Stories
Slash Boxes
Comments

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

First Use of RIPA to Demand Encryption Keys

Posted by samzenpus on Thu Nov 15, 2007 01:22 AM
from the tell-us-everything dept.
kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • solution (Score:5, Informative)

    by User 956 (568564) on Thursday November 15 2007, @01:27AM (#21359889) Homepage
    The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of.

    That's why you use an encrypted file system with a duress key. In the event of coercion, you give them a key that *oops* results in the destruction of the data.
    • Re:solution (Score:5, Informative)

      by PhrostyMcByte (589271) <phrosty@gmail.com> on Thursday November 15 2007, @01:36AM (#21359953) Homepage
      any forensic team with an ounce of competence will copy the original HDD and work off the copy, so that just won't work.
      • Re:solution (Score:5, Funny)

        by Anonymous Coward on Thursday November 15 2007, @01:46AM (#21360005)
        that is, of course, assuming that the police forensics team has an ounce of competence.
          • Re:solution (Score:5, Funny)

            by Anonymous Coward on Thursday November 15 2007, @03:23AM (#21360705)
            Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.

            Let me guess: you're either American, Israeli or Australian.
        • Re:solution (Score:5, Interesting)

          by Zemran (3101) on Thursday November 15 2007, @03:30AM (#21360739) Homepage Journal
          Speaking as someone that used to teach Computer Forensics to the SFO, British Customs, the USA's FBI etc (they now have their own courses). I can assure you that the first thing that was covered was disk imaging and that you should always work from the image. The original is evidence and any damage (read change) renders that evidence inadmisable. All you have to do is turn on and the OS is likely to make a change. This is taken to the degree of not using windows as the OS for imagining as windows likes to write to secondary drives when they are mounted. If you use Linux you can more easily mount as read only. It is best to make a couple of good primary images and then work from images of them rather than continually reverting to the original drive/s when you mess up so as to minimise the risk of damage and a lost case.
    • Re:solution (Score:5, Informative)

      by mlts (1038732) * on Thursday November 15 2007, @01:47AM (#21360023)
      Having a known self destruct switch may cause a person to end up even worse trouble. This is a discussion that occurs periodically on a number of cryptography forums.

      Almost all police departments will image the drive, then present the person with the image to decrypt. If the image gets stung by a self destruct Trojan, then the police will know that its not a forgotten password, and then proceed to use rubber hose decryption to obtain the contents of the drive.
    • Better solution (Score:5, Interesting)

      by Whiney Mac Fanboy (963289) * <whineymacfanboy@gmail.com> on Thursday November 15 2007, @01:49AM (#21360035) Homepage Journal
      A Better solution is plausible deniability [truecrypt.org].

      One password gives your uber-secret-plans-for-world-conquest, the other password gives a few hundred meg of soft porn (or whatever).

      That way, you appear to not be resisting their demands.
      • by drgonzo59 (747139) on Thursday November 15 2007, @03:05AM (#21360603)
        Exactly!


        Encrypting your data and not hiding it is the same as getting a $100k super secure safe, locking your stuff in it, but leaving it in the middle of the living room. Any { law enforcement agency / criminal gang / anyone with more resources and more muscles that you } will just force you to give them the key. In other words, they see the super secure safe and automatically assume there must be at least $1M in there and then they force you to give them the key. The govt will cite all kinds of stupid idiotic laws, the criminals will start cutting of the fingers (yours or your loved ones').


        The solution is to use something like steganography and hide the data such that nobody even will suspect anything. The best secrets are the ones that are not even known to exist.


        If the adversary is convinced that you do have the data and knows the data type, then create a similar but fake data set to be substituted for the real one.

        • Re:Better solution (Score:5, Interesting)

          by jd (1658) <<moc.oohay> <ta> <kapimi>> on Thursday November 15 2007, @02:19AM (#21360309) Homepage Journal
          Most are. There again, the former British Home Secretary changed the UK law to allow plausible denial when he got bombarded with encrypted files, followed by demands he turn over the decryption key. Has this been tried in the US? If not, why not? Seems like if it worked once, it should work other times. Might also try claiming that handing over the key would violate the DMCA and that you can't be ordered to commit a crime. (Not sure if that's strictly the case, but unless that event has been specifically covered, it might create enough doubt that the sentence is partially or entirely suspended, or even - unlikely as it is - the case thrown out. That's not perfect but it would be better than the pre-trial misery of Kevin Mitnick.)
        • Re:Better solution (Score:5, Informative)

          by LurkerXXX (667952) on Thursday November 15 2007, @02:23AM (#21360347)
          Filesize arithmetic?

          You never used Truecrypt eh? It's not a zip file. It acts as a virtual hard drive partition that can be mounted as a drive.

          When you create the volume it generates random bits throughout the virtual partition. You can copy whatever files you want onto the virtual partition, the rest of it is random noise. You may or may not choose to have additional hidden encrypted partitions within that noise. Adding up the size of know files tells you nothing about what may or may not lurk in the rest of the space on the virtual partition.
  • Heh. (Score:5, Interesting)

    by Renraku (518261) on Thursday November 15 2007, @01:28AM (#21359895) Homepage
    Acquire virus.

    Virus encrypts hard drive with unknown key.

    Virus forwards CP to authorities.

    Authorities bust you for having CP, for not revealing those encrypted files, AND for probably having more CP. Most likely will be averaged..say..15k is a picture..you have 200GB. The media will say that you were arrested with 100k+ pieces of child pornography.

    Five years later, turns out that it really was a virus. Sorry about that..here's your freedom again.
  • by definate (876684) on Thursday November 15 2007, @01:29AM (#21359911)
    Are you telling me, that I could output /dev/random to a file, place it on my friends hard drive, say it contains valuable information pertaining to a case and he could go to jail or be fined for not revealing the password/key?

    This gives me an idea!

    Either way, if you need to you can get around this with TrueCrypt by taking some precautions such as:

    1) Not naming it with the default extension (.tc)
    2) Put it somewhere inconspicuous and name it appropriately
    3) Making sure that it's a hidden encrypted volume
    4) Open it through TrueCrypt and don't save the history, or passwords, or as automount, or similar

    Shit, that was a typo, I meant to type FIRST POST!!!
        • by Twanfox (185252) on Thursday November 15 2007, @02:43AM (#21360467)
          Of course, this makes me wonder something from a 'thought police' perspective. With the file in question being a common TrueCrypt encrypted volume that doesn't really contain anything incriminating:

          TP: Give us the passphrase!
          Suspect: It's HotSmokinBabes
          TP: Now give us the hidden volume passphrase!
          Suspect: It doesn't have a hidden volume.
          TP: LIAR, give us the passphrase!

          Just because the possibility exists, the authority in question might ask for something he cannot prove isn't there. If you have nothing to give, this leads to the problem of lying to authorities to give them what they think they want, when you've already given them what they asked for and it proves you innocent. Aren't these going to be fun times to live in.
  • huh (Score:5, Insightful)

    by Anonymous Coward on Thursday November 15 2007, @01:31AM (#21359919)
    how can you be put in jail for not knowing something?
  • by GoatRavisher (779902) on Thursday November 15 2007, @01:43AM (#21359981)

    Historically, the legal protection against self-incrimination is directly related to the question of torture for extracting information and confessions.[citation needed] The legal shift from widespread use of torture and forced confession dates to turmoil of the late 16th and early 17th centuries in England. Anyone refusing to take the oath ex-officio (confessions or swearing of innocence, usually before hearing any charges) was taken for guilty. Suspected Puritans were pressed to take the oath and then reveal names of other Puritans. Coercion and torture were commonly employed to compel "cooperation." Puritans, who were at the time fleeing to the New World, began a practice of refusing to cooperate with interrogations. In the most famous case, John Lilburne refused, in 1637, to take the oath. His case and his call for "freeborn rights" were rallying points for reforms against forced oaths, forced self-incrimination, and other kinds of coercion. Oliver Cromwell's revolution overturned the practice and incorporated protections, in response to a popular group of English citizens known as the Levellers. The Levellers presented The Humble Petition of Many Thousands to Parliament in 1647 with thirteen demands, of which, the right against self-incrimination (in criminal cases only), was listed at number three. These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.
    http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution [wikipedia.org]
  • New Act (Score:5, Funny)

    by Soporific (595477) on Thursday November 15 2007, @01:50AM (#21360049)
    Why don't they just sign the "We'll Do Whatever The Fuck We Want Anytime We Want Act" and just get it over with already?

    ~S
  • by paulthomas (685756) on Thursday November 15 2007, @01:58AM (#21360117) Journal
    If such a law were enacted in the US, we would be protected, ostensibly, by the 5th amendment to the Constitution. I say ostensibly because apparently the Constitution is "just a piece of paper" now, and we (some of us) have forgotten about the rule of law.

    So, this could happen here. Easily. We need to find some way to restore the rule of law here lest we become like that other large country just across the Bering Strait from us.

    Hmmm...
  • by niceone (992278) * on Thursday November 15 2007, @03:13AM (#21360647) Journal
    You will find that it is not clear that RIPA is actually being used - in fact it probably is not:

    It's unclear if the woman was given an official Section 49 notice or simply "invited" to hand over the data voluntarily as part of a bluff by the authorities.

    Richard Clayton, a security researcher at Cambridge University and long-time contributor to UK security policy working groups, said that only the police are authorised to issue Section 49 notices. "What seems to have happened is that the CPS (who couldn't issue a notice anyway) have written asking the person to volunteer their key," he adds.

    "Should they refuse this polite request, they are being threatened with the subsequent issuing of a notice, which might or might not require the key to be produced (it might of course just require the putting into an intelligible form of the data)."

    • by mrbluze (1034940) on Thursday November 15 2007, @01:34AM (#21359935) Journal
      Put her in a lead vest and throw her into the sea. If she drowns, it means she didn't have the keys, but if she swims, she's a wicked witch and deserves to be punished.
    • by hedwards (940851) on Thursday November 15 2007, @01:43AM (#21359987)
      There are a number of problems with these sorts of laws. One is if the person lost the keyfile which is required to open the file, or if the encrypted volume got corrupted or if the keyfile became corrupt the file can't be decrypted without cracking it. There just isn't any good way of knowing for sure if the person gave a bad password or if there was a genuine problem with it.

      Two is that there isn't genuinely any way of knowing what has been encrypted, it could be evidence of wrong doing, or it could be just some sort of embarassing, but legal, porn.

      Three is that there is a tendency of these sorts of laws to end up sending innocent people to prison for not being able to reveal the information in a virus or malware encrypted file.

      It is a tough situation, increasingly people engaged in illicit activities are turning to encryption as a means of keeping evidence secret, and from a technical standpoint refusing to decrypt the information is obstruction of justice.
    • Torture a fish in front of her. She'll talk if she knows the answer.
      • by 0123456 (636235) on Thursday November 15 2007, @01:55AM (#21360091)
        "I don't see why encrypted files should be any different than hardcopy or anything else that could be seized under sub poena."

        The police already _have_ the files. They're free to try to crack the encryption on those files.

        While I intensely dislike the animal rights nutters, this is a stupid and oppressive law which should never have been passed. And I can quite believe that the police she was raided by are 'thugs'; ask that guy they shot eight times in the head a while back if that's a good description... oops, you can't, he's dead.