UK Government Can Demand You Hand Over Encryption Keys
Journal written by iminplaya (723125) and posted by
Zonk
on Tue Oct 02, 2007 09:06 AM
from the shh-don't-give-them-ideas dept.
from the shh-don't-give-them-ideas dept.
iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"
Related Stories
[+]
Politics: UK Voters Want To Vote Online 288 comments
InternetVoting writes "A recent UK research survey by NTL:Telewest Business found that nearly half of the younger respondents would be more likely to vote online. This year the UK government has authorized 13 local election pilots including Internet voting. ntl:Telewest Business estimates 10 million UK households have broadband and 4,789 local libraries offer public access. In the US political parties are beginning to test the Internet voting waters with the Michigan Democratic Party to offer Internet voting in their 2008 Presidential Caucus. There were some notable differences in generational interest: 'The YouGov poll of almost 2,300 people, carried out on behalf of NTL:Telewest's business unit, found that younger voters were even more positive about the idea of alternatives to the trusty ballot box. 57 per cent of 18-34 year olds liked the idea of evoting, but only a third of the over 55s were as keen.' Given security and privacy concerns in the states, how likely is this to appeal to US voters? "
[+]
UK Proposal To Restrict Internet Pornography Sparks Row 561 comments
An anonymous reader writes "The BBC reports on the row over proposals by the UK Government to criminalize possession of 'extreme' porn. The bill, published last week, would include the prohibition of fictional depictions of violence and images of acts between consenting adults. The law would also apply to screenshots taken from a legal film, if the screenshot was made for erotic purposes. The goal is to prevent disturbed individuals from accessing content online that would trigger violent behavior. From the article: 'Labour MP Martin Salter, who has worked closely ... in pushing the legislation, rejected the BDSM community's claims their civil liberties were being undermined. He said: "No-one is stopping people doing weird stuff to each other but they would be strongly advised not to put it on the internet. At the end of the day it is all too easy for this stuff to trigger an unbalanced mind."' The bill follows from plans initially announced last August."
[+]
UK Copyright Extension in Exchange for Censorship? 238 comments
Awel writes "The UK opposition leader, David Cameron, says in a speech to the British Phonographic Industry that his party would work to extend the copyright term to 70 years and crack down on piracy. But in return, labels would have to agree to bear more 'social responsibility', which appears to translate into avoiding lyrics that glorify 'an anti-learning culture, truancy, knifes, violence, guns, misogyny'. He doesn't spell out how this would be achieved in practice.
This follows the publication in December of a UK government report recommending that the standard copyright term in Europe remain at 50 years (and not be raised to 70 or 95 years)."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
hmm (Score:4, Funny)
Life without public key cryptography (Score:3, Interesting)
People forget that the U.S. Senate ca
Re:Life without public key cryptography (Score:4, Interesting)
From: Anonymous Stranger (someone@outsidetheuk.com)
To: Patsy (someone-else@inside.co.uk)
CC: Law Enforcement HQ (help@police.co.uk)
Subject: Confession
Dear Patsy,
I was just approached by an acquaintance who says he committed a crime for you. Not believing it, I asked for proof. He showed me this picture:
(insert photo of apparent crime in progress)
I was horribly disturbed when I saw this. Apparently, according to him, it's just a screenshot from a video of the crime and him talking about all of the details of it for you. When I asked why he felt safe keeping a video around, he said it's encrypted and that only you and he have the keys. I managed to swipe his USB memory stick, and sure enough, there's some big encrypted file on it. I'm attaching it below for you. Since the police will certainly be interested in what it shows, I'd advise that you hand over your encryption key to them immediately.
Zeitgeist says it is rich people wanting control. (Score:5, Insightful)
The issue, of course, is that systems are being put into place that can be used against citizens who protest. By using "terrorism" to create fear, those who want corruption and control are building systems that can be used to give them more control. Laws that required centuries to build are now being thrown away with as little awareness by citizens as can be designed.
The movie Zeitgeist explains it: The movie Zeitgeist (2007) [zeitgeistmovie.com] claims to explain it all, from an example of how people are controlled by myths, to how people who control government use fear to get more control, to why the U.S. government is pursuing a policy of hyper-inflation of the dollar now.
The movie is free and can be downloaded using a BitTorrent client, burned to a CD (a DVD is not necessary), and most modern DVD TV players will play it.
The Zeitgeist movie is very poor in some places, such as the opening sequences, and excellent in most places.
Don't expect emerging consciousness of very difficult subjects like those in the movie Zeitgeist to be free of error. The movie correctly says that "resurrection after 3 days" is part of many ancient myths, with an astrological background. However, the movie also speculates that Jesus Christ may never have existed. That is beside the point. In fact, whether Jesus Christ existed or not, many people in the world thought that his ideas and the ideas of his follower Paul of Tarsus were an improvement over what they had before. Even many people who do not claim to be part of a religion think that.
Those who want more information about how corrupters use fear can watch the free 3-Part BBC movie: The Power Of Nightmares: The Rise Of The Politics Of Fear (2004) [moviesfoundonline.com].
For those who don't know, and want to know what is happening and why, those movies are an excellent and entertaining way to start.
For people and their friends who invest in weapons and the manipulatable parts of the oil business, such as Cheney and the Bush family, controlling the government is how they make money and get more power. People from rich families often grow up believing that it is acceptable for them to kill people to get what they want. It is difficult, however, for the average person to believe that someone who already has a lot of money would kill others simply because he wants more money.
I am surprised at how much conflict of interest is allowed in the U.S. and U.K. governments. Why are weapons and oil investors like Cheney and Bush allowed to decide about starting wars in countries that have oil? (Afghanistan may not have oil, but oil investors want to build a pipeline through Afghanistan.)
Now the U.S. and U.K. governments are planning to start a war with Iran, another oil-rich country.
TrueCrypt has "plausible deniability. I wondered why TrueCrypt [truecrypt.org] encryption software has "plausible deniability". I guess that is why. We will soon all be needing it.
Re:Zeitgeist says it is rich people wanting contro (Score:4, Interesting)
If you have Truecrypt installed it just means you're going to rot in jail till you can either:
1) Convince the police that some random file you have that they are interested in is not encrypted.
2) Decrypt the file somehow (even if it wasn't encrypted in the first place
You'd be better off downloading some legal porn (or something similarly frowned on but legal) and encrypt sets of them (without truecrypt) and write down the keys somewhere so you never forget or lose it. Then if the Gov says "hand over the keys" you hand over the keys, rather than say "I have no keys".
A Gov like that is going to presume you're guilty of something.
Its very important that we all do this. (Score:3, Funny)
After all, if you've nothing to hide then whats the problem? I for one will be printing out all of my data in hardcopy to send to the government, as I am a PATRIOT.
After all - there was no terrorismisticals before the internet.
Re: (Score:3, Insightful)
"After all, if you've nothing to hide then whats the problem? "
The problem is that people who SHOULD be hiding things, don't - like the whales on the beach (both sexes) who squeeze into too-tiny bathing suits.
As for the encryption keys - "Gee, I forgo
Re:Its very important that we all do this. (Score:5, Funny)
Re: (Score:3, Insightful)
Six months in the county lock-up will do wonders for your memory - which is what thi smart-ass response to the judge will get you.
Re:Its very important that we all do this. (Score:4, Insightful)
Six months in the county lock-up will do wonders for your memory - which is what thi smart-ass response to the judge will get you.
I happen to have something on my drive right now which for the last half year or so I have been *trying* to remember the password. I would delete it but for the slim chance I might be able to remember the password some day, or that a relevant cracking program might eventually be developed.
Nazi fuckers like you and these UK government government deserve a chainsaw enema. Being "tough on crime" is a mental defect when you are blind/unphased about imprisoning innocent people in your Crusade.
Oh wait, I forgot. Anything which makes it more difficult to catch and convict criminals must itself be made criminal. The fact that anyone ever posesses anything encrypted means they must already be a criminal.
-
Re:Its very important that we all do this. (Score:5, Interesting)
This law was passed 7 years ago, and the home office has been quietly waiting for the original outrage to die down to see if they could get away with actually using the powers they were granted before 9/11 or 7/7. Of *course* they'll only use it against terrorists and pedophiles. Nothing to fear citizen, sleep soundly in your bed, safe in the knowledge we're only imprisoning bad men. After all, only bad men use encryption then forget the password...
Of course, if you're a pedophile you're far better off taking the 2 years for failure to hand over your encrypted data, than to take the potentially decades in jail if you have incriminating photos and a sex offender offence that might well get you killed there. I don't think it'll be too long before the maximum sentence gets raised to be in line with the worst crime you might be assumed to have committed and hiding via encryption...
This is simply false (Score:4, Informative)
Re:This is simply false (Score:4, Informative)
That's not actually true. Here're the relevant sections, with added emphasis:
The only precondition for issuing a notice is reasonable belief. The only condition necessary for an offence to occur is that the recipient of the notice didn't act on it, knew what he was required to do and knew he was not doing it. The only time it is required for the prosecution to prove beyond reasonable doubt that the defendant is in posession of the key is if the defendent has produced evidence that he is not.
I believe you are in posession of a key with fingerprint 33a08b9d1e07, because somebody sent you a message that was encrypted with that key, and they wouldn't do that if they didn't think you could read it (reasonable belief). You have been issued with a section 49 notice requiring you to either decrypt the message or surrender your key. You can't do this because you don't have the key, and have no idea who sent you the encrypted message. Can you provide any evidence that you don't have the key? Because if you can't, I'm not required to prove that you do have it.
Been like this for years (Score:5, Informative)
Re:Been like this for years (Score:5, Informative)
It had setup the system so that there could never be any confidence that ALL the encryption keys have been turned over.
Re:Been like this for years (Score:4, Insightful)
Re: (Score:3, Informative)
I use a somewhat secure method to protect my personal data. Its a thing I like to call 'burning to dvd and not keeping it on my pc'.
Yes I know dvd's can be stol
Re:Been like this for years (Score:5, Interesting)
Re: (Score:3, Informative)
The legislation was passed in 2000, yes. However the l
Re:Been like this for years (Score:4, Informative)
Not exactly news (Score:5, Interesting)
Hand the keys over (Score:4, Interesting)
Are we surprised that digital keys have the same requirement?
And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.
Re:Hand the keys over (Score:5, Insightful)
Re:Hand the keys over (Score:5, Insightful)
But...
Unfortunately, as soon as computer technology is involved, even some otherwise highly intelligent people instinctively turn off their brain and may be convinced that the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.
Re: (Score:3, Informative)
Are we surprised that digital keys have the same requirement?
The requirement is not the same. If a judge
Three Words (Score:5, Insightful)
This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.
Re: (Score:3, Funny)
So, lemme get this straight... (Score:5, Insightful)
a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")
or
b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.
That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?
Solution? (Score:5, Insightful)
Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.
I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?
Re: (Score:3, Insightful)
Not very well informed either.
Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choos
Re: (Score:3, Informative)
Like when they spy on you in the airport for having a "bad" book [wired.com]?
Intended usage (Score:3, Insightful)
That's right, I seem to recall that Rivest, Shamir, and Adleman wrote about providing protection for pedophiles and terrorists in the motivation section of their paper on RSA.
What if...? (Score:4, Interesting)
I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?
Dead-mans handle saves (Score:4, Interesting)
When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.
The revocation is the trigger that you have been asked.
Sam
Variant (Score:3, Interesting)
You have the password to unencrypt your offshore keys. This password cannot be demanded of you (jurisdiction). But when you want to use your encryption keys, your application asks for the password, retrieves the key, an
How to screw someone (Score:4, Interesting)
2. Tip off the authorities to their "terrorist plans"
3. Watch them get five years for "refusing" to decrypt the "data"
Search warrants? (Score:3, Insightful)
I know everyone gets their panties in a wad about the guvmint decrypting their data, but I'm somewhat okay with it if a court is involved in the issuance of a valid search warrant. It's not fundamentally different from the court-overseen right to come into your home and search the premises.
You can't completely declaw the police or they'll be useless at any type of law enforcement.
The really evil part (Score:5, Insightful)
This law is NOT directed against terrorists (Score:3, Insightful)
If te maximum jail time for not divulging encryption keys is significantly less than the time for actually being convicted of terrorism, then it should be obvious that real terrorists would never divulge such encryption keys.
No, this law, and others like it in other jurisdictions, are simply there to give the police one more reason to force regular citizens to hand over their keys.
If you actually do have something to hide from the authorities, the best idea is probably to look into http://truecrypt.org/ [truecrypt.org] and the capability of having hidden encrypted volumes.
When forced, either by legal threats or by rubber hose interrogation, you can then divulge the primary key. On the primary volume you should store potentially embarrassing, but not really critical information. This should be sufficient to show that you had reason to hide said info, but not enough to put you in jail for a long time.
If you happen to be located in a place like Myanmar/Burma, then you should also use TrueCrypt, for exactly the same kind of reason.
Terje
"almost all programming can be viewed as an exercise in caching"
What if your password incriminates yourself? (Score:5, Interesting)
I was wondering how the court would rule if your password contained information that would incriminate you in a different crime.
For example, if your password was: "my_murder_victim_is_buried_under_my_patio" or "I_embezzeled_20million_into_account_123456789", wouldn't revealing the password violate your right against self-incrimination (at least in the US)?
Re:hidden volumes (Score:5, Informative)
This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.
Re: (Score:3, Insightful)
1) They violate your rights against self incrimination. Per the US constitution, I cannot be compelled to testify or offer evidence against myself. What this law says is that I MUST testify against myself
Re:Old News (Score:5, Insightful)
Since part of the law prohibits telling anyone that you have had to hand over the keys, how can you be sure about that ?
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Remember, you should assume your adversary is fully conversant with every aspect of your encryption system except the key. Any "secret process" it rel
Re:Truecrypt (Score:5, Insightful)
The point is not that they don't know it is possible. The point is that it cannot be proven that there is a second encrypted volume within the first one.
This makes it plausible to deny that it exist at all. If store some sensitive information in the outer volume, like some very embarrassing but not illegal pornography you can make a claim that this was the sole purpose of the outer Truecrypt volume. The law enforcement agency will have a hard time getting a judge to order you hand over keys to a hidden volume they cannot prove exist.
Hidden volumes in Truecrypt got nothing at all to do with "security through obscurity", it's all about "plausible deniability". You can ask your friend in the police about that, if he has any experience with the security community at all he should be very well acquainted with this term.
Of course, if you admit or in other ways make it provable that there exist an inner volume then all bets are off
This will probably work in societies like USA and UK where the police have to follow certain procedures. In countries like Burma or China where they will just torture you until you confesses or dies, I'm not so sure about the value of this scheme.
Re: (Score:3, Insightful)
The problem is "Freedom" is a very abstract concept that can be easily twisted to mean both opposites. Speeches by infamous dictators
Re: (Score:3, Informative)