

UK anti-encryption law - timf
http://falkvinge.net/2012/07/12/in-the-uk-you-will-go-to-jail-not-just-for-encryption-but-for-astronomical-noise-too/

======
nathan_long
His argument is: 1) They can lock you up for refusing to decrypt something. 2)
Encrypted data looks exactly like random noise. 3) Encrypted data can be
hidden in any file. 4) Therefore, they can allege that nearly anything is
encrypted and lock you up on that basis.

I'd say that's terrifying.

Another thought: doesn't this make it possible to frame someone by writing
random data to their hard drive?

~~~
adrianN
If you can write data to someone's hard drive it is simpler to just dump some
child pornography.

~~~
hemancuso
I'm a bit disturbed that you suggest it's easier dump child porn onto
somebody's hard drive than it is to dump a random bitstream onto the drive. It
implies you've got a huge cache of it hanging around ready to go.

~~~
pyre

      > It implies you've got a huge cache of it hanging
      > around ready to go.
    

In the US at least, just a single image is illegal, so there is no need for a
huge cache.

~~~
pavel_lishin
I imagine that a single image wouldn't quite motivate the police the same way
that two gigabytes' worth would.

~~~
pyre
I remember a story about the FBI going after some college kid with a single
thumbnail in his browser cache, though the other circumstances were:

\- Somehow they came up with his IP in a sting where a link to a file was
posted somewhere. I don't know if this was posted to a kiddie porn forum (or
someplace where just hanging out there is enough to make you suspicious) or
just someplace like 4chan (where there's a number of people that will click
the link out of curiosity).

\- He had 'recently' re-installed Windows. They claimed that he had obstructed
justice (or some other B.S.) b/c he had destroyed evidence. (Evidence that
they couldn't prove even existed, IIRC.)

\- He had a single thumbnail of kiddie porn in a browser cache.

I think that he just settled with the Feds, but cases like this stick out in
my mind because it makes it seem like we're all riding the razor's edge and
could fall into the Federal justice system at any moment for some random,
stupid reason.

[ Plus taking down a pedophile is brownie points to local politicians, which
may (or may not) be pressuring them about crime statistics. ]

------
16s
It is impossible to prove a PRNG'ed file is or is not encrypted data.
TrueCrypt volumes look identical to `dd if=/dev/urandom of=file.bin bs=512`.
Create a few of each and then evaluate them using ent to see this for
yourself.

Edit: Link to ent <http://www.fourmilab.ch/random/>

You could prove the file is encrypted _if_ it is indeed encrypted _and_ you
have the passphrase _and_ the program to decrypt it, but outside of that, it's
simply not possible to say with any level of confidence that the bits are
really encrypted.

BTW, I wrote TCHunt in 2007, a program that attempts to seek out encrypted
TrueCrypt volumes and I have a FAQ that covers much of this. Here's the link
for anyone interested in reading more about it: <http://16s.us/TCHunt/>

And, there is usually much more to it than randomish bits in a file on a disk.
The government agents usually have other evidence that suggests the person in
question is doing illegal things and may have cause to use encryption. Finding
actual encrypted data is normally just icing on the cake to them.

~~~
Jabbles
The wonderful thing about TrueCrypt is that you have plausible deniability. If
one were worried about having to provide a key, you could provide one that
revealed pictures of cats without revealing anything you wish to remain
hidden, or indeed if there was anything further to reveal.

This makes this attempt at a law look even sillier.

------
SEMW
While it is obviously a bad law, it's not _quite_ as bad as he's making out.

s.53(3):

" _For the purposes of this section a person shall be taken to have shown that
he was not in possession of a key to protected information at a particular
time if—_

 _(a) sufficient evidence of that fact is adduced to raise an issue with
respect to it; and_

 _(b) the contrary is not proved beyond a reasonable doubt._ "

In other words, if there's evidence for there to be 'an issue' about whether
you actually do have a key (or whether e.g. it's just random noise), it's up
to the prosecution to prove beyond reasonable doubt that it _is_ actually
data, and you _do_ have the key.

So the flowchart is:

\- If the police can prove they have _reasonable grounds to believe_ that
something is encrypted data that you have the key to, then

\- That raises an _evidential presumption_ that you do have it, which you can
rebut by

\- adducing evidence that just has to _raise an issue_ about whether you have
a key (inc. whether it's encrypted data at all), in which case the police have
to

\- Prove beyond reasonable doubt that it is encrypted, and you _do_ have the
key.

(IANAL)

~~~
SoftwareMaven
This would still concern me. It isn't hard to imagine the police assuming any
file they don't understand is that way because it is encrypted and, being that
they are police and not scientists or engineers, that number could be quite
high.

So now, you may actually know what's in that file. Great, no problems (other
than the headache of dealing with explaining files in the first place).

The real danger is what if you don't know about the file, either? "I have no
clue" is not going to cause reasonable doubt. The problem here is the law
starts from a presumed guilt, which is problematic if you are, in fact,
innocent.

But it really does come down to how the first clause of the law gets
interpreted. Is it reasonably interpreted or not? I have lost faith in any
chance of governments sticking to reasonableness when it comes to their threat
of terrorism, protecting their "children", etc.

~~~
SEMW
> It isn't hard to imagine the police assuming any file they don't understand
> is that way because it is encrypted

True, but they have to prove they have reasonable grounds for believing, not
just that it's encrypted, but also that you have the key to it.

> "I have no clue" is not going to cause reasonable doubt

It doesn't need to cause reasonable doubt, it just has to raise an issue about
whether or not you have they key. In which case the police have to prove you
_do_ beyond reasonable doubt.

But you are right - it is ambiguous, and that evidential presumption is in
danger of being interpreted in a very anti-defendant way.

But:

> I have lost faith in any chance of governments sticking to reasonableness

Thankfully, it's not up to the government to interpret legislation, it's up to
the courts. And they have to interpret criminal legislation (a) in favour of
the defendant (common law principle), and (b) compatibly with the human rights
act.

That second one is powerful, and has resulted in anti-defendant statues being
interpreted almost out of all recognition by a court happy to interpret stuff
compatibly with the HRA right to a fair trial. See e.g.
<http://www.guardian.co.uk/uk/2001/may/18/lords.politics> .

------
mootothemax
In the section of the act mentioned (Regulation of Investigatory Powers Act
2000, part III), two of the defined terms are:

 _“key”, in relation to any electronic data, means any key, code, password,
algorithm or other data the use of which (with or without other keys)—

(a)allows access to the electronic data, or

(b)facilitates the putting of the data into an intelligible form;_

\-- and --

 _“protected information” means any electronic data which, without the key to
the data—

(a)cannot, or cannot readily, be accessed, or

(b)cannot, or cannot readily, be put into an intelligible form;_

<http://www.legislation.gov.uk/ukpga/2000/23/part/III>

At first, I thought the argument in this article was nonsense. However, whilst
I'd hope common sense would prevail, the definitions above seem broad enough
that a policeman could make one's life difficult for a while.

~~~
excuse-me
It was being discussed well before this, in the early 90s i went to a computer
lab seminar about this and we asked

\- we have Tb of data in our detector system that is either truely random (ie
part of a Monte Carlo sim) or is essentially random (the detector noise), how
do we prove this isn't encrypted.

Oh don't worry, said the nice man from the police computer unit - it's only
going to be used against terrorists.

~~~
Zenst
That is in practice the intention, though as it is a law on the book's it is
open to be abused down the line against non-terroists.

As a rule the UK police tend to have alot of common sence, but they are also
human. That all said the whole blackberry encryption affair recently arising
due to the riots does highlight further shortcommings.

Still this law was instigated prior to 9/11 and in that you do wonder what it
would look like if it was instigated after the event and how it may of looked.

~~~
sdoering
Well, if I remember right, the UK had their "fair share" of terror (IRA), long
before the US suffered from 9/11.

So this argumentation does not strike me so extraordinary. But that does not
change the point, that this law really has the possibility to be misused.

~~~
excuse-me
Yes but remarkably after 100years of bombings and assassinations by the IRA
the response was to carry on as normal, don't give in to them. The only
visible sign was removing litter bins from railway stations and some
checkpoints on vehicles enter the financial district of London

Yet 5 minutes after the 9/11 attacks on America the UK suddenly needed a whole
raft of laws to intercept all phone calls, hold people without trial, random
stop and searches etc.

~~~
polymatter
IRA terrorism was pretty extensive too. They murdered close members of the UK
royal family
([http://en.wikipedia.org/wiki/Louis_Mountbatten,_1st_Earl_Mou...](http://en.wikipedia.org/wiki/Louis_Mountbatten,_1st_Earl_Mountbatten_of_Burma)),
major damage to cities
(<http://en.wikipedia.org/wiki/1996_Manchester_bombing>) and actual mortar
attacks on a sitting Prime Minister and other key high level ministers
(<http://en.wikipedia.org/wiki/Downing_Street_mortar_attack>). Have a look at
the list for London alone
([http://en.wikipedia.org/wiki/List_of_terrorist_incidents_in_...](http://en.wikipedia.org/wiki/List_of_terrorist_incidents_in_London)).

I had no idea the IRA was this level of threat - a personal threat to the
people in power. And the problem was pretty much solved through the long hard
slog of getting them round a table talking
(<http://en.wikipedia.org/wiki/Good_Friday_Agreement>).

~~~
excuse-me
Hence the slightly raised English eyebrow when American politicians -
especially a Kennedy at a St Patricks Day parade in Boston - talk about
supporting terrorism.

~~~
Zenst
Yeah and that upto 9/11 you could go into alot of Church's in the Boston area
and make donations to the IRA. That kind of stopped post 9/11.

We all learn from our mistakes eventualy.

------
shill
Every digital storage device on earth should contain a randomly sized random
data file called RANDOM-DATA. The user of said device could optionally replace
this file with encrypted data. Once critical mass is achieved, states that do
not respect individual liberty would have no way of determining the nature of
every RANDOM-DATA file that they obtain by eavesdropping, theft or force.

I know the answer to this is 'easier said that done'. Certainly hardware and
OS vendors can't be trusted with this task. Maybe FOSS installers could
educate users and optionally create the file? How can we make this happen? I
want to wear a t-shirt that says 'random numbers save lives.'

------
jakeonthemove
Damn, the UK is pretty f'ed up - the list of things that British citizens
can't enjoy compared to a lot of other countries (even developing ones) is
growing every day.

Meanwhile, a criminal could easily just store everything on an encrypted
microSD card, then eat it if anything goes wrong - the oldest trick in the
book still works in the digital age :-D...

~~~
theklub
Add this to putting missiles on top of apartment blocks for the Olympics and I
really have to agree with you.

~~~
mibbitier
I think you guys need to stop believing everything you read.

~~~
DanBC
The missiles are stationed in 6 areas in London.

Whether they'll be used is another matter. People were asking "what's the
difference between a plane that has been crashed into London and a plane that
has been shot down over London?", to which the reply is "a plane that is shot
down is, effectively, disintegrated and burnt in the air, leaving small
fragments to scatter."

<http://www.bbc.co.uk/news/uk-18766547>

------
freehunter
I have to wonder if this would ever hold up in court. I don't know much about
the UK justice system, but in America it would be pretty rare to be convicted
of a crime that they can't actually prove you committed. You could be jailed
for refusing to comply with a court order to decrypt the file, but if you can
prove it's not actually encrypted, they can't do anything about it.

~~~
nathan_long
>> if you can prove it's not actually encrypted

But that's the thing: you _can't_ prove that.

You're saying: "prove that there does not exist any decryption method or key
that will turn this blob into incriminating data."

You can never prove that such a decryption method doesn't exist.

In fact, maybe it _does_ exist? Given a blob of random data and infinite time,
couldn't you find a way to "decrypt" that into pre-defined data? (I'm not
really sure of that.)

~~~
adrianN
You can decrypt random data to anything if you want to. Say R is your random
data and M is the message you want. Compute Key=R+M, then decrypt R-Key=M.

~~~
crusso
Assuming the encryption method can create the bit sequence that is the random
data. It very well might not. There may be gaps in the encrypted data's number
space.

For any non-trivial encryption method, you'd be brute forcing your way through
a bunch of them to find the key that can decrypt the random noise to that
message. Typical "20 times longer than the existence of the universe" warnings
apply. :)

~~~
jgeralnik
But the encryption method doesn't need to be non-trivial, especially when you
define key as anything that

    
    
      (a)allows access to the electronic data, or
      (b)facilitates the putting of the data into an intelligible form;

~~~
crusso
So, if you have a meg of random data, you're thinking you could give them a
one meg XOR key that decodes it to an MP3 file of "God Save the Queen"?

Okay. :)

------
theaeolist
Isn't TrueCrypt's 'hidden volume' feature enough to make this law pointless?
Just have two encoded sets of information in the same file. When you are asked
to give the key it is up to you the key of which one you give.

<http://www.truecrypt.org/docs/?s=plausible-deniability>

~~~
DasIch
It still requires you to give up data for which it makes sufficient sense to
be encrypted otherwise someone might get the idea that you are using this
feature. While this is a solution it is certainly not as easy a solution as it
might seem to be.

~~~
theaeolist
Some very nasty (legal) porn should do it.

------
shocks
Hidden volumes.

Volume one contains hardcore porn, volume two contains bank job plans. Neither
can be proved to exist with their keys.

When asked, hand over the porn keys. Plausible deniability.

~~~
Karunamon
More people need to know about this. Unless you're quite foolish, this right
here will stymie most government attacks. It's difficult to prove that a file
full of random noise is actually an encrypted container (but possible, seeing
that Truecrypt is installed and other factors), but it's damn near impossible
to prove that a hidden volume exists in the same noise.

Better yet, if you do anything with the outer volume without explicitly
telling truecrypt about the existence of the inner volume, you will likely
corrupt the inner volume and render it unusable anyways.

~~~
javajosh
The only problem with this is that people are really bad liars.

------
MRonney
I was watching 'Garrow's Law' yesterday. He said that "Laws which are passed
in times of fear, are rarely removed from the statute books". Terrorists
always win, because every time they attempt to strike the Government removes
our basic liberties under the guise of protecting us.

~~~
biomechanica
Well, Norway is dealing with their attack quite well.

------
prsutherland
Encryption isn't just about hiding your documents. It is also about securing
your assets and providing identification.

\- The passwords on your bitcoin wallet give you the authority to spend your
money.

\- Your encrypted signature requires your private key so other's know your
message came from you.

So, this law gives the government the ability to impersonate you and
consume/use your assets in an unrecoverable way.

While the government might not have the authority to impersonate you or spend
your money, they do have the authority to acquire the means to do so. And then
all it takes is one dishonest person working for the government to use that
information maliciously.

------
vy8vWJlco
We are have begun to outlaw privacy. This is wrong. Speak up, while you still
have a voice.

<http://archive.org/details/the_hangman_1964>
<https://www.youtube.com/watch?v=keZlextkcDI>
<https://en.wikipedia.org/wiki/The_Drumhead>

------
Albuca
This reminds me of this American Case:

<http://www.wired.com/threatlevel/2012/02/forgotten-password/>

But on the whole, the whole article is scary and slightly unsettling. On the
upside I dont live in the UK - But if we were to be traveling through the UK
with our encrypted HardDrives, would we be targeted by the law?

------
yason
The difference with programmers/scientists/hackers and
politicians/authorities/lawyers is that the former see instantly where
seemingly small changes in laws and policies will ultimately lead whereas the
latter will dismiss these potential problems by making remarks such as "It
will only be used against bad guys", which translates to " _We had a few hairy
cases where this sort of law would have really helped, so we wrote one to
cover similar circumstances in the future and while we don't really know how
to think of what else goes out with the bathwater we will need_ something _at
our disposal._ "

------
mistercow
>Yes, this is where the hairs rise on our arms: if you have a recorded file
with radio noise from the local telescope that you use for generation of
random numbers, and the police asks you to produce the decryption key to show
them the three documents inside the encrypted container that your radio noise
looks like, you will be sent to jail for up to five years for your inability
to produce the imagined documents.

Of course, if you have access to the files, you could just XOR the noise with
some innocuous documents, and send the result to the police saying it's a one-
time-pad.

~~~
qxcv
Hell, you could say the key is head -c `wc -c secret_file` /dev/urandom and
they wouldn't be able to argue. It's turtles all the way down if they ask you
to decrypt the result.

------
alan_cx
Please forgive my technical ignorance, but can an encrypted cookie be dropped
in to my browser cache by a web site? Could an encrypted image with hidden
information on a web site end up in my cache? If so, millions of people could
have terrorist data in their caches and never know, nor have the key to
decrypt it. Also, who has that file Wikileaks published as "insurance". Any
one got the key? Any one know whats in it?

------
ivanmilles
So, now Random actually /is/ Resistance?
<http://www.youtube.com/watch?v=aE6RtzwVdHI>

~~~
pavel_lishin
Every time I listen to that song, I imagine a movie in my head where that is
the theme song for a resistance movement.

Never really thought about how terrifying that might be in reality.

------
jiggy2011
Assuming this article is true (which I am pretty skeptical of, I live in the
UK and never hear about people being jailed for not giving up an encryption
key).

What would happen if there is encrypted data on your system but you didn't set
the key yourself? For example DRM systems usually work by encrypting data and
trying their best to make sure you never acquire the key.

~~~
jrabone
<http://www.theregister.co.uk/2009/11/24/ripa_jfl/>

------
switch007
It makes me really angry seeing protests about laws which have already passed!
It seems to be lazy journalism - after Liberty et al have done the hard work
while the bill passes through parliamentary stages, once it's passed,
traditional media and others pick up on it and start complaining.

Prevention is better than ranting after it's set in stone.

------
antoinevg
Roll on dual encryption. One key renders a dissertation on kittens, the other
renders the original clear-text. Next problem?

~~~
LarrySDonald
It'll get more complicated later I'm sure, but yeah, that's the current patch.
Except replace "dissertation on kittens" with "gay porn collection" (or
"straight porn collection" if you're publicly gay. or whatever else makes good
sense to encrypt, but is still perfectly legal).

------
epo
This article is paranoid ill informed speculation, as are many of the Brit-
bashing comments. The police have to show a judge they have good grounds to
believe you are concealing evidence from them. Note also that if the powers
that be are really determined to stitch you up then they will plant data on
you, much simpler.

------
zaroth
Can you say, "Who is John Galt?"

Eventually the preposterous laws drive those with mobility to simply leave.
Follow that to it's logical conclusion; the UK will make it difficult to
impossible to leave with your assets intact. Loss of privacy is a just a
precursor to loss of private property altogether.

------
yyyt
This makes me wonder why Brits prefer to courageously make jokes at Putin's
regime (with which I'm fine, they're deserved), instead of just going to the
Big Ben palace and giving a boot to the same kind of governors sitting there.

------
Feoj
How does/would this affect Freenet users? As far as I know, a Freenet user's
'deniability' claim comes from the idea that the user does not know the key to
the encrypted content hosted on their machine.

------
short_circut
So does this imply that I could go to prison for having an executable file
presuming I can't "decrypt" it back into its original source code?

------
baby
A scary article that forgot already many "stupid" or "vague" laws exist and
are never used or always used in the right context.

------
muyuu
I live in the UK and this is the first I hear about this. Interesting how
seemingly important law passes so silently.

------
chris123
Welcome to the future (Orwell, Minority Report, Enemy of the State, Matrix,
etc.).

------
rashomon
Anybody know where I can find a thermite-holding 5.25" bay?

------
adamt
I don't like or support the legislation - but I think this is a bit of an
over-reaction.

The law as I understand it says that if you've got data (and the context of
the law is in focussed primarily on targeting terrorism, child-porn etc) that
you've encrypted but refuse to give over the encryption keys to; then if the
police then convince a judge that there is valuable evidence in the encrypted
data, and you still refuse, then you could ultimately go to prison.

Is this really any different to a digital search warrant?

Sure this law, like many others, could be abused. But I don't see it as
anything to get to wound up about.

P.s. what kind of person has a 32GB file of satellite noise to generate random
numbers with?!

~~~
DanBC
([http://www.computerweekly.com/blogs/the-data-trust-
blog/2009...](http://www.computerweekly.com/blogs/the-data-trust-
blog/2009/11/ripa-tears-up-the-right-to-rem.html))

> Police argue the files "could be child pornography, there could be bomb-
> making recipes."

Note that he was in prison -serving a sentence- but has since been transferred
to a secure mental health hospital where he can be detained under the MHA
until he is well.

I don't know if he had an appropriate adult with him at any police interviews.
I don't know if he had any legal representation at any time. These are
weaknesses in the UK system.

~~~
adamt
From that article: he Missed bail; traces of explosives; carrying home made
rockets; had a stash of encrypted storage drives with him and the authorities
wanted to see what was on them. In such cases the person is still innocent but
the authorities have a duty to investigate.

Don't get me wrong I am a hacker and someone who has written lots of crypto
code, but i don't see this as an example to support the case against the
legislation.

------
Zenst
I stand by my argument that you can have a encryption key that is say 2000
characters long. Print it out 1 character per page and submit that in advance
at your local police station, getting a receipt. You are then within the law.

Now question is - compression can be views as encryption. How does that pan
out if you use a non-standard form of compression that does not require a key
as the compression formula is the key in itself!

~~~
nathan_long
>> You are then within the law.

What good does your maneuver do? Now you have to work with that key, and if
they really care, they can laboriously type it in. All you've done is tick
them off, right?

~~~
Zenst
Point being that there is a good posibility they will misfile it and in that
case you have extingished your liability. Ticking of the police is not against
the law and if enough people do it then the sillyness of things starts to
stand out.

That all said you can have a trusted friend who lives in another counry
maintain your key and vice versa, then things get messy.

Sad part about all this is criminals will find a way to get around the law,
and in many cases they will way up the aspect of what charge they would get
from the decrypted data compared to a maximum 5 year one and pick the easiest
option.

~~~
nathan_long
This is silly. If they misfile it, they'll ask for it again. If you say "I
already gave it to you but you lost it, nyah nyah," they'll find you in
contempt of court.

For that matter, if you're in the middle of trial and give them what they
asked, but in the most massively inconvenient way you can think of, they'll
find you in contempt of court.

Judges are not (usually) stupid.

~~~
Zenst
There is nothing saying you can't then use the defence of you forgot the
encryption key. Having previously provided it your obligation to the law is
extinguished.

Judges are not stupid, not the easiest job to get and takes alot of work. They
may not be experts in every feild they have to deal with though and in that
they depend on expert witness's.

The point being that it is a silly flawed law and the approach I outlined is
one which is just as silly, yet still compitulates with the letter of the law
fully.

Now if your in a situation were you are having to defend raw random encrypted
looking data that is just raw data, then is the onus upon yoruself to prove
it's just random data and if not anybody could say its not encyrpted its
random data, could they not?

Question is how should the law actualy handle the situation were some data
from a criminal activity is encrypted and would requitre 1000 years to brute
force? This law was a way to cover those situations. It's not perfect and in
many respects is down right offencive. But it's like this - if you have
nothing to hide then why should you be made to feel like a criminal. That is
the real crux of the matter, though some people may view it entirely
differently. Heck a badly spelt/grammer document could be deemed as hiding
encrypted data when it is just bad spelling/grammer or it could actualy be
encypted/obfiscated data hidden within the document. you just can't tell and
that is were it starts to get realy realy messy.

