Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

UK Government Can Demand You Hand Over Encryption Keys

Zonk posted more than 6 years ago | from the shh-don't-give-them-ideas dept.

Privacy 426

iminplaya writes "The UK government can now demand that citizens hand over their data encryption keys - or face jailtime for obstructing justice. The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet. 'The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data ... The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.'"

cancel ×

426 comments

Ha HA (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20822527)

I'm a bored housewife....I need to talk to spark my life up.
call me!!!
(740) 354-2095
(740) 352-0322 (Private Celly)

Mention my myspace page, and I just might show you my ( . )( . )!!!!

http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendID=108370887 [myspace.com]

Troll. So easy to threadjack. (2, Interesting)

Corwn of Amber (802933) | more than 6 years ago | (#20822955)

The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities.


Yay! The Four Horsemen! But they forgot the Money-Launderers.

This reminds me, some guys had sent a PGP-encrypted email to the (Autstralian?) Prime Minister, then reported him to the police. His house was searched for the crypto keys; the next day the law project was put under the rug.

What are you UKsians waiting for?

hmm (4, Funny)

pak9rabid (1011935) | more than 6 years ago | (#20822543)

I guess when wire-tapping and CCTV just isn't enough

Its very important that we all do this. (3, Funny)

TechnoBunny (991156) | more than 6 years ago | (#20822565)

Unless we let the government have access to all our data then the terrorismists will WIN.

After all, if you've nothing to hide then whats the problem? I for one will be printing out all of my data in hardcopy to send to the government, as I am a PATRIOT.

After all - there was no terrorismisticals before the internet.

Re:Its very important that we all do this. (2, Funny)

Anonymous Coward | more than 6 years ago | (#20822609)

I'm sure they'll appreciate all the porn :)

Re:Its very important that we all do this. (2, Insightful)

tomhudson (43916) | more than 6 years ago | (#20822673)

"After all, if you've nothing to hide then whats the problem? "

The problem is that people who SHOULD be hiding things, don't - like the whales on the beach (both sexes) who squeeze into too-tiny bathing suits.

As for the encryption keys - "Gee, I forgot it." Prove otherwise. How many passwords have YOU forgotten?

Re:Its very important that we all do this. (4, Funny)

UbuntuDupe (970646) | more than 6 years ago | (#20822959)

Hm, I generally go with: "Oh, you don't need the key; just factor the semiprime. What, you bad at math or something?"

Re:Its very important that we all do this. (1)

Chrisq (894406) | more than 6 years ago | (#20822675)

I for one will be printing out all of my data in hardcopy to send to the government

Actually it would be a really good protest if you could get everyone to do that for a week, or even a day. Imagine all the mail sacks arriving at No. 10, and all the real letters getting mixed up with data reports!

Re:Its very important that we all do this. (0)

Anonymous Coward | more than 6 years ago | (#20822907)

After all - there was no terrorismisticals before the internet.
Nor gun ownership prohibition in the UK.
Unarmed ... SAFER?

Been like this for years (4, Informative)

CRCulver (715279) | more than 6 years ago | (#20822583)

This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".

Re:Been like this for years (4, Informative)

mikelieman (35628) | more than 6 years ago | (#20822627)

And the idea is why Rubberhose Crypto was developed.

It had setup the system so that there could never be any confidence that ALL the encryption keys have been turned over.

Re:Been like this for years (3, Insightful)

Maximum Prophet (716608) | more than 6 years ago | (#20822709)

If the government has no confidence that you've turned over *all* the keys, won't they just put you in jail indefinitly even after you've turned over the keys?

Re:Been like this for years (1)

speaker of the truth (1112181) | more than 6 years ago | (#20822823)

This is the UK government, not the US one. I can't think of any recent instances where the UK has detained someone indefinitely without coaxing from the US.

Re:Been like this for years (2, Informative)

rucs_hack (784150) | more than 6 years ago | (#20822879)

not so long as the keys they have allow access to all your encrypted data that they know about.

I use a somewhat secure method to protect my personal data. Its a thing I like to call 'burning to dvd and not keeping it on my pc'.

Yes I know dvd's can be stolen, but they have to find them first. Anyway, most of what I'm worried about isn't ephemorous threats of government snooping, but the far more likely possibility of my machine being hijacked by criminal types over the tubes.

Re:Been like this for years (5, Interesting)

Chrisq (894406) | more than 6 years ago | (#20822801)

GnuPG has a --show-session-key command, so that when you are asked to reveal the key for an encrypted message you can comply with the law by revealing the session key that was generated for that specific message rather than your secret key. This complies with the letter of the law, so you can ask for a written order for each individual message. Of course if they are really serious at this point they will smile at your request and get out the rubber hoses....

Re:Been like this for years (2, Informative)

julesh (229690) | more than 6 years ago | (#20822985)

This law has been around for years. In fact, back when PGP was big, some UK residents on Usenet would have sigs saying something like, "If I revoke a key without explaining why, it is due to that law".

The legislation was passed in 2000, yes. However the law was phrased so that it wouldn't become active until parliament provided a code of practice and announced a date for it to become active on. The last I heard there was a draft code planning to commence the law on 1 October 2007. I hadn't heard about this passing parliament, though, so thought it was going to happen. I may be wrong, though.

Re:Been like this for years (3, Informative)

julesh (229690) | more than 6 years ago | (#20823047)

Yes, here it is. It passed in july [legislation.gov.uk] .

Old News (0)

malsdavis (542216) | more than 6 years ago | (#20822603)

This laws was implemented years ago. The article author seems to know very little about the law in this respect, especially as it has barely changed since introduction in its 2000/20001. Thankfully, it appears it has yet to be used in a non-terrorism related case.

Re:Old News (5, Insightful)

Salsaman (141471) | more than 6 years ago | (#20822757)

Thankfully, it appears it has yet to be used in a non-terrorism related case.

Since part of the law prohibits telling anyone that you have had to hand over the keys, how can you be sure about that ?

Re:Old News (1)

malsdavis (542216) | more than 6 years ago | (#20822893)

Because this sort of thing is documented quite clearly in reports and statistics. Maybe their government illegally fails to report the use of the law, but then why bother making the law in the first place?

Re:Old News (0)

Anonymous Coward | more than 6 years ago | (#20823363)

New here, are you?

Re:Old News (2, Insightful)

UbuntuDupe (970646) | more than 6 years ago | (#20823045)

You're saying, it's illegal to tell people what semiprimes the government knows the factors of?

You're missing the point. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20823099)

This is Slashdot, it only matters when it's too late because that's the best time to whine about it. Whining when it was still in the planning stages would mean people would have to get off their arses and actually do something like, you know, write to their local MP.

Frankly, this story just about sums up what the internet has become, a place for people to whine and bitch and moan about the things they could have done something about if they hadn't all become so god damn lazy.

The whole MediaDefender thing was fantastic because it showed that there were still some out there who cared enough about our right to freedom to do something unfortunately however they are the absolute minority.

Re:You're missing the point. (1)

julesh (229690) | more than 6 years ago | (#20823223)

Frankly, this story just about sums up what the internet has become, a place for people to whine and bitch and moan about the things they could have done something about if they hadn't all become so god damn lazy.

Actually, a lot of us did do things about this at the right time, thank you. Lot of good it did us, of course, but at least we tried rather than just complaining about people who aren't trying.

Re:Old News (2, Informative)

julesh (229690) | more than 6 years ago | (#20823177)

This laws was implemented years ago. The article author seems to know very little about the law in this respect, especially as it has barely changed since introduction in its 2000/20001. Thankfully, it appears it has yet to be used in a non-terrorism related case.

No, the law was *made* years ago. It has yet to be used because it first entered into force yesterday. Give them time! :(

hidden volumes (2, Interesting)

kalpol (714519) | more than 6 years ago | (#20822605)

I'm curious to see how they handle hidden volumes on encrypted disks. Sure you can give up the first key, but if you don't give up the second (or the x-th, how far can you nest these?) who's to know?

Re:hidden volumes (4, Informative)

malsdavis (542216) | more than 6 years ago | (#20822699)

Because the law wasn't designed to work like that. The police can't demand "hand over all your passwords so we can route around for anything illegal", it has to be a specific key to a specific piece of suspected evidence (e.g. Database or file). If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.

This aspect of the law is routinely ignored on Slashdot to try and enhance the "evil" reputation of the law.

Re:hidden volumes (3, Insightful)

R2.0 (532027) | more than 6 years ago | (#20823187)

2 reasons I have a problem with laws such as this.

1) They violate your rights against self incrimination. Per the US constitution, I cannot be compelled to testify or offer evidence against myself. What this law says is that I MUST testify against myself, in the form of giving up *knowledge* that I have for the state to use against me.

2) While the warrant may be issued for a small piece of information, it has the potential to lay all your secrets bare. Let's say I am accused of child pornography, and that's what the police are "looking for" in the encrypted directory marked "Private". All of the data in that directory is subject to discovery. So if they find pictures of my infant daughter without her onesie, and figure out that this is simply a divorce case gone bad, the child porn investigation dies. But now they have also seen my financial records, and discover that I've made some questionable tax deductions, and the case now gets referred to the IRS. Or they find money that I've been hiding from my ex-wife, and hand her that info.

Slashdot law (1)

westlake (615356) | more than 6 years ago | (#20823241)

If you had hidden volumes on an encrypted disk they would have no way to know there was potential evidence there and therefore could not demand you hand over the password.

Not true.

The warrant will be for a search of your hard drive.

The consequences won't be pleasant when a judge asks why you withheld the key to a hidden volume that was known to others or was exposed in forensic analysis.

Re:hidden volumes (2, Insightful)

Chrisq (894406) | more than 6 years ago | (#20822707)

Just wait for them to ask for the key. If they don't know there's more data then they won't ask.

Re:hidden volumes (0, Offtopic)

Library Spoff (582122) | more than 6 years ago | (#20822737)

That's why I've got Gay Pron on my hidden volume.
Yeah - that's right i'm gay, it's my secret...

Re:hidden volumes (0, Flamebait)

Library Spoff (582122) | more than 6 years ago | (#20823163)

offtopic... you fuckwits. You mean -5 Unfunny..

Not exactly news (4, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#20822613)

RIPA has had a lot of negative coverage since the idea was first raised. Someone at the time proposed emailing the Home Secretary with a few MBs of random data and the text 'here is the information on your opium import operation. The key is as we agreed' and then sending a tip to the police. If the Home Secretary does not disclose the key (which he doesn't have) then he is liable for 5 years of jail time. Or, the government could see how silly the act is and repeal it. Since the law just went into force, I expect civil liberties groups will start trying this soon.

Re:Not exactly news (0)

Anonymous Coward | more than 6 years ago | (#20822927)

Very interesting.

BTW, here's the data you requested on our dastardly plans to infiltrate and incapacitate GCHQ.

4d34badc31c53 a11595147421
c e31f65ca97574 891edcfe194
2e c71d4f15f7ab2 437c805af2
6e1 786a62170671b 6962ba536
e3c8 2ff107971f937 a9ec445a
615b5 ca993c82e9970 a79ee47
c0c067 78c3d9d7203b2 14c946
0e4f2cb 28c9f31c6e546 84937
a734c94a e3caff3c8209e 684a
edf816399 753bf2fcdfb0b 32b
d1255d43cc 43fdd6202232e 01
91dd39a5b0b 84e5028005636 9
5ab3addbaaf3 44e5f79dda06a
0c132b9d6c83a 3d431980e778
5 526bd77fbaa47 11f4b32074a
f4 87c1c143c1a41 5eba6db627
947 0810da79b3a07 611a379f1
0cd6 e403c1be19882 4cc43365
e9c78 e74ce30e6df2b 0b48d85
9d8c3e ada259aa58d67 4366f6
13fec58 9d5db0a6300da 568cd
c043fb43 b3f0c8e159200 5003
b6933703c 337862b638f19 5bb
5b15c413e5 665a29da14ddb 05
a1ffcb58cb5 1c8f1f6798072 2
bf06f61161e1 66e2c0f4f1458
de941c00c7038 2990b07933a2
7 93bfc9d5df1ef e501d2b7368
a0 bdad54103da12 704603b148
3f0 768163e013424 8fea26a7c
ba7c f00f17598cd7c ea11fa0d
433fb 0a5875874afa3 860f3fa
409e17 35a20bc533bcb f6a9a2
0b13ac7 a56cc917c1387 6c238
2a2c45cf 7fa3759e1573d 340c
c79ea1044 c9999083309ce a26
dfa206e70d 21d66a0f49fcd 3c
60b131f3b13 20b2dd4b4a64a a
ea7be32ef320 25b49e540225e
604baf94652a8 19b39e953338
7 4baa90aeb5d59 3bcd3e6f20
You can decrypt it with the key in your possession ref "black Tuesday".

Good luck.

More stupidity (0)

Anonymous Coward | more than 6 years ago | (#20822631)

> The law only applies to data on UK shores

So an offshore shell account renders this law useless? What a bunch of morons!

Hand the keys over (3, Interesting)

DuncanE (35734) | more than 6 years ago | (#20822635)

If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

Are we surprised that digital keys have the same requirement?

And as for all the other (physical) keys you can refuse and let the courts (and a jury) decide.

Re:Hand the keys over (1)

Conspiracy_Of_Doves (236787) | more than 6 years ago | (#20822925)

A judge is one thing. If they have a warrant, then that's fine. This story is talking about the police demanding that people hand over their encryption keys.

Re:Hand the keys over (1)

speaker of the truth (1112181) | more than 6 years ago | (#20823013)

No it says authorities can demand that the keys be handed over. Authorities can also demand someone be arrested, show up at court and serve a sentence in jail. It doesn't say whether or not a court order is required in this particular article, but I don't think its overly naieve to assume that it would be covered by the same laws that cover searching people's physical premises.

Re:Hand the keys over (0)

Anonymous Coward | more than 6 years ago | (#20823015)

Yeah, go figure. It has been this way in the US forever and there have been cases where folks have say in jail rather than hand over their encryption keys (it's contempt of court or obstruction depending on the official order that was handed to you)


The key is to not end up in a court, you've already lost if you're expecting encryption to save your ass at that point. They already know what you did or didn't do. Everybody is tough and willing to "fight the power" when it's not them, when a judge orders you to do something and you don't and you get to sit in jail until you decide to do it the idealism tends to fade. There is no encryption or obfuscation that will work, if a judge believes you have data and requests it and you can provide it, regardless of the format, encryption, etc.. you will most likely provide it or go to jail.


One thing I would be worried of is required compliance without a lawful order or if federal investigators were some how granted the ability to give lawful orders to civilians.

Re:Hand the keys over (1)

nasor (690345) | more than 6 years ago | (#20823103)

People use "key" as a metaphor for "the information that you need to decrypt the data," but it's not clear that a cryptographic key is really analogous to a physical key. Suppose I try to keep my information private by writing in some obscure language that almost no one knows and that the police can't find a translator for. Would forcing me to explain the language so that the police can read my diary really be analogous to forcing me to hand over the key to my shed?

Re:Hand the keys over (4, Insightful)

CastrTroy (595695) | more than 6 years ago | (#20823145)

Digital keys are not physical items. This is like them demanding that you hand over your thoughts. In the US, and many other countries, there are laws stating that you have the right to remain silent, and that you don't have to testify against yourself. If you don't hand over the keys to your house, car, or safety deposit box, there's other ways of retrieving such physical objects by just taking them from you. If you don't hand them over, and they have a search warrant, they are allowed to break the lock. They can't do that with thoughts in your head.

Re:Hand the keys over (5, Insightful)

itsdapead (734413) | more than 6 years ago | (#20823199)

If a judge asked you to hand over the keys to your house.. or your car.. or your safety deposit box.. you are legally required to follow that order....

But...

  1. That will typically require a court hearing "on the public record"
  2. Even a technically ignorant judge should be able to decide (a) whether its your house/car/box (b) whether its plausible that you have lost the keys (c) whether the police have a reasonable justification for wanting access and (d) whether the fact that you have a lock on your door or possess a saftey deposit box is, in itself, suspicious.

Unfortunately, as soon as computer technology is involved, even some otherwise highly intelligent people instinctively turn off their brain and may be convinced that the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.

Re:Hand the keys over (0)

Anonymous Coward | more than 6 years ago | (#20823365)

the existence of an encrypted file on your hard drive is tantamount to being found in possession of a giant underground bunker complete with piranha tank, spy-bisecting laser and fluffy white cat.

Way to stereotype us. I'll have you know that we modern supervillains favour pedigree Siamese and Burmese. Fluffy white cats are sooo last millennium...

Truecrypt (2, Informative)

Anonymous Coward | more than 6 years ago | (#20822643)

Encrypt using Truecrypt, which supports plausible-deniability [truecrypt.org] . Allows you to have an encrypted volume and then a "hidden" encrypted volume within that. If you're ever forced to give up your key due to extortion or torture, you only need to reveal the key to the outer volume and the inner hidden volume remains encrypted.

Re:Truecrypt (2, Informative)

TheRaven64 (641858) | more than 6 years ago | (#20822769)

I have a few friends who work in police forensics. Trust me, they know about Trucrypt. Interestingly, security by obscurity doesn't work when you tell everyone about it...

Re:Truecrypt (2, Informative)

jesdynf (42915) | more than 6 years ago | (#20822891)

Doesn't matter that they know about it. That's the *point*. They may "know" it, but they can't *prove* it.

Remember, you should assume your adversary is fully conversant with every aspect of your encryption system except the key. Any "secret process" it relies on is a good sign that you don't have an encryption system, you have a filing cabinet with a very expensive picture of a padlock painted on the side.

Your friends know about it. That's not the point. What they can *do about it* is the point.

Re:Truecrypt (1, Informative)

Anonymous Coward | more than 6 years ago | (#20823003)

I have a few friends who work in police forensics. Trust me, they know about Trucrypt. Interestingly, security by obscurity doesn't work when you tell everyone about it...

So how can they prove you have a hidden volume? Or even better, a hidden volume in the hidden volume? And as for volume size, just make them all 750MB isos for convenient backup burning, for all your encrypted files. Who knows how much is really used or what's really in there? And, for most of your encrypted files, you could probably honestly say there are no hidden volumes, because you are just protecting normal data and there's no need for a hidden volume, which is probably how 99% of Truecrypt users use it anyway. I don't see anyway around this for the gov't except (1) assume guilt a priori for anyone who uses Truecrypt, or (2) make the use of Truecrypt illegal.

Re:Truecrypt (4, Insightful)

49152 (690909) | more than 6 years ago | (#20823289)

I don't think you quite understand the principles behind "hidden volumes" in Truecrypt.

The point is not that they don't know it is possible. The point is that it cannot be proven that there is a second encrypted volume within the first one.

This makes it plausible to deny that it exist at all. If store some sensitive information in the outer volume, like some very embarrassing but not illegal pornography you can make a claim that this was the sole purpose of the outer Truecrypt volume. The law enforcement agency will have a hard time getting a judge to order you hand over keys to a hidden volume they cannot prove exist.

Hidden volumes in Truecrypt got nothing at all to do with "security through obscurity", it's all about "plausible deniability". You can ask your friend in the police about that, if he has any experience with the security community at all he should be very well acquainted with this term.

Of course, if you admit or in other ways make it provable that there exist an inner volume then all bets are off ;-)

This will probably work in societies like USA and UK where the police have to follow certain procedures. In countries like Burma or China where they will just torture you until you confesses or dies, I'm not so sure about the value of this scheme.

Meh (1, Interesting)

Anonymous Coward | more than 6 years ago | (#20822653)

This is why you need to use something steganographic not just encrypted - just give them the fake key rather than the real one and it'll decrypt to some mockup installation full of boring crap. To my mind, the main risk is evil British intelligence services (I'm Irish, suffice to say my race has reason to call those people evil) wanting to grab your gpg key or similar in order to impersonate you, so planting a dummy key in the fake installation is also smart - if anyone uses the key to sign a message, your cell can know the enemy are on to you.

Re:Meh (0, Offtopic)

kevin.fowler (915964) | more than 6 years ago | (#20822683)

Or a false key that causes the tape to self destruct.

I'll get you, Gadget.

Three Words (4, Insightful)

ricree (969643) | more than 6 years ago | (#20822661)

Truecrypt hidden volumes

This is exactly the sort of situation that hidden volumes were created for. The government asks you to hand over your encryption keys? "Well sure officer, here's the key to my encrypted volume, but there really isn't anything on there besides some harmless porn (or anything else that might be plausibly embarrassing enough to keep hidden away)" Of course, it's probably only a matter of time before someone decides to make it illegal to possess programs that can create any sort of hidden volume, but that's another issue.

Re:Three Words (1)

kpainter (901021) | more than 6 years ago | (#20822913)

Truecrypt hidden volumes
Officer: That's nice. Thanks for the boring crap. Now, lets have the REAL key! *SMACK!* Bzzzzzztttttt!!! Bzzzzzzzzzzzz!! You: *screams of agony as they electrocute your balls* Ten minutes later... You: 09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0

Re:Three Words (2, Funny)

cryptoguy (876410) | more than 6 years ago | (#20823053)

When they outlaw hidden volumes, only outlaws will have hidden volumes.

So, lemme get this straight... (5, Insightful)

R2.0 (532027) | more than 6 years ago | (#20822665)

A terrorist/pedophile/whatever is arrested, and his computer is seized. The authorities demand the suspect hand over the key, or he will face obstruction of justice charges and a year in jail. Does he

a) Tell them to get bent, go to jail for a year as a symbol of government run rampant (face it, some "activist" will pick up his "cause")

or

b) Immediately hand over the key, which is then used to procure the evidence of his computer, putting him in jail for 20 years as an ACTUAL terrorist/pedophile.

That's not even getting into the situation if one is NOT an actual pedorist. Terrorphile?

Re:So, lemme get this straight... (1)

Opportunist (166417) | more than 6 years ago | (#20822861)

Here's a bet: I predict a law as soon as someone does that, which says that whoever refuses to hand in keys will be treated like someone who admitted what he allegedly did. I.e. you are accused to be a terrorist and refuse to hand over the keys to your files, you're a terrorist by default, because only if you are what you're accused to be, you would refuse to cooperate.

Re:So, lemme get this straight... (0)

Anonymous Coward | more than 6 years ago | (#20823001)

Guilty until proven innocent?

Re:So, lemme get this straight... (1)

Calinous (985536) | more than 6 years ago | (#20823085)

This goes all against the need of the accuser to prove you are wrong. Remember "innocent until proven guilty"?
      The fact that you refuse to obey to a law is not proof that you are breaking other laws.

Solution? (5, Insightful)

Cheesey (70139) | more than 6 years ago | (#20822671)

For private communications, don't send encrypted emails. If the encrypted email is captured by a wiretap, the fact that the ciphertext could be decrypted by the recipient is enough to allow the authorities to force that recipient to decrypt it.

Instead, you should establish an encrypted connection, use it to exchange private information, then destroy the keys after the connection is closed. SSH is one protocol that does this automatically. That way, although a wiretap can record the ciphertext, the authorities cannot retrieve the encryption keys because they no longer exist. Your democratic right to privacy is preserved.

I wonder if any instant messaging programs have implemented this? If so, do they consider the possibility of man-in-the-middle attacks as SSH does?

Re:Solution? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20822781)

I can't think of any e-mails I'd want to send that I'd want to encrypt from the authorities in such a way. It boggles the mind that so many here at slashdot do send such e-mails, or are at least willing to hide trivial things.

Re:Solution? (2, Insightful)

jedidiah (1196) | more than 6 years ago | (#20822979)

Then you simply have no imagination.

Not very well informed either.

Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choose to draw strange inferences out of it.

Oppose the wrong law. Support the rights of the wrong types of people. Practice the wrong religion.

Re:Solution? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20823093)

Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it. They can either try to make something out of the information itself directly or choose to draw strange inferences out of it.
Citation needed.

Practice the wrong religion.
Funny, the US not having these laws sure isn't helping Muslims in guantanmo bay.

Re:Solution? (1)

BgJonson79 (129962) | more than 6 years ago | (#20823215)

What makes you think those guys in Gitmo are followers of Islam?

Re:Solution? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20823361)

Because some of them have been released and spoken with the media. Or are we going to get really paranoid here? By the way the fact that they're muslim or not muslim doesn't make it okay to imprison them. I am quite disappointed that not only have the courts not done anything to stop them, but that none of the major candidates running for president have talked about getting rid of it.

Re:Solution? (2, Informative)

Hoi Polloi (522990) | more than 6 years ago | (#20823217)

Governments have a nasty habit of taking innocuous data and trying to make something sinister out of it.


Like when they spy on you in the airport for having a "bad" book [wired.com] ?

Re:Solution? (1)

mrcparker (469158) | more than 6 years ago | (#20823079)

I worked in health care for years, and it was easier to encrypt all emails rather than picking through the sensitive ones. I think that a lot of people are less concerned with the government and more concerned with non-government people reading their emails. I imagine that a lot of people that read Slashdot have to encrypt their email, either through company policy or legal concerns.

Re:Solution? (1)

quanticle (843097) | more than 6 years ago | (#20823095)

Ah, yes. The old "I have nothing to hide, so I don't mind you violating my privacy argument". My response is that this assumes that the government is perfect, i.e. competent enough to interpret all information correctly, 100% of the time, without bias. I don't want to be placed on a no-fly list because of something inopportune I might have said to a friend.

Re:Solution? (0)

Anonymous Coward | more than 6 years ago | (#20823117)

Earthlink read my email based off keywords apparently. I sent an email to a mailing list with phrases like 'data loss' and 'strange error' and 'bring it to your attention' and received a response from Earthlink saying "We understand that your computer loses data [details from my email]. Unfortunately, the issue you are having is related to your system rather than the Internet connection via EarthLink."

Some people may not care what the authorities see, but don't really want some random shmoe reading their emails.

Re:Solution? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20823313)

So why keep the encryption from the authorities when asked to hand it over? This is what the majority of posts have been about.

Re:Solution? (1)

Gr8Apes (679165) | more than 6 years ago | (#20823203)

I think it's more of a "I want my privacy" issue than any need for "secrecy". Basically, don't stick your nose into my business. If I wanted you to read my super secret double delicious chocolate chip cookie recipe, I would have Cc'd you.

After all, why do you send anything in an envelope instead of on postcards? You don't have anything to hide, do you?

Re:Solution? (1)

speaker of the truth (1112181) | more than 6 years ago | (#20823251)

Basically, don't stick your nose into my business. If I wanted you to read my super secret double delicious chocolate chip cookie recipe, I would have Cc'd you.
Wow, well I guess it takes all kinds really. Personally I'd want to help the police in an investigation anyway I can (as I have no plans on breaking any of the current laws. If future laws are enacted I felt the need to break my voluntary aid might come to a halt) so they can eliminate me as a suspect and move onto catching the real criminal.

After all, why do you send anything in an envelope instead of on postcards?
1) I don't send letters. I have however sent postcards
2) You can fit more onto letters
3) Postcards can be read by anyone (including the mail staff). I might not feel like the whole world knowing what I write, now the police on the other hand I wouldn't care if they read.

Re:Solution? (1)

MightyYar (622222) | more than 6 years ago | (#20823267)

Look at the silly things we all do that are illegal and would be used to pin us against the wall if someone in an authority position were so inclined. I'd have a hard time finding someone who has:
  • never used "pirated" software,
  • never smoked a joint,
  • never drank while under age,
  • never downloaded a "pirated" song (or for that matter made a mix tape)

For an example of how the government can get completely out of control over absolutely nothing, look at those kids in Florida who were arrested for distributing kiddie porn - of themselves! [news.com]

You never know how the government is going to screw you - being careful is prudent even if you aren't going to run for president someday. Hell, even my innocent search on Google for that news article probably raised a flag in some government kiddie porn office.

Re:Solution? (1)

TheRaven64 (641858) | more than 6 years ago | (#20822797)

You might want to look at SILC. It's not exactly instant messaging, although it can be used for IM. It meets the requirements you describe.

Re:Solution? (1)

Kr3m3Puff (413047) | more than 6 years ago | (#20822903)

Yes, but how do you address storage of private data? Because it isn't all about communicating securely.

Saying you forgot the key, as someone mentioned, only gets you put in jail for perverting the course of justice.

Truecrypt Hidden Volumes can possible give you plausible deniability. I guess that is the only way.

Re:Solution? (1)

Cheesey (70139) | more than 6 years ago | (#20823151)

Indeed, that is another problem.

I regard the keys to my encrypted filesystems as being secret, but I would still produce them if I was forced to do so by the UK police. So the layer of encryption doesn't provide security against the Government, but it does protect the data from thieves and tampering, and it forces officials to ask me for the keys if they want to see what's on the disk. I think that's about as good as things can get.

Intended usage (2, Insightful)

feed_me_cereal (452042) | more than 6 years ago | (#20822685)

The Home Office has steadfastly proclaimed that the law is aimed at catching terrorists, pedophiles, and hardened criminals--all parties which the UK government contends are rather adept at using encryption to cover up their activities


That's right, I seem to recall that Rivest, Shamir, and Adleman wrote about providing protection for pedophiles and terrorists in the motivation section of their paper on RSA.

Just do what the USA administration does (-1, Redundant)

svendsen (1029716) | more than 6 years ago | (#20822689)

Claim you:

1. Can not recall your key
2. You have no recollection of ever setting up encryption
3. By them asking for the keys they are letting the terrorists win
4. Give them the key after you have declassified it (aka all black lines)

Re:Just do what the USA administration does (1)

julesh (229690) | more than 6 years ago | (#20823263)

Claim you:

1. Can not recall your key
2. You have no recollection of ever setting up encryption


Unfortunately they seem to have thought of this. Not being able to recall your key is not a defence, unless you can provide evidence that you've forgotten it. And they only have to show reasonable grounds to believe you ever had it, not that you actually did.

The difference between UK and US (0, Offtopic)

Tiger4 (840741) | more than 6 years ago | (#20822733)

In the UK, the rights of the people are what the Parliament decides. Tradition is what holds them back from being tyrants. Unwritten constitution and all that.

In the US, the rights of the people are written into the Constitution and it explicitly says there might be more. Traditionally, Congress ignores this and runs wherever the political wind blows them. They wait for the courts to save them, or for the political winds to shift again.

Either way, the only real saving grace is staying engaged politically. Keep the politicians from stealing everything you have in an effort to save it for you. There are still people who think that freedom is too precious to be given to the people they are protecting it for. Damn.

Re:The difference between UK and US (2, Insightful)

malsdavis (542216) | more than 6 years ago | (#20822837)

"There are still people who think that freedom is too precious to be given to the people they are protecting it for. Damn."

The problem is "Freedom" is a very abstract concept that can be easily twisted to mean both opposites. Speeches by infamous dictators like Hitler and Pol Pot often feature words like 'Freedom'. Most of the time it's not that people wish to deny Freedom, but that they disagree on what freedom is.

i.e. Freedom to buy addictive drugs or Freedom from addictive drugs?

Re:The difference between UK and US (1)

OdinOdin_ (266277) | more than 6 years ago | (#20823063)

Freedom is both. Freedom is the ability to act on your own free will (not as others desire you to do) providing the acts you commit are not detrimental to another.

All that remains is for common law to decide what acts are detrimental and what are not.

So you are correct, with freedom you can buy addictive drugs if that is your will or you can refuse addictive drugs if that is also your will (as opposed to being pushed them by a dealer). But at the end of the day it create a society of strong willed and morally balanced people which is exactly the world I'd like to live in.

Freedom from Self-Incrimination (1)

Nymz (905908) | more than 6 years ago | (#20823153)

Most of the time it's not that people wish to deny Freedom, but that they disagree on what freedom is.
From the 5th Amendment: "nor shall be compelled in any criminal case to be a witness against himself". So jailing someone, because you think they could unlock some data, that would incriminate them, would violate their rights. Of course this is from the USA Consitiution, but UK citizens might have something similiar.

Re:The difference between UK and US (1)

drsmithy (35869) | more than 6 years ago | (#20823239)

There are still people who think that freedom is too precious to be given to the people they are protecting it for. Damn.

Indeed. Look no further than any GPL vs BSD discussion for evidence of that.

/Couldn't resist.

Re:The difference between UK and US (0)

Anonymous Coward | more than 6 years ago | (#20823295)

The two English speaking countries that start with a "U" are in a contest to see who can take away more of their citizens' liberties and gain the most governmental power.

So far it's a really close race.

The English speaking countries that start with "A" and "C" are way, way, way behind; so far behind that they don't even count. Hiel WTA, comrade!

-mcgrew [kuro5hin.org] (old linked K5FP article is a rant explaining why the bill of rights is no longer meaningful)

Re:The difference between UK and US (1)

julesh (229690) | more than 6 years ago | (#20823351)

In the UK, the rights of the people are what the Parliament decides. Tradition is what holds them back from being tyrants. Unwritten constitution and all that.

Bullshit. We have plenty of written documents that provide our rights, dating back to the Magna Carta [wikipedia.org] and most recently the Human Rights Act 1998 [wikipedia.org] (which forms part of several international treaties so is not something the government can back out of easily). Most of the British constitution [wikipedia.org] is written, however it isn't written in a single document like the US constitution. This makes it harder to understand in full, but doesn't really diminish its power.

Dear U.K. Government: (0)

Anonymous Coward | more than 6 years ago | (#20822773)

Protest the U.K. Government: Don't visit the bastards.

Yours sincerely,
Kilgore Trout

P.S. : Defend Democracy: Fuck Bush [shoutfile.com]

ah (0)

Anonymous Coward | more than 6 years ago | (#20822819)

The law only applies to data on UK shores, and doesn't cover information transmitted via UK servers across the internet.
so of course any real encrypting being done will be exactly what the law doesn't cover. hurray for ineffective anti-privacy laws.

I like money (1)

spleen_blender (949762) | more than 6 years ago | (#20822887)

I smell a budding market rife with desire for custom made encryptions. Such a black market could make some clever and morally grey individuals quite a bit of money. Gotta love the free market :)

What if...? (3, Interesting)

Opportunist (166417) | more than 6 years ago | (#20822905)

What if I don't have the keys but only store the data (i.e. I'm a backup service provider who stores data for people he doesn't even know by name or anything but IP address, which is fleeting at best)? What if I simply cannot remember the keys or, in case of keydisk/keyfile systems, have lost either (or destroyed because the archives are old backups no longer needed)? What if I don't remember which version of which cypher program was used to encrypt the keys (I tend to have that problem, actually, with a few archives...)?

I don't have a problem handing the keys to the authorities provided they can give me a good reason they need them (I really don't enjoy handing out trade secrets, you know...), but what if I just simply and plainly cannot?

Re:What if...? (0)

Anonymous Coward | more than 6 years ago | (#20823341)

Exactly. What if that random block of data isn't encrypted, it's really just random data? How can you give keys to something that's not even encrypted in the first place? What's the difference between random data and encrypted data?

Dead-mans handle saves (3, Interesting)

samjam (256347) | more than 6 years ago | (#20822909)

Have an off-shore cron job to revoke your keys if you don't touch them often enough.

When you are asked for the keys, refuse until you are arrested and unable to save the keys from being revoked.

The revocation is the trigger that you have been asked.

Sam

Variant (2, Interesting)

jbeaupre (752124) | more than 6 years ago | (#20823327)

Keep your encryption keys offshore.

You have the password to unencrypt your offshore keys. This password cannot be demanded of you (jurisdiction). But when you want to use your encryption keys, your application asks for the password, retrieves the key, and performs your data decryption (locally or remote?).

Decidedly more trouble than it's worth, but an interesting thought exercise.

12345 (0)

Anonymous Coward | more than 6 years ago | (#20822919)

But then they will know my luggage combination.

How to screw someone (3, Interesting)

linuxwrangler (582055) | more than 6 years ago | (#20822943)

1. Place files full of random data on their machines

2. Tip off the authorities to their "terrorist plans"

3. Watch them get five years for "refusing" to decrypt the "data"

You can have my encryption key... (1)

Billosaur (927319) | more than 6 years ago | (#20822993)

...when you pry it from my cold, dead, mouse hand.

Re:You can have my encryption key... (1)

CRiMSON (3495) | more than 6 years ago | (#20823089)

I'm sure they'd be happy to say you resist and taser the living shit out of you. You die? Oh well, 1 more terrorist dead. You complain about being tasered.. But think of the children!

Search warrants? (2, Insightful)

osgeek (239988) | more than 6 years ago | (#20823007)

Does the UK have the concept of a search warrant?

I know everyone gets their panties in a wad about the guvmint decrypting their data, but I'm somewhat okay with it if a court is involved in the issuance of a valid search warrant. It's not fundamentally different from the court-overseen right to come into your home and search the premises.

You can't completely declaw the police or they'll be useless at any type of law enforcement.

Plausible deniability (1)

glindsey (73730) | more than 6 years ago | (#20823083)

Those aren't encrypted files. I just like to keep a few multi-gigabyte files of random data on my system at all times -- it's a fetish of mine.

Here is my key... (1, Funny)

Anonymous Coward | more than 6 years ago | (#20823169)

... "it is Pi to 10 billion places"

Wake me up 3 life times form now , when you are done inputting the key passphrase.

Data or Junk? (1)

Nomen Publicus (1150725) | more than 6 years ago | (#20823191)

It's a very clever government if it can tell the difference between well encrypted data and a block of random bytes. Perhaps they will make having a USB drive full of random numbers illegal.

The really evil part (5, Insightful)

ribuck (943217) | more than 6 years ago | (#20823197)

The really evil part is that you can be forbidden from telling anyone that you were forced to decrypt your documents, under penalty of imprisonment. Without public scrutiny, this law is inviting abuse.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...