Dear Mr. Straw

Stand.org.uk has taken issue with the UK's proposed new e-commerce bill in a novel fashion. The Bill includes an assortment of new powers for law enforcement to combat the spread of that dread menace, cryptography. Police can demand that you decrypt and provide the keys for any encrypted communications in your possession - with a penalty of two years in jail. But what if you don't have the key? An excellent letter and even more excellent photo-essay. -- michael

Huge files of random data to become probable cause

I have huge files containing random data on my hard drive. They are the output of several RNGs I am doing statistical analyses on. Of course, one of the files MIGHT be an encrypted filesystem. So when MI6 kicks down the door and demands the "key" to decode the random data that they think is hidden information, what will happen? Floggings day and night until I "talk"? Jail time for "not cooperating"? But it's just random data! Really! But since I cannot "prove" this in any way (they can't "prove" me guilty either so there's no crime, but I am ruled in contempt of court and jailed on that. Oh Loverly!

Re:Civil Rights in the UK

One could make a strong arguement that the forcing one to divulge crypto keys IS a violation of the fifth amendment. In the US you have the right to not give ANY information that can incriminate you in a criminal case. You can not be compelled to testify against yourself. If a key is considered information, you can't be forced to give information that can incriminate you. Period. When you get arrested in the US you must be read your Miranda rights. The first of whice is "You have the right to remail silent." That means shut the fsck up! If you're innocent, they have to find evidence that proves otherwise. You have NO obligation to give it to them. The prosecution can't subpoena you to testify at your own trial. They can hit you with warrants and subpoenas all day long. You don't have to give them squat. If you have a padlock on your shed (yes the one with the bodies) they can't force you to give them the combination. They have to either hire a locksmith to get it or break in. They can legally break into that shed. Just as they can legally attempt to brute force your crypto. >>Sure the cops should be able to gather evidence, but they should have a warrant first. (The easy of getting a warrant is another issue, that deals with judical oversight (or lack there of).) The warrant would only give them the permission to legally attempt to crack your crypto. Nothing more, anything else would be unconstitutional. >>Personally I have no problem with the cops forcing me to decrypt a message. Then you don't get it. You can't be compelled to give ANY information that you don't want to. >>I don't like it, but it's no different than forcing me to unlock a safe. In the US you don't have to unlock your safe in a criminal matter. They can break it open, but you can't be forced to open it. They can brute force crack your crypto, but you don't have to give them anything. Know your rights under the US constitution, or kiss them goodbye. Anonymous because on this one I want to post AND moderate.

Re:US version?

[Fastolfe]

You're not testifying. You're permitting law enforcement access to information. In the US, refusing would be equivalent to not allowing law enforcement access to your home, in spite of the court order/search warrant.

This has nothing at all to do with 5th amendment protections against self-incrimination.

Well Said.

[Amphigory]

That's what I love about the British -- on average, they are much better spoken and written than those of us on the western side of the Atlantic. They also have a gift for poetic understatement that is probably one of the funniest things on the planet.

But I wouldn't want to live there. In the US, I could challenge such a bill on a number of constitutional grounds. I could claim that it violated due process, unreasonable search and ceisure, freedom of speech, and unnenumerated rights such as privacy. It wouldn't last six months (much like the late CDA did not). However, my understanding is that in Britain their are no such consitutional protections -- don't I remember hearing that they don't even have a formal consitution?

On /., a lot of people criticize the US. And that's a good thing: there are many areas where the US deserves to be criticized. But let's not forget that in some areas at least we are far ahead of the competition.

Re:Can't even complain?

[kraut]

Basically this relates to tipping off people about communication interception being illegal. I.e. if the police demand that you decrypt the email I have been sending you, you can't tell me (or anyone else) about it - otherwise it's straight to jail without passing go.

In itself that is fair enough - after all you don't want to allow one of the proverbial peadophiles/drug traffickers/international terrorists to tip off their colleagues. What is insidiuous is that the government under the current proposals will not be required to reveal the interception / decryption request even after the fact - not even in summary form. In other words, the government can claim that this law is very effective in preventing crime without ever having to prove it ...

I don't usually subscribe to conspiracy theories, but this is beginning to suck. But at least we still have the European Court of Human Rights to fall back on.

What are the implications for ISPs?

[aphrael]

Depending on how "possession" is defined, it would seem that this bill essentially requires providers of hosting space for web pages to have access to the private keys of any encrypted data that they are hosting.

Not a good thing for the relationship between web hosting companies and their customers, I would imagine.

Re:Deniable encryption

[brad.hill]

You could probably look it up in the library. I found some abstracts on AltaVista by Ran Canetti, Cynthia Dwork, Moni Naor and Rafi Ostrovsky.

There was also a short piece on it in 2600 a few issues back, I think in enough detail to implement it if you know basic crypto programming. I think it mentioned some prototypical crypto-stego filesystems already available that use this idea.

IIRC, you divide the cyphertext into blocks, which are either chaff or real data. You use the key to scan along, decoding blocks until you get a decrypt that checks out, and then that block has some of the data and the key to the next valid block. Thus, depending on what key you start with, you can pull out any one of many embedded plaintexts. You can set the ratio of chaffing to be whatever you want, but it generally needs to be pretty high for it to be truly effective. I think, for example, that if you wanted a secure 2 GB filesystem, you'd want an 8 GB disk, with 2 GB of filesystem, 2 GB of alternate plaintext and 4 GB of random chaff. Not very effective or fast, but when you need to be secure...

Deniable encryption

[brad.hill]

There are systems out there that use "deniable encryption". They chaff the data to a high degree, and allow you to encrypt multiple messages within the same cyphertext using multiple keys.

So if Mr. Fed demands a key, you give him one, and it pulls a couple of porn pictures and some old issues of Phrack out of the cyphertext. You gave him a key, it produced plaintext from a cypertext- get out of jail free.

That there's another key that decrypts entirely other information from the file is impossible to prove, due to the chaffing.

Any sensible criminal would just use this type of encryption.

Freedom of Thought, and When Society Can Go F* Off

[Alex+Pennace]

Your brain. Lovely little thing, isn't it? You have every expectation that the thoughts contained therein are yours alone, and you don't have to account for your thoughts to anyone, only your actions. Thoughts hurt no one by themselves.

Your hard drive. When you can't readily remember everything, you use your handy dandy computer to store it. At this point you have various expectations of privacy, but chances are anyone encountering a file that is encrypted will realize that it isn't for them to see.

Freedom of thought is an individual right, and it is no one's business but the thinkee what is being thought about. But like the schoolyard bully, the powers that be do not wish to be humbled by anything beyond their purview. Encryption is just one of the many tools available to the individual to protect this absolute right against oppressive forces, whether or not they operate under the banner of law.

Civil Rights in the UK

[coaxial]

First off, I'm an American, so I don't know jack about the civil rights one has in the UK. I do know this, they're not enumerated and can be withdrawn by an act of parlament. (Just one of the many grievences that led to the American Revolution.)

Since I've already admitted that I'm not qualified to speak about British law, let's suppose that this law was passed in the United States. (Which isn't unlikely.) This law would be perfectly legal. When the government suppeanas information from you via a search warrant, you have to give it.

Turning over a crypto-key is no different than turning over the key to you shed where you stashed the dismembered corpses of your wife and children. (Claiming privacy for stashing a body doesn't cut it, and it doesn't for encrypting a document either.) It doesn't violate the 5th amendment (Freedom from self-incrimination, for all our non-American friends) because it's evidence gathering, not testamony.

Imprisonment for not retrieving the key is where American and UK law start to diverge. INAL, but I belive the governement can still imprison you under some sort of conspiracy law, but I'm not sure. (I really don't know alot about conspiracy law, except that they only have to prove intent, which has a very low threshhold. Also they don't need physical evidence, (thus the "Conspiracty to ______" charge rather than for "_______ing".)

I understand law enforcement's predicament when it comes to crypto, but it's no different than any other civil-rights vs. law-enforcement issue. Basically the crypto-issue reduces down to Search. Sure having cops rabndomly raid someone's home will prevent crime, but is it to much of a price to pay? Sure key-escrow/recovery will allow the cops to evesdrop on you and the criminals, but is it too much of a price to pay?

It's a classic predicament, and there isn't an easy answer. A long time ago, society decided "No, you can't let the cops barge in and search. They need warrant to do that." Later society decided, "No, you can't just let the cops evesdrop on phone conversations, they need a warrant to do that." Sure the cops should be able to gather evidence, but they should have a warrant first. (The easy of getting a warrant is another issue, that deals with judical oversight (or lack there of).)

Personally I have no problem with the cops forcing me to decrypt a message. I don't like it, but it's no different than forcing me to unlock a safe. (However. I would kind of like to see the FBI crack the crypto.) I also feel the US crypto-export laws should be repealed, because they're completly ineffective against curbing the spread of strong crypto, and only serves to hold back the software industry and e-commerce.

--
The following was just random line noise.

Work-arounds

[PigleT]

There are several interesting clauses in it, to my eyes, to be found at http://www.dti.gov.uk/cii/el ec/ecbill_part_III.htm onwards.
In particular, I notice sections 10 (2) where (a) and (b) might give grounds for defence / opting-out, but "require" towards the end stamps on our freedom & privacy.
(3) (b) seems to allow for any means the requirer sees fit - I wonder what happens if they choose PGP-signed mail?

(11)(2) and (3) appear to leave a loop-hole; if you're required to release information believed to be held under a key system, might you only have to release "useful information" ('in an intelligible form'), not necessarily the *actual* information you've encrypted.

Big deal? Why've I gone to the trouble of looking all this up?
Because while it will only apply if the police demand it, which will probably only happen if they suspect you of something, the problem is that if we don't *exert* the basic human right to *privacy*, then someone will trample all over it later and you'll wake up powerless to fix things.

Canada Crypto Policy

[DanaL]

Time and time again, I get to think, "Yay, I live in Canada". Here is an excerpt from John Manley (Canada's Industry Minister) outlining his governments crypto policy:


The policy allows Canadians to develop, import and use whatever cryptography
products they wish and does not impose mandatory key recovery requirements or
a licensing regime. "This policy is good for the Canadian economy," said Minister
Manley. "It supports the increased use of electronic commerce products and
services in Canada, as well as the export of Canadian information technologies to
other countries."


Wow! A consumer/industry friendly approach! The full article is here

Dana

Hurrah for Stand, A Silver Lining?

[Logos]

One bright spot here. I am a US citizen, and while I am disturbed by the almost daily threats to privacy and other civil rights in this country, what struck me while reading this is the resonance between the British citizens' problems and our own with similar attempts.

If nothing else, we at least are truly starting to talk about issues in this world without regard to traditional borders. It is becoming more of an attack on OUR rights, as opposed to their rights. Once people are the same side of the fence, they work together. What affects the rights of people "over there" affects people everywhere. With forums like this, the position of the world's repressionists is becoming more difficult. We must continue to think in terms of we, regardless of outdated borders and outdated ways of viewing people that many of us have grown up being taught (by our societies, families, churches, etc.). The purpose of free speach has always been to keep unpopular (to the gov't or to the people) opinions flowing so we don't stagnate in our thinking.

Hurrah for Stand, for doing something. As long as we keep discussing and acting on these attempts to limit freedom, those who are afraid of everyone having the same freedom they have, will be unable to succeed. The more we incorporate the people of the world into the "we" of our mindsets, the more we move toward the world we all want.

Love it, but...

[Ledge+Kindred]

Why do I have the feeling that the only thing this will accomplish is to have the politicians put a clause in stating that any persons currently holding law enforcement and/or political offices are exempt from prosecution because of this law...

Does the UK have anything akin to the U.S. "Freedom of Information Act?" I wonder if an entire Gov't agency could get into trouble for having information that's encrypted that the public should have access to but won't give up the decryption key?

-=-=-=-=-

Interesting..

[Kitsune+Sushi]

"This is why such sober organisations as British Telecom, Hewlett Packard and Microsoft have publicly criticised the Bill at each stage of its development."

Microsoft doing some good in the world besides giving us the WAV format? Nifty. I'm still not sure I would refer to them as "sober" (they seem to prefer free beer to free speech.. most of the time, anyway ;).