
British authorities demand encryption keys in case with “huge implications” - jackgavigan
https://theintercept.com/2016/04/01/british-authorities-demand-encryption-keys-in-closely-watched-case/
======
cm2187
I am not sure how this would be a precedent. People have already gone to jail
in the UK under this law [1]

I wonder if "I don't remember it" is a defense against this law. How can a
court send someone to jail for not remembering a password?

[1]
[https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...](https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom)

~~~
jakobdabo
I have a password with multiple special characters and no dictionary word
which I type on my laptop everyday and yet I genuinely don't remember it. It's
called muscle memory[1].

I haven't tried it, but I guess there are all the chances that I will "forget"
the password after a couple of weeks once I'm not typing it daily.

[1]
[https://en.wikipedia.org/wiki/Muscle_memory](https://en.wikipedia.org/wiki/Muscle_memory)

~~~
CydeWeys
I can, eventually and with many attempts, sit down in front of a keyboard and
type out passwords that I last used regularly twenty years ago. Don't sell
your muscle memory short. If it's a password that you are typing in multiple
times per day you aren't going to forget it in just a few weeks.

~~~
mike-cardwell
More than once I have forgotten the pattern to unlock my phone. The very
pattern I draw on the screen more than a dozen times a day. I usually remember
it after a few hours without thinking about it, but sometimes I just can't
recall it.

Shouldn't this law take into consideration that some people have terrible
memories?

~~~
CydeWeys
You aren't permanently forgetting it though, you're just temporarily
forgetting it, and you're blanking on it worse than most people do.

Law enforcement isn't going to care if it takes you a little bit of time to
get past your mental block and come up with the password. It's a much bigger
deal if you truly forget it and can't reconstitute it at all.

------
stegosaurus
Just another law that exists to arbitrarily criminalize people as far as I'm
concerned.

If a government agency claims that you have indecent images on your hard drive
and opens an investigation, you can be forced to give up your keys.

It doesn't matter if you're innocent - your data is out there now. Forever.

~~~
dingaling
> you can be forced to give up your keys.

The one 'escape' from RIPA key demands is in section 53:

    
    
      unless it is shown that the key was not in his possession 
      after the giving of the notice and before the time by 
      which he was required to disclose it.
    

So, for example, if the keys were automatically destroyed by a dead-man's
switch which the subject could not access due to being held in custody.

Usual caeavts apply: IANAL etc

~~~
stegosaurus
So basically it's either a game of coming up with ridiculous schemes to skirt
the law, or lying.

I'd rather have a judge say to me 'we think you're the wrong sort, go directly
to jail' than have to sit there and say 'no, you will not have my keys,
because I will not allow you to violate me in that way'.

I'm sure there are other bits of the legal system that are just as smelly.
This is just one I'm familiar with technically.

It really feels like a manifestation of some dystopian novel.

I can't imagine being in that situation, it feels so utterly absurd. I can
move some numbers through some wires, knowingly or unknowingly, or be
arbitrarily targeted, and then somehow society/the state decides that I have
to now do their tasks.

Meh. If it comes to it, I'll spend my time watching waves crashing at the
beach until you decide to lock me in a box.

RIPA is psychological torture. Give us the keys or we'll take away your life.
This is the society I live in. Bankrupt.

------
sjy
Here are some previous cases involving charges of failing to comply with a s
49 notice, under s 53 of the Regulation of Investigatory Powers Act 2000.
Unfortunately I don't know of any good comprehensive free source for recent
English cases, but I have provided the media neutral citations.

* Padellec [2012] EWCA Crim 1956. The accused's computer was seized and there was evidence that files had been deleted with filenames that suggested they were child pornography. He refused to provide a password to an encrypted volume and pleaded guilty to a s 53 offence. The Court of Appeal said that the accused's self-serving account of what would have been found on the encrypted volume should not have been accepted for sentencing purposes.

* Cutler, Morrison, Parratt & Freeman [2011] EWCA Crim 2781. This was an appeal against sentence by four members of a paedophile ring who pleaded guilty to s 53 offences.

* S & A [2008] EWCA Crim 2177. The Court of Appeal rejected a challenge to the validity of s 53 based on the privilege against self-incrimination. Available on BAILII: [http://www.bailii.org/ew/cases/EWCA/Crim/2008/2177.html](http://www.bailii.org/ew/cases/EWCA/Crim/2008/2177.html)

~~~
cm2187
The Court of Appeal judgment is very interesting but also very questionable.

If I understand it correctly, they claim that the encrypted data exist outside
of the defendant's brain and is in possession of the police, therefore it is
tangible evidence, the key is merely a way to access it. And the police can
force a defendant to provide access to tangible evidence like a DNA sample or
a pubic hair. And therefore non self-incrimination does not apply to that
evidence.

It is very questionable as one could argue that the decryption key is a
segment of the data, and that the data only becomes meaningful, and therefore
evidence if the file is complete. The police is therefore trying to get
additional evidence (the missing data segment, the key) to build a case, and
then we are 100% in the realm of self-incrimination.

I am struggling to understand #25. It seems to imply that the only reason for
the defendant to refuse to provide the key can only be because the data would
contain incriminating evidence, and therefore it would somehow weaken the
defense against self-incrimination. First there may be other reasons to refuse
to give access to the data (privacy for instance, it might be embarrassing for
a religious person to acknowledge watching gay porn!). But mostly the idea
that the defense against self incrimination is weakened because complying with
the request from the police would incriminate oneself is I think completely
circular and defeats the whole purpose of non self-incrimination.

I also find it very concerning that the justice applies extremely fuzzy
concepts like "the stability of society" to challenge basic liberties.

------
sievebrain
US jail sentences are crazy. But ... I think the UK approach here is not all
that crazy. In a world with encryption, where does the balance lie between the
need to investigate crimes and the need to stop a country becoming a police
state?

NSA style "own it all" is clearly too far towards the police state end. But
then preventing any and all investigations that involve a computer seems like
an over-reaction towards the other end; targeted high-effort investigations
have always been possible.

And if you want to make that be the balance and allow specific, warrant-based
human-driven investigations possible but block mass surveillance, then trying
to regulate the details of the technology is a bad idea. Regulators won't be
able to do that. It's the wrong approach. It's like the Clipper chip, the law
specifying too much stuff. A law that says "you have to decrypt your files
when asked" is at least simple and it doesn't scale to mass surveillance.

~~~
calgoo
Well, it does scale: Just put a guy at the airport that scans all computers
passing the check. You got nothing to hide, so why worry? The law clearly
states that you need to hand over any password / key when asked.

That is as bad or even worse then mass surveillance, because with mass
surveillance you can at least try to be "safe" offline. With this "law", they
could get to your data whenever they want. Much more of a police state that
mass surveillance (at least in my opinion).

~~~
DanBC
Here's the law:
[http://www.legislation.gov.uk/ukpga/2000/23/contents](http://www.legislation.gov.uk/ukpga/2000/23/contents)

Here's the bit we're talking about:
[http://www.legislation.gov.uk/ukpga/2000/23/part/III](http://www.legislation.gov.uk/ukpga/2000/23/part/III)

You say

> Just put a guy at the airport that scans all computers passing the check.

This fails almost every step of the law.

The person doing the asking is probably not authorised to do so; the
information found isn't found as the result of a statutory instrument; the
person doesn't have the reasonable belief that key disclosure is necessary to
exercise a statutory instrument; it's not proportionate.

> Much more of a police state that mass surveillance (at least in my opinion).

If your attacker is a well funded Government you're fucked. This law provides
some protections against abuse.

------
mirimir
Refusing to provide encryption credentials has been illegal in the UK for
years, I believe. So what's different about this case?

~~~
DanBC
The RIPA law was introduced in the year 2000. Since then there haven't been
many cases that went to court, so bits of it haven't been thoroughly tested
yet.

> So what's different about this case?

It is a case that's actually happening, which makes it newsworthy. These
specific powers under RIPA just aren't used very often. (Unlike other bits,
which are frequently used.

Wikipedia says 2 people have been prosecuted for not handing over their keys.
(This doesn't tell us how many notices were issued. The Surveillance
Commissioner probably has that information. I can't see anything in a quick
scan of the annual reports.)

[https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...](https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000#Prosecutions_under_RIPA)

(It's useful to look at who is getting prosecuted under RIPA - corrupt police
officers setting up illegal surveillance companies; councils wrongly using
surveillance to see if families are in a school catchment area).

[https://www.gov.uk/government/publications/annual-report-
of-...](https://www.gov.uk/government/publications/annual-report-of-the-chief-
surveillance-commissioner-for-2013-to-2014)

[https://osc.independent.gov.uk/protected-electronic-
informat...](https://osc.independent.gov.uk/protected-electronic-information/)

------
deepnet
I believe the precedent in this case is the accused says the file is random
data.

The defendant has stated he can't provide decryption keys and states that this
criminalises random data.

According to the article he says can't not won't.

Have the prosecutors proven what they want decrypted is encrypted and not
random noise ?

It doesn't seem they have, but we cannot know because this is a 'closed'
secret trial.

Anyway, Schneier says good encryption should be indistinguishable from random
noise.

Thus if one plants random noise and make an accusation surely this becomes a
blackmailer's charter ?

The burden should be on the authorities to prove that the bits are decryptable
and that the accused has the keys.

Suppose I wrote the key wrong ? Misremebered ? On a post-it on your monitor
lost in the raid ? Unreliable thumb drive ?

Losing data without backup is literally the most common problem ever.

Remember the very early bitcoin potential millionaire who had lost his keys -
happens evey day.

Regardless he should be tried in the UK, American prosecutorial overreach is
notorius and standard - especially when the authorities are embarrased.

The extradition damages threshold is based on false numbers - US hacking cases
always pad the numbers.

The last similar case was Gary Mackinnon, who laughably 'hacked' the pentagon
with remote desktop over dialup because port authorities had default password
and allowed trusted military access from there - it was not sophisticated - he
damaged nothing - was looking for UFO files, took only screenshots.

This was spun by US authorities as super sophisticated causing millions in
damage.

The damages were almost entirely fees to fix the embarassingly large holes
Gary had found.

These false damages are used to reach the thresh-hold for extradition.

The US seems to goto max kill when it is covering its own embarassing
mistakes.

Funny that they can only catch unsophisticated attacks by UK youth but not
Chinese spies.

What about suspicion of the old double decrypt ?

Is one off the hook if it decrypts but the authorities believe there is a
second hidden decryption possible that would satisfy them more ?

What if the encryption was by one of those encrypt your files viruses ? What
if it looked like that but the authorities didn't believe you.

What if you were to be the framed patsy, participating in minor crimes but
cops tipped, your drives are encrypted by the framer as the door kicks in ?

Seems like this law is ripe for many abuses and presumes guilt.

With the greatest respect:

Oi US, catch some real troublemakers and stop trying to cover your
incompetence by exaggerating tomfoolery and trying to lock up our native
nascent talent !

I am sure the fear and terror wrought on this bright young man is already more
than punishment enough.

Pretty much the definition of evil putting Aspies in solitary to cover ones
rear.

~~~
sjy
> The burden should be on the authorities to prove that the bits are
> decryptable and that the accused has the keys.

It is.

~~~
deepnet
[[edit] OK found a jury RIPA 49 trial against the Luton terror cell, so sjy,
above is right, after the denial one gets a jury trial.

In this case the USB stick was in the guys possesion so it was cut and dried.
[http://www.luton-dunstable.co.uk/Terrorist-plotted-attack-
Lu...](http://www.luton-dunstable.co.uk/Terrorist-plotted-attack-Luton-
Territorial-Army-centre-faces-extra-years-jail-refusing-hand-
password/story-21702104-detail/story.html)
[https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/spybl...](https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/spyblog/2014/01/15/first-
ripa-s49-encrypted-usb-devices-conviction-involving-national-security---
sy.html)

He got 5 years for planning terrorism.

Seems RIPA 49 can be used succesfully.

------
jupp0r
I think this is exactly what TrueCrypts plausible deniability feature was made
for. You should use it if it's possible you might end up in a situation like
this.

~~~
hrrsn
Would it not raise eyebrows if you say, had a 512GB drive in the machine and
when booted in the plausible deniability mode only showed a X<512GB partition?

~~~
TillE
The partition is the full size. It's just mostly empty.

------
xaduha
People should use smartcards more. When stuff hits the fan you can just
destroy it.

[https://github.com/philipWendland/IsoApplet](https://github.com/philipWendland/IsoApplet)

~~~
mindslight
Then there's destruction of evidence, complete with a physical totem to
illustrate your witchcraft - imho this idea is going the wrong way.

By their very nature (treacherous computing), smartcards will enable more
user-hostile capabilities than user-empowering ones. Not that they can't be
useful for some properties - a custom applet _could_ implement a time-delay
dead-mans switch _iff_ you can count on them remaining secure against
government thugs.

The right way is to implement and encourage popular operating systems to adopt
n-volume steganographic storage. Then there's no discernible difference
between a truthful and lying "I've given you all my keys". While this won't
really help your low-status undesirable that the government is just looking
for justification to purge, it will cause social change when upper class
people are in the same position.

(The common retort to steganography of "then they just torture you" is really
just a reversion to the underlying truth from the dawn of society, exposing
the modern farce of "the rule of law". Which means things either actually get
reformed, or we have another bog-standard revolution to overthrow the
unaccountable thugs.)

~~~
xaduha
People should use smartcards more in general, regardless of circumstances and
for perfectly legal stuff. It's not hard.

------
tehwalrus
I thought they didn't even need RIPA, I thought that it was contempt of court
to not decrypt the drive/unlock the safe when the judge asks you to?

------
studentrob
Ridiculous to pursue this in any country. I feel for the UK. They're more
behind the US in terms of educating their representatives and public about how
encryption works and the fact that it's impossible to guarantee government
access to everything, no matter what sentences are imposed.

------
x5n1
Should not have sued them bro. Always let sleeping dogs lie.

~~~
yason
It might cost you personally, but not always. Sometimes you have to drive
crazy things to the point of lunacy that is their logical conclusion, to make
a point.

The case of encryption heavily underlines the nature of information itself
which also lends to the nature of intellectual property, the idea where bits
have colors. This is all uncharted territory so far for the general society.
(The laws of information are crystal clear as interpreted _by the hacker
mindset_ but it's not at all crystal clear whether the society at large ever
wants to accept the hacker mindset.)

Demanding encryption keys is followed by dozens of logical consequences that
are anything but obvious for the uninitiated. Several have been mentioned in
this discussion already. For example, how to prove random data isn't an
encrypted blob? What are the liabilities of carrying random data? What if you
did encrypt it but with a throwaway password which you obviously don't
remember? How can bits possibly be so dangerous to warrant jailtime for you
unless you choose to reveal them? But if you store the same information in
your head, you're not required to reveal it. Then how is storing the
passphrase in your head any different from storing all the information in your
head, albeit easier?

~~~
cm2187
And we can push the argument to the absurd. I can draw a little symbol on a
post it, and that little symbol may mean something to me, it's a form of
cipher. Now can the court force me to tell them what this little symbol means,
should I really go to jail if I don't?

The other thing is that although the 5th amendment is an American concept, I
suppose there must be a provision against self incrimination in UK law. I
can't be forced to testify against myself. In France I know this how it works,
a defendant is entitled to lie or refuse to answer at his own trial. If we
follow that logic I don't see how one can force someone to speak a password.

~~~
caf
Yes, the privilege against self-incrimination is part of the English common
law (originally the defendant could not testify _at all_ in common law
courts!).

