Key Disclosure Law

Who is required to hand over the encryption keys to authorities?

Mandatory key disclosure laws require individuals to turn over encryption keys (or passwords) to law enforcement conducting a criminal investigation. How these laws are implemented, in particular who may be legally compelled to assist, varies from nation to nation, but a warrant or court order is generally required. Defenses against key disclosure laws include steganography and encrypting data in a way that provides plausible deniability.

Steganography involves hiding sensitive information (which may itself be encrypted) inside ordinary-looking data (for example, encrypting an image file and then hiding it in an audio file). With plausible deniability, data is encrypted in a way that prevents an adversary from proving that the information they are after exists at all (for example, one password may decrypt benign data while another password, used on the same file, decrypts the sensitive data). Both defenses depend on the carrier looking unremarkable: a hidden volume only helps if the space it occupies is indistinguishable from unused, randomly filled free space, and a steganographic image only helps if its statistics match those of an unmodified file.
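The following is an added example, not code from the original page or from any of the tools it refers to. It builds a toy deniable container of the kind described above: one file, two passwords, two different plaintexts, and no way for someone holding only the first password to tell whether a second volume is present. The slot layout, the sizes and the choice of HMAC-SHA256 in counter mode as the stream cipher are assumptions made to keep the example self-contained with the Python standard library; real tools (VeraCrypt hidden volumes, for instance) use AES-XTS and a different header format.

```python
"""Toy deniable container (added example, not from the original page).

Layout assumption: the container is CONTAINER_SLOTS fixed-size slots.
Slot 0 is the outer (benign) volume, slot 1 is the optional hidden volume.
A slot without a volume is filled with random bytes, and a sealed slot is
salt || ciphertext || HMAC tag, all of which also look random, so the two
cases are indistinguishable without the right password.
"""
import hashlib
import hmac
import os
import struct

SLOT_SIZE = 4096                       # bytes per volume slot (assumption)
SALT_LEN = 16
TAG_LEN = 32
BODY_LEN = SLOT_SIZE - SALT_LEN - TAG_LEN
CONTAINER_SLOTS = 2                    # slot 0 = outer volume, slot 1 = hidden volume
PBKDF2_ITERS = 100_000


def _derive_keys(password: str, salt: bytes):
    """Stretch the password into a 32-byte cipher key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: block_i = HMAC(key, i). Stand-in for a real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", ctr), "sha256").digest()
        ctr += 1
    return bytes(out[:length])


def _seal_slot(password: str, plaintext: bytes) -> bytes:
    """Encrypt plaintext into one slot: salt || ct(len || data || random pad) || tag."""
    if len(plaintext) > BODY_LEN - 4:
        raise ValueError("plaintext does not fit in one slot")
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    body = struct.pack(">I", len(plaintext)) + plaintext
    body += os.urandom(BODY_LEN - len(body))        # random padding, never zeros
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, BODY_LEN)))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag


def _open_slot(password: str, slot: bytes):
    """Return the slot's plaintext if the password verifies, else None."""
    salt = slot[:SALT_LEN]
    ct = slot[SALT_LEN:SALT_LEN + BODY_LEN]
    tag = slot[SALT_LEN + BODY_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None                                  # wrong password, or no volume here
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, BODY_LEN)))
    n = struct.unpack(">I", body[:4])[0]
    return body[4:4 + n]


def create_container(outer_password: str, outer_data: bytes,
                     hidden_password: str = None, hidden_data: bytes = b"") -> bytes:
    """Build a container; with no hidden password the hidden slot is just random bytes."""
    slots = [_seal_slot(outer_password, outer_data)]
    if hidden_password is None:
        slots.append(os.urandom(SLOT_SIZE))
    else:
        slots.append(_seal_slot(hidden_password, hidden_data))
    return b"".join(slots)


def open_container(password: str, container: bytes):
    """Try every slot; the first one whose tag verifies is the volume this password opens."""
    for i in range(CONTAINER_SLOTS):
        pt = _open_slot(password, container[i * SLOT_SIZE:(i + 1) * SLOT_SIZE])
        if pt is not None:
            return pt
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    c = create_container("outer-pw", b"holiday photos", "hidden-pw", b"source list")
    print(open_container("outer-pw", c))    # b'holiday photos'
    print(open_container("hidden-pw", c))   # b'source list'
    print(open_container("wrong-pw", c))    # None
```

The property to notice is that `create_container("outer-pw", data)` and `create_container("outer-pw", data, "hidden-pw", secret)` produce files of identical size whose second slot is random-looking in both cases, so handing over `outer-pw` under a disclosure order reveals nothing about whether a second password exists. The classic operational hazard carries over from real hidden-volume tools: writing to the outer volume without knowing where the hidden one lives can overwrite it, which is why such tools ask for both passwords when the outer volume is mounted for writing.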

{% include panel.html color="danger" title="Key disclosure laws apply" body='
  1. Antigua and Barbuda
  2. Australia
  3. Canada
  4. France
  5. India
  6. Ireland
  7. Norway
  8. Russia
  9. South Africa
  10. United Kingdom
' %} {% include panel.html color="warning" title="Key disclosure laws may apply" body='
  1. Belgium
  2. Estonia
  3. Finland *
  4. New Zealand (unclear)
  5. The Netherlands *
  6. United States (see related info)
' %} {% include panel.html color="success" title="Key disclosure laws don't apply" body='
  1. Czech Republic
  2. Germany
  3. Iceland
  4. Italy
  5. Poland
  6. Sweden (proposed)
  7. Switzerland
' %}

* (People who know how to access a system may be ordered to share their knowledge; however, this does not apply to the suspect themselves or to family members.)

Related Information

Why is it not recommended to choose a US-based service?

USA

Services based in the United States are not recommended because of the country's surveillance programs and use of National Security Letters (NSLs) with accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.

An example of this is Lavabit, a secure email service created by Ladar Levison. The FBI requested Snowden's records after finding out that he used the service. Since Lavabit did not keep logs and email content was stored encrypted, the FBI served a court order (with a gag order) for the service's SSL private keys. Having the SSL keys would allow them to access communications (both metadata and unencrypted content) in real time for all of Lavabit's customers, not just Snowden's. This is exactly the exposure that forward secrecy in TLS is meant to limit: with RSA key exchange, which was still common in 2013, the server's private key lets a passive observer decrypt every recorded session, whereas with ephemeral key exchange (ECDHE) it only lets an active attacker impersonate the server going forward.

Ultimately, Levison turned over the SSL keys and shut down the service at the same time. The US government then threatened Levison with arrest, saying that shutting down the service was a violation of the court order.
