Slashdot Mirror
Encryption Passphrase Protected by the 5th Amendment
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
Terrorists!
"I forgot."
8==8 Bones 8==8
So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.
Hmmm....
Read the article:
If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.
By giving the government his password, the judge held, that the defendant was incriminating himself by opening up all of his files that weren't pertinent to the investigation. That was my take on it. *I am not a lawyer, but I scored high on critical reading on the SAT's, for what it's worth.
I got a catholic block.
It's a sad sad day in America that the truth of the 5th ammendment and the constitution itself is even called into question in this way. Thanks to the judge who supported the constitution, unfortunately there are laws shredding it up as we read this news.
http://www.govtrack.us/congress/bill.xpd?bill=h110-1955
Welcome to the police state.
Liberty.
By giving the government his password, the judge held, that the defendant was incriminating himself by opening up all of his files that weren't pertinent to the investigation.
Quite the opposite. By giving the password the defendant may incriminate himself by opening files containing incriminating (and pertinent) information, but unknown to the government prior to that.
Thank God...FINALLY, a score for US privacy rights...and upholding our Constitutional rights!!!
You just don't see that much any more.....
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
No they don't.
Just like any other serious crime the police should be investigating it correctly and building a case without needing to look around the suspects' house first.
liqbase
Yes, and it's perfectly legal for those investigators to try to decrypt your files themselves. What they CAN'T do is say, "Tell us where the incriminating evidence in your house is, or we'll put you in jail," or "Give us an itemized list of every single thing in your house so we can decide what is incriminating, or we'll put you in jail." Neither can they say, "Give us your encryption password or we'll put you in jail."
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner. On the other hand I am relieved it has finally happened.
Well, there is that whole pesky link in TFA to the decision.
;) This password is similar to a combination lock. However, in this case, the government had already seen some of the files contained within his encrypted drive. There is a question as to whether the government's knowledge of the preexisting files would be enough to force the turnover of the password. The government argued that they would allow the suspect to enter the password without supervision, meaning that the government wouldn't be able to use the entry itself in court. In the past, the government has tried to prosecute someone when they had immunity for turning over documents by arguing that said documents themselves were incriminating,. not just that the suspect kept them. The supreme court found that reasoning to be bull. Someone is protected via the 5th amendment by all fallout of their testimony via immunity.
But I'm nice and I found it an interesting read, so I will summarize it. There are a great many of cases involving what and when the government can force someone to turn over documents. Generally, things which don't represent what's in your mind can be forced over. An example would be a key to a lock as compared to a combination lock. The former exists, and is known to exist, and the latter's turnover requires the suspect to devolve information contained within his mind, which would be tantamount to testifying.
In this case, there is some splitting of legal hairs, and my description will be less than sound. While IANAL, I am marrying one
As I already rambled here, the government argues that they knew of the files, and that they had already seen the files. As such, the defendant needed to turn over the password. Something similar has been done previously, where the government knew that a suspect had a document in his possession,and the court forced its turnover. In this case, however, the judge unacknowledged that the prosecution has seen only a small number of the files on the encrypted drive, and that they were almost certainly incriminating. As such, the judge decided that he couldn't order the defendant to turn over the password as the governmetn would have access to new files it knew nothing about.
So, the lesson here is to just not talk to the police without your lawyer present, and don't fricking enter passwords to your files without a court order.
I think you two are talking at cross purposes. The post you're replying to says "(and pertinent)" - ie files that *do* relate to the case.
You're saying "he can't be made to release incriminating files that are nothing to do with the case", while the poster you're replying to is saying "he can't be made to release incriminating files even if they are related to the case".
It's official. Most of you are morons.
Probably forever, since Congress can't amend the Constitution.
"Sacrifice for the good of The State" - The State
Yes, it will protect them, as it should. They are not terrorists until PROVEN so, not because we suspect them to be - just like you are not necessarily a selfish jerk, even though I suspect you are.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
...once it gets to appeals court it will hold up as long as a geek in waterboarding session. Certain kinds of utterances have been determined to be "non-testimonial" and not eligible for Fifth Amendment protection, and encryption keys are IMO almost certain to be found as such by the current Supreme Court, since it isn't the key which is incriminating, but the evidence protected by the key.
If the passphrase is considered keys to a safe, and you are therefore likely to be forced to divulge it, then you can avoid trouble by using an encryption system, like TrueCrypt, that supports plausible deniability. Inside the encrypted volume, blank space is always filled with random data, which can also be another nested encrypted volume. Without the correct passphrase, nobody can prove that the random bits are anything more than random bits.
Well, maybe because a better analogy is "I have a warrant to search your whole house. You need to give me the key to the locked room in the back." I'm not sure it is "painfully obvious" but this is the correct decision in the end.
This comment is guaranteed*
*not guaranteed
That's exactly right. As far as I understand, the main concern is that by opening the disk he would potentially give the government access to the incriminating files not seen by the customs agents.
This case is a very interesting overlap between 4th Amendment "right to privacy" cases and 5th Amendment "right not to self-incriminate" cases. I personally think that if the government can't break the encryption to "prove" what is hidden from them, they have no right to force the owner to do their work for them. People have a right to keep stuff private, and if they've hidden it effectively, then tough shit for the cops.
I acknowledge that child porn is inherently harmful to the children involved, and that laws targeting possession of child porn are therefore valid so far as they aim to protect children by destroying the market for the exploitative and harmful material. And there is no first-amendment protection for child porn. But the cops still can't break into your house without a warrant just because they they think you have pictures of naked kids inside, and they can't wiretap your internet connection without a court order (heh, they can't LEGALLY, even though it's probably going on right now OMGHI2NSA). Those are 4th amendment rights. But the 5th amendment kicks in to say that even with a court order and a valid warrant, the cops in your house can't force you to tell them which floorboard is the loose one with the bloody knife hidden under it. If you refuse to tell them, they have to find it on their own-- and if they can't find it, they can't use it as evidence against you. That's exactly how the 5th amendment is supposed to work.
A police force with the power to compel self-incriminating testimony becomes the enemy of any citizen who wishes to lawfully express dissent with any policy of government. The 5th Amendment is the most powerful safeguard citizens have against confessions extracted via torture finding purchase in US courts.
From the decision itself (lifted from that post at Volokh Conspiracy), bolded emphasis is mine:
Humpty Dumpty was pushed.
Lying in an official police statement is the same as lying under oath. Basically you're obstructing justice by lying, therefore perjury.
Karma: Non-Heinous
This is horrible case law. I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.
Encryption keeps getting easier and easier to use - someday my job wont be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.
I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
You can write your password on a paper then claim it's too long/difficult to remember and the paper was destroyed.
Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.
No sig today...
I always thought the 5th amendment served two main purposes:
1. Prevent the government from compelling individuals to confess (through torture, or other means).
2. Give weight to confessions by ensuring that they were not obtained through torture.
Perhaps it will be illustrative to take the computer out of it, since we tend to get distracted by the technology. To me it seems pretty clear that if someone is arrested carrying a letter that was encoded with a cipher with information that may or may not be relevant to the case, that the person could not be compelled under law to explain how to decrypt the letter, whether to law enforcement or in court. Of course that couldn't stop the officials from attempting to break the cipher. But just because modern encryption is more difficult to crack than a hand cipher, I don't believe that changes the nature of the situation.
Imagine a crypto system that encrypts an entire disk volume (sitting between the file system and the block device). Imagine this crypto system can accept two different keys. When the volume is decrypted with "KEY A", only "SUBSET A" of files are exposed. When decrypted with "KEY B", only "SUBSET B" files are are exposed.
Mount the volume with "KEY A", add a bunch of innocuous files, then unmount.
Mount the volume with "KEY B", then add the files you really want to keep from prying eyes.
If you're pressured to reveal a key, give them "KEY A".
Botnets cannot break decent encryption either.
What a lot of people fail to realise is that encryption can be made unbreakable even by brute force by simply choosing a large enough encryption key. What people also fail to realise is that 256 bit encryption doesn't take twice as long to crack as 128 bit encryption. It in fact takes 2^128 times as long to crack.
Let's for a second assume that 128 bit encryption is crackable by your own personal home computer in a period of 1 hour.
136 bit encryption would take 2^8 times as long (250 times as long)... so we use 250 computers, and crack it in 1 hour still.
144 bit encryption takes again 250 times as long, so instead we use 250 superpowerful server computers and crack it in 1 hour.
156 bit encryption takes another 250 times longer, so we use a top-secret government super computer the size of the Pentagon and still crack it in 1 hour.
164 bit encryption takes.. you guess it, 250 times longer to crack. All the governments in the world pool their top-secret super computers and crack your content in.. 1 hour.
172 bit encryption takes 250 times longer to crack. We use all the computers on the entire planet and manage to crack it in 1 hour.
180 bit encryption takes 250 times longer to crack. We use all those computers, but let them run 250 hours (10 days) instead.
188 bit encryption takes 250 times longer to crack. We let those computers run 6 years to crack your password.
192 bit encryption takes 250 times longer to crack... never mind, we're not THAT interested in your personal photo album.
Since it's protected under the 5th Amendment, not only can it not ordered disclosed, it can't be commented on by the prosecutor if the defendant refuses to divulge it.
What if someone actually did forged their long, complicated pass phrase? In that case, prosecutors would be trying to force someone to divulge a passphase that they don't even know.
On several occasions, I have briefly played around with encryption programs and made an extra copy of unimportant stuff and then encrypted it. Since it was usually just for practice, I did not always bother writing the passphrase down on the sheet of paper which lists all my passwords and passphrases. I may have not always got around to deleting those encrypted practice files and they may still exist somewhere on one of my old hard disks or on a USB key or somewhere or in the box of CDs that I have burned. I would have no idea what the password or passphrase was for those old practice encryption files.
I could easily imagine some prosecutor putting me in jail for not being able to come up with a passphrase to some old encrypted practice file. Then eventually, after getting out of jail, perhaps I would eventually find the passphrase on some old scrap of paper and they would discover that it was just an encrypted folder full of dozens of free 80 year old Gutenberg.net ebooks.
A person, such as myself, who has have never actually bothered to use encryption on a routine daily basis, would someone who is most likely to forget their passphrase. Perhaps I should dispose of all my old hard disks or wipe all the data with Darik's Boot and Nuke Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.
That is assuming a higher court doesn't reverse this decision in some manor.
What is hard to understand here? A person cannot be compelled to give self-incriminating testimony.
Seems like a fair law to me.
The point of the ruling is that the password has to be treated like testimony (which cannot be forced), rather than a physical object, like a safe key, which the defendant may be forced to surrender.
Because, due to abuse of authority widely practiced by the government, far too many "criminal investigations" are actually witch hunts designed to root out "subversives". Maybe your government doesn't do that, but the vast majority of them do. And we need to protect ourselves from tyrants. Not that we are doing very well in that department. I hope that helps to clear things up a bit.
What?
The Law blocking a criminal investigation thing stems from years of torture to confess something. The Salem witch trials and the Spanish inquisition would be a classic example but there are others directly related to the struggles between colonist and England as well as examples outside US history. the person was tortured or otherwise compelled into admitting guilt- Whether they were guilty or not.
Basically, if you have the right to not incriminate yourself, then they can't force you to "confess". And if it happens, then any convictions should be turned over by a higher courts assuming that things go according to plan. This also carries the problem of blocking a criminal investigation but the necessity of not being forced to confess out ways the setback to criminal investigations. Many people support this idea if not simply because they don't want the cops showing up at their front door demanding you to tell them something you did that was illegal and later claiming it was part of an investigation.
As for me, I think it is a necessary evil that protects people in many ways above any benefit from a criminal investigation. If there is sufficient cause for the criminal investigation, then there will be other evidence outside that aspect that will eventually show up if it isn't already there.
One way they get around the 5th amendment is to grant immunity from prosecution for anything found or disclosed which seems to have the same effect of the 5th amendment. Something like that would be useful in convicting others involved by letting one person escape justice.
Imagine this scenario. Someone scans your HD. They find encryption telltales (like, say, .Net framework, pgp, etc.). They decide you might have encrypted files. They run 'strings' on every file that isn't a known binary file (i.e., .exe, .com, .dll, .bin, .mp3, .jpg, etc). They find a few files that strings doesn't like. Hmm... They might be encrypted. Maybe there are "magic" characters at the beginning of the file that indicate the file was protected by something like pgp.
.Net Framework, which is installed in one form or another on XP, Vista, et al...
Suddenly, you're given a free flight to Kazakhstan [sp], to meet with Borat. Oh, yeah. you've now become a non-entity while they waterboard you to try to get your passphrase out of you.
Like others have said, waterboarding is great for extracting a confession. Or, if you are so hard-core, they decide that they just need to kill you or let you rot in a hole somewhere far, far away.
Or, less sinister, they just pass laws that say, "failure to surrender encryption keys or passphrases is determined by law to be an admission of guilt", just like not submitting to a breathalyzer or blood test is treated as admission of guilt in DUI in some states, which works just fine in a civil or administrative court. And conviction of certain civil or administrative crimes suddenly allows you to be tried later for new criminal laws where the administrative/civil judgments are used as justification to throw you into prison big time.
But, they just might take the easy way out: while investigating certain crimes (child porn, white collar crime, conspiracy, "terrorism", etc.), discovery of encryption products on your computer results in automatic civil seizure and forfeiture of computer hardware.
Well, anyone following instructions on MSDN can easily throw together programs that encrypt files using the encryption facilities in the
So, only 500 years instead of 1500.
(Also, even if the NSA did have a quantum computer--as I understand it, it would need as many Qubits as the key it's trying to crack. We're not anywhere close to breaking strong encryption from any published experiments. There's little reason to believe the government could actually do it.
So if they can be compelled to testify against themselves, what methods
are appropriate for that? Nothing life-threatening, surely, but perhaps a bit
of waterboarding is in order?
True, but you're missing the whole point of the parent's illustration about exponential growth. By the time you get to 256-bit encryption, even given all the resources in the world, exploring 0.0001% of the keyspace is infeasible, let alone 33%. Even for large governments, brute forcing PGP is more unlikely than winning every major lottery simultaneously.
Bush has the comic shop guys keep track of that kinda stuff. Just the other day, i walked in and the guy behind the counter said "Back again, eh?"
Now if that isn't proof i don't know what is!
Or they wait 6 years, and crack it in 10 seconds with their wrist watch.
If that is the content of AC's brain, I'd hate to see his PGP passphrase...
Self-referential Sigs are cool on /. these days...
54
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner.
Obvious to you and I maybe, but Scalia, Roberts, Alito, and Thomas never met an unreasonable search.
If prosecutors can jail reporters indefinitely until they hand over their sources, how is it that much different for the government to imprison someone for not turning over their encryption keys? The only difference I see is one may incriminate someone else and the other may incriminate you.
Of course, the smart thing would be not to mount the encrypted drive when you're not using it. And for the police not to shut the device off until they've secured enough of the data to obtain a conviction. Otherwise it's hearsay. I could claim I saw the plans for a nuclear bomb on your computer. And if we're admitting hearsay then anyone could claim you had anything on your computer. Would that be compelling enough to make you hand over encryption keys to prove there's nothing incriminating on your computer?
Now we're getting into the territory of having an encrypted partition is probable cause. Just like having a pager or cell phone is probable cause for a vehicle search on a traffic stop. Sadly that's true, or used to be.
Makes the paranoid among us utilize hidden volumes. Some people go three or four layers deep. Keep something mildly incriminating in the normal layer and let them think that's the big prize. Try to take the water boarding for 30 or 40 seconds before you give it up to sell it.
When you put safety and security ahead of freedom there's no bottom to the privacy slide.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
It's more then just confessions. The police can't decide you are a thief and then ransack your house on the hopes of finding something stolen. When they search they have to know what they are looking for, and have reason to believe that they will find it.
Here they are saying that he has files that they know nothing about. Because those files are unknown, he is protected from having to provide them.
Thinking about it, I'm surprised that we haven't heard of cases getting thrown out because of computer evidence collected outside of the scope of any search warrant poisoning too much of the subsequent evidence. I could imagine a warrant to look on your computer for a warez program they think you have turning up an ssh known_hosts file entry for a warez server. Since they weren't looking for that evidence (maybe because they thought the computer had not been networked, or was not involved in warez transmission, just storage) then they can't use it, and if they then go hunting the logs of that remote server to find the connection that can't be used either because it was evidence they only knew to look for because of evidence they weren't allowed to have anyway. And because you can't un-know information once you have tainted evidence you have to show that any subsequently gathered evidence did not come from knowledge of that evidence or at least would have eventually been discovered by other means.
However I must offer the following disclaimer: I am not a lawyer (nor do I do anal like so many of you non-lawyers), but I have watched a lot of Law & Order. Disclaimer: Not being a lawyer, much
But in getting that "key to the safe" in response to a search warrant there isn't a wide open "fishing expedition" granted.
If the warrant is to gain access to, for example "the twelve pornographic photographs known to be in the safe" that does not allow the investigators to also review the contents of all the accounting books also in the safe.
Since the original officers who looked at the images probably have no idea which files they were, I suspect that they will rifle through EVERYTHING in that drive if they had the opportunity, just to make sure they found the ones he saw.
By doing so they will likely find other things that may pose a problem to the owner of the drive the government now possesses, and US law has always said that one can't be made to incriminate themselves.
Very picky points, but in this case I actually think the judge may be right within very narrow confines.
(If the original investigator can remember the actual file names/paths, I suspect the defense could be asked to product THOSE files, but lacking that...)
--
Tomas
Actually if you look at the problem from a energy consumption (Von Neumann-Landauer Limit) POV
brute force attacks on a search space of 2^128 is boarding on consuming all of approximated
energy of all the stars in the Milky-way galaxy (imagine Dyson shells around all the stars
in our galaxy)
So in reality if a greatly less than brute force method is not found for such search spaces
then there is no real way of practically applying brute-force methods.
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
You advocate punishing people for not confessing a crime?
Get a grip.
As always, all IMO. Insert "I think" everywhere grammatically possible.
What facts? Congress passes the amendment by a two thirds vote, and sends it out to be ratified by three fourths of the states. Difficult, but not impossible.
This is simply incorrect, from http://www.archives.gov/national-archives-experience/charters/constitution_transcript.html
Article. V.
The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.
How the hell did the parent post get a +5 informative of all things?!
I wish you were being ironic. But I fear you actually mean this.