In many countries, the use of strong cryptography or steganography faces legal limitations. There have been good arguments made both for and against this, and it is certainly a complex issue. This article does not attempt to go in depth with either of these arguments, but instead covers the confusion and lack of clarity in the laws concerning strong cryptography.
The vast majority of countries do not make their steganography or strong cryptography laws clear to the average citizen. If a citizen or resident wishes to abide by laws while giving a higher than average protection to some of their electronic data, it is difficult for him or her to know which methods are legal and which are not.
While I was researching the question, I noticed that various sites allude to different countries tending to focus their laws on different areas of the question – which adds an additional layer of complexity. Some countries have export and import controls on cryptography. Traveling with encryption, for example, can violate export laws. Other countries allow strong cryptography and steganography with the caveat of requiring by law that cryptographic key(s) must be handed to law enforcement if asked. However, there is a lack of authoritative information even on those issues.
Briefly, the case for and against strong encryption:
The case for strong encryption: If encryption is weak or non-existent, a phone (for example) may fall into the wrong hands or get hacked. Either way, personal data is revealed. This could lead to identity theft, a very serious crime with long-lasting ramifications for the victim. Or in the case of a website, a legitimate website could get hacked to inject phishing software and cause identity theft on a much wider scale. The case for strong encryption is summarized well in a balanced manner by website security experts at WordFence Blog (see reference 1).
The case against strong encryption is made clearly and well by the FBI, describing cases in which crucial incriminating evidence has been recovered from its owner’s unencrypted cellphone. In other cases, exonerating evidence has been recovered from a false accuser’s phone showing the alleged perpetrator to in fact be innocent. The argument the FBI makes so compellingly is that where strong encryption exists, law enforcement has been physically unable to recover the data, even though they are armed with all the legal requirements (e.g. court order) that entitle them to that data (see reference 2).
My take on it: The issue is far from clear-cut. Yet, only allowing weaker forms of encryption is a little like saying “I’m going to make a huge pet flap for my front door to be certain my German Shepherd can get in and out of the house.” Next week: “Oh, my house got burgled! I wonder how that happened?” Where actual crimes have taken place such as mass shootings, I believe the point of prevention and intervention need not focus so strongly on electronic communications but instead the actual physical purchase of firearms and/or weapons. After the fact, I don’t think that zero encryption would have necessarily prevented the crime, as awful as the crime was. Yet the physical purchase of firearms (whether legally or illegally) could have been a much better target for intervention in a preventive sense.
How strongly are we allowed to encrypt something without breaking any laws?
A crucial question I will pose here is: “How strongly am I allowed to encrypt something without breaking any laws?” This question is surprisingly difficult to answer, as I discovered when I tried to research it.
For example, can I legally put Morse Code up on a website? Presumably I could, since it is not a strong encryption and anyone can decode it without requiring extra information other than the standard Morse Code.
However, if I were to take a steganography approach and put the same Morse Code into, say, an image (with a dot being a black pixel and a dash being a white pixel) and publish the image online, would I be breaking any laws?
Going on from there, I would like to pose the more significant question: “Am I legally allowed to use open-source steganography software tools which require electronic key(s) such as OpenPuff?”
If a country’s laws would not ordinarily allow steganography tools, what if I use OpenPuff to hide text in a photo, publish the photo on my website, and also publish the encryption key(s) alongside in clear text without any obfuscation? That is, if everyone a) knows the item contains a message and b) can decrypt the message with the information given, does that even count as steganography anymore? Obviously, it would defeat the purpose of the encryption, but from a purely theoretical point of view, it is a valid legal question concerning the use of OpenPuff.
Moving beyond OpenPuff, what if a friend of mine develops his or her own private steganography software tools and we use it to exchange greetings? What if the friend lives overseas?
As you can see, the questions and the issues become complicated very quickly.
There is little to no authoritative and up-to-date information available on steganography laws for most countries. There is certainly a lot of conjecture and say-so on internet websites, but usually none reference any authoritative (i.e. government) site. This renders the information unreliable. Furthermore, much of this unauthoritative information is also out of date, much of it having been written 10 years ago or more. Searching for authoritative information solely from government agencies does not result in any clear-cut legal explanations that any average person could understand. By contrast, the FTC does an incredibly good job explaining what does and does not constitute correct disclosure for affiliate marketing in blogs or websites (reference 3). That level of explanation is sorely needed for law-abiding citizens seeking to know the laws governing strong cryptography or steganography.
Most governments have made it very difficult or even near to impossible for ordinary citizens to know what level of encryption they are legally allowed to use within their country, and what other legal limitations they are bound by.
If, for example, a small business owner wishes to use steganography to encrypt a trade secret, this individual may have a difficult time determining whether or not that is legal. Likewise, if I want to say “Hi!” to my mom using steganography, am I legally allowed to?
In many countries, there is a need for clearer guidelines of laws for forms of strong encryption.
1. Mark Maunder. Why Wordfence Supports Strong Encryption Without Backdoors. February 2016 in WordFence Blog.
2. Amy Hess. Statement Before the House Oversight and Government Reform Committee, Subcommittee on Information Technology, Washington, D.C. April 2015 in FBI news on FBI.gov.
3. Federal Trade Commission. .com Disclosures: How to Make Effective Disclosures in Digital Advertising. March 2013 in FTC.gov.