First Use of RIPA to Demand Encryption Keys
kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."
That's why you use an encrypted file system with a duress key. In the event of coercion, you give them a key that *oops* results in the destruction of the data.
The theory of relativity doesn't work right in Arkansas.
Acquire virus.
Virus encrypts hard drive with unknown key.
Virus forwards CP to authorities.
Authorities bust you for having CP, for not revealing those encrypted files, AND for probably having more CP. Most likely will be averaged..say..15k is a picture..you have 200GB. The media will say that you were arrested with 100k+ pieces of child pornography.
Five years later, turns out that it really was a virus. Sorry about that..here's your freedom again.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
The biggest problem I see with these kinds of "give it up or else" laws is how do you account for the situations when someone genuinely doesn't know the information you are seeking? Should someone's ignorance be a jailable offense?
Are you telling me, that I could output /dev/random to a file, place it on my friend's hard drive, say it contains valuable information pertaining to a case and he could go to jail or be fined for not revealing the password/key?
This gives me an idea!
Either way, if you need to you can get around this with TrueCrypt by taking some precautions such as:
1) Not naming it with the default extension (.tc)
2) Put it somewhere inconspicuous and name it appropriately
3) Making sure that it's a hidden encrypted volume
4) Open it through TrueCrypt and don't save the history, or passwords, or as automount, or similar
Shit, that was a typo, I meant to type FIRST POST!!!
This is my footer. There are many like it, but this one is mine.
how can you be put in jail for not knowing something?
Put her in a lead vest and throw her into the sea. If she drowns, it means she didn't have the keys, but if she swims, she's a wicked witch and deserves to be punished.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
How many times have I created an account so I could download something or other. Can I remember what my user name for those accounts is? Can I remember what my password is? No bleeping way.
...
If there's some password for some WordPerfect file I created in 1997, I'm sorry but I couldn't remember it if I tried really hard. I guess that in GB, that would send me to jail for a couple of years.
My gut reaction to this law is really really rude and I won't slime you with it. If I call the authorities fascist pigs, you can fill in the blanks.
My ancestors gave their lives to protect me from what my political masters are doing to me now. Let's just say that I deeply resent it.
I often find that the captcha is strangely appropriate for my posts. In this case it is 'queasy'
Man will never be free until the last king is strangled with the entrails of the last priest. --Denis Diderot
1) Generate a file with whatever you like in it (anything believable and non-incriminating). Make sure the file's length matches the encrypted file.
2) Reverse-engineer a one-time pad using this file and the encrypted file.
3) Supply the one-time pad to authorities with instructions on how to use it.
Ta dah!
1) IANAL.
2) I am not familiar with the details of this case.
That said, I believe that there *is* a time and place where this sort of activity counts as reasonable search & seizure. Say the cops get a warrant to search your house, and you have a safe, and you say, "gee, officer, I have *no* idea how that safe got mounted behind that picture," nobody will believe you and you'll get subpoena'd for the combo. Encryption keys shouldn't be treated any differently from a combination to a safe. If there's a reasonable suspicion for evidence to be hidden somewhere, the cops have a duty to search it.
Can't a court order someone to provide a physical key as part of a subpoena or a warrant? Why does law treat encryption keys differently?
A better solution is plausible deniability.
One password gives your uber-secret-plans-for-world-conquest, the other password gives a few hundred meg of soft porn (or whatever).
That way, you appear to not be resisting their demands.
There are shills on slashdot. Apparently, I'm one of them.
Why don't they just sign the "We'll Do Whatever The Fuck We Want Anytime We Want Act" and just get it over with already?
~S
If such a law were enacted in the US, we would be protected, ostensibly, by the 5th amendment to the Constitution. I say ostensibly because apparently the Constitution is "just a piece of paper" now, and we (some of us) have forgotten about the rule of law.
So, this could happen here. Easily. We need to find some way to restore the rule of law here lest we become like that other large country just across the Bering Strait from us.
Hmmm...
The difference is that with a physical object, all these things are pretty clear-cut: either there is a safe or there isn't, either it contains drugs or counterfeit money or it doesn't. And if you insist that you forgot the combo to the safe, no big deal, they will simply force it open, and that will settle the matter.
With encryption, you can't even tell whether there is a safe there. I might well keep big files of random numbers on my machine, and just because a UK cop with a two digit IQ is incapable of figuring out why and suspects some nefarious purpose, that shouldn't be illegal. Furthermore, with encryption, the government simply cannot force the issue: in general, they just can't decrypt the data.
In the United States, you could never be compelled to turn over an encryption key as that is a violation of the 5th amendment.
I wouldn't be so sure. The 5th amendment only protects against self-incrimination, but the search may be for evidence against a third party, in which case you may be compelled to comply.
It's also not clear that giving up your encryption keys would be considered "testimonial", so it might not be protected under the 5th amendment according to US courts. See here (somewhat outdated in other aspects, but an accurate reflection of US policy on the legal hair splitting):
http://www.cybercrime.gov/cryptfaq.htm
TrueCrypt allows hidden volumes, indistinguishable from one volume. The file size is constant.
TrueCrypt works very, very well. I use it with just one volume to protect passwords and other files.
When you don't want to encrypt a volume, but just a file, Gnu Privacy Guard is best.
This is an outrage. Here, we have a case where a person claims she does not know something, but the government is demanding of her to comply. But let's suppose, for a moment, that she is telling the truth and she has no knowledge of these encryption keys. How could she prove it? There is no way to prove a negative. It is impossible to prove that you DON'T have something; you can prove that you DO have it by producing it. There, you see, I have it. But if you don't have it, there's no way to prove it. They should let her go.
These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.
Thomas Jefferson was not a Puritan.
People throughout history have realized that torture is like a mirror. Under duress, people will say whatever the person in control wants to hear. Tacitus wrote as much in the second century AD. Only the ignorant, thoughtless or cruel believe torture is useful for investigation. People who practice torture know the results better than anyone else but they too are pawns. Those who advocate torture do not seek information, they seek control through terror. Nothing is more terrifying than a crowd of cruel halfwits who are so self-righteous they demand torture. Their hate-filled faces are echoed by the agony of their victims, but all of it is a reflection of their leader's twisted souls.
It is a tool of tyrants, religious fanatics and other evil people who think of themselves as better than you. It is always a crime.
Friends don't help friends install M$ junk.
I forgot to say that TrueCrypt is open source and free, and, in my experience, perfectly reliable. There are Windows and Linux versions, and a Mac OS X version is planned.
Don't forget to donate if you use TrueCrypt extensively.
The present government corruption in both the U.S. and U.K. started when secret violence was authorized as a way of protecting oil investments of British and U.S. investors. Tending toward outlawing privacy is a way of continuing that corruption. Any government that can act in secret cannot be a democracy, because citizens cannot participate in things that are unknown to them.
This is a good site to read about the corruption, and to contribute links: U.S. Government corruption TimeLines. Example: Complete 911 Timeline, 3895 events.
Encrypting your data and not hiding it is the same as getting a $100k super secure safe, locking your stuff in it, but leaving it in the middle of the living room. Any { law enforcement agency / criminal gang / anyone with more resources and more muscles than you } will just force you to give them the key. In other words, they see the super secure safe and automatically assume there must be at least $1M in there and then they force you to give them the key. The govt will cite all kinds of stupid idiotic laws, the criminals will start cutting off the fingers (yours or your loved ones').
The solution is to use something like steganography and hide the data such that nobody even will suspect anything. The best secrets are the ones that are not even known to exist.
If the adversary is convinced that you do have the data and knows the data type, then create a similar but fake data set to be substituted for the real one.
It is all well and good to discuss technical ways to escape such requests. But we need to move _towards_ not needing to encrypt your important data and not towards better ways to do the encryption. I.e., I prefer not to have to encrypt that perfect encryption.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
ccalam - acoustic versions of new songs.
I am now convinced it's time to leave the country.
The fact that this law was essentially used within 14 days (iirc) of it becoming a law proves beyond reasonable doubt that it's not a law to protect the people, but to protect the government and their commercial interests.
Animal activism, while often extreme, is nowhere near the same scale as terrorism, and never has been. While I have no support for activists who go out of their way to try to force their targets to stop doing what they're doing - they certainly should not face time at Her Majesty's leisure for merely having an encrypted file on their PC. CCTV in the UK has always rendered public privacy moot, but now an individual's privacy is a decision between surrendering your rights, or jail for refusing to do so.
Does anyone know if Japan accepts political refugees? (yes, the state's probably just as onerous in some way or another, but it's always been a far more welcoming place to me than the land of my birth, now becoming an Orwellian nightmare state made real)
Baka Drew
Giving up keys would be spitting on the graves of our boys who died on the beaches of Normandy. Simple as that.
It should be noticed that the particular groups of people who campaign against Huntingdon Life Sciences are terrorists:
They use threats of force to induce fear in people at HLS;
They have used actual violent force, at the work and at the homes, of people who work at HLS;
They threaten anyone involved with HLS, their suppliers, etc, with the same degree of violence;
They have placed bombs, which exploded, under the cars of people who work at HLS or are involved with HLS;
They claim their actions are justifiable, that they are engaged in a violent struggle, that their violence is justified because they must achieve their aims by any means possible.
These are not nice people we are talking about. They are not the innocent defenders of the fluffy bunnies. They are aggressive, violent people and they are familiar with the tools and techniques of covert violence. Curiously they fail to mention their devotion to violence in their own article about this case.
RIPA, like any other "anti-terrorism law", will one day be used against people who have nothing to do with terrorism.
Today is not that day.
"For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled"
Several animal rights groups in the UK are officially designated terrorist organisations, because frankly they engage in acts of terror.
By the same principle, all you have to do to avoid being a terrorist target as a US citizen is leave the country, renounce your belief in a free democratic non-religious government (whatever the truth of the matter may be under GWB), and become a devout Muslim. Easy, isn't it? (/sarcasm)
"Choice" is an interesting word. People are trained to do jobs and sometimes take years to learn the skills to do that specific job. Choosing to leave that job for another one probably would involve severe loss of income.
In short, HLS is performing a legitimate activity and therefore should be protected. It is also legitimate to campaign for banning of experiments on animals; but such campaigning should not involve violence and intimidation.
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Linux-based imaging is good only if you are interested in recovery. On the legal side of things, it will not do:
- Please explain to the court how you made a copy of this piece of evidence...
- I connected the drive to our forensic machine and...
- You mean, you connected this hard disk... to your machine?
- Yes of course, then I...
- Did you use a hardware write block?
- Er... I used Linux and mounted the...
- Please, just answer the question. Did you or did you not use a hardware write blocker device to connect the disk to your machine?
- I did not, but...
- Thank you, no further question. I now call for the evidence to be declared tainted and inadmissible in court, since the forensic team failed to use the proper hardware to ensure that no changes would be made to the disk.
There is a whole range of forensic-specific hardware available: write blockers, hardware disk imagers... Use them, or loose your case.
I code, therefore I am.
Them: Give us the key or else!
You: Else what?
Them: Else it's 2 years in the pen.
You: Eeek! Alright, but it is a very complicated key...
Them: Give us the key!
You: Alright alright, let me at my PC and I will open it.
Them: This is a copy and we are watching.
You: OK, first I need an internet connection.
Them: OK, but don't try anything funny.
You: OK, now I have to play BF2 for two weeks solid, then I got to level a Priest in WoW to 59 and as close to 60 as I can get, let's hope I don't go too far by accident, oh and I will be needing a copy of UT3 as soon as it comes out, and a copy of Crysis, I need to work on both those too. But first I need to be in the right frame of mind, so a case of red bull, cheetos, and pizza flown in hot from Chicago. Oh, and if Ms Sexy-with-a-badge over there isn't doing anything important I could use some *personal* help if you get my meaning. Now let's talk...er...decrypting video cards, I hear the new NVidia one is out and....
Slashdot, where armchair scientists get shouted down and armchair theologians get modded up.
If I were doing this kind of thing, I would probably store the sensitive files on an encrypted volume on a remote server in another jurisdiction, accessed via a proxy in a third, with a script that would securely erase it if I didn't log in for two days. Or, better, store it in battery-backed volatile RAM so that the whole thing can be completely erased with a single command as soon as it detects any kind of tampering.
I am TheRaven on Soylent News
That's actually pretty much a stretch. Your 'decent' lawyer would have to give some sort of proof that there was a second partition there. Something that TrueCrypt is pretty much designed to prevent. You can easily show the existence of the first truecrypt partition - it's there in the open. You can't prove the existence of the second partition.
I'm not sure a judge will buy 'because we didn't find what we were looking for' as a reasonable showing of proof that a second partition exists, and unfortunately, that's all the proof that exists. The formatting method and the processing method result in random data covering the entire partition block; as data is written to both the shown & hidden partitions, that data changes from random to encrypted. However the whole goal of the crypto data is to make it look random.
So you have potentially 3 blocks of random data each constructed with the same randomizing algorithm. How exactly do you show where one begins & one ends? How do you even show that the 3rd block exists? The whole purpose of the hidden block is to make it almost impossible to prove the existence of that third block. You literally are more likely to brute force the key than you are to prove the existence of the hidden partition.
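The claim that recurs in the comments above (a file of random numbers, an encrypted container and the filler of a volume all look the same to an examiner) can be checked with the byte statistics a forensic triage tool computes. This is an added example, not code from the thread or from TrueCrypt; the SHA-256 keystream cipher, the thresholds and the sample data are constructed assumptions.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.).
    Uniform data scores near 255; structured data scores far higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in cipher: XOR with a SHA-256 counter-mode keystream.
    Not TrueCrypt's cipher and not for real use; it only supplies ciphertext."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], block))
    return bytes(out)


def classify(data: bytes) -> str:
    """Label a blob from statistics alone (thresholds are illustrative)."""
    if shannon_entropy(data) > 7.99 and chi_square(data) < 400:
        return "random-or-encrypted"  # the two cases cannot be told apart here
    return "structured"


def build_samples(size: int = 256 * 1024) -> dict:
    """Three constructed inputs of equal size: text, its ciphertext, raw noise."""
    sentence = b"Meeting notes, constructed sample text for this example. "
    text = (sentence * (size // len(sentence) + 1))[:size]
    return {
        "plaintext": text,
        "ciphertext": toy_stream_encrypt(b"constructed-key", text),
        "random": os.urandom(size),
    }


def report() -> dict:
    """Entropy, chi-square and label for each sample."""
    return {
        name: (round(shannon_entropy(d), 4), round(chi_square(d), 1), classify(d))
        for name, d in build_samples().items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10s} entropy={row[0]} chi2={row[1]} -> {row[2]}")
```

The ciphertext and the random file land in the same bucket, which is why these statistics can flag a blob as worth a second look but cannot establish that a key for it exists.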
Use them, or loose your case.
And it runs around free! Wreaking havoc! Smashing in windows and stealing car stereos! Eating whole bags of Cheetos and vomiting them up into your dress shoes! I'll tell you -- there's nothing worse than a case that has been loosed upon the world. Those things are wild.
With any new law, it's always useful to ask yourself "How could someone abuse this, and victimize innocent people?" In this case, it's quite easy.
First, ask yourself whether you may have any files on your machine that you don't know about, or which you couldn't decrypt. For most people, the answer is quite simple: "Yes." For example, do you run a browser? That browser has a cache. That cache contains files in an assortment of formats. It's quite likely that you've never seen some of those files' contents (maybe just because you didn't scroll far enough down the page to see the content). And if presented with only the file without any context, you'd have no idea what app to use to display its content, or even whether you have such an app installed.
On my web site, I have a demo of a bit of javascript that downloads files but doesn't display their contents. The intended use is to "preload" files used in the rest of the web site while you're looking at the main page, so that subsequent pages render faster. I also point out how this can be abused: My demo page downloads a file that is never used in subsequent pages. This "hidden" file can contain anything I like, from any web site. It could contain child porn, copyrighted MP3 music, a proprietary program that you haven't paid for - or an encrypted text for which you don't have a key.
As far as I can tell, this law doesn't distinguish this situation. The contents of your browser's cache are on your disk. This will be "proof" to most judges and juries that you downloaded them. So by merely viewing my web page or any other that uses such javascript, you could be framed for possession of such files. What would be your defense?
The obvious defense would be to try to convince the court that you could have been framed in this fashion. But even if you succeed at this, similar things could be done to you by any number of other means. Do you have anything installed that contains "auto-update" code? Note that most browsers now do this. Firefox asks you if you want an update installed, and it's probably trustworthy. But we recently learned that Microsoft software sometimes installs updates silently, even when you have turned auto-update off. An auto-update routine doesn't install its files in a labelled "cache" directory. Files can easily (and reasonably) be installed in any directory that you can write. So if anything at all on your machine has an auto-update feature, anyone who knows how to trigger it can install any files they like on your machine. And you could be prosecuted for failure to deliver the keys to decrypt these files that you didn't know about.
Almost every government contains people whose job includes finding ways to frame perceived "enemies" when the top people want. They won't have that as their job description, of course, and usually they are really working for the top officials or for a political party. This sort of law makes their job really easy, especially now that we have widely-used software such as browsers with caches, auto-update packages, and other things that download files without always telling the user about it.
To comply with this law, you had better be prepared to decode every file on your disks, including those that belong to any proprietary apps that you may have installed. If there's a single file anywhere on your disk that you can't convert to a human-readable form, you can be jailed for violating this law.
It's always a good idea to ask yourself "How can this be abused?"
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
How can this result in any problem for anyone since you could easily say: I can't give you the encryption key as that information would incriminate me. This is in fact why we have the 5th amendment (in the US anyway).
Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.
Well, duh. Private companies make money, government takes money. It's a perverted extension of "If you can't do, teach."
But, you could argue that the "takers" are the really smart people...
DATABASE WOW WOW
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
I believe that somebody got off the hook by using this a few weeks - a month ago.
So I'm going to be put in jail because I forgot my key due to all the emotional stress of being investigated?
---- Booth was a patriot ----
If you have that kind of access to the computer, then you would have also had enough access to do keylogging for the password, and the issue would be moot.
The only scenario I can possibly see where that would help you is if you had incremental backups. But then again, you may just be blowing away the partition & rebuilding it as you change projects/finish getting your latest pre-release movie/etc.
When you initialize your encrypted disk space, you tell Truecrypt how many containers you want. Say that you choose 2. When you mount your Truecrypt drive, you must always mount both containers. In this way, Truecrypt knows and can maintain integrity between the two--they won't start to overwrite or corrupt each other, because they are both known about and available. If you ever only give the first key (you can't just give the second key, as the second container is entirely within the first) then you run the risk of corrupting the second container--in fact, any write operation will probably do it.
Now you can choose more than just two containers, and the same applies. One thing I'm not sure of is whether the third container is fully within the second. None of this, however, helps in hiding the existence of a PGP key. If your opponent has access to your email servers and can see you sending messages encrypted by PGP you're gonna have some explaining to do when it comes to investigation time. I don't know of any steganographic programs with plausible deniability that are out at this time. If anyone's heard of any please let us know. Even this has some subtle nuances.
If I am sending encrypted mail using PGP, I'm using someone else's PGP key. I don't have to have a PGP key myself in order to do this. If someone else is sending me encrypted messages, they could be sending it using anyone's PGP key--it's only obviously my key if it's provable that I've read the messages. For example, Alice could encrypt a message using Bob's public key, and then send that message to Charlie in an effort to frame him. Charlie gets the junk message and deletes it, but the feds who were wiretapping Charlie come in and demand to know what was in the message. Charlie can't answer--he has no idea. So he gets 2 years in prison from the RIPA act.