Slashdot Mirror
UK Court Rejects Encryption Key Disclosure Defense
truthsearch writes "Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled. The case marked an interesting challenge to the UK's Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive. The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination. In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will."
Hey ho
I wish the US Supreme Court was that smart.
Protection from self incrimination was to prevent confesions under duress or torture.
I don't see the difference between refusing to turn over an encryption key and refusing to let the police in your house when they have a valid search warrant.
Oh noes! You police can't come into my meth lab. Me letting you in would be self incrimination!
if it is physical, can't they just take it off them? i guess it is will. that barrister sucks.
Memorised encryption keys exist outside of your will?
I'm sure the number exists somewhere out there, good luck finding it by brute force.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Suppose some incriminating evidence exists but it is hidden in a secret location. Can you be forced to disclose that location?
If not, then why not store your encrypted data on a huge partition of random data. To get it you need both the key and the location of the data. The latter you can simply refuse to disclose.
-- Ed Avis ed@membled.com
Obviously then, the way to prevent the cops from knowing about your encrypted data is to hide it from them. If they don't know about the encrpyted file, they can't ask for the password.
Two ways, plausible deniability (if you haven't heard of TrueCrypt yet, check it out>) is the way that most of you will use.
The other way is physically hiding the disk. Have a garden that you use, and store your data in multiple plastic bags and bury it.
The other thing you could do, have a strong magnetic field that is triggered in certain scenarios that will wipe your box of floppy disks/hard drive. Example scenarios include the cops breaking down the door, or the door being opened without a button being pressed.
I wank in the shower.
Why these jokers didn't say i forgot i will never know.
I mean how hard is it to NOT self-incriminate oneself: Say you forgot. Just like every other government official says after losing a laptop full of Witness Protection persons or intelligence officers, etc.
They can't compel you to recall something you don't remember.
Simply say "iam sorry i can't remember: my memory is a bit hazy from all the manhandling the cops did, your honor."
What's the worst? Gitmo? I don't think so (although Britain has a track record of renditioning suspects to US).
At a time when courts and the government make a combined assault on our privacy and rights, while being more secretive themselves, it is up to us protect ourselves. Call me paranoid, but am the Burt Gummer type.
The Government has NO right to force me to divulge my self-secrets just like i can't force a government of the people, by the people and for the people to divulge its dirty secrets.
I can't be transparent when the Government wants to be opaque.
After all it has been proven that the Government cannot be trusted even with the most basic secrets.
What is the criminal penalty for jokers who lost various laptops holding government secrets and OUR data? NONE.
What is the financial and criminal penalty the Government will pay if it causes me harm by leaking my secrets? NONE.
Until the Government pays for its mistakes(and heavily), am not going to divulge anything more to it. After all the Government am not trusty enough to know about its secrets, so why should i trust Government.
Ben Franklin, Hamilton and Mark Twain were absolutely right: You CANNOT and SHOULD NOT trust the government, if it doesn't trust you.
You can take my keys from my cold dead hands.
"Doing what i can, with what i have." ~ Burt Gummer
Create an encrypted file. A lolcat or something. Encrypt it. Encrypt it again. Encrypt it again. Encrypt it again. Encrypt it again. And so on... See how long it takes for the police to get bored. You would need some decent legal representation to make sure to keep a loophole open so they can't demand all encryption keys.
Firstly, this doesn't mean that the police can come and demand your encryption keys at any time. This isn't the US, where the police can kick your door in at any time for any reason, just because they feel like having a look at your stuff and maybe relieving you of a few high-value items. If they're looking for an encryption key, it's pretty much going to be because they've already had a warrant to search your property. It really *is* no different to being forced to hand over the key to the basement dungeon where you keep your step-daughter - chances are that they already know what they're looking for and where to look for it.
Of course, if you don't feel like handing it over, you can always say you left it on a bus, or in a taxi, or you posted it somewhere and it was never seen again...
We have not yet sorted out if software is a service or a commodity: if it is the latter then the '==physical key"-conjecture might hold; if a service then it is all in the mind...
It seems the judge did not ask for, nor got sufficient evidence, which points to ($#@$ stupid) lawyers/barristers representing the cases.
My gut feel is, apart from this miscarriage of justice, that the issue can only be resolved by investigating the intentions for encryption: if that intention was to protect the data from perusal by others, then this falls clearly under the gambit of "the privilege against self incrimination".
time time everywhere and not a second to spare
I am not a lawyer and this is not advice, but I did consult on the RIPA.
If the encryption key is destroyed by a pre-configured ``technical measure'' then by my reading of the Act one cannot be held in contempt for failure to disclose.
For example, a dead-man's switch that destroys all traces of keys if the owner does not log-in for a pre-arranged number of days.
Note that *all* traces must be destroyed. The Act can compel other parties ( e.g. work colleagues or holders of back-ups ) to disclose even if they are not directly involved in the case.
I would suggest employing >i>steganography, instead.
Yahoo! Pipes are awesome. How awesome? http://pipes.yahoo.com/jesdynf/slashdot
If I'm the defendant, I'm simply going to assess which is worse:
1. The punishment you'll get for not divulging your encryption key
2. The punishment you'll get when you divulge your encryption key and they find 18 gigs of child porn on your computer
Depending on the encrypte data in question, the decision whether to divulge your key could an easy one.
Tsk. I would suggest to you employing the Preview feature to ferret out HTML errors.
Our country doesn't make the same promises about liberty in a single document which all our countrymen regard as some kind of holy scripture. It is the American attitude of how you are all in the "land of freedom, better than all other nations in every way" that makes your massive overreaction to one terrorist attack so ironic. It's like a kid vowing to never go back to school again because a bully once stole his lunch money.
I don't mean any disrespect to those who died in 9/11, but people are dying all the time from accidents, disease and natural disaster. Wasting all the money you have on going to war in Iraq and Afghanistan when in fact it was a terrorist organisation and not a single country that attacked you, is pretty dumb. If you go around spending billions attacking everyone that you feel slightly threatened by, you'll end up in financial meltdown... oh, wait...
An encryption key is separate from a physical key, because no one can reliably prove if I still have it or not. Physical keys I may have hidden or swallowed can be found or the locks picked open. But for strong encryption, this is not feasible and the defendant might very well have forgotten the passphrase and never remember it.
What will They do when the defendant claims to have forgotten their key? (capital "They" intentional for Them being Orwellian monsters) - No one can ever prove or disprove that the passphrase still exists in the defendants brain cells, not the accuser and not the accused.
And then? Sleep deprivation? Torture? Guilty unless proven innocent? In dubio contra reo?
Releasing the defendant is under this view obviously unfeasible, because otherwise EVERY defendant would claim to have forgotten the passphrase, which would render this judicial scheme moot. But NOT releasing a possibly innocent defendant because they really have forgotten their passphrase - and no one knows whats inside the encrypted files - is a serious crime in itself.
I doubt there's a possible solution to this problem. Keeping people in prison for even one day because of abstract words that *possibly* exist in their minds (and only there) is pretty laughable - and pretty dangerous.
Something that no human and no machine can reliably prove or disprove cannot be the basis of a prison sentence. In the Western civilized society after the Renaissance era anyway.
Also, this is stuff from the darkest dystopian novels and can be misused in thousands of ways. We've all heard rumors about cops who place contraband in a defendants pocket or house. But that takes at least physical access to a contraband item.
But encryption keys that may not even exist anywhere? It is ridiculously easy to incriminate people that way, say for example to create a file containing several megabytes from /dev/random. Name it "pre-teen_volume_320.7z" and send it via mail to the defendant with a fake note "here's the 320th delivery of your stuff, you pervert and the password is the same as last time. the photos of your kids were nice, too".
And then? No one can distinguish between random data and well-encrypted data. No one can prove the defendant does NOT know the "password" to this "encrypted" file. Will They let them go or will they be imprisoned and tortured forever until they "remember" the nonexisting password or simply confess to having had intercourse with the devil?
Your logic is flawed, my locking/hiding the door to my dungeon where I keep my daughter is to stop me incrimincating myself by her being found. ALL criminals hide data from the sight of others to stop them from showing their criminal activities.
If you accept that the police under the rules of law can demand access to things then this includes digital data. I have always been loath to see the internet and computers in general as some kind of new world where we can have a different set of rules. If I can be ordered to hand over my swiss bank account number (just a number for a service) then so can I be ordered to hand over the key to my encrypted files.
If you want to change it, chance ALL the laws related to the gathering of evidence. No cyber laws, just laws.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Perhaps this was the crux of the problem, they used a defence of suggesting if they hand it over it would be self-incriminating?
Wouldn't a better defence have been to suggest that the data encrypted was entirely irrelevant to the case. Wouldn't it then be up to the police to actually do some police work and prove otherwise?
By using a self-incrimination defence it's effectively admitting, yeah you've got some data that's evidence locked up but you're not handing it over. Surely it's better to simply just deny the encrypted data is relevant to the case or even that you've no idea what that encrypted data is. Hell, claim it's your own personal copyrighted works or some trade secrets and get them to prove to a court either that it's not or that they need access to said private content. I'd have thought both of these would put the burden on the police to do police work in an ideal scenario.
That said, Labour's totalitarian regime doesn't follow the ideal scenario mindset and innocent until proven guilty means nothing anymore so I guess either way these people were screwed.
If the people are guilty then it's great they've been caught, but the way they go about reach the goal is entirely unacceptable and comes down to one thing - the police are too damn lazy to actually do any police work nowadays. It's all about abusing various laws and technologies Labour has handed them which they really shouldn't have.
Say the passphrase was something like "I am going to kill the Queen", or maybe just something against a company policy eg if the passphrase was "my company's root admin password is JaBB3erw0cky". (I can't think of better examples right now, I'm sure something must be illegal to say in the UK? - other than "Lloyds is pants" of course)
By being forced to say the passphrase, in effect the government is forcing you to break the law, or reveal company secrets. I wonder what would happen....?
Um, I'm A UK citizen and on my last visit to the US (september 2007) I had my fingerprint scanned. So the US is also using biometric scanning of visitors.
Hmmm, you must be American or you have never travelled to America. "Mandatory biometric scanning" would include taking your fingerprints or a photograph? Both have been in place for visitors to America for years now: "US-VISIT".
I read a while back about mandatory biometric scanning of tourists
I'm really hoping you aren't a US citizen as getting into the US now requires the scanning of all your fingers and of course the answering of the 7 stupidest questions in the history of questioning.
The bio-scanning stuff is a pain in the arse, but its unfortunately not a UK invention, it started in the US for "Security" reasons. You also now have to have a printed out copy of your itinerary (like that would be hard to fake) as an electronic copy on a PDA or laptop just isn't good enough.
An Eye for an Eye will make the whole world blind - Gandhi
"A warranted police search of your meth lab does not require any consent on your side - that's what the warrant is for. they will just break down the door and go on with the search."
That's true, but....
If my door was two inches thick steel and required an hour or so with a cutting torch to open...
Then you'd be looking at obstruction of justice, disobeying a lawful order, and destruction of evidence because they ain't finding a damn thing after two hours.
Exactly when did they start to go insane?
Once I would have like to go there. Now it sounds like an Orwellian nightmare. Cameras everywhere (that happen to be "malfunctioning" when police hold down an unarmed, ticketed Brazillian subway passenger and shoot him in the head multiple times). Laws passed monitoring all communications. No privacy. Jail sentences if you will not or cannot tell them an encryption key.
This is the kind of shit they would tell us about Russia during the cold war.
Who's getting rich and who's gaining power through this?
I think it is safe to assume they will make a copy of your HD. Your thumb 'trick' is a great way to get screwed for attempting to destroy evidence or something like that.
It's amazing how many of the draconian, rights-reducing laws drawn up by democratically elected representatives get knocked back by the House of Lords, an un-elected body.
The Lords can alter Bills before Parliament, but are also the last appeal court (before going to the European Court of Human Rights).
Let's hear it for a benevolent oligarchy!
The first thing a computer forensics person would do is take one or more copies of your hard drive and work from that - for the very reason you were talking about, in case there's some logic bomb they don't defuse.
So you wipe the files, they make another copy from their backup, waterboard you for a while, and try again :)
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
anyways don't more people die every year due to NUTS than terrorism?
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety" ... sadly very true... So now we have two UK Big Brother bits of news in one morning. Oh what a time to live in the UK. But in the end, it doesn't just affect the UK. It will eventually apply to every country, because...
... My point is, the names in history change and the names of their ideologies change. But what remains is basic human psychology and that doesn't change. The lack of empathy of the ones in power over their powerless minions never changes. For all their words, its only their actions which count and millions now face loosing their jobs and millions are treated unfairly by the ones in power. In such a world, its no surprise that the ones in power would want to watch their minions very closely. After all, people could start to complain its getting all to unfair. But we cannot have that. We need ever more laws to protect the ones in power and ever more laws to keep the minions down and away from power.
Unfortunately most people fail to see the connection between lists and any danger. The lists are being made to influence people who speaking out against the ones in power. But most people fail to see the danger of giving the power seekers ever more data to mine on everyone. Knowledge is power and the ones in power seek the use that knowledge to prevent people standing against their point of view.
With ever more detailed lists on peoples views, soon we end up with people fearful of what they say on the phone and in emails, for fear of their views could even just risk being taken out of context and in any way critical of the people in power. At that point, the ones in power are influencing people directly.
At that point, we live in a police state, where freedom is gone and replaced by fear of the ones in power. Problem is, we are getting there now, and from here on out, its simply a matter of consolidation of ever more detailed data mining. The central reason why centuries ago votes were made in secret, was to prevent the ones in power, from seeking to influence the voters. Yet the power seekers are forever seeking to game the system to gain ever more information on peoples opinions. Now the ones in power are building automated systems to influence people.
Throughout history its been shown time and time again that the ones in power become ever more corrupt over time without any feedback on how they are behaving. Its been show so many times through history.
Most people don't realise the game people in power are playing. People in power are not so interested in individuals. The ones in power are interested in adding everyone to different lists so they can then control and profiling groups of people, so they can then use divide and conquer tactics, to break groups of people up. The goal is that the fragmented groups cannot then stand and oppose the point of view of the ones in power. That is why they data mine.
The lessons of history have not been learned by enough people. Looks like the world is seeking to repeat the mistakes of the past. Freedom and democracy are constantly undermined by a minority of people in power for their own gain. Its just a matter of time and how far we are going to let them all game the system to push the excesses ever more unfairly in their favour. After all, its not as if they are robbing hundreds of billions of tax payers money to keep their rich lifestyles while millions risk loosing everything.
Anyway, if the millions of people can't buy bread, then let them eat cake.
The world will never change until everyone worldwide realises that people who constantly seek power over others have a recognisable cluster B personality disorder. All cluster B personality disorders are ultimately driven by fear. And the ones with the disorder constantly seek to control that fear and control everyone around them based on their fear. (There are multiple fears, two examples are lack of a
There are 10 kinds of people in the world... those who understand binary and those who don't.
The Taliban regime in Afghanistan openly supported Al Queda training camps used to prepare for the 9/11 attacks. The original Bush Doctrine (you know, before there were 30 of them) stated (more or less) that a government that supported a terrorist organization is as illegitimate at the terrorist organization itself. This was a Good Reason for removing the Taliban, and indeed we did so with strong support from the civilized world. (After 2001, of course, we threw logic out the window, but that's a different tale.)
By your logic, spending money to find a cure for a rare disease is "pretty dumb", since a lot more people die from other causes. I believe that your logic is faulty. It makes sense to address all of the causes of harm, as cash permits. To a person of my Libertarianesque perspective, that means the causes for which people are willing to spend their own cash, of course - including cash taken in taxes - but not my grandchildren's cash. A government that is trillions of dollars in debt ought to be horsewhipped and put on a very tight budget until they pay their debts - but again, that's a different tale.
Don't be ridiculous. The problem isn't that people can't resist, the problem is that they don't. They don't care. Giving every person in the UK a gun is not going to change anything.
This equation is true all over the world.
They're complementary. Help yourself.
It is also about avoiding catch-22s. The problem with requiring self incrimination is it can lead to a situation where they can lock people up for no reason. They charge you with a crime and say "Confess to this crime," you say "I didn't do it," they say "Refusal to testify against yourself is against the law, we are going to lock you up until you confess." So that is one important reason for the 5th amendment, it avoids situations like that.
Well encryption keys fall in that category. There are three important cases I can think of:
1) You forgot the password. This happens. I deal with many password reset requests a year and this is for computer/e-mail accounts that people use on a regular basis. If these people can't remember that, I find it extremely reasonable to assume they'd forget the password to an encryption volume they don't often use. Well, if you can go to jail for refusing to disclose your key, then you can go to jail for being forgetful.
2) A file that isn't yours. Your computer gets hacked, or someone you know uses it without your permission. Whatever the case, an encrypted file gets stuck on your computer that isn't yours. You can't had over the key, you don't know it. However there's no way to prove that so you go to jail.
3) Random data. Good crypto is nice and random. You can't distinguish it from other random or pseudo random noise. So you have a random file on your computer, or maybe just random data that there is a deleted file record for (as in there was a legit file there, it got deleted, it's space has now been overwritten by garbage). You can't prove it isn't encrypted data so you go to jail.
So I see encryption keys as very relevant under 5th amendment protection. We do not want a catch-22 situation where police can lock you up indefinitely just because they find something that looks encrypted.
... my encryption key consists of a complete confession of my latest crime plus GPS coordinates of where I've buried the evidence. I'd definitely be incriminating myself by divulging it, so I won't.
That's why it's far better to create hidden, encrypted containers, using Truecrypt's plausible deniability. If the cops see your whole HD is encrypted, it's pretty obvious, and they will want to see what's on it because then they start suspecting you have something to hide. But if you have a file called C:\Documents and Settings\Application Data\kb2357334.dat which is in fact a hidden Truecrypt volume, first they'd have to find the file, and then think that it may be encrypted, which is a chance in a million, so you're so much safer.
Most people don't realise the game people in power are playing. People in power are not so interested in individuals. The ones in power are interested in adding everyone to different lists so they can then control and profiling groups of people, so they can then use divide and conquer tactics, to break groups of people up. The goal is that the fragmented groups cannot then stand and oppose the point of view of the ones in power. That is why they data mine.
Now replace "the people in power" with "everyone". Give a few days thought for the very obvious but highly non-trivial fact that you yourself are part of "the people in power", and how you, nor anyone else, will do better.
Because let's not kid ourselves. The more "progressive" a government, the more it progressed in the UK in placing surveillance. This is not to say the tories did not do it too.
They did it less, and that's all we can hope for in the real world.
.
No they don't.
The procedure is the same:
The judge will decide whether the demand for the key is legitimate. The judge will decide whether it is reasonable to believe you can produce it.
That is "due process."
If his answer to both questions is "Yes" then you can either cough up the key or reconsider your options from inside a 6x8 cell.
Comment removed based on user account deletion
Over here in Sweden TV8 showed "The Anti-American" talking about how various european saw at USA. They talked with people in Poland, France and the UK. Maybe there was some italians or something to.
Very interesting and it somewhat made me feel bad for saying stupid things about USA sometimes. Then french people was the most funny one talking about how everyone in USA except in NY was rasists and also how to keep the american culture and english words and influences out of their country.
Yeah right, because french people are so open minded when it comes to influences themself? And they don't think everyone should learn french? Hillarous.
The polish people really liked you and looked up against you, seeing america as the saviour against everyone invading poland. And the UK as your strongest ally obviously like you to except they want to be the imperial worlds #1 force and not just follow lead as it is now :)
Sure we complain about your wars and playing world police, but in the end us europeans and everyone else always wait to long and do to little so I guess it's good that USA step in and fix up the crap, even if it's not a really democratic decision.
The sad part is that you just step in where you have something to gain from stepping in, so problems in countries where you don't gain anything from interfering nothing will happen. But that's fairly understandable in general to.
Oh, and they talked about how Europe, china (?) and especially japan needed the oil from the middle east region much more than USA but didn't helped to keep it political stable and keep the oil flowing. We just took the benefit without helping. Japan can always blame it on how they are pacifists. And also how you could have got the oil real cheap anyway so they argued that wasn't the factor, at least not egoistic and just for your own sake.
Anyway, interesting program.
Yeah right, because french people are so open minded when it comes to influences themself?
The French have a cultural inferiority complex regarding anything from the Anglosphere. They feel that the French language and culture deserve the same recognition on the World stage as the Anglo-Saxon language and culture. They can be amazingly hypocritical at times -- our actions as the "world cop" don't even come close to the atrocities committed by the French in Algeria or Vietnam. I do always find it amusing that they accuse us of imperialism while forgetting about their own history though.
Oh, and they talked about how Europe, china (?) and especially japan needed the oil from the middle east region much more than USA but didn't helped to keep it political stable and keep the oil flowing.
This is the part that amuses me the most. We get most of our oil from Canada, Mexico and Venezuela. Keeping the Middle East stable is less for our benefit and more for the benefit of the countries that you mentioned. Funny how people never that.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Maybe the situation here is more dire in the UK, but I don't think your claim holds true for the US (and, absent statistics, it makes me doubt that it holds true for the UK):
Ah, but he said "falling" vending machines.
That would not be classified as a vending machine fatality, but rather an industrial freight fatality. The real statistics are hidden.
I blame the labour party : )
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Back on topic... (where I Will Be Read)
I remember some years ago, a hacker group forged an e-mail that seemed to come from the minister who had proposed that very same law. It was ncrypted in RSA-512 or something that level, and then they reported the minister to the police, saying he was in touch with criminals (that word had not been replaced by "terrorists" yet). He evidently could NOT prouce the key, and the law was scrapped.
With politicians having no memory whatsoever, I think someone has to do the very same thing every time... Let's try the judge who ruled this.
Making laws based on opinions that stem up from false informations leads to witch hunts.
Wasting all the money you have on going to war in Iraq and Afghanistan when in fact it was a terrorist organisation and not a single country that attacked you, is pretty dumb.
That is blatantly unfair. We are not wasting all the money we have. We don't have nearly that much money - We're wasting money we don't have.
He's getting rather old, but he's a good mouse.
Mental note: Use a key that gets distributed among several confederates and that I retain no personal knowledge of, other than a small piece. It will at least distribute the risk. Retain only a small portion of the key for myself, and store it in an obscure place.
Program Intellivision!