"Give us your password or go to jail"

Our Ministry of Justice is planning something: The police can order you to give up your passwords if they think it's necessary.

What's the problem? Well - since cryptography aims to make your data look as much like random noise as possible, you can pick any file containing noise (like any random JPEG file), and claim that it contains encrypted data. And because there is no password, you go to jail. There is a well-known cryptographic technique called steganography that specializes in hiding data in obvious places.

The British version (RIPA) is even worse: you must prove that you don't know a password for a system. Normally, in court, if you say you don't remember something, that's not illegal. But forgetting a password in Britain is (would be? I'm not sure). However, looking through the Finnish proposal, I don't see anything like that mentioned there. You would be questioned rather deeply, I'm sure.

New provisions concerning a data preservation order and an information system holder's duty to provide information would be added to the Coercive Measures Act. The aim is to make the work of pre-trial investigation authorities and international cooperation easier. The holder of an information system would be obliged to give the pre-trial investigation authority, at its request, the passwords and equivalent information known to the holder that are necessary for seizing the data.

The good thing is that if you're suspected of a crime, you don't - obviously - have to give up the passwords. As far as I can see, this is really meant to concern administrators and other maintainers of computer systems. Keeping your own hard drive encrypted would still be okay - just make sure you're the only person with the password, and don't store anyone else's stuff on it.

(Via avs online. The entire text is available on the Ministry of Justice website (and in Finnish, obviously).)


Of course there is also the solution of encrypting and mixing two different sets of data, one "criminal" and one "clean", and then providing the "clean" password when asked.

It's not a perfect solution, of course, and might still get you into trouble, but at least you can give a password which decrypts something from that data.

Sure, that's not very efficient for, let's say, big ISPs. :)

--Pare, 29-Sep-2006

"Main_blogentry_280906_4" last changed on 28-Sep-2006 21:52:00 EEST by JanneJalkanen.