Feeds

back to article RIPA could be challenged on human rights

The government's new powers to force the handover of encryption keys could be vulnerable to a legal challenge under the Human Rights Act's guarantee to a fair trial. People who refuse keys or passwords face up to five years in jail. The Regulation of Investigatory Powers Act (RIPA) was changed last autumn to allow police to …

COMMENTS

This topic is closed for new posts.
Thumb Down

The UK

Protecting your rights by removing them all, after all if you have no rights then they will be protected forevermore.

0
0
Anonymous Coward

The right to privacy

In the case of the penalty of 2 years to 5 years, which bad deed is being punished? Surely there's nothing wrong with encryption itself, it's even a GOOD THING he has a right to privacy, a right defined in the Human Rights Act. Article 8.

Assumptions.

1. Exercising your rights under the human rights act is not a crime.

2. Privacy is covered by Article 8

3. Encryption he is entitled to under Article 8.1

4. He is innocent until proven guilty.

5. Article 8.2 exception sets conditions which are not met simply by exercising your right under 8.1, because step 1).

6. So in the absence of evidence that can convict him, by default he is a person exercising his Human Rights of Privacy.

7. Hence you cannot be forced to decrypt the data, unless you're convicted of a crime in which that data may be relevent. At which point you lose your right of privacy, by 8.2 and can subsequently be forced to disclose on further penalty.

The refusal to hand over a key is only a multiplier to the crime he's being convicted of. But if there is no crime committed then the failure to release the key is not a bad thing. He's entitled to privacy under article 8, and the right to lose that privacy stems from him being a criminal. But if he's not a criminal then he's just a citizen exercising his protected rights under article 8.

And he's innocent until proven guilty.

You see my point? i.e. He has the right to exercise Article 8 rights. His loss of Article 8 protection has to stem from the exception 8.2

"(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

But if he's not a criminal and you can't get a conviction you think unless there is something special in that file, then you are just fishing for evidence. But he has the right to prevent such fishing expeditions, under article 8. There's nothing in the encryption itself that can prevent 'CRIME' because he is not a criminal if you can't get a conviction absence your .

So you think he's a terrorist and have reasonable evidence to support that. You'd like to look at his files, but he won't decrypt them. But you get a conviction anyway. The court says the penalty is 10 years, and the withholding of the key makes the crime 20% worse.

penalty * penalty_for_not_decrypting =

10 *1.2 =12

So you think he's guilty of being a terrorist but have no evidence and he won't hand over the key. The court find he is not a terrorist and hence sets penalty=0.

penalty * penalty_for_not_decrypting =

0 * 1.2 = 0

Not releasing the files only exasperates a crime, it is not itself a crime, it's not even a bad thing, it's a protected right. In the abscence of a crime, it is a good thing! He is entitled to privacy, even from the police fishing expeditions, and the key ensures that.

0
0
Anonymous Coward

Give me them and keep quiet.

Since you're also not allowed to tell anyone that you've been forced to hand over the passwords/keys how the hell could you challenge it in any court.

0
0
Paris Hilton

???WTF

"Obviously the more evidence against the defendant, the more reasonable it is to expect him to corroborate with the inquiry."

Surely they mean

"Obviously the more evidence against the defendant, the less likely it is for him to corroborate with the inquiry."

Paris icon because [just because :) ]

0
0
Boffin

Declaration of Human Rights

Article 18: "Everyone has the right to freedom of thought, conscience and religion; this right includes freedom to change his religion or belief, and freedom, either alone or in community with others and in public or private, to manifest his religion or belief in teaching, practice, worship and observance"

Article 19: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

0
0
Anonymous Coward

@???WTF

Surely they mean "cooperate", not "corroborate"?

Anyway, I'm more worried that it is against the law to reveal that you have been asked to hand over your password. Why, exactly, is this? You can go to prison for five years (for not knowing something which you actually don't know) and you're not allowed to tell anybody why?

0
0
Black Helicopters

re: declaration of human rights, etc

Unfortunately I think you'll find the rider on "security considerations" applies, as with much of the convention on human rights.

So, if you're a "suspected terrorist", those rights probably don't apply.

0
0
Stop

...as always

... this law will only apply to the law-abiding. The real crims/terrorists/kiddie fiddlers will simply set up an encrypted wireless hard drive, bury it in a wall, and ensure they configure their software (which probably won't be windows in that case) to use that for it's cache and main storage.

When plod knocks (I believe "swoops" is the current vernacular) , let them seize the PC, take it back to the lab, and discover nothing incriminating (or indeed encrypted). In the meantime, the hidden wireless drive has a sudden accident involving a pair of pliers and a blowtorch.

Besides, I forsee a bright future for hardware based encryption where the user doesn't know the key to start with.

0
0
Flame

Artical 19

Article 19: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."

Err, I dont think that holds anymore in the UK, start printing bits of a4 paper holding *your personally held opinion* that <insert favorite ethnic minority or sexual sub group> are scum, and see how long it takes the police to arrest you, of course you could tell the police its your opinion, and section 19 allows you to impart it to others.........

/devils advocate + coat

0
0
Bronze badge
Thumb Up

@Peter

"the more evidence against the defendant, the more reasonable it is to expect him to corroborate (co-operate?) with the inquiry" - this from a legal expert?

Ah - on second reading he is first described as a "criminal law specialist" but then a bit later as a "criminal law academic" - I'd bet the second descrioption is more accurate.

PS - can someone explain to me how you tell the difference between an encrypted file and a non-encrypted file? What if Mr Terrorist just said - it's not encrypted - it's just computer doodle?

0
0
Go

I think we're ok because

>It said that courts should decide whether or not to force someone to disclose information which might be self-incriminating they should assess what the nature of the compulsion to disclose is, the number of safeguards which exist and the use to which the information might be put

The UK government has comprehensively demonstrated that all information that it gathers on individuals is either sold, lost, or given away. So there's the "What safeguards?" question. I also suspect most courts would not accept that "identity theft" is a valid "use to which the information might be put"

0
0

re: declaration of human rights, etc

The "prevention of crime and disorder" also removes the need to convict someone first as they only need to believe that you *might* commit a crime in the future and that the encrypted information *might* contain information about that hypothetical future crime.

0
0
Thumb Down

Sloppy, El Reg, sloppy

For "European Court of Justice (ECJ)", read "European Court of Human Rights (ECtHR)". The former (based in Luxembourg) decides cases under European Union law, and spends most of its time on trade disputes. The latter (based in Strasbourg) is a body of the Council of Europe (which is twice the size of and pre-dates the EU) set up under the European Convention on Human Rights; that's where Mr O'Halloran took and lost his case. You'd think a bunch of lawyers contributing on this would get something as simple as that right.

0
0
Anonymous Coward

"use to which the information might be put"

Er, if you don't reveal the information, how can they assess the use to which it might be put?

0
0
Black Helicopters

They can have my encryption password if they ask.

I'd have no problem handing over my encryption password to that there government if requested.

There's a README.TXT that says "nothing here, now sod off"

The hidden encrypted volume, however, is another matter. *whistles innocently*

Truecrypt + plausible deniability = happy me.

0
0
Flame

We should all refuse to co-operate on principal.

No-one, innocent or guilty should ever give the authorities the private keys to their data. RIPA is fundamentally unjust, and every conscientious person should help to resist it.

0
0
Thumb Up

more articles please

I always liked the idea that US citizens have a duty to resist unjustified taxes, and feel that in the EU a responsible citizen should be required to resist silly laws.

This one is right up there with taking all liquids away from air travellers - which needs resisting badly now as the EU commission are reviewing security. Even MEPs see the futility, but who listens to them.

0
0
Anonymous Coward

"Prevention of crime and disorder"

"The "prevention of crime and disorder" also removes the need to convict someone first as they only need to believe that you *might* commit a crime in the future and that the encrypted information *might* contain information about that hypothetical future crime."

I don't think it does. You can't be punished without judicial process ("Everyone has the right to liberty and security of person"), and to remove a human right (removal of Article 8.1 right of privacy) is clearly a punishment to "security of person" and hence requires a judicial process first, or an exception in the basics human rights laws.

Without that evidence (separate from the decryption ) I think it's just a pure fishing expedition.

e.g. Police demand decryption of a file, hypothesize 'serious crime'. man refuses to decrypt, police prosecute the refusal, man decrypts the file, nothing prosecutable found.

In that case he's been prosecuted for exercising his rights under Article 8 pure and simple.

There are exceptions to the 'prepunishment' rule, (e.g. detention prior to trial) but they're spelled out in article 5.

i.e.

Article 5, 1a doesn't apply because they haven't been convicted yet when they're required to give up their Article 8 rights.

1b. doesn't apply because the detention for exercising a human right isn't a lawful order. All lawful order must necessarily comply with the Human rights legilsation!

1c. Doesn't apply, because that's only for 'pre-trial' detention, not for 2-5 years in prison.

1d, 1e, 1f etc. don't apply.

So there's no exception in the Human Rights laws that lets them 'prepunish' by removal of their Article 8 rights, someone on the basis of a future conviction they 'hypothesize' they might be able to obtain.

So I think they have to first obtain the conviction in order to be able to force the convict to then remove his article 8 rights.

Put it conversely, what level of proof is needed to put someone away for 2-5 years? A balance of evidence? Beyond reasonable doubt? Or a hypothesis of a police officer?

The way the law is worded, none of the above is needed. The officer/civil servant/political appointee doesn't even have to prove a plausible (or implausible) hypothesis to issue a section 49 notice. The breach of which has a 2-5 year penalty.

We're talking about keys here, but RIPA is a privacy disaster all the way through. The secrecy clause is a dead giveaway. The ability to keep them secret indefinitely can's possibly be compatible with the human rights legislation. It was a sort of creepy Blair thing that should be thrown out and redone from scratch.

I wonder how many times elReg has been served with RIPA notices?

0
0
tom

If innocent people have nothing to hide...

Why doesn't the government want anyone to know that you were "forcibly requested" to give up your encryption key?

0
0
Coat

Nothing to hide

Well obviously if you have done nothing wrong you have nothing to hide therefore you don't need to encrypt anything.

/mines the special coat that does up round the back...

(Hopefully the coat icon as the radio buttons don't line up with the icons on my crackberry)

0
0

keeping quiet

they don't want you to be able to tell anyone, directly or otherwise you have been asked to hand the key over, since they will want to continue to monitor things, and are still thinking a whole group will use the same password.

they way round that is to just rotate keys say weekly, that way they get a weeks worth of stuff and nothing more.

note they can force the issue througha court, but apparently they tend to try and use the 'hand the key over or else' argument without going to a court. its a bit like a copper asking to search a house because he could get a warrant anyway. i.e. we have a legal right but we don't want to follow the process and if you are 'giving us' information as opposed to use demanding it there will be rules governing what can be done with it that will not apply.

the whole law is pointless and anyone with half a brain can find ways round it. thankfully the sort of people they will actually use this against tend to be stupid enough it will work.

i.e. 'doctors' who can make a bomb, animal rights types who didn't think things through etc.

its not hard to hide stuff AND encrypt it. you won't be asked for a key to a file they don't have.

the other way of course is to make the filename part of the key, i.e. you have a 'key' but decoding the file requires 'key' + 'filename' now you can hand the key over, but its no use directly. also you can decode a specific file for them, but they will need another request, via a court, for the next file etc.

anyway I have a linux box somewhere that can encrypt the hard drive and I won't ever see the the key, or need it. it will work in my machine but swap the drive out etc and it won't. and if they have any sense they won't use my machine, not knowing what it may do.

besides how do they actually search the Tb of data people may have these days for a few bytes they may want?

I would assume they 'know' the file is there 'know' what it contains its a matter of proving it.

RIPA is a joke, as are the idiots who drafted it. just about any law related to computers tends to be out dated by the time it has been drafted & passed. drafting it by people who don't know what they are talking about won't help either.

0
0
Anonymous Coward

Senior Police officer ?

You say "senior police officer" as if they are a breed of officer that is beyond reproach,but believe me they are as big a bunch of shits ,if not bigger, that the lower ranks. Amazes me how everyone thinks they are all so great ,if only they knew the truth about many.

0
0
Pirate

TrueCrypt thrawts RIPA III

The UK government is going to deprive honest an law-abiding citizens of their liberties while criminals can carry on theirs businesses as usual, with just a little software upgrade.

Free software like TrueCrypt http://www.truecrypt.org/ can conceal encrypted material in a way that prevent its detection.

In case the Police forces you to reveal your password, TrueCrypt provides and supports two kinds of "plausible deniability":

1. Hidden volumes. The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.

FreeOTFE http://www.freeotfe.org/ also offers similar features.

Off-the-Record (OTR) Messaging, http://www.cypherpunks.ca/otr/ offers true deniability for instant messaging.

0
0

TrueCrypt's "aleatory" defence against RIPA

TrueCrypt http://www.truecrypt.org/ provides an "aleatory" defence against RIPA, and, indeed, against any similar legislation. This defence works because TrueCrypt makes encrypted material indistinguishable from pseudo-random data. And before the authorities can insist that you hand over an encryption key, they would first be obliged to prove to the satisfaction of a court that you were in possession of encrypted material. Depending on how TrueCrypt is set up it might be obvious that you have some pseudo-random data in an atypical location on your computer, and you might well be asked how it got there. Now, there are many computer processes that produce pseudo-random data, and you are not obliged by the legislation to account for the origins of every file on your computer that contains such data given the tens of thousands of files on the average PC this would be an impossible task. However, TrueCrypt can also provide you with an excellent and highly plausible reason as to why you possess such a file of pseudo-random data irrespective of where it is found.

0
0
Pirate

RE: Comment by 'Anonymous Coward'

RE: Comment by 'Anonymous Coward'

Posted Friday 25th January 2008 12:16 GMT

".. this law will only apply to the law-abiding. The real crims/terrorists/kiddie fiddlers will simply set up an encrypted wireless hard drive, bury it in a wall, and ensure they configure their software (which probably won't be windows in that case) to use that for it's cache and main storage."

An external hard drive is not even necessary. Encrypted files can simply be stored safely on the Internet.

One such system is the OFFSYSTEM the Owner Free File System

"As in any local File System, you can store and retrieve files. In the OFFSYSTEM is that done online, which means, any user having access to the Internet, can store or upload and download own, foreign or public files".

"All files, which you upload to the OFFSYSTEM, are cutted into a kind of small pieces, bits and bytes - called them Blocks -, which are then stored by peer-to-peer-technology into the machines of other users".

"That is all absolutely safe and secure, the Block has no reference to the original file, because in the OFFSYSTEM a byte-range of several different original-files perform one Block. The Block has nothing to do anymore with the original file. You can imagine it as encrypted, though it is not encrypted, but it is data, which was "mixed" out of several original files. One Fragment can have multiple, contingent meaning - as they are build out of different original files".

"So you can store as well your private files in the OFFSYSTEM, no peer will ever be able to read them. The peers share only hundreds of small and mixed together Blocks - "white nose data". Blocks are algorhythm generated random data, which no one owns".

http://offsystem.sourceforge.net/index.html

Of course, a simpler option would simply to use the 2Gb of storage space provided with a GMail email account and only connect via TOR.

0
0
Bronze badge
Coat

Password schmashword

What is to stop someone writing a code to make the hard drive erase if a certain word or phrase is used?

If the drive is half full of pictures, all it has to do is copy them once on top of a quick erase. Or am I being silly?

But why would anyone want to keep something incriminatory on an hard drive? If they were intelligent enough to thwart the law, they'd be mad.... to... err....

OK, I see.

0
0
This topic is closed for new posts.