Key disclosure law: Difference between revisions

Key disclosure laws, also known as mandatory key disclosure, is legislation that require individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.

Nations vary widely in the specifics of how they implement key disclosure laws. Some, such as Australia, give law enforcement wide-ranging power to compel assistance in decrypting data from any party. Some, such as Belgium, concerned with self-incrimination, only allow law enforcement to compel assistance from non-suspects. Some require only specific third parties such as telecommunications carriers, certification providers, or maintainers of encryption services to provide assistance with decryption. In all cases, a warrant is generally required.

Theory and countermeasures

Mandatory decryption is technically a weaker requirement than key disclosure, since it is possible in some cryptosystems to prove that a message has been decrypted correctly without revealing the key. For example, using RSA public-key encryption, one can verify given the message (plaintext), the encrypted message (ciphertext), and the public key of the recipient that the message is correct by merely re-encrypting it and comparing the result to the encrypted message. Such a scheme is called undeniable, since once the government has validated the message they cannot deny that it is the correct decrypted message.^[1]

As a countermeasure to key disclosure laws, some personal privacy products such as BestCrypt, FreeOTFE, and TrueCrypt have begun incorporating deniable encryption technology, which enable a single piece of encrypted data to be decrypted in two or more different ways, creating plausible deniability.^[2][3] Another alternative is steganography, which hides encrypted data inside of benign data so that it is more difficult to identify in the first place.

A problematic aspect of key disclosure is that it leads to a total compromise of all data encrypted using that key in the past or future; time-limited encryption schemes such as those of Desmedt et al.^[1] allow decryption only for a limited time period.

Criticism and alternatives

Critics of key disclosure laws view them as compromising information privacy, by revealing personal information that may not be pertinent to the crime under investigation, as well as violating the right against self-incrimination and more generally the right to silence, in nations which respect these rights. In some cases, it may be impossible to decrypt the data because the key has been lost, revoked, or because the data is actually random data which cannot be effectively distinguished from encrypted data.

A proactive alternative to key disclosure law is key escrow law, where the government holds in escrow a copy of all cryptographic keys in use, but is only permitted to use them if an appropriate warrant is issued. Key escrow systems face difficult technical issues and are subject to many of the same criticisms as key disclosure law; they avoid some issues like lost keys, while introducing new issues such as the risk of accidental disclosure of large numbers of keys. The ambiguous term key recovery is applied to both types of systems.

Legislation by nation

Antigua and Barbuda

The Computer Misuse Bill, 2006, Article 21(5)(c), if enacted, would allow police with a warrant to demand and use decryption keys. Failure to comply may incur "a fine of fifteen thousand [East Caribbean] dollars" and/or "imprisonment for two years."^[4]

Australia

The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to" access computer data that is "evidential material"; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months imprisonment. Electronic Frontiers Australia calls the provision "alarming" and "contrary to the common law privilege against self-incrimination."^[5]

Belgium

The Loi du 28 novembre 2000 relative à la criminalité informatique (Law on computer crime of 28 November 2000), Article 9 allows a judge to order both operators of computer systems and telecommunications providers to provide assistance to law enforcement, including mandatory decryption, and to keep their assistance secret; but this action cannot be taken against suspects or their families.^[6][7] Failure to comply is punishable by 6 months to 1 year in jail and/or a fine of 130 to 100,000 Euros.

Canada

Canada implements key disclosure by broad interpretation of "existing interception, search and seizure and assistance procedures";^[8] in a 1998 statement, Cabinet Minister John Manley explained, "warrants and assistance orders also apply to situations where encryption is encountered — to obtain the decrypted material or decryption keys."^[9]

Finland

The Coercive Measures Act (Pakkokeinolaki) 1987/450 (as amended by 2007/541) section 4 paragraph 4a^[10] requires a specified person to surrender the necessary "passwords and other such information" to the police in order to provide access to information stored on an information system. The suspect and some other specified persons that cannot otherwise be called as witnesses are exempt of this requirement. There is currently a proposal (Government Proposal HE 222/2010 vp^[11]) to change this and other related laws, which may result in changes as to how information systems can be searched and accessed.

France

Loi n°2001-1062 du 15 novembre 2001 relative à la sécurité quotidienne (Law #2001-1062 of 15 November 2001 on Community Safety), Article 30 allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply incurs three years of jail time and a fine of €45,000; if the refusal would have prevented or mitigated a crime, the penalty increases to five years of jail time and €75,000.^[12]

India

Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state governments to compel assistance from any "subscriber or intermediary" in decrypting information.^[13] Failure to comply is punishable by up to seven years imprisonment and/or a fine.

The Netherlands

Article 125k of the Wetboek van Strafvordering allows investigators with a warrant to access information carriers and networked systems. The same article allows the district attorney and similar officers of the court to order persons who know how to access those systems to share their knowledge in the investigation, including any knowledge of encryption of data on information carriers. However, such an order may not be given to the suspect under investigation.

United Kingdom

The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,^[14] requires persons to supply decrypted information and/or keys to government representatives. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,^[15] and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,^[16] one of whom was sentenced to 13 months' imprisonment.^[17]

United States

The Fifth Amendment to the United States Constitution protects witnesses from being forced to incriminate themselves, and there is currently no law regarding key disclosure in the United States. However, the federal case In re Boucher may be influential as case law. In this case, a man's laptop was inspected by customs agents and child pornography was discovered. The device was seized and powered-down, at which point disk encryption technology made the evidence unavailable. The judge argued that since the content had already been seen by the customs agents, Boucher's encryption password "adds little or nothing to the sum total of the Government's information about the existence and location of files that may contain incriminating information."^[18]

In another case a appeals courth 10th circuit judge ordered a Colorado woman to decrypt her laptop so prosecutors can use the files against her in a criminal case: “I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled on January 23, 2012.^[19]

In United States v. Doe a federal appeals court 11th circuit ruled on feb 24 2012 that forcing decryption of ones laptop violates fifth amendment.^[20][21]

The difference between two rulings is In previous cases, the courts have held that when the government already knows of the existence of specific incriminating files, compelling a suspect to produce them does not violate the Fifth Amendment's rule against self-incrimination. On the other hand, if the government merely suspects that an encrypted hard drive contains some incriminating documents, but lacks independent evidence for the existence of specific documents, then the owner of the hard drive is entitled to invoke the Fifth Amendment. In the Colorado case, the police had intercepted a telephone conversation in which the defendant, Ramona Fricosu, acknowledged her ownership of the laptop and alluded to the existence of incriminating documents in the encrypted portions of the hard drive. The government successfully argued that this precluded her from claiming Fifth Amendment protection, since she had already acknowledged the existence of incriminating documents in the case. The Tenth Circuit let that decision stand on Wednesday, though it may consider the issue again later in the process.

In the Florida case, on the other hand, the government lacked any specific evidence about the contents of the encrypted hard drives. A forensic expert acknowledged it was theoretically possible that the drives, which were encrypted using TrueCrypt, could be completely empty. Hence, forcing the suspect to decrypt the drive would be forcing him to reveal whether any relevant documents exist, which would be inherently incriminating.

See also

• Deniable encryption

References

1. Desmedt, Yvo and Burmester, Mike and Seberry, Jennifer. Equitability in Retroactive Data Confiscation versus Proactive Key Escrow. Florida State University Department of Computer Science 206 Love Building FL 32306-4530 Tallahassee USA. Lecture Notes in Computer Science: Public Key Cryptography, pp.277-286. 2001. (Postscript), (Postscript 2)
2. Plausible Deniability
3. TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux - Hidden Volume
4. Antigua and Barbuda: The Computer Misuse Bill, 2006
5. Electronic Frontiers Australia. Privacy Laws in Australia: Security / Cybercrime. Retrieved 2010 November 8.
6. Loi du 28 novembre 2000 relative à la criminalité informatique: Article 9. 2000 November 28. Retrieved 2010 November 9.
7. Code d'instruction criminelle. Livre II, titre I, Art. 156. 1808 November 19. Retrieved 2010 November 9.
8. The Digital Economy in Canada: Summary of Canada’s Policy on Cryptography. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.
9. The Digital Economy in Canada: Speaking Notes for John Manley: Canada's Cryptography Policy. Presentation to the National Press Club, Ottawa. October 1, 1998. Industry Canada. Last modified 2009-02-11. Retrieved 2010 November 19.
10. Coercive Measures Act (Pakkokeinolaki)
11. Government Proposal HE 222/2010 vp on revising the acts on coercive measures and investigative powers (Hallituksen esitys eduskunnalle esitutkinta- ja pakkokeinolainsäädännön uudistamiseksi)
12. Loi n°2001-1062 du 15 novembre 2001 relative à la sécurité quotidienne. Articles 30-31. NOR: INTX0100032L. Version consolidée au 14 mai 2009. Accessed 2010 November 11.
13. The Institute of Chartered Accountants of India. Chapter 10: Information Technology (Amended) Act, 2008. Paper – 6 : Information Systems Control and Audit. Study Material - Final (New). Accessed 2010 November 19.
14. Kirk, Jeremy (October 1, 2007). "Contested UK encryption disclosure law takes effect". Washington Post. PC World. Retrieved 2009-01-05.
15. Ward, Mark (2007-11-20). "Campaigners hit by decryption law". BBC News. Retrieved 2009-01-05.
16. http://www.theregister.co.uk/2010/10/06/jail_password_ripa/
17. http://www.theregister.co.uk/2009/11/24/ripa_jfl
18. "In re Grand Jury Subpoena to Sebastien Boucher, Memorandum of Decision" (PDF). The Volokh Conspiracy. February 19, 2009. Retrieved 2009-08-29.
19. "Judge Orders Defendant to Decrypt Laptop". January 23, 2012.
20. https://www.eff.org/press/releases/appeals-court-upholds-constitutional-right-against-forced-decryption
21. http://arstechnica.com/tech-policy/news/2012/02/appeals-court-fifth-amendment-protections-can-apply-to-encrypted-hard-drives.ars

Further reading

• Bert-Jaap Koops. Bert-Jaap Koops homepage: Crypto Law Survey: Overview per country. Version 26.0. Universiteit van Tilburg. July 2010.
• Palfreyman, Brendan M. (2009). "Lessons from the British and American Approaches to Compelled Decryption". Brooklyn Law Review. 75 (1): 345.