Category Archives: Cryptography

Does Using PGP Mark You as a Criminal?

Posted on July 10, 2008 by Michael Froomkin

Does encrypting your data with PGP tend to show that you are a member of a criminal organization? That's what this article, Infoshop News – Repression in Austria over PGP keys, alleges is the view of the Austrian police.

I'd need to know a lot more to form a view of how accurate these claims (by “anonymous” no less) are. Might be nothing to it.

I mention it because it's an interesting issue, and one that's sure to come up again elsewhere, in similar guises.

I can see how if parties are communicating by encrypted email (or otherwise) with someone known or suspected to be a member of a gang, then by ordinary principles of traffic analysis, police might decide they were worth knowing more about. The use of encryption on stored data, however, does not by itself suggest people are anything other than prudent.

Posted in Cryptography | Comments Off on Does Using PGP Mark You as a Criminal?

The “Security Mindset” and “Thinking Like a Lawyer”

Posted on March 25, 2008 by Michael Froomkin

One of my favorite security gurus, Bruce Schneier, has an entertaining and yet infuriating article on The Security Mindset in which he tries to explain how security professionals think differently from other engineers.

SmartWater is a liquid with a unique identifier linked to a particular owner. “The idea is for me to paint this stuff on my valuables as proof of ownership,” I wrote when I first learned about the idea. “I think a better idea would be for me to paint it on your valuables, and then call the police.”

Really, we can't help it.

This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work.

It's fun and you should read the whole thing.

But it's also a bit frustrating — because Bruce restricts his discussion to how engineers think. To me, what he is describing is a big part of “thinking like a lawyer”. And when Bruce asks whether this sort of demented worldview, one in which you shake things to see how they break, can be taught, I think, “Hell, yes: I've been doing it for years.”

Most lawyers don't have the math to be a cryptographer or the technical chops to do security analysis of a complex program. But good lawyers — whether transactional or litigation oriented — do have a “security mindset”: A big part of learning to 'think like a lawyer' is learning again and again how things broke. That equips you to try to build things that won't break (or at least won't break in old ways); it also trains you how to break them.

Posted in Cryptography, Law School | 5 Comments

Microsoft Acquires Credentica’s U-prove

Posted on March 6, 2008 by Michael Froomkin

Big news to the folks who care about such things: Microsoft acquires Credentica's U-prove technology.

Bravo to Stefan.

Posted in Cryptography | Comments Off on Microsoft Acquires Credentica’s U-prove

Map of International Crypto Law

Posted on March 2, 2008 by Michael Froomkin

Map of international crypto law (plus some information security law) built using google maps.

Posted in Cryptography | 2 Comments

Mozy Understands How to Write Warnings

Posted on February 19, 2008 by Michael Froomkin

Online backup provider Mozy.com offers 2GB of free storage to the home user.

You can use their encryption key — which means it's recoverable: they have a backdoor if you loose lose it, or if someone else turns up with a subpoena — or you can grow your own.

I chose the latter. Which produced this great warning pop-up:

I understand that if I ever lose this key, that neither I nor MozyHome will be able to decrypt my data and I will be hosed.

I clicked “yes”.

(Only later did I find out that Mozy will only backup files resident on a fixed disk. I wanted to back up my USB drive. Oh well. At least I got a laugh.)

Posted in Cryptography, Internet | 5 Comments

NYT Does Encryption and the 5th Amendment

Posted on January 7, 2008 by Michael Froomkin

Adam Liptak, who has been on a roll lately, has another great “Sidebar” in today's NYT entitled, If Your Hard Drive Could Testify …. The article quotes me and Orin Kerr as if we were opposed; oddly, although I think Orin and I do have disagreements about what the law on encryption should be, I suspect Orin and I agree with each other on the points for which we're actually quoted.

Although the article does a great job of describing some recent cases and issues, the academic in me wishes that every time anyone writes about this stuff they'd have the space and time to provide what I see as some critical context for the debate as to when a person can be forced to hand over the key to a cryptosystem.

There are plenty of technical issues here (what happens if you really have forgotten your password? or if someone has put random gunk on your hard drive, making it look like there's crypto there?), but even more important fundamental ones. In particular, the current debate over the extent to which the 5th Amendment protects encrypted messages matters so much because our understanding of the 4th Amendment has changed. A hundred years ago, the Supreme Court thought it was obvious that asking a person to turn over his private papers was a constitutional violation. Even 30 years ago the Court thought that the 4th Amendment protected some zone of private papers such as a diary from demands that they be turned over. (Note that there can be an important difference between finding something in a search and demanding that the subject of the search find it for you.) Today, although the Supreme Court has never actually decided the diary issue, it's pretty clear that no other writing — and probably not the diary either — is protected from such demands.

It's the evisceration of the 4th that puts such pressure on the 5th. It may be that as a society we really don't want to allow any zone of privacy beyond what you can keep in your head. But as devices record more of our lives, and as we rely increasingly on what some of us only half-jokingly call our prosthetic memories, I think that it is increasingly unrealistic to exclude at least some bits from the intimate zone of privacy if we wish to remain true to the purposes of the 5th (and 4th) Amendments.

Posted in Cryptography, Law: Constitutional Law | 2 Comments