privacyguides.org/_includes/legacy/sections/key-disclosure-law.html

89 lines
8.9 KiB
HTML
Raw Normal View History

<h1 id="kdl" class="anchor"><a href="#kdl"><i class="fas fa-link anchor-icon"></i></a> Key Disclosure Law</h1>
<h3>Who is required to hand over the encryption keys to authorities?</h3>
<p>Mandatory <a href="https://en.wikipedia.org/wiki/Key_disclosure_law">key disclosure laws</a> require individuals to turn over encryption keys to law enforcement conducting a criminal investigation. How these laws are implemented (who may be legally compelled to assist) vary from nation to nation, but a warrant is generally required. Defenses against key disclosure laws include steganography and encrypting data in a way that provides plausible deniability.</p> <p><a href="https://en.wikipedia.org/wiki/Steganography">Steganography</a> involves hiding sensitive information (which may be encrypted) inside of ordinary data (for example, encrypting an image file and then hiding it in an audio file). With plausible deniability, data is encrypted in a way that prevents an adversary from being able to prove that the information they are after exists (for example, one password may decrypt benign data and another password, used on the same file, could decrypt sensitive data).</p>
<div class="row mb-2">
2020-12-03 23:44:27 -05:00
{% include legacy/panel.html color="danger"
title="Key disclosure laws apply"
body='
<ol class="card-ol">
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Antigua_and_Barbuda">Antigua and Barbuda</a> <div class="float-right"><span class="flag-icon flag-icon-ag"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Australia">Australia</a> <div class="float-right"><span class="flag-icon flag-icon-au"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#France">France</a> <div class="float-right"><span class="flag-icon flag-icon-fr"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#India">India</a> <div class="float-right"><span class="flag-icon flag-icon-in"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Ireland">Ireland</a> <div class="float-right"><span class="flag-icon flag-icon-ie"></span></div></li>
<li><a href="https://edri.org/norway-introduces-forced-biometric-authentication/">Norway</a> <div class="float-right"><span class="flag-icon flag-icon-no"></span></div></li>
<li><a href="https://www.bloomberg.com/news/articles/2018-03-20/telegram-loses-bid-to-stop-russia-from-getting-encryption-keys">Russia</a> <div class="float-right"><span class="flag-icon flag-icon-ru"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#South_Africa">South Africa</a> <div class="float-right"><span class="flag-icon flag-icon-za"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#United_Kingdom">United Kingdom</a> <div class="float-right"><span class="flag-icon flag-icon-gb"></span></div></li>
</ol>
'
%}
{% include legacy/panel.html color="danger"
title="Key disclosure laws may apply"
body='
<ol class="card-ol">
<li><a href="https://tweakers.net/nieuws/163116/belgische-rechter-verdachte-mag-verplicht-worden-code-smartphone-af-te-staan.html">Belgium</a> <div class="float-right"><span class="flag-icon flag-icon-be"></span></div></li>
2019-03-31 22:39:05 -04:00
<li><a href="https://www.riigiteataja.ee/akt/106012016019">Estonia</a> <div class="float-right"><span class="flag-icon flag-icon-ee"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Finland">Finland *</a> <div class="float-right"><span class="flag-icon flag-icon-fi"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#New_Zealand">New Zealand</a> (unclear) <div class="float-right"><span class="flag-icon flag-icon-nz"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#The_Netherlands">The Netherlands *</a> <div class="float-right"><span class="flag-icon flag-icon-nl"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Sweden">Sweden</a> (proposed) <div class="float-right"><span class="flag-icon flag-icon-se"></span></div></li>
2019-04-02 20:31:34 -04:00
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#United_States">United States</a> (see related info) <div class="float-right"><span class="flag-icon flag-icon-us"></span></div></li>
</ol>
'
%}
{% include legacy/panel.html color="secondary"
title="Key disclosure laws don't apply"
body='
<ol class="card-ol">
2020-09-25 11:28:35 -04:00
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Canada">Canada</a> <div class="float-right"><span class="flag-icon flag-icon-ca"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Czech_Republic">Czech Republic</a> <div class="float-right"><span class="flag-icon flag-icon-cz"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Germany">Germany</a> <div class="float-right"><span class="flag-icon flag-icon-de"></span></div></li>
2019-03-31 22:41:07 -04:00
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Iceland">Iceland</a> <div class="float-right"><span class="flag-icon flag-icon-is"></span></div></li>
2019-04-13 00:27:37 -04:00
<li><a href="https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/italy">Italy</a> <div class="float-right"><span class="flag-icon flag-icon-it"></span></div></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law#Poland">Poland</a> <div class="float-right"><span class="flag-icon flag-icon-pl"></span></div></li>
<li><a href="https://www.wikipedia.org/wiki/Key_disclosure_law#Switzerland">Switzerland</a> <div class="float-right"><span class="flag-icon flag-icon-ch"></span></div></li>
</ol>
'
%}
</div>
<p>* <em>People who know how to access a system may be ordered to share their knowledge. However, this doesn't apply to the suspect itself or family members.</em></p>
<h3>Related Information</h3>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law">Wikipedia page on key disclosure law</a></li>
<li><a href="https://law.stackexchange.com/questions/1523/can-a-us-citizen-be-required-to-provide-the-authentication-key-for-encrypted-dat">law.stackexchange.com question about key disclosure law in US</a></li>
<li><a href="https://peertube.mastodon.host/videos/watch/e09915eb-5962-4830-a02f-8da5c2b59e71">DEFCON 20: Crypto and the Cops: the Law of Key Disclosure and Forced Decryption</a></li>
</ul>
<h3 id="usa" class="anchor">Why is it not recommended to choose a US-based service?</h3>
2020-12-03 23:44:27 -05:00
<img src="/assets/img/legacy_svg/layout/great_seal_of_the_united_states_obverse.svg" width="200" height="200" class="img-fluid float-right ml-3" alt="USA">
Fix some typos, grammar, etc., and add details (#1418) * Fix some typos, grammar, etc. on the site Fixes some issues with typos, capitalization, grammar, and et cetera. * Fix typo, grammar, etc. in repository * Update README.md Mention Discourse community earlier, add missing period * Update CONTRIBUTING.md i.e. is used for equivalence or clarification while e.g. is for examples. For instance, we shouldn't say that IMAP is equivalent or an explanation to all open-source software used to access email (e.g. there's POP3, open-source clients to access when there isn't IMAP such as Tutanota, etc.). We also shouldn't call IMAP open-source software since it's a protocol. * Change "socially motivated * Apply suggestions from code review Co-Authored-By: Jonah Aragon <jonah@triplebit.net> * Suggestion from code review with extras * 'Kill switch' to 'Killswitch" * Consistency and minor additions to details - More parallel sentence structures, following <Name> <Verb phrase> for the first sentence of cards. Related to issue #1420. - Make Njalla parallel to the others, and mention Njalla is based in Nevis with VPS in Sweden - Don't use "us" when talking about external services - Orange Website also provides domain registration - Update capitalization and add more hyphens - Mention that TOS;DR evaluations are done by the community and that they also evaluate privacy policies (see https://edit.tosdr.org/about) - "E2EE encryption" is redundant since "E2EE" already has "encryption" in it. Might as well expand it since full term is used later on. - <Name> <Verb phrase> structure for Magic Wormhole - For consistency, don't start Worth Mentioning entries with the name - https://english.stackexchange.com/questions/27707/post-hyphenation-of-split-compound-words - All the other "alert alert-warning" don't repeat the generic name and we also don't say 'a software' * instant-messenger: Remove <em>, more cleanup * voice-video-messenger: Hyphens and cleanup - We don't say "a software" so replace it with something that works * paste-services: Cleanup & change cryptography info As per CryptPad's whitepaper and FAQ: https://cryptpad.fr/faq.html#security-crypto https://blog.cryptpad.fr/images/CryptPad-Whitepaper-v1.0.pdf Fixes #1417. * encryption: "open-source" * Page descriptions and other cleanup
2019-10-26 01:58:01 -04:00
<p>Services based in the United States are not recommended because of the country's surveillance programs and use of <a href="https://www.eff.org/issues/national-security-letters/faq">National Security Letters</a> (NSLs) with accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to <a href="https://www.schneier.com/blog/archives/2013/08/more_on_the_nsa.html">secretly force</a> companies to grant complete access to customer data and transform the service into a tool of mass surveillance.</p>
2019-05-12 03:09:01 -04:00
<p>An example of this is <a href="https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order">Lavabit</a> a secure email service created by Ladar Levison. The FBI <a href="https://www.vice.com/en_us/article/nzz888/lavabit-founder-ladar-levison-discusses-his-federal-battle-for-privacy">requested</a> Snowden's records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a subpoena (with a gag order) for the service's SSL keys. Having the SSL keys would allow them to access
communications (both metadata and unencrypted content) in real time for all of Lavabit's customers, not just Snowden's.</p>
<p>Ultimately, Levison turned over the SSL keys and <a href="https://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email">shut down</a> the service at the same time. The US government then <a href="https://www.cnbc.com/id/100962389">threatened Levison with arrest</a>, saying that shutting down the service was a violation of the court order.</p>
<h3>Related Information</h3>
<ul>
<li><a href="https://www.bestvpn.com/the-ultimate-privacy-guide/#avoidus">Avoid all US and UK based services</a></li>
<li><a href="https://en.wikipedia.org/wiki/Surespot#History">Proof that warrant canaries work based on the surespot example.</a></li>
<li><a href="https://en.wikipedia.org/wiki/UKUSA_Agreement">The United Kingdom United States of America Agreement (UKUSA)</a></li>
<li><a href="https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_order">Lavabit: Suspension and gag order</a></li>
<li><a href="https://en.wikipedia.org/wiki/Key_disclosure_law">Key disclosure law</a></li>
<li><a href="https://en.wikipedia.org/wiki/Portal:Mass_surveillance">Wikipedia Portal: Mass_surveillance</a></li>
</ul>