Two convicted for refusal to decrypt data

Two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. The government said today it does not know their fate. The power to force people to unscramble their data was granted to …

COMMENTS

  1. Simon Neill
    FAIL

    It's so wrong...

    Hand over the encryption key to your data or we give you 2 years in prison!

    hrm, let's see... 2 years in prison or decrypt my child porn and spend a lifetime on the sex offenders register etc...let me think......

  2. Patrick O'Reilly
    Coat

    Stench of desperation.

    I think it serves as good proof that the "powers that be" still can't crack AES 256. And that the encryption products currently out there really scare them.

    Mine's the one with the hardware encrypted USB key from Currys in the pocket.

  3. Anonymous Coward
    Anonymous Coward

    Pure Kafka....

    Damned if you do, damned if you don't. The surveillance state now in full swing and Rasputin himself now sitting unelected in No10...

  4. Scary

    Forgotten password

    I'd love to tell the authorities the password for my encrypted data, but it's suddenly completely slipped my mind...

  5. Michael C
    Stop

    destroying or obfuscating evidence

    You might have a knee-jerk reaction and say "why should the law be able to tell me to decrypt anything I have?" but in reality, when it comes to a warrant issued to collect specific evidence, your actions to prevent that collection are in fact criminal, and always have been; the law passed in 2007 is simply a clarification ensuring there would be no confusion in the matter. Since the history of warrants, you've been required to hand over keys to locks, passwords to systems, and remove any other obstacle preventing officers from exercising the warrant. Why should encryption be any different?

    If a court demands you produce financial records, and you hide that information or destroy it, when the court is aware already of its existence, you're typically imprisoned until either you produce it, or you're imprisoned up to a length of time equal to the maximum punishment for the specific crime you're charged with plus an additional time for continued contempt of court. People have been imprisoned for decades for their refusal to supply properly requested data central to a case against an individual.

    This law does NOT give the courts permission to simply make you unencrypt your information on simple request, you or your company actually needs to be charged with a specific crime that would necessitate the collection of certain data or documents you'd be expected to have. Then the warrant is issued for the collection of JUST THAT. Should they inadvertently discover child porn on your PC while looking for bank fraud records, they're bound by law to ignore that, and charges against you for having those files would in fact be against the law (at least here in the US it is). Now, a loophole is such that anything discovered in "plain sight" can be noted, and during the search an additional warrant could be issued to further investigate the "evidence of an additional crime," however, the initial warrant to search FOR data within your encrypted files does not give them permission to search ALL your files, only to collect specific data associated with the case against you (or someone else), and any other evidence would in fact have to be "in plain view" and discovered under the normal course of the search for targeted evidence.

  6. Anonymous Coward
    Grenade

    To be safe...

    Make sure you not only encrypt your data, but obfuscate it as well. Would you get less of a sentence for just plain destroying data?

  7. This post has been deleted by its author

  8. Filippo Silver badge

    Forgot!

    What if one forgets (or claims to forget) his password? This happened to lots and lots of people, and it still happens on a regular basis. Can you be jailed for a memory lapse now?

  9. Stef 4
    Pint

    CSI

    I've seen 70% of the episodes of all 3 flavours of CSI, and I know that any encryption can be cracked in a matter of minutes. And in the case of NCIS it often helps to have 2 people typing on the same keyboard.

    Where is 24's Chloe O'Brien when you need her?

  10. Anonymous Coward
    Thumb Down

    Ignorance no defence then...

    Sorry M'lad I have forgotten the password...

  11. DrStrangeLug
    Thumb Up

    Use an image key

    Easy, make an image key. Require them to scan an image of a prime ministerial pardon absolving you of all crimes committed.

    Make sure your "key" includes the signature of the current prime minister.

  12. Michael C

    @Simon Neill

    People have been imprisoned for 10 years and longer for contempt of court, and those were for CIVIL cases, where general imprisonment is not usually on the table. The longest case was 14 years for a man who refused to hand over a divorce settlement to his ex-wife.

    I can't find a link for the longest criminal contempt imprisonment, I understand it's longer. Typical contempt imprisonment is coercive, and so long as you refuse to comply, being brought into the court consecutively after each sentence to see if you will in fact comply with the court order, you can again be sentenced successively. A typical contempt sentence is up to 18 months for a single act, but continued failure to comply results in additional 18 month or longer sentences, and in most states, they'll give you 2 sentences of civil contempt (even in a criminal case) and after that they become criminal contempt charges (even in a civil case) and the sentences can be more severe, up to the maximum sentence of the crime you're charged with.

  13. ed2020

    Two words...

    1. TrueCrypt.

    2. Steganography.

    Problem solved.

  14. dunncha
    Happy

    The Scooby Doo Ending

    You would need to be pretty sure they are going to nail you to the wall to risk getting locked up for not handing the keys over...

    I'll bet the Scooby Gang could get the keys ............................................and I would have got away with it if it wasn't for you meddling kids.

  15. Stevie

    Bah!

    Difficult to see how to fix this one. On the one hand I want anyone planning the next WTC atrocity caught before people are jumping to their deaths rather than burn, on the other I have no doubt such things will be planned using the regular mails, single-use disposable phones and codes rather than encryption and that this is all about looking good in public.

  16. Jimmy Floyd
    Big Brother

    @Patrick O'Reilly

    Maybe. Equally it may be a kind of Churchillian Enigma conundrum where they CAN crack AES 256 but won't admit to it for anything so minor as child porn...

  17. Anonymous Coward
    Anonymous Coward

    Plausible deniability?

    Isn't this trivial to implement in TrueCrypt?

    2 passwords, 2 partitions, no way of telling that it's set up like that.

    Just give them the other password and they open it to find nothing incriminating..

    They can prove there's a password protected file. But after you hand over the key, can they prove you implemented plausible deniability?

  18. Steven Jones

    Double Encryption

    There are plenty of options for the truly criminal. One is to use TrueCrypt which has a system of double encryption which allows for plausible deniability. There are two encryption keys. The second is optional and is used to hide a hidden volume, the existence of which cannot be proven. So you can be forced to hand over the first key, but if you have further data hidden then its existence in what is apparently spare space cannot be proven as it all just looks like random data.

    Most importantly, TrueCrypt works in memory - it's very easy to leave traces in other parts of your system (so you have to be careful of what applications are doing). There are still plenty of ways this could go wrong, and if you send a file to somebody else, you'll have to trust them not to make mistakes and reveal the presence of this hidden data. Of course just the presence of TrueCrypt might be enough to raise suspicion, but for a court to convict an individual for not revealing a password which they can't prove must exist would, even in these days, be a difficult one.

    Then as an alternative, you can go for steganography. There are ways of hiding information, which may itself be encrypted, in apparently innocent files such as large media files. It can just look like the little bit of random noise that you get in any such image. The existence of such things can also be difficult to prove.

    Of course you need to trust the software developers - if they've made a mistake in their implementation, and the existence of such things can be detected, then you could be in serious trouble.

  19. Paul 98

    claim it's not an encrypted file

    Would it be plausible to claim that it just isn't an encrypted file? Just claim it's a dump of random data from /dev/random or something? Then it doesn't have a password to hand over it's just random data as far as you know. Don't even claim it's a TC file.

  20. Anonymous Coward
    Go

    Yes m'lud

    Here's the password. No, there's no hidden partition, honest...

  21. Anonymous Coward
    Anonymous Coward

    FEAR

    @Michael C

    The police do not need a warrant to search you, nor do they need a warrant to ask you for your decryption key/method, suspicion is enough and warrants can be obtained after the fact. It is an offense in its own right not to provide means for encryption when requested, regardless of warrant.

    RIPA can lick my sac.

  22. Roger Varley

    Its So Wrong

    >Hand over the encryption key to your data or we give you 2 years in prison!
    >
    >hrm, lets see... 2 years in prison or decrypt my child porn and spend a lifetime on the sex offenders register etc...let me think......

    So is that 2 years and you get to keep your encrypted data, or is it 2 years and then they ask you again?

  23. JohnG

    @Michael C

    "Should they inadvertently discover child porn on your PC while looking for bank fraud records, they're bound by law to ignore that, and charges against you for having those files would in fact be against the law (at least here in the US it is)."

    That is NOT the case in the UK. Whatever turns up during a search can get someone into trouble entirely unrelated to the original excuse for making the search. The laws on evidence in the UK are very different from those in the USA.

  24. Anonymous Coward
    Boffin

    We shall not be beat!

    All my secret plans to take over the world using a Giant Space based Laser cannon are kept on an Encrypted Ram Drive and battery powered Ram Pen Drive!

    That way when 007 tries to steal my TOP Secret plans I just disconnect the battery!

    Now just to sit back and stroke my white cat while MI6 send their best agent after me!

    Activate Project Sun Burn!

    Muhahahahahahahahahaha ha ha ha

  25. CABVolunteer
    Thumb Down

    They don't know (or care) what they're doing?

    "The Home Office said NTAC does not know the outcomes of the notices it approves."

    Then how do they do quality control or monitor their own performance?

  26. Anonymous Coward
    FAIL

    Wasn't there

    a 'get out' clause about not incriminating yourself?

    So if plod have charged me with possession of CP because the letters in my name use the same alphabet that the real crims does, and I don't want them to see my goatse collection and knitting patterns, why do I then have to provide the decryption key and _prove_ myself guilty? If they have enough evidence to charge me why do they need to search for more on my PC? If someone has accused me of having CP on my PC then that's back to the "I am refusing to incriminate myself" so give me two years and fry my PC.

    Surely the (UK) plods ask the courts for a warrant to search for 'illegal files and other naughty things' rather than 'financial statements pertaining to financial years 2007/2008 and 2008/2009.'

    @Michael C

    Up to this law being passed, if documents were in code or otherwise encrypted then it was considered up to the plods to decrypt the contents. They could do this by beating the code or the owner (probably the latter) but this was seen as part of normal police work. Only now do the police try to make the public incriminate themselves. They do have lots of other legal tricks and devious means to catch the bad people, but these take real police work to implement and analyse. So too difficult for plod then.

  27. Anonymous Coward
    Paris Hilton

    @ Forgotten password # By Scary

    Oh, ok, it's slipped your mind, have five years at her majesty's pleasure to help you remember it.

    I think, correct me if I'm wrong, that it's the only piece of legislation on the books that requires you to be able to prove a negative. I.E. you have to be able to prove you haven't got the password anymore or you'll be in contempt.

    Paris, not draconian but just as bloody stupid.

  28. Adam 10
    Black Helicopters

    What if it isn't my file?

    Problem with this law is that if someone wants to have you locked up for 5 years, all he has to do is plant a few megs of random data on your hard-drive and make an anonymous tip-off to the cops.

    So, after your PC is carted off and forensics find a .TC file on your hard-drive, the court asks you to cough up the password... but you don't know it because it isn't even your file.

    No chance of an alibi, and because it isn't "physical" evidence, there isn't any real way to prove or disprove who made the file.

  29. Martin 6 Silver badge

    @Paul 98

    We had a lecture from the nice man from the police and we asked how could we prove that random numbers weren't an encrypted file? His response was that basically it would be ok for genuine researchers at a university to have random numbers.

    So if you aren't one of Ross Anderson's students then it would be a good idea to delete any digital camera pictures where you left the lens cap on.

    Except that having deleted but recoverable pictures on your hard drive isn't a defence if you are a knowledgeable person (ie. know how to undelete them)

    You could scrub the drive, but having a pattern of random bits written to the unused blocks would also be suspicious.

    Probably safest not to have a computer or a camera these days if you live in the UK.

  30. Bumpy Cat

    Forgetting your password is not an excuse

    IIRC, the animal rights extremist claimed just that - that she didn't know anything about the PGP install on her computer and thus didn't know the password to decrypt her emails. That cut no ice with the beak, and she was banged up anyway - although not, in the end, for the failure to hand over keys.

  31. nichomach
    FAIL

    @Michael C

    I appreciate that you are well intentioned, but the law in question is not US law. There is no fruit of the forbidden tree doctrine in the UK, and your point about the specificity of searches is incorrect. Moreover, there are no warrants involved; the issue of a warrant involves the judiciary, at least at magistrate level. These are warrantless seizures of data, with no judicial oversight or involvement, and the notices are issued on the say-so of the police and security/intelligence services. All that stuff that you referred to about what the courts can or cannot do (leaving aside that you're basing that on US law which is completely inapplicable) is utterly irrelevant. RIPA is NOT a mere clarification of pre-existing laws but a massive extension of warrantless search and seizure with extraordinarily draconian punishments for failure to comply.

  32. Anonymous Coward
    Anonymous Coward

    knackered usb pen drive

    Just get yourself an old 126mb USB pen drive or even a 3.5" floppy and break it so no data can be read off it.

    then if plod comes along and asks for the passphrase to decrypt your encrypted files just say 'sure it's a randomly generated 200 character key on this disk'

    As the disk is damaged they won't be able to recover the passphrase, but you cannot be accused of not supplying the password, it's just the password is unreadable to them.

    They would then have to prove that the disk didn't contain the password in the first place.

    Most police forces use EnCase software to read from seized drives which is fairly poor and can be overcome with stuff like zip bombs

  33. Anonymous Coward
    Boffin

    Two Machines

    Take for example the following, two machines,

    Build two machines (A & B) with encrypted hard disks, then copy each decryption key to the other's encrypted disk, and delete the local copy

    Machine A boots, authenticates to machine B and retrieves its own decryption key from machine B.

    Machine B boots, authenticates to machine A and retrieves its own decryption key from machine A.

    Now if both machines are ever shut down at the same time, there is no way to obtain the decryption key. Now if only you could prove this is the way the machines are set up, and prove you don't have access anymore. But you could still be open to destruction of evidence, dunno, IMNAL.

  34. Anonymous Coward
    FAIL

    There is no encrypted data

    therefore I can't provide the key...

  35. Karim Bourouba
    Paris Hilton

    RIPA is scary

    RIPA has to be one of the scariest things in UK law at the moment.

    Aside from it being a license for nosey Council employees to snoop on people, it seems to be a massive invasion of privacy. Does it mean that anyone who uses encryption is doing it because they are up to something they shouldn't be? Is this just an effort to criminalise the use of encryption in software? The mind boggles.

    Normally, I don't advocate the use of things like this, but with the rise of bot-nets and zombies, what stops a bot-farmer from holding encrypted data on someone else's machine? And then add that to the sheer amount of companies that use encryption to transmit data every day of the week.

    Plod picks up said person and tries to lever the encryption key from them but to no avail. I know it sounds like something the tinfoil hat brigade might come up with, but I don't think anyone can rule it out.

    And then there is TrueCrypt, all some nefarious evil doer needs to do here is just employ two encrypted OS's, one hidden and one not hidden. Plod won't know any different because, well let's face it, the average intelligence of the plod is almost equal to a garden fence.

    Essentially, anyone with anything they really want to hide can do so without fear that plod will be able to find the data they are hiding.

    I'm getting all paranoid now, I know. But surely RIPA just isn't worth all the hassle? Why can't the government just hide this under layers of impenetrable legislation that will take months if not years for the scare-mongers to get through?

    Paris, well because I always use Paris. Plus, she and plod also share the same level of confusion as to what encryption means.

  36. Eric Olson
    Big Brother

    The more I read about this stuff...

    The more I think that the governments of the Western world are trying to let the criminals and terrorists win. That way, they can claim extraordinary powers on the grounds of it being a state of war. Thankfully, while the US does have its problems and does seem to be trying to chip away at the edges of civil liberties, it's not as quick as the UK's descent into the Orwellian nightmare. It does seem like 1984 is being read as a how-to manual rather than a warning by various members of the government class. At least as far as this goes, the US has the well-enshrined 5th Amendment, which specifically indicates that no citizen can ever be compelled to self-incriminate. And that part of it is not worded in ways that make it open to multiple interpretations, like the 1st, 2nd, and 4th, to name a few.

    "...nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law..."

    I would suggest that all of you who don't want to live in a police state move further west, to the US or Canada, but you'd probably be detained either at the UK or US border for being undesirables in some way, shape, or form.

    If you need me, I'll be buying land in the NW Territories of Canada....

  37. Nigel 11
    Alert

    If I ever have something I really need to hide ...

    I'll use the right encryption software. Create several co-mingled encryption volumes. Stuff one with a load of mildly embarrassing but legal sub-porn plus bank statements etc. Hand over the de-crypt key after protesting as much as possible.

    It's all but mathematically impossible to prove whether the other encrypted + steganographied volumes contain anything other than random bits - in fact, you can't say whether they exist at all. The software is known to create a good few of them, with random contents and decrypt keys, never known to the user!

    Also, how long before an enterprising company outside the UK sets up a network data repository and web proxy service that one can access (only) via an encrypted VPN? It sounds like the sort of thing that a Swiss should do. No use whatsoever for terrorists or people doing other things prohibited by Swiss law, but the country still believes in privacy and certainly wouldn't help any foreign government with its drive to catch "thought-criminals" or to put all our e-mails in its database. Which sadly, seems to include UK govt. these days.

    Criminals, of course, would use the service in Paraguay. (No, I don't know if it yet exists).

  38. Anonymous Coward
    Anonymous Coward

    Guilty of Privacy?

    Guilty of exercising their privacy right? Or guilty of something else PLUS failure to decrypt?

    Because if it comes down to the only thing they are prosecuted for is failure to decrypt, then in essence UK no longer accepts the right to privacy.

    Not in any sense, not in any aspect... well except when it comes to anything to do with MPs, then suddenly everything needs to be private.

  39. Anonymous Coward
    Anonymous Coward

    Another on the way ?

    http://news.bbc.co.uk/1/hi/england/devon/8192980.stm

  40. Nic 3
    Stop

    Tin Foil Hats

    Many commenters here need to drink a little less coffee, open a window and get some sun light and fresh air.

    The Man is not coming for you.

    On the subject of Warrants, I can tell you that they are not given out without serious consideration based largely on individuals' right to liberty.

    Calm down dear, it's only an advert.

  41. Martin 6 Silver badge

    Remember this is plod not CSI

    For everybody describing triple level plausible deniability stenograph systems remember this is the plod - the same people that carry impounded monitors out of a raid, the ones with a 6month backlog to image harddrives but who can't deal with Macs.

    We 'volunteered' to hand over a server once for an investigation into a company we worked with. Months later I got asked for the 'administrator password' (for a Linux machine).

    I don't know, we only use ssh - here is the shared key. A month later 'it doesn't work it's too long'

    I'm convinced they are still trying to logon with Administrator and type in a 255char ssh key correctly.

  42. Anonymous Coward
    Anonymous Coward

    (untitled)

    Whilst I like to see criminals caught and brought to justice I have grave reservations about being obliged to incriminate yourself under threat of imprisonment. It is one thing not to impede an investigation, but quite another not to aid it. There's something fundamentally wrong there.

  43. Joe Blogs

    Simple really.

    Put all your world domination plans on a wireless NAS device and put it in your neighbours loft (yeah, this is the hard bit, but do it while you are cat minding when they are on holiday).

    When plod come and search your house, they won't get your NAS, because it's not located at the property they have a warrant for, and they won't know anything about any external data until you have had time to change the names on any documents to your neighbours' names, and you can then pass the blame to them.

  44. Anonymous Coward
    Big Brother

    CPS telling lies???

    ....Crown Prosecution Service said it was unable to track down information on the legal milestones without the defendants' names.....

    so they can't retrieve precedents with a defendants names....

    so, when you commit your first murder your lawyer can say..

    "Yes your Honour, this is the first case of its type, in fact everything today is new to me..I've never heard of Murder."

    and we wonder why we lose faith in the State..

  45. Anonymous Coward
    Linux

    Encrypted Data

    I'm wondering as how the police decide the difference between encrypted and garbage data?

    "Police: What is this HU9hfdsoih9gguihdsfhiosudkg(*G"

    "Me: Random Data......."

    "Police: Yeah right SON, Off to the nick with ya!"

  46. Anonymous Coward
    Anonymous Coward

    What a brave new world the UK has entered

    If we do away with the privacy right, that's been a fundamental right for millennia, and a protected legal right for centuries. Then we're going to explore a lot more of these cases.

    "Sir Christopher reported that all of the 15 section 49 notices served over the year - including the two that resulted in convictions - were in "counter terrorism, child indecency and domestic extremism" cases."

    What does this mean?? When Sir Christopher says that 15 section 49 notices were issued and only 2 resulted in convictions, how can the others 13 innocent be in "counter terrorism, child indecency and domestic extremism"?. Surely they were found NOT to be terrorists, pedos or domestic 'extremists' (do you mean protestors??)

    Counter terrorism accusation means squat these days. The stop and search of suspected terrorists has been used how many times (I seem to recall 1 million plus) ? If an officer demanded decryption in those, they would be listed as counter terrorism related.

    I also don't see that a secret filter list from GCHQ passes for acceptable, or even the Judicial process if RIPA permits unchallengeable secret allegations to be passed to the judge.

  47. Jockox3

    There was another one yesterday...

    The scout leader convicted yesterday of possession of indecent images of children was also charged with refusing to decrypt his data when requested by the police and convicted on that charge as well.

  48. Dex
    FAIL

    You don't have....

    .....the right to remain silent it seems

  49. OkKTY8KK5U

    @Nic 3, thank you for making me invoke Godwin's Law

    "When Hitler attacked the Jews I was not a Jew, therefore I was not concerned. And when Hitler attacked the Catholics, I was not a Catholic, and therefore, I was not concerned. And when Hitler attacked the unions and industrialists, I was not a member of the unions and I was not concerned. Then, Hitler attacked me and the Protestant church -- and there was nobody left to be concerned." - Martin Niemoeller, Berlin Lutheran pastor arrested by the Gestapo and sent to Dachau concentration camp in 1938

  50. Ermie Mercer
    Happy

    "There is no key"

    "Give us the key!" "'There is no key.'"

  51. Anonymous Coward
    Anonymous Coward

    Which is why...

    It's good to use an encryption which has an optional multiple key system like Truecrypt, you give them a key which lets them read the volume, and see all your "secret" stuff like bank account details etc... You don't give them the other key which would decrypt your bank account details and your plans for world domination.

    As the secondary key is an optional (and undetectable) step, they have no idea if you are using the feature, or if you have given them the full key or not.

  52. ohnoesohnoes

    Nice work, Big Brother

    Good to see that the Magna Carta is still going strong in the UK.

    Oh, wait, no. 1984 is the new bill of rights!

  53. Columbus

    smug mac users

    whilst I am a smug mac user, and accept filevault is not perfect, I am aware of maclockpick which is quite a useful bit of kit to get into most macs and any decent mac sysadmin could get into an ordinary mac in seconds. Luckily there is a dearth of mac people in the british police

    The point for most people is that the police don't need to get into them anyway. The evidence is presented in such a way that "we have the computer, and therefore the evidence that you are a bad person so plead guilty." Remember Operation ORE...

    @NIC3 - Some warrants are properly considered, others are sheer fishing trips requests in front of a magistrate, and others are simply arrests on spurious reason then searches conducted under PACE

  54. Anonymous Coward
    Pint

    What can you do? May as well have a beer while you still can..

    Given that it's only a matter of time before you can go to jail for not giving up the existence of (and password for) hidden encrypted volumes too (once the idiot scum who make these laws hear about this potential dodge), almost anyone with a computer and access to encryption technology will be potential criminals. So that's everyone then!

    Two steps in establishing a strong police state:

    Step 1: ensure all citizens can be held guilty until proved innocent of a crime which it is impossible to disprove having taken place.

    Step 2: bask in the glory of your unbridled power as dissenters are thrown into jail for haplessly transgressing on step #1.

    Mine's a swift half before they come to take me away to room 101...

  55. Shadowfirebird
    Black Helicopters

    A quick primer on RIPA pt III

    * No, forgetting your password is not an excuse -- you go to jail.

    * Ditto claiming it's not encrypted. You have to prove it's not encrypted (I know, I know...)

    * Not only is the point about not incriminating yourself not going to work, I think there was even a case that went against the idea in the US (it was about a TSA search of a laptop, if I recall correctly).

    Since the onus is on you to prove your innocence, technically you could still be done for even with plausible deniability. "Prove that you don't have a hidden second tier!" "I can't!" "Then it's jail for you, sonny boy!"

    Believe it or not, if it weren't for the campaign against it, RIPA would actually be *worse* than it is; check the Reg's archives for details...

  56. Anonymous Coward
    Anonymous Coward

    @What if it isn't my file?

    Exactly. Hypothetically, what is the position if say you buy lots of hard drives off ebay. One or more happen to still contain encrypted data (the system is also encrypted so won't even boot). What then?

  57. Anonymous Coward
    Thumb Down

    @Karim Bourouba

    >the average intelligence of the plod is almost equal to a garden fence.

    And it appears that the level of intelligence of the average commentard is even lower. If I think you mean what you didn't write then the basic flaw in your comment is that it is not your average plod who would be attempting to forensically examine a hard disc, in much the same way that your average plod does not perform an autopsy.

    You might like to gain brownie points by making such asinine comments to a bunch of budgies with new mirrors but reality is somewhat different.

    All this law has done is provide a possible short cut to prevent the forensics experts from wasting their time but if they believe you really have something to hide and it is important enough to them then they will take the time and they will find it. However, if you're sat in prison for two years at a time then they really have little incentive to look very hard.

    And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life.

  58. Steven Jones

    @nic 3

    I think the real danger with this is that somebody will get caught up in some Kafkaesque saga where they are required to provide a password for some encrypted file and have genuinely forgotten it. I suspect many of us have old password protected/encrypted files that we have forgotten about or have lost their purpose. Certainly I have.

    It may be considered unlikely that people will get drawn into "serious" investigations and end up in this position, but that's far from the case. It's only necessary to look at Operation Ore where very many people had PCs seized following the discovery of credit card numbers on a web site carrying child porn. Of course it is far from the case that all of them were innocent, but there were certainly a very substantial number who were being the victims of things like stolen credit cards or frankly erroneous statements about what they must have seen.

    All it requires is a mixup on log records for somebody to be dragged into an investigation. There have been mixups over such stupid things as differences in timezones (BST vs GMT) on ISP records, not to mention the possibility of Trojans, wireless networks being hijacked and any number of other things which could end up with an innocent individual being dragged into investigations of some very serious crimes.

  59. Jockox3

    Apologies...epic fail

    I missed Anonymous Coward's post about the same case @ 15:32 and misheard the report last night and thought he had been convicted not merely remanded.

  60. Anonymous Coward
    Anonymous Coward

    The big question

    The big question is what counts as sufficient evidence that the accused is refusing to decrypt the data rather than being genuinely unable to do so.

    It's perfectly normal, I think, to have encrypted data that one can't decrypt. I frequently encrypt something in order to move it from one place to another, on a CD, an SD card, or by e-mail. I encrypt the data either with a simple passphrase that I can remember or with a randomly generated passphrase that I write down on a scrap of paper, and I decrypt the data a few hours or days later at the destination. A few weeks or months later I genuinely can't remember the passphrase, and I've lost the scrap of paper if there was one, but the encrypted data is probably still hanging around somewhere in my custody. Can they lock me up for that?

    If yes, then it's a dangerous law. If no, then it's a useless law.

    In any case, if the justification for the stupid law is child porn, then that's a stupid justification because perverts looking at pictures, however disgusting you or I might find them, is a victimless activity and shouldn't be a crime.

  61. Nomen Publicus
    Black Helicopters

    Lesson the first

    Always keep your illegal porn and plans to assassinate [insert name here] on somebody else's computer.

  62. Anonymous Coward
    Anonymous Coward

    Well, don't control data access in the UK then.

    UK laws apply to UK companies and UK located information.

    I wonder what would happen if you host your data or even just one half of a master key in a country where privacy still means something, Switzerland? They too can demand access if there is enough evidence of criminal activity (little known fact about Swiss bank secrecy - it's the bit the US tends to gloss over when they accuse Switzerland of "hiding" data), but (a) the Swiss require a proper warrant issue process instead of the weasely "I wanna" in the US/UK (especially since you're crossing borders) and (b) have demands in place to treat such disclosed information with the extra care it requires. The privilege of legally enforced access is limited to those investigating the case, and the data is destroyed if the claim proves to be without merit.

    I'm not quite sure what your position is if you CAN provide access but it would have to go through the Swiss - you're then not violating the law, just making it hard to do so improperly (IANAL, of course).

    In the UK, it appears that as soon as you have handed off your precious information (about, say, High Net Worth individuals or some celebrity) there is NO requirement imposed on police or government to treat that data as it should. Translated; if someone high up wants to ruin your business (or get a copy of your confidential information), all he needs is (a) a high friend in government, (b) a manufactured section 49 disclosure and (c) an "accident" involving "lost" CDs or memory sticks, leaving you to clean up the mess, and there will be almost no audit trail to follow back. Alternatively, the so obtained data gets handed to a fresh school leaver who can be socially engineered to hand it over for a bar of chocolate (I may be putting the "bar" too high here, har har).

    Just to clarify: I have no problem with the concept of disclosure for proper purposes - I understand the need (I was in London during the IRA years). However, there is NO excuse for the absence of proper audit, accountability and independent checks preventing abuse. If there was even a glimmer of transparency in the system it would be OK, yet that has been scrupulously avoided - thus prompting the mistrust it deserves.

    It's not the citizen who may or may not have something to hide, it's the government which must remain accountable. BTW, you have to prove your innocence here (in case you missed it). First the banks managed it (CHIP & PIN swaps liability), now the government. Wonderful.

    Well, I have TBs of storage available, and at a pinch I can also vault hard disks externally - all you need is split key encryption and you're on your way. You disclose the UK part, they'll have to work on the Swiss part (as soon as they cross the Swiss border it becomes a Swiss judicial matter, you can't just wander into another country with some plods).

    Happy to help (where it remains legal) - I saw this coming when RIPA was just in discussion..

  63. Anonymous Coward
    Big Brother

    Worrying

    About six months ago I downloaded Truecrypt and bogged about with it for a bit. Probably in response to a previous article on Reg. I created a small volume and mucked about putting a few mp3s in. For a while I had different versions of the volume on my drive with slightly different content and yes I know that's a security no no, I was experimenting see. All but one got cyberscrubbed, I got bored and never got around to putting truecrypt to use. I should as I have banking related stuff on here.

    I can't open the volume any more. I know what the pass phrase was but not the caPITalisatiON and symbol sub$titut!on I used. I really ought to just scrub the lot but it's like a challenge now trying to recall the correct combination.

    Just having that on my drive could get me sent down for 2 years if someone I annoyed made a malicious accusation? Get me outta this Liebour fucked over hell hole.

  64. Anonymous Coward
    Anonymous Coward

    Been coming a LONG time....

    I first started warning colleagues in the IT/Defence Industry about RIPA way way back in 1995/96. People at the time thought I was over-reacting. It was a long time before it actually hit the statute books (in full) but what a bunch of control freaks were at the levers of power then. The same people are horrified now and can't quite understand how this happened. We live and learn...

    Plausible deniability. If you have something to hide in the UK then first of all don't - offshore it. If it HAS to be here then you need a multi-layer crypto/obfuscation scheme. There's various Windows based apps available, there used to be Phonebook for Linux machines (think that's long dead but was a bloody good idea) and of course there's h/w tokens but not on their own eh?

    In short if you have data in the UK that is stored offline then assume that plod will be able to "persuade" you to part with the key. If the data is online then plod should already have it. You should be planning on that basis.

    With the nastier clauses in RIPA (can't disclose you've been asked for the key, etc) I see no reason why anyone with the slightest clue would choose to store ANY sort of confidential data within UK borders.

    Protect yourselves for the UK govt is only interested in protecting itself. Really. The next (Tory) govt will be the same - watch them NOT repeal the "bad" laws, but extend them in the guise of "reform".

    If you have nothing to hide then why do you have curtains?

  65. This post has been deleted by its author

  66. Anonymous Coward
    Linux

    Use a non-mainstream OS?

    No, Linux is too mainstream - and EVERYONE knows if you use that you are a criminal Haxor. Try CP/M or DOS 3.3 or some academic experiment. They probably won't realise the computer is running if they don't see "Welcome to Windows". And having the key won't help much if they don't know how to enter it!

  67. Anonymous Coward
    Stop

    Rights of the Innocent

    Whatever happened to the rights of innocent people? (Oh, I know, it's more a rhetorical question these days. That's how far we've gone down the pan.)

    When the State wants you, an innocent person, to hand over an encryption key, is it so that you will help them prove your guilt (but you're innocent), or is it so that you can prove your innocence?

    Innocent people shouldn't have to help the State prove them guilty. After all, they're innocent. There is no guilt to prove. It would be truly perverse for innocent people to have to help the State prove them guilty of crimes they didn't even commit.

    Innocent people shouldn't have to prove their innocence, either. You're innocent, whether you prove it or not. As an innocent person, you have the natural, human right to be respected and treated as the innocent person that you are. And isn't all this criminal justice stuff supposed to be about protecting the innocent in the first place?

    Innocent people shouldn't have to help the State prove their nonexistent guilt, nor should they have to prove their innocence. Innocent people shouldn't have to hand over their encryption keys.

    But what about the guilty? Well, until and unless they're proved to be guilty, the State has to allow for the possibility that they're innocent. Otherwise, genuinely innocent people end up having their rights, as innocent people, taken away in the process. This is what the right to the presumption of innocence is essentially about. Until and unless proved guilty beyond all reasonable doubt, we must limit what we require of suspects and defendants to only that which can reasonably be required of entirely innocent people. Otherwise, we're failing to protect the innocent in our pursuit of the guilty. And since it's all ultimately about protecting the innocent, that would be a truly perverse outcome.

    There is a real and growing need to enshrine the rights of the innocent right at the heart of our State. It must form a fundamental part of the very foundations of the State. Without the rights of the innocent, the State ultimately has no legitimacy.

  68. Anonymous Coward
    Thumb Up

    What a load of paranoid crap.....

    >Innocent people shouldn't have to hand over their encryption keys.

    If there is reasonable suspicion of crime and it's gone through the legal process, of course they should, same as they would their house keys, safe keys or shed keys......

    Bottom line is it's only a problem if you've got something incriminating encrypted.

  69. Sitaram Chamarty
    Big Brother

    @Michael C Posted Tuesday 11th August 2009 13:45 GMT

    doesn't explain why you can't tell people you've been asked for the key, which apparently is also part of RIPA, per John Naismith Posted Tuesday 11th August 2009 16:35 GMT

  70. Anonymous Coward
    Big Brother

    @WTC

    >On the one hand I want anyone planning the next WTC atrocity caught before...

    Problem there of course is that the terrorists in this case, and probably most, used code and open channels rather than cryptography which (historically) has only ever provided the illusion of security from state intelligence services.

    From where I sit, a reassuring angle on this story is that taxpayers' cash isn't being wasted in spades on consultants and high power cryptanalysts cracking the hard drives of wannabe child molesters and monkey fans...

  71. Anonymous Coward
    Paris Hilton

    I made the mistake of complying with the police

    to try and prove my innocence when falsely accused of assault by my ex wife and then had to sit back and watch whilst the police force involved tried to manipulate every single item of evidence.

    My 1 hour fully compliant interview was reduced to a ROTI of 2 lines and despite an order from the court during one of the 37 pre trial reviews to produce a full one they still refused.

    My clothing, worn at the time of the alleged assault which if the allegation was true would have been liberally sprayed with blood was not forensically tested as I had "admitted to being at the scene"! even though it would have come back negative for blood.

    A full medical carried out in custody showing that I didn't have a mark on my hands or body despite an allegation of a full blown fight was marked as "clearly not disclosable" even though it clearly helped my defence, had to fight to get that one out as well despite the court telling the plod they had to release it.

    Custody notes were edited, statements were changed, witnesses were coached at court etc etc.

    Anyone who does anything else except say "no comment" is opening themselves up to the police positioning you for the fall. After all, we are expected to believe that DNA should be kept on people arrested as the innocent will commit further crimes!

    My advice is to say "no comment" to all questions and store your dodgy stuff on a server overseas so you don't go through 2 + years of crap until they're forced to drop it as I was.

    Anyone who thinks we have nothing to fear is living in cloud cuckoo land.

    Paris - brighter than plod

  72. Henry Wertz 1 Gold badge

    self-incrimination and keys

    "If a court demands you produce financial records, and you hide that information or destroy it, when the court is aware already of it's existence, you're typically imprisoned"

    But if they got the documents and just couldn't read them, you would have been in the clear.

    "when it comes to a warrent issued to colelct specific evidence, your actions to prevent that collection are in fact criminal, and allways have been"

    Except this doesn't prevent collection, it prevents reading the evidence. I don't think there was a requirement to provide keys until this law was passed.

    Anyway, I'm just not sure that Britain has any protection against self-incrimination (the US does in the form of the 5th amendment.) If you do have this right, then this law violates it. It's NOT like destroying or failing to provide data -- they have your data, they just can't read it. If the right against self-incrimination was just common law or tradition or whatever, well, there you go... that's why the founding fathers here in the States passed these amendments, they figured power-hungry despots could get in power eventually and having these rights enumerated would slow them way down compared to just having it be vague case law or what have you that they could ignore.

  73. ed2020

    Title.

    "And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life."

    Oh really? Do you have any evidence to back up this assertion?

  74. Charles 9

    Re: Rights of the Innocent

    And then, as some would say, "There IS no innocence." The state is hopelessly lost. Either the freedoms it is supposed to protect end up letting the fox in the hen house (because nefarious agents are able to destroy the country with a totally innocuous phrase like, "Let's party.") or, in the process of protecting the people they're charged with defending, they end up becoming their very pariahs. If the state is damned if they do and damned if they don't...then they'll damned well do as they please.

  75. Omer Ozen
    Happy

    Re:Remember this is plod not CSI

    @Martin 6

    Thank you Martin, you really made me laugh out loud.

  76. Anonymous Coward
    Anonymous Coward

    Re: You don't have....

    ".....the right to remain silent it seems"

    Look back to the Criminal Justice and Public Order Act 1994: http://www.opsi.gov.uk/acts/acts1994/ukpga_19940033_en_1

    More specifically, Sections 34 to 39, "Inferences from accused’s silence": http://www.opsi.gov.uk/acts/acts1994/ukpga_19940033_en_5#pt3-pb3

    It was the Conservatives who put that piece of legislation through. The loss of our rights is not all New Labour's fault.

  77. Nic 3
    WTF?

    @Anonymous Coward -16:23 GMT

    "In any case, if the justification for the stupid law is child porn, then that's a stupid justification because perverts looking at pictures, however disgusting you or I might find them, is a victimless activity and shouldn't be a crime."

    I truly hope you are joking.

    If you are not (and I really really hope you are just trolling). Consider the basics of supply and demand.

  78. Richard Smith 1

    "Domestic extremism"

    WTF is "domestic extremism"? Is it like extreme ironing?

  79. ZenCoder

    They make it illegal to forget passwords ...

    A large number of products employ encryption ... people are disorganized ... the average person is bound to have some old password protected file somewhere that they honestly can no longer decrypt.

    Laws like this are really great. You see a lot of times they want to believe someone is guilty but they have no evidence. And in a society that respects the rule of law you can't lock those people up. So you just make so many stupid laws that anyone can be found guilty of something.

    Since everyone is now a criminal you can take it a step further and collect everyone's DNA, fingerprints and put up spy cameras everywhere.


  80. Anonymous Coward
    Anonymous Coward

    Tin foil hats out in force

    You lot are so fucking paranoid. Nobody is interested in your porn nor your bank details. What makes you think you're so special that a squat team is going to come knocking down your door in the middle of the night demanding passwords to encrypted files? Sod all, that's what. In a full year 15 people were served with notice to give up their keys and that is 15 people who were already being prosecuted for a tad more than a minor offence.

    Just from the title of some articles it's easy to know what the comments are going to be, it's like winding up a bunch of clockwork sheep then watching them all head off in the same direction.

    What is wrong with people suspected of committing, and possibly planning further, heinous crimes being asked to provide a key? If you're prepared to spend a rolling two years until the end of your days in prison rather than hand over a key then you're either so pigheaded that it's better you are locked away or you have got evidence of a crime in which case fess up and accept you've been caught.

  81. Simon Langley

    Hidden partitions are proof against forensics

    @AC

    "And as for all those comments about double partitions in TrueCrypt. It might satisfy the curiosity of your wives when she sees that you have an encrypted file but if you think for one minute it will fool a trained forensics expert then at best you've wasted a minute of your life."

    That shows all you know, ask a proper cryptographer.

    The plausible deniability of Truecrypt's hidden partitions is exactly that. No matter how well trained the forensics expert is, it is not possible to prove that a Truecrypt volume contains a hidden partition unless you can decrypt the data. No-one, and I don't care who they are, how much they know or how well they are trained can prove this - it just isn't possible.

    Most steganography techniques can be overcome, but the plausible deniability of Truecrypt (and RubberHose to give another example) is exactly that. Without an encryption key or a computer powerful enough to crack strong encryption algorithms (and I don't believe even the NSA is capable of this) encrypted data can be made indistinguishable from random bits.

    Truecrypt FTW.

  82. Anonymous Coward
    Anonymous Coward

    ACPO only following orders

    ACPO's up to its usual tricks. It is telling Chief Constables not to apply the ECHR ruling and to wait for guidance from the Home Office... sometime next year at the soonest.

    http://www.guardian.co.uk/politics/2009/aug/07/dna-database-police-advice

    As though Home Office guidance can trump ECHR final rulings, and as though Chief Constables can be outside the European Court of Human Rights ruling, just as long as they're 'only following orders' no doubt.

    They can't, ECHR rulings are binding, they're not just binding only after the country has agreed they are binding.

    And interesting those 'secret letters' have been sent 235 times. These are the times when secret claims are made against the person in a letter, and that letter is not seen or can be challenged by the individual. A secret blacklist run by the police.

    http://www.bbc.co.uk/blogs/ipm/2009/07/crb_checks_and_secret_letters.shtml

    Seems to be used far far more often than I would ever expect. I bet none of those 235 will ever be told they can't get a job because of a secret letter.

  83. Anonymous Coward
    FAIL

    re Tin Foil hats

    Nic 3 said "On the subject of Warrents, I can tell you that they are not given out without serious consideration based largely on individuals right to liberty."

    so that's all right then. nothing to see here, move along... actually no.

    the big problem with ripa and imp is there is no independent judicial scrutiny or oversight. or proper safeguards like those in the us constitution. if the cops want to search your house, they need to get a warrant first. which means convincing a beak the search is reasonable and justified. it's not much of a safeguard, but it is there. the cops just can't search whenever the mood takes them. and in the us, evidence obtained from an unsanctioned search is inadmissible in court. however with ripa and imp, the cops and council and spooks -- hi there cheltenham! -- can go on fishing trips without judicial oversight. in fact there's no way of knowing if a ripa search has been done or if it was justified. we have to take their word on that.

    a proper system of checks and balances is needed. the ones looking for information must not be the ones to decide if they can go looking for it. that decision must be made by a judge. not a cop or a politician or civil servant.

  84. bigphil9009
    FAIL

    @ John 186

    Oh do sod off mate, have you ever heard of the Parliamentary System? We don't actually have a President, you know.

  85. Anonymous Coward
    Coat

    blah Liberties blah Jackboots blah blah

    UK is buggered, get out now instead of whining on El Reg. I'm off in about 6 weeks.

    The army surplus jacket with the Ferry ticket and Ford Transit keys.

  86. Anonymous Coward
    Anonymous Coward

    chaffing

    Several years ago Ron Rivest came up with a way of circumventing this type of law: chaffing and winnowing. It only uses authentication keys, not encryption keys, so you cannot be forced to reveal them - the privacy of authentication keys is guaranteed by the law in the UK.

    It also supports deniable encryption, since you can "voluntarily" reveal one of the several keys you use to create the chaffed message, giving the authorities access to an innocuous plaintext.
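An added illustration of the chaffing-and-winnowing idea named in the comment above (not part of the comment and not Rivest's own code): each message bit is sent as an authenticated "wheat" packet next to a "chaff" packet carrying the opposite bit and a random tag, so nothing is encrypted and only the MAC key separates the two. The packet layout, key and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32  # size of an HMAC-SHA256 tag


def _mac(key, serial, bit):
    """Tag one (serial, bit) pair with the shared authentication key."""
    msg = serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits):
    """Inverse of to_bits; len(bits) must be a multiple of 8."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def chaff(key, message):
    """Sender: emit two packets per bit, one authentic and one bogus."""
    packets = []
    for serial, bit in enumerate(to_bits(message)):
        wheat = (serial, bit, _mac(key, serial, bit))
        bogus = (serial, bit ^ 1, secrets.token_bytes(MAC_LEN))  # random tag
        pair = [wheat, bogus]
        if secrets.randbits(1):  # hide which packet of the pair is wheat
            pair.reverse()
        packets.extend(pair)
    return packets


def winnow(key, packets):
    """Receiver: keep only packets whose tag verifies, then reassemble."""
    bits = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, _mac(key, serial, bit)):
            if serial in bits:
                raise ValueError("two authentic packets for one serial")
            bits[serial] = bit
    if sorted(bits) != list(range(len(bits))):
        raise ValueError("gap in authenticated serial numbers")
    return from_bits([bits[i] for i in range(len(bits))])


def observer_view(packets):
    """What someone without the key sees: the set of bit values per serial."""
    seen = {}
    for serial, bit, _tag in packets:
        seen.setdefault(serial, set()).add(bit)
    return seen


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample key
    stream = chaff(key, b"hello")          # constructed sample message
    print(winnow(key, stream))
    print(winnow(secrets.token_bytes(32), stream))  # wrong key: nothing verifies
```

With the wrong key no tag verifies, so `winnow` returns an empty byte string rather than a plaintext.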

  87. Pete "oranges" B.
    Grenade

    Kickin' It Old Skool

    O/S loaded from ROM into RAM with only selective writes to storage.

    Remind anyone of the Seinfeld episode in which Kramer attempts to move the arcade machine without losing his high score?

    (Grenade as metaphor of the transience of memory.)

  88. Fraggle
    FAIL

    What about self-encryption?

    ie codewords? Can you be imprisoned if you refuse to interpret? If not, how is it different?

    HMG still does not get it. They're doing all the wrong things, because they're fighting the wrong enemy.

    @AC

    "It might satisfy the curiosity of your wives"

    Surely you'd be in trouble for bigamy! ;)

  89. Anonymous Coward
    FAIL

    right to silence - self incrimination unlawful under EU law

    if you are arrested you are told you have a right to remain silent under questioning. The Human Rights Act, which is based on the European Convention on Human Rights, gives you a right to a fair trial, and European courts have read this as meaning that you can't be forced to incriminate yourself.

    further to this:

    UK law gives you your right not to incriminate yourself and a right to silence. EU law stipulates that you do have a right not to incriminate yourself and a right to silence.

    however, various laws passed since the early nineties seem to have done their damned best to undermine these basic principles....obviously because of things like serious grade encryption being available to the common criminal^H^H^H^H^H^H^H man ;-)

  90. Bounty

    Which carries a longer sentence?

    What's worse, destruction of evidence or not turning over the keys? Which carries a longer sentence? "Yeah, sorry I gave you the self destruct key, now I would prefer the 2 year destruction of evidence sentence instead of holding me for 14 years for contempt. Thanks."

    What if it's a two person passcode? "My mistress, the neighbor's wife, knows the rest of the password. This is where we store our favorite home movies."

    What if the key is stored in RAM? "Yeah, just open truecrypt and press ctrl+v. What you turned it off...?" Would that be destruction of evidence? What if all data was in RAM, say you use a boot CD?

    What about biometrics?

    Anyways, contempt of court = eternal damnation is a violation of double jeopardy laws in my mind. I've almost forgotten pin numbers to seldom used ATMS. I don't remember any combinations to any combination lock I've ever used.

    How about this. If Bob made an encrypted volume 5 years ago, it's totally possible he forgot the password, or that he even made it. Bob plays with all kinds of software all the time. Hell, let's say Bob is a criminal. Bob hacks consoles or something, and he has experimented with HDD encryption, and at some point makes a volume and put some mp3's in there to test but he forgot the password. He tried to get all secure and fancy, and made the password too hard to remember. Instead of a 2 year total sentence for console modding, he gets 14 years for withholding keys he can't remember?

  91. I didn't do IT.
    Alert

    RE: Tin foil hats out in force

    Ah, well then. Now that you have written that, the IMP has it in its database, and will now show up on your CRB. Why?

    When "Those that have nothing to fear have nothing to hide" fails, then it's, "Methinks you do protest too much", because that's just the next step in rounding you up. Worked for McCarthy over here, after all...

    And (this time) it is not even malicious. You are just in the National Lottery of Blame(tm). Operation ORE was an educational exercise; make enough noise about the crime, and no one will care who gets swept up, even if they are innocent, as long as you don't let them talk. "We have your credit card details from that card you "reported stolen" last year - you are a fiddler! We don't need to find pictures, we have that card number!" and you are done.

    Too bad, he didn't seem like that kind, but we are safer, aren't we?

  92. Anonymous Coward
    Anonymous Coward

    Right to Remain Silent - U.K.

    http://en.wikipedia.org/wiki/Right_to_silence_in_England_and_Wales

    You've got the right to remain silent, but your silence will only incriminate you further.

  93. Fraggle
    Boffin

    And then....

    I came across this

    http://vanish.cs.washington.edu/

    which claims to be able to set data to digitally self-destruct. Is that usable as a defense ("Sorry, the data has already expired, no-one can see it now, not even me")?

  94. Havin_it
    Coat

    @Chris W

    I don't know what the hell a "squat team" is, but if they come knocking down my door I hope it's not the back one O.o

    Sorry to deflect the thrust of your argument...

  95. asdf
    Unhappy

    the irony

    Considering the whole future dystopia genre was largely invented by English writers, not recently but about the time my grandparents were born (see Huxley, Orwell, etc) it is sad even with generations of warning it is happening anyway in the West. How ironic it is that it would be the UK leading the charge.

  96. Steve Roper
    Stop

    @AC 16:23 Aug 11

    "...perverts looking at pictures, however disgusting you or I might find them, is a victimless activity..."

    Er... not quite. You see, if a pervert has PHOTOS of kids having sex with each other, then to take those photos somebody had to, you know, actually force some real kids to have sex with each other. Not exactly victimless, eh?

    What IS a victimless activity is people creating / looking at 3D rendered CG images, or cartoon drawings, of children doing "inappropriate" things. Having such pictures is still a crime both in the UK and Australia - now THAT is wrong. Since such pictures are not photos and don't harm real children in their making, banning them is political fear gone mad. Granted, if someone has a propensity to want to look at such images for sexual arousal they should be asking themselves if they have a problem. OTOH I've also seen examples where such pictures are used as black comedy or sick humour, such as the picture of Lisa Simpson blowing Bart (and I'm not talking about the London Olympics logo!), for which a guy in Sydney was convicted of possessing CP. If that isn't oppression, I don't know what is.

  97. Anonymous Coward
    Linux

    My encrypted data self-destructs...

    AC, just in case.

    If you try to decrypt my data in the usual way (but wrong info), it goes away. I use typical Linux encryption (no, I won't be specific), but hacked in a custom way that you won't notice unless you compare my binaries with all the other versions out there. Good luck with that.

    If you clone it to another drive or run it from another system, you might have a chance. There is one hole I couldn't close, but of course I won't say specifically what that is.

    Simply having the keys to my outer encryption layer won't help you with what's inside. Even if you run it from another computer, you are going to need the binaries within the outer encryption layer to get what's inside the inner layers (of which there are several inner siblings within the outer). There isn't an encryption library in the world that can decrypt my inner layers without the customized binaries inside the outer layer. There are a few interesting tweaks, but otherwise standard.

    The encryption binaries to decrypt the inner layers pay very close attention to the environment they're in. If something's strange (example: I changed a device that is being monitored), I have to do a few special things to keep it from suicide. Otherwise a valid key will cause it to self-destruct. An invalid key will always cause this, on the first try. There is no room for failure.

    It's not 100% failsafe, of course. I know of at least two ways to get around it. I don't know how to plug those two holes. There might be even more that I don't know (which is quite likely).

    In any case, random idiots that try to get at the data won't get it no matter what. They'll likely have killed it all on the first shot. If they're true idiots, they wouldn't know enough to make the backup before they tried to use it.

    I keep my data encrypted for specific reasons. None of those reasons involve anything illegal. But if someone pointed a gun at my head, I'd rather get shot than give it up. At least I could help them destroy the data before they fired. Good thing I'm not a target. :-)

    I'd like to work it in that if they used a valid key that they get valid data, but not the same data. I don't mean an alternate key like TrueCrypt does, I mean a *valid* key. I'm not there yet. I don't have time to mess with it, so I might never get there. (I do admit, I admire the way TrueCrypt does the hidden encryption area; pretty smooth.)

  98. Dusty Wilson
    Black Helicopters

    @Simon Langley

    "The plausible deniability of Truecrypt's hidden partitions is exactly that. No matter how well trained the forensics expert is, it is not possible to prove that a Truecrypt volume contains a hidden partition unless you can decrypt the data. No-one, and I don't care who they are, how much they know or how well they are trained can prove this - it just isn't possible."

    Mostly true. If they get a copy of your encrypted device/file at one point in time and then get it again in the future, they can compare the differences to see where the writes have been occurring. If there weren't any changes at all in the front, it's probably got a hidden partition within. No promises that it's always true.

    If you know that your encrypted device/file has been observed (eg: cops came to your house and grabbed your computer, but returned it later), you should wipe, reinstall, create encryption anew, and do it over again. That way they have nothing to compare it to. (and don't trust that they didn't modify your binaries! but then again, I'm paranoid)

  99. Anonymous Coward
    Paris Hilton

    encrypt then change file type

    How about taking an encrypted file and then changing its extension (like a .doc or something equally familiar). Authorities would probably overlook such a file and if they didn't they would simply try to open it with Word or some such program. File won't open, program and computer crashes, assume file corruption, continue in your nefarious ways.

    Paris, 'cause all my Paris porn hides in plain sight.

  100. Anonymous Coward
    Thumb Up

    @P Saunders

    You know, I think that would work. Personally I'd change the extension to a system file like a .dll and hide it with others like it in an installation directory.

  101. Mad Mike
    Unhappy

    What's encrypted data

    I think people here are missing the point. The issue isn't around passwords and hidden partitions etc. etc. The issue here is how you identify encrypted data. The police can hardly charge you with failure to supply a password (or whatever) unless they can prove the file/partition whatever is encrypted. So, the question to then ask is; what's a foolproof way of proving a file etc. is encrypted?

    Of course, there is no answer to this. A broken file system could be unreadable, but that doesn't mean it's encrypted. Data in a file doesn't have to be readable and doesn't have to be random to be perfectly reasonable unencrypted data. For instance, some data for statistical analysis might well look reasonably random and might not contain readable text, but that doesn't mean it's encrypted.

    So, how do the police prove something is encrypted in court? File extensions prove nothing etc. etc. There is no way of proving 'beyond a reasonable doubt' that something is encrypted and that is the level of proof required in a criminal case, so basically, the only way they can charge you is if you drop yourself in it!! Otherwise, any computer expert should be able to take them apart in court. Simply saying the balance of probabilities suggests it's encrypted data is not good enough as this is a criminal case.......
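The statistical side of the question raised in comment 101, as an added example that is not part of any comment: byte entropy and a chi-square test are the usual first checks for "random-looking" data, and this sketch runs both over three constructed samples. The word list, the sample sizes and the 7.9 bits-per-byte threshold are assumptions chosen for illustration, and seeded pseudo-random bytes stand in for ciphertext.

```python
import math
import random
import zlib
from collections import Counter

# Constructed vocabulary used to build a plain-text sample.
WORDS = ("report ledger sample median column height weight survey "
         "result budget figure annual number record street window").split()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.

    With 255 degrees of freedom, uniformly random bytes score near 255.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def build_samples(seed: int = 1) -> dict:
    """Three constructed inputs: text, the same text compressed, random bytes."""
    rng = random.Random(seed)
    text = " ".join(rng.choice(WORDS) for _ in range(100_000)).encode("ascii")
    return {
        "plain text": text,
        "zlib-compressed text": zlib.compress(text, 9),
        # Stand-in for ciphertext: the test cannot tell the two apart.
        "random bytes": bytes(rng.getrandbits(8) for _ in range(65536)),
    }


def analyse(samples: dict, threshold: float = 7.9) -> dict:
    """Score every sample; 'looks_random' is the entropy >= threshold verdict."""
    report = {}
    for name, data in samples.items():
        h = shannon_entropy(data)
        report[name] = {
            "size": len(data),
            "entropy": h,
            "chi2": chi_square_uniform(data),
            "looks_random": h >= threshold,
        }
    return report


if __name__ == "__main__":
    for name, row in analyse(build_samples()).items():
        print(f"{name:22} {row['size']:8d} bytes  "
              f"H={row['entropy']:.3f}  chi2={row['chi2']:.0f}  "
              f"looks_random={row['looks_random']}")
```

A high score only says the bytes are statistically close to uniform; the test sees no difference between ciphertext and any other source of random-looking bytes.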

  102. Mark 65

    Re:My encrypted data self-destructs...

    and after all that shit you're not keeping anything illegal in it? WTF is the point in that?

  103. David Bell 6
    FAIL

    Atlas Shrugged

    Ayn Rand summed up the UK's current Criminal Justice System beautifully when she wrote

    "Dr. Ferris smiled. . . . . ."We've waited a long time to get something on you. You honest men are such a problem and such a headache. But we knew you'd slip sooner or later - and this is just what we wanted."

    "You seem to be pleased about it."

    "Don't I have good reason to be?"

    "But, after all, I did break one of your laws."

    "Well, what do you think they're for?"

    Dr. Ferris did not notice the sudden look on Rearden's face, the look of a man hit by the first vision of that which he had sought to see. Dr. Ferris was past the stage of seeing; he was intent upon delivering the last blows to an animal caught in a trap.

    "Did you really think that we want those laws to be observed?" said Dr. Ferris. "We want them broken. You'd better get it straight that it's not a bunch of boy scouts you're up against - then you'll know that this is not the age for beautiful gestures. We're after power and we mean it. You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted - and you create a nation of law-breakers - and then you cash in on guilt. Now, that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."

  104. Anonymous Coward
    Boffin

    Seemples

    Create a three disk RAID5 unit and if they come looking just shuffle the disks. The system will sh*t itself and probably format the drives then you can probably claim plod f****d up your machine.

    AC for obvious reasons

  105. Bod

    Re: Plausible deniability & TrueCrypt

    There are flaws even with the likes of TrueCrypt. If someone has access to the PC over time (constantly or with periodic snapshots) they can snoop on changes and infer there is something there. Not to mention they can grab the unencrypted data before it gets to the encrypted partition. The easiest way to convict people is to intercept the data before it's encrypted rather than go through costly forensics on an already encrypted system.

    With TrueCrypt it's also almost a guarantee you have a hidden inner partition even if they can't technically detect it, as that's why people use TrueCrypt. It is possible to detect the outer partition. If it's a file it's fairly easy and if it's an actual partition it's an obvious giveaway as why would you leave a chunk of your disc empty but which has random data in it?

    Another giveaway is if you give the password for the outer partition with fake files, they can easily spot it hasn't been updated regularly and suspect there must be more to it.

    Forensics can go a step further and detect physically where recent changes have been made on the disc in areas that should be empty.
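The snapshot comparison described in comments 98 and 105, as an added example that is not part of any comment: two images of the same container taken at different times are compared sector by sector to see where writes landed. The images are constructed in memory, and the 512-byte sector size, the write locations and the boundary sector (standing for the end of the space used by the visible files) are assumptions.

```python
import random

SECTOR = 512  # assumed sector size


def changed_ranges(old: bytes, new: bytes) -> list:
    """Return inclusive (first, last) sector ranges that differ between images."""
    if len(old) != len(new):
        raise ValueError("snapshots must be the same size")
    ranges, start = [], None
    total = len(old) // SECTOR
    for idx in range(total):
        lo = idx * SECTOR
        differs = old[lo:lo + SECTOR] != new[lo:lo + SECTOR]
        if differs and start is None:
            start = idx
        elif not differs and start is not None:
            ranges.append((start, idx - 1))
            start = None
    if start is not None:
        ranges.append((start, total - 1))
    return ranges


def writes_by_region(ranges: list, boundary: int) -> tuple:
    """Count changed sectors before and from a boundary sector onwards."""
    front = back = 0
    for first, last in ranges:
        for sector in range(first, last + 1):
            if sector < boundary:
                front += 1
            else:
                back += 1
    return front, back


def build_snapshots(seed: int = 7) -> tuple:
    """Constructed data: a 512-sector random-looking image and a later copy.

    The later copy differs only in sectors 300-319 and 400-403.
    """
    rng = random.Random(seed)
    first = bytearray(rng.getrandbits(8) for _ in range(512 * SECTOR))
    second = bytearray(first)
    for lo, hi in ((300, 319), (400, 403)):
        for s in range(lo, hi + 1):
            second[s * SECTOR:(s + 1) * SECTOR] = bytes(
                rng.getrandbits(8) for _ in range(SECTOR))
    return bytes(first), bytes(second)


if __name__ == "__main__":
    old, new = build_snapshots()
    ranges = changed_ranges(old, new)
    front, back = writes_by_region(ranges, boundary=256)
    print("changed sector ranges:", ranges)
    print(f"changed sectors below boundary: {front}, at or above: {back}")
```

The output is a map of where the bytes changed and nothing more; it carries no information about what was written.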

  106. CD001

    yarr

    Re:My encrypted data self-destructs... #

    By Mark 65 Posted Wednesday 12th August 2009 10:34 GMT

    and after all that shit you're not keeping anything illegal in it? WTF is the point in that?

    --------

    It only BECOMES illegal when used for blackmail purposes?

  107. MinionZero
    Big Brother

    Fundamentally flawed police state law...

    Every computer has many thousands of OS and application data files stored in whatever format these programs wish to use. A lot of them are obscure to all but the programmers on that team.

    So what if the police state decides to choose one of these obscure files and asks for it to be decrypted? ... A defense of I don't know means you are sunk. You can't say you've never seen it before and you cannot open it as you have no idea about what it is. It's also extremely unlikely even expert witnesses could identify all the files. No programmer could, let alone non-technical people who wouldn't have a clue. But even programmers couldn't protect against it completely as all programmers can create data files other programmers cannot identify what they are and what is encoded within them. So a truly innocent file can be implied to be illegal simply because it's obscure and that is all that is needed to lock people up these days!

    So this law is now the perfect tool to not only silence anyone you want to choose to use the law against, (to get them locked up) plus as a bonus you also get to discredit their character by implying they are doing wrong. Great way to run a police state. It would be the perfect tool to use against political opponents, or better yet simply use it against political protesters, say protesters against the growing and rampant state corruption. Pick them up, search their computer, lock them up for a few months or even years and when they are released it's too late for them to help stand against the growing corruption. Doesn't even matter if they appeal and win, all that happens is they get a very small amount of state money but the real goal was to silence them during the protests, so it's money well spent. Anyway tax payers pay for locking them up and pay for the appeal payouts. So it's a win win move for a police state.

    As for “the government's Chief Surveillance Commissioner, ” ... WTF!?!

    So yet again, another day and another way our ever growing police state tightens its grip once more around all our necks. Now all unknown files can be used against us. Oh great. How many more legal and political tools do they need to run a repressive regime? Surely they have enough already, but then with greedy control freak people who seek power over others, sadly history shows no amount of power is enough for them, as they always want more because more means more personal gain from having such growing power over everyone else.

    Even more worryingly, the more the greedy power seekers clamp down on all of us, the more they create a pressure for change away from their control, but I fear this won't end once the Conservatives wipe out NuLabour at the next election. The Conservatives are very likely to just keep using what NuLabour have created and just blame Labour for the mess. In one core regard, everyone in politics (regardless of which party they are in) is at their core, the same kind of person. They all seek power over other people. That's why they go into politics. So as they are all power seekers then they all seek the personal gain they get from having such power over us all. So this descent into a police state isn't going to stop. The better technology gets the worse they will get. They will just build on what they already have from NuLabour. All MPs seek power over others and new technology is giving them ways to gain ever more power their predecessors could never have ever dreamed possible. There needs to be a line they cannot cross but they don't want to listen.

    The more they fail to listen the more this is coming down to a US vs THEM situation where it's everyone in the UK against the minority of greedy control freaks who seek to rule over us all, ultimately for their own gain. Computers, the Internet, even all of technology in general are just pawns in their battle for ever more power and the more they clamp down on our lives the more they heat up that battle and the growing anger against them. So every day now I fear we are taking another step towards what was once unthinkable in the UK, a full scale revolution against the ever more corrupt and greedy political elite. The way it's going it looks ever more likely the public anger against the expenses claims was just the first round of this coming battle.

    “Alas, that these evil days should be mine.” :(

  108. scrubber
    Big Brother

    Rights

    You have the right to remain silent so as to not self-incriminate*.

    Or do you???

    * It may harm your defense if you later rely on something in court that you failed to mention now.

  109. Anonymous Coward
    Thumb Up

    @By Havin_it

    >I don't know what the hell a "squat team" is

    Hahahaaa... thanks, even now it still took me a while to figure out what was wrong with my comment.

  110. Anonymous Coward
    Anonymous Coward

    @Anonymous Coward -16:23 GMT

    "In any case, if the justification for the stupid law is child porn, then that's a stupid justification because perverts looking at pictures, however disgusting you or I might find them, is a victimless activity and shouldn't be a crime."

    I understand the sentiment behind this, while not agreeing with it 100%. I don't get why this is good for 1-2 years, whereas raping someone and pouring caustic soda on her's good for 4. Why 6 people pinning down some chap and smashing a bottle over his head gets 150 hours community service. I could cite dozens more examples, of course.

    My personal opinion is that this is simply the powers that be venting their frustration at the lack of results in shutting down CP sites. It really is pathetic. An IP address is traceable for God's sake! You'd think that a known location, where the punters go to get their 'stuff' would be easy to target. You'd think that even at the international level the government would be able to exert some pressure. Jeez, we start enough wars for less don't we?

  111. Anonymous Coward
    Anonymous Coward

    @right to silence - self incrimination unlawful under EU law

    Minor nit-pick, but the European Convention on Human Rights is nothing to do with the EU. It was enacted in 1948 under the aegis of the Council of Europe, before the EU or its predecessor the EEC existed, and it applies to all the Council of Europe countries, which is much larger than the EU.

    A quick look at Wikipedia suggests that it does not give the right not to self-incriminate, but even as a non-lawyer I'd've thought that the reversal of the burden of proof must surely be contrary to Article 6, section 2:

    "Everyone charged with a criminal offence shall be presumed innocent until proved guilty according to law."

    I'm surprised that neither of the persons convicted have appealed to the European Court of Human Rights on this ground.

  112. Freddie
    Terminator

    @Bod

    The problem with your flaws in Truecrypt is that time travel isn't as easy as it used to be (or as it will used to be once it's been invented in the past). </facetiousness>. Requiring cops to get the files before they're encrypted rather defeats the object of the discussion.

    Also, stating that monitoring the tc file over time allows you to see which bits have changed and which bits haven't is meaningless. It only allows you to say "I think there's something there otherwise their behaviour is a bit weird". It doesn't let you prove anything.

    T600 as the time travel that's undergone doesn't fit either ;)

  113. Anonymous Coward
    Boffin

    times change

    technology changes the balance. get over it.

    you can't wax nostalgic for some dust covered 'due process' when criminality is so well armed.

  114. Anonymous Coward
    Anonymous Coward

    Encryption keys same as physical keys?

    "If there is reasonable suspicion of crime and its gone through the legal process, of course they should, same as they would their house keys, safe keys or shed keys......"

    I'm not aware there is a law requiring you to surrender house keys, shed keys or even safe keys. Nor is it generally illegal to destroy or hide incriminating evidence. If I shoot someone I won't get into further trouble by wiping my prints off the gun, or for refusing to tell the police where I have hidden it.

    It's a basic principle of natural justice that you shouldn't be required to incriminate yourself. It's true that businesses are required to maintain and make available certain records. But this is required whether or not they are under investigation. And individuals have more rights to privacy than public corporations.

    You are not allowed to impede police investigations but you are not required to assist them either. Except for RIPA, it seems...

  115. Anonymous Coward
    Thumb Down

    Not just kids

    "You see, if a pervert has PHOTOS of kids having sex with each other, then to take those photos somebody had to, you know, actually force some real kids to have sex with each other. Not exactly victimless, eh?"

    Bear in mind the definition of "kids" in this case is anyone under 18. If you think 14-17 year olds need any external persuasion to have sex with each other, then you're clearly not living in the real world - and some of them will record it, and some of those will even distribute the video publicly, again without any external coercion.

  116. Anonymous Coward
    Anonymous Coward

    @bigphil9009

    You are Mr Mandelson and I claim my £5...

  117. PECB

    No Obligation

    I'm not an expert on law in the U.K., but in the U.S. (whose legal traditions closely mirror the U.K.'s) you're under no obligation to provide evidence -- it's up to the government thugs to make use of what they steal & if they can't use it -- well too bad for them.

    With that said, my pedestrian understanding of U.K. legal traditions posits that the same is supposed to hold true there, so the law mentioned in the article about requiring someone to decrypt their stuff for "Authorities" sounds like it is null and void and needs to be challenged in your legal system, because it is in direct conflict with the U.K.'s legal traditions (which your ancestors fought and died for, just as the U.S. Founders fought and died for similar ideologies).

  118. Anonymous Coward
    Anonymous Coward

    Illegal to conceal incriminating evidence

    "Nor is it generally illegal to destroy or hide incriminating evidence. If I shoot someone I won't get into further trouble by wiping my prints off the gun, or for refusing to tell the police where I have hidden it"

    Well it seems now that it's "perverting the course of justice" if you attempt to hide evidence of your crime: http://uk.news.yahoo.com/5/20090814/tuk-bbc-presenter-sacked-after-attack-on-45dbed5.html

    "The 40-year-old was also found guilty of perverting the course of justice by throwing the pole into a neighbouring garden centre in an attempt to conceal it from police."

  119. Charlie Barnes
    Black Helicopters

    How long?

    How long until we have a system with two keys? A real one and the one you tell No. 10 - which decodes as "Pat-a-cake, pat-a-cake, baker's man"?

  120. Anonymous Coward
    Anonymous Coward

    Just curious

    What if some US government contractor goes to another country already pizzed off at this type of intrusion and they're ordered to hand over their keys?

    Do you think the US Gov would stand for that?

    Hell, I've been in line in Brazil where they turned the US mindfcuk tricks back on them. Hah, fifty people in my group, the only two that got picked on was the two US Passport holders. Their comment? "You can't do that to me, I'm an American." Yeah, you and everyone else pal.

  121. PerfectBlue

    Harsh

    2 years in jail seems draconian for what amounts to refusing to cooperate with search and seizure. If you refuse to hand over the keys to your safe they just get a safe cracker in and charge you with obstruction. The same if you put your hard disk in a safe deposit box and refuse to tell them where it is. They charge you with obstruction and go find the box themselves.

    This sounds like one of those nasty little laws designed to find reasons to hold people for longer or to trump up charges. They don't have the evidence to hold or charge you with the crime that they're accusing you of, so they find other charges to hold you on. This is the equivalent of charging somebody with loitering because you've waited all day and haven't seen them do a drugs deal.

  122. Anonymous Coward
    Coffee/keyboard

    @ "Domestic extremism"

    You owe my client a new keyboard =)
