{"id":3047,"date":"2021-04-21T12:28:33","date_gmt":"2021-04-21T16:28:33","guid":{"rendered":"https:\/\/www.bu.edu\/riscs\/?p=3047"},"modified":"2021-05-03T17:28:23","modified_gmt":"2021-05-03T21:28:23","slug":"scheffler-compelled-decryption","status":"publish","type":"post","link":"https:\/\/www.bu.edu\/riscs\/2021\/04\/21\/scheffler-compelled-decryption\/","title":{"rendered":"How a cryptographic definition of \u201cknowledge\u201d can help us understand the Fifth Amendment and compelled decryption"},"content":{"rendered":"<p><em>By Sarah Scheffler.<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><span>The best thing about interdisciplinary work is getting to unite concepts from very different areas of study that both fields have studied extensively.<\/span><\/p>\n<p><span>As far as I know, law doesn\u2019t have a single formal working definition of \u201cknowledge,\u201d but it does draw heavily from philosophy, which has a whole subfield devoted to working out definitions of knowledge.<\/span><\/p>\n<p><span>On the other hand, cryptography absolutely has consensus on a formal definition of \u201cknowledge.\u201d\u00a0 Agreement on the definition of \u201cknowledge\u201d was born of a practical need &#8212; designers of cryptographic systems need to know what they are trying to build, and users of those systems need to know what they\u2019re getting.\u00a0 The concept of \u201cknowledge\u201d in cryptography is that you \u201cknow\u201d something if you are capable of outputting it.\u00a0 You \u201cknow\u201d the answer to an exam question if you are capable of consistently outputting the answer.\u00a0 You \u201cknow\u201d your phone number if you can say it.\u00a0 Clearly this leaves some philosophical room to be desired &#8212; I might be able to output a drawing, but I wouldn\u2019t say I \u201cknow\u201d the drawing &#8212; but as a practical matter, the definition captures most useful scenarios.\u00a0 Among other uses, this notion of \u201cknowledge\u201d lets cryptographers 
define how much more information someone would \u201cknow\u201d about a message after seeing its encryption &#8212; hopefully, nothing.<\/span><\/p>\n<p><span>These different definitions can be helpful in ways you would never expect.\u00a0 In a recent work, we turned our attention to a legal question: Can a court legally order the owner of an encrypted device to decrypt it and provide its contents?\u00a0 This practice is called \u201ccompelled decryption.\u201d\u00a0 Aside from the obvious encryption connection, you wouldn\u2019t expect cryptographic definitions to be helpful to answer this question, or any other legal question.\u00a0 But adding cryptographic tools to the legal analysis toolbox turns out to be surprisingly helpful.<\/span><\/p>\n<p><span>The compelled decryption question is rooted in the Fifth Amendment of the U.S. Constitution, which states (in part) that \u201cno person &#8230; shall be compelled in any criminal case to be a witness against himself.\u201d\u00a0 This strong protection is meant to defend people from the \u201ccruel trilemma\u201d of being forced to choose between lying, self-incrimination, or facing contempt of court by staying silent.\u00a0 However, over the years, certain limitations have been interpreted &#8212; for example, the Fifth Amendment only applies to testimony the government forces or coerces you to say, not testimony you confessed willingly.<\/span><\/p>\n<p><span>One of these exceptions has to do with the government\u2019s \u201cknowledge\u201d of testimony that comes from an action.\u00a0 For example, if you\u2019re subpoenaed to bring something to court &#8212; let\u2019s say a plane ticket &#8212; then the action of bringing that plane ticket to court itself testifies to the fact that the plane ticket exists, and you have it, and that the ticket you brought is the real ticket.\u00a0 The rule since 1976 for this \u201cimplicit\u201d testimony has been: The government can compel you to produce the plane tickets if 
&#8212; and only if &#8212; it already \u201cknows\u201d all that implicit testimony.\u00a0 The government doesn\u2019t need to know anything about the contents of the plane ticket itself, only the \u201cmeta\u201d information that is communicated by your act of producing the ticket.<\/span><\/p>\n<p><span>This is where a formal definition of knowledge becomes useful.\u00a0 How can we say the government \u201cknows\u201d the ticket exists?\u00a0 Here, we find it useful to do the same kind of thought experiment that we might have done in cryptography.\u00a0 The government knows the ticket exists if it can produce the ticket.\u00a0 In fact, we could take this further and say the government knows the ticket exists if it is *capable* of producing the ticket &#8212; it doesn\u2019t actually have to do so.\u00a0 If the government knows, say via your friend\u2019s testimony, that your plane ticket is in your desk drawer, then it \u201cknows\u201d you have it because it could go get it from your desk drawer if it so chose.<\/span><\/p>\n<p><span>It turns out this concept actually works pretty well to describe prior cases that involve this kind of \u201cimplicit testimony.\u201d\u00a0 We reviewed every Supreme Court case involving this \u201cimplicit testimony\u201d and a couple dozen Circuit Court cases, just to be sure.\u00a0 All of the court cases that involve non-cryptographic subpoenas like producing paper documents align with this cryptographic \u201cknowledge\u201d approach.<\/span><\/p>\n<p><span>However, when it comes to cases that involve cryptography, like being forced to disclose the contents of an encrypted computer, the courts are much more confused &#8212; there are decisions all over the map.\u00a0 Some say nothing at all can be compelled.\u00a0 Others say everything &#8212; even the password itself &#8212; can be compelled directly.\u00a0 Some say the government only has to show that you know the password, and once they do that, you must provide the 
decrypted contents (though not the password itself).\u00a0 Biometrics like fingerprint logins or FaceID complicate the question even further &#8212; physical attributes like fingerprints are generally not protected under the Fifth Amendment, but at least one court has argued that use of a fingerprint to log in should be treated differently than other uses of fingerprints.<\/span><\/p>\n<p><span>The problem is genuinely confusing.\u00a0 When decrypting your device, what is the implicit testimony?\u00a0 If we\u2019re asking for the decryption of a specific known document, then we can use the same approach as before: the government must know the document\u2019s existence and so on.\u00a0 If we\u2019re looking for an underlying set of documents that may or may not exist, it seems more complicated.<\/span><\/p>\n<p><img loading=\"lazy\" src=\"\/riscs\/files\/2021\/04\/image1-452x300.png\" alt=\"\" class=\" wp-image-3048 aligncenter\" width=\"560\" height=\"382\" \/><\/p>\n<p><span>Our cryptographic \u201cknowledge\u201d method gives us a way out!\u00a0 The government \u201cknows\u201d the testimony inherent in the action if it could produce the result itself!\u00a0 The existence of an unencrypted backup of the files is certainly sufficient.\u00a0 Witness testimony about a particular file on the drive would probably be sufficient to produce that file.\u00a0 But the government can\u2019t compel testimonial information it didn\u2019t know in advance.\u00a0 It shouldn\u2019t be able to compel production of documents it doesn\u2019t know exist, and it definitely shouldn\u2019t be allowed to compel passwords themselves.<\/span><\/p>\n<p><span>This finding is not absolute &#8212; after all, we just used our own cryptographic definition of \u201cknowledge.\u201d\u00a0 Other methods probably lead to different results.\u00a0 But it\u2019s nice to find a method that is consistent with prior cases, is grounded in theory, and allows reasoning about cryptography directly &#8212; a 
task which has beguiled courts to date.\u00a0 Part of the excitement of interdisciplinary work is that very occasionally, you find a marriage between concepts that not only works but also shines light on genuinely difficult questions.<\/span><\/p>\n<p><span>For more technical details, see our paper at <\/span><a href=\"https:\/\/eprint.iacr.org\/2020\/862\"><span>https:\/\/eprint.iacr.org\/2020\/862<\/span><\/a><span>.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p>&#8212;<\/p>\n<p>Sarah Scheffler is a PhD student in the BUSec group working with Prof. Mayank Varia.\u00a0 She studies applied cryptography, including zero-knowledge proofs, multi-party computation, secure messaging, private set intersection, and hash combiners. Her research creates new cryptographic capabilities inspired by the needs of society, law, and policy.\u00a0 Visit her personal website <a href=\"https:\/\/www.sarahscheffler.net\">sarahscheffler.net<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Sarah Scheffler. &nbsp; The best thing about interdisciplinary work is getting to unite concepts from very different areas of study that both fields have studied extensively. 
As far as I know, law doesn\u2019t have a single formal working definition of \u201cknowledge,\u201d but it does draw heavily from philosophy, which has a whole subfield devoted [&hellip;]<\/p>\n","protected":false},"author":19115,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/posts\/3047"}],"collection":[{"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/users\/19115"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/comments?post=3047"}],"version-history":[{"count":3,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/posts\/3047\/revisions"}],"predecessor-version":[{"id":3051,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/posts\/3047\/revisions\/3051"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/media?parent=3047"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/categories?post=3047"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.bu.edu\/riscs\/wp-json\/wp\/v2\/tags?post=3047"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}