The law depends on compute power

In 2011 Sony sued George Hotz and his friends for jailbreaking the PlayStation 3. One of the main complaints was that Hotz published an encryption key online (Sony foolishly broke one of the basic rules of digital signatures).

The case was eventually settled out of court, but the question remains whether it’s illegal to publish a specific number on the internet. The law currently seems to agree with Sony, that free speech doesn’t cover Hotz’s case.

One counterargument is that if a specific number is illegal to publish, then so is anything derived from that number. An excellent example of this is the Free Speech Flag.

The colors of this flag, when decoded to hexadecimal, contain the PlayStation 3 signing key.

Likewise, so-called “illegal numbers” were put on t-shirts and embedded in poems and amusingly bad YouTube songs.

The illegality of publishing these numbers is probably tightly connected to their relevance. Since the PlayStation 3 was superseded by the next generation of video game consoles, I doubt PlayStation would sue anyone for publishing the old keys.

But what about more long-term sensitive numbers, such as social security numbers? On that front the law is much clearer. In California, penal code 1798.85(1) on the confidentiality of social security numbers:

(a) Except as provided in this section, a person or entity may not do any of the following:

(1) Publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.

If this applied to the PlayStation key, then publishing the key in plaintext would clearly be illegal. Then later in the same law:

(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.

So this would rule out publishing someone’s social security number using a flag, since that is both encoding and embedding the number in a document using “other technology” (or really, a barcode, but other technology captures all computer programs I suppose).

But all of this seems to assume that these rules only apply if the social security number is hard for people in the general public to get access to. The law makes special exceptions for all of these provided that the social security number is securely encrypted.

Of course, what it means for something to be securely encrypted depends heavily on how powerful current computers are. For example, here’s my social security number, encrypted using Keybase. It seems pretty clear that it’s not illegal to do that, but now that it’s public, you have to wonder whether this will bite me in the ass when I’m 60, computational power has exceeded the security of this particular cryptosystem, and my identity gets stolen.

But it makes you wonder how many SSN-like documents, encrypted using old, broken encryption schemes (or using weak secret keys), are still lying around on the internet. Would it be illegal to decrypt them and publish the results, seeing that anyone with a sufficient skill set could do it?

Or worse, what if I told you that the California Governor’s social security number was one of the numbers on this webpage? It contains 10 thousand social security numbers. But if that were actually true, given enough time an average person could conceivably find it. This would be even easier if there were a programmatic method for verifying that a name is tied to a social security number, and I don’t doubt that various automated phone/computer systems are weak enough to allow a sufficiently motivated programmer to do this.

So is it illegal for that website to publish these huge lists of SSNs? Is it illegal for me to say that his social security number is on that webpage, if it actually is?

What if I gave you a list of the digits of the Governor’s SSN, but not in the correct order? Here they are: 000013488. Is publishing that illegal? It probably doesn’t correspond to more than a few hundred valid social security numbers, so you could write a simple computer program to search through them all.

But is that a “public display”? It’s not an encoding or an embedding, any more than a big list of all SSNs is. And moreover, SSNs are so short that they almost certainly occur naturally in other contexts. For example, here’s a random social security number I took from that list of SSNs: 289-03-0001. If I Google this number (without dashes) I get 500 results. This SSN turns out to be the product number of this Sony bracket, the ID number of this dog walk, and the SKU of this macbook sticker, and more.

So where does the law draw the line?

The only real conclusion I can draw from this is the observation that the law necessarily depends on current computational power, but the law doesn’t make that explicit in any document or court opinion I’ve heard of.

Mathematics PhD, currently at Google. Author of Math ∩ Programming @MathProgramming
