December 5, 2020

Comments on the Proposed Encryption Penalties

A new anti-terrorism bill criminalizes some uses of encryption:

Sec. 2801. Unlawful use of encryption
(a) Any person who, during the commission of a felony under Federal law, knowingly and willfully encrypts any incriminating communication or information relating to that felony –
(1) in the case of a first offense under this section, shall be imprisoned not more than 5 years, fined under this title, or both; and
(2) in the case of a second or subsequent offense under this section, shall be imprisoned not more than 10 years, fined under this title, or both.
(b) The terms ‘encrypt’ and ‘encryption’ refer to the scrambling (and descrambling) of wire communications, electronic communications, or electronically stored information, using mathematical formulas or algorithms in order to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering, such communications or information.

Declan McCullagh at news.com is alarmed, but Orin Kerr at The Volokh Conspiracy says this provision is “all bark and no bite.”

As far as I know, nobody has remarked on a strange aspect of the proposal: it criminalizes all forms of encryption, even those that do not conceal information. Encryption is used to conceal information, but it is also used to ensure the integrity or authenticity of information by providing a way to detect tampering. So if I send you an email message, I can use crypto to keep the message secret from eavesdroppers, or to give you a way to verify that the message really came from me, or both. The proposal would criminalize all of these possibilities – note the definition of “encryption” as including data scrambling “to preserve the confidentiality, integrity, or authenticity of, and prevent unauthorized recipients from accessing or altering … information.”

I can understand the public policy argument for criminalizing the use of crypto to conceal evidence of a crime. (There are also strong public policy arguments against doing this, but that’s another topic.) But where is the public policy argument for criminalizing other uses of crypto? If a criminal puts his digital signature on an incriminating message, or if he uses crypto to ensure the integrity of his incriminating records, where’s the harm?