Hacker News new | past | comments | ask | show | jobs | submit login

Not necessarily. For example, let's say I have a safe, and I've hidden the key. The police get a warrant to search my safe. I am then legally obligated to allow them to search my safe, which means that I am legally obligated to reveal the location of the key.

In the case of the safe, if I refuse they'll just break it open. Strong encryption is not so easily broken so it may not be in my best interest to cooperate (whereas with the safe, it probably is).

Personally I think encryption passwords should be protected by the 5th amendment, but I understand the logic in saying it's not.




In this example your safe is the medium in which the data is stored. If the police get's a warrant to search my safe, they may do so, but when they find a notebook full of enciphered text or a tape with "noise" in it I'm not obligated to provide them with means to decipher them. Hell I could just say I forgot the key, how is anyone going to prove I'm lying?

Personally I agree with you. My data is my data, and I should be able to do whatever I want with it.


Hell I could just say I forgot the key

I had the opportunity to attend a public gathering with Jack Straw during the public consultation of this bill (he was the MP who introduced this law).

The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.

Forgetting the password isn't a defense.

(don't shoot the messenger, I think it's crap too, but I'm just saying they already covered that 'defense').


Oh no really I understand the implications and everything... but let's say you do forget the password, what can they do realistically? It seems highly immoral to throw you in jail because you forgot a password.

Now let's say you're in the middle of a murder case, and it is about to be thrown away because of lack of evidence. So they ask you to provide the key to your encrypted drive, but you've forgotten the key... So now do you go to jail on a life in prison sentence because of it? Do they let you go? Do they keep you in prison while they try to decrypt it which might take millions of years?

I can always say "I forgot, this whole ordeal has affected me psychologically and I can't seem to recall the key because of it". Then what happens? I go to jail for 4 months? Which might be a total injustice since there's a possibility it's actually true. Or maybe it's a loophole for a crook because he might have had to serve life in prison, and now he's only doing 4 months thanks to encryption.

A judge can easily send you to jail if there's proof you did something. The same way your girlfriend can easily send you packing because she has proof you cheated. The question is, can you send your girlfriend packing for cheating if you have no proof? If you have no proof then you're sending her packing because of an idea on your head (not real fact and you might be wrong), which is hardly fair and will probably be looked at with contempt and frowned upon by peers (read the rest of the world). Now can the state send you to jail because it thinks that you have child porn on your hard drive, without ever proving you have it?

What happens then when the state has the power to lock you up without proof?


<i>I understand the implications and everything</i>

I don't think you do.

<i>I can always say "I forgot[...]" Then what happens? I go to jail for 4 months?</i>

No, you go to jail for a few months and then they take you back to court to see if your memory has improved. If you don't have the key or if you produce a key that doesn't reveal the data they wanted it to, you go back to jail for longer.

If you can't produce the data the state demands, either because it isn't there or never existed, or because you really forgot, then you can stay in jail the rest of your life.

That is the purpose, goal, and implication that so-called law enforcement wished for and got from data investigation rules.


I said realistically. From what I've seen this "lost my password" is in the US a non issue, and in the UK it warrants a few months of jail time (treated as a misdemeanor depending on the severity of the charges). In any case, it's almost impossible to prove intent in cases like this. It can't be treated as obstruction of justice because the drives were not encrypted after the fact. And intent can't be proven, so at max you get a misdemeanor charge, fines and a year in jail (using us law as a basis for time served).


I'm pretty sure that there is a limit to the amount of time you can spend in jail for that (only a few months), at least for criminal cases.

I remember reading about a guy who was basically given an indefinite jail sentence in a civil case because the judge didn't believe that he really lost all his money is poor investments.

However I remember that the article highlighted the distinction between criminal and civil cases.


Wow, that's an interesting point of view (as enshrined in law). For example, I own some DVDs or say Blu-Ray discs. Shouldn't the company provide me the key to decrypt them in case the police want to decrypt them? I suspect those companies wouldn't appreciate that.

Also, since encrypted data, if done properly is very hard to distinguish between random noise, and people often use writes with random noise as a secure erasure technique, it could also be that you erased that data? That is a thorny issue as well.

Is "I erased the data on that drive securely using random bits" a valid defense?


It is a valid defense if you deleted the data before the investigation took place. If you did so with the intent of destroying evidence (of course, after the investigation starts) your obstructing justice which carries a maximum sentence of 20 years in the U S of A.


> The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.

Heh. Would love to see them take that at face value. "But officer, I need this list of Blu-Ray disk keys. Otherwise, I can't decrypt all my movies the way I'm legally required to!"

And that would explain why I heard of people emailing him encrypted documents / random bits. I'm sure he knows how to decrypt those.

So you're right, it is crap.


In terms of the law, you don't own those blueray movies so it isn't the same.

The law is fuzzy on the issue of someone emailing you an encrypted archive you didnt have the password to.


> In terms of the law, you don't own those blueray movies so it isn't the same.

If that works, I might try telling them that the file they can't open is a DRM'd media file which I no longer have rights to and do not own.

For some people, that might even be true.


Seriously. I love this kind of thinking! Hell, it might just work.


The medium verses transformation is a really interesting argument. I wonder how the law will see it when that day comes.

I have a feeling that the transformation argument may fall pray to the "color of bits" problem but perhaps not. I think it may even come down the choice of algorithm - if I use a publicly available encryption algorithm then it might be considered a medium, whereas if I invent my own language maybe it won't.

As for the forgotten key, that's another argument. There is probably a burden of proof somewhere in there (and probably more on the side of the prosecution). If, for example, the police knew you accessed the contents of the hard drive last week, it would be pretty difficult to claim you forgot your key.


If the law sees it as anything other than what it is, a separation between what my data is and the fact that it belongs to me, in contrast to where it is stored, it will probably open a a big ass can of worms. Might as well change the name of the USA to North Korean States of America.

My opinion: If I write a poem in a notebook (hard drive) using a cipher (encryption) for which only I know the key, the law is able to take my notebook as evidence and process it as they see fit for their investigation, but the data is still mine, it's my set of bits which I'm entitled to not share with anyone unless it's my desire. I'd even say that to force me to share my data is equal to torturing me to get information from me. In both cases the law would be forcing me to reveal something against my consent, which is a violation of my rights however you look at it.

YMMV of course.


This is sort of why I think it may come down to your choice of algorithms. For example, let's say I buy a hypothetical external hard drive. This external drive has built in encryption, and I have to enter a password using a keypad on the drive before I can mount it. Should I be legally compelled to enter the combination?


Not in the USA. 5th amendment and all.


While I agree with you and believe that the 5th amendment does protect you in theory, this hasn't really been tested in US courts. The law may decide that encryption is a safe rather than a language. In that case the 5th amendment won't protect you. Hopefully that won't be the case.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: