Slashdot Mirror
PGP Ruled as Relevant For Criminal Case
waytoomuchcoffee writes "A Minnesota appeals unamimously ruled in a child porn case that "the existence of an encryption program" on the defendants computer could be admitted as evidence of criminal intent. The article doesn't mention if this can be taken into account for sentencing too."
"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.
I find this very disturbing based on the attitude people have regarding encryption. It's seen in such a negative way as if everyone who uses encryption as evil. Let me put it this way:
ENCRYPTION != EVIL
I use this for my day to day communications. Either over IM, E-Mail or moving things from server to server (GPG, then sending the file via FTP etc.). How do we help the public to understand that just because someone wants to keep something secret, even under a mass of public scrutiny, it does not constitute someone breaking the law! I have a TON of letters to and from my girlfriend that are encrypted, that she herself does as well!
I'm not saying the guy accused of the crime shouldn't produce keys, he obviously was doing something totally heinous by photographing a 9 year old in sexual position, and then those pictures destroyed. Predators of this nature are f-ing sick creatures that need some bad rehabilitation.
My point is the attitude of the people. Admission of the fact that he had PGP on his computer shouldn't be a condemning factor of his behavior and should be based on his crimes. NOT THE FACILITATOR, MEANS, TOOL (Physical or otherwise) OR SOFTWARE to commit such crimes. He was using perfectly legal encryption utilities and software.
Just because they were for hiding his crimes/pictures should NOT be a factor in his punishment. What kind of precedent would the judge be inadvertently (or purposely??) placing on the use and ownership of encryption and the tools to do such?
~zoloto
And with other evidence, why shouldn't it be? In fact, the presence of it ought to lead prosecutors to tack on the charge of conspiracy.
Just like the presence of a gun during a robbery lifts the crime to armed robbery, the presence of encryption ought to imply not only that the culprit intended to commit the crime but also intended to cover it up as well.
So if someone is intelligent enought to know how to protect him/herself, they're more likely to be a criminal? Where is 'innocent until proven guilty' these days? bo
bad_outlook
--
Is this vague enough for you?
Yes, the crime is reprehensible and unforgivable.
But that doesn't mean the presence of encryption tools meant he was guilty. Encryption tools have many uses, some of which are good - like authentication and assurance of confidentiality. It's great to have encryption tools like PGP when you're sending an email to your broker that you want to issue a stock trade from your investments account. Or to be reasonably assured that discussing a prototype / secret business proposal will not be intercepted.
Encryption is merely a tool, to be used for both good and evil. A mail envelope can contain mail, or it can contain anthrax. An encrypted document could be a plot by terrorists, or it could be just any other email.
Doing the Right Thing should not be preempted by making a buck.
I used Fedora Core 2. Encryption built right in, 256 bit in any of a few flavors. I encrypt my journal, which has nothing illegal in it. But, if I'm unwilling to let someone read my personal files, why not accuse me of any number of terrible things? Terrorist? Necrophile? Hell, rack'em up boys! If he has an encryption program, he's obviously a criminal?
Good citizens have nothing to hide, after all. Why don't we just ban encryption entirely? And we'll install the cameras here and here...
Seriously...
I'm not totally familiar with what this means legally, but I know it's a bad thing. And a reason for every OS to include it by default, PRONTO!
If this stands up, privacy will take a beating.
Since all modern Macs ship with FileVault as an option for securing their home folders and you also can create encrypted disk images with the Disc Utility tool in Mac OS X, this now can be used against Mac users in a court of law. Somehow, I suspect Bill Gates is behind this. No doubt, in a couple days, we will be see Microsoft ads touting that if you use a Mac, you will go to jail.
Strange women lying in ponds distributing swords is no basis for a system of government.
The encryption software here is treated in the same manner as an item such as a large bag would be treated in a shoplifting case. That is, if you go into a store, see something you like, grab it, and run, the court would likely view that as something that you did at the spur of the moment, without putting much forethought into it. The crime, while still very much a crime, would likely be treated as a stupid action you took because you didn't stop to think if it was right or wrong, and the sentence would likely be applied with some leniency. In such a case, assuming the item costs less than $400.00, the crime would be treated as a misdemeanor. On the other hand, if you had entered the store with an unnecessarily large bag that is mostly empty, this might, in the eyes of the court, show that you had planned to shoplift from the outset, and you would receive a much stiffer punishment. In this case, the crime would likely be treated as a felony, regardless of the item's value.
In much the same way, the court handling this pornography case is probably trying to determine under which of the statutes the aforementioned materials fall, and the presence of software used with the intent to traffic in such material, regardless of the software's generally accepted purpose, can allow the prosecution to go for a crime with stiffer penalties.
In other words, if you use PGP, don't worry, because it's not going to be outlawed. But if you're the guy in that pornography case, be afraid... be very afraid. Here in Soviet Russia, pornography encrypts YOU!
As an aside, one should not look at pornography, because it can have an adverse effect on future relationships that you might have.
I agree with you. It's bullshit.
Some of us like this little thing called PRIVACY. It's something that you get less and less of these days and it's only going to get worse. RFID national ID cards, bias against encryption, tracking databases, no travel without ID..
The excuse is always "If you're not hiding anything you don't have anything to worry about." I don't know what these people are afraid of. Why can't I go about my life without being tracked? Why is it a bad thing that I want to encrypt my communications?
A 12 year old can figure out that if one wanted to commit a crime, all these things won't help any. So obviously that can't be the reason.
Bah. People suck.
- It's not the Macs I hate. It's Digg users. -
This is one of those cases where use of a legal tool to aid or cover up a crime can absolutely be part of the case, and it is NOT an indictment of the tool.
My sig is blank, I typed this by hand.
Even More Important is the fact that you may be storing information in your brain that you have refused to decrypt and make public for investigators. Just as a disk may be encrypted and thus prosecutors are unable to determine whether anything important lies within, so too is your brain capable of hiding information that cannot be unveiled by prosecutors. What we need now is to prosecute people for having brains as potential encrypted information storage devices.
You're completely incorrect--I don't think you're thinking about the situation rationally.
Encryption is merely a tool that this man used to commit his crimes. Should video cameras the defendant used not be admitted? Should video TAPES? What about any other equipment he used in the filming process? They clearly (I think you'll agree) should be admissible as evidence. Why not the fact that he went to great lengths to hide his creations? Encryption is JUST a TOOL. It's not magically special just because it's on computers.
Note in the article, encrypted files were not EVEN located on the computer used in evidence.
This is tantamount to pointing to a car in which drugs were sniffed (but not found), and telling the jury, it has locks, so they must be trying to hide something. ( and further introducing the car or its locks, and the police testimony thereof as evidence )
Yes, I read that the girl involved testified against him, so forget about whether he's a slimeball or not, he probably is, the jury assumedly believed her story.
Bollocks!
Anyone seen my low uid? last seen 10 years ago while panning the #@$# out of Taco's 'web based discussion system'
If you built an underground cavern with a hidden door, security cameras, and multiple locks to hide the dead bodies from your killing rampage, the fact you spent all that time doing it should be evidence in the case of your intent.
This person is not being indicted for using crypto, his use of it is simply being used to show intent... why is that so wrong?
If you hide evidence in the course of any crime, the fact that you hid it is a perfectly reasonable thing to be brought up at trial, is this any different?
If someone gets arrested with bolt cutters breaking into a building, it's reasonable to use the presence of the bolt cutters at trial, just as it's reasonable to show any other tools (such as crypto) that were used to commit a crime.
My sig is blank, I typed this by hand.
The unfortunate thing about encryption is that it's not as pervasive as it should be. Virtually everybody has a lock on their house, and only rarely are they trying to conceal a criminal act. Virtually everybody puts mail -- particularly sensitive mail -- in envelopes before sending it, and again this is to retain privacy rather than deter law enforcement. But encrypted files are uncommon and therefore draw attention, right or wrong.
This is another example of where our justice system has gone round the bend when it comes to understanding new (and not even -that- new) technology and its relation to currently accepted practices in other parts of life. Locksmithing tools are specific to that practice, but encryption tools are general purpose and not only legal but encouraged for use by average citizens to retain their privacy.
Horrible precedents are usually set over reprehensible crimes, when said crimes represent only the tinest portion of the larger picture. Hopefully that won't be the case here when everything shakes out, but I have a feeling encryption will be severely curtailed in years to come as average people become more familiar with it and it becomes harder for law enforcement to deal with.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
That is not the point. It was simply admitted as evidence of possible criminal intent. If you are a suspect in a murder case where a knife was used, a knife could be admitte as evidence. In this case he had the encryption program in order to hide naked pictures of a 9 year old. That is illegal use and is evidence of premeditation and thought and can be used by a court to show that this sick man needs to be locked up because he is a danger to society. The fact that he had the encryption software isn't proof of his crime but it is proof of his ability to commit the crime. If he didn't do it, then the evidence would prove nothing. Sometimes nerds forget to think illogically.
We apologize for the inconvenience.
You can safely assume that the NSA can break anything. They do not 'play fair' when they try to break things - they 'play dirty' and look for weaknesses in the implementation. They use enormous lookup tables and dictionaries. They use special hardware. If they know something is on a PC, then they could read all data off the hard disk and try every word or phrase ever typed on it as a key. Of course, you need to be pretty friggen important before they will waste their time on you...
Oh well, what the hell...
This is what the judge said (from the article):
"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.
He did not say the encryption program was evidence of guilt.
To say otherwise is tabloid "journalism."
I see what you're saying...but there are several flaws in this reasoning, both theoretical and practical.
(And for the record, when it comes to child pornographers, there can be no punishment too severe.)
Somewhere I hear Vadar saying, "I find your lack of faith disturbing..." ;-)
PGP uses a passphrase, right? What are the chances this guy's passphrase--now remember he's not only dumb enough to make and locally store child porn, but he doesn't even clear out his browser history--what are the chances his passphrase contains more than, say, 40 bits of entropy?
You don't have to break RSA or El Gamal or IDEA or Blowfish or whateverTF he was using...just get his keyring and bruteforce the passphrase. Or, if he's just using the symmetric cipher, do the same thing.
4096-bit RSA over Blowfish is pretty damn strong. Too bad the passphrase is so weak! It's like having that huge shield door from NORAD on your house, except with a full-size doggie door built into the front.
And is it difficult to implement this brute-force key search on the massively parallel architectures surely used by the NSA? Nope.
Think about the average complexity of any password a normal individual would use repeatedly, and you'll see how easy this really is. The NSA laughs their collective asses off at any commentary that begins, "The NSA cannot break [insert cipher name here]. Nobody can, not ever."
We don't even need to talk about differential cryptanalysis and other such exploits that would help to make the NSA's job even easier. Why bother? The weakness of the people who use the passwords is enough to "break" just about anything.
Look the judge instructed the jury that mere possession of encryption software could be used ti infer criminal intent on the part of THIS ONE PERSON!
Damn! It's like the RIAA making a patently absurd claim that just because one COULD use an iPod for storing illegally copied MP3s, therefore ALL iPod owners are using them to store illegally downloaded MP3s...
Oh, wait...
Guaranteed! This comment 100% Anthrax free!
Wrong. This is simply adding intent and conspiracy elements to the crime, it would be the same as you killing someone with a knife and then buying five gallons of bleach to clean up the blood splatters on the walls. Buying bleach is of course legal, and no one is questioning that, but adding the fact that you bought/used the bleach for a specific purposes related to the crime absolutely shows that you a) knew what you were doing b) had the presence of mind to clean up after yourself c) intended to conceal the crime.
No, I would say this is more like you killing someone with a knife and simultaneously having a bottle of bleach at home in the laundry room, and they have no evidence of you buying or using it for any other reason than doing the laundry, and yet it is somehow taken as "supporting evidence" that your crime was thought out in advance, with you having the bleach on hand specifically to clean up after the crime. Obviously the bleach could have been used to clean up some blood, so that must have been your intention in owning it.
Your mistake is in comparing this to a non-ordinary amount of bleach and suggesting they had some sort of evidence that you used the bleach to clean the blood off the walls. This encryption software is just an everyday, regular size, common bottle of bleach sitting in the laundry room, just like almost anyone would have in their home if they happen to have a laundry room. It indicates absolutely nothing. Thinking otherwise is an extremely dangerous logical fallacy. And it absolutely IS an indictment of the tool. Encryption software is not the logical equivalent of five gallons of bleach.
This person is not being indicted for using crypto, his use of it is simply being used to show intent... why is that so wrong?
Because you, like most of the slashdotters arguing in favor of this ruling, apparently haven't read the fucking article. There is no evidence whatsoever that the man used encryption for ANYTHING AT ALL, much less hiding child porn. None. Nada. Zip.
It was present on his computer. That's it. It's also present on your computer if you use WinXP, Win2000, or have just about any distro of Linux. And we'll be sure to use it as 'evidence' of your intent to 'hide your crime' should we ever suspect you of doing anything illegal.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
No, you don't get it (and apparently neither do the mods). The things you say are true, hiding evidence is a crime, but they have no bearing on this situation. The point is, they have no evidence of the software being purchased or used for purposes of committing or covering up this crime (or any crime). Your analogy to going through a bunch of specific actions that can be linked directly to the crime is totally fallacious. Everyone who is saying this is a dangerous and stupid ruling is correct. The simple presence of the software is being taken as proof that it was intended for a criminal use. It is not his "use" of it that is being used, it is the "presence" of it on his computer that is being used against him.
And there you go again at the end of your post with another fallacious analogy, comparing encryption software to bolt cutters, as if it is obvious that its presence alone implies criminal intent. That's extremely dangerous reasoning. Just because I want to encrypt something does not mean I am encrypted child porn. Are you buying child porn whenever you enter a secure website that uses SSL? THINK about it. Think real hard. It's a subtle but extremely important distinction.
Same thing with someone above who compared encryption software to having a gun during a robbery. WTF? Guns, five gallons of bleach, bolt cutters, all these things have very limited uses and can be easily related to the crime in the analogy, but it will still require some sort of evidence that the defendant actually intended to use the item to commit a crime. If a guy gets caught breaking into something and happens to own a pair of bolt cutters that are stored in his shed at home, the bolt cutters have absolutely nothing to do with his crime. If a person owns a laundromat that has a clothes washing service, it would not be out of the ordinary for them to have a lot of bleach on hand. The fact that they had a bunch of bleach and used it to clean up some blood after they killed someone with a knife could not be used as supporting evidence that the crime was thought out beforehand. It just happened to be there. The fact that they used it to clean up the blood is the only fact that can be brought in as evidence, and it could only support the accusation that they were conscious afterward of having committed a crime, and trying to cover it up. The simple presences of the bleach could not have any bearing on the case.
Encryption software is a tool with many uses. Without direct evidence of its specific use, it cannot be used as supporting evidence for anything criminal. All the comments I've seen say they do not have any direct evidence of it being used in the crime, or being purchased for use in the crime, therefore it should not be admissable as supporting evidence of criminal intent. Do you get it now? It's like if you had a hammer in your desk drawer and they took it as supporting evidence that you were going to download child porn and hide it. It's totally nonsensical unless a direct link can be provided by the police.
Argh.
Use your brain.
Oh, no! Using a brain is a crime by itself in modern advertisment-based society.
Read Fahrenheit 451 or many other stories by American SF writers. They warn you 50 years ago that this would end with that - having encyption software is a crime, having gun is a crime, thinking independently is a crime too.
How many Linux distros have gpg installed by default? Should we automatically be suspected as criminals?
How many PCs don't some form of encryption? Crypto includes browsers that support SSL... necessary for e-commerce. I'm sure that at least some of the judges have PCs and browsers. Should search warrants be obtained on this basis and their computers be checked for kiddie porn?
With respect to crypto, I personally use it to keep proprietary technology and business discussions private and to digitally sign documents. I also plan to continue to do so even if it makes Minnesota judges think I must be a criminal of some sort.
The court decision is... contemptible, but to be expected, it's from the same kind of ignorant people who voted the DMCA into law.
The most charitable thing I can say is that a great many people's brains shut down immediately if the subject of child pornography comes up, and speculating as to why would. . . be very impolite.
Tech Public Policy stuff
In other news, it was later ruled that "possession of envelopes" could be admitted as evidence of criminal intent to conceal communications.
Believing something doesn't make it true. Not believing something doesn't make it false.
Why? Most tools used by burglars aren't illegal. Yet they are relevant in a burgary case. Encryption tools aren't illegal either, yet they are relevant in some cases.
In don't understand the fuss.
This is your sig. There are thousands more, but this one is yours.
Isn't this the same kind of reasoning that has led to things like witch hunts and the spanish inquisition? This is a dangerous way of thinking that criminalizes anyone with a desire to preserve their privacy... something our current government would love to turn into law at the drop of a hat.
8==8 Bones 8==8
been saying this over and over and over
mail clients need to have encryption built in
mail servers should have spam filtering built in
the way it is now, encryption stands alone, and filtering is done at the client level. each one should be pushed up a level.
This clearly could only happen because everybody said: I have nothing to hide, so why use encryption?
Every time I hear that argument I almost explode in a rage and claim that at times the usage of encryption alone will be held evidence that you're a criminal.
These times start NOW.
And by the way, this is YOUR fault you lazy bum.
-jsl
Dyslectics of the world, untie!
He didn't say NSA could break it, he claimed that no one "other than the NSA" could break it. Whether the NSA could break it or not was left unspecified. If I say that NSA can break DES, how am I guilty of divulging classified information? I deduce the information on the basis that NSA isn't incompetent and that DES has been broken by others for quite some time now.
but the signs were there for a long time.
:(
I mean, I remember, when selecting packages for a Debian installation, the very interesting non-US category
The axiom that someone is innocent until proven guilty has been reversed for some years now. At first, it was only the media that did that to some poor fellow that was pronounced guilty on TV at arrest time. But gradually this has become true in more formal forms (read Guantanamo)
And the EU is steady following
www.lemonodor.com A mostly Lisp weblog
There are lots of things that aren't really pervasive, but that doesn't necessarily make them criminal.
E.g., my parents have rented a box at a bank to keep their documents there. Their reasoning being that in case of a fire or burglary, might as well not lose those.
It's not a pervasive thing, and it _could_ theoretically be used to hide something illegal, but that's not what they use it for. And a prosecution line of reasoning along the lines of "if it's not pervasive, it shows criminal intent" would make them both criminals. (Mind you, I'm not always on good terms with them, but "criminals" is a bit too harsh a word to call them;)
E.g., high-end sports cars are not that pervasive, and _could_ be used to try to outrun the police cars. But I sure hope it doesn't make everyone who bought a sports car automatically guilty of criminal intent and planning to flee the police to the border in that car.
E.g., I know at least two people who regularly purge their browser's history and cache. One is just clinically paranoid, (Yes, literally, believes in a world-wide conspiracy, that is secretly responsible for everything from wars to Jar Jar in Episode 1. No, literally.) The other just doesn't want his wife to find out about his porn surfing habits.
It's not that pervasive a thing to do, and it _could_ be used to hide surfing for something illegal, but none of them actually surf for anything illegal. (The paranoid one is just too paranoid, for example. He _knows_ that the conspiracy is watching him.)
So to cut to the end of a long rant, an idea like "if it's different from the norm, it can get you (extra) time in jail" seems like a very very dangerous precedent to me. Pressure to be 100% conformist and obedient can be bad enough as it is. Attaching an extra potential jail sentence to anything if it's unusual, seems to me like a very bad idea.
A polar bear is a cartesian bear after a coordinate transform.
In this case, there doesn't have to be encrypted files, PGP can do secure wipes.
And your still wrong.
Not only was there no indication that he encrypted porn, but there was no indication that he wiped anything either.
Had a wipe been done it would have been forensically OBVIOUS. The normal contents of 'empty' areas of a harddrive are miscelaneous file fragments, not systematically scrubbed sectors. Now assuming the police are not incompetent and they actually analyzed the harddrive, this means that the harddrive itself is actual evidence that no wipe was done.
You want to 'get the bad guy' and you are allowing it to bias the evidence in the case. You are imagining things he may have done that there is absolutely no indcation that he actually did, and you are allowing your imagination to be used as evidence.
The actual evidence is that nothing was encrypted. The actual evidence is that nothing was wiped.
This is exactly why certain things are supposed to be excluded from evidence. The prosecution cannot toss in irrelevant and prejudical items to get the jury to think X when the actual evidence is that X never happened.
God forbid someone actually does have an encrypted file on their computer - a very personal diary - and gets accused of some crime and gets you on the jury. You are going to jump to the FALSE conclusion that the encrypted file is evidence of guilt, even when there is absolutely no actual indication of any connection between the file and the alleged crime.
2 plus an imaginary 2 does not equal 4. If 2 is enough to convict then fine, convict based on the 2. If 2 is not enough to convict then you should not be throwing in an imaginary 2 to change a not guilty into a guilty and to convict a likely innocent person.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
If he was making "artful" works, it's not against the law to take nude pictures of children. If it was, all our mothers would be pornographers. You can't tell me your mom doesn't have a photo of you from when you were 2 or 3 running around the yard naked..
Not a Twitter sockpuppet... but I wish I was.
I have a penis . . . in a rape case, this can be construed as criminal intent.
If you think you're joking, you haven't spent much time on a college campus recently.
I understand your point of view, but I believe that is more like: "You have been accused of murder. Your door has locks, so you have something to hide."
There is nothing wrong about having a door with locks on it. Neither to have PGP installed.
Is very different if behind the door you can find a lot of child porn pics... The problem is not related to the PGP, but with the content that is encrypted.
#3 is interesting. I know TPM is associated with 'evil-DRM-Trusted-computing-stuff', but I use it as an unbreakable store of my sensitive keys. If what the inventors say is true (I work with some of them), you'd have to be a stronly motivate government to stand a chance of getting stuff off the TPM, so implicitly, off this hard disk.
If your work with the inventors, you should know one thing. It is not trusted computing that is seen as inherently unsafe or "bad". That is the (IMHO VERY harmful) anti-tcpa propaganda which dumbs things down too much - which leads to people like you asking "so what?"
Yes, I would be very happy to own a trusted computing device, if and only if I have access to ALL keys and there is nothing hidden to me as the user (of course, with authorization by a passwort/master-key).
But that's the point and the danger. Trusted computing with "not-your-own-keys", areas on your computer controlled by someone else, makes the most evil forms of DRM, goverment control etc. possible!
FTA: "The court didn't say that police had unearthed any encrypted files or how it would view the use of standard software like OS X's FileVault. Rather, Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser.
Judge Thomas Bibus had convicted Levie of two counts of attempted use of a minor in a sexual performance and two counts of solicitation of a child to engage in sexual conduct. The appeals court reversed the two convictions for attempted use of a minor, upheld the two solicitation convictions, and sent the case back to Bibus for a new sentence."
So the only evidence against this man (that we know) is one exercpt from his browser history, and the uncredible testimony of a 9 year old. Remember the peoples lives damaged by satanic ritual abuse, when in fact "There is ample evidence that therapists and law enforcement personnel encourage and reward children for accepting the suggestions of bizarre abusive behavior". So unless there's some photos, anyone who wants this guy put away is an overemotional idiot that needs to learn the meaning of justice.
The road to hell is paved with good intentions.