Politech mailing list archives

FC: Orin Kerr says "encryption in a crime" penalty isn't that bad


From: Declan McCullagh <declan () well com>
Date: Wed, 12 Feb 2003 15:18:00 -0500


--

From: "Orin Kerr" <okerr () law gwu edu>
To: declan () well com
Date: Wed, 12 Feb 2003 14:47:55 -0600
Subject: for politech, if you like

Declan,

This is an edited version of a blog posting of mine commenting on the proposed
offense, "unlawful use of encryption." The original is here:
http://volokh.blogspot.com/2003_02_09_volokh_archive.html#90304660

Orin
_________________________________

WOULD A LAW CRIMINALIZING "UNLAWFUL USE
OF ENCRYPTION" HAVE MORE BARK THAN BITE?

Section 404 of the new DOJ anti-terrorism proposal has a section that would create a new federal crime, "unlawful use of encryption." The proposal would allow the government to charge "[a]ny person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony" with a separate felony crime. DOJ argues that this crime is "warranted to deter the use of encryption technology to conceal criminal activity."

Civil libertarians worry that this law will just thump pretty much every computer criminal with an extra five years in prison. Declan McCullagh argues: "When encryption eventually becomes glued into just about every technology we use, from secure Web browsing to encrypted hard drives, the [provision] would have the effect of boosting maximum prison terms for every serious crime by five years. It'll be no different--and no more logical--than a law that says 'breathing air while committing a crime' is its own offense."

I think both sides are a bit off here. DOJ is probably optimistic about the likely good of this proposal, and Declan overstates the harm. If passed into law, I think this crime would probably make little difference in practice, and would be charged only rarely.

Why wouldn't this law make much of a difference? Let's start by considering how law enforcement discovers uses of encryption in criminal cases. The FBI gets legal authority to conduct surveillance of a suspect in a particular case, and when they get the information, they find out it is encrypted. What to do? Decrypting the information by brute force is essentially impossible, so the FBI will either a) locate the key that will allow them to decrypt the information, or b) never be able to decrypt the information and will try to solve the case in another way.

If the FBI cannot find the key, the defendant will not be charged under the "unlawful use of encryption" statute because the government will lack proof: if the government can't decrypt a file, it cannot prove that the file is "incriminating" and that the information it contains "relat[es]" to another felony the defendant is committing. The government can only bring the charge if they have successfully decrypted the communication, which to my knowledge has happened in only two cases (including the Scarfo case).

But what if the government succeeds in decrypting a defendant's files, and finds out that a defendant was in fact encrypting incriminating information relating to a felony? Won't the government be able to add an extra five years in the slammer to that defendant's sentence? It's quite unlikely. First, the proposed statute requires that the government show that the defendant encrypted the incriminating communication "willfully." Although the meaning of "willfully" in federal criminal law is not entirely settled, the word usually means "in knowing violation of the law." In other words, the government must show not only that the defendant knew that he was concealing the information, but that he knew that it was illegal to do so. Even where applicable, this would be extremely hard for the government to prove: criminal defendants have a constitutional right not to testify, which means that the government would have to prove based on the context that the defendant must have known that his use of encryption was criminal. Given that the law only applies to the use of encryption to further federal (not state) crimes that are felonies (not misdemeanors), this would be hard to do.

But let's say a defendant sent an e-mail to the FBI when he encrypted his files, saying: "Dear Mr. FBI Agent, I am hereby encrypting files in furtherance of a federal felony offense, and I realize it is a crime." In that case, the government would be able to prove the defendant encrypted his communications willfully. Wouldn't it add five years to a defendant's sentence then? Not necessarily. The trick is that the "five year" penalty for this proposed crime is only a theoretical maximum penalty: the actual sentence would be imposed under the federal Sentencing Guidelines. (This is true for all federal crimes, actually, and means that you need to be skeptical when you read about people being arrested and facing zillions of years in prison. It's not uncommon for a defendant to be arrested on 10 felony counts each with a maximum of 10 years in prison, and for the defendant to plead guilty and get a sentence of 6 months in prison or even just probation.)

The real question of how the proposed law would impact criminal sentences depends upon how it would be treated under the Sentencing Guidelines. There are no guidelines for this crime, of course (this just being a proposed law, not an actual one), so the actual effect of a conviction under the proposed crime is a matter of speculation. But it's worth noting that the most common approach to grouping related offenses under the guidelines is for the most serious offense to control the sentence. So if I go on a crime spree and commit one serious federal offense along with three minor federal offenses, the offenses normally will be "grouped" and only the most serious offense will actually determine the sentence. The rest of the crimes won't make a difference.

Why does this matter? It matters because the proposed crime is by its nature a dependent crime: a defendant would be guilty of unlawful use of encryption only if he was also guilty of another federal felony crime, and the government could prove that other felony. As a result, if the independent crime is the more serious crime under the guidelines, the "grouping" of the offenses could make the independent crime the key offense under the guidelines. In this case, a conviction for unlawful use of encryption might have no effect whatsoever on the defendant's sentence. (As I said above, though, this is just speculation-- the actual effect would be up to the Sentencing Commission, which would have to figure out how to deal with this new crime if it became law.)

If the law could have so little effect, you may be wondering, why would DOJ propose it in the first place? One possibility is that deterrence can work based on perceptions as much as reality. If people *think* that this law will send them to jail for an extra five years for using encryption to further a serious crime, they might be deterred from using encryption to further criminal activity-- even if the law is unlikely to do that.

Orin S. Kerr
Associate Professor
George Washington University Law School
Washington, DC 20052




-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
-------------------------------------------------------------------------

