Adam Liptak, who has been on a roll lately, has another great “Sidebar” in today's NYT entitled, If Your Hard Drive Could Testify …. The article quotes me and Orin Kerr as if we were opposed; oddly, although I think Orin and I do have disagreements about what the law on encryption should be, I suspect Orin and I agree with each other on the points for which we're actually quoted.
Although the article does a great job of describing some recent cases and issues, the academic in me wishes that every time anyone writes about this stuff they'd have the space and time to provide what I see as some critical context for the debate as to when a person can be forced to hand over the key to a cryptosystem.
There are plenty of technical issues here (what happens if you really have forgotten your password? or if someone has put random gunk on your hard drive, making it look like there's crypto there?), but even more important fundamental ones. In particular, the current debate over the extent to which the 5th Amendment protects encrypted messages matters so much because our understanding of the 4th Amendment has changed. A hundred years ago, the Supreme Court thought it was obvious that asking a person to turn over his private papers was a constitutional violation. Even 30 years ago the Court thought that the 4th Amendment protected some zone of private papers such as a diary from demands that they be turned over. (Note that there can be an important difference between finding something in a search and demanding that the subject of the search find it for you.) Today, although the Supreme Court has never actually decided the diary issue, it's pretty clear that no other writing — and probably not the diary either — is protected from such demands.
It's the evisceration of the 4th that puts such pressure on the 5th. It may be that as a society we really don't want to allow any zone of privacy beyond what you can keep in your head. But as devices record more of our lives, and as we rely increasingly on what some of us only half-jokingly call our prosthetic memories, I think that it is increasingly unrealistic to exclude at least some bits from the intimate zone of privacy if we wish to remain true to the purposes of the 5th (and 4th) Amendments.
Good morning:
The whole thing about inspection of your hard disk at the border is interesting, but not relevant to anyone who is technically savvy. The answer to file protection is so easy. You can keep critical files in your flash watch, or, as I do, keep key files securely online.
Google offers 6.5G of storage with gmail, free and secure. When you are overseas, just retrieve them when needed. As for access speeds overseas, the USA is the one that is too slow. Japan, the EU, and many countries have far greater access to higher speeds than we do in the USA.
related: http://www.truecrypt.org/
As an aside, the last release of Debian (stable — 4.0, aka “etch”) automatically asks you during the initial install if you want the system disk (or partitions thereof) to be encrypted. If you say yes, the bootup process will ask for your decryption password before the partition (say your /home/ or /home/froomkin/private directories were in their own partition) gets mounted.
Unfortunately, because it’s a hassle, no one except the exceptionally curious or paranoid will use encryption willingly (which is a shame, because it would make vote-verification and authentication actually, you know, work in electronic voting). One of the things I’m really looking forward to vis-a-vis IPv6 is the included IPSec component; it’s a real PITA for IPv4, but necessary for a lot of traffic.
Dr Morton’s note above is true, but of course comes with the caveats that
a) unless you encrypt on your portable drive, you’re just risking losing the data via another method and
b) if your data is online, you have to really trust whoever handles it for you to not compromise you.
c) you also have to trust their access to the ‘net and your access to them. If you cannot control access to the data, you cannot control the data.
In theory, you could, of course, encrypt the data and put the encrypted volume online, but then there are the problems associated with transferring the data and someone attempting a man-in-the-middle (e.g., someone running a Tor anonymizing node…and when was the last time anyone read through an SSL certificate a website gave them?).
In all likelihood, if your data has gone through an AT&T line on the internet’s backbone (i.e., data going over a line owned by AT&T, not just your connection or the connection of whoever you were communicating with), then you’ve probably already gone through a man-in-the-middle attack.