At least in the UK it will be.
According to an article over at LinuxWorld discussing the results of a recent case that found individuals may not deny access to an encryption key under the rights of self-incrimination (or the right to silence, as it's referred to in the UK). The UK court determined that:
...an encryption key is no different than a physical key and exists separately from a person's will.
"The key to the computer equipment is no different to the key to a locked drawer," the court found. "The contents of the drawer exist independently of the suspect; so does the key to it. The contents may or may not be incriminating: the key is neutral."
I've written on this blog before about encryption techniques, as well as the legal standing of compelling encryption keys in the US, but I believe this is the first time the issue has been tested in the UK.
Quick History
I wasn't sure what the legal differences were between the US right to avoid self incrimination (5th Amendment rights) and the UK right to silence. I did some quick research (and had a quick conversation with a lawyer) only to discover that your rights are actually very similar under both sets of laws. The right to remain silent under police investigation under both systems came from police forces using beatings and torture methods to force detainees to talk about alleged crimes. Both sets of self incrimination statutes were instituted to prevent police misconduct in suspect interviews.
The primary difference I found is something UK law refers to as "adverse inferences". Under US criminal law the invocation of 5th Amendment rights cannot be used against a defendant as a sign of guilt. Basically, all that means is that refusing to speak doesn't make you seem any more guilty, it just means you're refusing to speak (hypothetically). In the UK there are certain circumstances where this isn't the case, mostly focusing on a defendant changing their story or refusing to account for things that were present at the time of arrest. In those cases the jury can draw inferences from the defendant's silence (they also may choose not to).
Back To Encryption Keys
The analogy seems fairly sound. If I have a safe, or even a locked desk drawer, in my house and the police show up to arrest me with a valid warrant I can't refuse to give them the key to the desk under the 5th Amendment. There may be physical evidence in the desk, the police have followed due process to be allowed to search it, and the key is a physical object which I cannot refuse to produce. If I do refuse to produce it, then the police will just break the lock (or blowtorch the safe) to search for evidence.
Similarly, encrypted storage is like my safe. My encryption key is like the combination to my safe. The UK court has determined that there is no difference between the safe combination and my encryption key, except in ths case there is. If I refuse to give up my encryption key, there is no "blowtorch option" for the police to use. If I've chosen a long enough encryption key, then the police are out of luck figuring out what I've encrypted.
Therein lies the problem.
Forcing 21st Century Ideas Into 20th Century Shoes
There is plenty of precedent to say that a court shouldn't be able to compel an individual to give up their encryption key. For one, US law says that the court cannot compel a performance. For example, if I enter into a contract to paint someone's house, then I break the contract, the court cannot compel me to paint the house. They can have someone else paint the house and then charge me for that work, but they can't force me to do it. Regardless of analogy, an encryption key (unless written down) is not a physical object. In order to compel the key I must type it or, more likely, tell you what it is or write it down.
For another, what if I have a safe with a built-in tamper mechanism (say an acid safe pouch that disperses if the safe is tampered with)? By refusing to give the combination to police, they will force their way into it, and the acid will destroy any documents within. In that case, you're now going to be charged with destruction of evidence, obstruction of justice or something along those lines.
The real issue at hand is that encryption introduces an unsavory element into criminal investigations. Without a way for police to force their way into encrypted documents they're left with a block of impossible to reach potential evidence. There may be important elements of the case (or other cases) inside, or even evidence of other crimes.
The ruling seems unnecessary to me, as the UK already has laws in place that allow juries to draw adverse inferences about information defendants refuse to divulge. This new ruling merely adds a new punishment for refusing to divulge your encryption keys. It might just seem excessive to me, but a 2-year sentence for refusing to give up a key seems a bit much.
Of course, comments are always welcome.
Interesting analysis of the differences between the US and UK "self-incrimination" laws. The lack of adverse inferences in the US interpretation is very important, as the ability to infer guilt based on an unwillingness to speak basically nullifies the right to refuse speech.
The contrast you present between a physical key and an encryption key is also very good, and is something I was thinking of myself when I read the article on LinuxWorld. Since there is no physical entity in the case of encryption keys, would not the court also have to prove that you actually know the key? I have encrypted documents on my computer still from ages ago, the keys to which I have long since lost and forgotten the passphrases to. Obviously I could not give them up even if I was not concerned about self-incrimination. In the UK then I could be jailed for my inability to give up these keys none-the-less?
I think the law of unintended consequences is going to show itself as a result of this move by the Brits. The smarter of the criminals will merely use hidden encrypted volumes within other encrypted volumes. Thus when asked to give the keys they merely produce the key to the outer volume which may contain personal (but not incriminating) data. The inner volume will remain hidden. This would seem to make things even harder for the Brits. Where once they had a encrypted volume they could not access (but could infer guilt based on its existance and refusal to produce a key), they now have access to the seemingly innoculous data and no knowledge of the inner volume.
Posted by: Ken | October 16, 2008 at 05:44 PM
Please forgive the ignorance of one who simply stumbled upon this site... but doesn't the suggestion that encryption methods are 'knowledge' fly in the face of of the current maze of copyright laws being pressed upon us? We are told it is within our rights to make copies of a DVD, however to bypass the encryption of the DVD is illegal.
Doesn't that make the encryption process the 'property' of the company who produced the DVD? If the encryption itself is not property but is merely 'knowledge' then it should not be illegal for me to bypass encryption should it? (or perhaps I've missed something here)
Don't get me wrong, I would love for the silly copyright laws to vanish. My point is simply that I don't think it is right to allow large corporations to claim 'property' rights in their encryption methods, and at the same time allow criminals (or suspected criminals) to hide behind their encryption methods as 'self-incriminating knowledge'. I don't believe it should work both ways.
Posted by: Jason | October 16, 2008 at 11:39 PM
@Jason:
Really you're touching on several unrelated topics here. The specific implementation of an encryption algorithm may be copyrighted, and is thus owned by the corporation or individual that created it. The algorithm itself (being an idea and not a work in itself) is not copyrightable, but may be patented. If it is patented, that patent would also be owned by the corporation or individual who created it. In the case of a DVD the algorithm used is CSS (Content Scramble System) which is licensed to the movie studios to protect their DVDs.
The reason it is illegal to decrypt a DVD has nothing to do with ownership of the algorithm, but with the anti-circumvention clause of the Digital Millennium Copyright Act which states that "No person shall circumvent a technological measure that effectively controls access to a work protected under this title." and "to 'circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner." Effectively this means it is illegal to crack (or even possess tools capable of cracking) the encryption protecting a copyrighted work.
What this article is about is the UK courts requiring that people give up their encryption keys on request. Note that nobody is saying that the encryption algorithm (or methods as you put it) is knowledge, but they keys themselves, or the passwords if you will. I hope this clarifies things a bit for you.
Posted by: Ken | October 17, 2008 at 09:16 AM
@Ken:
Thanks for the comment. I wholeheartedly agree with you. I've had to delete a number of encrypted files and volumes because I've forgotten the password, so there would be no way a court could compel me to decrypt them. In the case referenced by the Linuxworld article this wouldn't be an issue as the suspect was in the process of typing in his key when the police went in to arrest him (if they'd just waited a few more seconds this case would never have even happened). But I think you're right, if you want to infer guilt from encrypted files the prosecution would also need to show that the defendant could decrypt the files if he wanted to, but is willingly refusing to do so.
You're also right about criminals using more sophisticated encryption techniques. And, worse yet, as criminals use advanced techniques the real burden gets placed on prosecutors to try and explain these techniques to a jury. Encryption technologies are hard enough for IT people to wrap their heads around, let alone a group of 12 average citizens who may have no real background in it.
@Jason:
Ken's overview of the DMCA copyright/patent infringement system is spot on. In the case in the article the "knowledge" referred to is a person's personal encryption key. A piece of personal information doesn't fit into copyright law, so this really isn't a DMCA issue. The only question is whether it's reasonable for an encryption key, which is a piece of information you have in your mind, to be compelled by a court.
Posted by: dmo | October 17, 2008 at 09:51 AM