Slashdot Mirror


In UK, Two Convicted of Refusing To Decrypt Data

ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."

12 of 554 comments

  1. What I want by petes_PoV · · Score: 4, Interesting
    is an encryption system with 2 keys.

    One decrypts the files or filesystem while the other key overwrites the contents with random data.

    I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:What I want by tsotha · · Score: 5, Interesting

      I've been thinking about that for a while. You don't want a system that will destroy the encrypted data - as others have pointed out, the cops will image your drive before they do anything, so it's sort of pointless. But I think you could do even better with a set of one time pads. I'm envisioning a system that works like this:

      1. You have data you want to encrypt of a certain size. Doesn't matter how large, but you can't really add to it after it's encrypted.
      2. You generate a key the size of your original data and xor the key with the data you want to encrypt. If your key is random enough it should be impossible to decrypt. They say you can get something truly random with atomic decay or cosmic background radiation. These days storage is cheap, so having a key as big as a couple gigs should be no big deal - keep it on a fob.
      3. Now here's the twist. After you've encrypted your data you generate a second "key" by xor-ing the encrypted data with something innocuous. War and Peace, maybe, or cat pictures from the internet. Now you have a key you can give to the cops if they ever come calling, and the data they come up with will be recognizable as data of some sort. So it will be difficult for them to argue you haven't provided "the key".
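
The XOR arithmetic behind the three steps in the comment above, as an added Python example that is not part of the original post: it shows that a one-time-pad ciphertext is consistent with any text of the same length, so a pad that yields readable data does not show it is the pad that was actually used. The function names, the sample strings and the use of `secrets` in place of a physical random source are assumptions made for this example.

```python
import secrets
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; a one-time pad requires equal lengths."""
    if len(a) != len(b):
        raise ValueError("one-time pad operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes) -> Tuple[bytes, bytes]:
    """Step 2: draw a random pad as long as the data and XOR it in."""
    # Assumption: the OS CSPRNG stands in for the physical random source.
    pad = secrets.token_bytes(len(plaintext))
    return xor_bytes(plaintext, pad), pad


def fit_to_length(data: bytes, length: int, filler: bytes = b" ") -> bytes:
    """Step 1 constraint: the size is fixed, so truncate or pad the other text."""
    return data[:length].ljust(length, filler)


def derive_alternate_pad(ciphertext: bytes, alternate_text: bytes) -> bytes:
    """Step 3: the pad that maps this ciphertext onto a chosen text."""
    return xor_bytes(ciphertext, fit_to_length(alternate_text, len(ciphertext)))


def demo() -> dict:
    # Both strings are constructed sample inputs.
    original = b"Quarterly figures: constructed sample data"
    alternate = b"Well, Prince, so Genoa and Lucca are now just family estates"
    ciphertext, real_pad = otp_encrypt(original)
    alt_pad = derive_alternate_pad(ciphertext, alternate)
    return {
        "with_real_pad": xor_bytes(ciphertext, real_pad),
        "with_alt_pad": xor_bytes(ciphertext, alt_pad),
        "pads_differ": real_pad != alt_pad,
        "lengths": (len(ciphertext), len(real_pad), len(alt_pad)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
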
  2. Can I ask.. by eexaa · · Score: 4, Interesting

    ...if you lost or just really forgot the decryption key/passphrase, would it count as refusing?

    1. Re:Can I ask.. by FinchWorld · · Score: 5, Interesting

      Carefully crack a CD in various places, so that no data can be recovered from it, scrawl on it "Encryption Keys - Keep Safe" and hide in a stack of CDs.

      When arrested, tell them about this CD that has your keys. When they come back and inform you it's damaged go psycho screaming at them for having lost your keys, and hence, years of data (cos your backups are encrypted too, right?).

      Sue.

      Profit!

      Ok maybe not, worth a thought though.

      --
      "I may be full of crap about this game, and I may be wrong, and that's fine." -Jack Thompson
  3. Re:Self-incrimination becoming mandatory by im just cannonfodder · · Score: 5, Interesting
    Part of the law is that if you get a demand from the police you are not allowed to tell anyone about it other than your solicitor.

    So no public accountability yet again by our government.

    http://www.ckwop.me.uk/Articles/article01.html

    An analysis of Section 3 of the Regulation of Investigatory Powers Act 2000

    The Regulation of Investigatory Powers Act 2000 is a piece of UK law that, among a range of other things, contains a section that is meant to require the surrender of cryptographic keys to certain authorised parties (which are in effect instruments of the government). If such a request is made as part of an investigation, then the party who disclosed the key is not allowed to tell anyone that the authorities have that key or they face up to two years in prison. Equally, if the party fails to disclose the key, they also face up to two years in prison.

  4. Re:Self-incrimination becoming mandatory by tygerstripes · · Score: 5, Interesting

    I'd be curious to learn how many of the four who did comply were subsequently convicted of the crimes for which they were being investigated, and what sentences these convictions entailed. I'm also very curious about what prevented the conviction of the other non-compliant nine. Essentially: was it worth it?

    While I can see the arguments for and against permitting Section 49 sanctions, I want to know what the practical upshot is. Hypothetically, it may be worthwhile to a potential criminal to serve up to a couple of years in prison with a note on their record akin to "refused to assist in investigation" rather than face the potentially much more damaging convictions that their cooperation might incur.

    My concern is that the law will be amended to reflect this, leading to much harsher sentencing in order to prevent this kind of cost-benefit decision being made by suspected criminals.

    --
    Meta will eat itself
  5. Remember this is the UK by Jane Q. Public · · Score: 4, Interesting

    In the U.S., people generally cannot be required to provide encryption keys under the 5th Amendment. However, there are exceptions. There was the recent case of one man who was searched by Customs (or DHS, or whoever) at an airport. One of the agents discovered child pornography in an encrypted portion of the disk that had been (temporarily) opened for access.

    Somehow, by the time authorities took possession of the computer, the encrypted drive was no longer opened. The last court decision about that case I am aware of states that a subpoena for the encryption key can be enforced, because the government was already aware of the existence of illegal material, and where it was. All they needed was a "key". This is vastly different from demanding a key first, so they can poke around in your private material.

    As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.

  6. The solution by Thanshin · · Score: 4, Interesting

    The solution to this and other similar "bad law" problems is making them big and visible to the common population.

    1 - Get a worm that allows you to save data on infected computers.
    2 - Get an encrypting program that supports plausible deniability.
    3 - Infect self with worm.
    4 - Install encrypting program in all infected machines.
    5 - Accuse random people of having criminal data in their computers. (e.g.: "I was playing a WoW game and this guy told me he had several thousand [criminal data]").

  7. Re:Self-incrimination becoming mandatory by badfish99 · · Score: 4, Interesting

    Not any more. Now it is:

    "You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."

    The reason for the change is that the "right to silence" has gone: if you don't immediately tell the police your defence when you are arrested, the court may ignore anything you say in your trial, and convict you anyway.

  8. Re:The logic is obvious by damburger · · Score: 4, Interesting

    And is there any indication that these people were dangerous bomb-wielding psychos, based on what the government is saying? No.

    --
    If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
  9. Re:The logic is obvious by Anonymous Coward · · Score: 4, Interesting

    My wife's boss had death threats and faeces shoved in his mailbox by these terrorists because his company does IT work for the London office of a large Japanese conglomerate with a partly owned subsidiary that was once a supplier (not of animals) to Huntingdon Life Sciences. They use exactly the same twisted mentality as Al Qaeda to justify their attacks on the most vaguely related of targets.

  10. Excuse me? by BenEnglishAtHome · · Score: 4, Interesting

    Bad examples make for bad arguments. You broadly characterize "anti-gun-control activists" as "bonkers and dangerous".

    That's not a good analogy. There are lots of folks on slashdot who understand that "pro-personal freedom" == "pro-owning the means to engage in justifiable violence". We're as rational and peaceful a bunch as you're ever likely to encounter.

    Please be mindful that using bad analogies tends to render less impactful your otherwise insightful statements.