Mailing List Archive

Hi Adam!

You ignore a couple of major points of British law, in that the police chief
would need reasonable grounds to believe that Bob was involved somehow in a
crime. He would not be able to demand Bob's key if he believed that Bob was
having an affair with his wife. Don't forget that the police chief is also
answerable to British law. But I also understand that you were using it as
an example.

The second mistake you make is that if Bob used such a program, he would
have to hand over both sets of keys. He would not be able to say that there
was only one. Should the police chief find that the file was locked also
with a second key then Bob would be automatically guilty of failing to hand
over the keys.

Bob would not be able to claim that the files were encrypted using random
keys without his knowledge as he would have had to start the process.

My personal view is that such a bill may not happen. But if it does, it will
be mainly used for Organised Crime and Pedophile and not against the
average person on the street.

Sean


On Wed, 01 Dec 1999, Adam Lock wrote:

> I understand that it will (or might) soon be necessary in the UK to hand
> over crypto keys to the police if they so demand them. The penalty for
> not doing so is a term in prison.
>
> So here's an idea on how to defeat it.
>
> Imagine Bob is having an affair with the police chief's wife and has all
> their encrypted love letters in his possession. The police chief
> suspects the affair and is prepared to abuse his powers to obtain the
> letters for a divorce proceeding in his favour. He knows he can force
> Bob to give him the decryption key by threatening him with prison term
> for not doing so. Bob doesn't want to go to prison so he "reluctantly"
> hands over the key. The chief gleefully decrypts the message hoping at
> last for evidence of his wife's infidelity but all he sees is a cooking
> recipe! Curse that Bob!
>
> How is this done?
>
> Simple. Write a tool that encrypts two or more plaintexts each with a
> separate key and concatenates them into a single ciphertext.
>
> But there's a problem. The police chief finds out that there are
> multiple plaintexts in the ciphertext. He goes back to Bob and demands
> the proper key or he'll definitely go to prison. How can Bob claim that
> he has "truthfully" given up the correct key the first time and has no
> idea what the other key is?
>
> Again simple. Make the tool capable of encrypting one or more plaintexts
> and zero or more *random* plaintexts (with random keys) into a single
> ciphertext.
>
> Bob can't be sent to jail because he can validly claim that the other
> plaintexts in the cipher were randomly generated and so he couldn't
> possibly know what the other key was let alone hand it over. The police
> chief might *suspect* Bob was lying, but there's no way he could prove
> it short of Bob's admission. Effectively, Bob has defeated the
> requirement to hand over his key, but has still kept his secrets secret.
>
> Does this sound like a feasible idea?
>
> --
> Adam Lock
>
>
>
Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Message from a new crypto junkie:

Unfortunately, I don't think this fully solves the problem.

Bob still has to 'lie' (at least that is how the cops will
feel about it). Ultimately Bob still has a way to get to
the meaningful plaintext...and given only a small sampling of
cyphertexts the cops will eventually get figure that out
(meaningless faketexts, incorrect file sizes...).

It may be possible for Bob to put them off temporarily by using
"meaningful" faketexts. But I suspect that won't last...cops
(at least in movies) see to be tenacious creatures.

This scheme seems to be an elaboration of Bob saying to
the cops "I lost that key". Because Bob can still get to the
meat, but the cops cannot...and only if Bob is caught
'with his hand in the cookie jar' can he legitimately be
arrested.

Better is for Bob to encrypt his message with Alice's key
as in the two-key system. He doesn't know the key, but
can get it. Bob can't coerce Alice to give up her key
(though the cops may be able to). Of course Bob must trust
Alice to cough up the key when necessary.

Perhaps for this purpose, Alice can be a bot. When tickled
in just the right way, Alice will give up her key...not a 'key'
perse, but still some way to keep the key safe.

Just my $0.02.
Raman

__________________________________________________________________
Raman Boucher Zero G Software, Inc.
415 512 7771 x310 514 Bryant Street
http://www.ZeroG.com San Francisco CA 94107
InstallAnywhere: Installer Construction Kit for Java
No Spectators.

On Wed, 1 Dec 1999, Adam Lock wrote:

> I understand that it will (or might) soon be necessary in the UK to hand
> over crypto keys to the police if they so demand them. The penalty for
> not doing so is a term in prison.
>
> So here's an idea on how to defeat it.
>
> Imagine Bob is having an affair with the police chief's wife and has all
> their encrypted love letters in his possession. The police chief
> suspects the affair and is prepared to abuse his powers to obtain the
> letters for a divorce proceeding in his favour. He knows he can force
> Bob to give him the decryption key by threatening him with prison term
> for not doing so. Bob doesn't want to go to prison so he "reluctantly"
> hands over the key. The chief gleefully decrypts the message hoping at
> last for evidence of his wife's infidelity but all he sees is a cooking
> recipe! Curse that Bob!
>
> How is this done?
>
> Simple. Write a tool that encrypts two or more plaintexts each with a
> separate key and concatenates them into a single ciphertext.
>
> But there's a problem. The police chief finds out that there are
> multiple plaintexts in the ciphertext. He goes back to Bob and demands
> the proper key or he'll definitely go to prison. How can Bob claim that
> he has "truthfully" given up the correct key the first time and has no
> idea what the other key is?
>
> Again simple. Make the tool capable of encrypting one or more plaintexts
> and zero or more *random* plaintexts (with random keys) into a single
> ciphertext.
>
> Bob can't be sent to jail because he can validly claim that the other
> plaintexts in the cipher were randomly generated and so he couldn't
> possibly know what the other key was let alone hand it over. The police
> chief might *suspect* Bob was lying, but there's no way he could prove
> it short of Bob's admission. Effectively, Bob has defeated the
> requirement to hand over his key, but has still kept his secrets secret.
>
> Does this sound like a feasible idea?
>
> --
> Adam Lock
>
>
>

Sean Rima wrote:

> Hi Adam!
>
> You ignore a couple of major points of British law, in that the police
> chief would need reasonable grounds to believe that Bob was involved
> somehow
> in a crime. He would not be able to demand Bob's key if he believed that
> Bob
> was having an affair with his wife. Don't forget that the police chief is
> also answerable to British law. But I also understand that you were using
> it
> as an example.

Fine, the police chief concocts a phoney charge against Bob and uses that as
a pretense to get to the files.

> The second mistake you make is that if Bob used such a program, he would
> have to hand over both sets of keys. He would not be able to say that
> there was only one. Should the police chief find that the file was locked
> also
> with a second key then Bob would be automatically guilty of failing to
> hand over the keys.

This is the point. Bob may or may not know both sets of keys. The encryption
tool may have used a random plaintext and a random key or it may not. The
only person who knows for sure is Bob. The cops can't prove it either way
assuming that the encryption technique is suitably robust against any
analysis they might bring against it.

> Bob would not be able to claim that the files were encrypted using
> random keys without his knowledge as he would have had to start the
> process.

Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
do they do that given that they don't know whether the second plaintext is
random or not?

--
Adam Lock

> My personal view is that such a bill may not happen. But if it does, it will
> be mainly used for Organised Crime and Pedophile and not against the
> average person on the street.

You *trust* a government that installs public spy cameras, participates
in ECHELON and other questionable exercises?

Sad.

The only way to defeat such a bill, should it happen, would be to
propagate widespread public use of crypto. Now, let them try to
lock up one millon. Or five million.

Hi Lars!

On Wed, 01 Dec 1999, Lars Hecking wrote:

>
> > My personal view is that such a bill may not happen. But if it does, it will
> > be mainly used for Organised Crime and Pedophile and not against the
> > average person on the street.
>
> You *trust* a government that installs public spy cameras, participates
> in ECHELON and other questionable exercises?

I *never* said I trust the goverment. If I trusted them, I would have said
the bill will come in :)

> Sad.
>
> The only way to defeat such a bill, should it happen, would be to
> propagate widespread public use of crypto. Now, let them try to
> lock up one millon. Or five million.

That I never see happening, sad but true. Most people are ignore of the use
and advantages of crypto and therefore it will not be as wide spread here as
it is in other places.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Hi Adam!

On Wed, 01 Dec 1999, Adam Lock wrote:

> Sean Rima wrote:
>
> > Hi Adam!
> >
> > You ignore a couple of major points of British law, in that the police
> > chief would need reasonable grounds to believe that Bob was involved
> > somehow
> > in a crime. He would not be able to demand Bob's key if he believed that
> > Bob
> > was having an affair with his wife. Don't forget that the police chief is
> > also answerable to British law. But I also understand that you were using
> > it
> > as an example.
>
> Fine, the police chief concocts a phoney charge against Bob and uses that as
> a pretense to get to the files.

Hey that *never* happens :)

> > The second mistake you make is that if Bob used such a program, he would
> > have to hand over both sets of keys. He would not be able to say that
> > there was only one. Should the police chief find that the file was locked
> > also
> > with a second key then Bob would be automatically guilty of failing to
> > hand over the keys.
>
> This is the point. Bob may or may not know both sets of keys. The encryption
> tool may have used a random plaintext and a random key or it may not. The
> only person who knows for sure is Bob. The cops can't prove it either way
> assuming that the encryption technique is suitably robust against any
> analysis they might bring against it.

It is true what you say if the tool was powerfull enough but the problem is
that should be the police have enough reasonable doubt that may be enough
for a court to find Bob guilty.

> > Bob would not be able to claim that the files were encrypted using
> > random keys without his knowledge as he would have had to start the
> > process.
>
> Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
> do they do that given that they don't know whether the second plaintext is
> random or not?
>

It would be difficult to know but I hazard a guess that looking at the
source they may get an idea. As I said in my original reply, the police
would only use it for major criminals and Pedophiles, who it is known use
crypto to ensure that the stuff remains hidden from the police's eye.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

> This is the point. Bob may or may not know both sets of keys. The encryption
> tool may have used a random plaintext and a random key or it may not. The
> only person who knows for sure is Bob. The cops can't prove it either way
> assuming that the encryption technique is suitably robust against any
> analysis they might bring against it.
>
> > Bob would not be able to claim that the files were encrypted using
> > random keys without his knowledge as he would have had to start the
> > process.
>
> Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
> do they do that given that they don't know whether the second plaintext is
> random or not?

Several comments more-or-less at random:

1) The last time I saw these proposals there were several elements to them:
1.1) The police would have to obtain a warrent from a magistrate to
demand these keys; this would be similar to a search warrent.
1.2) Something not many people know is that any search warrent must
state the type of crime the police suspect has taken place and
what section of the appropriate Act of Parliament authorizes the
granting of the warrent.
1.3) Someone would only be required under such a warrent to reveal
keys necessary to enable data to be decrypted; keys used only
for signatures could not be obtained.
1.4) The Police and Criminal Evidence Act, 1984 (PACE) already states
in section 19 subsection 4 that "The constable may require any
information which is contained in a computer and is accessible
from the premises (to be searched) to be produced in a form in
which it can be taken away and in which it is visible and legible
if he has reasonable grounds for believing--
(a) that--
(i) it is evidence in relation to an offence which he is
investigation or any other offence ; or
(ii) it has been obtained in consequence of the commision
of an offence ; and
(b) that it is necessary to do so in order to prevent it being
concealed, lost, tampered with or destroyed."

2) The provisions in PACE are getting decidedly impractical given the
rise in capacities of hard discs since 1984.

3) I think the *intent* of the proposed law is to keep similar levels
of search available to the Police in environments where data volumes
and encryption make the existing provisions impractical. Of course,
we need to keep an eye on things to try and ensure that the proposed
Act doesn't go too far. But I'm no more paranoid about this proposal
than I am about the rest of UK law (consider that a classic British
understatement). I do consider British law a bit intrusive, but don't
consider the proposals out-of-step with the general tone of UK law.

4) When I first heard of these proposals (10 Nov 1998) I wrote requesting
thet GPG had the ability to use different passphrases for keys and
subkeys, so that it would be possible to reveal one without the other.
This was turned down with the following comment "But please don't ask
me to do this because I do not want to support such laws even by
considering how to limit the damage of the secret keys."

5) In the scenario discussed, the imfamous Police Chief would be laying
himself open to serious complaints if he obtained a warrent by lying
about his grounds (on oath!) and Bob (once the "evidence" of the love
letters had been revealed) used the facts to support a complaint that
the warrent had been obtained illegally.

6) The police do have experts available to them. These exports will
almost certainly be aware of the characteristics of any released
software products. This means they will be able to examine an
encrypted file and the derived cleartext and (knowing the software
used to produce the file) will be able to measure the proportion
of the encrypted file used to encode the clear text. This should
give them a very good clue about the existance of other text(s).

7) The proposal is really an example of steanography; and it would
probably be better to hide the "love letters", encrypted or
otherwise, using standard steanographic techniques; the *existance*
of the hidden text is far less obvious that the technique proposed
by Adam Lock. All the forensic searches of which I'm aware will
fail to find them even *without* encryption.

--
David Pick

(I'm not familiar with UK crypto laws, except for what I read on the
Net).

On Wed, Dec 01 1999 at 04:55:28pm +0000, Sean Rima wrote:
> My personal view is that such a bill may not happen. But if it does, it will
> be mainly used for Organised Crime and Pedophile and not against the
> average person on the street.
Does the bill state that it won't be used against the average person
on the street, but only for organised crima and pedophile? If it does, it
requires proof of the crime before it can be used, which would make it less
than necessary (useful, maybe, in some cases).
If it doesn't (which I believe is the case), then how can we
possibly know? We can trust law enforcement, at the most. But that's not
something I imagine "crypto-aware" people would do in good will...
In short, that's what they say, not necessarily what they'll do. We
shouldn't depend on that when divising means to protect our privacy.



rbp

________________________________________________________________________
Rodrigo Bernardo Pimentel <rbp@pobox.com>| GPG KeyID: 81F85A48
LinuxSP <http://www.linuxsp.org.br>| Fingerprint:
AirGeeks <http://www.airgeeks.org>|7E62 9CA2 C95B FC86 B334
_____________ Debian Linux User ______________|203E C011 2E4D 81F8 5A48
Your fault -- core dumped.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 01-Dec-99 Lars Hecking wrote:
>
>> My personal view is that such a bill may not happen. But if it does, it
>> will
>> be mainly used for Organised Crime and Pedophile and not against the
>> average person on the street.

I live in the UK, and have spoken to a few police officers about this. I
have been told that the use of encryption leads to suspicion of these very
things. I have also been told that if I had nothing to hide, I would have
no interest in encryption.


>
> The only way to defeat such a bill, should it happen, would be to
> propagate widespread public use of crypto. Now, let them try to
> lock up one millon. Or five million.

Exactly.

Brian

- --
- ----------------------------------
E-Mail: Brian Galbraith <brian.galbraith@bigfoot.com>
Date: 01-Dec-99
Time: 19:21:53
Powered by Suse Linux

This message was sent by XFMail 1.4.0
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: Keys from http://www.freedomhoumd.com/pgp/en/

iD8DBQE4RXVTEPpEmWPrp2URAiP1AKCJAJdq45O2QX+CLH4vHY9nSwZkbACg44Jc
Q1VVq42r7AzaB9A2cAWDC70=
=9xcS
-----END PGP SIGNATURE-----

Hi Brian!

On Wed, 01 Dec 1999, Brian Galbraith wrote:

> >> My personal view is that such a bill may not happen. But if it does, it
> >> will
> >> be mainly used for Organised Crime and Pedophile and not against the
> >> average person on the street.
>
> I live in the UK, and have spoken to a few police officers about this. I
> have been told that the use of encryption leads to suspicion of these very
> things. I have also been told that if I had nothing to hide, I would have
> no interest in encryption.

So do I and I used to work for a police service as a Civilian support
worker. So I know what you say is true. The average police man cannot
understand nor wishes to understand why the average person would use any
form of encryption.

>
> >
> > The only way to defeat such a bill, should it happen, would be to
> > propagate widespread public use of crypto. Now, let them try to
> > lock up one millon. Or five million.
>
> Exactly.
>

Maybe we should start a campaign :)

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Hi Rodrigo!

On Wed, 01 Dec 1999, Rodrigo Bernardo Pimentel wrote:

> (I'm not familiar with UK crypto laws, except for what I read on the
> Net).
>
> On Wed, Dec 01 1999 at 04:55:28pm +0000, Sean Rima wrote:
> > My personal view is that such a bill may not happen. But if it does, it will
> > be mainly used for Organised Crime and Pedophile and not against the
> > average person on the street.
> Does the bill state that it won't be used against the average person
> on the street, but only for organised crima and pedophile? If it does, it
> requires proof of the crime before it can be used, which would make it less
> than necessary (useful, maybe, in some cases).

No it makes no mention of who it would be targetted towards. But as has been
said in a previous reply, the police would and do believe that anyone using
any form of encryption have something to hide.

> If it doesn't (which I believe is the case), then how can we
> possibly know? We can trust law enforcement, at the most. But that's not
> something I imagine "crypto-aware" people would do in good will...
> In short, that's what they say, not necessarily what they'll do. We
> shouldn't depend on that when divising means to protect our privacy.
>

It is a matter of educating the people in power that the average person who
uses any form of encryption has nothing to hide. I personnaly would welcome
any visit from any law enforcement agency to show that I have nothing to
hide. Even my choice of NG's would show.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Hi David!

On Wed, 01 Dec 1999, David Pick wrote:

>
> > This is the point. Bob may or may not know both sets of keys. The encryption
> > tool may have used a random plaintext and a random key or it may not. The
> > only person who knows for sure is Bob. The cops can't prove it either way
> > assuming that the encryption technique is suitably robust against any
> > analysis they might bring against it.
> >
> > > Bob would not be able to claim that the files were encrypted using
> > > random keys without his knowledge as he would have had to start the
> > > process.
> >
> > Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
> > do they do that given that they don't know whether the second plaintext is
> > random or not?
>
> Several comments more-or-less at random:
>
<cut to save bandwidth>

I agree with what you say as you say it way better than I could ever try. I
am aware of the various sections of PACE although it has been a number of
years since I have referred to them :)


Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

On 01-Dec-99 Sean Rima wrote:
> Hi Adam!
>
> You ignore a couple of major points of British law, in that the police
> chief
> would need reasonable grounds to believe that Bob was involved somehow
> in a
> crime. He would not be able to demand Bob's key if he believed that Bob
> was
> having an affair with his wife. Don't forget that the police chief is
> also
> answerable to British law. But I also understand that you were using it
> as
> an example.
>
> The second mistake you make is that if Bob used such a program, he would
> have to hand over both sets of keys. He would not be able to say that
> there
> was only one. Should the police chief find that the file was locked also
> with a second key then Bob would be automatically guilty of failing to
> hand
> over the keys.
>
> Bob would not be able to claim that the files were encrypted using
> random
> keys without his knowledge as he would have had to start the process.
>
> My personal view is that such a bill may not happen. But if it does, it
> will
> be mainly used for Organised Crime and Pedophile and not against the
> average person on the street.
>

You might be interested in reading Richard Stallman's article on this at
http://linuxtoday.com/stories/12846.html which also links to the actual
text of the bill. There is AMPLE room for this thing to be vastly abused.

It's a real case of circular logic. They need something to base their
suspicions on to invoke the law, and your use of encryption and
unwillingness to co-operate makes you suspicious, so they can invoke the
law. The court that would oversee all of this is a secret closed court,
hence their is no public accountability for their decisions and actions.

The ends don't justify the means. Sure they have concerns with child
pornography and domestic terrorism, but once the door is open to trample
on people's individual rights, that door can be forced wide open and
abused in ways it was never intended. Closing the door after the fact is
extremely hard, if not impossible.

--
William X. Walsh - DSo Internet Services
Email: william@dso.net Fax:(209) 671-7934

Hi William!

On Wed, 01 Dec 1999, William X. Walsh wrote:

> > You ignore a couple of major points of British law, in that the police
> > chief
> > would need reasonable grounds to believe that Bob was involved somehow
> > in a
> > crime. He would not be able to demand Bob's key if he believed that Bob
> > was
> > having an affair with his wife. Don't forget that the police chief is
> > also
> > answerable to British law. But I also understand that you were using it
> > as
> > an example.
> >
> > The second mistake you make is that if Bob used such a program, he would
> > have to hand over both sets of keys. He would not be able to say that
> > there
> > was only one. Should the police chief find that the file was locked also
> > with a second key then Bob would be automatically guilty of failing to
> > hand
> > over the keys.
> >
> > Bob would not be able to claim that the files were encrypted using
> > random
> > keys without his knowledge as he would have had to start the process.
> >
> > My personal view is that such a bill may not happen. But if it does, it
> > will
> > be mainly used for Organised Crime and Pedophile and not against the
> > average person on the street.
> >
>
> You might be interested in reading Richard Stallman's article on this at
> http://linuxtoday.com/stories/12846.html which also links to the actual
> text of the bill. There is AMPLE room for this thing to be vastly abused.

Will have a look.

> It's a real case of circular logic. They need something to base their
> suspicions on to invoke the law, and your use of encryption and
> unwillingness to co-operate makes you suspicious, so they can invoke the
> law. The court that would oversee all of this is a secret closed court,
> hence their is no public accountability for their decisions and actions.

It is a circular sort of thing in that if I have sensitive documents that I
encrypt then I leave myself open to suspicion as to being involved in some
crime or another. In fact I do store sensitive documents on my PC which are
encrypted but it is simply due to the fact that they are legal stuff
concerning my ex wife (long and complicated story)

> The ends don't justify the means. Sure they have concerns with child
> pornography and domestic terrorism, but once the door is open to trample
> on people's individual rights, that door can be forced wide open and
> abused in ways it was never intended. Closing the door after the fact is
> extremely hard, if not impossible.
>

I don't think that the ends should justify the means. But at some stage or
another this issue is going to have to be addressed here in the UK and
unless we are not carefull we will lose the right to have our own documents
encrypted.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

On Wed, 1 Dec 1999, Sean Rima wrote:

> Hi Adam!
>
> You ignore a couple of major points of British law, in that the police chief
> would need reasonable grounds to believe that Bob was involved somehow in a
> crime. He would not be able to demand Bob's key if he believed that Bob was
> having an affair with his wife. Don't forget that the police chief is also
> answerable to British law. But I also understand that you were using it as
> an example.
>
> The second mistake you make is that if Bob used such a program, he would
> have to hand over both sets of keys. He would not be able to say that there
> was only one. Should the police chief find that the file was locked also
> with a second key then Bob would be automatically guilty of failing to hand
> over the keys.
>
> Bob would not be able to claim that the files were encrypted using random
> keys without his knowledge as he would have had to start the process.
>
> My personal view is that such a bill may not happen. But if it does, it will
> be mainly used for Organised Crime and Pedophile and not against the
> average person on the street.

There are many levels of people who are interesting to the police.
It isn't a matter of black and white, pedophile or avg-person.

This would certainly been used against Gandhi, M.L. King, Phil Zimmerman,
Tories, Sinn Fein, Communists, GreenPeace, the Pope, movie stars, and a
host of other completely responsible intellectuals and influential
(or potentially influential) public figures.

To bury your head in the sand like that is unacceptable.. I wonder
what would bring such a naive person to the GnuPG mailing list.

Unless you're a covert (or even overt) gov't. propagandist.

--
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue
mailto:billy@escape.com
http://www.escape.com/~billy

On Wed, 1 Dec 1999, Raman Boucher wrote:

> Message from a new crypto junkie:
>
> Unfortunately, I don't think this fully solves the problem.
>
> Bob still has to 'lie' (at least that is how the cops will
> feel about it). Ultimately Bob still has a way to get to
> the meaningful plaintext...and given only a small sampling of
> cyphertexts the cops will eventually get figure that out
> (meaningless faketexts, incorrect file sizes...).
>
> It may be possible for Bob to put them off temporarily by using
> "meaningful" faketexts. But I suspect that won't last...cops
> (at least in movies) see to be tenacious creatures.
>
> This scheme seems to be an elaboration of Bob saying to
> the cops "I lost that key". Because Bob can still get to the
> meat, but the cops cannot...and only if Bob is caught
> 'with his hand in the cookie jar' can he legitimately be
> arrested.
>
> Better is for Bob to encrypt his message with Alice's key
> as in the two-key system. He doesn't know the key, but
> can get it. Bob can't coerce Alice to give up her key
> (though the cops may be able to). Of course Bob must trust
> Alice to cough up the key when necessary.
>
> Perhaps for this purpose, Alice can be a bot. When tickled
> in just the right way, Alice will give up her key...not a 'key'
> perse, but still some way to keep the key safe.

Alice could also live in Switzerland or something, and then
the Chief is shit-out-of-luck.


--
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue
mailto:billy@escape.com
http://www.escape.com/~billy

On Wed, 1 Dec 1999, Sean Rima wrote:

> On Wed, 01 Dec 1999, Adam Lock wrote:
>
> > Sean Rima wrote:
> > >
> > > You ignore a couple of major points of British law, in that the police
> > > chief would need reasonable grounds to believe that Bob was involved somehow
> > > in a crime. He would not be able to demand Bob's key if he believed that Bob
> > > was having an affair with his wife. Don't forget that the police chief is
> > > also answerable to British law. But I also understand that you were using
> > > it as an example.
> >
> > Fine, the police chief concocts a phoney charge against Bob and uses that as
> > a pretense to get to the files.
>
> Hey that *never* happens :)

M.L.K.Jr. was thrown in jail for a few DAYS for driving 30mph in a 25mph zone
shortly after the onset of the bus boycott.

> > > Bob would not be able to claim that the files were encrypted using
> > > random keys without his knowledge as he would have had to start the
> > > process.
> >
> > Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
> > do they do that given that they don't know whether the second plaintext is
> > random or not?
>
> It would be difficult to know but I hazard a guess that looking at the
> source they may get an idea. As I said in my original reply, the police
> would only use it for major criminals and Pedophiles, who it is known use
> crypto to ensure that the stuff remains hidden from the police's eye.

Nyahh... the source to the tool?
If you can tell that from knowing about the cipher, then the tool isn't
a cryptographic tool at all, it's just a fancy multiplexer.
It's certainly possible to make the ciphertext indistinguishable from
a single encrypted message.

PS: I really hope you're being sarcastic about the Pedophile and Organized Crime thing.


--
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue
mailto:billy@escape.com
http://www.escape.com/~billy

On Wed, 1 Dec 1999, Sean Rima wrote:

> It is a matter of educating the people in power that the average person who
> uses any form of encryption has nothing to hide.

Exactly! You've got it!

> I personnaly would welcome any visit from any law enforcement agency to
> show that I have nothing to hide. Even my choice of NG's would show.

Doh! Just when I thought you were getting it...

--
"The Funk, the whole Funk, and nothing but the Funk."
Billy Donahue
mailto:billy@escape.com
http://www.escape.com/~billy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Billy Donahue, at 17:11 on Wed, 1 Dec 1999, wrote stuff.

I don't want to step too far out of line here, but I think this thread is
starting to really get out of line with its purposes, and I
recommend that it stop here.

There are better places for these privacy-related discussions than the
GnuPG users list (e.g., cypherpunks).

Please only reply to this off list.

- --
Frank Tobin http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (FreeBSD)
Comment: pgpenvelope - http://www.neverending.org/~ftobin/resources.html

iD8DBQE4RZ//Vv/RCiYMT6MRAm28AKCYNBBzdGsXQgyLDGYKDk2YzUORcQCffCen
lfMGjMwvIM7SnYUyJHutuOM=
=Vv9X
-----END PGP SIGNATURE-----

Hi Billy!

On Wed, 01 Dec 1999, Billy Donahue wrote:

> > My personal view is that such a bill may not happen. But if it does, it will
> > be mainly used for Organised Crime and Pedophile and not against the
> > average person on the street.
>
> There are many levels of people who are interesting to the police.
> It isn't a matter of black and white, pedophile or avg-person.

That is true, the police do like to have an interest in a lot more than they
let on.

> This would certainly been used against Gandhi, M.L. King, Phil Zimmerman,
> Tories, Sinn Fein, Communists, GreenPeace, the Pope, movie stars, and a
> host of other completely responsible intellectuals and influential
> (or potentially influential) public figures.

My examples were only examples. Given the list above and the causes they
were/are involved in, then yes they would be of interest to not only the
police but also the secret services.

> To bury your head in the sand like that is unacceptable.. I wonder
> what would bring such a naive person to the GnuPG mailing list.

I view is simple. I don't believe that it will be brought in but if there is
an attempt then I will fight against it. I do not believe that the goverment
should have the right to say that I have to do this.

> Unless you're a covert (or even overt) gov't. propagandist.
>

ROTFL, I have been called many a thing, but never one of these :)

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Hi Billy!

On Wed, 01 Dec 1999, Billy Donahue wrote:

> > > > You ignore a couple of major points of British law, in that the police
> > > > chief would need reasonable grounds to believe that Bob was involved somehow
> > > > in a crime. He would not be able to demand Bob's key if he believed that Bob
> > > > was having an affair with his wife. Don't forget that the police chief is
> > > > also answerable to British law. But I also understand that you were using
> > > > it as an example.
> > >
> > > Fine, the police chief concocts a phoney charge against Bob and uses that as
> > > a pretense to get to the files.
> >
> > Hey that *never* happens :)
>
> M.L.K.Jr. was thrown in jail for a few DAYS for driving 30mph in a 25mph zone
> shortly after the onset of the bus boycott.

Notice the :)

> > > > Bob would not be able to claim that the files were encrypted using
> > > > random keys without his knowledge as he would have had to start the
> > > > process.
> > >
> > > Yes but Bob can *lie*. The onus is on the police to prove he is lying. How
> > > do they do that given that they don't know whether the second plaintext is
> > > random or not?
> >
> > It would be difficult to know but I hazard a guess that looking at the
> > source they may get an idea. As I said in my original reply, the police
> > would only use it for major criminals and Pedophiles, who it is known use
> > crypto to ensure that the stuff remains hidden from the police's eye.
>
> Nyahh... the source to the tool?
> If you can tell that from knowing about the cipher, then the tool isn't
> a cryptographic tool at all, it's just a fancy multiplexer.
> It's certainly possible to make the ciphertext indistinguishable from
> a single encrypted message.

My phrasing was wrong. I hazard a guess that looking at the source to a
program, a decent programmer could get the gist of what happens. Of course
the dificulty with PGP/GPG is the random bits.

> PS: I really hope you're being sarcastic about the Pedophile and Organized Crime thing.
>

Given the normal police man's thought, any one using any form for crypto
would be guilty of one or the other or both of the above. Otherwise why
would a decent person want to use it.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Hi Billy!

> > It is a matter of educating the people in power that the average person who
> > uses any form of encryption has nothing to hide.
>
> Exactly! You've got it!

Good.

> > I personnaly would welcome any visit from any law enforcement agency to
> > show that I have nothing to hide. Even my choice of NG's would show.
>
> Doh! Just when I thought you were getting it...
>

Yes I would welcome a visit but I would not give access to any of my keys.
At the end of the day, my local bobby could walk into my house and examine
my PC but I would not decrypt any of the documents that I have stored
encrypted without some form of court order.

Sean

--
GPG ID (DSA) 92B9D0CF PGP2 ID 19592A0D Linux User: #124682 ICQ: 679813
To get my PGP Keys send me an empty email with retrieve as the subject
It said "Needs Windows 95 or better". So I installed Linux...

Adam Lock wrote:
>
> I understand that it will (or might) soon be necessary in the UK to hand
> over crypto keys to the police if they so demand them. The penalty for
> not doing so is a term in prison.
>
> So here's an idea on how to defeat it.
>
Bob's scheme omitted:

How about if Bob just claims it's an asymetric encryption with
some key held in his memory, and the "intimidation" made him
forget the key?

Also the government probably has "tempest scanners" and if you
are suspect, they can get your key and passphrase thru tempest
type bugging. Over here in America they show TV shows on how
the Briitsh government ride around checking for unregistered
Televisions in unmarked vans. It is a small step for them to sit out in
the
street and read your keystrokes. Once they get your secret key
passphrase, or asymmetric key, they got you.
Does Bob work in a Faraday cage?

I'm old enough to remember when audio bugs were a new thing,
and nobody suspected a thing. Well computer data bugs are a new thing,
and
most users completely ignore it's implications.
When was the last time you tore apart that little modem power block
on your desk, to check for suspicious ic chips? Did the "cleaning
lady" swap yours with a look-alike with a keystroke recorder in it?
Maybe she did it for a $100 bribe.

My point is real security is hard to come by when your opponent is the
government authorities. Bob's best bet is to use something like
Stenography and deny that he even uses encryption, and force them to
prove he is using it.
I can see it now....Brits will be known for having great numbers
of jpegs on their harddrives. :-)

On Wed, Dec 01 1999 at 08:57:41pm +0000, Sean Rima wrote:
> Hi Rodrigo!
Hi, Sean :)

> No it makes no mention of who it would be targetted towards. But as has been
> said in a previous reply, the police would and do believe that anyone using
> any form of encryption have something to hide.
(...)
> It is a matter of educating the people in power that the average person who
> uses any form of encryption has nothing to hide.
Educating people is a very subjective measure. People in power may
never be educated. They may be and still use their power to their own
accord. In any case, I'm not willing to take a chance. Unless they're not
legally and objectively restricted as to what they can demand from me, I
don't trust they'll take the right attitude.

> I personnaly would welcome
> any visit from any law enforcement agency to show that I have nothing to
> hide. Even my choice of NG's would show.
Definetely, so would I. Unless "showing I have nothing to hide"
includes invading my privacy (or, in this case, giving my private encryption
keys away). That's my point: law enforcement officials should have their
rights very well defined. Any officer can come up with a "suspicion of
ilegal activities". Do you like Monty Python?
- There's a paper bag I have found on the premises! I must
confiscate it and take it for clinical examination!
- Wait a minute! You just took that out of your pocket!

Get the idea?
If they want to have the right to demand encryption private keys
(whici I oppose to, for the very reason that moves our discussion on this
subject), the same law should clearly state the cases where this applies. It
shouldn't be left for future consideration. I have seen too many cases of
police abuse not to distrust the people with the badge...


rbp

________________________________________________________________________
Rodrigo Bernardo Pimentel <rbp@pobox.com>| GPG KeyID: 81F85A48
LinuxSP <http://www.linuxsp.org.br>| Fingerprint:
AirGeeks <http://www.airgeeks.org>|7E62 9CA2 C95B FC86 B334
_____________ Debian Linux User ______________|203E C011 2E4D 81F8 5A48
Duct tape is like the Force: it has a dark side and a light side,
and it holds the Universe together.