UK Government Can Demand You Hand Over Encryption Keys
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jail time for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
Re:Been like this for years (Score:5, Informative)
It had set up the system so that there could never be any confidence that ALL the encryption keys have been turned over.
Truecrypt (Score:2, Informative)
Re:hidden volumes (Score:5, Informative)
This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.
Re:Truecrypt (Score:3, Informative)
Re:Been like this for years (Score:3, Informative)
I use a somewhat secure method to protect my personal data. It's a thing I like to call 'burning to DVD and not keeping it on my PC'.
Yes, I know DVDs can be stolen, but they have to find them first. Anyway, most of what I'm worried about isn't ephemeral threats of government snooping, but the far more likely possibility of my machine being hijacked by criminal types over the tubes.
Re:Truecrypt (Score:3, Informative)
Remember, you should assume your adversary is fully conversant with every aspect of your encryption system except the key. Any "secret process" it relies on is a good sign that you don't have an encryption system, you have a filing cabinet with a very expensive picture of a padlock painted on the side.
Your friends know about it. That's not the point. What they can *do about it* is the point.
Re:Been like this for years (Score:3, Informative)
The legislation was passed in 2000, yes. However the law was phrased so that it wouldn't become active until parliament provided a code of practice and announced a date for it to become active on. The last I heard there was a draft code planning to commence the law on 1 October 2007. I hadn't heard about this passing parliament, though, so thought it was going to happen. I may be wrong, though.
Re:Truecrypt (Score:1, Informative)
So how can they prove you have a hidden volume? Or even better, a hidden volume in the hidden volume? And as for volume size, just make them all 750MB ISOs for convenient backup burning, for all your encrypted files. Who knows how much is really used or what's really in there? And, for most of your encrypted files, you could probably honestly say there are no hidden volumes, because you are just protecting normal data and there's no need for a hidden volume, which is probably how 99% of Truecrypt users use it anyway. I don't see any way around this for the gov't except (1) assume guilt a priori for anyone who uses Truecrypt, or (2) make the use of Truecrypt illegal.
Re:Been like this for years (Score:4, Informative)
Re:Old News (Score:3, Informative)
No, the law was *made* years ago. It has yet to be used because it first entered into force yesterday. Give them time!
Re:Solution? (Score:3, Informative)
Like when they spy on you in the airport for having a "bad" book [wired.com]?
Re:Slashdot law (Score:1, Informative)
Re:Hand the keys over (Score:3, Informative)
Are we surprised that digital keys have the same requirement?
The requirement is not the same. If a judge orders you to do something, and you state that you cannot, it is usually up to the judge (or prosecution) to show beyond reasonable doubt that you could do it before you can be punished for that offence. Under the RIPA, it is up to you to show that you cannot. There is also a right of appeal against a court order like the one you describe; there is no right of appeal against a section 49 notice under the RIPA 2000.
Re:Troll. So easy to threadjack. (Score:3, Informative)
Re:More stupidity (Score:1, Informative)
Re:Solution? (Score:3, Informative)
Re:hidden volumes (Score:3, Informative)
For criminal court, the charge for not handing over the keys, like claiming you forgot what the key was, due to all of the emotional stress of these accusations, is generally a lesser charge than the real crime (pedophilia, embezzlement, murder, copyright violation, whatever). Of course, if you're held in contempt you can be kept in a local jail indefinitely until you comply or until a judge just gives up. You don't get to have a hearing or even a formal arrest when you are in contempt of court; the judge just throws you in a cell and leaves you there.
Hidden volumes, secret file system, etc. will not fool someone in data forensics. It will just give them probable cause to get court orders for the rest of the keys.
Re:Solution? (Score:3, Informative)
Re:Zeitgeist says it is rich people wanting contro (Score:3, Informative)
Search is a legitimate police tool (Score:3, Informative)
No, it is when search [wikipedia.org] — the practice long accepted as a legitimate law-enforcement tool — is not enough.
If we allow police to search houses (including safes — demanding keys, when needed), it is only logical to allow them to also decrypt data (demanding keys, when needed).
Re:Its very important that we all do this. (Score:2, Informative)
It's often how laws get made. "We have a moral imperative to protect the children! Only pedophiles and terrorists use encryption!"
Fortunately, here in the U.S. (chuckle) we have a Constitution (ha ha) that strictly limits government powers (ho ho ho) and guarantees the right to not testify against one's self (chortle guffaw ROTFLMA).
This is simply false (Score:4, Informative)
Re:This is simply false (Score:4, Informative)
That's not actually true. Here're the relevant sections, with added emphasis:
The only precondition for issuing a notice is reasonable belief. The only condition necessary for an offence to occur is that the recipient of the notice didn't act on it, knew what he was required to do and knew he was not doing it. The only time it is required for the prosecution to prove beyond reasonable doubt that the defendant is in possession of the key is if the defendant has produced evidence that he is not.
I believe you are in possession of a key with fingerprint 33a08b9d1e07, because somebody sent you a message that was encrypted with that key, and they wouldn't do that if they didn't think you could read it (reasonable belief). You have been issued with a section 49 notice requiring you to either decrypt the message or surrender your key. You can't do this because you don't have the key, and have no idea who sent you the encrypted message. Can you provide any evidence that you don't have the key? Because if you can't, I'm not required to prove that you do have it.