UK Government Wants Private Encryption Keys 822
An anonymous reader writes "Businesses and individuals in Britain may soon have to give their encryption keys to the police or face imprisonment. The UK government has said it will bring in the new powers to address a rise in the use of encryption by criminals and terrorists." From the article: "Some security experts are concerned that the plan could criminalise innocent people and drive businesses out of the UK. But the Home Office, which has just launched a consultation process, says the powers contained in Part 3 are needed to combat an increased use of encryption by criminals, paedophiles, and terrorists. 'The use of encryption is... proliferating,' Liam Byrne, Home Office minister of state told Parliament last week. 'Encryption products are more widely available and are integrated as security features in standard operating systems, so the Government has concluded that it is now right to implement the provisions of Part 3 of RIPA... which is not presently in force.'"
Re:Simple solution. (Score:2, Informative)
How about SSH (Secure Shell) keys, which are routinely recreated every so often?
The software isn't really configured to divulge these keys.
VPNs (Virtual Private Networks) are another case where keys are routinely generated and then discarded, with no mechanism to divulge them.
There are many other examples of the same thing.
Actually it is easy to avoid (Score:2, Informative)
All you need is TrueCrypt [truecrypt.org], which is open source on-the-fly disk encryption software for Windows and Linux.
The software provides something called Plausible Deniability and it is further enhanced by the so-called hidden volume method.
Basically, it is impossible to prove that you have TrueCrypt-encrypted data and you can even supply a key to decrypt a decoy volume containing some not-really-sensitive data. The bottom line, you comply with the law (order to decrypt) and your data stay private.
Re:odd request (Score:2, Informative)
Re:odd request (Score:5, Informative)
Summary is not complete (Score:5, Informative)
The basic argument is that the purpose of a search warrant is defeated by encryption. Now I think that's wrong, or at least part wrong, and I think an alternative would be to make material held by the defendant which he does not choose to decrypt something that the jury can take account of, just as refusal to testify is now, under limited circumstances, something the judge can point to during summing up. And the alternative of forcing decryption isn't offered (although quite how someone would demonstrate that plain text they offered really _was_ the decryption is a whole other question).
The is bad, illiberal law, and those of us involved in campaigning against it have been in correspondance with our MPs for some years. But it's not just Britain that is tearing up its freedoms in the face of minor terrorism: the USA collectively shat its pants and ripped up a century of jurisprudence on the 12th of September. It makes far more sense for people with a desire for freedom to work together, rather than to assume that we're a bunch of proto-fascists while Bush Jr defends your constituional rights.
ian
Re:My God (Score:4, Informative)
IIRC, the Brits wanted to extend the length 'terrorists' could be arrested & held without charge (from 14 to 90 days) so that the police could have more time to try and break encrypted data.
Here's the previous
http://yro.slashdot.org/article.pl?sid=05/11/04/1
I'm pretty sure that idea died a Horrifying death
Nah, you have *partitions* of random characters (Score:3, Informative)
1984 news (Score:5, Informative)
You're behind the times.
The UK is already (planning) installing a system of automatic licence plate recognising camera's throughout the country. The resulting database will allow a very comprehensive following of cars and thus persons.
The next step is of course that you have to report to the police whenever you've driven an other car but your own...
How do they know for sure? (Score:3, Informative)
Re:Stop giving the US gov't ideas (Score:5, Informative)
Even with a warrant they can not force you to give up your encryption keys. There is this thing called the 5th amendment to the constitution.
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
You can take the 5th when questioned about your keys. No matter what they do they can not compell you to give them that information.
Re:Actually it is easy to avoid (Score:3, Informative)
You should at least understand the terminology of the software you are using. TrueCrypt has a feature called hidden volumes that provide plausible deniability.
Plausible deniability means just that: You can plausibly deny that there is some encrypted data beyond the first level, i.e. the other party cannot prove that there is such data.
Since you can nest hidden volumes, there can always be another hidden volume behind the one you just gave up.
Re:Who needs encryption? (Score:2, Informative)
Re:My God (Score:5, Informative)
There are current encryption technologies already deployed in the market that allow for two sets of data to be encrypted with two keys into a single file. This allows a user to encrypt a sensitive file with an innocuous one, so that when required to disclose a private key the user can just give the one that decrypts the innocent data.
Again, these new laws will only deteriorate the right to privacy of innocent people, while the real criminals will be allowed to roam free doing their dirty deeds with little more trouble then a software upgrade.
Nothing compared to Tuesday's Dictatorship Bill (Score:5, Informative)
Or the human cattle ID cards Act [no2id.net], which creates by far the world's most intrusive Big Brother database on citizens by linking up 5+ previously unconnected databases...
The Dictatorship Bill, also called the Abolition of Parliament Bill [timesonline.co.uk], Totalitarianism Bill [impactnottingham.com] or (by the Govt) the Legislative and Regulatory Reform Bill is nothing less than a naked grab for power. After being amended 3x, the Bill was passed in the form described here [thebusinessonline.com].
LRRB [parliament.uk] enables ministers to rewrite our constitution with only rudimentary scrutiny. Consider the extraordinary mass surveillance / coersion [bristol-no2id.org.uk] implications of the ID Cards Act. Even the well-organised opposition [no2id.net] could not stop this legislation.
What chance then of:
1. Spotting obscure but deeply damaging clauses hidden in the boring legislation?
2. Motivating the Tories, LibDems and enough New Labour drones to subsequently block it?
LRRB is then carte blanche for Blair to do what he will with this country. What can we deduce of his plans?
New Labour already rejected [libertycentral.org.uk] an amendment to stop LRRB re-writing our most important constitutional laws. They then promised to introduce new amendments fulfilling the same thing. Our skepticism was once again justified [spy.org.uk]. This is more than enough evidence that Blair wants dictatorial powers.
LRRB is obviously a precursor to passing laws which Parliament wouldn't otherwise pass.
Considering the deeply scary laws he's got through Parliament, the likelihood is that he wants something so badly, and so unpalatable that he won't even risk presenting it for proper Parliamentary scrutiny.
- He does not need Parliamentary approval to invade Iran
- He already has Hitler's Enabling Act [blogspot.com].
- He has already passed RIPA [magnacartaplus.org] and the ID Cards Act for more Big Brother snooping than anything China or North Korea have.
- He already has locked up people for 3 years without trial or even being questioned - although he has been twice been 'told off' for breaching the Human Rights Act in this way.
I did not believe that he needs LRRB to repeal the HRA - indeed one welcome amendment [spy.org.uk] was to exclude the HRA from being amended. When every other explanation has been ruled out, whatever remains, however unlikely, must be considered. I think something much worse is coming although I dread to think what.
Re:New encryption scheme (Score:4, Informative)
Re:Simple solution. (Score:5, Informative)
"Methinks the UK government doesn't know that what it wants is technologically infeasible...."
Methinks you didn't RTFA.
They are not asking that all keys be submitted. They are simply asking to give the police the power to force you to submit keys on request. In other words, after they've already confiscated your computer and discovered that there are encrypted files, they demand that you hand over the key, and if you don't, then they can throw you in jail.
I'm not saying I agree with it, just trying to clarify the misconception that everyone in this thread seems to be having about this.
Re:odd request (Score:3, Informative)
But with hidden volumes, the header at the end is - just as the normal header at the beginning - indistinguishable from random data. TrueCrypt tries decrypting the hidden header "blindly". There is no header that says "here be hidden volume".
Telling someone hoe hidden volumes work helps him nothing to _prove_ that you actually used that feature.
If you actually read RIPA (Score:2, Informative)
>"key", in relation to any electronic data, means any key, code,
> password, algorithm or other data the use of which (with or
> without other keys)-
>
> (a) allows access to the electronic data, or
> (b) facilitates the putting of the data into an intelligible
> form;
Also, to give the people stating the obvious a break, this was also a proviso in the bill:
> (d) that it is not reasonably practicable for the person with the
> appropriate permission to obtain possession of the protected
> information in an intelligible form without the giving of a notice
> under this section
So, if its easier to get the information another way, that's taken care of. It's also not a case of needing to send all your keys to the government either. Not that I don't think this bill is a problem, but its the smallest of problems we have right now - people can already be arrested and detained if an officer suspects they might probably, possibly, do something illegal.
However, I also can't see a police officer understanding that you don't actually have the key needed to decrypt that SSH session you made 3 months ago to that web server that was also used to host a site suspected of being used by terrorists or paedophiles, which you had no idea existed.
Re:My God (Score:3, Informative)
Uh, don't tell that to a taxpayer who lived here during the New Deal or a citizen with a German last name in the run up to WWI. Those rights were in the kitty a LONG time ago.
Re:My God (Score:2, Informative)
Nope. It expired in 1798 [lexrex.com]
Plausiable Deniability (Score:2, Informative)
One can deny the knowledge or the existence of encrypted data using the following.
http://www.truecrypt.org/ [truecrypt.org]
Another interesting concept of plausiable deniability.
http://it.slashdot.org/article.pl?sid=04/12/16/19
Re:What if you legitimately forget your passphrase (Score:2, Informative)
What if they cannot recall every single passphrase? If they forget just one, are they going to jail until they can remember?
Potentially yes they are.
Think about that, I've got PCs sitting around from years back. I've used different password systems over time, and often I cannot remember very old passwords. If I were living in the UK and were to get raided (I have no reason to, I don't even download TV shows or have MP3, just OGGs of stuff I own, so move along), I'd be sitting in jail, I suppose.
You suppose right.
What if, because you cannot recall a password, you reformat a hard drive? Then they find the drive and want the password because they can recover the data?
You are SOL, unless you can prove your innocence.
That is one of the problems with this law. You have to prove that you are innocent and have forgotten your passphrase or key.
Kinda tricky.
What if someone send you an email with an encrypted content (whatever the method), and you don't legitimately have the means to decrypt it? Sounds like a great way to set up a suspected criminal. "Yes, we see you have several emails in your trash with encrypted contents. Tell us how to decrypt it or you're going to rot in jail."
See previous comments.
How about amnesia?
Prove it, or you are going to become a guest of Her Majesty's Government.
Then all a real criminal has to do is play ignorant.
And end up inside for a couple of years. Remember, you have to prove you are innocent. If you refuse to hand over the keys - automatic jail time. After that and they ask you again - Refuse again, back inside for another term.
If the keys did not exist, as per your example with dodgy e-mails, and obviously you couldn't hand the keys over - Jail time unless you can prove they didn't exist.
Re:More like "Horribly Bad Joke." (Score:4, Informative)
The export control rules for USA exports of crypto have been all but eliminated (done in the last year of the Clinton Administration). To export open source crypto from a web site, you just email the Feds telling them you are doing that. To sell binaries, you apply for a retail designation of your software, and can export with virtual impunity. Most or all OECD nations have followed suit.