Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect on Monday (Oct 1). The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key …
...there's no practical difference between the police demanding you unlock your door when they have a warrant and demanding you unlock your files when they have a warrant.
Except, I suppose, that the police are more intellectually suited to breaking down a door than breaking any form of encryption...
Making China seem quite liberal! The thought police can't be far off!
Interesting that big multinational media conglomerates have the legally enforced right to keep their encryption systems secret at all costs, but the individual has the exact reverse!
I wonder if I could use CSS (or the modern HD equivalent) to encrypt my private data and pull whatever local laws are available in that regard - even if they have the keys, it might be illegal for the police to actually use them!
At the very least they might have to take a long expensive trip to view the 'evidence' in a different media region ;-P
a provably dumb law
It's a logical fallacy to convict someone for non-possession of something!
This section of the act is clearly a stupid one: simply forge an email from an MP to another, encrypting it, hinting that the encrypted part contains state secrets and/or a terrorist plot. Then, forge a reply. Report said persons to the police. They will then demand the keys from the implicated people, but neither party will have access to the encrypted data since neither has ever had the key, however, they will still be guilty under the law of failing to disclose something that they never had, but cannot prove it.
Multiple levels of encrypted drives WITHIN encrypted drives, that are invisible unless you attempt to open them with the right password.
So when "The Man" asks you for the password for your encrypted file/drive, you give it to him. There's no way for him to tell that you have yet another one nested within.
The USA and Britain are really racing each other to the bottom of the barrel when it comes to creating a police state!! Only goes to show that the general voting public really does belong in a Welsh field, grazing with the other sheep waiting to be fleeced.
They haven't really thought this through, have they?
So if I want to get someone sent away for a couple of years, all I have to do now is plant a disk containing strong encrypted data? Maybe send it to them through the post then anonymously tip off the police that that person is involved with drug crime or a terrorist plot. They wouldn't be able to provide the police with the key and couldn't prove that the disk doesn't belong to them. Sounds like a great law. Until it happens to you...
If you have nothing to hide, you have nothing to fear.
Except your government.
This might prove effective for idiotic small time terrorists (which the UK security services seem capable of catching, but which don't pose much of a threat), but there are many obvious ways to avoid this being an issue:
- Don't use technology.
- Be involved with a big enough plot (or bad enough co-conspirators) that 5 years in jail is no deterrent.
- Store all data online, so it's not provably yours.
- Disguise the fact that you are using encryption.
- Distribute the encrypted material and/or the keys.
- Use some kind of "slow browser" with its own private key which decrypts pages on demand, but so slowly that bulk analysis of large volumes is impossible (cos you'd dump wikipedia into your content repository, to keep them busy and ill-educated).
...and that's with about 30 seconds thought and no motivation.
Ironically, investment by the security-obsessed content industry in stealth watermarking, the consequent development of stealth P2P technology, combined with the huge data volumes now possible both on- and off-line, is probably moving the game on to where the "police" won't even know that the target content exists.
Do the spooks have the technology to spider Flickr, YouTube etc looking for stealth-encrypted data in pictures of people's pets?
Ultimately, if someone has the means to build/steal and transport a nuke to a city (one of the worst case scenarios for which such invasions of privacy are presumably justified), avoiding detection by electronic means will pose zero challenge, and prosecution after the event will be irrelevant.
What happens when data is encrypted with multi-part keys and the other keyholders are outside jurisdictional reach?
Ways to get around this
Only data physically stored in the UK is subject to be decrypted or the decryption key to be handed over.
Some other thoughts:
It might be beneficial to take the 2 years in prison than to decrypt material and then get convicted and sent to prison for more than 2 years.
Not exactly sure about the proper controls of this law; how about corrupt constables that could force you as a company to reveal trade secrets and then sell that intelligence to, let's say, China or Iran.
Would you store your data in the UK with the chance that you have to hand over your master key and open up the technical possibility for the law enforcement of the UK (or their allies the USA) to peek into your systems world wide? Just because you happen to be a bank or other financial institution and the authorities think they're following a terrorist money trail.
"Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible by authorities."
Errr, as the material is encrypted, how do the 'authorities' know whether the 'intelligible' version you provide is, actually, the material they want?
An encryption scheme that interleaves two sets of data, one incriminating, one innocent, and each part locked by a different key wouldn't be hard to devise. For best effect, a small amount of dodgy data amongst a lot of innocent stuff (one bomb-making pdf in several GB of family snaps)
When plod comes calling, give them the 'innocent' key and they can spend several days looking at your holiday snaps, while the bomb-making instructions remain nicely hidden.
And who precisely decides what constitutes "both necessary and proportionate"?
As Orwell predicted, "Ownlife" will soon be a crime......
We already have "Thoughtcrime" in being non-PC.
And NuLabour's character assassination of any dissenters/protesters is no more than the accusations of "Agent of Goldstein".
Truly, 1984 is today.
Big brother's back
Let's hope this kind of legislation doesn't make it to the mainland...
Although, I must say, if this was to happen and I was ordered to hand over my private key file, I think I'd instantly forget its associated pass phrase...
Use TrueCrypt's hidden volume
They might force you to reveal the password of your encrypted volume (where all your semi-important files are stored) but they have no way of knowing or proving that 2nd hidden volume exists within that volume.
If you deny it exists, they can't prove it exists. How can you hand over a password to something that doesn't exist?
desperately seeking hidden messages
so how long before steganography will be outlawed?
are all our photos going to be scrutinised? will flickr and youtube be forced to 'process' our uploads a little bit with the hope of destroying any possible hidden information?
Does this mean...
... I can now post someone a CD containing a garbage file, anonymously tip off the police that it contains detailed plans to blow up ... oh, I don't know, Jeremy Beadle, and get them 5 years for not knowing how to decrypt it?
Truecrypt is, for me, the most obvious way to tackle this new 'it's for your own good' law. It lets you have two passwords for an encrypted file, one for the outer volume and one for a hidden volume. If pressed for your password you just give out your standard outer volume password that lets people see all the nice, normal, private, not-for-anyone's eyes, banking details and keep the WMD instructions safe in the hidden volume.
Anyway, I ramble.. Have a read of their site if you're worried that you'll be forced into self-incrimination some day.
Secrecy makes it ripe for fraudulent use
Because no one knows that it has happened to anyone else, there can be no oversight. All that we now need is a bent copper to go round collecting private commercial data (or other encrypted stuff of value) and start selling it. The copper never gets caught because the victims are not allowed to talk to each other and so deduce that they are being scammed/robbed.
Also: if you are a terrorist (one of the supposed bogey men that justifies this) then you will go down for 20 years, an innocent man will go down for 5 for refusing to disclose keys. What would you do if you were a terrorist and were asked for keys - want a 5 or 20 year spell of eating porridge?
This is completely stupid - it puts us good guys at risk and does little to deter the bad guys.
Yet more ways in which the right to remain silent has been removed.
If police cases are starting to depend on the suspect giving evidence against themselves then this country really has gone downhill in policing standards.
Paranoia or double-bluff?
In tin-foil hat mode for a second, does this mean that they've now got a way of decrypting most commercially available algorithms and are asking for this power as a way of deflecting attention away from their banks of supercomputers?
Excellent. Yet another law with the punishment based on who the prosecution is, rather than anything you have done.
If you encrypt some, "personal" photos of your partner and forget the password you could get the following responses, depending on who wants to know the file's content:
1. From your partner: phew!
2. From your mates: spoil-sport!
3. From your employer: we think you're stealing information - we'd like to fire you but we can't prove it.
4. From the police: We think you've got kiddie-porn - 2 years in the slammer! (We don't need to prove it)
5. From the police: We think you've got a copy of the anarchist's cookbook - 5 years in the slammer! (We don't need to prove it)
How good that would be for the crime statistics!
In fact it was just your Mum's recipe for the best lemon pie which you used to test out encryption when you first started playing with it - you deleted the photos ages ago.
It's a good job we still have Burma to make us look like a liberal democracy.
5 years for forgetting your keys?!?!
Hmmm, emigration to North Korea looks better and better...
Hmmm... 5 years in jail for not revealing the encryption keys or a longer time in the slammer and a lifetime on that register when they decrypt all those photos? I wonder which the average nonce is going to choose.
Use Truecrypt hidden volume for plausible deniability
Use Truecrypt's hidden volume facility for plausible deniability. When the law asks you for the password, give them the password to a volume with some ordinary contents. Your secure content is kept in the hidden volume which no one can see exists.
Oops.. I forgot
I'm sure you could just 'forget' it :-)
If disclosing the encrypted information could land you with more than 2 years jailtime then it's still well worth keeping quiet? Um.... Or if national security terrorism related then evidence of a plot to, say, cause explosions or some other such topical activity would almost certainly get you more than 5 years so again, worth keeping quiet. I'm not sure I get this law. Do _they_ just get bored and just make up futile new laws for the sake of it?
That's a random string of characters, by the way, not a code.
Except that I can't think of a single way I could prove it in court.
Which is my (mildly cryptic) point.
Decrypt this: F*** O**!
"...as long as the demand for decryption was both necessary and proportionate."
How subjective is that? Especially in the minds of our terror-driven leaders and instigators. Necessary for the greater good? Proportionate to the government's lies? It's not as if we have transparent leadership; how many lies and secrets are they hiding from us?
This is simply another blatantly manipulative step towards a police state.
Come on folks! Rise up developers! Let's not roll over and let the government rub our little fat bellies on this one.
What about the makers/vendors of encryption/decryption software and services?
And finally, code-making and breaking is...well, fun. We don't want our poor little MI5/6/SIS kicking their heels do we?
If only I could spot the irony.
Either gain the requisite skills to do the job or put some stupid half baked law in - I wonder which Labour will do!
Is this another excuse to take big business abroad, I mean if the encrypted files are not stored in the UK then this law does not count.
In other words we are telling the terrorists that if you want to have data for future crimes hold them on servers abroad.
From another point of view (and this I feel is just as serious) I can foresee pedophiles holding GBs of data on encrypted devices. Let's face it, what's 2 - 5 years in jail over a life of being a convicted pedophile. No key = less or no evidence.
Still I must make sure that I do not carry personal ID information on my encrypted Data Stick (so if I get robbed no one can get my info).
Can you protect your data through the Human rights/Data Protection Act?.... of course I have to have mugged or robbed someone before I can have any human rights.
How I love to be British
Set up a system that locks after 3 incorrect attempts and then tell them the password is "Blank" ;)
this has always been the case?
How many fingers am I holding up?
Today, The Government reduces sentences for refusing to share Encryption keys from 10 to 5 years when in relation to Terrorism charges, and from 5 to 2 years in all other cases!
kdihdndhapownmckdmsmwldposwnp oqkwlakj lkjdw. idoiwndahdidlwkjdnasdpqwoiuhjflsjdwqpojksdjfovjnfjhwocjwkncjldid w jdiodiusdjwhrnddkslkwmwwritncbz, sdlkcjakdwncicivlrtmvovitwatkivjvm.eloivv,emkjdkxzoie,mjvodifk
[Decryption available with a court order...maybe]
--- 'Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice.'
Ah. So this is aimed at online services which utilise encryption - can't tell their customers that they've been ordered to give up their keys?
"UK police can now force you to reveal decryption keys"
No, they can't.
Surely this clause is simply defeated by having your valuables in an encrypted volume inside another encrypted volume. Hand over the first key, there's some guff (and a bit of pr0n for plod's reality check), and there's no way anyone can prove there's anything else to unlock.
They will have to PROVE there's encrypted data first...
prevented from telling anyone apart from their lawyer...
"Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice."
How are you supposed to keep the communication with your lawyer secret? By encrypting it?
we are all criminals.
And the more we are pushed and pushed into this police state the more people will simply flout the law.
I for one immediately forget any decryption keys - and there is no way I am giving them to police or other powers. Also telling me to keep the request for the key secret is also going to fall on deaf ears.
The story says they didn't expect encryption to become so popular, maybe because we are reacting to the rest of the war on privacy.
The law in the UK is increasingly becoming irrelevant, there are so many new laws that people cannot help being guilty of something now mainly since they don't know all the laws.
It's going to be pushed too far and the people will react. Here's hoping anyway.
Being tied down by the official secrets act?
Surely these two acts are in conflict?
One says to reveal the information, the other says you won't!
Can they make you lie? - Armchair lawyers please
If I was served a section 49 notice and someone asked me "Have you been served a section 49 notice?" what do I say?
Do I pretend to have gone deaf?
Do I say "Unfortunately under the terms of the RIP act I am prohibited from answering that question." - which would give the game away somewhat?
Or must I lie and say "No"?
If either of the first two there is some potential for a security protocol which asks the question before going further.
I haven't been served a notice by the way - or they may have already got to me.
I'm off ...
... to Afghanistan. Bring back the fatwahs and daft edicts - they make more sense and uphold more civil and personal rights than our Western dictatorships ... erm ... conformist police states ... erm ... democratically elected governments.
How about this password
What about changing your password to the phrase "F*ck off I forgot my password"
It's just random data
Seeing as decent encryption is supposed to make encrypted data indistinguishable from random noise, what happens if one claims that the DVD full of encrypted goodies is actually just a one-time encryption pad they made for an exercise?
I could see that argument going on all day
"No it's not."
"Yes, it is."
"No, it's not."
"Yes it is."
Re: multipart keys.
What happens when data is encrypted with multi-part keys and the other keyholders are outside jurisdictional reach?
Simple, rendition to interrogation. Or, to expand, they simply have someone grab the other person and torture them until they give up the key -- or just ship you both off to South America.
Password split - easy and simple
Folks, there is a solution. Someone mentioned multipart keys above. I don’t know if that poster meant it in the way I see password-split working, which I think is a great idea.
Split the decryption password into multiple parts and give the separate parts to two or more people, each holds their part in confidence. Come the inevitable court order/summons/threat of custodial sentence, all each person need do is say the part of the password they relinquished was correct – one of these would be fibbing of course (perhaps all of them – who would know?). Not only can the data not be decrypted, it cannot be proven that anyone was withholding information. Mens Rea, let alone lawful infringement, cannot be demonstrated; hence all the prosecution cases must fail.
@"random data", "I forgot" etc.
We don't believe you. You're nicked.
"...completely stupid - it puts us good guys at risk and does little to deter the bad guys."
Alain, I think you've just described 99.99999% of NuLabour's policies, deeds & legislation.