Er - since April 2006...
A T-shirt would be lovely thanks if one's going...
Police have expanded their use of powers to force suspects to decrypt files by 50 per cent in the last year, figures released today reveal. In the 12 months to March 31 this year, government officials approved 38 notices under Part III of the Regulation of Investigatory Powers Act, compared to 26 in the previous year. The …
What else were they going to do than to step up their lawful use of this arguably abusive law?
Even the charge with something spectacular, obtain notice, get passwords, find naughty things to really charge with, drop frivolous charges routine is nothing but the expected from the plod these days. They clearly _need_ this law to get their conviction rates. Doesn't have much to do with what the rest of us would call justice, but that's a small price to pay to showcase a working (as in, "does something") police apparatus to the public. All y'all we'll keep safe with our new laws, honest! For your own good!
They need 17 notices to improve conviction rates? Name *any* crime (by regional force remember) where 17 conviction will not be a drop in the ocean.
Never let the facts get in the way of a hysterical rant eh? Your sentiments may be bang on - how about thinking of a less extreme way of presenting them - otherwise you are as bad as them.
Such as innocent until proven guilty and the right to silence. The RIPA obligation to handover keys violates these 2 principles by obliging a suspect to cooperate in the collection of evidence for the purpose of their own prosecution.
The possibility that a few guilty people might be locked up on account of this who otherwise wouldn't be doesn't justify locking up otherwise innocent people who refuse to cooperate in this procedure. How long it will take a case of someone who is innocent and does not cooperate to get before the European Court of Human Rights based on violation of the ECHR (European Convention on Human Rights, section 8 right to privacy and section 6 right to a fair trial) is an open question.
If you are a pedo but the only crime they can actually pin on you is "Part III of the Regulation of Investigatory Powers Act" because all the evidence they have is encrypted then from their point of view its better to go down for 2 years for that than fess up and go to prison and get the shit kicked out of you every day for being a pedo.
Still this opens up the way for someone to maliciously plant an encypted file on someones pc then report them that they may be a kiddy fiddler. the innocent person gets arrested and cant give up the encryption keys as they don't have them, and could get 2 years for it.
Ive downloaded some files from forums that were hosted on rapidshare before now that were pass protected zips and dont necessarily remember exactly which forum and which post has the password now.
I don't think you understand the full implications of not handing your password over. The two years is more for you to think about complying with the request. Once you've served the time you'll get another two to think it over and so on. The offence hasn't gone away and double indemnity no longer exists.
...and used a dummy encryption system that points to only mildly incriminating evidence. If police demanded you offer the key, wouldn't you send that key, take the slap, and count your blessings? Or were police smart enough to send repeated notices to the same person on suspicion of just such a secret secret stash?
...what about steganogrpahy? Hiding things in non-obvious places like within music, movie, or graphics files? Might not police use the concept to be able to bang on a door, any door, and insist "The picture of your gran has a hidden message inside it. Give us the key to reveal it or we'll put you away for two years." Not like you're gonna be able to do much good with a "Sod off."
...if it's a Freenet URI. You know, hide the files in the Freenet cloud and simply communicate how to reach it in a steganographic message.
And some of the worst things can come in tiny little messages. Things like...terrorist communiques? Wouldn't that get the government up in arms? As for the lack of a program on the computer, the supposition of a web- or cloud-run program takes care of that.
This is one of the reasons to use truecrypt if you don't want the authorities to pry through your stuff. With it's encrypted within encrypted security it allows plausible deniability - if you don't want them seeing your stuff, but don't want to go to jail for not giving them your password, encrypt it twice and only give them the first password and deny any other password exists
TrueCrypt allows for plausible deniability by actually having 2 volumes encrypted with different keys in the same file - one starts at the start (the throwaway one), one starts at the end of the file (the secret one).
You can either use just one volume or two - and there's no way to determine if the second volume exists
When you enter a password, it tries to decrypt a header at the start of the file. If that fails, it tries to decrypt a header at the end of the file - so using a different password accesses a different volume.
You can also use BOTH password so that TrueCrypt is aware of both volumes - which allows it to be more careful about letting one volume overwrite the other.
That said, I use TrueCrypt to secure source code from work on my home machines - Simply as a precaution. I don't bother with a hidden volume. Of course, whether they'd believe me if it ever came to that is another matter - And of course, because I know how to do it must mean I've done it, right? Isn't that how the law works nowadays? It's like being able to undelete files - If you know how to do it, you can be arrested for deleted stuff.
Prosecution now says that because you're using truecrypt they believe there is a further layer of encryption that you haven't disclosed the key to. The burden of proof is now on you to show that there is no such level of encryption, or that you don't have the key. Good luck proving a negative.
I'm just waiting for the first case of someone being asked to decrypt that suspicious looking file /dev/random
The plausible deniability relies on the hidden volume being either encrypted stuff of yours or random stuff that looks similar. - Actually, when in use, your stuff overwrites the random stuff.
There lies a weakness, there will be a seam, it is really difficult to generate proper random numbers, and whatever method is used by truecrypt, i reckon it will be detectable.
I suspect that truecrypt uses its own encryption (with an almost-random key) to make a dummy file look like 20GB of random numbers.
However, this is precisely the "offence" that will get you locked up for life, 2 years at a time, with a "suspected nonce" tag for clean happy showertime fun.
Plausible deniability might work in America, but the offence here requires you to prove that the random data is NOT an encrypted partition, by either providing the key, or the plaintext, or by going to prison.
Excellent points sir.
Could TrueCrypt have weaknesses? Yes, undoubtably. The possibilty of a seam is one; I can think of others. The forensics equipment used to examine hard drives is enormously sensitive. Could it detect that the data at the end of the primary volume has been written to far more regularly than would be expected if a hidden volume were not in use? But far the biggest weakness is simply incorrect usage. Without careful consideration, one could be leaving a trail of forensics all over the primary volume, or an unencypted one, all pointing to a volume that shouldn't exist.
I do know that its dev team take their work very seriously indeed. Being open source, there's also an active community able to pore over both the concepts and the implementation looking for just such pitfalls. IMHO, its certainly the best option yet available.
For RIPA, I would be amazed if there wasn't some element of 'reasonable grounds' necessary before a conviction could be obtained. Most UK laws, especially criminal ones, have such terms either embedded in the wording, or subsequently inferred by judges under statutory interpretation.
I suspect the only way that we'll know for sure is through a test case, specifically on PD. I'd expect massive coverage and numerous appeals before the final outcome would be reached. Whichever side wins, all that would be achieved would be an escalation in the arms race. If the prosecution won, expect the relevant exploit to be rapidly patched by the TrueCrypt team. If the defence won, expect new legislation criminalising the mere ownership of any PD capable software. Neither would settle the matter for long.
tl;dr - TrueCrypt could have weaknesses, RIPA is not carte blanche to jail those genuinely unable to decrypt any suspicious-looking file. Only a test case will answer the current questions.
Could this be one reason why some people have given up dealing with encryption? They have been forcefed stories about having to decrypt all their files and if they forgot the password then they will be locked up.
Those Daily Fail readers will be going on about how it only affects those who have committed crimes, and those who have a different skin colours. It is only when it affects white middle class people do they throw up their arms.
It seems that the police consists of rather idiotic people, and I don't mean "Tim, nice but dim", but "Plod, nasty and dim". Anonymous in case they don't feel happy about what I wrote.
the key files are only supplied via our cell phones from my office when connected to our laptops with Bluetooth whilst trvelling.
The only password I know unlocks the dummy TrueCrypt volume.
Hard to give Plod something you don't have. Besides, cloud computing really messes up their high handed demands, too, just remember to purge browser history and bookmarks - best done by using Portable Apps software and selecting shared computer options.
An aquaintance that may work for a government might have inferred that the reason the CIA et al have been able to find and launch Predator strikes against AQ leaders in Iraq and Pakistan may have alledgedly been because AQ were relying on the security of encryption products often touted as "never having been broken". Alledgedly, of course, in a purely hypothetical discussion, etc, etc, etc (no black helicopters needed, thanks, Mr NSA). Just to remind you all of the consquences of falling for security hype, just go ask your Wifi LAN admin why he's not using WEP anymore, another supposedly "unbreakable" solution.....
Either way, the Police get two years to work on your encrypted drive whilst you try not bending over in the showers, and then they simply ask you again and send you back for another two years if you decline. And you end up with a criminal record and the inference you are either an animal rights nutter, kiddie fiddler or terrorist even if they do decide to let you back into society at some point, none of which bodes well for future employment or a happy family life.
The problem with Truecrypt is its hidden volume feature. This creates two problems:
- you have a hidden volume, but give them the "clean" password so they won't find anything - will you then have complied with the directive? Problem: Johnny Terrorist and Priest the Pedophile get clean away
- you do NOT have a hidden volume set up (I personally use Truecrypt simply as encryptor) but they suspect you have one. At that point they may ask you to open up something that doesn't exist, so you will be locked up for contempt of court - despite being innocent.
As a previous commentard correctly notices, RIPA turns the basis of the legal system "innocent until proven guilty" on its head so you're at the mercy of some pretty unsavory characters..
Thank God I moved :)
"The powers, known as section 49 notices, require suspects to hand over passwords or make files intelligible to investigators on threat of a two-year jail sentence, or five years where national security is concerned."
Doesn't matter that they suspect you have a hidden volume as they can only make you "make files intelligible to investigators". Suspecting something exists just don't cut it. Given the intelligence of the average "investigator" I'm not sure what you'd have to do if you were an Assembler coder. Re-write it in VB?
I do not have a hidden volume setup. Honest.
Take your file, XOR it with the contents of War and Peace, hand the output to the police as a key. When they XOR it with your original file they'll get something intelligible.
The one-time pad using a truly random key is still unbreakable without the key, given that other apparent keys can be generated in the trivial manner above. Of course, your key is the same size as the original file so you'll need to hide it somewhere they can't find it.
Perhaps we need a random data club - every day, everyone in the club sends a file of random data to another club member - I believe there is someone in the US who does this already.
Without client-lawyer privilege there is no right to fair trial. It's always been the case that a few more people who belong in jail would be jailed if a lawyer's records aren't privileged information, but police have never had access to this information because it would undermine the whole criminal justice system.
I hope they take the case to the European Court of Human Rights because that is a fucking terrible precedent.
and so did a lawyer on the uk.legal forum back in December when I posted this there. Initially he didn't believe me, but then went and checked:
TIMES 12/3/2009 pp65 (Law Report)
STATUTE OVERRIDES LEGAL PROFESSIONAL PRIVILEGE
House of Lords
McE v Prison Service of Northern Ireland and Another
C and C v Chief Constable of the Police Service of Northern Ireland
M v Same
>Such as innocent until proven guilty and the right to silence.
In American law "innocent until proven guilty" focuses on how your case is presented to the public.
It does not give you the right to simply ignore a subpoena or otherwise stand in the way of a legitimate police investigation.
The contempt citation in an American state court sends you to county lock-up.- not so pleasant a thought if the lock-up is a tent farm in the Arizona desert. - and there you will roast on a spit until the judge says otherwise.
The right to silence doesn't go much farther than what you can be compelled to say - to speak. Your DNA is fair game. The keys to the locker room are fair game.
The geek has an unhealthy obsession with "plausible deniability." It didn't save Nixon and it won't save you.
"Plausible" is for the jury to decide - and the jury doesn't think geek.
Actually, you have a constitutional right in America to not incriminate yourself, even under subpoena. To any such request or even demand, simply reply, "I plea the 5th." Meaning you are invoking your constitutional protection against self-incrimination under the 5th Amendment.
What a strange thing that courts, police and governments should exercise quite so much punitive pressure on anyone for looking at mere photos, even to the point now, it seems, of forcing anyone accused of such an epoch-shattering crime to damn themselves for refusing to incriminate themselves.
Justice gets suspended for this crimen exceptum. Normal rules no longer apply - so we take away a person's right to not incriminate themselves and put them in prison anyway, safe in the knowledge that anyone going before a court charged with even looking at 'indecent' images stands virtually no chance of a fair outcome. You do know that, right? That it's not the prosecution that does the damage, but the mere accusation? That's what will ruin your life - that's how it's been intended, by police, courts and advocates, from the start. The prosecution is a mere formality - a necessary, if expensive, process, but not really the point.
You quite literally cannot win, once you become an Accused. The Maleificarum has stitched you up good. Confess and be damned - forever - or refuse to cooperate and be damned - forever - because the police know that the accusation IS the punishment and THAT's what will follow you around forever, while being forced to the sign the SoR is merely the Maleificarum's way of continuing to put it's boot into your face on a regular basis, just for the hell of it, while ensuring you remain jobless, homeless and socially excluded for the rest of your life. 'Rehabilitation'? That's just some people talking.
One hundred years from now, future generations will hold their heads in shame at such wretched, medieval standards of 'justice' practiced by allegedly liberal, progressive societies and perhaps the countless lives ruined by a willfully spiteful modern inquisition might at last find some measure of apology - too late for them, but perhaps enough of a warning for future generations. Perhaps.
For now, the moral panic knows no bounds - not even those of it's own laws. Front doors will be kicked down in the wee small hours by heavily armored policemen in full riot gear (and before the cameras of an invited press, no doubt) to catch these terrible, seemingly unstoppable threats to the very fabric of our apparently highly corruptible and entirely fragile society. No expense must be spared, no law too sacrosanct that it cannot be bent or broken to satiate the voracious appetite of this unstoppable modern inquisition.
"For now, the moral panic knows no bounds - not even those of it's own laws."
Modern version on inquisition and witch hunt where the accused is either guilty (for something) or guilty (for something else). There are no other options.
These moralists should be shot as a dangerous lunatics and everybody who support them put into jail as a danger to society. Much graver danger than the accused ever was.
TrueCrypt fanbois really should wake up to reality, because all this stuff about hidden files / containers within hidden files / containers is pretty much dreamland.
It takes less than a minute with even a dumb piece of freeware to analyse a hard drive's contents: no, not their nature, but most certainly, their extent. Alternatively, it takes Windows Explorer (XP) even less time to search by file size.
So here's this encrypted file which, despite its innocent-seeming name, is inexplicably 3Gigs (or more) when any fule know it should only be a few Mbs.
And here's Mr Clever Truecrypter, providing the key to open the outer container, and thinking how-brilliant-I-am, no-one will ever know there's a secret, inner container.
Only. . . the size of the outer container's contents don't remotely match up to the size overall.
Well, maybe it is possible to come up with some kind of explanation: after all, two years spent in quiet contemplation is surely long enough to be creative.
Where Truecrypt is concerned, the old saying continues to hold true: size matters. If you don't want stuff on your hard drive that might be a source of future embarrassment then. . . don't have it on your hard drive. Simple as that.
Have you ever even looked at true crypt?
True crypt is a program that creates a virtual drive of a specified size on your hard drive, and that drive is encrypted.
The hidden partition is part of the virtual drive and so appears as random data on the outer drive.
They are NOT talking about file encryption.
TrueCrypt creates a file with a fixed size by default, regardless of how much data you store on it. What isn't actual encrypted data is filled up with random bits, meaning it is impossible to tell whether you have a hidden volume or just created a big crypt file which you haven't filled up yet.
10KB worth of files on a 100GB crypt drive will still be suspicious, but that's obviously not the approach one should take in such a situation.
... to do any research before making that post? Truecrypt is volume encryption, not file encryption - it produces a file which can be mounted as a volume,
Say you create a TC volume of 20GB. It is 20GB when created, and remains 20GB as you fill it up. If you create an inner container, the volume is still 20GB. Empty space in a TC volume is encrypted. There's no way - short of cryptanalysis - of determining whether the 'empty space' in a TrueCrypt volume is empty or whether it holds an inner volume.
The best an attacker can do, unless they can break the encryption, is to consider a 25% full drive suspiciously empty, or the files within suspiciously innocent. Or torture the keyholder until they are sure. The way we are going I'm not sure the latter is necessarily ruled out.
I don't see why, for the volumes of cases cited, it wasn't possible to trojan their PCs and catch them in the act. Or install bugs in their PCs, or houses, to either capture the offending material, or the passwords to the containers. If an offence is not serious enough to merit such an approach, I don't think it's serious enough to qualify for RIPA measures over refusal to decrypt.
"......Say you create a TC volume of 20GB. It is 20GB when created, and remains 20GB as you fill it up. If you create an inner container, the volume is still 20GB......" OK, so the Police run a check on your PC (and believe me, they employ professional techies that have been working with PC forensics for years, they are not amateurs), they see you have a 20GB "file" and spot all the characteristics of a Truecrypt volume which you have not declared. They will calmly ask you if you have any hidden volumes or encrypted material on your PC. You, being a moron, reply "no" - they now have a statement showing you are obstructing a Police investigation, which can be used in court to infer guilt of a more serious crime or just passed to the CPS to get a prosecution rolling.
They then produce the system in question, say they have found the Truecrypt volume and offer you a chance to decrypt it. You, still being a moron, say "no" again. If you are lucky, the Police may point out to you the penalty of not decrypting, or they may just go ahead and ask the CPS to prosecute on the refusal if they had an otherwise weak case. They may point out that if they suspect you are hiding kiddie pr0n (why else would you have an encrypted volume?), they will have to go and interview your employer, family and friends and - unfortunately and of course unintentionally, honest - leave the implication that you are a kiddie-fiddler. Good luck explaining to them afterwards that you were just standing up for a principle.
So, by now if your solicitor hasn't explained to you what a moron you're being (presumably just to protect your encrypted copy of "The Anarchists Handbook" and your mp3z, which the Police couldn't really care about - you aren't really hiding kiddie pr0n, are you?), your family and friends will definately be (remember, in the JFL case his family were desperately trying to convince him to decrypt his files). Let's see how long that "standing on a principle lasts" when your parents are wringing their hands and crying about "their little boy" going away for a stretch.
So, you try and be even smarter and give the Police the key to the outer Truecrypt compartment. Unfortunately for you, all that does is reveal the garbage in the outer container, and the Police point out that you are not in compliance with the request and are again in obstruction. If you do not immediately hand over the inner compartment key you are now looking like you are seriously trying to hide something - you must be a kiddie-fiddler/terrorist/nutter. Have fun in court! And in prison.
Of course, the likelyhood that the Police would even be interested in you in the first place is pretty far fetched. They have more important things to do than waste time on idiots that are "standing up for a principle". Whilst you think your Bit Torrent stash of mp3z makes you a real hax0r, the truth is your just not worth their time.
"Not the case as far as I'm aware." Well, Chris, my source of the info was probably getting it fifth-or-more-hand, but he's usually reliable. If you are in direct contact with the family I'll defer to your more direct info. As I hear it, JLF is now out, off probation, and is looking to release a book of his experiences.
Criminalising the possession of random data seems like the next logical step in this.
I think it would therefore be a good exercise and test of our liberties to organise an international random data swap day, where everyone is encouraged to dd if=/dev/urandom of=[an email, USB stick, CD, fax, public speech, QR code, t-shirt] a few blocks of random data and give them to our friends, enemies, strangers, MPs, police officers...
Not all of us are stupid enough to view police officers as "enemies" due to whatever is the trendy social view in the groups they choose to mingle with. But I'm betting you'd be straight on the phone to those "enemies" if someone broke into your home and stole your PC / laptop / stash of Liberty newsletters.
TBH, anyone seriously contemplating wasting police resources in the manner you describe simply because they have nothing better to do with their time really needs to go get a clue.
First, his post makes a serious point about how easy it can be to fall foul of this type of legislation, and though you may see it as 'wasting police resources' - like those pesky photographers wasting police time by not doing anything illegal - he suggested a legal way of advertising the problem and undermining assumptions about the legislation.
"Not all of us are stupid enough to view police officers as "enemies" due to whatever is the trendy social view"
If you want to assume the police are on your side that's your business, but that doesn't make those of us who have had to take a more objective view of NuLiebore's pc police stupid. Here's an extract from NightJack's blog on 'A Survival Guide For Decent Folk':
"Never explain to the Police
If the Police arrive to lock you up, say nothing. You are a decent person and you may think that reasoning with the Police will help. “If I can only explain, they will realise it is all a horrible mistake and go away”. Wrong. We do want to talk to you on tape in an interview room but that comes later. All you are doing by trying to explain is digging yourself further in. We call that stuff a significant statement and we love it. Decent folk can’t help themselves, they think that they can talk their way out. Wrong."
NightJack archive here:
and guide here:
'Not all of us are stupid enough to view police officers as "enemies"'
"anyone seriously contemplating wasting police resources in the manner you describe "
I neither said nor implied that police were enemies, nor is there any reason that people swapping random data should waste police time - as doing so is not a crime.
I certainly wouldn't suggest spamming police mailboxes with random data, but if there is an event designed to shine a light into what are currently murky legal waters and raise awareness, you would expect that some attempt be made to inform law enforcement, as well as lawmakers and the wider public.
I saw Iron Man 2 and in that film I saw a Russian chap break into a computer from a Login prompt; now if he can do that, why piss about with this encryption malarky (I also saw a chap in a film break 256bit encryption by typing what looked like ls -l over and over again at the login prompt). Hollywood so it must be true. Encryption bollocks; basically if they are gonna stitch you then its gonna happen - our fault, we voted for the twats.
If it is a fixed size volume of say 10gb and the suspect has a second set of files taking up 5gb
and they hand over the safe key to the plod and the plod sees 3gb of not interesting stuff and clever plod then trys to fill the rest of the 10gb available with innocent pictures of his subaru pursuit car does it let them overwrite the hidden partition or does it say FULL ?
I understand why you might allow this legislation. But it should only have ever been used as an anti-terror tool were there was an impending threat. But then again a law envisaged to combat terrorism being used for other stuff, have not seen that before.
On a side note, having a terrorist or anarchy handbook on your PC is not enough to be a terrorist. I bet the British wish they had these laws when we still had the colonies. Would have sorted those independence seeking terrorists out. Americans don't seem to get the irony of all the new anti-terror laws they have. One persons terrorist, is another's freedom fighter.
And no I don't think American tactics in seeking independence are the same as the Islamic terrorist mass killing of civilians tactics. But under current legislation they are treated in a draconian way.
Sorry went a bit of topic there....
100% effective at destroying data, and even if they realise that the drive has been sabotaged the common rescue techniques just make things worse.
If you are particularly ingenious you can configure the device so that in the event it unexpectedly loses power without the shutdown code being entered first it breaks the vial.
Or better still, store all your data on n 32GB caseless pendrives encased in resin with a time/motion sensitive trigger and a small battery powered HV generator set to arc through the stack. Good luck recovering anything off that, even if one chip survives the read circuitry will be blown to hell.