Encryption and the road to hell

This morning’s BBC report has brought to light the ongoing debate over how to enforce the UK Regulation of Investigatory Powers (RIP) Act from 2000.

Part III of RIPA gives law enforcement agencies the decryption powers and, provided some conditions are met, makes it a serious offence to refuse to turn scrambled files into an “intelligible” form. Those refusing could see their sentence increased as a result.

The government is holding a consultation exercise on the code of conduct that those using these powers will have to abide by.

The code was debated at a public meeting organised by digital rights group the Foundation for Information Policy Research (FIPR).

This debate seems to start from the age old issue of whether people are required to incriminate themselves when police are unable to find evidence against them. This situation, however, is slightly more complicated because encryption keys are so easily hidden and/or destroyed. Moreover, encryption is so frustratingly easy for law enforcement to find precisely because it can be so difficult for them to decipher. In theory you can leave encrypted files lying about without fear of them being used as evidence against you, unlike a smoking gun or a bloody knife, so to speak.

So, just at the time when encryption is starting to really be adopted on the personal computer the police are demanding that they need either special privileges such as a back-door or the right to inflict severe penalties on anyone refusing to decrypt data on demand. It is interesting to read that the US government seems to be moving ahead (“VA to spend $3.7M on encryption tools”) since the adopters must be curiously watching the UK to see what kind of liabilities they could bring to themselves. They spend money trying to avoid liability, and could just end up with a different set (e.g. will internal investigators be able to access VA data without alerting suspects or demanding decryption?).

Mr Bowden [former head of FIPR] also questioned the wisdom of making it an offence to refuse to unscramble evidence. He said there were many scenarios that made it possible for a suspect to deny they ever had the key that unlocked encrypted data.

Already, he said, there had been one court case in which a suspect was acquitted after claiming a computer virus under someone else’s control had caused the offences for which he faced trial. Mr Bowden speculated that other suspects could use the same tactic or would fake a virus infection to get themselves off the hook.

There is certainly no silver bullet here so it is good to see the debate taking place. Unfortunately finding common ground is complicated by a lack of experience and examples to help everyone find an appropriate balance.

Key management systems and encryption that I have deployed have always encountered resistance primarily from those who are the least familiar with what it can and will do for them. I usually tell people that encryption, like other tools, is a double-edged sword that needs careful guidance and legislation/policy to help ensure proper use and to prevent misuse. Many people feel strongly about these issues and so it is important to review the possibilities early to avoid unpleasant surprises. Or as Lord Philips of Sudbury put it:

“You do not secure the liberty of our country and value of our democracy by undermining them,” he said. “That’s the road to hell.”

The Battle for Control of Schools

Lawrence M. Krauss, professor of physics and astronomy at Case Western Reserve University, has an interesting essay in the NYT about the changing landscape in the battle between creationists and schools:

With their changing political tactics, creationists are an excellent example of evolution at work. Creation science evolved into intelligent design, which morphed into “teaching the controversy,� and after its recent court loss in Dover, Pa., and political defeats in Ohio and Kansas, it will no doubt change again. The most recent campaign slogan I have heard is “creative evolution.�

But perhaps more worrisome than a political movement against science is plain old ignorance. The people determining the curriculum of our children in many states remain scientifically illiterate. And Kansas is a good case in point.

[…]

As we continue to work to improve the abysmal state of science education in our schools, we will continue to battle those who feel that knowledge is a threat to faith.

But when we win minor skirmishes, as we did in Kansas, we must remember that the issue is far deeper than this. We must hold our elected school officials to certain basic standards of knowledge about the world. The battle is not against faith, but against ignorance.

That’s what people do when they see a tourist attraction

Correction, that’s what people used to do. It’s ok to look, just don’t record images as it might be interpreted as intent to cause harm. Information has literally become power. The Register has the scoop:

The FBI said Monday that it had no information to indicate that the men in custody had any ties to terrorist organisations, the Associated Press reports. Nevertheless, the local police and prosecutors seem persuaded that they’ve foiled a dastardly plot, and appear prepared, for now, to go through with the prosecutions.

Additionally, photos of the five-mile long Mackinac Bridge were found in a digital camera belonging to one of the suspects, prompting local authorities to imagine it was a target.

A lawyer defending the men told the AP that the photos were tourist snapshots taken while the men were stuck in traffic. “That’s what people do when they see a tourist attraction: they take pictures,” the wire service quotes him as saying.

Microsoft drops price, paints target

Only a few days after the AusCERT announced that the top antivirus firms are the ones least able to find viruses, Microsoft has catapulted itself into the #2 sales position with…wait for it…agressive pricing. Selling for $19.99 instead of $49.99/year seems to make more people buy your software. Who would have thought? Microsoft was quoted saying:

“We see our comprehensive ‘PC Care’ approach as a new and important direction for consumer PC services and are encouraged to see that more consumers are taking steps to effectively protect and maintain their PCs,” Samantha McManus, a business strategy manager at Microsoft, said in an e-mailed statement.

Yes, it is good to see that they can sell more units at half-price the price of their competitor’s product, but do we believe they are selling better units? Can someone find anything to show that “effectively protect and maintain” translates to a reasonable boost in user safety with One Care versus other products (e.g. fair competition on quality/price) or is this just about distribution targets and sales numbers for Microsoft (e.g. price alone)? In other words, will they consider themselves most successful when they have reached the #1 antivirus product by number of users even though they are found to be the least effective against virus infections? Something about the AusCERT warning tells me the whole AV “industry-leader” ranking system needs an overhaul…