Slashdot Mirror


UK Government Can Demand You Hand Over Encryption Keys

iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jail time for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"

11 of 426 comments

  1. Not exactly news by TheRaven64 · Score: 4, Interesting

    RIPA has had a lot of negative coverage since the idea was first raised. Someone at the time proposed emailing the Home Secretary with a few MBs of random data and the text 'here is the information on your opium import operation. The key is as we agreed' and then sending a tip to the police. If the Home Secretary does not disclose the key (which he doesn't have) then he is liable for 5 years of jail time. Or, the government could see how silly the act is and repeal it. Since the law just went into force, I expect civil liberties groups will start trying this soon.

    --
    I am TheRaven on Soylent News
  2. Hand the keys over by DuncanE · Score: 3, Interesting

    If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

    Are we surprised that digital keys have the same requirement?

    And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.

  3. Re:Been like this for years by Chrisq · Score: 5, Interesting

    GnuPG has a --show-session-key command, so that when you are asked to reveal the key for an encrypted message you can comply with the law by revealing the session key that was generated for that specific message rather than your secret key. This complies with the letter of the law, so you can ask for a written order for each individual message. Of course if they are really serious at this point they will smile at your request and get out the rubber hoses....
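The per-message disclosure described in the comment above, as an added example that is not part of the original post: the key holder extracts one message's session key with `--show-session-key`, and a party holding only that value opens that message with `--override-session-key` while a second message stays sealed. The user ID, messages and temporary directories are constructed for the demo, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example; the user ID, messages and paths are constructed for the demo.
set -eu
export LC_ALL=C

setup_demo() {
  # Throwaway keyring and work directory, so no real keyring is touched.
  DEMO_DIR="$(mktemp -d)"
  GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'demo@example.invalid'
  for n in one two; do
    printf 'message %s\n' "$n" |
      gpg --batch --quiet --trust-model always -e -r 'demo@example.invalid' \
          -o "$DEMO_DIR/msg-$n.gpg"
  done
}

session_key_for() {
  # Key holder's side: needs the secret key. gpg reports the key on stderr
  # as: gpg: session key: 'ALGO:HEX'
  gpg --batch --show-session-key -d "$1" 2>&1 >/dev/null |
    sed -n "s/^gpg: session key: '\(.*\)'\$/\1/p"
}

decrypt_with_session_key() {
  # Recipient's side: an empty keyring, only the disclosed session key.
  GNUPGHOME="$(mktemp -d)" \
    gpg --batch --quiet --override-session-key "$1" -d "$2" 2>/dev/null
}

setup_demo
K1="$(session_key_for "$DEMO_DIR/msg-one.gpg")"
echo "msg-one opens: $(decrypt_with_session_key "$K1" "$DEMO_DIR/msg-one.gpg")"
if decrypt_with_session_key "$K1" "$DEMO_DIR/msg-two.gpg" >/dev/null; then
  echo "unexpected: msg-two opened with msg-one's session key"
else
  echo "msg-two stays sealed"
fi
gpgconf --kill gpg-agent || true
```

A session key passed on the command line is visible to other local users in the process list, so treat it as sensitive as the plaintext it unlocks.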

  4. What if...? by Opportunist · Score: 3, Interesting

    What if I don't have the keys but only store the data (i.e. I'm a backup service provider who stores data for people he doesn't even know by name or anything but IP address, which is fleeting at best)? What if I simply cannot remember the keys or, in case of keydisk/keyfile systems, have lost either (or destroyed because the archives are old backups no longer needed)? What if I don't remember which version of which cypher program was used to encrypt the keys (I tend to have that problem, actually, with a few archives...)?

    I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Dead-man's handle saves by samjam · Score: 3, Interesting

    Have an off-shore cron job to revoke your keys if you don't touch them often enough.

    When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.

    The revocation is the trigger that you have been asked.

    Sam

  6. How to screw someone by linuxwrangler · Score: 3, Interesting

    1. Place files full of random data on their machines

    2. Tip off the authorities to their "terrorist plans"

    3. Watch them get five years for "refusing" to decrypt the "data"

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  7. What if your password incriminates yourself? by Bender0x7D1 · Score: 4, Interesting

    I was wondering how the court would rule if your password contained information that would incriminate you in a different crime.


    For example, if your password was: "my_murder_victim_is_buried_under_my_patio" or "I_embezzeled_20million_into_account_123456789", wouldn't revealing the password violate your right against self-incrimination (at least in the US)?

    --
    Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
  8. Life without public key cryptography by Anonymous Coward · Score: 3, Interesting

    Yeah. The U.K. (along with most countries) has always impressed me as a country designed by the bureaucrats, of the bureaucrats, and for the bureaucrats. Unfortunately the U.S. has been heading the same way for a while.

    People forget that the U.S. Senate came close to outlawing Public Key Crypto back in September of 1991. This is why there was a rush to release PGP back in the summer of that year. It negated anything the Senate could do.

    One has to wonder what life would be like without public key crypto today, or the interest in it which the prosecution of Phil Z. spurred.

    Two things which come to mind are Bill Clinton's Clipper chip, and a lot weaker Web-based business. And certainly not the ability to keep things private via PGP or TrueCrypt.

    1. Re:Life without public key cryptography by Rei · Score: 3, Interesting

      Weren't the British planning to pass something like this years ago? I remember reading about it at the time. This law seems like it'd be either unenforceable (if the person can argue that they don't have or forgot the key), or asking for people to be set up (if they can't). Perhaps a less obvious version of the following:

      From: Anonymous Stranger (someone@outsidetheuk.com)
      To: Patsy (someone-else@inside.co.uk)
      CC: Law Enforcement HQ (help@police.co.uk)
      Subject: Confession

      Dear Patsy,

      I was just approached by an acquaintance who says he committed a crime for you. Not believing it, I asked for proof. He showed me this picture:

      (insert photo of apparent crime in progress)

      I was horribly disturbed when I saw this. Apparently, according to him, it's just a screenshot from a video of the crime and him talking about all of the details of it for you. When I asked why he felt safe keeping a video around, he said it's encrypted and that only you and he have the keys. I managed to swipe his USB memory stick, and sure enough, there's some big encrypted file on it. I'm attaching it below for you. Since the police will certainly be interested in what it shows, I'd advise that you hand over your encryption key to them immediately.

      --
      Kneel Before Christ!
  9. Re:Its very important that we all do this. by arkhan_jg · Score: 4, Interesting

    That's the problem - forgetting the password is not a defence. Failing to hand it over when asked carries up to a 5 year jail sentence, as it's assumed whatever you're 'hiding' would cause you to be imprisoned. The basic premise, if you use encryption, is that you are guilty of something and it's up to *you* to prove otherwise by letting the police rifle through *all* your data looking for something incriminating. Failure to do so is evidence itself of guilt!

    This law was passed 7 years ago, and the home office has been quietly waiting for the original outrage to die down to see if they could get away with actually using the powers they were granted before 9/11 or 7/7. Of *course* they'll only use it against terrorists and pedophiles. Nothing to fear citizen, sleep soundly in your bed, safe in the knowledge we're only imprisoning bad men. After all, only bad men use encryption then forget the password...

    Of course, if you're a pedophile you're far better off taking the 2 years for failure to hand over your encrypted data, than to take the potentially decades in jail if you have incriminating photos and a sex offender offence that might well get you killed there. I don't think it'll be too long before the maximum sentence gets raised to be in line with the worst crime you might be assumed to have committed and hiding via encryption...

    --
    Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
  10. Re:Zeitgeist says it is rich people wanting contro by TheLink · Score: 3, Interesting

    Truecrypt's plausible deniability is worthless or even dangerous.

    If you have Truecrypt installed it just means you're going to rot in jail till you can either:
    1) Convince the police that some random file you have that they are interested in is not encrypted.
    2) Decrypt the file somehow (even if it wasn't encrypted in the first place ;) ).

    You'd be better off downloading some legal porn (or something similarly frowned on but legal), encrypting sets of them (without truecrypt) and writing down the keys somewhere so you never forget or lose them. Then if the Gov says "hand over the keys" you hand over the keys, rather than say "I have no keys".

    A Gov like that is going to presume you're guilty of something.
