

Two convicted in U.K. for refusal to decrypt data - muriithi
http://www.securityfocus.com/news/11556

======
dryicerx
I think a good strategy for anyone who may potentially have to go through this
situation is to roll your own encryptor/encoder to combine several sets of
data in to a single dataset, and having multiple keys associated with it.
Depending on which key you use, you will get a different output. From the
outside it will look like a simple way to disguise a already encrypted
dataset.

A decoy in simple.

~~~
muriithi
I am not an expert in infosec but plausible deniability looks like a better
strategy here.See <http://www.truecrypt.org/docs/?s=plausible-deniability>

~~~
sharjeel
Or maybe they should have a feature in TrueCrypt to allow "Fake Keys". You use
your actual keys to unlock your data. You use fake keys to see pics of britney
spears

~~~
dryicerx
Well if that feature is well know, that defeats the purpose. It will only work
if you roll your own implementation of it (security through obscurity a bit).

~~~
derefr
How does it defeat the purpose? If an encrypted volume can have any number of
stored "divisions," each with a different key, how can they prove that you're
holding out on them once you've given them N keys? They know there's a
_possibility_ that you may have something extra hidden in the file, but that's
not the same thing at all as knowing that there's definitely a file that you
refuse to decrypt.

~~~
patio11
_how can they prove that you're holding out on them_

They'll bring in a forensic investigator, who will explain to the judge/jury
that TrueCrypt has a feature designed to be used by criminals to subvert the
judicial process. Then, he will present the results of his investigation,
which will show your drive to be consistent with you using that "plausible
deniability" thing. Then, he will introduce external evidence that says you
almost certainly have, I don't know, kiddie porn -- look, we can prove he
downloaded it, here are the ISP logs, and here are the 47 intercepted posts
which use the same nickname he used for his online banking, and here is the
previous complaint against him for lascivious comments made to a young lady on
Facebook.

That will probably be good enough to convict you of possession.
Circumstantial, yes, but so are most convictions.

~~~
derefr
I guess what would really be necessary is for all operating systems to build
in plausible deniability by default. Then there wouldn't be a "circumstance"
for the circumstantial evidence to pertain to, since there would be no way to
have a computer _without_ the possibility of there being something permanently
hidden inside it.

------
pmjordan
The fact that the UK government has a _Chief Surveillance Commissioner_ alone
speaks volumes. I wonder when they introduce the _ministry of truth_ \- it can
only be a matter of time.

------
sirrocco
I know I'm probably naive - but what if I forget the password ? I'm
traumatized by the whole jail thing that I forget the password. What then ?

------
pmikal
Duplicate: <http://news.ycombinator.com/item?id=756724>

------
redorb
guessing the UK doesn't have the 5th amendment? *also assuming what was on the
drive was self incriminating

~~~
RiderOfGiraffes
Given that the UK doesn't have a constitution, it clearly can't have
amendments, hence can't have a 5th amendment.

IANAL, but I believe there is no legal defence concerning self-incrimination,
but you do generally have the right to remain silent. Doing so, however, now
allows the court to draw conculsions from your silence.

Some years ago, for example, the warning given to suspects when arrested
changed to: "You do not have to say anything, but it may hurt your defence if
you do not mention something you later rely upon in court."

~~~
cstross
The UK _does_ have a constitution -- but according to a barrister of my
acquaintance it consists of thirty-one separate acts of parliament. (Think of
it as a distributed legal kernel rather than a monolithic one. Oh, and the
acts can be revised/amended by parliament without needing a constitutional
convention or equivalent.)

There's no actual fifth amendment equivalent, but there _is_ a bill of rights
(at least, since 1998). RiderOfGiraffes is exactly right about silence being a
factor that can be drawn to the attention of a jury ...

On the subject of the bits of the Regulation of Investigatory Powers Act
(2002) that make failure to hand over encryption keys an imprisonable offense,
it's worth noting that an order to hand them over has first to be made in the
process of a criminal investigation. If someone has encrypted data and refuses
to hand over the keys despite facing a maximum 5-year prison term, then it's
reasonable to presume that they consider the data to be so incriminating that
they'd pull a _longer_ sentence if they decrypted it. I believe (but am not
certain -- the powers have been used to rarely that there's little to go on)
that a plausible explanation of why the keys are unavailable ("I generated a
PGP keychain in 1996 out of curiousity, but I lost interest and stopped using
it, and that was twelve PCs ago") would probably work in court (in the absence
of evidence contradicting it).

