Encrypting to self
Michael Froomkin - U.Miami School of Law
froomkin at law.miami.edu
Tue, 7 Jul 1998 22:23:35 -0400 (EDT)

I suppose I count as a legal folks, so let me respond to DG Sweiger's
claim about US law.

Let's be clear here: If you are a party in a *civil* suit in the USA and
you receive a discovery order to produce records and you have them in
unencrypted form, you have to turn them over. If all you have is an
encrypted form, we have no case law on whether you must decrypt. I would
bet a fortune that the court would require, **at a minimum**, that you
turn over the ciphertext, everything about how the records were
encrypted, how to decrypt them, and the relevant key(s). The court might
not require you turn over plaintext (but it might). I repeat: if the key
is in your possession, or in any of your agents' and you don't want to
disclose the plaintext, you will be forced to turn it over (or, maybe,
given the option of turning over the plaintext instead). The difference
is of course one of cost only: the party with the cipher-text may be able
to impose the cost of decryption on the requester -- that's the cost of
getting the machine, buying the program and plugging in the key (NOT the
cost of "breaking" the encryption). The defense that "we don't have the
key" will not be credible in the case of ordinary business records.

Contrast the above with the position in criminal cases. You don't get an
order in a criminal case to "hand over your incriminating documents" --
the police get a search warrant and seize what they can find. It gets
interesting if they find crypto they cannot break.

Here the law is indeed contested. I and others have argued that the 5th
amendment right to self incrimination provides two levels of protection:
first since possession of the key authenticates the record, and identifies
its owner, you have at a minimum a right to suppression of the fact that
you had the sole key (or, more likely, passphrase to a key) which
decrypted the data. Even some folks in law enforcement accept this, and
when I last looked at it in early 1995, the Justice Department's manual on
computer evidence ("Federal Guidelines for Searching and Seizing
Computers") was wishy washy on the subject; it suggested that "use"
immunity may be required here -- preventing the facts surrounding the
existence of the key from being used against you, but not the data itself.
(I haven't heard of any changes on this, but haven't checked recently
either.)

The tougher question is whether giving up the key is compelling speech to
the point where the 5th amendment would be violated unless full blown
immunity -- barring the use of the data -- is required. The Justice
Department says there is no such prohibition, and my friends there argue
this point with great passion and citations to somewhat relevant cases.
Others think it is far more arguable. I'm in the latter camp, since I
don't read the law as giving the police a right to an effective search,
but I recognize that this is not as certain a winner as I'd like.

OB UK issue: I'm surprised that no one has suggested that the right
against self-incrimination in the European Convention on Human Rights
might play a similar role. Am I missing something?

On Sat, 4 Jul 1998, D.G. Sweiger wrote:
>
>
> The rumors around the legal folks I know is that
> a U.S. individual that receives a subpoena can not
> be compelled to produce an encrypted file.
>
> In RE:Tobacco Settlement, the tobacco concerns have
> begun mass encryption of files and letters to avoid
> producing these files under a federal civil
> subpoena.
>
> dgs
>
>
>
>
> ---T Bruce Tober <octobersdad@reporters.net> wrote:
> >
> > In message <Pine.SOL.3.96.980704001352.17988A-100000@flemming>, Ian
> > Goodyer <goodyer@well.ox.ac.uk> writes
> > >On Fri, 3 Jul 1998, Carl Ellison wrote:
> > >
> > >> At 08:43 PM 7/3/98 +0100, T Bruce Tober wrote:
> > >> >According to David Swarbrick it is law that you must produce plaintext
> > >> >of any computer file upon request (or warrant?). I will copy your
> > >> >message to him if you like and ask him to respond and will post that
> > >> >here if he does. Let me know if you want me to.
> > >
> > >Yes, please get his opinion.
> >
> >
> > Done, I'll let you know if he responds.
> >
> > tbt -- Whose book on Net security issues and solutions for SMEs is now
> > available from
> >
> <http://www.bloor.co.uk/prodserv/html/bloor_research_-_internet_secu.html>
> >
> > --
> > |Bruce Tober, <octobersdad@reporters.net>, <http://www.crecon.demon.co.uk> |
> > |Birmingham, UK, EU +44-121-242-3832 Freelance PhotoJournalist - IT, Arts, |
> > | Business, etc. Also website content consultancy and development. |
> >
> >
>
>
>
A. Michael Froomkin | +1 (305) 284-4285; +1 (305) 284-6506 (fax)
Professor of Law |
U. Miami School of Law | froomkin@law.tm http://www.law.tm
P.O. Box 248087 |
Coral Gables, FL 33124 USA | It's hot here!