Forgot your password?
typodupeerror
Privacy Encryption Security Government Politics

UK Government Can Demand You Hand Over Encryption Keys 426

Posted by Zonk
from the shh-don't-give-them-ideas dept.
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
This discussion has been archived. No new comments can be posted.

UK Government Can Demand You Hand Over Encryption Keys

Comments Filter:
  • hmm (Score:4, Funny)

    by pak9rabid (1011935) on Tuesday October 02, 2007 @09:09AM (#20822543)
    I guess when wire-tapping and CCTV just isn't enough
    • by Anonymous Coward
      Yeah. The U.K. (along with most countries) has always impressed me as a country designed by the bureaucrats, of the bureaucrats, and for the bureaucrats. Unfortunately the U.S. has been heading the same way for a while.

      People forget that the U.S. Senate came close to outlawing Public Key Crypto back in September of 1991. This is why there was a rush to release PGP back in the summer of that year. It negated anything the Senate could do.

      One has to wonder what life would be like without public key crypto toda
      • by Rei (128717) on Tuesday October 02, 2007 @11:34AM (#20824755) Homepage
        Weren't the British planning to pass something like this years ago? I remember reading about it at the time. This law seems like it'd be either unenforcable (if the person can argue that they don't have or forgot the key), or asking for people to be set up (if they can't). Perhaps a less obvious version of the following:

        From: Anonymous Stranger (someone@outsidetheuk.com)
        To: Patsy (someone-else@inside.co.uk)
        CC: Law Enforcement HQ (help@police.co.uk)
        Subject: Confession

        Dear Patsy,

        I was just approached by an acquaintance who says he committed a crime for you. Not believing it, I asked for proof. He showed me this picture:

        (insert photo of apparent crime in progress)

        I was horribly disturbed when I saw this. Apparently, according to him, it's just a screenshot from a video of the crime and him talking about all of the details of it for you. When I asked why he felt safe keeping a video around, he said it's encrypted and that only you and he have the keys. I managed to swipe his USB memory stick, and sure enough, there's some big encrypted file on it. I'm attaching it below for you. Since the police will certainly be interested in what it shows, I'd advise that you hand over your encryption key to them immediately.
    • "I guess when wire-tapping and CCTV just isn't enough"

      The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.

      The movie Zeitgeist explains it: The movie Zeitgeist (2007) [zeitgeistmovie.com] claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.

      The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.

      The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.

      Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.

      Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004) [moviesfoundonline.com].

      For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.

      For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.

      I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)

      Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.

      TrueCrypt has "plausible deniability. I wondered why TrueCrypt [truecrypt.org] encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.
      • by TheLink (130905) on Tuesday October 02, 2007 @12:00PM (#20825223) Journal
        Truecrypt's plausible deniability is worthless or even dangerous.

        If you have Truecrypt installed it just means you're going to rot in jail till you can either:
        1) Convince the police that some random file you have that they are interested in is not encrypted.
        2) Decrypt the file somehow (even if it wasn't encrypted in the first place ;) ).

        You'd be better off downloading some legal porn (or something similarly frowned on but legal) and encrypt sets of them (without truecrypt) and write down the keys somewhere so you never forget or lose it. Then if the Gov says "hand over the keys" you hand over the keys, rather than say "I have no keys".

        A Gov like that is going to presume you're guilty of something.
        • Re: (Score:3, Informative)

          by Chosen Reject (842143)
          TrueCrypt's plausible deniability is more than that. With it you can have two encrypted volumes within the same volume only with different keys. If you are asked for a key, you give them one. They unencrypt the volume you gave them a key for and they find nothing. More information (and probably a much better description) here. [wikipedia.org]
    • I guess when wire-tapping and CCTV just isn't enough

      No, it is when search [wikipedia.org] — the practice long accepted as a legitimate law-enforcement tool — is not enough.

      If we allow police to search houses (including safes — demanding keys, when needed), it is only logical to allow them to also decrypt data (demanding keys, when needed).

  • by TechnoBunny (991156) on Tuesday October 02, 2007 @09:11AM (#20822565)
    Unless we let the government have access to all our data then the terrorismists will WIN.

    After all, if you've nothing to hide then whats the problem? I for one will be printing out all of my data in hardcopy to send to the government, as I am a PATRIOT.

    After all - there was no terrorismisticals before the internet.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      I'm sure they'll appreciate all the porn :)
    • Re: (Score:3, Insightful)

      by tomhudson (43916)

      "After all, if you've nothing to hide then whats the problem? "

      The problem is that people who SHOULD be hiding things, don't - like the whales on the beach (both sexes) who squeeze into too-tiny bathing suits.

      As for the encryption keys - "Gee, I forgot it." Prove otherwise. How many passwords have YOU forgotten?

      • by UbuntuDupe (970646) on Tuesday October 02, 2007 @09:38AM (#20822959) Journal
        Hm, I generally go with: "Oh, you don't need the key; just factor the semiprime. What, you bad at math or something?"
      • Re: (Score:3, Insightful)

        by westlake (615356)
        As for the encryption keys - "Gee, I forgot it." Prove otherwise.

        Six months in the county lock-up will do wonders for your memory - which is what thi smart-ass response to the judge will get you.

        • by Alsee (515537) on Tuesday October 02, 2007 @04:19PM (#20829259) Homepage
          >I forgot it.

          Six months in the county lock-up will do wonders for your memory - which is what thi smart-ass response to the judge will get you.


          I happen to have something on my drive right now which for the last half year or so I have been *trying* to remember the password. I would delete it but for the slim chance I might be able to remember the password some day, or that a relevant cracking program might eventually be developed.

          Nazi fuckers like you and these UK government government deserve a chainsaw enema. Being "tough on crime" is a mental defect when you are blind/unphased about imprisoning innocent people in your Crusade.

          Oh wait, I forgot. Anything which makes it more difficult to catch and convict criminals must itself be made criminal. The fact that anyone ever posesses anything encrypted means they must already be a criminal.

          -
      • by arkhan_jg (618674) on Tuesday October 02, 2007 @10:51AM (#20824105)
        That's the problem - forgetting the password is not a defence. Failing to hand it over when asked carries up to a 5 year jail sentence, as it's assumed whatever you're 'hiding' would cause you to be imprisoned. The basic premise, if you use encryption, is that you are guilty of something and it's up to *you* to prove otherwise by letting the police rifle through *all* your data looking for something incriminating. Failure to do so is evidence itself of guilt!

        This law was passed 7 years ago, and the home office has been quietly waiting for the original outrage to die down to see if they could get away with actually using the powers they were granted before 9/11 or 7/7. Of *course* they'll only use it against terrorists and pedophiles. Nothing to fear citizen, sleep soundly in your bed, safe in the knowledge we're only imprisoning bad men. After all, only bad men use encryption then forget the password...

        Of course, if you're a pedophile you're far better off taking the 2 years for failure to hand over your encrypted data, than to take the potentially decades in jail if you have incriminating photos and a sex offender offence that might well get you killed there. I don't think it'll be too long before the maximum sentence gets raised to be in line with the worst crime you might be assumed to have committed and hiding via encryption...
        • As far as I can see, and I'm not a lawyer, this new section of RIPA breaches the right to silence and against self-incrimination - which have been judged in the courts to be intrinsic aspects of a 'fair trial'. This is in addition to reversing the burden of proof.

          It seems to me that anyone banged up for 'forgetting' their pass phrase would have excellent grounds for appeal, and overturning the law. And let's face it, this morally corrupt, authoritarian Labour government has had it's nefarious laws overturne

        • This is simply false (Score:4, Informative)

          by nasor (690345) on Tuesday October 02, 2007 @01:42PM (#20826691)

          That's the problem - forgetting the password is not a defence.
          This is simply false. In fact, one of the biggest criticisms of the law from U.K. law enforcement is that it's almost impossible to enforce in most cases because the burden is on the police to prove that the suspect does actually have the keys and has not simply lost/forgotten them. The law quite explicitly states that the police must demonstrate beyond a reasonable doubt that the person actually has a key before any violation of this law can occur.
          • by julesh (229690) on Tuesday October 02, 2007 @04:07PM (#20829039)
            The law quite explicitly states that the police must demonstrate beyond a reasonable doubt that the person actually has a key before any violation of this law can occur.

            That's not actually true. Here're the relevant sections, with added emphasis:

            49 (2) If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds--

            (a) that a key to the protected information is in the possession of any person

            [...]

            53 Failure to comply with a notice

            (1) A person to whom a section 49 notice has been given is guilty of an offence if he knowingly fails, in accordance with the notice, to make the disclosure required by virtue of the giving of the notice.

            (2) In proceedings against any person for an offence under this section, if it is shown that that person was in possession of a key to any protected information at any time before the time of the giving of the section 49 notice, that person shall be taken for the purposes of those proceedings to have continued to be in possession of that key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.

            (3) For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if--

            (a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and

            (b) the contrary is not proved beyond a reasonable doubt.


            The only precondition for issuing a notice is reasonable belief. The only condition necessary for an offence to occur is that the recipient of the notice didn't act on it, knew what he was required to do and knew he was not doing it. The only time it is required for the prosecution to prove beyond reasonable doubt that the defendant is in posession of the key is if the defendent has produced evidence that he is not.

            I believe you are in posession of a key with fingerprint 33a08b9d1e07, because somebody sent you a message that was encrypted with that key, and they wouldn't do that if they didn't think you could read it (reasonable belief). You have been issued with a section 49 notice requiring you to either decrypt the message or surrender your key. You can't do this because you don't have the key, and have no idea who sent you the encrypted message. Can you provide any evidence that you don't have the key? Because if you can't, I'm not required to prove that you do have it.
      • Re: (Score:3, Insightful)

        As for the encryption keys - "Gee, I forgot it." Prove otherwise.

        They don't have to. If you don't provide a key they believe exists, for any reason including the fact that it doesn't really exist or that you really have forgotten it, then you are automatically guilty under the RIPA. It's a bit of law to make those behind the USA PATRIOT Act proud — and our glorious government even wrote it before 9/11.

  • by CRCulver (715279) <crculver@christopherculver.com> on Tuesday October 02, 2007 @09:12AM (#20822583) Homepage
    This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".
    • by mikelieman (35628) on Tuesday October 02, 2007 @09:15AM (#20822627) Homepage
      And the idea is why Rubberhose Crypto was developed.

      It had setup the system so that there could never be any confidence that ALL the encryption keys have been turned over.
      • by Maximum Prophet (716608) on Tuesday October 02, 2007 @09:20AM (#20822709)
        If the government has no confidence that you've turned over *all* the keys, won't they just put you in jail indefinitly even after you've turned over the keys?
        • This is the UK government, not the US one. I can't think of any recent instances where the UK has detained someone indefinitely without coaxing from the US.
        • Re: (Score:3, Informative)

          by rucs_hack (784150)
          not so long as the keys they have allow access to all your encrypted data that they know about.

          I use a somewhat secure method to protect my personal data. Its a thing I like to call 'burning to dvd and not keeping it on my pc'.

          Yes I know dvd's can be stolen, but they have to find them first. Anyway, most of what I'm worried about isn't ephemorous threats of government snooping, but the far more likely possibility of my machine being hijacked by criminal types over the tubes.
    • by Chrisq (894406) on Tuesday October 02, 2007 @09:26AM (#20822801)
      GnuPG has a --show-session-key command, so that when you are asked to reveal the key for an encrypted message you can comply with the law by revealing the session key that was generated for that specific message rather than your secret key. This complies with the letter of the law, so you can ask for a written order for each individual message. Of course if they are really serious at this point they will smile at your request and get out the rubber hoses....
      • Re: (Score:3, Interesting)

        by internewt (640704)
        In a past discussion like this one, here on slashdot, I saw talk of a system that might potentially bypass this kind of law.

        You have 2 computers, A and B. The HDD's in both are encrypted, the two systems network boot off each other, with the encryption key stored on the other machine. i.e. A's key is on B, and B's key is on A. You'd obviously need a third computer whilst building this system, but once built, as long as A and B aren't powered off at the same time you would have 2 fully encrypted servers with
    • Re: (Score:3, Informative)

      by julesh (229690)
      This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".

      The legislation was passed in 2000, yes. However the law was phrased so that it wouldn't become active until parliament provided a code of practice and announced a date for it to become active on. The last I heard there was a draft code planning to commence the law on 1 October 2007. I hadn't heard about th
  • hidden volumes (Score:2, Interesting)

    by kalpol (714519)
    I'm curious to see how they handle hidden volumes on encrypted disks. Sure you can give up the first key, but if you don't give up the second (or the x-th, how far can you nest these?) who's to know?
    • Re:hidden volumes (Score:5, Informative)

      by malsdavis (542216) on Tuesday October 02, 2007 @09:19AM (#20822699)
      Because the law wasn't designed to work like that. The police can't demand "hand over all your passwords so we can route around for anything illegal", it has to be a specific key to a specific piece of suspected evidence (e.g. Database or file). If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.

      This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.
      • Re: (Score:3, Insightful)

        by R2.0 (532027)
        2 reasons I have a problem with laws such as this.

        1) They violate your rights against self incrimination. Per the US constitution, I cannot be compelled to testify or offer evidence against myself. What this law says is that I MUST testify against myself, in the form of giving up *knowledge* that I have for the state to use against me.

        2) While the warrant may be issued for a small piece of information, it has the potential to lay all your secrets bare. Let's say I am accused of child pornography, and tha
        • Re: (Score:3, Informative)

          by OrangeTide (124937)
          In a civil court you have no protection from self incrimination. So when the RIAA demands you hand over your secret keys, you have little choice.

          For criminal court, the charge for not handing over the keys, like claiming you forgot what the key was, due to all of the emotional stress of these accusations, is generally a lesser charge than the real crime (pedophilia, embezzlement, murder, copyright violation, whatever). of course if you're held in contempt you can be kept in a local jail indefinitely until y
      • If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.

        Not true.

        The warrant will be for a search of your hard drive.

        The consequences won't be pleasant when a judge asks why you withheld the key to a hidden volume that was known to others or was exposed in forensic analysis.

    • Re: (Score:2, Insightful)

      by Chrisq (894406)
      Just wait for them to ask for the key. If they don't know there's more data then they won't ask.
  • Not exactly news (Score:5, Interesting)

    by TheRaven64 (641858) on Tuesday October 02, 2007 @09:13AM (#20822613) Journal
    RIPA has had a lot of negative coverage since the idea was first raised. Someone at the time proposed emailing the Home Secretary with a few MBs of random data and the text 'here is the information on your opium import operation. The key is as we agreed' and then sending a tip to the police. If the Home Secretary does not disclose the key (which he doesn't have) then he is liable for 5 years of jail time. Or, the government could see how silly the act is and repeal it. Since the law just went into force, I expect civil liberties groups will start trying this soon.
  • Hand the keys over (Score:4, Interesting)

    by DuncanE (35734) * on Tuesday October 02, 2007 @09:15AM (#20822635) Homepage
    If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

    Are we surprised that digital keys have the same requirement?

    And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.

    • A judge is one thing. If they have a warrant, then that's fine. This story is talking about the police demanding that people hand over their encryption keys.
      • No it says authorities can demand that the keys be handed over. Authorities can also demand someone be arrested, show up at court and serve a sentence in jail. It doesn't say whether or not a court order is required in this particular article, but I don't think its overly naieve to assume that it would be covered by the same laws that cover searching people's physical premises.
    • by nasor (690345)
      People use "key" as a metaphor for "the information that you need to decrypt the data," but it's not clear that a cryptographic key is really analogous to a physical key. Suppose I try to keep my information private by writing in some obscure language that almost no one knows and that the police can't find a translator for. Would forcing me to explain the language so that the police can read my diary really be analogous to forcing me to hand over the key to my shed?
    • by CastrTroy (595695) on Tuesday October 02, 2007 @09:49AM (#20823145) Homepage
      Digital keys are not physical items. This is like them demanding that you hand over your thoughts. In the US, and many other countries, there are laws stating that you have the right to remain silent, and that you don't have to testify against yourself. If you don't hand over the keys to your house, car, or safety deposit box, there's other ways of retrieving such physical objects by just taking them from you. If you don't hand them over, and they have a search warrant, they are allowed to break the lock. They can't do that with thoughts in your head.
      • Re: (Score:3, Funny)

        by Prof.Phreak (584152)
        ...they are allowed to break the lock. They can't do that with thoughts in your head.

        I'd imagine that depends on the punishment (and whether they can get away with it or not)---they can certainly break your head, just as easily as they break locks.
    • by itsdapead (734413) on Tuesday October 02, 2007 @09:52AM (#20823199)

      If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

      But...

      1. That will typically require a court hearing "on the public record"
      2. Even a technically ignorant judge should be able to decide (a) whether its your house/car/box (b) whether its plausible that you have lost the keys (c) whether the police have a reasonable justification for wanting access and (d) whether the fact that you have a lock on your door or possess a saftey deposit box is, in itself, suspicious.

      Unfortunately, as soon as computer technology is involved, even some otherwise highly intelligent people instinctively turn off their brain and may be convinced that the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.

    • Re: (Score:3, Informative)

      by julesh (229690)
      If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

      Are we surprised that digital keys have the same requirement?


      The requirement is not the same. If a judge orders you to do something, and you state that you cannot, it is usually up to the judge (or prosecution) to show beyond reasonable doubt that you could do it before you can be punished for that offence. Under the RIPA, it is up to you to show that you c
  • Truecrypt (Score:2, Informative)

    by Anonymous Coward
    Encrypt using Truecrypt, which supports plausible-deniability [truecrypt.org]. Allows you to have an encrypted volume and then a "hidden" encrypted volume within that. If you're ever forced to give up your key due to extortion or torture, you only need to reveal the key to the outer volume and the inner hidden volume remains encrypted.
    • Re: (Score:3, Informative)

      by TheRaven64 (641858)
      I have a few friends who work in police forensics. Trust me, they know about Trucrypt. Interestingly, security by obscurity doesn't work when you tell everyone about it...
      • Re: (Score:3, Informative)

        by jesdynf (42915)
        Doesn't matter that they know about it. That's the *point*. They may "know" it, but they can't *prove* it.

        Remember, you should assume your adversary is fully conversant with every aspect of your encryption system except the key. Any "secret process" it relies on is a good sign that you don't have an encryption system, you have a filing cabinet with a very expensive picture of a padlock painted on the side.

        Your friends know about it. That's not the point. What they can *do about it* is the point.
      • Re:Truecrypt (Score:5, Insightful)

        by 49152 (690909) on Tuesday October 02, 2007 @09:58AM (#20823289)
        I don't think you quite understand the principles behind "hidden volumes" in Truecrypt.

        The point is not that they don't know it is possible. The point is that it cannot be proven that there is a second encrypted volume within the first one.

        This makes it plausible to deny that it exist at all. If store some sensitive information in the outer volume, like some very embarrassing but not illegal pornography you can make a claim that this was the sole purpose of the outer Truecrypt volume. The law enforcement agency will have a hard time getting a judge to order you hand over keys to a hidden volume they cannot prove exist.

        Hidden volumes in Truecrypt got nothing at all to do with "security through obscurity", it's all about "plausible deniability". You can ask your friend in the police about that, if he has any experience with the security community at all he should be very well acquainted with this term.

        Of course, if you admit or in other ways make it provable that there exist an inner volume then all bets are off ;-)

        This will probably work in societies like USA and UK where the police have to follow certain procedures. In countries like Burma or China where they will just torture you until you confesses or dies, I'm not so sure about the value of this scheme.
        • Re: (Score:3, Funny)

          by soulsteal (104635)
          Of course, if you admit or in other ways make it provable that there exist an inner volume then all bets are off ;-)

          My God, it's brilliant. A matryoshka-doll-like layered encryption scheme full of porn!
  • Three Words (Score:5, Insightful)

    by ricree (969643) on Tuesday October 02, 2007 @09:17AM (#20822661)
    Truecrypt hidden volumes

    This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.
  • by R2.0 (532027) on Tuesday October 02, 2007 @09:17AM (#20822665)
    A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he

    a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")

    or

    b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.

    That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?

    • Here's a bet: I predict a law as soon as someone does that, which says that whoever refuses to hand in keys will be treated like someone who admitted what he allegedly did. I.e. you are accused to be a terrorist and refuse to hand over the keys to your files, you're a terrorist by default, because only if you are what you're accused to be, you would refuse to cooperate.
      • by Calinous (985536)
        This goes all against the need of the accuser to prove you are wrong. Remember "innocent until proven guilty"?
              The fact that you refuse to obey to a law is not proof that you are breaking other laws.
  • Solution? (Score:5, Insightful)

    by Cheesey (70139) on Tuesday October 02, 2007 @09:17AM (#20822671)
    For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.

    Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.

    I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
    • I can't think of any e-mails I'd want to send that I'd want to encrypt from the authorities in such a way. It boggles the mind that so many here at slashdot do send such e-mails, or are at least willing to hide trivial things.
      • Re: (Score:3, Insightful)

        by jedidiah (1196)
        Then you simply have no imagination.

        Not very well informed either.

        Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choose to draw strange inferences out of it.

        Oppose the wrong law. Support the rights of the wrong types of people. Practice the wrong religion.

        • Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choose to draw strange inferences out of it.
          Citation needed.

          Practice the wrong religion.
          Funny, the US not having these laws sure isn't helping Muslims in guantanmo bay.
          • Re: (Score:3, Interesting)

            by Deagol (323173)
            I'm too busy to track down a good link, but google "salt lake city winter olympics propane teddy bear". I don't know if the guy was ever found to have a nefarious purpose for the purchase, but the government can and does correlate innocuous things together to form suspicions about people. Still, it's pretty scary that stuff like this happens (the correlation of people's behavior, not the purchase of teddy bears, that is).
        • Re: (Score:3, Informative)

          by Hoi Polloi (522990)

          Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it.


          Like when they spy on you in the airport for having a "bad" book [wired.com]?

      • by mrcparker (469158)
        I worked in health care for years, and it was easier to encrypt all emails rather than picking through the sensitive ones. I think that a lot of people are less concerned with the government and more concerned with non-government people reading their emails. I imagine that a lot of people that read Slashdot have to encrypt their email, either through company policy or legal concerns.
      • by quanticle (843097)

        Ah, yes. The old "I have nothing to hide, so I don't mind you violating my privacy argument". My response is that this assumes that the government is perfect, i.e. competent enough to interpret all information correctly, 100% of the time, without bias. I don't want to be placed on a no-fly list because of something inopportune I might have said to a friend.

      • by MightyYar (622222)
        Look at the silly things we all do that are illegal and would be used to pin us against the wall if someone in an authority position were so inclined. I'd have a hard time finding someone who has:
        • never used "pirated" software,
        • never smoked a joint,
        • never drank while under age,
        • never downloaded a "pirated" song (or for that matter made a mix tape)

        For an example of how the government can get completely out of control over absolutely nothing, look at those kids in Florida who were arrested for distributing kiddi

      • Re: (Score:3, Informative)

        by Cheesey (70139)
        It's a matter of principle. I say that you should have a right to privacy, and your privacy shouldn't be violated by anyone unless you give explicit permission. Encryption gives you the ability to hide information from the authorities, and forces them to go through a legal process in order to gain access to the information. They can't read your messages without your help. The decision of whether to help them or not is up to you.
    • You might want to look at SILC. It's not exactly instant messaging, although it can be used for IM. It meets the requirements you describe.
    • by Kr3m3Puff (413047) *
      Yes, but how do you address storage of private data? Because it isn't all about communicating securely.

      Saying you forgot the key, as someone mentioned, only gets you put in jail for perverting the course of justice.

      Truecrypt Hidden Volumes can possible give you plausible deniability. I guess that is the only way.
      • by Cheesey (70139)
        Indeed, that is another problem.

        I regard the keys to my encrypted filesystems as being secret, but I would still produce them if I was forced to do so by the UK police. So the layer of encryption doesn't provide security against the Government, but it does protect the data from thieves and tampering, and it forces officials to ask me for the keys if they want to see what's on the disk. I think that's about as good as things can get.
    • Re: (Score:3, Informative)

      by Jtheletter (686279)

      I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
      While I don't offhand know the encryption level or if it is susceptible to man-in-the-middle attacks I can tell you that the IM client GAIM has a plugin called OTR - Off The Record - that encrypts conversations. Googling for OTR + GAIM should get you the info you need.
  • Intended usage (Score:3, Insightful)

    by feed_me_cereal (452042) on Tuesday October 02, 2007 @09:18AM (#20822685)

    The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities


    That's right, I seem to recall that Rivest, Shamir, and Adleman wrote about providing protection for pedophiles and terrorists in the motivation section of their paper on RSA.
  • What if...? (Score:4, Interesting)

    by Opportunist (166417) on Tuesday October 02, 2007 @09:35AM (#20822905)
    What if I don't have the keys but only store the data (i.e. I'm a backup service provider who stores data for people he doesn't even know by name or anything but IP address, which is fleeting at best)? What if I simply cannot remember the keys or, in case of keydisk/keyfile systems, have lost either (or destroyed because the archives are old backups no longer needed)? What if I don't remember which version of which cypher program was used to encrypt the keys (I tend to have that problem, actually, with a few archives...)?

    I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?
  • by samjam (256347) on Tuesday October 02, 2007 @09:35AM (#20822909) Homepage Journal
    Have an off-shore cron job to revoke your keys if you don't touch them often enough.

    When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.

    The revocation is the trigger that you have been asked.

    Sam
    • Variant (Score:3, Interesting)

      by jbeaupre (752124)
      Keep your encryption keys offshore.

      You have the password to unencrypt your offshore keys. This password cannot be demanded of you (jurisdiction). But when you want to use your encryption keys, your application asks for the password, retrieves the key, and performs your data decryption (locally or remote?).

      Decidedly more trouble than it's worth, but an interesting thought exercise.
  • How to screw someone (Score:4, Interesting)

    by linuxwrangler (582055) on Tuesday October 02, 2007 @09:37AM (#20822943)
    1. Place files full of random data on their machines

    2. Tip off the authorities to their "terrorist plans"

    3. Watch them get five years for "refusing" to decrypt the "data"
  • ...when you pry it from my cold, dead, mouse hand.

  • Search warrants? (Score:3, Insightful)

    by osgeek (239988) on Tuesday October 02, 2007 @09:41AM (#20823007) Homepage Journal
    Does the UK have the concept of a search warrant?

    I know everyone gets their panties in a wad about the guvmint decrypting their data, but I'm somewhat okay with it if a court is involved in the issuance of a valid search warrant. It's not fundamentally different from the court-overseen right to come into your home and search the premises.

    You can't completely declaw the police or they'll be useless at any type of law enforcement.
  • Those aren't encrypted files. I just like to keep a few multi-gigabyte files of random data on my system at all times -- it's a fetish of mine.
  • by ribuck (943217) on Tuesday October 02, 2007 @09:52AM (#20823197) Homepage
    The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.
  • by Terje Mathisen (128806) on Tuesday October 02, 2007 @10:11AM (#20823479)
    This is in fact very easy to prove:

    If te maximum jail time for not divulging encryption keys is significantly less than the time for actually being convicted of terrorism, then it should be obvious that real terrorists would never divulge such encryption keys.

    No, this law, and others like it in other jurisdictions, are simply there to give the police one more reason to force regular citizens to hand over their keys.

    If you actually do have something to hide from the authorities, the best idea is probably to look into http://truecrypt.org/ [truecrypt.org] and the capability of having hidden encrypted volumes.

    When forced, either by legal threats or by rubber hose interrogation, you can then divulge the primary key. On the primary volume you should store potentially embarrassing, but not really critical information. This should be sufficient to show that you had reason to hide said info, but not enough to put you in jail for a long time.

    If you happen to be located in a place like Myanmar/Burma, then you should also use TrueCrypt, for exactly the same kind of reason.

    Terje
    "almost all programming can be viewed as an exercise in caching"
  • by Bender0x7D1 (536254) on Tuesday October 02, 2007 @10:32AM (#20823781)

    I was wondering how the court would rule if your password contained information that would incriminate you in a different crime.


    For example, if your password was: "my_murder_victim_is_buried_under_my_patio" or "I_embezzeled_20million_into_account_123456789", wouldn't revealing the password violate your right against self-incrimination (at least in the US)?

  • Provable deniability (Score:3, Interesting)

    by gweihir (88907) on Tuesday October 02, 2007 @11:45AM (#20824925)
    I use the followinf procedure to securely erase HDDs:

    1. Setup fil disk encryption with a random password (Linux dm-crypt)
    2. Overwrite mounted encrypted volume with random data (not cryptogtaphically strong)

    The result cannot be distinguished from an ordinary encrypted disk, and that can be mathematically demonstrated. Also there is no way I can prove there is really no data there. Again mathematically proovable that I cannot demonstrate this.

    May other secure deletion utilities produce results much like this, i.e. not distinguishable from encrypted files or whole disks.

    So, everybody that does secure deletion of this type now goes to prison? I don't think so. What I think is that it requires a conclusive explanation of this impossibility to get this law restricted to cases were the authorities first can proove the presence of encrypted data. This will be the cases where the users do not understand crypto. All eth others will szucessfully evade this exceedingly incompetent law.

Things equal to nothing else are equal to each other.

Working...