UK Court Rejects Encryption Key Disclosure Defense
truthsearch writes "Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled. The case marked an interesting challenge to the UK's Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive. The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination. In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will."
Memorised encryption keys exist outside of your will?
I'm sure the number exists somewhere out there, good luck finding it by brute force.
Patents Drive Free Software as Hurricanes Drive Construction Industry
How is locking somebody up for a full year in a prison cell because they do not give up the encryption key, claiming they don't know it, other than torture?
In short, how is it different?
The US has already ruled you can't be forced to give out an encryption key.
It's nice having a Bill of Rights, ain't it?
Laugh at all the British who say such a thing is unnecessary.
Our country doesn't make the same promises about liberty in a single document which all our countrymen regard as some kind of holy scripture. It is the American attitude of how you are all in the "land of freedom, better than all other nations in every way" that makes your massive overreaction to one terrorist attack so ironic. It's like a kid vowing to never go back to school again because a bully once stole his lunch money.
I don't mean any disrespect to those who died in 9/11, but people are dying all the time from accidents, disease and natural disaster. Wasting all the money you have on going to war in Iraq and Afghanistan when in fact it was a terrorist organisation and not a single country that attacked you, is pretty dumb. If you go around spending billions attacking everyone that you feel slightly threatened by, you'll end up in financial meltdown... oh, wait...
A warranted police search of your meth lab does not require any consent on your side - that's what the warrant is for. They will just break down the door and go on with the search.
Same with the safe in your lab: you can either give the police the code for your safe, or refuse and watch them breaking it.
Why is your encryption key any different from the safe/door you have?
*cough*Gitmo*cough*
Yeah, we'll laugh at them as soon as we're through laughing at the US for letting their bill of rights be trampled in the name of security.
Freedom must not only be won, it must be protected. Fail to do so and what's coming to you is solely your own fault.
> Why is your encryption key any different from the safe/door you have?
It isn't. I'll just stand back and watch them break my 256-bit AES...
Not everything that can be measured matters; Not everything that matters can be measured.
It gets worse.
Theory: with a good encryption program any encrypted data should look random.
That truecrypt volume should be impossible to tell from a file I've created with
cat /dev/urandom > file
So you could type that very command and 5 years later they ask for your encryption key...
Key?
To jail with you!
Same goes for any random/semirandom data you have which has no mime type.
Now I'm willing to bet there are programs which can take a photo album and hide an encrypted volume in the least significant bit of the pixels, how would law enforcement deal with that?
"GIVE US THE KEY!"
"but but but... what do you want the key to..."
Long story short, if you live in the UK and own an electronic data storage device you can now be thrown in jail for no reason at all.
I read a while back about mandatory biometric scanning of tourists
I'm really hoping you aren't a US citizen as getting into the US now requires the scanning of all your fingers and of course the answering of the 7 stupidest questions in the history of questioning.
The bio-scanning stuff is a pain in the arse, but it's unfortunately not a UK invention, it started in the US for "Security" reasons. You also now have to have a printed out copy of your itinerary (like that would be hard to fake) as an electronic copy on a PDA or laptop just isn't good enough.
An Eye for an Eye will make the whole world blind - Gandhi
Can I interpret that as being a valid defense if my encryption keys are all derived from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0..
> It's nice having a Bill of Rights, ain't it?
> Laugh at all the British who say such a thing is unnecessary.
Who are all these British who say such a thing?
Britain has got a 'Bill of Rights': the Human Rights Act, which guarantees free speech, right to a fair trial (including the right not to incriminate oneself), etc, etc. This act formally enshrines rights that we've had under common law for centuries (eg, Habeas Corpus).
The fact that this court (not the highest in the land, mind) has chosen to interpret an encryption key as not covered under the right not to self-incriminate does not alter the fact that we also have constitutional rights.
So laugh away at your mythical British who say they don't need anything like the Bill of Rights.
Disclaimer: I think Britain is royally fucked anyway.
This is a genuine distinction between passphrases and other information they might want you to reveal.
This is not a distinction that should ever come into play however. Punishing a person for not doing something that might be completely impossible for them to do is wrong.
Fuck the system? Nah, you might catch something.
My thoughts exactly. People seem to get all pissy when I say something like "if you don't have the balls to protect your freedoms, you don't deserve them". I'm not a regular protester at any events or anything like that, but I'd rather be shot for defending my freedom than live to see it gone. Not that I believe privacy exists anymore. The whole world was too slow to act in learning about and defending their privacy in a new technological age. Sure, there were a few technologically aware people with a small voice that was easy to push aside. Too late, privacy's gone. Only way to get it back is to lay your own global network in secret and hope the governments of the world never hear about it.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
It's amazing how many of the draconian, rights-reducing laws drawn up by democratically elected representatives get knocked back by the House of Lords, an un-elected body.
The Lords can alter Bills before Parliament, but are also the last appeal court (before going to the European Court of Human Rights).
Let's hear it for a benevolent oligarchy!
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
anyways don't more people die every year due to NUTS than terrorism?
I don't see the difference between refusing to turn over an encryption key and refusing to let the police in your house when they have a valid search warrant.
It is much more like refusing to tell the police where in your house the contraband is hidden, or if there is contraband at all, and being put in jail because of your refusal.
I gotta disagree there. In the article it states:
>>>In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will.
If a presumed-innocent person drops an actual key into a hole-in-the-ground, and refuses to divulge its location, the police can't incarcerate him simply because he refuses to say where it's located. That's loss of liberty without due process. They have to let him go.
And they can't use torture to try to force the hidden location out of him either. The man might be completely innocent and have no clue where a key exists, and therefore unable to reveal the location, even under threat of one year imprisonment.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
You seem to grossly miss a point: a password might easily be really forgotten. Ever happened to you?
How would you, as a lawmaker, fairly address this situation?
Put everyone in jail, just to be sure to catch the deceitful villain, too?
Exactly.
It's just a power grab.
1:Encrypted data can be hidden within random data.
2:Encrypted data can be hidden within normal data such as the least significant bit of your family photos.
3:Encrypted data can be hidden on a seemingly "empty" drive.
4:It is impossible to prove with certainty any of the above situations as opposed to 1:the data actually being random, 2:there being no data hidden within the normal data, 3: a drive really being empty.
5:If the police think you have encrypted data you must give up the key or go to jail.
Result:If you live in the UK and own any form of electronic storage you can be jailed at any time.
The Taliban regime in Afghanistan openly supported Al Qaeda training camps used to prepare for the 9/11 attacks. The original Bush Doctrine (you know, before there were 30 of them) stated (more or less) that a government that supported a terrorist organization is as illegitimate as the terrorist organization itself. This was a Good Reason for removing the Taliban, and indeed we did so with strong support from the civilized world. (After 2001, of course, we threw logic out the window, but that's a different tale.)
By your logic, spending money to find a cure for a rare disease is "pretty dumb", since a lot more people die from other causes. I believe that your logic is faulty. It makes sense to address all of the causes of harm, as cash permits. To a person of my Libertarianesque perspective, that means the causes for which people are willing to spend their own cash, of course - including cash taken in taxes - but not my grandchildren's cash. A government that is trillions of dollars in debt ought to be horsewhipped and put on a very tight budget until they pay their debts - but again, that's a different tale.
It is not different. If they have a warrant, they are free to forcefully break down the encryption, just like they are free to forcefully break down the door to your house.
Lucky for us Americans, a subpoena can not force you to testify against yourself. It's a Constitutional right written in black ink and cannot be revoked by any mere subpoena.
FOX NEWS.com should be BANNED from television and internet. Have the Congress take it over and give us Truespeak.
A duress-key that wipes data is no good. Any serious investigation will take a complete copy of the data as the first step, so wiping does you no good at all.
What you can do, and which is done, is to have "plausible deniability". Truecrypt does it like this:
You have a 1GB (for example) file that contains an encrypted filesystem that contains 500MB of files.
The free space (500MB) *may*, or may not, contain a second encrypted filesystem. There is no way to tell without knowing the second "inner"-key.
So, if pressed to give up the key, you give up the outer key, giving access to 500MB of perhaps mildly embarrassing, but ultimately harmless stuff. If asked about the "inner"-key you say there isn't one. The default operation of Truecrypt is for there NOT to be one.
So, it's plausible you're telling the truth; could be the volume is larger than the filesystem simply because you wanted space for more files. It's not as if a half-full filesystem as such is suspicious.
It's unlikely they could force you to give up certain information without even showing a likeliness that the information EXISTS.
That's "plausible deniability".
You can say: "There is no second key", and there is no way of figuring out if that answer is truthful or not.
It is also about avoiding catch-22s. The problem with requiring self incrimination is it can lead to a situation where they can lock people up for no reason. They charge you with a crime and say "Confess to this crime," you say "I didn't do it," they say "Refusal to testify against yourself is against the law, we are going to lock you up until you confess." So that is one important reason for the 5th amendment, it avoids situations like that.
Well encryption keys fall in that category. There are three important cases I can think of:
1) You forgot the password. This happens. I deal with many password reset requests a year and this is for computer/e-mail accounts that people use on a regular basis. If these people can't remember that, I find it extremely reasonable to assume they'd forget the password to an encryption volume they don't often use. Well, if you can go to jail for refusing to disclose your key, then you can go to jail for being forgetful.
2) A file that isn't yours. Your computer gets hacked, or someone you know uses it without your permission. Whatever the case, an encrypted file gets stuck on your computer that isn't yours. You can't hand over the key, you don't know it. However there's no way to prove that so you go to jail.
3) Random data. Good crypto is nice and random. You can't distinguish it from other random or pseudo random noise. So you have a random file on your computer, or maybe just random data that there is a deleted file record for (as in there was a legit file there, it got deleted, its space has now been overwritten by garbage). You can't prove it isn't encrypted data so you go to jail.
So I see encryption keys as very relevant under 5th amendment protection. We do not want a catch-22 situation where police can lock you up indefinitely just because they find something that looks encrypted.
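As an added illustration (not part of the original thread): the claim made in the comments above, that good ciphertext cannot be told apart from a file filled from /dev/urandom, checked with two standard byte-level statistics. The toy SHA-256 keystream cipher stands in for a real cipher such as AES, and the sample text, key and seeded random generator are constructed for the example.

```python
import hashlib
import math
import random
from collections import Counter


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || offset) blocks.

    Stand-in for a real cipher such as AES; for illustration only.
    """
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], pad))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.

    With 255 degrees of freedom, uniform data scores around 255.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def build_samples(size: int = 65536) -> dict:
    # Constructed inputs: repetitive text, its ciphertext, and plain noise.
    text = (b"Quarterly accounts, holiday photos and letters to the bank. " * 2000)[:size]
    rng = random.Random(2008)  # seeded stand-in for /dev/urandom, reproducible
    return {
        "plaintext": text,
        "ciphertext": keystream_encrypt(b"constructed-demo-key", text),
        "random": bytes(rng.getrandbits(8) for _ in range(size)),
    }


def report(size: int = 65536) -> dict:
    """Map each sample name to (entropy, chi-square)."""
    return {name: (shannon_entropy(d), chi_square(d))
            for name, d in build_samples(size).items()}


if __name__ == "__main__":
    for name, (h, chi) in report().items():
        print(f"{name:10s} entropy={h:.4f} bits/byte  chi2={chi:.1f}")
```

The plaintext stands out immediately, while the ciphertext and the noise both sit at the uniform baseline: the statistics can say "high entropy" but not "encrypted".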
> You seem to grossly miss a point: a password might easily be really forgotten. Ever happened to you?
nope, because 'biscuit123' is really easy to remember, and totally secure, because letters and numbers == strong, plus no-one would ever think of it.
See, some of us have the clevers.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
... my encryption key consists of a complete confession of my latest crime plus GPS coordinates of where I've buried the evidence. I'd definitely be incriminating myself by divulging it, so I won't.
A lot of things were lost when the use of the SSN was required in order to participate in the financial system. Interestingly enough, when the system was brought about, people protested that very thing and it was written into law that the SSN could only be used for the purposes of tracking your social security account. The IRS ignored it (though you can request a tax ID), employers ignore it, banks ignore it, the whole system ignores it.
This isn't technology at play. It's something else.
Now you can't have a normal life without participating in this system; without allowing your transactions to be tracked.
Now that's a good idea.
Evildoer:"my password your honour? you're asking for my password?"
Judge: " Yes, give me your password now!"
Evildoer: "ok, the judge can suck my cock, all lower case."
Judge: " What? I'm going to throw you in jail for contempt!"
Evildoer: " No that's my passphrase, then the second one is " The faggot judge likes to lick prisioners underwear, with a capitol T on the."
Judge: " How dare you!...."
Evildoer: " you want my email passphrases too?"
If you think you're ever going to jail, make the passphrases something that will be your own version of shock and awe in the courtroom.
Do not look at laser with remaining good eye.
I prefer a password of "I'm sorry, I can't remember it!".
So when the cops ask, I can tell them.
Only if you care about civilian casualties.
As for finding terrorists, they're too useful. I don't mean in a conspiracy theory doing the government's bidding way. I mean they can be used to raise political capital.
Let's take the example of ETA in the Basque country of Spain. Every time there's a scandal or some big fuckup by senior government officials there just happens to be a crackdown on ETA members shortly after. Oil tanker disaster = crackdown. Senior official sex scandal = smaller crackdown. With lots of headlines about all the ETA members arrested pushing the scandals off the front page.
It's well known that the authorities in Spain keep tabs on most of the organisation and could probably round up most of them overnight if they really wanted.
The heavy handed way they treat it only serves to increase the number of recruits, the organisation would have faded away to almost nothing if the Spanish government didn't intern people and fuck up their lives as part of this.
Now I wonder if there are any parallels with how the US runs its own war on terror...
Want to hold on to political power? Don't even dream of getting rid of the terrorists, they're a minor threat but you can use them to demand a great deal of power.
It's too bad there wasn't an awesome program like True Crypt (http://www.truecrypt.org/) that let you have two separate keys for an encrypted volume so that you could give a "fake" key that shows "fake" data.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
> I'm not a regular protester at any events or anything like that, but I'd rather be shot for defending my freedom than live to see it gone.
But that's not how it works nowadays, is it? By and large you're not going to be given the chance to martyr yourself for liberty. You just get to watch basic freedoms slowly erode away while most people don't give a damn. Your options are either to try to effect change through the political system (good luck with that, you godless nihilist), to start an outright armed revolt (good luck with that, you godless terrorist) or to simply quietly secede and disregard the authority of "your" government to rule you. The last option will pretty much inevitably lead you into conflict with law enforcement, and ultimately you'll be faced with either giving up or taking up arms (good luck with that, you godless nutcase).
So either you're quiet and no-one notices or you're loud and your actions are used to further justify the need for increasingly draconian law enforcement.