
In UK, Two Convicted of Refusing To Decrypt Data - aj
http://it.slashdot.org/story/09/08/11/2340221/In-UK-Two-Convicted-of-Refusing-To-Decrypt-Data?from=rss
======
0wned
TCHunt is a free program that finds (for the most part) TrueCrypt volumes.
(Modulo 512, chi-square stream analysis, etc). The scary thing is that it's
not 100% positive as it cannot differentiate between random data and AES data,
but in general testing, it finds 100% of TrueCrypt files. I wonder if
something such as TCHunt could be used to accuse someone of having an
encrypted TrueCrypt file or not? I doubt it, but some folks argue otherwise.

------
gradschool
No problem.

1) Encrypt sensitive data by the method of your choice, and store it in a
filesystem X.

2) Generate a plain text filesystem Y full of disinformation, the same size as
X.

3) When the key to decrypt X is demanded, compute Z = (X xor Y), and provide Z
to the police on a DVD with instructions to the forensic cryptologist that
it's a one-time pad.

~~~
DenisM
The beauty of the one-time pad is that one can not tell the "random" key from
the payload. Clever.

------
ErrantX
It's interesting to see the responses on /. compared to here.

The thing is were fogetting (or they're forgetting) is that this is, what, 2
people prosecuted out of 11 refusals over the course of 1 year. That's maybe
0.001% ( _this is a typo - I meant 0.01%, see below_ ) of all the encrypted
material investigated in a year (very rough figures, I only have a tiny
portion of the data: it could be lower still).

I dont think it's "panties in a twist" material yet :)

~~~
pmichaud
So we shouldn't worry because the secret police don't have the manpower to
prosecute "that many" of us yet?

Seriously?

~~~
ErrantX
well that only works if this was the most they COULD prosecute. Im fairly sure
in a year a few hundred wouldnt be too much difficulty (considering the sheer
number of computer related prosecutions anyway).

Anyway my main point was that the other 99.99% you generally dont need the
access keys for: either there is sufficient evidence elsewhere, or not enough
data/evidence to warrant a (uh) warrant [this one being the main factor] or
you can break throuhg the encryption in some way.

Secret Police?

------
naz
They should have used a Truecrypt random partition in which case it cannot be
proved that they have encrypted anything at all.

~~~
TheCondor
What are you considering "provable?" You know, a judge and prosecutor don't
get involved because of suspicion that you have encrypted data that might be
useful for solving a crime, there are usually a long string of events and
circumstances that brings you to that point. The actual encryption keys are
just a formality by that point.

Whether or not you can plausibly deny the existence of encrypted data in a
convincing manner probably isn't going to be that important. Everyone draws a
line somewhere and that might be the stand you wish to take, I suspect you'll
end up in jail regardless though.

~~~
a-priori
Exactly. Any time someone suggests fancy crypto as a solution to a legal
problem, it reminds me of this XKCD comic: <http://xkcd.com/538/>

Except replace "Drug him and hit him with this $5 wrench..." with "Charge him
with contempt and throw him in jail...".

