AUCKLAND (10/29/2003) - Code-breaking legislation introduced as part of the Counter-Terrorism Act could be encouraging an "arms race" between government agents and knowledgeable Internet users.
Computer users are being quietly advised that protection of their privacy is still possible in the face of legislation which compels the release of encryption keys and passwords should law-enforcement authorities demand them, even in the case of suspected offenses not directly related to terrorism.
One Web site that users are being advised to visit outlines the Grapevine project, a "secure, anonymous file-storage network" developed by New Zealander and InternetNZ member Stephen Blackheath. The network allows users to remotely store and retrieve files while remaining ignorant of the content or encryption key of any file they host and the original location of any files they retrieve.
A convincing claim to such ignorance in the face of investigators -- "plausible deniability" -- is one of the network's core principles.
Grapevine is functioning but is still a "work in progress", Blackheath says.
Also being suggested is Rubberhose, an encryption scheme which combines two data stores with different encryption keys, compressing the data so it looks as though only the content of one store is present. The key to the less sensitive body of data may then be given away to an investigator as though it were the only one, while the other half of the data remains private.
Rubberhose was originally developed for human rights workers in oppressive regimes, who, the site says, "carry vital data on laptops through the most dangerous situations, sometimes being stopped by military patrols who would have no hesitation in torturing a suspect until he or she revealed a passphrase to unlock the data".
Rubberhose is a reference to a classic instrument of torture.
Links from the two sites mention older legislative instruments such as the European Convention on Cybercrime. This convention, drawn up in 2001 with the assistance of the U.S., Japan and South Africa, provides for encryption-key disclosure and communications interception, citing among the crimes it is designed to deter: interference with computer systems, forgery, fraud, distribution of child pornography, copyright infringement and a vaguely defined category of distributing racist and xenophobic information.
Another connected site refers to Article 5 of the OECD cryptography guidelines: "The fundamental rights of individuals to privacy, including secrecy of communications and protection of personal data, should be respected in national cryptography policies and in the implementation and use of cryptographic methods."