UK Government to force handover of encryption keys

Taylor, Corey (SAPOL) corey.taylor at police.sa.gov.au
Fri May 19 02:15:03 CST 2006


> on the face of it, so reasonable. let's stop crooks and terrorists. but
> hang on, this is the british government*, noted for its honest and above
> board behaviour with private information. sure, you can argue that 'you
> have nothing to hide'. you can argue it's only for the guilty to worry
> about. tell me this, is there no conviction of the innocent? anyone
> remember the shooting of the unarmed brazilian man on the london
> underground?
> 
> * (btw, you could call it british, australian, american, whatever)
> 
> ok, let's flip sides. do we want to stop criminals, terrorists et al? of
> course. do we want to erode any rights we have in the process? how far
> are we willing to surrender our civil liberties to achieve a putative
> goal (that one wonders if is realistically achievable)?
> 
> *sigh* i want people like corey to have his job made easier, i truly and
> absolutely do. but. but. do i trust my government? actually, no. do i
> have faith they will handle all data sensitively and with high regard
> for privacy? there will be no slip ups? pvt jake kovco info left in an
> airport lounge, anyone? (on a farking cd being accessed on a public
> computer? such a sensitive report? they couldn't give this woman a lappy
> ffs?)

I'm definitely one of the few people in this department who believe that
being unable to access encrypted keys isn't the end of the world. There
are many other behaviours that indicate paedo rings, for example, and if
we were absolutely unable to collect intel on a group, I would be one of
those who would advocate that the problem is a failure on our part in
collecting intel using the other indicators (and there are many others).
As far as terrorist groups go, well there are always other indicators
than encrypted emails. There was heaps of info suggesting a Sept 11-type
attack from what I've read but the failure was in putting all of the
pieces together in time. Being able to decrypt emails at the time
probably would have only been a negligible help considering the bigger
problems the communications processes between FBI/CIA/NSA/DoD had.

So yeah, demanding encryption codes straight-up indicates that our
information on these groups is missing which is total crap most of the
time. As I said, putting all of the other pieces together is where the
failure lies (and is, given, the toughest part) which is a failure on
the part of Police and intel agencies.

That said, I personally would say that if a law was to come into effect,
that every effort be made to collect all available intel on a group and
that only when all other avenues have been exhausted, encryption keys
might be demanded if there's not enough for arrests. If arrests happen,
encryption keys should be grabbed as a matter of course to collect
information of evidentiary value, info on others involved who might not
have been picked-up, etc. 

I would say that the above is how the laws will work because, in theory,
seizing encryption keys and analysing them seems easy but at the
front-line, there are a bunch of other investigative avenues which are
much easier and more timely to do so they'll get done first. There'd be
practical issues such as a backlog of checks with the local e-crime
centres which would delay the investigation. No detective would stand
for that, sitting on their hands waiting for a bunch of geeks to do the
work for them. So I'd say that, to summarise, a couple of factors would
be considered before seizing keys;

1) Number of people and nature of offending
2) Other evidence and intel would be considered first so I'd say there
would be plenty of justification before keys are seized. Probably to the
point of being overwhelming.
3) Have all other investigative/intel collection avenues been
followed-up? If not, do them first. These would probably be used later
as evidence for a jail term if the person refuses or the lost key
scenario. The below from the article is actually a critical point;

""It is, as ever, almost impossible to prove 'beyond a reasonable doubt'
that some random-looking data is in fact ciphertext, and then prove that
the accused actually has the key for it, and that he has refused a
proper order to divulge it," pointed out encryption expert Peter
Fairbrother on ukcrypto, a public email discussion list.

Clayton backed up this point. "The police can say 'We think he's a
terrorist' or 'We think he's trading in kiddie porn', and the suspect
can say, 'No, they're love letters, sorry, I've lost the key'. How much
evidence do you need [to convict]? If you can't decrypt [the data], then
by definition you don't know what it is," said Clayton."

In that case, all of the other evidence of offending would be used. I
find it extremely unlikely that someone would end up with a jail term
for merely refusing to hand over the keys/saying they lost them without
other evidence to back up that they're terrorists/sex offenders.

And from the same guy, another excellent point against the introduction
of the bill itself, really;

"Clayton, on the other hand, argues that terrorist cells do not use
master keys in the same way as governments and businesses.

"Terrorist cells use master keys on a one-to-one basis, rather than
using them to generate pass keys for a series of communications. With a
one-to-one key, you may as well just force the terrorist suspect to
decrypt that communication, or use other methods of decryption," said
Clayton."

The essence of intel collection is that the evidence you're trying to
collect actually reflects the activities of the crooks. If it doesn't,
what's the point? It's like harassing drug crooks on the street for
whatever drugs they have on them but not collecting information on the
fact that they're actually organising shipping the stuff from South-East
Asia.

> ps what do you want for dinner;)

Ice cream.

:-)~

> Romana Branden
> Nothing - well thats something.
> --
> LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
> To unsubscribe or change your options:
>   http://www.netcraft.com.au/mailman/listinfo/linuxsa


