cr> Encryption and the law


(Posted with the permission of the author.--Andy)

To: •••@••.•••
From: "Timothy C. May" <•••@••.•••>
Subject: Re: So, what crypto legislation (if any) is necessary?
Sender: •••@••.•••
Precedence: bulk

At 4:14 PM 3/25/96, Simon Spero wrote:
>If the Leahy bill is unacceptable, what legistlation is necessary? I
>can't see how the use of cryptography in the commission of a crime needs
>to be a separate offence, but I could see how it could be treated as a
>special circumstance - that doesn't really needed a new law though.

I don't see any compelling need for U.S. legislation. And given the
pressures to attach all sorts of language to bills, I think it best that no
legislation happen.

Consider a few areas in turn:

* DOMESTIC USE OF ENCRYPTION: Currently, no restrictions whatsoever. No
laws saying messages can't be encrypted, no laws saying keys must be
escrowed, no laws about permissable strength of ciphers, no special laws
covering disclosure of keys. Just silence, blessed silence. The
Constitution says there shall be no laws about permissable speech (what
language one speaks in, or writes in), and other provisions about compelled
testimony seem adequate.

* EXPORT OF CRYPTO BEYOND U.S.: This is indeed a thorn in the sides of U.S.
companies, but is not _per se_ an issue I worry about. So long as I have
strong crypto, I don't really care too much about export. It would be nice
to get the ITARs modified, but not at the risk of adding language (such as
Leahy did) making use of encryption a possible crime (we've debated this,
so I won't elaborate here). Besides, I think the best way to overturn the
ITARs is through a court challenge; as I have noted, even the NSA's lawyers
felt that the ITARs would not withstand court scrutiny.

* KEY ESCROW: A matter of contract law, nothing more. If I want to give a
copy of my key to my lawyer, fine. If I want to give a copy to Vince's
Offshore Key Repository, no current U.S. laws stops me from doing so, and I
can even get it to him securely without violating any ITARs by using the
cipher that _he_ uses and then importing it here!

(Michael Froomkin speculated in one of his articles, I don't recall which,
that there might need to be certain guidelines or laws if a key escrow
protocol were to invoke the U.S. court system. Maybe. But I think ordinary
contract law, about what a contract says and what it means, is adequate. If
I pay Joe's Key Warehouse a fee to store my key and it loses it, or gives
it to another party, then damages can be collected.)

IMPORTANT NOTE: It is often said, in a correct interpretation I think, that
a third party holding a key (Joe's Key Warehouse) is _not_ covered by the
5th Amendment's protections against self-incrimination, and so must honor a
subpoena. Sounds accurate to me. However, what if Joe is _also_ one's
lawyer? Does attorney-client privilege apply here? Perhaps. A better
solution is also fully legal at this time: use only offshore key storage. A
U.S. subpoena to Vince's Offshore Key Repository will carry no weight in
Anguilla. (Can I be compelled to ask Vince to send my key? Sure. But Vince
and I could have a stipulation that such "duress requests" will not be
honored, no matter how loudly I squawk.)

* DIGITAL MONEY. Well, this is such a confusing muddle of competing
systems, unclear interpretations, and hyped claims, that I won't address
it. Nor do any of the current bills being considered address it.

In conclusion, things are fine as they are. I see no compelling need to
write a special law confirming the rights we already are enjoying. If the
Congress wants to relax the ITARs (fat chance), they can direct that the
language of specific sections be redrafted. (I'm not even sure when and how
the original language was crafted, though it is part, I believe, of the
ancient Munitions Act and/or Trading with the Enemy Act. The enabling
legislation for the ITARs, and especially for the specific items actually
ON the "Munitions List" could be trivially changed. Were this Leahy's
intent, an easy thing to write a bill for. I doubt this was his intent,

Last point:

>I do feel that it should be possible for courts to sub poena crypto keys,
>but that doesn't really need new law either (4th and 5th ammendments
>become _really_ important though (hmmm- there advantages to writing down a
>constitution after all :)

I agree that subpoenas for keys are legit. While I may dislike giving up my
key, in a criminal matter it seems like "just another document." If they
can subpoena my diary, my phone records, my dentist bills, why not another
this document? Nothing in the Constitution giving it special status.

Still, one can store spare copies of keys with one's lawyer, which _may_
protect it against retrieval by subpoena, and one can store spare copies of
keys in foreign jurisdictions, which almost certainly will protect against
the retrieval (unless an international treaty on such things is passed!).

Obviously things get more complicated when a private key or set of keys "is
one's identity." That is, at some future time, when a key or set of keys is
literally the key to one's identity, then this document is no longer "just
another document." A law enforcement agency or court that obtains these
keys could do much damage, beyond just the matter being investigated or
tried in court. The release of the key cannot be undone. A thorny problem.

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
Timothy C. May              | Crypto Anarchy: encryption, digital money,
•••@••.•••  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."

 Posted by Andrew Oram  - •••@••.••• - Moderator: CYBER-RIGHTS (CPSR)
   CyberJournal:  (WWW or FTP) -->
 Materials may be reposted in their _entirety_ for non-commercial use.