Two convicted for refusal to decrypt data

Two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. The government said today it does not know their fate. The power to force people to unscramble their data was granted to …

COMMENTS

  1. Anonymous Coward
    Anonymous Coward

    Which is why...

    It's good to use an encryption which has an optional multiple key system like Truecrypt, you give them a key which lets them read the volume, and see all your "secret" stuff like bank account details etc... You don't give them the other key which would decrypt your bank account details and your plans for world domination.

    As the secondary key is an optional (and undetectable) step, they have no idea if you are using the feature, or if you have given them the full key or not.

  2. ohnoesohnoes

    Nice work, Big Brother

    Good to see that the Magna Carta is still going strong in the UK.

    Oh, wait, no. 1984 is the new bill of rights!

  3. Columbus

    smug mac users

    Whilst I am a smug Mac user, and accept FileVault is not perfect, I am aware of maclockpick which is quite a useful bit of kit to get into most Macs and any decent Mac sysadmin could get into an ordinary Mac in seconds. Luckily there is a dearth of Mac people in the British police.

    The point for most people is that the police don't need to get into them anyway. The evidence is presented in such a way that "we have the computer, and therefore the evidence that you are a bad person so plead guilty." Remember Operation ORE...

    @NIC3 - Some warrants are properly considered, others are sheer fishing trips requests in front of a magistrate, and others are simply arrests on spurious reason then searches conducted under PACE

  4. Anonymous Coward
    Pint

    What can you do? May as well have a beer while you still can..

    Given that it's only a matter of time before you can go to jail for not giving up the existence of (and password for) hidden encrypted volumes too (once the idiot scum who make these laws hear about this potential dodge), almost anyone with a computer and access to encryption technology will be potential criminals. So that's everyone then!

    Two steps in establishing a strong police state:

    Step 1: ensure all citizens can be held guilty until proved innocent of a crime which it is impossible to disprove having taken place.

    Step 2: bask in the glory of your unbridled power as dissenters are thrown into jail for haplessly transgressing on step #1.

    Mine's a swift half before they come to take me away to room 101...

  5. Shadowfirebird
    Black Helicopters

    A quick primer on RIPA pt III

    * No, forgetting your password is not an excuse -- you go to jail.

    * Ditto claiming it's not encrypted. You have to prove it's not encrypted (I know, I know...)

    * Not only is the point about not incriminating yourself not going to work, I think there was even a case that went against the idea in the US (it was about a TSA search of a laptop, if I recall correctly).

    Since the onus is on you to prove your innocence, technically you could still be done for even with plausible deniability. "Prove that you don't have a hidden second tier!" "I can't!" "Then it's jail for you, sonny boy!"

    Believe it or not, if it weren't for the campaign against it, RIPA would actually be *worse* than it is; check the Reg's archives for details...

  6. Anonymous Coward
    Anonymous Coward

    @What if it isn't my file?

    Exactly. Hypothetically, what is the position if, say, you buy lots of hard drives off eBay? One or more happen to still contain encrypted data (the system is also encrypted so won't even boot). What then?

  7. Anonymous Coward
    Thumb Down

    @Karim Bourouba

    >the average intelligence of the plod is almost equal to a garden fence.

    And it appears that the level of intelligence of the average commentard is even lower. If I think you mean what you didn't write then the basic flaw in your comment is that it is not your average plod who would be attempting to forensically examine a hard disc, in much the same way that your average plod does not perform an autopsy.

    You might like to gain brownie points by making such asinine comments to a bunch of budgies with new mirrors but reality is somewhat different.

    All this law has done is provide a possible short cut to prevent the forensics experts from wasting their time but if they believe you really have something to hide and it is important enough to them then they will take the time and they will find it. However, if you're sat in prison for two years at a time then they really have little incentive to look very hard.

    And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life.

  8. Steven Jones

    @nic 3

    I think the real danger with this is that somebody will get caught up in some Kafkaesque saga where they are required to provide a password for some encrypted file and have genuinely forgotten it. I suspect many of us have old password protected/encrypted files that we have forgotten about or have lost their purpose. Certainly I have.

    It may be considered unlikely that people will get drawn into "serious" investigations and end up in this position, but that's far from the case. It's only necessary to look at Operation Ore where very many people had PCs seized following the discovery of credit card numbers on a web site carrying child porn. Of course it is far from the case that all of them were innocent, but there were certainly a very substantial number who were being the victims of things like stolen credit cards or frankly erroneous statements about what they must have seen.

    All it requires is a mixup on log records for somebody to be dragged into an investigation. There have been mixups over such stupid things as differences in timezones (BST vs GMT) on ISP records, not to mention the possibility of Trojans, wireless networks being hijacked and any number of other things which could end up with an innocent individual being dragged into investigations of some very serious crimes.

  9. Jockox3

    Apologies...epic fail

    I missed Anonymous Coward's post about the same case @ 15:32 and misheard the report last night and thought he had been convicted not merely remanded.

  10. Anonymous Coward
    Anonymous Coward

    The big question

    The big question is what counts as sufficient evidence that the accused is refusing to decrypt the data rather than being genuinely unable to do so.

    It's perfectly normal, I think, to have encrypted data that one can't decrypt. I frequently encrypt something in order to move it from one place to another, on a CD, an SD card, or by e-mail. I encrypt the data either with a simple passphrase that I can remember or with a randomly generated passphrase that I write down on a scrap of paper, and I decrypt the data a few hours or days later at the destination. A few weeks or months later I genuinely can't remember the passphrase, and I've lost the scrap of paper if there was one, but the encrypted data is probably still hanging around somewhere in my custody. Can they lock me up for that?

    If yes, then it's a dangerous law. If no, then it's a useless law.

    In any case, if the justification for the stupid law is child porn, then that's a stupid justification because perverts looking at pictures, however disgusting you or I might find them, is a victimless activity and shouldn't be a crime.

  11. Nomen Publicus
    Black Helicopters

    Lesson the first

    Always keep your illegal porn and plans to assassinate [insert name here] on somebody else's computer.

  12. Anonymous Coward
    Anonymous Coward

    Well, don't control data access in the UK then.

    UK laws apply to UK companies and UK located information.

    I wonder what would happen if you host your data or even just one half of a master key in a country where privacy still means something, Switzerland? They too can demand access if there is enough evidence of criminal activity (little known fact about Swiss bank secrecy - it's the bit the US tends to gloss over when they accuse Switzerland of "hiding" data), but (a) the Swiss require a proper warrant issue process instead of the weasely "I wanna" in the US/UK (especially since you're crossing borders) and (b) have demands in place to treat such disclosed information with the extra care it requires. The privilege of legally enforced access is limited to those investigating the case, and the data is destroyed if the claim proves to be without merit.

    I'm not quite sure what your position is if you CAN provide access but it would have to go through the Swiss - you're then not violating the law, just making it hard to do so improperly (IANAL, of course).

    In the UK, it appears that as soon as you have handed off your precious information (about, say, High Net Worth individuals or some celebrity) there is NO requirement imposed on police or government to treat that data as it should. Translated; if someone high up wants to ruin your business (or get a copy of your confidential information), all he needs is (a) a high friend in government, (b) a manufactured section 49 disclosure and (c) an "accident" involving "lost" CDs or memory sticks, leaving you to clean up the mess, and there will be almost no audit trail to follow back. Alternatively, the so obtained data gets handed to a fresh school leaver who can be socially engineered to hand it over for a bar of chocolate (I may be putting the "bar" too high here, har har).

    Just to clarify: I have no problem with the concept of disclosure for proper purposes - I understand the need (I was in London during the IRA years). However, there is NO excuse for the absence of proper audit, accountability and independent checks preventing abuse. If there was even a glimmer of transparency in the system it would be OK, yet that has been scrupulously avoided - thus prompting the mistrust it deserves.

    It's not the citizen who may or may not have something to hide, it's the government which must remain accountable. BTW, you have to prove your innocence here (in case you missed it). First the banks managed it (CHIP & PIN swaps liability), now the government. Wonderful.

    Well, I have TBs of storage available, and at a pinch I can also vault hard disks externally - all you need is split key encryption and you're on your way. You disclose the UK part, they'll have to work on the Swiss part (as soon as they cross the Swiss border it becomes a Swiss judicial matter, you can't just wander into another country with some plods).

    Happy to help (where it remains legal) - I saw this coming when RIPA was just in discussion..

  13. Anonymous Coward
    Big Brother

    Worrying

    About six months ago I downloaded Truecrypt and bogged about with it for a bit. Probably in response to a previous article on Reg. I created a small volume and mucked about putting a few mp3s in. For a while I had different versions of the volume on my drive with slightly different content and yes I know that's a security no no, I was experimenting see. All but one got cyberscrubbed, I got bored and never got around to putting truecrypt to use. I should as I have banking related stuff on here.

    I can't open the volume any more. I know what the pass phrase was but not the caPITalisatiON and symbol sub$titut!on I used. I really ought to just scrub the lot but it's like a challenge now trying to recall the correct combination.

    Just having that on my drive could get me sent down for 2 years if someone I annoyed made a malicious accusation? Get me outta this Liebour fucked over hell hole.

  14. Anonymous Coward
    Anonymous Coward

    Been coming a LONG time....

    I first started warning colleagues in the IT/Defence Industry about RIPA way way back in 1995/96. People at the time thought I was over-reacting. It was a long time before it actually hit the statute books (in full) but what a bunch of control freaks were at the levers of power then. The same people are horrified now and can't quite understand how this happened. We live and learn...

    Plausible deniability. If you have something to hide in the UK then first of all don't - offshore it. If it HAS to be here then you need a multi-layer crypto/obfuscation scheme. There's various Windows based apps available, there used to be Phonebook for Linux machines (think that's long dead but was a bloody good idea) and of course there's h/w tokens but not on their own eh?

    In short if you have data in the UK that is stored offline then assume that plod will be able to "persuade" you to part with the key. If the data is online then plod should already have it. You should be planning on that basis.

    With the nastier clauses in RIPA (can't disclose you've been asked for the key, etc) I see no reason why anyone with the slightest clue would choose to store ANY sort of confidential data within UK borders.

    Protect yourselves for the UK govt is only interested in protecting itself. Really. The next (Tory) govt will be the same - watch them NOT repeal the "bad" laws, but extend them in the guise of "reform".

    If you have nothing to hide then why do you have curtains?

  15. This post has been deleted by its author

  16. Anonymous Coward
    Linux

    Use a non-mainstream OS?

    No, Linux is too mainstream - and EVERYONE knows if you use that you are a criminal Haxor. Try CP/M or DOS 3.3 or some academic experiment. They probably won't realise the computer is running if they don't see "Welcome to Windows". And having the key won't help much if they don't know how to enter it!

  17. Anonymous Coward
    Stop

    Rights of the Innocent

    Whatever happened to the rights of innocent people? (Oh, I know, it's more a rhetorical question these days. That's how far we've gone down the pan.)

    When the State wants you, an innocent person, to hand over an encryption key, is it so that you will help them prove your guilt (but you're innocent), or is it so that you can prove your innocence?

    Innocent people shouldn't have to help the State prove them guilty. After all, they're innocent. There is no guilt to prove. It would be truly perverse for innocent people to have to help the State prove them guilty of crimes they didn't even commit.

    Innocent people shouldn't have to prove their innocence, either. You're innocent, whether you prove it or not. As an innocent person, you have the natural, human right to be respected and treated as the innocent person that you are. And isn't all this criminal justice stuff supposed to be about protecting the innocent in the first place?

    Innocent people shouldn't have to help the State prove their nonexistent guilt, nor should they have to prove their innocence. Innocent people shouldn't have to hand over their encryption keys.

    But what about the guilty? Well, until and unless they're proved to be guilty, the State has to allow for the possibility that they're innocent. Otherwise, genuinely innocent people end up having their rights, as innocent people, taken away in the process. This is what the right to the presumption of innocence is essentially about. Until and unless proved guilty beyond all reasonable doubt, we must limit what we require of suspects and defendants to only that which can reasonably be required of entirely innocent people. Otherwise, we're failing to protect the innocent in our pursuit of the guilty. And since it's all ultimately about protecting the innocent, that would be a truly perverse outcome.

    There is a real and growing need to enshrine the rights of the innocent right at the heart of our State. It must form a fundamental part of the very foundations of the State. Without the rights of the innocent, the State ultimately has no legitimacy.

  18. Anonymous Coward
    Thumb Up

    What a load of paranoid crap.....

    >Innocent people shouldn't have to hand over their encryption keys.

    If there is reasonable suspicion of crime and it's gone through the legal process, of course they should, same as they would their house keys, safe keys or shed keys......

    Bottom line is it's only a problem if you've got something incriminating encrypted.

  19. Sitaram Chamarty
    Big Brother

    @Michael C Posted Tuesday 11th August 2009 13:45 GMT

    doesn't explain why you can't tell people you've been asked for the key, which apparently is also part of RIPA, per John Naismith Posted Tuesday 11th August 2009 16:35 GMT

  20. Anonymous Coward
    Big Brother

    @WTC

    >On the one hand I want anyone planning the next WTC atrocity caught before...

    Problem there of course is that the terrorists in this case, and probably most, used code and open channels rather than cryptography which (historically) has only ever provided the illusion of security from state intelligence services.

    From where I sit, a reassuring angle on this story is that taxpayers' cash isn't being wasted in spades on consultants and high power cryptanalysts cracking the hard drives of wannabe child molesters and monkey fans...

  21. Anonymous Coward
    Paris Hilton

    I made the mistake of complying with the police

    to try and prove my innocence when falsely accused of assault by my ex wife and then had to sit back and watch whilst the police force involved tried to manipulate every single item of evidence.

    My 1 hour fully compliant interview was reduced to a ROTI of 2 lines and despite an order from the court during one of the 37 pre trial reviews to produce a full one they still refused.

    My clothing, worn at the time of the alleged assault which if the allegation was true would have been liberally sprayed with blood was not forensically tested as I had "admitted to being at the scene"! even though it would have come back negative for blood.

    A full medical carried out in custody showing that I didn't have a mark on my hands or body despite an allegation of a full blown fight was marked as "clearly not disclosable" even though it clearly helped my defence, had to fight to get that one out as well despite the court telling the plod they had to release it.

    Custody notes were edited, statements were changed, witnesses were coached at court etc etc.

    Anyone who does anything else except say "no comment" is opening themselves up to the police positioning you for the fall. After all, we are expected to believe that DNA should be kept on people arrested as the innocent will commit further crimes!

    My advice is to say "no comment" to all questions and store your dodgy stuff on a server overseas so you don't go through 2 + years of crap until they're forced to drop it as I was.

    Anyone who thinks we have nothing to fear is living in cloud cuckoo land.

    Paris - brighter than plod

  22. Henry Wertz 1 Gold badge

    self-incrimination and keys

    "If a court demands you produce financial records, and you hide that information or destroy it, when the court is aware already of its existence, you're typically imprisoned"

    But if they got the documents and just couldn't read them, you would have been in the clear.

    "when it comes to a warrant issued to collect specific evidence, your actions to prevent that collection are in fact criminal, and always have been"

    Except this doesn't prevent collection, it prevents reading the evidence. I don't think there was a requirement to provide keys until this law was passed.

    Anyway, I'm just not sure that Britain has any protection against self-incrimination (the US does in the form of the 5th amendment.) If you do have this right, then this law violates it. It's NOT like destroying or failing to provide data -- they have your data, they just can't read it. If the right against self-incrimination was just common law or tradition or whatever, well, there you go... that's why the founding fathers here in the States passed these amendments, they figured power-hungry despots could get in power eventually and having these rights enumerated would slow them way down compared to just having it be vague case law or what have you that they could ignore.

  23. ed2020

    Title.

    "And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life."

    Oh really? Do you have any evidence to back up this assertion?

  24. Charles 9

    Re: Rights of the Innocent

    And then, as some would say, "There IS no innocence." The state is hopelessly lost. Either the freedoms it is supposed to protect end up letting the fox in the hen house (because nefarious agents are able to destroy the country with a totally innocuous phrase like, "Let's party.") or, in the process of protecting the people they're charged with defending, they end up becoming their very pariahs. If the state is damned if they do and damned if they don't...then they'll damned well do as they please.

  25. Omer Ozen
    Happy

    Re:Remember this is plod not CSI

    @Martin 6

    Thank you Martin, you really made me laugh out loud.

  26. Anonymous Coward
    Anonymous Coward

    Re: You don't have....

    ".....the right to remain silent it seems"

    Look back to the Criminal Justice and Public Order Act 1994: http://www.opsi.gov.uk/acts/acts1994/ukpga_19940033_en_1

    More specifically, Sections 34 to 39, "Inferences from accused’s silence": http://www.opsi.gov.uk/acts/acts1994/ukpga_19940033_en_5#pt3-pb3

    It was the Conservatives who put that piece of legislation through. The loss of our rights is not all New Labour's fault.

  27. Nic 3
    WTF?

    @Anonymous Coward -16:23 GMT

    "In any case, if the justification for the stupid law is child porn, then that's a stupid justification because perverts looking at pictures, however disgusting you or I might find them, is a victimless activity and shouldn't be a crime."

    I truly hope you are joking.

    If you are not (and I really really hope you are just trolling), consider the basics of supply and demand.

  28. Richard Smith 1

    "Domestic extremism"

    WTF is "domestic extremism"? Is it like extreme ironing?

  29. ZenCoder

    They make it illegal to forget passwords ...

    A large number of products employ encryption ... people are disorganized ... the average person is bound to have some old password protected file somewhere that they honestly can no longer decrypt.

    Laws like this are really great. You see a lot of times they want to believe someone is guilty but they have no evidence. And in a society that respects the rule of law you can't lock those people up. So you just make so many stupid laws that anyone can be found guilty of something.

    Since everyone is now a criminal you can take it a step further and collect everyone's DNA, fingerprints and put up spy cameras everywhere.

  30. Anonymous Coward
    Anonymous Coward

    Tin foil hats out in force

    You lot are so fucking paranoid. Nobody is interested in your porn nor your bank details. What makes you think you're so special that a squat team is going to come knocking down your door in the middle of the night demanding passwords to encrypted files? Sod all, that's what. In a full year 15 people were served with notice to give up their keys and that is 15 people who were already being prosecuted for a tad more than a minor offence.

    Just from the title of some articles it's easy to know what the comments are going to be, it's like winding up a bunch of clockwork sheep then watching them all head off in the same direction.

    What is wrong with people suspected of committing, and possibly planning further, heinous crimes being asked to provide a key? If you're prepared to spend a rolling two years until the end of your days in prison rather than hand over a key then you're either so pigheaded that it's better you are locked away or you have got evidence of a crime in which case fess up and accept you've been caught.

  31. Simon Langley

    Hidden partitions are proof against forensics

    @AC

    "And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life."

    That shows all you know, ask a proper cryptographer.

    The plausible deniability of Truecrypt's hidden partitions is exactly that. No matter how well trained the forensics expert is, it is not possible to prove that a Truecrypt volume contains a hidden partition unless you can decrypt the data. No-one, and I don't care who they are, how much they know or how well they are trained can prove this - it just isn't possible.

    Most steganography techniques can be overcome, but the plausible deniability of Truecrypt (and RubberHose to give another example) is exactly that. Without an encryption key or a computer powerful enough to crack strong encryption algorithms (and I don't believe even the NSA is capable of this) encrypted data can be made indistinguishable from random bits.

    Truecrypt FTW.

  32. Anonymous Coward
    Anonymous Coward

    ACPO only following orders

    ACPO's up to its usual tricks. It is telling Chief Constables not to apply the ECHR ruling and to wait for guidance from the Home Office... sometime next year at the soonest.

    http://www.guardian.co.uk/politics/2009/aug/07/dna-database-police-advice

    As though Home Office guidance can trump ECHR final rulings, and as though Chief Constables can be outside the European Court of Human Rights ruling, just as long as they're 'only following orders' no doubt.

    They can't, ECHR rulings are binding, they're not just binding only after the country has agreed they are binding.

    And interesting those 'secret letters' have been sent 235 times. These are the times when secret claims are made against the person in a letter, and that letter is not seen or can be challenged by the individual. A secret blacklist run by the police.

    http://www.bbc.co.uk/blogs/ipm/2009/07/crb_checks_and_secret_letters.shtml

    Seems to be used far far more often than I would ever expect. I bet none of those 235 will ever be told they can't get a job because of a secret letter.

  33. Anonymous Coward
    FAIL

    re Tin Foil hats

    Nic 3 said "On the subject of Warrants, I can tell you that they are not given out without serious consideration based largely on individuals right to liberty."

    so that's all right then. nothing to see here, move along... actually no.

    the big problem with ripa and imp is there is no independent judicial scrutiny or oversight. or proper safeguards like those in the us constitution. if the cops want to search your house, they need to get a warrant first. which means convincing a beak the search is reasonable and justified. it's not much of a safeguard, but it is there. the cops just can't search whenever the mood takes them. and in the us, evidence obtained from an unsanctioned search is inadmissible in court. however with ripa and imp, the cops and council and spooks -- hi there cheltenham! -- can go on fishing trips without judicial oversight. in fact there's no way of knowing if a ripa search has been done or if it was justified. we have to take their word on that.

    a proper system of checks and balances is needed. the ones looking for information must not be the ones to decide if they can go looking for it. that decision must be made by a judge. not a cop or a politician or civil servant.

  34. bigphil9009
    FAIL

    @ John 186

    Oh do sod off mate, have you ever heard of the Parliamentary System? We don't actually have a President, you know.

  35. Anonymous Coward
    Coat

    blah Liberties blah Jackboots blah blah

    UK is buggered, get out now instead of whining on El Reg. I'm off in about 6 weeks.

    The army surplus jacket with the Ferry ticket and Ford Transit keys.

  36. Anonymous Coward
    Anonymous Coward

    chaffing

    Several years ago Ron Rivest came up with a way of circumventing this type of law: chaffing and winnowing. It only uses authentication keys, not encryption keys, so you cannot be forced to reveal them - the privacy of authentication keys is guaranteed by the law in the UK.

    It also supports deniable encryption, since you can "voluntarily" reveal one of the several keys you use to create the chaffed message, giving the authorities access to an innocuous plaintext.
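Added example, not part of the comment above and not Rivest's own code: a bit-level sketch of chaffing and winnowing in which confidentiality comes only from HMAC authentication tags, extended to two keys so that each message's wheat is the other's chaff. The function names, packet layout and sample messages are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import random
import secrets

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes

# A packet is (serial number, one payload bit, authentication tag).
Packet = tuple


def _mac(key: bytes, serial: int, bit: int) -> bytes:
    """Tag binding one bit to its position; nothing is ever encrypted."""
    msg = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()


def _bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def chaff_stream(keyed_messages: list) -> list:
    """Build one packet stream carrying every (key, message) pair.

    For each bit of each message the stream gets a wheat packet (true bit,
    valid tag) and a chaff packet (complement bit, random tag). Every serial
    therefore carries equal numbers of 0s and 1s, and tags that are
    indistinguishable from random without the matching key.
    """
    length = len(keyed_messages[0][1])
    if any(len(msg) != length for _, msg in keyed_messages):
        raise ValueError("all messages must have the same length")
    packets = []
    for key, message in keyed_messages:
        for serial, bit in enumerate(_bits(message)):
            packets.append((serial, bit, _mac(key, serial, bit)))
            packets.append((serial, bit ^ 1, secrets.token_bytes(MAC_LEN)))
    # Shuffle so packet order does not reveal which packets were paired.
    random.SystemRandom().shuffle(packets)
    return packets


def winnow(packets: list, key: bytes) -> bytes:
    """Keep only packets whose tag verifies under key and reassemble them."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, _mac(key, serial, bit)):
            if bits.get(serial, bit) != bit:
                raise ValueError("two valid packets disagree on one serial")
            bits[serial] = bit
    if not bits:
        return b""  # nothing authenticates: the whole stream is chaff
    total = max(bits) + 1
    if len(bits) != total or total % 8:
        raise ValueError("wheat packets missing from stream")
    out = bytearray()
    for start in range(0, total, 8):
        byte = 0
        for offset in range(8):
            byte = (byte << 1) | bits[start + offset]
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample keys and messages.
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    stream = chaff_stream([(key_a, b"pay rent"), (key_b, b"call mum")])
    print(len(stream), "packets")
    print(winnow(stream, key_a), winnow(stream, key_b))
    print(winnow(stream, secrets.token_bytes(32)))  # unrelated key -> b""
```

The cost is visible in the packet count: every message bit becomes two tagged packets, which is why the bit-level form is a teaching device rather than a practical transport.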

  37. Pete "oranges" B.
    Grenade

    Kickin' It Old Skool

    O/S loaded from ROM into RAM with only selective writes to storage.

    Remind anyone of the Seinfeld episode in which Cramer attempts to move the arcade machine without losing his high score?

    (Grenade as metaphor of the transience of memory.)

  38. Fraggle
    FAIL

    What about self-encryption?

    ie codewords? Can you be imprisoned if you refuse to interpret? If not, how is it different?

    HMG still does not get it. They're doing all the wrong things, because they're fighting the wrong enemy.

    @AC

    "It might satisfy the curiosity of your wives"

    Surely you'd be in trouble for bigamy! ;)

  39. Anonymous Coward
    FAIL

    right to silence - self incrimination unlawful under EU law

    if you are arrested you are told you have a right to remain silent under questioning. The Human Rights Act, which is based on the European Convention on Human Rights, gives you a right to a fair trial, and European courts have read this as meaning that you can't be forced to incriminate yourself.

    further to this:

    UK law gives you your right not to incriminate yourself and a right to silence. EU law stipulates that you do have a right not to incriminate yourself and a right to silence.

    however, various laws passed since the early nineties seem to have done their damned best to undermine these basic principles....obviously because of things like serious grade encryption being available to the common criminal^H^H^H^H^H^H^H man ;-)

  40. Bounty

    Which carries a longer sentence?

    What's worse, destruction of evidence or not turning over the keys? Which carries a longer sentence? "Yeah, sorry I gave you the self destruct key, now I would prefer the 2 year destruction of evidence sentence instead of holding me for 14 years for contempt. Thanks."

    What if it's a two person passcode? "My mistress, the neighbors wife, knows the rest of the password. This is where we store our favorite home movies."

    What if the key is stored in RAM? "Yeah, just open truecrypt and press ctrl+v. What you turned it off...?" Would that be destruction of evidence? What if all data was in RAM, say you use a boot CD?

    What about biometrics?

    Anyways, contempt of court = eternal damnation is a violation of double jeopardy laws in my mind. I've almost forgotten pin numbers to seldom used ATMS. I don't remember any combinations to any combination lock I've ever used.

    How about this. If Bob made an encrypted volume 5 years ago, it's totally possible he forgot the password, or that he even made it. Bob plays with all kinds of software all the time. Hell, let's say Bob is a criminal. Bob hacks consoles or something, and he has experimented with HDD encryption, and at some point makes a volume and put some mp3's in there to test but he forgot the password. He tried to get all secure and fancy, and made the password too hard to remember. Instead of a 2 year total sentence for console modding, he gets 14 years for withholding keys he can't remember?

  41. I didn't do IT.
    Alert

    RE: Tin foil hats out in force

    Ah, well then. Now that you have written that, the IMP has it in its database, and will now show up on your CRB. Why?

    When "Those that have nothing to fear have nothing to hide" fails, then it's, "Methinks you do protest too much", because that's just the next step in rounding you up. Worked for McCarthy over here, after all...

    And (this time) it is not even malicious. You are just in the National Lottery of Blame(tm). Operation ORE was an educational exercise; make enough noise about the crime, and no one will care who gets swept up, even if they are innocent, as long as you don't let them talk. "We have your credit card details from that card you "reported stolen" last year - you are a fiddler! We don't need to find pictures, we have that card number!" and you are done.

    Too bad, he didn't seem like that kind, but we are safer, aren't we?

  42. Anonymous Coward

    Right to Remain Silent - U.K.

    http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales

    You've got the right to remain silent, but your silence will only incriminate you further.

  43. Fraggle
    Boffin

    And then....

    I came across this

    http://vanish.cs.washington.edu/

    which claims to be able to set data to digitally self-destruct. Is that usable as a defense ("Sorry, the data has already expired, no-one can see it now, not even me")?

  44. Havin_it
    Coat

    @Chris W

    I don't know what the hell a "squat team" is, but if they come knocking down my door I hope it's not the back one O.o

    Sorry to deflect the thrust of your argument...

  45. asdf
    Unhappy

    the irony

    Considering the whole future dystopia genre was largely invented by English writers, not recently but about the time my grandparents were born (see Huxley, Orwell, etc) it is sad even with generations of warning it is happening anyway in the West. How ironic it is that it would be the UK leading the charge.

  46. Steve Roper
    Stop

    @AC 16:23 Aug 11

    "...perverts looking at pictures, however disgusting you or I might find them, is a victimless activity..."

    Er... not quite. You see, if a pervert has PHOTOS of kids having sex with each other, then to take those photos somebody had to, you know, actually force some real kids to have sex with each other. Not exactly victimless, eh?

    What IS a victimless activity is people creating / looking at 3D rendered CG images, or cartoon drawings, of children doing "inappropriate" things. Having such pictures is still a crime both in the UK and Australia - now THAT is wrong. Since such pictures are not photos and don't harm real children in their making, banning them is political fear gone mad. Granted, if someone has a propensity to want to look at such images for sexual arousal they should be asking themselves if they have a problem. OTOH I've also seen examples where such pictures are used as black comedy or sick humour, such as the picture of Lisa Simpson blowing Bart (and I'm not talking about the London Olympics logo!), for which a guy in Sydney was convicted of possessing CP. If that isn't oppression, I don't know what is.

  47. Anonymous Coward
    Linux

    My encrypted data self-destructs...

    AC, just in case.

    If you try to decrypt my data in the usual way (but wrong info), it goes away. I use typical Linux encryption (no, I won't be specific), but hacked in a custom way that you won't notice unless you compare my binaries with all the other versions out there. Good luck with that.

    If you clone it to another drive or run it from another system, you might have a chance. There is one hole I couldn't close, but of course I won't say specifically what that is.

    Simply having the keys to my outer encryption layer won't help you with what's inside. Even if you run it from another computer, you are going to need the binaries within the outer encryption layer to get what's inside the inner layers (of which there are several inner siblings within the outer). There isn't an encryption library in the world that can decrypt my inner layers without the customized binaries inside the outer layer. There are a few interesting tweaks, but otherwise standard.

    The encryption binaries to decrypt the inner layers pay very close attention to the environment they're in. If something's strange (example: I changed a device that is being monitored), I have to do a few special things to keep it from suicide. Otherwise a valid key will cause it to self-destruct. An invalid key will always cause this, on the first try. There is no room for failure.

    It's not 100% failsafe, of course. I know of at least two ways to get around it. I don't know how to plug those two holes. There might be even more that I don't know (which is quite likely).

    In any case, random idiots that try to get at the data won't get it no matter what. They'll likely have killed it all on the first shot. If they're true idiots, they wouldn't know enough to make the backup before they tried to use it.

    I keep my data encrypted for specific reasons. None of those reasons involve anything illegal. But if someone pointed a gun at my head, I'd rather get shot than give it up. At least I could help them destroy the data before they fired. Good thing I'm not a target. :-)

    I'd like to work it in that if they used a valid key that they get valid data, but not the same data. I don't mean an alternate key like TrueCrypt does, I mean a *valid* key. I'm not there yet. I don't have time to mess with it, so I might never get there. (I do admit, I admire the way TrueCrypt does the hidden encryption area; pretty smooth.)

  48. Dusty Wilson
    Black Helicopters

    @Simon Langley

    "The plausible deniability of Truecrypt's hidden partitions is exactly that. No matter how well trained the forensics expert is, it is not possible to prove that a Truecrypt volume contains a hidden partition unless you can decrypt the data. No-one, and I don't care who they are, how much they know or how well they are trained can prove this - it just isn't possible."

    Mostly true. If they get a copy of your encrypted device/file at one point in time and then get it again in the future, they can compare the differences to see where the writes have been occurring. If there weren't any changes at all in the front, it's probably got a hidden partition within. No promises that it's always true.

    If you know that your encrypted device/file has been observed (eg: cops came to your house and grabbed your computer, but returned it later), you should wipe, reinstall, create encryption anew, and do it over again. That way they have nothing to compare it to. (and don't trust that they didn't modify your binaries! but then again, I'm paranoid)
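
The snapshot comparison described in the comment above, as an added example that is not part of the original thread: it diffs two same-size images block by block and reports which block ranges changed between them. The 512-byte block size, the function names and the sample images are assumptions constructed for illustration.

```python
import random

BLOCK = 512  # assumed sector size for the comparison


def changed_ranges(old: bytes, new: bytes, block: int = BLOCK):
    """Return inclusive (first, last) block ranges where two snapshots differ."""
    if len(old) != len(new):
        raise ValueError("snapshots must be the same size")
    nblocks = (len(old) + block - 1) // block
    ranges, start = [], None
    for i in range(nblocks):
        differs = old[i * block:(i + 1) * block] != new[i * block:(i + 1) * block]
        if differs and start is None:
            start = i                      # a changed run begins
        elif not differs and start is not None:
            ranges.append((start, i - 1))  # the run ended at the previous block
            start = None
    if start is not None:
        ranges.append((start, nblocks - 1))
    return ranges


def share_in_front(ranges, split_block):
    """Fraction of changed blocks that lie before split_block."""
    total = sum(b - a + 1 for a, b in ranges)
    front = sum(max(0, min(b, split_block - 1) - a + 1) for a, b in ranges)
    return front / total if total else 0.0


def demo_snapshots(nblocks=64, rewritten=((40, 43), (60, 60))):
    """Constructed sample: a random-looking image and a later copy of it
    in which only the listed block ranges were rewritten."""
    rng = random.Random(1)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    old = rand(nblocks * BLOCK)
    new = bytearray(old)
    for a, b in rewritten:
        new[a * BLOCK:(b + 1) * BLOCK] = rand((b - a + 1) * BLOCK)
    return old, bytes(new)


if __name__ == "__main__":
    old, new = demo_snapshots()
    ranges = changed_ranges(old, new)
    print("changed block ranges:", ranges)
    print("share of writes in first half:", share_in_front(ranges, 32))
```
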

  49. Anonymous Coward
    Paris Hilton

    encrypt then change file type

    How about taking an encrypted file and then changing its extension (like a .doc or something equally familiar). Authorities would probably overlook such a file and if they didn't they would simply try to open it with Word or some such program. File won't open, program and computer crashes, assume file corruption, continue in your nefarious ways.

    Paris, 'cause all my Paris porn hides in plain sight.

  50. Anonymous Coward
    Thumb Up

    @P Saunders

    You know, I think that would work. Personally I'd change the extension to a system file like a .dll and hide it with others like it in an installation directory.
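
How a forensic triage pass treats a renamed file, as an added example that is not part of the thread: it ignores the extension and checks the leading file signature and the byte entropy of the content. The 7.5 bits-per-byte threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

# Leading signatures for the two extensions mentioned in the comments above.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
    ".dll": b"MZ",                                 # DOS/PE header
}
HIGH_ENTROPY = 7.5  # bits per byte; assumed triage threshold


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, 0.0 to 8.0 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> list:
    """Return findings for one file, judged by content rather than by name."""
    findings = []
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic and not data.startswith(magic):
        findings.append("signature-mismatch")
    # Compressed formats are also high-entropy, so this flag alone only
    # marks a file for a closer look; it does not prove encryption.
    if shannon_entropy(data) > HIGH_ENTROPY:
        findings.append("high-entropy")
    return findings


def sample_files():
    """Constructed samples: one plausible .doc and two random-byte stand-ins
    for encrypted data that were given familiar extensions."""
    rng = random.Random(7)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return {
        "minutes.doc": MAGIC[".doc"] + b"Meeting notes. " * 300,
        "report.doc": rand(4096),
        "helper.dll": rand(4096),
    }


if __name__ == "__main__":
    for name, data in sample_files().items():
        print(f"{name:12} {shannon_entropy(data):.2f} bits/byte {triage(name, data)}")
```
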
