Privacy and Self-incrimination 

Remember folks: You must provide your password to authorities in the U.K. if told to. Failing to provide your password to authorities will get you convicted of a crime.

bbc.co.uk/news/uk-england-hamp


@matt
That's fucked up. Good thing you can render it useless with encryption containers like LUKS.

@architect Not so. The Regulation of Investigatory Powers Act requires you to decrypt ANYTHING they ask WITHOUT a court order.

@matt
You can delete the LUKS headers, without which you're (at least by design) unable to decrypt the data any more. Of course, that requires that you had the time to anticipate such demands coming your way.
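As an added example (not code from anyone in this thread): a small LUKS1 header triage parser, the check a forensic examiner or a backup audit would run to tell whether a device still carries the header that the post above describes as essential for decryption. The field layout and slot markers follow the published LUKS1 on-disk format; the sample header is constructed and not taken from any real device.

```python
import struct

# LUKS1 on-disk header layout (big-endian), per the LUKS1 specification
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # 208-byte fixed part
SLOT_FMT = ">II32sII"                   # 48 bytes per key slot, 8 slots follow
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return a summary dict for a LUKS1 header, or None if no usable header is present.

    A wiped (zeroed) or truncated header yields None: the payload on such a
    device cannot be unlocked because salt, digest and key slots are gone.
    """
    if len(blob) < HEADER_LEN or blob[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    if version != 1:
        return None
    active = []
    for i in range(8):
        state = struct.unpack_from(SLOT_FMT, blob, 208 + 48 * i)[0]
        if state == SLOT_ENABLED:
            active.append(i)
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset_sectors": payload_off, "key_bytes": key_bytes,
            "uuid": _cstr(uuid), "active_slots": active}


def build_sample_header(active_slots=(0,)):
    """Constructed LUKS1 header for demonstration; not taken from any real device."""
    hdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                      b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        state = SLOT_ENABLED if i in active_slots else SLOT_DISABLED
        hdr += struct.pack(SLOT_FMT, state, 1000, b"\x33" * 32, 8 + i * 256, 4000)
    return hdr


if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header((0, 2))))
    print(parse_luks1_header(b"\0" * HEADER_LEN))  # wiped header: None
```

On a real device the same parser would be fed the first 592 bytes read from the block device; a result of None with no other recognisable filesystem signature is the "header gone, payload unrecoverable" state discussed above.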

@architect NOW you would be guilty of destruction of evidence, even in the US

@matt
No one can prove that it's not just part of your usual process. IANAL, but AFAIK it's not destruction of evidence if you're not currently involved in a legal dispute where that data's relevant either. So it can also be integrated into your regular routine to varying degrees.

@architect I wouldn't test that theory myself...

@matt
That's really messed up! Would a corporation have to follow those rules, like if you were murdered and the police want the data on your phone, PC, etc.?

@Faveing In the UK? Most definitely.

In the US? Most likely, but since IANAL I can only say I don't believe it is not settled by case law. Yet.

@omnipotens

@matt

As I understand it, any enforcement of the IP Act does require a court order; however, it is issued by political committee and not reviewed by the judiciary, which is, I think, contrary to established methodology as it is a criminal, not civilian, matter.

This will only get worse post-Brexit.

@jason @omnipotens in the US, if it's not issued by a judge, it's not a court order (IMO, but IANAL).

On the other hand, NSLs...

@matt

Yeah, as I understand it, traditionally a judge would sign off on a court order; however, since the enactment of the [sarcasm]balanced and fair[/sarcasm] laws the IP Act brings to the table, the politicians decided to help out and not increase the judiciary workload, and oversee such things themselves.

@omnipotens

@matt
UK went crazy!!!

@matt Here's my password sir: 🖕

@Bit_Faced don't jest, I think emoji can be used as passwords now ;)

@matt So it's a crime to have a bad memory?
In Sweden there has to be intent or criminally "bad judgement" (there exists a more correct English word for it, but I can't remember it now) to get convicted of anything.

@drobban the jury is out on that one (i.e. it hasn't been settled with case law yet).

@matt

This is why plausible deniability, in combination with proper #opsec hygiene, segmentation and isolation is needed. Can't convict someone of refusing to hand out the encryption keys for data that isn't there.

@h3artbl33d @matt exactly. I remember a feature of TrueCrypt was a hidden encrypted partition: you get two passwords, one shows a dummy partition, the other the real one.

@benoitj @matt

Exactly! It should be noted that the non-hidden part shouldn't be a brand new, default OS installation as that would raise suspicion.

Another method would be using a live environment that encrypts all temporary data, whether in RAM or on disk. Having a password vault hidden and inaccessible 'somewhere' might make this more viable.

But in the end - this is mitigating a situation that shouldn't be there in the first place. Madness!

@h3artbl33d @benoitj I would be careful with that approach. At least in regards to TrueCrypt, the authorities are well versed in hidden partitions.

@matt @benoitj

True that. I think hidden partitions aren't the best means to achieve opsec. Also, one shouldn't trust a sole method. Like Tor: even if properly used, if there is a vulnerability in the browser, the user and location info could be at serious risk.

The best bet, as far as I am concerned, is to design the opsec model to the particular situation, with the assumption that everything is compromised from the start.

@h3artbl33d @benoitj my assumption is that encryption will only thwart a casual burglar or thief. A state sponsored attacker will have means to break in (either via brute force, or drugs and a $5 wrench).

@matt @benoitj

Well spoken. Though regular users aren't in the crosshairs of a state actor, e.g. the NSA TAO division, they will obtain access.

No system is 100% safe/secure.

@matt England is still a part of the UK? Whatever happened to Brexit?

@nergal Ask a Briton about Brexit (I'm an Arizonan, not a Briton), but as far as I know England is still a part of the UK.

@nergal you might be thinking of the U.K. (United Kingdom of Great Britain and Northern Ireland) leaving the E.U. (European Union). THAT is known as Brexit.

The U.K. consists of England, Scotland, Wales, and Northern Ireland.

@matt oh, thanks! That was the confusion.

LinuxRocks.Online