Encryption is Evidence of Illegal Activity
Most of our readers will be aware that the Customs Service has a program to search the laptops of selected travelers returning to the United States. Typically, a traveler is asked to step aside, power on the computer, and provide the password so that the computer can be perused, ostensibly for contraband. Of course, anyone who experiences this will, at best, find this a huge hassle. Moreover, if you also happen to be trafficking in child pornography or jihadist writings, your trip may get a lot worse at this point. However, what if you’re a mild-mannered businessman, or woman, who’s been abroad on business and just wants to get home with his or her company-provided laptop?
The answer is it’s not so pretty. There are many reasons you might not want the government to know the contents of your laptop. For example, your laptop might contain the confidential information of clients for whom you provide highly sensitive and confidential advice. Or, your laptop may contain writings that are privileged communications between yourself and your attorney; or your laptop might contain the confidential intellectual property of your employer which you are bound to keep secret under the terms of your employment contract, unless you are compelled to reveal it through judicial due process. The little kabuki drama that unfolds at Customs is not a judicial due process. So, you may be tempted to simply refuse to provide the password to unlock and/or decrypt the computer. Now what?
The government may seize your computer and keep it for an indeterminate period of time while they examine it for contraband. Apparently, after a recent ruling by the United States District Court, you have essentially no rights in this matter. [Genao v. U.S., 2009 WL 1033384 (U.S. District Court for the Southern District of New York 2009)] This is true even if you are a US citizen with a valid passport having traveled abroad legally and satisfied all of the procedural requirements. The government need not show “probable cause” in order to look at your computer. In fact, as with compulsory sobriety checkpoints, the government may simply pursue a program of spot checks and random searches in order to reach its reasonable goal of preventing contraband from entering the country.
In Genao the ruling came on a motion to return seized computers, hard disks and CDs after the conclusion of a child pornography trafficking case in which Genao was convicted. The government had been unable to decrypt many of the CDs. Nevertheless, the court held that the presence of encryption gives rise to a reasonable presumption that the illegal data must be on the encrypted storage devices. In this case, the illegal activity was child pornography; the court reasoned that encrypted files and storage devices could be presumed to contain contraband and were not returned to Genao, even though the legal precedent established that there was no reason for the government to retain the encrypted disks after a conviction had been obtained and the case concluded. [CYB3RCRIM3 Blog, June 17, 2009]
Based on this ruling, I would advise my clients not to travel with their laptops if they contained any encrypted or confidential material. Or, purchase and use a “throwaway” laptop for the duration of your trip or have your company maintain a supply of such throwaways so that simple e-mail, PowerPoint, and other basic functions could be provided for business purposes while on the trip. Then, use unbreakable encryption (PGP was cited in the case as not susceptible to forensic attempts to disclose the key and therefore I deem it “unbreakable”) to encrypt all remaining sensitive materials, personal identifying information, and other intellectual property, for which any businessperson might have a reasonable cause of confidentiality. Then, when the customs inspector asks you to supply the password, cheerfully refuse and surrender the PC. If enough people do this, customs will have to revise its policy and show probable cause and/or obtain a warrant to search the laptop. Breaking PGP, when it has been used with a sound key generation process, is going to be practically impossible even for the vast United States government. 10 years ago, when I talked with a high Justice Department official he told me that even then (1997) unbreakable encryption was being encountered in something like 2% of all criminal cases. One can only assume that that number has increased as concerns about computer security have continued to escalate — totally apart from the rise in criminal activity that might also benefit from the use of encryption. Oh, and one more teensy little point: all of the above also would apply to cell phones, iPhones, PDAs, memory cards etc. etc.
The real legal issue here is, of course, the presumption — now recognized by the United States government judicial system — that any use of encryption (a) is a reasonable indicator that the encrypted material contains evidence of criminal activity or contraband and, (b) that the burden of proof transfers to the claimant to prove that the encrypted files do not contain evidence of criminal activity or contraband. Since it is already established law that under the Fifth Amendment, one cannot be compelled to reveal a password, it now appears clear that a prudent, law-abiding citizen has no option but to surrender his or her laptop upon demand by the Customs Service.
None of the foregoing argument should be construed as advocating the position that the Department of Homeland Security should in any way relent on its efforts to identify contraband coming into the country. It’s a real Catch-22. Right now, they search something like one in every 1000 laptops entering the country. This is a deterrent, not a prophylaxis. DHS might well argue that a strip search of one in every 1000 passengers entering the United States was similarly justified. After all, it is well known that contraband can enter the country secreted in the body cavities of “mules” hired for the purpose. Knowing that you had a one in 1000 chance of being strip searched for no apparent reason might have the salutary effect of reducing the waiting lines for travelers planning to reenter the country. But just as we have been required since 2002 to remove our shoes at the airport checkpoint for fear that we have hidden an improvised explosive device in our heel — after some nitwit attempted it that year — TSA rules and procedures serve as a ready and all too apparent indicator both that we are in a continued struggle and of the efforts being made to win that struggle. In contrast, of course, cargo containers entering the US are not effectively scrutinized and could readily contain contraband or worse. However, procedures on cargo docks are out of sight and out of mind for the American public. Therefore, the arguably inane procedures we follow at airport security are primarily intended to remind us — the good guys and gals — that there are real risks and we are expected to do our part to combat those risks. But do the procedures go too far for no real gain in security? We think so.
Hopefully the bad law that equates encryption with criminality will soon be reviewed and reversed. Maybe the PGP Corporation will pursue this topic out of enlightened corporate self-interest. Phil Zimmermann, the inventor of PGP, has already run the gauntlet of fighting the U.S. government for his rights over encryption. It would be a shame to think that we still need Phil or the PGP Corporation to help establish our rights once again. But I fear that until the laptops start piling up over at DHS, we will be stuck with the unfortunate current state of affairs.
Obviously, the thing to do here is to require a warrant or at a minimum probable cause before demanding and searching a computer at the airport. Unlike removing one’s shoes, divulging confidential information to the government as a condition for a citizen’s reentry to the United States is fundamentally intrusive, foolish and a violation of our Constitution. The unjustified searches and seizures need to stop now.