In this, the final instalment in the series, Pauline C. Reich, Professor and Director of the Asia-Pacific Cyberlaw, Cybercrime and Internet Security Research Institute at the Waseda University School of Law in Tokyo, Japan examines the implications of the recent US v. Apple case in terms of disclosure requirements in Asia and across the globe.
Key disclosure laws
These laws, also called “mandatory key disclosure” “require individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.1
A quick review of the laws applying to decryption requests in countries in this region indicated the following:
The Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate’s order the wide-ranging power to require “a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to” access computer data that is “evidential material”; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months imprisonment. Electronic Frontiers Australia calls the provision “alarming” and “contrary to the common law privilege against self-incrimination.”6
The Crimes Act 1914, 3LA(5) “A person commits an offence if the person fails to comply with the order. Penalty for contravention of this subsection: Imprisonment for 2 years.”7
Canada implements key disclosure by broad interpretation of “existing interception, search and seizure and assistance procedures”;10 in a 1998 statement, Cabinet Minister John Manley explained, “warrants and assistance orders also apply to situations where encryption is encountered — to obtain the decrypted material or decryption keys.”11
Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state governments to compel assistance from any “subscriber or intermediary or any person in charge of the computer resource” in decrypting information.16 17 Failure to comply is punishable by up to seven years imprisonment and/or a fine.
New Zealand Customs is seeking power to compel Key disclosure.18
The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,23 requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,24 and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,25 one of whom was sentenced to 13 months’ imprisonment.26
The Fifth Amendment to the United States Constitution protects witnesses from being forced to incriminate themselves, and there is currently no law regarding key disclosure in the United States.27 However, the federal case In re Boucher may be influential as case law. In this case, a man’s laptop was inspected by customs agents and child pornography was discovered. The device was seized and powered-down, at which point disk encryption technology made the evidence unavailable. The judge held that it was a foregone conclusion that the content exists since it had already been seen by the customs agents, Boucher’s encryption password “adds little or nothing to the sum total of the Government’s information about the existence and location of files that may contain incriminating information.”28 29
In another case, a district court judge ordered a Colorado woman to decrypt her laptop so prosecutors can use the files against her in a criminal case: “I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled on January 23, 2012.30 In Commonwealth v. Gelfgatt,31 the court ordered a suspect to decrypt his computer, citing exception to Fifth Amendment can be invoked because “an act of production does not involve testimonial communication where the facts conveyed already are known to the government…”.32
However, in United States v. Doe, the United States Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one’s laptop violates the Fifth Amendment.33 34
The Federal Bureau of Investigation may also issue national security letters that require the disclosure of keys for investigative purposes.35 One company, Lavabit, chose to shut down rather than surrender its master private keys.
Since the summer of 2015, cases were fought between major tech companies such as Apple over the regulation of encryption with government agencies asking for access to private encrypted information for law enforcement purposes. A technical report was written and published by MIT Computer Science and Artificial Intelligence Laboratory, where Ronald Rivest, an inventor of RSA, and Harold Abelson, a computer science professor at MIT with others, explain the technical difficulties, including security issues that arise from the regulation of encryption or by making a key available to a third party for purposes of decrypting any possible encrypted information. The report lists scenarios and raises questions for policy makers. It also asks for more technical details if the request for regulating encryption is to be pursued further.36
A brief interview conducted by the author with a law professor from Australia in June 2016 indicated that Australia will hold defendants indefinitely if they do not provide access to encrypted devices/data. A Japanese law school dean interviewed on the same occasion indicated that Japanese criminal law does not address such access in similar mandatory manner. Although Japanese law appears more voluntary in tone, there are, however, prison sentences and fines for non-cooperation with law enforcement, according to the dean.