Slashdot Log In
UK Government Wants Private Encryption Keys
Posted by
Zonk
on Thu May 18, 2006 11:18 AM
from the my-keys-not-yours dept.
from the my-keys-not-yours dept.
An anonymous reader writes "Businesses and individuals in Britain may soon have to give their encryption keys to the police or face imprisonment. The UK government has said it will bring in the new powers to address a rise in the use of encryption by criminals and terrorists." From the article: "Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. 'The use of encryption is... proliferating,' Liam Byrne, Home Office minister of state told Parliament last week. 'Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force.'"
Related Stories
[+]
UK Law May Criminalize IT Pros 514 comments
An anonymous reader writes "More worrying news from the UK. This time, a bill meant to fight cybercrime may make it illegal to use or make available network security tools available, just because they could be used by hackers." From the article: "Clayton cited the Perl scripting language, created by Larry Wall in 1987, as an example of a useful technology that could fall foul of the law. 'Perl is almost universally used on a daily basis to permit the Internet to function,' said Clayton. 'I doubt if there is a sysadmin on the planet who hasn't written a Perl program at some time or another. Equally, almost every hacker who commits an offense under section 1 or section 3 of the CMA will use Perl as part of their toolkit. Unless Larry is especially stupid, and there is very little evidence for that, he will form the opinion that hackers are likely to use his Perl system. Locking Larry up is surely not desirable.'" A note that this is equally confusing but separate from yesterday's story about the UK government wanting private encryption keys.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading ... Please wait.

My God (Score:5, Insightful)
Re:My God (Score:5, Insightful)
Or how about a new
This is nasty. You can always tell when there are no reasons that would fly with the public when they have to invoke the paedophiles. US government has War on Terror, the UK has paedophiles.
E-mail was a god-send for the intelligence services. Automated scanning and copies of everything to look back on if they ever chose. Encryption means the free party is coming to an end. GPG is turning off the stereo and saying "GO HOME!"
They managed without it before. They can manage without it again. And if that means the Government can't achieve omniscience over the population... good!
Re:My God (Score:5, Funny)
More like "Horribly Bad Joke." (Score:5, Insightful)
What absolute morons.
Re:More like "Horribly Bad Joke." (Score:5, Insightful)
Most people don't even realize how many keys they use. They could default on a law like this without even knowing it.
Re:More like "Horribly Bad Joke." (Score:5, Insightful)
RTFA
Despite the poorly worded title, the UK govt. isn't about to ask you to submit every single key you ever generate.
It just wants the ability to 'force' you to hand over the keys if and when it asks for them.
Granted, this causes problems of it's own. I mean, I don't keep a list of every key i've used...
Re:More like "Horribly Bad Joke." (Score:5, Insightful)
They're talking about private keys (as in the private half of the public/private key pair in public key cryptography), not private keys (as in the only key in private key cryptography).
This is a huge difference. Private key cryptography is used as the underlying scheme for protocols like SSH, SSL, etc, but public key cryptography is used to ensure the secure exchange of that key. of the private half of the key pair is known, that initial exchange is not secure, and thus there is no need to be TOLD the private key cryptosystem's key: it is handed to any listener who knows the private key that goes with the public key used to initiate the session.
Oh, and the cell phone companies almost certainly already hand over the key pairs for the phones (or are issued them).
Obligatory Ayn Rand (Score:5, Insightful)
Just wait. (Score:5, Funny)
"You mean we spent four days decrypting Gigs upon Gigs of vacation photos??"
"Well, they have an 8 Megapixel camera, lots of memory cards and use RAW format..."
"But that's all you found? There aren't even any racy photos in the bunch?"
"Should we start decrypting the second RAID array?"
"The one labeled 'Project Gutenberg text to speech files in WAV format'?'
"Yes, that one."
"Go for it. I don't know what this 'Project Gutenberg' is, but it's got to be seditious. Plebeians don;t label anything a 'Project' unless they have delusions of being all 'Cloak and Dagger.'"
Re:More like "Horribly Bad Joke." (Score:5, Insightful)
You are probably an expert on computers/encryption, being a part of the Slashdot crowd, that you can understand how messed up these rules are. But if you were a doctor, you would probably think these rules are reasonable, and instead would think that the laws on health care are messed up. You are critical of these laws, because you have the knowledge to understand what is wrong with them... and you are probably don't really question the laws on subjects which you might not understand.
So you must understand, the vast majority of the population who doesn't understand encryption, will think these laws are reasonable and nessicary, the same way you probably think the laws on education, or enviornment, or whatever are reasonable and nessicary. The average person is not going to take you any more seriously complaining about this, than you take the complaints from factory owners about enviornmental laws.
At some point you are going to have to realize it isn't "idiotic" leaders who are making "idiotic" policies that are the problem... that our leaders are very very smart and competent... but that it is the idiotic concept that a handful of experts and technocrats can manage virtually every aspect of a huge diverse society. It is the concept that society can be centrally planned / regulated / and managed by lawmakers that is the problem, not with the specific "central planning".
Actually... (Score:5, Funny)
Where does that put me in your example?
Re:Actually... (Score:5, Interesting)
It means that you have been fully indoctrinated to accept the political and social assumptions of your society, and you now indoctrinate others into those assumptions... in such a way that it perpetuates the current political system. You are to the modern state what a priest is in Catholisism.
An example of a political assumption in a society would be something like the debate over government's role in health care in Europe. There are those who argue that equality of care (everyone is entitled to equal care) is why health care should be provided and controled by the government... and those that disagree. There are those who argue that no-one should be without health care, and therefore the state should provide it to everyone... and there are those that disagree. BUT, no one questions the idea that the government can or will provide truly equal care, or that the government can or will provide the care to everyone. The political assumption is that government never fails to provide people with services, and that government always provides those services in a manner that is equal to everyone. Even the people who are against the state's intervention into health care don't question that government will provide health care, and they don't question that the government will do it with absolute equality.
In a reasonable debate, you would hear people argue that states have engaged in terrible acts of inequality... in fact the worst acts of inequality, such as mass genocide, have been commited by the state. In a reasonable debate one would argue that states have often commited horrible failures in providing services to it's citizens, in some cases resulting in millions of deaths. Yet, in modern mainstream political debate, it is unheard of and inconceivable that someone could support universal and equal health care for everyone, and also not support state control of health care. In mainstream politics, if you support equal and universal health care, YOU MUST SUPPORT STATE RUN HEALTHCARE. Through political "scientists" such as yourself, and many years of indoctrination and government controlled education, you have been able to control people's thoughs as such that THE STATE = EQUALITY, and THE STATE = PROVIDING FOR THE NEEDS OF SOCIETY... and to be against the state is to be against equality and providing for the needs of everyone. As a "scientist", you should be able to step out of your views for a second and see that is a very powerful form of brainwashing!
Your job, as a political scientist, is to maintain a faith in the state and political process. You may question a specific government policy (but that is like questioning what type of sandwich I should eat for dinner... there is a big assumption that I should be eating dinner, and that my dinner should be a sandwich), but your job is to make sure all debate about the political sytem preserves the political system.
Now, I will admit I am stereotyping political science people. I suppose there are few token anarchists or libertarians or classical liberals in the political science field. But I think that you would probably agree, that anarchists or libertarians or classical liberals are probably few and far between in the field of political science. You wouldn't expect a political scientists to be against the political system, any more than you would expect a carpenter to be against wood.
Re:More like "Horribly Bad Joke." (Score:5, Insightful)
I'm not a food scientist, but I think labeling laws and food safety inspection regulations are very necessary. Who doesn't think that? The food industry that doesn't want me to know that their product contains transfats and which would be happy to sell me contaminated meat.
I'm not a chemical engineer, but I support regulation of gasoline additives. Who doesn't support that? The oil companies who understand that lead is a very cheap way to increase octane levels.
The real question is why you think the laws on education, civil planning, economy, enviornment, health care, or anything else are more reasonable that these laws on encryption.
Because most regulations are designed to establish the bounderies of various property rights. Who owns the air -- you or the oil companies? In this case, the regs define the limits of what an individual or company can do with a common resource. Should a food company have the property right to sell unlabled food? Here, the regs are designed to put buyer and seller on more even terms -- they reduce the transaction costs of buying and selling food.
But mandatory government access to private keys does nothing except make it easier for governments to invade personal privacy. In no way do such regs reduce the costs of transacting commerce or establish property rights boundries on common resources. These regs are fundamentally different from food, health, and environmental regulations.
Re:My God (Score:5, Informative)
There are current encryption technologies already deployed in the market that allow for two sets of data to be encrypted with two keys into a single file. This allows a user to encrypt a sensitive file with an innocuous one, so that when required to disclose a private key the user can just give the one that decrypts the innocent data.
Again, these new laws will only deteriorate the right to privacy of innocent people, while the real criminals will be allowed to roam free doing their dirty deeds with little more trouble then a software upgrade.
Re:My God (Score:5, Insightful)
v'z fher v'yy trg zbqqrq qbja sbe guvf fvapr v'z rkcerffvat n ceb-crefbany-svernezf ivrjcbvag, ohg naljnl...
Indeed, there is a very strong parallel between this and gun control schemes. The honest people give up their guns/keys to the government, the people who are already criminals have no reason to do so. The bad guys simply get smarter at hiding what they do. Who gets screwed in the end? It's always the honest, law-abiding citizens.
Oh yeah, dear UK government, you can pry the encryption key for this post from my cold, dead hands, along with my firearm... (Although in this particular case I think it will be more difficult to get the gun than the key.)
Doesn't seem like Orwell and friends really accomplished much, does it? They showed us the future but we're just walking right smack into it anyway, eyes wide shut.
Re:My God (Score:5, Funny)
Oh... wait a minute. This just in: Neither do the people in the United States, apparently. This appears to have expired somtime between Nov 2000 and Sept 2001.
Re:My God (Score:5, Insightful)
Wishful thinking, they extended it to 28 days without trial/evidence instead. Blair was still spouting on that the country's security had been compromised. Because police and security services had some power removed, right?
One of Blair's favourite lines went something like this,
"I don't understand why people seem to think that the rights of terrorist suspects should be more important than those of innocent people."
Re:What the hell? (Score:5, Funny)
Switching a few words around in a famous bit of prose: (-1, Douchebag)
Knowing which words to switch: (+5, Interesting)
Some things (+1, Funny) can't buy. For everything else, there's metamod.
Simple solution. (Score:5, Funny)
Re:Simple solution. (Score:5, Interesting)
Methinks the UK government doesn't know that what it wants is technologically infeasible....
Re:Simple solution. (Score:5, Informative)
"Methinks the UK government doesn't know that what it wants is technologically infeasible...."
Methinks you didn't RTFA.
They are not asking that all keys be submitted. They are simply asking to give the police the power to force you to submit keys on request. In other words, after they've already confiscated your computer and discovered that there are encrypted files, they demand that you hand over the key, and if you don't, then they can throw you in jail.
I'm not saying I agree with it, just trying to clarify the misconception that everyone in this thread seems to be having about this.
Re:On the other hand (Score:5, Insightful)
key turning point in government relations (Score:5, Insightful)
Encryption keys don't kill people, people kill people.
If owning (not divulging) encryption keys is criminalized, only criminals will own encryption keys.
These "rules" will only push the envelope of how and what criminals (or terrorists, etc.) use to hide their activities. And at the same time, they will add one more burden to the general population to manage and ensure the government is informed of their encryption infrastructure. Nuts.
The most effective infiltration into terrorist infrastructure is still social engineering. I'd rather the money spent creating and managing something like this spent training and hiring translators, covert agents, etc.
A convincing point about the futility of this proposed rule comes from the article:
Re:key turning point in government relations (Score:5, Insightful)
Re:key turning point in government relations (Score:5, Insightful)
Besides, there are already horribly injust mechanisms for detaining people in Britain without the need for a trial. Thats what we should be getting worked up about (although the Human Rights Act is doing for them, fortunately).
But this far more measured Act (which involves warrants, Section 49 orders, actual trials, and the need for evidence and all that) is what slashdotters choose to get worked up about. And why? Because it involves computers.
Frankly, thats pretty pathetic.
Stop giving the US gov't ideas (Score:5, Funny)
Re:Stop giving the US gov't ideas (Score:5, Informative)
Even with a warrant they can not force you to give up your encryption keys. There is this thing called the 5th amendment to the constitution.
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
You can take the 5th when questioned about your keys. No matter what they do they can not compell you to give them that information.
Spaceballs: (Score:5, Funny)
1.....2.....3.....4.....5
I RTFA, but I don't get it... (Score:5, Funny)
Warning (Score:5, Insightful)
What about global corporations? (Score:5, Interesting)
What about communication between offices on the internet? A japanese analyst creates some research, but due to technical problems the only Compliance office up is in Europe. So every program or service that can comminicate with Britain has to check if a request is going to/through the UK before applying the "approved" encryption.
To quote, "this is madness"
This is bizarre (Score:5, Funny)
"Oh, yeah, you think that telephone call database is slick, check this sh*t out. We're gonna make our subjects give up their crypto keys or go to jail"
"Oooh, good one!" (high five)
Steganography (Score:5, Insightful)
http://en.wikipedia.org/wiki/Steganography [wikipedia.org]
In other news... (Score:5, Insightful)
- cameras are used by criminals, paedophiles, and terrorists - we need access to your negatives/memory disks.
- houses are used by criminals, paedophiles, and terrorists - we need access to your house keys.
- cars are used by criminals, paedophiles, and terrorists - we need copies of your car keys.
- ATM machines are used by criminals, paedophiles, and terrorists - we need to know your PINs.
- Online email services are used by criminals, paedophiles, and terrorists - we need to know your username/passwords.
- Computers are used by criminals, paedophiles, and terrorists - we need to install a backdoor on your computer.
1984 news (Score:5, Informative)
You're behind the times.
The UK is already (planning) installing a system of automatic licence plate recognising camera's throughout the country. The resulting database will allow a very comprehensive following of cars and thus persons.
The next step is of course that you have to report to the police whenever you've driven an other car but your own...
England Prevails (Score:5, Interesting)
Parliment better watch out... hear there's a train heading there loaded with fireworks and other things that go boom.
New encryption scheme (Score:5, Interesting)
In Soviet Russia... (Score:5, Insightful)
Yeah, no "In Soviet Russia" Joke here.
This is frightening. It's like we're becoming the very thing we fought in the cold war. A totalitarian government.
But at least we have 37 types of cereal.
Actions are criminal, not tools (Score:5, Insightful)
A criminal that shoots someone in the head used a gun -- it is the shooting that is evil. He could have used a baseball bat.
A criminal that blows up a building might use a cell phone -- it is the building exploding that is evil. He could have used e-mail or writing a big X on a tree.
We have to stop government from criminalizing actions that are part of our right to speech. This right is not something Constitutional or created out of any government document -- it is a natural right that all humans share, no matter what the laws say.
I'll continue to encrypt, and I'll dare the government to try to restrict me. If I have to, I'll encrypt by using an encryption program that hides my real text to make it look like readable language. Let them try to stop that. Or I'll use my own spoken code. Will they find a way to criminalize it?
Don't criminalize tools, criminalize criminal actions.
Summary is not complete (Score:5, Informative)
The basic argument is that the purpose of a search warrant is defeated by encryption. Now I think that's wrong, or at least part wrong, and I think an alternative would be to make material held by the defendant which he does not choose to decrypt something that the jury can take account of, just as refusal to testify is now, under limited circumstances, something the judge can point to during summing up. And the alternative of forcing decryption isn't offered (although quite how someone would demonstrate that plain text they offered really _was_ the decryption is a whole other question).
The is bad, illiberal law, and those of us involved in campaigning against it have been in correspondance with our MPs for some years. But it's not just Britain that is tearing up its freedoms in the face of minor terrorism: the USA collectively shat its pants and ripped up a century of jurisprudence on the 12th of September. It makes far more sense for people with a desire for freedom to work together, rather than to assume that we're a bunch of proto-fascists while Bush Jr defends your constituional rights.
ian
Implementation (Score:5, Insightful)
This is referred to as a "catch-all" type of law. Beware the wonders of selective enforcement.
The idea here is that if you find a suspected terrorist, and they use encryption, you don't even need to bust them for terrorism OR for not providing their encryption keys when demanded. You can just go to step A, look up their name in the government encryption key database, find out that no, they did not provide their encryption key to , and take them directly to jail.
Regardless of whether or not the are a terrorist, regardless of whether or not they are willing to turn over their encryption keys when asked, you can find them guilty.
This is not about collecting everyone's encryption keys (at least not at first). Initially, this will be used as a blunt stick to smack anyone the government doesn't like. Think of the way seat belt laws are enforced; cops won't stop you for not wearing your seat belt, but they'll sure as hell issue a ticket for it even if you aren't speed, have all your paperwork in order, and have done nothing else wrong. It's a sort of standby crime they can get you on.
I'd like to see some stats... (Score:5, Insightful)
Like so many others, I see this as nothing more than an attack on privacy and not as an aid to criminal investigations. Criminals are not going to turn over their keys. People who turn over their keys aren't likely engaged in criminal acts. "honest" people who believe in the right to privacy will become criminals, however.
I'm not sure "police state" is the right word, but we're certainly talking about criminalizing the general population to the point that only people "in office" can have the right to privacy under the guise of "national security." And a funny thing happens to your rights when you become "a criminal." You lose them along with your ability to run for public office and all manner of other things.
Cat. Mouse. Cat. Mouse. Cat. Mouse. (Score:5, Insightful)
The use of illegal government spying on innocent citizens is proliferating.
Your move now.
...(and no, you may not have my encryption keys [gnu-designs.com]).
Plausible Deniability (Score:5, Interesting)
TrueCrypt lets you mount the container as a filesystem, which is a convenient way to go. This sort of thing allows you to:
a) Deny that there is anything encrypted for which you have not proffered a key. "Oh yeah, show me what I have encrypted and I'll show you the key."
b) If that's not enough, proffer the false key that gives them the alternative access. "Ok, here you go. Let me know if you find anything incriminating. (tee hee)"
Lastly, if you use things like encrypted swap on a unix device, you can plausably say that what is there is just an encrypted swap file, and you don't have a key because the key is never saved to the disk. Why isn't it mounted now? You only set it up temporarily and forgot to delete the file when it was done. (for 1Gb files or larger...) If you have a 20Gb file, you're probably going to have to explain it... and go for option (b) above.
Of course, if your 20Gb file is not a file, but is just an "empty" partition... well there you go.
Please note - I'm not advocating breaking any law here - just outlining what this will drive people who care enough to do.
Nothing compared to Tuesday's Dictatorship Bill (Score:5, Informative)
Or the human cattle ID cards Act [no2id.net], which creates by far the world's most intrusive Big Brother database on citizens by linking up 5+ previously unconnected databases...
The Dictatorship Bill, also called the Abolition of Parliament Bill [timesonline.co.uk], Totalitarianism Bill [impactnottingham.com] or (by the Govt) the Legislative and Regulatory Reform Bill is nothing less than a naked grab for power. After being amended 3x, the Bill was passed in the form described here [thebusinessonline.com].
LRRB [parliament.uk] enables ministers to rewrite our constitution with only rudimentary scrutiny. Consider the extraordinary mass surveillance / coersion [bristol-no2id.org.uk] implications of the ID Cards Act. Even the well-organised opposition [no2id.net] could not stop this legislation.
What chance then of:
1. Spotting obscure but deeply damaging clauses hidden in the boring legislation?
2. Motivating the Tories, LibDems and enough New Labour drones to subsequently block it?
LRRB is then carte blanche for Blair to do what he will with this country. What can we deduce of his plans?
New Labour already rejected [libertycentral.org.uk] an amendment to stop LRRB re-writing our most important constitutional laws. They then promised to introduce new amendments fulfilling the same thing. Our skepticism was once again justified [spy.org.uk]. This is more than enough evidence that Blair wants dictatorial powers.
LRRB is obviously a precursor to passing laws which Parliament wouldn't otherwise pass.
Considering the deeply scary laws he's got through Parliament, the likelihood is that he wants something so badly, and so unpalatable that he won't even risk presenting it for proper Parliamentary scrutiny.
- He does not need Parliamentary approval to invade Iran
- He already has Hitler's Enabling Act [blogspot.com].
- He has already passed RIPA [magnacartaplus.org] and the ID Cards Act for more Big Brother snooping than anything China or North Korea have.
- He already has locked up people for 3 years without trial or even being questioned - although he has been twice been 'told off' for breaching the Human Rights Act in this way.
I did not believe that he needs LRRB to repeal the HRA - indeed one welcome amendment [spy.org.uk] was to exclude the HRA from being amended. When every other explanation has been ruled out, whatever remains, however unlikely, must be considered. I think something much worse is coming although I dread to think what.
Re:Brilliant idea... (Score:5, Interesting)
I'm sure the criminals, paedophiles, and terrorists will just be lining up to hand over their keys, too.
That's the odd thing about this. You can get up to 2 or 5 years in the can (depending on if they think you're a terrorist). So if you have gigs of terrorist info that could get you sent away for life, just say you lost your keys and go away for 5 years max.
Re:odd request (Score:5, Informative)