Slashdot Mirror


UK Government Can Demand You Hand Over Encryption Keys

iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jail time for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"

7 of 426 comments

  1. Been like this for years by CRCulver · Score: 4, Informative

    This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".

    1. Re:Been like this for years by mikelieman · Score: 4, Informative

      And the idea is why Rubberhose Crypto was developed.

      It had set up the system so that there could never be any confidence that ALL the encryption keys have been turned over.

      --
      Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
    2. Re:Been like this for years by julesh · Score: 3, Informative

      Yes, here it is. It passed in July.

  2. Re:hidden volumes by malsdavis · Score: 4, Informative

    Because the law wasn't designed to work like that. The police can't demand "hand over all your passwords so we can root around for anything illegal", it has to be a specific key to a specific piece of suspected evidence (e.g. database or file). If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.

    This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.

  3. Re:Zeitgeist says it is rich people wanting contro by Chosen+Reject · Score: 3, Informative

    TrueCrypt's plausible deniability is more than that. With it you can have two encrypted volumes within the same volume only with different keys. If you are asked for a key, you give them one. They unencrypt the volume you gave them a key for and they find nothing. More information (and probably a much better description) here.

    --
    Stop Global Warming!
    Just say no to irreversible processes!
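    Added illustration (not code from any commenter, nor from TrueCrypt or Rubberhose) of the hidden-volume idea described in this comment and in the Rubberhose comment above: an outer volume and an optional hidden volume share one container whose unused space is random bytes, so an examiner holding only the outer key cannot tell whether a second volume exists. The cipher, sizes and layout are constructed for the example; HMAC-SHA256 in counter mode stands in for a real cipher.

```python
import hashlib, hmac, os, struct

CONTAINER_SIZE = 4096          # toy sizes, not TrueCrypt's real layout
SLOT_SIZE = 1024
NONCE_LEN, TAG_LEN = 16, 32
PAYLOAD_LEN = SLOT_SIZE - NONCE_LEN - TAG_LEN

def _keystream(key, nonce, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode (illustration only)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
    return out[:length]

def _seal(key, data):
    """Encrypt a length-prefixed payload padded with random bytes; return one slot."""
    if len(data) > PAYLOAD_LEN - 2:
        raise ValueError("data too large for slot")
    nonce = os.urandom(NONCE_LEN)
    plain = struct.pack(">H", len(data)) + data
    plain += os.urandom(PAYLOAD_LEN - len(plain))        # padding is random, like ciphertext
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, PAYLOAD_LEN)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def _open_slot(key, slot):
    """Return the payload if the key authenticates this slot, else None."""
    nonce, tag, ct = slot[:NONCE_LEN], slot[NONCE_LEN:NONCE_LEN + TAG_LEN], slot[NONCE_LEN + TAG_LEN:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, PAYLOAD_LEN)))
    n = struct.unpack(">H", plain[:2])[0]
    return plain[2:2 + n]

def create_container(outer_key, outer_data, hidden_key=None, hidden_data=b""):
    """Outer volume at the start; free space is random; hidden volume (if any) in the tail."""
    buf = bytearray(os.urandom(CONTAINER_SIZE))
    buf[0:SLOT_SIZE] = _seal(outer_key, outer_data)
    if hidden_key is not None:
        buf[-SLOT_SIZE:] = _seal(hidden_key, hidden_data)
    return bytes(buf)

def open_volume(container, key):
    """Try each candidate slot with the given key; a wrong key sees only noise."""
    for off in (0, CONTAINER_SIZE - SLOT_SIZE):
        data = _open_slot(key, container[off:off + SLOT_SIZE])
        if data is not None:
            return data
    return None
```

    A container built with and without a hidden volume has the same size and the same full-entropy tail, which is the property the comment calls plausible deniability.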
  4. This is simply false by nasor · Score: 3, Informative

    That's the problem - forgetting the password is not a defence. This is simply false. In fact, one of the biggest criticisms of the law from U.K. law enforcement is that it's almost impossible to enforce in most cases because the burden is on the police to prove that the suspect does actually have the keys and has not simply lost/forgotten them. The law quite explicitly states that the police must demonstrate beyond a reasonable doubt that the person actually has a key before any violation of this law can occur.
    1. Re:This is simply false by julesh · Score: 3, Informative

      The law quite explicitly states that the police must demonstrate beyond a reasonable doubt that the person actually has a key before any violation of this law can occur.

      That's not actually true. Here are the relevant sections, with added emphasis:

      49 (2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds--

      (a) that a key to the protected information is in the possession of any person

      [...]

      53 Failure to comply with a notice

      (1) A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.

      (2) In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.

      (3) For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if--

      (a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and

      (b) the contrary is not proved beyond a reasonable doubt.

      The only precondition for issuing a notice is reasonable belief. The only condition necessary for an offence to occur is that the recipient of the notice didn't act on it, knew what he was required to do and knew he was not doing it. The only time it is required for the prosecution to prove beyond reasonable doubt that the defendant is in possession of the key is if the defendant has produced evidence that he is not.

      I believe you are in possession of a key with fingerprint 33a08b9d1e07, because somebody sent you a message that was encrypted with that key, and they wouldn't do that if they didn't think you could read it (reasonable belief). You have been issued with a section 49 notice requiring you to either decrypt the message or surrender your key. You can't do this because you don't have the key, and have no idea who sent you the encrypted message. Can you provide any evidence that you don't have the key? Because if you can't, I'm not required to prove that you do have it.