Encryption Passphrase Protected by the 5th Amendment
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.
Hmmm....
"That worked for Gonzales. Maybe waterboarding could make you remember, tho."
Hmm, that brings the question, did we waterboard Gonzales? If not, why not?
...once it gets to appeals court it will hold up as long as a geek in waterboarding session. Certain kinds of utterances have been determined to be "non-testimonial" and not eligible for Fifth Amendment protection, and encryption keys are IMO almost certain to be found as such by the current Supreme Court, since it isn't the key which is incriminating, but the evidence protected by the key.
If the passphrase is considered keys to a safe, and you are therefore likely to be forced to divulge it, then you can avoid trouble by using an encryption system, like TrueCrypt, that supports plausible deniability. Inside the encrypted volume, blank space is always filled with random data, which can also be another nested encrypted volume. Without the correct passphrase, nobody can prove that the random bits are anything more than random bits.
This is horrible case law. I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.
Encryption keeps getting easier and easier to use - someday my job wont be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.
I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
Botnets cannot break decent encryption either.
What a lot of people fail to realise is that encryption can be made unbreakable even by brute force by simply choosing a large enough encryption key. What people also fail to realise is that 256 bit encryption doesn't take twice as long to crack as 128 bit encryption. It in fact takes 2^128 times as long to crack.
Let's for a second assume that 128 bit encryption is crackable by your own personal home computer in a period of 1 hour.
136 bit encryption would take 2^8 times as long (250 times as long)... so we use 250 computers, and crack it in 1 hour still.
144 bit encryption takes again 250 times as long, so instead we use 250 superpowerful server computers and crack it in 1 hour.
156 bit encryption takes another 250 times longer, so we use a top-secret government super computer the size of the Pentagon and still crack it in 1 hour.
164 bit encryption takes.. you guess it, 250 times longer to crack. All the governments in the world pool their top-secret super computers and crack your content in.. 1 hour.
172 bit encryption takes 250 times longer to crack. We use all the computers on the entire planet and manage to crack it in 1 hour.
180 bit encryption takes 250 times longer to crack. We use all those computers, but let them run 250 hours (10 days) instead.
188 bit encryption takes 250 times longer to crack. We let those computers run 6 years to crack your password.
192 bit encryption takes 250 times longer to crack... never mind, we're not THAT interested in your personal photo album.
Since it's protected under the 5th Amendment, not only can it not ordered disclosed, it can't be commented on by the prosecutor if the defendant refuses to divulge it.
The Law blocking a criminal investigation thing stems from years of torture to confess something. The Salem witch trials and the Spanish inquisition would be a classic example but there are others directly related to the struggles between colonist and England as well as examples outside US history. the person was tortured or otherwise compelled into admitting guilt- Whether they were guilty or not.
Basically, if you have the right to not incriminate yourself, then they can't force you to "confess". And if it happens, then any convictions should be turned over by a higher courts assuming that things go according to plan. This also carries the problem of blocking a criminal investigation but the necessity of not being forced to confess out ways the setback to criminal investigations. Many people support this idea if not simply because they don't want the cops showing up at their front door demanding you to tell them something you did that was illegal and later claiming it was part of an investigation.
As for me, I think it is a necessary evil that protects people in many ways above any benefit from a criminal investigation. If there is sufficient cause for the criminal investigation, then there will be other evidence outside that aspect that will eventually show up if it isn't already there.
One way they get around the 5th amendment is to grant immunity from prosecution for anything found or disclosed which seems to have the same effect of the 5th amendment. Something like that would be useful in convicting others involved by letting one person escape justice.
It's more then just confessions. The police can't decide you are a thief and then ransack your house on the hopes of finding something stolen. When they search they have to know what they are looking for, and have reason to believe that they will find it.
Here they are saying that he has files that they know nothing about. Because those files are unknown, he is protected from having to provide them.
Thinking about it, I'm surprised that we haven't heard of cases getting thrown out because of computer evidence collected outside of the scope of any search warrant poisoning too much of the subsequent evidence. I could imagine a warrant to look on your computer for a warez program they think you have turning up an ssh known_hosts file entry for a warez server. Since they weren't looking for that evidence (maybe because they thought the computer had not been networked, or was not involved in warez transmission, just storage) then they can't use it, and if they then go hunting the logs of that remote server to find the connection that can't be used either because it was evidence they only knew to look for because of evidence they weren't allowed to have anyway. And because you can't un-know information once you have tainted evidence you have to show that any subsequently gathered evidence did not come from knowledge of that evidence or at least would have eventually been discovered by other means.
However I must offer the following disclaimer: I am not a lawyer (nor do I do anal like so many of you non-lawyers), but I have watched a lot of Law & Order. Disclaimer: Not being a lawyer, much