In this, the final instalment in the series, Pauline C. Reich, Professor and Director of the Asia-Pacific Cyberlaw, Cybercrime and Internet Security Research Institute at the Waseda University School of Law in Tokyo, Japan, examines the implications of the recent US v. Apple case in terms of disclosure requirements in Asia and across the globe.
Key disclosure laws
These laws, also called “mandatory key disclosure,” “require individuals to surrender cryptographic keys to law enforcement. The purpose is to allow access to material for confiscation or digital forensics purposes and use it either as evidence in a court of law or to enforce national security interests. Similarly, mandatory decryption laws force owners of encrypted data to supply decrypted data to law enforcement.”1
A quick review of the laws applying to decryption requests in countries in this region indicated the following:
In Australia, the Cybercrime Act 2001 No. 161, Items 12 and 28 grant police with a magistrate’s order the wide-ranging power to require “a specified person to provide any information or assistance that is reasonable and necessary to allow the officer to” access computer data that is “evidential material”; this is understood to include mandatory decryption. Failing to comply carries a penalty of 6 months’ imprisonment. Electronic Frontiers Australia calls the provision “alarming” and “contrary to the common law privilege against self-incrimination.”6
Australia’s Crimes Act 1914, section 3LA(5), provides: “A person commits an offence if the person fails to comply with the order. Penalty for contravention of this subsection: Imprisonment for 2 years.”7
Canada implements key disclosure by broad interpretation of “existing interception, search and seizure and assistance procedures”;10 in a 1998 statement, Cabinet Minister John Manley explained, “warrants and assistance orders also apply to situations where encryption is encountered — to obtain the decrypted material or decryption keys.”11
In India, Section 69 of the Information Technology Act, as amended by the Information Technology (Amendment) Act, 2008, empowers the central and state governments to compel assistance from any “subscriber or intermediary or any person in charge of the computer resource” in decrypting information.16 17 Failure to comply is punishable by up to seven years’ imprisonment and/or a fine.
New Zealand Customs is seeking the power to compel key disclosure.18
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,23 requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,24 and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,25 one of whom was sentenced to 13 months’ imprisonment.26
The Fifth Amendment to the United States Constitution protects witnesses from being forced to incriminate themselves, and there is currently no law regarding key disclosure in the United States.27 However, the federal case In re Boucher may be influential as case law. In this case, a man’s laptop was inspected by customs agents and child pornography was discovered. The device was seized and powered down, at which point disk encryption technology made the evidence unavailable. The judge held that it was a foregone conclusion that the content exists, since it had already been seen by the customs agents; Boucher’s encryption password “adds little or nothing to the sum total of the Government’s information about the existence and location of files that may contain incriminating information.”28 29
In another case, a district court judge ordered a Colorado woman to decrypt her laptop so that prosecutors could use the files against her in a criminal case: “I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled on January 23, 2012.30 In Commonwealth v. Gelfgatt,31 the court ordered a suspect to decrypt his computer, reasoning that an exception to the Fifth Amendment can be invoked because “an act of production does not involve testimonial communication where the facts conveyed already are known to the government…”.32
However, in United States v. Doe, the United States Court of Appeals for the Eleventh Circuit ruled on 24 February 2012 that forcing the decryption of one’s laptop violates the Fifth Amendment.33 34
The Federal Bureau of Investigation may also issue national security letters that require the disclosure of keys for investigative purposes.35 One company, Lavabit, chose to shut down rather than surrender its master private keys.
Since the summer of 2015, cases have been fought between major tech companies such as Apple and government agencies over the regulation of encryption, with the agencies asking for access to private encrypted information for law enforcement purposes. A technical report was written and published by the MIT Computer Science and Artificial Intelligence Laboratory, in which Ronald Rivest, an inventor of RSA, Harold Abelson, a computer science professor at MIT, and others explain the technical difficulties, including the security issues, that arise from the regulation of encryption or from making a key available to a third party for purposes of decrypting any possible encrypted information. The report lists scenarios and raises questions for policy makers. It also asks for more technical details if the request for regulating encryption is to be pursued further.36
A brief interview conducted by the author with a law professor from Australia in June 2016 indicated that Australia will hold defendants indefinitely if they do not provide access to encrypted devices/data. A Japanese law school dean interviewed on the same occasion indicated that Japanese criminal law does not address such access in a similarly mandatory manner. Although Japanese law appears more voluntary in tone, there are, however, prison sentences and fines for non-cooperation with law enforcement, according to the dean.
A temporary response?
A recent, long-awaited decision came from the Second Circuit Court of Appeals in the United States in the Microsoft Ireland case.2 In that case, US law enforcement was trying to obtain data related to a US criminal case held on a Microsoft server in Ireland. The Court of Appeals decision held in favor of Microsoft; however, it is possible that the US government will appeal the decision and there will not yet be closure on the cross-border access issue.
In addition, outside of the court context, we are hearing calls in the United States for the updating and amendment of the various Internet-related laws to clarify what can and cannot be done by law enforcement in relation to a search in a criminal case.3
The Microsoft Ireland case is significant in a number of ways for countries in this region. First of all, for now they will have some insight into when and how US law enforcement will and will not be able to enforce a warrant for data on servers maintained outside the United States. This may be informative for counsel to multinational corporations that are or are not members of the Council of Europe Cybercrime Convention. Secondly, for those countries that are formulating their own laws and policies, this case and the various Apple cases may be partially instructive, although it is important to look at the Apple cases on the basis of the facts of each of the cases, e.g. what was Apple expected to do to unlock a newer or older version of the iPhone (or what might another company be expected to do to enable access to its device, as we have noted in the BlackBerry negotiations with various governments and those outcomes). Third, we must note that the US government and the courts have stepped back from one of these conundrums: the Bakersfield Apple case became moot4 when the government found a different provider of a technological means to crack the iPhone of the deceased alleged perpetrator, which was actually a phone provided by his employer. (Perhaps this may be a lesson for employers as well, i.e. that they put the password into phones they provide for employees – but then again, the employees may be able to change the passwords once they are in possession of the employer’s device). The Microsoft Ireland case was reversed and remanded to the lower federal court and the warrant for Microsoft to produce the data has been quashed. That could change if there is an appeal to the U.S. Supreme Court.
Other countries will need to consider what domestic legislation to adopt to address similar situations that may arise in their own jurisdictions related to law enforcement access to data and devices, privacy and human rights statutes. The law is evolving, courts do not agree on standards, and legislatures are in a quandary about legislation. We are living in challenging times.
1 Wikipedia, “Key disclosure law”, https://en.wikipedia.org/wiki/Key_disclosure_law , last modified July 11, 2016
2 In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, Microsoft Corporation v. United States of America, U.S. Court of Appeals for the Second Circuit, Docket No. 14-2985, July 14, 2016, https://files.wordpress.com/2016/07/14_2985_complete_opn.pdf. See also Brad Smith, “Our search warrant case: An important decision for people everywhere,” Blog, Microsoft on the Issues, July 14, 2016, http://blogs.microsoft.com/on-the-issues/2016/07/14/search-warrant-case-important-decision-people-everywhere#sm.00001wsk8jfcooefwyzouxvupqscc
3 See Jonathan Stempel, “Microsoft wins landmark appeal over seizure of foreign emails,” Reuters, July 14, 2016, http://mobile.retuers.com/article/idUSKCN0ZU1RJ; see Jennifer Granick, “The Microsoft Ireland Case and the Future of Digital Privacy,” JustSecurity.org, July 18, 2016, https://www.justsecurity.org/32076/microsoft-ireland-case-future-digital-privacy/ ; Orin Kerr, “How does the Cybersecurity Act of 2015 change the Internet surveillance laws?” Washington Post, 12/24/2015, https://www.washigtonpost.com/news/volokh-conspiracy/wp/2015/12/24/how-does-the-cybersecurity-act-of-2015-change-the-internet-surveillance-laws?htm_term… See also new legislation that has been passed and calls for amendment of existing laws such as the ECPA and the DMCA. The Cybersecurity Act of 2015 (P.L. 114-113) was passed and became effective on December 18, 2015 and will remain in effect until September 30, 2025. It calls for voluntary sharing of cyber threat information by the government and the private sector and is to “protect individuals’ privacy rights by ensuring that personal information is not unnecessarily divulged”; however, “Privacy advocates counter that the new law authorizes and enables broader surveillance by the federal government and provides weak privacy protections”. “U.S. Enacts Cybersecurity Information Sharing Legislation”, Special Report, January 6, 2016, http://m.isaca.org/cyber/pages/cybersecuritylegislation.aspx?utm_ref…
4 David Bisson, “A Timeline of the Apple-FBI iPhone Controversy (Updated 3/29/16),” http://www.tripwire.com/state-of-security/government/a-tieline-of-the-apple-fbi-iphone-controversy/