[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FYI] (Fwd) FC: Orin Kerr says "encryption in a crime" penalty isn't that bad

To: debate@lists.fitug.de
Subject: [FYI] (Fwd) FC: Orin Kerr says "encryption in a crime" penalty isn't that bad
From: "Axel H Horns" <horns@ipjur.com>
Date: Wed, 12 Feb 2003 21:59:13 +0100
Delivered-to: mailing list debate@lists.fitug.de
List-help: <mailto:debate-help@lists.fitug.de>
List-id: <debate.lists.fitug.de>
List-post: <mailto:debate@lists.fitug.de>
List-subscribe: <mailto:debate-subscribe@lists.fitug.de>
List-unsubscribe: <mailto:debate-unsubscribe@lists.fitug.de>
Mailing-list: contact debate-help@lists.fitug.de; run by ezmlm
Organization: NONE
Priority: normal

------- Forwarded message follows -------
Date sent:      	Wed, 12 Feb 2003 15:18:00 -0500
To:             	politech@politechbot.com
From:           	Declan McCullagh <declan@well.com>
Subject:        	FC: Orin Kerr says "encryption in a crime" penalty isn't that bad
Copies to:      	okerr@law.gwu.edu
Send reply to:  	declan@well.com


--

From: "Orin Kerr" <okerr@law.gwu.edu>
To: declan@well.com
Date: Wed, 12 Feb 2003 14:47:55 -0600
Subject: for politech, if you like

Declan,

This is an edited version of a blog posting of mine commenting on the
proposed offense, "unlawful use of encryption." The original is here:
http://volokh.blogspot.com/2003_02_09_volokh_archive.html#90304660

Orin
_________________________________

WOULD A LAW CRIMINALIZING "UNLAWFUL USE
OF ENCRYPTION" HAVE MORE BARK THAN BITE?

     Section 404 of the new DOJ anti-terrorism proposal has a section
     that 
would
create a new federal crime, "unlawful use of encryption." The proposal
would allow the government to charge "[a]ny person who, during the
commission of a felony under Federal law, knowingly and willfully
encrypts any incriminating communication or information relating to
that felony" with a separate felony crime. DOJ argues that this crime
is "warranted to deter the use of encryption technology to conceal
criminal activity."

     Civil libertarians worry that this law will just thump pretty
     much 
every computer
criminal with an extra five years in prison. Declan McCullagh argues:
"When encryption eventually becomes glued into just about every
technology we use, from secure Web browsing to encrypted hard drives,
the [provision] would have the effect of boosting maximum prison terms
for every serious crime by five years. It'll be no different--and no
more logical--than a law that says 'breathing air while committing a
crime' is its own offense."

     I think both sides are a bit off here. DOJ is probably optimistic
     
about the likely
good of this proposal, and Declan overstates the harm. If passed into
law, I think this crime would probably make little difference in
practice, and would be charged only rarely.

     Why wouldn't this law make much of a difference? Let's start by
considering how law enforcement discovers uses of encryption in
criminal cases. The FBI gets legal authority to conduct surveillance
of a suspect in a particular case, and when they get the information,
they find out it is encrypted. What to do? Decrypting the information
by brute force is essentially impossible, so the FBI will either a)
locate the key that will allow them to decrypt the information, or b)
never be able to decrypt the information and will try to solve the
case in another way.

      If the FBI cannot find the key, the defendant will not be
      charged 
under the
"unlawful use of encryption" statute because the government will lack
proof: if the government can't decrypt a file, it cannot prove that
the file is "incriminating" and that the information it contains
"relat[es]" to another felony the defendant is committing. The
government can only bring the charge if they have successfully
decrypted the communication, which to my knowledge has happened in
only two cases (including the Scarfo case).

     But what if the government succeeds in decrypting a defendant's
     files, 
and finds
out that a defendant was in fact encrypting incriminating information
relating to a felony? Won't the government be able to add an extra
five years in the slammer to that defendant's sentence? It's quite
unlikely. First, the proposed statute requires that the government
show that the defendant encrypted the incriminating communication
"willfully." Although the meaning of "willfully" in federal criminal
law is not entirely settled, the word usually means "in knowing
violation of the law." In other words,  the government must show not
only that the defendant knew that he was concealing the information,
but that he knew that it was illegal to do so. Even where applicable,
this would be extremely hard for the government to prove: criminal
defendants have a constitutional right not to testify, which means
that the government would have to prove based on the context that the
defendant must have known that his use of encryption was criminal.
Given that the law only applies to the use of encryption to further
federal (not state) crimes that are felonies (not misdemeanors), this
would be hard to do.

     But let's say a defendant sent an e-mail to the FBI when he
     encrypted 
his files,
saying: "Dear Mr. FBI Agent, I am hereby encrypting files in
furtherance of a federal felony offense, and I realize it is a crime."
In that case, the government would be able to prove the defendant
encrypted his communications willfully. Wouldn't it add five years to
a defendant's sentence then? Not necessarily. The trick is that the
"five year" penalty for this proposed crime is only a theoretical
maximum penalty: the actual sentence would be imposed under the
federal Sentencing Guidelines. (This is true for all federal crimes,
actually, and means that you need to be skeptical when you read about
people being arrested and facing zillions of years in prison. It's not
uncommon for a defendant to be arrested on 10 felony counts each with
a maximum of 10 years in prison, and for the defendant to plead guilty
and get a sentence of 6 months in prison or even just probation.)

      The real question of how the proposed law would impact criminal
sentences depends upon how it would be treated under the Sentencing
Guidelines. There are no guidelines for this crime, of course (this
just being a proposed law, not an actual one), so the actual effect of
a conviction under the proposed crime is a matter of speculation. But
it's worth noting that the most common approach to grouping related
offenses under the guidelines is for the most serious offense to
control the sentence. So if I go on a crime spree and commit one
serious federal offense along with three minor federal offenses, the
offenses normally will be "grouped" and only the most serious offense
will actually determine the sentence. The rest of the crimes won't
make a difference.

      Why does this matter? It matters because the proposed crime is
      by its 
nature a
dependent crime: a defendant would be guilty of unlawful use of
encryption only if he was also guilty of another federal felony crime,
and the government could prove that other felony. As a result, if the
independent crime is the more serious crime under the guidelines, the
"grouping" of the offenses could make the independent crime the key
offense under the guidelines.  In this case, a conviction for unlawful
use of encryption might have no effect whatsoever on the defendant's
sentence. (As I said above, though, this is just speculation-- the
actual effect would be up to the Sentencing Commission, which would
have to figure out how to deal with this new crime if it became law.)

      If the law could have so little effect, you may be wondering,
      why 
would DOJ
propose it in the first place?  One possibility is that deterrence can
work based on perceptions as much as reality.  If people *think* that
this law will send them to jail for an extra five years for using
encryption to further a serious crime, they might be deterred from
using encryption to further criminal activity-- even if the law is
unlikely to do that.

Orin S. Kerr
Associate Professor
George Washington University Law School
Washington, DC 20052




----------------------------------------------------------------------
--- POLITECH -- Declan McCullagh's politics and technology mailing
list You may redistribute this message freely if you include this
notice. To subscribe to Politech:
http://www.politechbot.com/info/subscribe.html This message is
archived at http://www.politechbot.com/ Declan McCullagh's photographs
are at http://www.mccullagh.org/
----------------------------------------------------------------------
--- Like Politech? Make a donation here:
http://www.politechbot.com/donate/ Recent CNET News.com articles:
http://news.search.com/search?q=declan
----------------------------------------------------------------------
---

------- End of forwarded message -------


-- 
To unsubscribe, e-mail: debate-unsubscribe@lists.fitug.de
For additional commands, e-mail: debate-help@lists.fitug.de

Prev by Date: Re: [FYI] Ross Anderson - Open and closed security are roughly equivalent
Next by Date: [FYI] Internet-Zensur - und wie mensch sie umgeht
Previous by thread: Re: [FYI] (Fwd) EDRI-gram - Number 2, 12 February 2003
Next by thread: [FYI] Internet-Zensur - und wie mensch sie umgeht
Index(es):
- Date
- Thread