back to article RIPA ruling closes encryption key loophole

A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved. The verdict, handed down in the Criminal Division of the Court of Appeal last week, relates to a plot in which the defendants …

COMMENTS

This topic is closed for new posts.

Encrypted = you've got something to hide ?

So how on earth did they know it was "useful to a terrorist" or not, if it was encrypted and they didn't have the key ?

Wait ... that's why all those lost MOD disks aren't encrypted .......

Stop

May I be the first.....

....to call for an immediate end to inhumane experiments on animal protesters?

Coat

Time to leave?

well time to re-read 1984 and brave new world and then remind myself of where we are today relative to those works of fiction?

- 28 days imprisonment without trials

- CCTV everywhere

- ANPR database linked to all the cameras (and data held for 5 years)

- National Database of every phone call

- All ISPs logging who emailed who for 2 years

- People being refused the ability to protest/demonstrate anywhere near the House of Commons

- Man arrested and charged for writing a story (shades of thought police)

- 2 years for forgetting your encryption key..

I'll get my coat and foxtrot oscar somewhere less totalitarian...


Oh dear. Another nail in the privacy coffin

Given that councils have used RIPA to justify snooping on individuals then I can see that they will use this ruling to further reinforce said snooping. We have no privacy.

Black Helicopters

Hmmm...

The obvious counter to this is to arrange that the key is automatically destroyed by the physical process of removing the encrypted device. Then one could claim that the authorities themselves have actually removed your ability to provide the requested key. A sort of "key booby trap" if you like... This is done in many hardware encryption devices already as an anti-tamper measure. My company was producing this form of self protection some 15 years ago on our smart card readers.


What a pity

... that they don't spend as much time investigating BT and Phorm under RIPA. Oh wait, the EU has to drag them kicking and screaming to investigate their cronies.

Unhappy

catch 22

You can't win. Either you give them the evidence to prove your guilt and send you to prison, or they send you to prison because you won't help them prove your guilt.

"it would be very unlikely that the police would seek to view the contents of a hard drive where they did not already have evidence to charge someone under other legislation"

Yes, because the police/government/councils would never abuse the law, such as using anti-terrorism laws for things they weren't meant for, would they?

They wouldn't, for example, use them to spy on parents or dog-walkers, or to seize assets of Icelandic banks, now would they?

Anonymous Coward

Control orders are undemocratic

In my view, they are the good guys in this. Control orders (restrictions imposed by Jacqui Smith without evidence or conviction or judicial process) have no place in Europe, they violate the ECHR, are an abomination to justice.

The threat to democracy is Jacqui Smith and Gordon Brown here. Brits have a duty to break every control order under ECHR, to enforce the right to judicial process that is a fundamental right written into British law.

Presumably if a jury finds them innocent, JS will eliminate trial by jury. She really is not fit to hold a position of power.

Anonymous Coward

Soo....

2 years for not committing a regular crime, and 5 for not committing terrorism? Nice.

Pirate

How about some extended reasoning

If the police can't get into it and they didn't know it existed then it's not important to whoever owns it and can be deleted and fully unrecoverabl-inated.

At least then the content is gone forever- and if they actually have some sort of a case against someone you'd hope it involved more than just the presence of an encrypted file.

It horrifies me that Jacqui et al are so determined to increase the number of prosecutions- apparently to the extent that they'll gladly change the law to let them convict innocent (i.e. not found guilty) people. Rather than requiring that real evidence actually exists.

@AC THAT would be impressive! "You did WHAT? Removed the hard drive?! YOU FOOL! YOU JUST REMOVED MY ABILITY TO DECRYPT IT!"

Doesn't seem too impossible to achieve either...

Joke

You bastards...

...you just put the phrase 'blowing up the Houses of Parliament' in my internet cache. Do you have any idea how many electrons will be inconvenienced in GCHQ by your loose language?

Joke

Ah Wait!!! how about this one

Everyone create an encrypted file on their drive, get arrested, refuse to give the key.

Wait until your sentence is almost over, then demand a retrial, give the key to the blank encrypted file and sue the a**e off the plod for wrongful conviction.

BTW, is it true that the store guy who reported Gary Glitter's drive was sacked for looking at it in the first place?

Ash
Happy

An encrypted what-now?

Go luser on them:

"I ran a program which said it would delete files which weren't really deleted (to stop hackers putting viruses in my Word). It said it filled my space with a file, then put random letters into the file, and this made sure anything before was deleted. When it ran, though, something about "Low hard disk space" flashed up, and "Resizing pages" too. I don't really know what it means, and didn't know what the file was. I just left it there. Did it make my Word bigger?

What's TruthCrypt?"

Flame

Proof of encryption?

How exactly can they prove something is encrypted? Encrypted data looks exactly like random data. It would seem trivial to generate a large file of random data, drop it on someone's PC and when the non-existent key is demanded they get in hot water under RIPA. Similarly there is no way to prove that a person knows the key and is willfully withholding it.

Pity this is the UK where justice no longer lives, only stupidity.

Black Helicopters

Privacy?

All your keys are belong to us

Pirate

Will the tories restore civil liberties

I recall writing about abuse of this very act, was told to leave the country as those who had nothing to hide had nothing to fear. I wonder if anyone still believes that now? Especially when terrorism charges are trumped up to unlawfully seize assets. Do they now realise that the laws apply to everyone and not just terrorists.

Stalin would be proud.

Coat

Cogito...

Dunno if TrueCrypt does this but (with a bit of block shuffling to undermine comparison of the file with any backups)... create encrypted files with >1 part, with different passwords for each. Depending on which password is given "a" file is opened... you choose which one. How would they prove there was *another* part? As long as you give "a" password you have complied with the law.

[However, ruling a password in the same category as urine is ontologically like, so, waaay off base... it's not like a document, body-tissue etc... If I don't tell you what it is (that's my will) you can't know what I know... so telling or not telling is just like keeping my mouth shut.. I do hope there's no RIPA provision to force me to reveal the GPS coordinates of my anthrax/U235/ricin stash. Oops]

You can take the piss but "keep out of my miiiind!"

... the one with "Ergo dweeb sum" (embossed in gold-leaf...)

BTW. Are you pondering what I'm pondering? (Key generation through hashing vocal stress patterns... it will only decrypt if I am calm... just love the thought of plods & plodesses offering me cups of tea, maybe a nice biscuit, a soothing massage, etc. etc.)


proof of encryption...

it's not up to them to prove there is encrypted data, it's up to you to prove there isn't.

or convince the court that you have genuinely forgotten the passphrase, all they have to do is find a file they cannot read, claim it's encrypted and force you to decode it for them.

note I'm assuming that if you do decode the file, and it's not what they expected it's now up to you to prove there isn't anything else in there as well.

wonderful law. guilty until proven innocent, and proven to a standard that's a moving target.


Natural Justice

There is still one course open to invalidate this ridiculous provision - an appeal to 'Natural Justice'.

If I keep my secret documents in a safe, the authorities can ask me for the key / combination all they like - I am perfectly free to refuse, and it is up to them to employ a competent locksmith to access the contents.

If I keep my secret documents in an encrypted file, the situation should be no different - but this ludicrous Neues Arbeit government seems to think that they can treat this as a special case.

This is manifestly unjust, and any judge worth his salary should be quick to invalidate any prosecutions on that basis alone.

Coat

so when

so when will I be required by law to hand over copies of the keys to my house and car to the police?

there is software available to encrypt files, and include a duress code.... give them the wrong code and it will decrypt the file to a harmless text file of book... George Orwell, 1984 will be a good one.

no doubt they will make it illegal to have such software...

Mine's the one with the latest copy of 'newspeak' in the pocket !!!

Happy

@AC - Booby Traps?

Hmmm... small thermit charge in the hard drive? I think (whistles nonchalantly) that some people consider the only way to properly secure information - even on encrypted devices - is to fit a special port to the device... into which the barrel of a gun can be placed at short notice.

Short of physical destruction it ain't secure... but cheer up, we shall welcome our soon-to-be quantum computing overloads on the basis that passwords will be irrelevant.

Boffin

Separate existence

So I can see that a GPG private key might arguably have a separate existence, it's a block of gibberish.

But the _password_ that symmetrically(?) encrypts that GPG key and makes it usable - that surely fails the separate existence test?

And I think that this would be true of encrypted drives / files where you use a keyfile to access the contents.

Anonymous Coward

Secure Disk Drive

Hello, I'm selling secure disk drives. The encryption is on the drive controller. It's a secret encryption. It works like this, you enter the right password and everything shows up. Enter the wrong password and all you see is dos prompt if you boot from it, a blank drive from another OS. Enter a special password and a diamond tip blade runs across the heads.

Ash

@Secure Disk Drive (AC)

Rubbish. Drag the blade across the platters and we'll talk some more.

Ah, wait... No we won't. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9083478

Anonymous Coward

two encryption keys

what people need is an encryption system that has two keys.. one that shows the original file, another that shows photos of flowers and butterflies.

Unhappy

you really won't need to tell

They'll just ask their buddy dubya to tune you up a little bit at his caribbean hideaway and you'll tell them everything they always wanted to hear (and most likely, a lot of stuff they don't really care about). Innocent? not a chance.


@ Steve Browne

"Will the Tories restore civil liberties?"

In a word, no.

There might be a bit of window dressing, but the erosion has been severe. There are too many vested interests within which Mammon is stronger than morality.

Thumb Down

Truecrypt has a useful feature

TrueCrypt had a feature where different passwords yield different content and there is no way to prove or disprove the existence of the 2nd password.

What scares me is I encrypt some spreadsheets. I'd be hard pressed to remember the password to a file I deleted in 2002, but since it is in my personal documents folder my backup software has a copy of it.

So if I were to travel to the UK I could serve 2 years for forgetting the password to a document I deleted 6 years ago, because a copy of it exists in backup form.

I wonder how many people have at least one encrypted file whose password has been forgotten.

That is a crazy law.


2 years?

"The maximum penalty for failing to hand over an encryption key on demand is two years"

Remember folks, that's the *maximum*. First offence, previous good character, profuse apology, sincere regret... 'I really have forgotten but I can't prove it and you don't believe me'... guilty plea... you might not even get a custodial sentence at all. You don't impose the maximum sentence on first offenders unless there's some serious aggravating factors!

Mike


@Ash

Damn you Ash. Guess I need to make sure the blades go down 2mm and then use an explosive charge.

Coat

Nothing is secure

Hah! You think physical destruction is secure? I watched an episode of CSI once where they managed to spot, in a photograph taken with a mobile phone, a reflection in the cornea of a passer-by, of the smoke from some documents that some bad guy was burning, and reconstruct the information from that.
