Key Management and Passwords and the Law

Anyone with any sense is at least a wee bit frightened of encryption because of the chance of data loss: lose the key and the data is effectively gone, even if it’s sitting right there in an encrypted file. Website passwords really present the same problem: lose one, and whatever value the website represents to you is gone, at least until/unless you can recover that access through a password reset—something that’s often too easy, as we’ve read, with weak protection for the process. But for most users, that’s preferable to losing access forever!

Losing an encryption key is usually more final: there’s no “Click here to reset your key”. So encryption keys are typically held more carefully than logon passwords for www.BobsHamsters.com.

A recurring question: If you have encrypted data, and the police or a court wants you to decrypt it, can you be legally compelled to reveal that key? Court opinions on this have varied: some hold that you can refuse, citing your Fifth Amendment (5A) right to avoid self-incrimination; more recently, in State vs Stahl, a Florida Court of Appeals held that 5A does not apply, in a case regarding unlocking a phone:

Providing the passcode does not ‘betray any knowledge [the defendant] may have about the circumstances of the offenses’ for which he is charged.

Their point is that they are not asking for specific information about the crime—”Were you present when the victim was murdered?” is specific; “Unlock the phone” is not. However, unlocking the phone can be seen as analogous to opening a safe, and in a 1988 decision, the U.S. Supreme Court ruled that a defendant cannot be forced to provide the combination to a safe. Other courts prior to Stahl sided with that SCOTUS decision when it came to phones, so it seems likely that Stahl will at least be challenged.

But let’s assume that Stahl stands: what if you really have lost the key? A Philadelphia man has spent the last two years in jail because (he says) he does not have the encryption key for his hard drives, after being charged with possessing child pornography.

It’s easy to agree with the Court that he must be guilty, and that he feels indefinite time in jail is preferable to a long prison sentence. But if the accused really does not have that key, then he cannot comply with the Court’s demand. And that’s quite possible. The system in question is a Macintosh, and presumably uses Apple’s macOS “FileVault 2” feature, which performs full-drive encryption. When you set this up, it creates a fairly long (and impossible-to-remember) “Recovery Key”, and gives you a chance to copy and save this key, or to save it to the Cloud for later recovery. But you need not do either of those things as long as the drive stays in the computer on which it was encrypted, because logging into your account on that computer causes it to unlock the drive. However, if the drive is removed and accessed on another machine, you need the Recovery Key, and this is the point at which the accused was asked to provide the key.
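An illustrative model of the two-slot arrangement described above, added here and not Apple’s FileVault code: a random volume key is wrapped once under a key derived from the login password and once under a generated recovery key, so either credential unlocks the drive, and losing both leaves nothing to recover. The wrapping construction, iteration count and slot layout are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; assumed for this demo, not Apple's parameters

def _kdf(secret: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key-encrypting key (KEK) from a password or recovery key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)

def _wrap(volume_key: bytes, kek: bytes) -> bytes:
    """Wrap the 32-byte volume key under a KEK: HMAC-derived keystream plus an HMAC tag."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, stream))
    tag = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    return nonce + ct + tag  # 16 + 32 + 32 bytes

def _unwrap(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Recover the volume key, or None if the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, b"tag" + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def provision_volume(password: bytes):
    """Create a volume key and two independent slots that can each unlock it."""
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(24).hex().upper()  # long and not memorable
    salt = secrets.token_bytes(16)
    header = {
        "salt": salt,
        "user_slot": _wrap(volume_key, _kdf(password, salt)),
        "recovery_slot": _wrap(volume_key, _kdf(recovery_key.encode(), salt)),
    }
    return header, recovery_key

def unlock(header: dict, password: Optional[bytes] = None,
           recovery_key: Optional[str] = None) -> Optional[bytes]:
    """Unlock with either credential; with neither, the data is effectively gone."""
    if password is not None:
        return _unwrap(header["user_slot"], _kdf(password, header["salt"]))
    if recovery_key is not None:
        return _unwrap(header["recovery_slot"], _kdf(recovery_key.encode(), header["salt"]))
    return None  # no slot can be opened: unrecoverable, exactly the risk the text describes
```

The two slots hold the same volume key, so the recovery key is only useful to someone who saved it when the volume was set up.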

By claiming he does not have the means to comply, the accused is trying to avoid the 5A issue entirely. The Court took its own steps to avoid 5A problems, including saying that he need not actually reveal the key: he could just type it in himself. The Court also contends that this would not be a 5A issue anyway under the “foregone conclusion” doctrine, which provides an exception to 5A when the “existence and possession” of a document is considered a foregone conclusion and thus its production for the Court is an act of surrender, not of testimony. In this case, the contention is that because the police know that there is child pornography on the drives, he is not incriminating himself; presumably they want the files to allow further investigation of their origin, or for some other purpose.

In any case, because there’s currently no way to prove whether he’s lying or not, he sits in jail indefinitely, not convicted of any crime. This is an emerging area of privacy law, with significant possible impacts as our phones and computers become ever-more significant parts of our lives.


About the Author
Phil Smith III is Senior Architect & Product Manager, Mainframe & Enterprise, at Micro Focus, formerly HPE Software. He is the author of the popular blog series, Cryptography for Mere Mortals.
