When privacy dies and encryption is illegal

One day just appearing like you might have something to hide could get you in serious trouble ...

"You have zero privacy anyway. Get over it." - Scott McNealy, chairman of Sun Microsystems, 1999

There are still many people who have no objection to the government surveilling them. Many of my friends say "I've got nothing to hide," arguing that whatever the government does in the way of monitoring their telephone calls, Web browsing, and email messages doesn't bother them because they are not one of the "bad guys."

On the other hand, when asked if they value their privacy, every single one of them says that their personal privacy is very important. 

The problem is that most people understand the concept of the state monitoring public and private communications to find out what the bad guys are up to and hopefully thwart them, but they don't connect the accumulation of data about themselves over a long period combined with a lack of rigorous controls on who can access that trove with a risk to their privacy. And the idea that over-reach is somehow not inevitable seems to go hand-in-hand with a belief that the government watchers are "good guys" in the broadest sense; that the authorities are somehow on the public's side.

What my friends, and probably yours too, fail to see is that the more they simply acquiesce as intelligence collection becomes increasingly comprehensive, the more those who are concerned about their privacy will be singled out for defending it, and the more how "transparent" citizens should be will become a matter of legislation.

For example, if you use encryption to secure data on your desktop, laptop, or smartphone and, for whatever reason, the police or customs should decide to search your property, they may well demand the decryption key. In a case last year:

A Colorado federal court has ruled that decrypting a computer hard drive does not constitute self-incrimination from a Fifth Amendment perspective. Judge Robert Blackburn ordered accused fraudster Ramona Fricosu to release a decrypted version of her computer's hard drive. Fricosu's attorneys had argued that doing so would mean testifying against herself, which is prohibited by the US Bill of Rights. 

Wired reported: 

Her attorney appealed, hoping to win a reprieve based on the assertion that being forced to decrypt her laptop amounts to a breach of the woman's Fifth Amendment right against compelled self-incrimination.

The 10th U.S. Circuit Court of Appeals, however, sided with the government's contention that an appeal was not ripe - that she must be convicted or acquitted before the circuit court would entertain an appeal. Appellate courts usually frown on hearing appeals until after there's been a verdict.

The appellate court wrote Wednesday that it lacks "jurisdiction to consider the resulting proceeding under any exception to our usual finality rules."

In the end, Federal authorities "successfully decrypted Fricosu's hard drive without her involvement," which left the whole issue of whether her decryption key could be demanded without violating her Fifth Amendment rights up in the air. And then there's the problem of what could be done by Federal authorities if she had claimed that she had "forgotten" the key? The judge could have thrown her in jail for contempt until she complied but, of course, if she had really forgotten the key then she would wind up being held indefinitely.

Now, what if this was you at a customs checkpoint in, say, Russia, and a mean-looking guy flanked by guards with guns is demanding to examine your computer? And what if you're using TrueCrypt? TrueCrypt is a free, open source encryption system that can not only secure your data but also create a hidden volume on a drive. This hidden volume is designed to be truly hidden:

The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it should be impossible to prove whether there is a hidden volume within it or not*, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So, when you enter one key the outer volume is decrypted, and when you enter the other key the inner, hidden volume is decrypted. Great, but there you are at customs being threatened and they know you're using TrueCrypt. You can claim that you don't have a hidden volume but they say "But you're using TrueCrypt, prove there's no hidden volume." Of course you can't, so depending on whether they are feeling ornery or not, you could well wind up going to jail for what you don't have because you can't prove you don't have it.
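The indistinguishability claim above can be checked with a per-sector entropy scan, sketched here as an added example that is not TrueCrypt code or part of the original article. The SHA-256 keystream cipher, the 4096-byte sector size, the 7.9-bit threshold and the sample data are all assumptions made for the demonstration.

```python
import hashlib
import math
import os

SECTOR = 4096  # analysis granularity in bytes (assumed, not TrueCrypt's layout)

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream: a stand-in cipher for the demo."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_container(size: int, payload: bytes = b"", offset: int = 0) -> bytes:
    """Random fill, as free space gets at volume creation; payload overwrites a region."""
    buf = bytearray(os.urandom(size))
    buf[offset:offset + len(payload)] = payload
    return bytes(buf)

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    return -sum(c / len(block) * math.log2(c / len(block)) for c in counts if c)

def flagged_sectors(container: bytes, threshold: float = 7.9) -> list:
    """Indexes of sectors whose byte entropy falls below what random data shows."""
    sectors = range(0, len(container), SECTOR)
    return [i // SECTOR for i in sectors if entropy(container[i:i + SECTOR]) < threshold]

def demo() -> dict:
    size, offset = 64 * SECTOR, 16 * SECTOR
    secret = (b"confidential notes\n" * 1000)[:4 * SECTOR]  # constructed sample data
    return {
        "outer_only": flagged_sectors(make_container(size)),
        "with_hidden": flagged_sectors(
            make_container(size, toy_encrypt(b"hidden-key", secret), offset)),
        "unencrypted": flagged_sectors(make_container(size, secret, offset)),
    }

if __name__ == "__main__":
    for name, sectors in demo().items():
        print(f"{name:12} flagged sectors: {sectors}")
```

The scan flags the sectors holding unencrypted data but returns the same empty result for a container with an encrypted region and one without, which is why the traveler in the scenario has nothing to offer as proof either way.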

While what happens when you are trying to negotiate customs in an unfriendly land (which could be the US if you're not a US citizen) may be a risk today, tomorrow's risks might be to US citizens and could start out much as they did for the Catalanos, whom I wrote about yesterday.

The Catalanos were fingered by an ex-employer as possible terrorists on ridiculously specious grounds and, as a consequence, their home was searched by the police. But what if this family had had an encrypted computer and they had refused to reveal its decryption key? They were already under suspicion so how would the authorities feel if the Catalanos had refused to be transparent? And if the Catalanos had been using TrueCrypt how could they ever prove they weren't hiding anything even if they did choose to cooperate?

And we know the Feds don't like encryption. Remember that back in 2010 there was an effort by the Federal government to regulate the use of encryption online:

Federal law enforcement and national security officials ... want Congress to require all services that enable communications - including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct "peer to peer" messaging like Skype - to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.

Thankfully that effort was derailed, but you can bet that the idea of this legislation is not dead; zombie-like, it, or its hideous offspring, will rise again to stalk the halls of Washington.

The way things are going, at some point in the future the mere use of anything that could obfuscate your trail in the world, hide your data, and/or secure your privacy could be interpreted as suspicious behavior, and that could be enough to warrant your in-depth surveillance and, with that, the loss of whatever privacy you thought you had.

Today you have some privacy left but one day Scott McNealy could well be right.
