Key disclosure law

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Key disclosure laws, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.

Nations vary widely in the specifics of how they implement key disclosure laws. Some, such as Australia, give law enforcement wide-ranging power to compel assistance in decrypting data from any party. Some, such as Belgium, concerned with self-incrimination, only allow law enforcement to compel assistance from non-suspects. Some require only specific third parties such as telecommunications carriers, certification providers, or maintainers of encryption services to provide assistance with decryption. In all cases, a warrant is generally required.

Theory and countermeasures[edit]

Mandatory decryption is technically a weaker requirement than key disclosure, since it is possible in some cryptosystems to prove that a message has been decrypted correctly without revealing the key. For example, using RSA public-key encryption, one can verify given the message (plaintext), the encrypted message (ciphertext), and the public key of the recipient that the message is correct by merely re-encrypting it and comparing the result to the encrypted message. Such a scheme is called undeniable, since once the government has validated the message they cannot deny that it is the correct decrypted message.[1]

As a countermeasure to key disclosure laws, some personal privacy products such as BestCrypt, FreeOTFE, and TrueCrypt have begun incorporating deniable encryption technology, which enable a single piece of encrypted data to be decrypted in two or more different ways, creating plausible deniability.[2][3] Another alternative is steganography, which hides encrypted data inside of benign data so that it is more difficult to identify in the first place.

A problematic aspect of key disclosure is that it leads to a total compromise of all data encrypted using that key in the past or future; time-limited encryption schemes such as those of Desmedt et al.[1] allow decryption only for a limited time period.

Criticism and alternatives[edit]

Critics of key disclosure laws view them as compromising information privacy, by revealing personal information that may not be pertinent to the crime under investigation, as well as violating the right against self-incrimination and more generally the right to silence, in nations which respect these rights. In some cases, it may be impossible to decrypt the data because the key has been lost, forgotten or revoked, or because the data is actually random data which cannot be effectively distinguished from encrypted data.

A proactive alternative to key disclosure law is key escrow law, where the government holds in escrow a copy of all cryptographic keys in use, but is only permitted to use them if an appropriate warrant is issued. Key escrow systems face difficult technical issues and are subject to many of the same criticisms as key disclosure law; they avoid some issues like lost keys, while introducing new issues such as the risk of accidental disclosure of large numbers of keys, theft of the keys by hackers or abuse of power by government employees with access to the keys. It would also be nearly impossible to prevent the government from secretly using the key database to aid mass surveillance efforts such as those exposed by Edward Snowden. The ambiguous term key recovery is applied to both types of systems.

Legislation by nation[edit]

Antigua and Barbuda[edit]

The Computer Misuse Bill, 2006, Article 21(5)(c), if enacted, would allow police with a warrant to demand and use decryption keys. Failure to comply may incur "a fine of fifteen thousand [East Caribbean] dollars" and/or "imprisonment for two years."[4]

Australia[edit]

The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to" access computer data that is "evidential material"; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months imprisonment. Electronic Frontiers Australia calls the provision "alarming" and "contrary to the common law privilege against self-incrimination."[5]

Belgium[edit]

The Loi du 28 novembre 2000 relative à la criminalité informatique (Law on computer crime of 28 November 2000), Article 9 allows a judge to order both operators of computer systems and telecommunications providers to provide assistance to law enforcement, including mandatory decryption, and to keep their assistance secret; but this action cannot be taken against suspects or their families.[6][7] Failure to comply is punishable by 6 months to 1 year in jail and/or a fine of 130 to 100,000 Euros.

Canada[edit]

Canada implements key disclosure by broad interpretation of "existing interception, search and seizure and assistance procedures";[8] in a 1998 statement, Cabinet Minister John Manley explained, "warrants and assistance orders also apply to situations where encryption is encountered — to obtain the decrypted material or decryption keys."[9]

Finland[edit]

The Coercive Measures Act (Pakkokeinolaki) 1987/450 (as amended by 2007/541) section 4 paragraph 4a[10] requires a specified person to surrender the necessary "passwords and other such information" to the police in order to provide access to information stored on an information system. The suspect and some other specified persons that cannot otherwise be called as witnesses are exempt of this requirement. There is currently a proposal (Government Proposal HE 222/2010 vp[11]) to change this and other related laws, which may result in changes as to how information systems can be searched and accessed.

France[edit]

Loi no 2001-1062 du 15 novembre 2001 relative à la sécurité quotidienne, article 30 (Law #2001-1062 of 15 November 2001 on Community Safety) allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply incurs three years of jail time and a fine of €45,000; if the compliance would have prevented or mitigated a crime, the penalty increases to five years of jail time and €75,000.[12]

India[edit]

Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state governments to compel assistance from any "subscriber or intermediary or any person in charge of the computer resource" in decrypting information.[13][14] Failure to comply is punishable by up to seven years imprisonment and/or a fine.

Poland[edit]

In relatively few known cases in which police or prosecutor requested cryptographic keys from those formally accused and these requests were not fulfilled, no further consequences were imposed on the accused. There's no specific law in this matter, as e.g. in the UK. It is generally assumed that the Polish Criminal Procedure Code (Kodeks Postępowania Karnego Dz.U. 1997 nr 89 poz. 555.) provides means of protecting against self-incrimination, including lack of penalization for refusing to answer any question which would enable law enforcement agencies to obtain access to potential evidence, which could be used against testifying person.[15]

South Africa[edit]

Under the RICA Act of 2002, refusal to disclose a cryptographic key in your possession could result in a fine up to ZAR 2 Million or up to 10 years imprisonment. This requires a judge to issue a decryption direction to a person believed to hold the key.[citation needed]

Sweden[edit]

There are currently no laws that force the disclosure of cryptographic keys. However, there is legislation proposed on the basis that the Council of Europe has already adopted a convention on cyber-crime related to this issue. The proposed legislation would allow police to require an individual to disclose information, such as passwords and cryptographic keys, during searches. The proposal has been introduced to make it easier for police and prosecutors. The proposal has been criticized by The Swedish Data Inspection Board.[16][17]

The Netherlands[edit]

Article 125k of the Wetboek van Strafvordering allows investigators with a warrant to access information carriers and networked systems. The same article allows the district attorney and similar officers of the court to order persons who know how to access those systems to share their knowledge in the investigation, including any knowledge of encryption of data on information carriers. However, such an order may not be given to the suspect under investigation.

United Kingdom[edit]

The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,[18] requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,[19] and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,[20] one of whom was sentenced to 13 months' imprisonment.[21]

United States[edit]

The Fifth Amendment to the United States Constitution protects witnesses from being forced to incriminate themselves, and there is currently no law regarding key disclosure in the United States. However, the federal case In re Boucher may be influential as case law. In this case, a man's laptop was inspected by customs agents and child pornography was discovered. The device was seized and powered-down, at which point disk encryption technology made the evidence unavailable. The judge argued that since the content had already been seen by the customs agents, Boucher's encryption password "adds little or nothing to the sum total of the Government's information about the existence and location of files that may contain incriminating information."[22][23]

In another case, a district court judge ordered a Colorado woman to decrypt her laptop so prosecutors can use the files against her in a criminal case: "I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Colorado U.S. District Judge Robert Blackburn ruled on January 23, 2012.[24] In Commonwealth v. Gelfgatt,[25] the court ordered a suspect to decrypt his computer, citing exception to Fifth Amendment can be invoked because "an act of production does not involve testimonial communication where the facts conveyed already are known to the government...".[26]

However, in United States v. Doe, the United States Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one's laptop violates the Fifth Amendment.[27][28]

The Federal Bureau of Investigation may also issue national security letters that require the disclosure of keys for investigative purposes.[29] One company, Lavabit, chose to shut down rather than surrender its master private keys.

See also[edit]

References[edit]

  1. ^ a b Desmedt, Yvo and Burmester, Mike and Seberry, Jennifer. Equitability in Retroactive Data Confiscation versus Proactive Key Escrow. Florida State University Department of Computer Science 206 Love Building FL 32306-4530 Tallahassee USA. Lecture Notes in Computer Science: Public Key Cryptography, pp.277-286. 2001. (Postscript), (Postscript 2)
  2. ^ Plausible Deniability
  3. ^ TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux - Hidden Volume
  4. ^ Antigua and Barbuda: The Computer Misuse Bill, 2006
  5. ^ Electronic Frontiers Australia. Privacy Laws in Australia: Security / Cybercrime. Retrieved 2010 November 8.
  6. ^ Loi du 28 novembre 2000 relative à la criminalité informatique: Article 9. 2000 November 28. Retrieved 2010 November 9.
  7. ^ Code d'instruction criminelle. Livre II, titre I, Art. 156. 1808 November 19. Retrieved 2010 November 9.
  8. ^ The Digital Economy in Canada: Summary of Canada’s Policy on Cryptography. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.
  9. ^ The Digital Economy in Canada: Speaking Notes for John Manley: Canada's Cryptography Policy. Presentation to the National Press Club, Ottawa. October 1, 1998. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.
  10. ^ Coercive Measures Act (Pakkokeinolaki)
  11. ^ Government Proposal HE 222/2010 vp on revising the acts on coercive measures and investigative powers (Hallituksen esitys eduskunnalle esitutkinta- ja pakkokeinolainsäädännön uudistamiseksi)
  12. ^ Articles 30–31, loi no</sup> 2001-1062 du 15 novembre 2001 relative à la sécurité quotidienne (in French)
  13. ^ Information Technology (Amended) Act, 2008 (PDF); Government of India – Ministry of Law, Justice and Company Affairs (Legislative Department); XI (69) pp. 27–8.
  14. ^ Paper – 6 : Information Systems Control and Audit (PDF) 10 pp. 42–3. Study Material - Final (New) The Institute of Chartered Accountants of India.
  15. ^ Webhosting.pl - W jaki sposób służby mogą uzyskać dostęp do zaszyfrowanych danych
  16. ^ [1]
  17. ^ [2]
  18. ^ Kirk, Jeremy (October 1, 2007). "Contested UK encryption disclosure law takes effect". Washington Post. PC World. Retrieved 2009-01-05. 
  19. ^ Ward, Mark (2007-11-20). "Campaigners hit by decryption law". BBC News. Retrieved 2009-01-05. 
  20. ^ Oates, John (6 October 2010). "Youth jailed for not handing over encryption password". The Register. 
  21. ^ Williams, Christopher (24 November 2009). "UK jails schizophrenic for refusal to decrypt files". The Register. 
  22. ^ "In re Grand Jury Subpoena to Sebastien Boucher, Memorandum of Decision" (PDF). The Volokh Conspiracy. February 19, 2009. Archived from the original on July 16, 2014. Retrieved 2009-08-29. 
  23. ^ McCullagh, Declan (December 14, 2007). "Judge: Man can't be forced to divulge encryption passphrase". CNET. Retrieved October 19, 2014. 
  24. ^ Kravets, David (January 23, 2012). "Judge Orders Defendant to Decrypt Laptop". WIRED. 
  25. ^ Commonwealth v. Gelfgatt (Report). 468. Supreme Judicial Court of Massachusetts. June 25, 2014. p. 512. http://scholar.google.com/scholar_case?q=GELFGATT&hl=en&as_sdt=2006&case=13313310379620456644&scilh=0. Retrieved October 19, 2014.
  26. ^ Farivar, Cyrus (June 26, 2014). "Massachusetts high court orders suspect to decrypt his computers". Ars Technica. Retrieved October 19, 2014. 
  27. ^ Hofmann, Marcia; Fakhoury, Hanni (February 24, 2012). "Appeals Court Upholds Constitutional Right Against Forced Decryption". Electronic Frontier Foundation. Retrieved October 19, 2014. 
  28. ^ Lee, Timothy B. (February 25, 2012). "Appeals court: Fifth Amendment protections can apply to encrypted hard drives". Ars Technica. Retrieved October 19, 2014. 
  29. ^ http://nakedsecurity.sophos.com/2014/01/29/lavabit-appeals-contempt-of-court-ruling-surrounding-handover-of-ssl-keys

Further reading[edit]