In UK, Two Convicted of Refusing To Decrypt Data

ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."

Self-incrimination becoming mandatory

[mseeger]

This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

Re:Self-incrimination becoming mandatory

[im+just+cannonfodder]

part of the law is that if you get a demand from the police you are not allowed to tell anyone about it other than your solicitor.

so no public accountability yet again by our government.

http://www.ckwop.me.uk/Articles/article01.html

An analysis of Section 3 of the Regulation of Investigatory Powers Act 2000 The Regulation of Investigatory Powers Act 2000 is a piece of UK law that, among a range of other things, contains a section that is meant to require the surrender of cryptographic keys to certain authorised parties (which are in effect instruments of the government). If such a request is made as part of an investigation, then the party who disclosed the key is not allowed to tell anyone that the authorities have that key or they face up to two years in prison. Equally, if the party fails to disclose the key, they also face up to two years in prison.

Re:Self-incrimination becoming mandatory

[L4t3r4lu5]

That went too. Remaining silent when they ask for your encryption keys is failing to provide the encryption keys.

Besides, we all know that the new system is heavily based on proving innocence. Innocent until speculated guilty, and all that.

Re:Self-incrimination becoming mandatory

[tygerstripes]

I'd be curious to learn how many of the four who did comply were subsequently convicted of the crimes for which they were being investigated, and what sentences these convictions entailed. I'm also very curious about what prevented the conviction of the other non-compliant nine. Essentially: was it worth it?

While I can see the arguments for and against permitting Section 49 sanctions, I want to know what the practical upshot is. Hypothetically, it may be worthwhile to a potential criminal to serve up to a couple of years in prison with a note on their record akin to "refused to assist in investigation" rather than face the potentially much more damaging convictions that their cooperation might incur.

My concern is that the law will be amended to reflect this, leading to much harsher sentencing in order to prevent this kind of cost-benefit decision being made by suspected criminals.

Re:Self-incrimination becoming mandatory

[FinchWorld]

Any safe can be broken into, especially if its the police doing it, because no ones going to arrest them half way through the attempt. So key or no key, there getting what they want, though they may have something of a dim view of you come sentancing if you didn't give them the key and whatever illegal activity was in the safe. If there was nothing in said safe, and the key really had been lost, the police more or less wasted there time and your not guilty of anything, after all they never found that key either.

However, with encryption it could well take the span of several peoples life times to crack a key needed to unlock the data, hence the law brought in. However if you have genuinely lost the key, or its destroyed, and you have nothing illegal encrypted, say bank details and the like, your going to prison anyway.

Re:Self-incrimination becoming mandatory

[DigitAl56K]

The police don't know what evidence is there with certainty until they can access it. If they are given the power to break open a physical lock because they have satisfied a judge (or any other requirement) that they are likely to discover evidence by doing so, that's one thing. However, they can get to that evidence with or without your help.

If they believe that decrypting a drive or file will provide evidence and they can get to that evidence without your help fine. If they can only get to the evidence with your help then they have no evidence. And this law is basically saying that with no evidence they can send you to jail.. because you won't help them prosecute you. Which is kind of contrary to the whole concept of legal trials: how can it be mandatory for you to do the work of the prosecution when you are the defendant?

Elsewhere in the discussion others mention the right to remain silent, and when you ask "isn't this more like police demanding you unlock a door? You can't hide evidence behind a physical lock, so why should a digital lock be different?" then there are a whole bunch of slippery slope questions. Isn't this like the police demanding you tell them where you were at the time of the crime? You can't stop them finding out (but they may never unless you tell them). Who were your accessories? You can't prevent forensics from determining that so you should have to tell them!

But really, let's simplify it:

"You can't hide evidence behind a physical lock, so why should a digital lock be different?"

Because it is different? You can hide evidence behind a digital lock, and you do have the right to remain silent. Sometimes. Apparently.

BTW I am from the UK and I grow more ashamed of the people who govern it almost every day.

Re:Self-incrimination becoming mandatory

[Shakrai]

Indeed. Here's two different videos to drive the point home, one from an attorney and the other from a police officer himself.

Never ever EVER talk to the police. Nothing you can say to them is going to help you. Shut your damn mouth and ask for an attorney.

Re:What I want

[jeek]

Look into the Phonebook filesystem. Not quite what you mentioned, but almost as good.

Re:What I want

[L4t3r4lu5]

I think you're approaching this from the wrong angle.

The issue is no longer whether you can prove their is nothing incriminating in the "ecrypted file" but whether the old memory you've had for 7 months is an encrypted file or not.

Further, TrueCrypt is well known. "Hey, do you have a second 'hidden' partition on this slightly incriminating but pretty inoccuous drive?" "No." "I don't believe you. Do not collect £200."

This is a very, very bad day for the British public.

Re:Can I ask..

[FinchWorld]

Carefully crack a CD in various places, so that not data can be recovered from it, scrawl on it "Encrytion Keys - Keep Safe" and hide in a stack of CDs.

When arrested, tell them about this CD that has your keys. When they come back and inform you its damaged go psycho screaming at them for having lost your keys, and hence, years of data (cos your back ups are encrypted too right?).

Sue.

Profit!

Ok maybe not, worth a thought though.

Not very surprising historically

A hundred years ago today, if someone had a giant safe in their house, and they were suspected of any crime whatsoever, the legal authorities (of pretty much every country in the world, it would baffle me to hear about somewhere this would not be the case) would simply ask for the keys. If the person refused to hand them over, the person gets punished. The "punishment" can be of different forms - whether prison in itself, or just a lot more unfavourable treatment from a judge and the assumption of guilt going against you, but nothing at all? Never. The difference with encryption keys is not all that great.

Re:Not very surprising historically

[runlevelfour]

I think they are two different things. A safe is a physical object that holds, well physical objects. Not the same as encrypting data which is really just making information indecipherable. One hundred years ago today analogy would be closer to having a journal that the government wants to read but you wrote it in code.

A thought experiment

[ebonum]

Suppose I have TrueCrypt installed on my machine, but I don't have anything encrypted. What stops to police from accusing me of having encrypted files and demanding a key? How do I prove random bits of data on my HD are random bits of data and not super secret encrypted files?
I doubt I even need Truecrypt installed for the police to use this to get a guaranteed 2 or 5 year conviction.

Re:A thought experiment

[ebonum]

To clarify, proving that a section of random bits of data on my hard drive is NOT an encrypted file is equivalent to proving that I am NOT a witch.

This could be easily abused by the police. All they have to do is find a section of random data on a hard drive. Then, the police ask you for a key. When you don't provide one ( because there is no key ), you get convicted on "Refusing To Decrypt Data" charges.

It isn't possible to say with certainty what is random data and what is encrypted data.

It's an appalling piece of legislation

[jimicus]

It's an appalling piece of legislation for a number of reasons:

1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?

2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?

Re:What I want

[tsotha]

I've been thinking about that for awhile. You don't want a system that will destroy the encrypted data - as others have pointed out, the cops will image your drive before they do anything, so it's sort of pointless. But I think you could do even better with a set of one time pads. I'm envisioning a system that works like this:

1. You have data you want to encrypt of a certain size. Doesn't matter how large, but you can't really add to it after it's encrypted.
2. You generate a key the size of your original data and xor the key with the data you want to encrypt. If your key is random enough it should be impossible to decrypt. They say you can get something truly random with atomic decay or cosmic background radiation. These days storage is cheap, so having a key as big as a couple gigs should be no big deal - keep it on a fob.
3. Now here's the twist. After you've encrypted your data you generate a second "key" by xor-ing the encrypted data with something innocuous. War and Peace, maybe, or cat pictures from the internet. Now you have a key you can give to the cops if they ever come calling, and the data they come up with will be recognizable as data of some sort. So it will be difficult for them to argue you haven't provided "the key".

Re:The logic is obvious

[rtb61]

The is so wrong. The logic of the law is that you are now legally liable for your memory. Can't remember something 5 years in prison, it is by far the most offensive legislation there is, hmm, what next death penalty for amnesiacs.

I have forgotten lots of passwords, I have had to rebuild data, redo secure OS installs, drop web accounts, have passwords reset and what some fucked up government and corrupt court decide that they want that information, my total by now 5 years at a time would be up around 250 years in jail. The law is bullshit, there is a profound difference between telling a lie and withholding the truth, conscious effort is required to tell the lie but withholding the truth simply requires a lapse of memory. How many people, failed to get every answer right in every test and exam they have taken, billions of people, it is the norm and in by far the majority of instances, they had been provided all the information required to get 100 percent on those tests and exams.

Now lets start holding politicians to the same standard, zero forgetfulness, zero lapses of memory, zero forgotten promises, 5 years jail for every offences, oh yeah, because it does affect national security.

Re:The logic is obvious

[digitig]

Where the definition of 'terrorist cell' is up to the authorities, and in this case means 'animal rights activist'. It could mean anything according to this corrupt, overbearing government.

Some animal rights activists do use terror tactics, including bombing campaigns, so in this case it might not just mean 'animal rights activist', it could mean everything you normally mean by 'terrorist'. Yes, there are huge problems with the law, but its being used against animal rights campaigners is not de facto one of them.

Re:The logic is obvious

[fracai]

There is actually a series problem with animal rights extremists in the UK.

Perhaps they should be tried in parallel? It would certainly speed up the process.

Re:The logic is obvious

[binaryseraph]

If it was animal rights activits, they should have just eaten hamburgers infront of them. That will get the password out quick... Then again, that might also count as torture. "burger-boarding"

Re:The logic is obvious

[rant64]

They can claim that any bunch of random data on your disk is actually hiding something encrypted

This may be technically true, and the poor, random, but arrested sod may get away with the usual blank stares. Anyone using TC, Vsoft, or any of the full disk encryption software on the other hand, will have a hard time convincing me or anybody that the random stuff on your drive is not actually data if the boot loader pops up.
As for me, the wall in my study room also happens to be, ehm, decorated with some certificates for IT courses, photos and old entrance tickets from LAN parties etc. and I have books about technical/programming stuff lying around. How are you EVER going to convince anybody that you don't know how that 'random data' ended up on your hard drive?

Unless full disk encryption is enabled by default in future operating systems, blank stares or denying the obvious are not going to get us out of trouble.

A few points perhaps need making

[Kupfernigk]

I have been around, I can tell, a lot longer than you have. I've been in countries with overbearing, corrupt Governments. Item 1, you have no idea what you are talking about. When you've failed to bribe a Mexican official or got involved with Spanish Mafia house building scams supported by corrupt local officials, or fallen foul of a South American or Russian "businessman" then you can post about it. Until then, don't exaggerate.

Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament. If you don't like the definition, write to your MP, join a political party or a pressure group (there are lots) and do something, don't just whine. And if you are a 16 year old posting from your bedroom, William Hague was addressing a Party conference at 16, and I was visiting Parliament several times a year at the same age. You have no excuses. We have senior MPs who get it - David Davis, Chris Huhne.

Item 3.Others have made the point that the UK has had animal rights activists every bit as bonkers and dangerous as US anti-abortion or anti-gun-control activists. But the point also needs to be made that law must be general and not have exceptions. Exceptions make bad law. If we start deciding who is or who is not a terrorist based on anything other than their actions and intentions, this is very dangerous for civil liberties.

Although I think this is an unfortunate law, it is difficult to see how it could be any different. What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.