PGP Ruled as Relevant For Criminal Case
waytoomuchcoffee writes "A Minnesota appeals court unanimously ruled in a child porn case that "the existence of an encryption program" on the defendant's computer could be admitted as evidence of criminal intent. The article doesn't mention if this can be taken into account for sentencing too."
dangerous precedent?
It also depends on whether he was using PGP to encrypt just his email or his HD, since newer versions can do either. Personally I don't think he should have to produce the keys either way, but there is a difference. If he was just using PGP for email then it should be entirely irrelevant, since obviously no nine year old girl is going to have PGP on her email (or at least any 9yo girl who does should be smart enough not to hang around pedophiles).
If you had carefully RTFA, you would notice that nobody is suggesting that encryption software is illegal. They included it as a component of their case to establish _criminal intent_. In other words, if he's hiding something, he knows he has something to hide, therefore he knows he's doing something wrong... not just really, really stupid. Again, they're not suggesting everybody that has encryption software knows they're doing something wrong... in this case, the fact that he was doing something wrong was established with other evidence. The fact that he knew that what he was doing was wrong was supported by the fact that he tried to hide it. The same argument would probably be made if he had locked the pictures in an industrial-strength safe. As usual, the FA is not as bad as the slashdot headline.
As a side note, with that earlier /. article about the MS guy saying to write your passwords down, is encrypting my password list an act with criminal intent?
My front door has a lock which can be opened only with my key. Therefore, I am hiding something reprehensible inside my house.
Logic, people, logic!
-- The reason it's called the right wing? Irony.
The article says the conviction was based in part on his searching for child pornography through search engines. However, if he used PGP to encrypt his HD then there is no way that law enforcement could have known this. Does that mean that Google or whichever search engine he was using logged his search history and handed it over to police??
Keys and passwords can be obtained during discovery, and failure to provide them is the same in the eyes of the law as not providing keys to your premises; you can be found in contempt for such.
Why on earth did the court rule that the mere existence on this criminal's systems constituted criminal action?* Why didn't they ask for keys as part of the trial and find out what he had encrypted? All this does is punish us in the tech world by alluding to the use of cryptography as a criminal action.
*And yes, this guy certainly deserves what he had coming, but don't punish me for his actions...
What can I add to this that hasn't already been said half a dozen times. I use GPG (Gnu version of PGP) to digitally sign my email messages on my Linux machine. This is because certificates and other authentication methods cost money. GPG allows others to certify that I sent the message that claims to be from me. This is helpful for spam that parades as coming from me as well as other things. Additionally, as my family is starting up a business and we will all be in different states, the safest way for us to exchange information cheaply. Yeah, we have free long-distance on our cell phones, but for that we may as well be yelling out our windows. Email is likewise able to be tapped without some encryption. Thunderbird, enigmail, and GPG allow me to get a decent amount of protection for free. It isn't NSA-grade encryption, but it's good enough to stop most people. So yeah, I'm not a criminal because I use encryption. I just like to have some privacy. Otherwise why not just post my SSN to slashdot?
But if you selectively encrypt some documents and not others, it implies that you may have a particular reason to hide those documents. That makes it unreasonable to claim that you didn't know it was wrong.
If all your documents are encrypted, or at least many documents that aren't related to a crime, there's no implication that you're hiding something in particular. Then you can make the "I didn't know" argument.
Social scientists are inspired by theories; scientists are humbled by facts.
Yes, but by this logic, if someone "takes the fifth", it could be used to incriminate them, which kind of destroys the purpose of the right.
Why is this relevant? Well, if he is using encryption, and they ask him for his key to decrypt the files, I'd say that would be him testifying against himself. Along those same lines, if he refuses to give the key (because he has the right NOT to incriminate himself), they are basically saying "Hey, we don't need the key, because he wouldn't be hiding anything if he had nothing to hide, so he must be guilty!"
This really represents a failure on the part of the judge. The only thing encryption represents is an unknown: not intent, not a particular set of data. You might as well hand the police a blank drive and infer from that "He must have erased it, and he wouldn't have done that unless he was guilty!"
Just like the presence of a gun during a robbery lifts the crime to armed robbery, the presence of encryption ought to imply not only that the culprit intended to commit the crime but also intended to cover it up as well.
Well, if I use a gun in a robbery, that makes it armed robbery. But if I own a gun that is not used in the robbery (say it's locked in a safe at home) does any robbery I undertake automatically become armed robbery? I mean, don't you think there should be evidence that I actually used the gun in the robbery?
That said, this isn't what the court decision is about. It isn't saying he is guilty because he has encryption software. It's saying the jury can consider that as evidence.
Mathematically, it is true that the significance of a fact depends on context. Thus something which in isolation doesn't mean much can become significant when joined to other facts. However, some things are so commonplace that you can't fit them into any kind of logical structure that will help you make a conclusion.
You might as well say that bank robbers wear shoes and the accused owns several pair.
Fortunately with the other evidence against him, I doubt this spurious instruction had any effect.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
The fact that he knew that what he was doing was wrong was supported by the fact that he tried to hide it.
And if you had read the article carefully, you would have noticed that there's no evidence he tried to hide the files. From the article:
Using your analogy it's more like they found an empty bargain-bin safe at the house, and used that as evidence against him. "The man had a SAFE! Only criminals have safes!". As far as comparing PGP to an "industrial strength safe", well that might be a good comparison.. if all safes were industrial strength and given away very cheap or free.
AccountKiller
This case could be more analogous with the following added components:
FBI: You Tried to launder money to the Soviets, didn't you?
Person: No. I didn't.
FBI: We caught you exchanging money with operatives in Soviet Russia.
Person: When?
FBI: You know when.
Person: I do?
FBI: Just answer the question.
Person: What question?
FBI: Uh. Encryption! You have encryption software on your computer, don't you?
Person: Yep.
FBI: So, you have something to hide.
Person: Sure, my credit card numbers that I use on line, personal data that could be used for identity theft, business correspondence I don't want my competitors to read, accounting data, that kind of stuff.
FBI: So, you could use this program for illicit purposes.
Person: What's 'illicit?'
FBI: You also have steganographic programs on your system.
Person: Stegano- what?
[Jury member takes note: "Linux newbie. Doesn't know just what the vast majority of the software that came with his distro is or does, yet."]
------ The only greater hazard to your liberty than n politicians is n+1 politicians.
Now, said sleazebag is trying to get a new trial because the prosecutor was allowed to bring up his use of PGP. I certainly agree that mere presence of PGP does not prove criminal intent; after all, I have a similar program (GPG) on this machine. But even if that evidence should not have been allowed, it is at most a trivial error that did not appear to affect the case.
It's been suggested (though untested AFAIK), that a memorized key, with no copies written down, would not have to be divulged. And in any case you could "forget" and face only contempt of court, which is likely to not be as bad as what the files would imply.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
"No encrypted files were found on his computer".
The guy didn't use PGP, he just had it installed. Just like I used to, before I found any use for it (now I have one encrypted file, the one containing passwords for sites I don't visit very often).
This wasn't about admission as evidence. This was about proving criminal intent. His intent was 'proven' with the existence of encryption software -- so GP's analogy was actually quite accurate.
Of course, IANAL, but it seems to me that this would presuppose the defendant's guilt by virtue of allowing this evidence to be used in court. To me, that would be enough to contest and ask for a retrial. But then again, I'm no lawyer and I don't know all the rules.
Don't they have the investigative right, once you've been charged with a crime, to simply do whatever it takes to decrypt the files? Presumably, this would merely involve sitting down at your computer and using the same tool you used to encrypt them. I don't see why the existence of the encryption tool would be admissible. If you know that the tool was there, surely your warrant goes so far as to allow you to use it.
Unless, of course, there aren't any encrypted files to be decrypted. In which case you can either prove that the files were deleted or moved off the original computer with about the same amount of difficulty as actually decrypting those files. Otherwise how can you even know that he used the software once he downloaded it?
Of course, I could be going in entirely the wrong direction here. Maybe they wanted to keep the defendant from pleading insanity.
A strain of paranoid prevention can be worse than the disease, whate'er the intention.
This is no different than the fact that a guy charged with burglary had a crowbar on him. When you're suspected of a crime, the presence of the tools to commit that crime or cover it up is relevant (though not dispositive) in a criminal trial. For a guy charged with making child porn, having a digital camera is relevant; doesn't mean that your digital camera alone is going to get you thrown in jail.
This is a hail mary by the defense attorney that does nothing but put software on the same footing as other tools.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
The trial judge allowed the jury to hear about the installation of PGP. The trial judge was accepting it as evidence of guilt.
The appeals judges let this stand, saying in effect that a trial judge has to screw up bigtime before they'll undo that judge's decision, and that in their opinion the trial judge did have a leg to stand on.
They didn't say that the very existence of PGP indicated criminal intent, they said that it may be used to prove criminal intent. Slightly different.
Because of the judicial branch.
The Executive and Legislative are completely corrupt.
The great thing about computers is that they make finding and manipulating digital data a snap. The bad thing about computers is that they make finding and manipulating digital data a snap. It's a double edged sword that is, at least partially, dulled by encryption and other security measures.
You use a computer to generate sensitive data because it's easier and more powerful than traditional methods, but that doesn't mean that you automatically want to forego the security that is implicit in a paper and pen solution.
Does this mean that keeping your photo album in a 'locked' house is evidence of criminal intent?
Scared of flying, pointy things since 1979!
E.g., I do carry a bag or two with me almost at all times, because I sometimes just want to drop by at the grocery store and buy stuff on the way home from work. And I see no point in buying a new plastic bag each time.
So basically if someone decided to accuse me of shoplifting, that bag -- even if not used at the time -- would suddenly be criminal intent. Seems bloody stupid to me.
E.g., back in college I did have half of my hard drive encrypted -- and that was before the OS itself came with encryption -- just because I didn't want the rest of my family reading my private stuff. Among other things, for a month or so at the time I tried to write a diary, and I didn't want it to be the whole family's business. ("Nosy" is too mild a word to describe my parents.)
What if at the same time, and totally unrelated, I had followed a link to some illegal site? God knows some sites had tons of redirects and links to warez sites, porn sites, etc.
Would suddenly that encryption software count as criminal intent to encrypt and traffic that illegal stuff? Even though it was never actually used to encrypt any of that?
Seems to me that linking everyday items to somehow imply premeditation and guilt, is severely flawed. Unless it is proved that the bag, or the encryption software, or whatever, was actually _used_ in committing the crime, it seems to me that mere possession doesn't really mean anything.
A polar bear is a cartesian bear after a coordinate transform.
The trial judge did not accept it as evidence of guilt. In the American system of jurisprudence, judges never make any determination as to whether evidence is implicating or exonerating. They only decide whether evidence is relevant. All other decisions--like how much credibility to put in the evidence, whether the evidence implicates or exonerates, all other decisions--lie in the hands of the jury. The framers of the Constitution didn't trust the government to judge evidence; all fact-finding was delegated to the jury.
In this case, the judge decided the presence of PGP may have had evidentiary value and thus it deserved being presented to a jury. Twelve people from the community then looked over the entirety of evidence, of which the presence of PGP was a really minor part, and decided that the balance of the evidence indicated his guilt beyond a reasonable doubt. And an appellate court has said that the trial judge wasn't unreasonable in finding that the question of PGP was best left to the jury.
Wow. Amazing. How dare courts do that in America? It's positively unamerican.
ENCRYPTION != EVIL
OK, agreed.
But I wouldn't necessarily put it that way if I needed to make a point. Even if you get somebody to agree with you, it doesn't necessarily help them draw more accurate inferences. Indeed their inferences might still differ hardly from if they thought it was evil. The point here is that they were instructed to consider encryption as evidence. Well, OK, but how do they weight that evidence? Bayes' theorem says: P(A|B) = P(B|A)*P(A)/P(B).
People have a kind of rough intuitive understanding of this. Suppose "A" is "Is a Terrorist" and "B" is "Uses Encryption". Let's say 1% of the population is terrorist and 1% uses encryption, because I'm lazy and like my factors to cancel. But since we're talking rough intuition, it's not much of a stretch: what I'm saying is that both terrorism and encryption use are both perceived to be unusual, even if we can't assign precise numbers to them. So, in this case, we get P(A|B) = P(B|A). Let's say that only 10% of terrorists are stupid enough not to use encryption. If we find out somebody is using encryption, if these assumptions are roughly correct, we can be 90% certain that they're terrorists.
On the other hand, suppose everybody uses encryption. Skipping the boring algebra, this works out to mean P(A|B) = P(A). This means that some person who happens to use encryption software is exactly as likely to be a bad guy as any person picked at random walking down the street. It's a one in a hundred chance, not quite enough to send anybody to the gallows, I'd say.
Which is a big mathematical "duh". People understand intuitively that unusual facts tell you more about somebody than commonplace ones. The fact that somebody staggers around making loud and rude comments and acting unruly is more helpful if you're trying to decide whether he's drunk than the fact he has ten fingers and toes, as it turns out most drunks do.
The heart of the problem then is that encryption is perceived as exotic. Dynamite, we can all agree, is not evil. But people don't keep it around unless they are using it on their job. If it is found in the urban apartment of a postal worker, it tells you something significant about that person.
This highly misleading message is reinforced by testimony like the police expert. Oh, I would love to have been the one to cross examine this guy. He pointed out that the only people who might be able to break this code are the National Security Agency. The logically inclined among us will naturally find this to be stunningly irrelevant. I might keep my valuables in a safe deposit box that could only be breached by a small nuclear device, it doesn't mean that I'm keeping stolen nuclear plans there. A marketing expert would of course understand exactly what the expert was telling the jury: "This is not something you'd ever use -- it's exotic, cloak and dagger stuff for nefarious purposes."
The better counter message is this:
"Encryption is commonplace stuff. You encrypt data probably every day without even being aware of it, because it's so natural and automatic you never stop to think about it. You encrypt data when you order a book online, or check your bank balances. If you don't encrypt your credit card or bank data, then chances are it's being done for you by the person who is serving you. While your personal information might not be safe when it gets to the bank, it is extremely safe en route. So far as we know, nobody can steam open the envelope and look inside, not even the US Government's top secret spy agencies. They have to wait for the bank to open the envelope first.
The world would be a very different place without encryption. Would you like it if you had to get your bank statements and pay your bills on post cards? Especially if anybody could use your credit card just by claiming to be you? Fortunately, every well designed system for storing and transmitting your data electronically has provisions for protect
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
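Added worked example (not part of the comment above): the Bayes calculation from that comment carried through with the law of total probability, using its A = "is a terrorist", B = "uses encryption" and its 1% and 90% figures. The third case uses a constructed intermediate value that does not appear in the thread.

    P(A|B) = P(B|A)*P(A) / P(B)
    P(B)   = P(B|A)*P(A) + P(B|not A)*P(not A)

    Case 1, encryption is rare: P(A) = 0.01, P(B) = 0.01, P(B|A) = 0.9
        P(A|B)     = 0.9 * 0.01 / 0.01 = 0.9
        P(B|not A) = (P(B) - P(B|A)*P(A)) / P(not A)
                   = (0.01 - 0.009) / 0.99 = 0.001 (approx.)

    Case 2, everybody uses encryption: P(B|A) = P(B|not A) = 1, so P(B) = 1
        P(A|B) = 1 * 0.01 / 1 = 0.01 = P(A)

    Case 3, constructed: half of everyone else uses encryption, P(B|not A) = 0.5, P(B|A) = 0.9
        P(B)   = 0.9 * 0.01 + 0.5 * 0.99 = 0.504
        P(A|B) = 0.009 / 0.504 = 0.018 (approx.)

The 90% in Case 1 follows only because those numbers imply that about one in a thousand of everyone else uses encryption. As P(B|not A) rises, P(A|B) falls back toward the prior P(A).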
I am not as shocked by them now saying that a program that encrypts files is related to child porn. Hell, they told a grand jury (an Alabama grand jury. that means mostly farmers that have no evil computers) that "He has his hard-drive partitioned into 4 logical drives. This is common practice among child porn people."
When it comes to child porn, they are really cracking down. And that's not a bad thing. It just seems like an invasion of privacy. I mean, what if you are into drafting, like me. If you have an encryption program on your computer, it could be used for anything.
It's the same with "safe-delete" programs. Will they go as far to say that "If you have a safe-delete program on your machine, you get arrested for possession of illegal things"? I guess this is the price we pay to have freedom as Americans.
There is a standard joke in the law enforcement community that goes something like this:
What do you call a perp that talked to the police at the scene?
Inmate.
EricF