It seems obvious - when you enter the country Customs can force you to open a briefcase to look for illegal drugs, so why can't they force you to decode an encrypted file on your computer so they can look for information about illegal drug smuggling?
Customs have issued a set of papers discussing a planned review of the Customs & Excise Act. In the Powers paper, they are asking for the power to force people to hand over the passwords for their electronic devices or face penalties.
Unfortunately the analogy breaks down when you consider what would actually happen in the real world.
- If a person tries to enter New Zealand with a locked briefcase and refuses to open it on request, the Customs officer gets a hammer and chisel and forces it open.
- If the person tries to enter New Zealand with a laptop containing a file that cannot be read and the person doesn't hand over the key, the Customs officer can do nothing.
The important thing to note is that with a locked physical object there is always the option of literally forcing the issue. Any refusals are merely a delaying tactic.
The situation with encrypted files could be any of the following:
- The file is just random information used by an application (e.g. disk performance testing). In this case the person who owns the computer cannot provide the key to decrypt it because there isn't one - but the Customs people can't tell whether that (a properly encrypted files looks like random noise).
- The file was not put there by the owner of the laptop but was placed there by someone else - either part of the operating system and pre-loaded applications, or by a software install, or by malware, or by someone else who borrowed the computer for the weekend. In these cases the person who owns the computer can't provide the key because they don't know it.
- The file is an encrypted file containing illegal material that could see the person go to jail for a number of years. They refuse to provide the key and choose to pay the (theoretical) $500 fine instead.
In all these cases there is nothing that the Customs officer can do to overcome either the ignorance of the person or their unwillingness to comply. The issue cannot be forced because a modern encryption system can't be cracked without the proper key.
There's also no easy way for the Customs officer to tell which situation they're dealing with. Is that person saying they don't know anything about any encrypted files on their laptop telling the truth or lying?
The worrying thing is that in any case where you make the penalties extreme enough to intimidate someone who does have illegal files into handing the key over, you are also going to end up victimising the innocents who either don't have any encrypted files or don't have the keys for them by making them suffer those same penalties.
And, of course, someone who really was bringing in illegal files is much more likely to store the information online somewhere, enter the country with a completely clean laptop and download it when they got here. Or they might use an encryption system that supports a "Police Key" and a "Real Key", where handing over the "Police Key" just presents some fake innocuous files.
We haven't even considered the civil liberties issues such as being able to protect your most personal files from government snoops, or that Customs has long been suspected of exceeding its powers to do searches on behalf of the Police.
Importantly, things that work in the physical domain don't always transfer cleanly across to the digital domain. There are real issues with how any such power to force people to hand over keys would be used in practice.
Giving Customs this power might catch a few naive criminals but it's not going to catch people who are even halfway serious about personal security - and we're worried that too many blameless people might get caught up in the net, forced into the difficult task of trying to prove that they don't know something.
An interview with Ross from Cyberdodge, a supplier of VPN services that enables internet users to hide what they do on the internet.
What inspired you to offer the service?
People will always choose the easiest way to get the latest movies and TV shows and downloading off the internet is it. Unfortunately options are now limited to VPN tunnels not only for p2p but also for using an American IP address to get access to TV sites like www.hulu.com.
Are you getting many customers and what do they want it for?
Yes I am. VPN tunnels have a number of uses that include getting an American IP address to watch tv sites such as hulu.com, encrypt internet traffic when they are using a public WiFi point and of course hiding their real IP address.
How do you feel about the fact that some of your customers will probably be using your service to break NZ law?
What sort of information do you keep about your customers?
We only keep the email address.
What sort of information do you keep about your customers connections? (Such as when they connect, how long they connect for, anything they do through the service.)
We do not log what the user does or transfers over our network but we do log the time of connection and disconnection. We use this data to strategically deploy network resources. We also log the country the user is logging in from, this helps us to detect hijacked accounts and abuse. We do not log IP addresses.
Do you think your business has an obligation under the Telecommunications (Interception Capability) Act to allow the NZ police or other enforcement agencies to monitor traffic?
No, I am not a network operator. A network operator means a person who owns, controls, or operates a public telecommunications network or a person who supplies (whether by wholesale or retail) another person with the capability to provide a telecommunications service. CyberDodge does not provide anyone else with the capability to provide a service and CyberDodge is not a public telecommunications network. Public telecommunications network means a public switched telephone network and a public data network. CyberDodge is not a public switched telephone network nor a public data network. A public data network means a data network used, or intended for use, in whole or in part, by the public and includes, without limitation, the following facilities: Internet access and email access. CyberDodge requires that you have internet and email access already. This law applies to ISPs, which CyberDodge is not.
Do you think your business has an obligation under the Copyright (Infringing File Sharing) Act to store customer IP addresses so that you can pass on notices?
No, I am not a IPAP. IPAP, or Internet protocol address provider, means a person that operates a business that, other than as an incidental feature of its main business activities, offers the transmission, routing, and providing of connections for digital online communications, between or among points specified by a user, of material of the user's choosing and allocates IP addresses to its account holders and charges its account holders for its services and is not primarily operated to cater for transient users. CyberDodge does not offer the transmission nor providing of connections for digital online communications. CyberDodge only routes digital online communications. This law applies to ISPs and CyberDodge is not a ISP.
A Tech Liberty representative spent two half days at a group discussion about privacy and technology.
Here are some of the things that were discussed:
[This post was prompted by contact from a person who had a laptop seized. Since original publication they have asked for their comments to be removed.]
We recently asked Customs whether they were able to do this and they replied that they could under the Customs and Excise Act (1996).
Looking for information
We'd like to find out more about what Customs are doing in this area. In particular we'd like to know what they're looking for, whether they're targeting anyone in particular, and what they do with the systems and data they seize.
Please contact us if this has happened to you or anyone you know. Please include as much detail as possible. We promise to respect your anonymity.
The new Search and Surveillance Bill includes provisions to force people who own and manage computer systems to give full access to those systems. This includes the obligation to give up passwords to enable the authorities to access encrypted information.
Of course, this assumes that the person involved actually has the password. It's quite common for someone running a system to not be able to break the encryption used by other users to secure their data. Will the courts understand that? And even if they understand that, will they believe it?