> Yes, this is where the hairs rise on our arms: if you have a recorded file with radio noise from the local telescope that you use for generation of random numbers, and the police ask you to produce the decryption key to show them the three documents inside the encrypted container that your radio noise looks like, you will be sent to jail for up to five years for your inability to produce the imagined documents.
Alarmist and inaccurate. If you read the statute that Mr. Falkvinge links[0], it turns out that if there's a serious question about whether you have the key to some piece of supposedly encrypted data, the burden of proof is on the prosecution to prove you do have the key to it (and therefore that it is encrypted data) beyond reasonable doubt, just as you'd expect. s.53(3).
What counts as proof? Will a jury understand what doesn't count as proof? If a very official and nice-looking prosecutor stands up and makes an argument that is slightly too complicated for the average juror to understand, claiming that Mr. Smith's "random" file is actually encrypted information, is the jury going to believe him?
It is not uncommon for juries to accept flimsy and circumstantial arguments no matter how hard the defense tries to explain that the Prosecutor is spewing nonsense. The scenario the author lays out is not certain, but it is plausible.
> What counts as proof? Will a jury understand what doesn't count as proof? ... It is not uncommon for juries to accept flimsy and circumstantial arguments no matter how hard the defense tries to explain that the Prosecutor is spewing nonsense.
You're right, those are problems. But they're not problems with this law, they're problems with jury-based criminal justice systems. And the system's had 900 years to evolve solutions -- judges summing up, "No case to answer" / directed verdicts, etc.
There's room for disagreement about how effective those solutions are. Point is, as the main objection to this law, that complaint 'proves too much' -- since essentially the same objections apply to all but the most trivial criminal offences, the solution then becomes scrap juries and go for a Germany-style professional/inquisitorial justice system. (And maybe we should, I don't know).
(btw, this is very, very far from being the most complicated law or subject matter that juries have to face, compared to e.g. complex fraud trials)
(To be clear, I think this is a terrible law! But just because I agree with TFA's conclusions doesn't justify his fearmongering, IMO)
Yes, and in fact, for that (radio telescope data) case, there is a pretty obvious null 'key' you can hand over - or rather, load the data file into JodrellBank.exe and show them what it is. If, on the other hand, you have been trying to troll the police and MI5 with:
But really, stop doing that; it's not as clever as you think. In fact, the provocative filename gives reasonable suspicion you are an (incompetent) terrorist, and the police and security services don't like their time being wasted while you try and prove a point.
In my first month of high school (c. 1993), similar trolling (renaming a README.TXT to VIRUS.EXE on a floppy disk) got me kicked out of any computer classes and banned from touching any of the school's computers for the remainder of my high school career.
That was when I learned that the "powers that be" don't like you fucking with them.
> the burden of proof is on the prosecution to prove you do have the key to it (and therefore that it is encrypted data).
If they know that you have the key, they could simply confiscate it from you to decrypt it. But how would you even prove or disprove that someone has the key?
If they arrest someone with a laptop encrypted with ransomware, will they force this person to pay? Let's say he pays, or the police and gov authorities pay, and the outcome would be that it's not decrypted: would it prove that this person encrypted it themselves, or could it be that ransomware decryption didn't work? Does it really matter if we would be jailing a potentially innocent person, I mean the terrorists and pedophiles are rampant, right!?
> But how would you even prove or disprove that someone has the key?
The same way you 'prove' anything in criminal law: by adducing evidence that convinces a jury beyond reasonable doubt. If they don't have any evidence, the accused has no case to answer.
> If they arrest someone with a laptop encrypted with ransomware, will they force this person to pay?
Which provision are you thinking they could do that under? s.49 and 53 aren't relevant, they're only if someone is in possession of the key. With ransomware, some third party bad actor is in possession of the key.
Wait. So if I am suspected of being a terrorist or a pedophile, I can refuse to give my encryption key, go away for 5 years then get out without charges?
The onus of providing evidence is, and always should be, on the accuser - so if the police are suspecting you of being a terrorist/pedophile, they should produce evidence that you are. In an ideal world, you should be able to refuse to hand over your encryption key and go home without any charges, not a stupid 5 year sentence for not giving out a key to data which might/might not be encrypted.
It's not a valid defense, because usually, if the police are investigating you, they probably already have some evidence on you. Finding out some random data on your drive usually comes later.
I haven't read the statute, but I got the impression from the link that the law reads like the laws in the US compelling you to give a breath or blood test when suspected of DUI. If you refuse, you receive punishment whether or not you were actually guilty.
Why should encryption even matter? The principle is, you may not keep any secrets. If the government suspect you know the time and place of a planned terror bombing, then logically, they should argue you be punished if you don't tell them some plans, even if they don't claim you ever committed encrypted plans to paper or bits.
The process has a few stages. NTAC (GCHQ) approves the issue of a Section 49 Notice ("decrypt or jail"); a Section 49 Notice is issued; and it's then either complied with or not.
Eight Section 49 Notices had been issued up to April 2008. Since then the rate has increased steadily; 37 were issued in 2014/15 (latest year of data).
(Note that Wikipedia has some of it a bit wrong. WP suggests that councils started snooping on citizens after RIPA. In fact, councils were always doing this, and RIPA brought it into a regulatory regime and stopped some of the worst excesses.)
Probably nothing. Groups like the Pirate Party work themselves into a fit over meaningless affronts to privacy because of some combination of a) a lack of real politics, and b) actually having something serious to hide.
This significantly pre-dates the Assange/Guardian/Greenwald stuff. The purpose of the law was to stop people being able to get off child pornography and terrorism charges by refusing to provide an encryption key.
Now, I think the law is misguided in principle and potentially malicious in practice, but it was never about prosecuting journalists.
Write your key onto 2 pieces of paper. Mark one as part 1 of 2, the other as part 2 of 2. Make sure you write something like "please note that if I am not served with the appropriate RIPA key disclosure when this equipment is seized I will destroy the other part of the key and this piece of paper proves beyond reasonable doubt that I am not in possession of said key".
Keep one piece with you at all times and be ready to destroy it. Write a post on Hacker News explaining what you would do.
Now you don't go to jail. And you can live like Jason Bourne.
I don't suppose, if you're not aware of any investigation against you. Besides that, you don't have to testify against yourself (in a functioning democracy, that is).
[0] http://www.legislation.gov.uk/ukpga/2000/23/section/53