UK Law Requiring Di...
 
Notifications
Clear all

UK Law Requiring Disclosure of Decryption Keys in Force

10 Posts
9 Users
0 Likes
662 Views
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect yesterday.

The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key. Refusal can earn someone a five-year jail term.

Part III of RIPA was in the original Act but was not activated. The Home Office said last year that it had not implemented the provision because encryption had not been as popular as quickly as it had predicted. It launched a consultation which culminated in Part III being made active on 1st October.

The measure has been criticised by civil liberties activists and security experts who say that the move erodes privacy and could lead a person to be forced to incriminate themselves.

It is also controversial because a decryption key is often a long password – something that might be forgotten. An accused person might pretend to have forgotten the password; or he might genuinely have forgotten it but struggle to convince a court to believe him.

Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible by authorities.

Anyone who refuses to decrypt material could face five years in jail if the investigation relates to terrorism or national security, or up to two years in jail in other cases.

Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice.

The Home Office said that the process will be overseen by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.

Complaints about demands for information must be made by the Investigatory Powers Tribunal. "The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the giving of a notice under section 49 or any disclosure or use of a key to protected information," said a Home Office explanation of the process.

The Home Office said that the actions were consistent with the European Convention on Human Rights and the UK Human Rights Act as long as the demand for decryption was "both necessary and proportionate".

"The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information," said the Home Office.

Source Out-Law.com (http//out-law.com/page-8515)

 
Posted : 03/10/2007 10:02 pm
(@bithead)
Posts: 1206
Noble Member
 

Great in theory, perhaps impractical in implementation. When faced with 5 years for "forgetting" a password versus possible life in prison if investigators determine what is in an encrypted file or volume which would you choose?

 
Posted : 03/10/2007 10:14 pm
Fab4
 Fab4
(@fab4)
Posts: 173
Estimable Member
 

When faced with 5 years for "forgetting" a password versus possible life in prison if investigators determine what is in an encrypted file or volume which would you choose?

Exactly my thoughts BitHead. Perhaps though it may get some dangerous people off the streets for a minimal time at least, which previously would not have been possible. In the meantime perhaps, manufacturers may agree to develop their wares with back door access for the good guys…..yeah right…..if only it were that simple! Opens up a whole new set of worries and debates. wink

 
Posted : 04/10/2007 2:36 pm
steve862
(@steve862)
Posts: 194
Estimable Member
 

Hi,

In the UK it's pretty hard to get as much as 5 years for anything. The only people likely to benefit by 'forgetting' the passwords are going to be terrorists.

It is very uncommon for child abuse related offences to get anything close to 5 years imprisonment these days. Even my most serious 'clients' who committed multiple rapes of children and had massive collections of child abuse images never got more than 6 years, with many getting 2-3 years.

On a separate note there are an increasing number of people becoming very concerned with what might be seen as the loss of freedom in the UK. With ID cards still a hot topic, suggestions that DNA samples taken by Police are retained indefinately when they should have been destroyed and that all UK citizens might be compelled to provide DNA samples as a matter of course…..

They say it's only those with something to hide that should fear but it's been 9 years since my last parking ticket and I am a little uneasy with some of these new laws.

Steve

 
Posted : 04/10/2007 3:02 pm
(@minesh)
Posts: 75
Trusted Member
Topic starter
 

That is pretty shocking Steve. And then there's the new identity given to them when they get out, and all the other things to protect them. Anyway, that's a whole different topic, and dont want to go off in too many tangents with this.

I wonder what would happen to those who have genuinely forgetten passwords. On one of my machines, I have an encrypted partition which I set up for testing purposes, which I dont remember the password (sentence) for… surely if I was ever suspected of a crime, I could not be imprisoned for that.

Minesh

 
Posted : 04/10/2007 6:26 pm
(@mas66)
Posts: 21
Eminent Member
 

Hi,

They say it's only those with something to hide that should fear but it's been 9 years since my last parking ticket and I am a little uneasy with some of these new laws.

Steve

Thats because youve never been caught not because youve never parked illegally wink

Mark

 
Posted : 05/10/2007 5:10 am
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

Well, if you're using PGP, apparently you don't need to worry. PGP has an undocumented back door in their whole disk encryption because some unnamed client wanted it.

"(source Jericho)

"PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base.
Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

Links to the articles are here

http//securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html

http//securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html
#comment-7822943064091432904

_______________________________________________
Infowarrior mailing list
Infowarrior@attrition.org
https://attrition.org/mailman/listinfo/infowarrior
"

 
Posted : 05/10/2007 5:24 am
(@crutey)
Posts: 32
Eminent Member
 

Great in theory, perhaps impractical in implementation. When faced with 5 years for "forgetting" a password versus possible life in prison if investigators determine what is in an encrypted file or volume which would you choose?

Is it not 5 years when terrorist offences are involved and 2 years for other crimes?

Granted either way it lacks the teeth that would make it truly effective.

 
Posted : 06/10/2007 11:52 pm
(@owenburnett)
Posts: 4
New Member
 

I wonder if one presents a 1TB drive with only 100GB of encrypted content using TrueCrypt that can create hidden volumes in the free space, would this due to the fact that the existence of a hidden volume can not be proven be enough to bypass the RIP Act, or would the pre suspicion that they may be something in the free space be enough to inprison someone, who genuinely may not have a hidden volume?

 
Posted : 18/10/2007 8:33 pm
(@Anonymous)
Posts: 0
Guest
 

"Privacy is dead, get over it" - Scott McNeely

I wish I could claim to be a "privacy advocate," but how does one champion a lost cause? Here in the US, we have a Constitutional right to not reveal our decryption key(s). Unfortunately, there is a de facto presumption of guilt if a subject's computer contains encryption or steganographic software. Never mind that the intended use was to restore a semblance of privacy to one's personal data.

 
Posted : 18/10/2007 10:51 pm
Share: