Slashdot Mirror
In UK, Two Convicted of Refusing To Decrypt Data
ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."
This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?
One decrypts the files or filesystem while the other key overwrites the contents with random data.
I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
...if you lost or just really forgot the decryption key/passphrase, would it count as refusing?
That's rich. The government convicts people for keeping secrets, and then keeps secrets about who was convicted.
A hundred years ago today, if someone had a giant safe in their house, and they were suspected of any crime whatsoever, the legal authorities (of pretty much every country in the world, it would baffle me to hear about somewhere this would not be the case) would simply ask for the keys. If the person refused to hand them over, the person gets punished. The "punishment" can be of different forms - whether prison in itself, or just a lot more unfavourable treatment from a judge and the assumption of guilt going against you, but nothing at all? Never. The difference with encryption keys is not all that great.
No need to overwrite your data, which would show hard drive activity, and which would have no effect, since police always work on copies. TrueCrypt provides a hidden volume. The TrueCrypt hidden volume is not detectable.
"I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted."
In every country, lawmakers with no technical knowledge whatsoever are writing extremely ignorant laws about technical issues. In fact, the UK law makes no sense.
So if I encrypt my data with an encryption mechanism that can't be inverted by today's standards and someone doesn't like it, I'll go to jail?
All this will mean is that people will stop hiding their data in "MyEncryptedDocuments" and instead hide it in plain sight. Will you check every single image on my system to detect flaws that might be hidden data? Will you parse every single document on my system to find hidden meta data (e.g. HTML attributes, Word under/redo histories, etc)? I'll just ROT13 it so you cannot look for English language.
Drug dealers use the same trick... Instead of hiding their drugs under floorboards or taped to the top of draws, they simply open a bag of flower, empty the contents, and refill it with drugs...
Suppose I have TrueCrypt installed on my machine, but I don't have anything encrypted. What stops to police from accusing me of having encrypted files and demanding a key? How do I prove random bits of data on my HD are random bits of data and not super secret encrypted files?
I doubt I even need Truecrypt installed for the police to use this to get a guaranteed 2 or 5 year conviction.
It's an appalling piece of legislation for a number of reasons:
1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?
2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?
In the U.S., people generally cannot be required to provide encryption keys under the 5th Amendment. However, there are exceptions. There was the recent case of one man who was searched by Customs (or DHS, or whoever) at an airport. One of the agents discovered child pornography in an encrypted portion of the disk that had been (temporarily) opened for access.
Somehow, by the time authorities took possession of the computer, the encrypted drive was no longer opened. The last court decision about that case I am aware of states that a subpoena for the encryption key can be enforced, because the government was already aware of the existence of illegal material, and where it was. All they needed was a "key". This is vastly different from demanding a key first, so they can poke around in your private material.
As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.
has a warrant and asks you to open the trunk of you car? Do you feel police is forcing you do to self-incrimination? I don't think they're forcing you to say you are guilty of anything, they want to check your property to see if you actually are guilty of anything.
Dear
To NUKE the place from orbit!!!
The solution to this and other similar "bad law" problems is making them big and visible to the common population.
1 - Get a worm that allows to save data on infected computers.
2 - Get an encrypting program that supports plausible deniability.
3 - Infect self with worm.
4 - Install encrypting program in all infected machines.
5 - Accuse random people of having criminal data in their computers. (e.g.: "I was playing a WoW game and this guy told me he had several thousand [criminal data]").
Well the Britons already shut innocents in the head for running, forget your password and be send to jail is not too heavy.
Let us put the blame where blame is really due: on the civil servants who were only following orders (TM) when they used their technical skill to establish that a computer had encrypted data on it, knowing full well that their work might be used to convict someone merely for refusing to speak when an attempt was made to force them. I am sure that some of you guys are even reading this post, angrily justifying in your head why you do your job -- for the children, against the terrorists, because it's an "intellectual challenge", to put food on the table -- but none of these justifications require you to do what you do. It is quite simple: you get a kick from that little drip of power granted to you by an abusive state when you get to contribute all your little bit toward denying the freedom of some poor sod. You trod on ants which were not in your way as a kid, it excited you but you told yourself they were pests anyway; your Day-to-day activity and contribution to society has not improved since then.
We must single you out and peacefully turn our backs on you for the traitors to freedom that you are. Don't try to justify what you are doing, don't retort with the 1% of cases that the application of your skill was justified to protect the country, because we both know why you are employed to do what you do. Resign, apologise, and join the rest of us!
Yes, the Brits might be able to find something by untrained criminals by this hard handed method, but the blowback from this strategy is going to seriously hurt them in the long run.
Trading partners will be leery to send envoys over to make agreements when at a whim, their machines can be searched, and any trade secrets copied off. If deals are done with British companies, they will be done out of the country, or via electronic means. Companies will not want to set up branch offices in the UK because their facilities can be searched at any time and trade secrets taken. Finally, where does this end? Does someone in the UK have to give up all root/Administrator/sa passwords on request that are on the remote company's VPN or else go to prison?
Of course, the true terrorists are not going to be caught. They don't bring laptops in with their super secret plans. It seems the UK is aiming the RIPA act for more of an industrial espionage type of game than anything else, intending to demand trade secrets via the heavy hand of their bobbies, then hand the results over to their domestic interests. Other countries do this too, but those are very repressive regimes, not a First World nation.
Of course, legitimate people will get around this, but it requires backflips and makes PHBs less interested in doing business with the UK. Some means that people will use:
1: TrueCrypt is the first thing. Perhaps even a TC hidden OS with the decoy OS storing some random chaff in the outer volume. This way, there are no MRU traces of anything in there.
2: BitLocker and multiple users. The laptop's owner has a non administrator user and given the password of the account with the business critical data once in the UK before the meeting. Then when it comes time to head back to the States, the user account is disabled via remote. Of course, a hardware device to grab the Bitlocker volume key can get around this. The user account with the data can be protected via EFS, so when it expires, not even an Administrator can access it. Of course, there are varying methods to recover EFS protected files, so perhaps an Administrator-only accessible script that runs that would erase the sensitive user account before hitting the airport might be needed. If the user is questioned, he could show that he had no access and likely no knowledge of that functionality, it was corporate HQ who did that.
3: VMWare ACE installations. Similar to #2 above, the laptop will have an ACE install with a complete Windows VM present that has all the information needed to access a company network. The ACE install will be valid from a certain starting time and expires before the overseas traveler boards the plane home. Also, the company will E-mail the user the password to the ACE VM once he or she checks in. This way, a traveler will pass through security, and if questioned about the ACE install, will be unable to provide any information on it. On the way back, if the laptop is seized, the ACE VM would be expired and not accessible even with the right credentials. (Of course, the ACE VM would have some security inside it so just using it wouldn't mean free reign on the home corporate VPN.)
4: The hard disk for the business stuff would be mailed to the envoy's hotel. Traveler has a decoy OS on the laptop that is being used for travel, has a hard disk with the real data sent via post (and the password to the data sent via another method). Then the user puts in the real HDD, does his/her work, and when it comes time to head home, the real HDD is either sent back via mail, erased, or physically destroyed. (2.5" laptop drives are delicate and a couple hits from a ball peen hammer have a good chance of shattering the platters.
5: Then, there is the old fashioned way of having the laptop just be a remote client with no data stored locally. The user would have network access that would start when he or she got to the hotel and called in with a coded "OK" message, and expire before he or she goes to the airport.
The alternative is to lock up everybody who has supplied keys until any legal case is over, so they cannot communicate the news. This would be worse.
Law is simply unable to keep up with the development of mass communications and freely distributable digital data. It's a simple as that. The options are to do a 16th century Japan and ban progress, or accept there will be problems en route.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Have nothing on your pc that you would not happily shout across the main high street.
Posts, MyBio or Sig, may contain satire, sarcasm, bolded nouns be sardonic or even witty & be Church of SD
The police "having a really good reason" has nothing to do with it.
If you have random junk on your computer - not even in a file, just random bytes of data scattered on your hard drive - and the police are looking for any reason at all to coerce you into doing something - the ONLY thing they have to do is say ENCRYPTED PARTITION, HAND US THE KEYS. Your jail sentence is signed right there. You are fucked. No recourse. No possibility of defense. No way out. It is the ultimate tool of oppression.
So even if we assume, in this case, the police "have a really good reason", there will be cases where they won't have any legitimate reason at all, but will use this law to intimidate, threaten, coerce, and imprison anybody they want. Police aren't some magical form of life that have morals and values above us mere humans. No, there are plenty of corrupt cops out there, and plenty of misguided ones too. They also act at the behest of politicians with their own agendas from time to time.
I don't care whether or not the people in these cases were being investigated for "really good reasons". The potential for abuse of this law is staggering. One cop says you have an encrypted file, which he may have planted himself - BANG. You are in jail. As fucking easy as that.
Of course, this law was never made to be enforced as a law upholding the rights of victims. It was a law specifically introduced to control and oppress the population. There is no other possible explanation for it.
Oh what's that, you don't like the way I am ruling this country? I have some computer experts that would be mighty interested in taking a... peek at your computer. I'm not sure what they'll find, but they've been known to find all manner of things... I'm sorry, I digress. What were your political opinions on my leadership again?
I'm sorry, but if you can't see why this law is so bad, then you have been brainwashed beyond all help, and should be lobotomised as quickly as possible.
That's just another way of saying "if he had nothing to hide, he would have cooperated".
The previous administration called, they want their lame excuse back.
"As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed."
Unless you're Arabic looking and you and your shed aren't on US land (say in Iraq, or Afghanistan).
In which circumstances they'd blow the side of your shed out, ship you off to a dodgy country outside US jurisdiction, get you tortured, lock you up in Guantanamo Bay for a few years til you go mad, tell you you'll never see your family again if you don't confess, and then ask you to talk. Allegedly.
Double OTP. The first to encrypt your data into a "fake" OTP that you store somewhere and label "OTP". Then you encrypt something incriminating but not really illegal. Maybe letters to your mistress, or some particularly kinky and/or disgusting habits. I think this can only work well if you additionally can make sure there is no history anywhere : so for example by booting on an OS which can use a RAMdisk without needing a scrap/page file. It might be slow but if you only encrypt/decrypt/use those incriminating doc there, worth it. Each time you want to use them you boot on that ram disk system, "decrypt" your kinky photo/docs, then un-OTP your real doc, use it, change it, then encrypt again with first the real OTP then with the kinky data. Copy back on disk. Make sure you wipe out the old palce where it was as analysis would show you changed your OTP (or maybe make an habit of saying it is a ONE TIME pad so I change it regularly Mr officer).
If you properly do this, it will be wiped from RAM each time, and only the double OTP'd version will stay on disk, not the real one. No history, and perfect disclosure. But you have really to make sure no disk access is written other than what you request to read/write/wipe the various OTP'd file. Otherwise history on your computer will betray you.
Now i would be interested into somebody critizing the process... Just to, intellectually, you know, refine it.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
I presume the demand is verbal and not written down. Otherwise a troupe of Citizen Muggers can forcibly take it from you, post it, then give it back.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
It seems to me that a better solution than hidden partitions would be a hard drive which had a hardware self-destruct feature. Something like a tilt-switch which detonated a small block of thermite embedded inside the drive. If anyone steals your computer, your drive is screwed. Just make sure your backups are well hidden so they can never be found.
http://www.youtube.com/watch?v=keZlextkcDI
They can, if they want, just TAKE your laptop.
No need to give it back and they are allowed to look at ANYTHING on it.
Which is why laptops for businessmen are going in by mail rather than with the laptop owner.
And why many businesses do not let their officers into the US for meetings with a laptop AT ALL.
can you imagine what he would have to have there illegal where two years would be higher sentence? the law is useless as many similar and touches nobody it is intended to touch while making lot of collateral damage. but... people are not hungry so they don't care and it will eventually pass
God's gift to chicks
the price is high, but saying no sends a powerful message. im glad to see at least two folks in the UK standing up for what little rights they have. Thoughtcrime law disgusts me.
Good people go to bed earlier.
There's an easy way to avoid this legislation: don't store your valuable data in the UK.
The legislation does not cover any data stored outside the UK.
If I were a business or individual who wanted to keep valuable data secure, and avoid this (truly) Orwellian act, I would not store anything in the UK.
I do not have to.
If they don't have enough evidence without me handing evidence over, why are they wasting time and effort trying to convict me?
I'll dress-up as a Government investigator fake badge and all turn up at wealthy guys place and demand passwords/encryption keys etc with a few friends and abandoned warehouse could rake in millions. the potential would definitely worth investment required So how do you really know it was government officials.
Your'e all thinking it, I just said it for you
This was in the UK. Chances are there was not a really good reason for prosecuting that person. We have weekly reports of local and national government abusing loosely-defined 'rights' to surveillance and monitoring.
Had the UK government not already demonstrated a complete lack of respect for individual privacy, I think people would be more likely to feel they were justified in pressing for the passphrase.
Are murderers allowed to withhold the murder weapon? Is it an invasion of privacy for a stalker if the police looks at their phone records?
Likewise, if the police have a warrant, and they demand that you unencrypt the data they have a warrant to access, then why is there an outcry of "Woe is me, my rights have been abridged!"? It is evidence. The police collect evidence, that is what they do. When you try to hide evidence from the police, you get into trouble.
If the police are mistaken, and there is no encrypted data on the media, then you'll have the opportunity to fight that out in court.
If there is encrypted data, but you no longer have the key, at this point, everything is crackable. I think that a good lawyer could maintain your innocence in such a situation - provided you were helpful to law enforcement in every way possible. And the police would eventually get access to the encrypted data.
This doesn't work for two reasons: ... probably can be done in less than 1 day with modest hardware, much faster with the toys that they have at their disposal.
1) The definition of "key" in the law is essentially so general as to mean all the keys needed to translate the encrypted file into the readable original.
2) GCHQ are certainly competent-enough cryptanalysts to be able to break that - essentially the real key can be extracted by testig each file to which you have easy access
Andy
Have a reasonably popular O/S give everyone crypto and an encrypted "container" whether they are going to use it or not.
However, it has to be done in a way where you can use that container without leaving evidence behind that you have used it.
Something like: https://bugs.launchpad.net/ubuntu/+bug/148440
Except better :).
Then that's what I call creating real plausible deniability.
I have always thought law enforcement and governments had ways and means of cracking most encryption , and then there are all those stories of back doors in truecrypt etc obviously this isnt true they really havn,t got these ability,s ... unless maybe the people in question were using some new powerful encryption algorithm ........
What if you genuinely forgot the key?
Or, what if you wrote it down and cannot find the slip? If a system truly was just then there should be no way that anybody could do anything about that unless they can prove it's some sort of ruse...Of course we all know that is how you'd be treated whether you were being honest or not.
What if you think you know it, try it and it doesn't work....because you remember it wrong....Your word should be good enough - what are they going to do, torture it out of you? (actually, I don't even want to think about what some of these fascists would try to do if you couldn;t remember your key, but from a legal standpoint I can't see how they could prevail unless they could somehow prove that you were withholding it).
What if you had a folder encrypted and had either genuinely lost the key, or were trying to make it look that way and had emailed the software manufacturer saying "Hey,I have lost my key for this archive, what can I do?" and they email back saying "You're screwed without the key, basically" - could that email then serve to prove your point and cover your ass?
I'm also curious to learn whether the law was worth it to the UK people in this case.
Basically: how much worse things could have been for UK people if it weren't for that law, compared to how much worse things could be for the UK people because of this law.
Quote:
Sir Christopher reported that all of the 15 section 49 notices served over the year - including the two that resulted in convictions - were in "counter terrorism, child indecency and domestic extremism" cases.
I thought "counter terrorism" was fighting terrorism? So what was "child indecency" and "domestic extremism"?
If you really want to build yourself an alibi, they need to extract an extremely kinky and very ambarrassing picture of you. Otherwise you would have no reason to encrypt the data.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
https://www.ironkey.com/enterprise
I'm surprised nobody has mentioned this device yet.
What would happen if you co-operate with the persons who are asking the encryption password but you mislead them by telling a non-working password? It is obvious that the encryption will not open but if you persist that the false password *is* correct how anyone could punish you?
:)
:)
"Sir, it is the password I have been using for last twelve years, I don't know why it doesn't work. Perhaps you have damaged the media when you transferred it and it is now unusable?"
I can not think a method how to tell if the statement above is true or false. Encryption doesn't open but the person is co-operating and trying to help with the investigation. Oh well, perhaps they will transfer you to a country where they can waterboard you, and crush your limbs.
It looks like that if you want to clog/DDOS the British police just do this:
1. Buy few hundreds of usb memory key chains.
2. Put some random data to all of them and label volumes as "Child porn" / "Al Qaida files" / "MI6 employee register" .
3. Collect some random names and addresses from phone books and make a "README.TXT" containing one identity to each drive.
4. Start "losing" them to internet cafes and other public places.
5. Profit... no, wait, just watch how people start disappearing.
only if it contains self-incriminating information. Thus, a secure password for now on will have to contain numbers, capital characters, symbols and a self-incriminating sentence... something like "I think Michael Moore is right" will do... Cool, Gotta contact Ally McBeal now to confirm my theory.
Dear
There are a few encryption systems out there which provide plausible deniability
TrueCrypt does indeed offer such a feature. Not surprisingly, Microsoft's new Windows7 OS, while maintaining the ability to encrypt data, does not hide the volume.
Amusing that this piece of news should crop up so quickly after I just got through trying to explain to someone why the built-in Win7 encryption was half-assed. "Well, why would you want to hide the volume?" asks the idiot.
Because of stories like this.
Those supporting and enforcing these kinds of injustice remain inescapably rooted in the past, ruling through forceful suppression instead of discussion and debate. They create the very risks that generate their fear by deliberately removing avenues of expression for opposing views; specifically, avenues which do NOT generate violent conflict. It remains a favorite agenda-furthering tactic of contemporary despots.
This now obviously unbreakable encryption technology offers free people a way to blind oppressive authority; electronic acid sprayed directly into the prying eyes of unwarranted surveillance. Now, through its own behavior, we all know they are utterly powerless against it. And as the technological reach and power of unjust authoritarianism grows, this fact alone should give heart and hope to every human being on the planet who wants to escape the chains imposed by others.
I'm stunned, I don't know why, to see people debating this as if this is the first time the issue has crossed their consciousness. News flash: this has been in the public water supply for at least two decades now. It's important, and if you haven't given it some thought long ago, you're not taking life seriously, you're just a woodpusher in the game theory of human realpolitik.
It boils down to a very simple premise: that entropy is a munition.
If you have some large chunk (say 100MB) of random bits in a file on your computer, there is no way to prove that there isn't some password that will decrypt this block of bits into meaningful information. Any chunk of information content which looks like pure entropy can be accused of harboring munitions, if you're trying to hit the preservation of society nerve, or child pornography, if you're trying to hit the righteousness of the flesh nerve (we all care about flesh). Steganography is the art of boiling a thin soup: very small amount of pure entropy hidden in a huge amount of tedious backdrop (say 200GB of licit pink matter).
If you have a large quantity of real physical entropy, there is of course no way to produce a password, and neither is there any way to prove that the entropy is real.
The authorities find this unbearable, so we are now deep into guilt by association. Caught hanging out with random bits, go directly to jail.
Any public discussion of the matter would conclude that our social concept of judicial fairness is incompatible with this new guilt by association model. What kind of society would declare entropy a munition? How would we all go about scrubbing anything that looks like entropy from our electronic records? It's not clear it is possible to comply with the implications of this, even if greater society drank the Orwellian Spook-Aid.
Hence the secrecy. If the spooks destroy 1000 innocent lives in the course of protecting society as we know it, it appears to be a cost we're going to have to bear.
The easy way to cease to think seriously about this is to invoke Stalinist escalation: that 1000 lives is soon 30 million lives.
Don't be so hasty. Sun Tsu beheaded one giggling princess to make every other princess march with the discipline of soldiers. For his needs, one was enough.
The credit industry doesn't work on principles much better than our agents of darkness. The suits have succeeded in labeling credential fraud as identity theft. Note the slight shift in blame here: it's not the design of VISA at fault (which could hardly be worse), it's your fault for offering up your digits in the first place (well, you can't use your VISA card without doing so, but why niggle?)
I hand pieces of information about myself to thousands of institutions. If the information is gathered and used against me, somehow I'm to blame, not the thousands of institutions who regard protecting the sensitive information they demanded from me as a cost center to be outsourced to India.
The great line in Brazil is "Confess quickly, or you'll jeopardize your credit rating."
Our credit system is nearly as arbitrary and secretive as this business of guilt by entropy. Innocent before proven guilty. The credit system is exempt from our normal social protections against slander. Any merchant can file a damaging untruth about me with little basis in fact, few avenues of complaint, and no ultimate liability whatsoever. The rating agencies will then spread this slander around and I can't prosecute them for spreading damaging falsehoods about me, even if I finally prove that the original merchant lied, and no sensible agency would persist in believing the original claim.
If we're not up in arms about the violation of our social norms concerning slander implicit to the credit industry, I don't harbour much hope that cottage outrage in this forum over incrimination by entropy is going to make any dent in the real world.
Stay tuned for the next exciting chapter, where encryption keys are extracte
Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament. If you don't like the definition, write to your MP, join a political party or a pressure group (there are lots) and do something, don't just whine. And if you are a 16 year old posting from your bedroom, William Hague was addressing a Party conference at 16, and I was visiting Parliament several times a year at the same age. You have no excuses. We have senior MPs who get it - David Davis, Chris Huhne.
Item 3.Others have made the point that the UK has had animal rights activists every bit as bonkers and dangerous as US anti-abortion or anti-gun-control activists. But the point also needs to be made that law must be general and not have exceptions. Exceptions make bad law. If we start deciding who is or who is not a terrorist based on anything other than their actions and intentions, this is very dangerous for civil liberties.
Although I think this is an unfortunate law, it is difficult to see how it could be any different. What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Ah yes, you are another one of those people who think that if the authorities have "a really good reason", then it should be enough.
I prefer evidence.
Let me be the first to say, damn, I sure am glad my ancestor fought the British and won their independence. Granted, it is only a matter of time before we are required to do the same thing here in the US. Thus far US courts have found that giving up a passpharse to an encryption key violates the 5th Amendment right to not self-incriminate. But that hasn't gone to the Supreme Court yet, which means it is only a 5 v 4 decision away from requiring everyone to divulge their encryption keys to law enforcement.
I don't care whether or not the people in these cases were being investigated for "really good reasons". The potential for abuse of this law is staggering. One cop says you have an encrypted file, which he may have planted himself - BANG. You are in jail. As fucking easy as that.
Sure, but isn't that the case already? Aren't there lots of other laws that can be abused in exactly the same way?
Perhaps the corrupt cop "found" a stash of meth in your car. Perhaps they "found" kiddie porn on your laptop. You're just as much in trouble as you would be if the "found" an encrypted file.
What abuse does this law allow that isn't already possible using other laws (and please don't flame me for going against the flow here) ?
Refusing to hand over keys -- max 2 years. Child pron on computer -- average 3 years.
Refusing to hand over keys -- max 5 years. Planning a terrorist act -- average 15 years.
Crypting the hard disk and refusing to hand over the key looks like a good option.
Bad examples make for bad arguments. You broadly characterize "anti-gun-control activists" as "bonkers and dangerous".
That's not a good analogy. There are lots of folks on slashdot who understand that "pro-personal freedom" == "pro-owning the means to engage in justifiable violence". We're as rational and peaceful a bunch as you're ever likely to encounter.
Please be mindful that using bad analogies tends to render less impactful your otherwise insightful statements.
No Problem i will give you the keys. But you dont mention anything about the encryption algorythm how its used / read or implemented. so they still will be unable to read the data. consider the following: You also need an offset to the filesystem header. Does this classify as a password / key? You store your encrypted data in a scambled format eg interleaved to make it harder to read with standard tools. You come up with some complex block allocation scheme which requires part of this fomula to be entered. eg like a more complex reed solomans implementation but you inject errors into the valid data to start with so it looks scambled. When they then tell you the keys are invalid and your going to jail you can then prove otherwise. Since they actually fail the read the encrypted data off the block device correctly in the first place. I suppose they would just re-write the law again and call it encryption in this so called free world ...
No. By opening anything, you've demonstrated to the police that you are capable of opening that door, locker, etc. You've now thrown away any defense that relies on the idea that you don't have access (or easy access) to that space. Just by helping the search, you've implicitly provided self-incriminating testimony.
If a search warrant is being served at your location, you cannot know that you are not under suspicion. In that case, you do not talk to the police and you do not help the police in any way. Period.
The correct response when they ask is to not respond at all. You've already (if you're smart) advised the police that you will not be answering questions or assisting in the search. Now go sit in the corner, shut up, and don't move except to shake your attorney's hand when (s)he arrives.
IANAL, etc.
Hand over the Blue-Ray keys.
(my password: "ForThe100thTimeFuckYouIWillNotTellYouMyPasswordEver")
British Police: "Tell us your password."
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "Oh, you want to be cheeky? Tell us your password or you're going to prison!"
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "This is a matter of bloody national security, you'll get 5 years!"
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "He refuses to submit, send him to jail!"
Me: "Great, I'll see you in court. You recorded that conversation, right?"
British Police: ???
Authority questions you. Return the favor.
The police (actually the csi person), will first backup your HD and *then* ask for your key. If your provided key deleted the data, you are beaten up with a stick, restore backup and GOTO 10.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org/ (Version: 0.7.8)
jA0ECQMCsKcP6wfPDoxg0loBWWLKcbIxLwk35Vu8Lu6+Fldnq64aqGPosMh/h1r8
IB3uDEi+UAc8JgDqZYL18qYLzQazbRDz4MZySZg/CRKf7R13UWWqbHr8fCPyyEcI
RiIXV6Qgw/US76w=
=ZYx8
-----END PGP MESSAGE-----
What is your proposal to prevent organised crime using encrypted media to conceal their activities?
I'm not sure it is possible. As has been so clearly demonstrated recently in the UK, those guilty of organised crime actually make the laws and force others to "encrypt" the data for them. They only reason they got caught out is because they couldn't even do that competently.
rename your encrypted volume to "core"
or for non-programmers, "pagefil.sys"
-SaNo
This is a very, very bad day for the British public.
I've lost count of the number of times I've seen this kind of statement on /. over the last decade.
When, exactly, will a few million of you blighters do something about it?
Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament.
Instead of pontificating, why don't you just actually read the law. There is a disclosure requirement if:
Those provisions are so vague that police can require you to disclose encryption keys for anything at any time.
What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.
The purpose of this law is not to prevent covert communications because that is impossible in principle.
The purpose of this law it's to give the UK government additional means to force people to obey the government even in areas where the government otherwise has no cause or legal means of forcing you. It's a totalitarian law forced through parliament under the pretext of crime and terrorism prevention.
A fundamental right in any democratic country, is the right not to provide any information that may be self-incriminating. British law now runs contrary to democratic principles, so therefore the UK is now a fascist state (as we all know, the UK population is the most monitored on earth, so I doubt that this is a surprise to anyone).
British people must rise up, and overthrow the fascists, by whatever means is necessary. It is not sufficient to just attack regime members cars! The regime members can afford lots of private security, and enough 'second homes' that we'll never know where they are.
Arise, ye workers from your slumbers,
Arise, ye prisoners of want.
For reason in revolt now thunders,
and at last ends the age of cant!
Away with all your superstitions,
Servile masses, arise, arise!
We'll change henceforth the old tradition,
And spurn the dust to win the prize!
If the police are even slightly competent, they will try you key on a copy of your hard drive.
If it deletes the data, they will still have the original, and not they will be mad.
Since the 5th amendment bars you from being compelled to testify against yourself, you cannot be compelled to aid the prosecution or to provide the evidence for them.
Another example is, if the authorities obtain a search warrant for your home and find a locked safe, you cannot be compelled to open it for them, but they are free to break into it.
Encryption is no different. They are welcome to try to decrypt it, but they cannot compel you to relinquish your keys.
Given that the lifetime of a CD-R is relatively short in the first place...
Given the problems that various CD drives have (on occasion) in reading CD-Rs made by other drives...
with apologies to Stan Freberg and Billy May...
What kind of nut would you have to be,
to lock up your data with a secure key
only to find out
bit-rot had got inside
(It's a small disk, now and it's always been...)
Uhm....if you are clever enough to use encryption -- I would also think that you would already have an encrypted code-word or phrase that you would use to notice your pals that you've been compromised ???
You're not going to run out and say "hey I'm being forced to give up my keys"
You'll instead tweet out something like "I prefer Mr. Pibb over Dr. Pepper". Because OBVIOUSLY something has gone horribly wrong......
Old age and treachery almost always overcome youth and skill.
Perhaps the corrupt cop "found" a stash of meth in your car. Perhaps they "found" kiddie porn on your laptop. You're just as much in trouble as you would be if the "found" an encrypted file.
What abuse does this law allow that isn't already possible using other laws (and please don't flame me for going against the flow here) ?
Except in this situation he doesn't have to actually plant anything, he can just imagine it's there. The officer doesn't have to commit a crime (case tampering or whatever you'd call planting evidence) to throw you in the slammer *without* evidence.
And fill it with not to offensive pornography. Of course in Britain that would be rather dull stuff.
For deniability you have to present something highly embracing but not illegal as well.
Martin
Maybe I'm missing something here, but it seems like one could surrender one's key to the government, then revoke that key and generate a new one. If them come knocking again, just repeat the process. It does not seem like one is violating the law by doing so, and it makes it impossible for the government to keep up. What are they going to do? Ban the revocation and generation keys?
I don't understand that.
If he didn't plant an encrpyted file, then the defence lawyer could demonstrate its lack of existence during the trial.
The corrupt cop would still have to commit a crime (planting of the encrypting file) in order to lock you up. Just as in the case of him "finding" a stash of meth in your car.
I don't understand what leverage this gives the corrupt cop that previous laws haven't already provided.
(Thank you for not flaming ;) )
Because you can demonstrate that the bag of bicarb in your boot is not meth, but you can't demonstrate that the random block of free space on your computer is not an encrypted video tutorial on how to build a nuke, delivered by a masturbating 14yo al-Qaeda operative.
Nothing has to be planted. Assertion that a crime has taken place is all that is required. In an extreme case, accusation=conviction (if the law is applied to the letter)... not good.
- Hey, what are you in for?
- I stole a car and shot a man in the chest, and you?
- I forgot my computer password.
Everyday it seems like the UK government is more and more invading private citizens life. I don't think they know what the word privacy means anymore. A camera on every corner, sent to jail for not decrypting your data. This is just crazy. So I wonder, if a suspect has something locked up in a safe, and refuses to open it can they be sent to jail for years + fines, or will the police just do what they can to open it? Same rules should apply to either situation. I'd be tempted to say no I'm not going to help you, just to be contrarian.
I think you misunderstood me.
Case 1: Cop plants real meth (not bicarb) in your car. You have to explain it (i.e. prove the cop committed a crime), or go to prison for a while.
Case 2: Cop plants data file filled with random data on your laptop. You have to explain it (i.e. prove the cop committed a crime, or prove it isn't an encrypted file (impossible)), or go to prison for a while.
In both cases the assertion of a crime is not enough (in case 1 he has to plant real meth in your car, in case 2 he has to plant a random file on your hdd), and in both cases the cop has to commit a crime (tampering with evidence, or whatever) in order to put you away.
I still don't understand what powers this new law gives to a corrupt cop that don't already exist.
Well let me break the Official Secrets Act 1968 (hardly logged) to 1989, modified 1990 and terrorism act 2006. I will leave my data unencrypted on trains, I might work for Mi6, but you will never know. I might work for some secret military base in Cyprus. With Nuclear missiles. I might leave data that is unencrypted in the hands of the KGB, I could be on the CIA payroll and a Double Agent or just a /.er :)
The point is clear Ladies and Gentleman. I should legally break the official secrets/terror act and let you know where our Trident Submarines are right now including co-ordinates and the names of people who have the keys and how to contact! /MOTD "I have got the key, I have got the secret".
Take a leaf out of Pink Floyd's book "hey teacher leave the encryption alone" :)
All cows eat grass!
I think you misunderstood me.
Nope, I'll demonstrate:
Case 1: Cop plants real meth (not bicarb) in your car. You have to explain it (i.e. prove the cop committed a crime), or go to prison for a while.
Parallel to this law: Cop doesn't plant anything, points at the empty boot of your car, says "that's an invisible, odourless, dimension-shifted bag of contraband we can't touch, see or otherwise detect, but I think it's there and you've just hidden it beyond the ability of our tools to reach! Get 'im, boys!"
Case 2: Cop plants data file filled with random data on your laptop. You have to explain it (i.e. prove the cop committed a crime, or prove it isn't an encrypted file (impossible)), or go to prison for a while.
In both cases the assertion of a crime is not enough (in case 1 he has to plant real meth in your car, in case 2 he has to plant a random file on your hdd), and in both cases the cop has to commit a crime (tampering with evidence, or whatever) in order to put you away.
I still don't understand what powers this new law gives to a corrupt cop that don't already exist.
And now after this law:
Case 1: Cop doesn't have to plant anything, just points at random block of free space "That's an encrypted hidden partition, get 'im boys!"
Case 2: Cop doesn't have to plant anything, points at that test container file from an encryption program you ran a trial of a year ago and forgot about, it might contain a text document with your CC# or something and that's all, but Mr. Poh-leece-man can up and assert "Omg, encrypted kiddie porn! And encrypted nuke schematics! And encrypted blueprints for the White House with drawings that say 'execute tha prezadent here'! Get 'im, boys!"