Should governments have the RIGHT to ban serious encryption?

[hijack]
Aren’t there encryption systems where it’s impossible to prove that encrypted information exists at all? For example, if I use the last 4 bits per pixel of a 24 bpp bitmap to contain encrypted information, how can anyone prove that it isn’t simply a noisy bitmap?

Or how about this:
Cops: Give us your encryption key!
Me: Here you go!
Cops: That’s not the right key! It’s still gibberish!
Me: Of course. I encrypted some gibberish.
[/hijack]
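The "noisy bitmap" question above can be checked statistically. The following is an added example, not part of any post in this thread: in ordinary image content the low 4 bits of neighbouring samples track each other, while ciphertext-like bits are independent, and the score below measures that. The image data is constructed inline and all function names are hypothetical.

```python
import random

def low_nibble_roughness(samples, width):
    """Mean circular distance (mod 16) between low nibbles of horizontal neighbours."""
    total = pairs = 0
    for start in range(0, len(samples), width):
        row = samples[start:start + width]
        for a, b in zip(row, row[1:]):
            d = abs((a & 0x0F) - (b & 0x0F))
            total += min(d, 16 - d)   # 0 and 15 are neighbours, not 15 apart
            pairs += 1
    return total / pairs

def looks_embedded(samples, width, threshold=3.0):
    # Independent uniform nibbles average 4.0; smooth image content sits well below.
    return low_nibble_roughness(samples, width) > threshold

def constructed_cover(width, height, rng):
    """Constructed sample: one channel of a smooth gradient with +/-1 sensor-like noise."""
    return [max(0, min(255, (x + y) // 2 + rng.choice((-1, 0, 1))))
            for y in range(height) for x in range(width)]

def with_random_low_nibbles(samples, rng):
    """Stand-in for the scheme in the post: ciphertext-like bits in the low 4 bits."""
    return [(s & 0xF0) | rng.randrange(16) for s in samples]

def demo(seed=1):
    """Return (score of the plain cover, score of the same cover carrying random nibbles)."""
    rng = random.Random(seed)
    width, height = 256, 64
    cover = constructed_cover(width, height, rng)
    carrier = with_random_low_nibbles(cover, rng)
    return low_nibble_roughness(cover, width), low_nibble_roughness(carrier, width)

if __name__ == "__main__":
    print("cover %.2f, carrier %.2f" % demo())
```

A high score shows that the low bits are statistically unlike image content; a genuinely noisy source would also score high, so the test flags an anomaly rather than recovering or proving a message.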

How does one stop a government passing such restrictive laws?

I would think that in the UK it would be possible to take this to the European Court of Human Rights along with proof that governments themselves had acted illegally and that citizens needed protection.

The Data Protection Act does place an obligation on those who hold data of just about any type, but only on individuals to keep that data secure so there would be an avenue worth exploring there.

The problem of course then comes with the threat of sanctions from the US which might take a different view.

matt, it’s called steganography. It hides the info but you can still prove it is there. It just makes it not evident. You are just hiding one file inside another, much larger file. It has its drawbacks but it can be done.

Re your second statement, if the key is not the correct key, the program tells you so, it does not just decode gibberish. Like if you enter the wrong password at a website.
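Whether a wrong key produces an error or just gibberish depends on whether the file format carries an integrity check. The sketch below is an added example, not code from any poster or product: it decrypts the same ciphertext with and without an HMAC tag, using a SHA-256 counter keystream as a stand-in for a real cipher. The salt, passphrases and function names are constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"   # constructed value; real tools store a random salt per file

def derive_keys(passphrase):
    """Stretch the passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase, SALT, 100_000, dklen=64)
    return material[:32], material[32:]

def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode, no nonce), a stand-in for a vetted cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))

def decrypt_unchecked(passphrase, ciphertext):
    """No integrity check: any passphrase 'works' and a wrong one yields gibberish."""
    enc_key, _ = derive_keys(passphrase)
    return keystream_xor(enc_key, ciphertext)

def seal(passphrase, plaintext):
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    enc_key, mac_key = derive_keys(passphrase)
    ciphertext = keystream_xor(enc_key, plaintext)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def open_sealed(passphrase, blob):
    """Verify the tag first; a wrong passphrase is reported instead of decoded."""
    enc_key, mac_key = derive_keys(passphrase)
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified data")
    return keystream_xor(enc_key, ciphertext)
```

With the unchecked format every passphrase returns output of the right length, so the tool cannot distinguish a wrong key from the right key to random data; with the tagged format it can.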

I am no expert, but one difference I see is that they would not search your files–rather, the court would subpoena the files and you would be ordered to provide them by such and such a date in a readable fashion. If the court subpoenas your files you can’t shred them, then turn them in and say “The info is all there if you all can figure out how to put them back together”. I think this is a much closer analogy than the house search.

Well, why couldn’t somebody write a program that does just as matt said? It would make it very difficult to prove that there is non-gibberish in any given chunk of data at all.

>> Well, why couldn’t somebody write a program that does just as matt said? It would make it very difficult to prove that there is non-gibberish in any given chunk of data at all.

Well, yes, that is how it would work basically but programs then are more sophisticated and ask for a password even before they begin decyphering. The reason there is no need for this is because judges are not entirely dumb, and I think you would have a hard time convincing one that you pass the time by encyphering strings of random characters.

True, but I think there could be a good reason for encrypting random data on occasion.

By encrypting the occasional random data, you keep your real data a bit safer because anyone who had access to your system would have to weed through junk to find anything useful. Not really extra security, per se, but it would slow someone down, and who wouldn’t want to piss off and annoy someone trying to get their real data? I think this reason might fly.

So you could have a program that when given the real password outputs the true decrypted file, and when given a particular incorrect password outputs some form of gibberish. Any other wrong password would still give some sort of error message and the program would refuse to continue, so that things don’t look too fishy. When you’re ordered to give the password, you reveal that particular incorrect password, but tell them that you routinely encode junk just to piss off any enemies of yours that might be after your real data. They try it, and get gibberish. You grin and say “See? I was telling the truth. I love encrypting the occasional gibberish. Keeps people on their toes.”

Of course, for best results you’d have to have some files that do decrypt regularly, because it would be difficult to get someone to believe that everything you encode is gibberish. You could just have these files be unimportant information, or (even more deviously) disinformation.

I know, I know, pretty risky. But I think it could work in the right situation.

Actually, instead of gibberish it could print out “Ha ha! You just wasted your time decrypting a stupid message like this.”

yeah, yeah, sure, … tell it to the judge if you think it’ll help your case. I wouldn’t count on it.

Well, I probably wouldn’t count on it either. Might work though, and if it did it would be very clever. Besides, I have been odd enough to encrypt random data for the sole purpose of pissing off anyone trying to decrypt it. So the idea isn’t that far-out. :)

I can’t remember my PINs for my cards so I have to carry them with me. So, I have a long list of names and phone numbers but a few of the names are phony and the PINs are part of the phone number. For example my account with the Bank of America would look something like: Bob Amey 5374563 and the last four or first four digits would be the PIN.

Not that it would fool the cops or the judge but I think it would fool the thieves who stole my credit card.

sailor, I can clear that up rather quickly for you: We aren’t (or weren’t; our big problem was Singapore, which used to ban all encryption) primarily concerned about government inspection of our documents. We were concerned that anything originating in Singapore would have to have been transmitted without encryption, therefore potentially exposing it to examination by anyone who could get a copy - hackers, industrial spies, people looking to manipulate the stock, whatever. The policy in Singapore exposed us to risk globally. That is why we ended up shipping certain things to New Zealand in a box rather than send them out of Singapore electronically.

(I should point out that I work for a large retail company, in a comparatively low-level position (store-level), so I only know the fact of the situation existing, and the repercussions down the line - don’t mistakenly get the impression that I had any input into the situation, or could have.)

Restrictions on encryption have many more implications than government snooping - that’s just the most offensive one.

some guy, gotcha. The French, knuckleheads that they are, had a similar law. It seems they thought they’d get to snoop on all the foreign companies and steal their secrets. When they found out the foreign companies were not so dumb and were preferring to go to other countries, the French government had to backpedal quite fast. It may be the case with Singapore pretty soon if they have also not backpedaled already.

I find it is quite stupid and shortsighted to ban companies from encrypting their documents. OTOH, I cannot see how they could catch you if you use a phone call and modem. They’re not supposed to be listening… Also, by using steganography you could quite easily encrypt and hide the information and send it over the net. “Dear Boss, please find attached a video of my new secretary filing her nails…” :)

Re: fourth amendment
The 4th amendment only applies to criminal investigations, so if you’re being sued, the government would be on good footing demanding that you give them the keys. Also, the encrypting gibberish idea is not as silly as sailor seems to believe. In fact, not doing it in certain circumstances is rather silly. After all, every time you send an encrypted message, no matter how good your encryption is, part of the message will be obvious to anyone that’s listening: the “I have something important to tell you”. A strategy to counter that is to send a continuous stream of encrypted information, sending gibberish if you don’t need to send anything useful.

[QUOTE]
*Originally posted by Manda JO*

“I am no expert, but one difference I see is that they would not search your files–rather, the court would subpoena the files and you would be ordered to provide them by such and such a date in a readable fashion.”
[/QUOTE]

Thanks Manda, I suspect that IS a better analogy. Legal techniques continue to be a complete mystery to me. If a judge may subpoena documents then why not other evidence as well, the murder weapon, the drugs, or whatever they happen to need to convict a person?

Taking another tack on keeping information secure, aside from steganography, is there any other method of concealing that the information exists at all?

Thanks.

Testy.

The 5th Amendment protection against self-incrimination is not limited to actual testimony in court. People who are legally disallowed from owning firearms are not bound by gun registration laws. Because if you, a felon, are forced to register a firearm, then you are telling the government that you are in possession illegally, thus incriminating yourself. This was an actual ruling by the Supreme Court.

IMO, being ordered to give up an encryption key (or rather the passphrase to your key) is not a physical object that is subject to a search warrant. It is information that is privately held, inside your head and nowhere else. Being forced to tell somebody a password is basically being compelled to testify. (I’m making the assumption that the case in question is against you, and of course, IANAL)

>> IMO, being ordered to give up an encryption key (or rather the passphrase to your key) is not a physical object that is subject to a search warrant. It is information that is privately held, inside your head and nowhere else. Being forced to tell somebody a password is basically being compelled to testify. (I’m making the assumption that the case in question is against you, and of course, IANAL)

Well, the courts seem to disagree with you and repeatedly hold in contempt people for not revealing things which are inside their heads. Two examples that come to mind are Susan McDougal and that woman who spent time in jail because she would not reveal where her daughter was.

Um, sailor? That’s why he said

In both those cases the court was looking to convict someone else.

Point taken