Privacy Encryption Security Government Politics

UK Government Can Demand You Hand Over Encryption Keys 426

iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
  • Three Words (Score:5, Insightful)

    by ricree ( 969643 ) on Tuesday October 02, 2007 @10:17AM (#20822661)
    Truecrypt hidden volumes

    This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.
  • by R2.0 ( 532027 ) on Tuesday October 02, 2007 @10:17AM (#20822665)
    A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he

    a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")

    or

    b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.

    That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?

  • Solution? (Score:5, Insightful)

    by Cheesey ( 70139 ) on Tuesday October 02, 2007 @10:17AM (#20822671)
    For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.

    Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.

    I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
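Added example, not part of the original post: a sketch of the ephemeral key exchange the comment above describes, including the man-in-the-middle check it asks about. The toy group (2**521 - 1, generator 3), the XOR keystream cipher, the HMAC standing in for SSH's host-key signature, and all names here are assumptions chosen so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy parameters for illustration: p = 2**521 - 1 (a Mersenne prime), g = 3.
# Real protocols use vetted groups or curves (e.g. X25519) and real ciphers.
P, G, NBYTES = 2**521 - 1, 3, 66


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with a SHA-256 counter keystream (encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def mac(auth_key: bytes, role: bytes, public: int) -> bytes:
    """Authenticate an ephemeral public value (stand-in for a host-key signature)."""
    data = role + public.to_bytes(NBYTES, "big")
    return hmac.new(auth_key, data, hashlib.sha256).digest()


class Endpoint:
    """One side of a connection; its secrets exist only until close()."""

    def __init__(self, role: bytes, auth_key: bytes):
        self.auth_key = auth_key                      # long-term, authentication only
        self._secret = secrets.randbelow(P - 3) + 2   # fresh for every connection
        self.public = pow(G, self._secret, P)
        self.tag = mac(auth_key, role, self.public)
        self.session_key = None

    def finish(self, peer_role: bytes, peer_public: int, peer_tag: bytes) -> None:
        expected = mac(self.auth_key, peer_role, peer_public)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("key exchange value not authenticated (possible MITM)")
        shared = pow(peer_public, self._secret, P)
        self.session_key = hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()

    def close(self) -> None:
        # Drop the references. Python cannot guarantee the memory is wiped;
        # implementations in C zero the key buffers explicitly.
        self._secret = self.session_key = None


def session(auth_key: bytes, message: bytes, mitm: bool = False):
    """Run one connection; return what a passive wiretap records, plus both ends."""
    a, b = Endpoint(b"client", auth_key), Endpoint(b"server", auth_key)
    b_public = pow(G, 12345, P) if mitm else b.public  # constructed substituted value
    a.finish(b"server", b_public, b.tag)
    b.finish(b"client", a.public, a.tag)
    ciphertext = xor_stream(a.session_key, message)
    assert xor_stream(b.session_key, ciphertext) == message
    a.close()
    b.close()
    return {"a_pub": a.public, "b_pub": b.public, "ct": ciphertext}, a, b


if __name__ == "__main__":
    auth = b"constructed-long-term-auth-key"
    record, a, b = session(auth, b"constructed private message")
    print("keys left after close:", a.session_key, b.session_key)
    print("long-term key decrypts capture:",
          xor_stream(auth, record["ct"]) == b"constructed private message")
```

The long-term key only authenticates the exchange, so disclosing it later does not yield the session key for a recorded connection; a message encrypted directly under a long-term key has no such property.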
  • "After all, if you've nothing to hide then whats the problem? "

    The problem is that people who SHOULD be hiding things, don't - like the whales on the beach (both sexes) who squeeze into too-tiny bathing suits.

    As for the encryption keys - "Gee, I forgot it." Prove otherwise. How many passwords have YOU forgotten?

  • Intended usage (Score:3, Insightful)

    by feed_me_cereal ( 452042 ) on Tuesday October 02, 2007 @10:18AM (#20822685)

    The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities


    That's right, I seem to recall that Rivest, Shamir, and Adleman wrote about providing protection for pedophiles and terrorists in the motivation section of their paper on RSA.
  • Re:hidden volumes (Score:2, Insightful)

    by Chrisq ( 894406 ) on Tuesday October 02, 2007 @10:20AM (#20822707)
    Just wait for them to ask for the key. If they don't know there's more data then they won't ask.
  • by Maximum Prophet ( 716608 ) on Tuesday October 02, 2007 @10:20AM (#20822709)
    If the government has no confidence that you've turned over *all* the keys, won't they just put you in jail indefinitely even after you've turned over the keys?
  • Re:Old News (Score:5, Insightful)

    by Salsaman ( 141471 ) on Tuesday October 02, 2007 @10:23AM (#20822757) Homepage
    Thankfully, it appears it has yet to be used in a non-terrorism related case.

    Since part of the law prohibits telling anyone that you have had to hand over the keys, how can you be sure about that ?

  • by malsdavis ( 542216 ) on Tuesday October 02, 2007 @10:29AM (#20822837)
    "There are still people who think that freedom is too precious to be given to the people they are protecting it for. Damn."

    The problem is "Freedom" is a very abstract concept that can be easily twisted to mean both opposites. Speeches by infamous dictators like Hitler and Pol Pot often feature words like 'Freedom'. Most of the time it's not that people wish to deny Freedom, but that they disagree on what freedom is.

    i.e. Freedom to buy addictive drugs or Freedom from addictive drugs?

  • Re:Solution? (Score:3, Insightful)

    by jedidiah ( 1196 ) on Tuesday October 02, 2007 @10:39AM (#20822979) Homepage
    Then you simply have no imagination.

    Not very well informed either.

    Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choose to draw strange inferences out of it.

    Oppose the wrong law. Support the rights of the wrong types of people. Practice the wrong religion.

  • Search warrants? (Score:3, Insightful)

    by osgeek ( 239988 ) on Tuesday October 02, 2007 @10:41AM (#20823007) Homepage Journal
    Does the UK have the concept of a search warrant?

    I know everyone gets their panties in a wad about the guvmint decrypting their data, but I'm somewhat okay with it if a court is involved in the issuance of a valid search warrant. It's not fundamentally different from the court-overseen right to come into your home and search the premises.

    You can't completely declaw the police or they'll be useless at any type of law enforcement.
  • Re:Old News (Score:3, Insightful)

    by UbuntuDupe ( 970646 ) on Tuesday October 02, 2007 @10:44AM (#20823045) Journal
    You're saying, it's illegal to tell people what semiprimes the government knows the factors of?
  • by CastrTroy ( 595695 ) on Tuesday October 02, 2007 @10:49AM (#20823145)
    Digital keys are not physical items. This is like them demanding that you hand over your thoughts. In the US, and many other countries, there are laws stating that you have the right to remain silent, and that you don't have to testify against yourself. If you don't hand over the keys to your house, car, or safety deposit box, there's other ways of retrieving such physical objects by just taking them from you. If you don't hand them over, and they have a search warrant, they are allowed to break the lock. They can't do that with thoughts in your head.
  • Re:hidden volumes (Score:3, Insightful)

    by R2.0 ( 532027 ) on Tuesday October 02, 2007 @10:51AM (#20823187)
    2 reasons I have a problem with laws such as this.

    1) They violate your rights against self incrimination. Per the US constitution, I cannot be compelled to testify or offer evidence against myself. What this law says is that I MUST testify against myself, in the form of giving up *knowledge* that I have for the state to use against me.

    2) While the warrant may be issued for a small piece of information, it has the potential to lay all your secrets bare. Let's say I am accused of child pornography, and that's what the police are "looking for" in the encrypted directory marked "Private". All of the data in that directory is subject to discovery. So if they find pictures of my infant daughter without her onesie, and figure out that this is simply a divorce case gone bad, the child porn investigation dies. But now they have also seen my financial records, and discover that I've made some questionable tax deductions, and the case now gets referred to the IRS. Or they find money that I've been hiding from my ex-wife, and hand her that info.
  • by ribuck ( 943217 ) on Tuesday October 02, 2007 @10:52AM (#20823197)
    The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.
  • by itsdapead ( 734413 ) on Tuesday October 02, 2007 @10:52AM (#20823199)

    If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

    But...

    1. That will typically require a court hearing "on the public record"
    2. Even a technically ignorant judge should be able to decide (a) whether it's your house/car/box (b) whether it's plausible that you have lost the keys (c) whether the police have a reasonable justification for wanting access and (d) whether the fact that you have a lock on your door or possess a safety deposit box is, in itself, suspicious.

    Unfortunately, as soon as computer technology is involved, even some otherwise highly intelligent people instinctively turn off their brain and may be convinced that the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.

  • Re:Truecrypt (Score:5, Insightful)

    by 49152 ( 690909 ) on Tuesday October 02, 2007 @10:58AM (#20823289)
    I don't think you quite understand the principles behind "hidden volumes" in Truecrypt.

    The point is not that they don't know it is possible. The point is that it cannot be proven that there is a second encrypted volume within the first one.

    This makes it plausible to deny that it exists at all. If you store some sensitive information in the outer volume, like some very embarrassing but not illegal pornography, you can make a claim that this was the sole purpose of the outer Truecrypt volume. The law enforcement agency will have a hard time getting a judge to order you to hand over keys to a hidden volume they cannot prove exists.

    Hidden volumes in Truecrypt have got nothing at all to do with "security through obscurity", it's all about "plausible deniability". You can ask your friend in the police about that, if he has any experience with the security community at all he should be very well acquainted with this term.

    Of course, if you admit or in other ways make it provable that there exists an inner volume then all bets are off ;-)

    This will probably work in societies like USA and UK where the police have to follow certain procedures. In countries like Burma or China where they will just torture you until you confess or die, I'm not so sure about the value of this scheme.
  • by Terje Mathisen ( 128806 ) on Tuesday October 02, 2007 @11:11AM (#20823479)
    This is in fact very easy to prove:

    If the maximum jail time for not divulging encryption keys is significantly less than the time for actually being convicted of terrorism, then it should be obvious that real terrorists would never divulge such encryption keys.

    No, this law, and others like it in other jurisdictions, are simply there to give the police one more reason to force regular citizens to hand over their keys.

    If you actually do have something to hide from the authorities, the best idea is probably to look into http://truecrypt.org/ [truecrypt.org] and the capability of having hidden encrypted volumes.

    When forced, either by legal threats or by rubber hose interrogation, you can then divulge the primary key. On the primary volume you should store potentially embarrassing, but not really critical information. This should be sufficient to show that you had reason to hide said info, but not enough to put you in jail for a long time.

    If you happen to be located in a place like Myanmar/Burma, then you should also use TrueCrypt, for exactly the same kind of reason.

    Terje
    "almost all programming can be viewed as an exercise in caching"
  • by westlake ( 615356 ) on Tuesday October 02, 2007 @11:11AM (#20823481)
    As for the encryption keys - "Gee, I forgot it." Prove otherwise.

    Six months in the county lock-up will do wonders for your memory - which is what this smart-ass response to the judge will get you.

  • by JCWDenton ( 851047 ) on Tuesday October 02, 2007 @12:02PM (#20824275)
    No, no. You missed out an essential step
    1. Place files full of random data on competitor's machines
    2. Tip off the authorities to their "terrorist plans"
    3. Watch them get five years for "refusing" to decrypt the "data"
    4. Profit!
  • by Anonymous Brave Guy ( 457657 ) on Tuesday October 02, 2007 @12:04PM (#20824301)

    As for the encryption keys - "Gee, I forgot it." Prove otherwise.

    They don't have to. If you don't provide a key they believe exists, for any reason including the fact that it doesn't really exist or that you really have forgotten it, then you are automatically guilty under the RIPA. It's a bit of law to make those behind the USA PATRIOT Act proud — and our glorious government even wrote it before 9/11.

  • by Futurepower(R) ( 558542 ) on Tuesday October 02, 2007 @12:16PM (#20824471) Homepage
    "I guess when wire-tapping and CCTV just isn't enough"

    The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.

    The movie Zeitgeist explains it: The movie Zeitgeist (2007) [zeitgeistmovie.com] claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.

    The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.

    The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.

    Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.

    Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004) [moviesfoundonline.com].

    For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.

    For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.

    I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)

    Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.

    TrueCrypt has "plausible deniability". I wondered why TrueCrypt [truecrypt.org] encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.
  • Re:Solution? (Score:3, Insightful)

    by Hatta ( 162192 ) on Tuesday October 02, 2007 @12:46PM (#20824949) Journal
    Yes, we always could and we always should. The constant reminder of the evils our (or any) government is capable of is the best protection we have against it happening again.
  • by arkhan_jg ( 618674 ) on Tuesday October 02, 2007 @01:42PM (#20825779)
    "Failing to provide the keys makes you guilty of breaking the law that requires you to do so."

    Yes, but you fail to address the basis for that law. Encrypting your files is not illegal. However, it might as well be now.
    The *purpose* of the law is to make hiding your data an offence, so that you don't hide your data, or if you do they can still nail you for something.
    The *effect* of the law is that if you encrypt your files, regardless of whether you've done anything wrong - and I emphasise, encryption is still legal - you can face 5 years in jail.

    I don't know where morals come into this. I expect the due process of law. I expect to be held innocent until proven guilty of a crime. I expect to be able to exercise my right to privacy. These are fundamental to our society, and our current body of law. Yes, a fascist police state can do what it likes with the law, but I supposedly don't live in one of those. Yes, you can pass a law making 'not giving over all your data when asked' a crime, but then the government could declare 'being left handed' a crime - just because they CAN doesn't mean they SHOULD, nor that it's concomitant with our existing laws.

    This law basically makes me guilty and facing prison if I use encryption, regardless of what else I have and haven't done. I don't consider that just, or fair. Putting me in jail for 2 years because I've forgotten my password, with those investigating me gagged by court order, with no other law broken, makes a mockery of the justice the law is supposed to codify.
  • by TheLink ( 130905 ) on Tuesday October 02, 2007 @02:29PM (#20826495) Journal
    You miss my point totally.

    The gov thug comes and says "Ah you're using Truecrypt, we know about that cool feature they mention in their website, so hand us all keys".

    And if you're stupid you go "Uh I only have one key".

    Then:
    a) If you're not telling the truth, you're in deep shit.
    b) If you're telling the truth, you're in deeper shit, since there's no key #2 to give them.

    Think Truecrypt is so great now? Truecrypt's "plausible deniability" feature is crap.

    What I call plausible deniability would be if a very popular linux distro ALWAYS generated a 100MB (or 2% of diskspace, whichever is larger, up to a max of say 1GB) file full of random stuff and plonked it on the filesystem, and it always included encryption tools by default.

    Would normal users be willing to pay the price of the "wasted" space and time?
  • by CodeBuster ( 516420 ) on Tuesday October 02, 2007 @04:50PM (#20828711)
    In most US states, drunk driving laws work exactly that way. Refusal to take a breathalyzer test amounts to a confession of guilt.

    Yes, because no judge, without very convincing evidence, is going to believe that you *cannot* breathe into a tube to prove your innocence or guilt...ergo obstruction. However the entire thread of this discussion revolves around thoughts or knowledge in your head which is intangible and very difficult to prove or disprove. If you say, "I don't know" or "I don't remember" or "I didn't see that" then it is very difficult for the court to prove that you are not telling the truth, especially when there is no other evidence to the contrary. This is the same problem with "eye witness" testimony and why other evidence, beyond "you have my word on it", is required to prove something beyond some reasonable level of doubt. Otherwise it is just he said she said or hearsay.
  • by Alsee ( 515537 ) on Tuesday October 02, 2007 @05:19PM (#20829259) Homepage
    >I forgot it.

    Six months in the county lock-up will do wonders for your memory - which is what this smart-ass response to the judge will get you.


    I happen to have something on my drive right now which for the last half year or so I have been *trying* to remember the password. I would delete it but for the slim chance I might be able to remember the password some day, or that a relevant cracking program might eventually be developed.

    Nazi fuckers like you and these UK government deserve a chainsaw enema. Being "tough on crime" is a mental defect when you are blind/unfazed about imprisoning innocent people in your Crusade.

    Oh wait, I forgot. Anything which makes it more difficult to catch and convict criminals must itself be made criminal. The fact that anyone ever possesses anything encrypted means they must already be a criminal.

    -
  • by slash.dt ( 701002 ) on Wednesday October 03, 2007 @01:24AM (#20833533)
    When the police come to take your computer, pull out the disk and snap it in half before they can ask for it.

    Come on, this is ridiculous. First off, if they wanted to, data recovery services would be able to get the key back from the disk.

    Secondly, by doing this you are moving from unable to comply to actively impeding the police in their duties. Your punishment just got upgraded.

    Just say you can't recall/find the key.

  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Wednesday October 03, 2007 @03:26AM (#20834101) Homepage Journal

    I was unaware that you are required to help the police to search your house.

    You are required to provide the key to your safe, so it can be searched.

    Tell me, does someone accused [you mean, convicted, right?] of murder get a heavier sentence if he refuses to tell where the murder weapon is?

    "Obstruction of justice" can be thrown in as an extra charge. It rarely happens, I guess, because it is a very minor offense compared to the murder itself.

    Interestingly, in the US, one can, probably, refuse to provide the decryption key on the 5th Amendment's ground... Not sure, if anything similar exists in the UK at all.
