The other side of this is that enshrining encryption as something that police can't compel you to help with just creates a huge loophole for hiding incriminating documents. You can go to jail for destroying evidence, why would encrypting the data and refusing to provide the password or deleting the key be any different?
> You can go to jail for destroying evidence, why would encrypting the data and refusing to provide the password or deleting the key be any different?
Specifically encrypting incriminating data after you have evidence of a crime in an effort to cover it up should be treated as the equivalent of shredding documents. (Assuming, of course, they can prove it, just as they have to prove that you had the documents in question prior to destroying them in order to prosecute you for destroying evidence.)
That's not in any way the same thing as having your data encrypted and refusing to decrypt it.
I don't really think the timeline is meaningful in this case. Having a rule where people cannot be made to decrypt files is just legalizing document shredding with an extra step.
To avoid cases where people legitimately forgot their passwords just assume that the police have video evidence of you unlocking the files just before you were arrested. You know the passphrase and the police could prove it beyond reasonable doubt in court.
You just start with your files encrypted with a strong passphrase and refuse to provide it when you get caught. This is different than routine shredding because the moment when they become inaccessible is when you refuse, not the moment you encrypted them.
If they were instead physical documents buried somewhere hidden where the police could not possibly find them without your help the court still has the ability to hold you in contempt if you don't produce them. What makes the secret knowledge of their location any different than the secret knowledge of the password?
"If they were instead physical documents buried somewhere hidden where the police could not possibly find them without your help the court still has the ability to hold you in contempt if you don't produce them"
Are you sure this is so, this sounds awfully similar to compelling you to testify against yourself. Perhaps you are confused.
> If it is a foregone conclusion that the documents exist, the court can legally compel you to turn them over.
Are you sure? That would imply that you could be compelled to produce documents that are known to exist but were stolen from you.
It seems like a faulty premise. If they don't know where the documents are then how could they know they haven't been stolen or destroyed?
It's the same problem with encryption keys. Just because you had it yesterday doesn't mean you have it today. People actually lose or forget things, especially under stress.
That's one of the main purposes of protection against self-incrimination -- so that the government can't claim you know something that you don't and then hold you in contempt for not telling them.
Yes. A quick google for "foregone conclusion doctrine" will turn up a bunch of fairly-recent news about this.
> It's the same problem with encryption keys. Just because you had it yesterday doesn't mean you have it today. People actually lose or forget things, especially under stress.
Yes, and that's part of the problem. I'm not saying I agree with how all this works, just stating that's how it is.
There are limits, of course. If the court cannot establish that you know (or at least knew) the password/phrase/key. "I forgot" can certainly be a legitimate defense, but it of course depends on whether or not a judge believes you. If we could use "I don't remember" as an unquestioned excuse, we could get away with anything.
> That's one of the main purposes of protection against self-incrimination -- so that the government can't claim you know something that you don't and then hold you in contempt for not telling them.
That's not what we're talking about here. We're talking about things the government affirmatively knows that you either have or know. Unfortunately, of you no longer have or know that thing, the burden is on you to prove that you don't, which is difficult.
> Yes, and that's part of the problem. I'm not saying I agree with how all this works, just stating that's how it is.
You have to keep in mind that judges make rulings that conflict with the rulings of other judges all the time. It means one of them is wrong and it takes a higher court (or legislative action) to sort it out.
Pointing to lower court rulings in the news doesn't mean the issue is settled.
> If we could use "I don't remember" as an unquestioned excuse, we could get away with anything.
That is obviously nonsense. People are regularly convicted without being compelled to say or do anything. The government simply has to prove their case without the defendant's testimony.
> We're talking about things the government affirmatively knows that you either have or know. Unfortunately, of you no longer have or know that thing, the burden is on you to prove that you don't, which is difficult.
But that's the point. They should have to prove that you have it, not that you had it. And when the thing is the contents of your mind, it's impossible for them to prove that without your cooperation, and impossible for you to disprove it.
The burden that something can't be proven in a criminal proceeding is supposed to fall on the government, not the accused.
You're forgetting that the courts are human and would be sympathetic in this case. If it couldn't be shown that you have access to the documents or you could show they were stolen then you would be fine.
> Just because you had it yesterday doesn't mean you have it today
Right, which is why I prefaced the discussion with the situations where the police can prove beyond a reasonable doubt that you posses the key/password. We can make it more direct by arresting you immediately after you prove on video that you're capable of decrypting the documents.
> can't claim you know something
Right, but the difference is we're talking about a case where they can prove you know something. We're firmly in foregone conclusion territory.
> You're forgetting that the courts are human and would be sympathetic in this case. If it couldn't be shown that you have access to the documents or you could show they were stolen then you would be fine.
But that's the whole problem. How are you supposed to prove that you don't have something? It's completely reasonable that someone can have stolen it from you without you being able to prove it.
They can prove that you do have it by finding it in your possession, but if they could do that then they wouldn't need you to tell them where it is. If they don't know where it is then they can't know whether you have it or not.
> Right, which is why I prefaced the discussion with the situations where the police can prove beyond a reasonable doubt that you posses the key/password.
That's just assuming the conclusion.
Proving beyond a reasonable doubt that somebody knows something is next to impossible. You can have them on video entering the correct pass phrase and it only proves that they knew it when the video was made, not that they still remember it now.
> It's completely reasonable that someone can have stolen it from you without you being able to prove it.
I agree and if I was designing the legal theory I would make sure that the burden of proof is on the person claiming an other has knowledge.
> the correct pass phrase and it only proves that they knew it when the video was made, not that they still remember it now.
Right, which is where reasonable doubt comes into play: if the video was months ago it's completely reasonable to forget a password -- if it's two hours later they have a much tougher case to make about spontaneous amnesia.
Applying the 'you can't possibly prove knowledge under any circumstances' argument would be absurd in any other case.
"Did you know she was under 18?"
"No your honor, I forgot, it had been a few weeks since I saw her ID."
> Right, which is where reasonable doubt comes into play: if the video was months ago it's completely reasonable to forget a password -- if it's two hours later they have a much tougher case to make about spontaneous amnesia.
You're confusing less likely with unreasonable.
A pass phrase long enough not to make the whole question irrelevant is hard to remember.
You may have it in short term memory until it gets displaced by "oh crap I need to hire an attorney and a bail bondsman and call my boss and explain this to my wife" type issues. You may be able to remember it sitting in a familiar environment surrounded by your stuff but not in a jail cell without any of those cues.
It's completely reasonable to forget something you knew five minutes ago. It happens all the time.
Haven't you ever walked into a room and been unable to remember why you did? And that isn't 128 bits worth of context-free random data.
> "Did you know she was under 18?"
> "No your honor, I forgot, it had been a few weeks since I saw her ID."
I'm not sure this is making the point you want it to. The real targets of statutory rape laws are pedophiles who rape eight year olds, and in those cases it isn't a question of memory. You may not have remembered whether the child was 8 or 9 but you couldn't reasonably have thought they were above the age of consent. Which is why nobody objects to putting those pedophiles in jail, or to the laws that make it happen.
It's the cases where there could be a legitimate confusion that create exactly this problem. You can't tell if someone is one year above or below the age of consent just by looking at them, which is why those cases are extremely controversial.
How is it absurd that you could forget someone's age? Do you know the exact age of everyone you've ever been to the birthday party of? You probably knew on the day of the party.
> This is different than routine shredding because the moment when they become inaccessible is when you refuse, not the moment you encrypted them.
If it really had anything to do with when you refuse then you could just proactively refuse as soon as you encrypt so it happens at the same time. And it would imply that if you were killed before being asked to decrypt then the government would have access to the data because you never refused, which is obviously not true.
The refusal was specific to this situation. The data also becomes inaccessible the moment a person is incapable of producing the password like when they die.
When does encrypted data become inaccessible? When you encrypted them or when you forgot the password?
> When does encrypted data become inaccessible? When you encrypted them or when you forgot the password?
Inaccessible to which party? It becomes inaccessible to anyone without the key immediately and inaccessible to anyone with the key when they forget the key.
Compare the situation where a person commits a document to memory and then destroys it, but writes down some inscrutable clues to help them remember it. You have some gibberish you can't decipher, if you give them the gibberish they can recreate the original document, but it's only by application of information that exists only in their mind.
Encryption of the file should be treated as a separate step from deletion of the plain text. The latter is destruction of evidence in the case of a crime.
This is a tough sell when hard drive manufacturers use encryption to implement a secure instantaneous delete. You can't really argue that the files were deleted the moment they were encrypted.
Are you arguing you should legally have to keep a plain text copy of anything you encrypt? I mean I get your train of thought but that seems to be the conclusion
What they want is strong but backdoored. Nobody told them that backdoors are detected and leaked or cracked. A single set of powerful keys will be a really high value target. Alternatively the backdoor key schedule.
Net time, they should ask DoD if they would use the proposed scheme. Or whether the critical economical infrastructure of the US warrants less protection than DoD documents.
> Nobody told them that backdoors are detected and leaked or cracked
Many experts have told them. They have told them that 'backdoored' is contradictory to 'strong.
The impression I get - being as far away from this debate as any other non-US citizen - is this request for "strong but accessible" "encryption" is repeated by administration and echoed by media consistently. Eventually, every citizen with the limited understanding and memory that we have to spare will be asking 'why aren't our scientists giving law enforcement what they need?', instead of what does that actually mean. In a way I find myself very fortunate to be on the side of the pond where these voices still exist, but reason temporarily prevails.
> Nobody told them that backdoors are detected and leaked or cracked.
People have been telling that to politicians over and over and over and over again. They refuse to hear it.
The problem with politics is that a lot of people have this idea of how the world should work, and they think this somehow overrules how the world actually works. In the fantasy world they live in backdoors can only ever be used by the good guys.
