Slashdot Mirror
UK Government Can Demand You Hand Over Encryption Keys
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
I guess when wire-tapping and CCTV just isn't enough
Unless we let the government have access to all our data then the terrorismists will WIN.
After all, if you've nothing to hide then whats the problem? I for one will be printing out all of my data in hardcopy to send to the government, as I am a PATRIOT.
After all - there was no terrorismisticals before the internet.
This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".
RIPA has had a lot of negative coverage since the idea was first raised. Someone at the time proposed emailing the Home Secretary with a few MBs of random data and the text 'here is the information on your opium import operation. The key is as we agreed' and then sending a tip to the police. If the Home Secretary does not disclose the key (which he doesn't have) then he is liable for 5 years of jail time. Or, the government could see how silly the act is and repeal it. Since the law just went into force, I expect civil liberties groups will start trying this soon.
I am TheRaven on Soylent News
If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....
Are we surprised that digital keys have the same requirement?
And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.
Truecrypt hidden volumes
This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.
A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he
a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")
or
b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.
That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?
"As God is my witness, I thought turkeys could fly." A. Carlson
For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.
Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.
I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
>north
You're an immobile computer, remember?
Because the law wasn't designed to work like that. The police can't demand "hand over all your passwords so we can route around for anything illegal", it has to be a specific key to a specific piece of suspected evidence (e.g. Database or file). If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.
This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.
Since part of the law prohibits telling anyone that you have had to hand over the keys, how can you be sure about that ?
What if I don't have the keys but only store the data (i.e. I'm a backup service provider who stores data for people he doesn't even know by name or anything but IP address, which is fleeting at best)? What if I simply cannot remember the keys or, in case of keydisk/keyfile systems, have lost either (or destroyed because the archives are old backups no longer needed)? What if I don't remember which version of which cypher program was used to encrypt the keys (I tend to have that problem, actually, with a few archives...)?
I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Have an off-shore cron job to revoke your keys if you don't touch them often enough.
When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.
The revocation is the trigger that you have been asked.
Sam
blog.sam.liddicott.com
1. Place files full of random data on their machines
2. Tip off the authorities to their "terrorist plans"
3. Watch them get five years for "refusing" to decrypt the "data"
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
2 reasons I have a problem with laws such as this.
1) They violate your rights against self incrimination. Per the US constitution, I cannot be compelled to testify or offer evidence against myself. What this law says is that I MUST testify against myself, in the form of giving up *knowledge* that I have for the state to use against me.
2) While the warrant may be issued for a small piece of information, it has the potential to lay all your secrets bare. Let's say I am accused of child pornography, and that's what the police are "looking for" in the encrypted directory marked "Private". All of the data in that directory is subject to discovery. So if they find pictures of my infant daughter without her onesie, and figure out that this is simply a divorce case gone bad, the child porn investigation dies. But now they have also seen my financial records, and discover that I've made some questionable tax deductions, and the case now gets referred to the IRS. Or they find money that I've been hiding from my ex-wife, and hand her that info.
"As God is my witness, I thought turkeys could fly." A. Carlson
The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.
Paid Q&A/Research
I don't think you quite understand the principles behind "hidden volumes" in Truecrypt.
;-)
The point is not that they don't know it is possible. The point is that it cannot be proven that there is a second encrypted volume within the first one.
This makes it plausible to deny that it exist at all. If store some sensitive information in the outer volume, like some very embarrassing but not illegal pornography you can make a claim that this was the sole purpose of the outer Truecrypt volume. The law enforcement agency will have a hard time getting a judge to order you hand over keys to a hidden volume they cannot prove exist.
Hidden volumes in Truecrypt got nothing at all to do with "security through obscurity", it's all about "plausible deniability". You can ask your friend in the police about that, if he has any experience with the security community at all he should be very well acquainted with this term.
Of course, if you admit or in other ways make it provable that there exist an inner volume then all bets are off
This will probably work in societies like USA and UK where the police have to follow certain procedures. In countries like Burma or China where they will just torture you until you confesses or dies, I'm not so sure about the value of this scheme.
I was wondering how the court would rule if your password contained information that would incriminate you in a different crime.
For example, if your password was: "my_murder_victim_is_buried_under_my_patio" or "I_embezzeled_20million_into_account_123456789", wouldn't revealing the password violate your right against self-incrimination (at least in the US)?
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Yeah. The U.K. (along with most countries) has always impressed me as a country designed by the bureaucrats, of the bureaucrats, and for the bureaucrats. Unfortunately the U.S. has been heading the same way for a while.
People forget that the U.S. Senate came close to outlawing Public Key Crypto back in September of 1991. This is why there was a rush to release PGP back in the summer of that year. It negated anything the Senate could do.
One has to wonder what life would be like without public key crypto today, or the interest in it which the prosecution of Phil Z. spurred.
Two things which come to mind are Bill Clinton's Clipper chip, and a lot weaker Web-based business. And certainly not the ability to keep things private via PGP or TrueCrypt.
"I guess when wire-tapping and CCTV just isn't enough"
The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.
The movie Zeitgeist explains it: The movie Zeitgeist (2007) claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.
The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.
The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.
Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.
Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004).
For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.
For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.
I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)
Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.
TrueCrypt has "plausible deniability. I wondered why TrueCrypt encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.
Truecrypt's plausible deniability is worthless or even dangerous.
;) ).
If you have Truecrypt installed it just means you're going to rot in jail till you can either:
1) Convince the police that some random file you have that they are interested in is not encrypted.
2) Decrypt the file somehow (even if it wasn't encrypted in the first place
You'd be better off downloading some legal porn (or something similarly frowned on but legal) and encrypt sets of them (without truecrypt) and write down the keys somewhere so you never forget or lose it. Then if the Gov says "hand over the keys" you hand over the keys, rather than say "I have no keys".
A Gov like that is going to presume you're guilty of something.
TrueCrypt's plausible deniability is more than that. With it you can have two encrypted volumes within the same volume only with different keys. If you are asked for a key, you give them one. They unencrypt the volume you gave them a key for and they find nothing. More information (and probably a much better description) here.
Stop Global Warming!
Just say no to irreversible processes!