Robert:

You are correct. I must point out that just because Virginia has a statute that does not make the statute constitutional (and thus Law) under either the Virginia Constitution (Section 8) or the US Constitution (Amendment 5).

Here are competing theories on this:

The US DOJ thinks (http://www.cybercrime.gov/cryptfaq.htm#16c) your crypto key is not "testimonial" and, thus, not protected by the Fifth Amendment to the US Constitution.

Mr. Sergienko disagrees in this Law Journal article and backs up (http://law.richmond.edu/jolt/v2i1/sergienko.html) his analysis with case law citations the DOJ paper lacks. Sergienko's position is that your crypto keys are testimonial (protected) because the keys are both communicative (makes gibberish sensible) and can be used for authentication (must be your document because you have the key to it). His opinion is either property (communicative or authenticating) makes an utterance testimonial.

Both (US DOJ and Sergienko) though agree that the matter rests squarely on the testimonial, compelled, and incriminating nature of the plain text recovered.

But, as I said earlier, neither theory (DOJ nor Sergienko's) has been tested before by the Supremes of either Virginia or the USA. So relying on the fifth amendment or Section 8 for protection is dicey at best and certain to take years to resolve. In the meantime, you are in a Virginia prison.

The simple answer is this matter will not be settled until some person decides to be the 21st century "Man for All Seasons" (http://www.imdb.com/title/tt0060665/) and suffer significant privation at the hands of the empire for not disclosing his crypto keys. I am sure I don't want to be the guy who sticks his arm into that gear works nor could I in good conscience recommend anyone else does it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert Jueneman
Sent: Thursday, October 04, 2007 11:57 AM
To: [email protected]
Subject: [FDE] Compelling key disclosure

John,

I am not a lawyer ("but I play one on the Internet"). However, I am an associate member of the American Bar Association's Information Security Committee, and I raised exactly that question on that list.

(Please don't shoot the messenger for what follows. Philosophically, I tend to belong to the Charlton Heston school of key management - "You'll get my keys when you pry them from my cold, dead hands.")

But Virginia already has a law that compels the production of a key on demand, and apparently, several other states do as well. And in Virginia, at least, the refusal to hand over the key is in and of itself a separate crime, so even if they can't convict you of the alleged act itself, they can convict you of the second crime. And if they do get a conviction of the first allegation without your cooperation, the refusal to turn over the key might be considered "aggravating circumstances" with even more time added on.

Now, does this violate the Fourth Amendment? One might think or hope so, but perhaps not. The legal argument is that disclosing a key is not in and of itself "testimony," as it is simply a bunch of random bits. The fact that it may enable the police to access something that you might prefer to keep secret is irrelevant (according to this argument).

There is one possible exception, and that would be if the key itself WERE testimonial in nature and self-incriminating as well. As a result, if your key were something like "I hereby confess to the crime of omitting my poker winnings on my income tax return" and you could convince the judge that disclosing the key itself would be incriminating, you might get away with not having to turn over the key. The danger, of course, is that the prosecutor will say to the jury, "Not only did the defendant commit the crime we are charging him with, as we will prove by circumstantial and other evidence, but he has apparently confessed to having committed yet another crime as well!"

Unfortunately, there is still an all too common presumption that only bad guys have anything to hide that requires strong encryption. (This reminds me a little of trial by drowning of witches. If the person really wasn't a witch, then "Oops" and we trust that God will sort things out on the other side.) This presumption may be changing - the mere possession of encryption technology (similar to the possession of burglary tools such as lock-picks) may no longer be proof of evil intent or actions, because even innocent people need to protect their data against identity thieves. Nonetheless, the "He must be guilty, otherwise why won't he disclose the keys" kind of logic is likely to be very persuasive to most juries.

Of course, there is still the "I forgot" option. (It seems to work for Presidents and other major figures.) But now there is another serious risk, and that is perjury. If the prosecutor can prove that you knew and used the key just last night, your claim that you can't remember it today is likely to ring hollow. And now you are at risk of "three strikes and you're out."

It would be interesting to consider what would happen if the defendant used a hardware token to protect the key, and then were to "lose" the token, e.g., in the ocean, when it appears that the cops are onto him. Don't do that after having been subpoenaed, however - deliberate destruction of evidence is called spoliation, and is a serious crime itself.

Finally, it is my understanding that the Fourth Amendment only applies to natural persons, and not companies or other organizations.

I hope this is helpful. If so, please let me know where to send my legal bill!

Bob

Robert Jueneman

Message: 1
Date: Mon, 1 Oct 2007 17:00:06 -0500
From: "John Washburn" <[EMAIL PROTECTED]>
Subject: Re: [FDE] Contested UK encryption disclosure law takes effect
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Would this be prevented in the USA because of the fourth and fifth amendments of the current US Constitution?

My theory (untested in the courts) is that providing decryption keys would be providing testimony. This is because the government is asking you to say something, write something, or otherwise communicate information to the investigators. Forcing testimony you consider self-incriminating is prohibited by the fifth amendment.

The analogy is my shed in the back yard which is locked by a combination lock and the police have presented me with a valid, judge-signed search warrant. I am under no obligation to unlock the shed nor can I be compelled to recite the lock combination. If the police want to search fine, they can get out the bolt cutters and search the shed named in the warrant.

This is analogous to when the search warrant calls for the seizure of my hard disk and the data therein. I am under no obligation to decrypt the data nor am I under any obligation to recite the decryption key. Let the police use the access technology and programs (electronic version of bolt cutters) on the market to access the hard disk named in the warrant.

But, as I said earlier, this theory is untested by the 9 demi-gods in black dresses, so relying on the protection that their interpretation of the fifth amendment is substantially similar to mine is a dicey proposition at best.

BTW, did you notice in the article that Blackberry seems to be the only internet PDA device which routinely encrypts your email traffic while the message is en route? Do the section 49 directives only target Blackberry because the other PDA software (e.g. iPhone, eMailMan, etc.) send your email traffic in the clear so all the police need to do is go to your ISP for the emails of interest?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Saqib Ali
Sent: Monday, October 01, 2007 12:58 PM
To: [email protected]
Subject: [FDE] Contested UK encryption disclosure law takes effect

British law enforcement gained new powers on Monday to compel individuals and businesses to decrypt data wanted by authorities for investigations.

......

Failure to comply could mean a prison sentence of up to two years for cases not involving national security or five years for those that do.

Read the entire story at:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/01/AR2007100100511.html

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
