Forgot your password?
typodupeerror
Encryption Security Government News Your Rights Online

In UK, Two Convicted of Refusing To Decrypt Data 554

Posted by kdawson
from the no-pleading-the-fifth dept.
ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."
This discussion has been archived. No new comments can be posted.

In UK, Two Convicted of Refusing To Decrypt Data

Comments Filter:
  • by mseeger (40923) on Wednesday August 12, 2009 @05:36AM (#29035161)
    This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?
    • by im just cannonfodder (1089055) on Wednesday August 12, 2009 @05:51AM (#29035257) Homepage
      part of the law is that if you get a demand from the police you are not allowed to tell anyone about it other than your solicitor.

      so no public accountability yet again by our government.

      http://www.ckwop.me.uk/Articles/article01.html [ckwop.me.uk]

      An analysis of Section 3 of the Regulation of Investigatory Powers Act 2000 The Regulation of Investigatory Powers Act 2000 is a piece of UK law that, among a range of other things, contains a section that is meant to require the surrender of cryptographic keys to certain authorised parties (which are in effect instruments of the government). If such a request is made as part of an investigation, then the party who disclosed the key is not allowed to tell anyone that the authorities have that key or they face up to two years in prison. Equally, if the party fails to disclose the key, they also face up to two years in prison.

      • by Kupfernigk (1190345) on Wednesday August 12, 2009 @06:48AM (#29035665)
        If you are part of a terrorist cell (or a criminal gang) and the police obtain your encryption keys, telling the rest of your cell or gang will enable them to destroy their own compromised data before PC Plod arrives. That is the logic behind the law.

        The alternative is to lock up everybody who has supplied keys until any legal case is over, so they cannot communicate the news. This would be worse.

        Law is simply unable to keep up with the development of mass communications and freely distributable digital data. It's a simple as that. The options are to do a 16th century Japan and ban progress, or accept there will be problems en route.

        • by damburger (981828) on Wednesday August 12, 2009 @07:00AM (#29035751)
          Where the definition of 'terrorist cell' is up to the authorities, and in this case means 'animal rights activist'. It could mean anything according to this corrupt, overbearing government.
          • by digitig (1056110) on Wednesday August 12, 2009 @07:25AM (#29035899)

            Where the definition of 'terrorist cell' is up to the authorities, and in this case means 'animal rights activist'. It could mean anything according to this corrupt, overbearing government.

            Some animal rights activists do use terror tactics, including bombing campaigns [latimes.com], so in this case it might not just mean 'animal rights activist', it could mean everything you normally mean by 'terrorist'. Yes, there are huge problems with the law, but its being used against animal rights campaigners is not de facto one of them.

            • by damburger (981828) on Wednesday August 12, 2009 @08:04AM (#29036195)
              And is there any indication that these people were dangerous bomb-wielding psychos, based on what the government is saying? No.
              • by jabuzz (182671) on Wednesday August 12, 2009 @08:42AM (#29036561) Homepage

                Actually the UK has a problem with extremist animal rights activists who do go round bombing things. Some of these are now behind bars and rightly so.

                • Re: (Score:3, Insightful)

                  by blueskies (525815)

                  But why punish more people then? So if you didn't happen to get bombed by an extremist, you also get an opportunity to be arrested for having encryption too?

                  I'm not sure how it is a net positive for people. Is it better to catch a criminal and send 5 other people to jail or to have all 6 of them out of jail?

              • Re: (Score:3, Insightful)

                Erm, from TFA:

                The Register has established that the woman served with the first section 49 notice, as part of an animal rights extremism investigation, was not one of those convicted for failing to comply. She was later convicted and jailed on blackmail charges.

                There is actually a series problem with animal rights extremists in the UK. Some of them are terrorists in every sense of the word.

              • by Anonymous Coward on Wednesday August 12, 2009 @09:34AM (#29037235)
                My wife's boss had death threats and faeces shoved in his mailbox by these terrorists because his company does IT work for the London office of a large Japanese conglomerate with a partly owned subsidiary that was once a supplier (not of animals) to Huntingdon Life Sciences. They use exactly the same twisted mentality as Al Qaeda to justify their attacks on the most vaguely related of targets.
              • by digitig (1056110) on Wednesday August 12, 2009 @10:06AM (#29037713)
                No. Nor is there any evidence that they weren't, because the government is keeping everything secret. That is a problem, I agree. But you seemed to be suggesting they were animal rights activists rather than terrorists, and that this was a case of terrorist legislation being used on non-terrorists, which happens, but not necessarily in this case. The union of the sets "Animal rights activist" and "Terrorist" is not empty.
            • by binaryseraph (955557) on Wednesday August 12, 2009 @09:32AM (#29037189)
              If it was animal rights activits, they should have just eaten hamburgers infront of them. That will get the password out quick... Then again, that might also count as torture. "burger-boarding"
            • by xappax (876447) on Wednesday August 12, 2009 @12:55PM (#29040351)
              You might be interested in the "Animal Enterprise Terorism Act" (AETA), a new US law which specifically targets animal rights activists. It basically defines activities that most would consider protected speech as terrorism, and punishable with long jail sentences - specifically if those activities are connected with animal rights activism. For example, activists in the US are currently being tried under AETA for holding (admittedly loud and obnoxious) rallies outside upscale fur stores and the homes of high-profile vivisectionists while wearing masks. No weapons, nobody harmed, nothing even broken, and yet everyone expects they will be convicted of what amounts to domestic terrorism. They may already have been, I haven't followed it closely.

              The lesson here is that just like with child pornography, governments start out using unpopular groups to introduce new repressive methods. If we don't speak up in their defense now, even if we don't care about the groups being targeted, we'll almost assuredly be next ourselves.
          • by Kupfernigk (1190345) on Wednesday August 12, 2009 @09:47AM (#29037425)
            I have been around, I can tell, a lot longer than you have. I've been in countries with overbearing, corrupt Governments. Item 1, you have no idea what you are talking about. When you've failed to bribe a Mexican official or got involved with Spanish Mafia house building scams supported by corrupt local officials, or fallen foul of a South American or Russian "businessman" then you can post about it. Until then, don't exaggerate.

            Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament. If you don't like the definition, write to your MP, join a political party or a pressure group (there are lots) and do something, don't just whine. And if you are a 16 year old posting from your bedroom, William Hague was addressing a Party conference at 16, and I was visiting Parliament several times a year at the same age. You have no excuses. We have senior MPs who get it - David Davis, Chris Huhne.

            Item 3.Others have made the point that the UK has had animal rights activists every bit as bonkers and dangerous as US anti-abortion or anti-gun-control activists. But the point also needs to be made that law must be general and not have exceptions. Exceptions make bad law. If we start deciding who is or who is not a terrorist based on anything other than their actions and intentions, this is very dangerous for civil liberties.

            Although I think this is an unfortunate law, it is difficult to see how it could be any different. What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.

            • Excuse me? (Score:4, Interesting)

              by BenEnglishAtHome (449670) on Wednesday August 12, 2009 @11:06AM (#29038603)

              Bad examples make for bad arguments. You broadly characterize "anti-gun-control activists" as "bonkers and dangerous".

              That's not a good analogy. There are lots of folks on slashdot who understand that "pro-personal freedom" == "pro-owning the means to engage in justifiable violence". We're as rational and peaceful a bunch as you're ever likely to encounter.

              Please be mindful that using bad analogies tends to render less impactful your otherwise insightful statements.

            • by speedtux (1307149) on Wednesday August 12, 2009 @12:53PM (#29040321)

              Item 2, terrorism is defined in UK law, and judges have to abide by that law. The definition is not "up to the authorities". It is made by Parliament.

              Instead of pontificating, why don't you just actually read the law [opsi.gov.uk]. There is a disclosure requirement if:

              (a) in the interests of national security;

              (b) for the purpose of preventing or detecting crime; or

              (c) in the interests of the economic well-being of the United Kingdom.

              Those provisions are so vague that police can require you to disclose encryption keys for anything at any time.

              What is your proposal to prevent organised crime using encrypted media to conceal their activities? Unless you can point to a workable alternative solution, you are just ranting.

              The purpose of this law is not to prevent covert communications because that is impossible in principle.

              The purpose of this law it's to give the UK government additional means to force people to obey the government even in areas where the government otherwise has no cause or legal means of forcing you. It's a totalitarian law forced through parliament under the pretext of crime and terrorism prevention.

          • Re: (Score:3, Insightful)

            by EatHam (597465)

            and in this case means 'animal rights activist'

            Yes, well, it's all about the animals isn't it? I mean, really, if I were to bomb things, burn things down, physically intimidate and threaten people, indoctrinate other people into a cult-like society of violence and terror, but it was for the animals, certainly I could not be called a terrorist, could I?

        • by rtb61 (674572) on Wednesday August 12, 2009 @07:01AM (#29035757) Homepage

          The is so wrong. The logic of the law is that you are now legally liable for your memory. Can't remember something 5 years in prison, it is by far the most offensive legislation there is, hmm, what next death penalty for amnesiacs.

          I have forgotten lots of passwords, I have had to rebuild data, redo secure OS installs, drop web accounts, have passwords reset and what some fucked up government and corrupt court decide that they want that information, my total by now 5 years at a time would be up around 250 years in jail. The law is bullshit, there is a profound difference between telling a lie and withholding the truth, conscious effort is required to tell the lie but withholding the truth simply requires a lapse of memory. How many people, failed to get every answer right in every test and exam they have taken, billions of people, it is the norm and in by far the majority of instances, they had been provided all the information required to get 100 percent on those tests and exams.

          Now lets start holding politicians to the same standard, zero forgetfulness, zero lapses of memory, zero forgotten promises, 5 years jail for every offences, oh yeah, because it does affect national security.

          • Re: (Score:3, Insightful)

            by Kentaree (1078787)

            Now lets start holding politicians to the same standard, zero forgetfulness, zero lapses of memory, zero forgotten promises, 5 years jail for every offences, oh yeah, because it does affect national security.

            You could get elected if you went into politics with that agenda, before not implementing it with no consequences! :p

          • Re: (Score:3, Informative)

            by MBGMorden (803437)

            Absolutely true. I'll admit that this isn't even my original Slashdot user ID. The original one I forgot the password to and it's email is set to a long dead account, so I'm certainly not getting any hints or resets via email.

            I've forgotten tons of others too. Just because someone can't give you the password to an encrypted container or file doesn't mean they're withholding it. Heck I've setup plenty of Truecrypt volumes for sending data back and forth to vendors at work. Lord knows I've forgotten most

          • Re: (Score:3, Insightful)

            by instagib (879544)

            I don't think the authorities involved are that stupid. You can be sure they deduced from the suspect that they do remember the keys, and that they hide significant information relevant to the prosecution. It's not 1984 everytime someone has to give up information to the police.

        • by schon (31600) on Wednesday August 12, 2009 @09:15AM (#29037013)

          If you are part of a terrorist cell (or a criminal gang) and the police obtain your encryption keys, telling the rest of your cell or gang will enable them to destroy their own compromised data before PC Plod arrives. That is the logic behind the law.

          Umm, that's not logic. That's anti-logic.

          Logic would be the realization that a terrorist or organized criminal break laws by definition. Did the people who wrote this honestly think that a terrorist would say "oh, no - our plot to murder thousands of innocent people has been discovered - I'd tell my co-conspirators, but there's that pesky law preventing me!"?!?!

        • by phoenix321 (734987) * on Wednesday August 12, 2009 @11:34AM (#29039001)

          Replacing "keys" with "incriminating documents":

          "If you a part of a criminal gang and the police obtains incriminating documents, telling the rest of your gang will enable them to destroy their own compromised data before the cops arrive. That is the logic behind this law."

          And then:

          "The alternative is to lock up everybody where incriminating documents have been found until the case is over, so they cannot communicate the news. That is the logic behind this idea, which would mean no calls to a lawyer therefore being declared unconstitutional for decades."

          One suspected criminal is arrested and the police has to catch all other pieces of evidence before the rest of the gang destroys them. Nobody would declare that law is unable to keep up with that and nobody would ever dare to abolish due process, in dubio pro reo and all that which make the primary and most important differences between Law Enforcement under the Rule of Law and the Mafia themselves.

          Simply because documents are electronic and not paper should not change one iota of due process. Criminals have been able to destroy evidence since the dawn of mankind and definetly since the dawn of Western democracies, when we decided to rather let some of the guilty be unpunished than to punish any single innocent.

          Forcing suspects to incriminate themselves is organized thuggery, not law enforcement.

          Digital crimes are hard to prove as they were and easy enough to incriminate the innocent, with USB sticks of only a few grams and millimeters capable of holding hundreds of thousands of the most grotesque and heineous pictures known to man - and no humanly way for the defendant to prove they're not his/her own. -

          Now imagine
          - a tiny USB stick found in your jacket after arrest.
          - a 4gig blob of /dev/random but an extension .gpg on it.
          - you facing 2 years of jail for not revealing a password neither you nor God ever knew because neither you nor Bruce Schneier can prove it is random and NOT encrypted data.

          or even without intervention of a malicious police officer who framed you because he's after your wife

          - you are the suspect of some crime, for whatever reasons, but you are innocent.
          - police search and seize your property, lawfully and with a legal warrant.
          - police finds a nondescript CD-R, hidden deep in your closet that contains data that looks suspicious AND encrypted
          - it really IS encrypted data which you yourself encrypted. It is raunchy, but harmless (read: legal) stuff from college times.
          - you produced this material several years ago, while in college in Alpha Beta Gamma frat and wanted to never ever have your roommates watch it.
          - you kept the CD for sentimental reasons and summarily forgot the password and the fact that it ever existed. It was just sitting in the bottom drawer and went along the other stuff when you moved.
          - you really forgot the password, in fact, you didn't remember that you even had the CD at all

          - when the district attorney presents this CD as exhibit XY, you remember what it was and become nervous because your wife and kids are in the courtroom. You still don't remember the password as it was really long.
          - the judge noticed you became nervous and will now never believe any story you tell unless you present the password as proof.
          - result: you are innocent, but you are probably facing a 2 year non-commutable sentence for not revealing the password

          Hands up who thinks that's a good law.

    • by L4t3r4lu5 (1216702) on Wednesday August 12, 2009 @05:51AM (#29035263)
      That went too. Remaining silent when they ask for your encryption keys is failing to provide the encryption keys.

      Besides, we all know that the new system is heavily based on proving innocence. Innocent until speculated guilty, and all that.
      • Re: (Score:3, Funny)

        by The_Quinn (748261)

        Besides, we all know that the new system is heavily based on proving innocence. Innocent until speculated guilty, and all that.

        That is a debatable statement, and therefore considered illegal under the new Stop Misinformation Act. I am forwarding this to the Internet Snitch Brigade.

    • by tygerstripes (832644) on Wednesday August 12, 2009 @06:02AM (#29035345)

      I'd be curious to learn how many of the four who did comply were subsequently convicted of the crimes for which they were being investigated, and what sentences these convictions entailed. I'm also very curious about what prevented the conviction of the other non-compliant nine. Essentially: was it worth it?

      While I can see the arguments for and against permitting Section 49 sanctions, I want to know what the practical upshot is. Hypothetically, it may be worthwhile to a potential criminal to serve up to a couple of years in prison with a note on their record akin to "refused to assist in investigation" rather than face the potentially much more damaging convictions that their cooperation might incur.

      My concern is that the law will be amended to reflect this, leading to much harsher sentencing in order to prevent this kind of cost-benefit decision being made by suspected criminals.

      • by Rogerborg (306625) on Wednesday August 12, 2009 @08:02AM (#29036171) Homepage

        I'd be curious to learn how many of the four who did comply were subsequently convicted of the crimes for which they were being investigated

        Bear in mind that the State can force Alice to hand over keys in relation to an investigation on Bob, so it's not even a case of prosecuting the guilty, just the forgetful.

    • by Anonymous Coward on Wednesday August 12, 2009 @06:10AM (#29035409)

      This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

      This is the UK. They already have removed the right to remain silent [urban75.org] in the Justice and Public Order Act 1994.

      • Re: (Score:3, Insightful)

        by maxwell demon (590494)

        This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

        This is the UK. They already have removed the right to remain silent [urban75.org] in the Justice and Public Order Act 1994.

        I'm I the only one who at first misread the second 9 for an 8?

    • Re: (Score:3, Insightful)

      Wait, isn't this more like police demanding you unlock a door? You can't hide evidence behind a physical lock, so why should a digital lock be different?

      • by FinchWorld (845331) on Wednesday August 12, 2009 @06:26AM (#29035511) Homepage

        Any safe can be broken into, especially if its the police doing it, because no ones going to arrest them half way through the attempt. So key or no key, there getting what they want, though they may have something of a dim view of you come sentancing if you didn't give them the key and whatever illegal activity was in the safe. If there was nothing in said safe, and the key really had been lost, the police more or less wasted there time and your not guilty of anything, after all they never found that key either.

        However, with encryption it could well take the span of several peoples life times to crack a key needed to unlock the data, hence the law brought in. However if you have genuinely lost the key, or its destroyed, and you have nothing illegal encrypted, say bank details and the like, your going to prison anyway.

      • by DigitAl56K (805623) * on Wednesday August 12, 2009 @07:00AM (#29035747)

        The police don't know what evidence is there with certainty until they can access it. If they are given the power to break open a physical lock because they have satisfied a judge (or any other requirement) that they are likely to discover evidence by doing so, that's one thing. However, they can get to that evidence with or without your help.

        If they believe that decrypting a drive or file will provide evidence and they can get to that evidence without your help fine. If they can only get to the evidence with your help then they have no evidence. And this law is basically saying that with no evidence they can send you to jail.. because you won't help them prosecute you. Which is kind of contrary to the whole concept of legal trials: how can it be mandatory for you to do the work of the prosecution when you are the defendant?

        Elsewhere in the discussion others mention the right to remain silent, and when you ask "isn't this more like police demanding you unlock a door? You can't hide evidence behind a physical lock, so why should a digital lock be different?" then there are a whole bunch of slippery slope questions. Isn't this like the police demanding you tell them where you were at the time of the crime? You can't stop them finding out (but they may never unless you tell them). Who were your accessories? You can't prevent forensics from determining that so you should have to tell them!

        But really, let's simplify it:

        "You can't hide evidence behind a physical lock, so why should a digital lock be different?"

        Because it is different? You can hide evidence behind a digital lock, and you do have the right to remain silent. Sometimes. Apparently.

        BTW I am from the UK and I grow more ashamed of the people who govern it almost every day.

  • What I want (Score:5, Interesting)

    by petes_PoV (912422) on Wednesday August 12, 2009 @05:37AM (#29035165)
    is an encryption system with 2 keys.

    One decrypts the files or filesystem while the other key overwrites the contents with random data.

    I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.

    • Re:What I want (Score:5, Informative)

      by jeek (37349) <<jeek> <at> <jeek.net>> on Wednesday August 12, 2009 @05:42AM (#29035197) Homepage

      Look into the Phonebook filesystem. Not quite what you mentioned, but almost as good.

    • Re: (Score:3, Informative)

      by CarpetShark (865376)

      I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.

      There are a few encryption systems out there which provide plausible deniability, and would work something like this (in theory). However, most have pretty clear information, like standard file headers. I've never bothered to actually look at one for encrypted files, but I imagine the file headers

      • by petes_PoV (912422)
        Yes, I've see systems like truecrypt. However, in this case it's possession of encrypted dfata (and the unwillingness / inability to disclose the password) which is the crime. The only solution is to have an encryption mechanism that is indistinguishable from a block of random data. No doubt, then random number generators will be considered "munitions" and made illegal, too.
        • by hany (3601)

          Aren't they already?

          Because, there was a story, that if you look (hard enough) into say Pi, you find your latest favourite Hollywood flick in there somewhere. So DMCA or something similar might be used to forbid you from even possessing a Pi number computed to a big fraction.

          I guess (I have to, I do not have mathematical proof) that similar argument can be made also for any big enough random number.

          So, RNG generator are not only "munitions" but also a "devices for creating copies of copyrighted works".

          note

        • Re: (Score:3, Interesting)

          by maxwell demon (590494)

          However, in this case it's possession of encrypted dfata (and the unwillingness / inability to disclose the password) which is the crime.

          So in the UK it is a crime to possess DRMed media? :-)

    • Re:What I want (Score:5, Informative)

      by L4t3r4lu5 (1216702) on Wednesday August 12, 2009 @05:46AM (#29035225)
      I think you're approaching this from the wrong angle.

      The issue is no longer whether you can prove their is nothing incriminating in the "ecrypted file" but whether the old memory you've had for 7 months is an encrypted file or not.

      Further, TrueCrypt is well known. "Hey, do you have a second 'hidden' partition on this slightly incriminating but pretty inoccuous drive?" "No." "I don't believe you. Do not collect £200."

      This is a very, very bad day for the British public.
      • Re: (Score:3, Interesting)

        by Hatta (162192) *

        Further, TrueCrypt is well known. "Hey, do you have a second 'hidden' partition on this slightly incriminating but pretty inoccuous drive?" "No." "I don't believe you. Do not collect £200."

        What this means is that if you run Truecrypt, they can send you to jail, even if you honestly do not have a hidden partition. There's no way for you to prove that there is no hidden partition. Anybody running Truecrypt in the UK could go to jail for this reason.

    • Re: (Score:2, Insightful)

      by Clairvoyant (137586)

      Or just use Plausible deniability, like Rubberhose: http://iq.org/~proff/rubberhose.org/

    • That's not an encryption feature, that's an app feature. The application would have to recognise the "destruct" key and wipe the date; The encrypted file wouldn't recognise it automatically.

      This is why the most fundamental aspect of forensic computing is "read-only."
      • by petes_PoV (912422)
        Yes, it is. However make the decryption app a part of the encrypted filesystem (or file). That way there can be no third party application available to perform the decryption. The decryption process would therefore be a two-stage affair:
        1.) supply one or other of the passwords to the publicly available decryption system
        2.) this runs and decrypts something like a bootstrap, which checks the password it was given and either decides to decrypt the rest of the data, or to overwrite it (without ever decrypting
    • by haeger (85819)

      That's assuming that the police are drooling morons that have no clue what they're doing.
      Obviously they'll copy the drive before trying anything on it. You hand over the "wrong" key, data gets scrambled, the restore it from the copy they took and asks for the correct key.

      Contrary to popular belief the police are quite capable. At least when you get one step up from the patroling officers.

      • Re:What I want (Score:4, Interesting)

        by PeterBrett (780946) on Wednesday August 12, 2009 @06:11AM (#29035419) Homepage

        That's assuming that the police are drooling morons that have no clue what they're doing. Obviously they'll copy the drive before trying anything on it. You hand over the "wrong" key, data gets scrambled, the restore it from the copy they took and asks for the correct key.

        This sounds like a good application for a TPM, don't you think? Isn't that supposed to stop anyone being able to remove data from the machine? (Unless the TPM is backdoored...)

        Do modern TPMs have a "suicide" feature that allows them to destroy the secret and create a new one on operating system request? If not, they should have.

    • No need to overwrite your data, which would show hard drive activity, and which would have no effect, since police always work on copies. TrueCrypt [truecrypt.org] provides a hidden volume. The TrueCrypt hidden volume is not detectable.

      "I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted."

      In every country, lawmakers with no technical knowledge whatsoever are w
    • by b4upoo (166390)

      And how can they decide if a password has simply faded from human memory? Most people have probably lost a file or two simply be forgetting the password.

    • Re:What I want (Score:5, Interesting)

      by tsotha (720379) on Wednesday August 12, 2009 @06:29AM (#29035533)

      I've been thinking about that for awhile. You don't want a system that will destroy the encrypted data - as others have pointed out, the cops will image your drive before they do anything, so it's sort of pointless. But I think you could do even better with a set of one time pads. I'm envisioning a system that works like this:

      1. You have data you want to encrypt of a certain size. Doesn't matter how large, but you can't really add to it after it's encrypted.
      2. You generate a key the size of your original data and xor the key with the data you want to encrypt. If your key is random enough it should be impossible to decrypt. They say you can get something truly random with atomic decay or cosmic background radiation. These days storage is cheap, so having a key as big as a couple gigs should be no big deal - keep it on a fob.
      3. Now here's the twist. After you've encrypted your data you generate a second "key" by xor-ing the encrypted data with something innocuous. War and Peace, maybe, or cat pictures from the internet. Now you have a key you can give to the cops if they ever come calling, and the data they come up with will be recognizable as data of some sort. So it will be difficult for them to argue you haven't provided "the key".
  • Can I ask.. (Score:4, Interesting)

    by eexaa (1252378) on Wednesday August 12, 2009 @05:38AM (#29035169) Homepage
    ...if you lost or just really forgot the decryption key/passphrase, would it count as refusing?
    • Re:Can I ask.. (Score:4, Informative)

      by FluffyWithTeeth (890188) on Wednesday August 12, 2009 @05:44AM (#29035209)

      Obviously, yes.

    • Re:Can I ask.. (Score:5, Interesting)

      by FinchWorld (845331) on Wednesday August 12, 2009 @05:49AM (#29035241) Homepage

      Carefully crack a CD in various places, so that not data can be recovered from it, scrawl on it "Encrytion Keys - Keep Safe" and hide in a stack of CDs.

      When arrested, tell them about this CD that has your keys. When they come back and inform you its damaged go psycho screaming at them for having lost your keys, and hence, years of data (cos your back ups are encrypted too right?).

      Sue.

      Profit!

      Ok maybe not, worth a thought though.

      • Re: (Score:3, Insightful)

        by ledow (319597)

        If it got to the point where you're in court, they will happily pay the £1000 or so that it would cost to read even a cracked CD. And when they found it was blank, they would impose a harsher sentence for lying in the first place.

        It's much harder to "destroy" the entire CD that just cracking it. You would almost literally have to set it on fire in order that they couldn't say "well, we recovered 90% of the data from the various shards and found nothing but zeroes".

        • Re: (Score:3, Interesting)

          by Yogiz (1123127)

          You can always write a single text file containing something that looks like encryption keys and then when they discover that none of the keys work, you can say that they have corrupted the disk. Whatever, write a corrupt disk in the first place. I have a half-broken cd-writer that writes half broken cds all the time.

        • Re:Can I ask.. (Score:5, Insightful)

          by YeeHaW_Jelte (451855) on Wednesday August 12, 2009 @06:36AM (#29035587) Homepage

          So? Don't use an empty CD but one with the actual keys. Flip a bit somewhere in the keys.

          If they try to decrypt your drive with the key and fail, blame the recovery process.

          I think they'd have a pretty hard time proving that the recovery of the keys from the damaged CD was 100% correct. They might get so far as to make it probable, but I know if no way to prove it 100% accurate without the original data to verify it with.

          Hmmm, maybe I shouldn't have posted this ... if they find this message and link it to an IP I frequently use ... /me engages in paranoid episode.

      • Re:Can I ask.. (Score:5, Insightful)

        by sakdoctor (1087155) on Wednesday August 12, 2009 @06:21AM (#29035479) Homepage

        What if, what if, what if...

        No cute little work-around is going to help, because the RIP act was designed as a tool of authoritarianism.
        Recently in historical terms, encryption has became essentially unbreakable [wikipedia.org], and this is the backdoor to it all.

        • by iworm (132527)

          No mod points. So here to say to you "Spot on". Totally and completely correct.

  • That's rich (Score:5, Insightful)

    by CarpetShark (865376) on Wednesday August 12, 2009 @05:39AM (#29035181)

    There is uncertainty in that the names of the people convicted were not released

    That's rich. The government convicts people for keeping secrets, and then keeps secrets about who was convicted.

  • by Anonymous Coward on Wednesday August 12, 2009 @05:54AM (#29035285)

    A hundred years ago today, if someone had a giant safe in their house, and they were suspected of any crime whatsoever, the legal authorities (of pretty much every country in the world, it would baffle me to hear about somewhere this would not be the case) would simply ask for the keys. If the person refused to hand them over, the person gets punished. The "punishment" can be of different forms - whether prison in itself, or just a lot more unfavourable treatment from a judge and the assumption of guilt going against you, but nothing at all? Never. The difference with encryption keys is not all that great.

  • One-way encryption (Score:2, Informative)

    by indre1 (1422435)
    So if I encrypt my data with an encryption mechanism that can't be inverted by today's standards and someone doesn't like it, I'll go to jail?
  • by ebonum (830686) on Wednesday August 12, 2009 @06:04AM (#29035361)

    Suppose I have TrueCrypt installed on my machine, but I don't have anything encrypted. What stops to police from accusing me of having encrypted files and demanding a key? How do I prove random bits of data on my HD are random bits of data and not super secret encrypted files?
    I doubt I even need Truecrypt installed for the police to use this to get a guaranteed 2 or 5 year conviction.

    • by ebonum (830686) on Wednesday August 12, 2009 @06:39AM (#29035619)

      To clarify, proving that a section of random bits of data on my hard drive is NOT an encrypted file is equivalent to proving that I am NOT a witch.

      This could be easily abused by the police. All they have to do is find a section of random data on a hard drive. Then, the police ask you for a key. When you don't provide one ( because there is no key ), you get convicted on "Refusing To Decrypt Data" charges.

      It isn't possible to say with certainty what is random data and what is encrypted data.

  • by jimicus (737525) on Wednesday August 12, 2009 @06:07AM (#29035385)

    It's an appalling piece of legislation for a number of reasons:

    1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?

    2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?

  • by Jane Q. Public (1010737) on Wednesday August 12, 2009 @06:12AM (#29035427)
    In the U.S., people generally cannot be required to provide encryption keys under the 5th Amendment. However, there are exceptions. There was the recent case of one man who was searched by Customs (or DHS, or whoever) at an airport. One of the agents discovered child pornography in an encrypted portion of the disk that had been (temporarily) opened for access.

    Somehow, by the time authorities took possession of the computer, the encrypted drive was no longer opened. The last court decision about that case I am aware of states that a subpoena for the encryption key can be enforced, because the government was already aware of the existence of illegal material, and where it was. All they needed was a "key". This is vastly different from demanding a key first, so they can poke around in your private material.

    As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.
    • Re: (Score:3, Insightful)

      by Yogiz (1123127)

      As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.

      It's a funny law in this case, as you can be arrested and convicted for not letting the police into that shed in your back yard even if you have no shed in your back yard. Everyone with a back yard (hard drive) could be convicted to jail without any proof. Convenient.

      I'm afraid to travel to the U.K. even with my laptop's harddrive overwritten with /dev/urandom because if they say it's an encrypted drive, how will I prove it's not?

  • To NUKE the place from orbit!!!
  • The solution (Score:5, Interesting)

    by Thanshin (1188877) on Wednesday August 12, 2009 @06:21AM (#29035483)

    The solution to this and other similar "bad law" problems is making them big and visible to the common population.

    1 - Get a worm that allows to save data on infected computers.
    2 - Get an encrypting program that supports plausible deniability.
    3 - Infect self with worm.
    4 - Install encrypting program in all infected machines.
    5 - Accuse random people of having criminal data in their computers. (e.g.: "I was playing a WoW game and this guy told me he had several thousand [criminal data]").

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      The common population is too stupid and lazy to understand or care about the problem until the ruling class and the media which feed at their trough devote time and airplay telling them that it's important.

      No, the real solution is to drop the people that created the problem right in their own mess. These happen to be the same people who could correct the problem. I am of course talking about politicians.

      Say, hypothetically, you're a computer tech and you happen to be servicing some MPs computer one day. It'

  • by Anonymous Coward on Wednesday August 12, 2009 @06:39AM (#29035611)

    Yes, the Brits might be able to find something by untrained criminals by this hard handed method, but the blowback from this strategy is going to seriously hurt them in the long run.

    Trading partners will be leery to send envoys over to make agreements when at a whim, their machines can be searched, and any trade secrets copied off. If deals are done with British companies, they will be done out of the country, or via electronic means. Companies will not want to set up branch offices in the UK because their facilities can be searched at any time and trade secrets taken. Finally, where does this end? Does someone in the UK have to give up all root/Administrator/sa passwords on request that are on the remote company's VPN or else go to prison?

    Of course, the true terrorists are not going to be caught. They don't bring laptops in with their super secret plans. It seems the UK is aiming the RIPA act for more of an industrial espionage type of game than anything else, intending to demand trade secrets via the heavy hand of their bobbies, then hand the results over to their domestic interests. Other countries do this too, but those are very repressive regimes, not a First World nation.

    Of course, legitimate people will get around this, but it requires backflips and makes PHBs less interested in doing business with the UK. Some means that people will use:

    1: TrueCrypt is the first thing. Perhaps even a TC hidden OS with the decoy OS storing some random chaff in the outer volume. This way, there are no MRU traces of anything in there.

    2: BitLocker and multiple users. The laptop's owner has a non administrator user and given the password of the account with the business critical data once in the UK before the meeting. Then when it comes time to head back to the States, the user account is disabled via remote. Of course, a hardware device to grab the Bitlocker volume key can get around this. The user account with the data can be protected via EFS, so when it expires, not even an Administrator can access it. Of course, there are varying methods to recover EFS protected files, so perhaps an Administrator-only accessible script that runs that would erase the sensitive user account before hitting the airport might be needed. If the user is questioned, he could show that he had no access and likely no knowledge of that functionality, it was corporate HQ who did that.

    3: VMWare ACE installations. Similar to #2 above, the laptop will have an ACE install with a complete Windows VM present that has all the information needed to access a company network. The ACE install will be valid from a certain starting time and expires before the overseas traveler boards the plane home. Also, the company will E-mail the user the password to the ACE VM once he or she checks in. This way, a traveler will pass through security, and if questioned about the ACE install, will be unable to provide any information on it. On the way back, if the laptop is seized, the ACE VM would be expired and not accessible even with the right credentials. (Of course, the ACE VM would have some security inside it so just using it wouldn't mean free reign on the home corporate VPN.)

    4: The hard disk for the business stuff would be mailed to the envoy's hotel. Traveler has a decoy OS on the laptop that is being used for travel, has a hard disk with the real data sent via post (and the password to the data sent via another method). Then the user puts in the real HDD, does his/her work, and when it comes time to head home, the real HDD is either sent back via mail, erased, or physically destroyed. (2.5" laptop drives are delicate and a couple hits from a ball peen hammer have a good chance of shattering the platters.

    5: Then, there is the old fashioned way of having the laptop just be a remote client with no data stored locally. The user would have network access that would start when he or she got to the hotel and called in with a coded "OK" message, and expire before he or she goes to the airport.

  • ritual umbrage (Score:5, Informative)

    by epine (68316) on Wednesday August 12, 2009 @09:43AM (#29037363)

    I'm stunned, I don't know why, to see people debating this as if this is the first time the issue has crossed their consciousness. News flash: this has been in the public water supply for at least two decades now. It's important, and if you haven't given it some thought long ago, you're not taking life seriously, you're just a woodpusher in the game theory of human realpolitik.

    It boils down to a very simple premise: that entropy is a munition.

    If you have some large chunk (say 100MB) of random bits in a file on your computer, there is no way to prove that there isn't some password that will decrypt this block of bits into meaningful information. Any chunk of information content which looks like pure entropy can be accused of harboring munitions, if you're trying to hit the preservation of society nerve, or child pornography, if you're trying to hit the righteousness of the flesh nerve (we all care about flesh). Steganography is the art of boiling a thin soup: very small amount of pure entropy hidden in a huge amount of tedious backdrop (say 200GB of licit pink matter).

    If you have a large quantity of real physical entropy, there is of course no way to produce a password, and neither is there any way to prove that the entropy is real.

    The authorities find this unbearable, so we are now deep into guilt by association. Caught hanging out with random bits, go directly to jail.

    Any public discussion of the matter would conclude that our social concept of judicial fairness is incompatible with this new guilt by association model. What kind of society would declare entropy a munition? How would we all go about scrubbing anything that looks like entropy from our electronic records? It's not clear it is possible to comply with the implications of this, even if greater society drank the Orwellian Spook-Aid.

    Hence the secrecy. If the spooks destroy 1000 innocent lives in the course of protecting society as we know it, it appears to be a cost we're going to have to bear.

    The easy way to cease to think seriously about this is to invoke Stalinist escalation: that 1000 lives is soon 30 million lives.

    Don't be so hasty. Sun Tsu beheaded one giggling princess to make every other princess march with the discipline of soldiers. For his needs, one was enough.

    The credit industry doesn't work on principles much better than our agents of darkness. The suits have succeeded in labeling credential fraud as identity theft. Note the slight shift in blame here: it's not the design of VISA at fault (which could hardly be worse), it's your fault for offering up your digits in the first place (well, you can't use your VISA card without doing so, but why niggle?)

    I hand pieces of information about myself to thousands of institutions. If the information is gathered and used against me, somehow I'm to blame, not the thousands of institutions who regard protecting the sensitive information they demanded from me as a cost center to be outsourced to India.

    The great line in Brazil is "Confess quickly, or you'll jeopardize your credit rating."

    Our credit system is nearly as arbitrary and secretive as this business of guilt by entropy. Innocent before proven guilty. The credit system is exempt from our normal social protections against slander. Any merchant can file a damaging untruth about me with little basis in fact, few avenues of complaint, and no ultimate liability whatsoever. The rating agencies will then spread this slander around and I can't prosecute them for spreading damaging falsehoods about me, even if I finally prove that the original merchant lied, and no sensible agency would persist in believing the original claim.

    If we're not up in arms about the violation of our social norms concerning slander implicit to the credit industry, I don't harbour much hope that cottage outrage in this forum over incrimination by entropy is going to make any dent in the real world.

    Stay tuned for the next exciting chapter, where encryption keys are extracte

    • Re:ritual umbrage (Score:4, Insightful)

      by smellsofbikes (890263) on Wednesday August 12, 2009 @01:48PM (#29041165) Journal
      >there is no way to prove that there isn't some password that will decrypt this block of bits into meaningful information.

      To be more precise, *every* large random block of information, when XORed with a specific key, is child porn, or nuke designs, or the text of the Bible. It's an equation with two unknown variables. Not only is it impossible to prove that the data isn't illegal, it is possible to prove that any string of data *is* illegal. You just have to choose your key.

      The Bible is a string of random data that when correctly XORed, provides complete plans to make nerve gas, just the same as every other chunk of data.

  • by AmigaHeretic (991368) on Wednesday August 12, 2009 @11:30AM (#29038927) Journal
    Hand over the Blue-Ray keys.
  • by d474 (695126) on Wednesday August 12, 2009 @11:32AM (#29038965)
    (my password: "ForThe100thTimeFuckYouIWillNotTellYouMyPasswordEver")

    British Police: "Tell us your password."
    Me: "For the 100th time, fuck you, I will not tell you my password ever."
    British Police: "Oh, you want to be cheeky? Tell us your password or you're going to prison!"
    Me: "For the 100th time, fuck you, I will not tell you my password ever."
    British Police: "This is a matter of bloody national security, you'll get 5 years!"
    Me: "For the 100th time, fuck you, I will not tell you my password ever."
    British Police: "He refuses to submit, send him to jail!"
    Me: "Great, I'll see you in court. You recorded that conversation, right?"
    British Police: ???

"Silent gratitude isn't very much use to anyone." -- G. B. Stearn

Working...