Windows. Many people use it for only one volume.
The United States doesn't NEED to do this in order to decrypt your data. The UK law is the lazy way of going about it. In the US, if you're under investigation and the powers that be believe you encrypt your data, you can expect to be the recipient of a key logger in some form or another in the near future.
Your PI to the Nth power key is worth squat once the key logger has done its job.
So yes, we might FEEL like our data is safe, but in reality who checks their system and / or hardware on a daily basis to look for things the FBI likes to leave behind while you're at work?
Just a thought.
What it really comes down to is whether you are capable of standing up to a police interrogation.
The higher the technology, the sharper that two-edged sword.
The only problem with truecrypt is the two encrypted volumes feature is extremely well known and the obvious reason for choosing truecrypt is this feature.
In other words anyone who knows anything about encryption will expect a second encrypted volume. Especially when the first volume holds nothing incriminating. You can't even realistically act dumb, since you knew enough to install truecrypt in the first place.
If I really wanted something accessible but secure then it would be easiest hidden in a jpeg in an attachment to an email on a webmail service, or possibly in an iso of a popular torrent.
Blarney Quality Restaurant, Plants
You're obliged to hand over the key? No problem, phone your friend, give him the passphrase, and get him to print out the contents, and mail the printout to them.
Then why doesn't it say that explicitly in the law? Why not say that these rules can be used only to enforce those specific charges in that group, and not just to spy on the rest of us, who make up 99.99+% of the people?
--
make install -not war
Your point is only the point that anyone who has been interested in privacy protection in the last several thousand years has discovered and brought up. It boils down to the fact that if you are using encryption to protect your privacy, and you are one of a very few people doing so, then it is very obvious that you are hiding something. To anyone interested in you, they are naturally going to wonder what you are hiding, and try to force you to reveal it.
One of the very first PGP How-Tos I ever read mentioned that sending regular emails was like sending all your messages written on postcards, and PGP was like putting it in an envelope. It went on to discuss the hazard of being the only person mailing envelopes, when everyone else was content with postcards, and used that illustration to try to get the reader to get everyone on their address book using PGP for every message.
Your complaint, and proposed solution, is just that there be ubiquitous encryption so that one person who really wants or needs it doesn't stand out from the crowd by using something that is obviously different from "normal". You, just like the original writer of that long-ago How-To, are completely correct, however, just like him, you are doomed to disappointment. Until you can either get the majority of people to stop using Microsoft OS, or get Microsoft to include secure encryption, with no government back-door, turned on by default, anyone using any form of encryption is going to stand out when investigators come knocking. And yes, you can build your own linux distro with these features, but as you point out, could you even get a significant number of linux users to move to it, let alone the masses of people it would take for it to be considered 'normal'? Not only that, but even if everyone was using envelopes, they would still know that you used an envelope, and would want the key to open it.
So, is the solution to just sit back and whine that you can't use encryption, because all the other poopy-heads won't use it, or can you do something else to allow yourself some privacy, and ability to deny wrong doing?
That is where Truecrypt comes in. Plausible deniability does not mean that they can't tell you are using encryption. No one has come up with a reliable way to do that (steganography) that doesn't still need something at either end to encode and decode that message, and that is a tip off to outsiders. You can hide the encryption in transit, but at the write and read points, you will have to have something to interpret it. Yes, TrueCrypt will be a tip off that you are using encryption, and it may be known for having the ability for hidden volumes. The key is that there is no way to prove there is a hidden volume. No matter what you do, you can't hide that you are using encryption. They can always prove that you are using it, and force you to reveal your key. But they can not prove you have a hidden volume. Thus you have the ability to plausibly deny that there is a hidden volume, and they cannot know if you are lying or not, unlike any attempt to deny using cryptography at all.
In addition, with the tools TrueCrypt gives you, and some intelligent planning, you can go a long way to increase your deniability. Your encrypted volume can be named anything... say... pagefile.sys on a secondary drive. Yes, someone who is really looking for things, and is good, may check your windows settings to see, if in fact, you have a multigig pagefile setup on that drive, but in itself it would not raise red flags. And you can always claim that you had that pagefile setup in a previous OS installation and it never got removed when you re-installed (I haven't yet found any other common, multigig binary file that would work). Run Truecrypt off a USB drive, or CD labeled as something completely different. Is an investigator going to scan everything on every CD near your computer? NSA probably, but not your local cop shop. The
"Unheard of means only it's undreamed of yet,
Impossible means not yet done." ~~ Julia Ecklar
The law gives unique status to your brain.
You can harbor thoughts of genocide, mass rape & pillage, terrorism, torture etc.
Whatever you want and as long as they stay inside your head you won't suffer any consequences.
Lie detectors exist but they can't be used to directly incriminate in court.
There is no chance the government of any country are going to extend this privilege to computers.
It's all potential evidence against you just as diary notes are or even confessions to a closest friend.
what encryption?
boycott slashdot February 10th - 17th check out: altSlashdot.org
This being /. it's strange not to see anyone posting these famous words recollecting the era...
Do you trust Truecrypt? Is it free of bugs? Is it secure? Does your mp3-player's/browser's record of having accessed files inside hidden volumes reveal the existence of the latter? Ever wondered why the source code is developed by so few developers? It has had and by my estimation almost certainly still has serious vulnerabilities.
That's true, you are talking about the government. You can hide stuff in plain sight with those morons.
However truecrypt is good enough, the hidden volume only appears to be random data so I don't think there would be any way to tell.
Personally, if it was me, I'd just tell them no and go to jail. Didn't Josh Wolfe do that, go to jail for nothing because he wouldn't turn over a video tape? After he got out of jail he put the tape on the web and there was nothing on it. Someone once said you only have the rights you are willing to fight for.
Bringing liberty to the masses. - http://freetalklive.com/
When this law came in I had to explain to a representative of a 'British' election candidate for a 'National' political 'Party' who had experience of the UK Police seizing computers with details of local members, funds etc. I explained how online email accounts worked and how to use them to store data, a system I have used for backups of important files since before 9/11 as there is little chance of major online providers losing all their data. Erase data from a HDD? I thought that's what magnets and microwave ovens were invented for!!!
Put simply, if your law enforcement agency can't tell if TrueCrypt's being used, then they have two options: (a) assume that everyone using any form of encryption is using TrueCrypt, and keep everyone in jail until they release two keys for their encrypted volume (which would get extremely messy, since most people probably aren't using TrueCrypt) or (b) let you go.
So
Why are criminals always "hardened"?
Why aren't there any "softened" criminals?
I am anarch of all I survey.
I wonder whether any innocent person is going to be jailed or face other consequences for a forgotten decryption key.
It is not inconceivable to think that this fictional story may become reality sometime as a result of such a law: Mr X downloads an encryption program from the Net and tries it by encrypting a text file of random data, just for fun and curiosity. After a year he buys a new disk and leaves the old disk, which has the encrypted text file in it, in a small box on the bookcase. He didn't bother deleting anything, and the encrypted text file is still there. Needless to say, he couldn't remember the decryption key even to save his own life. Time passes and after 6 months his house is being investigated as he is suspect for a crime because he was in the wrong place in the wrong time and his beard makes him look like the real criminal. The police gets his PC and finds nothing but the occasional pinup girl photo, holiday videos, and some work spreadsheets. Considering that he has a very long beard and his skin is not as white as the police officer would like it to be, the police searches his house a bit more thoroughly and finally finds that old disk on the bookcase. The police officer managing the investigation says "aha! a hard disk hidden inside a box on the bookcase, cleverly camouflaged as a book! here is what we are looking for, here is my chance for getting a promotion after putting a dangerous criminal in prison!". The police copies the disk and then finds the encrypted text file. It is so small, only a few bytes (actually random keystrokes Mr X typed to test the program), and randomly placed inside a directory full of unrelated non-encrypted personal and work data (that's My Documents), that the police starts to believe that this is some form of steganography or attempt to hide the fact that encrypted data were there. Since the program Mr X downloaded was very good, the police cannot break the encryption so they ask him what the decryption key is.
Mr X says he does not remember, and the police officer tells him he has to remember or be jailed for obstruction of justice. As Mr X has no idea what he typed one and a half year ago during testing an encryption program, he is thrown in a prison cell for "refusing" to hand over the key. A combination of factors, being in the wrong place at the wrong time, having a beard and not so white skin, and possessing an encrypted file without handing over the key resulted in the conviction of an innocent person who if remained free would be a useful professional in society. All that is fictional, of course, but I am afraid that sometime innocent people will face consequences for not remembering decryption keys.
And I can think of other stories as well... Mr Y is being given a hard disk as a gift from his sweetheart, and the disk contains an encrypted file. Mr Y never bothers to delete it and he does not even know it is encrypted or what it is, and when his PC is being investigated by the police on suspicion of a crime, he is requested to hand over the decryption key of a file he does not know what it is and had no idea was encrypted. Likewise this is a fictional story as well, but what if it becomes reality?
A law like this effectively forces people to remember decryption keys, assuming that everyone who is in possession of encrypted data knows how to decrypt them.
How many innocents will have to be destroyed before we catch the real terrorists? Shouldn't lawmakers take the potential toll on innocents into account before signing a new law?
I don't know about you, but for me even one innocent person being charged means that a law has to be made more specific, or its application by a court was not made correctly. Having the power to put people in prison (which is a form of violence) must come with a great sense of responsibility and willingness to avoid damaging any innocent people.
I've thought about this a lot recently, and am now periodically running MD5 hashes across all the executables on my machine and storing the results on a USB stick. Every week, just check to make sure nothing has changed (except where there are valid cases - e.g. I've installed a software update or a new application).
As for hardware? Get a laptop and don't let it out of your sight. Figure out how to do a temporary password suspend*. Call me paranoid, but if I need to go to the toilet, I lock my machine. If I go for a drink, I lock my machine. Paranoia in security is just another name for good practice.
* if you are an OS X user, execute "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession -suspend" whenever you leave your machine - stick it in an AppleScript, call it Lock and then make it executable from QuickSilver and you are only a key press or two away. You can also add a few other conveniences to the AppleScript - tell iTunes to pause, lock your keychains and tell Adium or iChat to set an away message etc. If you carry a mobile phone on your person, you can also set it up with one of the Bluetooth presence utilities to run the Lock script whenever you go out of range of your machine.
catch (HumourFailureException e) { e.user.send("You, sir, are a humourless idiot."); }
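The weekly check described in the comment above can be scripted. This is an added example, not the poster's own script: it swaps MD5 for SHA-256, and the function names, the JSON manifest format and the sample tree built in `demo()` are all assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> digest for every executable regular file under root."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            # Skip symlinks and special files; hash only real files.
            if full.is_symlink() or not full.is_file():
                continue
            # "Executable" here means any execute bit is set.
            if not full.stat().st_mode & 0o111:
                continue
            manifest[str(full.relative_to(root))] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as sorted JSON so two baselines diff cleanly."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return the files added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(
            p for p in baseline.keys() & current.keys()
            if baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed sample tree: baseline it, alter it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        for name, body in (("ls", b"original ls"), ("ssh", b"original ssh")):
            (root / name).write_bytes(body)
            (root / name).chmod(0o755)
        (root / "notes.txt").write_bytes(b"not executable, ignored")
        (root / "notes.txt").chmod(0o644)

        # Stand-in for the USB stick that holds the baseline.
        store = Path(tmp) / "usb" / "baseline.json"
        store.parent.mkdir()
        save_manifest(build_manifest(root), store)

        # A week later: one binary replaced, one new, one gone.
        (root / "ssh").write_bytes(b"replaced ssh")
        (root / "keylog").write_bytes(b"new binary")
        (root / "keylog").chmod(0o755)
        (root / "ls").unlink()

        return compare(load_manifest(store), build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the system running it: a machine that has already been tampered with can return false hashes, so the check is strongest when run from separate boot media against the stored baseline.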
Want to prove you no longer have the key? Carry around a mini disk with a large, randomized file on it. When the police come to take your computer, pull out the disk and snap it in half before they can ask for it.
"Yeah, I had the key, it's right there. Take it if you want."
You could also set up the disk in a way that if removed from a device you made, the recorded side gets scratched beyond repair. Such as a slotted box with razors inside. If the disk is removed, the razors scratch the recorded side. You didn't damage it, and you would have told them how to remove if they had asked for it.
All this hurts is those of us that just want to keep our personal nude photos of our wife or girlfriend private. If you committed a crime, it's easier to do the time for not cooperating.
"That's so plausible, I can't believe it!" - Leela
Isn't that always the published 'intent' of these kinds of laws? Unfortunately, it's the capricious application of the law to other parties that really makes it bad.
So basically, now Britain is more of a police state, and the US is a police state, China is a police state, Mexico is a police state, France is a police state, Russia is a police state.
You say you want a revolution?
Might be time to start dumping tea into the proverbial harbor all over the world.
Message contains 1 attachment: spam.gif
The statement from wikipedia is irrelevant to the "plausible deniability" problem.
The last I checked:
1) Truecrypt is not a default install on any popular operating system
2) The container requires Truecrypt software to work.
And so if in UK (or other countries with similar laws, like mine) they ever find truecrypt software in your possession, you'll be in for a very long interrogation. If you can hide the truecrypt software so well that nobody else can find it, then your need for truecrypt is quite low isn't it?
Whereas as I mentioned before, what I call plausible deniability is if a popular operating system by _default_ includes a big random file (or two) and crypto tools that might or might not decrypt it.
1) I didn't put the big random file there (the distro did)
2) I didn't put the tools there (the distro did)
3) Crypto keys? Whazzat? You mean these? (Holds up physical keychain)
4) "Move along now"
Another thing: you have to be very careful about backups if you do use encryption and you do update the encrypted stuff once in a while. If people have access to the backed up container file even if it's encrypted they could compare them and if they find differences you have a problem.
Lastly, as far as I can tell, I don't use any crypto stuff, so don't take my advice on it.
There are ways around it, using Truecrypt for example.
http://www.truecrypt.org/
You can have a hidden encrypted volume inside another volume. Without the key to the hidden volume there's absolutely no way to detect it (that volume can even be destroyed when using the first volume without providing the keys to the hidden one). If the authorities ask for your keys you give only those for the first volume and they'll never know there's another.
That doesn't help much for things like encrypted emails unless you manage to make one-time keys and shred the private key after saving the decrypted version to a hidden volume.
I just hope they won't make illegal the act of shredding a private key...
I wonder if there is a way to encrypt two pieces of data to the same location, but using different passphrases. I tried googling, but I wasn't sure what terms to search for. So far, all my results have been about re-encrypting the encrypted data, not adding new encrypted data over the existing data.
For example, let's say I have two files, SUPERSECRET and PSEUDOSECRET. The first one is the one I want to protect, and the second is just a dummy file that I might reasonably want to protect, but is actually a diversion. Perhaps SUPERSECRET is something a government might want to oppress me for, and PSEUDOSECRET is my tax information that I wouldn't want casual snoopers to find.
Is there a way to encrypt SUPERSECRET and PSEUDOSECRET to the same physical disk space (not separate space like TrueCrypt hidden volumes), but use different passwords? That way if some "adversary" (as the TrueCrypt docs refer to it) comes after me for the key, I give them PSEUDOKEY, which will only show them my tax info, while SUPERSECRET stays safe.
It would be interesting to be able to layer as much data as desired over the space. It would be the encryption equivalent of storing information in a holographic crystal and pulling out what I want by aiming the laser at the proper angle.
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
I'm too lazy to look up the source, but the appropriate quote goes something along the lines of "Do what you will, lock him up, torture him, but a man's thoughts are his own until he chooses to reveal them."
There's no place like
1) Truecrypt is not a default install on any popular operating system
2) The container requires Truecrypt software to work.
And so if in UK (or other countries with similar laws, like mine) they ever find truecrypt software in your possession, you'll be in for a very long interrogation. If you can hide the truecrypt software so well that nobody else can find it, then your need for truecrypt is quite low isn't it? Well, I'm not an expert in this myself, but as I understand it, the ability to have a hidden volume within the encrypted volume is not the primary purpose of truecrypt, which aims to provide a real-time encrypted filesystem. Say, for example, I have
The thing is, nobody is going to be able to tell
That said, the truecrypt website also explains the completely undetectable use of truecrypt via a bootable cdrom
As a developer for a few large corps, I sign a lot of NDAs. Since these NDAs (and the code of conduct within my own company) require me to encrypt all data traffic (email, FTP, p2p, what have you) between myself and our customers, this provides a contradiction for me. On one hand, I could be branded a terrorist for not allowing the government access to my encryption keys. On the other hand, I could be fired and prosecuted for breach of contract by my company (or our customers) if I do.
Why, yes! I AM new here.
"Otherwise you've got a police-state situation where people are permanently incarcerated merely on the suspicion of having material that they're not revealing ... and if that becomes reality then the use of truecrypt will be the least of your worries"
;).
They don't have to suspect everyone, they only have to suspect the _very_few_ who have truecrypt.
We're all within 48 hours from Guantanamo Bay. The USA/CIA has kidnapped people in other countries (e.g. Italy) officially without the consent of those countries.
I may be wrong but Truecrypt only supports 2 such volumes per volume. So they'll just ask you for both keys for every volume.
"completely undetectable use of truecrypt via a bootable cdrom"
If you can hide that cdrom so well, you might as well put the data on the cdrom (or USB drive) and hide it. If you do it well enough, even if they find it they may be interrogating someone else instead
Well quite possibly but since I can see what stuff my MP is voting for I can confirm that she was on the side of the righteous.
The DMCA was about protecting copyrighted works in the digital domain. Not to ensure that someone cannot make a universal garage opener.
It still got pulled in for that duty...
To neutralise this invasion of privacy, we need someone to write an encryption program that will place two or more different files (or messages) in a single encrypted document - with two different passwords. Enter one password, the first file comes out; enter the other password, the second file is returned. But at no time should the decryption program reveal just how many files are encrypted.
To preserve plausible deniability, if one only stores one file in the encrypted file then the program should encrypt random characters of a similar length to the file with a very long, random password. (or some similar means of obfuscation).
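Added example, not part of any comment in the thread: a Python illustration of the container described in the comment above (several files, one password each, unused space filled with random bytes), which also shows the backup-comparison problem raised earlier in the thread. The slot layout, the function names and the HMAC-SHA256 counter-mode keystream (a stand-in for a real cipher, which the standard library lacks) are assumptions made for this illustration.

```python
# Added illustration; names, slot layout and keystream construction are assumptions.
import hashlib, hmac, os, secrets, struct

SLOTS, SLOT_SIZE, SALT, TAG, HDR = 4, 256, 16, 32, 2   # count, size, salt, HMAC tag, length prefix
BODY = SLOT_SIZE - SALT - TAG

def _keys(password, salt):
    m = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(m, b"enc", "sha256").digest(), hmac.new(m, b"mac", "sha256").digest()

def _xor_stream(key, data):   # HMAC-SHA256 in counter mode as the keystream
    ks = b"".join(hmac.new(key, struct.pack(">Q", n), "sha256").digest() for n in range(BODY // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def _seal(password, data):
    if len(data) > BODY - HDR:
        raise ValueError("data too large for one slot")
    salt = os.urandom(SALT)                  # fresh salt, so fresh keys on every write
    enc_key, mac_key = _keys(password, salt)
    plain = (struct.pack(">H", len(data)) + data).ljust(BODY, b"\0")
    ct = _xor_stream(enc_key, plain)
    return salt + ct + hmac.new(mac_key, salt + ct, "sha256").digest()

def _slot(container, i):
    return container[i * SLOT_SIZE:(i + 1) * SLOT_SIZE]

def create(files):   # files maps password -> bytes; unused slots become random bytes
    if len(files) > SLOTS:
        raise ValueError("too many files")
    slots = [_seal(p, d) for p, d in files.items()]
    slots += [os.urandom(SLOT_SIZE) for _ in range(SLOTS - len(slots))]
    secrets.SystemRandom().shuffle(slots)    # position must not reveal which slots are real
    return b"".join(slots)

def open_with(container, password):   # (slot index, data) for the slot this password opens, else None
    for i in range(SLOTS):
        s = _slot(container, i)
        salt, ct, tag = s[:SALT], s[SALT:-TAG], s[-TAG:]
        enc_key, mac_key = _keys(password, salt)
        if hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
            plain = _xor_stream(enc_key, ct)
            return i, plain[HDR:HDR + struct.unpack(">H", plain[:HDR])[0]]
    return None

def update(container, password, data):
    i = open_with(container, password)[0]    # TypeError if the password opens no slot
    return container[:i * SLOT_SIZE] + _seal(password, data) + container[(i + 1) * SLOT_SIZE:]

def changed_slots(old, new):   # what someone holding two backups can compute without any key
    return [i for i in range(SLOTS) if _slot(old, i) != _slot(new, i)]
```

A slot that differs between two backups but does not open with the disclosed password cannot be random filler, so `changed_slots` on two snapshots gives its existence away. The fixed slot count also tells anyone who reads the format that up to four passwords may exist.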
We're all within 48 hours from Guantanamo Bay. The USA/CIA has kidnapped people in other countries (e.g. Italy) officially without the consent of those countries. And Guantanamo, as my orange protest badge says, is state terrorism. But at least we hope that the countries we live in aren't like that
One additional thing you could do is actually use encryption openly for everyday use so you appear just generally paranoid. Keep your tin-foil hat close by your PC.
Then you don't have to explain the presence of encryption software on your machine, and it doesn't look like you have anything nasty to hide. Salt your hard drive with a series of test volumes, some of which you've forgotten the passwords/deleted the keys to...