UK police can now force you to reveal decryption keys

Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect on Monday (Oct 1). The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key …

COMMENTS

  1. Sean Nevin

    Really...

    ...there's no practical difference between the police demanding you unlock your door when they have a warrant and demanding you unlock your files when they have a warrant.

    Except, I suppose, that the police are more intellectually suited to breaking down a door than breaking any form of encryption...

  2. colin cuddehay

    Colin

    Making China seem quite liberal! The thought police can't be far off!

  3. LaeMi Qian

    Hmmmm...

    Interesting that big multinational media conglomerates have the legally enforced right to keep their encryption systems secret at all costs, but the individual has the exact reverse!

    I wonder if I could use CSS (or the modern HD equivalent) to encrypt my private data and pull whatever local laws are available in that regard - even if they have the keys, it might be illegal for the police to actually use them!

    At the very least they might have to take a long expensive trip to view the 'evidence' in a different media region ;-P

  4. Paul

    a provably dumb law

    It's a logical fallacy to convict someone for non-possession of something!

    This section of the act is clearly a stupid one: simply forge an email from an MP to another, encrypting it, hinting that the encrypted part contains state secrets and/or a terrorist plot. Then, forge a reply. Report said persons to the police. They will then demand the keys from the implicated people, but neither party will have access to the encrypted data since neither has ever had the key, however, they will still be guilty under the law for failing to disclose something that they never had, but cannot prove it.

  5. peter

    Truecrypt.

    Use Truecrypt.

    Multiple levels of encrypted drives WITHIN encrypted drives, that are invisible unless you attempt to open them with the right password.

    So when "The Man" asks you for the password for your encrypted file/drive, you give it to him. There's no way for him to tell that you have yet another one nested within.

  6. yeah, right.

    Wow.

    The USA and Britain are really racing each other to the bottom of the barrel when it comes to creating a police state!! Only goes to show that the general voting public really does belong in a Welsh field, grazing with the other sheep waiting to be fleeced.

  7. OneArmJack

    They haven't really thought this through, have they?

    So if I want to get someone sent away for a couple of years, all I have to do now is plant a disk containing strong encrypted data? Maybe send it to them through the post then anonymously tip off the police that that person is involved with drug crime or a terrorist plot. They wouldn't be able to provide the police with the key and couldn't prove that the disk doesn't belong to them. Sounds like a great law. Until it happens to you...

  8. Anonymous Coward

    If you have nothing to hide, you have nothing to fear.

    Except your government.

  9. John Latham

    Lame

    This might prove effective for idiotic small time terrorists (which the UK security services seem capable of catching, but which don't pose much of a threat), but there are many obvious ways to avoid this being an issue:

    - Don't use technology.

    - Be involved with a big enough plot (or bad enough co-conspirators) that 5 years in jail is no deterrent.

    - Store all data online, so it's not provably yours.

    - Disguise the fact that you are using encryption.

    - Distribute the encrypted material and/or the keys.

    - Use some kind of "slow browser" with its own private key which decrypts pages on demand, but so slowly that bulk analysis of large volumes is impossible (cos you'd dump wikipedia into your content repository, to keep them busy and ill-educated).

    ...and that's with about 30 seconds thought and no motivation.

    Ironically, investment by the security-obsessed content industry in stealth watermarking, the consequent development of stealth P2P technology, combined with the huge data volumes now possible both on- and off-line, is probably moving the game on to where the "police" won't even know that the target content exists.

    Do the spooks have the technology to spider Flickr, YouTube etc looking for stealth-encrypted data in pictures of people's pets?

    Ultimately, if someone has the means to build/steal and transport a nuke to a city (one of the worst case scenarios for which such invasions of privacy are presumably justified), avoiding detection by electronic means will pose zero challenge, and prosecution after the event will be irrelevant.

    John

  10. Anonymous Coward

    multipart keys

    What happens when data is encrypted with multi-part keys and the other keyholders are outside jurisdictional reach?

  11. Anonymous Coward

    Ways to get around this

    Only data physically stored in the UK is subject to be decrypted or the decryption key to be handed over.

    Some other thoughts:

    It might be beneficial to take the 2 years in prison than to decrypt material and then get convicted and sent to prison for more than 2 years.

    Not exactly sure about the proper controls of this law; how about corrupt constables that could force you as a company to reveal trade secrets and then sell that intelligence to, let's say, China or Iran.

    Would you store your data in the UK with the chance that you have to hand over your master key and open up the technical possibility for the law enforcement of the UK (or their allies the USA) to peek into your systems world wide? Just because you happen to be a bank or other financial institution and the authorities think they're following a terrorist money trail.

  12. Anonymous Coward

    Render intelligible

    "Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible by authorities."

    Errr, as the material is encrypted, how do the 'authorities' know whether the 'intelligible' version you provide is, actually, the material they want?

    An encryption scheme that interleaves two sets of data, one incriminating, one innocent, and each part locked by a different key wouldn't be hard to devise. For best effect, a small amount of dodgy data amongst a lot of innocent stuff (one bomb-making pdf in several GB of family snaps)

    When plod comes calling, give them the 'innocent' key and they can spend several days looking at your holiday snaps, while the bomb-making instructions remain nicely hidden.

  13. Ted Treen

    Quis custodiet................?

    And who precisely decides what constitutes "both necessary and proportionate"?

    As Orwell predicted, "Ownlife" will soon be a crime......

    We already have "Thoughtcrime" in being non-PC.

    And NuLabour's character assassination of any dissenters/protesters is no more than the accusations of "Agent of Goldstein".

    Truly, 1984 is today.

  14. Dam

    Big brother's back

    Let's hope this kind of legislation doesn't make it to the mainland...

    Although, I must say, if this was to happen and I was ordered to hand over my private key file, I think I'd instantly forget its associated pass phrase...

  15. Anonymous Coward

    Use True-Crypt's hidden volume

    They might force you to reveal the password of your encrypted volume (where all your semi-important files are stored) but they have no way of knowing or proving that 2nd hidden volume exists within that volume.

    If you deny it exists, they can't prove it exists. How can you hand over a password to something that doesn't exist?

  16. Anonymous Coward

    desperately seeking hidden messages

    so how long before steganography will be outlawed?

    are all our photos going to be scrutinised? will flickr and youtube be forced to 'process' our uploads a little bit with the hope of destroying any possible hidden information?

  17. Mycho

    Does this mean...

    ... I can now post someone a CD containing a garbage file, anonymously tip off the police that it contains detailed plans to blow up ... oh, I don't know, Jeremy Beadle, and get them 5 years for not knowing how to decrypt it?

  18. Anonymous Coward

    Plausible Deniability

    Truecrypt is, for me, the most obvious way to tackle this new 'it's for your own good' law. It lets you have two passwords for an encrypted file, one for the outer volume and one for a hidden volume. If pressed for your password you just give out your standard outer volume password that lets people see all the nice, normal, private, not-for-anyone's eyes, banking details and keep the WMD instructions safe in the hidden volume.

    Anyway, I ramble.. Have a read of their site if you're worried that you'll be forced into self-incrimination some day.

  19. alain williams

    Secrecy makes it ripe for fraudulent use

    Because no one knows that it has happened to anyone else, there can be no oversight. All that we now need is a bent copper to go round collecting private commercial data (or other encrypted stuff of value) and start selling it. The copper never gets caught because the victims are not allowed to talk to each other and so deduce that they are being scammed/robbed.

    Also: if you are a terrorist (one of the supposed bogey men that justifies this) then you will go down for 20 years, an innocent man will go down for 5 for refusing to disclose keys. What would you do if you were a terrorist and were asked for keys - want a 5 or 20 year spell of eating porridge?

    This is completely stupid - it puts us good guys at risk and does little to deter the bad guys.

  20. Will

    hmmm...

    Yet more ways in which the right to remain silent has been removed.

    If police cases are starting to depend on the suspect giving evidence against themselves then this country really has gone downhill in policing standards.

  21. Anonymous Coward

    Paranoia or double-bluff?

    In tin-foil hat mode for a second, does this mean that they've now got a way of decrypting most commercially available algorithms and are asking for this power as a way of deflecting attention away from their banks of supercomputers?

  22. Anonymous Coward

    thought crimes

    Excellent. Yet another law with the punishment based on who the prosecution is, rather than anything you have done.

    If you encrypt some, "personal" photos of your partner and forget the password you could get the following responses, depending on who wants to know the file's content:

    1. From your partner: phew!

    2. From your mates: spoil-sport!

    3. From your employer: we think you're stealing information - we'd like to fire you but we can't prove it.

    4. From the police: We think you've got kiddie-porn - 2 years in the slammer! (We don't need to prove it)

    5. From the police: We think you've got a copy of the anarchist's cookbook - 5 years in the slammer! (We don't need to prove it)

    How good that would be for the crime statistics!

    In fact it was just your Mum's recipe for the best lemon pie which you used to test out encryption when you first started playing with it - you deleted the photos ages ago.

    It's a good job we still have Burma to make us look like a liberal democracy.

  23. Cameron Colley

    5 years for forgetting your keys?!?!

    Hmmm, emigration to North Korea looks better and better...

  24. Simon Painter

    5 Years?

    Hmmm... 5 years in jail for not revealing the encryption keys or a longer time in the slammer and a lifetime on that register when they decrypt all those photos? I wonder which the average nonce is going to choose.

  25. Anonymous Coward

    Use Truecrypt hidden volume for plausible deniability

    Use Truecrypt's hidden volume facility for plausible deniability. When the law asks you for the password, give them the password to a volume with some ordinary contents. Your secure content is kept in the hidden volume which no one can see exists.

  26. Matthew

    Oops.. I forgot

    I'm sure you could just 'forget' it :-)

  27. Anonymous Coward

    Presumably then...

    If disclosing the encrypted information could land you with more than 2 years jailtime then it's still well worth keeping quiet? Um.... Or if national security terrorism related then evidence of a plot to, say, cause explosions or some other such topical activity would almost certainly get you more than 5 years so again, worth keeping quiet. I'm not sure I get this law. Do _they_ just get bored and just make up futile new laws for the sake of it?

  28. Andy

    fghrnvsodghpe9hj[sdhbrihghaldhbn'l#

    That's a random string of characters, by the way, not a code.

    Except that I can't think of a single way I could prove it in court.

    Which is my (mildly cryptic) point.

  29. Anonymous Coward

    Decrypt this: F*** O**!

    "...as long as the demand for decryption was both necessary and proportionate."

    How subjective is that? Especially in the minds of our terror-driven leaders and instigators. Necessary for the greater good? Proportionate to the government's lies? It's not as if we have transparent leadership; how many lies and secrets are they hiding from us?

    This is simply another blatantly manipulative step towards a police state.

    Come on folks! Rise up developers! Let's not roll over and let the government rub our little fat bellies on this one.

    What about the makers/vendors of encryption/decryption software and services?

    And finally, code-making and breaking is...well, fun. We don't want our poor little MI5/6/SIS kicking their heels do we?

    If only I could spot the irony.

    cwZjNuYCcyCWM.

  30. Anonymous Coward

    Typical

    Either gain the requisite skills to do the job or put some stupid half baked law in - I wonder which Labour will do!

  31. Vernon Lloyd

    Hmmmm

    Is this another excuse to take big business abroad, I mean if the encrypted files are not stored in the UK then this law does not count.

    In other words we are telling the terrorists that if you want to have data for future crimes hold them on servers abroad.

    From another point of view (and this I feel is just as serious) I can foresee pedophiles holding GBs of data on encrypted devices. Let's face it, what's 2 - 5 years in jail over a life of being a convicted pedophile. No key = less or no evidence.

    Still I must make sure that I do not carry personal ID information on my encrypted Data Stick (so if I get robbed no one can get my info).

    Can you protect your data through the Human rights/Data Protection Act?.... of course I have to have mugged or robbed someone before I can have any human rights.

    How I love to be British

  32. Anonymous Coward

    Blank password

    Set up a system that locks after 3 incorrect attempts and then tell them the password is "Blank" ;)

  33. jon

    this has always been the case?

    hasn't it?

  34. Ash

    How many fingers am I holding up?

    Today, The Government reduces sentences for refusing to share Encryption keys from 10 to 5 years when in relation to Terrorism charges, and from 5 to 2 years in all other cases!

    Minitrue.

  35. Joe Blogs

    Hmmm...

    kdihdndhapownmckdmsmwldposwnp oqkwlakj lkjdw. idoiwndahdidlwkjdnasdpqwoiuhjflsjdwqpojksdjfovjnfjhwocjwkncjldid w jdiodiusdjwhrnddkslkwmwwritncbz, sdlkcjakdwncicivlrtmvovitwatkivjvm.eloivv,emkjdkxzoie,mjvodifk

    [Decryption available with a court order...maybe]

  36. Neil

    non disclosure...

    --- 'Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice.'

    Ah. So this is aimed at online services which utilise encryption - can't tell their customers that they've been ordered to give up their keys?

  37. Robert Long

    Errr

    "UK police can now force you to reveal decryption keys"

    No, they can't.

  38. suspiciousMinds

    Plausible Deniability

    Surely this clause is simply defeated by having your valuables in an encrypted volume inside another encrypted volume. Hand over the first key, there's some guff (and a bit of pr0n for plod's reality check), and there's no way anyone can prove there's anything else to unlock.

  39. Aleph0

    They will have to PROVE there's encrypted data first...

    http://www.truecrypt.org/docs/plausible-deniability.php

  40. Anonymous Coward

    prevented from telling anyone apart from their lawyer...

    "Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice."

    How are you supposed to keep the communication with your lawyer secret? By encrypting it?

  41. Anonymous Coward

    we are all criminals.

    And the more we are pushed and pushed into this police state the more people will simply flout the law.

    I for one immediately forget any decryption keys - and there is no way I am giving them to police or other powers. Also telling me to keep the request for the key secret is also going to fall on deaf ears.

    The story says they didn't expect encryption to become so popular, maybe because we are reacting to the rest of the war on privacy.

    The law in the UK is increasingly becoming irrelevant, there are so many new laws that people cannot help be guilty of something now mainly since they don't know all the laws.

    It's going to be pushed too far and the people will react. Here's hoping anyway.

  42. Anonymous Coward

    What about....

    Being tied down by the official secrets act?

    Surely these two acts are in conflict?

    One says to reveal the information, the other says you won't!

  43. Gavin Jamie

    Can they make you lie? - Armchair lawyers please

    If I was served a section 49 notice and someone asked me "Have you been served a section 49 notice?" what do I say?

    Do I pretend to have gone deaf?

    Do I say "Unfortunately under the terms of the RIP act I am prohibited from answering that question." - which would give the game away somewhat?

    Or must I lie and say "No"?

    If either of the first two there is some potential for a security protocol which asks the question before going further.

    I haven't been served a notice by the way - or they may have already got to me.

  44. Anonymous Coward

    I'm off ...

    ... to Afghanistan. Bring back the fatwahs and daft edicts - they make more sense and uphold more civil and personal rights than our Western dictatorships ... erm ... conformist police states ... erm ... democratically elected governments.

  45. Rick Berry

    How about this password

    What about changing your password to the phrase "F*ck off I forgot my password"

  46. Alex Hawdon

    It's just random data

    Seeing as decent encryption is supposed to make encrypted data indistinguishable from random noise, what happens if one claims that the DVD full of encrypted goodies is actually just a one-time encryption pad they made for an exercise?

    I could see that argument going on all day

    "No it's not."

    "Yes, it is."

    "No, it's not."

    "Yes it is."

    ...

  47. Cameron Colley

    Re: multipart keys.

    <quote>

    What happens when data is encrypted with multi-part keys and the other keyholders are outside jurisdictional reach?

    </quote>

    Simple, rendition to interrogation. Or, to expand, they simply have someone grab the other person and torture them until they give up the key -- or just ship you both off to South America.

  48. Steve

    Password split - easy and simple

    Folks, there is a solution. Someone mentioned multipart keys above. I don’t know if that poster meant it in the way I see password-split working, which I think is a great idea.

    Split the decryption password into multiple parts and give the separate parts to two or more people, each holds their part in confidence. Come the inevitable court order/summons/threat of custodial sentence, all each person need do is say the part of the password they relinquished was correct – one of these would be fibbing of course (perhaps all of them – who would know?). Not only can the data not be decrypted, it cannot be proven that anyone was withholding information. Mens Rea, let alone lawful infringement, cannot be demonstrated; hence all the prosecution cases must fail.

  49. Andy

    @"random data", "I forgot" etc.

    We don't believe you. You're nicked.

  50. Ted Treen

    @Alain Williams

    "...completely stupid - it puts us good guys at risk and does little to deter the bad guys."

    Alain, I think you've just described 99.99999% of NuLabour's policies, deeds & legislation.

  51. Anonymous Coward

    Let's lock up the government

    Ok,

    so next time the Chief of the Gestapo (sorry, UK Police) or a member of the current ruling Nazi party (sorry Labour) leaves a laptop in his car, can we have them locked up? Because:

    a) They have information about crimes that will be encrypted for security purposes

    or more likely

    b) Don't have them encrypted because they are too f**king stupid to use a computer.

  52. Anonymous Coward

    Taking this to its conclusion...

    "Anyone who refuses to decrypt material could face five years in jail if the investigation relates to terrorism or national security, or up to two years in jail in other cases."

    So, presuming they nick you randomly and you have files you can't afford them to see (say, an exposee on how they're nicking random people), we have the following:

    -Innocent of normal crimes. Two years.

    -Innocent of terrorism. Five years.

    Eh?

    It's kind of like how children are classified differently than adults in criminal proceedings because they don't have the capability to reason or understand the repercussions of their actions - unless they do something *particularly* bad, in which case obviously it's fine to treat them like adults.

    Sigh.

  53. Anonymous Coward

    Oh, one more thing...

    While I'm as riled as the next guy about infringement on civil liberties, could we all please, please, for god's sake stop making '1984' references! To those who agree it's either obvious or a wretched cliche (zomg teh I98A iz teh r43l!%@%55wtf); to those who don't it's seen as paranoia, which is unlikely to sway them.

    Godwin needs to move over - A plea to everyone: Don't Orwell the thread!

  54. Jacob Reid

    Truecrypt FTW

    Encrypted volume containing a second, hidden encrypted volume. Place decoy files in the first layer, give out encryption key when the .gov take you over to Guantanamo, your real data is safe.

  55. Anonymous Coward

    This is because the Police are too busy.

    A foolish friend of mine (yes really a friend, not me) got collared by the police for taking dubious photos of women (I think) in a public place. He spent some time being interviewed and spent a weekend in a cell. The police took all his cameras and his laptop and desktop PC (they omitted an external drive for some odd reason). After a year or so they dropped the case as they had insufficient resources to analyse his data - I don't think it was encrypted and he admitted painfully to me that he had a fair bit of porn - not sure if adult or child. He got all his hardware back untouched.

    He is/was a user of porn, not a distributor or supporter of it - probably like most people he had/has a weakness rather than a desire to be bad or support an industry which has its bad sides.

    I suspect this law is for use when required rather than for most of us, but at the same time I think this is the sort of thing which drives some people to hate 'the state' more and become terrorists.

  56. Anonymous Coward

    That's why we hold part crypto masterkeys in Switzerland..

    The problem isn't so much with the request for disclosure, it's how well Mr Plod protects your data once it's in the clear. And the answer is sufficiently vague to cause serious worry if you're, for instance, a private banker who has a client who the services take an interest in. Unless you have very carefully partitioned your data (and most haven't, from my experience) you end up with disclosure problems, and nobody to blame but yourself.

    It's very easy to trigger a bit of plod assistance for industrial espionage that way (which, incidentally, raises questions about those FAST audits as well, but I digress).

    My advice is NOT to host any data in the UK if you can possibly help it.

    If you do, partition it and if you have a crypto masterkey (usually essential for reasons of disaster recovery), ensure that at least 2 parts of that masterkey are held outside UK, US and EU jurisdiction so none of the anti-terrorist abuses of legal privilege will open the backdoor without substantial extra effort via Interpol and the like.

    We already hold such part keys for clients for years as this is far from a new development - it had been coming for quite a while.

  57. Slaine

    Go To Jail, go directly to Jail

    ...ah... but where are all these jail cells?

    F***ing A55H0L35.

    Do not pass go, get free B&B for a few days... be back on the streets by the end of the week.

    Pass a stupid Law, be incapable of enforcing it. It's the NuBritish Way.

  58. Slaine

    reverse psychopathy

    ...better still.

    Don't encrypt the data and claim that all the dubious material is actually a strange co-incidental effect of your data security system. When asked for the key inform the officer to go F*** him/herself and in 5 years time sue for wrongful arrest.

  59. Mycho

    Wait a minute!

    "...render the requested material intelligible by authorities."

    So does this mean I may have to make this pdf on colour cooccurrence histograms so that PC Plod can understand what the hell it is on about?

    I've spent most of this afternoon trying to work that out myself without having to explain it to a government employee!

  60. Celtic Ferret

    To summarize:

    1) Use Truecrypt to make multiple levels of encrypted drives WITHIN encrypted drives, that are invisible unless you attempt to open them with the right password. http://www.truecrypt.org/docs/plausible-deniability.php

    2) As encryption is supposed to make encrypted data indistinguishable from random noise, claim that the media full of encrypted goodies is actually just a one-time encryption pad made for an exercise. Argument mode engage:

    Monty Python Sketch - The Argument http://www.infidels.org/library/modern/mathew/sn-python.html

    3) Encrypt the data with multi-part keys with the other key holders outside of jurisdictional reach... and these key holders are children. (Children are classified differently than adults in criminal proceedings because they don't have the capability to reason or understand the repercussions of their actions.)

    4) Use AACS / DeCSS to encrypt the keys, dragging the DMCA into the mire...

    For extra credit/fun: (Convict someone for non-possession of something!)

    Construct an email from an IP-spoofed public access point to someone you wish to accuse of witchcraft, encrypt it, imply that the encrypted part contains state secrets and/or a terrorist plot. Then, construct a reply. Report said persons to the police. They will then demand the keys from the implicated people, but neither party will have access to the encrypted data since neither has ever had the key, however, they will still be guilty under the law for failing to disclose something that they never had, but cannot prove it. (Sink=Drown, Float=Burn-at-stake)

    ---

    "Thank you for self-identifying yourself and those around you as Freedom Suspects. Rest assured, we are now forwarding your IP information and shoe size profile to a team of black hat pros at HQ. The 414s say hi."

  61. Graham Dresch

    They've got this act back to front

    The purpose of this act should be to Regulate: ie. Control and Restrict investigatory powers, not to give blanket permissions to demand encryption keys ( or anything else ).

    welcome to Tony and Gordon's Totalitarian State of Great Britain where 1984 is a Labour Party Policy Document

  62. Anonymous Coward

    TrueCrypt thwarts RIPA III

    The UK government is going to deprive honest and law-abiding citizens of their liberties while criminals can carry on their businesses as usual, with just a little software upgrade.

    Free software like TrueCrypt <http://www.truecrypt.org/> can conceal encrypted material in a way that prevents its detection.

    In case the Police forces you to reveal your password, TrueCrypt provides and supports two kinds of "plausible deniability":

    1. Hidden volumes. The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

    2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.

    FreeOTFE <http://www.freeotfe.org/> also offers similar features.

    Off-the-Record (OTR) <http://www.cypherpunks.ca/otr/> Messaging, offers true deniability for instant messaging.

  63. Paul

    my terrorist data is encrypted using....

    the xbox 360's game encryption key, so, please UK police, go and arrest Bill Gates and make him surrender the encryption keys!!!

  64. Anonymous Coward

    TrueCrypt's "aleatory" defence against RIPA

    TrueCrypt provides an "aleatory" defence against RIPA, and, indeed, against any similar legislation. This defence works because TrueCrypt makes encrypted material indistinguishable from pseudo-random data. And before the authorities can insist that you hand over an encryption key, they would first be obliged to prove to the satisfaction of a court that you were in possession of encrypted material. Depending on how TrueCrypt is set up it might be obvious that you have some pseudo-random data in an atypical location on your computer, and you might well be asked how it got there. Now, there are many computer processes that produce pseudo-random data, and you are not obliged by the legislation to account for the origins of every file on your computer that contains such data; given the tens of thousands of files on the average PC this would be an impossible task. However, TrueCrypt can also provide you with an excellent and highly plausible reason as to why you possess such a file of pseudo-random data irrespective of where it is found.
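
Added example, not part of any comment above: a forensic-triage view of the claim in comments 62 and 64 that encrypted data cannot be told apart from random data by its byte statistics. The SHA-256 counter keystream is a stand-in cipher so the block runs on the Python standard library alone; the sample text, buffer size and thresholds are constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter

SIZE = 64 * 1024  # bytes per constructed sample


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum for byte data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 d.o.f.).

    Uniform data scores close to 255; structured data scores far higher.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def stand_in_cipher(key: bytes, plaintext: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (stand-in for a real cipher)."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(p ^ k for p, k in zip(plaintext[offset:offset + 32], pad))
    return bytes(out)


def build_samples() -> dict:
    """Three constructed buffers: readable text, its ciphertext, OS randomness."""
    text = (b"Constructed sample text: quarterly figures, holiday notes "
            b"and a recipe for lemon pie. ")
    plaintext = (text * (SIZE // len(text) + 1))[:SIZE]
    return {
        "plaintext": plaintext,
        "ciphertext": stand_in_cipher(os.urandom(32), plaintext),
        "random": os.urandom(SIZE),
    }


def verdict(data: bytes) -> str:
    """All a byte-statistics test can report about a buffer."""
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "uniform: random or encrypted, the test cannot say which"
    return "structured"


def triage() -> dict:
    """Score every sample and return name -> (entropy, chi-square, verdict)."""
    return {
        name: (round(shannon_entropy(buf), 3), round(chi_square(buf), 1), verdict(buf))
        for name, buf in build_samples().items()
    }


if __name__ == "__main__":
    for name, (entropy, chi, label) in triage().items():
        print(f"{name:10s} entropy={entropy:<6} chi2={chi:<10} {label}")
```

The statistics separate readable text from everything else, but the ciphertext and the random buffer receive the same verdict, so attributing a high-entropy file to encryption needs other evidence such as headers, installed software or file-system context.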

  65. Anonymous Coward

    Off-the-Record Messaging & RIPA III

    Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR provides perfect forward secrecy and deniable encryption.

    1. Perfect forward secrecy: Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie-Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.

    2. Deniable authentication: Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, assuring that it is impossible to prove that a specific message came from a specific person.
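The deniable-authentication property described in the comment above, as an added example that is not part of the original post and is not OTR's own code. It is a simplified model: the `Party` class, the `sender:text` message format and the key-derivation label are assumptions, and a random value stands in for the Diffie-Hellman result.

```python
import hashlib
import hmac
import secrets


def derive_mac_key(shared_secret: bytes) -> bytes:
    """Both ends derive the same MAC key from the negotiated secret."""
    return hashlib.sha256(b"mac" + shared_secret).digest()


def tag(mac_key: bytes, sender: str, text: str) -> bytes:
    """Symmetric authenticator: anyone holding mac_key can compute it."""
    return hmac.new(mac_key, f"{sender}:{text}".encode(), hashlib.sha256).digest()


def verify(mac_key: bytes, sender: str, text: str, t: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, sender, text), t)


class Party:
    """Hypothetical chat endpoint holding only the shared MAC key."""

    def __init__(self, name: str, shared_secret: bytes):
        self.name = name
        self.mac_key = derive_mac_key(shared_secret)

    def send(self, text: str):
        return (self.name, text, tag(self.mac_key, self.name, text))

    def accept(self, msg) -> bool:
        sender, text, t = msg
        # During the live conversation the receiver is convinced: only two
        # parties hold the key, and the receiver knows it did not write this.
        return sender != self.name and verify(self.mac_key, sender, text, t)


def run_demo():
    secret = secrets.token_bytes(32)  # stands in for the DH shared secret
    alice, bob = Party("alice", secret), Party("bob", secret)

    genuine = alice.send("meet at noon")
    live_ok = bob.accept(genuine)

    # Bob holds the same key, so he can produce a valid tag on text
    # that Alice never wrote.
    forged_by_bob = ("alice", "constructed text A",
                     tag(bob.mac_key, "alice", "constructed text A"))

    # Once the MAC key is no longer secret, an outsider can do the same.
    revealed_key = alice.mac_key
    forged_by_outsider = ("alice", "constructed text B",
                          tag(revealed_key, "alice", "constructed text B"))

    # A third party checking the transcript afterwards sees three equally
    # valid tags and cannot tell which message Alice really sent.
    transcript = (genuine, forged_by_bob, forged_by_outsider)
    judge_view = [verify(revealed_key, *m) for m in transcript]
    return live_ok, judge_view


if __name__ == "__main__":
    print(run_demo())
```

A digital signature would behave differently: only the holder of the private key could produce it, so a saved transcript would bind the message to its author.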

  66. A Non

    DriveCrypt Plus Pack and "plausible deniability"?

    I believe it may also be possible to use DriveCrypt Plus Pack to achieve "plausible deniability".

    DCPP is supposed to enable the user to hide an entire operating system inside the free disk space of another operating system. Two passwords are required: One password is for the visible operating system, the other for the invisible one. The first "fake" password grants access to a pre-configured operating system (outer OS), while the other grants access to the real working operating system. This functionality is extremely useful if the user fears that someone may force them to provide the DCPP password; in this case, the user simply gives away the first (fake) password so that the snoop will be able to boot into the system, but only see the prepared information that they wish them to find. The attacker will not be able to see any confidential and personal data and he will also not be able to understand that the machine is storing one more hidden operating system. On the other hand, if the user enters the private password (for the invisible disk), the system will boot a different operating system (the working system) giving the user the access to all the confidential data.

    The creation of a hidden operating system is not obligatory and as such, it is not possible for anyone who does not have the hidden OS password to know or find out, if a hidden operating system exists or not.

  67. Anonymous Coward

    this rule won't apply at all...

    "there's no practical difference between the police demanding you unlock your door when they have a warrant and demanding you unlock your files when they have a warrant."

    FALSE!

    If there is a search warrant, no one can force you to open the door. If you refuse to open it - which is your right by law - the police can use force to open it.

    The same applies when they ask for the keys to your desk. You don't have to supply them.

    It happened to me once: I did full disk encryption on a laptop. I did not restart for more than one month, and when I restarted I did not remember the key at all.

    Do you think they'll be able to put me in jail?

    What happens when ten more people have also forgotten? What happens when a thousand?

    It kills the meaning of justice; that's simply why it won't apply.

  68. Claire Rand

    image files

    soooo let me get this right.

    say I have a png file of ooo say one of my cats.

    plod gets hold of this and decides there must be something hidden within it, and demands the key to unlock this hidden data.

    do they have to prove there is something there? or do I have to prove there isn't?

    if they have to prove the information is there this is not as bad as it could be.

    of course the idea of having a steganographed image, with two sets of data there, easy to provide the key to one, and deny the other is there.

    I think when RIPA was revealed there was a million and one ways round it thought of at the time.

    the hard part is when you do have encrypted data, and hand over the key but it wasn't what plod was looking for. now try and prove there is no more information.

    I dare say the courts will have a field day with this, and as usual the people they would really love to catch won't be and everyone else gets hassle for it.

    especially with the size of hard drives now, how hard would it be to have a file system that can 'use' unused space somehow?

    also my old linux system could encrypt drive volumes, based on hardware id combos, pull the HDD out and it won't work in another machine, I never *saw* the key so how could I hand it over?

  69. Anonymous Coward

    "plausible deniability"

    The problem is that if you are using Truecrypt and you DON'T have a second hidden volume you get 5 years for not providing the keys to the 2nd volume.

    Remember they don't have to prove it is encrypted; you have to prove that it isn't.

    We asked the computer crimes office at a conference how we were to prove that CCD bias frames (which are random noise) aren't an encrypted message - the answer: the law is only against terrorists so you don't have to worry.

  70. Luther Blissett

    Naivety

    Anyone who thinks Truecrypt stands a cat in hell's chance is being naive. You don't really think the first thing Plod's boffin is going to do is mount the disk on an operating system like NTFS? Ha ha. Same goes for most of the other suggestions. Once they find out something's there it's just a matter of water-boarding towards the key.

    The only way to hide something bad is in full public view. And use steganography. Of course, if you are really clever (and brave) you will also Truecrypt - as a decoy.

  71. Steve Browne

    Those who have nothing to hide ..

    have definitely got something to fear now !

    I think it is cool that amnesia is now illegal in the aftermath of Bliar's Britain.

    I really LOVE the bit about making things intelligible for the plod, fancy that. They can't even understand what they write themselves, they just want to look good in the press. Now that DNA evidence has been shown to be inconclusive and that finger print evidence has been similarly outed, they are just looking for a technology they may be able to use if they get someone clever enough to show them how. (I am presuming that anyone using encryption has some idea of what they are doing).

    Wonder what they will do when faced with a full schematic of a processor. What happens with several people working on different parts of a project, and you can't call anyone else to explain the bit they were working on, because you might expose the fact that you have a S49 notice.

    Do you really think that someone with the IT skills to deal (even cope) with encryption and key management is working for the plod handing out parking tickets for twenty whatever thousand a year ?

    So, more likely, they won't have a clue as to whether they are looking at a new, freshly installed and unformatted disk or the nefarious secrets of yet another ne'er do well. I mean, they can't even catch people when they know where they are !

    Still, Truecrypt works fine, I tried it out on a spare disk, on a spare machine, which doubles as a test bed for whatever else I might get interested in. It is such a faff remembering the pass phrase, then again, I have nothing to fear because I hid everything !

    Oh, BTW, at a recent file count (from a virus scan), I had close to 2,500,000 files on my PC. I haven't a clue as to where they originated, they appear out of the ether every few Tuesdays.

    Don't you just want to hark back to the days when ignorance was bliss ?

  72. Pat

    terrorists/criminals might want to use obvious encryption

    It's unlikely that all terrorists and criminals are stupid, so they might use this legislation:

    a - to check if recipient is being monitored

    Send a harmless encrypted message with a suspicious subject/comment to see if recipient gets a police visit. Recipient 'remembers' and gives them key when bored, media attention arranged and lawyer & civil suit ready.

    (racial discrimination compensation = terrorist funding?).

    b - to check if foreign sender is being filtered.

    Foreign sender sends an encrypted message with a suspicious subject/comment to some likely idiot so your UK contacts will know if he gets picked up.

    (maybe pick a member of a rival group or gang?)

    c - to get some media attention.

    Send encrypted mail with suspicious subject to 1000+ UK email addresses.

    (also increases number of suspects to help hide your guys.)

    d - Get someone picked up and out of the way so your guy can gain access to <name your own sensitive job or data>.

    Etc.

  73. Anonymous Coward

    Ah, the land of the free .......

    Only it isn't really. And here we have yet another erosion of our notional freedoms.

    In the 21st Century every man woman and child in this fantasy island has become a "terrorist" suspect. Even 84 year old gentlemen who protest vocally at government rallies. And that entitles every agency in the land to demand you to drop your privacy.

    The notion, and that is all that it is these days, of being Innocent until proven Guilty is all but eradicated.

    This is all a blind alley for our elite rulers and their agents - once the masses begin to accept that we are all wicked nasty people we will more and more begin to behave like it. Psychological experiments years ago have proven the effect. We are already seeing the effect of mass criminalisation of the general public on the roads. Now that same trend is creeping into our very homes and all aspects of our lives.

    The civil backlash, when it happens, won't be pleasant.

  74. David Haworth

    Use the law against itself

    If you receive a Section 49 order, encrypt it (or rather, the fact that you have received it) immediately. Then, by the very same law, you may only give your encryption keys to your lawyer.

    :-)

  75. Anonymous Coward

    Use the law against itself

    As a corollary to what David said, if you want encryption that flaunts this law:

    1. Fish for a Section 49 order - i.e. get an email sent to yourself with subject "How to build a chemical bomb and destroy London terror attack terrorism porn bomb al-quaeda bomb (for good measure)" and attach a strong-encrypted text file saying "Congratulations you idiots" repeated 1 million times.

    2. Encrypt whatever you want, and claim that it's the communication to your lawyer about the Section 49 order (therefore you cannot disclose the key to anybody else).

    3. Tell them the key to the bait message

    4. Call the press

  76. Anonymous Coward

    PGP

    You are a touch knackered if you were using PGP and the Old Bill have already got your Hard Drives - I suppose the best you can do is say you forgot and take the 2 years.

    Until all the cells are full

  77. Anonymous Coward

    Bye bye "innocent until proven guilty"

    The whole law is yet another farcical attempt to overturn the very basis of law.

    Has anyone noticed that FAST/BSA, the RIAA and now this approach share one common feature? All of a sudden you have to prove your innocence instead of your guilt being proven beyond reasonable doubt.

    I can see that any intelligent terrorist will probably use encryption, but to use that as a basis to open up the whole nation to the threat of industrial espionage and hacking or be thrown into jail for being human (hands up who's never forgotten a password) is ridiculous. I guess it serves to keep up the fear factor: now you don't just have to worry about creative chemistry from any random idiot with a life expectancy problem, you now also have to worry about your own government even if you're not a Brazilian in the wrong place at the wrong time. I guess at least you get to live longer, and since the people who caused the prison shortage cannot be locked up (because there's a prison shortage) you won't have to worry about being locked up either.

    Just to take this into the extreme, with the nice UK/US collaboration you may end up on a flight that doesn't exist to a place that only exists outside any legal system. Not a bad way to go for forgetting a password, no? I think you may want to reconsider getting a tan from now on..

    The moment ANY government says "trust me" I know it's time to start worrying.

  78. Jon Tocker

    Government insanity

    I suppose it's only a matter of time before the Labour/National/NZ First government of this country follows suit and brings in a similar law, whereupon I'm going to need a lot more disk space so I can encrypt every data file on my hard drive and steganographically embed most of them in various pictures.

    Also switch to 16-char quadruple complexity quasirandom password for login (looks random unless you know what it's based on - you have to supply the passwords/encryption keys, it doesn't say you have to tell them what song/poem acts as a mnemonic for said password/key...)

    Let them have hours of fun decrypting gigs of totally innocuous crap looking for hidden messages - like the random blocks of "Fuck the spooks, fuck the government" embedded in the middle of large, randomly chosen, files.

    They could have a nice treasure hunt - armed with a dozen keys and my lengthy login password, they can go hunting to discover which pictures/mp3s/videos contain the master lists that list the other keys and the files they apply to...

    Bugger 'em.

    When they remove "innocent until proven guilty", it becomes the moral obligation of every citizen to make it difficult for them.

    Everyone currently in the USA and the UK is welcome to use the following as part of their email signature:

    "Bomb, Jihad, White House, Downing Street, Death to Infidels. Bomb"

  79. Steve

    Another solution....

    Really good encryption programs deliberately insert ‘redundant’ random data to help protect against brute force cracking e.g. add 1 random character every 11 – so who is to say that, once the intended message is decrypted, the additional random data (assuming there is no signature) is actually random…..?

  80. Morely Dotes

    PC Plod demands an explanation!

    "Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible by authorities."

    So Dr. Hawking will be banged up almost immediately, then. Shame.

  81. Paul

    Oh but it's only to catch terrorists....

    "The government will make use of these powers only insofar as they are essential for carrying out vitally necessary measures" - Adolf Hitler

  82. John A Blackley

    So what then?

    Ah, the predictable haul of "police state", "stupid NuLab", etc. drivel.

    So, let's say - for the sake of argument - that some of the heroes who posted here are resident in that sceptred isle and let's say that, as a resident of that sceptred isle you have a vested interest in reducing crime there. (I guess that lets out all the shruggers and "not my job"ers so perhaps we're down to one or two people here).

    If you (both) have a vested interest in reducing crime and if you acknowledge that encryption of electronic data has been used in the furtherance of crime, what would you propose to help the forces of law and order combat the use of encryption in the furtherance of a crime? (And no, mumbling about police states, George Orwell and NuLab thought police doesn't count.)

  83. Anonymous Coward

    Title

    When your government no longer serves you...KILL IT!

  84. John PM Chappell
    IT Angle

    Aye, but what's the IT angle?

    ;¬)

    More seriously, been waiting for this. I now intend to work hard on showing it up to be ridiculous and probably illegal (in that it conflicts with other legislation with a higher priority).

    Needless to say I shall not be handing over any keys, my laptop is multiply password protected and there are encrypted files on my drives.

    Luther - TrueCrypt will work just fine, if you don't understand the subject don't try and venture 'expert' opinions on it. There are detailed technical explanations of how and why on their website and in their manual.

  85. John PM Chappell

    Mr Blackley

    I propose restricting food to those who can prove they have not committed crimes, as it has been frequently "used in the furtherance of a crime" by keeping these worthless criminals alive.

    Or you could get your head out of your excretive orifice and wise up a little to reality and clear thinking.

  86. Anonymous Coward
    Dead Vulture

    Yay. More civil liberties gone to the dogs!

    This should be outlawed by the UN. Innocent until proven guilty my ass!

    Here's one for ya. How's about putting gauss coils in hard disks? Pull 'em to bits or get the password wrong (just once) and poof! Dead drives'r'us. (i.e., superheat platters at same time)

    Time to leave this Orwellian country asap.

  87. Larry Pendarvis
    Jobs Horns

    Create TWO ways to decrypt

    What if there were a way to use TWO keys to encrypt TWO clear-texts to one encrypted output? So that if you give the bobbies one of the Decryption keys it decrypts to, say, Animal Farm, but if you use the other key you get the map to the WMD cache?

    Well, I can do that!

    Say the cleartext is A, and it is encrypted to B using key K. (A and K don't matter though.)

    Now, B looks like unintelligible garbage. So you "XOR" B with C (the text of Animal Farm, say) to get D, which will likewise look like garbage... or like a Key!

    When the jackboots ask for the Decrypt Key for B, give them D, which when XOR'd with B will give C (trust me on this, it's what I use for EZCrypt), which remember is the cleartext of "Animal Farm" or whatever red herring you wanted them to find.

    Also see my sites:

    http://signalsite.org/

    http://ezcrypt.com/
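The XOR construction in the comment above, worked through as an added example (not the poster's EZCrypt code). It shows what the scheme implies for anyone assessing a disclosed key: a "key" can be derived for any same-length text, and that key is as long as the ciphertext rather than the size of a cipher key. The toy stream cipher, the sample texts and `examiner_flags` are assumptions made for the illustration.

```python
import hashlib

# Constructed sample inputs for the demonstration.
SAMPLE_K = hashlib.sha256(b"constructed key").digest()          # 32 bytes
SAMPLE_A = b"constructed sample plaintext for the demo only"    # 46 bytes


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, data: bytes) -> bytes:
    """A -> B with key K (the same call decrypts, as for any XOR stream)."""
    return xor(data, keystream(key, len(data)))


def decoy_key(b: bytes, c: bytes) -> bytes:
    """D = B xor C. C is truncated or space-padded to the length of B."""
    c = c[:len(b)].ljust(len(b), b" ")
    return xor(b, c)


def examiner_flags(key: bytes, ciphertext: bytes,
                   cipher_key_sizes=(16, 24, 32)) -> list:
    """Checks a reviewer can apply to a disclosed key (assumed AES sizes)."""
    flags = []
    if len(key) not in cipher_key_sizes:
        flags.append("length is not a standard cipher key size")
    if len(key) == len(ciphertext):
        flags.append("pad-length key: fits any plaintext of this length")
    return flags


def demo() -> dict:
    b = encrypt(SAMPLE_K, SAMPLE_A)
    d = decoy_key(b, b"All animals are equal")
    d2 = decoy_key(b, b"Four legs good, two legs bad")
    return {
        "ciphertext": b,
        "real": encrypt(SAMPLE_K, b),   # K recovers A
        "decoy_key": d,
        "decoy": xor(b, d),             # D "recovers" C
        "other": xor(b, d2),            # a different D gives a different C
    }


if __name__ == "__main__":
    r = demo()
    print(r["real"], r["decoy"], r["other"], sep="\n")
    print(examiner_flags(SAMPLE_K, r["ciphertext"]))
    print(examiner_flags(r["decoy_key"], r["ciphertext"]))
```

Because every candidate text has a matching pad, a pad-length XOR key says nothing about what the ciphertext contains, which is the one-time-pad property the comment relies on.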

  88. Anonymous Coward

    @ John A Blackley

    I'm going to take the bait, despite the fact you are probably just a troll, or a policeman (which are starting to become the same thing).

    For the record - I have a bachelor's and a master's degree in law, just finishing a PhD in - guess what? - law. I teach Constitutional and Administrative law, jurisprudence, and criminal law. Thus, I know what I am talking about, and can prove that you don't!

    There is a world of difference between law and justice - it is justice that matters, not law. Justice requires rules to *protect* the innocent (do you recognise that last word in there? It means "someone who has not provably done anything wrong"). Hundreds of years of legal history had got us in "this sceptred isle" to the point where it was accepted that the burden of proof is on the prosecutor to prove "beyond reasonable doubt" (i.e. a very high standard of proof) that a person has done something wrong, from the starting point that the assumption is that the person has done absolutely nothing wrong. BIG hurdle. Yes, some people who actually had done the thing they were accused of may have got away with it, but that is the price of freedom. I said "had got to the point", because the latter quarter of the 20th Century, and the first decade of the 21st have taken us to a point that Richard III would have been shocked to see. The law that we are discussing here is a complete reversal of the basic rule of protection of the innocent - you can be imprisoned for NOT having done anything wrong! This makes it a bad law, because it does not fulfil its basic purpose, which is to guide behaviour (see, for instance Lon Fuller, "The Morality of Law" (1964), or Bentham - both come to the same point).

    I do not have a vested interest in reducing crime per se - I have a vested interest in creating a society in which justice (in all senses) is supreme, and in which, as a result, crime is reduced because people feel trusted and secure. That does not make me a "shrugger", but I do feel it is someone else's job *as well as mine* to change the system, because it cannot be done alone. It is difficult for people with the mentality of a Daily Mail/Express reader to comprehend, but there are worse things than being the victim of a criminal - such as being a victim of a corrupt government. You are infinitely more likely to be the victim of some unworkable law that Kafka could not have conceived of than to be the victim of a terrorist. When China starts to look like a good place to live because of its stand on civil liberties, it is time to change the governmental system in which you live.

  89. J

    Great...

    Now they will ban the use/download/possession of TrueCrypt or whatever... And say that if you do have this wretched piece of software, you get 10 years in the slammer. But only 2-5 if you have encrypted data but won't tell the key. :O)

    "but that is the price of freedom"

    Pearls to pigs there, mate. People with that troll's mentality only accept any "price of freedom" when it refers to spending billions to kill people in some place they can not locate on a world map. Anything else is "communism" or something. And the trolls never have anything to hide either, of course.

  90. Maty

    I cannot say ...

    that I have received a section 49 order. But if you had asked me yesterday, the answer would have been 'no'.

    Given that Brits have a built-in genius in reading the sub-context in any conversation, you can easily 'tell' something without doing so.

    Incidentally, I am writing this while looking thoughtfully at a 1GB SD card. You can put a heck of a lot of illegal stuff on that. Given that it's about twice the size of a thumbnail it's easy enough to hide. Hell, stick it in a lump of beef and give it to the dog when the police come calling. Even if they find it, THEN you can discuss encryption.

    Or, how about a wireless connection to an NDAS drive hidden in the attic? Or ...

    Actually, this law is so impractical, that there is hardly any point to it. But add it to the removal of the right to remain silent, the DNA/fingerprint database, the monitoring of our telephone and internet communications, the surveillance of our bank records, the surveillance cameras on every streetcorner, the power to detain people indefinitely without charge ...

    and suddenly 'protecting our children' becomes very important indeed. But the British people need to think very hard what the next generation needs protection from.

  91. Anonymous Coward

    Remember "The Prisoner" ?

    Substitute "the reason for your resignation" for "your encryption key".

    Number 6, just tell us your encryption key and you'll be free to go. Why make it difficult for yourself?

    I am not a number ... etc etc

  92. Chris Bradshaw

    solution

    Encrypt files of interest using a public / private key method. Then you can say with impunity 'That's something I encrypted with someone else's public key, to send to them, and I don't have an unencrypted copy. You will need their private key to decrypt it, which I don't have... :-P ' They will have a hard time proving that the public key is yours (publish it on the web somewhere), unless you have a copy of the corresponding private key somewhere (which anyway would be a problem)
