Hacker News new | comments | ask | show | jobs | submit login
UK anti-encryption law (falkvinge.net)
356 points by timf on July 12, 2012 | hide | past | web | favorite | 191 comments

His argument is: 1) They can lock you up for refusing to decrypt something. 2) Encrypted data looks exactly like random noise. 3) Encrypted data can be hidden in any file. 4) Therefore, they can allege that nearly anything is encrypted and lock you up on that basis.

I'd say that's terrifying.

Another thought: doesn't this make it possible to frame someone by writing random data to their hard drive?


From the comments (credit to http://www.ktetch.co.uk/p/about-me.html):

"Funny thing about the RIPA act was that in 1999, when the act was first discussed, civil Liberties group Stand decided to show the problem.

They sent an email to the Home Secretary (the minister for law and justice) containing a confession (source http://www.zdnet.com/surveillance-straw-petitioned-on-commer... ). That confession was encrypted. Mr Straw had details to a crime in his posession, in an encypted file, and no way to decrypt it. He was, under the letter of the law, refusing to decrypt information relevent to a crime, and should therefore be charged under RIPA.

Guess who wasn’t charged? Yes, the law doesn’t actually apply to you is you’re the Home Secretary. Who knew that those in government consider themselves above the laws they inflict on others."

> Yes, the law doesn’t actually apply to you is you’re the Home Secretary.

Well, no. The law doesn't say 'if you have encrypted information you have to decrypt it'. It says 'if you have encrypted information you have to decrypt it if the police (or someone else with statutory powers to detain your property) require you to'. The HS wasn't required to.

You can't just email someone an encrypted file and key, snap your fingers, and have them be breaking the law. They have to actually refuse to comply with a notice.

Yes, it's a stupid law, but this stunt doesn't actually show anything.

But the email that was sent was a confession, so it was related to the open case and needed to be decrypted.

The law doesn't work like that. It doesn't matter how important it is - if the police haven't given you a notice to decrypt it, the statute isn't engaged.

So they are infringing on personal privacy, and practicing selective enforcement? If this came to America everyone would be brown from the big shit storm.

> and practicing selective enforcement?

This is really a terrible analogy for reasons laid out up above. The law says you must do X when asked. You have not been asked to do X, therefore you don't have to do X.

Search for outrage elsewhere.

Technically, no. "Selective enforcement" is when the authorities selectively choose whether to arrest and prosecute someone for breaking a law. That's not quite the case here, as there is no breach of the law unless & until a notice is sent and been refused.

Technically you are right. Essentially the difference is bullshit. They simply don't send a notice to people they want to selectively ignore.

Think of it like a stop-and-search power. It is too wide, but not choosing to stop and search everyone who they have the power to isn't really like selective enforcement - it's just a power they can choose to use if they feel they need to.

In America that is a violation of 4th amendment rights. Now clearly this applies to UK, but we didn't fight the UK in a war for nothing.

I'm not very familiar with US law, but a few moments googling suggests that that's nonsense, and the standard the police must reach to conduct a stop and search in the US, for e.g. weapons ("reasonable suspicion", per Terry v Ohio), is essentially identical to that in the UK ("reasonable grounds for suspecting"). Though the UK statute does cover a slightly wider class of items - e.g. stolen property, rather than just guns as in the US.

(It's true that the reasonable ground requirement was removed for certain areas by the Terrorism Act 2000. That provision was held incompatible with Article 8 of the ECHR (our nearest equivalent of your 4th amendment), and has consequently been repealed).

I'd also raise an eyebrow at your implication that the police are generally less prone to misuse of their powers in the US than the UK. I haven't researched it, but my impression was that in practice it's rather the other way round.

The ultra fragmented nature of the police forces in the states lends its self to this unfortunately.

What the USA needs to do is to move into the 20th century and for each state to have a single police force with uniform standards - this would save a lot of resource wasted by every city/town having its own police force plus state troopers, sheriffs and what have you

Patriot Act

That appears to be incorrect. Looking at the actual law, via the link provided on the submitted site (not just the section linked to, but also the surrounding sections), it looks like in the above situation you would be off the hook.

See section 50(3)(b). Also relevant is 53(1) and 53(4).

And the reply to that:

"This argument is ridiculous, since it’s missing the concept of intent. The Home Secretary clearly had no intent. That’s why he/she wasn’t charged."

And the reply to that is that there is no criteria requiring intent in this law.

It appears that way. Mens rea is a legal concept applied to some of common law (although not always effectively).


EDIT: British common law divides up laws between those requiring intent and those that don't.

And the reply to that:

The UK law in question does not require intent (mens rea).

So a law which you have to prove yourself innocent and can be applied to anyone - but the police get to decide who to apply it to.

nope, can't see any problem with that.

Fortunately its nowhere near that bad. The prosecution needs to prove beyond reasonable doubt that the file contains encrypted data and that you have the key. So if you did have a file of random noise then the police would not be able to prove these things. And if you had software for using that file as a random number stream then that would be evidence in your defence. Remember, its for the police to prove your guilt, not you to prove your innocence. And the law in question does actually talk about that.

If someone wrote random noise to your hard drive then they couldn't prove these things (and in that scenario it would be a lot easier to frame someone by simply writing some child porn).

Encrypted files are not usually just cyphertext: there tends to be a header file with the file type, and of course there will be associated decryption software on the disk. Time and date stamps may well coincide (e.g. the decryption program was last run at the same time the suspect file was accessed). All of this would help build a case that the suspect had in fact decrypted the data in the past, and therefore could do so again.

As for steganography, they would need some clear evidence that the alleged steganographic data existed. Merely saying "maybe" and a pound will get them a cup of tea.

> (and in that scenario it would be a lot easier to frame someone by simply writing some child porn).

Well, you'd have to get some child porn to frame someone that way. Random data is much easier to procure.

Sadly not by much.

It is several orders of magnitude easier to get random data: /dev/urandom.

Someone wanting to frame someone else is likely prepared to put in a lot of effort anyway.

Does innocent until proven guilty and beyond a reasonable doubt apply to UK criminal law?

It is right there in the section linked from the article:

(3) For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if— (a)sufficient evidence of that fact is adduced to raise an issue with respect to it; and (b)the contrary is not proved beyond a reasonable doubt.

... which makes me sad that misinformation is being used to fight a good cause.

There have been cases about this though and judges so far have not always bought this argument.

There was a case I read about where someoen was using full disk encryption. He said he gave police his password but it didn't work. The judge dismissed the charges because of the difficulty proving that the key produced wasn't correct but that the hard drive was not corrupt, among other things.

Yes, but the chances of proving such nebulous ideas change greatly if you can be demonized in the public eye.

That situation is really independent of the law. Imagine the law said that nobody could be compelled to decrypt data (using fourth amendment type reasoning), and it was leaked to the press that this person was suspected of traffic child porn, but refused to decrypt his harddrive - even when decrypting the harddrive could prove his innocence, wink wink nudge nudge.

I think refusing to decrypt a hard drive in the US is dependent on whether it is self-incrimination (5th Amendment) while police activities are more tied to the 4th Amendment.

But the point is "I gave you my password. I haven't seen the computer in a month while your forensic team was looking it over. Maybe I got it wrong, or maybe your boys screwed it up." That is not refusing to decrypt it. In fact it is very apparently cooperative.

US courts have already ruled that the 5th ammendment does not apply to crypto keys. The court said that it was like requiring someone to hand over the keys to a container, etc.

US courts have split on the issue.

I agree, and I definitely meant the fifth. But the GP talked about being demonized in the public eye - which doesn't rely on the law being one way or the other.

The argument isn't totally correct. The Police can't just make allegations and force you to surrender keys - they have to convince a judge that the allegations are true, and that getting the keys to your random noise will produce evidence.

RIPA is objectively flawed legislation, but it definitely doesn't "outlaw encryption" by anything less than a very long stretch of the imagination (as appears in this article).

Your point is usually true, when the system is working as intended.

But it's not all that unusual for the gov't to really "have it in" for someone, but not be able to pin the crime on them, as with Al Capone.

In his case, the government didn't think it could pin the true charges on him, so he was actually convicted on tax charges. The tax code is big, obscure, and no expert agrees on the detailed interpretation, so it's not too hard to find some technicality that will convict anyone.

This encryption thing could easily be misused the same way: they can't prove you're a bad guy, so they trump up some technicality charges just to get you locked up.

Uk Judges are separate from the govenment.

You would ahve to go back to the bad old days of the star chamber to find the UK law system doing anything as doddgy as Al Capone (not exactly the USAs Legal systems finest hour)

Uk Judges are separate from the govenment.

In the UK, the term "government" refers to the executive branch. Outside that use, it encompasses the legislative, executive and judiciary power of a state. Wikipedia gives the following definition:

Government consists of the legislators, administrators, and arbitrators in the administrative bureaucracy who control a state at a given time, and the system by which they are organized.

Judges are part of that by definition, even if there's some separation from the other components.

No Judges are part of the "establishment" not the "govenment" ask Tony or Dave about the judges who ruled against them over a large number of issues.

I dubt wikipedia edited by a large number of Non UK People woud get the subtle destiction I am making here.

The term "government" has multiple meanings, but the most direct and common meaning is for the entire apparatus of state power, literally "the instrument which governs". This is true in all places that speak English, the United Kingdom included.

In the United States, we use the term "administration" to refer to an executive, his cabinet, and other associated officials. However, we still recognize the (not-so-subtle) distinction between the administration and the government as a whole; our government, as yours, is divided into three separate branches, and then again into many departments, agencies, committees, circuits, districts, and other subdivisions thereof.

Err the UK does not have a tripartate separation - there is a world out side of SV and the USA

SV = El Salvador? South Vietnam?

I suppose you mean Silicon Valley, but I live on the East Coast (~3000 miles away). Also, our "tripartite separation" is based on yours, with the President taking the place of the Monarch/Prime Minister, the Congress taking the place of Parliament, and the Judiciary being roughly the same (we even use the same style of law, called common law, whereas most non-English-speaking countries use civil law).

The UK seems to have more crossover between legislative and executive functions, but the separation does exist, more or less. Parliament makes the laws. Various ministers execute the laws. The courts interpret the laws.

Here in the USA we like to periodically hold witch hunts. That's how we got Martha Stewart, for example.

Martha Stewart is a witch?

I suppose that explains the eye of newt in the recipes.

Judges, police and the people who direct the police are all socially close coworkers for the most part.

>Uk Judges are separate from the govenment.

And how did that work out for the Guildford four for example?


>> they have to convince a judge that the allegations are true, and that getting the keys to your random noise will produce evidence

You are correct. However, suppose you encrypt some data and forget the key, or you store some radio noise in a file, or whatever.

Later, you are accused of a crime. The judge issues a warrant.

The data/noise is now evidence against you. You are presumed guilty, and it is impossible to prove your innocence.

Why do you make the jump here to "you are presumed guilty"? Your guilt would have to be proved in a court just like for any other crime.

Are you suggesting that the courts would somehow just believe, with no evidence, that it's encrypted data relevant to the case and you're wilfully withholding the keys?

You are not presumed guilty. But you are found guilty of breaking the new law which comes with a 5 year prison term if you were accused of being involved with terrorism or hiding child porn. Regardless of any evidence.

> You are not presumed guilty. But you are found guilty of breaking the new law ... Regardless of any evidence.

"Being found guilty... regardless of evidence" makes no sense. Part of 'being found guilty of breaking the law' involves the prosecution giving evidence that a jury thinks proves your guilt beyond reasonable doubt (inc. proving that you were in possession of a key, and so that it was actually encrypted data). s.53(3).

No it's very easy. You claim the "key" is a one time pad, ie an XOR of the encrypted data - then you simply take the encrypted data and generate a "key" which XORs it into "the home secretary is a wonderful person and i support him"

So, perjury.

Not sure you can commit perjury if you are the accused !

In the US you can, and I'd be surprised if many other jurisdictions saw it differently. In the US you have a right against self incrimination, not a right to lie and misdirect. See Martha Stewart as an example, part of her conviction was making false statements to an investigator.

Martha "Stewart was found guilty in March 2004 of conspiracy, obstruction of an agency proceeding, and making false statements to federal investigator". The lying to investigators was most of her "crime". If she'd told them to talk to her lawyer and clammed up, she'd have been way ahead. The Feds never did prove securities fraud.


Here in Brazil is guaranteed by the constitution that no one can be forced to produce any evidence against him/herself.

Isn't there something like this in the UK? You know... if someone says that you have ilegal encrypted data, they first would have to prove that it is really encrypted data and then that it is ilegal data.

There was a case where that defense was mounted, but failed [1]. The encryption keys were deemed to exist "separate from the will of the subject" i.e. they were deemed to be "physical". You can't use the defense against self-incrimination for physical keys either and the prosecution likened the encryption key to a physical key.

What hasn't been tested in court (afaik) is the refusal to hand over a passphrase that protects the encryption key. If the passphrase exists only in your head, it could be argued that it doesn't exist separate to your will.

[1] http://www.theregister.co.uk/2008/10/14/ripa_self_incriminat...

Is it illegal to hand over passwords yet if it's self-incriminating? Because encasing the encryption key in a passworded file could get you out. You would be providing the key, but wouldn't be self-incriminating yourself.

It would be like handing over an virtually unbreakable safe and saying "open it".

If you can write data to someone's hard drive it is simpler to just dump some child pornography.

OK, but suppose you're trying to frame them for bank fraud. Coming up with incriminating data is a lot trickier than just making it look like they have something.

Refusing to decrypt under this law will be the crime. It's not proof against you in the original charge. So you won't get them for bank fraud anyway, and then it might as well have been child porn (or a stash of stolen credit card number or compromised online banking accounts etc)

If you're caught though the consequences are terrible whilst encrypted Shakespeare given names to look like something illegal would only really have you under unauthorized access charges.

I don't know. I would think that attempting to frame someone with it shows some amount of malicious intent. There's got to be something else to charge them with other then the equivalent of "breaking and entering" to plant evidence.

viola-12-hot.zip looks tasty to a police officer who thinks they found illegal images but is just a keyword + title word + one-word review of a favourite play when you find the contents are Twelfth Night ... maybe?

I'm a bit disturbed that you suggest it's easier dump child porn onto somebody's hard drive than it is to dump a random bitstream onto the drive. It implies you've got a huge cache of it hanging around ready to go.

He means simpler as in "simpler to get them locked up" rather than "simpler to execute." Having lots of child porn is a sure fire way to go to prison, whereas as has been demonstrated in this thread, the laws surrounding this entropy-of-doom attack are convoluted and highly suspect.

Me too. Also, it's not "easier" even if you have it. To dump data, you have to have and transmit data; to dump noise, you just need a tiny script.

  > It implies you've got a huge cache of it hanging
  > around ready to go.
In the US at least, just a single image is illegal, so there is no need for a huge cache.

I imagine that a single image wouldn't quite motivate the police the same way that two gigabytes' worth would.

I remember a story about the FBI going after some college kid with a single thumbnail in his browser cache, though the other circumstances were:

- Somehow they came up with his IP in a sting where a link to a file was posted somewhere. I don't know if this was posted to a kiddie porn forum (or someplace where just hanging out there is enough to make you suspicious) or just someplace like 4chan (where there's a number of people that will click the link out of curiosity).

- He had 'recently' re-installed Windows. They claimed that he had obstructed justice (or some other B.S.) b/c he had destroyed evidence. (Evidence that they couldn't prove even existed, IIRC.)

- He had a single thumbnail of kiddie porn in a browser cache.

I think that he just settled with the Feds, but cases like this stick out in my mind because it makes it seem like we're all riding the razor's edge and could fall into the Federal justice system at any moment for some random, stupid reason.

[ Plus taking down a pedophile is brownie points to local politicians, which may (or may not) be pressuring them about crime statistics. ]

Let's just say it's not especially difficult to access on the darknet. (I've never done it myself, though)

And getting onto the darknet is but a simple download away...

I think he's saying it's easier to dump unencrypted vs encrypted.

The point was that it doesn't have to be real data, just random data.

But then you'd need to be in possession of it, and that has many issues that merely writing random data to a file does not.

Encrypted data, at least that encrypted with TrueCrypt, is distinguishable from random data. [1]

[1] http://superuser.com/questions/383526/is-a-normal-truecrypt-...

Says down below that it isn't: http://news.ycombinator.org/item?id=4234959

I'm very glad I'm wrong in this case! It would be a horrible weakness in TC.

My dark side is thinking of a virus, let's call it YouGoToJail, that encrypts a file (say with gunpg - 4mb and works on all OSes) with a random very long password. The virus then deletes all traces to itself. You go to jail!

And just before it deletes itself it posts threatening messages via your twitter and facebook account, designed to trigger the automated systems presumably watching these, thereby triggering an investigation into your affairs.

YouGoToJail indeed.

Would the virus actually delete itself by writing over the data? If not, it would be possible to detect that the suspect had the virus.

It would be nice to see such a virus targeted at everyone in parliament.

Well if you find yourself being asked for the encryption key for /dev/rand then you know things are pretty messed up. Given the technology intellegence of some law makers I do wonder when that day will come about.

actually when I read /dev/urandom I get a much larger stream of data. I think /dev/random is corrupted becuase it hangs after a bit when I try to read. So please hand over the key for /dev/urandom..... ;-)

It hangs because your system entropy pool runs dry.


Isn’t it worse than that? Doesn’t it mean that, so long as you possess a reasonable amount of digital data, you could be hiding something in it and are therefore guilty.

Would be a valid defense argument for your lawyer to use. Lot of good that will do you in Gitmo (when the US implements this kind of law).

Guilty until proven innocent.

It is impossible to prove a PRNG'ed file is or is not encrypted data. TrueCrypt volumes look identical to `dd if=/dev/urandom of=file.bin bs=512`. Create a few of each and then evaluate them using ent to see this for yourself.

Edit: Link to ent http://www.fourmilab.ch/random/

You could prove the file is encrypted if it is indeed encrypted and you have the passphrase and the program to decrypt it, but outside of that, it's simply not possible to say with any level of confidence that the bits are really encrypted.

BTW, I wrote TCHunt in 2007, a program that attempts to seek out encrypted TrueCrypt volumes and I have a FAQ that covers much of this. Here's the link for anyone interested in reading more about it: http://16s.us/TCHunt/

And, there is usually much more to it than randomish bits in a file on a disk. The government agents usually have other evidence that suggests the person in question is doing illegal things and may have cause to use encryption. Finding actual encrypted data is normally just icing on the cake to them.

The wonderful thing about TrueCrypt is that you have plausible deniability. If one were worried about having to provide a key, you could provide one that revealed pictures of cats without revealing anything you wish to remain hidden, or indeed if there was anything further to reveal.

This makes this attempt at a law look even sillier.

The original UK phrasing of the law was even sillier. They had taken into account codes as well as cyphers. You could be forced to explain the meaning of any other messages such as "the geese fly south for the winter" .

But the wording was ridiculous, something about any hidden or private meaning in any otherwise innocuous text.

So if you happened to have a book of poetry around the police could compel you to explain the symbolism! Heaven help you if you had a Torah and they asked you to explain any "hidden meanings"

While it is obviously a bad law, it's not quite as bad as he's making out.


"For the purposes of this section a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if—

(a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and

(b) the contrary is not proved beyond a reasonable doubt."

In other words, if there's evidence for there to be 'an issue' about whether you actually do have a key (or whether e.g. it's just random noise), it's up to the prosecution to prove beyond reasonable doubt that it is actually data, and you do have the key.

So the flowchart is:

- If the police can prove they have reasonable grounds to believe that something is encrypted data that you have the key to, then

- That raises an evidential presumption that you do have it, which you can rebut by

- adducing evidence that just has to raise an issue about whether you have a key (inc. whether it's encrypted data at all), in which case the police have to

- Prove beyond reasonable doubt that it is encrypted, and you do have the key.


This would still concern me. It isn't hard to imagine the police assuming any file they don't understand is that way because it is encrypted and, being that they are police and not scientists or engineers, that number could be quite high.

So now, you may actually know what's in that file. Great, no problems (other than the headache of dealing with explaining files in the first place).

The real danger is what if you don't know about the file, either? "I have no clue" is not going to cause reasonable doubt. The problem here is the law starts from a presumed guilt, which is problematic if you are, in fact, innocent.

But it really does come down to how the first clause of the law gets interpreted. Is it reasonably interpreted or not? I have lost faith in any chance of governments sticking to reasonableness when it comes to their threat of terrorism, protecting their "children", etc.

> It isn't hard to imagine the police assuming any file they don't understand is that way because it is encrypted

True, but they have to prove they have reasonable grounds for believing, not just that it's encrypted, but also that you have the key to it.

> "I have no clue" is not going to cause reasonable doubt

It doesn't need to cause reasonable doubt, it just has to raise an issue about whether or not you have they key. In which case the police have to prove you do beyond reasonable doubt.

But you are right - it is ambiguous, and that evidential presumption is in danger of being interpreted in a very anti-defendant way.


> I have lost faith in any chance of governments sticking to reasonableness

Thankfully, it's not up to the government to interpret legislation, it's up to the courts. And they have to interpret criminal legislation (a) in favour of the defendant (common law principle), and (b) compatibly with the human rights act.

That second one is powerful, and has resulted in anti-defendant statues being interpreted almost out of all recognition by a court happy to interpret stuff compatibly with the HRA right to a fair trial. See e.g. http://www.guardian.co.uk/uk/2001/may/18/lords.politics .

But, as mentioned in the above comment, you can't "prove" that something is an encrypted data unless you already have a valid key. And if police only required to "guess" that something is an encrypted data than Falkvinge logic applies - law will be abused (at least unintentionally).

Every digital storage device on earth should contain a randomly sized random data file called RANDOM-DATA. The user of said device could optionally replace this file with encrypted data. Once critical mass is achieved, states that do not respect individual liberty would have no way of determining the nature of every RANDOM-DATA file that they obtain by eavesdropping, theft or force.

I know the answer to this is 'easier said that done'. Certainly hardware and OS vendors can't be trusted with this task. Maybe FOSS installers could educate users and optionally create the file? How can we make this happen? I want to wear a t-shirt that says 'random numbers save lives.'

In the section of the act mentioned (Regulation of Investigatory Powers Act 2000, part III), two of the defined terms are:

“key”, in relation to any electronic data, means any key, code, password, algorithm or other data the use of which (with or without other keys)—

(a)allows access to the electronic data, or

(b)facilitates the putting of the data into an intelligible form;

-- and --

“protected information” means any electronic data which, without the key to the data—

(a)cannot, or cannot readily, be accessed, or

(b)cannot, or cannot readily, be put into an intelligible form;


At first, I thought the argument in this article was nonsense. However, whilst I'd hope common sense would prevail, the definitions above seem broad enough that a policeman could make one's life difficult for a while.

It was being discussed well before this, in the early 90s i went to a computer lab seminar about this and we asked

- we have Tb of data in our detector system that is either truely random (ie part of a Monte Carlo sim) or is essentially random (the detector noise), how do we prove this isn't encrypted.

Oh don't worry, said the nice man from the police computer unit - it's only going to be used against terrorists.

That is in practice the intention, though as it is a law on the book's it is open to be abused down the line against non-terroists.

As a rule the UK police tend to have alot of common sence, but they are also human. That all said the whole blackberry encryption affair recently arising due to the riots does highlight further shortcommings.

Still this law was instigated prior to 9/11 and in that you do wonder what it would look like if it was instigated after the event and how it may of looked.

Well, if I remember right, the UK had their "fair share" of terror (IRA), long before the US suffered from 9/11.

So this argumentation does not strike me so extraordinary. But that does not change the point, that this law really has the possibility to be misused.

Yes but remarkably after 100years of bombings and assassinations by the IRA the response was to carry on as normal, don't give in to them. The only visible sign was removing litter bins from railway stations and some checkpoints on vehicles enter the financial district of London

Yet 5 minutes after the 9/11 attacks on America the UK suddenly needed a whole raft of laws to intercept all phone calls, hold people without trial, random stop and searches etc.

IRA terrorism was pretty extensive too. They murdered close members of the UK royal family (http://en.wikipedia.org/wiki/Louis_Mountbatten,_1st_Earl_Mou...), major damage to cities (http://en.wikipedia.org/wiki/1996_Manchester_bombing) and actual mortar attacks on a sitting Prime Minister and other key high level ministers (http://en.wikipedia.org/wiki/Downing_Street_mortar_attack). Have a look at the list for London alone (http://en.wikipedia.org/wiki/List_of_terrorist_incidents_in_...).

I had no idea the IRA was this level of threat - a personal threat to the people in power. And the problem was pretty much solved through the long hard slog of getting them round a table talking (http://en.wikipedia.org/wiki/Good_Friday_Agreement).

The 'getting them round a table talking' was largely an effect of a massive intelligence and infiltration campaign that reduced the IRA's offensive capability to the point that they figured they'd be better off playing the electoral game. Make no mistake, the IRA was defeated - but it took decades, and involved the kind of subtle work that seems to have been missing in Iraq or Afghanistan.

http://en.wikipedia.org/wiki/Stakeknife is the best example - the guy who was put in charge of finding moles within the IRA had been a British agent for 20 years!

Not that you'd expect any British or Unionist pols to mention this... when they've won, no point in rubbing their opponents' noses in it.

Yip they did it all.

Personaly cost me a job, almost blown up once and had a long walk on day. But we have moved on.

Funny thing is the there was a time I was supposed to go intot he office on saturday to do a upgrade, woke up saturday and had a bit of a hangover so as it made no difference I thought I'll go in Sunday. Was lucky as the office got blown up Saturday so in all respects a hangover saved my life - literaly.

The mortar attack caused me to have a very long walk, on a very snowy day, was alot of fun and fond memories of seeing a london taxi unable to go over a bridge as the road was so snowed/iced up.

I Had a in the bag job all lined up, IRA blew that office up and as such job went up in smoke.

But hey, it's history and can laugh about it now.

Hence the slightly raised English eyebrow when American politicians - especially a Kennedy at a St Patricks Day parade in Boston - talk about supporting terrorism.

Yeah and that upto 9/11 you could go into alot of Church's in the Boston area and make donations to the IRA. That kind of stopped post 9/11.

We all learn from our mistakes eventualy.

There are 342 pages in the Patriot Act. Judging by the 1 NAY vote, Feingold was the only one to actually read the damned thing.

And considering how "comprehensive" it was, I'd say it was already written up and shelved for a crisis like that. I'm not much for the whole conspiracy theory stuff, but that just seems fairly obvious.

Damn, the UK is pretty f'ed up - the list of things that British citizens can't enjoy compared to a lot of other countries (even developing ones) is growing every day.

Meanwhile, a criminal could easily just store everything on an encrypted microSD card, then eat it if anything goes wrong - the oldest trick in the book still works in the digital age :-D...

I was under the impression that key disclosure laws are present in many countries.

Even in the US, with amendments against self-incrimination, if the authorities already know you have encrypted some incriminating data, you can be ordered to hand over the key.

  In the Colorado case, the police had intercepted a 
  telephone conversation in which the defendant, Ramona F.,
  acknowledged her ownership of the laptop and alluded to
  the existence of incriminating documents in the encrypted
  portions of the hard drive.


  I conclude that the Fifth Amendment is not implicated by 
  requiring production of the unencrypted contents of the
  Toshiba Satellite M305 laptop computer.

Though you are right that the law in the UK seems very strict. As an international banker I would be weary bringing a master key or encrypted volume into the UK.

Add this to putting missiles on top of apartment blocks for the Olympics and I really have to agree with you.

Been a while since we've had a case reminding us why we actually need the Third Amendment in the US.

I think you guys need to stop believing everything you read.

The missiles are stationed in 6 areas in London.

Whether they'll be used is another matter. People were asking "what's the difference between a plane that has been crashed into London and a plane that has been shot down over London?", to which the reply is "a plane that is shot down is, effectively, disintegrated and burnt in the air, leaving small fragments to scatter."


Well, it was confirmed by the MOD.

If they know you have it, destroying it is not really different in the eyes of the law than refusing to provide a key.

This sounds very 1984. If the police says you have encrypted data, how can they prove it really is encrypted data? Besides, how can they prove that you do have the keys for the hypothetical encrypted data?

It sounds absurd that you have to prove your innocence. It is common principle that who accuses is responsible for proving your guilty. Besides, even in the remote situation where they could prove somehow that a pile of random bits held some confidential data, no one should be acused of not deciphering it to provide proof against himself. It sounds like inquisition :) If you deny having a deal with the devil you die, and if you confess it, you die too.

I have to wonder if this would ever hold up in court. I don't know much about the UK justice system, but in America it would be pretty rare to be convicted of a crime that they can't actually prove you committed. You could be jailed for refusing to comply with a court order to decrypt the file, but if you can prove it's not actually encrypted, they can't do anything about it.

>> if you can prove it's not actually encrypted

But that's the thing: you can't prove that.

You're saying: "prove that there does not exist any decryption method or key that will turn this blob into incriminating data."

You can never prove that such a decryption method doesn't exist.

In fact, maybe it does exist? Given a blob of random data and infinite time, couldn't you find a way to "decrypt" that into pre-defined data? (I'm not really sure of that.)

It's really quite simple. Just xor it with some publicly available text, and then present the result of that xor as the "encryption key". When you xor that result with the original data, you get the publicly available text back.

And if that works, the prosecution can xor it with some incriminating text...

To all the people commenting about how you can't prove it: in America, proof means "beyond a reasonable doubt". If you really did have random radio telescope data, the prosecution would have to prove beyond a reasonable doubt that your random data is actually encrypted. The proof for the defense would be called an alibi, wherein you would just say where you downloaded it from and what you used it for.

You don't need to prove that it could never be decrypted, you need to provide an alibi and then the prosecution needs to prove beyond a reasonable doubt that your alibi doesn't hold true. Your alibi is your proof.

You can decrypt random data to anything if you want to. Say R is your random data and M is the message you want. Compute Key=R+M, then decrypt R-Key=M.

This argument is interesting because it both a) makes the law worthless and b) removes the "scary slippery slope" argument.

After all, if you can provide a key to anything, then all you have to do (whether it's encrypted financial documents or random noise) is say, "Yep, it's encrypted, here's the key, it's the text of the Wikipedia page for 'kittens.'"

Prove that's not the correct key. If the onus for producing a key (whether one exists or not) is on the defendant, isn't the onus for proving the validity of the decrypted file on the prosecution?

All this comes back to cases like the one from CA (I think) where the guy who refused to decrypt the evidence that would prove his guilt.

And from another perspective, if you're Bernie Madoff and the evidence that will convict you is encrypted, won't you refuse to decrypt with a smile and take the 2-year punishment (with $500M in the bank) over life for financial fraud (and bankruptcy)?

This is why OTP encryption is unbreakable.


Assuming the encryption method can create the bit sequence that is the random data. It very well might not. There may be gaps in the encrypted data's number space.

For any non-trivial encryption method, you'd be brute forcing your way through a bunch of them to find the key that can decrypt the random noise to that message. Typical "20 times longer than the existence of the universe" warnings apply. :)

But the encryption method doesn't need to be non-trivial, especially when you define key as anything that

  (a)allows access to the electronic data, or
  (b)facilitates the putting of the data into an intelligible form;

So, if you have a meg of random data, you're thinking you could give them a one meg XOR key that decodes it to an MP3 file of "God Save the Queen"?

Okay. :)

Only if you use a key the size of your data, which is not commonly done.

At least one person in the UK has been sent to prison for refusal to reveal passwords to encrypted data that I'm aware of: http://www.theregister.co.uk/2009/11/24/ripa_jfl/

These were PGP encrypted filesystems though, not random data.

The law's been around for quite a long time (since 2000, but it didn't come into force for a while after that). The answer to your question about unproven crime with random data is simply that it hasn't been tested in court yet. When a case comes along where the prosecution is claiming something is encrypted data, and the defendant's side is claiming it's random data, then this will be tested. Until then it's anyone's guess what'll happen.

In America a suspect can be jailed for years, even in solitary confinement, no conviction or trial required. The actual number of cases may be small but it's still scary.

Bradley Manning. Never forget.

It's very hard to prove that high-entropy random data isn't encrypted.

How do you prove something is not encrypted?

In theory the accused is innocent until proven guilty, and thus should only need to suggest that the data is random, and pass the burden of proof back to the prosecution, who now have to prove the random data is encrypted.

File headers, existence of cryptography software and manuals, etc might be useful. Admission that the data is encrypted is stronger.


How do you prove its not encrypted? How do you destroy the basics of logic by proving a negative?

In the U.S., wouldn't such a court order be in violation of your fifth amendment rights?

Isn't TrueCrypt's 'hidden volume' feature enough to make this law pointless? Just have two encoded sets of information in the same file. When you are asked to give the key it is up to you the key of which one you give.


It still requires you to give up data for which it makes sufficient sense to be encrypted otherwise someone might get the idea that you are using this feature. While this is a solution it is certainly not as easy a solution as it might seem to be.

Some very nasty (legal) porn should do it.

Or perhaps after giving the key to the main volume the police will insist that you give them the key to the hidden volume.

If you deny that there is a hidden volume then they'll just say that you're refusing to decrypt and prosecute you anyway.

Just put a hidden volume inside a hidden volume inside a hidden volume. There.

Hidden volumes.

Volume one contains hardcore porn, volume two contains bank job plans. Neither can be proved to exist with their keys.

When asked, hand over the porn keys. Plausible deniability.

More people need to know about this. Unless you're quite foolish, this right here will stymie most government attacks. It's difficult to prove that a file full of random noise is actually an encrypted container (but possible, seeing that Truecrypt is installed and other factors), but it's damn near impossible to prove that a hidden volume exists in the same noise.

Better yet, if you do anything with the outer volume without explicitly telling truecrypt about the existence of the inner volume, you will likely corrupt the inner volume and render it unusable anyways.

The only problem with this is that people are really bad liars.

I was watching 'Garrow's Law' yesterday. He said that "Laws which are passed in times of fear, are rarely removed from the statute books". Terrorists always win, because every time they attempt to strike the Government removes our basic liberties under the guise of protecting us.

Well, Norway is dealing with their attack quite well.

Encryption isn't just about hiding your documents. It is also about securing your assets and providing identification.

- The passwords on your bitcoin wallet give you the authority to spend your money.

- Your encrypted signature requires your private key so other's know your message came from you.

So, this law gives the government the ability to impersonate you and consume/use your assets in an unrecoverable way.

While the government might not have the authority to impersonate you or spend your money, they do have the authority to acquire the means to do so. And then all it takes is one dishonest person working for the government to use that information maliciously.

We are have begun to outlaw privacy. This is wrong. Speak up, while you still have a voice.

http://archive.org/details/the_hangman_1964 https://www.youtube.com/watch?v=keZlextkcDI https://en.wikipedia.org/wiki/The_Drumhead

This reminds me of this American Case:


But on the whole, the whole article is scary and slightly unsettling. On the upside I dont live in the UK - But if we were to be traveling through the UK with our encrypted HardDrives, would we be targeted by the law?

The difference with programmers/scientists/hackers and politicians/authorities/lawyers is that the former see instantly where seemingly small changes in laws and policies will ultimately lead whereas the latter will dismiss these potential problems by making remarks such as "It will only be used against bad guys", which translates to "We had a few hairy cases where this sort of law would have really helped, so we wrote one to cover similar circumstances in the future and while we don't really know how to think of what else goes out with the bathwater we will need something at our disposal."

>Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police asks you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.

Of course, if you have access to the files, you could just XOR the noise with some innocuous documents, and send the result to the police saying it's a one-time-pad.

Hell, you could say the key is head -c `wc -c secret_file` /dev/urandom and they wouldn't be able to argue. It's turtles all the way down if they ask you to decrypt the result.

Please forgive my technical ignorance, but can an encrypted cookie be dropped in to my browser cache by a web site? Could an encrypted image with hidden information on a web site end up in my cache? If so, millions of people could have terrorist data in their caches and never know, nor have the key to decrypt it. Also, who has that file Wikileaks published as "insurance". Any one got the key? Any one know whats in it?

So, now Random actually /is/ Resistance? http://www.youtube.com/watch?v=aE6RtzwVdHI

Every time I listen to that song, I imagine a movie in my head where that is the theme song for a resistance movement.

Never really thought about how terrifying that might be in reality.

Assuming this article is true (which I am pretty skeptical of, I live in the UK and never hear about people being jailed for not giving up an encryption key).

What would happen if there is encrypted data on your system but you didn't set the key yourself? For example DRM systems usually work by encrypting data and trying their best to make sure you never acquire the key.

Roll on dual encryption. One key renders a dissertation on kittens, the other renders the original clear-text. Next problem?

It'll get more complicated later I'm sure, but yeah, that's the current patch. Except replace "dissertation on kittens" with "gay porn collection" (or "straight porn collection" if you're publicly gay. or whatever else makes good sense to encrypt, but is still perfectly legal).

It makes me really angry seeing protests about laws which have already passed! It seems to be lazy journalism - after Liberty et al have done the hard work while the bill passes through parliamentary stages, once it's passed, traditional media and others pick up on it and start complaining.

Prevention is better than ranting after it's set in stone.

This article is paranoid ill informed speculation, as are many of the Brit-bashing comments. The police have to show a judge they have good grounds to believe you are concealing evidence from them. Note also that if the powers that be are really determined to stitch you up then they will plant data on you, much simpler.

Can you say, "Who is John Galt?"

Eventually the preposterous laws drive those with mobility to simply leave. Follow that to it's logical conclusion; the UK will make it difficult to impossible to leave with your assets intact. Loss of privacy is a just a precursor to loss of private property altogether.

This makes me wonder why Brits prefer to courageously make jokes at Putin's regime (with which I'm fine, they're deserved), instead of just going to the Big Ben palace and giving a boot to the same kind of governors sitting there.

How does/would this affect Freenet users? As far as I know, a Freenet user's 'deniability' claim comes from the idea that the user does not know the key to the encrypted content hosted on their machine.

So does this imply that I could go to prison for having an executable file presuming I can't "decrypt" it back into its original source code?

A scary article that forgot already many "stupid" or "vague" laws exist and are never used or always used in the right context.

I live in the UK and this is the first I hear about this. Interesting how seemingly important law passes so silently.

Welcome to the future (Orwell, Minority Report, Enemy of the State, Matrix, etc.).

Anybody know where I can find a thermite-holding 5.25" bay?

I don't like or support the legislation - but I think this is a bit of an over-reaction.

The law as I understand it says that if you've got data (and the context of the law is in focussed primarily on targeting terrorism, child-porn etc) that you've encrypted but refuse to give over the encryption keys to; then if the police then convince a judge that there is valuable evidence in the encrypted data, and you still refuse, then you could ultimately go to prison.

Is this really any different to a digital search warrant?

Sure this law, like many others, could be abused. But I don't see it as anything to get to wound up about.

P.s. what kind of person has a 32GB file of satellite noise to generate random numbers with?!


> Police argue the files "could be child pornography, there could be bomb-making recipes."

Note that he was in prison -serving a sentence- but has since been transferred to a secure mental health hospital where he can be detained under the MHA until he is well.

I don't know if he had an appropriate adult with him at any police interviews. I don't know if he had any legal representation at any time. These are weaknesses in the UK system.

From that article: he Missed bail; traces of explosives; carrying home made rockets; had a stash of encrypted storage drives with him and the authorities wanted to see what was on them. In such cases the person is still innocent but the authorities have a duty to investigate.

Don't get me wrong I am a hacker and someone who has written lots of crypto code, but i don't see this as an example to support the case against the legislation.

This is the reaction that is going to destroy all of our civil liberties. "It's only a problem if you're guilty."

what kind of person has a file of random (or near enough to not be able to tell without 32gb of them) numbers?

Any cryptographer? Many astronomers? Physicists? Better lock them all up!

Me. I was just recently curious how base64 encoded data would compress (gzip) compared to non-base64 encoded data. I tried it out on a few types of input, including random bytes. It was not, of course, 32gb, but it was large enough it could have been my nefarious plans or not-tiny collection of child porn images or whatever. It doesn't have to be huge to be important - an encrypted file listing a few hundred account numbers could be vital to a money laundering investigation or whatever.

With respect, the attitude above is the problem. The point is to never give them an inch, as they'll use it to take a mile. It goes against the very foundation of modern justice, innocent until proven guilty.

Well, most people with old VHS tapes have several GB of noise lying around.

I stand by my argument that you can have a encryption key that is say 2000 characters long. Print it out 1 character per page and submit that in advance at your local police station, getting a receipt. You are then within the law.

Now question is - compression can be views as encryption. How does that pan out if you use a non-standard form of compression that does not require a key as the compression formula is the key in itself!

>> You are then within the law.

What good does your maneuver do? Now you have to work with that key, and if they really care, they can laboriously type it in. All you've done is tick them off, right?

Point being that there is a good posibility they will misfile it and in that case you have extingished your liability. Ticking of the police is not against the law and if enough people do it then the sillyness of things starts to stand out.

That all said you can have a trusted friend who lives in another counry maintain your key and vice versa, then things get messy.

Sad part about all this is criminals will find a way to get around the law, and in many cases they will way up the aspect of what charge they would get from the decrypted data compared to a maximum 5 year one and pick the easiest option.

This is silly. If they misfile it, they'll ask for it again. If you say "I already gave it to you but you lost it, nyah nyah," they'll find you in contempt of court.

For that matter, if you're in the middle of trial and give them what they asked, but in the most massively inconvenient way you can think of, they'll find you in contempt of court.

Judges are not (usually) stupid.

There is nothing saying you can't then use the defence of you forgot the encryption key. Having previously provided it your obligation to the law is extinguished.

Judges are not stupid, not the easiest job to get and takes alot of work. They may not be experts in every feild they have to deal with though and in that they depend on expert witness's.

The point being that it is a silly flawed law and the approach I outlined is one which is just as silly, yet still compitulates with the letter of the law fully.

Now if your in a situation were you are having to defend raw random encrypted looking data that is just raw data, then is the onus upon yoruself to prove it's just random data and if not anybody could say its not encyrpted its random data, could they not?

Question is how should the law actualy handle the situation were some data from a criminal activity is encrypted and would requitre 1000 years to brute force? This law was a way to cover those situations. It's not perfect and in many respects is down right offencive. But it's like this - if you have nothing to hide then why should you be made to feel like a criminal. That is the real crux of the matter, though some people may view it entirely differently. Heck a badly spelt/grammer document could be deemed as hiding encrypted data when it is just bad spelling/grammer or it could actualy be encypted/obfiscated data hidden within the document. you just can't tell and that is were it starts to get realy realy messy.

Ticking of the police is not against the law

No, but wasting police time is.

Very true but not when they waste there own time. Personly it is a silly law made out of panic and in that is flawed. My approach just highlights the sillyness of the law in itself. I love the police but there again I don't break the law.

The point being that whilst your obligated to provide the key, there is nothing saying how that key is provided and that is another flaw in a flawed law. Though some people are taking it too literaly I suspect.

Until there is a case of this law being used to actualy procecute somebody unfairly and unjustly then it is hard to argue it's flaws, but we all see those flaws and shortcommings, like many things in life. Nothing is perfect.

The legal system is not a computer program.

Nobody said it was and in that things are not always black and white and as clearcut as they could be. the case of random data - is it random data or is it encrypted being the case in point.

This is why we have resonable doubt in the UK and innocent until proven guilty. In France they have guilty until proven innocent and such a law as this over there would be alot more painful to defend in that respect. Personaly I like the Scottish system of Innocent until proven Guilty but with the added verdict of not-proven, this covers things were it is not entirely clear that your innocent and there are doubts, though not enough to convict a guilty verdict. That too me is a fairer system on balance.

> Now question is - compression can be views as encryption. How does that pan out if you use a non-standard form of compression that does not require a key as the compression formula is the key in itself!

GCHQ aren't idiots, and would be able to "decrypt" such toy crypto schemes. But, even if they couldn't be bothered to do so the law doesn't require only a key, but either a key or to make the data intelligible.

Nobody is saying GCHQ are idiots and I fail to see why you mention them.

This is not about some "toy encryption schemes" it is a observation that as this law stands it there is no real way to say what is random and what is encrypted or in the case I point out - compressed. Now the whole argument of making the data intelligible is a completely different argument and gets back to how do you prove random data is actualy just that. You can't.

Good encyption with have entropy akin to random data. Also a compressed file will have the entropy of poorly encypted data.

   Data is just that, data.  Intelligble data is information and is not data.  Big difference and in that any data set is random without meaning/interpritation.

You say this:

> Now question is - compression can be views as encryption. How does that pan out if you use a non-standard form of compression that does not require a key as the compression formula is the key in itself!

You then ask why I mention GCHQ. I mention GCHQ because they control NTAC (National Technical Assistance Centre) - this is who will attempt to decrypt the data. This will happen in parallel to RIPA notices being issued.

If a person uses a non-standard form of compression and the police are interested there are two actions from police:

1) GCHQ trivially 'break the crypto'

2) A RIPA notice to make the data intelligible is issued, forcing the user to un-compress the data.

> Now the whole argument of making the data intelligible is a completely different argument

No, it really isn't. If you've encrypted it or compressed it or used steganography or used some simple code system to hide data they issue a notice and you have a limited amount of time to make the data intelligible.

> and gets back to how do you prove random data is actualy just that. You can't.

This is a different argument, and is not what you said.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact