RIPA: Passwords

RIPA: Demanding passwords for encrypted data

RIPA has been complained about by many commentators (this site included), mainly because the powers under RIPA have been repeatedly misused.

But the compaints are not just the liberals and the bloggers. Conservatives have complained, former spooks have complained, and there was an announcement that RIPA powers were to be reviewed by the government.

While complaints about the idiots in councils have been going for years, other parts of RIPA, Section 49, have been enacted, deployed, and people arrested and convicted.

Section 49 of RIPA allows police/law enforcement agencies/security services/military to demand access to encrypted data.  Section 53 allows people to be convicted if they  fail to disclose this information.

Because of the far reaching powers the laws have been considered a threat to civil liberties. While this site normally rallies against such abuses, sadly in this case, the goverment may have a point.

Encryption is easy to do. The phenonmenal tool TrueCrypt provides amazing security, with many major firms using it. The security itself is effectively impenatrable (by currently acknolwedged computering capabilities) but this does not mean that the data cannot be accessed by other methods, e.g. guessing the password, obtaining the password, etc.

In fact this tool is so easy to use that if you can’t use it you probably can’t use a computer and so don’t have anything on a computer to protect.

The security of tools like TrueCrypt, are not like the EFS, in Windows,  which is easily defeated. If the password and keys for TrueCrypt are secure then the data is protected from all eyse, the police included. Hence the invention of Section 49.

If a suspected criminal has encrypted data, and does not provide the password, then what should the police do.

Does this secenario require RIPA? (Much of the information below is based on a real case).

Two men moved into an area, where police intelligence showed that they were linked to a peadophile network. They had previous convictions for sexual assualt, ABH, GBH, and arson. One of the men’s fingerprints was found on a horrific child abuse video, recovered elsewhere.  There was nothing to show he owned it and the defence was they he could have handled it but not known what it was, e.g. at a car boot sale, in passing, at another persons house, etc.

The men were very survelliance aware. Their windows were all covered up, with paper or curtains, and had  good security systems installed. They changed their cars regulary, almost monthly. If anybody they did not know was seen in their street they would challenge them, and ask who they were. And they had toys. Lots of toys. Toys in the garden. Toys in the house. They had no children. They also met  and associated with convicted peadophiles

These men are nasty people, there convictions alone show this. But they are not, technically, doing anything wrong at the moment.

Should they be put under survellience, to see what else goes on, if anything? Should the police be pro-active or wait until there is a claim of rape by a child? The former would seem the most prudent, and this is what RIPA is for.

What if the police receive more  intelligence, prior to an actual assault, strong enough to allow a warrant on the house and the sieze a computer. While searching the computer they find the following:

  • Fragments of data showing searches relating to child abuse images
  • Use of data wiping tools
  • Fragments file names that imply child abuse images
  • A true crypt volume
  • No actual images of child abuse

At this point the police have no evidence to convict, nothing that can be used. But, if they could access the Truecrypt volume, they may have so much more.

This case is relativel clear cut, but still has moral delimas for some. They have not done anything, so why should they have to hand over information. There is an ingrained right to slience. There is a right to not self convict.  If they have to give up their rights to silence, we all have to.

The problem is that the police and councils, have individuals who chose to bend the laws, and push them to extremes, for their own agenda, and not what they were intended for.

The use of RIPA, and section 49, is not going to be wrong in all cases, but unfortunately too often it has been misused by too many people, that there is now a lack of faith in the law(s) and the government.


3 Responses to “RIPA: Passwords”

  1. Codea Says:

    A good take – you mentioned that the hypothetical alludes to a real case. Which?


  2. Mortons Solicitors Says:

    Any thoughts on say iphones locked by fingerprints?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: