In a few hours time Part III of the Regulation of Investigatory Powers Act 2000 will come into effect. The commencement order means that as of October 1st a section 49 notice can be served which requires that encrypted data be “put into an intelligible form” (what you and I might call “decrypted”). Extended forms of such a notice may, under the provisions of s51, require you to hand over your decryption key, and/or under s54 include a “no tipping off” provision.
If you fail to comply with a notice (or breach a tipping off requirement by telling someone about it) then you will have committed an offence, for which the maximum penalty is two years and a fine or both. It’s five years for “tipping off” and also five years (an amendment in s15 of the Terrorism Act 2006) if the case relates to “national security”.
By convention, laws in the UK very seldom have retrospective effect, so that if you do something today, Parliament is very loth to pass a law tomorrow to make your actions illegal. However, the offences in Part III relate to failing to obey a s49 notice and that notice could be served on you tomorrow (or thereafter), but the material may have been encrypted by you today (or before).
Potentially therefore, the police could start demanding the putting into an intelligible form, not only of information that they seize in a raid tomorrow morning, but also of material that they seized weeks, months or years ago. In the 1995 Smith case (part of Operation Starburst), the defendant only received a suspended sentence because the bulk of the material was encrypted. In this particular example, the police may be constrained by double jeopardy or the time that has elapsed from serving a notice on Mr Smith, but there’s nothing in RIP itself, or the accompanying Code of Practice, to prevent them serving a s49 notice on more recently seized encrypted material if they deem it to be necessary and proportionate.
In fact, they might even be nipping round to Jack Straw’s house demanding a decryption key — as this stunt from 1999 makes possible (when the wording of a predecessor bill was rather more inane than RIP was (eventually) amended to).
There are some defences in the statute to failing to comply with a notice — one of which is that you can claim to have forgotten the decryption key (in practice, the passphrase under which the key is stored). In such a case the prosecution (the burden of proof was amended during the passage of the Bill) must show beyond a reasonable doubt that you have not forgotten it. Since they can’t mind-read, the expectation must be that they would attempt to show regular usage of the passphrase, and invite the jury to conclude that the forgetting has been faked — and this might be hard to manage if a hard disk has been in a police evidence store for over a decade.
However, if you’re still using such a passphrase and still have access to the disk, and if the contents are going to incriminate you, then perhaps a sledgehammer might be a suitable investment.
21 thoughts on “Time to forget?”
If you used a randomly generated key instead of a passphrase, and stored that key on some removable media, and that media got destroyed (probably with a sledge hammer), would that be an acceptable defence, or would that be considered destruction of evidence or something?
Of course, you’d still face the problem of having to keep it away from the police long enough for you to destroy it, but I was wondering if its a workable defence at all.
Wow. Anti-hack tool legislation coming up; must provide decryption (i guess most geeks don’t want to work for the forensics teams?), cctv cams everwhere. If it’s not in your community, it’s coming soon! When will the global first world — yanks and brits and germans wake up? France, the only first world i’ve seen resort to civil disobedience in some time (rather successfully, iirc?) rioted in the streets when unfair laws regarding youth and work were introduced; we hand over our rights as well as liberties on a platter and ask if they want fries with that. 😥
I think they hate people that are smarter than them.
How much a society can take when people realize that its not THEY that decide what is going on (with laws…)
But then again the brits still have royals, so what up anyway … 😉
kuza55: As to defences — if you can convince the jury that you are unable to comply with the s49 notice then you will not be convicted. However, if you hit the media with the sledgehammer AFTER you were served with the notice, then you will be convicted.
Hehe, I guess truecrypts hidden volume feature will now become really really useful in the UK!
P.S.: With the hidden volume you have actually two partitions in one container. One is a fake one which contains a few prepared things you want to show and a lot of free space. In that free space you find hidden the real partition. Without anything to identify it of course and as good encryption is undistinguishable from random noise one cannot tell if there is a hidden volume or not.
And now the clue. You have two passwords for the container. You use the right one and it mounts through to the hidden container where your real data is. You give the fake password and it opens only the outer part of it and you see only the prepared data you want to show. Nothing else. No way to tell if the password was fake or not.
This is called a “plausible deniability feature”
TrueCrypt thrawts RIPA III
The UK government is going to deprive honest an law-abiding citizens of their liberties while criminals can carry on theirs businesses as usual, with just a little software upgrade.
Free software like TrueCrypt can conceal encrypted material in a way that prevent its detection.
In case the Police forces you to reveal your password, TrueCrypt provides and supports two kinds of “plausible deniability”:
1. Hidden volumes. The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created* and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.
2. It is impossible to identify a TrueCrypt volume. Until decrypted, a TrueCrypt volume appears to consist of nothing more than random data (it does not contain any kind of “signature”). Therefore, it is impossible to prove that a file, a partition or a device is a TrueCrypt volume or that it has been encrypted.
FreeOTFE also offers similar features.
Off-the-Record (OTR) Messaging, offers true deniability for instant messaging.
TrueCrypt’s “aleatory” defence against RIPA
TrueCrypt provides an “aleatory” defence against RIPA, and, indeed, against any similar legislation. This defence works because TrueCrypt makes encrypted material indistinguishable from pseudo-random data. And before the authorities can insist that you hand over an encryption key, they would first be obliged to prove to the satisfaction of a court that you were in possession of encrypted material. Depending on how TrueCrypt is set up it might be obvious that you have some pseudo-random data in an atypical location on your computer, and you might well be asked how it got there. Now, there are many computer processes that produce pseudo-random data, and you are not obliged by the legislation to account for the origins of every file on your computer that contains such data given the tens of thousands of files on the average PC this would be an impossible task. However, TrueCrypt can also provide you with an excellent and highly plausible reason as to why you possess such a file of pseudo-random data irrespective of where it is found.
Off-the-Record Messaging, commonly referred to as OTR, is a cryptographic protocol that provides strong encryption for instant messaging conversations. OTR provides perfect forward secrecy and deniable encryption.
1. Perfect forward secrecy: Messages are only encrypted with temporary per-message AES keys, negotiated using the Diffie-Hellman key exchange protocol. The compromise of any long-lived cryptographic keys does not compromise any previous conversations, even if an attacker is in possession of ciphertexts.
2. Deniable authentication: Messages in a conversation do not have digital signatures, and after a conversation is complete, anyone is able to forge a message to appear to have come from one of the participants in the conversation, assuring that it is impossible to prove that a specific message came from a specific person.
DriveCrypt Plus Pack and “plausible deniability”?
I believe it may also be possible to use DriveCrypt Plus Pack to achieve “plausible deniability”
DCPP is supposed to enable the user to hide an entire operating system inside the free disk space of another operating system. Two passwords are required: One password is for the visible operating system, the other for the invisible one. The first “fake” password grants access to a pre-configured operating system (outer OS), while the other gives grants access to the real working operating system. This functionality is extremely useful if the user fears that someone may force them to provide the DCPP password; in this case, the user simply gives away the first (fake) password so that the snoop will be able to boot into the system, but only see the prepared information that they wishes them to find. The attacker will not be able to see any confidential and personal data and he will also not be able to understand that the machine is storing one more hidden operating system. On the other hand, if the user enters the private password (for the invisible disk), the system will boot a different operating system (the working system) giving the user the access to all the confidential data.
The creation of a hidden operating system is not obligatory and as such, it is not possible for anyone who does not have the hidden OS password to know or find out, if a hidden operating system exists or not.
Regarding OTR for VoIP you may also have a look to Phil Zimmermann’s ZRTP protocol specification and his new Zfone project.
A compliant open source implementation is available for GNU ccRTP use by the Twinkle VoIP client (www.twinklephone.com).
If you use a ZRTP enabled VoIP client then you can’t tell the password because you don’t know it. Thus if some black hats recorded your VoIP streams they are not able to decrypt the streams (not even you can do it once the VoIP session is closed 🙂 ).
Possibly I’m being naive, but surely FreeOTFE / TrueCrypt / DriveCrypt Plus don’t actually provide any kind of plausible deniability with cunning dual password strategies, because the very fact that you have them installed indicates that you are probably using this feature. There are plenty of more common drive encryption systems which don’t use this technique and you as a user would surely have to provide a very good reason why you used software that did offer the ability to have a second password but you chose not to use it, particularly on a hard drive which appeared to have a large amount of free space…
HeyHo from germany,
Its quite shocking for me to read this. I was not aware of this law until i saw it on telepolis. (german it-news-site)
I strongly recommand to use Truecrypt. The it-specialists of the police are well aware of the possibility of the second hidden container, but as you said already, you are out of the line, because of the “plausible deniability feature”.
Please use L2P and TOR. The more users, the more security.
Good luck in UK, i fear our goverment is making this come true too. As you perhaps know, the german goverment is creating a ‘Bundestrojaner’ and govemental software spyware, which get illegaly on your machine to spy you.
Re: the very fact that you have them installed indicates that you are probably using this feature
Anyone with a Windows PC has probably never used most of the applications installed there. The “Microsoft Office Tools” for starters. So this claim needn’t be a problem.
The problem I see with the hidden OS in DCPP in particular (as I use this product) is you cannot actually USE the fake OS or it can damage the hidden OS. So it would seem if you installed the hidden OS and never used the fake OS – timestamps would give you away. I bypassed the option after reading the very limited documentation that came with the program (and the nearly mirror image support site) because it appears to me that if you hand over your “fake” password and it is quickly discovered that nothing in the OS has been used or modified for 6 months – or 5 years – there is obviously reason to believe there is a hidden operating system involved. As I do not have anything on my computer that I would worry about the authorities per se looking at I opted against the overkill. But if someone DOES have data that they are concerned about, they should also be concerned about this obvious flaw in the “plausible deniability” claims these companies are making.
The first s49/s51 ante-hoc RIP request is in re animal rights activists and material seized in May 2007. The BBC article below even mentions TrueCrypt
Is TrueCrypt volume distinguishable as a TrueCrypt volume just by analyzing the file? I think not. And TrueCrypt can be used from thumb drive or any other removable media or even network share that technically is out of the country in concern.
Re: the very fact that you have them installed indicates that you are probably using this feature
The fact that I have installed truecrypt possibly indicates that I use truecrypt (if we ingore the fact that people don’t use a lot of software they have installed), but not that I use a particular feature of that program.
As a law-abiding citicen I have the right to protect my privacy against illegal, private spies, and for this purpose truecrypt is a good choice. Without the necessity to use its hidden volumes.
RIPA could be challenged on human rights
The government’s new powers to force the handover of encryption keys could be vulnerable to a legal challenge under the Human Rights Act’s guarantee to a fair trial. People who refuse keys or passwords face up to five years in jail.
I’m thinking for this dual OS setup, if the encryption software can do this:
for example a 100G hdd, first 10G partition for the save OS, the rest 90G parition for the data drive of the save OS.
a password on bootup will boot to the safe OS, then mount the data partition. Put some dummy files on the data partition.
The 90G data partition actually contain a safe inner zone and a large (80G for example) outer private zone with the real private OS, and private data.
In that setup, the user can boot the safe OS from time to time and play around. Just remember not to mess with the other large data partition.
With the other password in bootup, the system will start the real private OS for protected usage.
Since the whole 90G data partition is random data (besides those few dummy files when mounted), there is no way to tell if there is a hidden OS. And the user can safely play around the fake OS anytime to avoid the “long time no use” problem of the fake OS.
Maybe starting an elecrical fire in your tower would do well in this case. If your home insurance covers that, and you have the receipt for all your parts (like I do!) Mwahaha.
I believe that it’s time for us to have a remotely triggerable device built into our hard drives. On suspecting that the contents of your drive are about to be compromised by Police burglars, etc., you trigger the device. Then, the device sprays a light mist of serious acid all over every micron of all faces of the platters of the hard drive, destroying the information on board.
Even a “mobile” phone numbered device could be used. The Police are scum and must be kept from our lives as much as possible – they are the enemy. The sooner we get rid of the Police, the sooner we can make a start on stopping crime.