The maple leaf. Hockey. Tim Hortons donuts. Forced decryption?
If one of these doesn’t seem to go with the others, you might not be a member of the Canadian Association of Chiefs of Police (CACP).
At its annual conference this week, CACP voted to support legal changes that would permit judges to “compel the holder of an encryption key or password to reveal it to law enforcement” when needed to decrypt potential digital evidence.
According to CBC, RCMP Assistant Commissioner Joe Oliver told a press conference that criminals are operating online in almost complete anonymity using tools that mask identities and messages.
Oliver added that Canadian law currently offers no provision for legally demanding that a suspect provide passwords to enable access to files under investigation:
The victims in the digital space are real. Canada’s law and policing capabilities must keep pace with the evolution of technology.
To bolster its argument, CACP cited a recent report by the International Association of Chiefs of Police, arguing that “law enforcement’s decreasing ability to lawfully access and examine digital evidence at rest and evidence in motion due to technical and non-technical barriers – is increasingly placing public safety at risk.”
However, as Motherboard observes:
The CACP is merely an advocacy body and resolutions they pass have no effect on the law of the land. Moreover, the organization has a history of asking for [greatly expanded] powers…
At the CACP’s 2015 national convention, the organization resolved to support the creation of a law that would allow police to access telecom subscriber information in real-time, and without a warrant. To date, no such law exists.
Still, CACP is contributing to an active debate in Canada, reports CTV News:
The police chiefs’ resolution comes as the federal government begins a [two month] consultation on cybersecurity that will look at… the best way to balance online freedoms with the needs of police.
There’s been quick, albeit polite, pushback.
OpenMedia spokesperson David Christopher called the proposal “wildly disproportionate,” noting that providing a laptop’s decryption key would be like “handing over the ‘key to your whole personal life.’… this seems like it’s clearly unconstitutional.”
Micheal Vonn, policy director for the BC Civil Liberties Association, told Motherboard:
To say this is deeply problematic is to understate the matter.
Meanwhile, Jacob Ginsberg, senior director for Echoworx, an email encryption firm based in Toronto, told IT World Canada:
While we don’t blame CACP for wanting tools to make their jobs easier, a law of this kind would criminalize privacy…
Finally, on Thursday, CACP defended itself in a series of tweets:
As the Canadian government’s cybersecurity consultation moves forward, we’ll keep an eye out. If CACP’s wishlist finds its way into legislation, we’ll let you know.
This request strikes me as an open request to violate the fundamental right to avoid self-incrimination. Perhaps that right is not as fundamental as I think, but it’s in the Canadian Charter.
It’s always easier to understand these issues by re-imagining digital rights management, such as encryption, into a physical form.
For example, let’s say that I make a piece of art by writing down on a canvas the details for how I committed a crime. Now I complete the artwork by overlaying brown paper over the canvas with glue. The authorities can ask if I can remove the paper covering, expecting to find something useful. I refuse. Do they then have the right to “demolish” my artwork to find the incriminating canvas underneath? Furthermore, if they do, doesn’t that mean that the evidence can be legally thrown out of the case, ejecting the only real evidence against me?
Such a “right” as being able to unencrypt a suspect’s life has two problems, beyond illegally-obtained evidence: There is the typical “power corrupts” argument, where the rules that normally protect the public will eventually be used to destroy a life. Additionally, as an offshoot of that problem, there is the issue of other law enforcement agencies adopting this policy, and the instructions of “how” being either released to the public accidentally, or through exfiltration, multiplying the risk of corruption.
There is no real “balance”; that is an illusion. Such permissions will simply drive the serious criminal element to deeper, uncompromised encryption methods, while the public will be left vulnerable to decryption methods that bad agents will exfiltrate out of the official channels sooner or later.
As much as I support the police and want them to get the “Bad Guys” I cannot support their stance on this issue.
Perhaps it is time for law enforcement (***and law makers***) to start thinking of new and different ways to combat cybercrime and to get digital evidence from suspected criminals.
you mean do their jobs… and stop being lazy donut sucking ******.
I say OK . . . as long as there’s a $800 Bazillion Buck penalty to be paid immediately to the violated party if Tha Fuzz DOES NOT find what they sought, plus a buncha years in the slammer for the liars.
So what happens if you forget your password? Are you going to end up behind bars because you legitimately forgot it? I have some old laptops sitting in my garage that I haven’t powered up in years. I have no idea what the passwords are now. This is why law enforcement should stick to enforcing the law and not trying to create it.
I’m not sure what the other ISO will think, but isn’t it terrible to give them the keys to data all over the country? What would stop them from abusing this or someone else taking advantage of such a situation or position?
Even if they get the keys to everything within Canada, what makes them think that they’re infallible? Are they so certain they won’t be targeted by hacker(s) or hacker group(s) for those masterkeys to every data in the Country?
One must remember this is no longer only criminals, there is business espionage and it can be said that even countries may spy on others to obtain the intellectual property that sets them apart in an advantageous position against other countries.
The Canadians are quickly catching up with us to become dumb, mean-spirited, and anti-democratic.
So a police chief is going to walk up to a criminal and say, “Give me your digital keys so I can decrypt your data and send you to jail”, and the criminal will be obligated to obey, right? The only people who are even going to be in a position for a police chief to walk up to them and ask for their digital keys and who would comply, are innocent people. Are we sure that Donald Trump or Adolf Hitler isn’t the Chief of Police in Canada?
“There’s been quick, albeit polite, pushback.”
I mean…it IS Canada.
Seriously though, this is terrible for security.
It’s a subtle difference, but a vital one: IMO, the Police Chiefs ought to have opened the batting with a more palatable option, namely that courts should have the power, with suitable oversight, to require access to decrypted data of certain sorts if pertinent to a case. IMO this is a logical progression from a search warrant process of this sort: “open the trunk, we have a warrant”, “no, I refuse”, “we’ll open it with a crowbar”, “oh, no you won’t, stand back, I’m torching the car”, “we’re nicking you for obstructing justice, tampering with evidence and so on.”
(There’s no point in having search warrants if they are voluntary, just as there’s no point in having roadside blood-alcohol testing laws if there’s no penalty for simply refusing the test.)
It sounds like a small deal, but there is a difference between, “Give us the password and let us see what we can do with it” and “the court has authorised us to take and use data from the following devices, so provide it please.” The accused might choose to hand over the password, just like he might choose to give the cop the key to the padlock on the storage locker, or he might choose to unlock it himself and stand aside.
How to figure out when witnesses are pretending to be unable to remember their passwords and when they are obstructing justice is a tricky problem, but it isn’t an issue that’s new to the judiciary. As the “Miranda Rights” equivalent in the UK goes:
(I think the penultimate sentence is crying out for ‘that’ instead of ‘which’, but that’s a digression for a more laid-back time.)
The police have the right to decrypt stuff. Whether they have sufficient computing power or sufficient rights to request the decryption key is a whole different issue. Next up, they’ll want everyone to only communicate in English because translating from a different language is hard.