It seems obvious – when you enter the country Customs can force you to open a briefcase to look for illegal drugs, so why can’t they force you to decode an encrypted file on your computer so they can look for information about illegal drug smuggling?
Customs have issued a set of papers discussing a planned review of the Customs & Excise Act. In the Powers paper, they are asking for the power to force people to hand over the passwords for their electronic devices or face penalties.
Unfortunately the analogy breaks down when you consider what would actually happen in the real world.
- If a person tries to enter New Zealand with a locked briefcase and refuses to open it on request, the Customs officer gets a hammer and chisel and forces it open.
- If the person tries to enter New Zealand with a laptop containing a file that cannot be read and the person doesn’t hand over the key, the Customs officer can do nothing.
The important thing to note is that with a locked physical object there is always the option of literally forcing the issue. Any refusals are merely a delaying tactic.
The situation with encrypted files could be any of the following:
- The file is just random information used by an application (e.g. disk performance testing). In this case the person who owns the computer cannot provide the key to decrypt it because there isn’t one – but the Customs people can’t tell whether that (a properly encrypted files looks like random noise).
- The file was not put there by the owner of the laptop but was placed there by someone else – either part of the operating system and pre-loaded applications, or by a software install, or by malware, or by someone else who borrowed the computer for the weekend. In these cases the person who owns the computer can’t provide the key because they don’t know it.
- The file is an encrypted file containing illegal material that could see the person go to jail for a number of years. They refuse to provide the key and choose to pay the (theoretical) $500 fine instead.
In all these cases there is nothing that the Customs officer can do to overcome either the ignorance of the person or their unwillingness to comply. The issue cannot be forced because a modern encryption system can’t be cracked without the proper key.
There’s also no easy way for the Customs officer to tell which situation they’re dealing with. Is that person saying they don’t know anything about any encrypted files on their laptop telling the truth or lying?
The worrying thing is that in any case where you make the penalties extreme enough to intimidate someone who does have illegal files into handing the key over, you are also going to end up victimising the innocents who either don’t have any encrypted files or don’t have the keys for them by making them suffer those same penalties.
And, of course, someone who really was bringing in illegal files is much more likely to store the information online somewhere, enter the country with a completely clean laptop and download it when they got here. Or they might use an encryption system that supports a “Police Key” and a “Real Key”, where handing over the “Police Key” just presents some fake innocuous files.
We haven’t even considered the civil liberties issues such as being able to protect your most personal files from government snoops, or that Customs has long been suspected of exceeding its powers to do searches on behalf of the Police.
Importantly, things that work in the physical domain don’t always transfer cleanly across to the digital domain. There are real issues with how any such power to force people to hand over keys would be used in practice.
Giving Customs this power might catch a few naive criminals but it’s not going to catch people who are even halfway serious about personal security – and we’re worried that too many blameless people might get caught up in the net, forced into the difficult task of trying to prove that they don’t know something.