UK Government Can Demand You Hand Over Encryption Keys

iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"

So, lemme get this straight...

[R2.0]

A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he

a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")

or

b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.

That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?

Solution?

[Cheesey]

For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.

Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.

I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?

Re:Old News

[Salsaman]

Thankfully, it appears it has yet to be used in a non-terrorism related case.

Since part of the law prohibits telling anyone that you have had to hand over the keys, how can you be sure about that ?

Re:Been like this for years

[Chrisq]

GnuPG has a --show-session-key command, so that when you are asked to reveal the key for an encrypted message you can comply with the law by revealing the session key that was generated for that specific message rather than your secret key. This complies with the letter of the law, so you can ask for a written order for each individual message. Of course if they are really serious at this point they will smile at your request and get out the rubber hoses....

The really evil part

[ribuck]

The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.

Re:Hand the keys over

[itsdapead]

If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

But...

1. That will typically require a court hearing "on the public record"
2. Even a technically ignorant judge should be able to decide (a) whether its your house/car/box (b) whether its plausible that you have lost the keys (c) whether the police have a reasonable justification for wanting access and (d) whether the fact that you have a lock on your door or possess a saftey deposit box is, in itself, suspicious.

Unfortunately, as soon as computer technology is involved, even some otherwise highly intelligent people instinctively turn off their brain and may be convinced that the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.