Discussion in 'privacy general' started by CloneRanger, Oct 5, 2010.
The UK is particularly draconian on this issue, no? It's not like there's a Bill of Rights. And, for the Americans in the audience, recall that the Bill of Rights doesn't apply while you're outside the USA.
If the police had such a shoddy case that they had to resort to information gleaned from the suspect himself....well, that's pretty bad....like you said, Hierophant, in the USA we have a 5th amendment that keeps one from being a witness against himself.
I, too, am curious how they know the password length.
It's not so cut and dry here in the USA. For instance, even though we have the 5th amendment, courts routinely force people to give up the passwords to safes and to provide DNA samples. Safe combinations and hair and DNA samples are not protected under the 5th. Therefore, prosecutors have argued it should be the case with encryption keys too.
There was one case in Vermont where a guy was suspected of child porn.  The prosecutors told him to give up his encryption keys but the judge ruled that the key is protected under the 5th. Later, the case went to an appeals court, and that court reversed the decision and said he must give up his key or face contempt. So, I guess current case law is unclear about this sort of thing, which is why it will probably take a Supreme Court ruling before we can put it to rest.
1. The original judge in that case is the same guy who has been really "compassionate" toward child predators in the past. For instance, he gave an extremely light sentence to a man convicted of raping a girl under the age of 10 (like 30 days or something) which caught the ire of many on the cable news circuit.
I understand that the courts can hold you in contempt if you refuse to divulge your password. One solution is to use a keyfile on a USB stick, and conveniently destroy/lose the USB stick at the first sign of trouble. If the keyfile is an unknown random set of characters, there's no way they can hold you in contempt.
You don't have the password
Of course, you've lost your data, but if you're in this sort of position, that's the least of your worries.
Okay, the main differences between fingerprints, DNA, etc. and the passwords....is that forcing someone to give up information you know rather than what you possess physically are two very different things. One is available whether you want to give it up or not - what's in your mind is clearly asking one to incriminate themselves and has been considered a violation of the Fifth Amendment. I'm aware of the current case working its way through the courts; meanwhile, prosecutors nowhere in America are challenging 5th Amendment claims to password information. So you're right in that it will eventually be settled - legally. I also agree with 'Simply The Best' that it's an absurd thing to request and expect given his/her arguments about the password being correct or not. How would you prove in the U.S. court system that somebody is lying about the password? How could a jury not have reasonable doubt?
BTW, combination safes ARE protected by the 5th amendment. Physical keys to a safe ARE NOT. So again, it comes down to a physical thing versus what's in the mind.
I don't think you can just claim a dvd has corrupt data. I believe they use a fair amount of error correction, and if the raw data isn't showing as corrupt or having some bit errors, you will have a tough time convincing anyone that every block, or even most, on the dvd has corrupted bits which just happen to read back as blocks with no errors at all. Especially if every time they read the raw data, it is exactly the same.
DiskCryptor seems more useful in these cases. With DiskCryptor he could have given them the password (or any password) to a fake OS.
The same applies to TrueCrypt as well.
Come on guys, post about the issues or technical points, but, leave the personally direct, inflammatory words out of it. Refute the arguments, if they are flawed. However, there's no need to insult the posters.
Some good points are raised above. I would also add the following. According to the police spokesperson:
So they are presuming that he was carrying out crime, a variation of the 'if you weren't doing anything wrong why were you hiding' phony argument. Whatever happened to the presumption of innocence? He went down for failing to disclose a key, not the crime he was investigated for (distribution of indecent images of children or whatever the appropriate charges would have been).
It also seems draconian to me that all they need under s.49(2) is reasonable grounds to think that you have the key but are failing to disclose it http://www.legislation.gov.uk/ukpga/2000/23/part/III/crossheading/power-to-require-disclosure
Note: not even deliberately trying to conceal it but only failing to disclose it. That is a very low threshold and thus generating spam/dud containers that you don't remember the password to could actually get you in even more trouble under this lovely law introduced by Labour.
Agreed. The cat is out of the bag and it ain't going back in. And the legislators would have a very hard time completely outlawing encryption. There would be a first amendment issue (like was the case with Phil Zimmermann) and any such legislation is guaranteed to be overturned by the courts.
Saying that people couldn't write their own crypto software for personal use would be a huge infringement on the 1st amendment (in my lay opinion).
I agree. There are too many legitimate uses for encryption - even mandated by law - for anybody to stand for outlawing or backdooring. Not going to happen.
According to the various articles I have read, he was entering the USA and went through a border search where they asked to see his laptop's contents. He (for some odd reason) voluntarily decrypted the drive and they found the images. Then they confiscated his laptop and (stupidly) turned it off. When they tried to turn it back on later, they couldn't access it because of PGP disk. That's where it all began.
Yeah, but this seems to be exactly what they were planning on doing here -- relying on the testimony of the border agents.
OK, so what's the solution? Let's say I'm going to be in Amsterdam for a month (don't I wish). So I create a TrueCrypt volume, and put all my stuff in it. Then I csplit it into several pieces. Perhaps I then encrypt each piece. Then I put overlapping subsets of those pieces on several cloud storage sites, with nowhere near a complete set on any one site. If relevant, I do that via several VPNs. When I get to Amsterdam, I buy a netbook, download the requisite pieces, and reassemble them. If I were really paranoid, I could do multiple layers of the encryption and splitting.
When I have some time, I believe that I'll test that -- this weekend, perhaps. Any bets?
It would be a real pain in the a$$ for most users to access their data. I guess it would depend on how often you need to access your data.
I predict the high possibility of a screwup. Encrypted data can be very fussy. If the reassembly is not perfect, if even a single bit (or more) is excluded or shifted out of place then the decryption will fail from that point onwards.
I sure wouldn't want you to waste a weekend on it. Computer screens are so darned ... flat! And they just sit there. Why not go for a nice healthy hike instead?
Yes, that is a serious concern. Also, just to be upfront, that's a manual/simplified version of Cleversafe.
Hey, I'm a geek
Excellent point. And there is no rational argument to the contrary.
Haha! I don't know what csplit is but I know how to use hjsplit and winrar. You could put everything into a truecrypt folder, split it into several pieces, encrypt a piece with winrar, then axcrypt, and use rapidshare, hotfile, mediafire and maybe an email attachment...
Right, caspian. And could you put it back together again? We shall see.
FWIW, csplit is an old-school Unix file splitter.
Edit: Make that lxsplit, which seems to be Ubuntu's default. I gather that it's compatible with hjsplit.
So, anyway, I created the 300 KB TrueCrypt volume "test.tc", and split it into three 100 KB pieces -- "test.tc.001", "test.tc.002" and "test.tc.003". Then I compressed each piece ("001.tar.gz" etc) and put them on www.megaupload.com. Then I downloaded them, extracted the pieces, and "unsplit" them. Worked just fine. Perhaps that was obvious. And it was fun. Anyway, the pieces are at "/?d=XJKUAOPH", "/?d=CB74673X" and "/?d=BUBPPY6K" if you want to see for yourself. The password is "foo".
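The split-and-reassemble test described above, combined with the earlier worry that a single wrong bit breaks decryption, as an added shell example that is not part of the thread or any poster's own script. It uses POSIX `split` rather than csplit or lxsplit; the function names, manifest file names and the generated stand-in for "test.tc" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): split a file into pieces with a SHA-256
# manifest, then reassemble only if every piece and the final result verify.

# split_with_manifest FILE PIECE_BYTES OUTDIR
split_with_manifest() {
    src=$1; size=$2; out=$3; base=$(basename "$src")
    mkdir -p "$out" || return 1
    # Three-letter suffixes: FILE.aaa, FILE.aab, ... (sorts in piece order)
    split -b "$size" -a 3 "$src" "$out/$base." || return 1
    # Per-piece hashes locate a bad piece; the whole-file hash catches
    # a wrong order or a truncated result after reassembly.
    ( cd "$out" && sha256sum "$base".??? > pieces.sha256 ) || return 1
    sha256sum < "$src" | cut -d' ' -f1 > "$out/whole.sha256"
}

# reassemble DIR OUTFILE
# returns 0 on success, 2 if a piece is missing or altered, 3 if the result differs
reassemble() {
    dir=$1; dest=$2
    ( cd "$dir" && sha256sum -c pieces.sha256 >/dev/null 2>&1 ) || return 2
    : > "$dest"
    # Concatenate in manifest order rather than trusting directory order.
    while read -r _hash name; do
        cat "$dir/${name#\*}" >> "$dest" || return 1
    done < "$dir/pieces.sha256"
    [ "$(sha256sum < "$dest" | cut -d' ' -f1)" = "$(cat "$dir/whole.sha256")" ] || return 3
}

# demo: constructed 300 KB stand-in for "test.tc", split into 100 KB pieces
demo() {
    work=$(mktemp -d) || return 1
    awk 'BEGIN{for(i=0;i<30720;i++) printf "%09d\n", i}' > "$work/test.tc"
    split_with_manifest "$work/test.tc" 102400 "$work/pieces" &&
        reassemble "$work/pieces" "$work/rebuilt.tc" &&
        cmp -s "$work/test.tc" "$work/rebuilt.tc"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "round trip OK"
```

The manifest has to travel with the pieces (or separately) for the check to be possible on the receiving machine.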
What do we do when most evidence may soon be digital?
We make good money helping clients to hide it.
We make good money helping clients to discover it.
We use some of that money to ensure that ours is well-hidden.
Have I missed anything?
Kinda where I was going.
But I think the endgame is that the courts will apply the privacy "penumbras" of the US Constitution to the internet. Your "house" is your solitude, generally speaking, but when you go out, we'll tap the crap out of you! I don't know if it can be any other way.
In/out it makes no difference to "Them". Don't think you're safe in/on your own home/land even if you own Every part of it, not these days I'm afraid.