Police force more suspects to give up crypto keys Police have expanded their use of powers to force suspects to decrypt files by 50 per cent in the last year, figures released today reveal. In the 12 months to March 31 this year, government officials approved 38 notices under Part III of the Regulation of Investigatory Powers Act, compared to 26 in the previous year. The …
What else were they going to do than to step up their lawful use of this arguably abusive law?
Even the charge with something spectacular, obtain notice, get passwords, find naughty things to really charge with, drop frivolous charges routine is nothing but the expected from the plod these days. They clearly _need_ this law to get their conviction rates. Doesn't have much to do with what the rest of us would call justice, but that's a small price to pay to showcase a working (as in, "does something") police apparatus to the public. All y'all we'll keep safe with our new laws, honest! For your own good!
They need 17 notices to improve conviction rates? Name *any* crime (by regional force remember) where 17 conviction will not be a drop in the ocean.
Never let the facts get in the way of a hysterical rant eh? Your sentiments may be bang on - how about thinking of a less extreme way of presenting them - otherwise you are as bad as them.
Such as innocent until proven guilty and the right to silence. The RIPA obligation to handover keys violates these 2 principles by obliging a suspect to cooperate in the collection of evidence for the purpose of their own prosecution.
The possibility that a few guilty people might be locked up on account of this who otherwise wouldn't be doesn't justify locking up otherwise innocent people who refuse to cooperate in this procedure. How long it will take a case of someone who is innocent and does not cooperate to get before the European Court of Human Rights based on violation of the ECHR (European Convention on Human Rights, section 8 right to privacy and section 6 right to a fair trial) is an open question.
If you are a pedo but the only crime they can actually pin on you is "Part III of the Regulation of Investigatory Powers Act" because all the evidence they have is encrypted then from their point of view its better to go down for 2 years for that than fess up and go to prison and get the shit kicked out of you every day for being a pedo.
Still this opens up the way for someone to maliciously plant an encypted file on someones pc then report them that they may be a kiddy fiddler. the innocent person gets arrested and cant give up the encryption keys as they don't have them, and could get 2 years for it.
Ive downloaded some files from forums that were hosted on rapidshare before now that were pass protected zips and dont necessarily remember exactly which forum and which post has the password now.
I don't think you understand the full implications of not handing your password over. The two years is more for you to think about complying with the request. Once you've served the time you'll get another two to think it over and so on. The offence hasn't gone away and double indemnity no longer exists.
...and used a dummy encryption system that points to only mildly incriminating evidence. If police demanded you offer the key, wouldn't you send that key, take the slap, and count your blessings? Or were police smart enough to send repeated notices to the same person on suspicion of just such a secret secret stash?
...what about steganogrpahy? Hiding things in non-obvious places like within music, movie, or graphics files? Might not police use the concept to be able to bang on a door, any door, and insist "The picture of your gran has a hidden message inside it. Give us the key to reveal it or we'll put you away for two years." Not like you're gonna be able to do much good with a "Sod off."
...if it's a Freenet URI. You know, hide the files in the Freenet cloud and simply communicate how to reach it in a steganographic message.
And some of the worst things can come in tiny little messages. Things like...terrorist communiques? Wouldn't that get the government up in arms? As for the lack of a program on the computer, the supposition of a web- or cloud-run program takes care of that.
This is one of the reasons to use truecrypt if you don't want the authorities to pry through your stuff. With it's encrypted within encrypted security it allows plausible deniability - if you don't want them seeing your stuff, but don't want to go to jail for not giving them your password, encrypt it twice and only give them the first password and deny any other password exists
TrueCrypt allows for plausible deniability by actually having 2 volumes encrypted with different keys in the same file - one starts at the start (the throwaway one), one starts at the end of the file (the secret one).
You can either use just one volume or two - and there's no way to determine if the second volume exists
When you enter a password, it tries to decrypt a header at the start of the file. If that fails, it tries to decrypt a header at the end of the file - so using a different password accesses a different volume.
You can also use BOTH password so that TrueCrypt is aware of both volumes - which allows it to be more careful about letting one volume overwrite the other.
That said, I use TrueCrypt to secure source code from work on my home machines - Simply as a precaution. I don't bother with a hidden volume. Of course, whether they'd believe me if it ever came to that is another matter - And of course, because I know how to do it must mean I've done it, right? Isn't that how the law works nowadays? It's like being able to undelete files - If you know how to do it, you can be arrested for deleted stuff.
Prosecution now says that because you're using truecrypt they believe there is a further layer of encryption that you haven't disclosed the key to. The burden of proof is now on you to show that there is no such level of encryption, or that you don't have the key. Good luck proving a negative.
I'm just waiting for the first case of someone being asked to decrypt that suspicious looking file /dev/random
The plausible deniability relies on the hidden volume being either encrypted stuff of yours or random stuff that looks similar. - Actually, when in use, your stuff overwrites the random stuff.
There lies a weakness, there will be a seam, it is really difficult to generate proper random numbers, and whatever method is used by truecrypt, i reckon it will be detectable.
I suspect that truecrypt uses its own encryption (with an almost-random key) to make a dummy file look like 20GB of random numbers.
However, this is precisely the "offence" that will get you locked up for life, 2 years at a time, with a "suspected nonce" tag for clean happy showertime fun.
Plausible deniability might work in America, but the offence here requires you to prove that the random data is NOT an encrypted partition, by either providing the key, or the plaintext, or by going to prison.
Excellent points sir.
Could TrueCrypt have weaknesses? Yes, undoubtably. The possibilty of a seam is one; I can think of others. The forensics equipment used to examine hard drives is enormously sensitive. Could it detect that the data at the end of the primary volume has been written to far more regularly than would be expected if a hidden volume were not in use? But far the biggest weakness is simply incorrect usage. Without careful consideration, one could be leaving a trail of forensics all over the primary volume, or an unencypted one, all pointing to a volume that shouldn't exist.
I do know that its dev team take their work very seriously indeed. Being open source, there's also an active community able to pore over both the concepts and the implementation looking for just such pitfalls. IMHO, its certainly the best option yet available.
For RIPA, I would be amazed if there wasn't some element of 'reasonable grounds' necessary before a conviction could be obtained. Most UK laws, especially criminal ones, have such terms either embedded in the wording, or subsequently inferred by judges under statutory interpretation.
I suspect the only way that we'll know for sure is through a test case, specifically on PD. I'd expect massive coverage and numerous appeals before the final outcome would be reached. Whichever side wins, all that would be achieved would be an escalation in the arms race. If the prosecution won, expect the relevant exploit to be rapidly patched by the TrueCrypt team. If the defence won, expect new legislation criminalising the mere ownership of any PD capable software. Neither would settle the matter for long.
tl;dr - TrueCrypt could have weaknesses, RIPA is not carte blanche to jail those genuinely unable to decrypt any suspicious-looking file. Only a test case will answer the current questions.
Could this be one reason why some people have given up dealing with encryption? They have been forcefed stories about having to decrypt all their files and if they forgot the password then they will be locked up.
Those Daily Fail readers will be going on about how it only affects those who have committed crimes, and those who have a different skin colours. It is only when it affects white middle class people do they throw up their arms.
It seems that the police consists of rather idiotic people, and I don't mean "Tim, nice but dim", but "Plod, nasty and dim". Anonymous in case they don't feel happy about what I wrote.
the key files are only supplied via our cell phones from my office when connected to our laptops with Bluetooth whilst trvelling.
The only password I know unlocks the dummy TrueCrypt volume.
Hard to give Plod something you don't have. Besides, cloud computing really messes up their high handed demands, too, just remember to purge browser history and bookmarks - best done by using Portable Apps software and selecting shared computer options.
An aquaintance that may work for a government might have inferred that the reason the CIA et al have been able to find and launch Predator strikes against AQ leaders in Iraq and Pakistan may have alledgedly been because AQ were relying on the security of encryption products often touted as "never having been broken". Alledgedly, of course, in a purely hypothetical discussion, etc, etc, etc (no black helicopters needed, thanks, Mr NSA). Just to remind you all of the consquences of falling for security hype, just go ask your Wifi LAN admin why he's not using WEP anymore, another supposedly "unbreakable" solution.....
Either way, the Police get two years to work on your encrypted drive whilst you try not bending over in the showers, and then they simply ask you again and send you back for another two years if you decline. And you end up with a criminal record and the inference you are either an animal rights nutter, kiddie fiddler or terrorist even if they do decide to let you back into society at some point, none of which bodes well for future employment or a happy family life.
The problem with Truecrypt is its hidden volume feature. This creates two problems:
- you have a hidden volume, but give them the "clean" password so they won't find anything - will you then have complied with the directive? Problem: Johnny Terrorist and Priest the Pedophile get clean away
- you do NOT have a hidden volume set up (I personally use Truecrypt simply as encryptor) but they suspect you have one. At that point they may ask you to open up something that doesn't exist, so you will be locked up for contempt of court - despite being innocent.
As a previous commentard correctly notices, RIPA turns the basis of the legal system "innocent until proven guilty" on its head so you're at the mercy of some pretty unsavory characters..
Thank God I moved :)
"The powers, known as section 49 notices, require suspects to hand over passwords or make files intelligible to investigators on threat of a two-year jail sentence, or five years where national security is concerned."
Doesn't matter that they suspect you have a hidden volume as they can only make you "make files intelligible to investigators". Suspecting something exists just don't cut it. Given the intelligence of the average "investigator" I'm not sure what you'd have to do if you were an Assembler coder. Re-write it in VB?
I do not have a hidden volume setup. Honest.
Take your file, XOR it with the contents of War and Peace, hand the output to the police as a key. When they XOR it with your original file they'll get something intelligible.
The one-time pad using a truly random key is still unbreakable without the key, given that other apparent keys can be generated in the trivial manner above. Of course, your key is the same size as the original file so you'll need to hide it somewhere they can't find it.
Perhaps we need a random data club - every day, everyone in the club sends a file of random data to another club member - I believe there is someone in the US who does this already.
Without client-lawyer privilege there is no right to fair trial. It's always been the case that a few more people who belong in jail would be jailed if a lawyer's records aren't privileged information, but police have never had access to this information because it would undermine the whole criminal justice system.
I hope they take the case to the European Court of Human Rights because that is a fucking terrible precedent.
and so did a lawyer on the uk.legal forum back in December when I posted this there. Initially he didn't believe me, but then went and checked:
TIMES 12/3/2009 pp65 (Law Report)
STATUTE OVERRIDES LEGAL PROFESSIONAL PRIVILEGE
House of Lords
McE v Prison Service of Northern Ireland and Another
C and C v Chief Constable of the Police Service of Northern Ireland
M v Same
>Such as innocent until proven guilty and the right to silence.
In American law "innocent until proven guilty" focuses on how your case is presented to the public.
It does not give you the right to simply ignore a subpoena or otherwise stand in the way of a legitimate police investigation.
The contempt citation in an American state court sends you to county lock-up.- not so pleasant a thought if the lock-up is a tent farm in the Arizona desert. - and there you will roast on a spit until the judge says otherwise.
The right to silence doesn't go much farther than what you can be compelled to say - to speak. Your DNA is fair game. The keys to the locker room are fair game.
The geek has an unhealthy obsession with "plausible deniability." It didn't save Nixon and it won't save you.
"Plausible" is for the jury to decide - and the jury doesn't think geek.
Actually, you have a constitutional right in America to not incriminate yourself, even under subpoena. To any such request or even demand, simply reply, "I plea the 5th." Meaning you are invoking your constitutional protection against self-incrimination under the 5th Amendment.
What a strange thing that courts, police and governments should exercise quite so much punitive pressure on anyone for looking at mere photos, even to the point now, it seems, of forcing anyone accused of such an epoch-shattering crime to damn themselves for refusing to incriminate themselves.
Justice gets suspended for this crimen exceptum. Normal rules no longer apply - so we take away a person's right to not incriminate themselves and put them in prison anyway, safe in the knowledge that anyone going before a court charged with even looking at 'indecent' images stands virtually no chance of a fair outcome. You do know that, right? That it's not the prosecution that does the damage, but the mere accusation? That's what will ruin your life - that's how it's been intended, by police, courts and advocates, from the start. The prosecution is a mere formality - a necessary, if expensive, process, but not really the point.
You quite literally cannot win, once you become an Accused. The Maleificarum has stitched you up good. Confess and be damned - forever - or refuse to cooperate and be damned - forever - because the police know that the accusation IS the punishment and THAT's what will follow you around forever, while being forced to the sign the SoR is merely the Maleificarum's way of continuing to put it's boot into your face on a regular basis, just for the hell of it, while ensuring you remain jobless, homeless and socially excluded for the rest of your life. 'Rehabilitation'? That's just some people talking.
One hundred years from now, future generations will hold their heads in shame at such wretched, medieval standards of 'justice' practiced by allegedly liberal, progressive societies and perhaps the countless lives ruined by a willfully spiteful modern inquisition might at last find some measure of apology - too late for them, but perhaps enough of a warning for future generations. Perhaps.
For now, the moral panic knows no bounds - not even those of it's own laws. Front doors will be kicked down in the wee small hours by heavily armored policemen in full riot gear (and before the cameras of an invited press, no doubt) to catch these terrible, seemingly unstoppable threats to the very fabric of our apparently highly corruptible and entirely fragile society. No expense must be spared, no law too sacrosanct that it cannot be bent or broken to satiate the voracious appetite of this unstoppable modern inquisition.
"For now, the moral panic knows no bounds - not even those of it's own laws."
Well put.
Modern version on inquisition and witch hunt where the accused is either guilty (for something) or guilty (for something else). There are no other options.
These moralists should be shot as a dangerous lunatics and everybody who support them put into jail as a danger to society. Much graver danger than the accused ever was.
TrueCrypt fanbois really should wake up to reality, because all this stuff about hidden files / containers within hidden files / containers is pretty much dreamland.
It takes less than a minute with even a dumb piece of freeware to analyse a hard drive's contents: no, not their nature, but most certainly, their extent. Alternatively, it takes Windows Explorer (XP) even less time to search by file size.
So here's this encrypted file which, despite its innocent-seeming name, is inexplicably 3Gigs (or more) when any fule know it should only be a few Mbs.
And here's Mr Clever Truecrypter, providing the key to open the outer container, and thinking how-brilliant-I-am, no-one will ever know there's a secret, inner container.
Only. . . the size of the outer container's contents don't remotely match up to the size overall.
Well, maybe it is possible to come up with some kind of explanation: after all, two years spent in quiet contemplation is surely long enough to be creative.
Where Truecrypt is concerned, the old saying continues to hold true: size matters. If you don't want stuff on your hard drive that might be a source of future embarrassment then. . . don't have it on your hard drive. Simple as that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
