The Duty to Decrypt: One of the Most Useless Measures Ever Invented
In the digital age, criminals like to encrypt their business-sensitive data just as much as everyone else does, although the latter commonly encrypt their sensitive data as protection against the former, while the former simply prefer to stay out of jail. This resulted in a call for a duty to decrypt. However, such measures are not only useless, they typically affect normal citizens more than criminals and are harmful to our legal system.
It may be one of the most frustrating moments in the life of a digital policeman: you have confiscated a computer with all sorts of detailed information on some serious criminal offences, but it is strongly encrypted and you did not manage to secure the key. Provided that the encryption algorithm is safe and the password is well chosen, there is very little you can do. In this context, it is only logical that politicians came up with the idea of a duty to decrypt. However, a duty to decrypt is not a viable measure, for both social and technical reasons.
Would You Cooperate?
Imagine the following: you have a set of encrypted files on your disk that could result in twelve years in jail for you. However, the police are unable to decrypt them and you are unwilling to tell them the key. If there were a duty to decrypt, the police could put it to use. Nevertheless, what would happen if you said “No”? Presumably, you would get a large fine or possibly some time in jail, but most probably not as much as the twelve years you would get if these files were decrypted.
So, if you want to use a duty to decrypt to catch the most serious offenders – those who take the time to put near-perfect encryption in place – you have to put a very large punishment on not complying. This will inevitably result in punishments that even the toughest politicians cannot justify. You cannot reasonably give someone a lifetime in jail for not giving up a key, as if he had committed one of the most unspeakable offences the world knows.
Nemo Tenetur: You Shall NOT Be Required To Help Getting Yourself Convicted
In our legal system, we have the so-called nemo tenetur. Although this principle of “Nemo tenetur prodere se ipsum” – one is not required to burden himself – is not written down in law, the European Court of Human Rights deduced it from the right to a fair trial. This principle stipulates that a person under trial does not have to cooperate in getting himself convicted.
If we were to put a duty to decrypt in place, we would dishonour the principle of the nemo tenetur – actually, we would not be allowed to use it, because it would be in conflict with the European Convention on Human Rights. Additionally, if it were possible, it would weaken the legal protection a suspect gets and thereby weaken the well-balanced nature of our legal system.
One could also use a decryption duty to get keys from persons who are not under suspicion, such as contacts or family of the suspect. Nevertheless, this would make it attractive to start “suspecting” your suspects only at a later point in the investigation, thereby trying to circumvent the legal protection of the suspect. Furthermore, this makes it possible to start asking for keys from, and invading the privacy of, persons who are only vaguely related to the case but do not play a part in it – which we actually already do with wiretaps.
Perfectly Encrypted Data: It Cannot Be Recognised
Encryption has, of course, a mathematical background. Basically, encryption is an algorithm that transforms data into something that is completely random, but can be transformed back to the original input by using the decryption algorithm with the correct key. The randomness is fundamental to encryption, because it ensures that no information can be deduced from the ciphertext – the encrypted data. If it were not random, one could deduce certain information from it, e.g. the length of the original input.
As encrypted text is fully random, one can theoretically not prove that it is, in fact, encrypted data. For all you know, your suspect just has a hard disk full of random data. It is true that common encryption solutions add, for convenience, extra data that describes the type of encryption in use, but one would expect that, if there were a duty to decrypt, criminals would make sure that this information is not stored and that they have to remember it themselves. Therefore, there is plausible deniability of the existence of encrypted information.
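The following added example (not part of the original article) shows the argument from an examiner's point of view: a volume that keeps its descriptive header is identified at once, while the same ciphertext without the header gets the same verdict as plain random bytes. It assumes a stand-in cipher built from a SHAKE-256 keystream, uses the LUKS header magic as one instance of the "extra data" mentioned above, and all inputs are constructed.

```python
import hashlib
import math
import os
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"   # header magic that LUKS volumes start with
SIZE = 64 * 1024

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher: XOR with a SHAKE-256 keystream.
    Applying it twice with the same key decrypts. Not for real use."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = perfectly uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(blob: bytes) -> str:
    """What an examiner can conclude from the bytes alone."""
    if blob.startswith(LUKS_MAGIC):
        return "encrypted volume (header says so)"
    if entropy(blob) > 7.9:
        # Also matches compressed data; none of these can be told apart here.
        return "high entropy: ciphertext or random, undecidable"
    return "structured data"

def demo() -> dict:
    # Constructed sample inputs, all SIZE bytes long.
    plaintext = (b"Constructed sample text for this example. " * 2000)[:SIZE]
    ciphertext = toy_encrypt(b"constructed-key", plaintext)
    return {
        "plaintext": classify(plaintext),
        "with header": classify(LUKS_MAGIC + ciphertext),
        "headerless ciphertext": classify(ciphertext),
        "random bytes": classify(os.urandom(SIZE)),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {verdict}")
```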
A Duty to Decrypt: Let’s Annoy the Normal Citizens
Due to all the practical problems with using a duty to decrypt on criminals, such a legal duty causes a large invasion of the privacy and legal protection of normal citizens. Criminals, on the other hand, are easily able to circumvent the measures by implementing their systems wisely or by accepting the lower punishment for not giving away their passwords. It should be noted that there are countries in this world that have a duty to decrypt, such as the United Kingdom. However, it is, in principle, a useless measure.
2 Responses to The Duty to Decrypt: One of the Most Useless Measures Ever Invented
[…] some time ago, I wrote about plausible deniability concerning cryptography (30 July 2012). Due to the mathematical properties of encryption, the fact that a certain random sequence of bytes […]
[…] Data Is Fully Opaque As one may recall from my comments on a decryption duty (30 July 2012), encrypted data looks like random bytes. This also means it is, to the unknowing eye, a completely […]