FC: Orin Kerr says "encryption in a crime" penalty isn't that bad

From: Declan McCullagh (declanat_private)
Date: Wed Feb 12 2003 - 12:18:00 PST

  • Next message: Declan McCullagh: "FC: Bill Purdy accuses WashPost attorneys of hijacking his domains"

    --
    
    From: "Orin Kerr" <okerrat_private>
    To: declanat_private
    Date: Wed, 12 Feb 2003 14:47:55 -0600
    Subject: for politech, if you like
    
    Declan,
    
    This is an edited version of a blog posting of mine commenting on the proposed
    offense, "unlawful use of encryption." The original is here:
    http://volokh.blogspot.com/2003_02_09_volokh_archive.html#90304660
    
    Orin
    _________________________________
    
    WOULD A LAW CRIMINALIZING "UNLAWFUL USE
    OF ENCRYPTION" HAVE MORE BARK THAN BITE?
    
         Section 404 of the new DOJ anti-terrorism proposal has a section that 
    would
    create a new federal crime, "unlawful use of encryption." The proposal 
    would allow
    the government to charge "[a]ny person who, during the commission of a felony
    under Federal law, knowingly and willfully encrypts any incriminating
    communication or information relating to that felony" with a separate 
    felony crime.
    DOJ argues that this crime is "warranted to deter the use of encryption 
    technology
    to conceal criminal activity."
    
         Civil libertarians worry that this law will just thump pretty much 
    every computer
    criminal with an extra five years in prison. Declan McCullagh argues: "When
    encryption eventually becomes glued into just about every technology we 
    use, from
    secure Web browsing to encrypted hard drives, the [provision] would have the
    effect of boosting maximum prison terms for every serious crime by five 
    years. It'll
    be no different--and no more logical--than a law that says 'breathing air 
    while
    committing a crime' is its own offense."
    
         I think both sides are a bit off here. DOJ is probably optimistic 
    about the likely
    good of this proposal, and Declan overstates the harm. If passed into law, 
    I think
    this crime would probably make little difference in practice, and would be 
    charged
    only rarely.
    
         Why wouldn't this law make much of a difference? Let's start by 
    considering
    how law enforcement discovers uses of encryption in criminal cases. The FBI 
    gets
    legal authority to conduct surveillance of a suspect in a particular case, 
    and when
    they get the information, they find out it is encrypted. What to do? 
    Decrypting the
    information by brute force is essentially impossible, so the FBI will 
    either a) locate
    the key that will allow them to decrypt the information, or b) never be 
    able to
    decrypt the information and will try to solve the case in another way.
    
          If the FBI cannot find the key, the defendant will not be charged 
    under the
    "unlawful use of encryption" statute because the government will lack 
    proof: if the
    government can't decrypt a file, it cannot prove that the file is 
    "incriminating" and
    that the information it contains "relat[es]" to another felony the 
    defendant is
    committing. The government can only bring the charge if they have successfully
    decrypted the communication, which to my knowledge has happened in only two
    cases (including the Scarfo case).
    
         But what if the government succeeds in decrypting a defendant's files, 
    and finds
    out that a defendant was in fact encrypting incriminating information 
    relating to a
    felony? Won't the government be able to add an extra five years in the 
    slammer to
    that defendant's sentence? It's quite unlikely. First, the proposed statute 
    requires
    that the government show that the defendant encrypted the incriminating
    communication "willfully." Although the meaning of "willfully" in federal 
    criminal law
    is not entirely settled, the word usually means "in knowing violation of 
    the law." In
    other words,  the government must show not only that the defendant knew 
    that he
    was concealing the information, but that he knew that it was illegal to do 
    so. Even
    where applicable, this would be extremely hard for the government to prove:
    criminal defendants have a constitutional right not to testify, which means 
    that the
    government would have to prove based on the context that the defendant must 
    have
    known that his use of encryption was criminal. Given that the law only 
    applies to the
    use of encryption to further federal (not state) crimes that are felonies (not
    misdemeanors), this would be hard to do.
    
         But let's say a defendant sent an e-mail to the FBI when he encrypted 
    his files,
    saying: "Dear Mr. FBI Agent, I am hereby encrypting files in furtherance of a
    federal felony offense, and I realize it is a crime." In that case, the 
    government
    would be able to prove the defendant encrypted his communications willfully.
    Wouldn't it add five years to a defendant's sentence then? Not necessarily. 
    The
    trick is that the "five year" penalty for this proposed crime is only a 
    theoretical
    maximum penalty: the actual sentence would be imposed under the federal
    Sentencing Guidelines. (This is true for all federal crimes, actually, and 
    means that
    you need to be skeptical when you read about people being arrested and facing
    zillions of years in prison. It's not uncommon for a defendant to be 
    arrested on 10
    felony counts each with a maximum of 10 years in prison, and for the 
    defendant to
    plead guilty and get a sentence of 6 months in prison or even just probation.)
    
          The real question of how the proposed law would impact criminal 
    sentences
    depends upon how it would be treated under the Sentencing Guidelines. There 
    are
    no guidelines for this crime, of course (this just being a proposed law, 
    not an
    actual one), so the actual effect of a conviction under the proposed crime 
    is a
    matter of speculation. But it's worth noting that the most common approach to
    grouping related offenses under the guidelines is for the most serious 
    offense to
    control the sentence. So if I go on a crime spree and commit one serious 
    federal
    offense along with three minor federal offenses, the offenses normally will be
    "grouped" and only the most serious offense will actually determine the 
    sentence.
    The rest of the crimes won't make a difference.
    
          Why does this matter? It matters because the proposed crime is by its 
    nature a
    dependent crime: a defendant would be guilty of unlawful use of encryption 
    only if
    he was also guilty of another federal felony crime, and the government 
    could prove
    that other felony. As a result, if the independent crime is the more 
    serious crime
    under the guidelines, the "grouping" of the offenses could make the 
    independent
    crime the key offense under the guidelines.  In this case, a conviction for 
    unlawful
    use of encryption might have no effect whatsoever on the defendant's 
    sentence.
    (As I said above, though, this is just speculation-- the actual effect 
    would be up to
    the Sentencing Commission, which would have to figure out how to deal with 
    this
    new crime if it became law.)
    
          If the law could have so little effect, you may be wondering, why 
    would DOJ
    propose it in the first place?  One possibility is that deterrence can work 
    based on
    perceptions as much as reality.  If people *think* that this law will send 
    them to jail
    for an extra five years for using encryption to further a serious crime, 
    they might
    be deterred from using encryption to further criminal activity-- even if 
    the law is
    unlikely to do that.
    
    Orin S. Kerr
    Associate Professor
    George Washington University Law School
    Washington, DC 20052
    
    
    
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    -------------------------------------------------------------------------
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    Recent CNET News.com articles: http://news.search.com/search?q=declan
    -------------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Wed Feb 12 2003 - 12:39:44 PST