Encryption Security Your Rights Online

First Use of RIPA to Demand Encryption Keys 645

kylehase writes "The Regulation of Investigatory Powers Act (RIPA) is being used for the first time to force an animal activist to reveal encryption keys for encrypted files she claims to have no knowledge of. According to the article, she could face up to two years if she doesn't comply."
  • huh (Score:5, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @01:31AM (#21359919)
    how can you be put in jail for not knowing something?
  • by snl2587 ( 1177409 ) on Thursday November 15, 2007 @01:37AM (#21359957)
    It's easy! Send her to Gitmo. Then civil rights no longer matter!
  • by hedwards ( 940851 ) on Thursday November 15, 2007 @01:43AM (#21359987)
    There are a number of problems with these sorts of laws. One is if the person lost the keyfile which is required to open the file, or if the encrypted volume got corrupted or if the keyfile became corrupt the file can't be decrypted without cracking it. There just isn't any good way of knowing for sure if the person gave a bad password or if there was a genuine problem with it.

    Two is that there isn't genuinely any way of knowing what has been encrypted, it could be evidence of wrongdoing, or it could be just some sort of embarrassing, but legal, porn.

    Three is that there is a tendency of these sorts of laws to end up sending innocent people to prison for not being able to reveal the information in a virus or malware encrypted file.

    It is a tough situation, increasingly people engaged in illicit activities are turning to encryption as a means of keeping evidence secret, and from a technical standpoint refusing to decrypt the information is obstruction of justice.
  • by 0123456 ( 636235 ) on Thursday November 15, 2007 @01:55AM (#21360091)
    "I don't see why encrypted files should be any different than hardcopy or anything else that could be seized under subpoena."

    The police already _have_ the files. They're free to try to crack the encryption on those files.

    While I intensely dislike the animal rights nutters, this is a stupid and oppressive law which should never have been passed. And I can quite believe that the police she was raided by are 'thugs'; ask that guy they shot eight times in the head a while back if that's a good description... oops, you can't, he's dead.
  • by paulthomas ( 685756 ) on Thursday November 15, 2007 @01:58AM (#21360117) Journal
    If such a law were enacted in the US, we would be protected, ostensibly, by the 5th amendment to the Constitution. I say ostensibly because apparently the Constitution is "just a piece of paper" now, and we (some of us) have forgotten about the rule of law.

    So, this could happen here. Easily. We need to find some way to restore the rule of law here lest we become like that other large country just across the Bering Strait from us.

    Hmmm...
  • by Anonymous Coward on Thursday November 15, 2007 @01:59AM (#21360129)

    It is a tough situation, increasingly people engaged in illicit activities are turning to encryption as a means of keeping evidence secret, and from a technical standpoint refusing to decrypt the information is obstruction of justice.
    Is it obstruction of justice? I always thought that you were under no obligation to incriminate yourself or help the police/prosecution with their investigation (of you). The right to be silent and all that liberal mumbo-jumbo... (I guess the RIPA begs to differ)
    For instance, if the cops come to raid my house I don't have to give them my spare set of keys so they can get in. The difference I guess is that it's easier to break a door down than it is to decrypt something that's been encrypted properly.
  • Re:Better solution (Score:2, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @02:22AM (#21360335)
    More along the lines of the actual question, when given only one password, the "throwaway" part of the volume appears to take up the entire file, and will corrupt any other data if you actually attempt to write to all of it.

    More along the lines of "plausible deniability", the government's just going to come in and say "I see you're using truecrypt. Now, what's the other other password?"
  • Re:solution (Score:1, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @02:30AM (#21360387)
    That's why you'll get busted. Underestimating your adversary is the straight path to the valley of tears.
  • by Twanfox ( 185252 ) on Thursday November 15, 2007 @02:43AM (#21360467)
    Of course, this makes me wonder something from a 'thought police' perspective. With the file in question being a common TrueCrypt encrypted volume that doesn't really contain anything incriminating:

    TP: Give us the passphrase!
    Suspect: It's HotSmokinBabes
    TP: Now give us the hidden volume passphrase!
    Suspect: It doesn't have a hidden volume.
    TP: LIAR, give us the passphrase!

    Just because the possibility exists, the authority in question might ask for something he cannot prove isn't there. If you have nothing to give, this leads to the problem of lying to authorities to give them what they think they want, when you've already given them what they asked for and it proves you innocent. Aren't these going to be fun times to live in.
  • this blows (Score:4, Insightful)

    by rice_burners_suck ( 243660 ) on Thursday November 15, 2007 @02:43AM (#21360471)
    This is an outrage. Here, we have a case where a person claims she does not know something, but the government is demanding of her to comply. But let's suppose, for a moment, that she is telling the truth and she has no knowledge of these encryption keys. How could she prove it? There is no way to prove a negative. It is impossible to prove that you DON'T have something; you can prove that you DO have it by producing it. There, you see, I have it. But if you don't have it, there's no way to prove it. They should let her go.
  • by twitter ( 104583 ) * on Thursday November 15, 2007 @02:46AM (#21360487) Homepage Journal

    These protections were brought to the American shores by Puritans, and were later incorporated into the United States Constitution through its Bill of Rights.

    Thomas Jefferson was not a Puritan.

    People throughout history have realized that torture is like a mirror. Under duress, people will say whatever the person in control wants to hear. Tacitus wrote as much in the second century AD. Only the ignorant, thoughtless or cruel believe torture is useful for investigation. People who practice torture know the results better than anyone else but they too are pawns. Those who advocate torture do not seek information, they seek control through terror. Nothing is more terrifying than a crowd of cruel halfwits who are so self righteous they demand torture. Their hate-filled faces are echoed by the agony of their victims, but all of it is a reflection of their leader's twisted souls.

    It is a tool of tyrants, religious fanatics and other evil people who think of themselves as better than you. It is always a crime.

  • Re:solution (Score:2, Insightful)

    by krazytekn0 ( 1069802 ) on Thursday November 15, 2007 @03:02AM (#21360589) Homepage Journal
    That is a relatively safe assumption, since most computer forensics people actually work for private companies and aren't direct employees of the government. At least that is how it is where I live.
  • by drgonzo59 ( 747139 ) on Thursday November 15, 2007 @03:05AM (#21360603)
    Exactly!


    Encrypting your data and not hiding it is the same as getting a $100k super secure safe, locking your stuff in it, but leaving it in the middle of the living room. Any { law enforcement agency / criminal gang / anyone with more resources and more muscles than you } will just force you to give them the key. In other words, they see the super secure safe and automatically assume there must be at least $1M in there and then they force you to give them the key. The govt will cite all kinds of stupid idiotic laws, the criminals will start cutting off the fingers (yours or your loved ones').


    The solution is to use something like steganography and hide the data such that nobody even will suspect anything. The best secrets are the ones that are not even known to exist.


    If the adversary is convinced that you do have the data and knows the data type, then create a similar but fake data set to be substituted for the real one.

  • As a reminder (Score:3, Insightful)

    by pembo13 ( 770295 ) on Thursday November 15, 2007 @03:07AM (#21360615) Homepage
    It is all well and good to discuss technical ways to escape such requests. But we need to move _towards_ not needing to encrypt your important data and not towards better ways to do the encryption. Ie. I prefer not to have to encrypt that perfect encryption.
  • by arkhan_jg ( 618674 ) on Thursday November 15, 2007 @03:43AM (#21360809)
    The difference is, they didn't make a special law of 'failure to open a safe on demand' with up to 5 years in jail if they suspect the safe contains terrorist materials (2 years for everything else). "reasonable suspicion of evidence" is the important point; there's no such requirement under RIPA.

    There are already laws against perverting the course of justice and hiding or tampering with evidence. The difference is that they have to show some evidence that there's relevant evidence in the safe. If RIPA applied to safes, they'd just have to show you have a safe and won't open it. They only have to have a 'reasonable belief' that you can open it, and having it on your property, or on property in any way associated with you is enough to meet that criteria. That's sufficient to carry up to 5 years in jail, regardless of what's actually in the safe, or what they can demonstrate might be in the safe.

    The law is intended to allow them to put suspected terrorists and pedophiles in jail, even when they have no evidence they did anything illegal, and don't have the capability to brute force their encrypted files, and don't have sufficient grounds to charge them with something else. As we can see, once the british justice system get an 'anti-terrorism' power, it immediately becomes a tool to use against everyone.
  • As a Brit... (Score:2, Insightful)

    by AndyboyH ( 837116 ) <Andrew.Howat@nospAM.blueyonder.co.uk> on Thursday November 15, 2007 @04:06AM (#21360881) Homepage
    I am now convinced it's time to leave the country.

    The fact that this law was essentially used within 14 days (iirc) of it becoming a law proves beyond reasonable doubt that it's not a law to protect the people, but to protect the government and their commercial interests.

    Animal activism, while often extreme, is nowhere near the same scale as terrorism, and never has been. While I have no support for activists who go out of their way to try to force their targets to stop doing what they're doing - they certainly should not face time at Her Majesty's leisure for merely having an encrypted file on their PC. CCTV in the UK has always rendered public privacy moot, but now an individual's privacy is a decision between surrendering your rights, or jail for refusing to do so.

    Does anyone know if Japan accepts political refugees? (yes, the state's probably just as onerous in some way or another, but it's always been a far more welcoming place to me than the land of my birth, now becoming an Orwellian nightmare state made real)
  • Re:Better solution (Score:1, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @04:09AM (#21360899)
    What if there is no other password and you only put a little bit of stuff on the drive? With no way to prove that's not the case, I can't see how you can be charged with any foul play.
  • by monkaru ( 927718 ) on Thursday November 15, 2007 @04:16AM (#21360917)
    Giving up keys would be spitting on the graves of our boys who died on the beaches of Normandy. Simple as that.
  • by irc.goatse.cx troll ( 593289 ) on Thursday November 15, 2007 @04:30AM (#21360987) Journal
    Or at least giving them a false sense of security.

    If they're the type that need you holding their hand like that, do you really trust them with a system wherein they type a password then any app on the system is free to dump the entire volume? What good will that do when someone (govt or otherwise) sends them an exe in their mail that they happily run that just waits for you to decrypt the volume?

    Maybe they're smart enough to not run exes so blatantly, but there's plenty of other potential code execution like software that autoupdates (+ big enough power forcing someone to sign their code so it validates), exploits, backdoors, etc.

    Then there's the operating system holes in your security. Filenames and content will still end up in "recently accessed" lists in common software, that alone can be more than enough info. There's the cleartext copy that ends up sitting in your swap file if the app swaps out. Backup/temp files saved outside the secured drive, etc.

    TrueCrypt is useful for what it is, and I certainly use it daily, you just have to be careful with helping people into the world of security as they're looking for a panacea to do everything for them.
  • Re:huh (Score:5, Insightful)

    by zazzel ( 98233 ) on Thursday November 15, 2007 @04:37AM (#21361041)
    The best is: IF you know, and IF the encrypted material really IS incriminating, how does that NOT invoke your right to remain silent, as you as a defendant cannot be forced to give incriminating information?

    Or does this basic rule of justice not apply here, for some reason I (IANAL) cannot imagine?

  • Re:Heh. (Score:3, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @05:07AM (#21361211)
    >>Five years later, turns out that it really was a virus. Sorry about that..oops, you're already dead, shanked in a prison shower.

    fix'd

    Even felons are taught to hate supposed pedophiles. Registered as a sex offender but turns out you're innocent? Too late, pariah for life. Registered for public indecency for pissing in a bush? Not our fault the us has no public bathrooms.
  • by Anonymous Coward on Thursday November 15, 2007 @05:27AM (#21361333)
    Or it could have something to do with this being a UK [wikipedia.org] law, and thus the US constitution is completely irrelevant here.

    And on a side note - after the events of the past 7 years, I wouldn't hold up the Constitution as any particularly strong piece of legislation anymore.
  • Re:solution (Score:3, Insightful)

    by PhilHibbs ( 4537 ) <snarks@gmail.com> on Thursday November 15, 2007 @05:58AM (#21361513) Journal

    Well the problem is.. you're talking about how to hide evidence of a crime, when the real issue is how to preserve privacy in non-crime but potentially embarrassing cases, or just to keep your financial data as private as possible.
    No, they're talking about hiding information on animal rights activism and civil disobedience activities from the authorities who are trying to create a police state. I don't accept the "if you aren't a criminal then you have nothing to hide" position.
  • Re:Better solution (Score:3, Insightful)

    by vidarh ( 309115 ) <vidar@hokstad.com> on Thursday November 15, 2007 @06:09AM (#21361585) Homepage Journal
    And that is exactly the problem with RIPA in the first place. The assumption is that if there's encrypted data you have the key and are liable if you can't produce it. Never mind if you don't have the key, or if there's no key to be had in the first place.

    We'll see if this actually ends up in court and a judge actually upholds this provision, though, there are constant complaints about how "activist" British judges are when it comes to reinterpreting or setting aside laws they don't agree with.

  • Re:solution (Score:3, Insightful)

    by gweihir ( 88907 ) on Thursday November 15, 2007 @06:41AM (#21361749)
    Correct- TrueCrypt has support for hidden and public volumes, both of which can use entirely separate keys/keyfiles.

    And again, this does only help against incompetent computer forensics people. Detecting the presence of such a hidden, encrypted volume is easy. Proving that it is encrypted and not cryptographically strong randomness is hard. But that applies to encrypted things that are not hidden as well and the attack here is not technological, but legal.

    Come to think of it, I have a few disks that I wiped using cryptologically strong random data. There is no information on them, but I cannot prove that. In fact such a proof is fundamentally impossible in a very strong, mathematical sense.
  • by gweihir ( 88907 ) on Thursday November 15, 2007 @06:44AM (#21361771)
    It's sad when you have to rely on TrueCrypt's plausible deniability to protect yourself from these things.

    I agree. And AFAIK this law does not respect plausible deniability. Which also means that if the data is really random, they can throw you in prison and you cannot defend yourself.
  • Re:Heh. (Score:3, Insightful)

    by Kjella ( 173770 ) on Thursday November 15, 2007 @06:59AM (#21361841) Homepage
    Of course, there's no reason why you'd need an encrypted disk and missing keys to do any of that screwing over. Just distribute the CP and wipe itself, he'll be plenty fucked already.
  • Re:solution (Score:3, Insightful)

    by CastrTroy ( 595695 ) on Thursday November 15, 2007 @07:22AM (#21361923)
    You don't have to prove you're innocent, they have to prove you are guilty. If the data is cryptographically random, they can't prove there's any data there. This works for the hidden truecrypt partition, as well as the random data you wrote over your hard drive with.
  • by swilver ( 617741 ) on Thursday November 15, 2007 @08:24AM (#21362239)
    There's a fundamental difference. The police doesn't need your help to open doors, or even to open your safe. If you refuse to cooperate, the police can break down a door or crack a safe. You do not have to help them at all, it will just result in more damage than necessary to your property.

    With encrypted files though, the police cannot get at them without your help. If you refuse to help, they cannot just "crack" the encryption (not even your equivalent of a secret service can crack it -- nobody can crack it in any reasonable amount of time, which is what scares the authorities). So realising they have no hope in hell of ever cracking a decent encryption scheme, they think they can just create a law that says you're required to give up your keys. If they knew what they were dealing with, they'd realise however that such a law is complete nonsense. Since you cannot prove that a file is encrypted (since it looks like random data) you have the rather large problem that the authorities can claim any file with random garbage must be encrypted.

  • Re:solution (Score:5, Insightful)

    by Kjella ( 173770 ) on Thursday November 15, 2007 @08:32AM (#21362267) Homepage
    I don't think you understand how a hidden container works, it's not the same as a hidden partition. A hidden container is contained within another container, and looks just like random data.

    During normal operation, you mount both the outer container and the hidden container using both the outer and hidden key. This enables truecrypt to see the hidden container and move around hidden data as you write to the outer container.

    When you are arrested, you provide the key to the outer container, but not to the hidden one. In this mode, it's as if the hidden container doesn't exist and can of course be overwritten. There's absolutely nothing to prove that the hidden container exists, as long as you have a plausible outer container and can say "Look, this is what I was trying to hide".
  • by Red Flayer ( 890720 ) on Thursday November 15, 2007 @08:49AM (#21362373) Journal

    The present government corruption in both the U.S. and U.K. started when secret violence was authorized as a way of protecting oil investments of British and U.S. investors.
    I'm a cynic, so that colors what I have to say... but I disagree.

    The present government corruption began as soon as our hairy forebears realized that people in positions of power would abuse those positions of power when given gifts. This can probably be traced back to the first time Ogg gave more meat to Oggette and her little Oglodytes simply because she was willing to grab her ankles for him.

    It's human nature to try to twist the political structure to one's own ends, and it's a failure of modern society that 'the people' don't insist upon fairer means of government.

    Any government that can act in secret cannot be a democracy, because citizens cannot participate in things that are unknown to them.
    Very good point. However, I'd add that far too many people are willing to let this happen -- how many people follow the order, "Pay no attention to the man behind the curtain!" without question?

    In addition to a secretive government being undemocratic, a population disinterested in the workings of government cannot produce a democratic government.
  • by Anonymous Brave Guy ( 457657 ) on Thursday November 15, 2007 @09:02AM (#21362479)

    The problem is, the law doesn't seem to place the burden of proof on the prosecution when it comes to showing whether there is or isn't any meaningful data present. Any old bits on a hard drive are (unqualified) electronic data.

    On your point about circumstantial evidence, we really need not to set a precedent that says use of encryption can be treated as any sort of evidence, circumstantial or otherwise, that you are storing data of dubious legality. The implications of giving any legal weight to drawing that conclusion are horrible.

  • Re:Better solution (Score:2, Insightful)

    by NoPantsJim ( 1149003 ) on Thursday November 15, 2007 @09:11AM (#21362573) Homepage
    Just how many maps and blueprints are in your porn collection?
  • by TheRaven64 ( 641858 ) on Thursday November 15, 2007 @09:34AM (#21362851) Journal
    And how do you mount the volume? If you mount it using TrueCrypt, then this only gives you deniability if the forensics people don't know about TrueCrypt. If they do, then a decent lawyer could convince a court that there was a second key that the suspect was not divulging and get them convicted under RIPA. The only solution that would be immune to this would be having an infinite number of potential hidden volumes in a single file/partition, so there was no way of telling when you had given up all of them. I can think of a couple of ways in which this might be implemented, but none are particularly satisfactory.

    If I were doing this kind of thing, I would probably store the sensitive files on an encrypted volume on a remote server in another jurisdiction, accessed via a proxy in a third, with a script that would securely erase it if I didn't log in for two days. Or, better, store it in battery-backed volatile RAM so that the whole thing can be completely erased with a single command as soon as it detects any kind of tampering.

  • Everyone working for Huntingdon Life Sciences does so by choice. They are Legitimate Targets.
    Government Officials. Security services. Former security services. Informers.

    That was the list of "Legitimate Targets" when last I heard it. If you think for one instant that people working at a private medical research lab qualify, your standards are absurdly lax. Even if the mistreatment of animals qualified as a cause for violent struggle (it doesn't), regular employees of Huntingdon don't qualify for retaliation.

    It's funny. Animal rights activists always wage their violent protests and hate campaigns against scientists and business people. Where are the hate campaigns against slaughterhouse workers and farmers? Much if not most of the practices of these people are at least on the same level as animal research.

    The fact is this. Violent animal rights activists are not committing these actions because they care about animals. They are committing these actions because they enjoy committing these actions. They enjoy harassing and threatening push over scientists and businessmen. They enjoy vandalism, petty crime and shouting people down. They enjoy it, it's that simple.

    These people are middle and upper class thugs who have latched onto animal rights as an excuse to engage in violence. They need an excuse because their upbringings will not allow them to simply engage in it randomly.

    Activists would never attempt any of their antics outside a slaughterhouse, because they would be quickly intimidated by the altogether more straightforward meat workers. Can you imagine what would happen if a violent animal rights protester spat on a slaughterhouse worker, or shouted abuse to them outside their home? I'd pay to see the results.

    Vandalism, threats, pretending to be a terrorist movement, designating "Legitimate Target" (LOL), it's how they get their kicks. It's a giant LARP for these people, except that real people doing real research on real problems are getting seriously hurt by it. They're having their fun, and the animals have nothing to do with it.

    Violent animal rights workers are simply bullies who pick soft targets, i.e. scientists, who they proceed to harass and abuse to make themselves feel better. They are not a legitimate movement. They are not a cause. They don't have a point of view. They are a rich kids' street gang, too afraid to actually walk the streets.

    I don't approve of animals suffering needlessly. I find experiments like this one [wikipedia.org], or this [wikipedia.org] contemptible, and if I was a research lab director, I wouldn't have approved them. I would however have approved less severe variations of such experiments. Ones in which while I knew animals might suffer somewhat, that they would not suffer needlessly or excessively. Animal research is necessary, and I defend its use, but only under the condition that the animals are treated with respect, and that their suffering and sacrifice is acknowledged. It's funny how more "primitive" cultures seem to follow such rules as a matter of fact, but our more "modern" scientists have to be reminded of it.

    We need science, but we also need our consciences. Animal rights activists have neither.
  • Re:huh (Score:4, Insightful)

    by theCoder ( 23772 ) on Thursday November 15, 2007 @09:54AM (#21363099) Homepage Journal
    Since the case (and the RIP law) are in the UK, I'd imagine that our (the United States) Bill of Rights doesn't apply. You can draw your own conclusions as to whether that means the basic rule of justice applies.

    Every time I think that the US government has gone off the deep end, it seems like the UK government is several steps ahead showing how much worse it could get.
  • Given enough time, and access to powerful computers, I could design a tool that would convert the random numbers you see there into any given text.


    Tool = XOR
    Key = RandomData XOR Magna Carta

    Doesn't take much time, or access to powerful computers.
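Added example, not part of the original thread or any poster's code: the `Key = RandomData XOR text` construction from the comment above, together with the earlier point in the thread that a disk wiped with random data and an encrypted volume look alike. `toy_keystream` (SHA-256 in counter mode) is an assumed stand-in for a real cipher, and all sample data is constructed.

```python
"""Random data, ciphertext and XOR keys (constructed demonstration)."""
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def key_for(blob: bytes, wanted: bytes) -> bytes:
    """Return the pad K such that blob XOR K == wanted (space-padded).

    This is the "Key = RandomData XOR text" construction from the thread.
    """
    if len(wanted) > len(blob):
        raise ValueError("wanted text is longer than the blob")
    padded = wanted.ljust(len(blob), b" ")
    return xor_bytes(blob, padded)


def toy_keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a toy stand-in for a real cipher's output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform one.

    With 255 degrees of freedom, uniform data scores about 255 +/- 23.
    """
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def demo() -> dict:
    size = 64 * 1024
    wiped = os.urandom(size)  # constructed: stands in for a wiped disk
    plaintext = (b"constructed sample document. " * size)[:size]
    encrypted = xor_bytes(plaintext, toy_keystream(b"constructed-key", size))

    # One blob, two "keys", two different "decryptions" of the same bytes.
    blob = wiped[:32]
    key_a = key_for(blob, b"Magna Carta")
    key_b = key_for(blob, b"shopping list")
    return {
        "chi2_wiped": chi_square(wiped),
        "chi2_encrypted": chi_square(encrypted),
        "chi2_plaintext": chi_square(plaintext),
        "decrypt_a": xor_bytes(blob, key_a).rstrip(),
        "decrypt_b": xor_bytes(blob, key_b).rstrip(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The wiped and encrypted samples score alike on the byte-frequency test while the plaintext does not, and a pad can be produced that turns the same random bytes into any text of the same length.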
  • Re:solution (Score:5, Insightful)

    by Sponge Bath ( 413667 ) on Thursday November 15, 2007 @10:36AM (#21363679)

    You don't have to prove you're innocent, they have to prove you are guilty.

    That kind of thinking is *so* pre 9-11.

  • by jc42 ( 318812 ) on Thursday November 15, 2007 @11:23AM (#21364381) Homepage Journal
    With any new law, it's always useful to ask yourself "How could someone abuse this, and victimize innocent people?" In this case, it's quite easy.

    First, ask yourself whether you may have any files on your machine that you don't know about, or which you couldn't decrypt. For most people, the answer is quite simple: "Yes." For example, do you run a browser? That browser has a cache. That cache contains files in an assortment of formats. It's quite likely that you've never seen some of those files' contents (maybe just because you didn't scroll far enough down the page to see the content). And if presented with only the file without any context, you'd have no idea what app to use to display its content, or even whether you have such an app installed.

    On my web site, I have a demo of a bit of javascript that downloads files but doesn't display their contents. The intended use is to "preload" files used in the rest of the web site while you're looking at the main page, so that subsequent pages render faster. I also point out how this can be abused: My demo page downloads a file that is never used in subsequent pages. This "hidden" file can contain anything I like, from any web site. It could contain child porn, copyrighted MP3 music, a proprietary program that you haven't paid for - or an encrypted text for which you don't have a key.

    As far as I can tell, this law doesn't distinguish this situation. The contents of your browser's cache are on your disk. This will be "proof" to most judges and juries that you downloaded them. So by merely viewing my web page or any other that uses such javascript, you could be framed for possession of such files. What would be your defense?

    The obvious defense would be to try to convince the court that you could have been framed in this fashion. But even if you succeed at this, similar things could be done to you by any number of other means. Do you have anything installed that contains "auto-update" code? Note that most browsers now do this. Firefox asks you if you want an update installed, and it's probably trustworthy. But we recently learned that Microsoft software sometimes installs updates silently, even when you have turned auto-update off. An auto-update routine doesn't install its files in a labelled "cache" directory. Files can easily (and reasonably) be installed in any directory that you can write. So if anything at all on your machine has an auto-update feature, anyone who knows how to trigger it can install any files they like on your machine. And you could be prosecuted for failure to deliver the keys to decrypt these files that you didn't know about.

    Almost every government contains people whose job includes finding ways to frame perceived "enemies" when the top people want. They won't have that as their job description, of course, and usually they are really working for the top officials or for a political party. This sort of law makes their job really easy, especially now that we have widely-used software such as browsers with caches, auto-update packages, and other things that download files without always telling the user about it.

    To comply with this law, you had better be prepared to decode every file on your disks, including those that belong to any proprietary apps that you may have installed. If there's a single file anywhere on your disk that you can't convert to a human-readable form, you can be jailed for violating this law.

    It's always a good idea to ask yourself "How can this be abused?"

  • Duh (Score:3, Insightful)

    by Z34107 ( 925136 ) on Thursday November 15, 2007 @12:42PM (#21365669)

    Because private companies are the pinnacle of competence and government is the pit of deepest stupidity.

    Well, duh. Private companies make money, government takes money. It's a perverted extension of "If you can't do, teach."

    But, you could argue that the "takers" are the really smart people...

  • Re:solution (Score:3, Insightful)

    by cayenne8 ( 626475 ) on Thursday November 15, 2007 @12:54PM (#21365861) Homepage Journal
    Can truecrypt and these hidden partitions be used somehow to mask/hide your swap partitions, etc....I mean, it doesn't do any good to hide all your files with plausible deniability, and just let them look over your swap space for damaging evidence. Windows and MS applications are notorious for swapping stuff around, aren't they?

    How do you make sure nothing is left in the open, even residual info from application usage?

  • 5 Amendment (Score:2, Insightful)

    by Anonymous Coward on Thursday November 15, 2007 @01:18PM (#21366297)
    No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

    I believe that somebody got off the hook by using this a few weeks to a month ago.

  • Re:Duh (Score:5, Insightful)

    by mccabem ( 44513 ) on Thursday November 15, 2007 @01:47PM (#21366875)
    Teacher hating very often fits into that same way of thinking.

    Business and government are similar in that they are all staffed and run by people (that is, greedy grafty nasty people). They are different in that we elect our government people and there is some oversight of the work and the results - sometimes late, and sometimes shoddy, but the oversight is there. A business, on the other hand, involves no community decision, is run as a dictatorship and there is minimal oversight (less and less every day since the 80's).

    I'm not anti-business, just honest. The problems come from the people, not the organizational method. The organizational method is supposed to be a way of compensating for the problems while minimizing the bad side-effects.

    Being anti-gov't or anti-teacher is just a way of parroting something you heard from someone else -- it's not a legitimate position to argue from.
  • by tinkerghost ( 944862 ) on Thursday November 15, 2007 @03:02PM (#21368261) Homepage

    There is one way to fairly strongly demonstrate the existence of a hidden volume, and that's to have access to the file over a period of usage without the owner's knowledge.

    If you have that kind of access to the computer, then you would have also had enough access to do keylogging for the password, and the issue would be moot.

    The only scenario I can possibly see where that would help you is if you had incremental backups. But then again, you may just be blowing away the partition & rebuilding it as you change projects/finish getting your latest pre-release movie/etc.

  • by Sancho ( 17056 ) on Thursday November 15, 2007 @03:54PM (#21369059) Homepage
    I don't have the best understanding of how it all works, but I know that there are some errors here.

    There are a couple of drawbacks to this method, one being that you can have two encrypted volumes start to corrupt each other if you fill the entire partition. If you plan ahead for this scenario you can avoid it, though. The other drawback is that you have to encrypt an entire partition to use it.
    That's not how it works.

    When you initialize your encrypted disk space, you tell Truecrypt how many containers you want. Say that you choose 2. When you mount your Truecrypt drive, you must always mount both containers. In this way, Truecrypt knows and can maintain integrity between the two--they won't start to overwrite or corrupt each other, because they are both known about and available. If you ever only give the first key (you can't just give the second key, as the second container is entirely within the first) then you run the risk of corrupting the second container--in fact, any write operation will probably do it.

    Now you can choose more than just two containers, and the same applies. One thing I'm not sure of is whether the third container is fully within the second.

    None of this, however, helps in hiding the existence of a PGP key. If your opponent has access to your email servers and can see you sending messages encrypted by PGP you're gonna have some explaining to do when it comes to investigation time. I don't know of any steganographic programs with plausible deniability that are out at this time. If anyone's heard of any please let us know.
    Even this has some subtle nuances.

    If I am sending encrypted mail using PGP, I'm using someone else's PGP key. I don't have to have a PGP key myself in order to do this. If someone else is sending me encrypted messages, they could be sending it using anyone's PGP key--it's only obviously my key if it's provable that I've read the messages. For example, Alice could encrypt a message using Bob's public key, and then send that message to Charlie in an effort to frame him. Charlie gets the junk message and deletes it, but the feds who were wiretapping Charlie come in and demand to know what was in the message. Charlie can't answer--he has no idea. So he gets 2 years in prison from the RIPA act.
