Thinking Tech

Jail if you do not decrypt your personal files

"So what did they get you for?"

"I refused to decrypt my hard drive."

Two people in England face up to five years in prison for refusing to give police their personal data decryption keys.

Police there were given authority to demand keys in October, 2007, and for the year April 2008-March 2009 applied for 26 such warrants.

Of those, 17 went through judicial review, 15 were served, 11 people refused to comply, 7 were charged and 2 convicted. The Register notes that no requests for warrants were refused.

The warrants are issued by the country's National Technical Assistance Center, part of the Office for Security and Counter Terrorism. They are then subject to judicial review.

Authorities there insist all these were "counter terrorism, child indecency and domestic extremism" cases, but at least one animal rights activist was charged under the law.

Now, while you consider carefully whether this sounds like a good idea for the U.S., computer security expert Bruce Schneier wrote last month there is an easy way around such a law.

Encrypt the data to a key you don't know.

Computer data is decrypted with a two-key process. A public key, generated by a computer program, is run through a private key, one that you know.

What Schneier suggests is that, if you suspect the cops want your data store, you create a new private key by pounding the keyboard a while at random. Then pass this new key to someone you trust, and forget it.

Now, when the cops want to get into your stuff, you can honestly say you don't know how to get into it. When the coast is clear, you retrieve the private key from your friend and get back in.

Obviously there are two problems with this. First, you need a friend. Second, you need to make certain the cops don't know, and can't easily guess, who this friend is.

Schneier suggests you use someone with whom you have a legally privileged relationship -- a spouse, a priest, your lawyer. If you don't have a friend, copy the key to a USB drive and mail it to yourself.

One idea I just had is to place the key inside another, innocuous file, and pocket the USB drive, or give that drive to the privileged associate. Now if the cops even get the drive, it becomes a very big haystack and your key a needle in that haystack.

If you're really a bad guy, involved in one of the high crimes mentioned above, this conspiracy is an easy hack. If you just distrust the government, you can do this before the black helicopters descend.

So does passing a law demanding encryption keys really make any sense at all?

Dana Blankenhorn

Contributing Editor

Contributing Editor Dana Blankenhorn has written for the Chicago Tribune, Advertising Age's "NetMarketing" supplement and founded the Interactive Age Daily for CMP Media. He holds degrees from Rice and Northwestern universities. He is based in Atlanta.