John, I am not a lawyer ("but I play one on the Internet"). However, I
am an associate member of the American Bar Association's Information
Security Committee, and I raised exactly that question on that list.
(Please don't shoot the messenger for what follows. Philosophically, I
tend to belong to the Charlton Heston school of key management - "You'll
get my keys when you pry them from my cold, dead hands.")
But Virginia already has a law that compels the production of a key on
demand, and apparently, several other states do as well. And in
Virginia, at least, the refusal to hand over the key is in and of itself
a separate crime, so even if they can't convict you of the alleged act
itself, they can convict you of the second crime. And if they do get a
conviction of the first allegation without your cooperation, the refusal
to turn over the key might be considered "aggravating circumstances"
with even more time added on.
Now, does this violate the Fourth Amendment? One might think or hope
so, but perhaps not.
The legal argument is that disclosing a key is not in and of itself
"testimony," as it is simply a bunch of random bits. The fact that it
may enable the police to access something that you might prefer to keep
secret is irrelevant (according to this argument).
There is one possible exception, and that would be if the key itself WERE
testimonial in nature and self-incriminating as well. As a result, if
your key were something like "I hereby confess to the crime of omitting
my poker winnings on my income tax return" and you could convince the
judge that disclosing the key itself would be incriminating, you might
get away with not having to turn over the key.
The danger, of course, is that the prosecutor will say to the jury, "Not
only did the defendant commit the crime we are charging him with, as we
will prove by circumstantial and other evidence, but he has apparently
confessed to having committed yet another crime as well!"
Unfortunately, there is still an all too common presumption that only
bad guys have anything to hide that requires strong encryption. (This
reminds me a little of trial by drowning of witches. If the person
really wasn't a witch, then "Oops" and we trust that God will sort
things out on the other side.)
This presumption may be changing - the mere possession of encryption
technology (similar to the possession of burglary tools such as
lock-picks) may no longer be proof of evil intent or actions, because
even innocent people need to protect their data against identity
thieves. Nonetheless, the "He must be guilty, otherwise why won't he
disclose the keys" kind of logic is likely to be very persuasive to most
juries.
Of course, there is still the "I forgot" option. (It seems to work for
Presidents and other major figures.) But now there is another serious
risk, and that is perjury. If the prosecutor can prove that you knew
and used the key just last night, your claim that you can't remember it
today is likely to ring hollow. And now you are at risk of "three
strikes and you're out."
It would be interesting to consider what would happen if the defendant
used a hardware token to protect the key, and then were to "lose" the
token, e.g., in the ocean, when it appears that the cops are onto him.
Don't do that after having been subpoenaed, however - deliberate
destruction of evidence is called spoliation, and is a serious crime
itself.
Finally, it is my understanding that the Fourth Amendment only applies
to natural persons, and not companies or other organizations.
I hope this is helpful. If so, please let me know where to send my
legal bill!
Bob
Robert Jueneman
Message: 1
Date: Mon, 1 Oct 2007 17:00:06 -0500
From: "John Washburn" <[EMAIL PROTECTED]>
Subject: Re: [FDE] Contested UK encryption disclosure law takes effect
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"
Would this be prevented in the USA because of the fourth and fifth
amendments of the current US Constitution?
My theory (untested in the courts) is that providing decryption keys
would be providing testimony. This is because the government is asking
you to say something, write something, or otherwise communicate
information to the investigators. Forcing testimony you consider
self-incriminating is prohibited by the fifth amendment.
The analogy is my shed in the back yard which is locked by a combination
lock and the police have presented me with a valid, judge-signed search
warrant. I am under no obligation to unlock the shed nor can I be
compelled to recite the lock combination. If the police want to search,
fine, they can get out the bolt cutters and search the shed named in the
warrant.
This is analogous to when the search warrant calls for the seizure of my
hard disk and the data therein. I am under no obligation to decrypt the
data nor am I under any obligation to recite the decryption key. Let the
police use the access technology and programs (electronic version of
bolt cutters) on the market to access the hard disk named in the warrant.
But, as I said earlier this theory is untested by the 9 demi-gods in
black dresses, so relying on the protection that their interpretation of
the fifth amendment is substantially similar to mine is a dicey
proposition at best.
BTW, did you notice in the article that Blackberry seems to be the only
internet PDA device which routinely encrypts your email traffic while
the message is en route? Do the section 49 directives only target
Blackberry because the other PDA software (e.g. iPhone, eMailMan, etc.)
send your email traffic in the clear so all the police need to do is go
to your ISP for the emails of interest?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Saqib Ali
Sent: Monday, October 01, 2007 12:58 PM
To: [email protected]
Subject: [FDE] Contested UK encryption disclosure law takes effect
British law enforcement gained new powers on Monday to compel
individuals and businesses to decrypt data wanted by authorities for
investigations.
......
Failure to comply could mean a prison sentence of up to two years for
cases not involving national security or five years for those that do.
Read the entire story at:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde