
UK Court Rejects Encryption Key Disclosure Defense

samzenpus posted more than 5 years ago | from the do-not-pass-go dept.

Security 708

truthsearch writes "Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled. The case marked an interesting challenge to the UK's Regulation of Investigatory Powers Act (RIPA), which in part compels someone served under the act to divulge an encryption key used to scramble data on a PC's hard drive. The appeals court heard a case in which two suspects refused to give up encryption keys, arguing that disclosure was incompatible with the privilege against self incrimination. In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will."


708 comments


First of many, methinks (4, Funny)

citizen_senior (1372475) | more than 5 years ago | (#25396127)

Hey ho

Fuck the British equivalent of Homeland security (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#25396147)

You guys point at us and laugh? Wait'll you see what your gov't is aiming for in the same country where 1984 was written.

Re:Fuck the British equivalent of Homeland securit (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25396387)

Our country doesn't make the same promises about liberty in a single document which all our countrymen regard as some kind of holy scripture. It is the American attitude of how you are all in the "land of freedom, better than all other nations in every way" that makes your massive overreaction to one terrorist attack so ironic. It's like a kid vowing to never go back to school again because a bully once stole his lunch money.

I don't mean any disrespect to those who died in 9/11, but people are dying all the time from accidents, disease and natural disaster. Wasting all the money you have on going to war in Iraq and Afghanistan when in fact it was a terrorist organisation and not a single country that attacked you, is pretty dumb. If you go around spending billions attacking everyone that you feel slightly threatened by, you'll end up in financial meltdown... oh, wait...

I wish the US Supreme Court was that smart. (3, Insightful)

Tyrannicalposter (1347903) | more than 5 years ago | (#25396149)

I wish the US Supreme Court was that smart.

Protection from self incrimination was to prevent confessions under duress or torture.

I don't see the difference between refusing to turn over an encryption key and refusing to let the police in your house when they have a valid search warrant.

Oh noes! You police can't come into my meth lab. Me letting you in would be self incrimination!

Re:I wish the US Supreme Court was that smart. (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25396219)

How is locking somebody up for a full year in a prison cell because they do not give up the encryption key, claiming they don't know it, other than torture?

In short, how is it different?

Re:I wish the US Supreme Court was that smart. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25396443)

Because you can't be tortured into making up shit that would incriminate you. The key provides the same set of evidence, regardless of your state of mind.

It's that simple.

Re:I wish the US Supreme Court was that smart. (2, Insightful)

DrVxD (184537) | more than 5 years ago | (#25396497)

You think nobody's ever confessed to something they didn't do under torture?
I'd say a false confession qualifies as "making up sh*t"

Re:I wish the US Supreme Court was that smart. (1)

Richard_at_work (517087) | more than 5 years ago | (#25396629)

Well, for a start, it's not torture, it's incarceration - if you can't tell the difference between intentional acts of pain or suffering and simple denial of liberty, then you can't take part in this discussion.

Re:I wish the US Supreme Court was that smart. (3, Interesting)

Tyrannicalposter (1347903) | more than 5 years ago | (#25396635)

So, by YOUR theory, subpoenas would be completely unenforceable.

A subpoena ad testificandum orders a person to testify before the ordering authority or face punishment.
Sorry Judge, I forgot.

A subpoena duces tecum orders a person to bring physical evidence before the ordering authority or face punishment.
Sorry, Judge, I lost it.

Unless you're just stupid and say "No" instead of "I forgot"

Re:I wish the US Supreme Court was that smart. (1)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#25396727)

It doesn't leave any visible marks of course!

Re:I wish the US Supreme Court was that smart. (5, Insightful)

ShakaUVM (157947) | more than 5 years ago | (#25396249)

The US has already ruled you can't be forced to give out an encryption key.

It's nice having a Bill of Rights, ain't it?

Laugh at all the British who say such a thing is unnecessary.

Re:I wish the US Supreme Court was that smart. (5, Insightful)

Anonymous Coward | more than 5 years ago | (#25396421)

*cough*Gitmo*cough*

Re:I wish the US Supreme Court was that smart. (5, Insightful)

Kokuyo (549451) | more than 5 years ago | (#25396479)

Yeah, we'll laugh at them as soon as we're through laughing at the US for letting their bill of rights be trampled in the name of security.

Freedom must not only be won, it must be protected. Fail to do so and what's coming to you is solely your own fault.

Re:I wish the US Supreme Court was that smart. (5, Insightful)

Koim-Do (552500) | more than 5 years ago | (#25396409)

A warranted police search of your meth lab does not require any consent on your side - that's what the warrant is for. They will just break down the door and go on with the search.

Same with the safe in your lab: you can either give the police the code for your safe, or refuse and watch them breaking it.

Why is your encryption key any different from the safe/door you have?

Re:I wish the US Supreme Court was that smart. (5, Funny)

DrVxD (184537) | more than 5 years ago | (#25396505)

> Why is your encryption key any different from the safe/door you have?
It isn't. I'll just stand back and watch them break my 256-bit AES...

Re:I wish the US Supreme Court was that smart. (1)

bluephone (200451) | more than 5 years ago | (#25396439)

Well, it's also different because with a warrant they can gain access to your house and safe and such without your cooperation, worst case they call a locksmith and open the safe without your help. But an encryption key can be considered testimony, since it's something you know as opposed to a physical object. Further, theoretically they can brute force your encryption if it's important enough.

Re:I wish the US Supreme Court was that smart. (2, Interesting)

bigmouth_strikes (224629) | more than 5 years ago | (#25396637)

No, that argument doesn't fly.

The physical lock might as well be a combination lock, and thus the combination would consist of "knowledge" just the same as for an encryption key. It is perfectly legal for the police to require you to divulge the combination to your locker.

"Something you know" isn't what counts when it comes to protecting you from self incrimination; it is whether the "something you know" is incriminating you. And unless your combination isn't a crime in itself, you wouldn't directly incriminate yourself by divulging it, which is what the self incrimination protection is about.

Re:I wish the US Supreme Court was that smart. (1)

Rakishi (759894) | more than 5 years ago | (#25396709)

> It is perfectly legal for the police to require you to divulge the combination to your locker.

Not true in the US from what I can tell. They can force you to hand over a physical key but not a combination.

Re:I wish the US Supreme Court was that smart. (5, Funny)

Devalia (581422) | more than 5 years ago | (#25396733)

Can I interpret that as being a valid defense if my encryption keys are all derived from 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0..

Re:I wish the US Supreme Court was that smart. (4, Interesting)

me at werk (836328) | more than 5 years ago | (#25396441)

What about when there's no key to hand over [theregister.co.uk] ?

Re:I wish the US Supreme Court was that smart. (1)

Rakishi (759894) | more than 5 years ago | (#25396523)

No problem then, the police can't prove that someone remembers the encryption key thus by your own argument this law is BS. Or do you in fact mean to assume that no one ever forgets a password?

In other words are you actually saying you think it's right to send someone to jail because they honestly forgot the key to some 5 year old encrypted volume they don't even remember exists?

Re:I wish the US Supreme Court was that smart. (5, Interesting)

HungryHobo (1314109) | more than 5 years ago | (#25396661)

It gets worse.
Theory: with a good encryption program any encrypted data should look random.
That truecrypt volume should be impossible to tell from a file I've created with
cat /dev/urandom > file

So you could type that very command and 5 years later they ask for your encryption key...
Key?
To jail with you!

Same goes for any random/semirandom data you have which has no mime type.

Now I'm willing to bet there are programs which can take a photo album and hide an encrypted volume in the least significant bit of the pixels, how would law enforcement deal with that?

"GIVE US THE KEY!"
"but but but... what do you want the key to..."

Long story short, if you live in the UK and own an electronic data storage device you can now be thrown in jail for no reason at all.
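The indistinguishability point in the comment above, as an added example that is not part of the original thread: byte statistics give the same verdict for output of the system random source and for ciphertext. The SHA-256 counter keystream is a stand-in for a real cipher (it is not what TrueCrypt uses), and the key, sample text and 7.9 bits/byte threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
from collections import Counter

SAMPLE_SIZE = 64 * 1024          # bytes per sample (assumed size)
KEY = b"constructed-demo-key"    # constructed key, for illustration only
ENTROPY_THRESHOLD = 7.9          # bits per byte (assumed triage cut-off)


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (stand-in cipher).

    XOR is its own inverse, so the same call also decrypts.
    """
    out = bytearray()
    for block_no in range(math.ceil(len(data) / 32)):
        pad = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (max 8)."""
    total = len(data)
    counts = Counter(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.

    For uniform data the value sits near 255 (the degrees of freedom).
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected
               for b in range(256))


def triage(data: bytes) -> str:
    """Label a blob the way a byte-statistics triage pass would."""
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return "structured"


def make_plaintext(size: int) -> bytes:
    """Constructed sample text, repeated records up to `size` bytes."""
    buf = bytearray()
    i = 0
    while len(buf) < size:
        buf += b"constructed sample record %06d\n" % i
        i += 1
    return bytes(buf[:size])


def build_samples() -> dict:
    """Three blobs of equal size: text, its ciphertext, and OS randomness."""
    plaintext = make_plaintext(SAMPLE_SIZE)
    return {
        "plaintext": plaintext,
        "ciphertext": keystream_encrypt(KEY, plaintext),
        "random": os.urandom(SAMPLE_SIZE),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:<10} entropy={shannon_entropy(blob):.4f} "
              f"chi2={chi_square(blob):10.1f} -> {triage(blob)}")
```

Byte statistics can only say "high entropy"; they cannot say whether a key exists for the blob.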

Re:I wish the US Supreme Court was that smart. (2, Informative)

HungryHobo (1314109) | more than 5 years ago | (#25396677)

I hadn't noticed this in the article when I made the last post but

"The woman, who claims to have not used encryption"

Re:I wish the US Supreme Court was that smart. (0)

Anonymous Coward | more than 5 years ago | (#25396555)

You're looking for the simple answer of... The quality of my memory is inversely proportional to my stress level. I can tell you it has a "1" in it.. or was that an "I" or maybe it was a "l" .. where was I, oh yeah it was a "7", no wait it was a "1".

I think the judge is wrong. Your encryption key is not a key like a house key. It's information and not physical. You don't have to self incriminate yourself by telling which lake you dropped the gun in and you shouldn't have to incriminate yourself this way either.

Besides, if the investigation is carried out correctly, your key and enough evidence to convict you has been gathered already and you don't need to give them the key. If they need the key it's because they botched their job. Take this from a guy with an MSc in Computer forensics. The need to force people to give up keys is more indicative of poor investigatory standards and practices than it is a willingness to infringe on basic rights.

If you really want to have a laugh tie your encryption into hardware, software and correct shutdown details on your machine so the decryption only works on your own machine in normal circumstances. Standard operating procedures call for a "pull the plug" approach to evidence seizure and evidence is never examined in its original form. It is copied and analysed on another machine.

willpower (2, Insightful)

ritalinvillain (780156) | more than 5 years ago | (#25396153)

If it is physical, can't they just take it off them? I guess it is will. That barrister sucks.

Re:willpower (2, Interesting)

TheLink (130905) | more than 5 years ago | (#25396309)

Yeah. Go fetch the key without my help.

As I've been saying, what we need is better plausible deniability.

https://bugs.launchpad.net/ubuntu/+bug/148440 [launchpad.net]

Then they can't go around asking everyone for their keys - because most really wouldn't have them :).

The Truecrypt proponents don't get it. Hidden container or not, you have to voluntarily install Truecrypt, so that's sufficient cause for them to target and trouble you.

That link is a brilliant idea (1)

Chrisq (894406) | more than 5 years ago | (#25396529)

It's a pity it will never be implemented.

Wow... (1, Funny)

MorderVonAllem (931645) | more than 5 years ago | (#25396157)

...I really don't want to visit Britain anymore. I read a while back about mandatory biometric scanning of tourists and from there it just gets progressively worse. Shame too since it really seems like a nice place to visit in terms of history. Oh well...

Re:Wow... (1)

freedom_india (780002) | more than 5 years ago | (#25396251)

Not like US. It appears to be bad, but the immigration is not that bad like US. If you are from a Commonwealth country you really have less to worry.
Once inside, I learnt to ride the Tube in just a day. I visited the British Museum, Naval Observatory, the Greenwich stuff, all by myself.
I mean they are not that paranoid like in US where they strip-search you for visiting the USS Constitution and refuse any pics to be taken.
Secondly their intelligence is amazing. So if you don't have a record, you really don't have to be afraid of the Orwellian eyes.

Re:Wow... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25396659)

Um, I'm a UK citizen and on my last visit to the US (September 2007) I had my fingerprint scanned. So the US is also using biometric scanning of visitors.

Re:Wow... (2, Insightful)

Anonymous Coward | more than 5 years ago | (#25396689)

Hmmm, you must be American or you have never travelled to America. "Mandatory biometric scanning" would include taking your fingerprints or a photograph? Both have been in place for visitors to America for years now: "US-VISIT".

Bio scanning a US import (5, Informative)

MosesJones (55544) | more than 5 years ago | (#25396721)

> I read a while back about mandatory biometric scanning of tourists

I'm really hoping you aren't a US citizen as getting into the US now requires the scanning of all your fingers and of course the answering of the 7 stupidest questions in the history of questioning.

The bio-scanning stuff is a pain in the arse, but it's unfortunately not a UK invention, it started in the US for "Security" reasons. You also now have to have a printed out copy of your itinerary (like that would be hard to fake) as an electronic copy on a PDA or laptop just isn't good enough.

Oh Joy (0)

Anonymous Coward | more than 5 years ago | (#25396159)

So now, in the UK, with the government inspecting everyone's e-mail [slashdot.org] , even encryption won't protect privacy anymore.

Re:Oh Joy (2, Interesting)

Maguscrowley (1291130) | more than 5 years ago | (#25396221)

Stenography is the ultimate answer. If they start calling people on information that they think could be there but cannot be proved: we might as well just all move to friendlier pastures and watch the collapse of that nation from a TV far far away.

Then again, if it goes so far as a steno witch hunt then some of us might very well become terrorists. The US and UK are good at producing their own enemies.

Re:Oh Joy (3, Funny)

jesdynf (42915) | more than 5 years ago | (#25396307)

I would suggest employing >i>steganography, instead.

Re:Oh Joy (2, Funny)

Anonymous Coward | more than 5 years ago | (#25396377)

Tsk. I would suggest to you employing the Preview feature to ferret out HTML errors.

Huh? (5, Insightful)

someone1234 (830754) | more than 5 years ago | (#25396169)

Memorised encryption keys exist outside of your will?
I'm sure the number exists somewhere out there, good luck finding it by brute force.

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#25396199)

lol this reminds me of the films where they scan your brain for the answers...

It's not as long away as you think ;)

Re:Huh? (1)

oodaloop (1229816) | more than 5 years ago | (#25396235)

I wonder if it's illegal now to just forget. "I'd love to help you officer, but I guess I just forgot it!"

Re:Huh? (5, Informative)

jimicus (737525) | more than 5 years ago | (#25396371)

> I wonder if it's illegal now to just forget. "I'd love to help you officer, but I guess I just forgot it!"

IIRC, that's been the case since the RIPA was first proposed. If the police come knocking and say "Give us the key", the burden of proof is on you to be able to show that you can't. (How on Earth you're meant to prove that you can't give them something like that is your problem).

Failure to give them the key can lead to 3 years in prison. There was also talk of a proposal whereby if you discuss the order to hand over the key with anyone, you can get 5 years in prison.

(All of this is based on several-year-old memories from articles in The Register, YMMV, IANAL, OMGWTFBBQ).

Re:Huh? (1)

jamesh (87723) | more than 5 years ago | (#25396435)

> There was also talk of a proposal whereby if you discuss the order to hand over the key with anyone, you can get 5 years in prison.

That goes against every UK and US cop show I've ever watched. I thought you were always allowed to insist on legal representation before answering any questions.

Surely you'd have to be allowed to discuss with a lawyer whether the cops finding the kid you have tied up in the basement of a secret location is going to land you a worse sentence than not handing over the encryption keys...

Re:Huh? (3, Funny)

russ1337 (938915) | more than 5 years ago | (#25396647)

> > I wonder if it's illegal now to just forget. "I'd love to help you officer, but I guess I just forgot it!"
>
> IIRC, that's been the case since the RIPA was first proposed. If the police come knocking and say "Give us the key", the burden of proof is on you to be able to show that you can't. (How on Earth you're meant to prove that you can't give them something like that is your problem).
>
> Failure to give them the key can lead to 3 years in prison. There was also talk of a proposal whereby if you discuss the order to hand over the key with anyone, you can get 5 years in prison.
>
> (All of this is based on several-year-old memories from articles in The Register, YMMV, IANAL, OMGWTFBBQ).

I'd just say the password is "the name of the second gunman on the grassy knoll". When the agent instantly types, you know there was one.

oh, that's right. It's actually the name of the town where Elvis is under witness protection...

Re:Huh? (3, Insightful)

Chrisq (894406) | more than 5 years ago | (#25396675)

This of course leaves a brilliant way to set someone up. Send them an encrypted email. Anonymous tip off to police. Wait until police ask them for the keys. Of course they cannot prove that they don't know the key so off to jail they go.

Someone sent encrypted files to the Home Secretary once, which included details of a crime (reported by someone outside the UK). I expect it was driving over the speed limit or littering or something minor, but even so they could then genuinely inform the police that the Home Secretary had an encrypted email detailing a crime.

Re:Huh? (2, Interesting)

freedom_india (780002) | more than 5 years ago | (#25396375)

It's NOT illegal to say I forgot. The government uses it all the time to justify its continuous laptop losses...
So cite that in court. Plus add that the Government thinks the court is stupid. That will rile the judges enough to judge in your favor.
Nothing irritates a judge more than the Government arrogantly claiming they are bigger than the court.

Re:Huh? (0)

Anonymous Coward | more than 5 years ago | (#25396547)

> I wonder if it's illegal now to just forget.

I believe in the UK RIPA act, saying you forgot is not an allowable defence unless the judge believes you're telling the truth, otherwise you're still just withholding your key.

Re:Huh? (5, Funny)

jamesh (87723) | more than 5 years ago | (#25396373)

Reminds me of this failed pick-up scenario:

guy: Hey baby, what's your phone number?
girl: It's in the phone book, look it up!
guy: But I don't know your name.
girl: That's in the phone book too.

Fingerprint (1)

russ1337 (938915) | more than 5 years ago | (#25396613)

What if the key is your fingerprint over the scanner? Are they going to give you physical access to the machine?

Left thumb = open files
Right thumb = runs script that overwrites encrypted blob with random data 5 times while appearing to unlock....

Re:Huh? (1)

Yvanhoe (564877) | more than 5 years ago | (#25396627)

Well, yes, mathematically, it can be defined in another way than "the number you memorized" because it actually is "the encryption key that makes this seemingly random data look like a FAT32 or ext3 filesystem"

Disclosing a key is disclosing knowledge (4, Interesting)

Ed Avis (5917) | more than 5 years ago | (#25396189)

Suppose some incriminating evidence exists but it is hidden in a secret location. Can you be forced to disclose that location?

If not, then why not store your encrypted data on a huge partition of random data. To get it you need both the key and the location of the data. The latter you can simply refuse to disclose.

Re:Disclosing a key is disclosing knowledge (1)

Artraze (600366) | more than 5 years ago | (#25396425)

> If not, then why not store your encrypted data on a huge partition of random data. To get it you
> need both the key and the location of the data. The latter you can simply refuse to disclose.

That's (mostly) a no-go. Denying the police access to evidence (when the court says they are entitled to it) is always going to get you in trouble for hindering an investigation. Of course, this is only if they can prove you have some encrypted data, but are unable to determine where it's hidden. This is rather unlikely, so the hiding is either going to be useless or prevent them from asking for the key in the first place.

> Suppose some incriminating evidence exists but it is hidden in a secret location.
> Can you be forced to disclose that location?

I believe the answer is 'yes', but I could be wrong (as destroying evidence is illegal). The thing is that they have to be able to prove the evidence exists and that you know where it is. That's not trivial. You can't charge a murder suspect for not answering "Where's the body" since you have no basis on which to claim he knows (he's innocent until proven guilty).

Re:Disclosing a key is disclosing knowledge (1)

Yvanhoe (564877) | more than 5 years ago | (#25396717)

> Of course, this is only if they can prove you have some encrypted data, but are unable to determine where it's hidden. This is rather unlikely, so the hiding is either going to be useless or prevent them from asking for the key in the first place.

Last time I gave this opinion here, I was retorted with a smart argument involving truecrypt : have an encrypted volume with personal but not so important data on it, then put an encrypted hidden volume inside the already encrypted volume. If you give the first key to law enforcement officers, they won't be able to determine if the data in the unallocated part of your first TC volume is really random or hides other data.

Re:Disclosing a key is disclosing knowledge (2, Interesting)

MadKeithV (102058) | more than 5 years ago | (#25396495)

Just have two keys. The real key, and a key that when used de-scrambles all the data as 18th century political tracts.
Hand out the second one.

Hide your data (plausible deniability+ physically) (2, Interesting)

apathy maybe (922212) | more than 5 years ago | (#25396201)

Obviously then, the way to prevent the cops from knowing about your encrypted data is to hide it from them. If they don't know about the encrypted file, they can't ask for the password.

Two ways, plausible deniability (if you haven't heard of TrueCrypt [truecrypt.org] yet, check it out) is the way that most of you will use.

The other way is physically hiding the disk. Have a garden that you use, and store your data in multiple plastic bags and bury it.

The other thing you could do, have a strong magnetic field that is triggered in certain scenarios that will wipe your box of floppy disks/hard drive. Example scenarios include the cops breaking down the door, or the door being opened without a button being pressed.

Re:Hide your data (plausible deniability+ physical (1)

dredwerker (757816) | more than 5 years ago | (#25396259)

Plausible Deniability Has to be the way forward from the TC website.

In case an adversary forces you to reveal your password, TrueCrypt provides and supports two kinds of plausible deniability:
1. Hidden volumes (for more information, see the section Hidden Volume).
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of "signature"). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted. However, note that for system encryption, the first drive track contains the (unencrypted) TrueCrypt Boot Loader, which can be easily identified as such (for more information, see the chapter System Encryption). In such cases, plausible deniability can be achieved by creating a hidden operating system (see the section Hidden Operating System).

Re:Hide your data (plausible deniability+ physical (1)

Deaddy (1090107) | more than 5 years ago | (#25396267)

Thermite would probably be the better and easier choice, because as far as I know, the magnetic fields you'd need to wipe out a disk are very strong (guess some T). Furthermore, it's much easier to set off a fuse without external power than an electricity powered coil.
However, it's not guaranteed that they x-ray your case before they open it, so some additional security layers would be needed.

Why these jokers didn't say i forgot.... (4, Insightful)

freedom_india (780002) | more than 5 years ago | (#25396207)

Why these jokers didn't say I forgot I will never know.
I mean how hard is it to NOT self-incriminate oneself: Say you forgot. Just like every other government official says after losing a laptop full of Witness Protection persons or intelligence officers, etc.
They can't compel you to recall something you don't remember.
Simply say "I am sorry I can't remember: my memory is a bit hazy from all the manhandling the cops did, your honor."
What's the worst? Gitmo? I don't think so (although Britain has a track record of renditioning suspects to US).
At a time when courts and the government make a combined assault on our privacy and rights, while being more secretive themselves, it is up to us to protect ourselves. Call me paranoid, but I am the Burt Gummer type.
The Government has NO right to force me to divulge my self-secrets just like I can't force a government of the people, by the people and for the people to divulge its dirty secrets.
I can't be transparent when the Government wants to be opaque.
After all it has been proven that the Government cannot be trusted even with the most basic secrets.
What is the criminal penalty for jokers who lost various laptops holding government secrets and OUR data? NONE.
What is the financial and criminal penalty the Government will pay if it causes me harm by leaking my secrets? NONE.
Until the Government pays for its mistakes (and heavily), I am not going to divulge anything more to it. After all the Government am not trusty enough to know about its secrets, so why should I trust Government.
Ben Franklin, Hamilton and Mark Twain were absolutely right: You CANNOT and SHOULD NOT trust the government, if it doesn't trust you.

You can take my keys from my cold dead hands.

Re:Why these jokers didn't say i forgot.... (1)

clarkkent09 (1104833) | more than 5 years ago | (#25396333)

> I mean how hard is it to NOT self-incriminate oneself: Say you forgot.

Sure, it's done all the time. You are opening yourself to perjury though, which could be a more serious charge than the original crime. As far as I know you need a certain amount of time to pass before "i forgot" can be taken seriously by the judge/jury. You can't open a combination lock one day and claim that you forgot the key the next day.

Re:Why these jokers didn't say i forgot.... (2)

Richard W.M. Jones (591125) | more than 5 years ago | (#25396449)

They don't say they forgot because there's usually other evidence that they know the key.

For example, timestamps on the encrypted file, unencrypted corroborating data in a swapfile, or evidence that the machine was switched on at some recent point in time.

By the way, everyone gets it wrong, but RIPA does not require that you reveal your key. It requires that you make the data available in "intelligible form". You can read the details here [opsi.gov.uk] .

Rich.

Re:Why these jokers didn't say i forgot.... (4, Interesting)

freedom_india (780002) | more than 5 years ago | (#25396619)

It is interesting to note that while section 53 states criminal penalties for non-disclosure on part of defendant, section 55 does NOT state any criminal penalties against misuse/abuse of such information.
The Government has covered its shiny metal a$$ well with this section.
So the courts can sentence you to 6 months imprisonment for NOT revealing the key, but if you reveal the key and some government official loses it in the next train (which happens monthly), the CP or the government official cannot be imprisoned for the loss or any such loss caused to you by that loss.
Brilliant!
All the more reason for me to NOT give out my key.
Until such time I see a CP or a minister sentenced to jail for loss of residents' confidential information, I am not comfortable with providing ANY information to this Orwellian government.
I WILL claim memory loss for this. Let them prove I am lying.

Re:Why these jokers didn't say i forgot.... (1)

amck (34780) | more than 5 years ago | (#25396699)

Because saying "I forgot" is specifically NOT a defense under the UK Act.

One of the big 'weaknesses' of the act, as argued before it was passed, is that if someone was to spam you with a block of random data, the police could demand that you hand over the encryption key or face 5 years jail. You don't know anything about it, so you don't have the key ...

Oh, and under the bill currently going through Parliament, they (the govt) get a copy of all email.

Logic ? (0)

Anonymous Coward | more than 5 years ago | (#25396209)

> In its ruling, the appeals court said an encryption key is no different than a physical key and exists separately from a person's will.

Ummm ... an encryption key that exists only in someone's memory is clearly 'different' than a physical key ... choosing to divulge (or not) a memorized key is clearly a demonstration of 'will' ...

Re:Logic ? (1)

clarkkent09 (1104833) | more than 5 years ago | (#25396291)

Well I guess a parallel can be made with a physical lock that is opened with a number combination. You would have to open it if the police have a warrant, even though the combination is stored only in your memory.

dude (0)

Anonymous Coward | more than 5 years ago | (#25396217)

you know where i can find a free whitepaper?

forget it? (0)

Anonymous Coward | more than 5 years ago | (#25396261)

What if you claim (perhaps even honestly) that you forgot it? Can they prove you are being dishonest? What is the punishment? I am guessing detention for some period of time.

Make the key physical (0)

Anonymous Coward | more than 5 years ago | (#25396271)

Do not memorize the key, write it on a piece of paper. Then kill someone and hide the paper with the body.

So anyone want to do this.... (3, Interesting)

91degrees (207121) | more than 5 years ago | (#25396279)

Create an encrypted file. A lolcat or something. Encrypt it. Encrypt it again. Encrypt it again. Encrypt it again. Encrypt it again. And so on... See how long it takes for the police to get bored. You would need some decent legal representation to make sure to keep a loophole open so they can't demand all encryption keys.

Re:So anyone want to do this.... (4, Interesting)

jamesh (87723) | more than 5 years ago | (#25396401)

Is there a system which will allow the use of a 'duress' key? If the duress key is given instead of the real key the encrypted data is erased. This would be easy enough to defeat by a suitably motivated investigator, but they'd have to have figured out what was going to happen first...

Re:So anyone want to do this.... (3, Informative)

scientus (1357317) | more than 5 years ago | (#25396653)

truecrypt [truecrypt.org]

Re:So anyone want to do this.... (1)

meringuoid (568297) | more than 5 years ago | (#25396703)

Is there a system which will allow the use of a 'duress' key? If the duress key is given instead of the real key the encrypted data is erased. This would be easy enough to defeat by a suitably motivated investigator, but they'd have to have figured out what was going to happen first...

The first thing they do is take a backup of the evidence. Then they work from that, not the original. If they do anything at all to the original other than taking a faithful bit-for-bit copy, the defence can claim they planted the evidence there.

Instead, make the duress key decrypt to a volume full of really kinky but not illegal porn, and the real key decrypt to what it is you really want hidden. That'll satisfy the police, as you have a good reason to encrypt that stuff. I believe TrueCrypt supports this kind of trick.

a difference (1)

BradMajors (995624) | more than 5 years ago | (#25396283)

A difference between a physical key and an encryption key is that if you do not provide a key to a door or to a safe the police are capable of opening any door or any safe without the key.

Re:a difference (1)

apathy maybe (922212) | more than 5 years ago | (#25396349)

And funny thing, that's exactly why (as I understand it) that the law was passed to force divulgence of encryption keys.

Of course, they can't get it if I've forgotten. (For example, I have some photos of my SO that I've put in a folder that I subsequently encrypted. I subsequently forget the password (who needs to look at photos when you can look at the real thing?) and now can no longer get in. I would love to be able to remember the password, but I can't. Sorry officer, even if I could help you access photos of my partner, I can't. And you taking me to jail for 2 years isn't going to make me remember.)

Thinking about the whole two years thing, it reminds me of that fellow in the USA who refused to tell the cops (and subsequently a jury?) the names of people in a movie he took at a demonstration. He was put away to teach him a lesson... (Can someone remember more details about that and link to them?)

Re:a difference (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25396489)

I have some photos of my SO that I've put in a folder that I subsequently encrypted. I subsequently forget the password

Don't worry, I made backups for you, just like everyone else on the internet.

Re:a difference (1)

apathy maybe (922212) | more than 5 years ago | (#25396705)

Bullshit you did. You cannot get a hold of these photos. At all.

Two things to bear in mind... (2, Insightful)

Gordonjcp (186804) | more than 5 years ago | (#25396297)

Firstly, this doesn't mean that the police can come and demand your encryption keys at any time. This isn't the US, where the police can kick your door in at any time for any reason, just because they feel like having a look at your stuff and maybe relieving you of a few high-value items. If they're looking for an encryption key, it's pretty much going to be because they've already had a warrant to search your property. It really *is* no different to being forced to hand over the key to the basement dungeon where you keep your step-daughter - chances are that they already know what they're looking for and where to look for it.

Of course, if you don't feel like handing it over, you can always say you left it on a bus, or in a taxi, or you posted it somewhere and it was never seen again...

Re:Two things to bear in mind... (1)

freedom_india (780002) | more than 5 years ago | (#25396361)

It really *is* no different to being forced to hand over the key to the basement dungeon where you keep your step-daughter - chances are that they already know what they're looking for and where to look for it.

Chances are I know exactly the illegal bribes were paid to S.Arabia prince for arms and oil, so I can go knocking at 10 Downing Street, enter the specific room and compel Brown to testify?
Hurts, doesn't it?
Your kind of logic was already used by Goebbels and Himmler. Fear-mongering.
Take an excellent example: logical real one: like finding who bribed the prince, who killed the scientist who opposed the Iraq war, etc.
Now once the cops have solved all those crimes, they can come to my house, break open my door and seize my books and the beer my 17-year old drinks.
Why don't the courts FORCE the government to continue the bribes investigation? Are they afraid of the Government? Now that would be interesting, isn't it?

Re:Two things to bear in mind... (1)

Gordonjcp (186804) | more than 5 years ago | (#25396403)

Chances are I know exactly the illegal bribes were paid to S.Arabia prince for arms and oil, so I can go knocking at 10 Downing Street, enter the specific room and compel Brown to testify?

Great! Got enough evidence to get a warrant? No? Oh well, you're SOL then. Sorry, thanks for playing.

Now once the cops have solved all those crimes, they can come to my house, break open my door and seize my books and the beer my 17-year old drinks.

Any reason why they'd do that? Nothing illegal about having books, and you can drink beer at home when you're 8 in the UK. I think it's 4, for wine only.

Re:Two things to bear in mind... (1)

freedom_india (780002) | more than 5 years ago | (#25396643)

Great! Got enough evidence to get a warrant? No? Oh well, you're SOL then. Sorry, thanks for playing.

The Scotland Yard had enough evidence to nail everyone involved, until such time the PM intervened and stopped the investigation forcefully after the Prince threatened diplomatic retaliation.
My argument is why the courts were silent on this one: Why didn't they order Scotland Yard to continue? Can I get the same lenience from the courts?

Re:Two things to bear in mind... (2, Interesting)

meringuoid (568297) | more than 5 years ago | (#25396667)

Any reason why they'd do that? Nothing illegal about having books

There are certain books that would get you in trouble. If they concern, for instance, highly exothermic chemistry, certain political movements especially in the Middle East and in Ireland, or exotic erotic practices, then you could be arrested for possession of 'material likely to be useful to terrorists' or 'obscenity'.

Same as Service vs Commodity problem (2, Interesting)

slashmais (1041620) | more than 5 years ago | (#25396301)

We have not yet sorted out if software is a service or a commodity: if it is the latter then the "==physical key"-conjecture might hold; if a service then it is all in the mind...

It seems the judge did not ask for, nor got sufficient evidence, which points to ($#@$ stupid) lawyers/barristers representing the cases.

My gut feel is, apart from this miscarriage of justice, that the issue can only be resolved by investigating the intentions for encryption: if that intention was to protect the data from perusal by others, then this falls clearly under the gambit of "the privilege against self incrimination".

Re:Same as Service vs Commodity problem (1)

jimicus (737525) | more than 5 years ago | (#25396417)

It seems the judge did not ask for, nor got sufficient evidence, which points to ($#@$ stupid) lawyers/barristers representing the cases.

I doubt it. The whole point of this particular part of the Regulation of Investigatory Powers Act was to overcome with legal force the issue that it is now possible to store a bunch of information - potentially information which reveals criminal activity - in a safe to which physical access is literally impossible without the key (which is essentially what an encrypted file is).

Of course, depending on the crime in question, if that's the only evidence that exists you may be better off just telling the police that you're not giving them the key, they will never get it from you, please go forth and multiply. You'd be facing up to 3 years in prison but if you're hiding information which would get you life in prison, it seems like the only sensible option.

Don't think so (4, Insightful)

SmallFurryCreature (593017) | more than 5 years ago | (#25396525)

Your logic is flawed, my locking/hiding the door to my dungeon where I keep my daughter is to stop me incriminating myself by her being found. ALL criminals hide data from the sight of others to stop them from showing their criminal activities.

If you accept that the police under the rules of law can demand access to things then this includes digital data. I have always been loath to see the internet and computers in general as some kind of new world where we can have a different set of rules. If I can be ordered to hand over my Swiss bank account number (just a number for a service) then so can I be ordered to hand over the key to my encrypted files.

If you want to change it, change ALL the laws related to the gathering of evidence. No cyber laws, just laws.

Technical measures for key destruction (3, Interesting)

Lincolnshire Poacher (1205798) | more than 5 years ago | (#25396303)

I am not a lawyer and this is not advice, but I did consult on the RIPA.

If the encryption key is destroyed by a pre-configured ``technical measure'' then by my reading of the Act one cannot be held in contempt for failure to disclose.

For example, a dead-man's switch that destroys all traces of keys if the owner does not log-in for a pre-arranged number of days.

Note that *all* traces must be destroyed. The Act can compel other parties ( e.g. work colleagues or holders of back-ups ) to disclose even if they are not directly involved in the case.

So what's worse? (4, Insightful)

Anonymous Coward | more than 5 years ago | (#25396357)

If I'm the defendant, I'm simply going to assess which is worse:

1. The punishment you'll get for not divulging your encryption key

2. The punishment you'll get when you divulge your encryption key and they find 18 gigs of child porn on your computer

Depending on the encrypted data in question, the decision whether to divulge your key could be an easy one.

Re:So what's worse? (4, Interesting)

phoenix321 (734987) | more than 5 years ago | (#25396473)

This is the precise argument that They will be using for lengthening the prison terms for NOT divulging the key once we've swallowed the fact that not-remembering something can get you in prison.

And then They just need to send a collection of /dev/random with a filename suggesting underage pornography to your email address and keep you imprisoned for decades. Your ex-girlfriend could do and call the police. Your enemies from the cubicle farm could do, too. Your competing business and even blackmailing spammers could.

I smell serious blackmailing business: pay up and we'll send you the key you need to prove yourself innocent.

Physical = digital? (4, Insightful)

phoenix321 (734987) | more than 5 years ago | (#25396411)

An encryption key is separate from a physical key, because no one can reliably prove if I still have it or not. Physical keys I may have hidden or swallowed can be found or the locks picked open. But for strong encryption, this is not feasible and the defendant might very well have forgotten the passphrase and never remember it.

What will They do when the defendant claims to have forgotten their key? (capital "They" intentional for Them being Orwellian monsters) - No one can ever prove or disprove that the passphrase still exists in the defendant's brain cells, not the accuser and not the accused.

And then? Sleep deprivation? Torture? Guilty unless proven innocent? In dubio contra reo?

Releasing the defendant is under this view obviously unfeasible, because otherwise EVERY defendant would claim to have forgotten the passphrase, which would render this judicial scheme moot. But NOT releasing a possibly innocent defendant because they really have forgotten their passphrase - and no one knows what's inside the encrypted files - is a serious crime in itself.

I doubt there's a possible solution to this problem. Keeping people in prison for even one day because of abstract words that *possibly* exist in their minds (and only there) is pretty laughable - and pretty dangerous.

Something that no human and no machine can reliably prove or disprove cannot be the basis of a prison sentence. In the Western civilized society after the Renaissance era anyway.

Also, this is stuff from the darkest dystopian novels and can be misused in thousands of ways. We've all heard rumors about cops who place contraband in a defendant's pocket or house. But that takes at least physical access to a contraband item.

But encryption keys that may not even exist anywhere? It is ridiculously easy to incriminate people that way, say for example to create a file containing several megabytes from /dev/random. Name it "pre-teen_volume_320.7z" and send it via mail to the defendant with a fake note "here's the 320th delivery of your stuff, you pervert and the password is the same as last time. the photos of your kids were nice, too".

And then? No one can distinguish between random data and well-encrypted data. No one can prove the defendant does NOT know the "password" to this "encrypted" file. Will They let them go or will they be imprisoned and tortured forever until they "remember" the nonexisting password or simply confess to having had intercourse with the devil?

Re:Physical = digital? (3, Insightful)

scientus (1357317) | more than 5 years ago | (#25396603)

The key is not digital, it does not exist on any machine. It *may* exist, and then only in the mind of the defendant. It only becomes digital when it is typed in, and then is erased after, it is like knowing where a treasure is hidden, and the right to refuse to tell of that is solidly defended, both in physical reality and in law (at least here in the US). By ruling that he (or anybody) has to give up a key he (or anybody) may or may not have (only those on trial truly know) the law becomes guilty until proven innocent, a system that can only yield to oppression.

*Could* just be random data? (1)

CyrusOmega (1261328) | more than 5 years ago | (#25396431)

Most encrypted data looks random right? How is one to know if the data is a meaningful arrangement of bits hidden behind a key? I am thinking in terms of truecrypt where you don't even know if the file is a truecrypt file or not without poking it with the correct password first.

So *my* defense would be to be silent about the file(s) in the first place (since that seems to be an option in this case). If they can't tell it's even encrypted then they certainly can't accuse me of not handing over a key.
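
An added illustration of the "looks random" point in the comment above (not part of the original post): the byte-level statistics an examiner might use for triage score ciphertext and `os.urandom` output the same way. The SHA-256 counter-mode keystream is a stand-in for a real cipher, and the key, sample text and thresholds are constructed for the demo.

```python
import hashlib
import math
import os
from collections import Counter

SAMPLE_SIZE = 64 * 1024  # bytes per sample


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.

    Assumption for the demo only: a stand-in for a real cipher. XOR with the
    same keystream also decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(p ^ k for p, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means a perfectly flat byte histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution.

    For uniform data this has 255 degrees of freedom, so it averages about 255.
    """
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def triage(data: bytes) -> str:
    """Label a blob the way a simple entropy triage would.

    Thresholds are constructed for this demo: entropy above 7.9 bits/byte and
    a chi-square far below what structured data produces.
    """
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "high-entropy"
    return "structured"


def build_samples() -> dict:
    """Three constructed samples: plaintext, its ciphertext, and OS randomness."""
    text = (b"Constructed sample document. " * 4096)[:SAMPLE_SIZE]
    return {
        "plaintext": text,
        "ciphertext": keystream_encrypt(b"constructed-demo-key", text),
        "random": os.urandom(SAMPLE_SIZE),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:10s} entropy={shannon_entropy(blob):.4f} "
              f"chi2={chi_square(blob):10.1f} -> {triage(blob)}")
```

The statistics separate structured data from high-entropy data, but they give the ciphertext and the random sample the same label, so a high score marks a candidate for further examination and nothing more.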

A Rebuttal (1, Funny)

Anonymous Coward | more than 5 years ago | (#25396509)

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.8

hQEOA8MMd15mSaRoEAQA7v49OwHzXQ0vbzGru17meXPx0j0azurW1eypb4Ene8n3
FUCK YOU
tMOLJhDfAdJgYZPOhJZeMPqqtyBanLIOtrzHP8S2dxfh6WAiiCPHFymvFtK7S4g4

-----END PGP MESSAGE-----

The judge also pointed out... (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25396511)

...that this isn't self-incrimination, as they are not being forced to reveal information that will incriminate them.

Simplified massively, the principle says that if someone asks "did you kill him?", you are not bound to answer "yes". That disclosure would incriminate yourself. In this case, the police demanded a copy of the decryption key; answering that question - admitting that you possess the encryption key - does not incriminate you. It is not illegal to possess an encryption key. Well, not in most circumstances.

He goes further to state that even in cases where admitting that you possessed the encryption key would incriminate you, a judge could suppress the fact that you provided the key, thereby avoiding incrimination. For example, if you have encrypted child porn on your computer, admitting that you possess the key could imply that you have viewed child porn, thereby incriminating yourself. A judge could, however, allow the decrypted images to be used as evidence, while refusing to allow the fact that you provided the key to be used as evidence, thereby avoiding self-incrimination.

In essence, what they're saying is that you don't have to say "I killed him"; but if you write down "I killed him", then you have already disclosed the information. Once you have disclosed the information, they are at liberty to compel you to remove any protection you have placed around that information. There is a difference.

Oh, and to the posters that suggested he use the defence "I forgot it", the police arrested the guy while he was halfway through typing the key in. It's kind of hard to convincingly say you didn't know it at that point...

Re:The judge also pointed out... (1)

Dr. Donuts (232269) | more than 5 years ago | (#25396735)

"Oh, and to the posters that suggested he use the defence "I forgot it", the police arrested the guy while he was halfway through typing the key in. It's kind of hard to convincingly say you didn't know it at that point..."

I expect the police to say something like that. Now stop and think of how probable that actually is.

suddenly im glad i live in the us (1)

scientus (1357317) | more than 5 years ago | (#25396527)

Suddenly I'm glad I live in the US.

The right against self-incrimination is one firmly seated in reality. One can always not give the encryption key, one can always say one does not remember it, there is nothing they can do to get it out of you, so if you are legally bound to give it then there is nothing preventing the government from saying any person has a key to something that they actually don't have and locking them up for that. With that right there is no line in the sand constantly moved and there is a good defense against tyranny; the man should not give up the key, he should proclaim he forgot it whether he did or not, that is the only sane defense against tyranny.

There is nothing preventing the prosecution and jury from believing bad stuff is behind that encryption wall but there is nothing, and it should be illegal to proclaim or legislate otherwise, that forces him to give up incriminating evidence. What the British court ruled is a downright lie and yields to tyranny, yields to guilty until proven innocent.

Re:suddenly im glad i live in the us (1)

jcr (53032) | more than 5 years ago | (#25396587)

Don't kid yourself. All of our rights depend first and foremost on our willingness to insist on them, and the people in the USA have been just as docile as anyone else for a very long time.

-jcr

Too bad you can't resist. (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#25396575)

We warned you that this kind of thing could happen when the British public surrendered its capacity for armed resistance to governmental power-grabs.

Now that's funny... (1)

CuteSteveJobs (1343851) | more than 5 years ago | (#25396579)

> "Defendants can't deny police an encryption key because of fears the data it unlocks will incriminate them, a British appeals court has ruled.

As soon as I started reading this sentence, before I was halfway through, I *KNEW* this was about Britain!

Wow... (1)

arotenbe (1203922) | more than 5 years ago | (#25396593)

This complements the last story about the UK really well. (By a definition of "well" that I don't even want to think about...)

Contrast with this [slashdot.org]. New tag: thankgodiliveintheus

Honeypot (1)

BountyX (1227176) | more than 5 years ago | (#25396595)

If you have an encrypted hard drive, always have a honeypot. Then give away your honeypot keys. Seems like the UK is brewing something with this combination of laws...

Self-incrimination defence - not the brightest? (2, Insightful)

Xest (935314) | more than 5 years ago | (#25396621)

Perhaps this was the crux of the problem, they used a defence of suggesting if they hand it over it would be self-incriminating?

Wouldn't a better defence have been to suggest that the data encrypted was entirely irrelevant to the case. Wouldn't it then be up to the police to actually do some police work and prove otherwise?

By using a self-incrimination defence it's effectively admitting, yeah you've got some data that's evidence locked up but you're not handing it over. Surely it's better to simply just deny the encrypted data is relevant to the case or even that you've no idea what that encrypted data is. Hell, claim it's your own personal copyrighted works or some trade secrets and get them to prove to a court either that it's not or that they need access to said private content. I'd have thought both of these would put the burden on the police to do police work in an ideal scenario.

That said, Labour's totalitarian regime doesn't follow the ideal scenario mindset and innocent until proven guilty means nothing anymore so I guess either way these people were screwed.

If the people are guilty then it's great they've been caught, but the way they go about reaching the goal is entirely unacceptable and comes down to one thing - the police are too damn lazy to actually do any police work nowadays. It's all about abusing various laws and technologies Labour has handed them which they really shouldn't have.

What if the actual passphrase was illegal to say? (2, Interesting)

hotrodent (1017236) | more than 5 years ago | (#25396655)

Say the passphrase was something like "I am going to kill the Queen", or maybe just something against a company policy eg if the passphrase was "my company's root admin password is JaBB3erw0cky". (I can't think of better examples right now, I'm sure something must be illegal to say in the UK? - other than "Lloyds is pants" of course)

By being forced to say the passphrase, in effect the government is forcing you to break the law, or reveal company secrets. I wonder what would happen....?

Making Encryption Worthless (1)

RAMMS+EIN (578166) | more than 5 years ago | (#25396693)

In other words, they are making encryption worthless, as far as protecting you from the government goes. Sure, you can encrypt your data with a good key and cipher and they won't be able to read it. But then they can just arrest you, charge you with something, and force you to disclose your data to them. Even if there is nothing among your data that relates to what you have been charged with, the government now has access to all your data.

All that may be acceptable as long as the government is going after the people you want them to go after. But there's no guarantee that this will always be the case. Governments work for the people sometimes, but they can also work against the people. This is why some smart people have written down rules the government must play by, restrictions on what the government is allowed to do. These restrictions are there for your protection: if the government plays by the rules, they are limited in what they can do to you, should they decide to come after you. When the government breaks these rules, that's a bad sign. It means they are crossing the line between working for the people and working against the people. It means they have a problem, and they are willing to violate your rights to deal with that problem.

The defendants are right. Their encrypted data may or may not contain evidence against them. They don't have to tell the government anything about it, and they certainly don't have to give the government access to all of it. Even if the defendants are guilty of the crime they are charged with, they have rights. They are innocent until proven guilty, and they have the right to remain silent. A judge (or jury, as the case may be) has the right to make inferences as to why a defendant chooses to remain silent, of course.

This all makes me very scared (1)

taucross (1330311) | more than 5 years ago | (#25396695)

Have you noticed how no matter how much we're discussing this, no matter how many opinions come out, they inevitably CAN'T make everyone happy? This is a fact of life. Why is this? If science has taught us anything, it's that there's things in reality that we don't understand. There are laws of nature. At the moment we are defining them relatively to each other - but never actually understanding or perceiving the force behind them. When the government tries to make everyone happy with crap like this (and they DO think they're helping, however misguided that may be) it always fails. It doesn't matter if you live in the US, UK, or you're an Aussie like me. We are all going to be touched by this. Look how close we are, how absolutely interconnected our money is, our internets, our ideas and feelings. Saying "I'm glad I live in the UK" won't shield you from it. As long as we keep trying to make a better world through influencing our physical reality, it is always at the expense of something else. We rob Peter to pay Paul over and over again (conservation, energy, mass, anyone?) And look how the government does their thing. They try to make us happy, or sad, with their laws and they fail every time. And eventually the laws turn into fascism because there's so fucking many of them. In terms of energy, the horse has left the gate by the time we perceive that it exists. So how can we expect to change things? Check out Bnei Baruch, it at least attempts to answer the real question.