UK Government Can Demand You Hand Over Encryption Keys
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".
Encrypt using Truecrypt, which supports plausible-deniability. Allows you to have an encrypted volume and then a "hidden" encrypted volume within that. If you're ever forced to give up your key due to extortion or torture, you only need to reveal the key to the outer volume and the inner hidden volume remains encrypted.
Because the law wasn't designed to work like that. The police can't demand "hand over all your passwords so we can root around for anything illegal"; it has to be a specific key to a specific piece of suspected evidence (e.g. a database or file). If you had hidden volumes on an encrypted disk, they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.
This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.
This law was implemented years ago. The article author seems to know very little about the law in this respect, especially as it has barely changed since its introduction in 2000/2001. Thankfully, it appears it has yet to be used in a non-terrorism-related case.
:(
No, the law was *made* years ago. It has yet to be used because it first entered into force yesterday. Give them time!
Like when they spy on you in the airport for having a "bad" book?
But that's the point of plausible deniability with something like Truecrypt. They cannot prove that you have a hidden volume, or a hidden volume within another, even with forensics. See the replies below.
If a judge asked you to hand over the keys to your house... or your car... or your safety deposit box... you are legally required to follow that order.
Are we surprised that digital keys have the same requirement?
The requirement is not the same. If a judge orders you to do something, and you state that you cannot, it is usually up to the judge (or prosecution) to show beyond reasonable doubt that you could do it before you can be punished for that offence. Under the RIPA, it is up to you to show that you cannot. There is also a right of appeal against a court order like the one you describe; there is no right of appeal against a section 49 notice under the RIPA 2000.
Yes, actually. If you'd lived through 10 years of New Labour then you would too.
It's a matter of principle. I say that you should have a right to privacy, and your privacy shouldn't be violated by anyone unless you give explicit permission. Encryption gives you the ability to hide information from the authorities, and forces them to go through a legal process in order to gain access to the information. They can't read your messages without your help. The decision of whether to help them or not is up to you.
>north
You're an immobile computer, remember?
In a civil court you have no protection from self incrimination. So when the RIAA demands you hand over your secret keys, you have little choice.
For criminal court, the charge for not handing over the keys, like claiming you forgot what the key was due to all of the emotional stress of these accusations, is generally a lesser charge than the real crime (pedophilia, embezzlement, murder, copyright violation, whatever). Of course, if you're held in contempt you can be kept in a local jail indefinitely until you comply or until a judge just gives up. You don't get to have a hearing or even a formal arrest when you are in contempt of court; the judge just throws you in a cell and leaves you there.
Hidden volumes, secret file systems, etc. will not fool someone in data forensics. It will just give them probable cause to get court orders for the rest of the keys.
TrueCrypt's plausible deniability is more than that. With it you can have two encrypted volumes within the same volume, only with different keys. If you are asked for a key, you give them one. They decrypt the volume you gave them a key for and they find nothing. More information (and probably a much better description) here.
No, it is when search — the practice long accepted as a legitimate law-enforcement tool — is not enough.
If we allow police to search houses (including safes — demanding keys, when needed), it is only logical to allow them to also decrypt data (demanding keys, when needed).
It's often how laws get made. "We have a moral imperative to protect the children! Only pedophiles and terrorists use encryption!"
Fortunately, here in the U.S. (chuckle) we have a Constitution (ha ha) that strictly limits government powers (ho ho ho) and guarantees the right to not testify against one's self (chortle guffaw ROTFLMA).