Cyphernomicon Top
Cyphernomicon 10.3

Legal Issues:
Basic Legality of Encryption


   10.3.1. "Is this stuff legal or illegal?"
           - Certainly the _talking_ about it is mostly legal, at least
              in the U.S. and at the time of this writing. In other
              countries, you prison term may vary.
           + The actions resulting from crypto, and crypto anarchy, may
              well be illegal. Such is often the case when technology is
              applied without any particular regard for what the laws say
              is permitted. (Pandora's Box and all that.)
             - Cypherpunks really don't care much about such ephemera as
                the "laws" of some geographic region. Cypherpunks make
                their own laws.
           + There are two broad ways of getting things done:
             - First, looking at the law and regulations and finding
                ways to exploit them. This is the tack favored by
                lawyers, of whic$are many in this country.
             - Second, "just do it." In areas where the law hasn't
                caught up, this can mean unconstrained technological
                developement. Good examples are the computer and chip
                business, where issues of legality rarely arose (except
                in the usual areas of contract enforcement, etc.). More
                recently the chip business has discovered lawyering, with
                a vengeance.
             - In other areas, where the law is centrally involved,
                "just do it" can mean many technical violations of the
                law. Examples: personal service jobs (maids and
                babysitters), contracting jobs without licenses,
                permissions, etc., and so on. Often these are "illegal
                markets," putatively.
           - And bear in mind that the legal system can be used to
              hassle people, to pressure them to "plead out" to some
              charges, to back off, etc. (In the firearms business, the
              pressures and threats are also used to cause some
              manufacturers, like Ruger, to back off on a radical pro-gun
              stance, so as to be granted favors and milder treatment.
              Pressure on crypto-producing companies are probably very
              similar. Play ball, or we'll run you over in the parking
              lot.)
   10.3.2. "Why is the legal status of crypto so murky?"
           - First, it may be murkier to me than it it to actual lawyers
              like Mike Godwin and Michael Froomkin, both of whom have
              been on our list at times. (Though my impression from
              talking to Godwin is that many or even most of these issues
              have not been addressed in the courts, let alone resolved
              definitively.)
           - Second, crypto issues have not generally reached the
              courts, reflecting the nascent status of most of the things
              talked about it here. Things as "trivial" as digital
              signatures and digital timestamping have yet to be
              challenged in courts, or declared illegal, or anything
              similar that might produce a precedent-setting ruling. (Stu
              Haber agrees that such tests are lacking.)
           - Finally, the issues are deep ones, going to the heart of
              issues of self-incrimination (disclosure of keys,
              contempt), of intellectual property and export laws (want
              to jail someone for talking about prime numbers?), and the
              incredibly byzantine world of money and financial
              instruments.
           - A legal study of crypto--which I hear Professor Froomkin is
              doing--could be very important.
   10.3.3. "Has the basic legality of crypto and laws about crypto been
            tested?"
           - As usual, a U.S. focus here. I know little of the situation
              in non-U.S. countries (and in many of them the law is
              whatever the rulers say it is).
           - And I'm not a lawyer.
           + Some facts:
             - no direct Constitutional statement about privacy (though
                many feel it is implied)
             - crypto was not a major issue (espionage was, and was
                dealt with harshly, but encrypting things was not a
                problem per se)
             + only in the recent past has it become important...and it
                will become much more so
               - as criminals encrypt, as terrorists encrypt
               - as tax is avoided via the techniques described here
               - collusion of business ("crypto interlocking
                  directorates," price signalling)
               - black markets, information markets
           + Lawrence Tribe..new amendment
             - scary, as it may place limits.... (but unlikely to
                happen)
           + Crypto in Court
             - mostly untested
             - can keys be compelled?
             - Expect some important cases in the next several years
   10.3.4. "Can authorities force the disclosure of a key?"
           + Mike Godwin, legal counsel for the EFF, has been asked this
              queston _many_ times:
             - "Note that a court could cite you for contempt for not
                complying with a subpoena duces tecum (a subpoena
                requiring you to produce objects or documents) if you
                fail to turn over subpoenaed backups....To be honest, I
                don't think *any* security measure is adequate against a
                government that's determined to overreach its authority
                and its citizens' rights, but crypto comes close." [Mike
                Godwin, 1993-06-14]
           + Torture is out (in many countries, but not all). Truth
              serum, etc., ditto.
             - "Rubber hose cryptography"
           + Constitutional issues
             - self-incrimination
           + on the "Yes" side:
             + is same, some say,  as forcing combination to a safe
                containing information or stolen goods
               - but some say-and a court may have ruled on this-that
                  the safe can always be cut open and so the issue is
                  mostly moot
               - while forcing key disclosure is compelled testimony
             - and one can always claim to have forgotten the key
             - i.e., what happens when a suspect simply clams up?
             - but authorities can routinely demand cooperation in
                investigations, can seize records, etc.
           + on the "No" side:
             - can't force a suspect to talk, whether about where he hid
                the loot or where his kidnap victim is hidden
             - practically speaking, someone under indictment cannot be
                forced to reveal Swiss bank accounts....this would seem
                to be directly analogous to a cryptographic key
             - thus, the key to open an account would seem to be the
                same thing
             - a memorized key cannot be forced, says someone with EFF
                or CPSR
           + "Safe" analogy
             + You have a safe, you won' tell the combination
               - you just refuse
               - you claim to have forgotten it
               - you really don't know it
             - cops can cut the safe open, so compelling a combination
                is not needed
             - "interefering with an investigation"
           - on balance, it seems clear that the disclosure of
              cryptographic keys cannot be forced (though the practical
              penalty for nondisclosure could be severe)
           + Courts
             + compelled testimony is certainly common
               - if one is not charged, one cannot take the 5th (may be
                  some wrinkles here)
               - contempt
           + What won't immunize disclosure:
             + clever jokes about "I am guilty of money laundering"
               - can it be used?
               - does judge declaring immunity apply in this case?
               - Eric Hughes has pointed out that the form of the
                  statement is key: "My key is: "I am a murderer."" is
                  not a legal admission of anything.
             - (There may be some subtleties where the key does contain
                important evidence--perhaps the location of a buried body-
                -but I think these issues are relatively minor.)
           - but this has not really been tested, so far as I know
           - and many people say that such cooperation can be
              demanded...
           - Contempt, claims of forgetting
   10.3.5. Forgetting passwords, and testimony
           + This is another area of intense speculation:
             - "I forgot. So sue me."
             - "I forgot. It was just a temporary file I was working on,
                and I just can't remember the password I picked." (A less
                in-your-face approach.)
             + "I refuse to give my password on the grounds that it may
                tend to incriminate me."
               + Canonical example: "My password is: 'I sell illegal
                  drugs.'"
                 - Eric Hughes has pointed out this is not a real
                    admission of guilt, just a syntactic form, so it is
                    nonsense to claim that it is incriminating. I agree.
                    I don't know if any court tests have confirmed this.
           + Sandy Sandfort theorizes that this example might work, or
              at least lead to an interesting legal dilemma:
             - "As an example, your passphrase could be:
                
                        I shot a cop in the back and buried his body
                under
                        the porch at 123 Main St., anywhere USA.  The gun
                is
                        wrapped in an oily cloth in my mother's attic.
                
                "I decline to answer on the grounds that my passphrase is
                a statement which may tend to incriminate me.  I will
                only give my passphrase if I am given immunity from
                prosecution for the actions to which it alludes."
                
                "Too cute, I know, but who knows, it might work." [S.S.,
                1994-0727]
   10.3.6. "What about disavowal of keys? Of digital signatures? Of
            contracts?
           - In the short term, the courts are relatively silent, as few
              of these issues have reached the courts. Things like
              signatures and contract breaches would likely be handled as
              they currently are (that is, the judge would look at the
              circumstances, etc.)
           + Clearly this is a major concern. There are two main avenues
              of dealing with this"
             - The "purist" approach. You *are* your key. Caveat emptor.
                Guard your keys. If your signature is used, you are
                responsible. (People can lessen their exposure by using
                protocols that limit risk, analogous to the way ATM
                systems only allow, say, $200 a day to be withdrawn.)
             - The legal system can be used (maybe) to deal with these
                issues. Maybe. Little of this has been tested in courts.
                Conventional methods of verifying forged signatures will
                not work. Contract law with digital signatures will be a
                new area.
           - The problem of *repudiation* or *disavowal* was recognized
              early on in cryptologic circles. Alice is confronted with a
              digital signature, or whatever. She says; "But I didn't
              sign that" or "Oh, that's my old key--it's obsolete" or "My
              sysadmin must have snooped through my files," or "I guess
              those key escrow guys are at it again."
           - I think that only the purist stance will hold water in the
              long run.(A hint of this: untraceable cash means, for most
              transactions of interest with digital cash, that once the
              crypto stuff has been handled, whether the sig was stolen
              or not is moot, because the money is gone...no court can
              rule that the sig was invalid and then retrieve the cash!)
   10.3.7. "What are some arguments for the freedom to encrypt?"
           - bans are hard to enforce, requiring extensive police
              intrusions
           - private letters, diaries, conversations
           - in U.S., various provisions
           - anonymity is often needed
   10.3.8. Restrictions on anonymity
           - "identity escrow" is what Eric Hughes calls it
           - linits on mail drops, on anonymous accounts, and--perhaps
              ultimately--on cash purchases of any and all goods
   10.3.9. "Are bulletin boards and Internet providers "common carriers"
            or not?"
           - Not clear. BBS operators are clearly held more liable for
              content than the phone company is, for example.
  10.3.10. Too much cleverness is passing for law
           - Many schemes to bypass tax laws, regulations, etc., are, as
              the British like to say, "too cute by half." For example,
              claims that the dollar is defined as 1/35th of an ounce of
              gold and that the modern dollar is only 1/10th of this. Or
              that Ohio failed to properly enter the Union, and hence all
              laws passed afterward are invalid. The same could be said
              of schemes to deploy digital cash be claiming that ordinary
              laws do not apply. Well, those who try such schemes often
              find out otherwise, sometimes in prison. Tread carefully.
  10.3.11. "Is it legal to advocate the overthrow of governments or the
            breaking of laws?"
           - Although many Cypherpunks are not radicals, many others of
              us are, and we often advocate "collapse of governments" and
              other such things as money laundering schemes, tax evasion,
              new methods for espionage, information markets, data
              havens, etc. This rasises obvious concerns about legality.
           - First off, I have to speak mainly of U.S. issues...the laws
              of Russia or Japan or whatever may be completely different.
              Sorry for the U.S.-centric focus of this FAQ, but that's
              the way it is. The Net started here, and still is
              dominantly here, and the laws of the U.S. are being
              propagated around the world as part of the New World Order
              and the collapse of the other superpower.
           - Is it legal to advocate the replacement of a government? In
              the U.S., it's the basic political process (though cynics
              might argue that both parties represent the same governing
              philosophy). Advocating the *violent overthrow* of the U.S.
              government is apparently illegal, though I lack a cite on
              this.
           + Is it legal to advocate illegal acts in general? Certainly
              much of free speech is precisely this: arguing for drug
              use, for boycotts, etc.
             + The EFF gopher site has this on "Advocating Lawbreaking,
                Brandenburg v. Ohio. ":
               - "In the 1969 case of Brandenburg v. Ohio, the Supreme
                  Court struck down the conviction of a Ku Klux Klan
                  member under a criminal syndicalism law and established
                  a new standard: Speech may not be suppressed or
                  punished unless it is intended to produce 'imminent
                  lawless action' and it is 'likely to produce such
                  action.' Otherwise, the First Amendment protects even
                  speech that advocates violence. The Brandenburg test is
                  the law today. "
 

Next Page: 10.4 Can Crypto be Banned?
Previous Page: 10.2 SUMMARY: Legal Issues

By Tim May, see README

HTML by Jonathan Rochkind