- Spitfire List - http://spitfirelist.com -

Knock, Knock? Who’s There? Either a Strongbox or a Wall Safe. It’s Undecided.

In this post we’re going to take a look at the recent Supreme Court rul­ing on 4th amend­ment rights and smart­phones and how this rul­ing could impact the ongo­ing debate over NSA spy­ing. We’re also going to look at the oth­er side of the coin: the 5th Amend­ment right against self-incrim­i­na­tion dur­ing a time when encryp­tion tools strong enough to thwart law enforce­ment and the NSA are becom­ing [1] increas­ing­ly main­stream [2]. Is encryp­tion like a strong­box or a wall safe? You might be sur­prised by just how impor­tant that ques­tion has become [3].

————-

The Supreme Court made an impor­tant, and unan­i­mous, rul­ing recent­ly regard­ing the legal­i­ty of law enforce­ment offi­cers search­ing some­one’s smart­phones dur­ing an arrest. The rul­ing: War­rants are required. The rea­son­ing: Smart­phones con­tain so much infor­ma­tion about peo­ple’s lives that you can poten­tial­ly learn more about an indi­vid­ual by search­ing their smart­phone than you would learn while search­ing their house [4]:

Los Ange­les Times
Supreme Court rul­ing affirms the aston­ish­ing pow­er of smart­phones

Robin Abcar­i­an

June 25, 2014, 2:34 PM

Wednesday’s unan­i­mous Supreme Court rul­ing [5] – that offi­cers must obtain war­rants in order to search cell­phones obtained dur­ing the course of arrests – shows the jus­tices’ pro­found under­stand­ing of the way these ubiq­ui­tous lit­tle devices have prac­ti­cal­ly become appendages of the human body.

Chief Jus­tice John R. Roberts even got a lit­tle car­ried away with that metaphor when he wrote in his enter­tain­ing opin­ion [6] that mod­ern cell­phones “are now such a per­va­sive and insis­tent part of dai­ly life that the prover­bial vis­i­tor from Mars might con­clude they were an impor­tant fea­ture of human anato­my.”

Giv­ing police the abil­i­ty to search a cell­phone with­out a war­rant, the court said, is as offen­sive as the intru­sions that led the birth of this coun­try and the cre­ation of its Con­sti­tu­tion.

The 4th Amend­ment, with its pro­tec­tion against unrea­son­able search­es, Roberts said, “was the found­ing generation’s response to the reviled ‘gen­er­al war­rants’ and ‘writs of assis­tance’ of the colo­nial era, which allowed British offi­cers to rum­mage through homes in an unre­strained search for evi­dence of crim­i­nal activ­i­ty. Oppo­si­tion to such search­es was in fact one of the dri­ving forces behind the Rev­o­lu­tion itself.”

As the chief jus­tice not­ed, today’s smart­phones are not “just anoth­er tech­no­log­i­cal con­ve­nience.” They are indis­pens­able repos­i­to­ries for exceed­ing­ly pri­vate details about an individual’s life.

(How indis­pens­able? He cit­ed one poll in which 3/4 of phone own­ers said they were nev­er more than five feet away from their devices, while 12% admit­ted bring­ing their phones into the show­er with them. That is an image I could have done with­out.)

You can actu­al­ly learn more about a per­son by exam­in­ing their phone, Roberts said, than you can in “the most exhaus­tive search” of a house.

“A phone not only con­tains in dig­i­tal form many sen­si­tive records pre­vi­ous­ly found in the home; it also con­tains a broad array of pri­vate infor­ma­tion nev­er found in a home in any form,” he wrote — unless a smart­phone is also found in the home.

Giv­ing police offi­cers access to a person’s apps — Roberts said the aver­age user has 33 — gives them the abil­i­ty to cre­ate “a reveal­ing mon­tage” of a subject’s life.

...

The court rec­og­nized that its rul­ing may impose a bur­den on law enforce­ment offi­cers at the time of an arrest. But, as Roberts point­ed out, tech­no­log­i­cal advances cut both ways.

In some juris­dic­tions, he said, police offi­cers can email war­rant requests to judges’ iPads, and judges, for their part, have been known to sign war­rants and email them back to offi­cers in less than 15 min­utes.

Not surprisingly, the ruling has prompted a great deal of speculation over what it could mean for pending lawsuits against the NSA. But if you were expecting this ruling to suggest that the Supreme Court is poised to rule against, say, the NSA collection of metadata, you might be disappointed [7]:

Politi­co
SCOTUS cell­phone rul­ing res­onates in NSA fight

By JOSH GERSTEIN | 6/25/14 8:15 PM EDT

The Supreme Court’s blunt and unequiv­o­cal deci­sion Wednes­day giv­ing Amer­i­cans strong pro­tec­tion against arrest-relat­ed search­es of their cell phones could also give a boost to law­suits chal­leng­ing the Nation­al Secu­ri­ty Agency’s vast col­lec­tion of phone call data.

Chief Jus­tice John Roberts’s 28-page paean to dig­i­tal pri­va­cy was like music to the ears of crit­ics of the NSA’s meta­da­ta pro­gram, which sweeps up details on bil­lions of calls and search­es them for pos­si­ble links to ter­ror­ist plots.

“This is a remark­ably strong affir­ma­tion of pri­va­cy rights in a dig­i­tal age,” said Marc Roten­berg of the Elec­tron­ic Pri­va­cy Infor­ma­tion Cen­ter. “The court found that dig­i­tal data is dif­fer­ent and that has con­sti­tu­tion­al sig­nif­i­cance, par­tic­u­lar­ly in the realm of [the] Fourth Amendment…I think it also sig­nals the end of the NSA pro­gram.”

...

For the NSA debate, the most sig­nif­i­cant idea in the court’s Wednes­day opin­ion may be the notion that scale mat­ters. Roberts and his col­leagues sound­ly reject­ed argu­ments from the Oba­ma admin­is­tra­tion that because police can search a few print­ed pho­tographs found in someone’s wal­let, offi­cers were free to search thou­sands of images and the troves of oth­er per­son­al data con­tained on a typ­i­cal smart­phone.

...

“It’s very impor­tant that the court is rec­og­niz­ing that quan­ti­ty mat­ters,” said Geor­gia Tech pro­fes­sor Peter Swire, a pri­va­cy expert and mem­ber of a pan­el Pres­i­dent Barack Oba­ma set up to review the NSA’s call meta­da­ta pro­gram. “The court has said that quan­ti­ty mat­ters when it comes to the con­tent of cell phones. And I believe the court will feel the same way when it comes to mas­sive data­bas­es of tele­phone calls or com­put­er com­mu­ni­ca­tions.”

A for­mer cyber­crime pros­e­cu­tor said the jus­tices also seemed to rec­og­nize that scale of the col­lec­tion not only gives the gov­ern­ment more data, but also the abil­i­ty to be much more intru­sive than in ear­li­er eras.

“The dis­tinc­tion here is more than just the capac­i­ty of the device to hold pic­tures,” said Alex South­well, now with law firm Gib­son, Dunn & Crutch­er. “A cell phone is orders of mag­ni­tude dif­fer­ent, not just in terms of num­bers of items held but also in terms of the intru­sive­ness if searched. The mosa­ic of infor­ma­tion avail­able from see­ing the whole of the data is trans­for­ma­tive, just like the call records at issue in the NSA pro­gram.”

The Supreme Court’s rul­ing Wednes­day in Riley v. Cal­i­for­nia doesn’t say any­thing explic­it­ly about the NSA’s meta­da­ta, nor did the jus­tices men­tion nation­al secu­ri­ty con­cerns or intel­li­gence gath­er­ing.

How­ev­er, in one some­what opaque foot­note to Roberts’s major­i­ty opin­ion, the jus­tices seem to be say­ing they are leav­ing the issue of bulk col­lec­tion of data for anoth­er day. “These cas­es do not impli­cate the ques­tion whether [sic] the col­lec­tion or inspec­tion of aggre­gat­ed dig­i­tal infor­ma­tion amounts to a search under oth­er cir­cum­stances,” Roberts wrote.

Even if the jus­tices were to deem the NSA pro­gram a war­rant­less search that goes well beyond trac­ing calls made on a spe­cif­ic phone line, that wouldn’t mean the ter­ror­ism-focused effort is uncon­sti­tu­tion­al. Instead, the court would have to con­sid­er whether the search is rea­son­able in light of the nation­al secu­ri­ty and pub­lic safe­ty con­cerns involved — and jus­tices are often extra­or­di­nary def­er­en­tial to such argu­ments.

...

Ana­lysts on both sides said the cell phone rul­ing is not a one-off, but seems to be part of a pat­tern of the court’s efforts to square pri­va­cy rights with the new chal­lenges posed by emerg­ing tech­nol­o­gy. Two years ago, in U.S. v. Jones, the jus­tices reject­ed argu­ments that GPS track­ing should not require a war­rant because police have always been free to fol­low sus­pects around with­out get­ting one.

“What’s significant…is the jus­tices, like the rest of us, are ful­ly alive to the fact that tech­nol­o­gy is gen­er­at­ing large quan­ti­ties of data about us and putting it in places where it didn’t used to be,” Bak­er said.

Pres­i­dent Barack Oba­ma ini­tial­ly dis­missed the pri­va­cy impact of the meta­da­ta pro­gram as “mod­est,” but in recent months he has acknowl­edged that it is trou­bling to many Amer­i­cans. Ear­li­er this year, he pro­posed shut­ting down the NSA pro­gram and replac­ing it with one in which tele­phone com­pa­nies store the call infor­ma­tion and make it read­i­ly avail­able for the gov­ern­ment to search. The pres­i­dent also imple­ment­ed a pro­ce­dure in which a judge approves most queries in advance, but the stan­dard is low­er than that for a search war­rant.

The Oba­ma admin­is­tra­tion has made much of safe­guards it has imposed on the NSA pro­gram. How­ev­er, the court’s cell phone search opin­ion sug­gests the jus­tices might not find such self-reg­u­la­tion suf­fi­cient to address pri­va­cy con­cerns.

“The Gov­ern­ment pro­pos­es that law enforce­ment agen­cies ‘devel­op pro­to­cols to address’ con­cerns raised by cloud com­put­ing,” the chief jus­tice wrote. “Prob­a­bly a good idea, but the Founders did not fight a rev­o­lu­tion to gain the right to gov­ern­ment agency pro­to­cols.”

...

As the article indicates, while it’s unclear how directly this ruling by the Supreme Court could impact rulings on bulk metadata collection, observers on all sides agree that this cell phone ruling “is not a one-off, but seems to be part of a pattern of the court’s efforts to square privacy rights with the new challenges posed by emerging technology”. And that’s good news because, at the end of the day, the only real solution to these increasingly difficult issues of balancing privacy and security in an ever-changing technological landscape is a never-ending cycle of court cases, legislation, and lots and lots of people spending time to really think through the implications of how we progress through the Information Age.

But as the article also highlights, it’s unclear from this ruling which way the court is leaning on the issue of bulk metadata collection because, as Chief Justice Roberts put it, “these cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” while also asserting that “the Government proposes that law enforcement agencies ‘develop protocols to address’ concerns raised by cloud computing... Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.” What Chief Justice Roberts appears to be alluding to is the idea that issues like this can’t be handled by self-regulation and protocols alone. That seems to suggest Roberts is of the opinion that in order to balance privacy and security (in an age where cell phones might hold more personal information about you than the contents of your home) we’re probably going to need policy solutions and technological solutions. And he’s quite right. When technology creates new legal conundrums, a look at changing the technology or changing how it’s used is clearly part of the solution.

What Would Snow­den and the Cypher­punks Say?
But, of course, it’s also worth pointing out that “we need policy solutions and technology solutions” is a lot easier said than done. For instance, take the “policy + technology” solutions that Edward Snowden has consistently recommended to global audiences. As Snowden puts it, we need policy solutions but we also need technology solutions like unbreakable end-to-end encryption and the use of systems like TOR to ensure that bulk data collection becomes impossible [8]:

The Inquir­er
Edward Snow­den wants easy to use encryp­tion every­where
Com­mu­ni­ty must do more
By Dave Neal
Mon Mar 10 2014, 18:0

SURVEILLANCE WHISTLEBLOWER Edward Snow­den has tak­en part in a video con­ver­sa­tion at the South By South­west (SXSW) con­fer­ence and called for more acces­si­ble encryp­tion tools.

The sub­ject of the con­ver­sa­tion, which was host­ed by the Amer­i­can Civ­il Lib­er­ties Union, was whether com­mu­ni­ca­tions are secure and if they can be trust­ed. They can, said Snow­den, but only with some third par­ty help and the use of end to end, machine to machine encryp­tion.

The use of strong encryp­tion is key and the pan­el agreed that Snow­den’s rev­e­la­tions have improved the secu­ri­ty land­scape. The whistle­blow­er said that tech­nol­o­gy com­pa­nies need to help make encryp­tion more acces­si­ble and less com­plex. “Encryp­tion does work,” he said, call­ing it “the defence against the dark arts for the dig­i­tal realm.”

Snow­den said that the US Nation­al Secu­ri­ty Agency (NSA) has cre­at­ed an “adver­sar­i­al inter­net”. He added that while pol­i­cy changes are need­ed, tech­no­log­i­cal changes will be the most effec­tive.

“[We must] craft solu­tions that are safe”, he said. “End to end encryp­tion makes bulk sur­veil­lance impos­si­ble. There is more over­sight, and they won’t be able to pitch exploits at every com­put­er in the world with­out get­ting caught.”

...

As Snow­den said, “End to end encryp­tion makes bulk sur­veil­lance impos­si­ble. There is more over­sight, and they won’t be able to pitch exploits at every com­put­er in the world with­out get­ting caught.” So, if Snow­den is cor­rect, we can sim­ply devel­op easy-to-use unbreak­able encryp­tion tech­nol­o­gy and bulk sur­veil­lance will be made impos­si­ble and there­fore all sur­veil­lance will be forced to shift towards tar­get­ed sur­veil­lance where “there is more over­sight”. No more bulk sur­veil­lance but still room for tar­get­ed sur­veil­lance. Prob­lem solved, right?

Well, if the elim­i­na­tion of bulk data col­lec­tion is some­thing that soci­ety wants to pri­or­i­tize then, yes, strong end-to-end encryp­tion and the use of tools like TOR (because strong encryp­tion still won’t actu­al­ly hide all the meta­da­ta, you’d need some­thing like TOR) would indeed force sur­veil­lance to become much more tar­get­ed. Assum­ing a spy­ware­poca­lypse [9] does­n’t take place.

But what about that targeted surveillance that Snowden claims to support? Will that still be possible once strong end-to-end encryption tools are made widely available? Well, here’s where it gets messy in ways that Snowden and the Cypherpunks don’t like to talk about [10] and in ways that relate to the Supreme Court’s recent cellphone ruling: Once you have easy-to-use strong encryption tools that make communications unbreakable, it’s probably not going to take too long before similar tools (or the very same tools) are also used to make the local files on your computer strongly encrypted too. That means that when there’s a legitimate law enforcement or national security need to view the contents of someone’s computer or smartphone, a warrant won’t be enough. The person under investigation is simply going to have to decrypt the data or hand over a password under threat of contempt of court. And when law enforcement has to rely on the person being investigated to provide access to incriminating evidence, it means we might be seeing a lot more 5th amendment stories like this [1]:

Extreme­Tech
US Appeals court upholds Fifth Amend­ment right to not decrypt hard dri­ves

By Joel Hrus­ka on Feb­ru­ary 24, 2012 at 1:31 pm

The 11th Cir­cuit Appeals Court has issued an impor­tant rul­ing on the ques­tion of whether or not a defen­dant can be forced to decrypt a hard dri­ve when its con­tents could pro­vide addi­tion­al incrim­i­nat­ing evi­dence. The case in ques­tion refers to the actions of a John Doe who was com­pelled to tes­ti­fy before a grand jury in exchange for immu­ni­ty from pros­e­cu­tion. Doe was ordered to decrypt the con­tents of his lap­top as part of that tes­ti­mo­ny, but was told that his immu­ni­ty would not extend to the deriv­a­tive use of such mate­r­i­al as evi­dence against him. Doe refused to decrypt the True­Crypt-locked dri­ves, claim­ing that to do so would vio­late his Fifth Amend­ment right against self-incrim­i­na­tion.
...

Note that this case involves the use of TrueCrypt, one of the tools Snowden used to encrypt his NSA documents and one that he strongly advocates [11] (before it mysteriously shut down [12] about a week before the Heartbleed revelations [13]). Not only can TrueCrypt encrypt data in ways that the NSA can’t break, but it also allows you to create hidden volumes within your encrypted volumes [14] so if you are asked to hand over the password you can simply give the “fake” top-layer password that only decrypts the non-hidden folders.

Con­tin­u­ing...

...
The 11th Circuit’s rul­ing revers­es the low­er court’s deci­sion [15] to hold Doe in con­tempt and affirms that forc­ing him to decrypt the dri­ves would be unlaw­ful. It also states that the dis­trict court erred in lim­it­ing the immu­ni­ty it grant­ed Doe to only apply to grand jury tes­ti­mo­ny and not the deriv­a­tive use of the evi­dence in ques­tion. The rul­ing on mis­ap­plied immu­ni­ty means that the 11th Cir­cuit could’ve punt­ed on the Fifth Amend­ment issue, but the court opt­ed not to do so.

The applic­a­bil­i­ty of the Fifth Amend­ment rests on the ques­tion of what the gov­ern­ment knew and how it knew it. Fed­er­al pros­e­cu­tors admit­ted at tri­al that while the amount of stor­age encrypt­ed exceed­ed 5TB, there was no way to deter­mine what data was on the hard dri­ve — indeed, if there was any data what­so­ev­er. Plain­tiffs were reduced to hold­ing up numer­i­cal print­outs of encryp­tion code that they said “rep­re­sent­ed” the data they want­ed, but were forced to admit that there was no way to dif­fer­en­ti­ate what might be ille­gal mate­r­i­al vs. legal.

The ques­tion at hand is whether or not decrypt­ing the con­tents of a lap­top dri­ve is tes­ti­mo­ny or sim­ply the trans­fer of exis­tent infor­ma­tion. The court acknowl­edges that the drive’s files are not tes­ti­mo­ny of them­selves, but writes “What is at issue is whether the act of pro­duc­tion may have some tes­ti­mo­ni­al qual­i­ty suf­fi­cient to trig­ger Fifth Amend­ment pro­tec­tion when the pro­duc­tion explic­it­ly or implic­it­ly con­veys some state­ment of fact.” (empha­sis orig­i­nal)

Pre­vi­ous court cas­es have estab­lished that mere­ly com­pelling a phys­i­cal act, such as requir­ing a defen­dant to pro­vide the key to a safe, is not tes­ti­mo­ni­al. Actions are also non-tes­ti­mo­ni­al if the gov­ern­ment can invoke the “fore­gone con­clu­sion” doc­trine by show­ing with “rea­son­able par­tic­u­lar­i­ty” that it already knew that cer­tain mate­ri­als or con­tent exist­ed.

By decrypt­ing the dri­ves, Doe is admit­ting “his knowl­edge of the exis­tence and loca­tion of poten­tial­ly incrim­i­nat­ing files; of his pos­ses­sion, con­trol, and access to the encrypt­ed por­tions of the dri­ves; and of his capa­bil­i­ty to decrypt the files.” The court dis­miss­es the argu­ment that the con­tents of Doe’s hard dri­ves are a fore­gone con­clu­sion, not­ing that “Noth­ing… reveals that the Gov­ern­ment knew whether any files exist or the loca­tion of those files on the hard dri­ves; what’s more, noth­ing in the record illus­trates that the Gov­ern­ment knew with rea­son­able par­tic­u­lar­i­ty that Doe was even capa­ble of access­ing the encrypt­ed por­tions of the dri­ves.

“The Gov­ern­ment has not shown, how­ev­er, that the dri­ves actu­al­ly con­tain any files, nor has it shown which of the esti­mat­ed twen­ty mil­lion files the dri­ves are capa­ble of hold­ing may prove use­ful… we are not per­suad­ed by the sug­ges­tion that sim­ply because the devices were encrypt­ed nec­es­sar­i­ly means that Doe was try­ing to hide some­thing. Just as a vault is capa­ble of stor­ing moun­tains of incrim­i­nat­ing doc­u­ments, that alone does not mean that it con­tains incrim­i­nat­ing doc­u­ments, or any­thing at all.”

Not exact­ly carte blanche

The strength of this decision is the balance it strikes between the rights of the government and the individual. Rather than focusing on the nature of the pass phrase defendants are ordered to provide, it emphasizes the issue of what the prosecution knows and how it learned it. If the prosecutors had had sufficient data to indicate that illegal materials were stored on Doe’s hard drives, forcing him to testify would’ve been valid under the foregone conclusion principle.

...

This deci­sion doesn’t make it impos­si­ble for the gov­ern­ment to use the con­tents of an encrypt­ed dri­ve, but it requires that the pros­e­cu­tion demon­strate a knowl­edge of the con­tents and data con­tained there­in before being allowed to issue a blan­ket demand. It’s a fair call, and giv­en the increas­ing num­ber of sim­i­lar cas­es, an impor­tant one.

There’s a lot to digest there: Ok, so it appears that “John Doe” was staying in a hotel room with an internet IP address that was caught accessing child porn over YouTube. But it wasn’t the only hotel room with that IP address so it couldn’t be specifically tied to his computer. The prosecutors offer him immunity for his testimony if he decrypts the TrueCrypt-encrypted files on his computer but they don’t offer him immunity for the “derivative use of such material as evidence against him”. So Doe refuses to decrypt the drive, citing the 5th amendment right against self-incrimination. And the 11th Circuit Appeals Court argued that:

...
By decrypt­ing the dri­ves, Doe is admit­ting “his knowl­edge of the exis­tence and loca­tion of poten­tial­ly incrim­i­nat­ing files; of his pos­ses­sion, con­trol, and access to the encrypt­ed por­tions of the dri­ves; and of his capa­bil­i­ty to decrypt the files.

The court dis­miss­es the argu­ment that the con­tents of Doe’s hard dri­ves are a fore­gone con­clu­sion, not­ing that “Noth­ing… reveals that the Gov­ern­ment knew whether any files exist or the loca­tion of those files on the hard dri­ves; what’s more, noth­ing in the record illus­trates that the Gov­ern­ment knew with rea­son­able par­tic­u­lar­i­ty that Doe was even capa­ble of access­ing the encrypt­ed por­tions of the dri­ves.
...

In oth­er words, the 11th Cir­cuit appeals court ruled that pro­vid­ing the decryp­tion key is basi­cal­ly a tes­ti­mo­ny that says “yes, I have access to those files” and thus con­sti­tutes a self-incrim­i­nat­ing tes­ti­mo­ny when the gov­ern­ment could­n’t actu­al­ly pro­vide evi­dence that they knew any incrim­i­nat­ing evi­dence was on the dri­ve (since mul­ti­ple hotel rooms shared the same IP). If this seems like a stretch, keep in mind that it’s entire­ly pos­si­ble for some­one to pos­sess a com­put­er or smart­phone that con­tains encrypt­ed files that some­one else put there and con­trols.

Is Encryp­tion Like a Strong­box or a Wall Safe? Who Cares? The Courts
Also keep in mind that the Supreme Court has yet to rule on this case or sim­i­lar cas­es, so a very big Supreme Court rul­ing on forced decryp­tion is just a mat­ter of time [16]:

DuqCrim.com
Criminal Justice Program of Duquesne University School of Law

The catch 22 of forced decryp­tion.
Post­ed by Frank Spinel­li on May 7, 2014 at 7:14 AM

Should forced decryp­tion of a hard dri­ve be pro­hib­it­ed under the Fifth Amend­ment?

Some back­ground: In cryp­tog­ra­phy, encryp­tion is the process of encod­ing mes­sages or infor­ma­tion in such a way that only autho­rized par­ties can read it. Encryp­tion has been around for a very long time, and has his­tor­i­cal­ly been used fre­quent­ly dur­ing wartime.

...

Meanwhile, the Fifth Amendment states that no person, “shall be compelled in any criminal case to be a witness against himself.” The Fifth Amendment is designed to prevent the accused from being forced to divulge incriminating evidence from within his or her own mind, to be used against him or her self. A person may invoke the Fifth Amendment once three factors have been established: compulsion, a testimonial communication or act, and incrimination. The law also requires that the information sought still retain testimonial value, and consequently be worth being constitutionally protected. The information sought out cannot already be a foregone conclusion, which the Government already concretely knows, or has proven exists by independent means.

Com­pul­sion, and incrim­i­na­tion are rel­a­tive­ly straight­for­ward where an accused is asked by a court to decrypt a hard dri­ve.

The court is com­pelling the accused to divulge the con­tents that are encrypt­ed in one of two ways. First­ly, by either decrypt­ing the infor­ma­tion by pro­vid­ing the pass­word required to decrypt the infor­ma­tion, enabling author­i­ties to do just the same. Or, sec­ond­ly, by pro­vid­ing the infor­ma­tion sought, in a decrypt­ed and intel­li­gi­ble form.

Incrim­i­na­tion mere­ly refers to the fact that the infor­ma­tion sought to be gained, and com­pelled to be revealed by the accused, is in fact incrim­i­nat­ing.

The issue that is currently undecided is whether or not the act of production, or enabling the decrypting, is testimonial, and whether or not the testimonial status extends beyond the act of decrypting, to the actual contents revealed, or decrypted.

The Supreme Court has yet to rule on this issue. The highest court to rule on the issue has provided some interesting insight regarding the issue. The Eleventh Circuit has held that an accused may not be forced to decrypt the files on an encrypted hard drive, due to the nature of encryption.

The court explained that whether an act is testimonial, and is covered by the protections of invoking the Fifth Amendment, or merely a compelled physical act, which remains unprotected by the Fifth Amendment, can be best analogized to the difference between a strongbox and a wall safe. The court relied on previous Supreme Court decisions concerning the Fifth Amendment, pointing out that the forced production of a physical key to a strong box would not generally be considered to be a testimonial act. Whereas, the forced production of a combination to a wall safe would be considered a protected testimonial communication or act, as it requires an accused to reveal a truth from within his or her mind. The revelation of which would lead to the production of incriminating evidence, from within the wall safe, or at least support a link in the chain of evidence, strengthening the case against the accused. Something that the Fifth Amendment was specifically added to the Bill of Rights to protect against.

For example, in regards to the previously mentioned historical events, hypothetically, an accused person would be unable to invoke the Fifth Amendment in a case where a court issued a subpoena forcing the production of an enigma machine to decrypt a file. This would be analogous to the physical key in the strongbox analogy, because the act of producing the enigma machine, would be requiring a physical act. However, if a court issued a subpoena forcing an accused person, fluent in Navajo and English, to reveal the contents of a file, written in Navajo, it would likely be considered to be a testimonial act, and protected under the invocation of the Fifth Amendment. The second subpoena requires the accused to reveal encrypted information by utilizing a mental skill, and essentially compel the production of encrypted, and incriminating evidence from within his or her mind.

Furthermore, because of the nature of encryption, the “foregone conclusion” doctrine is generally inapplicable to information sought, unless corroborated from other evidence, or non-encrypted data on the drive. This is simply because, as the court pointed out, until a hard drive is decrypted it is usually extremely difficult to tell what type of file, or files, if any, are being stored on a hard drive until it is decrypted. Consequently, it is generally not a “foregone conclusion,” since it is difficult to tell if an encrypted hard drive contains zero data, or is filled completely with encrypted data, as empty space and recorded data appear generally the same before decryption. The court therefore reasoned that the decrypted information should also be protected, not just the act of production of the password, but the decrypted data as well.

Consequently, a broader grant of immunity would have to be granted, one which extended to the data eventually decrypted, not just the act of production, before a court may compel an accused to decrypt data.

The issue remains unclear for now in the oth­er cir­cuits, and most states, until the Supreme Court hears a case con­cern­ing this issue, and rules deci­sive­ly on it.

...

“The issue remains unclear for now in the other circuits, and most states, until the Supreme Court hears a case concerning this issue, and rules decisively on it.” Yep, the issue does remain unclear. But if the Supreme Court is poised to issue a series of rulings on privacy-related issues it seems pretty likely that we’re going to see a ruling on this topic of forced decryption pretty soon because the growth in both the number and popularity of encryption tools means 5th amendment fights over forced decryption are only going to become increasingly frequent. And that means the “Strongbox vs Wall safe” debate is going to become quite a hot topic because, as groups like the Cypherpunk-leaning Electronic Frontier Foundation [17] (EFF) and the ACLU argued last October, if you’re ever forced to decrypt your data it is clearly a “wall safe” and not a “strongbox” scenario and therefore you should get blanket immunity for anything found [2]:

Threat­post

EFF Makes Case That Fifth Amend­ment Pro­tects Against Com­pelled Decryp­tion
by Michael Mimoso
Octo­ber 31, 2013 , 2:08 pm

With new leaks about the extent of U.S. gov­ern­ment sur­veil­lance com­ing almost dai­ly, one con­stant remains among all the deter­rents to the NSA’s pry­ing eyes: encryp­tion tech­nol­o­gy works. As far as we know, the math behind encryp­tion is sol­id, despite the specter of some unnamed break­through [18] made by the spy agency some years ago.

...

Tan­gen­tial­ly, the gov­ern­ment con­tin­ues to try to make a case for the abil­i­ty to force some­one alleged to have com­mit­ted a crime to decrypt their hard dri­ves and turn over evi­dence. On a num­ber of pre­vi­ous occa­sions, the courts have upheld Fifth Amend­ment pro­tec­tions against self-incrim­i­na­tion [19] in such cas­es.

In a case start­ing on Mon­day in Mass­a­chu­setts Supreme Judi­cial Court, an appeal of a pre­vi­ous deci­sion against Leon Gelf­gatt, 49, of Mar­ble­head, Mass., an attor­ney, was indict­ed in a mort­gage fraud scam [20] in which he is alleged to have stolen more than $1.3 mil­lion. The gov­ern­ment, in try­ing to make its case against Gelf­gatt, tried to com­pel him to decrypt his hard dri­ve. The judge in the case, how­ev­er, denied the request say­ing that such an action would vio­late the Fifth Amend­ment.

Dig­i­tal advo­ca­cy group the Elec­tron­ic Fron­tier Foun­da­tion, along with the Amer­i­can Civ­il Lib­er­ties Union, filed an ami­cus brief [21] yes­ter­day explain­ing the Fifth Amend­ment priv­i­lege against self-incrim­i­na­tion pro­hibits com­pelled decryp­tion. Han­ni Fakhoury, staff attor­ney with the EFF, wrote in a blog­post [22] that the Fifth Amend­ment pro­tects an indi­vid­ual from unveil­ing the “con­tents of his mind” and that the gov­ern­ment through this action would be learn­ing new facts in the case beyond the encryp­tion key.

“By forc­ing Gelf­gatt to trans­late the encrypt­ed data it can­not read into a read­able for­mat, it would be learn­ing what the unen­crypt­ed data was (and whether any data exist­ed),” Fakhoury wrote. “Plus, the gov­ern­ment would learn per­haps the most cru­cial of facts: that Gelf­gatt had access to and domin­ion and con­trol of files on the devices.”

The government’s argu­ment is that the decryp­tion is akin to pro­vid­ing the com­bi­na­tion to unlock a safe, rather than com­pelling the pro­duc­tion of decrypt­ed files.

“That asser­tion is incor­rect,” the brief says. “Just as encrypt­ing a dri­ve encrypts each and every one of its files, decrypt­ing the dri­ve makes avail­able copies of all of its files.” The con­tention is that because the data is trans­formed and scram­bled, decryp­tion is more than a key, safe com­bi­na­tion or pass­word, the brief said.

...

“In the sur­veil­lance envi­ron­ment, the need for encryp­tion is espe­cial­ly strong because it often seems that strong tech­nol­o­gy is our last refuge from the government’s pry­ing eyes,” Fakhoury said. “We’ve seen in all the leaks the government’s effort to under­mine web encryp­tion and so we must make sure they can’t under­mine the phys­i­cal device encryp­tion here.”

So in this case involving $1.3 million stolen through mortgage fraud, the government tried to compel the defendant to decrypt his data by arguing that decryption is analogous to handing over a key to a strongbox. But the EFF and ACLU assert the opposite [19], that decryption is an act of revealing a piece of your inner mind and therefore protected by the 5th Amendment. So when the Supreme Court eventually rules on this topic, THAT’s one of the key legal distinctions it’s going to have to resolve: Is encryption like a strongbox or a wall safe? Welcome to the fun world of unbreakable encryption and legal rights.

The Massachusetts Supreme Court ruled on that $1.3 million mortgage fraud case just days ago. In that instance, the court found, the government could compel decryption. Why? Well, basically because the person under investigation told the police that he could indeed decrypt the data, but he won’t. So, in this case, court-ordered forced decryption was deemed constitutional. But that’s just for Massachusetts. Until the US Supreme Court rules on this topic, the constitutionality of forced decryption will depend on not only your legal circumstances, but also your locale [23]:

Ars tech­ni­ca
Mass­a­chu­setts high court orders sus­pect to decrypt his com­put­ers
Sus­pect told cops: “Every­thing is encrypt­ed and no one is going to get to it.”

by Cyrus Fari­var — June 25 2014, 7:00pm CST

Mass­a­chu­setts’ top court ruled, in a 5–2 deci­sion [24] on Wednes­day, that a crim­i­nal sus­pect can be ordered to decrypt his seized com­put­er.

The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment right to protect against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights). For example, more than two years ago, the 11th Circuit Court of Appeals ruled [25] that a defendant was not obliged to decrypt his hard drive, as doing so would violate his Fifth Amendment rights. However, that ruling only took effect in the 11th Circuit, which covers parts of the southeastern United States. Just last year, a federal judge refused [26] to force a Wisconsin child pornography suspect to decrypt his laptop. Overall, cases involving decryption are still relatively new [27] and rare. The first known one only dates back to 2007 [28].

Pri­va­cy advo­cates lament­ed the MSJC’s new rul­ing, dis­agree­ing with the court’s judg­ment that an excep­tion to the Fifth Amend­ment rule, such as a “fore­gone con­clu­sion,” applies here.

“The defen­dant is only telling the gov­ern­ment what it already knows”

hori­ties that he was able to decrypt his com­put­ers but would not do so.

As the MSJC ruled [29]:

Dur­ing his postar­rest inter­view with State police Troop­er Patrick M. John­son, the defen­dant stat­ed that he had per­formed real estate work for Bay­lor Hold­ings, which he under­stood to be a finan­cial ser­vices com­pa­ny. He explained that his com­mu­ni­ca­tions with this com­pa­ny, which pur­port­ed­ly was owned by Russ­ian indi­vid­u­als, were high­ly encrypt­ed because, accord­ing to the defen­dant, “[that] is how Rus­sians do busi­ness.” The defen­dant informed Troop­er John­son that he had more than one com­put­er at his home, that the pro­gram for com­mu­ni­cat­ing with Bay­lor Hold­ings was installed on a lap­top, and that “[e]verything is encrypt­ed and no one is going to get to it.” The defen­dant acknowl­edged that he was able to per­form decryp­tion. Fur­ther, and most sig­nif­i­cant­ly, the defen­dant said that because of encryp­tion, the police were “not going to get to any of [his] com­put­ers,” there­by imply­ing that all of them were encrypt­ed.

When con­sid­er­ing the entire­ty of the defen­dan­t’s inter­view with Troop­er John­son, it is appar­ent that the defen­dant was engaged in real estate trans­ac­tions involv­ing Bay­lor Hold­ings, that he used his com­put­ers to alleged­ly com­mu­ni­cate with its pur­port­ed own­ers, that the infor­ma­tion on all of his com­put­ers per­tain­ing to these trans­ac­tions was encrypt­ed, and that he had the abil­i­ty to decrypt the files and doc­u­ments. The facts that would be con­veyed by the defen­dant through his act of decryption—his own­er­ship and con­trol of the com­put­ers and their con­tents, knowl­edge of the fact of encryp­tion, and knowl­edge of the encryp­tion key—already are known to the gov­ern­ment and, thus, are a “fore­gone con­clu­sion.” The Com­mon­wealth’s motion to com­pel decryp­tion does not vio­late the defen­dan­t’s rights under the Fifth Amend­ment because the defen­dant is only telling the gov­ern­ment what it already knows.

A step back for pri­va­cy

Because Gelf­gatt already admit­ted to police that he owned and con­trolled the seized com­put­ers and had the abil­i­ty to decrypt them, the court found that the act of decryp­tion would not reveal any­thing new to the police. There­fore, the act of com­pelled decryp­tion was not “tes­ti­mo­ni­al [30].” Nor­mal­ly, the Fifth Amend­ment priv­i­lege pre­vents the gov­ern­ment from forc­ing a wit­ness to dis­close incrim­i­nat­ing infor­ma­tion in his mind (like a pass­word not writ­ten down any­where else)—but only if that is infor­ma­tion the police do not already know.

Jessie Ross­man [31], an attor­ney with the Amer­i­can Civ­il Lib­er­ties Union of Mass­a­chu­setts, told Ars that her orga­ni­za­tion is “dis­ap­point­ed in the deci­sion.”

“For exam­ple, an indi­vid­ual can be forced to hand over a key to a locked safe if the gov­ern­ment already knows that’s your safe—the doc­u­ments in there have already been cre­at­ed,” she said.

“Your open­ing that safe, the doc­u­ments are already there. That’s not new tes­ti­mo­ni­al. But encrypt­ed data needs to be trans­formed into some­thing new when decrypt­ed. A num­ber of encrypt­ed tech­nol­o­gy works such that when you look at [a hard dri­ve] you can’t even tell what is emp­ty space or what is not emp­ty space. When you decrypt that com­put­er it’s cre­at­ing some­thing new and if you didn’t have any knowl­edge, the act of decrypt­ing tells you some­thing you didn’t know before­hand. We believe that the Fifth Amend­ment and Arti­cle 12 needs to pro­tect not only the act of enter­ing a code but the act of pro­duc­ing decrypt­ed files to the gov­ern­ment.”

...

Fred Cate [32], a law pro­fes­sor at Indi­ana Uni­ver­si­ty, told Ars that this rul­ing could come with an unfor­tu­nate con­se­quence. If some­one admits to own­ing a com­put­er and asserts that they pos­sess the pass­word, “its only like­ly effect is to encour­age future defen­dants to be less forth­com­ing with police.”

“This seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9–0 victory for privacy [33] involving searches of cellphones, the outcome is not at all certain,” he added. “Historically, the high court has taken a dim view of efforts to expand the Fifth Amendment privilege against self-incrimination or to apply it in novel ways. In the meantime, we should expect to see both federal and state courts continuing to reach divergent results when faced with this important question.”

As suggested at the end, “this seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9–0 victory for privacy [33] involving searches of cellphones, the outcome is not at all certain.” Should that uncertainty be surprising? Well, we aren’t just looking at the emergence of a new technological phenomenon (pocket-sized computers) requiring a review of 4th amendment rights. We’re really looking at the intersection of two intertwined technologies. Until the last decade or so, you didn’t have people carrying around a home’s worth of personally revealing (and potentially incriminating) information in their pockets. And yet, as the article points out, pre-2007 [34] we didn’t really see cases involving court-forced decryption [28], which is to be expected since strong encryption is notoriously non-user-friendly. And the Supreme Court’s recent ruling on the 4th Amendment didn’t really address the issue of forced decryption at all, so yes, quite a bit of uncertainty should probably be expected in the area.

At the same time, notice the overwhelmingly negative responses to this Massachusetts Supreme Court ruling by groups like the ACLU and EFF even when the defendant basically tells the police that, yes, the encrypted drives are his and, yes, he can decrypt them. So one thing we can probably be pretty sure of is that this issue is going to be contentious for a long long time and the debate over forced decryption is only going to grow. In situations like this where there isn’t a clear ‘right’ and ‘wrong’ but instead a difficult balancing of priorities, a drawn out fight is pretty much guaranteed.

So get ready for more Supreme Court rul­ings on these top­ics. But also get ready for more con­fus­ing debates over “what did the gov­ern­ment know and when did they know it” and a far more detailed exam­i­na­tion of the dis­tinc­tions between strong­box­es and wall safes than you ever expect­ed to endure. Is decryp­tion “an act of pro­duc­tion” war­rant­i­ng 5th Amend­ment pro­tec­tions or just “a phys­i­cal act”? We’ll find out!

But the fact that these strangely nuanced legal distinctions have to be made in the first place is actually a great example of the system working. Life is complex and the law should reflect that complexity. And as technology progresses those complexities are only going to grow so this is the kind of legal morass that we should be somewhat pleased to see emerging. That legal morass is a reflection of a reality morass and it has to be tackled. Tackled over and over as technology changes. But that legal morass is also a strong reminder that privacy, security, and ever-changing technology are far more complex than the version of reality presented by Edward Snowden and his allies like the EFF.

Many of the accolades given to the Supreme Court’s recent ruling are about how it formalized a recognition that the scale of technology can qualitatively change its nature and necessitate a legal rebalancing of privacy and security. The simple cellphones of yesteryear are quite different from the smartphones of today. As the Supreme Court put it, searching someone’s cellphone might be more informative than searching their home. That’s an important recognition because if technology suddenly allows us all to walk around with a home’s worth of personal information in our pockets we probably don’t want to allow full access to that when someone is simply under arrest. But as we saw with tools like TrueCrypt, if our smartphones are homes, they’re increasingly homes that cannot be entered at all by law enforcement without the permission of the home owner regardless of circumstance because it will be mathematically impossible (and maybe physically impossible [35] someday).

If a court issues a warrant to allow a search of your home, someone is going to search your home whether you want to let them in or not. Physically impenetrable homes aren’t physically possible. But impenetrable smartphones via encryption, on the other hand, are now being aggressively developed and promoted (by Germany) in the post-Snowden era for use by the masses [36] (although they’ll still presumably be hackable by the BND [37] or whichever government sponsors them).

Sure, you can still be sent to jail for contempt of court if you refuse to comply with a valid court order to decrypt, but that just means that the jail time for contempt of court could now suddenly become a much more available legal option in a growing number of cases for people facing far more serious crimes. And don’t forget that people can be assigned the role of the data mule or data ‘fall guy’ in a larger criminal organization. That might be a lot easier to do going forward. We should still prioritize protecting our 4th Amendment rights, but we should also recognize the new real costs that arise when protecting them as we’re forced to adapt those legal protections to changing technological landscapes. Strong encryption is an incredibly useful tool, for good or ill. And that means strong encryption is going to lead to new costs in protecting those rights at the same time that it’s being used in helpful ways. It is what it is.

Beware of Libertarians Bearing Non-Solutions

So let’s be relieved that the Supreme Court is intent on tackling the increasingly complex issues surrounding privacy, security, and technology because the legal ambiguity on these issues is only going to grow. Unbreakable encryption is just a matter of time because it already exists. Edward Snowden may have dramatically accelerated strong encryption’s adoption, but it was just a matter of time before some encryption “killer app” brought strong encryption for both data transmissions and local data storage to the masses. These super-encryption tools were already growing in popularity long before Snowden came along and turned the global focus onto them. Some sort of legal clarity was going to be necessary sooner or later.

And let’s also be relieved that the recent 4th amendment ruling signifies that the Supreme Court justices are keenly aware that changes in the scope and capacity of technology can necessitate significant rethinking in how society establishes the rules and safeguards for both the technology itself and how that ever-changing technology interfaces with our never-changing human situation of all having to live together under a uniform set of laws. It was a great ruling on the 4th that was overdue.

But with tools like TrueCrypt and Tor becoming increasingly popular, let’s not be relieved about the fact that folks like Edward Snowden, Julian Assange, Jacob Appelbaum, and the rest of the Cypherpunk/Cyberlibertarian movement have largely seized control of the international debates over these issues. Balancing privacy, security, and technology is tough enough as is and it’s only going to get more and more complicated. That’s why you don’t want extremist ideologies dominating the debate. The Cypherpunks make many valid points when highlighting the dangers of a creeping technology-enabled surveillance state (it’s not hard). But Snowden and the Cypherpunks also casually dismiss or ignore the darker implications of the solutions they suggest [38].

If society wants to go down the path of adopting ubiquitous unbreakable encryption and tools that allow for layers and layers of “hidden volumes” along with generous 5th Amendment interpretations that give blanket immunity for forced decryption, well, ok, society should have the right to go down that path. And it might even be the best path overall. We’ll find out because it’s kind of inevitable that super encryption goes mainstream. But we should at least be trying to predict the negative implications that come with going down that path and you don’t see any real attempts to do that by the movements that are currently dominating the global debate. That’s precarious.

It’s true that Edward Snowden and the Cypherpunks say things like “not all spying is bad [39]” and things like “we need both policy solutions and technical solution”, but that’s about it. The rest of what he’s been advocating is largely a Cypherpunk agenda that makes policy solutions moot. Let’s take another quick look at Snowden’s suggestions at the SXSW festival [40]:

Wired
Edward Snow­den Urges SXSW Crowd to Thwart NSA With Tech­nol­o­gy

By Kim Zetter
03.10.14 | 3:48 pm

With law­mak­ers slow to pass leg­is­la­tion curb­ing NSA sur­veil­lance, it’s up to the tech­nol­o­gy com­mu­ni­ty to step in and devise solu­tions that will bet­ter pro­tect online com­mu­ni­ca­tions from snoops, said Edward Snow­den, speak­ing today from Moscow at the South by South­west con­fer­ence in Austin.

“[T]he peo­ple who are in the room at Austin right now, they’re the folks who can real­ly fix things, who can enforce our rights for tech­ni­cal stan­dards even when Con­gress hasn’t yet got­ten to the point of cre­at­ing leg­is­la­tion that pro­tect our rights in the same man­ner…,” he said. “There’s a pol­i­cy response that needs to occur, but there’s also a tech­ni­cal response that needs to occur. And it’s the mak­ers, the thinkers, the devel­op­ing com­mu­ni­ty that can real­ly craft those solu­tions to make sure we’re safe.”

The mas­sive sur­veil­lance being done by the NSA and oth­er gov­ern­ments has cre­at­ed “an adver­sar­i­al inter­net,” he said, “a sort of a glob­al free-fire zone for gov­ern­ments, that’s noth­ing that we ever asked [for]; it’s not what we want­ed. It’s some­thing we need to pro­tect against….

“[T]hey’re set­ting fire to the future of the inter­net. And the peo­ple who are in this room now, you guys are all the fire­fight­ers. And we need you to help us fix this.”

One solu­tion he high­light­ed, that would make it more dif­fi­cult for the U.S. and oth­er gov­ern­ments to con­duct pas­sive sur­veil­lance, is the imple­men­ta­tion of end-to-end encryp­tion that would pro­tect com­mu­ni­ca­tions from user to user, rather than as it’s cur­rent­ly done by Google and oth­er ser­vices, which only encrypt the com­mu­ni­ca­tion from user to ser­vice, leav­ing it vul­ner­a­ble to col­lec­tion from the ser­vice provider.

“End-to-end encryp­tion … makes mass sur­veil­lance impos­si­ble at the net­work lev­el,” he says, and pro­vides a more con­sti­tu­tion­al­ly pro­tect­ed mod­el of sur­veil­lance, because it forces the gov­ern­ment to tar­get the end­points — the indi­vid­ual users — through hack­ing, rather than con­duct mass col­lec­tion.

...

“End-to-end encryption … makes mass surveillance impossible at the network level,” he says, and provides a more constitutionally protected model of surveillance, because it forces the government to target the endpoints — the individual users — through hacking, rather than conduct mass collection.

That’s the claim made over and over by Snowden: if we just all implement end-to-end strong encryption then the government will just target individual users “through hacking”. So it will be harder for the government to spy on individuals, but not impossible. But as we’ve seen, there’s really no way to “hack” strongly-encrypted locally stored data. Especially if it’s in a hidden volume that can’t be detected. And then there’s the fact that much of what Snowden’s leaks have revealed has been targeted surveillance methods [41].

Snow­den’s words have enor­mous influ­ence on these top­ics and, unfor­tu­nate­ly, that means the glob­al pol­i­cy debate that needs to emerge in response to ubiq­ui­tous super encryp­tion tech­nol­o­gy is start­ing off in a warped man­ner. We get end­less debates over whether or not meta­da­ta col­lec­tion helps stop ‘ter­ror’ and yet, as we also saw above, it was­n’t ter­ror­ism that peo­ple were using strong encryp­tion to car­ry out. It was every­day crimes. This isn’t just about ter­ror­ism and the abuse of gov­ern­ment pow­er.

So we really have to keep asking ourselves if the anti-NSA backlash is going to be used by folks with a libertarian agenda to weaken the government in ways that go far beyond bulk surveillance [42]. If we accept the libertarian assumption that government simply can’t work, the kind of balance eventually struck on issues like the 4th and 5th amendments may result in the kind of society where things like legitimate law enforcement increasingly can’t work too. Is that part of the agenda? It sure would fit the current anti-government fever [43] afflicting an increasingly far-right GOP. Just imagine the kinds of corporate abuses that could be enabled with end-to-end encryption, “hidden volumes”, and the kind of 5th Amendment interpretation that basically views any forced decryption as a violation of the 5th Amendment.

These lurking dangers are one of the reasons why the Supreme Court’s 4th Amendment ruling was great but it was also only part of the overall solution to balancing privacy and security in this current technological environment. Now that strong encryption for the masses is becoming a reality, a 5th Amendment ruling on forced decryption is going to be needed too before we can really assess the new legal landscape. And as we saw above, that’s not an easy or obvious ruling... not nearly as easy as this 4th amendment case. In fact, it looks pretty difficult. Is encryption like a strongbox or wall safe? What a strange concept to have legal immunity hinge upon.

But another reason we need to be on guard against an anti-NSA backlash morphing into an attack on the legitimacy of government is because the ‘Little Brother’ surveillance state that everyone wants to live in — and it’s not just libertarians who desire that [44] — might require a ‘Big Helpful Brother’ government for fixing the kinds of big problems that don’t get fixed on their own or by “the market” or charity. And that means *gasp* building a government you can trust and that’s empowered to get things done! Not the libertarian vision of a government that you can trust because it’s been systematically disempowered, but a real democratically elected government that doesn’t accept poverty or oppression in any form and doesn’t simply wait for the private sector to fix those problems.

We can’t rely on technology as a shield against bad policy or bad governments. If we’re going to get serious about addressing the weird and ever more exotic threats facing society, one of the most powerful tools for protecting our privacy is, quite simply, a highly competent society. Competent in the sense that it’s a society that is actively engaged in learning about the threats around it, emerging and existing threats, while also being sane enough to deal with these threats in a manner that doesn’t lead to some sort of nightmare situation. That’s how we protect our privacy most effectively: by identifying and solving the kinds of openly visible problems like poverty and oppression that encourage individuals to secretly engage in terrorism or harmful crimes. There’s simply going to be less danger to look out for the more we make a better world.

But we’re not going to be able to build that competent society capable of helping if the only governments we can trust are those without the power to harm. Government, it turns out, is a lot like technology: Governments with the power to help can also hurt, just like technology. Powerful governments aren’t inherently a “good” or “bad” thing, as the libertarians assert. It depends on how you use it. If you have a weak government, it may not directly harm you but it’s not going to help either. Just like technology. This is why ensuring that we don’t protect our rights at the expense of a competent helpful government is going to be increasingly important and challenging going forward. The simple fact that few entities are more empowered by technology than a government creates an impulse to disempower government as a form of civic self-defense. And that impulse is only going to grow with each technological advance that enhances that power. How we strike that balance between privacy and security without turning governments into either a beast or a worthless joke isn’t obvious. Maybe empowering criminals with super encryption tools and 5th Amendment rights is a reasonable price to pay to avoid the costs associated with government abuse? Or maybe it’ll foster a crime explosion? Maybe both. No matter which path is chosen we’ll see the consequences. Eventually. But we’re not going to see all of the other optional paths forward if the Cypherpunk [45]/Libertarian perspective continues to be the dominant perspective on these kinds of issues.

Enough With the Insane Insanity. Sane Insanity is Required

To some extent, if we really want to get serious about grappling with these mutually contradictory issues we, by definition, need to go somewhat insane in terms of our worldview. Insane in the sense that we really do need to hold multiple, mutually contradictory ideas in our minds simultaneously in order to grapple with them individually. Sane insanity. In other words, you can’t simply be a “privacy advocate” without being a “security advocate”. Privacy and security are intertwined because our lives are intertwined. I have to care about your security too if I really want to protect my privacy and vice versa.

But you also can’t achieve that inter­twined state by sim­ply defin­ing “privacy=security”, as we often hear from folks like Snow­den or Assange. That just does­n’t make sense when “pri­va­cy” includes super encryp­tion and “hid­den vol­umes” and legal regimes that can poten­tial­ly pro­vide an incred­i­ble shield against legit­i­mate law enforce­ment or nation­al secu­ri­ty tasks. At the same time, because real­i­ty is some­what insane we can’t kid our­selves about the incred­i­ble dan­gers that could poten­tial­ly arise from tech­no­log­i­cal­ly enabled mass sur­veil­lance, espe­cial­ly cryp­to-mass sur­veil­lance (the Panop­ti­con [46]). Sane insan­i­ty is need­ed on a vari­ety of top­ics and that need is only going to grow.

Ter­ri­fied of a gov­ern­ment with the pow­er to track us all? Great. It’s a healthy sense of ter­ror. Gov­ern­ments can become crim­i­nal. But also be ter­ri­fied of a gov­ern­ment that can’t real­ly track or pros­e­cute crim­i­nals, even when it’s impor­tant. So embrace the cog­ni­tive dis­so­nance that comes with these issues. Embrac­ing the tech­nol­o­gy-enhanced cog­ni­tive dis­so­nance and lack of easy and obvi­ous answers is the answer. That’s how the kinds of long-term solu­tions we need are going to be found and it’s a lot bet­ter than the alter­na­tive [47].