UK Law Requiring Disclosure of Decryption Keys in Force

  

Minesh
Senior Member
 

UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 03, 07 22:02

Users of encryption technology can no longer refuse to reveal keys to UK authorities after amendments to the powers of the state to intercept communications took effect yesterday.

The Regulation of Investigatory Powers Act (RIPA) has had a clause activated which allows a person to be compelled to reveal a decryption key. Refusal can earn someone a five-year jail term.

Part III of RIPA was in the original Act but was not activated. The Home Office said last year that it had not implemented the provision because encryption had not been as popular as quickly as it had predicted. It launched a consultation which culminated in Part III being made active on 1st October.

The measure has been criticised by civil liberties activists and security experts who say that the move erodes privacy and could lead a person to be forced to incriminate themselves.

It is also controversial because a decryption key is often a long password – something that might be forgotten. An accused person might pretend to have forgotten the password; or he might genuinely have forgotten it but struggle to convince a court to believe him.

Section 49 of Part III of RIPA compels a person, when served with a notice, to either hand over an encryption key or render the requested material intelligible by authorities.

Anyone who refuses to decrypt material could face five years in jail if the investigation relates to terrorism or national security, or up to two years in jail in other cases.

Controversially, someone who receives a Section 49 notice can be prevented from telling anyone apart from their lawyer that they have received such a notice.

The Home Office said that the process will be overseen by the Interception of Communications Commissioner, the Intelligence Services Commissioner and the Chief Surveillance Commissioner.

Complaints about demands for information must be made by the Investigatory Powers Tribunal. "The Tribunal is made up of senior members of the judiciary and the legal profession and is independent of the Government. The Tribunal has full powers to investigate and decide any case within its jurisdiction, which includes the giving of a notice under section 49 or any disclosure or use of a key to protected information," said a Home Office explanation of the process.

The Home Office said that the actions were consistent with the European Convention on Human Rights and the UK Human Rights Act as long as the demand for decryption was "both necessary and proportionate".

"The measures in Part III are intended to ensure that the ability of public authorities to protect the public and the effectiveness of their other statutory powers are not undermined by the use of technologies to protect electronic information," said the Home Office.

Source: Out-Law.com (http://out-law.com/page-8515)  
 
  

BitHead
Senior Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 03, 07 22:14

Great in theory, perhaps impractical in implementation. When faced with 5 years for "forgetting" a password versus possible life in prison if investigators determine what is in an encrypted file or volume which would you choose?  
 
  

Fab4
Senior Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 04, 07 14:36

- BitHead
When faced with 5 years for "forgetting" a password versus possible life in prison if investigators determine what is in an encrypted file or volume which would you choose?


Exactly my thoughts BitHead. Perhaps though it may get some dangerous people off the streets for a minimal time at least, which previously would not have been possible. In the meantime perhaps, manufacturers may agree to develop their wares with back door access for the good guys.....yeah right.....if only it were that simple! Opens up a whole new set of worries and debates. ;)
 
  

steve862
Senior Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 04, 07 15:02

Hi,

In the UK it's pretty hard to get as much as 5 years for anything. The only people likely to benefit by 'forgetting' the passwords are going to be terrorists.

It is very uncommon for child abuse related offences to get anything close to 5 years imprisonment these days. Even my most serious 'clients' who committed multiple rapes of children and had massive collections of child abuse images never got more than 6 years, with many getting 2-3 years.

On a separate note there are an increasing number of people becoming very concerned with what might be seen as the loss of freedom in the UK. With ID cards still a hot topic, suggestions that DNA samples taken by Police are retained indefinitely when they should have been destroyed and that all UK citizens might be compelled to provide DNA samples as a matter of course.....

They say it's only those with something to hide that should fear but it's been 9 years since my last parking ticket and I am a little uneasy with some of these new laws.

Steve
_________________
Forensic Computer Examiner, London, UK 


Last edited by steve862 on Oct 04, 07 18:40; edited 1 time in total
 
  

Minesh
Senior Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 04, 07 18:26

That is pretty shocking Steve. And then there's the new identity given to them when they get out, and all the other things to protect them. Anyway, that's a whole different topic, and don't want to go off in too many tangents with this.

I wonder what would happen to those who have genuinely forgotten passwords. On one of my machines, I have an encrypted partition which I set up for testing purposes, which I don't remember the password (sentence) for... surely if I was ever suspected of a crime, I could not be imprisoned for that.

Minesh  
 
  

mas66
Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 05, 07 05:10

- steve862
Hi,

They say it's only those with something to hide that should fear but it's been 9 years since my last parking ticket and I am a little uneasy with some of these new laws.

Steve


That's because you've never been caught, not because you've never parked illegally ;)

Mark
_________________
Mark Stevens
Principal Forensic Investigator
Microsoft Ltd
Network Security Investigations & Forensics 
 
  

kovar
Senior Member
 

Re: UK Law Requiring Disclosure of Decryption Keys in Force

Posted: Oct 05, 07 05:24

Greetings,

Well, if you're using PGP, apparently you don't need to worry. PGP has an undocumented back door in their whole disk encryption because some unnamed client wanted it.

"(source Jericho)

"PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base.
Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

Links to the articles are here:

securology.blogspot.co...arely.html

securology.blogspot.co...arely.html
#comment-7822943064091432904


_______________________________________________
Infowarrior mailing list
Infowarrior @ attrition.org
attrition.org/mailman/...nfowarrior
"  
 
