Encryption and Privacy

The encryption tug-of-war between technology interests and law enforcement is nothing new.  Below is an article published at the Computers, Freedom and Privacy Conference at MIT in 1996 by Christine Axsmith.  It was a mock legal debate about a mock law:  "The Cryptography Control Act."

"The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without
understanding." Olmstead v. United States, 277 US 438 (1928) (dissent, J. Brandeis). Sadly, today American
jurisprudence faces the same zeal and misunderstanding as it did during the Prohibition years when Justice
Brandeis wrestled with the telephone and privacy. This court is faced with a statute which handles new
technologies in a manner frighteningly unaware of the basic principles of privacy guaranteed under the
Constitution, as elucidated by the Supreme Court. The majority sanctions the wholesale abridgment of the
necessary and supporting right of association that accompanies the First Amendment, the reasonable
expectation of privacy in the Fourth Amendment, and the privacy rights in the Ninth Amendment. New
technologies do not mandate a new constitution, or an erosion of the one currently in place. The
unconstitutional part of this statute cannot be separated from the rest of the statute; and therefore, the entire
statute is unconstitutional, and the conviction under the statute should be reversed.

The defendant was convicted by a lower court of a violation of the Cryptography Control Act in that he
communicated electronically over a wire using encryption for which the US government did not have a key.
The registering of a key in excess of 64 bits with an Authorized Key Escrow Agency is mandated by the
Cryptography Control Act. While the defendant was convicted of section 10 (b) of this statute, this dissent
will address the statute as a whole since its unconstitutionality is encompassed throughout its provisions.

A. First Amendment - Overbreadth

The statute in question does serve some governmental purpose of facilitating the fighting of crime; but it is
achieved by means which sweep unnecessarily broadly and invade First Amendment protected speech. The
statute does this by including every person in the United States within its scope, whether a criminal or not. A
chilling effect on protected speech results.

The doctrine of overbreadth was relied upon in NAACP v Alabama ex rel. Patterson, 357 U.S. 449 1958),
stating "a government purpose to control or prevent activities constitutionally subject to regulation may not
be achieved by means which sweep unnecessarily broadly and thereby invade the area of protected
freedoms." Using that reasoning, the Supreme Court invalidated an Alabama law that required the NAACP,
as an organization applying for a license to operate in Alabama, to submit a list of its members. The NAACP
protested, claiming that doing so would subject it members to harassment. The Supreme Court found that the
freedom of association of the NAACP members in Alabama would be infringed upon if the state of Alabama
could demand a membership list. The right of association is tied to the First Amendment's right to free
speech, applied to the state through the Fourteenth Amendment, and the Court found for the NAACP. The
general rule in constitutional interpretation is that parties before the court may only assert their own rights.
However, the Supreme Court has fashioned an exception to that rule in the area of First Amendment
overbreadth, where a party before the court is permitted to claim that a statute is overbroad because it
infringes upon the rights of a party not before the court.

The defendant in the case before the court today seeks to invalidate the statute under which he was convicted
on First Amendment grounds. Facial invalidation of a statute requires "substantial overbreadth." Broadrick v.
Oklahoma, 413 US 601 (1973). If the overbreadth is substantial, then the law cannot be enforced against
anyone, including the party before the court, until it is narrowed to reach only unprotected activity. Brockett
v. Spokane Arcades, 472 US 491 (1985).

Later cases narrowed the application of the overbreadth doctrine where conduct rather than pure speech was
at issue. Here, the constitutional standards for pure speech are appropriate. Pure speech was regulated
because the contents of the file encrypted were pure speech and that is the item which resulted in the criminal
conviction. The argument that the act of encrypting constituted "conduct" that the statute regulated is invalid
because encrypting is not against the statute. It is the failure to file the key with a government agent that is the
source of illegality in the The Cryptography Control Act under sections 10 (a) through 10 (d). Therefore, the
harsher over breadth standard for statutes regulating "pure speech" should apply.

In the case before the court today, the stated legitimate government purpose of the statute is fighting crime,
but that does not mean any measure which would further that goal is acceptable. Two way televisions in
every room in the United States, with each move monitored and recorded, would also do a great deal to
prevent crime in America and aid in law enforcement. Unfortunately for those who would seek such a future
for the United States, there are constitutional limits to some crime fighting measures. In this case, one of the
limits is the First Amendment. While advancing in some manner the legitimate government interest of
fighting crime, legal and protected speech is included, making the sweep of the statute too broad for

I have already determined that the First Amendment overbreadth standard for pure speech will apply.
However, even using the standard for First Amendment expressive conduct, the statute before the court fails
the overbreadth test. In Frisby v. Schultz, the Supreme Court looked at the factors of ample alternative means
of communication, content neutrality, and the scope of the statute. The statute, though content neutral, is
overbroad in its scope and no other ample alternative means of communication are available (Frisby v.
Schultz, 487 US 474 (1988)) on par with electronic communication. A legitimate interest in regulating
conduct relating to crime prevention and detection certainly exists. The statute before the court today does,
arguably, achieve this end. However, in doing so, its scope incorporates all speech, not merely speech for
which purpose the statute was drafted. In terms of whom the statute is applicable to, it fails in that its scope is
so large it includes every human being that could be kidnapped and dragged onto United States soil.
Additionally, other alternative channels of communication do not exist. Where else could a person post a
message that could very conceivably be read by thousands of people worldwide, and where else could ideas
be spread so quickly as electronic communications and other similar means yet to be invented? Where else
could there be such a diversity of input, or exchange of ideas? Nowhere else.

The government claims that the statute only continues the current abilities of the government to monitor
conversations. The dissent disagrees. The legislature mentions that methods historically used for law
enforcement and national security purposes will no longer be available with the advent of stronger encryption
capabilities in private hands. It claims that advances in encryption pose a serious threat to that continued
ability. Advances in the technology of communication, including encryption, do pose an obstacle to law
enforcement. However, the U.S. constitution was not drafted to aid in law enforcement or to cement the
national security powers of particular government agencies. Other methods are at their disposal to investigate
crimes and assure the national defense.

Once the government acquires the key to decrypt information, everything encrypted with that key is readable.
This is a heavy tool to place in law enforcement's hands. Under this statute, all electronic communications
must be readable to the government. Comparisons to current wire tap laws are wrong because the scope of
information is broader and will expand. In the future, America's lifeline will be on-line. Business and
economics will be vastly impacted by connections to the Internet and various electronic communications yet
to be conceived. Business processes will be as tied to electronic communication tomorrow as it is today to the
telephone and the credit card. This is a larger category of information than mere phone conversations. The
current statute does not merely continue the status quo; it tries to force telephone analogies on a medium of
expression where it does not apply. The rule this court is setting down for future technology is a piteous line
for freedom of speech. In the marketplace of ideas, the truth will flourish against competition, or so our
founding fathers believed. "We are not afraid to follow truth wherever it may lead, nor to tolerate any error so
long as reason is left free to combat it," wrote Thomas Jefferson. Where every stored and transmitted
communication must be made in a manner that is conveniently decoded, speech critical of the government or
its policies will naturally be chilled for fear of reprisal.

The crucial factor is the interplay of speech and thought that formulates the speech. The Supreme Court has
recognized the importance of uninhibited, robust, and wide-open debate on public issues, see New York
Times v. Sullivan, 376 US 254, 270 (1964), previously in interpreting the First Amendment. Such debate
challenges citizens' minds to explore ideas previously unthought. That basis for understanding the rights
guaranteed by the constitution has not changed. In order to decide whether the overbreadth doctrine applies to
a particular case, we have weighed the likelihood that the statute's very existence will inhibit free expression.
City of Los Angeles v. Taxpayers for Vincent, 466 US 789 (1984). This statute chills protected speech and
causes those under its broad sweep (i.e., all U.S. citizens and permanent resident aliens) to glance warily over
their shoulder before even beginning to type.

Absent evidence that most US citizens and permanent resident aliens are criminals, there is no reasonable or
justifiable basis to include all of them within the parameters of this statute. The statute includes protected
speech in its overly broad sweep attempt to fight crime.

Construing the statute as narrowly as possible would still apply it to everyone in the United States.
If the unconstitutional part of a statute can be severed from the constitutional part of the statute, a court
should partially invalidate the statute Allen v. Louisiana, 103 US 80 (1881). Severing the unconstitutional
section from the main body of the statute is not feasible, its unconstitutionality is its essence.
Therefore, the statute as a whole is invalid under the First Amendment overbreadth doctrine and the
conviction should be overturned.

B. Fourth Amendment - Reasonable Expectation of Privacy

The appellant claims that his Fourth Amendment rights were violated by his arrest and conviction under the
Cryptography Control Act. The dissent agrees.

The Fourth Amendment states "the right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue but upon
probable cause, supported by oath or affirmation, and particularity describing the place to be searched, and
the persons or things to be seized." The Supreme Court has interpreted the Fourth Amendment to include a
reasonable expectation of privacy in certain areas. Initially, that expectation of privacy extended to physical
places only. Olmstead v. United States, 277 US 438 (1928). That changed with the seminal case Katz v.
United States, 389 US 343 (1967).

In Katz, a man had made a phone call from a pay phone booth and a bug was placed on the outside of the
booth without a warrant on the wire carrying the voice communication. In a reversal of its previous stance on
the Fourth Amendment search and seizure rulings, the Court wrote, "The Fourth Amendment protects people,
not places, against unreasonable searches and seizures." The Court found that intercepting the call was a
search in violation of the defendant's Fourth Amendment rights since no warrant was issued authorizing the
search. In that case, the Supreme Court chose not to ignore the vital role that new technology, the public
telephone, had come to play in private communication. Bypassing a neutral predetermination of the scope of
a search leaves individuals secure from Fourth Amendment violations "only in the discretion of the police."
Katz, at 358.

In the case before the court, a reasonable expectation of privacy was present in the information because of the
act of encryption. Electronic information is so easily transferable, and there is diminished assurance that there
is protection adequate to prevent an unauthorized access to the communication without it. Encryption is a
specific action taken to ensure that the communication is not read by those not possessing a key to decrypt.
Taking this active measure to prevent non-key holders from reading this information guarantees a reasonable
expectation of privacy in that information. This opinion does not mean to imply a reasonable expectation of
privacy exists only where electronic information has been encrypted. Fourth Amendment privacy for
unencrypted electronic information is not the issue before the court in this case.

Having established that a reasonable expectation of privacy exists for information that has been encrypted,
who has the right to assert a reasonable expectation of privacy? Granting limitless extensions of the
reasonable expectation of privacy for encrypted information would necessarily lead to illogical results. For
example, a hacker could conceivably encrypt the information of a computer she had broken into and then
claim a reasonable expectation of privacy in the information. There is no need to sanction such logical
extremes. A possessory interest must be present in the medium of storage upon which the encrypted
information is stored at the time of encryption before a reasonable expectation of privacy under the Fourth
Amendment attaches. "Possessory" is meant in a very loose sense. A user of an Internet provider would have
a possessory interest in any encrypted information stored on the provider's machine, and an Internet user that
sent an encrypted file over the Internet would retain her reasonable expectation of privacy because of the
possessory interest of the medium of storage when the information was encrypted. It includes any computer
to which a user has authorized access.

Here, the defendant owned the information and the medium upon which it was stored when encrypted and
had a reasonable expectation of privacy. The next question is: does requiring the key to be given to the US
government violate the defendant's reasonable expectation of privacy under the Fourth Amendment? Yes.
The Cryptography Control Act permits the Department of Justice and other law enforcement and intelligence
agencies to reach back in time to prepare their search from a time prior to the establishment of probable
cause. The search begins with the registering of the key. Since the statute reviewed by this court requires that
a key be registered for potential future use by the US government at a later date, there is a violation of the
defendant's reasonable expectation of privacy because the requirement is in place prior to the establishment
of probable cause.

There is also some issue as to the sufficiency of particularity that is required of a warrant. In this type of
technology, under the current legislation, there is no requirement to change keys at all. So if a user would
obey the statute and register her key and then never change it, any warrant issued to decrypt would include all
information that ever was encrypted by that key, which may be broader than what is permissible by warrant.
The court is not unaware that a warrant could just as well issue for everything ever written by someone and
all paper records they have in their possession. However, in the current statutory scheme, no mechanism is in
place that would provide for a warrant requirement for less than everything ever encrypted by a user, should
that user decide never to change their key. Also for that reason, the statute before the court today is
unconstitutional under the Fourth Amendment. Not every warrant issued under its guise would be assured of
the same high standards of particularity, and the push would be to expand the scope of the warrant in the
instances where the combination of a long-standing key and the requirements for a warrant intersect.
In addition to the unconstitutionality of the statute for the other reasons outlined in this opinion, the statute is
unconstitutional under the Fourth Amendment in the process it establishes to retrieve the encrypted
information, and also in that it requires the forfeit of an encryption key prior to the establishment of probable

D. Ninth Amendment - Right to Privacy

The Ninth Amendment states, "The enumeration in the Constitution of certain rights shall not be construed to
deny or disparage others retained by the people." The amendment reserves to the people rights not
specifically mentioned in the previous amendments and was passed for fear that the listing of rights might
lead to the interpretation that the listed rights are the only guaranteed ones. The Cryptography Control Act
fails to pass this constitutional hurdle as well.

In ben Shalom v. Secretary of the Army, 489 F.Supp. 964 (1980) the federal court wrote, 'If what the United
States Supreme Court itself has termed the right of "personal privacy" means anything, it should safely
encompass an individual's right to be free from unwarranted governmental intrusion into matters so
fundamentally affecting a person as one's personality, self-image, and indeed, one's very own identity.'
The regulation in ben Shalom and the statute before the court today both chill the freedom of association.
Association is part of a process by which the formulation of First Amendment protected speech is made. The
Ninth Amendment protects the privacy of one's personality, while the First Amendment protects
manifestations of that personality. See ben Shalom, 489 F.964 at 976.

In Olmstead, Griswold, and Wade, the Supreme Court recognized that the Constitution protects fundamental
liberties, in addition to those enumerated in the Bill of Rights. In Griswold, the fundamental right was the
right of marital privacy, where a couple was arrested for purchasing birth control. In Wade, the Court
recognized the decision to have an abortion as one of those rights.

The majority would exclude from this list the right to communicate free of guaranteed governmental
oversight. The Cryptography Control Act seeks to reserve a right to the government, that of the ability to be
able to eavesdrop on all electronic communications. The Ninth Amendment states the reverse.
For that reason, the Cryptography Control Act is also unconstitutional under the Ninth Amendment.

E. Conclusion

The Cryptography Control Act is constitutionally invalid under the First, Fourth, and Ninth Amendments to
the US Constitution. The majority adopts the notion that electronic communications have evolved into
nothing more than a variation of speaking on the phone, ignoring reality quite like the Olmstead majority did
over sixty years ago. Only a studied attempt could achieve this result.
The depth of electronic communications in its imagery, widespread reach, and sheer communication to a
large number of people refute any telephone analogies. The founders of this country wrote the Constitution as
a living document to adapt with time and events, not as an encrusted one with outmoded definitions sufficient
only to strangle the freedoms once enjoyed. The statute before this court solidifies the erosion of personal
freedoms in the name of "security." Too soon there will be no real security in what was once the birthright of
every U.S. citizen: freedom.

No comments: