Re: GAK news - Windows guru requested - Securing Windows
- From: "Simon Johnson" <simon.johnson@xxxxxxxxx>
- Date: 8 Jun 2006 07:21:57 -0700
Peter Fairbrother wrote:
> Today the UK Home Office announced the public consultation on the Code of
> Practice of Part 3 of RIPA. This is the first stage of the process by which
> it can be brought into force. Part III of RIPA is the
> "policeman-say-gimme-all-your-keys-or-go-to-jail-(and-don't-tell-anybody)"
> law passed 6 years ago but not yet brought into force.

There's a couple of points to be aware of:
1.) RIPA only covers encryption keys. Keys used for authentication are
not covered by the act.
2.) Many protocols, like SSH and SSL, sign key exchange parameters to
avoid Man-In-The-Middle attack. Despite the fact the signing keys are
signing encryption parameters, there is still no legal basis for them
to ask for your keys.
3.) The act says that if you don't know the key and never have done you
can't be charged. This follows from Human Rights law; you can't be
punished for not performing the impossible.
Given these three points, instant messages that are encrypted with a
key established by signed Diffie-Hellman exchange are completely
"RIPA-secure", as I call it.
Truecrypt, with its plausible deniability feature, is probably
RIPA-secure. The legal argument would go something like this:
"The Defendant has submitted the key to you as requested by the act. We
know that Truecrypt has this plausible deniability feature. However, it
is up to the Prosecution to prove that he did not give us the right
key, since the burden of proof rests with them. Since they can give no
evidence to establish this conjecture, I submit that there is no case
to answer."
My brother is a lawyer and has used a similar legal argument in
drink-drive cases with great effect. I'd say that this argument would
either have the case dismissed before the Jury is sworn in or that
you'd win the case on appeal after conviction.
Basically, the act is a waste of paper and a waste of everybody's time.
Any serious criminal would have legal contacts who could give them
analysis similar to this.
I wouldn't worry about it.
Simon.