Pico is a password replacement system currently under development at the University of Cambridge. The Pico project’s strap line is: No more passwords! But is that right, should this really be our goal when designing new authentication schemes?
We are asked to remember far too many passwords. But not all passwords are created equal. As designers of secure systems we need to be aware that, at least in the US, there is a legal difference between the cognitive act of recalling a password and the physical act of providing a “key”. Pico is envisaged as a device that replaces PINs and passwords everywhere, and this includes encrypting and decrypting files. In such a world, Pico’s users would be dragged into requests for compelled decryption.
In the US, demands for passwords are unconstitutional as they violate a citizen’s 5th Amendment rights (the right against self-incrimination). Therefore, compelled decryption often takes the form of the user decrypting the requested files and then handing them over to law enforcement. This itself may or may not be unconstitutional. In such cases decryption of the files is clearly compelled and may be self-incriminating; therefore, the crux of whether this is constitutional is whether the compelled decryption constitutes “testimony”.
The “act of production [of physical evidence]” can be testimonial if it requires the “contents of [the] mind”. That is, the question is whether the compelled disclosure is analogous to providing a key to a safe or a combination to a safe. If it is like “a combination to a safe”, compelled disclosure is unconstitutional. However, there is an important exception: whether the disclosure is a foregone conclusion. Concretely, this is about whether law enforcement already know (or have a good guess) as to the content of the files. If law enforcement already know what the file contains, then compelled decryption is not unconstitutional.
Pico clearly is analogous to a key to a safe, and thus decryption doesn’t require the “contents of [the] mind”, and therefore there is no testimonial aspect (what counts as testimonial is slippery, but courts agree that handing over a key isn’t). Therefore, it is possible that compelled decryption with a Pico-like device would always be constitutional (the court could issue a demand for evidence – a subpoena duces tecum – and seize the Pico and its siblings). That seems very bad.
As the Pico is unlocked through the presence of a set of physical tokens, I don’t see any hiding place from this. Of course I might be wrong, but that is my understanding at this moment.
In conclusion, aside from the security and usability differences between tokens and passwords, there may well be legal differences as well. And as security researchers and systems designers we should take these legal aspects into account.
BTW the main issue, so far as I understand, for rendezvous points, backup and revocation servers is that if they are located in the US, law enforcement can obtain session/message metadata and account information with a very (very) low barrier (under the Pen/Trap act). Clearly anyone can host these services wherever they please, but it’s still worth noting.