RIPA: Passwords

RIPA: Demanding passwords for encrypted data

RIPA has been complained about by many commentators (this site included), mainly because the powers under RIPA have been repeatedly misused.

But the complaints are not just from the liberals and the bloggers. Conservatives have complained, former spooks have complained, and there was an announcement that RIPA powers were to be reviewed by the government.

While complaints about the idiots in councils have been going on for years, other parts of RIPA, namely Section 49, have been enacted and deployed, and people have been arrested and convicted.

Section 49 of RIPA allows police/law enforcement agencies/security services/military to demand access to encrypted data. Section 53 allows people to be convicted if they fail to disclose this information.

Because of the far-reaching powers, the laws have been considered a threat to civil liberties. While this site normally rallies against such abuses, sadly in this case, the government may have a point.

Encryption is easy to do. The phenomenal tool TrueCrypt provides amazing security, with many major firms using it. The security itself is effectively impenetrable (by currently acknowledged computing capabilities), but this does not mean that the data cannot be accessed by other methods, e.g. guessing the password, obtaining the password, etc.

In fact this tool is so easy to use that if you can’t use it you probably can’t use a computer and so don’t have anything on a computer to protect.

The security of tools like TrueCrypt is not like that of EFS in Windows, which is easily defeated. If the password and keys for TrueCrypt are secure then the data is protected from all eyes, the police included. Hence the invention of Section 49.

If a suspected criminal has encrypted data, and does not provide the password, then what should the police do?

Does this scenario require RIPA? (Much of the information below is based on a real case).

Two men moved into an area, where police intelligence showed that they were linked to a paedophile network. They had previous convictions for sexual assault, ABH, GBH, and arson. One of the men’s fingerprints was found on a horrific child abuse video, recovered elsewhere. There was nothing to show he owned it, and the defence was that he could have handled it but not known what it was, e.g. at a car boot sale, in passing, at another person’s house, etc.

The men were very surveillance-aware. Their windows were all covered up, with paper or curtains, and they had good security systems installed. They changed their cars regularly, almost monthly. If anybody they did not know was seen in their street they would challenge them, and ask who they were. And they had toys. Lots of toys. Toys in the garden. Toys in the house. They had no children. They also met and associated with convicted paedophiles.

These men are nasty people; their convictions alone show this. But they are not, technically, doing anything wrong at the moment.

Should they be put under surveillance, to see what else goes on, if anything? Should the police be pro-active or wait until there is a claim of rape by a child? The former would seem the most prudent, and this is what RIPA is for.

What if the police receive more intelligence, prior to an actual assault, strong enough to allow a warrant on the house and the seizure of a computer? While searching the computer they find the following:

  • Fragments of data showing searches relating to child abuse images
  • Use of data wiping tools
  • Fragments of file names that imply child abuse images
  • A TrueCrypt volume
  • No actual images of child abuse

At this point the police have no evidence to convict, nothing that can be used. But, if they could access the TrueCrypt volume, they may have so much more.

This case is relatively clear cut, but still has moral dilemmas for some. They have not done anything, so why should they have to hand over information? There is an ingrained right to silence. There is a right to not self-incriminate. If they have to give up their rights to silence, we all have to.

The problem is that the police and councils have individuals who choose to bend the laws, and push them to extremes, for their own agenda, and not for what they were intended.

The use of RIPA, and Section 49, is not going to be wrong in all cases, but unfortunately it has been misused so often, by so many people, that there is now a lack of faith in the law(s) and the government.


RIPA: Councils Powers to be Reviewed

It was announced on Thursday 16th April that councils were to be limited in the use of RIPA powers. Sadly, there is no immediate restriction of the use of RIPA, as many sites have reported, but only a planned review, with the potential to restrict the laws.

The fact that a review is to occur comes after a major investigation into privacy and surveillance by the House of Lords, which recommended exactly this, on the back of numerous misuses of RIPA.

But the transcript of Jacqui Smith’s statement does not bode well for the future. Ms Smith stated, “I .. want to make sure that there is proper oversight of the use of these powers which is why I am considering creating a role for elected councillors in overseeing the way in which local authorities use RIPA techniques.”

In the same speech, she also stated “The government has absolutely no interest in spying on law-abiding people going about their everyday lives”. This statement comes from the Home Secretary of a government that introduced laws to monitor people’s emails and web activity and to collect the DNA and fingerprints of innocent people, and that created the most comprehensive CCTV surveillance state in the world.

The idea that elected councillors, the very ones who allow this activity to occur in their councils, would provide any sort of oversight is ludicrous. Local councillors, on average, take home £4000 a year (that’s four thousand, not forty thousand); this is hardly a financial incentive to behave responsibly, and councillors are elected with an incredibly low percentage of the public. In fact, the day after the Government stated it was going to review the use of surveillance, there was a protest in Peterborough, as councillors were trying to force CCTV inside taxis.


RIPA: Misuse continues….

According to the latest numbers reported about RIPA, the problem of councils overstepping their remit, and possibly the law, is continuing.

This is despite the numerous reports and calls for the use of RIPA by councils to be reduced, including:

Some of the petty uses of RIPA include:

Some senior politicians and lawyers have even suggested that the councils’ use of RIPA could be illegal, but nothing changes.

How Can The Police Legally “Hack” Into Computers?

On 5th January 2009, the BBC published an article stating how the police are to be encouraged to “hack” into personal computers, for the purposes of investigation, following an EU report on the subject. This statement raises many questions, not least of which is:

“How can the police legally hack into my computer?”

Firstly, the actual EU report that the BBC mentions is not quite as explosive as implied by the BBC. The report, entitled “Council Conclusions on a Concerted Work Strategy and Practical Measures Against Cybercrime”, states that “If necessary, the European platform could be a tool for …….facilitating remote searches if provided for under national law” (emphasis added).

The EU does not provide for covert searches and surveillance, but instead thinks this is an effective method of investigating computer crime, and suggests member states use whatever laws they have available.

This still leaves the question: what laws are available to the UK Police for covert computer searches?

The UK Police don’t have much to say on the issue, with very little documentation produced by the advisory body known as the Association of Chief Police Officers – ACPO – on the subject of . In 2005 ACPO did release the National Intelligence Model, which only has this to say about covert operations:

Covert operational teams are regularly deployed within communities and in the investigation of  serious crimes. In addition to gathering operation-specific information, unrelated information will also be generated. This must also be recorded and evaluated following the principles for managing and sanitising confidential information

ACPO has even less to say on the subject of covert searches:

“Covert searches – surveillance authorities may be required – collection of personal data by covert means.”

In 1997, at the reading of the Police Bill in the House of Lords, the subject of covert searches was discussed:

Surveillance and covert searches are likely to be authorised if a chief constable thinks that they are necessary; they would then be approved by one of the commissioners

But the Police Bill was superseded by RIPA (2000), which allows for all sorts of methods of surveillance, phone taps, and intrusive surveillance. It is these surveillance powers that allow the police to search computers remotely (i.e. hack computers), as this law provides for covert and intrusive searches.

The Home Office document, Covert Surveillance – Code of Practice, produced as a guide for the police to use RIPA, states this:

5.6 In many cases, a surveillance investigation or operation may
involve both intrusive surveillance and entry on or interference with
property or with wireless telegraphy. In such cases, both activities
need authorisation. This can be done as a combined authorisation (see
paragraph 2.11).

It then goes on to state this about who can authorize this:

5.7 An authorisation for intrusive surveillance may be issued by the Secretary of State (for the intelligence services, the Ministry of Defence, HM Forces and any other public authority designated under section 41(l)) or by a senior authorising officer (for police, NCIS, NCS and HMCE).

5.10 The senior authorising officer should generally give authorisations in writing. However, in urgent cases, they may be given orally. Urgent oral case, a statement that the senior authorising officer expressly authorised the conduct should be recorded in writing applicant as soon as is reasonably practicable.

5.11 If the senior authorising officer is absent then as provided section 12(4) of the Police Act 1996, section 5(4) of the Police (Scotland) Act 1967, section 25 of the City of London Police or sections 8 or 54 of the 1997 Act, an authorisation can be given writing or, in urgent cases, orally by the designated deputy.

5.12 In an urgent case, where it is not reasonably practicable regard to the urgency of the case for the designated deputy to consider the application, a written authorisation may be granted  person entitled to act under section 34(4) of the 2000 Act.

There is no doubt that RIPA provides the police with much needed powers, but it has also been misused many times, both by the police and more commonly by councils. In fact, there were so many occurrences of RIPA being misused at a local level that the central government had to warn the councils to stop misusing the powers in this way.

This is not an issue of whether the powers are needed, or whether they will be misused: we know the powers are needed, but we also know they will be misused. Whenever people are given access to data and surveillance, they will always misuse it; it is, sadly, a fact of life.

The issue is: do we want the government’s executive agencies (and councils) to have these powers, knowing they will misuse them? Is that a balanced risk?

RIPA: South Wales Police (2008)

The issue of councils misusing RIPA has been reported numerous times.

However, the South Wales police have taken it one step further. In 2008 they spent around £100,000 on following one of their fellow officers while he was at home, on sick leave. South Wales Police alleged that PC Mark Pugh, who was on sick leave, was not really sick and so was not entitled to all the benefits.

The surveillance conducted against PC Pugh included filming him taking out bins from his house and going to rugby matches. A total of 11 officers from South Wales and Dyfed-Powys police forces were used to spy on PC Pugh for months. This work would have required RIPA to be used.

While nobody likes a lazy person claiming benefits (not that PC Pugh appears to have been that), is it proportional to put vans outside of somebody’s home, at a cost of £100,000? The police could only do this because they had such an array of capabilities at their disposal. No normal company would ever be able to consider such an operation.

What makes this worse is that PC Pugh was off work as he had mental health issues. After being involved in a large scale riot he had been diagnosed with depression and had been suicidal; as such, he was under the supervision of a psychiatrist.

While the video footage of PC Pugh showed that he had been playing rugby, and moving around normally, this did not show he was mentally well.

You can’t measure sanity with video taken by surveillance officers, any more than you can with a thermometer! The courts thought the same and said that evidence against PC Pugh was not valid.

New Home for Where is My Data

This site has now been incorporated into the site Where is Your Data?

This blog will still remain here, but lectures, quizzes, tests, and news will be put on the parent site.

Surveillance Ruling

On 1st July 2008, at the European Court of Human Rights, in the case of Liberty & Other Organisations v. the United Kingdom (case reference 58243/00), the court found against the UK Government.

The ECHR found that UK surveillance laws lacked the necessary clarity and accountability to prevent abuses of power when used to intercept cross-border communications.

The complaint brought by Liberty stated that:

Relying on Articles 8 (right to respect for correspondence) and 13 (right to an effective remedy), the applicants complained about the interception of their communications.

The court agreed with Liberty that both the surveillance and the practice of surveillance must be tighter to protect individual privacy rights.

Decision of the Court

Article 8

The Court recalled that it had previously found that the mere existence of legislation which allowed communications to be monitored secretly had entailed a surveillance threat for all those to whom the legislation might be applied. In the applicants’ case, the Court therefore found that there had been an interference with their rights as guaranteed by Article 8.

Section 3(2) of the 1985 Act allowed the British authorities extremely broad discretion to intercept communications between the United Kingdom and an external receiver, namely the interception of “such external communications as described in the warrant”.

Indeed, that discretion was virtually unlimited. Warrants under section 3(2) of the 1985 Act covered very broad classes of communications. In their observations to the Court, the British Government accepted that, in principle, any person who sent or received any form of telecommunication outside the British Islands during the period in question could have had their communication intercepted under a section 3(2) warrant. Furthermore, under the 1985 Act, the authorities had wide discretion to decide which communications, out of the total volume of those physically captured, were listened to or read.

Under section 6 of the 1985 Act, the Secretary of State was obliged to “make such arrangements as he consider[ed] necessary” to ensure a safeguard against abuse of power in the selection process for the examination, dissemination and storage of intercepted material. Although during the relevant period there had been internal regulations, manuals and instructions to provide for procedures to protect against abuse of power, and although the Commissioner appointed under the 1985 Act to oversee its workings had reported each year that the “arrangements” were satisfactory, the nature of those “arrangements” had not been contained in legislation or otherwise made available to the public.

Lastly, the Court noted the British Government’s concern that the publication of information regarding those arrangements during the period in question might have damaged the efficiency of the intelligence-gathering system or given rise to a security risk. However, in the United Kingdom, extensive extracts from the Interception of Communications Code of Practice were now in the public domain, which suggested that it was possible for the State to make public certain details about the operation of a scheme of external surveillance without compromising national security.

In conclusion, the Court considered that the domestic law at the relevant time had not indicated with sufficient clarity, so as to provide adequate protection against abuse of power, the scope or manner of exercise of the very wide discretion conferred on the State to intercept and examine external communications. In particular, it had not set out in a form accessible to the public any indication of the procedure to be followed for examining, sharing, storing and destroying intercepted material.

The interference with the applicants’ rights had not therefore been “in accordance with the law”, in violation of Article 8.

Article 13

The Court did not consider it necessary to examine separately the complaint under Article 13.

This ruling calls into question the fact that the UK government can monitor any communication at any time. Though this is a positive ruling for privacy advocates, it is unlikely to affect systems like Echelon.

Press Release by Liberty