With appeals ruling, the United States has effectively outlawed file encryption

An appeals court has denied the appeal of a person who is jailed indefinitely for refusing to decrypt files. The man has not been charged with anything, but was ordered to hand over the unencrypted contents on police assertion of what the contents were. When this can result in lifetime imprisonment under “contempt of court”, the United States has effectively outlawed file-level encryption – without even going through Congress.

Yesterday, a US Appeals Court ruled against the person now detained for almost 18 months for refusing to decrypt a hard drive. The man has not been charged with anything, but authorities assert that the drive contains child pornography, and they want to charge him for it. As this is a toxic subject that easily spins off into threads of its own, for the sake of argument here and for sticking to the 10,000-foot principles, let’s say the authorities instead claim there are documents showing tax evasion on the drive. The principles would be the same.

Authorities are justifying the continued detention of this person – this uncharged person – with two arguments that are seemingly contradictory: First, they say they already know in detail what documents are on the drive, so the person’s guilt is a “foregone conclusion”, and second, they refuse to charge him until they have said documents decrypted. This does not make sense: either they have enough evidence to charge, in which case they should, or they don’t have enough evidence, in which case there’s also not enough evidence to claim with this kind of certainty there are illegal documents on the drive.

In any case, this loss in the Appeals Court effectively means that file- and volume-level encryption is now illegal in the United States.

Without going through Congress, without public debate, without anything, the fuzzy “contempt of court” has been used to outlaw encryption of files. When authorities can jail you indefinitely – indefinitely! – for encrypting files out of their reach, the net effect of this is that file level encryption has been outlawed. (Encryption of transmissions, like with a VPN, has never been threatened this way – transmissions are transient in nature and therefore can’t be seized.)

So were there illegal documents on the drive? We don’t know. That’s the whole point. But we do know that you can be sent to prison on a mere assertion of what’s on your drive, without even a charge – effectively for life, even worse than the UK law which will jail you for up to five years for refusing to decrypt and which at least has some semblance of due process.

The point here isn’t that the man “was probably a monster”. The point is that the authorities claimed that there was something on his encrypted drive, and used that assertion as justification to send him to prison for life (unless he complies), with no charges filed. There’s absolutely nothing saying the same US authorities won’t claim the same thing about your drive tomorrow. Falsely, most likely. The point is that, with this ruling, it doesn’t matter.

Privacy remains your own responsibility.