Encryption, the law, and (hopefully not) you.

Recent court rulings, laws, and media coverage have left geeks like myself extremely concerned. It seems that lately there's been a move towards forcing people to reveal their encryption passphrases. This in and of itself isn't surprising -- I can understand why prosecutors want the data that an encrypted drive might hold -- but however honorable their intentions, analogies made by a few judges, some prosecutors, and numerous reporters have been quite troubling.

To illustrate how encryption works (and how it should interact with the Fifth Amendment), let's play a quick game of pretend.

Imagine, if you will, that I told you to pick a number between one and ten and to write it down. You write your number (let's say it's "5") on a scrap of paper and hide it in your desk drawer. Now if for some reason the government thought they needed to know that number, they could get a search warrant for that scrap of paper. Makes sense, right? You are in possession of the number, and if they have a warrant you have to surrender it. (Why they'd want to do this, I don't know. Let's pretend that the number "5" was outlawed. Hey, it's a thought experiment after all!)

Now imagine that, when I told you to write it down, you were sneaky. You didn't write down the number. Instead, you picked another, completely random number (let's say "4"), multiplied it by the number that you did pick, and wrote the result down. Now you don't have a piece of paper with the number on it. You have a piece of paper with "20" on it. The government could seize it, but since it no longer contains the number, they can't use it.

So at this point, the number that they're after no longer exists. Only you (who know the secret number that you chose) can recreate it.

The question is, do you think that you should be forced to re-create that number on command so that it can be used as evidence against you?

Many people assume that "encrypting" a file or a hard drive involves locking or modifying the data being encrypted. It does not. Instead, the original data is -- like your number -- not stored anywhere. It simply does not exist any more. In its place is stored data that -- when combined with a secret number or piece of data -- may be used to re-create the original data. That is an important distinction, and it's one that Hollywood and other popular presentations of "encryption" have ignored.

Analogies to safes are inappropriate: if I put a document in a safe, the document still exists. All I've done is to put a barrier around it. If I encrypt a file, and erase the original, the data in that file (like the number "5" in our example) quite simply does not exist. It can be re-created on demand when the file is "decrypted" (or, in our example, when you divide the written number by your secret number), but until then, it is nowhere to be found.

So how does this intersect with the Fifth Amendment?

Compelling someone to decrypt or to aid in the decryption of a piece of data is to compel the person to re-create the data. In the event that the data in question is incriminating, such an act is to compel someone to create a record which may then be used against them. While the testimony is not verbal, it is equivalent to acting as a witness against oneself.

If you are arrested, you cannot be compelled to write a confession, nor can a court force you to create paper evidence during your trial for subsequent use against yourself. Why then should you be compelled to create the digital equivalent?

If you do believe that such compulsion to create evidence is acceptable, let's carry it one step further. Let's go back to our thought experiment. In our world of make-believe, you are arrested and charged with the crime of having a written representation of the number "5" (thought experiment, remember!). You protest your innocence. The prosecution argues that you do, indeed, have a number which can be turned into "5" by application of your "secret key" (i.e., your private number). (I suppose that we should also assume them to be quite bad at simple arithmetic for the purpose of our example.)

So far so good? Now what happens if, instead of "4", your secret number was "2"? Division of the written number ("20") by the secret number no longer results in an illegal number -- in the strangeness of our fictional example government, "10" is completely acceptable. If your secret number is "2", then division of the number on the paper by your secret number ("decryption") produces a completely legal piece of data. The prosecution may argue that your secret number was actually something that did produce an illegal number, but your defense will argue the opposite. What happens?

Lest you think that the above extension is overly contrived, I should remind you that a form of encryption known as the "one-time pad" works exactly this way. A message encrypted with a one-time pad may be decrypted to any message of the same length by application of a different key. Without knowing the key it is impossible to prove the contents of the message -- it could quite literally be anything. Food for thought indeed.

Encryption and the law will likely collide many times in the years to come. I can only hope that the right decisions are made.


Originally published 24 January 2012. The contents of this page are licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Please share and distribute!