Saving Your Cryptographic Front Door

Does the Fourth Amendment protect SSL keys? Not really, argues the executive branch in Lavabit’s appeal. “[A] business cannot prevent the execution of a search warrant by locking its front gate.”1

True enough. But a business does have a constitutional right to keep that gate intact. When executing a warrant, officers must ordinarily announce themselves and afford an opportunity to open up.

This is not some quirk of jurisprudence. In Wilson v. Arkansas, the Supreme Court held unanimously that the “‘knock and announce’ principle forms a part of the reasonableness inquiry under the Fourth Amendment.” 514 U.S. 927, 939 (1995). That common law rule, the Court understood, traces its roots far back in the English legal tradition and “was woven quickly into the fabric of early American law.” Id. at 933.

Two years later, the Supreme Court held—again unanimously—that even felony drug busts can be subject to knock-and-announce. Richards v. Wisconsin, 520 U.S. 385 (1997). In the course of its opinion, the Court established the current constitutional standard for no-knock incursions.

In order to justify a “no-knock” entry, the police must have a reasonable suspicion that knocking and announcing their presence, under the particular circumstances, would be dangerous or futile, or that it would inhibit the effective investigation of the crime by, for example, allowing the destruction of evidence. Id. at 394.

If there’s a good reason, then, officers can break in. But, in general, “individuals should be provided the opportunity to comply with the law and to avoid the destruction of property occasioned by a forcible entry.” Id. at 393 n.5.

A cloud service should receive at least as much protection in its cryptographic front door. If not more—the service is an innocent bystander, compromised SSL keys are a devastating security breach, and the entire user population has interests at stake. When government officials lawfully demand user records, a cloud service should be given a reasonable opportunity to comply without forfeiting technical safeguards.

This position is informed as much by constitutional law as computer science. A cloud service usually can turn over user data without surrendering its front-end security.2 SSL only protects information in transit; once data reaches the service, it is decrypted to plaintext. At that point, making a copy for law enforcement will usually be straightforward.3 Not trivial, necessarily, but hardly a feat of engineering.4 And the government would ordinarily compensate the cloud service for its efforts.5

The brief for the United States hints at willingness to accept this sort of constitutional compromise.6 “[I]n most cases, when government agents serve a provider with a pen/trap order, they are happy to let the provider use its own equipment and software to implement the order.” That includes keeping SSL keys secret.

Consider the implications of a more lenient rule. If a single mafioso uses Gmail, should that alone be sufficient to snag Google’s treasured SSL keys? Plainly not.

This middle-ground approach seems a pragmatic way for the courts to reconcile Internet security and law enforcement realities.7 It also suggests an outcome where Lavabit could lose—owing to its cavalier recalcitrance—but the Internet would still win substantial constitutional protections.

Disclaimer: I am not (yet!) a lawyer. None of the above should be construed as legal advice.

1. Specifically, the United States appears to view SSL keys as mundane business records that are merely incidental to a compelled disclosure. Lavabit, the Electronic Frontier Foundation, and the American Civil Liberties Union argue cloud service SSL keys can never be demanded owing to various statutory and constitutional barriers. This post argues for a constitutional intermediate position between those absolutes.

2. Lavabit eventually offered a solution like this, which the government criticized as too little, too late, and too costly. In practice, the middle-ground solution proposed here would be a matter for negotiation between a cloud service and law enforcement. Where an agreement cannot be quickly reached, given the sensitivities surrounding SSL keys, it would be reasonable for the judiciary to mediate. (Contrast the approach for no-knock searches, where officers alone apply for a no-knock warrant or make a determination in the field.) Requiring a warrant specifically for SSL keys, like the one issued in the Lavabit case, seems a sensible procedural safeguard.

3. My argument here is limited to services that already acquire the plaintext of user activity. If a company only has ciphertext (and no key), reengineering would be required to negate security measures. That is a much more questionable matter of law and policy. In the Communications Assistance for Law Enforcement Act (CALEA), for example, Congress expressly exempted services of that sort: “A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.” 47 U.S.C. § 1002.

4. Out of curiosity, I took on the toy example of a realtime pen/trap for a web application using Apache over HTTPS. I assumed the target user had a unique cookie, and I used mod_setenvif and mod_log_config to write a custom log for the target user’s activity at a secret URL. It took less than half an hour.
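The point of the main text and of this footnote is that a provider can produce one user's records while the TLS private key stays on the server. The configuration below is an added illustration of that approach for Apache httpd 2.4, not the author's configuration: it pairs mod_setenvif (to tag requests carrying one specific session cookie) with mod_log_config (to write only those requests to a separate, non-content log). The cookie name "session", the placeholder value TARGET_COOKIE_VALUE, the hostname, and all file paths are constructed for the example. Unlike the footnote's "secret URL", the matching requests are written to a local file rather than exposed over HTTP.

```apache
# Added example (not from the original post): per-user conditional logging
# with mod_setenvif + mod_log_config, so a single user's requests are
# recorded without disclosing the server's TLS private key.
# Constructed placeholders: mail.example.com, cookie "session",
# TARGET_COOKIE_VALUE, and the /var/log/apache2 paths.
# Requires: LoadModule ssl_module, setenvif_module, log_config_module.

<VirtualHost *:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.com.crt
    # The private key is read by httpd and never leaves the host.
    SSLCertificateKeyFile /etc/ssl/private/mail.example.com.key

    # mod_setenvif: set the env var "target_user" when the Cookie request
    # header contains exactly the named session cookie. The anchors
    # (^|;\s*) and (;|$) stop "session=TARGET_COOKIE_VALUE2" from matching.
    SetEnvIf Cookie "(^|;\s*)session=TARGET_COOKIE_VALUE(;|$)" target_user

    # mod_log_config: a metadata-only format (time, client address,
    # protocol, method, path and query, status, bytes, user agent).
    # No request or response bodies, matching pen/trap scope.
    LogFormat "%t %h %H %m \"%U%q\" %>s %b \"%{User-Agent}i\"" pentrap

    # Only requests that carry the env var go to the dedicated file;
    # the ordinary access log is unaffected.
    CustomLog /var/log/apache2/pentrap-target.log pentrap env=target_user

    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Run `apachectl configtest` after adding the block and reload. The `env=` condition is evaluated per request at log time, so every response to the tagged user is captured from the moment the configuration is live, while all other traffic is handled exactly as before. Because the dedicated log contains one person's browsing metadata, it should sit outside the normal log-rotation and log-shipping paths and carry restrictive file permissions; the format deliberately omits the Cookie header itself and any content fields, which is the boundary between a pen/trap and a content intercept that the main text relies on.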

5. In the Lavabit case, the government challenged the firm’s estimate of engineering cost. That argument only arose, however, after Lavabit had waited for weeks and appeared uncooperative to law enforcement.

6. If pressed, the United States would presumably frame this as a voluntary procedure and not a constitutional requirement. It would likely also contest the duration of delay, scope of judicial supervision, and substantive standard for compelled disclosure of SSL keys.

7. Lavabit’s appeal sloshes with incidental issues, including argument forfeiture and questionable conduct. It is therefore quite possible the Fourth Circuit will not even reach the merits.