Slashdot Mirror
In UK, Two Convicted of Refusing To Decrypt Data
ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."
This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?
One decrypts the files or filesystem while the other key overwrites the contents with random data.
I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
...if you lost or just really forgot the decryption key/passphrase, would it count as refusing?
That's rich. The government convicts people for keeping secrets, and then keeps secrets about who was convicted.
A hundred years ago today, if someone had a giant safe in their house, and they were suspected of any crime whatsoever, the legal authorities (of pretty much every country in the world, it would baffle me to hear about somewhere this would not be the case) would simply ask for the keys. If the person refused to hand them over, the person gets punished. The "punishment" can be of different forms - whether prison in itself, or just a lot more unfavourable treatment from a judge and the assumption of guilt going against you, but nothing at all? Never. The difference with encryption keys is not all that great.
Suppose I have TrueCrypt installed on my machine, but I don't have anything encrypted. What stops to police from accusing me of having encrypted files and demanding a key? How do I prove random bits of data on my HD are random bits of data and not super secret encrypted files?
I doubt I even need Truecrypt installed for the police to use this to get a guaranteed 2 or 5 year conviction.
It's an appalling piece of legislation for a number of reasons:
1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?
2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?
In the U.S., people generally cannot be required to provide encryption keys under the 5th Amendment. However, there are exceptions. There was the recent case of one man who was searched by Customs (or DHS, or whoever) at an airport. One of the agents discovered child pornography in an encrypted portion of the disk that had been (temporarily) opened for access.
Somehow, by the time authorities took possession of the computer, the encrypted drive was no longer opened. The last court decision about that case I am aware of states that a subpoena for the encryption key can be enforced, because the government was already aware of the existence of illegal material, and where it was. All they needed was a "key". This is vastly different from demanding a key first, so they can poke around in your private material.
As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.
The solution to this and other similar "bad law" problems is making them big and visible to the common population.
1 - Get a worm that allows to save data on infected computers.
2 - Get an encrypting program that supports plausible deniability.
3 - Infect self with worm.
4 - Install encrypting program in all infected machines.
5 - Accuse random people of having criminal data in their computers. (e.g.: "I was playing a WoW game and this guy told me he had several thousand [criminal data]").
Yes, the Brits might be able to find something by untrained criminals by this hard handed method, but the blowback from this strategy is going to seriously hurt them in the long run.
Trading partners will be leery to send envoys over to make agreements when at a whim, their machines can be searched, and any trade secrets copied off. If deals are done with British companies, they will be done out of the country, or via electronic means. Companies will not want to set up branch offices in the UK because their facilities can be searched at any time and trade secrets taken. Finally, where does this end? Does someone in the UK have to give up all root/Administrator/sa passwords on request that are on the remote company's VPN or else go to prison?
Of course, the true terrorists are not going to be caught. They don't bring laptops in with their super secret plans. It seems the UK is aiming the RIPA act for more of an industrial espionage type of game than anything else, intending to demand trade secrets via the heavy hand of their bobbies, then hand the results over to their domestic interests. Other countries do this too, but those are very repressive regimes, not a First World nation.
Of course, legitimate people will get around this, but it requires backflips and makes PHBs less interested in doing business with the UK. Some means that people will use:
1: TrueCrypt is the first thing. Perhaps even a TC hidden OS with the decoy OS storing some random chaff in the outer volume. This way, there are no MRU traces of anything in there.
2: BitLocker and multiple users. The laptop's owner has a non administrator user and given the password of the account with the business critical data once in the UK before the meeting. Then when it comes time to head back to the States, the user account is disabled via remote. Of course, a hardware device to grab the Bitlocker volume key can get around this. The user account with the data can be protected via EFS, so when it expires, not even an Administrator can access it. Of course, there are varying methods to recover EFS protected files, so perhaps an Administrator-only accessible script that runs that would erase the sensitive user account before hitting the airport might be needed. If the user is questioned, he could show that he had no access and likely no knowledge of that functionality, it was corporate HQ who did that.
3: VMWare ACE installations. Similar to #2 above, the laptop will have an ACE install with a complete Windows VM present that has all the information needed to access a company network. The ACE install will be valid from a certain starting time and expires before the overseas traveler boards the plane home. Also, the company will E-mail the user the password to the ACE VM once he or she checks in. This way, a traveler will pass through security, and if questioned about the ACE install, will be unable to provide any information on it. On the way back, if the laptop is seized, the ACE VM would be expired and not accessible even with the right credentials. (Of course, the ACE VM would have some security inside it so just using it wouldn't mean free reign on the home corporate VPN.)
4: The hard disk for the business stuff would be mailed to the envoy's hotel. Traveler has a decoy OS on the laptop that is being used for travel, has a hard disk with the real data sent via post (and the password to the data sent via another method). Then the user puts in the real HDD, does his/her work, and when it comes time to head home, the real HDD is either sent back via mail, erased, or physically destroyed. (2.5" laptop drives are delicate and a couple hits from a ball peen hammer have a good chance of shattering the platters.
5: Then, there is the old fashioned way of having the laptop just be a remote client with no data stored locally. The user would have network access that would start when he or she got to the hotel and called in with a coded "OK" message, and expire before he or she goes to the airport.
The alternative is to lock up everybody who has supplied keys until any legal case is over, so they cannot communicate the news. This would be worse.
Law is simply unable to keep up with the development of mass communications and freely distributable digital data. It's a simple as that. The options are to do a 16th century Japan and ban progress, or accept there will be problems en route.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
I'm stunned, I don't know why, to see people debating this as if this is the first time the issue has crossed their consciousness. News flash: this has been in the public water supply for at least two decades now. It's important, and if you haven't given it some thought long ago, you're not taking life seriously, you're just a woodpusher in the game theory of human realpolitik.
It boils down to a very simple premise: that entropy is a munition.
If you have some large chunk (say 100MB) of random bits in a file on your computer, there is no way to prove that there isn't some password that will decrypt this block of bits into meaningful information. Any chunk of information content which looks like pure entropy can be accused of harboring munitions, if you're trying to hit the preservation of society nerve, or child pornography, if you're trying to hit the righteousness of the flesh nerve (we all care about flesh). Steganography is the art of boiling a thin soup: very small amount of pure entropy hidden in a huge amount of tedious backdrop (say 200GB of licit pink matter).
If you have a large quantity of real physical entropy, there is of course no way to produce a password, and neither is there any way to prove that the entropy is real.
The authorities find this unbearable, so we are now deep into guilt by association. Caught hanging out with random bits, go directly to jail.
Any public discussion of the matter would conclude that our social concept of judicial fairness is incompatible with this new guilt by association model. What kind of society would declare entropy a munition? How would we all go about scrubbing anything that looks like entropy from our electronic records? It's not clear it is possible to comply with the implications of this, even if greater society drank the Orwellian Spook-Aid.
Hence the secrecy. If the spooks destroy 1000 innocent lives in the course of protecting society as we know it, it appears to be a cost we're going to have to bear.
The easy way to cease to think seriously about this is to invoke Stalinist escalation: that 1000 lives is soon 30 million lives.
Don't be so hasty. Sun Tsu beheaded one giggling princess to make every other princess march with the discipline of soldiers. For his needs, one was enough.
The credit industry doesn't work on principles much better than our agents of darkness. The suits have succeeded in labeling credential fraud as identity theft. Note the slight shift in blame here: it's not the design of VISA at fault (which could hardly be worse), it's your fault for offering up your digits in the first place (well, you can't use your VISA card without doing so, but why niggle?)
I hand pieces of information about myself to thousands of institutions. If the information is gathered and used against me, somehow I'm to blame, not the thousands of institutions who regard protecting the sensitive information they demanded from me as a cost center to be outsourced to India.
The great line in Brazil is "Confess quickly, or you'll jeopardize your credit rating."
Our credit system is nearly as arbitrary and secretive as this business of guilt by entropy. Innocent before proven guilty. The credit system is exempt from our normal social protections against slander. Any merchant can file a damaging untruth about me with little basis in fact, few avenues of complaint, and no ultimate liability whatsoever. The rating agencies will then spread this slander around and I can't prosecute them for spreading damaging falsehoods about me, even if I finally prove that the original merchant lied, and no sensible agency would persist in believing the original claim.
If we're not up in arms about the violation of our social norms concerning slander implicit to the credit industry, I don't harbour much hope that cottage outrage in this forum over incrimination by entropy is going to make any dent in the real world.
Stay tuned for the next exciting chapter, where encryption keys are extracte
Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament. If you don't like the definition, write to your MP, join a political party or a pressure group (there are lots) and do something, don't just whine. And if you are a 16 year old posting from your bedroom, William Hague was addressing a Party conference at 16, and I was visiting Parliament several times a year at the same age. You have no excuses. We have senior MPs who get it - David Davis, Chris Huhne.
Item 3.Others have made the point that the UK has had animal rights activists every bit as bonkers and dangerous as US anti-abortion or anti-gun-control activists. But the point also needs to be made that law must be general and not have exceptions. Exceptions make bad law. If we start deciding who is or who is not a terrorist based on anything other than their actions and intentions, this is very dangerous for civil liberties.
Although I think this is an unfortunate law, it is difficult to see how it could be any different. What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.
From scarped cliff or quarried stone she cries "A thousand types are gone, I care for nothing, no not one."
Bad examples make for bad arguments. You broadly characterize "anti-gun-control activists" as "bonkers and dangerous".
That's not a good analogy. There are lots of folks on slashdot who understand that "pro-personal freedom" == "pro-owning the means to engage in justifiable violence". We're as rational and peaceful a bunch as you're ever likely to encounter.
Please be mindful that using bad analogies tends to render less impactful your otherwise insightful statements.
(my password: "ForThe100thTimeFuckYouIWillNotTellYouMyPasswordEver")
British Police: "Tell us your password."
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "Oh, you want to be cheeky? Tell us your password or you're going to prison!"
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "This is a matter of bloody national security, you'll get 5 years!"
Me: "For the 100th time, fuck you, I will not tell you my password ever."
British Police: "He refuses to submit, send him to jail!"
Me: "Great, I'll see you in court. You recorded that conversation, right?"
British Police: ???
Authority questions you. Return the favor.
Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament.
Instead of pontificating, why don't you just actually read the law. There is a disclosure requirement if:
Those provisions are so vague that police can require you to disclose encryption keys for anything at any time.
What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.
The purpose of this law is not to prevent covert communications because that is impossible in principle.
The purpose of this law it's to give the UK government additional means to force people to obey the government even in areas where the government otherwise has no cause or legal means of forcing you. It's a totalitarian law forced through parliament under the pretext of crime and terrorism prevention.