[stevetrewick]

"To ensure they do not succeed, we do not comment publicly on the methods or capabilities available to the security and intelligence agencies."

Oh but you don't need to, because it's obvious. All my encrypted traffic to my overseas based VPN will be logged (legal). Then you'll demand my keys so that you can decrypt it. If I don't or can't comply then I will be - by definition - a criminal and potentially a terror suspect.

Which is why 'just use a VPN' is not really a satisfactory response to this kind of legislative landscape. Just doing so paints a target on you.

Which is not to say I don't appreciate the VPN providers stepping up, the more VPN users there are the more expensive it is to persecute them individually.

[cesarb]

> All my encrypted traffic to my overseas based VPN will be logged (legal). Then you'll demand my keys so that you can decrypt it.

If the VPN connection uses ephemeral keys (IIRC, at least IPSEC, SSH, and TLS 1.3 always use ephemeral keys, while older TLS uses them when possible), by then it's too late: the keys are gone.

[CydeWeys]

You can imagine someone being locked up for this though. If you are required by law to decrypt your data, and you chose technology that does not allow this, then that's on you. To use an analogy, if you choose to ride a bike that doesn't have lights, and then get pulled over for riding without lights, the lack of lights is not a defense because you were required to have them in order to be on the road at night.

[TheGrumpyBrit]

The law as written protects you against this:

RIPA S49(2) (http://www.legislation.gov.uk/ukpga/2000/23/part/III/crosshe...):

If any person with the appropriate permission under Schedule 2 believes, on reasonable grounds—

(a)that a key to the protected information is in the possession of any person,

(b)that the imposition of a disclosure requirement in respect of the protected information is—

(i)necessary on grounds falling within subsection (3), or

(ii)necessary for the purpose of securing the effective exercise or proper performance by any public authority of any statutory power or statutory duty,

(c)that the imposition of such a requirement is proportionate to what is sought to be achieved by its imposition, and

(d)that it is not reasonably practicable for the person with the appropriate permission to obtain possession of the protected information in an intelligible form without the giving of a notice under this section,

the person with that permission may, by notice to the person whom he believes to have possession of the key, impose a disclosure requirement in respect of the protected information.

If the technology by implementation never gives you the keys and doesn't retain them, then there can't be a reasonable belief that you're in possession of the keys, so the requirement fails at the first hurdle.

[JustSomeNobody]

I can see one of those situations where you get held indefinitely because they obviously cannot charge you but don't want to let you go to a) prove a point and b) hopefully let the law "catch up" to this situation.

[pbhjpbhj]

If "they" are going to hold you indefinitely and contramand the rule of law then it doesn't matter what the law says.

IIRC the UK government was defeated in the UK courts over extending the time a terrorism suspect could be held without charge.

[stevetrewick]

Cool. Now all I have to do is prove that to the satisfaction of the investigation while they crawl all over the rest of my life looking for clues as to what it is I'm so keen on hiding. The process is the punishment.

[wlll]

I wonder if we can mitigate this by rolling keys regularly. Daily perhaps? As far as I know there's no requirement to store encryption keys personally, only to give up the keys on request if available. Something that you can't do if you never store them on physical media.

[jk563]

Surely self-incrimination laws make this a non-starter?

[wlll]

Unfortunately in the UK you can be prosecuted for not handing over an encryption key the authorities think you have:

http://www.theregister.co.uk/2008/10/14/ripa_self_incriminat...

It is up to you to prove you don't have it anymore too.

[Senji]

Are perfect forward security protocols then illegal? What if it's physically impossible for you to give them a key that doesn't exist anymore?

[stevetrewick]

Guess we're about to find out. The current government (albeit with a different (arguably more liberal) PM) has already revealed it has a desire to criminalise any crypto it can't decrypt. Because paedos and terrorists. That kind of legislation seems a natural outgrowth of this, once they find a 'think of the children' case to use as leverage. That's why we worry about the 'thin end of the wedge'.

[EdHominem]

If this was currently being developed in the UK, my money would be on illegal.

Thankfully it's a well-known concept now, and a foreign-invented technology you need to interoperate with the rest of the world.

Nothing stops them from throwing the law at you though, even if they know if won't work. You literally can't be punished as a prosecutor for anything less than deliberately throwing the trial for money. If they feel they won't win they'll intentionally ruin your life anyways.

[pmyteh]

If you can prove (on the balance of probabilities) that you don't have the key - because it doesn't exist or otherwise - then you are not guilty of the offence. Of course, that's not entirely straightforward.

[gambiting]

In UK you can already go to prison for 2 years if you refuse to hand over your encryption keys.

[jk563]

In case anyone wanted to read more: https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...