In the digital age, criminals like to encrypt their business-sensitive data just as much as all other people do. Albeit that the latter commonly encrypts their sensitive data as protection against the former, and the former simply prefers to stay out of jail. This resulted in a call for a duty to decrypt. However, such measures are not only useless, they typically effect normal citizens more than criminals and are harmful to our legal system.

It may be one of the most frustrating moments in the life of a digital policeman: you have confiscated a computer with all sorts of detailed information on some serious criminal offences, but it is strongly encrypted and you did not manage to secure the key. Given that the encryption algorithm is safe and the password is well chosen, there is very little you can do. In this context, it is only logical that politicians came up with the idea of a duty to decrypt. However, a duty to decrypt is not a viable measure for both social and technical reasons.

Would You Cooperate?
Imagine the following: you have a set of encrypted files on your disk that could result in twelve years of time in jail for you. However, the police is unable to decrypt them and you are unwilling to tell them the key. If there were a duty to decrypt, the police could put this in use. Nevertheless, what would happen if you said “No”? Presumably, you would get a large fine or possibly some time in jail, but most probably not as much as those twelve years you would get if these files were decrypted.

So, if you want to use a duty to decrypt to catch the most serious offenders – those that put the time in for putting near perfect encryption in place –, you have to put a very large punishment on not complying. This will inevitably result in punishments that are even unexplainable for the most tough politicians. You cannot reasonably give someone a lifetime of jail for not giving a key, as if he committed one of the most unspeakable offences the world knows.

Nemo Tenetur: You Shall NOT Be Required To Help Getting Yourself Convicted
In our legal system, we have the so-called nemo tenetur. Although this principle of “Nemo tenetur prodere se ipsum” – one is not required to burden himself –, is not written down in law, the European Court on Human Rights deduced it from the right on fair trial. This principle stipulates that a person under trial does not have to cooperate in getting himself convicted.

If we were to put a duty to decrypt in place, we would dishonour the principle of the nemo tenetur – actually, we would not be allowed to use it, because of it being in conflict with the European Convention on Human Rights. Additionally, if it were possible, it would weaken the legal protection a suspect gets and thereby weaken the well-balanced nature of our legal system.

One could also use a decryption duty to get keys from persons that are not under suspicion, such as contacts or family of the suspect. Nevertheless, this would make it interesting to only start “suspecting” your suspects on a later point in the investigation, thereby trying to circumvent the legal protection of the suspect. Furthermore, this makes it possible to start asking keys from and invading the privacy of persons that are only vaguely related to the case, but do not play a part – which we actually already do with wiretaps.

Perfectly Encrypted Data: It Cannot Be Recognised
Encryption has, of course, a mathematical background. Basically, encryption is an algorithm that transforms data to something that is completely random, but can be transformed back to the original input by using the decryption algorithm with the correct key. The randomness is fundamental to encryption, because it ensures that no information can be deduced from the ciphertext – the encrypted data. If it was not random, one could deduce certain information from it, e.g. the length of the original input.

As encrypted text is fully random, one can theoretically not prove that it is, in fact, encrypted data. For what you know, your suspect just has a hard disk full of random data. It is true that common solutions for encryption add extra data that explains the type of encryption in use for convenience, but one would expect that, if there were a duty to decrypt, criminals make sure they have to remember this information. Therefore, there is plausible deniability of the existence of encrypted information.

A Duty to Decrypt: Let’s Annoy the Normal Citizens
Due to all the practical problems with using a duty to decrypt on criminals, such a legal duty causes a large invasion in the privacy and legal protection of normal citizens. Criminals, on the other hand, are easily able to circumvent the measures by implementing there systems wisely or by accepting the lower punishment for not giving away their passwords. It should be noted that there are countries in this world that have a duty to decrypt, such as the United Kingdom. However, it is, in principle, a useless measure.


2 Responses to The Duty to Decrypt: One of the Most Useless Measures Ever Invented

  1. […] some time ago, I wrote about plausible deniability concerning cryptography (30 July 2012). Due to the mathematical properties of encryption, the fact that a certain random sequence of bytes […]

  2. […] Data Is Fully Opaque As one may recall from my comments on a decryption duty (30 July 2012), encrypted data looks like random bytes. This also means it is, to the unknowing eye, a completely […]

Leave a Reply

Your email address will not be published. Required fields are marked *