|
Home > Archive > Anonymous Servers > October 2007 > UK Police Can Now Demand Encryption Keys
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
UK Police Can Now Demand Encryption Keys
|
|
| Anonymous 2007-10-16, 1:12 am |
| Under a new law that went into effect this month, it is now a crime to
refuse to turn a decryption key over to the police.
I'm not sure of the point of this law. Certainly it will have the
effect of spooking businesses, who now have to worry about the police
demanding their encryption keys and exposing their entire operations.
>From the ArsTechnica article:
"Cambridge university security expert Richard Clayton said in May of
2006 that such laws would only encourage businesses to house their
cryptography operations out of the reach of UK investigators,
potentially harming the country's economy. 'The controversy here [lies
in] seizing keys, not in forcing people to decrypt. The power to seize
encryption keys is spooking big business, ' Clayton said.
"'The notion that international bankers would be wary of bringing master
keys into UK if they could be seized as part of legitimate police
operations, or by a corrupt chief constable, has quite a lot of
traction,' he added. 'With the appropriate paperwork, keys can be
seized. If you're an international banker you'll plonk your headquarters
in Zurich.'"
But if you're guilty of something that can only be proved by the
decrypted data, you might be better off refusing to divulge the key (and
facing the maximum five-year penalty the statue provides) instead of
being convicted for whatever more serious charge you're actually guilty of.
I think this is just another skirmish in the "war on encryption" that
has been going on for the past fifteen years. (Anyone remember the
Clipper chip?) The police have long maintained that encryption is an
insurmountable obstacle to law and order:
"The Home Office has steadfastly proclaimed that the law is aimed at
catching terrorists, pedophiles, and hardened criminals -- all parties
which the UK government contents are rather adept at using encryption to
cover up their activities."
We heard the same thing from FBI Director Louis Freeh in 1993. I called
them "The Four Horsemen of the Information Apocalypse" -- terrorists,
drug dealers, kidnappers, and child pornographers -- and they have been
used to justify all sorts of new police powers.
http://arstechnica.com/news.ars/pos...-jail-time.html
or http://tinyurl.com/3btatf
http://ct.techrepublic.com.com/clic...221-bf&s=5&fs=0
or http://tinyurl.com/2o9545
http://www.theregister.co.uk/2007/1...ion_keys_power/
| |
| Anonymous 2007-10-16, 1:12 am |
| Anonymous <nobody@mixmin.net> wrote in
news:45b2125d4876d42fa74d7c983a08f479@an
on.mixmaster.mixmin.net:
> Under a new law that went into effect this month, it is now a crime to
> refuse to turn a decryption key over to the police.
>
> I'm not sure of the point of this law. Certainly it will have the
> effect of spooking businesses, who now have to worry about the police
> demanding their encryption keys and exposing their entire operations.
>
>
> "Cambridge university security expert Richard Clayton said in May of
> 2006 that such laws would only encourage businesses to house their
> cryptography operations out of the reach of UK investigators,
> potentially harming the country's economy. 'The controversy here [lies
> in] seizing keys, not in forcing people to decrypt. The power to seize
> encryption keys is spooking big business, ' Clayton said.
>
> "'The notion that international bankers would be wary of bringing
> master keys into UK if they could be seized as part of legitimate
> police operations, or by a corrupt chief constable, has quite a lot of
> traction,' he added. 'With the appropriate paperwork, keys can be
> seized. If you're an international banker you'll plonk your
> headquarters in Zurich.'"
>
> But if you're guilty of something that can only be proved by the
> decrypted data, you might be better off refusing to divulge the key
> (and facing the maximum five-year penalty the statue provides) instead
> of being convicted for whatever more serious charge you're actually
> guilty of.
>
> I think this is just another skirmish in the "war on encryption" that
> has been going on for the past fifteen years. (Anyone remember the
> Clipper chip?) The police have long maintained that encryption is an
> insurmountable obstacle to law and order:
>
> "The Home Office has steadfastly proclaimed that the law is aimed at
> catching terrorists, pedophiles, and hardened criminals -- all parties
> which the UK government contents are rather adept at using encryption
> to cover up their activities."
>
> We heard the same thing from FBI Director Louis Freeh in 1993. I
> called them "The Four Horsemen of the Information Apocalypse" --
> terrorists, drug dealers, kidnappers, and child pornographers -- and
> they have been used to justify all sorts of new police powers.
>
> http://arstechnica.com/news.ars/pos...-demand-data-de
> cryption-on-penalty-of-jail-time.html or http://tinyurl.com/3btatf
> http://ct.techrepublic.com.com/clic...60a0400a9a01bdf
> 730f084221-bf&s=5&fs=0 or http://tinyurl.com/2o9545
> http://www.theregister.co.uk/2007/1...ion_keys_power/
>
Interestingly, the fear in general is that this power could be used
to purposely intimidate innocent people.
It has not been established exactly how one would know that a file is
encrypted. If a file is random, but the person having the file is
accused of having an encrypted file (e.g. random.bin or file00001.chk)
then the police could threaten 5 years in jail for failure to divulge
the keys, OR the accused could - dance to whatever tune the police
wanted.
The occurrence of a file on a computer, even if encrypted, would not
necessarily mean that it was encrypted by the computer owner or that
he/she has the encryption keys. Files placed during installation or
during the running of a program, including temp files that cannot be
specifically attributible to one program, would fall into this
category.
Receiving a file via email encrypted to some third party could be
used to implicate the recipient even if the recipient has no knowledge
of the file's contents. Someone sent such a file to a figure in
government to illustrate how this could be used to implicate
an innocent person.
There is no way under most circumstances to distinguish between
being unwilling or *unable* to divulge the "keys".
Along these same lines, if the "person" in possession of the keys is
a company with branches or headquarters in another country, could the
entire company be put into jail for 5 years for failure (or inability)
to release the keys? What if the actual person in possession of the
keys is an employee who resides in another country and is a citizen
of the other country? Surely this law could not be used to extradite
people from foreign countries - or could it? And then, how does one
go about determining who, exactly, is responsible for the keys?
Imagine a scene where 5 people each have an individual password, and
all 5 are necessary to obtain a key. And further assume that everyone
in the company has a password, but no one knows exactly which of these
is essential and which might be superfluous.
Well, perhaps it's a bit of a stretch, but until the laws are actually
enforced it will be difficult to tell what it all means.
I would suggest, however, that if you tend to keep your files in
"containers" that are the product of a program that creates them
in ways that make the containers easily identifiable as "encrypted"
then you may wish to switch to a program that allows one to
disguise containers as some other kind of data.
Proving a file is encrypted should have to be the first step in
enforcing this law.
Anonymous
| |
| Anonymous 2007-10-16, 7:14 am |
| Anonymous wrote:
<snippage>
> Interestingly, the fear in general is that this power could be used
> to purposely intimidate innocent people.
I submit that it's the *only* way in which this power could be wielded.
Only those who are not guilty, or at least "less guilty" than what the
penalty for not disclosing would define them as, would have any
motivation to give up their encrypted data. The *truly* guilty aren't
subject to this alleged power in any way. To some it may even appear to
be advantageous.
> It has not been established exactly how one would know that a file is
> encrypted. If a file is random, but the person having the file is
> accused of having an encrypted file (e.g. random.bin or file00001.chk)
> then the police could threaten 5 years in jail for failure to divulge
> the keys, OR the accused could - dance to whatever tune the police
> wanted.
There's several real world things that can prove a random file to be an
encrypted volume beyond any rational doubt. Things like the existence
of encryption software, stray log/registry entries and command
histories, and the investigation that leads to the point where law
enforcement is asking for the keys.
> The occurrence of a file on a computer, even if encrypted, would not
> necessarily mean that it was encrypted by the computer owner or that
A lob of random looking data on a machine in a vacuum isn't going to be
subject to this law at all. For it to even become an issue there has to
be some sort of evidence that a crime has occurred.
The flip side is that an evil police officer could incriminate an
innocent person by planting an encrypted file. Still, the investigation
would have to exist independent of that. It's a little more difficult
to show probable cause when talking about computer files than it is
drugs for example. They just don't smell as strongly. ;)
> I would suggest, however, that if you tend to keep your files in
> "containers" that are the product of a program that creates them
> in ways that make the containers easily identifiable as "encrypted"
> then you may wish to switch to a program that allows one to
> disguise containers as some other kind of data.
I think that's an exercise in futility. If the police are scrutinizing
you at that level there's nothing in the world you can do that will
sufficiently "camouflage" an encrypted volume. They'll probably laready
lknow it exists, or at least have knowledge of the sort of things that
are in it. Trying to joejob your way through it by claiming your
Truecrypt volume is a "temp file" of some sort will just piss them
off. ;)
> Proving a file is encrypted should have to be the first step in
> enforcing this law.
I say that's the easy part. 
| |
| Thomas J. Boschloo 2007-10-16, 7:14 am |
| -----BEGIN PGP SIGNED MESSAGE-----
Anonymous schreef:
[snip]
> I think that's an exercise in futility. If the police are scrutinizing
> you at that level there's nothing in the world you can do that will
> sufficiently "camouflage" an encrypted volume. They'll probably laready
> lknow it exists, or at least have knowledge of the sort of things that
> are in it. Trying to joejob your way through it by claiming your
> Truecrypt volume is a "temp file" of some sort will just piss them
> off. ;)
So you have two truecrypt files of which one is a "temp file"
Problem solved :-)
Thomas
- --
A society with suicide bombers
is a polite society
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQB5AwUBRxSn2AEP2l8iXKAJAQEyIgMfeijoFBYs
eSF0Wjr63QeYZmdCRUd9iLvN
wj25lAl3mZe/qyvM994Wf2RZwTzQLoi0LRa5eMtKHYmEd/YxG/fby5GktB6KY7E+
/kRfdv+4ZRWN8+8e1mQAoRZBef+VZZPA1TLJ4Q==
=rqy3
-----END PGP SIGNATURE-----
| |
| Thomas J. Boschloo 2007-10-16, 7:14 am |
| -----BEGIN PGP SIGNED MESSAGE-----
Anonymous schreef:
[snip]
> It has not been established exactly how one would know that a file is
> encrypted. If a file is random, but the person having the file is
> accused of having an encrypted file (e.g. random.bin or file00001.chk)
> then the police could threaten 5 years in jail for failure to divulge
> the keys, OR the accused could - dance to whatever tune the police
> wanted.
There is a solution to every problem. And the solution to this one is to
increase the jail time of a convict, should the media publish articles
that hurt the image of the ruling democratic party.
Thomas
- --
A society with suicide bombers
is a polite society
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iQB5AwUBRxSoaAEP2l8iXKAJAQGCXQMdETGvY/ob2hdHZqccM9WyR9yOHv5O8KzY
F9c0UCKxvF7m/ Pq6rwbxgkWExaBa9U86ouPH98msUsc47ih82HVk4
0n6JFUQ8z0E
lf0tpNXtH015jvsz2uxZOwRHCLg3bTzTrywThw==
=JtbF
-----END PGP SIGNATURE-----
| |
| Anonymous Sender 2007-10-16, 1:14 pm |
| Thomas J. Boschloo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Anonymous schreef:
> [snip]
>
> So you have two truecrypt files of which one is a "temp file"
No, they'd both be truecrypt files.
>
> Problem solved :-)
Twice the problem. 
>
> Thomas
> - --
> A society with suicide bombers
> is a polite society
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQB5AwUBRxSn2AEP2l8iXKAJAQEyIgMfeijoFBYs
eSF0Wjr63QeYZmdCRUd9iLvN
> wj25lAl3mZe/qyvM994Wf2RZwTzQLoi0LRa5eMtKHYmEd/YxG/fby5GktB6KY7E+
> /kRfdv+4ZRWN8+8e1mQAoRZBef+VZZPA1TLJ4Q==
> =rqy3
> -----END PGP SIGNATURE-----
| |
| Borked Pseudo Mailed 2007-10-16, 7:12 pm |
| On Tue, 16 Oct 2007 12:29:30 +0200 (CEST)
Anonymous <cripto@ecn.org> wrote:
> There's several real world things that can prove a random file to be an
> encrypted volume beyond any rational doubt. Things like the existence
> of encryption software, stray log/registry entries and command
> histories, and the investigation that leads to the point where law
> enforcement is asking for the keys.
This has been gone over before. As I understand it, hiding the
encryption is difficult or impossible, but convincing a judge that
you do not have the key is possible by using something like the
diceman method.
That is where you create a 5x5 matrix of numbers and letters on a
card, and memorize a path through it. The numbers and letters in the
path make up the key. If you start to memorize the key, you change
it.
It is a reasonable enough method that it might convince a judge
that you really do not know the key.
The tricky part is getting rid of the card before the police have
you in handcuffs, and be convincing to the judge who will ask you
how you managed to destroy the card, since the cops will testify
that they found you sound asleep and slapped the cuffs on before
you had a chance to destroy anything.
Offsite storage of the card image, encrypted, at a 'deadman'
facility might work but is so awkward it is probably unworkable.
You would have to remember to ping the facility every x hours or
the facility would destroy the encrypted file containing the card
image. And you would have to trust the facility to really destroy
the file and not to keep backups.
| |
| anonymous@remailer.hastio.org 2007-10-17, 1:13 am |
| "Borked Pseudo Mailed" <nobody@pseudo.borked.net> wrote in message
news:39457739350a86247dd7c8654fc663c0@ps
eudo.borked.net...
> On Tue, 16 Oct 2007 12:29:30 +0200 (CEST)
> Anonymous <cripto@ecn.org> wrote:
>
>
> This has been gone over before. As I understand it,
> hiding the encryption is difficult or impossible,
> but convincing a judge that you do not have the key
> is possible by using something like the diceman method.
>
It seems to me that this is one of the reasons that we
declared independence from you fellows. ("You fellows"
meaning "Brits", of course.) We have the right not to
self-incriminate in the U.S. All we would have to say,
in our thickest Italian gangster accent, is "I
respeckfully decline ta answer dat question, b'cause
da information in dat file would ten' ta incinerate me.
An' da prosecutin' attorney is a fargin' bassett an'
a icehole."
More likely on dis side o' da Atlantic, is dat dey offers
yuh a plea bargain, whereby yuh rats on yerz buds, an'
dey gives yuh a reduced sentence or da witness protecksion
program. I seen it in da movies a hunert times.
Cheers,
Guido
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified.
| |
| George Orwell 2007-10-17, 1:13 am |
| anonymous@remailer.hastio.org wrote:
> It seems to me that this is one of the reasons that we
> declared independence from you fellows. ("You fellows"
> meaning "Brits", of course.) We have the right not to
> self-incriminate in the U.S. All we would have to say,
> in our thickest Italian gangster accent, is "I
> respeckfully decline ta answer dat question, b'cause
Unfortunately that right doesn't extend to keeping encryption keys
secret any more than it extends to the keys for a door or subpoenaed
documents.
Self incrimination is only applicable to direct testimony.
Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it
|
|
|
|
|