Can Encryption Create A "Reasonable Expectation of Privacy"?:
I have just posted an early paper I wrote that still seems to generate some interest: The Fourth Amendment in Cyberspace: Can Encryption Create a "Reasonable Expectation of Privacy"?, 33 Conn. L. Rev. 503 (2001). (33 pages, .pdf) This was a really fun paper to write, as the argument is highly counterintuitive, sets up lots of fun puzzles, and also ultimately sheds light on important but underappreciated aspects of the Fourth Amendment.
  Here's the abstract:
Does encrypting Internet communications create a reasonable expectation of privacy in their contents, triggering Fourth Amendment protection? At first blush, it seems that the answer must be yes: A reasonable person would surely expect that encrypted communications will remain private. In this paper, Professor Kerr explains why this intuitive answer is entirely wrong: Encrypting communications cannot create a reasonable expectation of privacy. The reason is that the Fourth Amendment regulates access, not understanding: no matter how unlikely it is that the government will successfully decrypt ciphertext, the Fourth Amendment offers no protection if it succeeds. As a result, the government does not need a search warrant to decrypt encrypted communications. This surprising result is consistent with Fourth Amendment caselaw: it matches how courts have resolved cases involving the reassembly of shredded documents, recovery of deleted files, and the translation of foreign languages. The Fourth Amendment may regulate government access to ciphertext, but it does not regulate government efforts to translate ciphertext into plaintext.

I should add that the broader Fourth Amendment framework I offer in the article (between what I then called "rights-based" and "statistical" approaches) has changed significantly in the last five years. I'm working on a piece now that I think has a much more helpful framework, and also situates the argument of this early effort more accurately. Despite that, though, I still think the argument in this early article is correct.
Well, that fits my amateur understanding of the Fourth Amendment, so Prof. Kerr must be incorrect!
Has anyone (to your knowledge) analyzed the Fifth Amendment implications of potential key-escrow requirements?
The real question is whether the government may force private citizens to reveal the encryption keys they use. For example: people who are not suspects themselves must answer police questioning and do not have a right to remain silent (assuming they themselves have not committed any crimes).
Say I have a friend who is suspected of a crime and there may be pertinent information in letters he wrote to me. The government can presumably get a warrant and force me to give them the letters. Now assume the letters are encrypted: can they also get a warrant for the keys? In the alternative, can they force me to decrypt the messages for them?
Note that in the world of public-key cryptography, knowledge of my secret key would allow the government to read any other message I may have received.
Does the argument in the paper then imply that I can scan, encrypt, and destroy every paper I own, and satisfy a search warrant by providing the encrypted scans, without a key? Oddly enough, giving up the expectation of privacy would then enhance the actual privacy, assuming a strong enough encryption?
As this interesting area of the law develops, people might want to look into TrueCrypt. It's free on the net and fairly secure.
One nifty feature is that it allows for two levels of access so you can encrypt some documents and surrender that password if forced to do so but other documents remain hidden in the mounted encryption volume. Supposedly these documents cannot be detected.
1. You assert that “Whenever the government obtains ciphertext consistently with Fourth Amendment standards, decrypting the communication into plaintext without a warrant cannot violate the Fourth Amendment.”
Surely, you meant to write “Whenever the government obtains ciphertext and the relevant keys consistently with Fourth Amendment standards, decrypting the communication into plaintext without a warrant cannot violate the Fourth Amendment.”
If they get the keys from a search that violates the Fourth Amendment, the decrypted text should be treated as fruit of the poisonous tree. The same argument should apply if they only got 110 bits of the key by an illegal search and used brute force for the other 18 bits.
2. If the government warranted that the code was, for all practical cases, unbreakable or required the use of the encryption for certain uses, then should not reliance on that warranty—at least against the government doing the warranting—be reasonable? For example, if someone used 256-bit AES today and the FBI broke it (say because it has a backdoor), it seems that, given the claims other parts of the federal government have made for AES, that the user would have had a reasonable expectation of privacy. Note that this argument distinguishes between breaking AES using a new quantum computer and reading AES traffic because of a backdoor.
3. You might want to consider what is the efficient rule for such rights. If encryption creates no expectation of privacy, then users of encryption have stronger incentives to use strong encryption and to use it correctly. Consequently, the market for encryption products and complementary markets (such as testing services for encryption products) could only be strengthened. Thus, in the long run, privacy might be better served if the constitutional interpretation you set forth is adopted. I would argue for your policy, not on constitutional grounds, but on efficiency and privacy grounds.
Chuck Jackson
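The partial-key scenario in point 1 above ("110 bits of the key by an illegal search and ... brute force for the other 18 bits"), as an added illustration that is not part of the comment or of Prof. Kerr's paper. It shows why the leak matters in practice: once 110 of 128 bits are in hand, only 2**18 candidates remain, and a laptop enumerates them in well under a second, whereas the full 2**128 space is out of reach. The key value, the bit counts and the verification oracle (a SHA-256 commitment to the key, standing in for "decrypt and see whether the plaintext makes sense") are constructed assumptions for the example.

```python
import hashlib

# Added illustration of the "110 bits known, 18 bits brute-forced" hypothetical.
# All values below are constructed for the example; none come from the page.
KEY_BITS = 128

# The complete key. The searcher only holds its top 110 bits (see split_key).
TRUE_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def commitment(key: bytes) -> bytes:
    """Verification oracle: stand-in for a trial decryption against known
    plaintext. Any check that confirms or rejects a candidate key (a MAC,
    a KDF check value, recognisable plaintext) plays the same role."""
    return hashlib.sha256(key).digest()


def split_key(key: bytes, unknown_bits: int) -> int:
    """The high (KEY_BITS - unknown_bits) bits of the key, i.e. the part the
    hypothetical's illegal search handed over."""
    return int.from_bytes(key, "big") >> unknown_bits


def recover_key(known_high_bits: int, unknown_bits: int, tag: bytes):
    """Enumerate every completion of the unknown low bits and test each one
    against the oracle. Returns (key, trials) on success, (None, trials)
    if no completion matches."""
    base = known_high_bits << unknown_bits
    for low in range(1 << unknown_bits):
        candidate = (base | low).to_bytes(KEY_BITS // 8, "big")
        if commitment(candidate) == tag:
            return candidate, low + 1
    return None, 1 << unknown_bits


def search_space(unknown_bits: int) -> int:
    """Worst-case oracle queries: the work factor collapses from 2**128 for
    the whole key to 2**unknown_bits once the remainder has leaked."""
    return 1 << unknown_bits


if __name__ == "__main__":
    tag = commitment(TRUE_KEY)
    leaked = split_key(TRUE_KEY, 18)  # the 110 bits obtained by the search
    key, trials = recover_key(leaked, 18, tag)
    print("recovered:", key == TRUE_KEY, "after", trials, "of at most", search_space(18))
    print("search without the leak would need up to", search_space(KEY_BITS), "trials")
```

The search finds the key on trial 0x3CDEF + 1 because the true low 18 bits of the constructed key are 0x3CDEF; with a different key the count changes but the bound of 262,144 trials does not. Compare that with search_space(128), which is the figure the later comments about "10^80 operations" are getting at.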
Seems to me that the answer to your question may involve the self-incrimination clause of the Fifth Amendment as well as the search and seizure provisions. If you have a copy of the key in written form, I see no reason why the government couldn't get it with a properly phrased search warrant, and if not, then, in your hypothetical, the government could require you to give them the key, since you're not incriminating yourself.
What's the answer if the letters would incriminate you? I suppose you would not have to tell them, since you don't have to say anything at all.
I know this isn't relevant as a matter of law, but, out of curiosity, do you have a good memory for obscure passwords, keys etc? I don't. Within 2 days, if I hadn't written it down or stored it on a computer, I would have forgotten the key.
But beware of the Martha Stewart trap: you tell the government investigators half of the truth (when you had no obligation to tell them anything)--result is a felony on its own. So if the government somehow discovers that you're using such a two-tier encryption and you only gave them the key to one tier, you're toast if they asked you the right follow-up question: "Will this key decrypt all the documents that you've encrypted?"
I suppose if one were trying to hide something (and who but the guilty need privacy anyway?) they would have to depend on the claims that the presence of the 2nd level encryption could not be discovered, let alone cracked.
This is where the intersection of the 4th and 5th amendments gets interesting.
You might say my mail analogy goes only to "access" and does not show why, if the information falls into the government's hands independently, they should not be able to "understand" it. Well, I think that's a very stunted understanding of electronic communications. It's impossible to "wrap" digital communications in any envelope BUT encryption: that's what we MEAN by access. These things flit over the Internet, and we wrap them up by encrypting them. Just because the government happens to intercept one does not mean that it should be able to "open" it any more than it should be able to open an envelope.
In light of the flimsiness of your distinction, the appropriate question is simply: what do people expect? Do they expect that data they take a great deal of care to encrypt is going to be opened by the government without following standard Fourth Amendment procedures? I think if you asked a cross-section of the population, they would say "absolutely not."
I realize that the Supreme Court's reasonable expectations of privacy doctrine is often illogical and incoherent. But I don't think we should complicate it even further, and reach even MORE counter-intuitive results by introducing an access/understanding distinction (Which, as I showed above, doesn't even really work).
In essence, you've come up with a clever little law review article. But precisely the fact that it is clever and counterintuitive shows it is wrong under the Fourth Amendment. What matters is what people expect. And when they encrypt something, they expect it to be at least as secure as an envelope they send in the mail.
If you agree that the DMCA is an access statute not a copyright statute then that means you believe that decrypting copyrighted content is a form of access. (And thus that the DMCA restricts access).
Why then doesn't government decryption constitute access?
Note: this whole line of argument revolves around your double use of the word 'access'. The 4th amendment doesn't use that word so it's possible your position is that access is merely an apt analogy until we get to this point of unifying the usage of the word access with respect to the DMCA and government decryption.
I address your analogy in the paper, and explain why I think it is incorrect. I'd be curious as to your response upon reading the paper. As to your question "what do people expect?", I explain in the paper that this is not the question that the Supreme Court generally asks. Of course, you might respond that the Supreme Court doesn't understand the Fourth Amendment, but I think that would mean that your "beef" is not with me, but with the Supreme Court.
Chuck Jackson,
Re point 2, no, I don't think that's right, for the reasons in the paper. Point 1 sounds right, although it's a bit beyond the scope of the paper.
And if encryption (which exists only to ensure privacy) doesn't "create a reasonable expectation of privacy", what does? Is the envelope of encryption any different than the envelope of a letter? Any different than a Post Office Box (that strange device that's locked at one end and completely open at the other)?
Your last response says you've addressed those in the paper - I'll go off and read. The question remaining is, what does create that reasonable expectation?
In other words for this decision to hold up one can't take the position that the government is free to analyze information it has obtained. It would presumably be perfectly okay for the government to use a commercial video camera to film the outside of your house. However, if by analyzing the information stored by that camera they could see through your walls this Supreme Court decision suggests that would require a warrant.
This brings us to the situation with encryption. Encryption seems (roughly) analogous to a physical envelope protecting a message inside. I suspect there are many situations where the government has the authority to search the outside of a sealed envelope but not the inside. Say a post office employee is murdered and forensic evidence has been deposited on your envelope. In this situation surely the government is allowed to take pictures and videotapes of the outside of the envelope.
However, given sufficient computer processing power it is likely that a long enough video of an envelope lighted from behind could be processed to reveal the contents inside. The answer here has to be the same as that in the house situation, using techniques to reveal the writing inside the envelope count as a search of the interior, but surely the 4th Amendment doesn't stipulate that only 5 minutes of video of the exterior can be taken if you need 10 minutes to computationally reconstruct the message inside.
It seems this requires us to reject the principle that the government has free rein to analyze information it already possesses. In particular I can't see any way to distinguish using visible light to reconstruct the interior of the envelope computationally from computationally reconstructing the encrypted communication.
Also, it's worth mentioning that the "Fourth Amendment singles out 'papers' for special mention and protection above and beyond all other 'effects'." Amar and Adams, The Bill of Rights Primer, 116 (1998). Thus, "[w]here the materials sought to be seized may be protected by the First Amendment, the requirements of the Fourth Amendment must be applied with scrupulous exactitude." Zurcher v. Stanford Daily, 436 U.S. 547 (1978) (Fourth Amendment allows warrants to search newspaper offices) (internal citation omitted).
It seems wrong to me (a communications engineer) that anyone could claim a reasonable expectation of privacy in a web posting that was encrypted in ROT-13. But, once you recognize that some encryption algorithms do not provide a reasonable expectation of privacy, then the court has to decide whether any particular algorithm falls on one side or the other side of the line between "reasonable expectation" and "no reasonable expectation". Why put that burden on the courts? His solution is "If anyone can break it, it isn't secure; therefore it does not provide a reasonable assurance of privacy." That is a simple rule, easy to explain and understand. It does not burden the court.
It also does not burden members of the public. There are publicly available algorithms that the U.S. government states can be used to protect information classified as TOP SECRET. See
and reference 2 therein. So, people have available quite secure alternatives. His rule only requires that people use the better products.
As I mentioned earlier, I also think that his rule would, in the long run, serve privacy better because it would strengthen the market for privacy products.
Chuck Jackson
OT: I wouldn't be surprised if the NSA is capable of cracking AES. Considering their history with DES, SHA, SHA-1, and skipjack, it seems that they are at least a decade ahead of the rest of the world.
I don't doubt danl's suggestion that NSA is capable of cracking AES. I am just wondering if, as a practical matter, that they would perform this service for, say, the FBI or other agencies for run of the mill crimes not involving national security.
It's true that DES was designed to criteria (resistance to differential cryptanalysis) that weren't publicly known, but according to Coppersmith, IBM did develop differential cryptanalysis independently of NSA.
SHA (now called SHA-0) had a weakness that NSA clearly knew about well before anyone else, which is why they designed SHA-1. However, there's no evidence that NSA knew about the weaknesses in SHA-1 recently uncovered by Wang et al.
As for Skipjack, I don't know of any evidence that Skipjack is much stronger than recent public symmetric cipher designs.
I was wondering if you could give some real world examples (not the Lex Luther example) of where a person might claim that data is protected from search by the Fourth Amendment solely because of encryption. As I understand it, numerous types of electronic data may not be searched without a warrant---such as private emails or password protected data (i.e., financial records maintained in web-accessible electronic compilations). It strikes me that almost all uses of encryption will occur where other indicia of the intent to maintain privacy exist. Thanks.
This isn't completely unjustified --- I knew long ago of an encryption method that was believed unbreakable in the open literature, but for which there was an attack in the classified world. (No, I'm not telling any more.)
But AES is not an algorithm that anyone at NSA had anything to do with concocting, it's completely open in design and implementation, and it's been thoroughly attacked by all sorts of top crypto people, all to no avail.
Failing a slick attack, which would probably depend on mathematics that are unknown to the community (pretty unlikely, there are lots of people who aren't encumbered by classification who would make their professional reputation for life by finding an attack), it's going to take in the neighborhood of 10^80 operations to break AES with a 256-bit key.
I'll leave it as an exercise to come up with a reasonable way to express how big that is, but notice that most estimates say there are fewer than 10^80 atoms in the entire universe.
For example, Title III imposes certain restrictions on wiretaps that may go beyond what the Fourth otherwise would protect. It affirmatively prohibits warrantless surveillance of communications in interstate commerce, which seems to apply to email, cordless phones and cell phones even if they are not protected directly by the Fourth; it prohibits investigative wiretaps for offenses outside an enumerated list; and it requires a showing that other techniques could not be used to acquire the wiretap evidence.
Once those rules are codified, does violating them become an "unreasonable" search in the constitutional sense because reasonable persons are entitled to rely on the statute enacted by reasonable legislators?
I discuss this a lot in the paper I'm working on. As a general matter, the answer is no. However, some courts have suggested otherwise in various contexts.
Encryption thus controls access to a work, not understanding of the work. There are many things that control your ability to understand a work, such as file and document formats, character sets, languages, and the like: however, these are not access controls. Encryption however, is so. And to the extent the Fourth Amendment regulates government access to individuals' papers, and assuming we accept Prof. Tribe's reasonable expectation of privacy theory as still alive and well in this digital world, then encryption does in fact express one's subjective expectation of privacy. Whether that expectation was objectively reasonable depends on the circumstances and existing caselaw.
What does the DMCA have to do with the Fourth Amendment? I can't understand why you see the former as having any impact on the latter.
Also, subjective expectations of privacy are essentially irrelevant in Fourth Amendment law because the government normally cannot prove that a defendant lacked one, and yet it has the burden of proof on this question. Thus, the sole question is really what a court will recognize as "reasonable," and my point is that "existing caselaw" tells us that encryption can't make an expectation "reasonable."
By this reasoning, "proof beyond a reasonable doubt" should be taken to mean "if someone doubts it, it isn't reasonable".
The law deals with gray areas all the time. If a judgment call has to be made, then a judgment call gets made.
1. Orin's right, if gov't is allowed to get to encrypted data, they're allowed to try to break it.
2. Same with keys.
3. Gov't will not outlaw encryption, including by requiring key escrow.
4. Gov't will work with industry to set up "encryption taps" to enable surveillance of the vast majority of encrypted data.
To understand the last point, you have to understand a little about the current state of the industry. Almost all keys in use ultimately derive from a few keys held by firms such as VeriSign. These "root" keys are distributed in software like Windows and Firefox. Creating and using your own key is of course possible, in the same sense that delivering your own mail is possible. There's no need for a comprehensive escrow system since there's really only about 100 keys that control 99.9% of encrypted traffic on the Internet. They encrypt it indirectly, but were the gov't to hold copies of those 100 keys, they would be able to decrypt all that traffic, as long as they had the ability to not only intercept, but modify, data on the Internet.
Orin - that may be an interesting question to study. To what extent, in a warrantless-yet-reasonable search, is law enforcement allowed to not only listen to, but modify, communications over private channels, provided that such modifications a) do not alter the content of the communications, b) are designed not to be detectable by the communicating parties, and c) are done purely to enable the otherwise-legal interception of the content? Given the way phone-taps work, which (according to the movies at least) often violate (b), such man-in-the-middle "attacks" are legal.
And as well, an expectation of an attempt to read, say by breaking the code, which is why the code is likely to be difficult to break.
An envelope, by contrast, shows neither. If the matter is private, it doesn't indicate it. It relies on a convention.
I'd also argue that the phrase "strong statistical likelihood" is misused. It constitutes understatement to such a degree as would deserve a contempt citation if attempted seriously in court. The "statistical likelihoods" in many codes lead to probabilities that make winning the NY lottery every week for a year seem as realistic as flipping an unbiased coin. One feeble comparison used is made with TRS-80s and Crays. A Cray is scarce more than a few trillion times more powerful; many modern ciphers have no publicly (IE, non-classified) known attack other than brute force. Such codes oft would hypothetically require turning each proton and neutron in the universe into a computer fast enough to require only a Planck time for each key test, and running for more millions of times the current age of the universe as astronomers currently understand it before having even a 1% chance of cracking the code. I would submit the magnitude of such ludicrously high odds makes a qualitative difference in effect.
Similarly, the claim "the full panoply of Fourth Amendment protections [...] will always precede any effort to obtain plaintext" is laughable under the current administration. Oh, and the historical Burr case also rides on the 5th amendment, weakening its value as an example.
I would suggest that a better interpretation would be that encryption creates a reasonable expectation of privacy, with reasonableness relative to the encryption strength, not as an absolute; and with the right to that privacy also not absolute, especially given a warrant properly issued under probable cause. Perhaps it's just a difference in emphasis, but I feel it's an important one.
Kyllo is pretty clearly limited to the home, I think. Indeed, as far as I know, no court has interpreted it to have any application outside the home. Do you know of any caselaw to the contrary?
Also, the strength of the statistical likelihood is legally irrelevant under Supreme Court precedent, so I'm not sure why you think that failure to describe it as accurately as possible would merit contempt charges. I gather you are just exaggerating?
Of course, nothing concrete follows directly from that -- 1201 is simply a statute, after all, and has no necessary connection with "reasonable expectations of privacy." But the theory behind it is that encryption of a DVD works like a lock on the content, keeping it "safe," and 1201 is meant to punish unlocking without the authority of the content owner. If it's reasonable for content owners to expect their encrypted content to remain encrypted when possessed by consumers, why isn't it reasonable for e-mail senders to expect their encrypted e-mail messages to remain encrypted when possessed by the government? In other words, it's possible that encryption is taking on a significance under the law that foreign languages or shredders don't have.
The Fourth Amendment doesn't work that way, I'm afraid. The Supreme Court uses "reasonable expectation of privacy" as a term of art, and you can't just select a meaning of that constitutional test that strikes you as logical based on the literal meaning of the phrase. Explaining that is the actual point of the article, actually; encryption is just a particularly dramatic example of how it plays out in a way that is contrary to the literal meaning of "reasonable expectation of privacy."
In any event, I have more on this in a draft I'm working on; I hope these points will make more sense after you take a look at it.
And if what he says is true then no wonder the government is pushing AES if the mechanisms are already in place to decrypt it.
Does information on a website, but protected from casual access by an authentication scheme, offer the same (lack of) expectation of privacy? For example, suppose we have two websites which both wish to make a message available only to those with the password. One website encrypts the message and posts the encrypted text so that anyone can view it, but only those with the password can understand it; the second website will display the unencrypted message to anyone that supplies the correct password.
The key to the encrypted text available on the first website is the same as the password that allows access on the second website, so the degree of difficulty to obtain access to the document via brute-force is the same for either website. How do the two websites differ (if at all) in the expectation of privacy?
My first thoughts are that they would not differ at all in the statistical model of the Fourth Amendment that Professor Kerr discusses, but that the second website might offer a stronger expectation of privacy under the rights-based model of the Fourth Amendment. Professor Kerr also argues that the rights-based model is the one generally used. If this is the case, then the password-accessible website would still have a stronger claim to expectation of privacy even if the password was much easier to guess or brute-force than the key needed to decrypt the message on the first web site.
This is a bad analogy. Rot-13 does not create an expectation of privacy, because its purpose is to permit the reader to decide whether/when to read the rotated information. In other words, a message sent in Rot-13 is intended to be deciphered. A court need not decide how difficult a code is to break, only whether the purpose of using the code was to prevent eavesdropping (vs some other purpose).
That leaves the slippery-slope and other intuitional-pull-type scenarios you raise -- Lex Luthor and pig latin. However, I think that it may be possible to deal with those hypos to lessen their force. For Lex, isn't there an exigent circumstances-type exception that would override the warrant requirement? It can't be the case that I can walk up to a police officer and say, "My briefcase contains a bomb -- but you can't search or seize it without a warrant! And by the time you get one it will go off! Muhahahahahaha!" Or, alternatively, by publishing it in the manner he did ("Here it is and here (generally) is what it contains -- ha, ha, suckers!") perhaps he "abandoned" the communication in the same way one can abandon a briefcase by leaving it on a subway platform. And even if neither of those arguments works, for both the simple one-letter transfer and pig latin, I think a line can be drawn between "technological protection measures," as in 1201, and codes decipherable by a human. That may be a fuzzy line in some circumstances, but most lines are fuzzy, and for the most part the cases will involve 40-bit keys and such that are not decipherable by almost any human, but require a device (even a simple software device) to "open." This would deal with the historical argument as well.
Question: CAN ENCRYPTION CREATE A "REASONABLE EXPECTATION OF PRIVACY"?
Answer: Well, that all depends on the strength of the encryption! As much as we'd all love to believe that the Constitution has a secret decryption key hidden on its back, it is much more likely that the user of said encryption chose something other than "The 4th Amendment" or "The 5th Amendment" as their pass phrase.
Note to self: Damnit, now I have to change my pass phrase.
-Riskable
http://riskable.com
"Almost all keys in use ultimately derive from a few keys held by firms such as VeriSign. These "root" keys are distributed in software like Windows and FireFox."
Seemingly, Randal refers to the public parts of DSA and RSA keys of Certificate Authorities like VeriSign that establish the validity of the certificates held by web sites in the setup of SSL communications like HTTPS (HTTP over SSL) using digital signatures. This does not mean that VeriSign can decrypt any of the communications that follow between the web site and the user. They cannot. Simplifying, an ephemeral, throw away, symmetric key for an algorithm like AES or RC4 is established using the asymmetric DSA or RSA web site keys for all subsequent communications between the web site and the user. Verisign's mere digital signature of the web site certificate does not allow them to penetrate this exchange or anything that follows. http://en.wikipedia.org/wiki/Secure_Sockets_Layer
Yes, VeriSign could decrypt the exchange, if - and I took pains to point this out - they were able to modify the Internet packets flowing between the user and the website (or between any two entities using a throwaway key ultimately chained back to a VeriSign key). The crux is that when the website sends its public key to the user, VeriSign could replace it with an imposter key. It can do so since it can sign it with the "root" private key, a key automatically trusted by all users of Windows and Firefox. The gov't could do the same were it to hold a copy of VeriSign's private key.
See man-in-the-middle on Wikipedia.
I'm making no statement about the practical feasibility of such a system - it would be tricky, to say the least - harder than simply tapping a phone. But there are no cryptographic obstacles.
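The substitution Randal describes (a party holding the root CA's private key mints an impostor certificate for the site, the client accepts it, and the session key the client encrypts to the impostor public key is readable by the man in the middle), as an added toy example. It is not the commenter's code and not real X.509 or TLS: textbook RSA with no padding, a single-level chain, a seeded RNG for reproducibility, and the names ExampleRootCA and www.example.test are all constructed assumptions. The point it makes is the one in the comment: possession of the root private key is sufficient, and a forger without it fails the signature check.

```python
import hashlib
import random

# Added toy model of a CA-rooted chain and the root-key man-in-the-middle.
# Textbook RSA (no padding), fixed-seed RNG, invented names: illustration only.
rng = random.Random(20010101)


def is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def rsa_keypair(bits=512):
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # (public, private)


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    return pow(digest(data), priv[1], priv[0])


def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data)


def rsa_encrypt(pub, m):
    return pow(m, pub[1], pub[0])


def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])


def tbs(subject, pub):
    """The bytes a CA signs: subject name plus the subject's public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(issuer, issuer_priv, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, tbs(subject, subject_pub))}


def client_accepts(cert, hostname, trust_store):
    """What the browser does: issuer must be a shipped root, the name must
    match, and the root's signature over the certificate body must verify."""
    root_pub = trust_store.get(cert["issuer"])
    return (root_pub is not None and cert["subject"] == hostname
            and verify(root_pub, tbs(cert["subject"], cert["pub"]), cert["sig"]))


def mitm_scenario():
    root_pub, root_priv = rsa_keypair()
    trust_store = {"ExampleRootCA": root_pub}          # shipped in the browser
    site_pub, site_priv = rsa_keypair()
    genuine = issue_cert("ExampleRootCA", root_priv, "www.example.test", site_pub)
    # Attacker holding a copy of the root private key mints an impostor cert.
    mitm_pub, mitm_priv = rsa_keypair()
    impostor = issue_cert("ExampleRootCA", root_priv, "www.example.test", mitm_pub)
    # Attacker WITHOUT the root key can only sign with some other key.
    _, rogue_priv = rsa_keypair()
    forged = issue_cert("ExampleRootCA", rogue_priv, "www.example.test", mitm_pub)
    # Client accepts the impostor and encrypts its session secret to mitm_pub;
    # the attacker recovers it and re-encrypts to the real site, which also sees it.
    session = rng.getrandbits(128)
    from_client = rsa_encrypt(impostor["pub"], session)
    seen_by_mitm = rsa_decrypt(mitm_priv, from_client)
    seen_by_site = rsa_decrypt(site_priv, rsa_encrypt(site_pub, seen_by_mitm))
    return {"genuine": client_accepts(genuine, "www.example.test", trust_store),
            "impostor_with_root_key": client_accepts(impostor, "www.example.test", trust_store),
            "forged_without_root_key": client_accepts(forged, "www.example.test", trust_store),
            "wrong_host": client_accepts(impostor, "mail.example.test", trust_store),
            "mitm_reads_session": seen_by_mitm == session == seen_by_site}
```

Run mitm_scenario() and every entry except forged_without_root_key and wrong_host comes back True: the chain check does its job against an outsider, but it cannot tell a root-signed impostor from the genuine certificate, which is exactly why the question of who holds those root private keys matters in the discussion above.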
I'll raise you one: Encryption subverts the expectation of privacy.
If the interception of a communication is supported by probable cause and authorized by a warrant, then the government can compel production of the key. If you need a warrant and don't have probable cause, then brute force decryption is a fruit of the poisonous tree. The only issue that matters is whether the capture of the communication, if not authorized by warrant, is supported by some combination of exigent circumstance and reduced expectation of privacy.
If the Government can surveil communications between the U.S. and Pakistan without probable cause, then it can use encryption as a "flag" that stands out like a sore thumb, and either identify the parties (because the "to" and "from" fields aren't encrypted), or establish that the identities have been obscured. Encryption supplied for a good reason by a transactional website (Citibank or Amazon) can be set aside, leaving a relatively small pool of non-transactional, person-to-person communications between a person in America and a person in Pakistan that have been encrypted purposefully, non-automatically, and by pre-arrangement, which is uncommon. The pre-application investigation that turns up no apparent relationship between the parties is only a little less suspicious than an encrypted communication between a young man and his mother.
Encryption comes close to slapping probable cause on a needle in haystack.
John Noble
(I am agnostic on the second question and taking it as a premise.) That is, if the goons at city hall want to go through my briefcase and copy things for later decryption, that would be an unwarranted search, but it would have been even if my papers weren't encrypted... I'm not sure if my category is just the empty set; whether or not it helps anything. It at least takes material out of plain view.
This post is an example of why the fourth amendment,
[The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable search or seizure, shall not be violated; and no warrant shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or thing to be seized.]
means something different than my state constitution's
Section 11. [Search and seizure
Section 11. The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable search or seizure, shall not be violated; and no warrant shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or thing to be seized.]
Tangent: A client of mine wasn't allowed to vote, after he wouldn't produce a government ID unless he was shown a search warrant.
I think this violates both the 4th A and section 11,
but I could be wrong, and it could be expensive to find out. I welcome thoughts, gtbear at gmail.