UK Court Rejects Encryption Key Disclosure Defense 708
truthsearch writes "Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled. The case marked an interesting challenge to the UK's Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive. The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination. In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will."
I wish the US Supreme Court was that smart. (Score:3, Insightful)
I wish the US Supreme Court was that smart.
Protection from self incrimination was to prevent confesions under duress or torture.
I don't see the difference between refusing to turn over an encryption key and refusing to let the police in your house when they have a valid search warrant.
Oh noes! You police can't come into my meth lab. Me letting you in would be self incrimination!
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
How is locking somebody up for a full year in a prison cell because they do not give up the encryption key, claiming they don't know it, other than torture?
In short, how is it different?
Re: (Score:3, Interesting)
So, by YOUR theory, subpoenas would be completely unenforcable.
A subpoena ad testificandum orders a person to testify before the ordering authority or face punishment.
Sorry Judge, I forgot.
A subpoena duces tecum orders a person to bring physical evidence before the ordering authority or face punishment.
Sorry, Judge, I lost it.
Unless you're just stupid and say "No" instead of "I forgot"
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
You seem to grossly miss a point: a password might easily be really forgotten. Ever happened to you?
How would you, as a lawmaker, fairly address this situation?
Put everyone in jail, just to be sure to catch the deceitful villain, too?
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
You seem to grossly miss a point: a password might easily be really forgotten. Ever happened to you?
nope, because 'biscuit123' is really easy to remember, and totally secure, because letters and numbers == strong, plus no-one would ever think of it.
See, some of us have the clevers.
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
I prefer a password of "I'm sorry, I can't remember it!".
So when the cops ask, I can tell them.
Re: (Score:3, Insightful)
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
It's probably the extremely rare case where encryption keys kill people.
Re:I wish the US Supreme Court was that smart. (Score:5, Informative)
Lucky for us Americans, a subpoena can not force you to testify against yourself. It's a Constitutional right written in black ink and cannot be revoked by any mere subpoena.
Re: (Score:3, Insightful)
You think nobody's ever confessed to something they didn't do under torture?
I'd say a false confession qualifies as "making up sh*t"
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
This is a genuine distinction between passphrases and other information they might want you to reveal.
This is not a distinction that should ever come into play however. Punishing a person for not doing something that might be completely impossible for them to do is wrong.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
I gotta disagree there. In the article it states:
>>>In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will.
If a presumed-innocent person drops an actual key into a hole-in-the-ground, and refuses to divulge its location, the police can't incarcerate him simply because he refuses to say where it's located. That's loss of liberty without due process. They have to let him go.
And they can't use torture to try to force the hidden location out of him either. The man might be completely innocent and have no clue where a key exists, and therefore unable to reveal the location, even under threat of one year imprisonment.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
Exactly.
It's just a power grab.
1:Encrypted data can be hidden within random data.
2:Encrypted data can be hidden within normal data such as the least significant bit of your family photos.
3:Encrypted data can be hidden on a seemingly "empty" drive.
4:It is impossible to prove with certainty any of the above situations as opposed to 1:the data actually being random, 2:there being no data hidden within the normal data, 3: a drive really bing empty.
5:If the police think you have encrypted data you must give up the key or go to jail.
Result:If you live in the UK and own any form of electronic storage you can be jailed at at time.
Comment removed (Score:4, Insightful)
Re:I wish the US Supreme Court was that smart. (Score:5, Interesting)
only if you care about civilian casualties.
as for finding terrorists, they're too useful. I don't mean in a conspiracy theory doing the governments bidding way. I mean they can be used to raise political capital.
Lets take a the example of ETA in the basque country of Spain. Every time there's a scandal or some big fuckup by senior government officials there just happens to be a crackdown on ETA members shortly after. Oil tanker disaster = crackdown. Senior official sex scandal = smaller crackdown. with lots of headlines about all the ETA members arrested pushing the sandals off the front page.
It's well known that the authorities in Spain keep tabs on most of the organisation and could probably round up most of them overnight if they really wanted.
The heavy handed way they treat it only serves to increase the number of recruits, the organisation would have faded away to almost nothing if the Spanish government didn't intern people and fuck up their lives as part of this.
Now I wonder if there are any parallels with how the US runs it's own war on terror...
Want to hold on to political power? don't even dream of getting rid of the terrorists, they're a minor threat but you can use them to demand a great deal of power.
The ain't no escape from a hole in the ground (Score:3, Insightful)
.
No they don't.
The procedure is the same:
The judge will decide whether the demand for the key is legitimate. The judge will decide whether it is reasonable to believe you can produce it.
That is "due process."
If his answer to both questions
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
The US has already ruled you can't be forced to give out an encryption key.
It's nice having a Bill of Rights, ain't it?
Laugh at all the British who say such a thing is unnecessary.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
*cough*Gitmo*cough*
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
Yeah, we'll laugh at them as soon as we're through laughing at the US for letting their bill of rights be trampled in the name of security.
Freedom must not only be won, it must be protected. Fail to do so and what's coming to you is solely your own fault.
Re:I wish the US Supreme Court was that smart. (Score:5, Interesting)
My thoughts exactly. People seem to get all pissy when I say something like "if you don't have the balls to protect your freedoms, you don't deserve them". I'm not a regular protester at any events or anything like that, but I'd rather be shot for defending my freedom than live to see it gone. Not that I believe privacy exists anymore. The whole world was too slow to act in learning about and defending their privacy in a new technological age. Sure, there were a few technologically aware people with a small voice that was easy to push aside. Too late, privacy's gone. Only way to get it back is to lay your own global network in secret and hope the governments of the world never hear about it.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
A lot of things were lost when the use of the SSN was required in order to participate in the financial system. Interestingly enough, when the system was brought about, people protested that very thing and it was written into law that the SSN could only be used for the purposes of tracking your social security account. The IRS ignored it (though you can request a tax ID) employers ignore it, banks ignore it, the whole system ignores it.
This isn't technology at play. It's something else.
Now you can't have a normal life without participating in this system; without allowing your transactions to be tracked.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
I'm not a regular protester at any events or anything like that, but I'd rather be shot for defending my freedom than live to see it gone.
But that's not how it works nowadays, is it? By and large you're not going to be given the chance to martyr yourself for liberty. You just get to watch basic freedoms slowly erode away while most people don't give a damn. Your options are either to try to effect change through the political system (good luck with that, you godless nihilist), to start an outright armed revolt (good luck with that, you godless terrorist) or to simply quietly secede and disregard the authority of "your" government to rule you. The last option will pretty much inevitably lead you into conflict with law enforcement, and ultimately you'll be faced with either giving up or taking up arms (good luck with that, you godless nutcase).
So either you're quiet and no-one notices or you're loud and your actions are used to further justify the need for increasingly draconian law enforcement.
Re: (Score:3, Insightful)
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
It's nice having a Bill of Rights, ain't it?
Laugh at all the British who say such a thing is unnecessary.
Who are all these British who say such a thing?
Britain has got a 'Bill of Rights': the Human Rights Act [opsi.gov.uk], which guarantees free speech, right to a fair trial (including the right not to incriminate oneself), etc, etc. This act formally enshrines rights that we've had under common law for centuries (eg, Habeas Corpus).
The fact that this court (not the highest in the land, mind) has chosen to interpret an encryption key as not covered under the right not to self-incriminate does not alter the fact that we also have constitutional rights.
So laugh away at your mythical British who say they don't need anything like the Bill of Rights.
Disclaimer: I think Britain is royally fucked anyway.
Re:I wish the US Supreme Court was that smart. (Score:5, Informative)
Them claiming that hey dont need it is exactally why it becomes nothing and the court can step all over it like in this instance.
Where are these British people who claim they don't need a Bill of Rights?
In my experience, British people fall into one of three camps:
I have never heard a British person claim they don't need a Bill of Rights. I lived in Britain for 37 years.
One of the things that upholds the US constitution is its terseness, saneness, and closeness to the chartering of the national government itsself, although certainly its constant defence is the most critical.
[my italics]
I absolutely agree, and despair at the lack of outrage in Britain. If you could compare the justified anger on the Brits behalf here on Slashdot with the deafening silence in Britain you would be amazed.
If the british in this thread and in general dont respond to such a claim then is it any differnt than them not having a Bill of Rights in the first place?
I responded. I think that is one more person than has claimed that Britain doesn't need a Bill of Rights.
Re: (Score:3, Insightful)
Yeah it is. We've had one since 1689 and we've had the Magna Carta since 1215.
Re: (Score:3, Insightful)
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
A warranted police search of your meth lab does not require any consent on your side - that's what the warrant is for. they will just break down the door and go on with the search.
same with the safe in your lab: you can either give the police the code for your safe, or refuse and watch them breaking it.
Why is your encryption key any different from the safe/door you have?
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
> Why is your encryption key any different from the safe/door you have?
It isn't. I'll just stand back and watch them break my 256-bit AES...
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
Re:I wish the US Supreme Court was that smart. (Score:5, Interesting)
What about when there's no key to hand over [theregister.co.uk]?
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
I don't see the difference between refusing to turn over an encryption key and refusing to let the police in your house when they have a valid search warrant.
It is much more like refusing to tell the police where in your house the contraband is hidden, or if there is contraband at all, and being put in jail because of your refusal.
Re: (Score:3, Insightful)
If they don't announce properly they have a search warrant, you can shoot them. You also have a right to refuse to unlock doors. They have a right to get a locksmith. The problem with encrypted data is almost no entity (unless you're the NSA) has a locksmith.
Re: (Score:3, Interesting)
No, that argument doesn't fly.
The physical lock might as well be a combination lock, and thus the combination would consist of "knowledge" just the same as for an encryption key. It is perfectly legal for the police to require you to divulge the combination to your locker.
"Something you know" isn't what counts when it comes to protecting you from self incrimination; it is whether the "something you know" is incriminating you. And unless your combination isn't a crime in itself, you wouldn't directly incrimi
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
Re: (Score:3, Insightful)
"Something you know" isn't what counts when it comes to protecting you from self incrimination; it is whether the "something you know" is incriminating you.
This leads to an interesting idea. Claim that you passphrase is a confession. If you plan ahead, you can even make that claim true. Encrypt your plan to assassinate the president with "I plan to assassinate the president OV:}A7MC".
Re:I wish the US Supreme Court was that smart. (Score:4, Insightful)
You can be forced to testify to things that indicate you committed a crime, you just can't be made to incriminate yourself.
The difference is subtle but one part of it is that a judge can give you immunity for your testimony, e.g., tell us X and we promise not to use it to prosecute you, and then you can no longer refuse on 5th ammendment grounds since it would no longer incriminate you.
Thus while this is a neat idea it wouldn't work. The prosecution would just offer you immunity for the contents of your passphrase but not the data it unlocks. Well in the US, but in the US you might not have to reveal the passphrase anyway.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
Unless the passphrase is the incriminating data.
Re:I wish the US Supreme Court was that smart. (Score:5, Funny)
Now that's a good idea.
Evildoer:"my password your honour? you're asking for my password?"
Judge: " Yes, give me your password now!"
Evildoer: "ok, the judge can suck my cock, all lower case."
Judge: " What? I'm going to throw you in jail for contempt!"
Evildoer: " No that's my passphrase, then the second one is " The faggot judge likes to lick prisioners underwear, with a capitol T on the."
Judge: " How dare you!...."
Evildoer: " you want my email passphrases too?"
If you think you're ever going to jail, make the passphrases something that will be your own version of shock and awe in the courtroom.
No (Score:5, Insightful)
It is also about avoiding catch-22s. The problem with requiring self incrimination is it can lead to a situation where they can lock people up for no reason. They charge you with a crime and say "Confess to this crime," you say "I didn't do it," they say "Refusal to testify against yourself is against the law, we are going to lock you up until you confess." So that is one important reason for the 5th amendment, it avoids situations like that.
Well encryption keys fall in that category. There are three important cases I can think of:
1) You forgot the password. This happens. I deal with many password reset requests a year and this is for computer/e-mail accounts that people use on a regular basis. If these people can't remember that, I find it extremely reasonable to assume they'd forget the password to an encryption volume they don't often use. Well, if you can go to jail for refusing to disclose your key, then you can go to jail for being forgetful.
2) A file that isn't yours. Your computer gets hacked, or someone you know uses it without your permission. Whatever the case, an encrypted file gets stuck on your computer that isn't yours. You can't had over the key, you don't know it. However there's no way to prove that so you go to jail.
3) Random data. Good crypto is nice and random. You can't distinguish it from other random or pseudo random noise. So you have a random file on your computer, or maybe just random data that there is a deleted file record for (as in there was a legit file there, it got deleted, it's space has now been overwritten by garbage). You can't prove it isn't encrypted data so you go to jail.
So I see encryption keys as very relevant under 5th amendment protection. We do not want a catch-22 situation where police can lock you up indefinitely just because they find something that looks encrypted.
Re:I wish the US Supreme Court was that smart. (Score:5, Interesting)
It gets worse. /dev/urandom > file
Theory: with a good encryption program any encrypted data should look random.
That truecrypt volume should be impossible to tell from a file I've created with
cat
So you could type that very command and 5 years later they ask for your encryption key...
Key?
To jail with you!
same goes for any random/semirandom data you have which has so mime type.
Now I'm willing to bet there are programs which can take a photo album and hide an encrypted volume in the least significant bit of the pixels, how would law enforcement deal with that?
"GIVE US THE KEY!"
"but but but... what do you want the key to..."
Long story short, if you live in the UK and own an electronic data storage device you can now be thrown in jail for no reason at all.
Re:I wish the US Supreme Court was that smart. (Score:5, Insightful)
"New" Labour, Old Communist party
Yes, keep on using this term "communist" willy nilly. It lets you tar any lefties at the same time as you tar the repressive policies of Labour. New labour are in social and economic policies a centrist-right party, very far from "socialist" or "communist".
Their policies on detention, warrantless searches, etc. are, however, quite repressive.
Since they protect the status quo and the interest of the wealthy, they are far more facist than communist.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
I hadn't noticed this in the artical when I made the last post but
"The woman, who claims to have not used encryption"
Huh? (Score:5, Insightful)
Memorised encryption keys exist outside of your will?
I'm sure the number exists somewhere out there, good luck finding it by brute force.
Re:Huh? (Score:5, Funny)
Reminds me of this failed pick-up scenario:
guy: Hey baby, what's your phone number?
girl: It's in the phone book, look it up!
guy: But I don't know your name.
girl: That's in the phone book too.
Re:Huh? (Score:5, Informative)
I wonder if it's illegal now to just forget. "I'd love to help you officer, but I guess I just forgot it!"
IIRC, that's been the case since the RIPA was first proposed. If the police come knocking and say "Give us the key", the burden of proof is on you to be able to show that you can't. (How on Earth you're meant to prove that you can't give them something like that is your problem).
Failure to give them the key can lead to 3 years in prison. There was also talk of a proposal whereby if you discuss the order to hand over the key with anyone, you can get 5 years in prison.
(All of this is based on several-year-old memories from articles in The Register, YMMV, IANAL, OMGWTFBBQ).
Re:Huh? (Score:4, Funny)
I wonder if it's illegal now to just forget. "I'd love to help you officer, but I guess I just forgot it!"
IIRC, that's been the case since the RIPA was first proposed. If the police come knocking and say "Give us the key", the burden of proof is on you to be able to show that you can't. (How on Earth you're meant to prove that you can't give them something like that is your problem).
Failure to give them the key can lead to 3 years in prison. There was also talk of a proposal whereby if you discuss the order to hand over the key with anyone, you can get 5 years in prison.
(All of this is based on several-year-old memories from articles in The Register, YMMV, IANAL, OMGWTFBBQ).
I'd just say the password is "the name of the second gunman on the grassy knoll". When the agent instantly types, you know there was one.
oh, that's right. It's actually the name of the town where Elvis is under witness protection...
Re:Huh? (Score:4, Insightful)
Someone sent encrypted files to the Home Secretary once, which included details of a crime (reported by someone outside the UK). I expect it was driving over the speed limit or littering or something minor, but even so they could then genuinely inform the police that he home secretary had an encrypted email detailing a crime.
Re: (Score:3, Interesting)
Its NOT illegal to say i forgot. The government uses it all the time to justify its continuous laptop losses...
So cite that in court. Plus add that the Government thinks the court is stupid. That will rile the judges enough to judge in your favor.
Nothing irritates a judge more than the Government arrogantly claiming they are bigger than the court.
Re: (Score:3, Insightful)
I think it is safe to assume they will make a copy of your HD. Your thumb 'trick' is a great way to get screwed for attempting to destroy evidence or something like that.
Re: (Score:3, Insightful)
The first thing a computer forensics person would do is take one or more copies of your hard drive and work from that - for the very reason you were talking about, in case there's some logic bomb they don't defuse.
So you wipe the files, they make another copy from their backup, waterboard you for a while, and try again :)
Disclosing a key is disclosing knowledge (Score:5, Interesting)
Suppose some incriminating evidence exists but it is hidden in a secret location. Can you be forced to disclose that location?
If not, then why not store your encrypted data on a huge partition of random data. To get it you need both the key and the location of the data. The latter you can simply refuse to disclose.
Re: (Score:3, Interesting)
Hand out the second one.
Re:Disclosing a key is disclosing knowledge (Score:5, Informative)
It's too bad there wasn't an awesome program like True Crypt (http://www.truecrypt.org/) that let you have two separate keys for an encrypted volume so that you could give a "fake" key that shows "fake" data.
Re: (Score:3, Interesting)
Why these jokers didn't say i forgot.... (Score:5, Insightful)
Why these jokers didn't say i forgot i will never know.
I mean how hard is it to NOT self-incriminate oneself: Say you forgot. Just like every other government official says after losing a laptop full of Witness Protection persons or intelligence officers, etc.
They can't compel you to recall something you don't remember.
Simply say "iam sorry i can't remember: my memory is a bit hazy from all the manhandling the cops did, your honor."
What's the worst? Gitmo? I don't think so (although Britain has a track record of renditioning suspects to US).
At a time when courts and the government make a combined assault on our privacy and rights, while being more secretive themselves, it is up to us protect ourselves. Call me paranoid, but am the Burt Gummer type.
The Government has NO right to force me to divulge my self-secrets just like i can't force a government of the people, by the people and for the people to divulge its dirty secrets.
I can't be transparent when the Government wants to be opaque.
After all it has been proven that the Government cannot be trusted even with the most basic secrets.
What is the criminal penalty for jokers who lost various laptops holding government secrets and OUR data? NONE.
What is the financial and criminal penalty the Government will pay if it causes me harm by leaking my secrets? NONE.
Until the Government pays for its mistakes(and heavily), am not going to divulge anything more to it. After all the Government am not trusty enough to know about its secrets, so why should i trust Government.
Ben Franklin, Hamilton and Mark Twain were absolutely right: You CANNOT and SHOULD NOT trust the government, if it doesn't trust you.
You can take my keys from my cold dead hands.
Re: (Score:3)
They don't say they forgot because there's usually other evidence that they know the key.
For example, timestamps on the encrypted file, unencrypted corroborating data in a swapfile, or evidence that the machine was switched on at some recent point in time.
By the way, everyone gets it wrong, but RIPA does not require that you reveal your key. It requires that you make the data available in "intelligible form". You can read the details here [opsi.gov.uk].
Rich.
Re:Why these jokers didn't say i forgot.... (Score:5, Interesting)
It is interesting to note than while section 53 states criminal penalties for non-disclosure on part of defendant, section 55 does NOT state any criminal penalties against misuse/abuse of such information.
The Government has covered its shiny metal a$$ well with this section.
So the courts can sentence you to 6 months imprisonment for NOT revealing the key, but if you reveal the key and some government official loses it in the next train (which happens monthly), the CP or the government official cannot be imprisoned for the loss or any such loss caused to you by that loss.
Brilliant!
All the more reason for me to NOT give out my key.
Until such time i see a CP or a minister sentenced to jail for loss of residents' confidential information, am not comfortable with providing ANY information to this orwellian government.
I WILL claim memory loss for this. let them prove am lying
So anyone want to do this.... (Score:3, Interesting)
Re:So anyone want to do this.... (Score:5, Interesting)
Is there a system which will allow the use of a 'duress' key? If the duress key is given instead of the real key the encrypted data is erased. This would be easy enough to defeat by a suitably motivated investigator, but they'd have to have figured out what was going to happen first...
Re: (Score:3, Informative)
Re:So anyone want to do this.... (Score:4, Informative)
Re:So anyone want to do this.... (Score:4, Informative)
Yes and no. :-)
The "duress" key cannot possibly guarantee to erase the encrypted data - after all someone can make a copy of the encrypted data before entering the duress key.
However, OTP has a "duress" key (actually it has many). The real key decrypts the data to whatever you stored. But the duress key decrypts the same data to war and peace (or whatever you think appropriate). The duress key has to be regenerated every time the real data is changed.
One problem is that the two keys are each as large as the original data. So the fundamental problem becomes keeping the two keys secure and being able to supply the duress key without revealing the real key.
If you managed it sufficiently well, OTP is unconditionally secure in this way. Truecrypt attempts to do the same without the key management problem. As a result it's usable but there are possibly hints that will show that there is another key.
There are some other possible defenses - for example consider a disk encrypted with a key. If you shut down the computer correctly, the key is written to the disk (or a usb stick etc) before shutdown. If the computer is shutdown inappropriately then the key is lost. When the computer starts up again it reads the key but then generates a new one and proceeds to reencrypt the entire disk with the new key.
Of course, you're a bit screwed if the power fails.
I've actually considered trying to implement something like this using fr1 and network block devices to have a RAID1 setup on two computers. That way you're protected if one computer crashes for any reason. Put them on a UPS and you can decide whether you want to auto-shutdown when the battery gets low or whether you will require a special action otherwise the data is lost.
AIUI, in the UK when the police do a raid they're allowed to move the mouse to wake up the screen in case there's anything on it but after that the first thing they do is pull the power. So a UPS solution would be ok.
It's all a rather academic interest for me. I do have a small encrypted partition where I keep a record of usernames/passwords/secret information etc including banking information. I have a cron job that unmounts the encrypted partition every hour, so I don't forget and leave it mounted. But while it would be an enormous pain for me to have to disclose the key it's not something I need plausible deniability of knowing the key. (The partition is only 10Mb - initially at least I might try to withhold the key by arguing that whatever they were looking for could not possibly be just 10Mb but I'd not go to jail over it)
More concerning is that I've played with gpg, encrypted partitions etc and I've got stuff scattered around that is encrypted that I've no idea what the key is or was. Mostly I try and delete experiments like that but I do a nightly backup and I can go back several years so some of these experiments will be on backups somewhere. Unless the key is something like test, test1234, hello, fred then I'm never going to be able to decrypt it. (Of course, the emails I've encrypted have always just had the text "test", "test1234" etc so they're going to be a big disappointment to whoever manages to decrypt them :-)
Tim.
Re:So anyone want to do this.... (Score:5, Interesting)
A duress-key that wipes data is no good. Any serious investigation will take a complete copy of the data as the first step, so wiping does you no good at all.
What you can do, and which is done, is to have "plausible deniability". Truecrypt does it like this:
You have a 1GB (for example) file that contains an encrypted filesystem that contains 500MB of files.
The free space (500MB) *may*, or may not, contain a second encrypted filesystem. There is no way to tell without knowing the second "inner"-key.
So, if pressed to give up the key, you give up the outer key, giving access to 500MB of perhaps mildly embarassing, but ultimately harmless stuff. If asked about the "inner"-key you say there isn't one. The default operation of Truecrypt is for there NOT to be one.
So, it's plausible you're telling the truth; could be the volume is larger than the filesystem simply because you wanted space for more files. It's not as if a half-full filesystem as such is suspicious.
It's unlikely they could force you to give up certain information without even showing a likeliness that the information EXISTS.
That's "plausible deniability".
You can say: "There is no second key", and there is no way of figuring out if that answer is truthful or not.
Two things to bear in mind... (Score:3, Insightful)
Firstly, this doesn't mean that the police can come and demand your encryption keys at any time. This isn't the US, where the police can kick your door in at any time for any reason, just because they feel like having a look at your stuff and maybe relieving you of a few high-value items. If they're looking for an encryption key, it's pretty much going to be because they've already had a warrant to search your property. It really *is* no different to being forced to hand over the key to the basement dungeon where you keep your step-daughter - chances are that they already know what they're looking for and where to look for it.
Of course, if you don't feel like handing it over, you can always say you left it on a bus, or in a taxi, or you posted it somewhere and it was never seen again...
Re: (Score:3, Interesting)
There are certain books that would get you in trouble. If they concern, for instance, highly exothermic chemistry, certain political movements especially in the Middle East and in Ireland, or exotic erotic practices, then you could be arrested for possession of 'material likely to be useful to terrorists' or 'obscenity'.
Technical measures for key destruction (Score:4, Interesting)
I am not a lawyer and this is not advice, but I did consult on the RIPA.
If the encryption key is destroyed by a pre-configured ``technical measure'' then by my reading of the Act one cannot be held in contempt for failure to disclose.
For example, a dead-man's switch that destroys all traces of keys if the owner does not log-in for a pre-arranged number of days.
Note that *all* traces must be destroyed. The Act can compel other parties ( e.g. work colleagues or holders of back-ups ) to disclose even if they are not directly involved in the case.
So what's worse? (Score:4, Insightful)
If I'm the defendant, I'm simply going to assess which is worse:
1. The punishment you'll get for not divulging your encryption key
2. The punishment you'll get when you divulge your encryption key and they find 18 gigs of child porn on your computer
Depending on the encrypte data in question, the decision whether to divulge your key could an easy one.
Re:So what's worse? (Score:5, Interesting)
This is the precise argument that They will be using for lenghtening the prison terms for NOT divulging the key once we've swallowed the fact that not-remembering something can get you in prison.
And then They just need to send a collection of /dev/random with a filename suggesting underage pornography to your email address and keep you imprisoned for decades. Your ex-girlfriend could do and call the police. Your enemies from the cubicle farm could do, too. Your competing business and even blackmailing spammers could.
I smell serious blackmailing business: pay up and we'll send you the key you need to prove yourself innocent.
Re:So what's worse? (Score:4, Insightful)
Re:So what's worse? (Score:4, Informative)
Because it's not real CP, it's random binary gibberish with a note attached saying 'Here is your encrypted CP'. The police will pick up that email (in other news today, they're going to be monitoring all emails) and go 'Oho, we have caught ourselves a paedophile and will soon look good in the newspapers when we lock him up for ever and always', and come around and arrest you. The they demand you decrypt the file so they can present you along with the CP to the court and get you sent to prison.
No CP exists - no key exists - it's not encrypted data at all, just noise. But you can't prove that. And so you go to jail for failing to provide the key.
Re: (Score:3, Interesting)
Well, remember the OJ trial?
Good defense lawyers do two things with evidence: they either discredit it, or they interpret it in a benign context.
When the Big Box O' Porn is produced in court, a competent defense lawyer demands the police produce a chain of custody showing how the box allegedly got from the defendant's home to the court. If the police can't show that, it's not evidence any longer. If the police can't prove the DNA sample analyzed actually came from the crime scene, it's not credible any l
Physical = digital? (Score:5, Insightful)
An encryption key is separate from a physical key, because no one can reliably prove if I still have it or not. Physical keys I may have hidden or swallowed can be found or the locks picked open. But for strong encryption, this is not feasible and the defendant might very well have forgotten the passphrase and never remember it.
What will They do when the defendant claims to have forgotten their key? (capital "They" intentional for Them being Orwellian monsters) - No one can ever prove or disprove that the passphrase still exists in the defendants brain cells, not the accuser and not the accused.
And then? Sleep deprivation? Torture? Guilty unless proven innocent? In dubio contra reo?
Releasing the defendant is under this view obviously unfeasible, because otherwise EVERY defendant would claim to have forgotten the passphrase, which would render this judicial scheme moot. But NOT releasing a possibly innocent defendant because they really have forgotten their passphrase - and no one knows whats inside the encrypted files - is a serious crime in itself.
I doubt there's a possible solution to this problem. Keeping people in prison for even one day because of abstract words that *possibly* exist in their minds (and only there) is pretty laughable - and pretty dangerous.
Something that no human and no machine can reliably prove or disprove cannot be the basis of a prison sentence. In the Western civilized society after the Renaissance era anyway.
Also, this is stuff from the darkest dystopian novels and can be misused in thousands of ways. We've all heard rumors about cops who place contraband in a defendants pocket or house. But that takes at least physical access to a contraband item.
But encryption keys that may not even exist anywhere? It is ridiculously easy to incriminate people that way, say for example to create a file containing several megabytes from /dev/random. Name it "pre-teen_volume_320.7z" and send it via mail to the defendant with a fake note "here's the 320th delivery of your stuff, you pervert and the password is the same as last time. the photos of your kids were nice, too".
And then? No one can distinguish between random data and well-encrypted data. No one can prove the defendant does NOT know the "password" to this "encrypted" file. Will They let them go or will they be imprisoned and tortured forever until they "remember" the nonexisting password or simply confess to having had intercourse with the devil?
Re: (Score:3, Insightful)
Self-incrimination defence - not the brightest? (Score:3, Insightful)
Perhaps this was the crux of the problem, they used a defence of suggesting if they hand it over it would be self-incriminating?
Wouldn't a better defence have been to suggest that the data encrypted was entirely irrelevant to the case. Wouldn't it then be up to the police to actually do some police work and prove otherwise?
By using a self-incrimination defence it's effectively admitting, yeah you've got some data that's evidence locked up but you're not handing it over. Surely it's better to simply just deny the encrypted data is relevant to the case or even that you've no idea what that encrypted data is. Hell, claim it's your own personal copyrighted works or some trade secrets and get them to prove to a court either that it's not or that they need access to said private content. I'd have thought both of these would put the burden on the police to do police work in an ideal scenario.
That said, Labour's totalitarian regime doesn't follow the ideal scenario mindset and innocent until proven guilty means nothing anymore so I guess either way these people were screwed.
If the people are guilty then it's great they've been caught, but the way they go about reach the goal is entirely unacceptable and comes down to one thing - the police are too damn lazy to actually do any police work nowadays. It's all about abusing various laws and technologies Labour has handed them which they really shouldn't have.
What the fuck happened to Britain? (Score:4, Interesting)
Exactly when did they start to go insane?
Once I would have like to go there. Now it sounds like an Orwellian nightmare. Cameras everywhere (that happen to be "malfunctioning" when police hold down an unarmed, ticketed Brazillian subway passenger and shoot him in the head multiple times). Laws passed monitoring all communications. No privacy. Jail sentences if you will not or cannot tell them an encryption key.
This is the kind of shit they would tell us about Russia during the cold war.
Who's getting rich and who's gaining power through this?
Lords will overrule (Score:5, Insightful)
It's amazing how many of the draconian, rights-reducing laws drawn up by democratically elected representatives get knocked back by the House of Lords, an un-elected body.
The Lords can alter Bills before Parliament, but are also the last appeal court (before going to the European Court of Human Rights).
Let's hear it for a benevolent oligarchy!
Re: (Score:3, Insightful)
It's amazing how many of the draconian, rights-reducing laws drawn up by democratically elected representatives get knocked back by the House of Lords, an un-elected body.
The reason the elected people are more problem is because quite frankly most people aren't educated enough to vote properly. The house of Lords don't have to answer to half-wits who believe in the "if you have nothing to hide" ideology.
Sure they could abuse that power but luckily they've proven to generally be a sensible bunch and I think that's why the government has been trying to destroy the house of Lords and make their positions electable by the public as well.
Unfortunately ... (Score:5, Funny)
... my encryption key consists of a complete confession of my latest crime plus GPS coordinates of where I've buried the evidence. I'd definitely be incriminating myself by divulging it, so I won't.
Re:Oh Joy (Score:4, Funny)
I would suggest employing >i>steganography, instead.
Re: (Score:3, Interesting)
Yeah. Go fetch the key without my help.
As I've been saying, what we need is better plausible deniability.
https://bugs.launchpad.net/ubuntu/+bug/148440 [launchpad.net]
Then they can't go around asking everyone for their keys - because most really wouldn't have them :).
The Truecrypt proponents don't get it. Hidden container or not, you have to voluntarily install Truecrypt, so that's sufficient cause for them to target and trouble you.
Re:Fuck the British equivalent of Homeland securit (Score:5, Insightful)
Our country doesn't make the same promises about liberty in a single document which all our countrymen regard as some kind of holy scripture. It is the American attitude of how you are all in the "land of freedom, better than all other nations in every way" that makes your massive overreaction to one terrorist attack so ironic. It's like a kid vowing to never go back to school again because a bully once stole his lunch money.
I don't mean any disrespect to those who died in 9/11, but people are dying all the time from accidents, disease and natural disaster. Wasting all the money you have on going to war in Iraq and Afghanistan when in fact it was a terrorist organisation and not a single country that attacked you, is pretty dumb. If you go around spending billions attacking everyone that you feel slightly threatened by, you'll end up in financial meltdown... oh, wait...
Re:Fuck the British equivalent of Homeland securit (Score:5, Insightful)
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
anyways don't more people die every year due to NUTS than terrorism?
In every country ... (Score:5, Insightful)
Unfortunately most people fail to see the connection between lists and any danger. The lists are being made to influence people who speaking out against the ones in power. But most people fail to see the danger of giving the power seekers ever more data to mine on everyone. Knowledge is power and the ones in power seek the use that knowledge to prevent people standing against their point of view.
With ever more detailed lists on peoples views, soon we end up with people fearful of what they say on the phone and in emails, for fear of their views could even just risk being taken out of context and in any way critical of the people in power. At that point, the ones in power are influencing people directly.
At that point, we live in a police state, where freedom is gone and replaced by fear of the ones in power. Problem is, we are getting there now, and from here on out, its simply a matter of consolidation of ever more detailed data mining. The central reason why centuries ago votes were made in secret, was to prevent the ones in power, from seeking to influence the voters. Yet the power seekers are forever seeking to game the system to gain ever more information on peoples opinions. Now the ones in power are building automated systems to influence people.
Throughout history its been shown time and time again that the ones in power become ever more corrupt over time without any feedback on how they are behaving. Its been show so many times through history.
Most people don't realise the game people in power are playing. People in power are not so interested in individuals. The ones in power are interested in adding everyone to different lists so they can then control and profiling groups of people, so they can then use divide and conquer tactics, to break groups of people up. The goal is that the fragmented groups cannot then stand and oppose the point of view of the ones in power. That is why they data mine.
The lessons of history have not been learned by enough people. Looks like the world is seeking to repeat the mistakes of the past. Freedom and democracy are constantly undermined by a minority of people in power for their own gain. Its just a matter of time and how far we are going to let them all game the system to push the excesses ever more unfairly in their favour. After all, its not as if they are robbing hundreds of billions of tax payers money to keep their rich lifestyles while millions risk loosing everything.
Anyway, if the millions of people can't buy bread, then let them eat cake.
The world will never change until everyone worldwide realises that people who constantly seek power over others have a recognisable cluster B personality disorder. All cluster B personality disorders are ultimately driven by fear. And the ones with the disorder constantly seek to control that fear and control everyone around them based on their fear. (There are multiple fears, two examples are lack of a
Re: (Score:3, Insightful)
Now I've had some more time to think about this news, (and adding this password news to the news about them wanting access to every phone call and email etc..., then its occured to me, how long will it be, before we have to send our passwords to the government, whenever we send an
Re:Well, there's just this one tiny detail ... (Score:4, Insightful)
The word "progressive" is a PR way of implying improvement and governments are getting very good at using PR to manipulate perceptions. The goal of any "improvement" is simply an improvement for the ones in power, to gain a greater control over the ones they seek to lead. They consider more control an improvement. Ultimately its about Cluster B Personality Disorders and how they behave. They relentlessly seek power over others. Normal people do not seek power so relentlessly, not matter what the people who seek power say or even think. Because people who seek power, think others are like them and so assume they think the same way as them. People who seek power fear the loss of power and constantly seek to gain ever more power. Over time, they bias things ever further in their faviour. This pattern of behaviour has been shown throughout history.
Comment removed (Score:5, Funny)
Plausible deniability (Score:4, Insightful)
That's why it's far better to create hidden, encrypted containers, using Truecrypt's plausible deniability. If the cops see your whole HD is encrypted, it's pretty obvious, and they will want to see what's on it because then they start suspecting you have something to hide. But if you have a file called C:\Documents and Settings\Application Data\kb2357334.dat which is in fact a hidden Truecrypt volume, first they'd have to find the file, and then think that it may be encrypted, which is a chance in a million, so you're so much safer.
Re: (Score:3, Funny)
They're complementary. Help yourself.
Re: (Score:3, Funny)
Maybe the situation here is more dire in the UK, but I don't think your claim holds true for the US (and, absent statistics, it makes me doubt that it holds true for the UK):
Ah, but he said "falling" vending machines.
That would not be classified as a vending machine fatality, but rather an industrial freight fatality. The real statistics are hidden.
I blame the labour party : )
Afghanistan in Perspective (Score:5, Insightful)
The Taliban regime in Afghanistan openly supported Al Queda training camps used to prepare for the 9/11 attacks. The original Bush Doctrine (you know, before there were 30 of them [wikipedia.org]) stated (more or less) that a government that supported a terrorist organization is as illegitimate at the terrorist organization itself. This was a Good Reason for removing the Taliban, and indeed we did so with strong support [wikipedia.org] from the civilized world. (After 2001, of course, we threw logic out the window, but that's a different tale.)
By your logic, spending money to find a cure for a rare disease is "pretty dumb", since a lot more people die from other causes. I believe that your logic is faulty. It makes sense to address all of the causes of harm, as cash permits. To a person of my Libertarianesque perspective, that means the causes for which people are willing to spend their own cash, of course - including cash taken in taxes - but not my grandchildren's cash. A government that is trillions of dollars in debt ought to be horsewhipped and put on a very tight budget until they pay their debts - but again, that's a different tale.
Re:Afghanistan in Perspective (Score:5, Interesting)
AFAICT, President Bush had 4 options with Afghanistan after 9/11.
(1) Ignore it. This was the Clinton strategy, and had resulted in slowly escalating attacks on American and European soil over the previous decade or so. Whether it ultimately succeeded would have depended on whether momentum could be regained on a host of other fronts to make radical Islam irrelevant in the Muslim world - a questionable assumption. Nevertheless, it may have been the second most effective option available IMHO.
(2) Take out the Taliban, disrupt Al Queda, then leave. Depending on your perspective, this would have stirred up the ant's nest (causing a rash of new attacks) or reset the clock by ten years (a cold war-like strategy that worked pretty well against an aggressive Soviet Union). This may have been the best option for the US in retrospect, although it would do nothing to help the Afghan's who were brutally oppressed by the Taliban (and most previous regimes :-/ ).
(3) Take out the Taliban, evict Al Queda, and stick around for nation-building. As you mention, this would almost certainly be disastrous. If you're planning to fight radical Islam, this is the least favorable ground on the planet.
(4) Take out the Taliban, evict Al Queda, then move the field of battle somewhere else. This was the Bush option, with "somewhere else" set to Iraq. This approach successfully set back Al Queda by 10 years (and counting), but cost the US and Britain the good will of most of its allies in the world. I suspect the president was counting on the Iraqi people embracing freedom and democracy, rapidly establishing a stable government, and joining the fight, which would have made this the winning option. If so, he miscalculated.
You advocate waiting them out, and that has worked thus far with a pretty darned significant list of anti-democracy types. Not with Libya, though - they settled down only after a bombing run that killed Khadafi's daughter (among 45 military and 15 civilian casualties) - similar to option 2 above. It also failed most notably in the prelude to WWII, as has been endlessly rehashed over the past 7 years, so there are no guarantees.
In retrospect, though, and with full 20/20 hindsight, and recognizing the high cost to the long-suffering Afghan people, overthrowing the Taliban and scattering the ants before a token nation-building exercise with the Northern Alliance amid steady get-the-heck-out-of-Dodge withdrawal was probably our best option - and a lesson to be learned for the future, if we're smart.
Re:Afghanistan in Perspective (Score:4, Insightful)
Your suggestion that the war in afghanistan is popular worldwide is ridiculous. It's unfortunate, but that's the truth.
Yes it's given lip-service of supposedly being more "just" (what does just mean in this age of postmodernism ? In "modern" times it meant that Christianity was in a better position after the war, which is the doctrine (wars for ideology) that built the world we live in. What does a "just" war mean in a world without meaning (=postmodernism) ? Nothing. All wars are just. All wars are unjust. It's just a fashion, a feeling, nothing more, which boils down to "wars that benefit me financially or politically are just, the rest are unjust"). But support ? It has no support.
Not a single "American" war has any real support in Europe (outside of, ironically, Turkey and the ex-USSR states, even though both have radically different reasons for the popular support)
The sad thing is, if the USSR had lasted 10 more years (perhaps even a mere 2 years), the taliban would have been exterminated to the last man. As soon as the Russians realize this trivial truth, the USSR will (I think) resurrect itself.
The real problem is deeper for the American republic. Just like the problem was deeper for the Roman republic before it. Obama, imho, plays the role of Catiline [wikipedia.org].
Europe hates America because America is living proof that the "democrat-social" states of Western Europe are at best suboptimal, and probably doomed to succomb to the social part of their states, and America appears not to be. An essential part of the "social" ideology is that everybody is a socialist, and those that aren't are really criminals. Therefore America, and any war they're involved in, is criminal.
Obama's popularity in Europe comes from his promise to change America into an equally doomed "social" "democracy" (which will obviously neither be social, nor democratic).
It has nothing whatsoever to do with who attacked who and who is "guilty".
Re:Fuck the British equivalent of Homeland securit (Score:5, Interesting)
Over here in Sweden TV8 showed "The Anti-American" talking about how various european saw at USA. They talked with people in Poland, France and the UK. Maybe there was some italians or something to.
Very interesting and it somewhat made me feel bad for saying stupid things about USA sometimes. Then french people was the most funny one talking about how everyone in USA except in NY was rasists and also how to keep the american culture and english words and influences out of their country.
Yeah right, because french people are so open minded when it comes to influences themself? And they don't think everyone should learn french? Hillarous.
The polish people really liked you and looked up against you, seeing america as the saviour against everyone invading poland. And the UK as your strongest ally obviously like you to except they want to be the imperial worlds #1 force and not just follow lead as it is now :)
Sure we complain about your wars and playing world police, but in the end us europeans and everyone else always wait to long and do to little so I guess it's good that USA step in and fix up the crap, even if it's not a really democratic decision.
The sad part is that you just step in where you have something to gain from stepping in, so problems in countries where you don't gain anything from interfering nothing will happen. But that's fairly understandable in general to.
Oh, and they talked about how Europe, china (?) and especially japan needed the oil from the middle east region much more than USA but didn't helped to keep it political stable and keep the oil flowing. We just took the benefit without helping. Japan can always blame it on how they are pacifists. And also how you could have got the oil real cheap anyway so they argued that wasn't the factor, at least not egoistic and just for your own sake.
Anyway, interesting program.
Re: (Score:3, Insightful)
Don't think so (Score:5, Insightful)
Your logic is flawed, my locking/hiding the door to my dungeon where I keep my daughter is to stop me incrimincating myself by her being found. ALL criminals hide data from the sight of others to stop them from showing their criminal activities.
If you accept that the police under the rules of law can demand access to things then this includes digital data. I have always been loath to see the internet and computers in general as some kind of new world where we can have a different set of rules. If I can be ordered to hand over my swiss bank account number (just a number for a service) then so can I be ordered to hand over the key to my encrypted files.
If you want to change it, chance ALL the laws related to the gathering of evidence. No cyber laws, just laws.
Bio scanning a US import (Score:5, Informative)
I read a while back about mandatory biometric scanning of tourists
I'm really hoping you aren't a US citizen as getting into the US now requires the scanning of all your fingers and of course the answering of the 7 stupidest questions in the history of questioning.
The bio-scanning stuff is a pain in the arse, but its unfortunately not a UK invention, it started in the US for "Security" reasons. You also now have to have a printed out copy of your itinerary (like that would be hard to fake) as an electronic copy on a PDA or laptop just isn't good enough.
Re:Wow... (Score:4, Insightful)
This equation is true all over the world.
Re: (Score:3, Insightful)
Don't be ridiculous. The problem isn't that people can't resist, the problem is that they don't. They don't care. Giving every person in the UK a gun is not going to change anything.