Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

In UK, Two Convicted of Refusing To Decrypt Data

kdawson posted more than 5 years ago | from the no-pleading-the-fifth dept.

Encryption 554

ACKyushu clues us to recent news out of the UK, where two people have been successfully prosecuted for refusing to provide authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. There is uncertainty in that the names of the people convicted were not released; and without those names, the Crown Prosecution Service said it was unable to track down details of the cases. "Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. ... Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher [Rose, the government's Chief Surveillance Commissioner] did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report."

cancel ×

554 comments

Sorry! There are no comments related to the filter you selected.

Self-incrimination becoming mandatory (5, Insightful)

mseeger (40923) | more than 5 years ago | (#29035161)

This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

Re:Self-incrimination becoming mandatory (5, Interesting)

im just cannonfodder (1089055) | more than 5 years ago | (#29035257)

part of the law is that if you get a demand from the police you are not allowed to tell anyone about it other than your solicitor.

so no public accountability yet again by our government.

http://www.ckwop.me.uk/Articles/article01.html [ckwop.me.uk]

An analysis of Section 3 of the Regulation of Investigatory Powers Act 2000 The Regulation of Investigatory Powers Act 2000 is a piece of UK law that, among a range of other things, contains a section that is meant to require the surrender of cryptographic keys to certain authorised parties (which are in effect instruments of the government). If such a request is made as part of an investigation, then the party who disclosed the key is not allowed to tell anyone that the authorities have that key or they face up to two years in prison. Equally, if the party fails to disclose the key, they also face up to two years in prison.

The logic is obvious (4, Insightful)

Kupfernigk (1190345) | more than 5 years ago | (#29035665)

If you are part of a terrorist cell (or a criminal gang) and the police obtain your encryption keys, telling the rest of your cell or gang will enable them to destroy their own compromised data before PC Plod arrives. That is the logic behind the law.

The alternative is to lock up everybody who has supplied keys until any legal case is over, so they cannot communicate the news. This would be worse.

Law is simply unable to keep up with the development of mass communications and freely distributable digital data. It's a simple as that. The options are to do a 16th century Japan and ban progress, or accept there will be problems en route.

Re:Self-incrimination becoming mandatory (5, Insightful)

L4t3r4lu5 (1216702) | more than 5 years ago | (#29035263)

That went too. Remaining silent when they ask for your encryption keys is failing to provide the encryption keys.

Besides, we all know that the new system is heavily based on proving innocence. Innocent until speculated guilty, and all that.

Re:Self-incrimination becoming mandatory (5, Interesting)

tygerstripes (832644) | more than 5 years ago | (#29035345)

I'd be curious to learn how many of the four who did comply were subsequently convicted of the crimes for which they were being investigated, and what sentences these convictions entailed. I'm also very curious about what prevented the conviction of the other non-compliant nine. Essentially: was it worth it?

While I can see the arguments for and against permitting Section 49 sanctions, I want to know what the practical upshot is. Hypothetically, it may be worthwhile to a potential criminal to serve up to a couple of years in prison with a note on their record akin to "refused to assist in investigation" rather than face the potentially much more damaging convictions that their cooperation might incur.

My concern is that the law will be amended to reflect this, leading to much harsher sentencing in order to prevent this kind of cost-benefit decision being made by suspected criminals.

Re:Self-incrimination becoming mandatory (0)

Anonymous Coward | more than 5 years ago | (#29035563)

"Guilty as charged until proven innocent." There, that was easy.

Re:Self-incrimination becoming mandatory (1)

thbigr (514105) | more than 5 years ago | (#29035355)

Do the same laws of self incrimination apply in the UK?

Re:Self-incrimination becoming mandatory (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29035559)

"You do not have to say anything, but anything you do say will be taken down and may be used as evidence against you" is the standard line for UK police. Either that, or "you're nicked".

Re:Self-incrimination becoming mandatory (4, Interesting)

badfish99 (826052) | more than 5 years ago | (#29035659)

Not any more. Now it is:

"You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."

The reason for the change is that the "right to silence" has gone: if you don't immediately tell the police your defence when you are arrested, the court may ignore anything you say in your trial, and convict you anyway.

Re:Self-incrimination becoming mandatory (0)

Anonymous Coward | more than 5 years ago | (#29035663)

> "You do not have to say anything, but anything you do say will be taken down and may be used as evidence against you" is the standard line for > UK police.

Its not been that for a long, long time. The caution is now "You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later reply on in court. Anything you do say may be given in evidence."

I.e. the court can legally infer things from your silence.

Re:Self-incrimination becoming mandatory (4, Informative)

Anonymous Coward | more than 5 years ago | (#29035409)

This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

This is the UK. They already have removed the right to remain silent [urban75.org] in the Justice and Public Order Act 1994.

Re:Self-incrimination becoming mandatory (3, Insightful)

maxwell demon (590494) | more than 5 years ago | (#29035435)

This means, you can be forced to do self-incrimination. What's next? Do we remove the right to remain silent? In dubio contra reo?

This is the UK. They already have removed the right to remain silent [urban75.org] in the Justice and Public Order Act 1994.

I'm I the only one who at first misread the second 9 for an 8?

How about if a Policeman... (1)

viraltus (1102365) | more than 5 years ago | (#29035447)

has a warrant and asks you to open the trunk of you car? Do you feel police is forcing you do to self-incrimination? I don't think they're forcing you to say you are guilty of anything, they want to check your property to see if you actually are guilty of anything.

Re:How about if a Policeman... (2, Insightful)

kaladorn (514293) | more than 5 years ago | (#29035541)

I'm unaware of any case where you can be given 5 years for not opening the trunk of your car. You could probably be charged with something, but it wouldn't be five years in jail.

Re:How about if a Policeman... (2, Interesting)

arbiter1 (1204146) | more than 5 years ago | (#29035651)

Opening a trunk and encrypted data are 2 different things, as for US's 5th amendment. If said data is stored in like safes or such with a physical key you have to give it up (they could get in to the truck easy anyway), if the information is stored in your head its protected via the 5th, but with that being said its been debated lately if say data encrypted with military encryption and the only key is stored in your head is protected by the 5th. since giving the key will consistute giving up 5th. When data is encrypted with say 256bit SSL, it would take a super computer many years to break the decyption key and by then you could ask for speedy trial and they couldn't have their key evidence.
As for laws in UK i am not sure, but for US its been in debate cause a guy that crossed in the US from canada had encrypted data and they tried to make him give the key up.

Re:How about if a Policeman... (2, Insightful)

ZekeSpeak (947670) | more than 5 years ago | (#29035615)

has a warrant and asks you to open the trunk of you car? Do you feel police is forcing you do to self-incrimination? I don't think they're forcing you to say you are guilty of anything, they want to check your property to see if you actually are guilty of anything.

If a policeman has a warrant to open the boot of my car then I will assume that if I don't comply then the policeman will break it open and damage my car in the process. There's no point to resistance in this situation but in the case of an encrypted file they won't be able to break in without your assistance. It's a matter of practicality, not legality.

Re:Self-incrimination becoming mandatory (2, Insightful)

TheVelvetFlamebait (986083) | more than 5 years ago | (#29035471)

Wait, isn't this more like police demanding you unlock a door? You can't hide evidence behind a physical lock, so why should a digital lock be different?

Re:Self-incrimination becoming mandatory (5, Insightful)

FinchWorld (845331) | more than 5 years ago | (#29035511)

Any safe can be broken into, especially if its the police doing it, because no ones going to arrest them half way through the attempt. So key or no key, there getting what they want, though they may have something of a dim view of you come sentancing if you didn't give them the key and whatever illegal activity was in the safe. If there was nothing in said safe, and the key really had been lost, the police more or less wasted there time and your not guilty of anything, after all they never found that key either.

However, with encryption it could well take the span of several peoples life times to crack a key needed to unlock the data, hence the law brought in. However if you have genuinely lost the key, or its destroyed, and you have nothing illegal encrypted, say bank details and the like, your going to prison anyway.

Re:Self-incrimination becoming mandatory (0)

Anonymous Coward | more than 5 years ago | (#29035527)

Because you actually dont have to unlock a door, when asked. You just are not allowed to actively prevent the police to get through the locked door.

Re:Self-incrimination becoming mandatory (1)

arbiter1 (1204146) | more than 5 years ago | (#29035687)

The problem is they are making you provide evidence to convict yourself and send yourself to prison. its everything the 5th amendment is made to protect you from, at least in the US. They have the Data but you gotta provide the info to access it, this has president to remove all 5th amendment rights at some point, They get you to give up that key then next they will be asking you for more since you gave up that why not more

Re:Self-incrimination becoming mandatory (0)

Anonymous Coward | more than 5 years ago | (#29035625)

Oh, you still have the right. It's just that exercising that right comes at the potential cost of a jail sentence. Therefore you would balance the jail sentence you would get from providing the keys to the data you are hiding against not providing it. For certain types of data, it's a good trade-off.

It's the same as allowing juries to use silence from a suspect as a factor in their deliberations. Or exercising your rights as a journalist to not name your sources.

However there are other aspects in the UK law that are dubious, such as the first response to your post. Certainly there are V for Vendetta issues with the current government's laws, which are ill-thought-out by people who don't have the qualifications to actually make laws that a whole and complete, with checks and balances.

And certainly there are issues if it comes down to fishing expeditions. If you want to decrypt a file to look for, e.g., child porn, and instead you find accounts detailing drug dealing finances, or dodgy tax stuff, there should be nothing the police can do.

Re:Self-incrimination becoming mandatory (1)

Pvt_Ryan (1102363) | more than 5 years ago | (#29035671)

What's next? Do we remove the right to remain silent?

Already done for motoring convictions.

Re:Self-incrimination becoming mandatory (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29035691)

In the UK the right to remain silent has effectively now been removed - the police no longer say

"You have the right to remain silent, but anything you do say will be taken down and may be used in evidence against you"

but instead say

"You do not have to say anything, but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence."

The Criminal Justice and Public Order Act 1994 provide statutory rules under which adverse inferences may be drawn from silence.

Adverse inferences may be drawn in certain circumstances where before or on being charged, the accused:

        * fails to mention any fact which he later relies upon and which in the circumstances at the time the accused could reasonably be expected to mention;
        * fails to give evidence at trial or answer any question;
        * fails to account on arrest for objects, substances or marks on his person, clothing or footwear, in his possession, or in the place where he is arrested; or
        * fails to account on arrest for his presence at a place.

Essentially, shutting up and saying nothing will be actively harmful to your defence.

What I want (4, Interesting)

petes_PoV (912422) | more than 5 years ago | (#29035165)

is an encryption system with 2 keys.

One decrypts the files or filesystem while the other key overwrites the contents with random data.

I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.

Re:What I want (5, Informative)

jeek (37349) | more than 5 years ago | (#29035197)

Look into the Phonebook filesystem. Not quite what you mentioned, but almost as good.

Re:What I want (2, Informative)

CarpetShark (865376) | more than 5 years ago | (#29035205)

I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted.

There are a few encryption systems out there which provide plausible deniability, and would work something like this (in theory). However, most have pretty clear information, like standard file headers. I've never bothered to actually look at one for encrypted files, but I imagine the file headers essentially say something like "This is a file from APP. It's version X.Y. It's N bytes long. Encryption algorithm is A. Hash method is H. Data follows..."

Re:What I want (1)

petes_PoV (912422) | more than 5 years ago | (#29035381)

Yes, I've see systems like truecrypt. However, in this case it's possession of encrypted dfata (and the unwillingness / inability to disclose the password) which is the crime. The only solution is to have an encryption mechanism that is indistinguishable from a block of random data. No doubt, then random number generators will be considered "munitions" and made illegal, too.

Re:What I want (1)

hany (3601) | more than 5 years ago | (#29035487)

Aren't they already?

Because, there was a story, that if you look (hard enough) into say Pi, you find your latest favourite Hollywood flick in there somewhere. So DMCA or something similar might be used to forbid you from even possessing a Pi number computed to a big fraction.

I guess (I have to, I do not have mathematical proof) that similar argument can be made also for any big enough random number.

So, RNG generator are not only "munitions" but also a "devices for creating copies of copyrighted works".

note: Yes, I'm joking here. But in some court rooms it might not be taken as a joke. I guess.

Re:What I want (1)

Plunky (929104) | more than 5 years ago | (#29035573)

Because, there was a story, that if you look (hard enough) into say Pi, you find your latest favourite Hollywood flick in there somewhere. So DMCA or something similar might be used to forbid you from even possessing a Pi number computed to a big fraction.

I understand the technical aspects of this, but I wonder if Pi has been computed sufficently to reveal any actual messages longer than say, a word?

Re:What I want (3, Interesting)

maxwell demon (590494) | more than 5 years ago | (#29035499)

However, in this case it's possession of encrypted dfata (and the unwillingness / inability to disclose the password) which is the crime.

So in the UK it is a crime to possess DRMed media? :-)

Re:What I want (0)

Anonymous Coward | more than 5 years ago | (#29035539)

What's the problem? Plausible Deniability features solve that.

Re:What I want (0)

Anonymous Coward | more than 5 years ago | (#29035383)

You're quite wrong. Most encrypted data is just that: a big binary blob. You are expected to know which program/algorithm/key to open it with. Obviously.

Re:What I want (1)

sakari (194257) | more than 5 years ago | (#29035575)

Actually, for example files crypted with Truecrypt seem only like data, they are indistinguishable from random blabber. Probably.

Re:What I want (0)

Anonymous Coward | more than 5 years ago | (#29035643)

Actually, TC volumes tend to fall exactly on 4096 byte borders. Yes, the contents are random and finding anything out about what is inside isn't going to happen, but not that many data blobs have this issue.

Fix: TC should have the option to add 0-4095 bytes to the end of volumes that are ignored by the program.

Re:What I want (1)

ls671 (1122017) | more than 5 years ago | (#29035579)

There is also systems that duplicate data on empty blocks in the file system.

If you look at the file system, it looks like a normal one, encrypted or not (at your convenience).

The algorithm writes encrypted data in "officially" empty blocks on that file system. It duplicates the data in several spots to make sure the "real" file system doesn't trash the information when it writes files.

All encrypted information kept by those systems is stored in "officially" empty blocks.

So give them the key for your encrypted file system, but keep your sensitive information in empty blocks on that file system. The hidden data is encrypted with yet another key. Keep the software needed to read the hidden data on a flash drive so there is no trace that you are using such a thing on the machine ;-))

And no, if you look at the empty blocks, you won't see: "This is a file from APP. It's version X.Y. It's N bytes long. Encryption algorithm is A. Hash method is H. Data follows..."

Only random data ;-))

Re:What I want (5, Informative)

L4t3r4lu5 (1216702) | more than 5 years ago | (#29035225)

I think you're approaching this from the wrong angle.

The issue is no longer whether you can prove their is nothing incriminating in the "ecrypted file" but whether the old memory you've had for 7 months is an encrypted file or not.

Further, TrueCrypt is well known. "Hey, do you have a second 'hidden' partition on this slightly incriminating but pretty inoccuous drive?" "No." "I don't believe you. Do not collect £200."

This is a very, very bad day for the British public.

Re:What I want (1)

maxwell demon (590494) | more than 5 years ago | (#29035273)

For convicting you, they would have to prove that there's a hidden partition.

Re:What I want (1)

Yogiz (1123127) | more than 5 years ago | (#29035485)

For now.

Re:What I want (2, Interesting)

mlts (1038732) | more than 5 years ago | (#29035667)

That is easily done. A quick search of history of accessed programs might be able to turn up a volume with information in it that is not present on the system.

In fact, most programs have a most recently used list. So, an adversary who looks at the MRU traces would just resume questioning even if the user gave all passwords to any TC volumes on the system.

To get around this, the best bet would be to use TC's decoy OS functionality, where a user can boot the decoy OS, mount the outer volume of partition where the hidden OS is present, and show that the volume is just a large place for storing private files. Using a hidden/decoy OS system ensures that there are no suspicious traces to files.

Re:What I want (1)

petes_PoV (912422) | more than 5 years ago | (#29035501)

Yes, it's also quite easy to detect. Presumably all you need to do is scan each block and do some sort of correlation function on the data you find there. If the result is that a block shows up as random data AND it's inside a TC. partition, then presume it's a hidden filesystem. Just reapply the thumbscrews until yo get an admission.

Re:What I want (1)

Chatterton (228704) | more than 5 years ago | (#29035571)

In TC, empty sectors are encrypted too and by that fact undistinguisable from a sector used by the potential hidden partition.

Re:What I want (-1)

Anonymous Coward | more than 5 years ago | (#29035581)

Wrong.

Re:What I want (2, Insightful)

Clairvoyant (137586) | more than 5 years ago | (#29035245)

Or just use Plausible deniability, like Rubberhose: http://iq.org/~proff/rubberhose.org/

Re:What I want (1)

L4t3r4lu5 (1216702) | more than 5 years ago | (#29035297)

That's not an encryption feature, that's an app feature. The application would have to recognise the "destruct" key and wipe the date; The encrypted file wouldn't recognise it automatically.

This is why the most fundamental aspect of forensic computing is "read-only."

Re:What I want (1)

petes_PoV (912422) | more than 5 years ago | (#29035461)

Yes, it is. However make the decryption app a part of the encrypted filesystem (or file). That way there can be no third party application available to perform the decryption. The decryption process would therefore be a two-stage affair:
1.) supply one or other of the passwords to the publicly available decryption system
2.) this runs and decrypts something like a bootstrap, which checks the password it was given and either decides to decrypt the rest of the data, or to overwrite it (without ever decrypting it) or otherwise corrupt the files headers.

Now this wouldn't work in cases where the disk was write-inhibited, in a forensic lab. But for situations where the investigator was either stupid/lazy/unaware of the underlying mechanism, the self-destruct would be good enough.

Re:What I want (1)

crashumbc (1221174) | more than 5 years ago | (#29035561)

why even do that? the decrypt program wouldn't need to destroy the data, in-fact that may be illegal itself, it just needs return garbage or "fake" data.

Re:What I want (1)

mlts (1038732) | more than 5 years ago | (#29035699)

This is always discussed on the TrueCrypt forums. Any decent adversary will be pulling out a hardware write blocker and doing their work on an image of the disk in question. So, if the user has a modified TC version which has self destruct functionality, the adversary just rolls back changes, and depending on the civility of the country, either adds another criminal charge, or just chops another finger off their victim (or their travelling companions), and then asks for another key that works.

If you want limited access to brute forcing, TrueCrypt supports smart cards. If someone guesses the password on an eToken too many times, the device will permanently block access, and is resistant to tampering even for well heeled adversaries with a spare SEM at their disposal. If you are confident you will never mistype your passphrase, you can set the maximum wrong guesses to zero, so the smart card would lock after the first try.

Re:What I want (1)

haeger (85819) | more than 5 years ago | (#29035309)

That's assuming that the police are drooling morons that have no clue what they're doing.
Obviously they'll copy the drive before trying anything on it. You hand over the "wrong" key, data gets scrambled, the restore it from the copy they took and asks for the correct key.

Contrary to popular belief the police are quite capable. At least when you get one step up from the patroling officers.

Re:What I want (3, Interesting)

PeterBrett (780946) | more than 5 years ago | (#29035419)

That's assuming that the police are drooling morons that have no clue what they're doing. Obviously they'll copy the drive before trying anything on it. You hand over the "wrong" key, data gets scrambled, the restore it from the copy they took and asks for the correct key.

This sounds like a good application for a TPM, don't you think? Isn't that supposed to stop anyone being able to remove data from the machine? (Unless the TPM is backdoored...)

Do modern TPMs have a "suicide" feature that allows them to destroy the secret and create a new one on operating system request? If not, they should have.

Re:What I want (1)

Thor Ablestar (321949) | more than 5 years ago | (#29035315)

Our Russian law states that the expert should make an exact copy of HDD in question and operate with it, having original HDD intact. British law should have the same provision. So they shall immediately find the self-destruction key and retry.

I sincerely believe that Russia under You Know Who has more freedom than Britain.

TrueCrypt (1)

Futurepower(R) (558542) | more than 5 years ago | (#29035321)

No need to overwrite your data, which would show hard drive activity, and which would have no effect, since police always work on copies. TrueCrypt [truecrypt.org] provides a hidden volume. The TrueCrypt hidden volume is not detectable.

"I would also like to know how the authorities could possibly tell a properly encrypted file from one that only contains random data and consequently how they could prove that a filesystem is, in fact, encrypted."

In every country, lawmakers with no technical knowledge whatsoever are writing extremely ignorant laws about technical issues. In fact, the UK law makes no sense.

Re:What I want (1)

b4upoo (166390) | more than 5 years ago | (#29035367)

And how can they decide if a password has simply faded from human memory? Most people have probably lost a file or two simply be forgetting the password.

Re:What I want (0)

Anonymous Coward | more than 5 years ago | (#29035371)

If they ask for the password once and don't get what they want they will ask for the second, or third.... while forcing you to hold stress positions... in a third county... while in the spirit of running man asking "is it safe".

By the time they know who you are and where you live its game over.

"If saves just one childs life"

Re:What I want (5, Interesting)

tsotha (720379) | more than 5 years ago | (#29035533)

I've been thinking about that for awhile. You don't want a system that will destroy the encrypted data - as others have pointed out, the cops will image your drive before they do anything, so it's sort of pointless. But I think you could do even better with a set of one time pads. I'm envisioning a system that works like this:

  1. You have data you want to encrypt of a certain size. Doesn't matter how large, but you can't really add to it after it's encrypted.
  2. You generate a key the size of your original data and xor the key with the data you want to encrypt. If your key is random enough it should be impossible to decrypt. They say you can get something truly random with atomic decay or cosmic background radiation. These days storage is cheap, so having a key as big as a couple gigs should be no big deal - keep it on a fob.
  3. Now here's the twist. After you've encrypted your data you generate a second "key" by xor-ing the encrypted data with something innocuous. War and Peace, maybe, or cat pictures from the internet. Now you have a key you can give to the cops if they ever come calling, and the data they come up with will be recognizable as data of some sort. So it will be difficult for them to argue you haven't provided "the key".

Re:What I want (1)

Znork (31774) | more than 5 years ago | (#29035609)

Overwriting the data is pointless; anyone wanting you to decrypt the data will clone the disk before trying out anything you volunteer on it.

Plausible deniability with multiple decryptions is pretty much the only way to get around the rubber hose attack. Give them one key and it decrypts to one thing. Give them another and it decrypts to something else. Put something you might plausibly want encrypted in the first one (pictures of naked cats or whatever would be reasonably innocent but perhaps slightly embarrasing), and the real stuff in the secondary encryption. This could of course be done in multiple layers too, with the end result that they can never know or prove that you have not disclosed the complete key.

Re:What I want (1)

El_Muerte_TDS (592157) | more than 5 years ago | (#29035613)

is an encryption system with 2 keys.

One decrypts the files or filesystem while the other key overwrites the contents with random data.

If they're doing it right they will not mess with the original data, but with a copy. So your idea is quite useless.

Re:What I want (0, Redundant)

Godji (957148) | more than 5 years ago | (#29035633)

Google TrueCrypt.

Re:What I want (0)

Anonymous Coward | more than 5 years ago | (#29035669)

Elementary misunderstanding. Proof is not required. The doctrine is beyond -reasonable- doubt.

Re:What I want (1)

Atrox666 (957601) | more than 5 years ago | (#29035695)

A forensic investigator usually only works from a copy of the machine to preserve the chain of evidence. You're better off using the false partition and hope the cops are stupid (usually works). Another option is to give them a made up password and tell them the file is corrupt. You're kind of grasping at straws at that point. Unfortunately justice has nothing to do with policing and they'll lie, cheat and steal to get a conviction. Technology hasn't changed that.

Can I ask.. (4, Interesting)

eexaa (1252378) | more than 5 years ago | (#29035169)

...if you lost or just really forgot the decryption key/passphrase, would it count as refusing?

Re:Can I ask.. (3, Informative)

FluffyWithTeeth (890188) | more than 5 years ago | (#29035209)

Obviously, yes.

Re:Can I ask.. (0)

Anonymous Coward | more than 5 years ago | (#29035439)

It is obviously not obvious.

Re:Can I ask.. (5, Interesting)

FinchWorld (845331) | more than 5 years ago | (#29035241)

Carefully crack a CD in various places, so that not data can be recovered from it, scrawl on it "Encrytion Keys - Keep Safe" and hide in a stack of CDs.

When arrested, tell them about this CD that has your keys. When they come back and inform you its damaged go psycho screaming at them for having lost your keys, and hence, years of data (cos your back ups are encrypted too right?).

Sue.

Profit!

Ok maybe not, worth a thought though.

Re:Can I ask.. (0)

Anonymous Coward | more than 5 years ago | (#29035415)

As with toasted HDs, you'd be surprised what can be recovered from cracked CDs.

Re:Can I ask.. (2, Insightful)

ledow (319597) | more than 5 years ago | (#29035433)

If it got to the point where you're in court, they will happily pay the £1000 or so that it would cost to read even a cracked CD. And when they found it was blank, they would impose a harsher sentence for lying in the first place.

It's much harder to "destroy" the entire CD that just cracking it. You would almost literally have to set it on fire in order that they couldn't say "well, we recovered 90% of the data from the various shards and found nothing but zeroes".

Re:Can I ask.. (2, Interesting)

Yogiz (1123127) | more than 5 years ago | (#29035523)

You can always write a single text file containing something that looks like encryption keys and then when they discover that none of the keys work, you can say that they have corrupted the disk. Whatever, write a corrupt disk in the first place. I have a half-broken cd-writer that writes half broken cds all the time.

Re:Can I ask.. (0)

Anonymous Coward | more than 5 years ago | (#29035529)

"well, we recovered 90% of the data from the various shards and found nothing but zeroes"

Easy enough to fix. You just need to have enough random data on it to make it look as if there was something there.

Re:Can I ask.. (4, Insightful)

YeeHaW_Jelte (451855) | more than 5 years ago | (#29035587)

So? Don't use an empty CD but one with the actual keys. Flip a bit somewhere in the keys.

If they try to decrypt your drive with the key and fail, blame the recovery process.

I think they'd have a pretty hard time proving that the recovery of the keys from the damaged CD was 100% correct. They might get so far as to make it probable, but I know if no way to prove it 100% accurate without the original data to verify it with.

Hmmm, maybe I shouldn't have posted this ... if they find this message and link it to an IP I frequently use ... /me engages in paranoid episode.

Re:Can I ask.. (4, Insightful)

sakdoctor (1087155) | more than 5 years ago | (#29035479)

What if, what if, what if...

No cute little work-around is going to help, because the RIP act was designed as a tool of authoritarianism.
Recently in historical terms, encryption has became essentially unbreakable [wikipedia.org] , and this is the backdoor to it all.

Re:Can I ask.. (1)

91degrees (207121) | more than 5 years ago | (#29035569)

No.

Although it would probably help to have some sort of plausible evidence that you no longer have the key.

That's rich (4, Insightful)

CarpetShark (865376) | more than 5 years ago | (#29035181)

There is uncertainty in that the names of the people convicted were not released

That's rich. The government convicts people for keeping secrets, and then keeps secrets about who was convicted.

Re:That's rich (1)

martas (1439879) | more than 5 years ago | (#29035249)

step 3: claim nobody was ever convicted
step 4: 1984
step 5: profit!

Re:That's rich (4, Funny)

L4t3r4lu5 (1216702) | more than 5 years ago | (#29035275)

If the names are stored in an encrypted database, we have them by the balls!

Oh, wait, this is the government. It's probably currently being mailed Second Class to a royal heir in Nigeria.

Re:That's rich (1)

ojintoad (1310811) | more than 5 years ago | (#29035423)

Yeah, I was thinking that when I read this line:

The government said today it does not know their fate.

and

GCHQ didn't immediately respond to a request for further information on the convictions. The Home Office said NTAC does not know the outcomes of the notices it approves.

Funny that the google search for "left hand doesn't kknow what the right hand is doing" [google.com] returns a .co.uk [phrases.org.uk] site.

Re:That's rich (0, Troll)

pbhj (607776) | more than 5 years ago | (#29035455)

Yeah those bastards, trying to stop children from being abused, people from being battered and the general populus from being blown up. What are they thinking.

I wonder in how many of the cases the guys at GCHQ could crack the encryption but weren't allowed to let on.

Re:That's rich (0)

Anonymous Coward | more than 5 years ago | (#29035675)

Usually that's for the protection of the accused. I'm sure their families (the only ones who really need to know) have been informed.

Not very surprising historically (5, Insightful)

Anonymous Coward | more than 5 years ago | (#29035285)

A hundred years ago today, if someone had a giant safe in their house, and they were suspected of any crime whatsoever, the legal authorities (of pretty much every country in the world, it would baffle me to hear about somewhere this would not be the case) would simply ask for the keys. If the person refused to hand them over, the person gets punished. The "punishment" can be of different forms - whether prison in itself, or just a lot more unfavourable treatment from a judge and the assumption of guilt going against you, but nothing at all? Never. The difference with encryption keys is not all that great.

Re:Not very surprising historically (1)

rastos1 (601318) | more than 5 years ago | (#29035653)

If the person refused to hand them over,

... they would search the house for the key and if not found they would get a locksmith to crack open it. No safe will stop a determined person with lots of time and right tools. The difference is that they can't crack your skull (yet) to find the keys and they can't break the encryption either.

Re:Not very surprising historically (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29035681)

Two points.

It's not necessary to be suspected of a crime. Read section 49 [opsi.gov.uk] . It countenances industrial espionage, for example.

In your example, complaining loudly after the event, in the market square or in a newspaper, would not have been a criminal offence with a maximum sentence of 5 years in prison and a fine. See section 54 (same link).

One-way encryption (2, Informative)

indre1 (1422435) | more than 5 years ago | (#29035335)

So if I encrypt my data with an encryption mechanism that can't be inverted by today's standards and someone doesn't like it, I'll go to jail?

Re:One-way encryption (1)

dotgain (630123) | more than 5 years ago | (#29035445)

Store a megabyte of random data, and if somebody doesn't like it you go to jail.

Hell, what am I saying, this is the UK we're talking about. Paint your roof. Somebody doesn't like it? You're going to jail.

Useless laws are useless... (0)

Anonymous Coward | more than 5 years ago | (#29035347)

All this will mean is that people will stop hiding their data in "MyEncryptedDocuments" and instead hide it in plain sight. Will you check every single image on my system to detect flaws that might be hidden data? Will you parse every single document on my system to find hidden meta data (e.g. HTML attributes, Word under/redo histories, etc)? I'll just ROT13 it so you cannot look for English language.

Drug dealers use the same trick... Instead of hiding their drugs under floorboards or taped to the top of draws, they simply open a bag of flower, empty the contents, and refill it with drugs...

A thought experiment (5, Insightful)

ebonum (830686) | more than 5 years ago | (#29035361)

Suppose I have TrueCrypt installed on my machine, but I don't have anything encrypted. What stops to police from accusing me of having encrypted files and demanding a key? How do I prove random bits of data on my HD are random bits of data and not super secret encrypted files?
I doubt I even need Truecrypt installed for the police to use this to get a guaranteed 2 or 5 year conviction.

Re:A thought experiment (1)

maxwell demon (590494) | more than 5 years ago | (#29035411)

You probably should always keep some encrypted porn on your computer. It's easily explained why you encrypted it (no one should find out that you have porn on your computer), and you can safely give the key to the police (as long as it's allowed porn of course, kiddy porn wouldn't work well :-)).

Re:A thought experiment (1)

GeorgeStone22 (1532191) | more than 5 years ago | (#29035413)

2-5 years might be less than you'd get for disclosing the data.

Re:A thought experiment (1)

maxwell demon (590494) | more than 5 years ago | (#29035453)

His assumption was that there is no data.

Re:A thought experiment (5, Insightful)

ebonum (830686) | more than 5 years ago | (#29035619)

To clarify, proving that a section of random bits of data on my hard drive is NOT an encrypted file is equivalent to proving that I am NOT a witch.

This could be easily abused by the police. All they have to do is find a section of random data on a hard drive. Then, the police ask you for a key. When you don't provide one ( because there is no key ), you get convicted on "Refusing To Decrypt Data" charges.

It isn't possible to say with certainty what is random data and what is encrypted data.

Re:A thought experiment (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29035629)

Well, Truecrypt doesn't NEED to be installed. You can have it on a flashdisk/CD etc.

Also, it allows the creation of a fake directory with fake encrypted data which shows when the specific password for that (which differs from your "real" password) is entered.

It's an appalling piece of legislation (5, Insightful)

jimicus (737525) | more than 5 years ago | (#29035385)

It's an appalling piece of legislation for a number of reasons:

1. It makes forgetting your decryption key/passphrase/whatever illegal. Yes, seriously. The burden of proof is on the accused to show that they can no longer decrypt the data - how the hell do you prove you don't have something?

2. The people who it was originally intended to inconvenience - the real terrorists, if you like - aren't going to be even remotely concerned by it. They know full well that there is a risk they'll be caught and spend time in jail. If it's a choice between "reveal the decryption key, thus providing the police with the only evidence they're likely to find which implicates you and a number of others for so many criminal activities you'll be in prison for 20 years and when you get out you'll get a bullet in the head for the people who you dropped in it" or "keep your mouth shut, go to prison for two years", I wonder which one they'll chose?

Re:It's an appalling piece of legislation (2, Informative)

velen (1198819) | more than 5 years ago | (#29035597)

You raise a valid point. It is easy for people with incriminating data to spend a couple of years in the rig instead of screwing themselves and their organizations over. The UK is bat-shit crazy.

Remember this is the UK (4, Interesting)

Jane Q. Public (1010737) | more than 5 years ago | (#29035427)

In the U.S., people generally cannot be required to provide encryption keys under the 5th Amendment. However, there are exceptions. There was the recent case of one man who was searched by Customs (or DHS, or whoever) at an airport. One of the agents discovered child pornography in an encrypted portion of the disk that had been (temporarily) opened for access.

Somehow, by the time authorities took possession of the computer, the encrypted drive was no longer opened. The last court decision about that case I am aware of states that a subpoena for the encryption key can be enforced, because the government was already aware of the existence of illegal material, and where it was. All they needed was a "key". This is vastly different from demanding a key first, so they can poke around in your private material.

As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.

Re:Remember this is the UK (2, Insightful)

Yogiz (1123127) | more than 5 years ago | (#29035589)

As an analogy, imagine a shed in your yard that you keep locked. Law enforcement would, under almost all circumstances, require probable cause or a warrant based on probable cause in order to go onto your property and search that shed. However, if they already knew, with little doubt, that there was illegal material in that very shed, then they have the legal justification for a warrant, or a subpoena of whatever information is necessary to open the shed.

It's a funny law in this case, as you can be arrested and convicted for not letting the police into that shed in your back yard even if you have no shed in your back yard. Everyone with a back yard (hard drive) could be convicted to jail without any proof. Convenient.

I'm afraid to travel to the U.K. even with my laptop's harddrive overwritten with /dev/urandom because if they say it's an encrypted drive, how will I prove it's not?

Re:Remember this is the UK (1)

Takichi (1053302) | more than 5 years ago | (#29035603)

What I don't understand is why people can't say that they forgot the key? It would seem very difficult to prove that they in fact knew and weren't sharing the information.
What happens if the person says they've lost the key to their shed? I'm guessing that the police would break the door down. Would they also have the option to leave the shed intact and prosecute the owner for forgetting where the key is?

The time has come... (1, Troll)

distantbody (852269) | more than 5 years ago | (#29035481)

To NUKE the place from orbit!!!

Re:The time has come... (0)

Anonymous Coward | more than 5 years ago | (#29035637)

To NUKE the place from orbit!!!

Terrorist!

We have laws for people like you, the moment you forget your encryption keys it is you who will be nuked from orbit!

The solution (4, Interesting)

Thanshin (1188877) | more than 5 years ago | (#29035483)

The solution to this and other similar "bad law" problems is making them big and visible to the common population.

1 - Get a worm that allows to save data on infected computers.
2 - Get an encrypting program that supports plausible deniability.
3 - Infect self with worm.
4 - Install encrypting program in all infected machines.
5 - Accuse random people of having criminal data in their computers. (e.g.: "I was playing a WoW game and this guy told me he had several thousand [criminal data]").

They already shut innocents (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#29035531)

Well the Britons already shut innocents in the head for running, forget your password and be send to jail is not too heavy.

on ostracism (0)

Anonymous Coward | more than 5 years ago | (#29035607)

Let us put the blame where blame is really due: on the civil servants who were only following orders (TM) when they used their technical skill to establish that a computer had encrypted data on it, knowing full well that their work might be used to convict someone merely for refusing to speak when an attempt was made to force them. I am sure that some of you guys are even reading this post, angrily justifying in your head why you do your job -- for the children, against the terrorists, because it's an "intellectual challenge", to put food on the table -- but none of these justifications require you to do what you do. It is quite simple: you get a kick from that little drip of power granted to you by an abusive state when you get to contribute all your little bit toward denying the freedom of some poor sod. You trod on ants which were not in your way as a kid, it excited you but you told yourself they were pests anyway; your Day-to-day activity and contribution to society has not improved since then.

  We must single you out and peacefully turn our backs on you for the traitors to freedom that you are. Don't try to justify what you are doing, don't retort with the 1% of cases that the application of your skill was justified to protect the country, because we both know why you are employed to do what you do. Resign, apologise, and join the rest of us!

The UK can suffer serious blowback for this (3, Interesting)

Anonymous Coward | more than 5 years ago | (#29035611)

Yes, the Brits might be able to find something by untrained criminals by this hard handed method, but the blowback from this strategy is going to seriously hurt them in the long run.

Trading partners will be leery to send envoys over to make agreements when at a whim, their machines can be searched, and any trade secrets copied off. If deals are done with British companies, they will be done out of the country, or via electronic means. Companies will not want to set up branch offices in the UK because their facilities can be searched at any time and trade secrets taken. Finally, where does this end? Does someone in the UK have to give up all root/Administrator/sa passwords on request that are on the remote company's VPN or else go to prison?

Of course, the true terrorists are not going to be caught. They don't bring laptops in with their super secret plans. It seems the UK is aiming the RIPA act for more of an industrial espionage type of game than anything else, intending to demand trade secrets via the heavy hand of their bobbies, then hand the results over to their domestic interests. Other countries do this too, but those are very repressive regimes, not a First World nation.

Of course, legitimate people will get around this, but it requires backflips and makes PHBs less interested in doing business with the UK. Some means that people will use:

1: TrueCrypt is the first thing. Perhaps even a TC hidden OS with the decoy OS storing some random chaff in the outer volume. This way, there are no MRU traces of anything in there.

2: BitLocker and multiple users. The laptop's owner has a non administrator user and given the password of the account with the business critical data once in the UK before the meeting. Then when it comes time to head back to the States, the user account is disabled via remote. Of course, a hardware device to grab the Bitlocker volume key can get around this. The user account with the data can be protected via EFS, so when it expires, not even an Administrator can access it. Of course, there are varying methods to recover EFS protected files, so perhaps an Administrator-only accessible script that runs that would erase the sensitive user account before hitting the airport might be needed. If the user is questioned, he could show that he had no access and likely no knowledge of that functionality, it was corporate HQ who did that.

3: VMWare ACE installations. Similar to #2 above, the laptop will have an ACE install with a complete Windows VM present that has all the information needed to access a company network. The ACE install will be valid from a certain starting time and expires before the overseas traveler boards the plane home. Also, the company will E-mail the user the password to the ACE VM once he or she checks in. This way, a traveler will pass through security, and if questioned about the ACE install, will be unable to provide any information on it. On the way back, if the laptop is seized, the ACE VM would be expired and not accessible even with the right credentials. (Of course, the ACE VM would have some security inside it so just using it wouldn't mean free reign on the home corporate VPN.)

4: The hard disk for the business stuff would be mailed to the envoy's hotel. Traveler has a decoy OS on the laptop that is being used for travel, has a hard disk with the real data sent via post (and the password to the data sent via another method). Then the user puts in the real HDD, does his/her work, and when it comes time to head home, the real HDD is either sent back via mail, erased, or physically destroyed. (2.5" laptop drives are delicate and a couple hits from a ball peen hammer have a good chance of shattering the platters.

5: Then, there is the old fashioned way of having the laptop just be a remote client with no data stored locally. The user would have network access that would start when he or she got to the hotel and called in with a coded "OK" message, and expire before he or she goes to the airport. Of course, duress code functionality would be available in case the user is demanded the passwords to the VPN and such, so the passwords work, but the company the user is working for would know that they are under gunpoint or being controlled by a hostile party. Because the user can be held until they provide domain creds, even a domain administrator or other high IT person might need to have their access temporarily restricted until they are back from the trip.

If it were up to me to send someone to the UK to close a business deal, I'd probably go with a laptop that had BitLocker, and two user accounts. One user account would have the business data, one the user's normal stuff. In the business account, the home directory would be EFS protected (recovery key stored at corporate HQ and erased from the machine), and there would be a VMWare ACE install. The user does his business in the ACE VM (which protects against spillover of sensitive data to the machine). Then when it is time to come home, both the account and the ACE VM expire before hitting the airport.

Of course, while the user is overseas, all administrative and sensitive access is closed off unless it relates to the business at hand.

moral of the story... (1)

vorlich (972710) | more than 5 years ago | (#29035685)

Have nothing on your pc that you would not happily shout across the main high street.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?