Key disclosure law
Key disclosure laws, also known as mandatory key disclosure, is legislation that requires individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.
Nations vary widely in the specifics of how they implement key disclosure laws. Some, such as Australia, give law enforcement wide-ranging power to compel assistance in decrypting data from any party. Some, such as Belgium, concerned with self-incrimination, only allow law enforcement to compel assistance from non-suspects. Some require only specific third parties such as telecommunications carriers, certification providers, or maintainers of encryption services to provide assistance with decryption. In all cases, a warrant is generally required.
Theory and countermeasures
Mandatory decryption is technically a weaker requirement than key disclosure, since it is possible in some cryptosystems to prove that a message has been decrypted correctly without revealing the key. For example, using RSA public-key encryption, one can verify given the message, the encrypted message, and the public key of the recipient that the message is correct by merely re-encrypting it and comparing the result to the encrypted message. Such a scheme is called undeniable, since once the government has validated the message they cannot deny that it is the correct decrypted message.As a countermeasure to key disclosure laws, some personal privacy products such as BestCrypt, FreeOTFE, and TrueCrypt have begun incorporating deniable encryption technology, which enable a single piece of encrypted data to be decrypted in two or more different ways, creating plausible deniability. Another alternative is steganography, which hides encrypted data inside of benign data so that it is more difficult to identify in the first place.
A problematic aspect of key disclosure is that it leads to a total compromise of all data encrypted using that key in the past or future; time-limited encryption schemes such as those of Desmedt et al. allow decryption only for a limited time period.
Criticism and alternatives
Critics of key disclosure laws view them as compromising information privacy, by revealing personal information that may not be pertinent to the crime under investigation, as well as violating the right against self-incrimination and more generally the right to silence, in nations which respect these rights. In some cases, it may be impossible to decrypt the data because the key has been lost, forgotten or revoked, or because the data is actually random data which cannot be effectively distinguished from encrypted data.A proactive alternative to key disclosure law is key escrow law, where the government holds in escrow a copy of all cryptographic keys in use, but is only permitted to use them if an appropriate warrant is issued. Key escrow systems face difficult technical issues and are subject to many of the same criticisms as key disclosure law; they avoid some issues like lost keys, while introducing new issues such as the risk of accidental disclosure of large numbers of keys, theft of the keys by hackers or abuse of power by government employees with access to the keys. It would also be nearly impossible to prevent the government from secretly using the key database to aid mass surveillance efforts such as those exposed by Edward Snowden. The ambiguous term key recovery is applied to both types of systems.
Legislation by nation
This list shows only nations where laws or cases are known about this topic.Antigua and Barbuda
The Computer Misuse Bill, 2006, Article 21, if enacted, would allow police with a warrant to demand and use decryption keys. Failure to comply may incur "a fine of fifteen thousand dollars" and/or "imprisonment for two years."Australia
The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate's order the wide-ranging power to require "a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to "access computer data that is "evidential material"; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months' imprisonment. Electronic Frontiers Australia calls the provision "alarming" and "contrary to the common law privilege against self-incrimination."The Crimes Act 1914, 3LA "A person commits an offence if the person fails to comply with the order. Penalty for contravention of this subsection: Imprisonment for 2 years."
Belgium
The Loi du 28 novembre 2000 relative à la criminalité informatique, Article 9 allows a judge to order the authorities to search the computer systems and telecommunications providers to provide assistance to law enforcement, including mandatory decryption, and to keep their assistance secret; but this action cannot be taken against suspects or their families. Failure to comply is punishable by 6 months to 1 year in jail and/or a fine of 130 to 100,000 euros.Cambodia
Cambodia promulgated its Law on Electronic Commerce on 2 November 2019, after passage through legislature and receiving consent from the monarch, becoming the last among ASEAN states to adopt a domestic law governing electronic commerce. Article 43 of the statute prohibits any encryption of evidence in the form of data that could lead to an indictment, or any evidence in an electronic system that relates to an offense. This statutory obligation may imply that authorities could order decryption of any data implicated in an investigation. While remaining untested in courts, this obligation actively contradicts an accused person's procedural right against self-incrimination as provided under Article 143 of the Code of Criminal Procedure.Canada
In Canada key disclosure is covered under the Canadian Charter of Rights and Freedoms section 11 which states "any person charged with an offence has the right not to be compelled to be a witness in proceedings against that person in respect of the offence;" and protects the rights of individuals that are both citizens and non-citizens of Canada as long as they are physically present in Canada.In a 2010 Quebec Court of Appeal case the court stated that a password compelled from an individual by law enforcement "is inadmissible and that renders the subsequent seizure of the data unreasonable. In short, even had the seizure been preceded by judicial authorization, the law will not allow an order to be joined compelling the respondent to self-incriminate."
In a 2019 Ontario court case, the defendant was initially ordered to provide the password to unlock his phone. However, the judge concluded that providing a password would be tantamount to self-incrimination by testifying against oneself. As a result, the defendant was not compelled to provide his password.
Czech Republic
In the Czech Republic there is no law specifying obligation to issue keys or passwords. Law provides protecting against self-incrimination, including lack of penalization for refusing to answer any question which would enable law enforcement agencies to obtain access to potential evidence, which could be used against testifying person.Finland
The Coercive Measures Act 2011/806 section 8 paragraph 23 requires the system owner, its administrator, or a specified person to surrender the necessary "passwords and other such information" in order to provide access to information stored on an information system. The suspect and some other persons specified in section 7 paragraph 3 that cannot otherwise be called as witnesses are exempt from this requirement.France
allows a judge or prosecutor to compel any qualified person to decrypt or surrender keys to make available any information encountered in the course of an investigation. Failure to comply incurs three years of jail time and a fine of €45,000; if the compliance would have prevented or mitigated a crime, the penalty increases to five years of jail time and €75,000.Germany
The German Code of Criminal Procedure grants a suspect the right to deny cooperation in an investigation that may lead to incriminating information to be revealed about themselves. For private usage is no legal basis that would compel a suspect to hand over any kind of cryptographic key due to this nemo tenetur principle.There are different laws stating that companies must ensure this data is readable by the government. This includes the need to disclose the keys or unencrypted content as and when required.
Iceland
In Iceland there is no law specifying obligation to issue keys or passwords.India
Section 69 of the Information Technology Act, as amended by the Information Technology Act, 2008, empowers the central and state governments to compel assistance from any "subscriber or intermediary or any person in charge of the computer resource" in decrypting information. Failure to comply is punishable by up to seven years' imprisonment and/or a fine.Ireland
Section 7 of the Criminal Justice Act 2017 allows a member of the Garda Síochána or other persons as deemed necessary to demand the disclosure of a password to operate a computer and any decryption keys required to access the information contained therein.7 A member acting under the authority of a search warrant under this section may—
operate any computer at the place that is being searched or cause any such computer to be operated by a person accompanying the member for that purpose, and
require any person at that place who appears to the member to have lawful access to the information in any such computer—
to give to the member any password necessary to operate it and any encryption key or code necessary to unencrypt the information accessible by the computer, immediate data destruction
otherwise to enable the member to examine the information accessible by the computer in a form in which the information is visible and legible, or
to produce the information in a form in which it can be removed and in which it is, or can be made, visible and legible.