Two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. The government said today it does not know their fate. The power to force people to unscramble their data was granted to …
Its so wrong...
Hand over the encryption key to your data or we give you 2 years in prison!
hrm, lets see... 2 years in prison or decrypt my child porn and spend a lifetime on the sex offenders register etc...let me think......
Stench of desperation.
I think is serves as good proof that the "powers that be" still can't crack AES 256. And that the encryption products currently out there really scare them.
Mine's the one with the hardware encrypted USB key from Currys in the pocket.
Damned if you do, damned if you don't. The surveillance state now in full swing and Rasputin himself now sitting unelected in No10...
I'd love to tell the authorities the password for my encrypted data, but it's suddenly completely slipped my mind...
destroying or obfuscating evidence
you might have a knee jerk reaction and say "why should the law be able to tell me to decrypt anything I have?" but in reality, when it comes to a warrent issued to colelct specific evidence, your actions to prevent that collection are in fact criminal, and allways have been; the law passed in 2007 is simply a clarification ensuring there would be no confusion in the matter. Since the history of warents, you've been required to hand over keys to locks, passwords to systems, and remove any other obstacle preventing officers from excersizing the warrant. Why should encryption be any different?
If a court demands you produce financial records, and you hide that information or destroy it, when the court is aware already of it's existence, you're typically imprisoned until either you produce it, or you're imprisoned up to a lenght of time equal to the maximum punishment for the specific crime you're charged with plus an additional time for continued contempt of court. People have been imprisoned for dacades for their refusal to supply properly requested data central to a case against an individual.
This law does NOT give the courts permission to simply make you unencrypt your information on somple request, you or your company actually needs to be charged with a specific crime that would necessitate the collection of certain data or ducuments you'd be expected to have. Then the warrent is issued for the collection of JUST THAT. Should they inadvertantly discover child porn on your PC while looking for bank fraud records, they're bound by law to ignore that, and charges against you for having those files would in fact be against the law (at least here in the US it is). Now, a loophole is such that anything discovered in "plain sight" can be noted, and during the search an additional warrant could be issued to further investigate the "evidence of an additional crime," however, the initial warrant to search FOR data withing your encrypted files does not give them permission to search ALL your files, only to collect specific data associated with the case against you (or someone else), and any other evidence would in fact have to be "in plain view" and discovered under the normal course of the search for targeted evidence.
To be safe...
Make sure you not only encrypt your data, but obfuscate it as well. Would you get less of a sentence for just plain destroying data?
What if one forgets (or claims to forget) his password? This happened to lots and lots of people, and it still happens on a regular basis. Can you be jailed for a memory lapse now?
I've seen 70% of the episodes of all 3 flavours of CSI, and I know that any encryption can be cracked in a matter of minutes. And in the case of NCIS it often helps to have 2 people typing on the same keyboard.
Where is 24's Chloe O'Brien when you need her?
Ignorance no defence then...
Sorry M'lad I have forgotten the password...
Use an image key
Easy, make an image key. Require them to scan an image of a prime ministerial pardon absolving you of all crimes committed .
Make sure your "key" includes the signature of the current prime minister.
People have been imprisoned for 10 years and longer for contempt of court, and those were for CIVIL cases, where general imprisonment is not usually on the table. The longest case was 14 years for a man who refused to hand over a divoce settlement to his ex-wife.
I can't find a link for the longest criminal contempt imprisonment, I understand it;s longer. Typical contempt imprisonment is coercive, and so long as you refuse to comply, being brought into the court consecutively after each sentence to see if you will in fact comply with the court order, you can again be senteced successively. A typical contempt sentence is up to 18 months for a single act, but continued failure to comply results in additional 18 month or longer sentences, and in most states, they'll give you 2 sentences of civil contempt (even in a criminal case) and after that they become criminal contempt charges (even in a civil case) and the sentences can be more severe, up to the maximum sentence of the crime you;re charged with.
The Scooby Doo Ending
You would need to be pretty sure they are going to nail you to the wall to risk getting locked up for not handing the keys over...
I'll bet the Scooby Gang could get the keys ............................................and I would have got away with it if it wasn't for you meddling kids.
Difficult to see how to fix this one. On the one hand I want anyone planning the next WTC atrocity caught before people are jumping to their deaths rather than burn, on the other I have no doubt such things will be planned using the regular mails, single-use disposable phones and codes rather than encryption and that this is all about looking good in public.
Maybe. Equally it may be a kind of Churchillian Enigma conundrum where they CAN crack AES 256 but won't admit to it for anything so minor as child porn...
Isn't this trivial to implement in truecrypt?
2 passwords, 2 partitions, no way of telling that it's set up like that.
Just give them the other password and they open it to find noting incriminating..
They can prove there's a password protected file. But after you hand over the key, can they prove you implemented plausible deniability?
There are plenty of options for the truly criminal. One is to use truecrypt which has a system of double encryption which allows for plausible deniability. There are two encryption keys. The second is optional and is used to hide a hiffen volume, the existence of which cannot be proven. So you can be forced to hand over the first key, but if you have further data hidden then it's existence in what is apparently spare space cannot be proven as it all just looks like random data.
Most importantly, trucrypt works in memory - it's very easy to leave traces in other parts of your system (so you have to be careful of what applications are doing). There are still plenty of ways this could go wrong, and if you send a file to somebody else, you'll have to trust them not to make mistakes and reveal the presence of this hidden data. Of course just the presence of trucrypt might be enough to raise suspicion, but for a court to convict an individual for not revealing a password which they can't prove must exist would, even in these days, be a difficult one.
Then as an alternative, you can go for steganography. There are ways of hding information, which may itself be encrypted, in apparently innocent files such as large media files. It can just look like the little bit of random noise that you get in any such image. The existence of such things can also be difficult to prove.
Of course you need to trust the software developers - it they've made a mistake in their implementation, and the existence of such things can be detected, then you could be in serious trouble.
claim it's not an encrypted file
Would it be plausible to claim that it just isn't an encrypted file? Just claim it's a dump of random data from /dev/random or something? Then it doesn't have a password to hand over it's just random data as far as you know. Don't even claim it's a TC file.
Here's the password. No, there's no hidden partition, honest...
The police do not need a warrant to search you, nor do they need a warrant to ask you for your decryption key/method, suspicion is enough and warrants can be obtained after the fact. It is an offense in its own right not to provide means for encryption when requested, regardless of warrant.
RIPA can lick my sac.
Its So Wrong
>Hand over the encryption key to your data or we give you 2 years in prison!
>hrm, lets see... 2 years in prison or decrypt my child porn and spend a lifetime on the sex >offenders register etc...let me think......
So is that 2 years and you get to keep your encrypted data, or is it 2 years and then they ask you again?
"Should they inadvertantly discover child porn on your PC while looking for bank fraud records, they're bound by law to ignore that, and charges against you for having those files would in fact be against the law (at least here in the US it is)."
That is NOT the case in the UK. Whatever turns up during a search can get someone into to trouble entirely unrelated to the original excuse for making the search. The laws on evidence in the UK are very different from those in the USA.
We shall not be beat!
All my seceret plans to take over the world using a Giant Space based Laser cannon are kept on an Encrypted Ram Drive and battery powered Ram Pen Drive!
That way when 007 tries to steal my TOP Seceret plans I just disconnect the battery!
Now just to sit back and stroke my white cat while MI6 send their best agent after me!
Activate Project Sun Burn!
Muhahahahahahahahahaha ha ha ha
They don't know (or care) what they're doing?
"The Home Office said NTAC does not know the outcomes of the notices it approves."
Then how do they do quality control or monitor their own performance?
a 'get out' clause about not incriminating youself?
So if plod have charged me with possesion of CP because the letters in my name use the same alphabet that the real crims does, and I don't want them to see my goatse collection and kitting patterns, why do I then have to provide the decryption key and _prove_ myself guilty? If they have enough evidence to charge me why do they need to search for more on my PC? If someone has accused me of having CP on my PC then thats back to the "I am refusing to incriminate myself" so give me two years and fry my PC.
Surely the (UK) plods ask the courts for a warrant to search for 'illegal files and other naughty things' rather than 'financial statements pertaining to financial years 2007/2008 and 2008/2009.'
Up to this law being passed, if documents were in code or otherwise encrypted then it was considered up to the plods to decrypt the contents. They could do this by beating the code or the owner (probably the latter) but this was seen as part of normal police work. Only now do the police try to make the public incriminate themselves. They do have lots of other legal tircks and devious means to catch the bad people, but these take real police work to implement and analyse. So too difficult for plod then.
@ Forgotten password # By Scary
Oh, ok, it's slipped your mind, have five years at her majesty's pleasure to help you remember it.
I think, correct me if I'm wrong, that it's the only piece of legislation on the books that requires you to be able to prove a negative. I.E. you have to be able to prove you haven't got the password anymore or you'll be in contempt.
Paris, not draconian but just as bloody stupid.
What if it isn't my file?
Problem with this law is that if someone wants to have you locked up for 5 years, all he has to do is plant a few megs of random data on your hard-drive and make an anonymous tip-off to the cops.
So, after your PC is carted off and forensics find a .TC file on your hard-drive, the court asks you to cough up the password... but you don't know it because it isn't even your file.
No chance of an alibi, and because it isn't "physical" evidence, there isn't any real way to prove or disprove who made the file.
We had a lecture from the nice man from the police and we asked how could we prove that random numbers weren't an encrypted file? His response was that basically it would be ok genuine researchers at a university to have random numbers.
So if you aren't one of Ross Anderson's students then it would be a good idea to delete any digital camera pictures where you left the lens cap on.
Except that having deleted but recoverable pictures on your hard drive isn't a defence if you are a knowledgeable person (ie. know how to undelete them)
You could scrub the drive, but having a pattern of ranom bits written to the unused blocks would also be suspicous.
Probably safest not to have a computer or a camera these days if you live in the UK.
Forgetting your password is not an excuse
IIRC, the animal rights extremist claimed just that - that she didn't know anything about the PGP install on her computer and thus didn't know the password to decrypt her emails. That cut no ice with the beak, and she was banged up anyway - although not, in the end, for the failure to hand over keys.
I appreciate that you are well intentioned, but the law in question is not US law. There is no fruit of the forbidden tree doctrine in the UK, and your point about the specificity of searches is incorrect. Moreover, there are no warrants involved; the issue of a warrant involves the judiciary, at least at magistrate level. These are warrantless seizures of data, with no judicial oversight or involvement, and the notices are issued on the say-so of the police and security/intelligence services. All that stuff that you referred to about what the courts can or cannot do (leaving aside that you're basing that on US law which is completely inapplicable) is utterly irrelevant. RIPA is NOT a mere clarification of pre-existing laws but a massive extension of warrantless search and seizure with extraordinarily draconian punishments for failure to comply.
knackard usb pen drive
Just get yourself an old 126mb USB pen drive or even a 3.5'" floppy and break it so no data can be read off it.
then if plod comes along and asks for the passphrase to decyrpt your encrypted files just say 'sure its a randomly generated 200 character key on this disk'
As the disk is damaged they wont be able to recover the passphrase, but you cannot be accused of not supply the password, its just the password is unreadable to them.
They would then have to prove that the disk didnt contain the password in the first place.
Most police forces use encase software to read form seized drives which is fairly poor and can be overcome with stuff like zip bombs
Take for example the following, two machines,
Build two machines ( A & B) with encrypted hard disk, then copy the each decryption key to the other's encrypted disk, and delete the local copy
Machine A boots, authenticates to machine B and retrieves its own decryption key from machine B.
Machine B boots, authenticates to machine A and retrieves its own decryption key from machine A.
Now if both machines are ever shut down at the same time, there is no way to obtain the decryption key. Now if only you could prove this is the way the machines are setup, and prove you don't have access anymore. But you could be still be open to destruction of evidence, dunno, IMNAL.
There is no encrypted data
therefore I can't provide the key...
RIPA is scary
RIPA has to be one of the scariest things in UK law at the moment.
Aside it being a license for nosey Council employees to snoop on people, it seems to be a massive invasion of privacy. Does it mean that anyone who uses encryption is doing it because they are up to something they shouldnt be? Is this just an effort to criminalise the use of encryption in software? The mind boggles.
Normally, I dont advocate the use of things like this, but with the rise of bot-nets and zombies, what stops a bot-farmer from holding encrypted data on someone else machine? And then add that to the sheer amount of companies that use encryption to transmit data every day of the week.
Plod picks up said person and tries to lever the encryption key from them but to no avail. I know it sounds like something the tinfoil hat brigade might come up with, but I dont think anyone can rule it out.
And then there is truecrypt, all some nefarious evil doer needs to do here is just employ two encrypted OS's, one hidden and one not hidden. Plod wont know any different because, well lets face it , the average intelligence of the plod is almost equal to a garden fence.
Essentially, anyone with anything they really want to hide can do so without fear that plod will be able to find the data they are hiding.
I'm getting all paranoid now, I know. But surely RIPA just isnt worth all the hassle? Why can't the government just hide this under layers of impenentrable legislation that will take months if not years for the scare-mongers to get through?
Paris, well because I always use Paris. Plus, she and plod also share the same level of confusion as to what encryption means.
The more I read about this stuff...
The more I think that the governments of the Western world are trying to let the criminals and terrorists win. That way, they can claim extraordinary powers on the grounds of it being a state of war. Thankfully, while the US does have it's problems and does seem to be trying to chip away at the edges of civil liberties, it's not as quick as the UKs decent in to the Orwellian nightmare. It does seems like 1984 is being read as a how-to manual rather than a warning by various members of the government class. At least as far at this goes, the US has the well-enshrined 5th Amendment, which specifically indicates that no citizen can ever be compelled to self-incriminate. And that part of it is not worded in ways that make it open to multiple interpretations, like the 1st, 2nd, and 4th, to name a few.
"...nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law..."
I would suggest that all of you who don't want to live in a police state move further west, to the US or Canada, but you'd probably be detained either at the UK or US border for being undesirables in some way, shape, or form.
If you need me, I'll be buying land in the NW Territories of Canada....
If I ever have something I really need to hide ...
I'll use the right encryption software. Create several co-mingled encryption volumes. Stuff one with a load of mildly embarassing but legal sub-porn plus bank statements etc. Hand over the de-crypt key after protesting as much as possible.
It's all but mathematically impossible to prove whether the other encrypted + steganographied volumes contain anything other than random bits - in fact, you can't say whether they exist at all. The software is known to create a good few of them, with random contents and decrypt keys, never known to the user!
Also, how long before an enterprising company outside the UK sets up a network data repository and web proxy service that one can access (only) via an encrypted VPN? It soulds like the sort of thing that a Swiss should do. No use whatsoever for terrorists or people doing other things prohibited by Swiss law, but the country still believes in privacy and certainly wouldn't help any foreign government with its drive to catch "thought-criminals" or to put all our e-mails in its database. Which sadly, seems to include UK govt. these days.
Criminals, of course, would use the service in Paraguay. (No, I don't know if it yet exists).
Guilty of Privacy?
Guilty of exercising their privacy right? Or guilty of something else PLUS failure to decrypt?
Because if it comes down to the only thing they are prosecuted for is failure to decrypt, then in essence UK no longer accepts the right to privacy.
Not in any sense, not in any aspect... well except when it comes to anything to do with MPs, then suddenly everything needs to be private.
Another on the way ?
Ton Foil Hats
Many commenters here need to drink a little less coffee, open a window and get some sun light and fresh air.
The Man is not coming for you.
On the subject of Warrents, I can tell you that they are not given out without serious consideration based largely on individuals right to liberty.
Calm down dear, it's only an advert.
Remember this is plod not CSI
For everybody describing triple level plausible deniability stenograph systems remember this is the plod - the same people that carry impounded monitors out of a raid, the ones with a 6month backlog to image harddrives but who can't deal with Macs.
We 'volunteered' to hand over a server once for an investigation into a company we worked with. Months later I got asked for the 'administrator password' (for a Linux machine).
I don't know we only use ssh -here is the shared key. A month later 'it doesn't work it's too long'
I'm convinced they are still trying to logon with Administrator and type in a 255char ssh key correctly.
Whilst I like to see criminals caught and brought to justice I have grave reservations about being obliged to incriminate yourself under threat of imprisonment. It is one thing not to impede an investigation, but quite another not to aid it. There's something fundamentally wrong there.
Put all your world domination plans on a wireless NAS device and put it in your neighbours loft (yeah, this is the hard bit, but do it while you are cat minding when they are on holiday).
When plod come and search your house, they won't get your NAS, becuase it's not located at the propery they have a warrant for, and they won't know anything about any external data until you have had time to change the names on any documents to your neighbours names, and you can them pass the blame to them.
CPS telling lies???
....Crown Prosecution Service said it was unable to track down information on the legal milestones without the defendants' names.....
so they can't retrieve precedents with a defendants names....
so, when you commit your first murder your lawyer can say..
"Yes your Honour, this is the first case of it's type, in fact eveything today is new to me..I've never heard of Murder."
and we wonder why we loose faith in the State..
Im wondering as how the police decide the difference between encrpypted and garbage data?
"Police: What is this HU9hfdsoih9gguihdsfhiosudkg(*G"
"Me: Random Data......."
"Police: Yeah right SON, Off to the nick with ya!"
What a brave new world the UK has entered
If we do away with the privacy right, that's been a fundamental right for millennia, and a protected legal right for centuries. Then we're going to explore a lot more of these cases.
"Sir Christopher reported that all of the 15 section 49 notices served over the year - including the two that resulted in convictions - were in "counter terrorism, child indecency and domestic extremism" cases."
What does this mean?? When Sir Christopher says that 15 section 49 notices were issued and only 2 resulted in convictions, how can the others 13 innocent be in "counter terrorism, child indecency and domestic extremism"?. Surely they were found NOT to be terrorists, pedos or domestic 'extremists' (do you mean protestors??)
Counter terrorism accusation means squat these days. The stop and search of suspected terrorists has been used how many times (I seem to recall 1 million plus) ? If an officer demanded decryption in those, they would be listed as counter terrorism related.
I also don't see that a secret filter list from GCHQ passes for acceptable, or even the Judicial process if RIPA permits unchallengable secret allegations to be passed to the judge.
There was another one yesterday...
The scout leader convicted yesterday of possession of indecent images of children was also charged with refusing to decrypt his data when requested by the police and convicted on that charge as well.
You don't have....
.....the right to remain silent it seems
@Nic 3, thank you for making me invoke Godwin's Law
"When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and industrialists, I was not a member of the unions and I was not concerned. Then, Hitler attacked me and the Protestant church -- and there was nobody left to be concerned." - Martin Niemoeller, Berlin Lutheran pastor arrested by the Gestapo and sent to Dachau concentration camp in 1938
"There is no key"
"Give us the key!" "'There is no key.'"
- Nokia: Read our Maps, Samsung – we're HERE for the Gear
- Ofcom will not probe lesbian lizard snog in new Dr Who series
- Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
- Too slow with that iPhone refresh, Apple: Android is GOBBLING up US mobile market
- Episode 9 BOFH: The current value of our IT ASSets? Minus eleventy-seven...