burden of proof / keys or plaintext (Re: US Plans for Decryption Orders)

Brian Gladman gladman at seven77.demon.co.uk
Tue, 3 Aug 1999 08:35:28 +0100


From: <adam@cypherspace.org>
To: <ukcrypto@maillist.ox.ac.uk>
Cc: <ben@algroup.co.uk>
Sent: 03 August 1999 0:02 AM
Subject: burden of proof / keys or plaintext (Re: US Plans for Decryption Orders)

> Ben writes:
> > > Brian: I have been puzzled by the correspondence on UK-crypto about the
> > > decryption order provisions of the draft UK bill. Some people seem to be
> > > objecting to *any* police access to encrypted documents.
> >
> > I don't think that's true: the objections have been to access to keys.
>
> I think the distinction between keys and plaintext is fairly technical
> and not the real issue.

I don't agree that this is simply technical.  If my obligation is to offer
decryption in response to a decryption order, I remain in control of my keys
and hence I can judge the extent to which I and my colleagues will be
compromised by any actions I take.  If, however, I have to give up my long
term personal decryption keys (session keys are different I admit) then I
have put my entire privacy, security and safety in the hands of the State.
This is not something I wish to do and for me this is not a technical issue
even though it has a technical basis.

> The real issue is the burden of proof.
>
> Because of the burden of proof issue:
>
> - if you can't decrypt the document because you don't have the key and
>   they send you to jail for 'failure to produce plaintext'
>
> you aren't going to be any happier than:
>
> - if you can't provide the key because you don't have the key and they
>   send you to jail for 'failure to produce key'
>
> So in the end it makes no difference.
>
But this is only one scenario; in others it makes a difference.  If the
police want just one message the risks involved in me decrypting this for
them are much smaller than if I am forced to give up my long term decryption
keys.

> This argues that they should be allowed to request decryption of
> specific documents for specific reasons as approved by a court

Yes.

> However I think realistically the police are going to need session
> keys rather than plaintext because there is no way to check that
> plaintext corresponds to ciphertext without the session key, so
> session keys are the only sensible option.

In an ideal world where lawyers could translate technical distinctions into
watertight legislation, access to session keys might produce a sensible
compromise. But I will wait and see how this could be written into law
without putting longer term keys at risk before supporting such an approach.

In practice, I suspect the best way of incorporating this principle into law
will be by avoiding any mention of keys by:

(1) allowing decryption orders to impose only an obligation to decrypt;
(2) allowing, where necessary, orders to impose an obligation to prove the
correspondence between an encrypted text and a decryption of it.

Session keys would then be one of a number of ways of meeting these
obligations but without access to keys having to be written into
legislation.

[snip]

> Proving you don't have information is impossible, and hence the
> current proposed burden of proof on the individual to prove to the
> police that they don't have a key is nonsensical.

Yes, this is especially pernicious and objectionable.

          Brian
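Adam's point that plaintext cannot be checked against ciphertext without the session key, and Brian's proposed obligation to prove correspondence, illustrated by an added example that is not part of the thread: a toy hybrid scheme (constructed Diffie-Hellman parameters and an HMAC-based stream cipher standing in for real primitives) in which the key holder can disclose one message's session key, a third party can verify the plaintext against the ciphertext with it, and the long-term private key never leaves its owner.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group: 2**127 - 1 is prime, but these are constructed
# parameters for illustration, not a production group.
P = 2**127 - 1
G = 5


def _keystream(key, n):
    """HMAC-SHA256 in counter mode, standing in for a real stream cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _session_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def keygen():
    """Long-term key pair: (private exponent, public value)."""
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return x, pow(G, x, P)


def encrypt(pub, plaintext):
    """Hybrid encryption: a fresh per-message exponent fixes the session key."""
    y = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    session_key = _session_key(pow(pub, y, P))
    return pow(G, y, P), _xor(_keystream(session_key, len(plaintext)), plaintext)


def recover_session_key(priv, ephemeral):
    """Only the long-term private key holder can derive this message's key;
    disclosing the result reveals nothing about priv itself."""
    return _session_key(pow(ephemeral, priv, P))


def verify_disclosure(ephemeral, body, session_key, claimed_plaintext):
    """Third-party check: does the disclosed session key turn this ciphertext
    into the claimed plaintext?  No long-term key is needed at all."""
    return _xor(_keystream(session_key, len(body)), body) == claimed_plaintext
```

A disclosed session key covers exactly one message; a second message to the same public key gets an unrelated key, so the check fails for it.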