Slashdot points to an article by Greg Taylor of Electronic Frontiers Australia titled "The Council of Europe Cybercrime Convention - A civil liberties perspective".
In that article, Taylor writes:
"1.5 Access to Encryption Keys
In the last few years, after considerable international debate over surveillance, privacy and electronic commerce, the use of encryption has been liberalized, except in a few authoritarian governments such as China and Russia. Clause 4 of Article 19 (Search and Seizure of Stored Computer Data) is a step backwards by seemingly requiring that countries adopt laws that can force users to provide their encryption keys and the plain text of the encrypted files. So far, only a few countries, such as Singapore, Malaysia, India and the UK, have implemented such provisions in their laws. In those countries, police have the power to fine and imprison users who do not provide the keys or the plaintext of files or communications to police. It should be noted that the UK Government faced significant opposition over its initiative. Such approaches raise issues involving the right against self-incrimination, which is respected in many countries worldwide."
Clause 4 of Article 19 reads:
"4. Each Party shall adopt such legislative and other measures as may be necessary to empower its competent authorities to order any person who has knowledge about the functioning of the computer system or measures applied to protect the computer data therein to provide, as is reasonable, the necessary information, to enable the undertaking of the measures referred to in paragraphs 1 and 2."
That may indeed lead to a duty to disclose encryption keys. However, it is a different question whether that duty, if it is introduced according to the Treaty, trumps the right against self-incrimination as guaranteed, for example, in the Fifth Amendment of the American Constitution, which requires that no person "shall be compelled in any criminal case to be a witness against himself."
In a 1996 paper, Greg S. Sergienko explains that in America, the Fifth Amendment would give a suspect the right to refuse to hand over encryption keys.
I agree with that analysis.
Therefore, I think that any legislation based on Article 19 of the Cybercrime Treaty would only enable law enforcement authorities to request encryption keys from third parties who run no risk of being prosecuted themselves. Article 19 should not be construed as requiring self-incrimination.
Posted by Karl-Friedrich Lenz at April 26, 2004 11:23 AM