Förderverein Informationstechnik und Gesellschaft

FC: Orin Kerr says "encryption in a crime" penalty isn't that bad

------- Forwarded message follows ------- Date sent: Wed, 12 Feb 2003 15:18:00 -0500 To: From: Declan McCullagh <> Subject: FC: Orin Kerr says "encryption in a crime" penalty isn't that bad Copies to: Send reply to:


From: "Orin Kerr" <> To: Date: Wed, 12 Feb 2003 14:47:55 -0600 Subject: for politech, if you like


This is an edited version of a blog posting of mine commenting on the proposed offense, "unlawful use of encryption." The original is here:

Orin _________________________________


Section 404 of the new DOJ anti-terrorism proposal has a section that would create a new federal crime, "unlawful use of encryption." The proposal would allow the government to charge "[a]ny person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony" with a separate felony crime. DOJ argues that this crime is "warranted to deter the use of encryption technology to conceal criminal activity."

Civil libertarians worry that this law will just thump pretty much every computer criminal with an extra five years in prison. Declan McCullagh argues: "When encryption eventually becomes glued into just about every technology we use, from secure Web browsing to encrypted hard drives, the [provision] would have the effect of boosting maximum prison terms for every serious crime by five years. It'll be no different--and no more logical--than a law that says 'breathing air while committing a crime' is its own offense."

I think both sides are a bit off here. DOJ is probably optimistic about the likely good of this proposal, and Declan overstates the harm. If passed into law, I think this crime would probably make little difference in practice, and would be charged only rarely.

Why wouldn't this law make much of a difference? Let's start by considering how law enforcement discovers uses of encryption in criminal cases. The FBI gets legal authority to conduct surveillance of a suspect in a particular case, and when they get the information, they find out it is encrypted. What to do? Decrypting the information by brute force is essentially impossible, so the FBI will either a) locate the key that will allow them to decrypt the information, or b) never be able to decrypt the information and will try to solve the case in another way.

If the FBI cannot find the key, the defendant will not be charged under the "unlawful use of encryption" statute because the government will lack proof: if the government can't decrypt a file, it cannot prove that the file is "incriminating" and that the information it contains "relat[es]" to another felony the defendant is committing. The government can only bring the charge if they have successfully decrypted the communication, which to my knowledge has happened in only two cases (including the Scarfo case).

But what if the government succeeds in decrypting a defendant's files, and finds out that a defendant was in fact encrypting incriminating information relating to a felony? Won't the government be able to add an extra five years in the slammer to that defendant's sentence? It's quite unlikely. First, the proposed statute requires that the government show that the defendant encrypted the incriminating communication "willfully." Although the meaning of "willfully" in federal criminal law is not entirely settled, the word usually means "in knowing violation of the law." In other words, the government must show not only that the defendant knew that he was concealing the information, but that he knew that it was illegal to do so. Even where applicable, this would be extremely hard for the government to prove: criminal defendants have a constitutional right not to testify, which means that the government would have to prove based on the context that the defendant must have known that his use of encryption was criminal. Given that the law only applies to the use of encryption to further federal (not state) crimes that are felonies (not misdemeanors), this would be hard to do.

But let's say a defendant sent an e-mail to the FBI when he encrypted his files, saying: "Dear Mr. FBI Agent, I am hereby encrypting files in furtherance of a federal felony offense, and I realize it is a crime." In that case, the government would be able to prove the defendant encrypted his communications willfully. Wouldn't it add five years to a defendant's sentence then? Not necessarily. The trick is that the "five year" penalty for this proposed crime is only a theoretical maximum penalty: the actual sentence would be imposed under the federal Sentencing Guidelines. (This is true for all federal crimes, actually, and means that you need to be skeptical when you read about people being arrested and facing zillions of years in prison. It's not uncommon for a defendant to be arrested on 10 felony counts each with a maximum of 10 years in prison, and for the defendant to plead guilty and get a sentence of 6 months in prison or even just probation.)

The real question of how the proposed law would impact criminal sentences depends upon how it would be treated under the Sentencing Guidelines. There are no guidelines for this crime, of course (this just being a proposed law, not an actual one), so the actual effect of a conviction under the proposed crime is a matter of speculation. But it's worth noting that the most common approach to grouping related offenses under the guidelines is for the most serious offense to control the sentence. So if I go on a crime spree and commit one serious federal offense along with three minor federal offenses, the offenses normally will be "grouped" and only the most serious offense will actually determine the sentence. The rest of the crimes won't make a difference.

Why does this matter? It matters because the proposed crime is by its nature a dependent crime: a defendant would be guilty of unlawful use of encryption only if he was also guilty of another federal felony crime, and the government could prove that other felony. As a result, if the independent crime is the more serious crime under the guidelines, the "grouping" of the offenses could make the independent crime the key offense under the guidelines. In this case, a conviction for unlawful use of encryption might have no effect whatsoever on the defendant's sentence. (As I said above, though, this is just speculation-- the actual effect would be up to the Sentencing Commission, which would have to figure out how to deal with this new crime if it became law.)

If the law could have so little effect, you may be wondering, why would DOJ propose it in the first place? One possibility is that deterrence can work based on perceptions as much as reality. If people *think* that this law will send them to jail for an extra five years for using encryption to further a serious crime, they might be deterred from using encryption to further criminal activity-- even if the law is unlikely to do that.

Orin S. Kerr Associate Professor George Washington University Law School Washington, DC 20052

---------------------------------------------------------------------- --- POLITECH -- Declan McCullagh's politics and technology mailing list You may redistribute this message freely if you include this notice. To subscribe to Politech: This message is archived at Declan McCullagh's photographs are at ---------------------------------------------------------------------- --- Like Politech? Make a donation here: Recent CNET articles: ---------------------------------------------------------------------- ---

------- End of forwarded message -------