I think this can get you into some trouble in the UK, if not the US.

http://en.wikipedia.org/wiki/Key_disclosure_law




Oh wow (from the wikipedia article):

Australia

The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to" access computer data that is "evidential material"; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months imprisonment. Electronic Frontiers Australia calls the provision "alarming" and "contrary to the common law privilege against self-incrimination."

I wonder how that would work if you own the server, but only the individual users held their private keys?


Hmmm. As someone under the jurisdiction of the Australian Cybercrime Act... I wonder if it's time to have policies in place for private keys - much like many corporate email retention policies. "We keep private keys for twelve months only. We create and deploy new keys every six months and securely delete all keys older than 12 months along with their passphrases - including physically destroying all drives that ever contained the key and/or backups of it. Any data not transitioned to new encryption keys before private key destruction is considered irretrievable."

"Yes Agent Smith, that's a mighty fine $5 wrench you have there - here's _both_ my current private keys. Last year's? No sorry, here's the video of those disk drives being hammered to bits then melted down to sludge. (Ouch! Why are you hitting me? This plan was _flawless!_)"


I think you could probably make the case you had no reason to believe sessions were "evidential material" because you aren't storing them and you have no reason to believe anyone else is either.

Of course, once you get a notice there's probably nothing you can do.


Probably the same as if you were renting an apartment to a criminal, and you gave him the keys and all the copies.


How would you know he's a criminal?

Also, why is it that every time the authorities get away with making analogies with stuff in real life, like encryption compared to a locked box, or something, but when it's the other way around, say e-mail vs snail mail, suddenly they are not the same anymore, and they need to be treated differently (authorities can't look into your mail, but get all your e-mail after 180 days).


I have found that the Crypto Law Survey is remarkably more detailed than wikipedia for crypto policy questions. Sadly the site is not as well known as wikipedia:

http://www.cryptolaw.org/


That hostname isn't resolving for me at the moment.


  $ dig www.cryptolaw.org @8.8.8.8

  ; <<>> DiG 9.8.3-P1 <<>> +nocomments www.cryptolaw.org @8.8.8.8
  ;; global options: +cmd
  ;www.cryptolaw.org.		IN	A
  www.cryptolaw.org.	1801	IN	A	77.74.54.129
  ;; Query time: 45 msec
  ;; SERVER: 8.8.8.8#53(8.8.8.8)
  ;; WHEN: Tue Jun 25 19:27:38 2013
  ;; MSG SIZE  rcvd: 51


Well, I'm not too worried about trouble in the UK.
