Crypto and Self-Incrimination FAQ

Version 1.1 - 13 August 1999

© 1999 Bert-Jaap Koops

This is work in progress. Some questions are not yet answered, but hopefully they will be in due time. If you can provide answers, or elaborate on or update my answers, I would appreciate it.

Contents

0. About this FAQ
1. General
2. The privilege against self-incrimination
3. Legal issues
4. Technical and practical issues
5. More information


0. About this FAQ
0.1. What is a FAQ?
0.2. Is this legal advice?
0.3. What sources did you use?
0.4. Where do I send questions or suggestions about this FAQ?

1. General
1.1. What's the problem?
1.2. What is cryptography?
1.3. What is self-incrimination?

2. The privilege against self-incrimination
2.1. What is the privilege against self-incrimination?
2.2. Where in the law do I find the privilege?
2.3. How is the privilege defined in the US?
2.4. What are the major cases in the US?
2.5. How is the privilege defined in the UK?
2.6. What are the major cases in the UK?
2.7. How is the privilege defined in the Netherlands?
2.8. What are the major cases in the Netherlands?
2.9. How is the privilege defined in European law?
2.10. What are the major cases in European law?
2.11. What exceptions to the privilege are allowed?
2.12. What is the rationale behind the privilege?

3. Legal issues
3.1. Does the police have the right to demand my key?
3.2. When can I invoke the privilege against self-incrimination?
3.3. When and how can the police ask someone to decrypt in the US?
3.4. When and how can the police ask someone to decrypt in the UK?
3.5. When and how can the police ask someone to decrypt in the Netherlands?
3.6. What happens if I refuse a decryption command?
3.7. Who has the burden of proof?
3.8. Does mandatory LEAK infringe the privilege against self-incrimination?
3.9. Which countries require suspects to decrypt under legal warrant?
3.10. Does a crypto key resemble a strongbox key or a safe combination?

4. Technical and practical issues
4.1. Is there a difference between handing over keys or plaintext?
4.2. Is it technically feasible to comply with a demand to decrypt?
4.3. What technologies can criminals use to prevent the police asking them to decrypt?
4.4. Can I use a "duress code"?
4.5. "But I forgot the password!"
4.6. "But these are just random data!"

5. More information
5.1. Where do I find offline information on the subject?
5.2. Where do I find online information on the subject?
5.3. Where do I find related information?


0. About this FAQ

0.1. What is a FAQ?

FAQ is short for Frequently Asked Questions. The Internet developed the FAQ as a means of opening up information on a particular subject. Besides questions, a FAQ of course also contains answers. Through the Table of contents, it is easy to find an answer to a particular question. Also, by reading through a section of the FAQ, you can improve your general knowledge of the subject.



0.2. Is this legal advice?

No, it is not. I work at the law faculty of Tilburg University and have researched this issue rather extensively, but the answers in this FAQ are my own opinion, which is not always substantiated by (case) law.


0.3. What sources did you use?

I mainly relied on case law in the Netherlands, the US, and by the European Court of Human Rights. I used general literature on the privilege against self-incrimination, and the only article I know of on this subject, by Greg Sergienko (see 5.2).


0.4. Where do I send questions or suggestions about this FAQ?

To: "Bert-Jaap Koops" <E.J.Koops@kub.nl>. Please mention "self-incrimination FAQ" in the subject field.



1. General

1.1. What's the problem?

Cryptography provides confidentiality of data (text, speech, images). If a suspect communicates using encryption, the police cannot interpret the wiretaps when they are eavesdropping. Also, if a suspect uses encryption to safeguard files on his computer, a computer search by the police will not yield evidence. So, the police will want to get the crypto key to decrypt the wiretaps or stored data. They can ask the suspect to decrypt, but in many cases that would mean asking the suspect to contribute to his own conviction. Therefore, the privilege against self-incrimination prevents the police from demanding decryption (or prevents the suspect from having to comply). This FAQ addresses the question of to what extent the police can ask suspects to decrypt.


1.2. What is cryptography?

Cryptography (secret writing), or crypto for short, is a means to hide data from unauthorized people. Since the 1970s, robust and reliable automated crypto systems provide efficient and generally uncrackable protection of communications and stored data. Since the mid-1990s, crypto programs have become more user-friendly and more widespread (see a recent survey); you can download several programs from the Internet (within the limits of export controls).

To encrypt data, you need a crypto program and a key. For decrypting the data, you need the decryption key, which is the same as the encryption key in "symmetric cryptography" (such as DES and IDEA), or a different one in "asymmetric" or "public-key" cryptography (such as RSA and PGP). The decryption key (which is indeed key to keeping the data secret) must be kept secret, and is generally stored safely on a diskette or a hard disk, protected by a password (or, better still, a passphrase).

For more information about cryptography, see RSA's Cryptography FAQ, the PGP FAQ, a large list of websites, or handbooks such as Bruce Schneier's Applied Cryptography or Menezes, van Oorschot, and Vanstone's Applied Cryptography.


1.3. What is self-incrimination?

Self-incrimination is (not) doing or saying something by which you provide evidence that you committed a crime. For instance: saying where you were on the night of the murder, taking a breathalyzer test which shows that you were driving dead drunk, or failing to explain how you could afford to buy that lovely Van Gogh.



2. The privilege against self-incrimination

2.1. What is the privilege against self-incrimination?

The privilege against self-incrimination is a fundamental legal principle that is part of the right to a fair trial. It says that a suspect cannot be forced to incriminate himself or to yield evidence against himself. The privilege is recognized in most countries, either explicitly in the constitution or implicitly through case law (see 2.2). However, it is not absolute, as several exceptions have been accepted by legislators and courts (see 2.11).

The definition of the persons who can invoke the privilege may differ from country to country. In the European Convention of Human Rights, the privilege (and, more generally, the right to a fair trial of article 6) applies to people facing a "criminal charge". In the Netherlands, the privilege holds (or may hold) for suspects, which means that there must be circumstances which suggest a reasonable suspicion that someone is guilty of a crime. These definitions are not identical: someone can be a suspect without there being a criminal charge in the sense of article 6 of the European Convention. Note that the privilege applies to criminal cases only: if public authorities investigate under administrative rather than criminal law, the rights of the target of investigation can be radically different and generally do not include a privilege against self-incrimination (although, to make things yet more complex, the European Court may view certain administrative procedures as a criminal charge).


2.2. Where in the law do I find the privilege?

The privilege against self-incrimination is defined in the International Covenant on Civil and Political Rights (ICCPR), in article 14 paragraph 3 sub g: everyone charged with a criminal offence has the right not to be compelled to testify against himself or to confess guilt. In the US, the Fifth Amendment contains the privilege (see 2.3). Other countries do not have an explicit definition of the privilege, but have developed it through case law interpreting the right to a fair trial (see 2.7 (Netherlands) and 2.9 (European Convention)).


2.3. How is the privilege defined in the US?

The Fifth Amendment of the Bill of Rights reads: "No person (...) shall be compelled in any criminal case to be a witness against himself". The Supreme Court has restricted this to giving evidence "of a testimonial or communicative nature".


2.4. What are the major cases in the US?


2.5. How is the privilege defined in the UK?


2.6. What are the major cases in the UK?


2.7. How is the privilege defined in the Netherlands?

There is no general definition of the privilege against self-incrimination in Dutch law. The Constitution and the Dutch Code of Criminal Procedure (DCCP) do not mention it. The DCCP does contain several articles that reflect the privilege; for instance, a command to hand over goods or a command to provide access to a protected computer cannot be given to a suspect (art. 107 and art. 125m paragraph 1 DCCP).

The Dutch Supreme Court has generally said that "it would ill be in keeping with the spirit of the DCCP" if "the suspect would be compelled to contribute to his own conviction under threat of punishment" (HR 16 January 1928, NJ 1928 p. 233), but also inclines to the opinion that "there is no unconditional right or principle that a suspect can not in any way be obliged to cooperate in the obtaining of possibly incriminating evidence" (HR 15 February 1977, NJ 1977, 557 m.nt. GEM).


2.8. What are the major cases in the Netherlands?


2.9. How is the privilege defined in European law?

The privilege against self-incrimination is not explicitly mentioned in the European Convention for the Protection of Human Rights, but the European Court of Human Rights has interpreted it as being part of article 6 sub 1, the right to a fair trial. This incorporates "the right of anyone 'charged with a criminal offence', within the autonomous meaning of this expression in Art. 6, to remain silent and not to contribute to incriminating himself" [Funke, see 2.10].

The "autonomous meaning" of the term "criminal charge" means that the European Court does not only look at the classification of the alleged offence in a nation's law (criminal or otherwise), but also at the nature of the offence and the nature of the penalty threatened.


2.10. What are the major cases in European law?

A related case, on the presumption of innocence and the right to remain silent, is


2.11. What exceptions to the privilege are allowed?

Although the privilege against self-incrimination is usually defined quite broadly ("not contribute to incriminating oneself"), the scope of the privilege is limited. Both in the US and in Europe, the privilege by and large only protects against the compelled rendering of testimonial evidence, meaning a suspect's act or statement which in some way involves the use of his mind.

According to the European Court, the privilege "is primarily concerned, however, with respecting the will of an accused person to remain silent. (...) it does not extend to the use in criminal proceedings of material which may be obtained from the accused through the use of compulsory powers but which has an existence independent of the will of the suspect such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing." (Saunders, see 2.10).

The US Supreme Court, in Schmerber (see 2.4), ruled that the privilege against self-incrimination only protects evidence of a testimonial or communicative nature (which, in that ruling, excluded furnishing a blood sample). Under some circumstances, handing over documents can be privileged, if the act of providing them is testimonial (in that the suspect admits having them) (Fisher, Doe I, see 2.4).


2.12. What is the rationale behind the privilege?

Opinions differ.
  1. Humanity: it is inhumane to force someone to contribute to his own misfortune.
  2. Autonomy: a suspect is free to choose an attitude in criminal proceedings, he can decide whether he wants to cooperate or not.
  3. Reliability: evidence must be reliable.
  4. Prohibition of pressure: the privilege is a safeguard against the police using (too much) pressure to force a suspect to cooperate.

The third rationale has great explanatory value. The disclosure of things which exist "outside of the will of the suspect" provides reliable evidence, whereas testimonial statements generally do not (you don't know whether the suspect is telling the truth). Thus, the privilege contributes to truth-finding and shields the judiciary from "miscarriages of justice" (Murray, see 2.10). However, I think it is impossible (and unnecessary) to pinpoint a single rationale: all of the above grounds have something to be said for them and explain different aspects of the privilege.

(There are other suggestions for rationales, such as privacy (the privilege protects the privacy of the mind), but I do not consider these relevant.)



3. Legal issues

3.1. Does the police have the right to demand my key?


3.2. When can I invoke the privilege against self-incrimination?


3.3. When and how can the police ask someone to decrypt in the US?


3.4. When and how can the police ask someone to decrypt in the UK?


3.5. When and how can the police ask someone to decrypt in the Netherlands?


3.6. What happens if I refuse a decryption command?


3.7. Who has the burden of proof?


3.8. Does mandatory LEAK infringe the privilege against self-incrimination?

LEAK (Law-Enforcement Access to Keys) means a system in which the police can access your key without your knowledge or cooperation, for instance by having you deposit your key with a Key Escrow Agent. (See my key-recovery page.) Some people have suggested that this may infringe the privilege against self-incrimination. After all, you oblige people to give the police the means to gather evidence against them.

For several reasons, the argument does not hold. First, the privilege against self-incrimination pertains to suspects, whereas a mandatory LEAK system is a general measure targeting citizens at large; people depositing their keys do not do so in the capacity of a criminal suspect. Moreover, the concern protected by the privilege against self-incrimination is that the truth be found in criminal proceedings (see 2.12). Now, requiring people to use means that enable law-enforcement agencies to gather evidence does not threaten the fact-finding process, as people are not forced to give the evidence itself. After all, people may refrain from using the LEAK system; they are not in any way obliged to use it for communicating incriminating evidence. There are plenty of parallels, for instance the tax-law requirement of keeping verifiable books: this too is a requirement that creates the possibility for law enforcement to gather evidence, while it does not concretely push people to hand over incriminating evidence.


3.9. Which countries require suspects to decrypt under legal warrant?

As far as I know, there is no country which has a law requiring suspects to decrypt under legal warrant.

The Netherlands has a provision that the police can command someone to decrypt during a search, but this command cannot be given to suspects (art. 125m DCCP). A 1998 pre-draft law (Computer Crime II) initially would have introduced this possibility, but after protests from the legal community, the provision was withdrawn, respecting the privilege against self-incrimination.

Several other countries have proposed a kind of decryption command, in some cases without excepting suspects. However, none of these proposals have yet been implemented. See the entries on Belgium, Canada, Finland, and the UK in my Crypto Law Survey.


3.10. Does a crypto key resemble a strongbox key or a safe combination?



4. Technical and practical issues

4.1. Is there a difference between handing over keys or plaintext?

What the police really wants is plaintext. So, they want the decryption of the ciphertexts they have recorded. This can be done in three ways:
  1. You give the decryption key to the police.
  2. You give the plaintext to the police.
  3. You give your key to a third party, who decrypts and hands over the plaintext to the police.

Technically, there is a big difference between these options. If you have used asymmetric cryptography (like PGP), handing over your private key will not only give access to the messages the police have a warrant for, but also to any other messages encrypted in the past or in the future with the corresponding public key. Although the police should not read messages intercepted outside of the warrant period, and should destroy the key after the warrant period, the temptation to do otherwise is there.

If you have used symmetric cryptography, handing over the key will only give access to the files or messages encrypted with that key, so in that case, there is not much difference.

Legally, there's also a difference. If you hand over a key or the passphrase to a key, the police can check themselves whether it's the right one. But if you hand over plaintext, and claim it corresponds to the ciphertext the police wants decrypted, why should the police believe you unless you demonstrate that the plaintext and ciphertext match? Logically, then, the police (or the judge in court) should ask you to perform the decryption before their eyes.

There's the third option, which seems to me to be a good middle way. Give your key (or passphrase) to a public notary (or the judge herself, if need be), and let her decrypt the messages the police want decrypted. This ensures that only messages are decrypted for which the police have a warrant, and gives the resulting plaintexts sufficient evidential value.


4.2. Is it technically feasible to comply with a demand to decrypt?

That is a tricky issue. There are several cases.

1. Stored data. If you store encrypted data on your computer, what is the use if you cannot decrypt? After all, you only keep them on your computer because you may want to access them sometime in the future. So, logically, you should be able to decrypt. Reality - and human frailty - of course, are not so logical. People forget passphrases every now and then, and with hard disks getting ever bigger, why bother to destroy age-old files which you will no longer need? Still, this is a relatively straightforward case. If you have stored encrypted data on your computer, you should, in principle, be able to decrypt, and if you cannot, the burden of proof is on you to explain why you cannot (compare 3.7).

Much trickier is the case with encrypted communications.

2a. Encrypted email. If you store encrypted email messages in encrypted form, the case is similar to stored data (see above). However, if the police have intercepted an encrypted email message in transit (difficult as that may be), or if they have encountered the message in a copy-to-self folder of the sender, they may ask you to decrypt. If the message has indeed been encrypted with your public key, you will be able to comply. PGP indicates in encrypted messages with whose key they have been encrypted. I do not know whether all crypto programs do that, nor whether it is feasible to tamper with this feature. (Can anyone tell me?)
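How a PGP program tells whose key a message was encrypted with, as an added example that is not part of this FAQ and not PGP's own code: a small Python parser for the packet framing of OpenPGP (RFC 4880) that lists the recipient key IDs stored in the Public-Key Encrypted Session Key packets at the front of a message. It assumes the RFC 4880 layout (known from the standard, not from this page), including the all-zero wild-card key ID that the standard allows for hiding the recipient, which is why the key ID in a message is a convention rather than a guarantee; the sample message is hand-constructed with dummy data, not real ciphertext.

```python
"""List the recipient key IDs named in an OpenPGP message.

Added example, not part of the FAQ or of PGP.  Layout per RFC 4880:
a message starts with one Public-Key Encrypted Session Key (PKESK,
tag 1) packet per recipient, each carrying version 3, an 8-octet key
ID, a public-key algorithm octet and the encrypted session key as
MPI(s).  An all-zero key ID is a wild card ("recipient hidden").
"""

PKESK_TAG = 1
WILDCARD_KEY_ID = b"\x00" * 8


def _read_header(data: bytes, pos: int):
    """Return (tag, body_start, body_length) for the packet at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                         # new-format header
        tag = first & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:                         # one-octet length
            return tag, pos + 2, b0
        if b0 < 224:                         # two-octet length
            return tag, pos + 3, ((b0 - 192) << 8) + data[pos + 2] + 192
        if b0 == 255:                        # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported here")
    tag = (first >> 2) & 0x0F                # old-format header
    ltype = first & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported here")
    nlen = {0: 1, 1: 2, 2: 4}[ltype]
    length = int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")
    return tag, pos + 1 + nlen, length


def recipient_key_ids(message: bytes) -> list:
    """Key IDs (upper-case hex) from the leading PKESK packets, in order.

    A wild-card key ID is reported as 'hidden'.  Parsing stops at the
    first non-PKESK packet, where the encrypted data itself begins.
    """
    ids = []
    pos = 0
    while pos < len(message):
        tag, start, length = _read_header(message, pos)
        if tag != PKESK_TAG:
            break
        body = message[start:start + length]
        if len(body) < 10 or body[0] != 3:
            raise ValueError("malformed or unsupported PKESK packet")
        key_id = body[1:9]
        ids.append("hidden" if key_id == WILDCARD_KEY_ID else key_id.hex().upper())
        pos = start + length
    return ids


def _pkesk(key_id: bytes, algo: int = 1, mpi: bytes = b"\x01\x02") -> bytes:
    """Build a PKESK packet (old-format header) around a dummy MPI.

    Constructed test data only: a real RSA MPI would be hundreds of bytes.
    """
    bits = int.from_bytes(mpi, "big").bit_length().to_bytes(2, "big")
    body = bytes([3]) + key_id + bytes([algo]) + bits + mpi
    assert len(body) < 256                   # one-octet length field
    return bytes([0x80 | (PKESK_TAG << 2)]) + bytes([len(body)]) + body


# Constructed sample: one named recipient, one hidden recipient, then a
# Symmetrically Encrypted Integrity Protected Data packet (tag 18, new
# format) holding four dummy bytes instead of real ciphertext.
SAMPLE_MESSAGE = (
    _pkesk(bytes.fromhex("0123456789ABCDEF"))
    + _pkesk(WILDCARD_KEY_ID)
    + bytes([0xC0 | 18, 4]) + b"\x01\xAA\xBB\xCC"
)

if __name__ == "__main__":
    print(recipient_key_ids(SAMPLE_MESSAGE))   # ['0123456789ABCDEF', 'hidden']
```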

2b. Encrypted phone calls or fax messages. If the police have intercepted some of your encrypted telephone communications and they ask you to decrypt, can you comply? That will depend on the crypto hardware or software you have used. I do not know whether crypto phones are able to decrypt former conversations - I suspect that generally they cannot, but I am not sure about that. The session keys used in encrypted communications are destroyed as soon as the session has ended, but it may be possible that the key-exchange mechanism of the crypto phone is able to reconstruct the session key if the entire communication (including the "handshake" messages which crypto phones use to establish a session key) has been recorded. (Can anyone tell me whether crypto phones work this way?)

If the communication was encrypted with a 'perfect forward secrecy' protocol (see 4.3), it is not possible to reconstruct the session key afterwards, and the suspect will not be able to comply with a decryption command.


4.3. What technologies can criminals use to prevent the police asking them to decrypt?

(Please note that I include this question and answer not to induce people to use such mechanisms, but to show how tricky a decryption command can be.)

If a criminal wants to prevent the police from ever asking him to decrypt, or from his having to comply if they do, there are a number of options.

First, he can hide the fact that he is using encryption at all. With steganography (hidden writing), you can hide your encrypted data (text, images, video, sound) in other data, in particular in digitized images. This will hardly alter the look of the image, and so the police may not notice that anything is hidden in the picture. (Of course, the presence on the computer of a program like "hideseek" will alert them to the criminal's using steganography.) On steganography, see Peter Wayner, Disappearing Cryptography (Chestnut Hill: AP Professional, 1996).

Second, crypto protocols and implementations are being devised which ensure "perfect forward secrecy": a characteristic which means that after a session has ended and the session key has been destroyed, there is no way to reconstruct the session key. This means that it is technically impossible for a criminal to give the key of former sessions to the police. Note that this holds only for encrypted communications, not for encrypted data storage. (Can anyone update me to what extent current crypto applications have this feature?)

Third, he may try "duress codes" or "deniable encryption", with which he decrypts the ciphertext at stake to a fake plaintext. See 4.4.

And then, there are ways to anticipate a criminal's "forgetting the password" if ever the police ask him for it, for instance by using many key pairs at the same time or changing his key frequently. See 4.5.


4.4. Can I use a "duress code"?

A "duress code" is something devised for people who have to do something (open a safe, change the course of an aircraft) under threat of violence. They have to comply, of course. However, a feature is built in that performs the action (it opens the safe, redirects the plane) but at the same time raises a silent alarm somewhere.

In the context of the police asking someone to decrypt, it is possible that the person complies and decrypts the ciphertext... but that he uses a different key which does not yield the original (incriminating) plaintext, but another (innocent) one. I call this a "duress code".

Say you want to send the message "twelve tons of dope" using a Vigenere system (addition of letters: A+B=B, C+D=F, etcetera). With Hamlet's monologue as a key, this yields the ciphertext:

  plaintext   TWEL VETO NSOF DOPE
  key         TOBE ORNO TTOB ETHA
  ciphertext  MKFP JVGC GLCG HHWE

When forced to decrypt, instead of giving the real key, you might give the key BWSJ YNLY NEYQ NDSR instead, which decrypts the message as follows:

  ciphertext  MKFP JVGC GLCG HHWE
  key         BWSJ YNLY NEYQ NDSR
  plaintext   LONG LIVE THEQ UEEN

This way you can decrypt the ciphertext to any plaintext you choose: from the ciphertext and the desired plaintext, you can compute the key you need to 'decrypt' to the desired plaintext.
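The key computation described above, as an added example that is not part of the original FAQ: a Python rendering of the FAQ's Vigenere convention (A=0 ... Z=25, ciphertext = plaintext + key mod 26) that encrypts the message, derives the duress key for a chosen innocent plaintext, and runs the check from 4.1 (does the ciphertext decrypt to the claimed plaintext under the offered key?) on both the real and the duress key, showing that the check accepts either. Function names are my own.

```python
"""Vigenere 'duress key' demonstration (added example, not from the FAQ).

With a key as long as the message, every key is equally plausible: for
any ciphertext c and any desired plaintext p of the same length, the
key k = c - p (mod 26) 'decrypts' c to p.  A verifier who only checks
that ciphertext and plaintext match under the offered key therefore
learns nothing about which plaintext was the original.
"""

import string

ALPHABET = string.ascii_uppercase


def _clean(text: str) -> str:
    """Keep letters only and upper-case them; spaces are for display only."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _shift(a: str, b: str, sign: int) -> str:
    """Letter-wise a + sign*b mod 26, e.g. A+B=B, C+D=F (the FAQ's convention)."""
    return ALPHABET[(ALPHABET.index(a) + sign * ALPHABET.index(b)) % 26]


def vigenere_encrypt(plaintext: str, key: str) -> str:
    p, k = _clean(plaintext), _clean(key)
    if len(k) < len(p):
        raise ValueError("key must be at least as long as the plaintext")
    return "".join(_shift(a, b, +1) for a, b in zip(p, k))


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    c, k = _clean(ciphertext), _clean(key)
    if len(k) < len(c):
        raise ValueError("key must be at least as long as the ciphertext")
    return "".join(_shift(a, b, -1) for a, b in zip(c, k))


def duress_key(ciphertext: str, desired_plaintext: str) -> str:
    """Key that makes ciphertext 'decrypt' to desired_plaintext: k = c - p."""
    c, p = _clean(ciphertext), _clean(desired_plaintext)
    if len(p) != len(c):
        raise ValueError("the innocent plaintext must be as long as the ciphertext")
    return "".join(_shift(a, b, -1) for a, b in zip(c, p))


def verify_claimed_decryption(ciphertext: str, key: str, claimed_plaintext: str) -> bool:
    """The check from 4.1: perform the decryption and compare with the claim."""
    return vigenere_decrypt(ciphertext, key) == _clean(claimed_plaintext)


def grouped(text: str, n: int = 4) -> str:
    """Display helper: split into groups of n letters, as in the FAQ's tables."""
    return " ".join(text[i:i + n] for i in range(0, len(text), n))


if __name__ == "__main__":
    real_key = "TO BE OR NOT TO BE THAT"
    ct = vigenere_encrypt("twelve tons of dope", real_key)
    print("ciphertext ", grouped(ct))                     # MKFP JVGC GLCG HHWE
    fake_key = duress_key(ct, "LONG LIVE THE QUEEN")
    print("duress key ", grouped(fake_key))               # BWSJ YNLY NEYQ NDSR
    print("decrypts to", grouped(vigenere_decrypt(ct, fake_key)))
    # Both keys pass the verifier's check; it cannot tell them apart.
    print(verify_claimed_decryption(ct, real_key, "twelve tons of dope"),
          verify_claimed_decryption(ct, fake_key, "long live the queen"))
```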

Although this is technically feasible, I do not consider this a serious option. Most modern cryptography does not work with Vigenere systems or One-Time Pads. If you do, I think you would have to explain to the police why you are using this system; the fact that you use it will likely alert them to the possibility that you are performing this trick (although, to be sure, they have no way of ascertaining this).

Other cryptographic protocols are being developed which ensure this possibility. For instance, Canetti and others have proposed "deniable encryption". This is a scheme in which "the sender can generate 'fake random choices' that will make the ciphertext 'look like' an encryption of a different cleartext, thus keeping the real cleartext private." (Ran Canetti, Cynthia Dwork, Moni Naor, Rafail Ostrovsky, 'Deniable Encryption', in: B.S. Kaliski (ed.), Advances in Cryptology - CRYPTO 97, Berlin: Springer 1997, pp. 90-104) I don't know whether this has ever been implemented, but tend to think that it will be an exotic scheme for some time to come.


4.5. "But I forgot the password!"

Who hasn't ever forgotten a password or a PIN code? It's very human. Still, it is rather a convenient time to forget your password just when the police pop in and ask you for it. It will depend on the circumstances whether this excuse will convince the police or the judge in court. I think such circumstances will include:

A key issue here is who has the burden of proof (see 3.7). I tend to think that if you claim you have forgotten the passphrase, the burden of proof is on you to argue why. If you provide evidence for some of the above arguments (especially if the data were encrypted a long time ago or if by now you are using another key pair), the burden of proof shifts to the police. They will then have to show that, for instance, you still used the key to sign a message the other day, or that you are a computer-security expert who has never yet forgotten his passwords at the office.


4.6. "But these are just random data!"

Very funny. Why on earth would you store random data on your computer, or send around messages containing only random data? That is very hard to believe - particularly if you have a crypto program on your hard disk as well... You must be able to demonstrate that you're doing research on random numbers (that will hold, perhaps, for a few cryptographers), that you use random numbers to thwart traffic analysis (this is a heavy security measure: you send random data every hour, so that an attacker will not know at what time you are sending encrypted messages), or show a certificate of lunacy in your medical record. This is not a retort that will convince a policeman or a judge in court.



5. More information

5.1. Where do I find offline information on the subject?


5.2. Where do I find online information on the subject?


5.3. Where do I find related information?



© Bert-Jaap Koops, 1999. All rights reserved.
Updated on 13 August 1999.
