Will encrypting incriminating documents allow me to escape conviction if the time to break the encryption is longer than the statute of limitations?
February 19, 2006 9:02 PM

Let's say I have a document on my computer that incriminates/implicates me in a crime. Let's say I encrypt it, and I conveniently forget the password or encryption key that was used to encrypt the file. Let's assume the police can break the encryption, but the time needed to break the encryption is longer than the statute of limitations of the crime in question. What can they do to me? What can happen to me? (Besides possibly getting convicted of obstruction of justice or contempt of court for not divulging the encryption key?)

I have no intention of committing any actual crimes. This question is purely hypothetical. Really, I'm just curious.
posted by yeoz to Law & Government (18 answers total)
Best answer: In most jurisdictions they can keep you in jail until you give up the key, or the encryption is broken.

Statute of Limitations does not apply once you have been charged.

However, if the encrypted item were the *only* evidence, then you'd be home free because by definition no one would suspect you so long as the evidence stayed encrypted. I.e., no probable cause.
posted by unSane at 9:07 PM on February 19, 2006

In the U.S., I don't think you can be forced to reveal the key anyway -- it's your privilege against self-incrimination. (However, it seems that they could offer you immunity for the crime, then ding you for obstruction when you "refuse" to remember the password). If the crime can somehow be described as terrorism (and what can't, nowadays?) you're probably looking at a world of hurt.
There was a U.K. law a few years ago that somehow criminalized encryption. I don't remember exactly what the terms were, but I do remember that some civil disobedients filmed (or otherwise recorded) an actual crime committed by one of them, then encrypted the disk and sent it to one of the MPs. They were pointing out how absurd the law was: I think the MP was liable to be arrested and imprisoned (as if!) because he had possession of an encrypted record of a crime and wouldn't (couldn't) decrypt it.
posted by spacewrench at 9:08 PM on February 19, 2006

Depending on the type of encryption you use, there are some methods of doing so that will not only extend the decryption time past the statute of limitations (and this is solely dependent on the crime you are suspected of, some do not have statutes) but decryption could extend past your own lifetime. Also, as unSane mentioned, once you are charged (and this is usually based on other evidence) there is no statute at all. However, a charge can be dropped by a judge if the prosecution cannot come up with enough evidence to warrant arrest or an appearance in court.
posted by purephase at 9:14 PM on February 19, 2006

you might be compelled to give the key

"{4} The Fifth Amendment's guarantee against self incrimination also provides little protection for existing documents. The Court generally interprets the Fifth Amendment to allow the government to compel the production of these documents, because the government did not compel anyone to write the documents.[7] Thus, the government can compel the production of documents and, if written, the key encrypting the documents. Although there may still be some protection for private documents, such protection is uncertain in its existence and narrow in its scope.[8]

{5} Under the Warden view and Fifth Amendment jurisprudence, written cryptographic keys cannot be distinguished from the documents themselves. If the key is found by a search, it can be used. If one can subpoena the underlying documents, one can subpoena the key.

{6} In this section, I shall assume the correctness of Justice O'Connor's belief that there is now no Fourth or Fifth Amendment obstacle to the compulsory production of existing documents, whether text, encrypted text, or cryptographic key.[9] This means that the basis of protection must be an assertion of Fifth Amendment privilege against a question asking one to disclose a memorized cryptographic key."

i'm not sure on this, but didn't congress also pass a law making it a crime to fail to give a key in the course of an investigation?

in any case, not giving the key doesn't seem foolproof to me
posted by pyramid termite at 10:17 PM on February 19, 2006 [1 favorite]

skimming through that link, it seems as though the author of the paper wants to argue that one is protected by the constitution in this case ... but it's by no means clear what a court would rule
posted by pyramid termite at 10:27 PM on February 19, 2006

Keep in mind that many laws don't have a statute of limitations. For example, there is no limitation on murder -- you can be charged at any point in the future.
posted by frogan at 10:31 PM on February 19, 2006

Even if there is no law making it a crime to fail to present an encryption key, a savvy prosecutor could demonstrate that it is highly unlikely that you forgot your key, e.g. by examining your encryption logs, times of encrypting and unencrypting other files, queries to Metafilter etc. Even if you somehow managed to delete/scramble these footprints, the act of deleting/scrambling them itself may suggest deceptive behavior and negative aspects of your character in the minds of a jury.
posted by DirtyCreature at 10:32 PM on February 19, 2006

Best answer: The key here is to use denial encryption. They can't make you reveal the key if they can't prove that the document exists.
posted by SPrintF at 11:20 PM on February 19, 2006

Best answer: just to add that truecrypt (referenced in the wiki page above) is a very nice piece of software. you can make a partition on your disk, encrypt it, and put some porn there. next, put a second encrypted folder inside that, and put your stuff in there. when asked for the password, give the one for the first level (with the porn). there's absolutely no (afaict) evidence that the second level exists, so no way you can be detained for the second password.
posted by andrew cooke at 5:10 AM on February 20, 2006

wow, deniable encryption is an incredible idea... I think I just got my next screenplay...
posted by unSane at 6:04 AM on February 20, 2006

Sorry to rain on your parade here but -

Two minute prosecution attack against simple denial encryption.
1. You decrypt the partition/file using the "safe" key.
2. I copy the resultant file/s to another place
3. I re-encrypt these files using your "safe" key.
4. I compare file sizes and see they are different.
5. Your credibility is in tatters again.

You might invent a workaround for this as well, but who is to say some researcher will not discover some other tell-tale property of the encryption like this in the future?

By the way, looks like it is illegal to not reveal your key in the US.
posted by DirtyCreature at 10:13 AM on February 20, 2006

Response by poster: From what I can tell, that attack does not work against TrueCrypt. It's not simple file encryption; instead it allows for the creation of encrypted disk volumes. Volumes generated by TrueCrypt are initially generated with cryptographically-strong random data, so, any reencryption process will always generate unique volumes.

I'm willing to bet that you won't be able to find a researcher that can find 'tell-tale' differences between two different sets of cryptographically-strong random data. It's a problem almost as hard as breaking the encryption.
posted by yeoz at 10:23 AM on February 20, 2006

My point is I wouldn't bet my freedom on it if I were you.
posted by DirtyCreature at 10:26 AM on February 20, 2006

Let's assume the police can break the encryption, but, the time needed to break the encryption is longer than the statute of limitations of the crime in question.

I think you've made a fatal error in your assumptions.

If people say "it takes X number of years to break encryption system Y" then that's only a guess, an average, an estimate.

It's possible that the people trying to break your encryption will get lucky and decrypt your document after just a couple of hours.

To say "it would take five years" is like saying "you could shuffle a pack of cards once a minute and you wouldn't get a royal flush for five years". It could happen first time out of the box.
posted by AmbroseChapel at 1:05 PM on February 20, 2006

Best answer: The police are not going to break your encryption by brute force method. Ever. They simply do not have the time, computers, or expertise to do that unless you are really stupid about your choices of encryption (like, you favor mono-alphabetic substitution ciphers or something).

However, unless you are very careful, they can find weakness in your protocol -- you might have written it down, your software implementation is flawed, your OS stores keys in a non-secured chunk of memory, they install a key logger without your knowledge, etc.

In short, it's trivially easy today to make an encrypted message that is never going to be cracked. No law enforcement agency is going to waste time trying to crack the encryption of a petty criminal -- they are going to either coerce you into giving them the key, they are going to spy on you to get the key, or they are going to find the key through your own carelessness.
posted by teece at 1:28 PM on February 20, 2006

It could happen first time out of the box.

Right. And you could win the lottery three times in a row. Most modern key spaces are large enough that that possibility is not worth considering.
posted by teece at 1:29 PM on February 20, 2006

DirtyCreature writes "looks like it is illegal to not reveal your key in the US."

Which of course means it's illegal to have random bits (say the recording of the raw output stream of a photoled pointed at a lava lamp) on your HD. The law is totally unenforceable in any meaningful way.
posted by Mitheral at 2:30 PM on February 20, 2006

Right. And you could win the lottery three times in a row. Most modern key spaces are large enough that that possibility is not worth considering.

I think you're wrong, or at least you're misrepresenting what I said.

Here's the question we've been asked: if the statute of limitations is five years and I encrypt information in such a way that it takes five years to decrypt, am I safe?

He's not safe if it takes less than five years, and he seems to be working on the assumption that the "five years" figure is locked in -- that if the cops start now, they'll get the information exactly five years from now and not before.

It could be before, and it could be after. All I'm saying is, it's not exactly five years.
posted by AmbroseChapel at 12:56 PM on February 25, 2006
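
Added example, not part of the original thread: the exchange above between AmbroseChapel ("five years" is only an average) and teece (modern key spaces are too large for luck to matter) can be put in numbers. The sketch assumes a uniformly random key and an exhaustive search; the attacker rate of 10^12 keys per second and all function names are assumptions made for illustration.

```python
import random
from fractions import Fraction

SECONDS_PER_YEAR = 365 * 24 * 3600
ASSUMED_RATE = 10**12  # keys tested per second; an assumed figure, not from the thread


def p_found_within(keyspace, years, rate=ASSUMED_RATE):
    """Probability an exhaustive search hits a uniformly random key within `years`.

    The key's position in the search order is uniform on 1..keyspace, so the
    probability is simply (keys tried) / (keyspace), capped at 1.
    `years` must be an int or Fraction so the result stays exact.
    """
    tried = rate * years * SECONDS_PER_YEAR
    return min(Fraction(1), Fraction(tried, keyspace))


def keyspace_for_average(years, rate=ASSUMED_RATE):
    """Keyspace whose *average* search time is `years` (worst case is twice that)."""
    return 2 * rate * years * SECONDS_PER_YEAR


def simulate(keyspace, trials, seed=1):
    """Monte Carlo check of the uniform model on a small constructed keyspace.

    Returns (mean fraction of keyspace searched, share of runs that finish
    within the first 10% of the search).
    """
    rng = random.Random(seed)
    positions = [rng.randrange(keyspace) + 1 for _ in range(trials)]
    mean_fraction = sum(positions) / trials / keyspace
    early = sum(p <= keyspace // 10 for p in positions) / trials
    return mean_fraction, early


if __name__ == "__main__":
    # A cipher sized so the average break takes five years: luck matters a lot.
    marginal = keyspace_for_average(5)
    for y in (1, 5, 10):
        print(f"'5-year average' keyspace, within {y:>2} y: {float(p_found_within(marginal, y)):.2f}")
    # Real key sizes at the same assumed rate: luck stops mattering.
    for bits in (56, 80, 128):
        p = p_found_within(2**bits, 5)
        print(f"{bits:>3}-bit key, within 5 y: {float(p):.3e}")
    print("simulation (mean fraction, share done in first 10%):", simulate(10**6, 20000))
```

A key space sized so the average search takes five years gives the searcher a 10% chance in the first year and 50% by year five, which is the uncertainty AmbroseChapel describes; at 128 bits the five-year probability under the same assumed rate is below 10^-18, which is teece's point.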
