Forced password defense

In some countries, e.g. Britain, refusal to disclose a password to the 'proper authorities' upon request is a felony. This is still working its way through the US courts as 'self incrimination', but I'm not optimistic.

Suppose some standard encryption app allowed the user to encrypt a file in the usual manner with a password, then upon request scrambled the password, in a way the user didn't know and couldn't recover, then stored the encrypted, unreadable file (or didn't scramble by choice.) Info as to whether the password had been scrambled totally erased so no external authority could tell the difference.

If enough people did this wouldn't that give enough legal doubt so as to avoid persecution for not revealing when ordered, especially if that particular file, and many others on many other computers, were indeed unrecoverable. Might need some standard disclaimer on all encrypted files.

You probably don't want to be the only one to do this.

 

That's why steganography (OpenPuff) and TrueCrypt Hidden Volume exist. Although sector overwriting (Eraser) is the only surefire way, the above options may be enough to fool them.

 

This is called "Plausible Deniability". Someone may possess data that has been encrypted and may have some additional encrypted data nested in the first encrypted file. That "someone" may give one of the keys away (as if that was the only key that existed) in order to reveal only a part of the data to make it look as if they are co-operating and after that deny they have any other keys. This statement cannot be said to be false unless one possess knowledge that a specific number of additional keys exist. If this is the case the further encrypted data nested within the first encrypted folder cannot then be proven to exist thus deniable in a most plausible sense.

 

Not trying to fool anybody. "!Nothing to hide!"; file could be info or meaningless don't matter. Never able to be read again (undecryptable), and there for all to see.

A critical mass of these floating around if indistinguishable from decryptable files then who's to say that a valid password is in the hands of the owner? Reasonable doubt I would think.

And what if a botnet dumped a few million into random computers? Read-only files, encrypted, inactive. It's hard enough to root out trojans, viruses when they're dicking with you. They just need to dup the output of some of the standard privacy apps, and perhaps inactive traces that the app has been deleted.