Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


The UK is coming for your forums and comments sections - Page 2
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

The UK is coming for your forums and comments sections

2»

Comments

  • emgemg Veteran

    @yoursunny said:
    What if the person doesn't have the key to decrypt data?
    I can make a group crypto system where decryption is possible only when at least M group members approve to decrypt the data.
    As long as fewer than M members reside in UK, the UK government cannot decrypt the data.

    I wish I could answer this question for you, but I do not know the answer.

    TREAT THE FOLLOWING AS SPECULATION, NOT FACT!!

    I assume that if you can prove that you do not have the means to decrypt the data, you will not be charged, or if charged, you will be found innocent. That may match your use case (secret sharing protocol) above. Legally proving that you cannot decrypt the data may not be so easy. It may be helpful if you name the other keyholders and specify how many are required to decrypt the data, assuming that you can answer those questions.

    Do RIPA charges lead to trial by jury? If so, it may come down to convincing them, and this subject may be difficult for a jury to understand.

    -> The harder problem is when there is a password or passphrase or some other memorized key. How do you prove that you do not know or remember the information needed to decrypt the data?

    It is my opinion that it comes down to forensics, coupled with human judgement. Example: If the encrypted files in question were last "touched" only a day before your arrest, it would be difficult to convince law enforcement, prosecutors, or a jury that you forgot the password a day later. The same would be true if the authorities can show that your criminal activities that depended on the encrypted data were ongoing at the time of arrest.

    If the encrypted data seems untouched for years and you have been diagnosed with Alzheimer's Disease, I doubt the authorities would bring charges under RIPA.

    -> What if you are convicted and sent to prison under RIPA, but while in prison you change your mind and provide access to the decrypted data? Are you freed from prison? Is the conviction expunged? I do not know. I wonder whether the timeliness of the information makes a difference.

    Example: You are aware of a conspiracy to commit a crime but are not directly involved. The information is encrypted. You are arrested under RIPA for refusing to decrypt the information. While you are under arrest (or in prison), the criminals commit the planned crime. A day after the crime happens, you provide the key to decrypt the data, which is now useless since the crime has occurred. Are you released because you decrypted the data?

    REMINDER: THE CONTENTS OF THIS POST ARE NOT FACTS. THEY ARE REASONABLE ASSUMPTIONS BASED ON PREVIOUS CONVERSATIONS WITH THOSE WHO HAVE A DEEPER KNOWLEDGE OF THIS TOPIC.

  • MaouniqueMaounique Host Rep, Veteran

    @emg said: A day after the crime happens, you provide the key to decrypt the data, which is now useless since the crime has occurred. Are you released because you decrypted the data?

    Even if you would be released for providing the key you would be on for a much longer sentence as an accessory to the crime, so I think this point is moot. You would not provide the key either way.

  • yoursunnyyoursunny Member, IPv6 Advocate

    @emg said:

    @yoursunny said:
    What if the person doesn't have the key to decrypt data?
    I can make a group crypto system where decryption is possible only when at least M group members approve to decrypt the data.
    As long as fewer than M members reside in UK, the UK government cannot decrypt the data.

    I wish I could answer this question for you, but I do not know the answer.

    TREAT THE FOLLOWING AS SPECULATION, NOT FACT!!

    I assume that if you can prove that you do not have the means to decrypt the data, you will not be charged, or if charged, you will be found innocent. That may match your use case (secret sharing protocol) above. Legally proving that you cannot decrypt the data may not be so easy. It may be helpful if you name the other keyholders and specify how many are required to decrypt the data, assuming that you can answer those questions.

    Crypto protocols are all open design.
    The attorney can hire a cryptographer who would explain that decrypting the data requires at least M keyholders.

    It may or may not be possible to name the other keyholders.
    The person may know the online ID of other keyholders, but not their real world identities.

    On the other hand, it's also possible that the person actually owns all M sub keys, but the police only located one of them.
    Now, the police needs to approve that the person has more than enough sub keys, so that they can force the person to reveal the rest of the sub keys.

  • @yoursunny said: Crypto protocols are all open design.

    The attorney can hire a cryptographer who would explain that decrypting the data requires at least M keyholders.

    Just because the literature talks about a 'jury of your peers' doesn't mean they're as smart as you. Just remember that in your design process. You'd do better referencing movies they may have seen.

  • raindog308raindog308 Administrator, Veteran

    @Arkas said: You do know that the Queen is not involved directly in politics right?

    I know how it works but...if the Brits get to call everything "Her Majesty's ____" then we get to say it's the Queen doing it.

  • @cold said: we don't care, we are EU, we don't give a shit about the Queen's wishes

    Seeing recent EU actions I can say you both are shit.

  • coldcold Member

    @Boogeyman said:

    @cold said: we don't care, we are EU, we don't give a shit about the Queen's wishes

    Seeing recent EU actions I can say you both are shit.

    still we don't care !

  • emgemg Veteran

    @raindog308 said:

    You would fail. It's Britain.

    In the US this is still at the appellate level. There have been several Federal and state Supreme Courts that have ruled that forcing someone to disclose the key violates the Fifth Amendment (right against self-incrimination).

    There are a variety of legal subtleties: https://en.wikipedia.org/wiki/Key_disclosure_law#United_States

    The wikipedia article is helpful, but may be incomplete.

    The following applies in the USA:

    As raindog points out, whether you can be compelled to decrypt your data after you have asserted your Fifth Amendment rights is not fully settled law. The Fifth Amendment can protect you from self-incrimination, but how it may be applied to encrypted data is still being resolved by the courts.

    It has long been established that you can be compelled under lawful authority to provide your fingerprints and other biometric information without your consent. When the police finger

    It has long been established that you cannot be compelled to provide the memorized combination to a safe under Fifth Amendment protections. Of course, if you do not, the authorities can break into the safe to get at its contents. They may damage the safe in the process, so you may want

    The current thinking with encrypted data is that you can be compelled to unlock a device with your fingerprint or your face or other biometric features, but you cannot be compelled to provide passwords or anything else that you know in your head. "You have the right to remain silent."

    Thanked by 1skorous
  • emgemg Veteran
    edited July 2022

    @yoursunny said: Crypto protocols are all open design.
    The attorney can hire a cryptographer who would explain that decrypting the data requires at least M keyholders.

    Let us assume the attorney hires a competent cryptographer, the only information given to the cryptographer is the encrypted data, and the encryption was done correctly.

    In that case, the cryptographer would not be able to say anything about the data, how it was encrypted, which algorithms were used, whether the decryption requires one or more keys, or anything else about it. The encrypted data should be indistinguishable from truly random data.

    The defendant may assert that the data is encrypted using a secret sharing algorithm, and the cryptographer can explain what that means to the jury, but they have no means to prove the assertion.

    In real life, the investigators, cryptographer, or the defendant may find circumstantial evidence about how the data was encrypted, such as software tools in the defendant's possession at the time of arrest that were likely used to perform the task, etc. Absolute proof may not be available.

    Often the encrypted data comes with a plaintext header or is wrapped in some way to reveal which tool was used and other information about how the encryption was performed. That would be information leakage through an alternate channel, but not directly from the encrypted data.

    I have had encrypted data brought to me with the simple question, "Which algorithm was used to encrypt this data?" All I can do is give the questioner a friendly smile and explain what I just wrote above. :-)

    (In real life, I frequently saw "encrypted data" that I immediately recognized as not properly encrypted. If you notice any pattern or something appears at a higher or lower frequency than its peers, then the data is not properly encrypted. It happens all the time.)

    P.S. Not all cryptographic protocols and algorithms are open design. The Skipjack block cipher was not an open design. It remained classified for a long time. It did not work out so well for the NSA after they declassified it.

    https://en.wikipedia.org/wiki/Skipjack_(cipher)

    Thanked by 1yoursunny
  • emgemg Veteran
    edited July 2022

    @Maounique said:

    @emg said: A day after the crime happens, you provide the key to decrypt the data, which is now useless since the crime has occurred. Are you released because you decrypted the data?

    Even if you would be released for providing the key you would be on for a much longer sentence as an accessory to the crime, so I think this point is moot. You would not provide the key either way.

    You may have misinterpreted my example, and it probably needs refinement. Here is the scenario I had in mind:

    Pretend that you know nothing about the future crime and are not liable if it happens. You are in possession of encrypted data that could lead investigators to the conspirators before the crime happens.

    The decrypted data might reveal very embarrassing information about your love affairs or whatever. The data exposes nothing illegal, but exposure could cause irreparable harm in finance or politics, so you refuse to decrypt it, resulting in RIPA charges.

    Once the crime happens, you understand more (and those love affairs are no longer so embarrassing), so you offer to decrypt the data.

    This post is a little sloppy, but I hope you get the idea and understand the difference between our two versions of the scenario.

  • adlyadly Veteran

    I'm more concerned about the "I could care less" comment than potential UK laws. 😬

    Thanked by 1bulbasaur
  • raindog308raindog308 Administrator, Veteran

    An electronic text copy of the works of Shakespeare + applying the right one-time pad = child pornography. In fact, it's trivial to calculate what the OTP is - you just find some CP image, encode it in ASCII, and subtract a suitable length of The Merchant of Venice.

    So is it the key that's the CP or Shakespeare? It can't be Shakespeare, but a string of numbers (the pad) is not child pornography, and it's no truly a "decryption key" either...

    Or suppose I have a few EB of digits of pi at home. (Who has EB at home? I remember when no one had TB on the planet. Anyway...) If I want to store a secret, I just need to find the part of the sequence that can be transformed with a key to produce my data. And anyone can find any image they want in that datastream just by applying the OTP of their choice.

    Thanked by 1Maounique
  • MaouniqueMaounique Host Rep, Veteran
    edited July 2022

    @raindog308 said: And anyone can find any image they want in that datastream just by applying the OTP of their choice.

    Exactly my point. Also, you can use movies and encode a second stream within some unused channel or even within the datastream per se. It would look just like random corruption or you can simply apply some delta algorithm, for example the colour of every 100th pixel would be a bit off as well as brightness and sharpness of every other 100th pixel(s) (different sets of pixels for each change). If you store Blue-Ray movies in mpg you have a huge chunk of data to hide within.

    Those things will never work against criminals, they will just harass regular people, same way the war on drugs or the war on immigration does not work, make something illegal and you turn people into criminals, some people can't escape drugs no matter what, some can't live in Russia or Venezuela or Syria, they have to flee or they die. People will still smuggle drugs, will still risk their lives to avoid a certain death, they will get more and more adept at it, no matter what laws we put in place.

  • emgemg Veteran

    The discussion has strayed somewhat. I do not deny the truth of the remarks from @raindog308 and @Maounique above, but the concepts they suggest must translate into something practical and realistic that can serve as a "Get out of jail free" card for RIPA or similar laws in other countries.

    Various steganography concepts and ideas, including alternate decrypts, have been discussed for many years. Many steganography schemes have been broken through a variety of means. I won't elaborate on the details. For a successful prosecution under RIPA, you don't have to decrypt the hidden data. All you must do is show that it exists. I freely acknowledge the possibility that there may be successful schemes that remain unknown and undetected.

    Think about the necessary requirements for a successful and practical steganography scheme that can withstand forensic scrutiny and still avoid prosecution under RIPA. Keep in mind that your scheme must include a way to access the decrypted (plaintext) data when required.

    I understand one time pad (OTP) encryption very well, and I know how and when it is used in practice. It is true that alternate OTPs can be created to "decrypt" to any desired "plaintext" from the encrypted data, but such a scheme would depend on the authorities not being able to locate or access the actual key that decrypts into the "correct" plaintext. Keep in mind that the key must as large or larger than the plaintext. You must also convince the investigators, prosecutors (and possibly judge and jury) that the alternate decryption is the correct one. They know about OTPs too. I need to see the specific details of how an OTP scheme would work in practice to escape RIPA. My hunch is that someone trained in the art will find issues quickly.

    While you are designing your get-out-of-RIPA-free schemes, keep in mind that you must also cover up all the artifacts and other data leakage on a system where you can "prove" that no encrypted data remains hidden, and anything encrypted has been unlocked in a way that satisfies investigators that you are being forthright and open. Adding "robust, easy to use, and forensic resistant" to your list of requirements complicates the matter. You may also be forced to train your operatives to memorize complex procedures and never make a mistake. Most criminals struggle with basic encryption, let alone something like this. By the way, people who do forensics for investigations can be very smart.

    (If you never need to access the decrypted data, it would be better to wipe or physically destroy the storage device, which removes all risk of prosecution under RIPA.)

  • HxxxHxxx Member
    edited July 2022

    @stevewatson301 Haven't read the legislation or proposed change that you described. But from the summary you gave it looks like something positive.

    However this looks like the case of GDPR.
    US businesses / projects, etc will not follow unless they have interests in that location (i.e. customers, legal presence, etc.).

    For instance your thread title, you make it sounds like it is something threating to a website hosted and founded in USA for example. While it might look like that, reality might be different. A website can decide to block certain visitors or not focus on that segment if they choose to.

    Most websites , specially with user generated content, has a ToS. In there it probably says you have to be 18+ of age, that the service is not for minors, that they are not responsible for the content and the usual legal verbose that protects the entity or is believed to. Content moderation is always required , as we have seen with major social media services, it is a huge part of the operation.

  • @raindog308 said:
    An electronic text copy of the works of Shakespeare + applying the right one-time pad = child pornography. In fact, it's trivial to calculate what the OTP is - you just find some CP image, encode it in ASCII, and subtract a suitable length of The Merchant of Venice.

    So is it the key that's the CP or Shakespeare? It can't be Shakespeare, but a string of numbers (the pad) is not child pornography, and it's no truly a "decryption key" either...

    Or suppose I have a few EB of digits of pi at home. (Who has EB at home? I remember when no one had TB on the planet. Anyway...) If I want to store a secret, I just need to find the part of the sequence that can be transformed with a key to produce my data. And anyone can find any image they want in that datastream just by applying the OTP of their choice.

    Everyone has a copy of the Brotli dictionary

  • chihcherngchihcherng Veteran
    edited July 2022

    @stevewatson301 said: if you have a website with any user-generated content which is accessible in the UK

    Make your website inaccessible in the UK.

Sign In or Register to comment.