A law that requires individuals to produce decryption keys for encrypted data could send innocent people to jail, because it is hard to tell the difference between encrypted data and white noise. The government wants to increase the penalty for not providing decryption keys to law enforcement from 2 to up to 10 years.
Extending gaol time for failing to provide secret keys to encrypted data extends an already terrible law. For most practical purposes, an encrypted message is indiscernible from random noise. The only way to distinguish between encrypted content and random noise is to have access to the private key. As such, a person with white noise on their device, or any files not encrypted by them on their device, could be subject to long gaol sentences.
Below we will outline four different ways that an innocent person can be prosecuted under this law, by being incapable of producing encryption keys for data that is in their possession.
1) Being sent encrypted information or white noise
Users are not always explicitly in control of the information that is downloaded and stored on their computer. A demonstration of this is below:
The first string is effectively just random noise (generated by https://random.org). No information can be gathered from this string.
The second string contains encrypted information. The information says, “This law is a bad idea,” and is encrypted using 128-bit AES with the very simple password “password1”, which was simply performed on the website https://aesencryption.net/. There are many other sites providing this functionality, and the functionality is in-built in all modern web browsers.
The first string looks very similar to the second string. If we did not include this password to the second string, and the reader of this report would not be able to tell if there is information in the second string. In fact it is impossible for the reader (or anyone else, including our best spies, for that matter) to know if either of the strings contain encrypted information.
Unfortunately, it is impossible for us to prove that the first random string does not contain information. As such, this report becomes a legal liability for someone likely to be searched and carrying an electronic device with this report stored on its internal storage.
Even deleting the file will not work. Deleting a file from a device only marks the space as available to be written over. If you have downloaded this as a PDF to your drive, a silent copy can remain on your drive. Terrorists, child exploitation material peddlers and other nefarious people can use this fact to transfer data as “deleted” and use a disk recovery tool to retrieve the information. Likewise, police can also use a disk recovery tool to find the deleted information. If they find this submission by the Science Party, and you cannot provide the encryption key to the first string, you are at risk of going to gaol.
If you are likely to be searched (for example, crossing our border), the only way to ensure that this report doesn’t get you into trouble under this law is to throw out this device and get a new one.
The only way to be safe from prosecution under this law is to not own any electronic devices whatsoever.
Unfortunately, this will likely be insufficient. Pieces of seeming non-sense are routinely downloaded and stored in the cache on our devices every time we surf the web, all without our knowledge. All of this seemingly random data could hold encrypted information, and ultimately puts you at risk, whether you are crossing the border, or your computer is under investigation for any other reason. The only way to be safe from prosecution under this law is to not own any electronic devices whatsoever.
2) Buying a second-hand computer
As discussed above, deleting a file doesn’t mean that it is gone. The deleted information can still be recovered. If you receive a computer, even one with a fresh install, and do not reformat the hard drive with white noise to replace hidden deleted files, you are at risk of being prosecuted for not providing the encryption key to information on your personal device.
3) Owning a computer with a white-noise cleaned hard drive
That second hand computer we bought above, which we tried to do the right thing with by wiping the hard drive with white noise now suffers from the same problem in point 1) above: white noise and encrypted data are impossible to tell apart.
4) Receiving any image or sound
Steganographic techniques mean all data could contain encrypted information. By taking an image and changing some of the pixels ever so slightly, we can send this new image to a friend with a message inside of it. The United States FBI reported that Russian foreign agents used steganographic techniques to send encrypted information on public networks. Considering that the method simply relies upon the same but slightly different image being sent as a means of containing cryptographic information, all pictures effectively become a means for storing encrypted information.
If your computer holds a copy of a picture of a dog, and its brightness and contrast of some pixels are slightly different to another version on the internet (which can be caused simply through re-saving an image), an enforcer of this law may find the difference between the two images, and present you with a long string that they could ask you to decrypt. Unfortunately for you, despite the fact that it will look like random noise, there is no way to prove to the law enforcement agent that there is no encryption key for this random noise.
All people are at risk of being punished under a law which fails to take into consideration that encrypted data and white noise is transmitted and stored routinely, and most people have no way of unlocking this data.