British Police Demand Access To Encryption Keys

Posted by Zonk on Fri Jul 22, 2005 01:14 PM
from the among-other-things dept.
flip-flop writes "In the wake of recent terrorist attacks, police here in the UK have asked for sweeping new powers they claim will help them counter the threat. Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files." From the article: "The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Innocent until proven guilty. Although that statement is ignored just as often in the US as it is in England, laws that we pass try to at least give the impression that we respect it. So, here is how things go if this passes...

    GoodGuy has a friend who is in some domestic trouble and is hiding some of his assets in off-shore accounts. He keeps his friend's account information in an encrypted folder on his computer because his friend doesn't want to lose it and trusts him.

    EvilAgentMan thinks GoodGuy is a terrorist planning on taking over the world, due to his recent purchase of a salt water aquarium, baby sharks, laser pointers and duct tape. He charges GoodGuy as being an EvilDoer(TM) and puts him in jail. While looking for evidence, he notices an encrypted folder on GoodGuy's computer. He tells GoodGuy that he must hand over his encryption keys or be charged with the crime of not handing over his encryption keys. He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend. ...Time to get pricing on high speed internet access on the moon I guess. This planet's done for.
    • Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

      Are the police really going to believe "I don't have it, they're not my files"?
      • Worse than that, what happens if your friend is storing the encrypted information on your PC and you *don't have* the decryption key?

        Then you'll be found to be aiding and abetting.

        If you're holding data for someone that you don't know what it is or how to decrypt it, you will be perceived as an accomplice. Or, just summarily assumed to be the original source of the data and just recalcitrant.

        Interesting to see would be if you can have your lawyer hold onto these things and have them covered under privilege.

        It's scary that in so-called free societies it can become a crime to keep (possibly legal and innocuous) secrets from the government.
        • by afidel (530433) on Friday July 22 2005, @01:50PM (#13137780)
          You just gave me a truly evil idea. Make a worm which copies and randomly encrypts files from the infected computer, then email a copy of the encrypted file along with a copy of the worm to random people in the address book. Would make life hell for sigint people and just might give someone plausible deniability against this type of idiotic law.
      • by dheltzel (558802) on Friday July 22 2005, @01:54PM (#13137821)
        Or what if the encrypted data was put there by a virus or some other source?

        If you really want to hide something under the new rules, encrypt it and store it on a network of zombie computers, or a p2p network. That will cause real problems for others, but you'll never have possession to be charged with not providing the keys.

        Or, just compromise your enemy's computer and store some encrypted files there and then turn them in as a concerned citizen. Even if they manage to get acquitted, the implied guilt during the process will destroy their lives. It's sort of scary if they're gonna assume you are the one who did the encryption simply because you possess the file.

    • by ScentCone (795499) on Friday July 22 2005, @01:33PM (#13137575)
      He must decide on going to jail for something he is completely innocent of, or releasing potentially incriminating evidence on his friend

      Because there's no friend like a friend who talks you into criminal complicity, I always say. I mean, what are friends for, if not to help you launder money or hide assets? And what ever happened to the bad guys just writing down the key, laminating, and burying it in a coffee can three paces south of the big oak tree on old man Smith's back forty? You know, where you used to go and smoke pot and dream of the days when you'd have enough ill-gotten assets to have to hide them from the court? Ah, those were the days.

      Incidentally, what would you have the cops do while they're sitting there looking at the hard drive from a guy they just arrested, who yesterday was having some trouble blowing himself up? Ask him ever so nicely? OK, so he was willing to die in order to kill you and your kids, so he's probably not going to be big on cooperating, but the owner of the cyber cafe where he often runs chats with his equally inept fellow bombers - is it worth being able to crack his encrypted leavings so that maybe we can stop his buddies from smearing more innocent people all over the inside of a tunnel? You are aware that actual people are actually spending their days actually thinking up and acting on ways to kill people that run yogurt stores, work at rehab clinics, build web servers, teach grade school, and have families that depend on them... right? This isn't a game, it's actually happening. And as the prime minister of Australia put it so eloquently yesterday, we're using 19th century approaches to dealing with bad guys happy to use 21st century technologies (um, even as these twits condemn modernity - always a telling little bit of confusion on their part).
  • by bigwavejas (678602) * on Friday July 22 2005, @01:15PM (#13137324) Journal
    Sure, you can have my encryption key. Here it is:
    01100110 01110101 01100011 01101011 00100000 01101111 01100110 01100110
  • Encryption Keys? (Score:5, Informative)

    by Taevin (850923) * on Friday July 22 2005, @01:17PM (#13137358)
    Fortunately we have things like StegFS [cam.ac.uk]. But I really shouldn't be disclosing such information, some people in the govA*$%#)D$@#$NO CARRIER
    • Re:Encryption Keys? (Score:5, Interesting)

      by nkh (750837) <nkh@@@interlol...net> on Friday July 22 2005, @01:30PM (#13137530) Homepage Journal
      I don't know where I've read this (/.?) but the problem with "onion layers" steganography is when they torture you: How do they know you gave them ALL the passwords? Maybe there is "just one more" that will reveal everything? The torture never ends if they know there are multiple layers. (yes, I'm paranoid but I wouldn't like this to happen to me)
  • Already an offense? (Score:5, Informative)

    by moderators_are_w*nke (571920) on Friday July 22 2005, @01:19PM (#13137385) Homepage Journal
    I was pretty sure that the regulation of investigatory powers act (1998?) already made it an offense to refuse to disclose an encryption key?
  • by dd (15470) * on Friday July 22 2005, @01:20PM (#13137389) Homepage
    The real measure of a free, open and just society is how it behaves in bad times - not in good times. When difficulties arise and the authorities want sweeping powers to 'protect' the citizens, should the citizens give up important civil liberties for what is probably just an illusion of safety? When are you ever safe enough in these times? Maybe the citizens should stop and ask themselves how much they really value their civil liberties - just how far should you go? Maybe the citizens should not crow too loudly about how free, open and just their society is when they look back at how their country has behaved in difficult times.
  • Among these is making it a criminal offense for people to refuse disclosing their encryption keys when the police want to access someone's files.

    I'm not familiar with British law, but I do know American law is based on the same doctrines as the British (from a historical perspective at least).

    In the U.S. the court can order you to provide encryption keys and if you do not you will be held in contempt of the court [wikipedia.org]. This usually means the judge puts you in jail until you decide to provide the keys. To me (IANAL) it seems like the above just formalises the practice. Via the wikipedia reference it appears as though the U.S. did this in 1981.

    Being held in contempt of the court is a very normal tool for judges to use with uncooperative court subjects, cryptographic keys aren't special or different.
  • DeCSS (Score:5, Funny)

    by Henry V .009 (518000) on Friday July 22 2005, @01:22PM (#13137423) Journal
    I use CSS encryption for all my privacy needs. I'm sorry, but I'm afraid that it would be illegal for me to provide you the software code that breaks it.
  • by Slightly Askew (638918) on Friday July 22 2005, @01:22PM (#13137430) Journal
    Uniting the Kingdom by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
  • by westcoaster004 (893514) on Friday July 22 2005, @01:23PM (#13137441)
    What is the difference between the right to prevent self-incrimination (i.e. the right to silence) and the right to not say your password?

    In England and Wales, "a defendant cannot be convicted solely due to their silence [wikipedia.org]" yet this is saying precisely the opposite.
  • by Albanach (527650) on Friday July 22 2005, @01:23PM (#13137449) Homepage
    I'm not sure why they would demand the right to access encryption keys when they already appear to have the power through Section III of the Regulation of Investigatory Powers Act Link here [homeoffice.gov.uk].

  • by Sneftel (15416) on Friday July 22 2005, @01:29PM (#13137528)
    The most controversial of the police proposals is the demand to be able to hold without charge a terrorist suspect for three months instead of 14 days. An Acpo spokesman said the complexity and scale of counter-terrorist operations means the 14-day maximum is often insufficient. "The complexities and timescales surrounding forensic examination of [crime] scenes merely add to the burden and immense time pressures on investigating officers," he said. Three-month periods would help to ensure the charge could be sustained in court.
    Wow. "Civil liberties are a pain in the arse for us to respect... so could we get rid of them?" In my opinion, the only humane way to look at the rights of the accused is to look at a rhetorical someone who has been wrongly accused. How would Mr. Jones feel about being imprisoned for three months so that police could take their sweet time figuring out what, if anything, to charge him with?
  • by SpecBear (769433) on Friday July 22 2005, @01:44PM (#13137697)
    1. Wait for Annoying Coworker (AC) to leave desk
    2. Place encrypted file PlansToBlowUpParliament.zip on AC's computer.
    3. Report AC to authorities.
    4. Authorities ask AC for password, but of course he can't give it.
    5. Authorities can't verify the contents of the file, so they can't charge him with a crime. Without revealing the contents of the file, AC can't prove his innocence. AC rots in jail for three months without charges filed against him.
    6. AC loses his job while imprisoned, you loot his cubicle for snacks.
    7. Profit!

    For bonus points, see if you can get the file onto the hard drive of some politician you hate.
  • by linuxwrangler (582055) on Friday July 22 2005, @02:02PM (#13137921)
    Obviously what is needed is a method for dual encrypted files. Basically an encryption/steganography combo. When unencrypted with the 'fake' key, you just get whatever text you encrypted with that key - something uninteresting like expired credit card numbers or letters to grandma and it looks like you have complied with the order. Meanwhile the real key unlocks the data you want to keep secret.

    Naturally the algorithms would require that it would be undetectable that this is what you have done.

    Some alarm systems have something similar. When you open the business you use the real code. When the robber forces you to open up at gunpoint you use the fake code. The alarm does turn off as expected but it also calls the police with an "under duress" alarm.
    • by symbolic (11752) on Friday July 22 2005, @01:25PM (#13137473)

      They want encryption keys, but I dare say that not ONE of the investigators (or government officials) can point to a single connection between the recent stuff in London and encrypted information. They keep demanding solutions to problems that don't exist - that's why this stuff keeps happening. If they'd try to solve the problems that DO exist, they might get somewhere - WITHOUT becoming a police state.
      • LOL! That's cute (Score:5, Interesting)

        by doublem (118724) on Friday July 22 2005, @01:58PM (#13137872) Homepage Journal
        I'm going to let you in on a deep, dark, dirty secret. They aren't really trying to solve the problem. Terrorism is a boon to the US and UK governments, because it gives them an excuse to push the respective nations closer to a police state.

        A police state is not a consequence of misguided attempts at preventing terrorism, but is instead an end being achieved under the cover of fighting terrorism.

        Remember, Terrorism is an end to a means for the terrorists, and the governments "fighting" it.

        Think the war in Iraq was about Sept 11 or WMD? Think again. It was because defense contractors have well placed connections. For corporations, your life is only worth what they can get out of it. If they can sell military ordnance by getting your children killed in Iraq, so be it. Their gods are money and power, not the ones your Priest, Rabbi, Cleric, Circle Leader or anything else are telling you about. If you think I'm being paranoid, just look up corporate environmental management. Hell, just look up what Coca-Cola is doing in India.

        Human life is just another natural resource for corporations. Nothing more.
      • Re:pfft (Score:5, Insightful)

        by Albanach (527650) on Friday July 22 2005, @01:36PM (#13137612) Homepage
        not even NSA can decrypt them.

        And how exactly would you know this?

        From the PGP FAQ:

        Q: Can the NSA crack PGP (or RSA, DSS, IDEA, 3DES,...)?

        A: This question has been asked many times. If the NSA were able to crack RSA or any of the other well known cryptographic algorithms, you would probably never hear about it from them. Now that RSA and the other algorithms are very widely used, it would be a very closely guarded secret.

        The best defense against this is the fact the algorithms are known worldwide. There are many competent mathematicians and cryptographers outside the NSA and there is much research being done in the field right now. If any of them were to discover a hole in one of the algorithms, I'm sure that we would hear about it from them via a paper in one of the cryptography conferences.

        For this reason, when you read messages saying that "someone told them" that the NSA is able to break PGP, take it with a grain of salt and ask for some documentation on exactly where the information is coming from. In particular, the story called NSA Can Break PGP Encryption is a joke.

        Sure it is unlikely, but unless you have some way of proving what you say, it would be unwise to believe that no one can / will in the near future be able to crack or intercept your encrypted messages.