Wednesday, October 29, 2008

Unlawful Use of Encryption

I’ve written a few times about encryption issues; those posts were about legal rules that facilitate or restrict your ability to use encryption to protect your data. This post is about something different: making it a crime to use encryption.

Six states – Arkansas, Illinois, Iowa, Minnesota, Nevada and Virginia – have statutes that make the “unlawful use of encryption” a crime. The statutes are relatively new; a couple of them date from 1999, others were adopted between 2001 and 2005 and Illinois’ statute is brand new. It goes into effect on January 1, 2009.

Illinois’ adding such a statute makes me wonder if we will see more states doing the same.

Perhaps because Illinois’ statute is the most recent, it is the most detailed. Since it is the most detailed, I’m going to use it to illustrate what these statutes do; then I’ll speculate a bit about why they’re being adopted and how effective they are likely to be in doing whatever it is they’re supposed to do. So here’s the Illinois statute (sans the boilerplate definitions in section (a)):
(b) A person shall not knowingly use or attempt to use encryption, directly or indirectly, to:

(1) commit, facilitate, further, or promote any criminal offense;
(2) aid, assist, or encourage another person to commit any criminal offense;
(3) conceal evidence of the commission of any criminal offense; or
(4) conceal or protect the identity of a person who has committed any criminal offense.

(c) Telecommunications carriers and information service providers are not liable under this Section, except for willful and wanton misconduct, for providing encryption services used by others in violation of this Section.

(d) A person who violates this Section is guilty of a Class A misdemeanor, unless the encryption was used or attempted to be used to commit an offense for which a greater penalty is provided by law. If the encryption was used or attempted to be used to commit an offense for which a greater penalty is provided by law, the person shall be punished as prescribed by law for that offense.

(e) A person who violates this Section commits a criminal offense that is separate and distinct from any other criminal offense and may be prosecuted and convicted under this Section whether or not the person or any other person is or has been prosecuted or convicted for any other criminal offense arising out of the same facts as the violation of this Section.
720 Illinois Compiled Statutes § 16D-5.5.

(The Arkansas, Minnesota and Nevada statutes are similar, but shorter. The Iowa and Virginia statutes consist of a single sentence, like this: “Any person who willfully uses encryption to further any criminal activity shall be guilty of an offense which is separate . . . from the predicate criminal activity and punishable as a Class 1 misdemeanor.” Virginia Code § 18.2-152.15.)

Let’s begin by parsing what I consider to be the essential provisions of the statute: (b) and (e). Note that section (b) not only makes it a crime to use encryption in committing, aiding and abetting or concealing a crime, it makes it a crime to ATTEMPT to do any of these things.

As I’ve noted before, the primary reason we criminalize attempts – crimes that were, by definition, never actually committed – is to give law enforcement the ability to step in and make an arrest without having to wait until the criminal actually carries out his or her evil plans. How would that work here? I’m having a little difficulty coming up with situations in which law enforcement could step in and arrest you for using encryption in an attempt to commit a crime.
There are two kinds of attempts: In one, police interrupt you before you commit your target crime (murder, theft, etc.); in the other, you do everything you can to commit the crime but fail.

The second category of attempts is known as “impossible” attempts; you fail because something makes it impossible for you to actually inflict the “harm” you tried to inflict. The classic example of that is someone who, say, wants to kill his neighbor (with whom he’s feuding); our perpetrator sneaks over to the neighbor’s house with a rifle, sees the neighbor sitting on the couch and shoots him. The shot would have killed the neighbor had he not died of a heart attack a few hours before; here, the perpetrator did everything he could to commit murder but failed. He can only be charged with an attempt to commit murder.

How would that work with attempts to use encryption to commit a crime? Assume John X works for a government agency that handles classified information; he decides to steal some of the information and sell it to whoever would be willing to buy it (A spy? A terrorist?). He copies what he believes to be classified information onto a thumb drive and encrypts the data to ensure no one can read it when he takes the thumb drive with him on his way home. He puts the thumb drive in his bag as he leaves work; FBI agents arrest him on his way out. What he doesn’t know is that the FBI has been suspicious of him for some time, and the “classified information” on the thumb drive is, in fact, not classified. He therefore can’t be charged with stealing classified information; he is charged with attempting to steal classified information AND with using encryption in his attempt to commit that crime.

Does that make sense? Does anyone have a better example of what the “use of encryption in an attempt to commit a crime” offense might encompass? (I am not, by the way, even going to attempt to parse out what “indirectly using encryption in an attempt to commit a crime” might mean. I have neither the space nor the patience to do that here; maybe another time.)

I can see how the attempt option might apply to concealing a crime. Here’s an example: You encrypt your hard drive to keep police from finding the child pornography you then download onto it. Officers show up with warrants, arrest you and seize your computer. They find the encryption key, search the hard drive and find the child pornography. Your goal was to use encryption to conceal the commission of the crime of possessing child pornography; you didn’t succeed, so you could be charged with attempting to use it for that purpose.

I can also see how the option of using encryption in an attempt to aid and abet the commission of a crime might work. Assume you and I are old friends; you’re broke and I work in a bank. You ask me to help you rob the bank; you want me to get you codes you can use, say, to access the bank vault at a time when it is not normally open. I agree. So over the course of a couple of workdays I locate and copy the codes; I save them in an encrypted file and email the file to you.

Unfortunately for us, I send it to the wrong email address; I send it to your old email address, the one you and your former husband (with whom you are involved in a very contentious divorce) use. He gets the email, figures out what we’re up to, goes to the police and turns us in. I did my best to aid and abet your robbing the bank, but I failed. So I could be charged with using encryption in an attempt to aid and abet bank robbery, as well as with an attempt to aid and abet the robbery.

That brings me to the other notable aspect of the Illinois statute (and the other, similar statutes): section (e). It reiterates what I would argue is already clearly established: The “unlawful use of encryption” crime is a crime separate and distinct from other crimes; I think the purpose of this provision is to make it clear that this crime doesn’t merge into a completed substantive crime.

Some crimes merge, others do not. An attempt to commit a crime (murder, say) merges into the completed crime (murder) because an attempt has fewer elements and inflicts less “harm” than the completed crime the attempt was trying to achieve. So you cannot be charged with both (i) attempt to commit murder and (ii) committing murder if you kill someone. You can only be charged with murder; the attempt merges into the completed crime.

Section (e) of the Illinois statute (and comparable provisions in the other state statutes) is apparently intended to make it very clear that if you use encryption to commit, abet or conceal a crime, that becomes an additional charge that can be brought against you. I assume it is intended to underscore the fact that using encryption ratchets up the liability and penalties you face if you are apprehended and prosecuted.

All this is speculation because I can’t find any cases in which someone was charged with violating one of these statutes. The Illinois statute hasn’t gone into effect yet, so it obviously hasn’t been used, but some of the statutes are nearly a decade old. You’d think someone would have been prosecuted under one of them by now. Maybe the lack of prosecutions to date is due to people’s – criminals’ and aspiring criminals’ – not using encryption. I suspect that will change, if it has not already changed.

One more scenario before I quit: I did a post last year about a district court’s holding that a man could take the 5th Amendment and refuse to give up his encryption key. The man’s laptop was seized when he crossed the U.S.-Canadian border. Federal agents suspected there was child pornography on the laptop, but its hard drive was encrypted. So, the man can take the 5th Amendment and refuse to give them the key, which means they can’t access the files to confirm that child pornography is on the laptop. They know he encrypted his hard drive, which MAY contain child pornography. If they had access to a statute like the Illinois statute, could prosecutors charge him with using encryption to conceal his possession of child pornography?

The answer is no: If they have probable cause to believe there’s child pornography on the hard drive, prosecutors could charge him; but unless they can get into the hard drive, they would not be able to prove beyond a reasonable doubt that he actually used encryption to conceal his possession of child pornography. There would, therefore, be no point in charging him.

I came up with that scenario when I was trying to figure out if these “unlawful use of encryption” statutes would give prosecutors a way to go after someone who has encrypted evidence or contraband (something it is a crime to possess). By encrypting the evidence or contraband, she has effectively prevented the state from being able to use that data to prosecute her for a substantive crime (child pornography, terrorism, fraud). The prosecution can prove beyond any reasonable doubt that she encrypted the data; the problem, insofar as using the “unlawful use of encryption” laws is concerned, is that the prosecution suspects – but cannot prove – that the encrypted data proves she committed, attempted to commit, abetted, attempted to abet, concealed or attempted to conceal the commission of a crime.
