First Use of RIPA to Demand Encryption Keys

kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."

solution

[User 956 (568564)]

The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of.

That's why you use an encrypted file system with a duress key. In the event of coercion, you give them a key that *oops* results in the destruction of the data.

Re:solution

[PhrostyMcByte (589271)]

any forensic team with an ounce of competence will copy the original HDD and work off the copy, so that just won't work.

Re:solution

[by Anonymous Coward]

that is, of course, assuming that the police forensics team has an ounce of competence.

Re:solution

[by Anonymous Coward]

Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.

Let me guess: you're either American, Israeli or Australian.

TrueCrypt is the best for Windows and Linux.

[Futurepower(R) (558542)]

TrueCrypt [truecrypt.org] allows hidden volumes [truecrypt.org], indistinguishable from one volume. The file size is constant.

TrueCrypt works very, very well. I use it with just one volume to protect passwords and other files.

When you don't want to encrypt a volume, but just a file, Gnu Privacy Guard [gnupg.org] is best.

TrueCrypt: Open Source and Free.

[Futurepower(R) (558542)]

I forgot to say that TrueCrypt is open source and free, and, in my experience, perfectly reliable. There are Windows and Linux versions, and a Mac OS X version is planned.

Don't forget to donate if you use TrueCrypt extensively.

The present government corruption in both the U.S. and U.K. started when secret violence was authorized as a way of protecting oil investments of British and U.S. investors. Tending toward outlawing privacy is a way of continuing that corruption. Any government that can act in secret cannot be a democracy, because citizens cannot participate in things that are unknown to them.

This is a good site to read about the corruption, and to contribute links: U.S. Government corruption TimeLines [cooperativeresearch.org]. Example: Complete 911 Timeline, 3895 events.

Re:solution

[Nazlfrag (1035012)]

Just blind them with goatse as the first file, they won't go near the rest.

Re:solution

[Zemran (3101)]

Speaking as someone that used to teach Computer Forensics to the SFO, British Customs, the USA's FBI etc (they now have their own courses). I can assure you that the first thing that was covered was disk imaging and that you should always work from the image. The original is evidence and any damage (read change) renders that evidence inadmisable. All you have to do is turn on and the OS is likely to make a change. This is taken to the degree of not using windows as the OS for imagining as windows likes to write to secondary drives when they are mounted. If you use Linux you can more easily mount as read only. It is best to make a couple of good primary images and then work from images of them rather than continually reverting to the original drive/s when you mess up so as to minimise the risk of damage and a lost case.

Re:solution

[mlts (1038732)]

Having a known self destruct switch may cause a person to end up even worse trouble. This is a discussion that occurs periodically on a number of cryptography forums.

Almost all police departments will image the drive, then present the person with the image to decrypt. If the image gets stung by a self destruct Trojan, then the police will know that its not a forgotten password, and then proceed to use rubber hose decryption to obtain the contents of the drive.

Better solution

[Whiney Mac Fanboy (963289)]

A Better solution is plausible deniability [truecrypt.org].

One password gives your uber-secret-plans-for-world-conquest, the other password gives a few hundred meg of soft porn (or whatever).

That way, you appear to not be resisting their demands.

Don't just encrypt -- Hide!

[drgonzo59 (747139)]

Exactly!

Encrypting your data and not hiding it is the same as getting a $100k super secure safe, locking your stuff in it, but leaving it in the middle of the living room. Any { law enforcement agency / criminal gang / anyone with more resources and more muscles that you } will just force you to give them the key. In other words, they see the super secure safe and automatically assume there must be at least $1M in there and then they force you to give them the key. The govt will cite all kinds of stupid idiotic laws, the criminals will start cutting of the fingers (yours or your loved ones').

The solution is to use something like steganography and hide the data such that nobody even will suspect anything. The best secrets are the ones that are not even known to exist.

If the adversary is convinced that you do have the data and knows the data type, then create a similar but fake data set to be substituted for the real one.

Re:Better solution

[jd (1658)]

Most are. There again, the former British Home Secretary changed the UK law to allow plausible denial when he got bombarded with encrypted files, followed by demands he turn over the decryption key. Has this been tried in the US? If not, why not? Seems like if it worked once, it should work other times. Might also try claiming that handing over the key would violate the DMCA and that you can't be ordered to commit a crime. (Not sure if that's strictly the case, but unless that event has been specifically covered, it might create enough doubt that the sentence is partially or entirely suspended, or even - unlikely as it is - the case thrown out. That's not perfect but it would be better than the pre-trial misery of Kevin Mitnick.)

Re:Better solution

[LurkerXXX (667952)]

Filesize arithmetic?

You never used Truecrypt eh? It's not a zip file. It acts as a virtual hard drive partition that can be mounted as a drive.

When you create the volume it generates random bits throughout the virtual partition. You can copy whatever files you want onto the virtual partition, the rest of it is random noise. You may or may not choose to have additional hidden encrypted partitions within that noise. Adding up the size of know files tells you nothing about what may or may not lurk in the rest of the space on the virtual partition.

Heh.

[Renraku (518261)]

Acquire virus.

Virus encrypts hard drive with unknown key.

Virus forwards CP to authorities.

Authorities bust you for having CP, for not revealing those encrypted files, AND for probably having more CP. Most likely will be averaged..say..15k is a picture..you have 200GB. The media will say that you were arrested with 100k+ pieces of child pornography.

Five years later, turns out that it really was a virus. Sorry about that..here's your freedom again.

So lemme get this straight

[definate (876684)]

Are you telling me, that I could output /dev/random to a file, place it on my friends hard drive, say it contains valuable information pertaining to a case and he could go to jail or be fined for not revealing the password/key?

This gives me an idea!

Either way, if you need to you can get around this with TrueCrypt by taking some precautions such as:

1) Not naming it with the default extension (.tc)
2) Put it somewhere inconspicuous and name it appropriately
3) Making sure that it's a hidden encrypted volume
4) Open it through TrueCrypt and don't save the history, or passwords, or as automount, or similar

Shit, that was a typo, I meant to type FIRST POST!!!

Re:So lemme get this straight

[Twanfox (185252)]

Of course, this makes me wonder something from a 'thought police' perspective. With the file in question being a common TrueCrypt encrypted volume that doesn't really contain anything incriminating:

TP: Give us the passphrase!
Suspect: It's HotSmokinBabes
TP: Now give us the hidden volume passphrase!
Suspect: It doesn't have a hidden volume.
TP: LIAR, give us the passphrase!

Just because the possibility exists, the authority in question might ask for something he cannot prove isn't there. If you have nothing to give, this leads to the problem of lying to authorities to give them what they think they want, when you've already given them what they asked for and it proves you innocent. Aren't these going to be fun times to live in.

huh

[by Anonymous Coward]

how can you be put in jail for not knowing something?

I guess torture is will be next... oh wait...

[GoatRavisher (779902)]

Historically, the legal protection against self-incrimination is directly related to the question of torture for extracting information and confessions.[citation needed] The legal shift from widespread use of torture and forced confession dates to turmoil of the late 16th and early 17th centuries in England. Anyone refusing to take the oath ex-officio (confessions or swearing of innocence, usually before hearing any charges) was taken for guilty. Suspected Puritans were pressed to take the oath and then reveal names of other Puritans. Coercion and torture were commonly employed to compel "cooperation." Puritans, who were at the time fleeing to the New World, began a practice of refusing to cooperate with interrogations. In the most famous case, John Lilburne refused, in 1637, to take the oath. His case and his call for "freeborn rights" were rallying points for reforms against forced oaths, forced self-incrimination, and other kinds of coercion. Oliver Cromwell's revolution overturned the practice and incorporated protections, in response to a popular group of English citizens known as the Levellers. The Levellers presented The Humble Petition of Many Thousands to Parliament in 1647 with thirteen demands, of which, the right against self-incrimination (in criminal cases only), was listed at number three. These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.

http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution [wikipedia.org]

New Act

[Soporific (595477)]

Why don't they just sign the "We'll Do Whatever The Fuck We Want Anytime We Want Act" and just get it over with already?

~S

Fortunately in the US...

[paulthomas (685756)]

If such a law were enacted in the US, we would be protected, ostensibly, by the 5th amendment to the Constitution. I say ostensibly because apparently the Constitution is "just a piece of paper" now, and we (some of us) have forgotten about the rule of law.

So, this could happen here. Easily. We need to find some way to restore the rule of law here lest we become like that other large country just across the Bering Strait from us.

Hmmm...

If you read to the bottom...

[niceone (992278)]

You will find that it is not clear that RIPA is actually being used - in fact it probably is not:

It's unclear if the woman was given an official Section 49 notice or simply "invited" to hand over the data voluntarily as part of a bluff by the authorities.

Richard Clayton, a security researcher at Cambridge University and long-time contributor to UK security policy working groups, said that only the police are authorised to issue Section 49 notices. "What seems to have happened is that the CPS (who couldn't issue a notice anyway) have written asking the person to volunteer their key," he adds.

"Should they refuse this polite request, they are being threatened with the subsequent issuing of a notice, which might or might not require the key to be produced (it might of course just require the putting into an intelligible form of the data)."

There is a way of finding out..

[mrbluze (1034940)]

Put her in a lead vest and throw her into the sea. If she drowns, it means she didn't have the keys, but if she swims, she's a wicked witch and deserves to be punished.

Re:What if she doesn't actually know?

[hedwards (940851)]

There are a number of problems with these sorts of laws. One is if the person lost the keyfile which is required to open the file, or if the encrypted volume got corrupted or if the keyfile became corrupt the file can't be decrypted without cracking it. There just isn't any good way of knowing for sure if the person gave a bad password or if there was a genuine problem with it.

Two is that there isn't genuinely any way of knowing what has been encrypted, it could be evidence of wrong doing, or it could be just some sort of embarassing, but legal, porn.

Three is that there is a tendency of these sorts of laws to end up sending innocent people to prison for not being able to reveal the information in a virus or malware encrypted file.

It is a tough situation, increasingly people engaged in illicit activities are turning to encryption as a means of keeping evidence secret, and from a technical standpoint refusing to decrypt the information is obstruction of justice.

Re:What if she doesn't actually know?

[Harmonious Botch (921977)]

Torture a fish in front of her. She'll talk if she knows the answer.

Re:What if she doesn't actually know?

[0123456 (636235)]

"I don't see why encrypted files should be any different than hardcopy or anything else that could be seized under sub poena."

The police already _have_ the files. They're free to try to crack the encryption on those files.

While I intensely dislike the animal rights nutters, this is a stupid and oppressive law which should never have been passed. And I can quite believe that the police she was raided by are 'thugs'; ask that guy they shot eight times in the head a while back if that's a good description... oops, you can't, he's dead.