Slashdot Mirror
Encryption Passphrase Protected by the 5th Amendment
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
Just how did the judge come to this conclusion? On the summary side of things, it makes sense, but just what circumstances led to this particular notion?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Terrorists!
"I forgot."
8==8 Bones 8==8
So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.
Hmmm....
It's a sad sad day in America that the truth of the 5th ammendment and the constitution itself is even called into question in this way. Thanks to the judge who supported the constitution, unfortunately there are laws shredding it up as we read this news.
http://www.govtrack.us/congress/bill.xpd?bill=h110-1955
Welcome to the police state.
Liberty.
If someone is asked to give her passphrase, and she is not under oath (i.e. in a police investigation), it is possible to just lie, right? In the other hand, if the person is under oath (i.e. in court), she cannot lie, but providing such information would constitute self-incriminating testimony, and that would infringe the 5th amendment. Does that make any sense?
Nolo clears things up nicely about self incrimination. While I don't know the accused or support his alleged crime, I do think that the judge is correct in his statement. Kudos to the judge! If the prosecution wishes to discover the contents of an encrypted file then they actually need to jump through the hoops of an investigation. Hell, getting a warrant and just installing a camera over his keyboard would sooner or later reveal the passphrase wouldn't it?
load "$",8,1
On my current setup with Ubuntu 7.10, it is fairly easy to set up TrueCrypt with hidden volumes.
http://www.truecrypt.org/docs/hidden-volume.php
Without any proof of the existence of a hidden volume, there is no way for the government to compel discovery. I don't bother using a hidden volume myself because I'm not concerned with plausible deniability. But without being able to tell me apart from the users that do, a judge won't be able to do anything for the government.
Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
..this means that people covered by US law can refuse investigators access to their PC, for example if they are under investigation for piracy, but they also have 5Gb of childporn on their PC? Or did i misunderstand completly?
Pure awesomenes
No they don't.
Just like any other serious crime the police should be investigating it correctly and building a case without needing to look around the suspects' house first.
liqbase
My passphrase is: "field kitty sr53"... " or maybe that was 35, I never remember, the 5 could have been a 7" .. then there is "tulip Sandiwch" ... "or was it sandwich Tulip?, you know I was only playing around with this partition I don't actually store anything on it... Hmm, did I decide to use underscores or hyphens? I think I used underscores because I decided spaces might brak things, or maybe it was underscores, they are on the same key you know... try holding down shift... Maybe I misspelt "sandwich", english is'nt my mother tonge.
But anyway, now you know my pass-phrase.
From TFA:
An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."
Like it or not, the "adult pornography" is probably a red herring, so what is this "animation" business? Is that all they have on him? I've seen episodes of South Park that qualify as "animation depicting child pornography". I hope there's more to this case than was explained in TFA. If not, this sounds like a witch hunt.
http://greenobyl.com/ please.... think of the children!!
IANAL but my law view is this...
The law can convince you to incriminate yourself, and the evidence is admissible. You may confess a crime if you have one to confess. You have to state that it's by your own free will. However during trial if you fee so-moved, you can invoke the 5th amendment to disavow your earlier statements. This may be taken as hostile to the court, if not decided upon by prior consultation.
If other evidence already obtained points to you, the law can search you or your premises by obtaining a warrant from a court. The warrant must specify what is being sought and what will be seized. Unfortunately many search-and-seizure operations overstep their bounds. Computer communications are there for the taking, a wealth of self-incrimination, and the courts have no problem using them.
When you send an email you have no choice whether it is archived somewhere or not. Recent emails are always sitting in incoming and outgoing mail queues. Thus the only way to opt out and get true privacy is to use encryption. Your concerted choice was to keep communication confidential between yourself and your compadre. If the only way the law can incriminate you is to coerce you, the information obtained cannot be used in evidence against you. You must be willing to volunteer it. If you are not willing to volunteer it, then they must find other avenues to bring evidence.
For the moment torture is still illegal, at least once it's brought before our court system. This is why the prisoners at Guantanamo are being held off from our court system for the time-being. All those cases will inevitably need to be tried here, because no upcoming president will be good enough to sign on to a world court, and no military tribunal can just go off and just hang a group of abused, innocent people. So most of those cases will be thrown out for lack of evidence. And most of those prisoners will counter-sue for false imprisonment. And they will sue the People of the United States for committing illegal acts of torture.
Likewise, persons convicted and thrown into US prisons based on confessions obtained through torture are today counter-suing the People and their torturers.
So there is a lot of hope that torture will remain illegal. However, ask yourself, how much pain and discomfort would I endure to protect my secrets? What if I was held in a room and not allowed to go and urinate? Would I enjoy pissing myself? That's not such a torture, is it? Maybe that's perfectly legal. These things do go on, on all kinds of levels, so just realize that if you've got a PGP pass phrase that somebody wants... they may just get it anyway.
-- thinkyhead software and media
> allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."
animation gets you arrested?
I think you've just created another purpose for a botnet..
It makes for a fine organised crime recipe:
(1) targeted theft
(2) decryption of interesting data with distributed botnet cracking
(3) sale or blackmail?
(4) Profit!
Replace (1) with 'politically motivated arrest'/'espionage'/'anti terror' and (2) with "expensive NSA room heaters" and you have in principle the same mechanism, but "legal"..
BTW, can't see why it would take long to boot up unless you kick the various components sequentially to prevent a power surge. The control node simply keeps updating its distribution list as more and more components come online.
Insert
Yes, it will protect them, as it should. They are not terrorists until PROVEN so, not because we suspect them to be - just like you are not necessarily a selfish jerk, even though I suspect you are.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
IANAL, I'm not even American, and it seemed to me that nor shall be compelled in any criminal case to be a witness against himself was quite clear and included that sort of thing, unless you interpret "to be a witness" ridiculously restrictively. And isn't the Bill of Rights supposed to be a collection of general principles rather than specific, restrictive directives?
Ultimately courts could decide that the the key constitutes being a "witness against himself" and entitled to protection.
Or it could decide it is the equivalent of a lock. I know that the police can force a door for a search warrant - and they are trying to force the key to this drive. But according to the article, a defendant can be compelled to reveal a combination to a safe - basically the same thing: an item in memory that allows access to evidence.
Stickier is the issue of additional evidence.
Search warrants must specify what is being searched for. But if I reasonably run across something else, that's fair game. Say that the warrant is for a 60" flat-screen TV. I could reasonably look in the garage, under beds, and such. But I couldn't look in a shoebox, desk drawer or other area too small for the TV. So nearly all search-warrants also specify "indicia of residency". Phone bills, rent/mortgage payments, electric bills and such help prove the residence was used by the suspect. But more insidiously, such documents could be almost anywhere greatly expanding the "reasonable" search to drawers, files, shoeboxes - anywhere someone might keep documents. "I was looking in a shoebox and found a stolen gun and meth." Score! If someone were compelled to reveal their encryption key it's likely that anything revealed by the key would be fair game.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
Since the article speaks of the disclosure of the pass phrase itself as violating the 5th, then perhaps they should just try some obvious pass phrases: "dig that 15yo a$$" "old enough to bleed..." "i need two tens for a twenty" or the obvious- "i did it"
Blessed with all the brains that God gave a duck's ass, and twice the charisma.
...once it gets to appeals court it will hold up as long as a geek in waterboarding session. Certain kinds of utterances have been determined to be "non-testimonial" and not eligible for Fifth Amendment protection, and encryption keys are IMO almost certain to be found as such by the current Supreme Court, since it isn't the key which is incriminating, but the evidence protected by the key.
I always thought it was a much larger 5th amendment sort of issue, not just a simple 'destruction of evidence' thing as the cops wanted to make it out to be.
Good to see some people in power haven't lost all sense of reality.
---- Booth was a patriot ----
If the passphrase is considered keys to a safe, and you are therefore likely to be forced to divulge it, then you can avoid trouble by using an encryption system, like TrueCrypt, that supports plausible deniability. Inside the encrypted volume, blank space is always filled with random data, which can also be another nested encrypted volume. Without the correct passphrase, nobody can prove that the random bits are anything more than random bits.
Me? I'll bet there are new laws being drawn up as I write this to make witholding a password illegal.
Any takers...?
No sig today...
This case is a very interesting overlap between 4th Amendment "right to privacy" cases and 5th Amendment "right not to self-incriminate" cases. I personally think that if the government can't break the encryption to "prove" what is hidden from them, they have no right to force the owner to do their work for them. People have a right to keep stuff private, and if they've hidden it effectively, then tough shit for the cops.
I acknowledge that child porn is inherently harmful to the children involved, and that laws targeting possession of child porn are therefore valid so far as they aim to protect children by destroying the market for the exploitative and harmful material. And there is no first-amendment protection for child porn. But the cops still can't break into your house without a warrant just because they they think you have pictures of naked kids inside, and they can't wiretap your internet connection without a court order (heh, they can't LEGALLY, even though it's probably going on right now OMGHI2NSA). Those are 4th amendment rights. But the 5th amendment kicks in to say that even with a court order and a valid warrant, the cops in your house can't force you to tell them which floorboard is the loose one with the bloody knife hidden under it. If you refuse to tell them, they have to find it on their own-- and if they can't find it, they can't use it as evidence against you. That's exactly how the 5th amendment is supposed to work.
A police force with the power to compel self-incriminating testimony becomes the enemy of any citizen who wishes to lawfully express dissent with any policy of government. The 5th Amendment is the most powerful safeguard citizens have against confessions extracted via torture finding purchase in US courts.
From the decision itself (lifted from that post at Volokh Conspiracy), bolded emphasis is mine:
Humpty Dumpty was pushed.
Lying in an official police statement is the same as lying under oath. Basically you're obstructing justice by lying, therefore perjury.
Karma: Non-Heinous
This is horrible case law. I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.
Encryption keeps getting easier and easier to use - someday my job wont be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.
I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
You can write your password on a paper then claim it's too long/difficult to remember and the paper was destroyed.
Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.
No sig today...
I always thought the 5th amendment served two main purposes:
1. Prevent the government from compelling individuals to confess (through torture, or other means).
2. Give weight to confessions by ensuring that they were not obtained through torture.
Perhaps it will be illustrative to take the computer out of it, since we tend to get distracted by the technology. To me it seems pretty clear that if someone is arrested carrying a letter that was encoded with a cipher with information that may or may not be relevant to the case, that the person could not be compelled under law to explain how to decrypt the letter, whether to law enforcement or in court. Of course that couldn't stop the officials from attempting to break the cipher. But just because modern encryption is more difficult to crack than a hand cipher, I don't believe that changes the nature of the situation.
Haven't you been watching the news lately? That's exactly what they'd do.
If you build it, nerds will come. Soylentnews.org
For some commentary on this case by a real lawyer who has some idea of what he's talking about, see this Volokh Conspiracy posting. Note, for example, that he points out why this is far from decided, and some interesting complexities in the case because it took place at a border crossing.
Imagine a crypto system that encrypts an entire disk volume (sitting between the file system and the block device). Imagine this crypto system can accept two different keys. When the volume is decrypted with "KEY A", only "SUBSET A" of files are exposed. When decrypted with "KEY B", only "SUBSET B" files are are exposed.
Mount the volume with "KEY A", add a bunch of innocuous files, then unmount.
Mount the volume with "KEY B", then add the files you really want to keep from prying eyes.
If you're pressured to reveal a key, give them "KEY A".
Take it from the mouth of the ex-Attorney General and just about anyone else connected to the Bush administration... when asked to divulge your passphrase, simply say "I don't recall." It works for them, so it should work for everyone else.
People who say "money does not buy happiness" are just people without money trying to make themselves feel better.
After they allowed digital cameras to be sold without buyers having to supply a DNA sample, things just went downhill.
For the perfect anti-Unix, write an OS that thinks it knows what you're doing better than you do and let it be wrong.
Since it's protected under the 5th Amendment, not only can it not ordered disclosed, it can't be commented on by the prosecutor if the defendant refuses to divulge it.
Hmm, I'm going to be unpopular.
I was under the impression that they wouldn't find you guilty of what you had been originally been charged with if you failed to provide your encryption key (assuming that the encrypted data is required for a conviction) but rather would charge you for *not* supplying your key (which of course you *would* be guilty of).
Of course if a warrant is issued by a judge (so there is some other evidence to suggest that the encrypted data is evidence of a crime) and there is *certainty* that you have the key (or a decrypted copy, after all you need to provide one *or* the other) then I am not too worried by the idea of being forced to hand over keys / decrypts.
That position isn't because I believe that 'if you have nothing to hide you have nothing to fear' etc... but rather because a legal search warrant already breaches your privacy to a fairly completely and will have been scrutinised by a judge, this simply extends it into the digital sphere. Where I get worried by it is that you could end up in jail for legitimately forgetting a key, or for receiving encrypted data.
There needs to be a balance between security and privacy and that balance should be tipped in favour of privacy, however using digital measures to hide data that would previously (prior to encryption targeted at the consumer for example) is not maintaining privacy it is extending it, there are already protections for privacy and they are fairly robust, encryption is still useful, just not if it appears to have been used in conjunction with the commission of a crime.
I think that at the moment the two things that worry me about the UK law IIRC are the fact that a warrant is *not* required and that you can be ordered to remain silent about having handed over the keys, that is very very bad IMHO.
Clearly the requirement to hand over encryption keys or decrypts rests with the safeguards in place to protect you from abuse by the government, I do feel however that in certain cases it may be appropriate.
There is no clear and definite answer to what's in an encrypted file. Most importantly, someone may actually have forgotten the key, making it impossible for him to comply. Also, there are some techniques that result in different content for different passwords, meaning that the government can keep claiming that there is more stuff even when the defendant has already produced one password.
So, with a container, at worst, the government can force it open, and then everybody knows. But with encryption, a defendant simply cannot comply in some situations, and there is no way of telling whether an inability to hand over the keys is genuine or just a pretext.
Therefore, the answer is clear: nobody should be forced to hand over encryption keys; it simply doesn't make any sense to have such a requirement.
What if someone actually did forged their long, complicated pass phrase? In that case, prosecutors would be trying to force someone to divulge a passphase that they don't even know.
On several occasions, I have briefly played around with encryption programs and made an extra copy of unimportant stuff and then encrypted it. Since it was usually just for practice, I did not always bother writing the passphrase down on the sheet of paper which lists all my passwords and passphrases. I may have not always got around to deleting those encrypted practice files and they may still exist somewhere on one of my old hard disks or on a USB key or somewhere or in the box of CDs that I have burned. I would have no idea what the password or passphrase was for those old practice encryption files.
I could easily imagine some prosecutor putting me in jail for not being able to come up with a passphrase to some old encrypted practice file. Then eventually, after getting out of jail, perhaps I would eventually find the passphrase on some old scrap of paper and they would discover that it was just an encrypted folder full of dozens of free 80 year old Gutenberg.net ebooks.
A person, such as myself, who has have never actually bothered to use encryption on a routine daily basis, would someone who is most likely to forget their passphrase. Perhaps I should dispose of all my old hard disks or wipe all the data with Darik's Boot and Nuke Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.
That would make revealing the key self-incriminating, regardless of whether or not the encrypted files are incriminating.
The problem with this is that the warrant gives the police the power to search your house/computer, but does not mean you have to explain everything to them. If they find a notebook full of math equations in your house they are not smart enough to figure out, you cannot be charged with refusing to educate them. If they find a bunch of bits on a hard drive they do not understand, you should not have to explain them.
Part of the problem also comes from this sentence "Of course if a warrant is issued by a judge (so there is some other evidence to suggest that the encrypted data is evidence of a crime) and there is *certainty* that you have the key (or a decrypted copy, after all you need to provide one *or* the other) then I am not too worried by the idea of being forced to hand over keys / decrypts."
Certainty that you have the key? Ever forget a password in your life? Would you like to be charged with a crime because you forgot one at an inopportune moment? Innocent until proven guilty means the state cannot assume you guilty then charge you with a crime because they are not smart enough to prove it and you are refusing to help them prove their assumption.
They will ask me about it and I will say it is for my financial records and cheerfully provide them with the password.
They will open the file and find a few mundane documents.
And then you get questioned under oath as to why the free space on the encrypted disk image is orders of magnitude bigger than the documents inside it. Without actually knowing the password, it is impossible to know it's there. Other than reasonable suspicion based on the ratio of volume size to files on the volume, perhaps?what if you write that password on a piece of paper, and then put it in a safe?
The higher the technology, the sharper that two-edged sword.
Imagine this scenario. Someone scans your HD. They find encryption telltales (like, say, .Net framework, pgp, etc.). They decide you might have encrypted files. They run 'strings' on every file that isn't a known binary file (i.e., .exe, .com, .dll, .bin, .mp3, .jpg, etc). They find a few files that strings doesn't like. Hmm... They might be encrypted. Maybe there are "magic" characters at the beginning of the file that indicate the file was protected by something like pgp.
.Net Framework, which is installed in one form or another on XP, Vista, et al...
Suddenly, you're given a free flight to Kazakhstan [sp], to meet with Borat. Oh, yeah. you've now become a non-entity while they waterboard you to try to get your passphrase out of you.
Like others have said, waterboarding is great for extracting a confession. Or, if you are so hard-core, they decide that they just need to kill you or let you rot in a hole somewhere far, far away.
Or, less sinister, they just pass laws that say, "failure to surrender encryption keys or passphrases is determined by law to be an admission of guilt", just like not submitting to a breathalyzer or blood test is treated as admission of guilt in DUI in some states, which works just fine in a civil or administrative court. And conviction of certain civil or administrative crimes suddenly allows you to be tried later for new criminal laws where the administrative/civil judgments are used as justification to throw you into prison big time.
But, they just might take the easy way out: while investigating certain crimes (child porn, white collar crime, conspiracy, "terrorism", etc.), discovery of encryption products on your computer results in automatic civil seizure and forfeiture of computer hardware.
Well, anyone following instructions on MSDN can easily throw together programs that encrypt files using the encryption facilities in the
To address your first point, leaving a notebook of equations (or even a document in latin or some other obscure language) is a bad analogy, there will be at least one other person able to derive meaning from it, its up to them to deal with that issue, it is quite possible for an encrypted document to be unbreakable (unlike locks or safes etc..). If there is evidence to suggest that the encrypted file is evidence *and* there is evidence that you have the key, then I don't think there is a problem.
Your second point about forgetting keys is very pertinent, no one should be able to simply jail you arbitrarily because you really cannot comply with their request, it would be very difficult to determine whether someone has forgotten something or if they are hiding it, however a judge should as a last resort be able to make a decision one way or another (they do every day with regard to other similar matters after all).
Innocent until proven guilty means that you are assumed innocent of a crime until you have been through a process to determine your guilt, nothing more nothing less, failing to provide an encryption key when it has been determined that you have it would make you guilty of a crime (even if you didn't have the key, but that is simply the same as being found guilty of some other offence that you have not committed, courts are not clairvoyant nor do they have a monopoly on the truth.)
I disagree with the implementation of the UK Act, but I do agree with what it is trying to do, like I said before there need to be some fairly robust safeguards to protect people who have forgotten / never had a key but then that should be true of any law. I see no problem in jailing someone who is covering up a crime by hiding a key if it is determined that they have it, after all they have the option of revealing the key and being tied on the basis of whatever is contained within the encrypted file *or* being found guilty of failing to provide the key. The problem as you pointed out is proving that they have the key, I would assume that that would only be possible in a vanishingly small number of cases. As it is the law can be abused, but there are ways to prevent that abuse.
Could this mean that if you keep a password in your head it counts as counts of your brain and therefore protected by the constitution, but if you write down your password then it simply counts as some form of keys and therefore not protected? IANAL, but could this be another reason to keep your passwords in your head?
Also, I see so many people assuming that no one on the planet can currently break strong encryption in short time. Well, to break strong encryption efficiently it takes only a breakthrough mathematical algorithm, nothing else. Well, I wouldn't bet that there is no one on the planet who knows a secret algorithm... In fact the public Shor's algorithm could break RSA if one had a big quantum computer. It isn't incomprehensible that one could have found a classical algorithm for fact factorisation and kept it secret or sold it only to a select few three-letter-acronym clients. This proposition, however, is easily testable in the sense that if one was able to do that then we should expect within a reasonable number of years someone else to find the same or a similar solution, since mathematical knowledge is built upon itself and most probably a hypothetical person or organisation in possession of a secret fast factorisation algorithm wouldn't have an immensely superior mathematical base to begin from in the first place. Many times multiple people end up to the same or similar discoveries, very simply because we all begin from the same basic knowledge and have more-or-less similar intelligences (speaking for orders of magnitude), and there are also so many people who research the same questions at the same time. I really wouldn't be surprised if a three-letter acronym shop is already in possession of a smart algorithm that no one else knows about (although I would really be surprised if they could manage to keep it secret for more than 30-40 years, such things aren't easily kept secret).
In fact, Clifford Cocks (who worked for a four-letter acronym shop) had probably found RSA in 1970s, before the RSA guys, and the world only learnt about it in the 90s. Would you bet that no one currently knows a fast algorithm capable of breaking strong encryption in reasonable time?
Hey, if it works for our Esteemed Leaders, it should work for you, right?
that are hard to remember. I lost a bunch of stuff, because I couldn't remeber the passphrase. Now they want me to rot in jail if I happen to forget one that they need from me?
That's mean!
If that is the content of AC's brain, I'd hate to see his PGP passphrase...
Self-referential Sigs are cool on /. these days...
54
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner.
Obvious to you and I maybe, but Scalia, Roberts, Alito, and Thomas never met an unreasonable search.
If prosecutors can jail reporters indefinitely until they hand over their sources, how is it that much different for the government to imprison someone for not turning over their encryption keys? The only difference I see is one may incriminate someone else and the other may incriminate you.
Of course, the smart thing would be not to mount the encrypted drive when you're not using it. And for the police not to shut the device off until they've secured enough of the data to obtain a conviction. Otherwise it's hearsay. I could claim I saw the plans for a nuclear bomb on your computer. And if we're admitting hearsay then anyone could claim you had anything on your computer. Would that be compelling enough to make you hand over encryption keys to prove there's nothing incriminating on your computer?
Now we're getting into the territory of having an encrypted partition is probable cause. Just like having a pager or cell phone is probable cause for a vehicle search on a traffic stop. Sadly that's true, or used to be.
Makes the paranoid among us utilize hidden volumes. Some people go three or four layers deep. Keep something mildly incriminating in the normal layer and let them think that's the big prize. Try to take the water boarding for 30 or 40 seconds before you give it up to sell it.
When you put safety and security ahead of freedom there's no bottom to the privacy slide.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Just remember... You (This means YOU! (or even ME!)) can be reclassified as an "unlawful enemy combatant" by the executive branch with no judicial review, no checks, no balances. Once you're reclassified, there are no rules.
Ain't it great!
The living have better things to do than to continue hating the dead.
CPs? Is this some jargon term used by enthusiasts?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
What cipher are you using and who wrote it?
A lot of people feel like they can protect their privacy with AES or 3DES or whatnot, but fail to realize that it was either developed by or for the government in question.
The safest way to protect your data with encryption is to develop your own cipher and don't publish how it works. I know the security through obscurity critics will gnaw on me for saying that but it is another layer of security.
If the NSA have cracked AES / TwoFish / 3DES etc, then you'll be damn sure they've found a way to automate the detection of weak keys and cracking.. but if something comes across the wire that doesn't match what they're expecting, additional effort has to go into analyzing and cracking it.
In summary, if you believe using a cipher that your government has adopted for its standard secures you from their prying eyes, you're most likely delusional regardless of the supposed computing power required to brake it.
The road between democracy and tyranny is paved with secrecy in the name of security.
To address your first point, leaving a notebook of equations (or even a document in latin or some other obscure language) is a bad analogy, there will be at least one other person able to derive meaning from it
Maybe, maybe not. Either way, it is not up to the suspect to explain it. Maybe the equation contains evidence of a crime. Maybe it is clear evidence of a crime in a weird encrypted format. Maybe it is the result of drunken doodling. The point is the suspect does not have to assist the police in figuring it out. They legally got access to the evidence, interpreting it is their responsibility. A suspect is also not required to help the police dust for fingerprints if they are incapable of doing that too.
If there is evidence to suggest that the encrypted file is evidence *and* there is evidence that you have the key, then I don't think there is a problem.
There is currently no such thing as evidence that you posses the key in your brain. I also cannot fathom what evidence would exist that would indicate what exists in an encrypted file short of actually decrypting it. Suspicion is not evidence.
however a judge should as a last resort be able to make a decision one way or another (they do every day with regard to other similar matters after all).
It would be a scary day indeed that a judge could jail you because the police cannot prove you are guilty or anything and they claim you are lying about forgetting something that they believe might help them prove it.
failing to provide an encryption key when it has been determined that you have it would make you guilty of a crime
Again, that determination is currently impossible. Also this judgment just proved the opposite (it does not make you guilty of a crime, at least in the US).
The only way it is possible to prove someone has the key is to find it (for example written on a postit note under their keyboard). We don't have the technology to probe someone's brain and if we did, the question of what they had hidden in an encrypted file would be moot.
I see no problem in jailing someone who is covering up a crime by hiding a key if it is determined that they have it
Neither do I, the catch 22 is that you do not know if they are covering up a crime until you get into the file, so you can never really jail someone for this until you decrypt the file yourself. Perhaps the file contains something embarrassing or private enough that they do not want the police knowing about it.
I was very curious about this as well. I have been through customs many times with a laptop. They have searched the exterior of my laptop, but they have never asked to look around the filesystem.
This isn't a privacy issue, it's a compulsion issue. Your privacy can be invaded in almost any way imaginable if a warrant can be obtained, but you can't be compelled to provide incriminating information against yourself under any circumstances.
IANALBIPOOS.... So if the customs agent had demanded that he turn on the cell phone and display his call logs, would that have been legal? Cell phones don't have logins (at least my doesn't), so why would data on the phone be any more/less subject to inspection (in comparison to the laptop)?
weft45gvsd'cjascwefgvedfv[jsde0[9rgjh5bdmx s eRWT$Y%^&%^$Rqwedw23WDF34t45^&*Tybdfvsmdnfewf
Oh, the contents of my brain is mostly random noise!
I drink to make other people interesting!
True for the US, not for the UK (grandparent was focusing on the UK) primarily as the right to silence (which is the the right that prevents self incrimination) is restricted by statutory and common law exceptions, not to mention that when it does apply it is often not taken up.
Under various laws there are requirements to disclose information (for example to HMRC) who can compel answers on pain of contempt of court (which is not too different from how this works in essence), you cannot be jailed or convicted for not testifying against yourself but you can be punished for failing to supply a particular piece of information as specified in law (I don't think that that info can be used against you in a subsequent criminal trial though).
However if you fail to provide such information, you are not automatically guilty, you still have the opportunity to present a case, a case in which the prosecution would have to prove that you *do* have the information they are asking for.
Anyway, Like I said its broken and needs fixing.
Tell those mother fuckers, "Well, if YOU can find out what the password is, then please tell me, because I can't remember it to save my life!"
And that would actually be your passphrase, but those idiots will never figure that one out.
The government is incompetent.
Here's the simple explanation: The 5th Ammendment protects us from "statements" that could incriminate us. A PGP passphrase is not a statement. Therefore, a PGP passphrase is not protected by the 5th Ammendment.
...I think it's ridiculous because even under the UK RIP law etc. you can almost certainly claim mental trauma which has lead you to forget it. I'm sure you are aware of people that get all stressed on on their final exams and forget even basic things. Now you're being compelled to produce it or be thrown in jail, and that's a lot worse. Throw in some nightmares about ending up in jail because you had forgotten the key and your mind went into a "was it dgdssd34234? or dgdssd34284? or maybe ddgssd34234? AAAAAAAAAHH I can't remember!!!!" state and just got yourself completely confused and blanked out. Given the number of people that have trouble remembering their PIN, I think it's more than plausible.
Live today, because you never know what tomorrow brings
Why the hell is a customs agent able to rummage around someone's laptop at a border crossing? To examine the files on a laptop seems a bit over the top even if the guy is acting suspiciously. I could see turning it on to make sure it is functional like they do at airport security. That would ensure the laptop is not being used to hide explosives or drugs. But examining files? I can not imagine anything that would give a customs agent probable cause to snoop through laptop files. That is, not counting stupid pedo tricks...like having nekkid kids as his background picture.
SELECT * FROM User WHERE Clue > 0
0 rows returned
I must say that the use of 8 asterisks (********) has never failed to amuse me. Sure, it's the first thing a brute force attack would try, but it does appeal to my sense of humour.
Insert
The problem with equations like that is that they make dangerous assumptions about the quality of the cipher in the first place. All you need is one flaw in the algorithm and you're history in a much shorter time - and it's not like that hasn't happened yet.
You're also limiting your attack vector to pure linear brute force. The article itself already alluded to using language analysis to create a prioritised subset for analysis.
Insert
Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.
Note to self; disconnect the network cable, reboot into bios, change bios date 10 years, write encrypted file from live CD, reconnect network cable, reboot.
The truth shall set you free!
The solution is to make your password so complex that you can't remember it fully under duress or distress. I'll leave it to someone to devise a technique.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
However, a person who can get physical control of your machine, say to boot from a CD and use it to image your drive across the network and establish a baseline, then create another image later, could see what parts of the drive are changing, and thereby impute that the unallocated space in that drive was used by a hidden volume. There isn't much that can be done about that, other than providing a mechanism for those encrypted volumes without inner hidden volumes to randomly pick sectors to scramble, thereby producing a reasonable explanation for why the unused space is changing.
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
...they'll never take me alive.
This is simply incorrect, from http://www.archives.gov/national-archives-experience/charters/constitution_transcript.html
Article. V.
The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.
How the hell did the parent post get a +5 informative of all things?!
The answer is of course simple. Make your passphrase a quote from a movie. That way, telling the officers would be a prohibited public performance, i.e. it would be a crime to tell them. Then plead the no-self-incrimination law. :) After all, we don't want to make the MPAA unhappy right?
you cannot be jailed or convicted for not testifying against yourself but you can be punished for failing to
... say something that will get you convicted?
As always, all IMO. Insert "I think" everywhere grammatically possible.
I remember sitting my final examinations at University. Maths exams. The kind where you cannot understand the questions.
After one particularly distressing humilation I went to the cash machine to get some money to buy beer and drown my sorrows. Zilch, nil, zero: not my account total, my memory of my PIN. My mind was a blank. I guessed three times and the ATM ate my card.
Would the threat of imprisonment for contemp of court have helped me remember?
The original parent poster was correct, +5. People implied that the Congress could change the constitution. Only the states can change the constitution. Congress can ask the states for an amendment. Its conceptually pretty simple. The Constitution is a Federal Goverment, but it is also a treaty among the states, enacted and amended by the consent of the states.
This is my sig.
the search warrant grants the court access to whatever is named in the warrant
the defendant may be held in contempt until he complies
5th amendment protection doesn't apply if the contents of the laptop cannot be used in a prosecution. What you are arguing for would be fine providing the person is given full immunity regarding the contents of the laptop or any information derived from said contents (like for example if you got a name of a co-conspirator and then that person provided evidence). But no a person should not have to help the police convict him in any way.
Domestic terrorists that are US citizens, yes they will be protected.
The problem is that they have the machine, and they have access to every bit of data on the machine. Look at it another way. Let's say you're an accountant for a mob boss, but you used some kind of code for drug deals in the secret accounting books. The police might be able to force you to unlock the safe, but can they force you to explain what '100p for Santa's snow' means in your code? Maybe it's $100,000 for cocaine. Do you have to explain it to them?