The Canadian Association of Chiefs of Police recently passed a resolution that “urges the Government of Canada, for the purpose of community safety, to identify a legislative means for public safety agencies inclusive of law enforcement, through judicial authorization, to compel the holder of an encryption key or password to reveal it to law enforcement.”
On the surface, it is easy to understand. Police are used to searching and seizing paper documents. Search warrants grant them the power, when necessary, to forcibly enter and search the location specified on the warrant. While it is unlawful for the owner or occupant of property being searched to resist police, they are under no obligation to assist. If documents police desire are inside a safe, police may have to forcibly open it.
In the cyber world, police encounter virtual safes they cannot open. One of the only privacy controls governments cannot defeat is properly implemented strong cryptography. Legislation will not change this.
In Canada, criminal defendants have the right to remain silent. They cannot be compelled to answer questions by police or testify in court. In practice, some police forces even read caution statements to witnesses. Any good lawyer will advise them not to answer any questions.
Computers and mobile devices contain vast amounts of personal information. With so many laws and jurisdictions, it is possible that searching the files, photographs, and emails of any person could result in evidence of some offence. It seems highly unlikely that the government could craft legislation to force disclosure of passwords and encryption keys to the police without running afoul of constitutional rights.
If such legislation is enacted, it could likely be thwarted by three simple words: “I don’t recall.” Assuming criminal sanctions are attached to refusing to divulge a password, it would be necessary for the Crown to prove intent. (Reverse onus offences in Canadian criminal law have generally been struck down as unconstitutional.) It would be virtually impossible for the Crown to prove, in the face of stress created by police and a court order, that a person didn’t simply forget their password. As any help desk can attest, it happens all the time.
If the federal government is misguided enough to pass this type of legislation, it can also be rendered ineffective by technical controls. Some products already contain duress password functionality that erases data when entered. Properly implemented, it is not possible to prove that a duress password was used.
Remotely approved passwords are another technical option. Instead of using a password to unlock a decryption key on the local device, a remote server could be required. Law enforcement may face a scenario in which it is not possible to unlock a device off-line, even with the correct password. A remote server could supply part of the decryption key. The owner of the device, or another person, could instruct the server to delete the key prior to the law enforcement request. Alternatively, once placed on-line, existing remote locking and wiping features could be invoked, rendering the device inaccessible.
Cryptographic implementations that require multiple users to unlock a key already exist. It is not difficult to implement a data encryption scheme that requires three of five people to connect remotely to a server, perhaps via Tor, to enable the decryption process. If police seize the server, they would also have to identify and simultaneously serve password disclosure orders on all the key holders to prevent the key material from being permanently deleted. They stand little chance of success.
Legislation sought by the police will have negligible impact on terrorists, cybercriminals, or anyone capable of saying, “I don’t recall.” It could be used to bully those who cannot afford legal representation and appeals into allowing police to rifle through their digital lives at an unprecedented level.
Police have a difficult job to do, but they must invest in training and developing better investigative techniques rather than asking parliament for ineffective intrusive powers.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org