Passwords are the new guns

Guest Blogger:

Your password is a gun. It can’t shoot but at least the government treats it like a gun. In the UK, they made it a crime to refuse to give up your password to the government. The US long considered encryption an armament.  It means encryption has military uses like weapons, infra-red goggles, plutonium, and armoured cars. When the government forces you to give up your password, it can read your data. Then you can’t hide anything from the government. It can get what it wants by demanding your password. In the UK, you can go to prison for years if you say no. In this information age, there is a real public interest in giving the government electronic investigation powers. But the UK is doing it the wrong way. They breach your right not only to privacy but also to due process. If gun rights didn’t sound so silly today, I would call the encryption rights the new gun rights.

The UK government recently disclosed that two people had been convicted for refusing to give up their encryption keys. There is no word on the sentence, but the prison term for this offence can stretch to five years. The UK government has had a power to take passwords by force since October 2007.  This is how it works. If the government believes it needs your password for national security, crime prevention, or for economic well-being of the UK, it can give you a section 49 notice, named after the authorizing section of the Regulation of Investigatory Powers Act. A permission of the court is not necessary for this notice. You have only “reasonable” time to comply. After that, prosecutors can charge you with a criminal offence if you “knowingly” fail to give up the password.

Don’t say you have nothing to hide because you didn’t do anything wrong. There is a good reason to hide anything you want and still be a good citizen. Governments consist of people, even democratic governments. No matter how much you feel your government represents you, there are two ways in which a government can go rogue. First, you stop being in the majority. Second, a government official figures the majority won’t notice or will forgive him for abusing only you. That’s why many modern democratic countries enshrine human rights in their constitutional law: the US, Canada, and the EU, for example. Our Charter of Rights and Freedoms lets you ask the courts for protection from rogue government officials no matter what the majority thinks. The Canadian Constitution is a curb on both the government and the will of the majority. It presumes that both of them can do bad things. No one is a saint.

There are two ways to protect yourself from the government’s or the majority’s abuse. One is the constitutional law. The other one is physical. Many, many years ago gun ownership was such a physical barrier to government abuse. In the 18th century, it was reasonable to think that if men had guns, the government would not abuse them for fear of an armed response. Today it doesn’t make sense, of course, because no armed band of neighbourhood dads will be a match for the modern state’s professional military machine. But things we want to protect with physical barriers from governments gone astray are different today. It’s not land, or crops, or not even our physical liberty or security (courts do a good job protecting those two from abuse, and if a day comes when they can’t, a higher being will be our only hope).

What we more and more often want to protect today is computer data. Our lives are online or on the hard drive. Emails, records of every website we go to, diaries, mad or creepy thoughts we share with the computer screen, political manifestos, ideas, inventions, art: it’s really anything that can change the world in a perfectly legal way but an official may want to censor, delete or use in some other way to harass you, charge you, or declare that you don’t look like your passport picture when you go abroad. Do we live in a dictatorship? Of course not. Does our government do things like that routinely? No, no, and no. Does it looks like it wants to? Not really. But like the Charter presumes that the government has the capacity for evil, every citizen must have a right to presume the same thing and to build impenetrable walls around his private life. Gun lovers in a certain country south of the border got a wrong target in their sights. They cling to the wrong tools. Guns are outdated, good-for-nothing protection of human rights. Passwords are the new guns.

The UK law wants to take your passwords from you. And like many things in the computer age, passwords are tricky. You can’t rip them from the owner’s arms and break them into pieces. You can’t even know for sure who has them or who the owner of the data they protect is. That’s a huge problem with the UK law. To overcome this problem, the law must make presumptions. First, it must presume that whoever has the hardware, owns the data on it. Unfair. Plug your computer and lots of stuff will land on your hard drive in the first five minutes without your knowledge. Second, the law must assume that whoever has the encrypted data, knows the password. Don’t ever forget passwords that the government wants. It’s may be a criminal offence in the UK. Finally and most scarily, the law must presume that every chunk of random data is encrypted. Without a password, there is no way to tell an encrypted Word document from a piece of an image file. Encryption works by making ordered data appear random. Sadly, much legitimate, unencrypted data on your hard drive looks exactly like that. Experts can even encrypt text by turning it into a jpeg of a cat.

There is a very thin line between enforcing the UK password law and letting cops wade through arbitrary computers under the cover of the today’s hottest flavour of the public interest. There are just too many legal fictions in this criminal offence. For this reason, I think Canadian courts would not let it stand if our Parliament passed a similar law. It’s just not necessary to force people to give up passwords to defend the absolutely legitimate public interest of safety or national security. The government can do its job without breaching human rights this much. Forcing people to surrender passwords will not minimally impair their Charter rights. The offence in the UK law is also too vague because any file with random data is potentially encrypted and subject to investigation. Giving up passwords may also be self-incriminating. No one should be punished for refusing to testify against themselves.

Let’s not kid ourselves. More and more criminals will encrypt the data used to commit crimes. But the way computer networks work makes it easy for that data to end up on an ordinary citizen’s computer. The government shouldn’t have powers to force us to give up passwords to any random heap of data that it believes to be connected to criminal activity. Passwords to our email or computer accounts will not be safe from such investigations either. Spammers bombard our computers with billions of attachments every year. There is a good chance spammers’ networks or computers are implicated in crime. That’s a real connection to our pretty Macs or drab PCs humming in our living rooms or bedrooms. And little can stop the police from suspecting that you know the password. This scenario doesn’t have to be common to cause alarm. It should cause alarm because of its potential for abuse. Making it an offence to refuse to give passwords justifies police involvement that can go beyond reasonable limits. That’s too much for our civil liberties, even in the name of fighting crime.

The UK password law is harsh and unreasonable. It can make too many law-abiding citizens targets of police interest. It will make them potential criminals when they refuse  to take down barriers between their private space and the government. Someone said we increasingly lived online. If we take our affairs to the electronic realms, let’s make sure we take our civil liberties there too, even if we have nothing to hide.

Leave a Reply

Your email address will not be published. Required fields are marked *