Police go slow with encryption key terror powers

what password?

"Tell us the password/encryption key"

"I have no idea , could it be jimbob?"

"Tell us"

"I cant remember"

"You will go to prison for 5 years"

"I don't have a clue"

I am sorry but who is capable of proving whether you can remember or not? Personally I struggle remembering the 200 odd passwords I have now, for banking (of which I have at least 7 passwords across two accounts), my works passwords for the network (where I have 6 all of which need to be different) all of which have to change every 40 days, and cant have more than three letters occuring the same in the last 24 attempts, etc, etc

Jeepers the chances of me remembering a file password I have on my pc is pretty bloody low, especially if the file is more than about 3 months old and I haven't used it.

Increased use jeopardizes the push for 42 days

One of the reasons punted around to justify the Government's ambition to increase maximum holding time without charge to six weeks is that it gives them time to crack encrypted hard drives (USB sticks, floppy disks, punched tape, whatever).

However, S.49 destroys that argument.

Plod: I see you have an *encrypted* partition, sir, care to tell me what it contains?

Scally: Not really.

Plod: I fear that I must charge you with failing to disclose encryption keys, tsk, what a nuisance. Nevertheless, I shall have no difficulty in knowing just where you are for the next five years, as our enquiries progress. Good morning.

I'd take my chances with a jury

They've got to prove beyond all reasonable doubt that I am withholding the keys and that I simply haven't just forgotten them.

And even if I was convicted... five years, out in two and a half. Still might be out before GCHQ cracked the keys in the first place.

what is encryption anyway?

OK, so the cops smash down your door, ransack the house, kick the dog and take away your PC.

On the disk they find several files with names like "plan1.enc" and since they can't read the format, they assume the files are encrypted. While you're in the cell, suspended by your toes from the rafters the head interrogator comes in and demands to know your password. Assuming he means the login password, you tell him there isn't one (as is most frequently the case). He assumes you're lying and beats you up a bit more. After you regain conciousness, he asks again - this time actually saying what he meant: the passwords for the encrypted files. Again you deny any knowledge and tell him there aren't any encrypted files. Sometime later, you some back around.

After your period of detention without trial, when you actually get before the beak, the accusation is made that you refused to disclose your passwords and can the court impose an extra 5 year sentence for this heinous crime, too, please? Since the cops - with all their fine equipment have been unable to break the encryption using a brute-force method, they assume you're a terrorist and that the data contained within is therefore a threat to national security and you're to be shipped off to somewhere dark and secluded for the rest of your natural - to safeguard the law-abiding population - of course.

Enter a newbie recruit into the police's all-encompassing security division. She is going through your PC as a training exercise and notices the odd files, with the .enc extensions. She gets out an old copy of Lotus 1-2-3 and starts reading your household accounts. Over coffee, later that morning she mentions this to her boss, who then reports to his boss and so it goes up the ladder: your .enc files weren;t encrypted, just as you had always claimed.

IT'S JUST THAT THE POLICE WERE UNABLE TO READ THEM

and therefore assumed the worst. This is a case of having to prove yourself innocent. You're very lucky, because the person in the next cell tells a similar story - except in their case, the files didn't contain any content at all. They were just blocks of truly random numbers that he was using to test a random number generator - hence no decryption algorithm in the world could extract plaintext from the "ciphertext"

Moral: just because you can't read a file, doesn't mean it's encrypted. Just because the "criminal" doesn't give you the password, doens't mean a file is encrypted, just because a block of data looks like encrypted data doesn't mean it is.

This is a very dangerous area as the only way to prove that data is harmless is to decrypt it - which is not always possible.

Deciphering Powers

Encryption is still new and a bit confusing to many non-technical individuals. Using encryption will become more common in the future, and therefore will be needed/used when it does. For once, a law is in place before it is desperately needed.

Reading a related article, and the HO guidelines

regarding this damn RIPPER act....I see that EITHER you must provide them with the key, OR give them the file in plain text. No need to do both, it seems - see below. So, give 'em some loada bollox like (certainly in my case ;-) your CV, saying you wanted to send it protected, then give the key to the prospective employer "by another means". Yep, Guv, that's the file. Honest, Injun.

See: 50 Effect of notice imposing disclosure requirement

Subject to the following provisions of this section, the effect of a section 49 notice imposing a disclosure requirement in respect of any protected information on a person who is in possession at a relevant time of both the protected information and a means of obtaining access to the information and of disclosing it in an intelligible form is that he—

(a) shall be entitled to use any key in his possession to obtain access to the information or to put it into an intelligible form; and

(b) shall be required, in accordance with the notice imposing the requirement, to make a disclosure of the information in an intelligible form.

One other thing, is correspondence with a solicitor/legal representative exempt? Bloody should be!

6 out of 8 refused to release the key

Yet only 2 have been charged. Hence the law is selectively applied, which is death to any law.

shared secrets

what if I use a secret sharing scheme to encrypt my laptop drive, and split the key between myself and my mate? Both of us have to be present to access my files, so can my mate be forced to provide the missing key info if the gubmint finds out I've been using the laptop for nefarious purposes?

alzheimers and encryption code

what happens if someone has alzheimers and forgot their encryption code or had misplaced where they put their password? are they bound by section 49?

right to silence

i thought when presented with a demand for data its not so much a right to silence as a right to have your fingers broken if *you* tell anyone?

there are ways round it of course, but i'd have thought the people they are probably using this against don't want or are scared out of talking about it.

after all the mere threat from plod of disclosing they are searchng your computer for 'possibly indecent pictures' (implying they are of kids/animals/people being lightly spanked/etc) but in practice could be anything...

would *you* go to the papers over that, and for bonus points: would they be interested in your story if they did?

this is one of them laws thats pointless, if you have some serious data encrypted and need it hidden from the plod the 2-5 years is nothing compared to giving them the key. so they don't get the data. otherwise they do get the data but can't nick you for it.

*yawn* another tool aimed at 'terrorists and child abusers' that in practice will be used against protesters of one sort or another the guv don't like.

pass word fun

Were I work at we have four systems that have shared logins.

Our new sysadmin dint find the passwords to funny so he changed them. They use to be, I dont know, fuk u, high times dirty bastard.

I can see it now. what the password. I dont know, tell me the password I dont know .

@shared secrets, @what if

They ask the other guy for the password. Or they ask you for whatever it takes to unlock the files if it's not a password.

This isn't something that can be defeated trivially. Either they get the data, or you get prosecuted under the act.

Perhaps if the only password was held by some person or machine outside the US, that might work.

Perhaps if we all made a point of sending each other streams of random characters, then the act would be seen as useless. "There is no password, it's just random data" ::prison door slams:: (repeat n times)

I don't know about you, though, but I'm not brave enough to be the first to start.

Missing Something...?

I must be missing something obvious. I mean, disregarding the bulk of the comments that have been essentially just another run-through of all the original complaints about this law, something strikes me as odd.

Obviously, I know that the police are EVIL. Without exception, they're all corrupt, violent and racist and want to take over the country. I know that, 'cos people on the Reg tell me so with some regularity. And I know it was EVIL of the police to pass this law in the first place, and they got rightly slammed for doing so.

But... but now we have a report that seems - at least as I read it, which is no doubt wrongly - to be saying that the police haven't used that law very much... and they're getting slammed for that too?

So let me get this right: if they use it, they're evil. If they don't use it, we *assume* that they're threatening people with it and they're evil anyway.

Are there other possibilities, I wonder? Such as that they're not finding the law all that useful? That they're applying it only in cases where they genuinely think it's required (as opposed to the 'hit everyone with it' technique that was widely predicted)? Or possibly that they don't generally think along those lines when they nick someone? Are any of these conceivable? Or do they just not fit in with the predetermined image?

Re: This act is rather concerning

One well known example of a system that uses encrypted files to which you do not have the key is PerfectDark and other anonymising P2P systems, that use the technique of spreading data across multiple clients in encrypted form to hide its origin. For all anyone knows, you could have encrypted kiddie porn in the PerfectDark cache and never know it; nor would you have the ability to unlock the cache to check it. It would be interesting to see how the act would apply in such a case.

garbage

This is of course all garbage. Just as aircraft bombers now know that the best way to get explosives on a plane is to put them in your silly plastic bag and wave them at a security guard, who will ignore them. Downside risk - you get caught and get life in jail, but hey, you were planning DEATH anyway, so where's the problem? So the true file hider will just work with the system, and put the data in plain old word files deep on a disk labeled "Archived documents 2000 - 5", kept with a hundred similar CDs of any old random files, or do the really SMART thing - move it all onto ..... wait for it ..... paper.

Steam

Save the files as an encrypted archive of a game preloaded on steam but never activated.

You don't have the key, you can't access the data, PC Farquit can sit and swivel :D

Maybe it is just fear...

Police seem very afraid of technology. Maybe they are just scared of this "new" tech.

We once had a server hacked at a company I worked for in Stoke. They sent two officers down to collect finger prints and determine a point of entry to the server room, it didn't occur to them that this could be done remotely and they needed more electronic methods to see what had happened.

They went a lovely shade of red when we explained what a hack was and what DDOS attack meant...

Re: Missing Something...?

"Are there other possibilities, I wonder? Such as that they're not finding the law all that useful? That they're applying it only in cases where they genuinely think it's required (as opposed to the 'hit everyone with it' technique that was widely predicted)? Or possibly that they don't generally think along those lines when they nick someone? Are any of these conceivable? Or do they just not fit in with the predetermined image?"

It's not a "predetermined image", it's a reasonable expectation based on prior behaviour.

Also, don't think we can rely on the government's figures for how often it's been used as I know of at least two occasions where this has been used against animal rights protesters - so that's at least a 25% discrepancy in the figures. This shows that they are obviously only reporting when it was used to charge someone as opposed just used as a threat.

If they say "We can send you to prison if you don't give us the key," and you give them the key, they haven't actually "used" the legislation. They have simply let you know that it exists should they wish to use it later.

Re: "Missing Something...? "

Where did you get all that straw???

There's only a minority of corrupt. However, the police have a code of silence that is very similar to omerta from the Mafia. And so they close ranks and back each other up "because we're all fighing the scum, right?". And that makes the entire police force responsible for the acts of the minority.

Quite different from "they're all corrupt", isn't it.

And as to the law, well if it isn't needed, how about getting rid of it? And that ALSO closes the ability of councils (who never were supposed to use it) to wheelde information out of people.

ANY encrypted file?

What about ones where you don't have the key? I.e. DVDs, iTunes or protected audio? How about company documents, or ones that, if MS's marketing bumph is correct, cannot be read without the proper AD systems in place authorising access (and what if the data has expired? No decrypt possible!).

@ Steve

@ Steve:

<< It's not a "predetermined image", it's a reasonable expectation based on prior behaviour. >>

And that's a different thing, is it? There have been corrupt police officers in the past, and no doubt still are some, and therefore all police are corrupt?

@ Mark:

<< Where did you get all that straw??? >>

I had to shop around. Most places had sold out. Now I see where it'd all gone.

<< code of silence ... close ranks ... back each other up ... >>

Oh, aye, sure they do... It's amazing, though, considering all that, how whenever one of them is accused of anything, they're left in the middle of a widening empty space, with bobbies on every side running for cover and denying they ever knew the guy... Either that or they're suspended pending an investigation, which can go on for years, throughout which they're generally treated like criminals, prohibited from contacting their workmates, and if and when they're found not guilty of whatever it was, they're grudgingly allowed back to work, usually without even an apology. Or both.

Anecdote? Rhetoric? Sure, I guess. But not really any worse than yours.

This article told us one thing: police have used this new power very few times.

After that, it's all assumption. It's assumption by the Privacy International guy that, if they're not actually *using* the law, they must be *threatening* people with it; and it seems that's an assumption a lot of people are happy to take as fact. In my view, this guy's opinion doesn't constitute news.

As a matter of fact, I don't like this law either. I'm wary of any law concerning IT that's passed by a government that quite clearly has no understanding of IT methods and mechanisms (witness the recent idea about forcing paedophiles to register email addresses). In fact, I'm wary of any fiddly little law that requires so much 'interpretation' and has no obvious purpose beyond expanding the surveillance state.

Yes - surprise - I'm a bit of a libertarian myself.

But let's not forget who's the *source* of the surveillance state: the Government, made up of supposed 'representatives' that *WE ELECT*. I don't go for the people whose duty it is to ENFORCE the laws that those uncontrolled, unaccountable 'representatives' create.

I'm not saying don't attack the police when they do something wrong, which I willingly acknowledge they do from time to time. And I'm not saying don't vilify officers who prove to be corrupt. You should. I'm just saying let's focus on the real problem, instead of wasting our energy tilting at windmills; albeit windmills with CS gas and batons. You can't have it both ways. If enforcing this law in large numbers would make the police evil, then you can't call them evil for NOT enforcing it. If it's the *existence* of the law we're worried about, then that's the fault of our politicians, not the police - and in theory, WE decide who our politicians are and what they're like. As the tired old homily goes, people get the government they deserve. So perhaps we ought to stop casting the blame at the easy target, take some responsibility, and actually utilise the democracy we reckon to be living in?

Privilege against self-incrimination

The classic rule is "...that no one is bound to answer any question if the answer thereto would, in the opinion of the judge, have a tendency to expose the deponent to any criminal charge, penalty or forfeiture which the judge regards as reasonably likely to be preferred or sued for."

Say, you have have a disc full of encrypted grossly obscene and disgusting JPEGs (say, pics from Dr. Gillian McKeith dietary guides) posession of which will soon become illegal. Surely, giving away the key to the CPS will have a "tendency to expose the deponent" to a criminal charge...

@Tasksis

Fair enough on your second post, but it does leave your first one flapping in the wind.

Because the main reason for it was to say that the police aren't using it, so it's not being abused and so don't worry about it.

That's what I took away from it anyway.

And your second post was correct. It just didn't say how the three things are connected. Why is the law there if the police won't use it? Why is the police not abusing it mean that the law is OK? And why is it OK to have a law that CAN be abused, even if the police aren't using it (because they'd have to use it before it can be abused).

@ Mark

<< Because the main reason for it was to say that the police aren't using it, so it's not being abused and so don't worry about it. >>

Not quite what I meant. I meant that it seems inconsistent to me to imply first that the police are tyrannical oppressors because they're *expected* to abuse this law; then, when it becomes apparent that for the moment at least they're *not* abusing it, to accuse them of being oppressors on the basis of an *assumption* (apparently) that, well, they *must* be threatening people with it instead.

As I said, I can't see how those of an anti-police persuasion can have it both ways - it seems a bit doublethink to me.

<< Why is the law there if the police won't use it? >>

Well, nobody picked up on my earlier comment about the police passing the law... But that was intended to make the point that, despite the pre-emptive accusations being levelled at the police, it *isn't* actually them that pass laws: it's government. The police are simply duty-bound to *enforce* the laws. But, where the law is more a tool, like this one, it seems a positive thing to me that the police aren't (for the moment at least) taking the opportunity to exploit it.

<< Why is the police not abusing it mean that the law is OK? >>

It doesn't, at all. This particular law is very far from okay. But the bulk of the criticisms here - at least the ones I'm responding to - are being levelled at the 'pigs'. But if the law is created by our supposed 'representatives', and the police don't use it (at least as much as we feared they might, and at least at the moment), then the criticism should surely be directed at those who *made* the law.

<< And why is it OK to have a law that CAN be abused, even if the police aren't using it >>

Again, it's not okay. And again, the criticism that I'm responding to is that preemptive variety that's largely based on generalised prejudice against the police and a presumption that, as a law enforcement agency, they must be automatons bent on subjugating the population under the unyielding rule of a totalitarian dictatorship. I see no reason to assume that most of them (bearing in mind I accept that they have their share of idiots and crooks, just as every group does) are just honest, taxpaying citizens trying to make the best of a bad lot, but without the political rights that the rest of us have.

Maybe I am living in fluffy bunny land, at that: but if I'm going to err, I'd rather err towards extending someone the benefit of the doubt until I've reason to assume them guilty. That goes for all citizens, including those who work as police officers.

Again, my only real point is that if you want to criticise law, criticise those who MAKE it, not those who're duty- and mortgage-bound to comply with it.

That's pretty much all I can say on the subject, and since I must've used up a year's worth of comment space already, I'll bow out.