How should the law deal with strong encryption?  

Jamie
(@jamie)
Community Legend

Those with an interest in the way legislation should be drafted in response to the challenges of strong encryption may enjoy Neil Barrett's latest article at silicon.com

http://software.silicon.com/security/0,39024655,39153438,00.htm

Kind regards,

Jamie

Posted : 02/11/2005 5:24 pm
fatrabbit
(@fatrabbit)
Active Member

Thanks Jamie, very informative.

Posted : 02/11/2005 7:28 pm
cblume
(@cblume)
New Member

I'm not familiar at all with the UK legal system …

Are there criminal laws in place that force the defendant to produce keys, combinations, or other such access devices in the case of a physical lockdown on evidence? If so, then the concept of forcing a defendant to do the same with virtual evidence seems clear enough, and would follow the same lines.

Posted : 02/11/2005 9:51 pm
arashiryu
(@arashiryu)
Active Member

I stumbled on the information below but haven't tried it yet.

It is towards the middle of the page.

http://www.techpathways.com/

"Ever worry that the system you are seizing uses whole disk encryption?
Use ZeroView™ freeware to find out.
Download your free copy of ZeroView from http://toorcon.techpathways.com/uploads/zeroview.zip today.

Burn it to a CD then pop it into the CD drive of the suspect machine and it will load into memory only and display the contents of Sector 0 allowing you to determine if whole disk encryption is employed on the suspect system. Once you know, then you can take the appropriate steps to capture and preserve the data you need."

Posted : 02/11/2005 11:00 pm
yey365
(@yey365)
New Member

Under the terms of the UK RIPA Act the suspect can be compelled to divulge passwords or face a 2 year prison sentence. Depending on what is being protected a 2 year term may be worthwhile!

Jim

Posted : 03/11/2005 5:50 pm
T_Oliver
(@t_oliver)
New Member

I know that was on the original plans for RIPA Jim, but are you sure it ever got implemented?

Posted : 07/11/2005 6:20 pm
bjgleas
(@bjgleas)
Active Member

I know that was on the original plans for RIPA Jim, but are you sure it ever got implemented?

It appears that the Regulation of Investigatory Powers Act (RIPA) was passed in the UK in July 2000. Here is a nice website detailing the act:

http://www.hbinfo.org/menu2/acts/ripa00contents.shtml

bj

Posted : 08/11/2005 6:59 am
bjgleas
(@bjgleas)
Active Member

Under the terms of the UK RIPA Act the suspect can be compelled to divulge passwords or face a 2 year prison sentence. Depending on what is being protected a 2 year term may be worthwhile!

Jim

I've always had a sneaking admiration for this law.

While it can (and probably will) be abused, I've always viewed it as being similar to someone refusing to take a drunk-driving test in the US. You can refuse, but it is an automatic loss of license for an extended period of time. This section of the RIPA seems very similar. As one other poster said, it may be worth it to take the 2 years.

But my question is if you refused to cooperate and go to jail, would that halt the investigation? If, during the 2 years you are in prison, the police crack the code and find illegal activities, can you still be charged for the new crime, as well as for failing to surrender your password? It would not appear to be double jeopardy, since the 2 years is for failing to turn over the password, and not for the crime that was hidden.

Can any of our UK members address that?

bj

Posted : 08/11/2005 7:10 am
Andy
(@andy)
Active Member

As far as I am aware (Tristan is correct), legislation relating to liability for failure to disclose a password/passphrase under part 3 of the RIP Act was not included. It may be that it is implemented in some future update of the act.

Andy

Posted : 08/11/2005 3:45 pm
jlloyd
(@jlloyd)
New Member

I've always been very concerned about the potential for a miscarriage of justice inherent in this proposal.

Think about it, should an encrypted file be found on a machine, the owner or operator of that machine may be jailed for failing to produce the relevant key.

As you are all aware, it is not always possible to prove provenance of a file. Clearly, the owner/operator may legitimately have no knowledge of the existence of the encrypted file or, having knowledge of the file, may not know the decryption key. The file could have been downloaded, emailed, uploaded maliciously, encrypted by a work colleague etc.

In this case, that lack of knowledge provides no defence and would directly lead to a jail term.

In essence, the existence of any encrypted file on a machine, to which the defendant could not provide a decryption key, would provide a mechanism by which to ensure a jail term for that suspect. That may be great news for the prosecutor but it's not so great for those concerned with civil liberties.

Justin.

Posted : 08/12/2005 4:55 pm