Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Security Your Rights Online

UK Decryption Law Pushed Through 312

Joel Rowbottom writes, "After all the lobbying and protests from the 'Net community over the past year, the UK government has still published The Regulation of Investigatory Powers Bill. If this becomes law then you could be sent to prison if your data is encrypted and you refuse to either supply the key, or the plaintext versions. If you're in the UK and you haven't done so yet, write to your MP and let them know your feelings on the subject! "
This discussion has been archived. No new comments can be posted.

UK Decryption Law Pushed Through

Comments Filter:
  • Stenographic cryptography.
  • Could I encrypt the encryption key before supplying it to them?

    kwsNI
  • Just keep a standard boilerplate business text around and whenever they want a "key or the plain text", just give them the standard boilerplate text and say that you have lost the key.
  • STAND [stand.org.uk] has been campaigning against this for a while now.
  • I think that once this gets to the types of folks who have everything to hide (IE, the people who would sign this into law) it would be killed.

    Not that you shouldnt go right now and complain to someone about this. You should!


    They are a threat to free speech and must be silenced! - Andrea Chen
  • If this becomes law then you could be sent to prison if your data is encrypted and you refuse to either supply the key, or the plaintext versions.

    I guess if I knew a lot about encryption, I'd know the answer to this, but is there any way to verify that the plaintext version you supplied matches what's been encrypted? Certainly if this law were algorithm agnostic, then there would be no way to verify this.. (just say "I used a one-time pad, which I will not supply. Instead I will provide you with a plaintext version of it.") That seems to me to remove all of the teeth from this otherwise god-awful law.. am I mistaken?
  • Now is the time for everyone in U.K. to brush up on Steganography.
    ---
  • I'm a US citizen, (and unaware of UK laws) but if a warrant is issued, isn't it normally standard procedure that if the person refuses to be searched, they'll be jailed? I'm not supporting people unlawfully rummaging through my data, but isn't this just an extention of an already existing law?
  • Very little on the upside of these issues lately, it's really depressing. What's worse is that the mainstream folks don't really care because they think it doesn't affect them.

    Let's add this to our list of sad things:

    • RIAA/MP3 circus
    • DVDCSS/DeCSS/MPAA circus
    • D.O.S. attacks
    • Internet filtering software
    I'm very sad.
    ----------
  • Haha that's great...How much time did you spend writing that?
  • That's an interesting idea. Have two passwords. One that will decrypt the real data and the next will decrypt random preselected harmless junk. When the papers are served, watch them not able to find those family secret cooking recepies.
  • First off, don't use a computer. Politicians get piles and piles of mass-produced letters and a hand-written letter, which cannot be mass-produced in this way, is litterally worth hundreds of print-outs. So blow the dust off your pen, and get scrawling as neatly as you can (unless you've forgotten how).

    Secondly, be forceful. State specifically that you are 'very seriously concerned' or words to that effect. The people who vet what the MP actually reads generally throw the more wishy-washy fare straight in the bin.

    Thirdly, write a reasonable amount - not too long, or it will be judged as a waste of time, but not too short or they won't take you seriously.

    Fourthly, focus on one specific area. Don't above all express a general grievance with the MP's or his party's policy, just make it absolutely clear what you're trying to say.

    Fifth, if you know of any good references on the subject (preferably not net-based) stick them in - the MP is unlikely to look them up, but they will make you sound like you know what you're talking about.

    I know this seems really obvious, but you wouldn't believe how many people just print off half-thought out letters which could never, ever, get through the system.

  • I wouln't wan't to suggest that this Labour government is of double standards but does anybody remember their fully disclosure policy; the one that said we could find out *anything* we wanted to about the government. That didn't last long, "You can see everything and anything....er....except for that"

    But now, lo and behold! We can now go to jail for keeping our own confidentiallity.

    WELL, HERES A WAY AROUND THIS NEW LAW

    Simply claim when you are quizzed about an 'encrypted' file, that the file is in its native data format and has no other format: as far as I can see that should stand up all the way in court and would make quite a nice test case.

    BTW what is the official European view on encryption (does anyone know?)
  • If steganography gains too much public knowledge, what will happen is as follows:

    A nice, friendly policeman comes over to your house, points at any image you have on your hard drive, and say that you should give the encryption keys to decode the steganographic information in that file.

    If you don't have any steganographic data in your random data file, then you'll basically be screwed, and thrown to jail for not providing the decrypting keys. Hooray.

    In the end, moving over to steganography will not - in the long run - help the situation. However, the above scenario might well be used as a weapon against the law itself. I don't think anybody wants to give the power to throw anybody who owns a computer to jail at a whim over to your government...
  • If you've not seen it, check out stand.org.uk [stand.org.uk], they have a whole site on this issue, with the arguments very clearly explained.
  • Combination safes can be blown open, sawed through or otherwise broken into. Strong encryption takes a lot of compute power which quite simply isn't available.

    In any case, the problem is more that it is a crime to hold encrypted data and not handing over the decryption key even if you never had the key!. That is why the bill is ill thought out.
    --

  • I know jack about UK laws too, despite being born and living there until I got wise and got to the Netherlands.

    But in my personal experience if you refuse to be searched you are arrested, taken to a station and forcibly searched, then they dont find anything, and you're told to piss off and not given an apology. At which point I finally stopped polightly saying 'No' and told the policemen what I though of them. At which point I was officially cautioned for 'offensive behaviour'! I did make them aware of their double standards in this respect.

    Not that I'm bitter or anything.


    EZ
    -'Press Ctrl-Alt-Del to log in..'
  • /* Disclaimer anything said in the below post is something that I personally believe and as such may offend persons who have vested interests in the concept of cryptography. If this offends you realize that it is indeed a valid opinion */

    I would think that in fact the average person has no use for cryptography in their daily lives. I don't mostly because I really don't know anyone and have never had the need to use communications media to interact with individuals in a private way. Generally I think that if I have a choice between using cryptography or going to prison I will choice to not use it.

    The ultimate question is why would anyone really care about you so much that you need encrypted data anyway? If you are being monitered that closely you should run far, far away and never return.

    Cryptography is only useful if you happen to be a spy or have an actual internet connection (ie the use of pgp to sign, encrypt, or both messages with it). Most data that you have is not really that interesting.

  • Time to doubly-encrypt things, I think. Then the real message underneath... is also meaningless! Seriously, the threats to e-commerce in the UK are extremely high; if I can't trust someone's web server because the government will require them to decrypt stuff, it's just as bad as everything having a hidden backdoor key in it too. Everyone in the UK should sign up with Stand [stand.org.uk] and send a letter to their MP immediately, IMNSHO.
  • by Anonymous Coward
    Is not it against human rights [un.org]?
    Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation Everyone has the right to the protection of the law against such interference or attacks.
  • Doesn't this conflict with the Human Rights? I would treat my encrypted data the same as the right not to answer questions (although looking at thier anti-terrorist laws that didn't stop them removing the right to silence and juryed trials.)
  • This issue could get tricky. If the authorities have a warrant to search your premises I dont believe you have an obligation to "assit" as in give them a tour of your computer files and such. If the police are searching your home and ask where such and such is. You dont have to tell them. They can just ignore it and the police have to go about looking for it (of course now you have pissed off the police and they'll make the search/seizure all the more unpleasant for you).

    You also might have 5th amendment issues here. You can not be forced to incriminate yourself.

    I wouldnt be suprised if congress tried and passed a law like this in the US. But I would think that the ACLU would have not to hard of a time taking this to the supreme court and challening it. Anyway it sounds like a minefield for the lawyers and legislators to traverse. No doubt some will get their legs blown off in the process.
  • How is this different from any legislation, for example, currently in the U.S. which mandates individuals are required to provide information to the court on demand?

    If you're a journalist who refuses to give up the name of your source in a critical case, you can also be thrown in jail for contempt of court. Whether the secret is a name in your head or an encrypted piece of information, it's still information the court is requesting in order to determine a verdict.

    I like the idea of using encryption to protect my privacy as much as anyone else, but at some point we have to expect that our own legal system should force the provision of information.

    From what I understand, the real problem with this law is the safeguard, that the burden of proof of not having the decryption key remains on the defendant. That's a problem clearly because an individual is presumed guilty until proven innocent. How many times have our leaders said that they couldn't remember key information? It is up to the courts, again, to prove whether or not an individual is withholding information necessary to the legal process.

  • Of course. But you'd have to give them the decryption key for the encryption key...
  • I realise that we're all supposed to hate this and rally against it, but I'm not going to. I *do* have reservations, but it's not a bad balance.

    Against is that the powers could be abused, but then you can abuse just about any law that involves raiding peoples property or possessions. It does happen, but not very often. (Or at least you don't hear about it very often. That's another story.)

    In its favour, it doesn't try to outlaw the technology, the legitimate use or development of it. And it's not escrow. If it's implemented like a warrant, the police already need some evidence against you before they're allowed to go ahead.

    It sounds like a reasonable compromise to me.
  • by Ralph Bearpark ( 2819 ) on Thursday February 10, 2000 @05:47AM (#1288616) Homepage
    Heard on the news yesterday the the Scottish courts have rendered the law on speed cameras obsolete (in Scotland anyhow).

    AFAIR the argument went as follows: If your car gets caught on a speed camera the UK law requires the owner to identify the driver at the time so that the fine/license points can be levied at the appropriate person. If you refuse then the owner gets the punishment.

    However, the Scottish courts (which are independent of the rest of the UK legal system) have noticed that the European laws say that no-one is obliged to incriminate themselves - it's the responsibility of the accusers to gather enough evidence to find them guilty.

    Thus, in Scotland at least, if you get snapped by a speed camera, then the right defence is to not to deny you were the driver but simply to refuse to incriminate yourself. Then under Euro law they have no right to fine you.

    Now this has to also apply to this data encryption business doesn't it? Just tell you refuse to incriminate yourself (by giving them the key) then they'll have to try and crack it themselves, not just punish you anyhow.

    (I guess this is equivalent of "pleading the 5th" in US?)

    Regards, Ralph.
  • by Anonymous Coward
    How about this... Mr X has files on his PC which are really just corrupted junk, maybe left over from a filesystem recovery, but that the police are convinced are encrypted illegal pictures. He can't hand over the key - there isn't one. He then gets found guilty of whatever the police suspect the file to be. It's like some bad Orwellian parody, only for real...

    floorten.com

  • Store your data on DVD's. Encrypted with the MPA keys. And lose them regularly.
  • ... the UCITA bill being pushed through in s state near you!

  • --Smart A$$ mode on--

    Okay, Mr. UK policeperson, I'd like to give you the keys to this information which I have conveniently burned onto this here handy dandy DVD and which I conveniently encoded using the same codes which allow it to play only on my licensed DVD player. But I can't because the MPAA has this thing that says that if I turn over the key, I'll be sued. And since I'm a US citizen, I'd be in violation of the DCMA if we used the DeCSS source code to let you look at it.

    Sigh...

    --Smart A$$ mode off--

  • Actually you are really on to something there. Sort of like a sig, have a couple of paragraphs or however much you want appended under a "second key" to everything you encript. I can see it now.

    Govt Rep.:Mr. L33t H4x0r decrypt these files or you will go to prison!
    L33t H4x0r: OK

    Mr. L33t H4x0r runs key number two and out pours the text to the last opensource man and natalie portman saga.

  • What is more concerning is that data that other companies hold about you, and keep encrypted for your own privacy (and under the Data Protection Act) would be in effect forced to disclose your personal information to the authorities.

    I'm concerned over the implications and contradictions with the DPA. Could anyone with more knowledge of British law throw any light on the subject.
  • Writing your MP is not like writing your US Congressman. In the US, Congressmen are indepdenent entities who can vote their conscience. In the UK, MP's are facless minions of their party, who would probably get themselves expelled from it and ostracized if they voted against their party leader. In a parliamentary country like the UK, control of the government is totally dependent on maintaining a majority in parliament, thus party discipline tends to be very strong.
  • this is an illegal item of information and has been used to plan and commit a range of crimes:

    -----BEGIN PGP MESSAGE-----
    Version: PGPfreeware 6.0.2i

    qANQR1DBwU4DPy7LL9KP0KEQCACdkb1OXbizR+pJ9frwI9Z7 cNjIgG2OpDtOBDZn
    eMG/uNIJQe+C0By+WNSqBHnMnTCD0aFgZQR6UMo/qzF+EtHj Flq8LxwzCCblHTs1
    Vu9bFlg5usmPFh2v409hiFwxJNDTVEw5AjMj/gnNSi+Rt5uy f1lKshnva7und+Az
    WfePdqcqVlGANn7EjnpEzGKAr2cW58IBFTEJQOusu88MYIuB jLBsGZ7sqz7rY6Ib
    BxoRHIpD255CTNK0jWGZ9Lx0O6dWv0qDs04SnUkUoFjMED2N FzcsSbzEocdTI6hp
    nCGviqTQ3n3RHMqZbtaYdP0hAs04h+rfaokDGGoESGYLMM2U CADg05wgyiY2jOxZ
    WKN+4smT0Yp2W5z01BeXPfWPKGQi56FaskcWXcJQeFeST5y9 h0oviJuDcsFT3q3W
    3h3kT648MLUE9qbhOYTTsHMcYIpQivItQkz/YQ5Hy2gcxNG7 DbhKPu6hiNHhbCu4
    YSWaeYkn8J6aY16k75jICZ6vbaFT9a5Y8zzdZZE5sDyDGudo +sS0AaspPWYTF2qw
    EmZmhAqmLMIMhuD1BAK+ZD1IvGhpB1LLC7ABmX6U+3PATvOZ VKj3SJd//tCHqVIU
    cro2MUnhipXmLuP0Lf40uyQR2gKl1Zz/cOos/k26dxTJb4y9 zlSgsVSVdH4xZSEN
    Q1kaKsgLycAHHwD2cM/dmadx2hmbxlQV6dcZJsmvM2jK0ikN WyBa6Vh6Y6GhQBT9
    wZi+U5I/DSIwNLCcKjnXAfHKRfyXsF7KswtkZ3UH/0/murBi 5qCkpoqKd4iABNbl
    /rOWSiiGYilGnyzqIiA0VjNLI7Atbj+1xSw/Cug9S9yTo2I7 grnm4nIHBOJ4gtIx
    m2oaOgVrwajLR2X0K14lSAmcMyE9GWNisUFI4aJ5Cs4HrTHU IwdZr/mGFH/bQHMf
    kLpUHsBpGoJFPcqvH10J6g==
    =bJG/
    -----END PGP MESSAGE-----

    On a more serious note, this is highly annoying and opens the way for law enforcement authorities to make up evidence. If you don't want to give them a key then you give them free reign to make up a XOR key of their choice.

    Coupled with the recent changes in the right to jury trial, I almost begin to wish I lived in a country where I had an inalienable right to be shot by all and sundry.

    On a random historical note though, Mary Queen of Scots was caught and sucessfully tried for treason by Queen Elizabeth I after one of her advisors was able to break the simple substitution cypher she was using to communicate with her coconspirators on the continent. This sort of thing is clearly not new, but now moves into a different sphere of influence, you and me (or just me, if you live in an enlightened country).
  • Your question (and opinions) have been responded to on approximately 4,392 occassions here on Slashdot. You should search the archives where you will find a plethora of intelligent responses that rationally explain why you are wrong. That's not to say that I don't understand where you're coming from or from where your doubts stem as I much felt the same way as you did until I took the initiative to educate myself (rather than waiting for people to educate me).

    I will simply point you to the recent story, Northwest Searches Employees' Home Computers [slashdot.org] and see if you can extrapolate why this particular case might be relevant even though it only points out one specific utility for encryption among average folks.

  • Also a US citizen type, so know my comment doesn't apply to UK which doesn't have a Constitution with 4th and 5th amendments. And also a non-lawyer, so take that comment as you will.

    The UK proposal seems so totally screwed. What happens if someone sends a person (like an MP?) encrypted mail that he's NEVER had a key to decrypt. Does that mean unless he can PROVE he never had a key to decrypt email, he can go to jail if he fails to turn over something he never had and has no way of proving? How in hell is one suppossed to prove THAT?
  • Simply claim when you are quizzed about an 'encrypted' file, that the file is in its native data format and has no other format:

    Good point. Stick a JPEG or ELF header at the top, and hey, that may look like a PGP header buried in the code, but it's just a coincedence. After all, encrypted data and unencrypted data all look the same in hex.
  • Create a program that appends 10k of completely random data to a file. Run that program on as many files in your system as you can. (Can this be done on an executable? I don't know enough about the ELF and a.out formats to know. I'd imagine this wouldn't make a difference.)

    Any encrypted data can then be appended in 10k chunks to a file or two of your choice.

    Retain the program that appends the random data. If anyone demands you decrypt some of the encrypted information appended to these files, just say "there is no encrypted data. I appended random info to these files to annoy people like you". (Which, AFAIK, is not illegal.)

    Wouldn't they then have to prove that you actually had encrypted data? ("Innocent until proven guilty", at least in the states.)
  • just say "I used a one-time pad, which I will not supply. Instead I will provide you with a plaintext version of it.") That seems to me to remove all of the teeth from this otherwise god-awful law.. am I mistaken?

    That might work, but somehow I doubt that practice would be trusted for long. It would be obvious that people would practice this, and of course it would be illegal too.

    The idea I have is two-fold: one, popularize the use of encryption such that everyone's using it. At this point, if enough people refused to comply, then the authorities would have a promlem on their hands. The second portion is more insidious: if a great number of people had possession of encrypted data that belonged to other people (and thus have no keys), had a lot of data that was just garbage (and looks like it could be encrypted), and also kept great amounts of encrypted garbage (i.e. cat /dev/urandom | xor 19q8 > /someplace/file) then there would be no way of verifying whether any data was real or not.

    The problem with this is that it all requires mass-participation, which can be difficult to orchestrate with the majority -- those who need it the most. Sigh.
    ---
  • In principle I agree. If you are doing nothing wrong, then you shouldn't have anything to worry about. It is necessary for the authorities to have access to certain things when investigating crimes.

    However, I too wish to maintain my privacy and feel any law like this has to be carefully considered. The original article mentions the case of paedophiles. It would be very easy for them to disguise what they are doing using encryption. Without material evidence, someone like this could get off. That would be unfortunate.

    I would prefer to see this law enacted with very strict rules about how it is applied. i.e. There has to be enough evidence to support getting a warrant to supply the encryption key (or plain text versions) of documents in the first place. Also, the nature of the evidence or data being requested should be specified beforehand. i.e. If a warrant is issued because of suspected illegal activity of a certain nature, then documents which may be incriminating for other charges become in-admissable.

    My documents plead the fifth on the grounds that they may incriminate me!

    ....Paul
    /uni0/milw/sol01/pl03 7340032 6774917 529948 93% /Earth
  • Wonderful. Now, instead of being tortured by British police until you give them the key, they simply send you to prison. I'm glad to see the progress in the Fascist, Draconian government that now makes up the British Empire. It's like taking Clinton, and mixing in Hitler's tactics. Quite ammusing, if you don't have to live there...
  • I would think that in fact the average person has no use for cryptography in their daily lives.

    Well, my wife and I have to routinely refer to "McDonalds" as "M.C.D.s" to avoid over-exciting our 3yr old.

    More seriously, I wouldn't like to do any online shopping if there wasn't at least a rudimentary form of cryptography going on.

    Basically, you don't have to be a spy to need encrypted data.

    Regards, Ralph.

  • One of the main, and most scary, problems is that Part III of the bill says that YOU have to prove that you don't have the key or the original plain text, otherwise they can imprison you for up to two years.

    As is correctly pointed out on the STAND web site (links in previous comments) this is in direct breech of the European Human Rights Act that the UK will sign to in October. In particular, this is a reversal of the burden of proof, i.e. you are no longer guilty until proven innocent. Not only that, but you cannot logically prove your innocence, and you are forced to self-incriminate. So much for the right to silence. Oh, I forgot, we lost that in the UK a few years ago.

    However, just because this law won't stand up in court does not mean we should not complain to our MPs right now. I'm going to dust off my pen and paper like another poster suggested. Then maybe one day the establishment will stop trying to pass such rediculous legislation.

  • Or even better (if you really have something to hide, that is):
    One password that will decrypt the real data and one that will decrypt harmless cooking recipies AND destroy the original.

    Obviously this would only be intresting for the real criminal, that stand more to lose from his files being decrypted than from losing them altogether.

    Yes, I'm sure that the really ugly guys(tm) won't get caught by this law, only innocent geeks refusing to decrypt as a matter of principle and the clueless criminals.

    Perhaps starting rumours about how a few MP's have suspicious material on their computers wouldn't be too bad. ;-)

  • CARE THAT I CARE? I'm getting tired of you paranoid oversensitive couch potatoes moaning and groaning that someone ruined the peacefulness of what might have been an otherwise serene slashdot front page.

    Cryptography is only useful if you happen to be a spy or have an actual internet connection (ie the use of pgp to sign, encrypt, or both messages with it).

    Good God, you're full of X-Files hype. Agents good. People civilized. Criminals encrypt. Two words. Blow me.
  • > isn't it normally standard procedure that if the person refuses to be searched, they'll be jailed?

    Yes, but with this idiot law the police don't need a warrant, just a suspicion. Then you have to prove yourself innocent rather than them proving you guilty. With luck the European Court will throw it out, but that needs some poor guy to go through the wringer first.
  • Since when is it acceptable for a law to be passed allowing government bodies to force handing over *any* document they desire? I can understand a situation such as bank fraud - where they may be wish access to financial documents, or even an email-threat sent by a stalker, but in general anything that they need for proof in court can be obtained by non-intrusive acceptable legal means through the *other* party involved; ie the bank or victim etc.. The very idea that a govenment can force legislation allowing them access to one's personal's on a pc is ridiculous. Encryption of data is no different from writing in one's own personal code, which by the way shorthand is an example of. Well hey- there's the solution. Invent your own form of shorthand and then encrypt that! The bastards will see nothing but gibberish and by the time they work out the meaning of the message you will have re-encypted it with a new stronger algorith..
  • If you're not sure who to write to then a list of all the MP's in the UK, along with Email addresses for some (though you should consider a hand written letter which is more likely to be read) can be obtained at This site [keele.ac.uk]

    Perhaps, if your MP doesn't have an email address, you can consider asking how they can assume they know enough to vote on an issue involving technical issues like this when they're apparently not informed enough to register a hotmail account. Actually don't, it'll just rile them.

    Pre.......
  • You're onto something - this is the basic idea of Steganographic File Systems (more or less). Someone in the UK is working on one for Linux right now (just search the net) - this is just the kind of thing we need to defend ourselves against this stupid law.

  • I haven't looked through the text of the bill, so I don't know whether it includes the problem that's just occurred to me. I hope it does, really, because that ought to blow it out of the water, somewhat.
    Credit cards (and bank cards etc)! I use them in my daily life, and yet I have no way of (personally) finding out what data is on them.
    I'll admit that the data is standardised, and that a sufficiently power organisation (such as the police) could demand that the issuing body reveal the information, but I can't access it myself.
    Does that mean I'm liable for imprisonment?
    --
    Too stupid to live.
  • Now this has to also apply to this data encryption business doesn't it? Just tell you refuse to incriminate yourself (by giving them the key) then they'll have to try and crack it themselves, not just punish you anyhow

    Yes, but the rest of the UK has not signed up to the European Human Rights Act yet. The good news, however, is that this should be happening in October. So no encrypting till then, OK?

  • "It is not exactly as if the police would come knocking at your door and asking for codes if you have done nothing wrong now is it?" And the Nazi's had a right to search and arrest people as well.....those crazy jews, gypsy, homosexuals, invalids, mentally handicapped, and others were ALL suspicious. As well as the asians who were put in detention centers IN AMERICA during WWII. As well as people in china who get arrested and search for their heinous actions of such things like free thought and political action. As well as the former soviet union, iran, iraq, yemen, cuba, etc. Hmm it seems its fair if they have a reason. But with that mentality...What are the qualifications for those suspicions and reasons? You've already lost your right to secure encryption and well....if they want to see your encrypted documents, they must have a good reason. But you would probably reply (since you are an idiot) That things like this are not the same as those past and present activities. You can't equate this to Nazi germany... But...was Nazi germany built in one day? Did they wake up one morning and decide that the gov't/police state should have all rights over citizens in all affairs? Was it as bad in 1936 as it was in 1939? as it was in 1941? remember...Freedom is a binary type concept. You either have it or you don't. More freedom and less freedom are meaningless and incorrect terms. Freedom entails no control from the outside. If ANY control is lost, then that thing does not have FREEDOM. You could say less restrictive, but by no means FREE. Bend over...here comes the government! Bend over...here comes the corporate sector! If you have nothing to hide...load up smbd or file/sharing in 'doze and give read access to all for all your data. You have nothing to hide right? It shouldn't be a problem.
  • Because you might want to order stuff on-line? People (especially those in card companies) really care about credit card fraud. Encrypting your card number before you send it is the most pragmatic way to prevent financial loss and the hassles of cancelling your card etc.

    Besides, most people now assume that an actual internet connection is soon going to be as ubiquitous as electricity or water supply is today. Cryptography will be useful for everyone and should therefore be available and adequately strong.
    +++++
  • I can see a big flaw in this law (;-)

    If you can get away with supplying a plain-text version of your
    encrypted message, you could give them any plain text.

    Provided you used a sophisticated encryption algorithm with long
    keys, even a known-plaintext attack would be too hard for
    the officials to do on everyone who happily supplies a plain-text.

    To me, this looks as if whoever proposed and accepted this
    law does not know anything about cryptology.

    If they insist on the keys however, you are severly screwed...

    This would be a good reason to leave the island for good.
    (its only Rain and BSE anyway... ;-)


    --
  • Why not put all your encrypted data in your mail box. You could then claim that you received these (encrypted) emails by mistake and never deleted them. Basically blame spam!

  • I will simply point you to the recent story, Northwest Searches Employees' Home Computers and see if you can extrapolate why this particular case might be relevant even though it only points out one specific utility for encryption
    among average folks.


    Reminds me of a simpson's episode where Homer is leader of the Union at the nuclear power plant. One night he hears a knock on the door.

    *Knock* *Knock* *Knock*

    Homer: Who's There?
    Man at door: Goons
    Homer: Who?
    Man at door: Hired Goons
    Homer: *opens door*
    Man at door: *grabs Homer*

    In your own home you do not have the need to open the door to anyone unless they have a search warrant. That is how it works at least in the USA. Now if they did do such a thing I would have every reason to physically beat their brains out with a club in keeping them off my property. If I buy the computer then I have free access to it. If they want to look at the computer fine! I'll just delete very thourally (about 1,000 times for each sector of the hd that had the files). Or more exactly take the hd out of the machine completely delete it and then use some thermite on the hd. Then have another hd that I could swap back in without any data that they want. Simple problem solved.

    Even with encryption if I have a directory called

    C:\my_evil_secret_plans_for_Northwest
    and has files like:

    bomb_making_plans.doc
    strikes_and_how_they_work.doc
    ...

    etc then perhaps that is still incriminating and especially so if you have the data encrypted.
  • by JamesSharman ( 91225 ) on Thursday February 10, 2000 @06:06AM (#1288657)

    This law effectively makes DeCSS legal in the UK. Since the law requires that (on demand) we hand over encryption keys to any encrypted data in our possession, they can hardly justify putting us in jail for having the key in the first place.
    I quote the relevant part:

    "And, as a result, the Bill proposes that the police or the security services should have the power to force someone to hand over decryption keys or the plain text of specified materials, such as e-mails, and jail those who refuse."

  • Because you might want to order stuff on-line? People (especially those in card companies) really care about credit card fraud. Encrypting your card number before you send it is the most pragmatic way to prevent financial loss and the
    hassles of cancelling your card etc.


    Yeah but as an average person you don't need to build a credit card transaction system. Online processing dosn't really force the user to care about encryption except having an https url prefixed to the site.

    Besides, most people now assume that an actual internet connection is soon going to be as ubiquitous as electricity or water supply is today. Cryptography will be useful for everyone and should therefore be available and adequately
    strong.


    Also a really, really, really, big assumption. Not everyone will be online. And ceternally not everyone will need cryptography. This still dosn't invalidate my argument.
  • But not in and of itself. In itself, it's just an extension of existing laws of search, which are well-established and not terribly unreasonable.

    It's when you combine it with other things, that problems arise. The European Privacy Laws, for example, dictate that you cannot export data to a country with weaker privacy protection. On that basis, the Government is entitled to export information seized from individuals to other nations, WITHOUT legal reason or basis but for commercial gain.

    (This follows, as the ability to seize personal information on a computer by the Government, without due process, is tantamount to saying that the data is not protected by privacy laws. Thus, it may be exported freely.)

    Then, combine it with the CCTV cameras, now filling England. These images can (and are) sold to commercial enterprises. Information from the cameras is index-linked to the national criminal databases. Imagine being able to demand of your ISP all encrypted data in and for your account (such as your password), and being able to tie all that information with everything on your harddrive and THEN everything about your movements in the country.

    THAT is when it gets scary. Someone with protest e-mails who happens to be heading in the direction of a town in which the Government knows nuclear material is illegally being transported could end up being arrested under the Criminal Justice Act, or even the Terrorism Prevention Act, with the e-mails used as evidence against them, even if their sole purpose for driving there was to pick up a bar of soap.

    The combination of the loop-hole in the privacy laws, the CJA, the TPA and the 24/7 surveilance lead me to believe that Britain is plunging towards being a totalitarian state. And, to be honest, I don't think it's the Government's fault.

    This attitude was shared by the previous Conservative Government, just as feverently. Indeed, it was they who put all the pieces in place to allow this new law to be abused.

    This leads me to believe that it's actually the Civil Service that's actually running the show. They are now in a supremely powerful position, with absolute, dictatorial powers of monitoring, searching, and arresting, with NO due process taking place. In short, the Civil Service in England would be capable of seizing total power over England, at this point, and there would be no realistic way to stop them.

  • If you are living in anything but abject poverty, there are certain people who would be very interested in things like your credit card numbers, bank account numbers, social security numbers, etc., especially in combination.

    That's what we have fraud protection for. Consumer protection prevents law breakers from totally wiping you out when you don't want to. If you take the ideas that many of the people here everything will be monitered and tracked. If that happens it will make law breakers especially vulnerable to capture and arrest. Cryptography will be rendered moot and the government dosn't matter in areas of commercial interest as I illustrate below.

    And I also have to mention that, while many FSF true believers may find this objectionable, I do have to mention that there were times when I had, on my home system, source code that sold for something like $100,000, in the
    course of some consulting projects. (That's what the source license cost. I wouldn't have paid a nickle for it though. It was crap.)


    Well I don't object to charging although you admit that the code was crap and you sold it for $100,000. That's the kind of thing you keep the recipt for the refund.

    Perhaps not a common situation, but then, it is not uncommon for managerial types to have data on their systems that would be of great interest to their competitors.

    Unless over 50% of the people in the US are managers of something and have such data then there is no problem. Usually such data is secured on machines that are physically located within a building or in a system that is essentially secure to begin with. You would have to have a group of terrorists or militia groups to break through some buildings.

    Cryptography is not important just as a means to keep data from the government.

    Since the government can basically do what it wants because it makes the rules protecting your data from the government is pointless unless you want to try to escape the problem. The government dosn't want to or does not actually engage in commercial or industrial espionage because it has essentially nothing to gain.
  • No: if a message was encrypted using a public key system, and the
    prosecutors knowthe public key, then obviously they can check the
    message.

    This is probably the kind of case the police are most concerned
    about: criminals using cryptography to communicate, and not be
    understood by the police. The other kind of case would use symmetric
    key cryptology: eg. the accounting details of a fraud are held locally
    on a hard drive, and here it wouldn't be able to verify the plain text
    matches the cypher text.

  • by r2ravens ( 22773 ) on Thursday February 10, 2000 @06:21AM (#1288673)
    I used to teach Introduction to the Internet classes at a community college where I also ran the open student lab. I would tell the students that they should not send anything in email that they wouldn't want to see in the headline of tomorrows newspaper. If I'm having a private email conversation with a friend about a third party, there may be information that I don't want the third party to know I said and information I don't want made public.

    Assume I am a psychiatrist consulting with a colleague in another place about a client. I wouldn't want anyone but the intended recipient to see the information about the patients condition.

    Just these facts are enough to make encryption worthwhile for me.

    And what about business plans? If I was working on developing a new product, the exposure of that information could give someone else (with more money - like M/$) the idea to develop before I could get all my ducks in a row.

    Other than that, is just simply the fact that I have a right to be secure in my possessions and particulary, my information. That was the whole point to forming this country (USA). For my government to force me to give them the encryption key to data is the same as demanding that I incriminate myself (also prohibited by the US Constitution.)

    I realize the article is about the law in the UK, but the encryption issue is truly international.

    Governments are chipping away at our rights to privacy (at whatever level) in many countries around the world. If we don't stop it now, nothing about our private lives will be beyond the reach of Government, and then corporations as they further lobby the Government (become the Government?)

    Why is cryptography so terribly important?

    Those reasons are enough for me.

    Russ
  • Yeah, give them the plaintext of anything they ask for. The govt might wonder why you have so many copies of the GNOME README file, but they'll get over it eventually.

    -jwb

  • No the encrypted data is evidence. Refusing to decrypt it is like refusing a properly authorised search of your premises.
  • I see that the first letter of each line of your message on my browser is "DHIRPUTACE", which in Portuguese is an insult. Who were you sending this message to? Talk! TALK!
  • by jbrw ( 520 ) on Thursday February 10, 2000 @06:29AM (#1288685) Homepage
    Look at http://www.stand.org.uk/ [stand.org.uk] - this is an important site.

    They show how to get Jack Straw (important government chap in the UK) guilty of committing a crime. That is, they encrypted a confession to an actual (undisclosed) crime, destroyed the key, and sent him the encrypted data. Jack Straw is now in possession of some information that would pressumably be of interest to the police, but he is unable to provide the decryption key (because he never had it in the first place), but, ofcourse, as many people are pointing out, how do you prove you don't have the key...

    While the example of the above site is, considering the circumstances, a fairly light-heated example, consider this: lots of politicans/business people (or anyone, really) are accussed, and investigated, of serious crimes regularly. How easy will it become to provide encrypted data to the person under investigation, without their knowledge, and then inform the police that that person is in possession of encrypted data that may (or may not? who can tell?) be of interest to their investigations. Police find data, ask for key, person is flung in jail.

    Ooops.

    I really hope Mark Thomas [channel4.com] can squeeze a show in about this before the current season ends - I believe the shows are still being taped. (Mark Thomas is similar to Michael Moore, for you US people - only much, much better at what he does.)

    ...j
  • How is this meant to work? Presumably the police are smart enough to keep multiple copies of the cypher text...

    Why not use something along the lines of those "secure digital music formats"

    Perhaps the files cannot be read from any other media than the original hard disk (or whatever). Perhaps that will make CSS illegal? Oh what a sad moment that would be.

  • Except that a well-encrypted file is indistinguishable from white noise. I wonder how many people will be imprisoned for refusing to turn the white noise they e-mailed someone into plain text?

    Somehow it's making more and more sense that Orwell's novels were set in England. Yes, I know he's English, went to Eton, all that, but he made a point of setting his novels there, rather than in some made-up country, first to make his message particularly poignant to his homeland's readers, but also because he saw the real possibility of it happening there. Shame people stopped listening about twenty years ago.

    English police don't need a search warrant to enter a home. Private ownership of guns of any sort is strictly controlled. The government has granted itself the right to read any electronic message and imprison you for years if they can't read it. God help you if it's white noise or if the file got corrupted. And there is legislation in the works to require every subject (interesting word, that) to submit a DNA sample to a national database.

    .uk Slashdot readers, I offer you my sympathies and moral support. I sincerely hope your government starts exercising some self-control. But once the checks and balances of constitutional democracy have been subverted, they are hardly ever restored.

    --

  • The real problem is proving that you even know the key to an encrypted file on your computer.

    I remember seeing a web page that made an MP a criminal. The web site author claimed to have commited an unspecified crime, confessed to the crime, encrypted his confession (I think he even made a deal about having his confession notarized), and emailed the key to the MP. The MP then had evidence of a crime encrypted on his computer that, if he failed to decrypt, he would be liable for.

    I've undoubtedly got some details wrong and would appreciate it if anyone knew the link to the site.
  • I used to teach Introduction to the Internet classes at a community college where I also ran the open student lab. I would tell the students that they should not send anything in email that they wouldn't want to see in the headline of
    tomorrows newspaper. If I'm having a private email conversation with a friend about a third party, there may be information that I don't want the third party to know I said and information I don't want made public.


    Ahh however if you remember that there are certain laws that take such behavior as criminal on many levels. Eventually they will end up in a court room.

    Assume I am a psychiatrist consulting with a colleague in another place about a client. I wouldn't want anyone but the intended recipient to see the information about the patients condition.

    The individual who obtained the information was breaking the law. If they steal the data they can be prosecuted. I doubt that many psychiatrists actually use encryption anyway.

    And what about business plans? If I was working on developing a new product, the exposure of that information could give someone else (with more money - like M/$) the idea to develop before I could get all my ducks in a row.

    Most of communication about projects in any reasonably secure company is done internally. Email is usually intraoffice variety and as such would not fall to foul play from people wanting to get it unless you have a leak; and really that's an internal security issue best solved internally.

    Other than that, is just simply the fact that I have a right to be secure in my possessions and particulary, my information. That was the whole point to forming this country (USA). For my government to force me to give them the
    encryption key to data is the same as demanding that I incriminate myself (also prohibited by the US Constitution.)


    You already do that. If I have a computer someone has to be able to retrieve that computer. You have a lock on your door however do you happen to live in a bomb shelter, do you have 30 feet of concrete surrounding your house? Some things are overkill.

    I realize the article is about the law in the UK, but the encryption issue is truly international.

    If you notice the countries that do not have policies against some form of crypto are usually countries that are not really that totally powerful, or are not as ecconomically massive?

    Governments are chipping away at our rights to privacy (at whatever level) in many countries around the world. If we don't stop it now, nothing about our private lives will be beyond the reach of Government, and then corporations as
    they further lobby the Government (become the Government?)


    The government has various laws that restrict the flow of information. The federal government cares more about people's rights than most. Where you find all the massive breaches of privacy are usually on State and local levels. Garbage that the states do are usually 10x worse than what the national government does because they are held to a higher standard of responsibility.

  • > if anyone knew the link

    Sorry to follow up to my own post, but I found the link: http://www.stand.org.uk/ [stand.org.uk]

  • Wasn't Ludwig a chequered egg? :)
  • All they would need to do is encrypt your "plaintext" version with the key you supplied and compare it with the message they are holding.

    With PGP, and no doubt many other encryption schemes, this would not prove anything. The encryption program chooses a random session key to encrypt the data, and encrypts this session key with the user's key.

    Of course the real flaw is that it would require both the plaintext & the key, while the OP was suggesting giving only a bogus plaintext.

  • Refusing to decrypt the data when you're able to is certainly a failure to allow a legal search, but that's not the real problem with this law.

    As it stands, you're required to produce the key and thrown in jail if you don't - regardless of whether you even posess the key in the first place. The only thing that counts is the police opinion on whether you posess the key, with the defendant required to prove their innocence, contrary to UK law elsewhere where prosecution are required to prove guilt. Speaking personally, I've got something like 1,000 floppy disks and several Spectrum data cassettes. The idea of having to prove that none of them held a key is a little worrying.

    On top of that, my memory is that it's now an offence to tell anyone that you're being prosecuted under this law. Truly terrifying.

    Anyway, two good URLs here:

    • The bill [dti.gov.uk]. Whether the act contains any significant amendments, I don't know but none have been reported so make your own mind up...
    • Secondly, some background information [stand.org]
    .While it's good to get worried about this, there is hope yet. It's probably in breach of the European convention on Human Rights [www.coe.fr], which Britain has incorprated into its law. So hopefully it'll get struck down by the High Court as soon as any case on this law gets taken to them.

    Greg

  • Whoops, I'm not awake.

    That's the old bill, which is merely very similar to the new one. Does anyone know where that can be found?

    Greg
  • If you're a journalist who refuses to give up the name of your source in a critical case, you can also be thrown in jail for contempt of court.

    Here (Sweden) it is actually *illegal* to even try to find out who a journalist's source is.

    The real problem (as you pointed out) is that you can never prove that you do *not* have encrypted information. Hey, there might be a secret message hidden in this post. Perhaps I made the arrangement that "Start selling those drugs to children the moment I post three messages on the same subject on /."

    The obvious conflict (and now my rant alert is flashing) is that the openness of the "net culture" makes it more motivated to encrypt and hide personal data. I might not want the whole world to see my private mail, however innocent.

    Perfect crypto vs total freedom of information. It is just like that "Irresistable force vs unmovable object" question.

  • (just say "I used a one-time pad, which I will not supply. Instead I will provide you with a plaintext version of it.") That seems to me to remove all of the teeth from this otherwise god-awful law.. am I mistaken?

    (IMHO, IANAL) Yes! Because, place yourself as a law enforcement agency, and ask yourself, "how can I enforce this law". The answer isn't and can't be, "Well, I guess we don't." Instead, they will have to be more invasive and confrontational to make certain that you aren't dancing around it.

    This is a terrible development-- much worse than the cameras and monitoring devices that the British are also implementing to monitor their citizen's activities. We have the potential to live in a world where virtually everything we do is subject to observation, review and regulation-- where we become terminals and peripherals to a central social control. Or this technology will let us be distributed, parallel, and at liberty to make our own decisions.

    Massive parallelism, neural networks, distributed systems, genetic algorithms, Open Source development models-- my feeling is that these technologies should be the model for our social system-- a world of individuals with as much of the decision-making offloaded to the 'client side' as possible. (Excuse me if I am stretching the metaphor too far, but I think it still holds.)

    In a parliamentary system, you have less direct say over your government, since you have to deal with a party rather than a person. But you still should fight this tooth and nail. Once the burden of proof is on you to prove that you aren't hiding something, you'll never be able to escape that.

  • The US isn't doing to well on 'innocent until proven gulity' either. If a cop decides that it's suspicious that you take money to Las Vegas to gamble with [detnews.com], or that it's possible to use an innocent item in a drug related way [fear.org], then you can loose all your assets.
  • Or just send him/her some random data, and you know for sure they can not crack it to provide the police with the key...

    But I think I've heard this debate here at v/. before, with exactly this argument, and the arguments of the commented...
    --The knowledge that you are an idiot, is what distinguishes you from one.
  • The investigators may know your public key, but that doesn't do them much good; in order to verify the ciphertext they need the session key for the symmetric cipher used to encrypt the message. Maybe they could declare this key the "plaintext" for purposes of the law. It's hard to say. In any case, all of this presumes that your public key is truly public, which need not be the case. If you truly were worried about this law you could always secretly exchange "public" keys with the people with whom you intend to communicate.


    Actually, the more I think about it, the more peculiar the clause about plaintext seems. Any putative plaintext that comes from the hand of the person being investigated is untrustworthy, and therefore unhelpful at best. Seeing this clause in the legislation makes one doubt whether the lawmakers truly understand the issues involved here. Viewed in that light, this law should at least provide a useful counterargument the next time someone claims that the US has a monopoly on clueless government (which, judging from recent Slashdot posts, should be sometime within the next 24 hours.)


    -r

  • Okay, say you're buying something online.

    Say I'm in the next room running a packet sniffer.

    Say you're _not_ using encryption, like a dumbass.

    Say I steal your credit card info.

    Cest la vie.

    - A.P.

    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • <i>And that all assumes that you are able to convice the powers that be that something happened. There are many, many horror stories floating around about "identity theft"</i>

    Which widespread encryption will make an ever greater hell: "Whadda mean you did buy this stuff, send this threat, etc. It was cryptographically signed by you. Oh, secret keys stoken? Prove it."

    All problems with identity theft occur because businesses and government are lazy, cheap, or stupid (choose at least two). You think the use of encryption is going to prevent them from screwing up? Without consumer protection laws and the ability to repudiate transactions, they'd be even more sloppy, because then they could get away with it.
  • In the UK, there is no right of free speech or right to silence.

    There is a right to silence - but it may harm your defence if you do not say anything which you later rely on in court.

    In the UK, being Irish is a criminal offense punishable by being held without trial.

    Quite. And it is also a criminal offence not to practise archery on Sundays.

    In the UK, Nationalism is the same as being a thick racist thug.

    Which type of Nationalism? Do you know the difference between the BNP, the SNP and Plaid Cymru?

    In the UK, racism is an institutionalised way of life.

    What a helpful generalisation.

    Hamish

  • I object strongly to the lack of content for parrots on your site. I myself feel that (pieces of eight!) content for parrots on you service tends towards the token (polly want a cracker!) spouting of stereotypical (it is no more!) garbage and inane humourous sketches (it has shuffled off this mortal coil!) designed to elicit cheap laughs from the lowest common denominator (show us yer knickers!) which reads this excuse for a site.

    Yours most sincerely,
    Kevin Phillips *Bong*
  • There is no right to silence in UK.

    dave
  • n the mid-nineties I was involved with a political campaign in a Southern California town. We were opposing the powers that be, who were backed by big money (developers pushing a very unpopular $2,000,000,000 development, among others). Encryption proved to be the only way we could communicate in private. Interesting how this works. It seems that California has the largest percentage of people who have dynamically opposed interests. Every liberally minded group in the country usually has a large contingent in California. More natzi like pollution and environmental laws and such. Let me say that the number of people who can afford to be political dissidents is probably much higher today than it was in times past because more people want to be communists and rebel against the government. This will subside just like it did when they were present in the 60's. I certainly can't afford to just randomly decide to rebel and risk life and limb. Unless I have a steady stream of money comming in I have a little problem. Influence and power in society never come to a group of radicals but people who work within the system. We had death threats. Our phones were tapped. "Private" conversations conducted in my house ended up not being private. Strategies we developed (over phone conversations) were implemented by the competition first. Video rental records were stolen and given to reporters (never published though -- nothing incriminating.) Postal employees postponed the delivery of our mailers until after the election. Private investigators asked our neighbors about any unsavory habits they thought we might have (say, does her son do drugs? Is he homosexual? What about the daughter -- does she sleep around?) It was a very ugly place to be, and it killed most of my idealism. I have actually theorized about one could easily defeat opponents like this. I have reached the conclusion that anti-terrorist tactics are the most helpful. Essentially this involves a tactical strike team of individuals who can essentially dismantle the enemy's actions with relative ease. Use of say "natural" poisons and weapons which utilize silencers are the most effective. Trust me any inviduals who think they can get you are usually deluding themselves. People have brute threats but with a little thinking you can perservere. My ultimate question is why didn't anyone contact the feds? The FBI is quite good about stopping silly little State oriented shit like that. Oh well I guess people have fooled themselves into thinking that the States can do a better job. This illustrates that they most certainly cannot. I don't know what world you live in, but here in the US of A we see government officials breaking the law regularly. We see people with political influence (read "money") get away with anything, while the people who truly care and want to make a difference are assaulted from every angle. We see the courts used to get around the law, rather than enforce it. We can't depend on the media to report the truth. These lessons were all learned in the same election cycle, in one small town on the west coast. I'm frightened to think what it must be like on higher levels. Well I really haven't seen anything on slashdot that indicates any other reaction other than something the Lone Gunmen or Fox Mulder would do. Ranting and raving about the evil government will not change. I have advocated infiltration and change within. However most people don't care for that sort of thing. PGP ended up being the only way we could communicate privately (over a private BBS). It was a PITA to explain text-based encryption tool use to Win 3.1 users who didn't understand DOS, but we did it. And it made a difference. Explain in a system that has adequate security protections how something could happen like that? If I run a tight ship and only allow people in that I want in via password protected access and login times strictly monitered how does that matter? Back in the good old days (ie before widespread encryption and pgp and all those fanatical Fox Mulder types out there really got a pick me up with the internet) people could keep things reasonably secret. What did those people do? They used common sence. They never had really, really, bad problems with anything of the sort you are describing here. I genuinely think that people have become more lazy and generally more trusting of their little electronic toys. Encryption is important if you ever choose to be involved in something political that has real consequences. You're buying the government's line if you think it's only for kiddie pr0n peddlers and terrorists. I am the not the sort of person who actually has done anything with a higher level of security clearance than probably anyone out there. I have never had data that hardly anyone has ever wanted. I do not have a credit card or anything that I personally paid for online. This makes issues like this a little more out of my reach of caring. As far as political consequences I do wish I could get a job with a 3 letter organization and actually need encryption like that however I am realistic. The day I manage to actually have data like that needing protection I will think then and only then about using some form of encryption.
  • n the mid-nineties I was involved with a political campaign in a Southern California town. We were opposing the powers that be, who were backed by big money (developers pushing a very unpopular $2,000,000,000
    development, among others). Encryption proved to be the only way we could communicate in private.


    Interesting how this works. It seems that California has the largest percentage of people who have dynamically opposed interests. Every liberally minded group in the country usually has a large contingent in California. More natzi like pollution and environmental laws and such.

    Let me say that the number of people who can afford to be political dissidents is probably much higher today than it was in times past because more people want to be communists and rebel against the government. This will subside just like it did when they were present in the 60's.

    I certainly can't afford to just randomly decide to rebel and risk life and limb. Unless I have a steady stream of money comming in I have a little problem. Influence and power in society never come to a group of radicals but people who work within the system.

    We had death threats. Our phones were tapped. "Private" conversations conducted in my house ended up not being private. Strategies we developed (over phone conversations) were implemented by the competition first.
    Video rental records were stolen and given to reporters (never published though -- nothing incriminating.) Postal employees postponed the delivery of our mailers until after the election. Private investigators asked our
    neighbors about any unsavory habits they thought we might have (say, does her son do drugs? Is he homosexual? What about the daughter -- does she sleep around?) It was a very ugly place to be, and it killed most of
    my idealism.


    I have actually theorized about one could easily defeat opponents like this. I have reached the conclusion that anti-terrorist tactics are the most helpful. Essentially this involves a tactical strike team of individuals who can essentially dismantle the enemy's actions with relative ease. Use of say "natural" poisons and weapons which utilize silencers are the most effective.

    Trust me any inviduals who think they can get you are usually deluding themselves. People have brute threats but with a little thinking you can perservere.

    My ultimate question is why didn't anyone contact the feds? The FBI is quite good about stopping silly little State oriented shit like that. Oh well I guess people have fooled themselves into thinking that the States can do a better job. This illustrates that they most certainly cannot.

    I don't know what world you live in, but here in the US of A we see government officials breaking the law regularly. We see people with political influence (read "money") get away with anything, while the people who
    truly care and want to make a difference are assaulted from every angle. We see the courts used to get around the law, rather than enforce it. We can't depend on the media to report the truth. These lessons were all
    learned in the same election cycle, in one small town on the west coast. I'm frightened to think what it must be like on higher levels.


    Well I really haven't seen anything on slashdot that indicates any other reaction other than something the Lone Gunmen or Fox Mulder would do. Ranting and raving about the evil government will not change. I have advocated infiltration and change within. However most people don't care for that sort of thing.

    PGP ended up being the only way we could communicate privately (over a private BBS). It was a PITA to explain text-based encryption tool use to Win 3.1 users who didn't understand DOS, but we did it. And it
    made a difference.


    Explain in a system that has adequate security protections how something could happen like that? If I run a tight ship and only allow people in that I want in via password protected access and login times strictly monitered how does that matter? Back in the good old days (ie before widespread encryption and pgp and all those fanatical Fox Mulder types out there really got a pick me up with the internet) people could keep things reasonably secret. What did those people do? They used common sence. They never had really, really, bad problems with anything of the sort you are describing here.

    I genuinely think that people have become more lazy and generally more trusting of their little electronic toys.

    Encryption is important if you ever choose to be involved in something political that has real consequences. You're buying the government's line if you think it's only for kiddie pr0n peddlers and terrorists.


    I am the not the sort of person who actually has done anything with a higher level of security clearance than probably anyone out there. I have never had data that hardly anyone has ever wanted. I do not have a credit card or anything that I personally paid for online. This makes issues like this a little more out of my reach of caring.

    As far as political consequences I do wish I could get a job with a 3 letter organization and actually need encryption like that however I am realistic. The day I manage to actually have data like that needing protection I will think then and only then about using some form of encryption.

  • I see a misunderstanding in several of the comments here. The bill has not yet passed, and is not yet made law. It is, as yet, still legal to store encrypted data on our computers. But the bill has been drawn up, and it will be debated in parliament, and in the current social climate, is likely to be passed without a murmur. So it is of the utmost urgency that we write, calmly and sensibly, to our MPs to stress the unfairness, unfeasibility, and sheer stupidity of the bill as it presently stands.
  • I'd know the answer to this, but is there any way to verify that the plaintext version you supplied matches what's been encrypted?

    Yes, they can force you to give them the key so that they can decrypt it, but there is hope: StegFS [cam.ac.uk] is an encrypted/stenographic filesystem for Linux (based on ext2) which provides plausable deniablility, i.e. it has n levels of access (diffrent passwords) and you may encrypt data at any level of access, but there is _no_way_ to prove that a higher level exists from a lower level. This means that when the cops make you give them the password you just give them the passwords to the lower levels, but not the higher levels.

    The only hole in this system is that the cops may know you posses some information which you have not yeat shown them, so they could assume that their are unrevieled levels.

    I would really like to see the linear algebra based plausable denaiablility algorithm implemented for PGP key files. It would make your key files 16 times larger, but would allow you to have n It might be possible to have a psychological solution to the password problem, i.e. use long passwords which you can remember, but which you can also force yourself to forget (by chanting simmilar sounding things hundreds of times). It is an interesting idea.
  • D'oh! You did it again.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • I just emailed my MP (the Rt Hon Joan Ryan) to tell her what I think of this bill _and_ what I think of a government that abuses its majority and ignores the upper house whenever it wants to (which is every time).

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • Yeah, but even a 16-year-old Norwegian boy could crack that key in a few seconds. Duh!

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • That's the kicker. You have to *prove* you have no/there is no key to the data. Or else you are legally determined to be hiding the key.

  • If you are living in anything but abject poverty, there are certain people who would be very interested in things like your credit card numbers, bank account numbers, social security numbers, etc., especially in combination.

    That's what we have fraud protection for. Consumer protection prevents law breakers from totally wiping you out when you don't want to. If you take the ideas that many of the people here everything will be monitered and tracked.


    That only helps if fraud is what you're worried about. I understood "certain people" in the previous post to include, for just one example, direct marketers, who could correlate all that information into massive profiles of what sort of stuff you buy, i.e., what your interests are, so they can bombard you with junk mail and/or spam, and how much money you have / spend, so they can know whether marketing at you is worthwhile.

    Parsing your last sentence quoted above as well as I can (though it's not very intelligible), I get the idea that you're aware of the tracking / monitoring potential of this stuff, yet you seem unconcerned about it. In fact, you seem to be saying it as a good thing. Of course you're free to feel that way, but you can't read Slashdot for long without realizing that a lot of us don't like it, and think that protecting our privacy is plenty of reason to want to be able to use cryptography.

    My major problem with monitoring / tracking is a matter of simple dignity: advertising in general, but most especially direct marketing, makes me feel that the companies trying to sell me things are treating me as a resource to be exploited. The thought of the marketing being backed by a huge database of everything I've ever bought just makes it worse -- I don't like being viewed as a consumer in a petri dish.


    David Gould

  • Will somone please fix the damn Extrans posting mode!

    Will ucblockhead please figure out how the damn Extrans posting mode works!
    (Oh, and try using "Preview", too.)

    The posting modes are tricky, but here's how they work, near as I can tell:

    Extrans (Extended Translation) converts everything, including automatically replacing angle brackets with "&lt;" or "&gt;" escapes, so that it all shows up exactly as you type it and nothing gets interpreted as HTML tags.

    HTML Formatted is the opposite: it doesn't interfere with what you type, so any tags are interpreted as HTML, and there is no formatting except for your tags. Note that newlines are ignored, which is why people so often complain that their paragraph breaks got lost.

    Plain Old Text (which I use and which is probably the one you want) is in between: despite the (perhaps misleading) name, it does interpret HTML tags, but it also adds some formatting information. Specifically, it adds a <BR> tag wherever it sees a newline, so you get a paragraph break wherever you hit return. As far as I can tell, this is the only thing it adds.

    I just now noticed that they seem to have fixed a bug that's been irritating me forever: When I would use "&amp;", "&lt;", or "&gt;" escapes to prevent ampersands or angle brackets from being interpreted, it would work, but each I previewed, the text box would get the interpreted results, so the next time through, they would get eaten. This doesn't seem to happen anymore, though. Maybe now I can go play with my user preferences without having to redo the escapes in my sig (painful).

    No offence, right? I see you got it straightened out further down. You'll also see me agreeing with you regarding the actual topic of this thread.

    David Gould
  • Can somebody explain why a right not to self-incriminate is actually a good idea? I'm sure there's a good reason, just not sure what it is.
  • Yes, it is odd. I believe the Parliament has a publication similar to the Congressional Record that is accessible from the Parliament web site. It might be worth digging through it to see if there is any mention of what they were thinking. One possibility is that they were concerned about a possible "I destroyed the key" defense, so this gives them the opportunity to respond with, "Well, just give us the plaintext, then." There is a little logic there, since it would be hard to whip up a believable bogus plaintext on a moment's notice if you didn't already have one prepared. However, competent criminals will realize this, and they will just prepare their alternate plaintext in advance. Criminals have been using a similar tactic with accounting books for decades, so I don't imagine they will have much trouble adapting the practice to email correspondence.
  • you to have n It might

    Was this n IS GREATER THAN blah blah blah? I bet it thought it was an HTML tag and stripped it out.
  • I had a look at Hansard and found the relevant section. It's available at:

    [the-statio...fice.co.uk]
    Hansard: Regulation of investigatory Powers Bill

    It clearly states that it is not `reasonably practicable' for the
    investigated party to provide the key or plaintext, then that is a
    defence. Section 47 is about providing information in lieu of a key,
    which says nothing about verifying that the decrypted information
    matches the ciphertext.
  • More digging: nothing significant was debated in the Commons, but
    there was a select committee which discussed feedback to the draft
    bill.

    Available at
    [the-statio...fice.co.uk]
    Hansard: Trade and Industry Select Committee Report #14

    Very nice site, BTW: a lot of information, well organised, and with
    the most helpful site specific search engine I have used
    (automatically looks for words with similar roots to those specified,
    and explains what it is doing).

    It looks as if the plaintext requirement was tagged on in response to
    concerns that (i) users might have legitimate reasons not to possess
    the key, (ii) concerns that the police might use keys to obtain more
    information than authorised, or to hoard keys. They seem not to have
    thought of the problem of verification at all.

We must believe that it is the darkest before the dawn of a beautiful new world. We will see it when we believe it. -- Saul Alinsky

Working...