I like this argument and agree with it, but it seems like the only real way to truly protect yourself from being compelled to incriminate yourself is to use deniable encryption. There will always be cases where a specific jurisdiction makes an incorrect call that forces someone to give up their key or go to jail. There needs to be a solution for that other than suing to put the toothpaste back in the tube.
Deniable encryption only works if either (a) everyone is using it or (b) there is no way to tell if you are using it. I doubt you will ever see the former, and that latter is pretty difficult -- even if such a scheme exists, you have to also hide the deniable encryption software you are using i.e. it is the classic warden problem.
To put it another way, let's say you are using Truecrypt, and the prosecution can prove that you have incriminating documents on your laptop. You enter your "innocent" passphrase and behold! No incriminating documents. I think the next obvious move will be for the court to demand that you enter your other passphrase, leaving you trying to prove that you really were not using the distinguishing feature of Truecrypt.
A better solution, where applicable, is to destroy keys as quickly as you can. Keep your keys on a smartcard, and self-destruct the card if you think you will be arrested. You will deny yourself access to your files, but you will also deny your adversary such access. The police might try to prove that you destroyed evidence, but that is much harder to prove if your own procedure is to periodically destroy your keys (and such a procedure can be done individually without raising suspicion). Basically it all comes down to opsec -- something the military has known for centuries.
I'm talking about a deniable encryption scheme such as rubberhose, where the fact that you're using it is known, but it's impossible to tell whether you've revealed all the hidden aspects or not. "Here's my key." "Well, you're using deniable encryption; we need your other key." "Ok, here are my other two keys."
But your hypothetical is also strange: "let's say ... the prosecution can prove that you have incriminating documents on your laptop." If the prosecution can prove that you have incriminating documents before you ever provide the keys, you're already screwed.
The thing is, if you are using deniable encryption and keep producing keys that reveal innocent data, the government will just keep demanding keys from you. Basically, you have to be able to last until they give up -- but the odds are already against you on that.
As for the hypothetical scenario, that is actually something that happened in real life:
In real life it is somewhat unusual for the government to grab random people off the street and demand plaintexts. There is going to already be some kind of evidence against you, something to make the government suspicious. Maybe you attended an antiwar protest. Maybe you published a book about how to molest children. Maybe you are connected to some kind of fraud. Maybe a cop saw what appeared to be child pornography on your monitor. If the government is asking for your passphrase, it is because they already expect to find incriminating files; they will not just shrug and say, "We goofed!" when they see a deniable encryption system producing innocent files.
While there is a sort of a "when do you stop asking for keys" problem, that doesn't mean they will necessarily be able to compel you to provide that final key you don't want them to have. The fact that they haven't gotten what they're after yet is not evidence that you have more keys, because it's indistinguishable from the case where you've simply already deleted the files.
I'm not expecting them to shrug and say "we goofed", I'm expecting them to realize that with a well-designed deniable system, they can't tell the difference between you being uncooperative and there being nothing incriminating to find. If they can prove the files exist and you're refusing to give them up, then that's something they can charge you with, but as I indicated earlier, that's a different kettle of fish.
The big risk with deniable encryption, of course, is that the courts don't really understand it well and you end up in a situation where they are compelling you to provide information that actually does not exist (they think it's on a hidden aspect but they're wrong), and are willing to throw you in jail for not producing it. This risk is what leads me to the conclusion that the law must acknowledge that compelling complete decryption of all data is impossible.
"The fact that they haven't gotten what they're after yet is not evidence that you have more keys, because it's indistinguishable from the case where you've simply already deleted the files."
Perhaps, but then why not just provide no key at all and rely on the semantic security of the cryptosystem? If you need to give the court a reason why you are not producing the secret key, you can always claim to have forgotten it. How does deniable encryption improve over that, if in the end it comes down to indistinguishability?
"I'm expecting them to realize that with a well-designed deniable system, they can't tell the difference between you being uncooperative and there being nothing incriminating to find."
OK, but the same is true of non-deniable encryption when you say, "I forgot the key!" Anything that might lead them to believe otherwise would be equally applicable to deniable encryption.
To put it another way, what is the difference between saying, "I only have this key," and saying, "I cannot remember the key at all?" In either case, you need to convince the police that there is no incriminating key they can demand from you.
This is a good question, and the differences are pretty small. One difference, although I'm not sure what the impact is of this difference, is that if you say you've forgotten the key, that's an acknowledgement that there is data there to be discovered, just that you can't provide access to it. Does this leave a door open to other efforts to decrypt it? I don't know.
I think the typical solution is to have something embarrassing but not incriminating (or incriminating, but for a lesser charge) for the last password you give up.
I doubt that would cut it. If the police are expecting you to reveal spreadsheets detailing your real estate fraud, and your deniable encryption system outputs some embarrassing fetish porn, the police are going to ignore the porn and demand your other key. Why should they believe you about the embarrassing files being the real or only reason you are using deniable encryption? Why would they not simply assume that you put those files there as part of an attempt to develop a plausible excuse?
The real problem here is that, in a way, using deniable encryption is itself incriminating unless everyone uses it -- and we do not live in such a world. Unlike other cryptosystems, it is hard to develop a "legitimate" reason for using deniable encryption, as it has no particular advantage in protecting data from criminals over non-deniable encryption.
The purpose and usage of deniable encryption is not for police to stop demanding the other key.
They may or may not stop, you can't control that. However, if you simply refuse to provide any more keys (regardless if such keys exists); then their only recourse is to try and convict you for not providing the key - and there, on a trial by a layman jury, the plausibility of whatever excuse you [didn't] provide would matter a great deal.
It's all about reducing the likelihood. Keeping my fetish porn hidden behind legitimate looking encrypted whatever is not an absurd story, so a chunk of the probability moves that way, leaving it correspondingly less likely that the deniable-encryption-supporting encrypted file here also contains the thing they were looking for. Whether it's less likely enough depends on a whole ton of things.
