Tech Liberty NZ Defending civil liberties in the digital age

Problems with Customs having the power to force decryption

Posted on March 4, 2015

It seems obvious - when you enter the country Customs can force you to open a briefcase to look for illegal drugs, so why can't they force you to decode an encrypted file on your computer so they can look for information about illegal drug smuggling?

Customs have issued a set of papers discussing a planned review of the Customs & Excise Act. In the Powers paper, they are asking for the power to force people to hand over the passwords for their electronic devices or face penalties.

Unfortunately the analogy breaks down when you consider what would actually happen in the real world.

  • If a person tries to enter New Zealand with a locked briefcase and refuses to open it on request, the Customs officer gets a hammer and chisel and forces it open.
  • If the person tries to enter New Zealand with a laptop containing a file that cannot be read and the person doesn't hand over the key, the Customs officer can do nothing.

The important thing to note is that with a locked physical object there is always the option of literally forcing the issue. Any refusals are merely a delaying tactic.

The situation with encrypted files could be any of the following:

  1. The file is just random information used by an application (e.g. disk performance testing). In this case the person who owns the computer cannot provide the key to decrypt it because there isn't one - but the Customs people can't tell whether that (a properly encrypted files looks like random noise).
  2. The file was not put there by the owner of the laptop but was placed there by someone else - either part of the operating system and pre-loaded applications, or by a software install, or by malware, or by someone else who borrowed the computer for the weekend. In these cases the person who owns the computer can't provide the key because they don't know it.
  3. The file is an encrypted file containing illegal material that could see the person go to jail for a number of years. They refuse to provide the key and choose to pay the (theoretical) $500 fine instead.

In all these cases there is nothing that the Customs officer can do to overcome either the ignorance of the person or their unwillingness to comply. The issue cannot be forced because a modern encryption system can't be cracked without the proper key.

There's also no easy way for the Customs officer to tell which situation they're dealing with. Is that person saying they don't know anything about any encrypted files on their laptop telling the truth or lying?

The worrying thing is that in any case where you make the penalties extreme enough to intimidate someone who does have illegal files into handing the key over, you are also going to end up victimising the innocents who either don't have any encrypted files or don't have the keys for them by making them suffer those same penalties.

And, of course, someone who really was bringing in illegal files is much more likely to store the information online somewhere, enter the country with a completely clean laptop and download it when they got here. Or they might use an encryption system that supports a "Police Key" and a "Real Key", where handing over the "Police Key" just presents some fake innocuous files.

Conclusion

We haven't even considered the civil liberties issues such as being able to protect your most personal files from government snoops, or that Customs has long been suspected of exceeding its powers to do searches on behalf of the Police.

Importantly, things that work in the physical domain don't always transfer cleanly across to the digital domain. There are real issues with how any such power to force people to hand over keys would be used in practice.

Giving Customs this power might catch a few naive criminals but it's not going to catch people who are even halfway serious about personal security - and we're worried that too many blameless people might get caught up in the net, forced into the difficult task of trying to prove that they don't know something.

Kiwicon – The government is your friend

Posted on November 7, 2011

The government is your friend and wants you to be happy.

This is the transcript of a speech given by Thomas Beagle at Kiwicon in Wellington on November 6th, 2011.

Customs testing body scanners

Posted on July 31, 2011

New Zealand Customs have been trialling body scanners at Auckland Airport and are now working on plans to implement them.

Green Party MP Keith Locke says that using such equipment is illegal as they are banned by the Aviation Crimes Act.

with respect to a person searched under subsection (1), a member of the police, an aviation officer, a Customs officer, or an agent of the carrier authorised by the carrier for the purpose may not use an aid or device that produces an unclothed image of the person.

We also had concerns about both the desirability and legality of this body scanning technology and wrote to the Minister of Customs, Maurice Williamson, earlier this year expressing our concerns. He responded (PDF) that while it was illegal to use body scanners for the purposes of aviation security, it was allowed under the Customs and Excise Act 1996 for the purpose of searching for contraband.

However, Keith Locke responds that the language used when the Aviation Crimes Act was amended in 2007 very clearly showed that Parliament's intention was to "...prevent any production of an unclothed image ... there was no hint of any exception."

Maurice Williamson says that he is not aware of any plans to further amend the Aviation Crimes Act.

Why did Customs seize this laptop?

Posted on March 8, 2010

[This post was prompted by contact from a person who had a laptop seized. Since original publication they have asked for their comments to be removed.]

We recently asked Customs whether they were able to do this and they replied that they could under the Customs and Excise Act (1996).

Looking for information

We'd like to find out more about what Customs are doing in this area. In particular we'd like to know what they're looking for, whether they're targeting anyone in particular, and what they do with the systems and data they seize.

Please contact us if this has happened to you or anyone you know. Please include as much detail as possible. We promise to respect your anonymity.