Tuesday, December 26, 2006

Give Up Your Encryption Key or Go to Jail

I've been reading about the British government’s plans to implement a provision of the Regulation of Investigatory Powers Act (or RIPA).

RIPA was enacted in 2000, but the government has held off on implementing Part III of the Act. Under British law, Part III must be activated by a ministerial order before it goes into effect.

Part III of RIPA gives police the authority to order someone to give their encryption key to the police. If the person refuses to hand over the key, it is a crime.

Section 53 of RIPA makes it an offense, punishable by up to two years in prison, to knowingly refuse to surrender an encryption key after having been directed to do so by police.

The only defense the person can raise under the provisions of RIPA is that they did not have the key at the time they were ordered to turn it over. If they raise that defense, then the prosecution has to prove beyond a reasonable doubt that they did, in fact, have the key when they were ordered to produce it.

The possibility the British government will implement Part III apparently has many concerned, especially, according to one article, those in the financial industry. The author of that article quotes various sources as saying that bankers and others in the financial industry would be concerned about bringing master encryption keys into the United Kingdom, for fear they would be seized by police, for whatever reason.

Under Part III of RIPA, to get an order requiring disclosure of an encryption key police only need believe “on reasonable grounds” that the key is in the possession of a specific person and that its disclosure is “necessary” (i) in “the interests of national security,” (ii) “for the purpose of preventing or detecting crime” or (iii) “in the interests of the economic well-being of the United Kingdom.” (I assume (iii) goes to investigating possible economic espionage.)

The British police claim they need the ability to require the production of encryption keys to be able to effectively investigate terrorism, child abuse and other serious crimes. One detective was quoted as saying police had “over 200 PCs” containing encrypted data “sitting in property cupboards,” the inference being that the encrypted data includes evidence of crimes (or terrorism). So, police argue that unless they have the power to obtain encryption keys any clever criminal or terrorist can stymie an investigation by encrypting critical evidence.

There is no statutory analogue of Part III of RIPA in the United States, for what I think is a very good reason: the Fifth Amendment privilege against self-incrimination. The Fifth Amendment protects individuals (not corporations or other artificial entities) from being “compelled” to be a “witness against” themselves. The Supreme Court has construed this as meaning that you cannot be compelled to testify against yourself, but you can be compelled to give up physical evidence – samples of your blood, hair, etc.

The Supreme Court’s reasoning is that witnesses “testify,” so the historical meaning of the Fifth Amendment is rather narrow: You can’t be forced to testify against yourself, but you can be forced to cooperate with an investigation as long as you don’t have to testify.

In the U.S., police have no way to force someone to give up an encryption key – they can ask for it, but if the person refuses to give up the key, that’s that. A prosecutor can, however, use a grand jury subpoena (state or federal) to compel someone to give up an encryption key. If the person does not give up the key in compliance with the subpoena, they will be held in civil contempt and incarcerated until they do. (Think Judith Miller, the NY Times reporter who refused to identify a source when ordered to by a grand jury, and who then served time in jail for contempt.)

Could you take the Fifth and refuse to give up your encryption key if a grand jury issued a subpoena ordering you to do so? You can if giving up the key is “testimony,” but you can’t if it’s only the act of producing physical evidence (like handing over a gun).

If you have memorized the key (which is unlikely), then providing it to law enforcement should clearly be testimony. The dynamic would be as follows: The grand jury issues a subpoena ordering you to appear before the grand jury and give them the key. You show up on the date and time ordered. The prosecutor asks you what the key is and you recite it. I don’t think anyone would dispute that this would be testimony, which means you could invoke the Fifth and refuse to comply.

But what if, as is far more likely, you have recorded the very long and complicated key somewhere? Now instead of reciting it you’d be handing it over. That could be dicey. Under the Supreme Court’s interpretation of the Fifth Amendment privilege, you can take the Fifth for the act of handing over evidence to the government if, in doing so, you “tell” them something they don’t know. You can’t take the Fifth if they already know you have the thing; here, you’re not “telling” them anything.

Much as I’d like to say that you could take the Fifth and refuse to hand over the recorded key, I’m not sure that’s true. The government wouldn’t be asking for it if they didn’t know it existed and didn’t know you have it . . . so it doesn’t seem you tell them much if you hand it over. Now, I suppose you could argue that you do “tell” them something, in that you give them the data – the characters – that constitute the key. A prosecutor would respond to that argument by pointing out that you already “testified” to that information when you recorded it – you’re not, as in the previous instance, being asked to “speak” the information. You’re merely being asked to hand over information you wrote – information you “spoke” – at an earlier time. If a court buys that argument, then we would have, in effect, the same result in the U.S. as will exist if and when Part III of RIPA goes into effect in Britain.

It’s a very difficult set of issues. On the one hand, encryption is an essential component in preserving privacy in an increasingly automated world. On the other hand, what the British police said is quite true: criminals and terrorists can use encryption to put data outside the reach of law enforcement.

This may be a transient issue. I understand U.S. intelligence agencies are able to break even very sophisticated encryption. If and when that ability migrates to local police, they won’t need the power to coerce someone into giving up their encryption key . . . at least not unless and until someone comes up with a mode of encryption that cannot be broken or with some other way of securing data in an unbreakable way.

1 comment:

Anonymous said...

What do you think of
http://law.richmond.edu/jolt/v2i1/sergienko.html ?

Why do you think US intelligence agencies can break modern encryption? What were the escrow policy wars of the 1990s about if they could?