I think a good strategy for anyone who may potentially have to go through this situation is to roll your own encryptor/encoder to combine several sets of data into a single dataset, and having multiple keys associated with it. Depending on which key you use, you will get a different output. From the outside it will look like a simple way to disguise an already encrypted dataset.
I was thinking the same thing. It'd be really nice to get some of TrueCrypt's functionality worked into the more popular Linux distributions. Full disk encryption is dead simple, but I'm not familiar with efforts to include more sophisticated crypto functionality. Anyone care to enlighten me?
Or maybe they should have a feature in TrueCrypt to allow "Fake Keys". You use your actual keys to unlock your data. You use fake keys to see pics of Britney Spears.
Well if that feature is well known, that defeats the purpose. It will only work if you roll your own implementation of it (security through obscurity a bit).
How does it defeat the purpose? If an encrypted volume can have any number of stored "divisions," each with a different key, how can they prove that you're holding out on them once you've given them N keys? They know there's a possibility that you may have something extra hidden in the file, but that's not the same thing at all as knowing that there's definitely a file that you refuse to decrypt.
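A minimal multi-key container of the kind the two comments above describe (several payloads in one file, each unlocked by a different key), added here as an illustration; it is not TrueCrypt's format or code from the thread. It uses only Python's standard library: PBKDF2 for key derivation, an HMAC-SHA256 counter keystream for encryption and an HMAC tag to recognise the right slot. Every slot has the same size and unused slots hold random bytes, so the file itself does not reveal how many keys exist.

```python
import hashlib
import hmac
import secrets

SLOTS = 4                              # fixed slot count, independent of how many are used
SALT_LEN, TAG_LEN, BODY_LEN = 16, 32, 128
SLOT_LEN = SALT_LEN + TAG_LEN + BODY_LEN


def _keys(password: bytes, salt: bytes):
    """Derive a 32-byte encryption key and a 32-byte MAC key from a password."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, salt: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a simple stream cipher (demo only)."""
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(enc_key, salt + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _seal(password: bytes, data: bytes) -> bytes:
    if len(data) > BODY_LEN - 2:
        raise ValueError("payload too large for one slot")
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _keys(password, salt)
    body = len(data).to_bytes(2, "big") + data
    body += secrets.token_bytes(BODY_LEN - len(body))      # random padding to fixed size
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, salt, BODY_LEN)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def build_container(payloads: dict) -> bytes:
    """payloads maps password -> bytes. Empty slots are filled with random bytes."""
    if len(payloads) > SLOTS:
        raise ValueError("too many payloads")
    slots = [_seal(pw, d) for pw, d in payloads.items()]
    slots += [secrets.token_bytes(SLOT_LEN) for _ in range(SLOTS - len(slots))]
    secrets.SystemRandom().shuffle(slots)   # slot position carries no information either
    return b"".join(slots)


def open_container(container: bytes, password: bytes):
    """Return the payload whose slot accepts this password, or None."""
    for i in range(SLOTS):
        slot = container[i * SLOT_LEN:(i + 1) * SLOT_LEN]
        salt, tag, ct = slot[:SALT_LEN], slot[SALT_LEN:SALT_LEN + TAG_LEN], slot[SALT_LEN + TAG_LEN:]
        enc_key, mac_key = _keys(password, salt)
        if hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, hashlib.sha256).digest()):
            body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, salt, BODY_LEN)))
            n = int.from_bytes(body[:2], "big")
            return body[2:2 + n]
    return None
```

With two passwords stored, each one opens only its own payload and any other password opens nothing; the container is the same length whether one, two or four slots are in use.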
how can they prove that you're holding out on them
They'll bring in a forensic investigator, who will explain to the judge/jury that TrueCrypt has a feature designed to be used by criminals to subvert the judicial process. Then, he will present the results of his investigation, which will show your drive to be consistent with you using that "plausible deniability" thing. Then, he will introduce external evidence that says you almost certainly have, I don't know, kiddie porn -- look, we can prove he downloaded it, here are the ISP logs, and here are the 47 intercepted posts which use the same nickname he used for his online banking, and here is the previous complaint against him for lascivious comments made to a young lady on Facebook.
That will probably be good enough to convict you of possession. Circumstantial, yes, but so are most convictions.
I guess what would really be necessary is for all operating systems to build in plausible deniability by default. Then there wouldn't be a "circumstance" for the circumstantial evidence to pertain to, since there would be no way to have a computer without the possibility of there being something permanently hidden inside it.
As far as I'm aware, there's no external difference between a normal TrueCrypt volume and one with a hidden volume. If you could find further evidence (like download records) you could convict them using that evidence, but I doubt you'd be able to convict anyone if all you had was a hunch that they were using a hidden volume.
The fact that the UK government has a Chief Surveillance Commissioner alone speaks volumes. I wonder when they'll introduce the Ministry of Truth - it can only be a matter of time.
Given that the UK doesn't have a constitution, it clearly can't have amendments, hence can't have a 5th amendment.
IANAL, but I believe there is no legal defence concerning self-incrimination, but you do generally have the right to remain silent. Doing so, however, now allows the court to draw conclusions from your silence.
Some years ago, for example, the warning given to suspects when arrested changed to: "You do not have to say anything, but it may hurt your defence if you do not mention something you later rely upon in court."
The UK _does_ have a constitution -- but according to a barrister of my acquaintance it consists of thirty-one separate acts of parliament. (Think of it as a distributed legal kernel rather than a monolithic one. Oh, and the acts can be revised/amended by parliament without needing a constitutional convention or equivalent.)
There's no actual fifth amendment equivalent, but there _is_ a bill of rights (at least, since 1998). RiderOfGiraffes is exactly right about silence being a factor that can be drawn to the attention of a jury ...
On the subject of the bits of the Regulation of Investigatory Powers Act (2002) that make failure to hand over encryption keys an imprisonable offense, it's worth noting that an order to hand them over has first to be made in the process of a criminal investigation. If someone has encrypted data and refuses to hand over the keys despite facing a maximum 5-year prison term, then it's reasonable to presume that they consider the data to be so incriminating that they'd pull a _longer_ sentence if they decrypted it. I believe (but am not certain -- the powers have been used so rarely that there's little to go on) that a plausible explanation of why the keys are unavailable ("I generated a PGP keychain in 1996 out of curiosity, but I lost interest and stopped using it, and that was twelve PCs ago") would probably work in court (in the absence of evidence contradicting it).
The court can draw inferences from your silence, but generally there would need to be further external evidence (circumstantial, hearsay etc) for those inferences to mean anything.
Unfortunately in this case, the offence is complete when you don't say anything (don't give up the key(s)).
And just for completeness, the caution in the UK is:
"You do not have to say anything, but it may harm your defence if you do not mention, when questioned, something which you later rely on in court. Anything you do say may be given in evidence."
There was always a presumption of innocence which like a lot of classical rights has not been transferred to the digital realm. You do not have to say anything but your silence may be presumed as acknowledgement of your guilt.
It does have similar protections. If not by UK law, then by EU law. The 5th would not save you, though. See the similar discussion in the duplicate: http://news.ycombinator.com/item?id=756774
A decoy, in simple terms.