Should governments have the RIGHT to ban serious encryption?

Governments, almost all governments, hate serious encryption. The US disallowed export of effective encryption technology for years before finally caving-in to business pressure and reality. (The US has no monopoly on encryption technology or mathematics.) The UK has a fairly recent law on the books requiring someone to give up their keys or face jail. Some developing countries employ “rubber-hose” decryption where they either imprison or beat someone until they get clear-text messages.

The justification is “Terrorists and child-pornographers use encryption.” This is usually an assertion with few statistics to back it up. There is also an implication that if someone DOES use encryption he is a terrorist, chld pornographer, or some other kind of shady character that bears watching.

So, two questions:

a) Should governments be granted the authority to ban/restrict encryption technology?

b) If not, then what can be done about it?

Anyone else care about this?

Testy.

TheUS government, at least, should not. It’s a first amendment issue: freedom of speech and freedom of the press (the two possible issues here) explicitly don’t allow prior restraint of content.

That means no laws against discussing whether, say, drugs should be legalized, but it also means no laws against talking in Spanish, or in gobbledygook, or in a mode of expression that only two people happen to be able to understand at once.

Terrorists and child pornographers could talk to each other in a $20 motel room with the TV turned all the way up, but there’s no law against cheap motels. The real reason gummint wants the ability to read encrypted messages is that they want to be able to decrypt anything that falls into their hands.

As you might get from the above, I’m definitely pro-crypto.

Banning encryption on the grounds that terrorists or child pornographers might use it strikes me as being like banning locks (or opaque walls, for that matter), on the grounds that terrorists or child pornographers might use them. After all, if you’re an honest citizen, what have you got to hide? Now, to be sure, if the police have evidence good enough to convince a judge they can bust down your door and search your house, so as far as it goes, “rubber hose” decryption techniques might have some merit: not in the sense of literally beating the code key out of someone, but certainly someone could be imprisoned for contempt of court, if the authorities have probable cause to search their files, and they won’t give up the key.

Could they? Wouldn’t being forced to give them the key violate my right against self incrimination?

Marc

Well, so much for the debate! S I’m an avid fan of crypto and no, I’m neither a terrorist OR a child pornographer. So, on to the NEXT question. What can be done to avoid or neutralize a government’s power to ban or restrict crypto?

If serious crypto became a standard it would help. A government’s ability to read messages on the fly would be seriously hampered. However, most crypto packages worth using require some thought as well as knowledge, not just point and click. PGP is about the easiest but I can see someone easily screwing up and dumping their private key all over the net. Other commercial/built-in products such as the infamous clipper chip have been deliberately compromised so those are out as well.

And thanks, glad to see someone else cares about this.

Testy.

I agree, it might very well violate any right you had against self-incrimination. I’m not sure whether the equivilent of “taking the fifth” exists in the UK or not. I’m positive it doesn’t exist in other countries.

Testy.

Interesting OP. To answer simply:

  1. No
  2. Not a whole lot, other than making your voice heard and voting.

Government should not be able to restrict encryption for the same reason they can’t tell you you’re not allowed to speak in spanish, lock your front door, or use an envelope for your normal mail. It’s a violation of both the 1st Amendment protection of speech, and the 4th Amendment protection of privacy.

The solution? Vote against any politician who advocates restriction of your rights. Speak openly and let people around you know that’s WHY you’re voting the way you are. Encourage others to use encryption (there are a number of nearly transparent encryption packages for e-mail, ex: PGP). And encrypt every e-mail you send, the same way you put every normal mail into an envelope. If enough people do it consistently, there won’t be any way to stop it.

The only valid reason for a government to restrict use of encryption is to be able to eavesdrop on, and by extension suppress, communication that is not to its liking. In other words, to censor and oppress the population. Just like guns, governments vilify and criminalize use of encryption, giving the impression that only criminals and people with something to hide will not allow us to read their private e-mail. If you don’t have anything to hide, you won’t mind if we search your house arbitrarily. But you don’t have to allow it unless presented with a warrant. Thank the 4th Amendment for that.

An honest government has nothing to fear from citizens who are armed or whose privacy is intact.

And yes, being forced to give up encryption keys is also a violation of the 5th Amendment protection against self-incrimination.

The current U.S. laws banning the export of strong encryption technology are a hold-over from the Cold War. We were afraid the Commies would get ahold of these techniques and use them to send secret messages that our government couldn’t decipher.

By now, of course, this law is a joke. Every government on Earth has access to the RSA encryption algorithm, and can use as many bits as its wants for generating public and private keys. Do you think a real spy, or terrorist, is going to say, “We’d better not use 128-bit RSA encryption to send this message to Headquarters, it might be illegal”? No, of course not. The real criminals are going to use, and continue to use, strong encryption, no matter what the local government says. The only people that will be limping along using weak encryption will be the law-abiding citizens – the ones the anti-strong-encryption laws are supposed to be protecting in the first place!

Hmmm…I hadn’t thought of the 5th Amendment angle with respect to being forced to give up encryption keys. Is that self-incrimination? If the police come knocking on your door with a search warrant, you can’t legally resist them on self-incrimination grounds.

Now I’m confused. Any constitutional scholars out there reading this thread?

**

I don’t have to give them a key to my safe either. But they’re allowed to break into it if they have a search warrant.

Marc

So, police executing a search warrant can’t compel you to give them the combination to your safe (although they can get some dynamite or a drill and blow the thing open themselves)? In that case, I withdraw my remarks above about compelling someone to give up an encryption key.

For quite some time I have had an interest in this issue. I recommend some sites:
http://www.cdt.org/
http://www.gilc.org/
http://www.gilc.org/crypto/crypto-survey.html
http://www.epic.org/
http://www.nsa.com

My (humble but very strong) opinion is that no government should have any authority to in any way restrict the use of encryption by individuals. Making it a crime to use encryption is a breach of the most basic human dignity and the right to privacy. Any government which restricts the use of encription by private people is very suspect.

Now, about the second question: whether a judge upon probable cause should be allowed to order a defendant to give up the key or face contempt of court charges.

This is not an easy issue to decide but prima facie I would say “yes”, it should be allowed.

We can think of similar situations which would not involve encription. Imagine an accountant accused of fraud and embezzlement. He has hidden the documents which would prove or disprove his guilt and the judge tells him to declare where the documents are or face contempt of court charges. Could he say this infringes on his right not to incriminate himself? I don’t think so. I think this example is very close conceptually to what we are discussing… But it is an interesting point and I would like to hear more opinions.

I think if the cops are after me and I purposefully destroy my encryption keys so they cannot access the information they are searching, I could well be charged with obstruction of justice.

By the way, I regularly use PGP with a number of people. I use it every time and as a matter of course, not just when I am sending something sensitive.

Another observation I would make is how often when this subject comes up among the general public, when I ask if the government should be allowed to restrict the use of encryption, many people would say “yes, because if not the bad guys can use it for their purposes”. I cringe every time I hear this and have to refrain from telling these people that I think they are ignorant idiots. Using that argument you could restrict any freedom and give the government complete control of your life. That is not how western countries are supposed to work!

The fifth amendment thing also assumes that the information you are hiding would be self-incriminating: say I have incrypted information that hte court has probable cause to believe would lead to the convition of a third party. Can they compel me to give up the key then?

If a court subopeaned your files (which happens all the time) and you did something deliberatly to make them hard to read (printed them in yellow on yellow paper,say) I suspect you would get a contempt of court charge slapped on you so fast it would make your head spin–and you would be ordered to resubmit them in a legible fashion. How is this any different?

I agree, I think the right to not testify, which is recognised AFAIK in all western, democratic, countries, only affects your right not to answer in a court of law questions which may incriminate you but this is not an absolute right to not answer any questions, only those thay may incriminate you directly. Courts routinely hold in contempt people who refuse to testify (McDougal).

Answering questions which do not incriminate you directly but may lead to the discovery of further evidence… That is a tough one but I believe a judge (not the police, a judge) can order you to disclose such information or face contempt of court, obstruction of justice or other charges. On this basis I think refusing to provide an encryption key when ordered by a judge would not presently be subject of immunity.

There have been a few cases recently where various governments have been caught out using eavesdropping techniques to pass commercially sensitive information from foreign companies to companies based in their own country.

France is the latest one that has been accused, and yet this is one nation that quite specifiaclly makes industrial espionage a criminal offence.

Insider trading is against the law in the UK and US and I’d imagine it’s the same elswhere, yet govermaents themselves are guilty of this by their illegal tapping of communications.

I would think that criminals and terrorists do not worry about restricting themselves to applying the law in their communications so my conclusion is that companies should have the right to use strong encryption with the caveat that they could be compelled to make this available if court proceedings allow, subject to appeal and always on the basis that investigations cannot be merely a fishing exercise and that the investigation has to have clearly defined parameters.

Okay. I don’t necessarily think there’s any presumption in the law that says you can’t force someone to turn over their encryption keys. I agree that, while you can’t force someone to testify against himself, you can certainly use any documentation available (plaintext or not) that they recorded about their criminal activities. Likewise refusing a judge’s order to turn over your encryption keys is likely to be viewed in about the same way as if you just took a hammer to your hard drive: contempt of court.

Nothingg in the above justifies prior restraint of the right to use any encryption scheme they want. Nothing in the above justifies any abrogation of the ability of people and businesses to keep their own personal data arbitrarily secure until (and only if) it’s needed in a court of law.

It isn’t just people wanting to be private, either. The company I work for has stores in several countries (as well as a whole bunch in the US). Inside the U.S., we use encryption to send sales reports and similar confidential data over the net. Outside the U.S., we can’t necessarily do that - so, sometimes, we end up having to send lockboxes full of documents on a plane ride. Needless to say, it’s rather expensive to do it that way just because we might theoretically be harboring international terrorists or something.

Casdave, illegal is illegal, whether done by private persons or by the government. I think we all agree the government should respect the laws as should the rest of us. That is not the point we are discussing in this thread.

The point here is whether the use of encryption should be limited by law and your last paragraph I think pretty much reflects the general consensus.

We also all agree that it should be the courts who would authorize or mandate decryption, not the police, subject to the usual rules.

Some Guy, I cannot see how sending a guy with a lock box protects you from any government who bans encryption. When you arrive at their border they have the legal right to inspect your stuff as much as they like.

I may add that this is true in every country including the USA. When you arrive at the border you have ZERO right to or expectation of privacy. There was a very good series of articles (in a Seattle newspaper IIRC) documenting the pattern of abuses by the INS.

Any paper you have with you can be read by the customs people without any need for any kind of warrant. If you fall in the hands of some psycho (like I did once) he can make your life very miserable indeed. It was a very traumatic experience for me and I still hope the guy is enjoying a miserable life and gets hit by a speeding bus.

So, taking documents with your person in the belief they cannot be examined is just not true.

France is a country which had to change its stance on encryption. They tried to severely restrict it but had to change because foreign companies were not willing to play by those rules.

OK, it seems that the consensus is that a judge in the US CAN order you to turn over encryption keys and have you jailed for contempt if you refuse to comply or delete the keys to make the data un-recoverable.
My (very limited) understanding of the law is that while an official may legally search your house, car, or computer, you aren’t required to actually assist them in their search. How is turning over your private keys different from actually helping in your own incrimination? There may be a difference here but frankly it escapes me.

Joe_Cool.
Yes, voting some jerk out of office that wants unrestricted access to my communication is a good thing and I do so at every opportunity. The problem is with public education. As Sailor and I mentioned earlier, the general assumption is that anyone using encryption is up to no good. Until public perception of strong encryption is improved use of it will not become popular.
Sailor.
Thanks for the sites. Like you, I use PGP on a regular basis regardless of whether the information is sensitive. If you’re interested in encryption you might also try counterpane.com. They have a free monthly newsletter that I enjoy.

An associated item is the FBI’s frequent doomsday predictions about the use of strong encryption and their generally obstructive attitude. This makes me wonder just how much intelligence gathering they do via wire-taps and email monitoring. And how much of that is legitimate?

Thanks.

Testy.