Thursday, December 12, 2019

Encryption, passwords, and self-incrimination

The University of Waikato and New Zealand Law Foundation have released a report today on the law around encryption in New Zealand. There's stuff in there about principles and values, and how proposed government policies to provide for "lawful access" by creating backdoors would destroy the trust which makes encryption work (and, given the availability of encryption, simply push people to use systems they can trust, without such backdoors). But they also find that the existing law around searches, under which people can be required to provide passwords or keys to enable government searches, on pain of imprisonment, fails to respect fundamental human rights, specifically the right against self-incrimination.

New Zealand law takes a broad view of self-incrimination, defining it as anything "reasonably likely to lead to, or increase the likelihood of, the prosecution of a person for a criminal offence". But if the police want to access your data because they think there is evidence there that you have committed a crime, then by definition assisting them increases your likelihood of prosecution and is self-incriminating. Unfortunately, the law as written does not include sufficient guidance to protect this right; there's a generalised right in the Evidence Act, but insufficient protections in the search clauses themselves. Which in turn effectively allows the government to force people to incriminate themselves, in contravention of legal norms and international human rights standards. As a result,

[t]he researchers recommend that the right or privilege against self-incrimination should be more strongly recognised in computer searches, and that persons suspected or charged with a crime should not be forced to disclose their passwords. While providers have a responsibility to assist the police in search or surveillance operations if it is within their existing technical capabilities, such assistance should not involve any act that would undermine the information security of their products and services or compromise the privacy of their clients as a whole.
Meanwhile, if the government ever asks you for your passwords, I recommend refusing. They'll threaten you with jail or a fine, but if the alternative is incriminating yourself (and by definition they are asking you to do so), then you should refuse to do so.

You can read the full report here.