Slashdot Mirror
Encryption Passphrase Protected by the 5th Amendment
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
Terrorists!
"I forgot."
8==8 Bones 8==8
So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.
Hmmm....
Well the government of Vermont can't at least.
Libertarian Leaning Political Discussion Forum.
By giving the government his password, the judge held, that the defendant was incriminating himself by opening up all of his files that weren't pertinent to the investigation.
Quite the opposite. By giving the password the defendant may incriminate himself by opening files containing incriminating (and pertinent) information, but unknown to the government prior to that.
Thank God...FINALLY, a score for US privacy rights...and upholding our Constitutional rights!!!
You just don't see that much any more.....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
>So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.
Hmmm....
Well the government of Vermont can't at least.
It was a Federal judge.
It was also probably not worth bothering the NSA with. I wouldn't take this to mean much of anything about how quickly the Feds can crack PGP.
No they don't.
Just like any other serious crime the police should be investigating it correctly and building a case without needing to look around the suspects' house first.
liqbase
Yes, and it's perfectly legal for those investigators to try to decrypt your files themselves. What they CAN'T do is say, "Tell us where the incriminating evidence in your house is, or we'll put you in jail," or "Give us an itemized list of every single thing in your house so we can decide what is incriminating, or we'll put you in jail." Neither can they say, "Give us your encryption password or we'll put you in jail."
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner. On the other hand I am relieved it has finally happened.
Yes, it will protect them, as it should. They are not terrorists until PROVEN so, not because we suspect them to be - just like you are not necessarily a selfish jerk, even though I suspect you are.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Well, maybe because a better analogy is "I have a warrant to search your whole house. You need to give me the key to the locked room in the back." I'm not sure it is "painfully obvious" but this is the correct decision in the end.
This comment is guaranteed*
*not guaranteed
This case is a very interesting overlap between 4th Amendment "right to privacy" cases and 5th Amendment "right not to self-incriminate" cases. I personally think that if the government can't break the encryption to "prove" what is hidden from them, they have no right to force the owner to do their work for them. People have a right to keep stuff private, and if they've hidden it effectively, then tough shit for the cops.
I acknowledge that child porn is inherently harmful to the children involved, and that laws targeting possession of child porn are therefore valid so far as they aim to protect children by destroying the market for the exploitative and harmful material. And there is no first-amendment protection for child porn. But the cops still can't break into your house without a warrant just because they they think you have pictures of naked kids inside, and they can't wiretap your internet connection without a court order (heh, they can't LEGALLY, even though it's probably going on right now OMGHI2NSA). Those are 4th amendment rights. But the 5th amendment kicks in to say that even with a court order and a valid warrant, the cops in your house can't force you to tell them which floorboard is the loose one with the bloody knife hidden under it. If you refuse to tell them, they have to find it on their own-- and if they can't find it, they can't use it as evidence against you. That's exactly how the 5th amendment is supposed to work.
A police force with the power to compel self-incriminating testimony becomes the enemy of any citizen who wishes to lawfully express dissent with any policy of government. The 5th Amendment is the most powerful safeguard citizens have against confessions extracted via torture finding purchase in US courts.
From the decision itself (lifted from that post at Volokh Conspiracy), bolded emphasis is mine:
Humpty Dumpty was pushed.
I always thought the 5th amendment served two main purposes:
1. Prevent the government from compelling individuals to confess (through torture, or other means).
2. Give weight to confessions by ensuring that they were not obtained through torture.
Perhaps it will be illustrative to take the computer out of it, since we tend to get distracted by the technology. To me it seems pretty clear that if someone is arrested carrying a letter that was encoded with a cipher with information that may or may not be relevant to the case, that the person could not be compelled under law to explain how to decrypt the letter, whether to law enforcement or in court. Of course that couldn't stop the officials from attempting to break the cipher. But just because modern encryption is more difficult to crack than a hand cipher, I don't believe that changes the nature of the situation.
What if someone actually did forged their long, complicated pass phrase? In that case, prosecutors would be trying to force someone to divulge a passphase that they don't even know.
On several occasions, I have briefly played around with encryption programs and made an extra copy of unimportant stuff and then encrypted it. Since it was usually just for practice, I did not always bother writing the passphrase down on the sheet of paper which lists all my passwords and passphrases. I may have not always got around to deleting those encrypted practice files and they may still exist somewhere on one of my old hard disks or on a USB key or somewhere or in the box of CDs that I have burned. I would have no idea what the password or passphrase was for those old practice encryption files.
I could easily imagine some prosecutor putting me in jail for not being able to come up with a passphrase to some old encrypted practice file. Then eventually, after getting out of jail, perhaps I would eventually find the passphrase on some old scrap of paper and they would discover that it was just an encrypted folder full of dozens of free 80 year old Gutenberg.net ebooks.
A person, such as myself, who has have never actually bothered to use encryption on a routine daily basis, would someone who is most likely to forget their passphrase. Perhaps I should dispose of all my old hard disks or wipe all the data with Darik's Boot and Nuke Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.
So if they can be compelled to testify against themselves, what methods
are appropriate for that? Nothing life-threatening, surely, but perhaps a bit
of waterboarding is in order?
Statements such as these are often made by paranoid conspiracy nuts and dutifully repeated by people that have no absolutely no clue about how science works. There are some things money just can't buy today... A quantum computer entails decades worth of research in physics, chemistry, materials research, etc. etc. It's not really a task possible by a secret group of people working separately from the main academic community.
If there is anything that you should have learned from reading all of those articles about quantum computing, is that it's friggin HARD. Any quantum device complicated enough to even be remotely useful in breaking encryption is many decades away. This is because it will take centuries of man hours and armies of graduate students in multiple fields to crack this nut. There still need to be tens of thousands of PhD's written on related topics before you can even dream of starting construction.
In order to have a secret working quantum computer, the US government would have had to have been actively working on the technology since long before traditional silicon computing took hold... hell, long before the idea of quantum computing for decryption even tickled our imaginations. They would have had to independently train a clandestine army of engineers and physicists that far outclassed our brightest minds in academia. These people would have had to replicate ALL of our modern advances decades earlier (which, btw. is not apparent from any other military technology). The resources required for a project like this are simply staggaring, and I estimate that the financial costs would have EASILY been in the trillions of dollars.
We certainly do spend enormous amounts of capital on military R&D in the USA, and there are many important technologies where the military is years ahead of commercial efforts. However from numerous projects that have bee declassified over the years, this advantage usually only involves the effective weaponization / improvement of currently existing/proven technologies. The military is only ahead in the little details of practical implementations, and not the fundamental scientific principles. In short, claiming the existence of some secret quantum computer is akin to claiming the US military had Joint Strike Fighters before the Wright brothers even made their first flight.
But in getting that "key to the safe" in response to a search warrant there isn't a wide open "fishing expedition" granted.
If the warrant is to gain access to, for example "the twelve pornographic photographs known to be in the safe" that does not allow the investigators to also review the contents of all the accounting books also in the safe.
Since the original officers who looked at the images probably have no idea which files they were, I suspect that they will rifle through EVERYTHING in that drive if they had the opportunity, just to make sure they found the ones he saw.
By doing so they will likely find other things that may pose a problem to the owner of the drive the government now possesses, and US law has always said that one can't be made to incriminate themselves.
Very picky points, but in this case I actually think the judge may be right within very narrow confines.
(If the original investigator can remember the actual file names/paths, I suspect the defense could be asked to product THOSE files, but lacking that...)
--
Tomas
You advocate punishing people for not confessing a crime?
Get a grip.
As always, all IMO. Insert "I think" everywhere grammatically possible.
In case you still have no concept of how big this number is, there are estimated to be around 10^80 atoms in the universe, which is around 2^266. That means that each of your four billion computers is having try 2^1740 keys for every atom in the universe.
To put it another way: Let's assume each of your four billion computers is a few orders of magnitude faster than anything I know of and can try four billion keys a second, giving you a total of around 2^64 keys tried per second. This means you can do around 2^76 per day. At this rate (and don't forget that we are assuming that you have almost as many computers that are orders of magnitude faster than anything real as there are people in the world) it will take you 2^1972 days to do an exhaustive search (although on average it will only take you 2^1971 days to find the key). For those following at home, that's around 2^1962 years. For reference, the universe is approximately 13.7 billion years old, which is a shade under 2^34 years.
In summary, if every atom in the universe was a computer that ran orders of magnitude faster than anything we can build today, and it ran for the life of the universe to date, you would not be able to crack a single 2048-bit message. If, however, you have a quantum computer, then you might be able to.
I am TheRaven on Soylent News