Secret Laws: How does the cryptographic ‘law’ against security by obscurity apply to laws in a democracy?
The original appearance of this entry was in Danny Weitzner - Open Internet Policy
Last week, John Gilmore had a chance to convince the 9th Circuit Court of Appeals that he should be allowed to board commercial aircraft without showing ID. And perhaps more importantly, he argues that if there is a government rule requiring an ID, then the full extent of that rule/law should be made public. Gilmore claims that the rule requiring presentation of ID is an unreasonable search under the 4th Amendment and is unconstitutionally vague (violating his 5th Amendment due process rights) because the law isn’t even publicly available. The Department of Justice (defendant in this case) counters that courts have already accepted that searches at airports are acceptable under the 4th Amendment (see US v. Davis, 482 F.2d 893 (CA9, 1971)) and that the rule requiring searches need not be made public. While the Justice Department has not acknowledged the existence of any rules, it did offer to present something to the judges (though not to Gilmore) in a secret session.
There’s certainly a fundamental 4th Amendment question here, but what about our right to know the laws and rules under which we’re governed? In the world of Internet security, cryptographers generally accept Kerckhoffs’ law, holding that the security of a cryptographic algorithm must not be dependent on the secrecy of the ciphering method. That is, the mathematical process used in any coding system must be publicly visible. (Of course there will be secret keys that make the algorithm work; these need not be made public.) Kerckhoffs asserted this view because he believed that an algorithm should be strong enough that it remains secure if an adversary discovers it. Modern computer security thinking has extended this law to the more general principle that security mechanisms ought to be able to be subjected to public scrutiny so that we have the best chance of catching unintended flaws in the mechanism. So where does this leave these ID rules? Is it enough that we simply know they exist? (Gilmore and the rest of us know the basics of their operation from going through airport screening. We know we can’t get on a plane without showing ID.) Or is there some practical and/or principled reason why we should know the full extent of the rules?
The government asserts that even if the rule requiring presentation of ID exists, citizens have no constitutional right to see it. The trial court accepted the government’s argument that such a rule is a law enforcement procedure and as such need not be disclosed. The court reasoned that the substance of the rule is quite apparent from the practice of requiring ID presentation, so there’s no need to see the details. The Justice Department’s brief likens the rule (if it exists) to a drug dealer profile used by border guards to catch potential drug smugglers. This is a rule to which we’re all subject in that when we cross the border manifesting traits that are on the profile, we’re going to be stopped and searched, but we have no right to see the actual profile. In fact, most people would probably agree that disclosing the details of the drug dealer profile could harm law enforcement efforts without any significant enhancement of civil liberties.
Gilmore, on the other hand, argues that in a free society there are simply no secret laws. In the case of ID checks or other law enforcement rules, how much transparency is enough?
Hear the oral arguments through this WMA link from the 9th Circuit Court of Appeals website.

