Posting in Government
While you consider carefully whether this sounds like a good idea for the U.S., computer security expert Bruce Schneier wrote last month there is an easy way around such a law. Encrypt the data to a key you don't know.
"I refused to decrypt my hard drive."
Two people in England face up to five years in prison for refusing to give police their personal data decryption keys.
Police there were given authority to demand keys in October, 2007, and for the year April 2008-March 2009 applied for 26 such warrants.
Of those 17 went through judicial review, 15 were served, 11 people refused to comply, 7 were charged and 2 convicted. The Register notes that no requests for warrants were refused.
The warrants are issued by the country's National Technical Assistance Center, part of the Office for Security and Counter Terrorism. They are then subject to judicial review.
Authorities there insist all these were ""counter terrorism, child indecency and domestic extremism" cases, but at least one animal rights activist was charged under the law.
Now, while you consider carefully whether this sounds like a good idea for the U.S., computer security expert Bruce Schneier wrote last month there is an easy way around such a law.
Computer data is decrypted with a two-key process. A public key, generated by a computer program, is run through a private key, one that you know.
What Schneier suggests is that, if you suspect the cops want your data store you create a new private key by pounding the keyboard a while at random. Then pass this new key to someone you trust, and forget it.
Now when the cops want to get into your stuff you can honestly say you don't know how to get into it. When the coast is clear you retrieve the private key from your friend and get back in.
Obviously there are two problems with this. First, you need a friend. Second you need to make certain the cops don't know, and can't easily guess, who this friend is.
Schneier suggests you use someone with whom you have a legally privileged relationship -- a spouse, a priest, your lawyer. If you don't have a friend copy the key to a USB drive and mail it to yourself.
One idea I just had is to place the key inside another, innocuous file, and pocket the USB drive, or give that drive to the privileged associate. Now if the cops even get the drive it becomes a very big haystack and your key a needle in that haystack.
If you're really a bad guy, involved in one of the high crimes mentioned above, this conspiracy is an easy hack. If you just distrust the government you can do this before the black helicopters descend.
So does passing a law demanding encryption keys really make any sense at all?
Aug 12, 2009
Forgot to answer your question Dana. No, the laws don't make any sense at all. Frankly, how can we expect 435 people to have anywhere near the intelligence or experience to understand 1/10 of 1 percent of the facts in this legislation. Such is the woe of most IT law out there, that it is is broad and unreachable, circumventable, convoluted, confusing, over abundant and lacking at the same time. Throw in more adjectives if you wish. Let me take a step back here, and propose a greater suggestion. If we take a look at our GDP and the amount of money that is generated by technology, can we really trust the current legal system with judgement on these matters? I believe a separate court system is needed with judges and jury's picked from certified technology professionals to delegate over these matters. The recent retarded judgement of a Texas judge in the Microsoft XML case being the latest consequence of Judicial ignorance.
Chances are, if the authorities are after you and the data you have contains incriminating evidence, you would rather never see that data ever again in your life. I think that there are few who could use this method well however, and I'd narrow it down to those involved in the US vs UBS/Swiss Bank account and tax evasion investigations.
This is what conservatives love to say when the subject is a woman's right to control her body. Suddenly you're facing a demand for potential evidence and you discover the principal. The 4th Amendment is a better argument than privacy, by the way, but that can be trumped by calls to national security or against child porn. At which point we go down the slippery slope.