2

Summary: Possible way to avoid the requirements of giving away the decryption key. Will this work?

Many countries have laws forcing citizens to decrypt their private data if they are being suspected of some illegal activities. If one refuses, he is to be punished.
Now the idea to avoid this. For simplicity the person having private information will be myself.
1. The data stored locally is encrypted.
2. Encryption/decryption key is stored at the remote server controlled by some third party. It can be my lawyer or person/company outside the country's jurisdiction.
3. Regular mode. I authenticate at the remote server, download the key, decrypt my local data, work with it.
4. Emergency mode. I was detained and told by a law enforcement officer or judge to disclose my files. Then I either enter a secret "under pressure" password or my lawyer alerts the third party.
After this the remote server no longer returns me the key. Instead, some agent (person, not software) of the third party monitors the situation and will put the system to the regular mode only after making sure that I am released and all charges dropped.
I honestly tell the police that I don't have the key and describe the scheme.

Question: Will this work?

Related questions about possible loopholes.
Is there any reliable way for a third person to learn if all charges against someone were dropped?
Can I be compelled to contact someone and tell lies?

PS. This is purely theoretical question. Laws may differ by country, any input is appreciated.

Upd. The primary interest is US laws but please feel free to add more details on any other jurisdiction you are have good knowledge of.
And my gratitude for all who contributed so far or will do ater.

Improve this question
3
  • I think the question is too general and hypothetical as it stands. If you can pick a specific country that has a "must decrypt" law of the kind you describe, it may be possible to give an answer for that country. But we can't really answer for a hypothetical country that may or may not hypothetically have other relevant laws or legal procedures.
    – Nate Eldredge
    Commented Dec 18, 2018 at 18:45
  • Let's start with the US. At least this country generates the most news about encryption and stuff
    – deep down
    Commented Dec 18, 2018 at 23:58
  • Okay. I added the appropriate tag for you. Can you please edit your question to clarify that you are focusing on the US?
    – Nate Eldredge
    Commented Dec 18, 2018 at 23:59

2 Answers 2

Reset to default
1

Most jurisdictions have laws that prohibit the destruction of evidence. The deletion of the key in Step (4) will violate these.

If you leave the key with the third party then it can be obtained. You also face the risk that your trusted third party will leak it.

Improve this answer
10
  • 1
    There is no key deletion. The third party in another country will simply refuse to provide it. No evidence is destroyed. Also, your link references Microsoft Corp. vs. the United States, which case resulted in the CLOUD Act. That means, as far as I can tell at a quick glance, that the accused can be asked to request a copy of the key. The third party is not under jurisdiction of that court, and can't be compelled to divulge it except by going through the court system that does have jurisdiction.
    – David Thornley
    Commented Dec 18, 2018 at 16:32
  • The "destruction of evidence" statutes are usually more broad than that. Consider for instance 18 USC 1519 which also makes it a crime to "conceal" evidence. Sending it somewhere where the authorities can't get it (i.e. outside the jurisdiction) would surely be construed as "concealing", I would guess.
    – Nate Eldredge
    Commented Dec 18, 2018 at 18:38
  • This might be not clear from my initial description so here are some missing details. The don't control the third party in any way. We just simply signed a contract that they send me a key under certain conditions. And I don't even see the key, it's handled by the third-party software.
    – deep down
    Commented Dec 18, 2018 at 18:44
  • 1
    @NateEldredge Normally, precautions seem to be allowed if they're implemented before the law gets involved. My iPhone can be set to destroy its AES-256 key with ten failed attempts to enter the PIN. and as far as I know that's legal.
    – David Thornley
    Commented Dec 18, 2018 at 21:17
  • 1
    @NateEldredge But you did that before you had any reason to believe that the key was relevant to any investigation. Surely you can't be convicted of destruction of evidence for arranging the conditional destruction of something that was not evidence at the time you acted.
    – David Schwartz
    Commented Dec 19, 2018 at 10:18
0

I honestly tell the police that I don't have the key and describe the scheme.

Question: Will this work?

Assuming that the law provides for disclosure of decryption keys or of the contents at issue (see the Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., or the Stored Communications Act, 18 U.S.C. Chapter 121 §§ 2701–2712, in U.S. legislation), this scheme would fail in jurisdictions as those of the U.S.

Once you describe the scheme, a [reasonable] judge could order the third-party agent to put the system back to regular mode, and hence order you to facilitate the information at issue. Not complying with the order(s) would put you or the agent, accordingly, in civil contempt (which means jail and/or fines for each additional day of non-compliance).

Your lawyer would get in trouble as well if he is found to have conspired with you, or knowingly assisted you, to avoid mandated disclosure. This would be consistent with the crime-fraud exception of the attorney-client privilege, which supposedly prohibits an attorney to act in furtherance of his client's misconduct.

Improve this answer
6
  • The judge has no power over the third party. Under the circumstances given, the third party may refuse to comply with a request from the defendant. The OP's secret password scheme may well be illegal, but if the third party finds out about the arrest without being tipped off by client or lawyer, or requires the defendant to say he or she isn't under arrest or in custody, I'm not nearly as sure. Civil contempt is to punish someone for refusing to do something the court orders, and if the defendant does everything the court says it would seem inapplicable.
    – David Thornley
    Commented Dec 18, 2018 at 21:23
  • @DavidThornley "if the defendant does everything the court says it would seem inapplicable" That is why in the 2nd paragraph I premised the matter of civil contempt with "Not complying with the order(s)" and "for each additional day of non-compliance". And, the judge can certainly compel a third party regardless of the latter's compliance with defendant's requests. In civil court this would be by means of a motion to show cause if the third-party does not comply with the underlying subpoena or court order, and I doubt procedural law in criminal court differs significantly on this.
    – Iñaki Viggers
    Commented Dec 18, 2018 at 21:33
  • The third party is located outside the country's jurisdiction, this was the whole point. Their response to the judge is "you are nobody to me". Also, is it illegal for me to explicitly tip them off? If so, can I ask my lawyer to ask some new reported to announce the fact of detention?
    – deep down
    Commented Dec 19, 2018 at 0:00
  • @deepdown "The third party is located outside the country's jurisdiction" In that case, then yes, the judge might be powerless. That really depends on international treaties. I just did not pay much attention to the equivocal/probabilistic condition that it "can be" outside the country's jurisdiction. As for explicitly tipping them off, the judge could order you to reverse it or somehow facilitate the information (and resort to punishment for civil contempt).
    – Iñaki Viggers
    Commented Dec 19, 2018 at 0:23
  • Iñaki Viggers, please give more details here. I tell the judge that I have no control over the third party. Moreover, the contract we signed requires them not to trust my words but investigate the situation on their own. Is "I cannot help you in any way" a valid response to the judge?
    – deep down
    Commented Dec 19, 2018 at 9:31

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .