Forgot your password?
typodupeerror
Privacy Encryption Security Government The Courts News

British Police Demand Access To Encryption Keys 814

Posted by Zonk
from the among-other-things dept.
flip-flop writes "In the wake of recent terrorist attacks, police here in the UK have asked for sweeping new powers they claim will help them counter the threat. Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files." From the article: "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."
This discussion has been archived. No new comments can be posted.

British Police Demand Access To Encryption Keys

Comments Filter:
  • by SeanTobin (138474) * <byrdhuntr@nOspam.hotmail.com> on Friday July 22, 2005 @02:15PM (#13137323)
    Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...

    GoodGuy has a friend who is in some domestic trouble and is hiding some of his assets in off-shore accounts. He keeps his friends account information in an encrypted folder on his computer because his friend doesn't want to lose it and trusts him.

    EvilAgentMan thinks GoodGuy is a terrorist planning on taking over the world, due to his recent purchase of a salt water aquarium, baby sharks, laser pointers and duct tape. He charges GoodGuy as being a EvilDoer(TM) and puts him in jail. While looking for evidence, he notices an encrypted folder on GoodGuy's computer. He tells GoodGuy that he must hand over his encryption keys or be charged with the crime of not handing over his encryption keys. He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend. ...Time to get pricing on high speed internet access on the moon I guess. This planet's done for.
    • Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

      Are the police really going to believe "I don't have it, they're not my files"?
      • What is the situation if I store my encrypted information on a computer in the United States?
      • by gstoddart (321705) on Friday July 22, 2005 @02:29PM (#13137525) Homepage
        Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

        Then you'll be found to be aiding and abetting.

        If you're holding data for someone that you don't know what it is or how to decrypt it, you will be perceived as an accomplice. Or, just summarily assumed to be the original source of the data and just recalcitrant.

        Interesting to see would be if you can have your lawyer hold onto these things and have them covered under privelege.

        It's scary that in so-called free societies it can become a crime to keep (possibly legal and innocuous) secrets from the government.
        • So WTF? You are allowed to refuse them access to your property or house until they get a warrant or whatever, but you are not allowed the same rights over you electronic property since it is a computer? (I am talking about the physical device, not some version of IP though that may apply as well)
          • by infonography (566403) on Friday July 22, 2005 @03:02PM (#13137933) Homepage
            too bad I am dsylecxic my seepling is just aufful.

            hire is thee key

            the pass code is "My hovercraft is full of eels."
            RSA key mynipplesexplodewithdelight

            here is a little test message;

            Ya! Ya! Ya! Ya! Do you waaaaant...do you waaaaaant...to come back to my place, bouncy bouncy? If I said you had a beautiful body, would you hold it against me? I...I am no longer infected.
        • by afidel (530433) on Friday July 22, 2005 @02:50PM (#13137780)
          You just gave me a truely evil idea. Make a worm which copies and randomly encrypts files from the infected computer, then email a copy of the encrypted file along with a copy of the worm to random people in the address book. Would make life hell for sigint people and just might give someone plausible deniability against this type of idiotic law.
      • by Alphabet Pal (895900) on Friday July 22, 2005 @02:36PM (#13137608)

        What if they find a file they can't associate with an application, assume that it's encrypted, and insist that you give them the encryption keys for a file that's actually a corrupted Word document? Crypto documents are designed so that they're not supposed to look like crypto documents.

        • Oh that's easy.

          You're screwed.

          Remember, you're guilty until proven innocent. If you have data files on your computer that look suspicious or the cops can't read, then you must be trying to hide something. Therefore, you're guilty of something.
        • No, that's steganography, not cryptography.
      • by dheltzel (558802) on Friday July 22, 2005 @02:54PM (#13137821)
        Or what if the encrypted data was put there by a virus or some other source?

        If you really want to hide something under the new rules, encrypt it and store it on a network of zombie computers, or a p2p network. That will cause real problems for others, but you'll never have possession to be charged with not providing the keys.

        Or, just compromise your enemy's computer and store some encrypted files there and then turn them in as a concerned citizen. Even if they manage to get aquitted, the implied guilt during the process will destroy their lives. It's sort of scary if they're gonna assume you are the one who did the encryption simply because you possess the file.

    • Guantanamo Bay? (Score:3, Insightful)

      by fantomas (94850)
      "Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it."
      umm, Guantanamo Bay? [amnesty.org]
      • Re:Guantanamo Bay? (Score:3, Insightful)

        by ejdmoo (193585)
        That's in Cuba, silly. :)
      • by SeanTobin (138474) * <byrdhuntr@nOspam.hotmail.com> on Friday July 22, 2005 @02:22PM (#13137425)
        umm, Guantanamo Bay?
        Yeah.... sorry about that one.
        There is at least one additional rule that goes along with innocent until proven guilty. It's guilty until proven American.
    • by temojen (678985) on Friday July 22, 2005 @02:26PM (#13137488) Journal
      If you don't comply with a subpoena, you go to jail for contempt of court. Of course a subpoena actually requires judicial approval, whereas a police request for encryption keys does not.
    • by ScentCone (795499) on Friday July 22, 2005 @02:33PM (#13137575)
      He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend

      Because there's no friend like a friend who talks you into criminal complicity, I always say. I mean, what are friends for, if not to help you launder money or hide assets? And what ever happened to the bad guys just writing down the key, laminating, and burying it in a coffee can three paces south of the big oak tree on old man Smith's back forty? You know, where you used to go and smoke pot and dream of the days when you'd have enough ill-gotten assets to have to hide them from the court? Ah, those were the days.

      Incidentally, what would you have the cops do while they're sitting there looking at the hard drive from a guy they just arrested, who yesterday was having some trouble blowing himself up? Ask him ever so nicely? OK, so he was willing to die in order to kill you and your kids, so he's probably not going to be big on cooperating, but the owner of the cyber cafe where he often runs chats with his equally inept fellow bombers - is it worth being able to crack his encrypted leavings so that maybe we can stop his buddies from smearing more innocent people all over the inside of a tunnel? You are aware that actual people are actually spending their days actually thinking up and acting on ways to kill people that run yogurt stores, work at rehab clinics, build web servers, teach grade school, and have families that depend on them... right? This isn't a game, it's actually happening. And as the prime minister of Autstralia put it so eloquently yesterday, we're using 19th century approaches to dealing with bad guys happy to use 21st century technologies (um, even as these twits condemn modernity - always a telling little bit of confusion on their part).
    • Dear A. Victim:

      Attached to this email is a file containing the details and photographs of the series of crimes that we are in the process of committing. Be careful, it has personal idenfiying information, documents, and photos that could send us both to jail for a long time! You've got the encryption key already, so you should be able to access it. Also, attached is an unencrypted photo of the most recent crime (all personal identifying information is cropped off, as you'll notice - that's all in the e
    • He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend.

      Actually he would be guilty of not releasing the encryption key and that's what he would go to jail for. Not the aquarium, baby sharks, laser pointers, and duct tape. So he's not completely innocent.

      GoodGuy has probably already broken the law anyway (to some degree) by helping his friend hide the information. It's just he wasn't caught yet.
    • Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...

      So let's compare. UK wants 90 days. US wants Guantanamo, military tribunals, zero access to lawyers for suspects, indeterminate holding periods without convictions of crimes...

      UK wants encryption keys. US makes it illegal to break any encryption, unless it's the government, wh
  • by bigwavejas (678602) * on Friday July 22, 2005 @02:15PM (#13137324) Journal
    Sure, you can have my encryption key. Here it is:
    01100110 01110101 01100011 01101011 00100000 01101111 01100110 01100110
  • Simple Solution (Score:4, Interesting)

    by USSJoin (896766) on Friday July 22, 2005 @02:17PM (#13137351) Homepage
    "I forgot it." Seriously. This is what we do in the U.S., and even if they hold you in contempt-- it's a darn sight better than letting them have access, and seeing what you were up to.
    • Who do you help?

      Those innocent till proven guilty

      OR

      Those craving for a UK Patriot act

    • Time to create some encrypted files on my harddrive with suggestive names and whose keys I generated with my eyes closed. Give them something to think about...
    • Re:Simple Solution (Score:3, Interesting)

      by homer_ca (144738)
      The other way is to store the key on removable media that's easily destroyed (Zip disks? haha), like a GPG private key with passphrase. Maybe they'll charge you with destroying evidence, but wouldn't they have to prove the encrypted files actually contained evidence?
  • Encryption Keys? (Score:5, Informative)

    by Taevin (850923) * on Friday July 22, 2005 @02:17PM (#13137358)
    Fortunately we have things like StegFS [cam.ac.uk]. But I really shouldn't be disclosing such information, some people in the govA*$%#)D$@#$NO CARRIER
  • How can they prove you have or know the key? Is "I forgot" a valid defense?
  • "I forgot my password" gets you 20 years in jail?

    This sounds so awful and stupid I don't want to even think about it.
  • Already an offense? (Score:5, Informative)

    by moderators_are_w*nke (571920) on Friday July 22, 2005 @02:19PM (#13137385) Journal
    I was pretty sure that the regulation of investigatory powers act (1998?) already made it an offense to refuse to disclose an encryption key?
    • by Thwomp (773873)

      Yeah, that was my immediate thought also. The RIP act [homeoffice.gov.uk] was actually past in 2000.

      One interesting point I remember from it was that if you were no longer in possession of the key then you had to prove you didn't have it. In other words proving a negative! Besides, I'm sure any criminal wouldn't disclose the keys and take a shorter prison sentence if what they were encrypting was more damaging.

      I'd advise anybody working in the computing profession, in the U.K., to be aware of this law and others.

    • Sunset: May 26, 2005 (Score:4, Informative)

      by MacDork (560499) on Friday July 22, 2005 @11:39PM (#13141943) Journal
      It was. [theregister.co.uk]
  • by dd (15470) * on Friday July 22, 2005 @02:20PM (#13137389) Homepage
    The real measure of a free, open and just society is how it behaves in bad times - not in good times. When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go? Maybe the citizens should not crow too loudly about how free, open and just their society is when they look back at how their country has behaved in difficult times..
    • by geekee (591277) on Friday July 22, 2005 @02:54PM (#13137825)
      "When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go?"

      You don't have liberty without security, so what's the point of talking about preserving all your civil liberties when you're not free anyway? In reality compromises must be made to maximise freedom.
      • How far must we go then, to have "security"? Should we all be strip searched before entering an airplane? What about buses and trains? What about public buildings? At some point, you have to trust that the vast majority of people are not terrorists out to get you.

        Inmates in prison are very secure.. are they free? What you propose will make us all inmates in our very own police state.

        Is it better to live a life of safety, watched by a suspicious government every second of your life? Not allowed to do anyt
  • Is to encrypt all new encryption keys.
  • by plasmacutter (901737) on Friday July 22, 2005 @02:21PM (#13137409)
    I'm waiting for the suit against the UK by the US claiming ashcroft is violating his non-competition clause...
  • by dwbryson (104783) <mutex&cryptobackpack,org> on Friday July 22, 2005 @02:21PM (#13137411) Journal
    Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files.

    I'm not familiar with British law, but I do know American law is based on the same doctorines as the British(from a historical perspective at least).

    In the U.S. the court can order you to provide encryption keys and if you do not you will be held in contempt of the court [wikipedia.org]. This usually means the judge puts you in jail until you decide to provide the keys. To me(IANAL) it seems like the above just formalises the practice. Via the wikipedia reference it appears as though the U.S. did this in 1981.

    Being held in contempt of the court is a very normal tool for judges to use with uncooperative court subjects, cryptographic keys aren't special or different.
  • DeCSS (Score:5, Funny)

    by Henry V .009 (518000) on Friday July 22, 2005 @02:22PM (#13137423) Journal
    I use CSS encryption for all my privacy needs. I'm sorry, but I'm afraid that it would be illegal for me to provide you the software code that breaks it.
  • "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."

    Why not just stick them on a plane heading to the US where they can call them an "enemy combatant" and hold them until the end of time.
  • It's the PATRIOT Act, UK edition.
  • by Slightly Askew (638918) on Friday July 22, 2005 @02:22PM (#13137430) Journal
    Uniting the Kingdom by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
  • by westcoaster004 (893514) on Friday July 22, 2005 @02:23PM (#13137441)
    What is the difference between the right to prevent self-incrimination (i.e. the right to silence) and the right to not say your password?

    In England and Wales, "a defendant cannot be convicted solely due to their silence [wikipedia.org]" yet this is saying precisely the opposite.
  • Doesn't the UK have some sort of protection against being forced to disclose information that would cause you to incriminate yourself? In the US we have this as part of the constitution. (For what that's worth . . . . . )

    I would think disclosing the key to your encrypted data would qualify.
  • by krbvroc1 (725200) on Friday July 22, 2005 @02:23PM (#13137448)
    The thing that upsets me the most is not that the gov't tries for this power grab. Instead, it is that the people allow it. There will be a news montage of interviewed commoners says 'I've got to give up my freedoms/rights to fight terrorists'. With that misguided green-light, law enforcement is more than willing to grab powers that were previously unattainable.

    I'm not happy that New Yorkers are willing to subject themselves to 'random' searches. I'm pretty sure the London terrorist attacks will be the catylst for widespread CCTV in the U.S.

  • by Albanach (527650) on Friday July 22, 2005 @02:23PM (#13137449) Homepage
    I'm not sure why they would demand the right to access encryption keys when they already appear to have the power through Section III of the Regulation of Investigatory Powers Act Link here [homeoffice.gov.uk].

  • From TFA (Score:3, Insightful)

    by travail_jgd (80602) on Friday July 22, 2005 @02:24PM (#13137459)
    "They also want to make it a criminal offence for suspects [emphasis mine] to refuse to cooperate in giving the police full access to computer files by refusing to disclose their encryption keys."

    I don't see what that problem is, as long as due process is respected. Murder suspects can't turn away search warrants of their property, and if the proper warrants are filled out electronic files should be treated as physical property.

    Secret warrants or police officers "going fishing" is another story.
  • by presarioD (771260) on Friday July 22, 2005 @02:27PM (#13137502)


    Be afraid. Be very afraid. Be British and very very very very very afraid:

    Noam Chomsky [zmag.org]

    The western world is in its worst decadence since the Medieval times...
  • by Sneftel (15416) on Friday July 22, 2005 @02:29PM (#13137528)
    The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient. "The complexities and timescales surrounding forensic examination of [crime] scenes merely add to the burden and immense time pressures on investigating officers," he said. Three-month periods would help to ensure the charge could be sustained in court.
    Wow. "Civil liberties are a pain in the arse for us to respect... so could we get rid of them?" In my opinion, the only humane way to look at the rights of the accused is to look at a rhetorical someone who has been wrongly accused. How would Mr. Jones feel about being imprisoned for three months so that police could take their sweet time figuring out what, if anything, to charge him with?
  • by SpecBear (769433) on Friday July 22, 2005 @02:44PM (#13137697)
    1. Wait for Annoying Coworker (AC) to leave desk
    2. Place encrypted file PlansToBlowUpParliament.zip on AC's computer.
    3. Report AC to authorities.
    4. Authorities ask AC for password, but of course he can't give it.
    5. Authorities can't verify the contents of the file, so they can't charge him with a crime. Without revealing the contents of the file, AC can't prove his innocence. AC rots in jail for three months without charges filed against him.
    6. AC loses his job while imprisoned, you loot his cubicle for snacks.
    7. Profit!

    For bonus points, see if you can get the file onto the hard drive of some politician you hate.
  • by linuxwrangler (582055) on Friday July 22, 2005 @03:02PM (#13137921)
    Obviously what is needed is a method for dual encrypted files. Basically an encryption/steganography combo. When unencrypted with the 'fake' key, you just get whatever text you encrypted with that key - something uninteresting like expired credit card numbers or letters to grandma and it looks like you have complied with the order. Meanwhile the real key unlocks the data you want to keep secret.

    Naturally the algorithms would require that it would be undetectable that this is what you have done.

    Some alarm systems have something similar. When you open the business you use the real code. When the robber forces you to open up at gunpoint you use the fake code. The alarm does turn off as expected but it also calls the police with an "under duress" alarm.
  • by pclminion (145572) on Friday July 22, 2005 @03:19PM (#13138117)
    We need a dual-key cryptosystem which allows the user to encrypt multiple messages, using multiple keys, and output the result as a single encrypted block.

    Then, if somebody demands/coerces the key from you, you can simply provide one of the alternate keys, which decrypts the cipertext to reveal an innocuous message.

    Obviously the system would have to be designed such that it would be impossible to detect how many messages are simultaneously encoded, and no way to determine any one key using knowledge of any of the other keys. But it might be mathematically possible.

    Has any work been done on this?

  • fortunetly (Score:3, Interesting)

    by Kaenneth (82978) on Friday July 22, 2005 @04:03PM (#13138648) Homepage Journal
    My encrypted drive password is "I Forgot It"

    but seriously, my hobbies include random number generation, data compression, and encryption, as well as large number series (Pi, fibonucci, etc.); I have many very large files of apperently random data. But I also have sensitive data belonging to other people; I've worked for various laywers, a government agency, and a couple small businesses as a basic security advisor (among other jobs) not all the data I have is my own, and I don't know what all of it is (for the lawyers, my home is their off-site backup location, and I have copies of client paperwork that would send them to jail for a few hundred years, if it were all added up, but that is under attourny/client privelidge)

    I guess I'm in a similar situation with ISP's; there should be a burden of proof that the key exists in the defendants possession in the first place.

    Some of my hobby research includes 2/3rd's keys:

    say the real key is '10100101'

    generate a random number '00110111'

    xor them '10010010'

    then break it up into 3 sections

    AB
    BC
    CA

    A and B each have half the real key, so they can get in.

    A and C have the first half, and can rebuild the second

    B and C have the second half, and can rebuild the first

    the problem is that A and B each have half the real key, square-rooting the brute force time.

    I've been thinking about generating multiple sets of random numbers, and the result of xor'ing the key by each of them...

    key: 01011010
    rd1: 10100101
    rd2: 00011100
    rd3: 10110010
    xr1: 11111111 (hmm, tried to be random, got the exact inverse...)
    xr2: 01000110
    xr3: 11101000

    noone gets the root key, and they rotate which random/xor number they get, A gets rd1 and xr2, B gets rd2 and xr3, and C gets rd3 and xr1.

    so A and B can get the key by rebuilding xr2 and rd2, B and C can get the key by rebuilding xr3 and rd3, and C and A can get the key by rebuilding xr1 and rd1.

    if any one user is captured or turns traitor, their key alone will be of no help to cracking the master key; while the other two remaining users may be able to get together and re-key the data to a newly selected third user, effectivly excluding the old, captured key.
  • by isotope23 (210590) on Friday July 22, 2005 @04:32PM (#13138993) Homepage Journal
    Please join

    Britons United against Greator Govermental Executive Reform Ostensibly From Fear

    B.U.G.G.E.R.O.F.F. stands with the government! We cannot allow the morons from The Society Of dissenting Organisms For Freedom to undermine the war on terra! Please write your representative and tell him your views. S.O.D.O.F.F is an extremely dangerous organization which threatens our Purity of essence. Being an american I can only lend moral support. On that note I wish to let all Britons know that the American Society for a Secure Homeland Over Liberty and Equality is here to help!

    Together A.S.S.H.O.L.E. and B.U.G.G.E.R.O.F.F are a perfect match.

  • by minion (162631) on Friday July 22, 2005 @04:40PM (#13139088)
    First they came for the catholics,
    and I said nothing because I wasn't catholic
    Then they came for the witches,
    and I said nothing because I'm not a witch
    Next they came for the jews,
    and I said nothing because I'm not jewish
    Now they've come for me,
    and there is no one left to say anything for me.
  • by doc modulo (568776) on Friday July 22, 2005 @06:05PM (#13139945)
    But in all this consternation of you arresting me, bag over my head and all that. I totally forgot my passphrase.

    Why are you hooking up that generator to two wires that go nowhere?

    Oh

How many QA engineers does it take to screw in a lightbulb? 3: 1 to screw it in and 2 to say "I told you so" when it doesn't work.

Working...