Slashdot Mirror
DOJ: We Can Force You To Decrypt That Laptop
betterunixthanunix writes "A mortgage-fraud case may have widespread implications for criminals who use cryptography to hide evidence. The US Department of Justice is pushing for the defendant to be forced to decrypt her hard drive, claiming that if they cannot force such decryptions, law enforcement will be unable to gather important evidence. The defendant's lawyer and the Electronic Frontier Foundation have made the claim that forcing such a decryption would be a violation of the defendant's fifth amendment right not to self-incriminate. The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
Do they have to show cause first or is this a new tool in the arsenal of the TSA?
Agile Artisans
You just have to sign this confession we very thoughtfully prepared for you.
Yeah, I know, it's not entirely the same; it's not even really analogous. It's just an example of other back-door out-of-the-box problem-solving thinking, the kind of thing that made America great.
Welcome to the Panopticon. Used to be a prison, now it's your home.
"I'm sorry, but I don't recall my passphrase. I guess the stress of this case has made me forget it!"
If it works for the DoJ it should work for us...
hey, if you did something wrong and would be going to jail, why the hell help them even more? either way you go to jail, right?
they won't KILL you if you don't unlock your encr. stream. they will lock you up either way.
so don't give it to them. you cannot be forced to hang yourself.
fuck the DOJ.
--
"It is now safe to switch off your computer."
What if the key automatically self destructs and it becomes impossible to decrypt it?
And what if you forgot your passphrase? Can't force you then.
From TFA:
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
That sounds like a rather spot on analogy. Sounds like precedent is against her. The argument that the passphrase, itself, is the incriminating self-testimony seems really weak, both because the passphrase is not being required, and because the passphrase is not, in the end, what will incriminate her.
IANAL, of course.
If it gets to the point that the authorities are trying to force a person to decrypt their computer, then I seriously doubt the threat of additional prison time is going to sway said people to do so.
I mean, what the hell are they gonna do? Send you off to Guantanamo or some other gulag?
I'll go ahead and decrypt this big middle finger for them, though. Hell, I'll even throw in a second one.
I totally forgot the passphrase!
Here's a presentation discussing the issue of force password disclosures and laptops I gave at DefCon 17: http://www.youtube.com/watch?v=ibQGWXfWc7c
Check the law and make up your own mind.
I am no lawyer, but the argument that this is a fifth amendment issue seems strong to me.
How is allowing the defendant to keep the password private a meaningful concession? The password has no value if the hard drive has been decrypted.
The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
That would still seem to violate the 5th amendment. The relevant text is bolded below:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Anyone of more legal background care to comment?
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Why do US authorities not just torture people to get the information they need? Wouldn't that be more effective and convenient?
Oh wait...they already did in Abu Ghraib and Guantanamo...
If you have a safe with a combination lock, can the authorities legally require you to either tell them the combination or unlock the safe? The passphrase to allow access to an encrypted drive is equivalent to the combination of a safe, so the same rules should apply.
Sadly this is taking a leaf out of the UK's book. I say sadly, sad that we got there first on this sort of nonsense. It's a crime not to reveal passwords when required to do so. It's part of the Regulation of Investigatory Power Act 2000 (look it up!)
If I recall someone demonstrated the stupidity of it by sending an encrypted file to the then home secretary. He was then in possession of a file that he could not possibly decrypt, but it would be a criminal offence for him not to supply the passphrase to decrypt it if required to do so. In other words, a law that he could not possibly obey no matter how much he wanted to.
Despite this demonstration of the stupidity of the act, I believe it still stands.
Sigs are so 1990s. No way would I be seen dead with one.
... they already can.
(Legally compel you to reveal crypto keys or render the relevant information intelligible that is. Well, you could refuse, but that's an offence obviously. Section 49 of Part III of the Regulation of Investigatory Powers (RIPA)).
http://www.legislation.gov.uk/ukpga/2000/23/section/49
"The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
I can see that there is a difference between forcing the disclosure of the password and being able to read something that is already decrypted, however I can't see how that wouldn't still be self-incrimination. I assume the police would either bring her to the evidence room and tell her to enter the passphrase, or they would simply demand that she deliver an un-encrypted copy of the drive. Either way they are forcing her to give up evidence that may be used to incriminate. This seems to be a seriously frightening precedent to set.
They would never be able to take someone accused of murder and say, in effect: "look, we KNOW you did it, we just lack all the evidence needed to convict. You are now ordered to show us every place you visited on the day in question, including where the body is hidden."
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Whoever said that you have to arrange your papers and effects in such a way that the government can understand it?
Does this also apply to paper documents?
Are you not allowed to write your thoughts in a coded manner?
Is it also OK to use euphemisms in your diary?
Is it the government's position that you also have to interpret your diary for the prosecution?
I'm not a lawyer, but I play one on the Internet. Blog
Sounds like this might have helped...
http://en.wikipedia.org/wiki/Deniable_encryption
I am only a middling user, but Truecrypt offers also plausible deniability, in that two different passwords offer access to a whole different set of data ("hidden volume"). It would be very difficult to assess if it has been used.
"If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
So, what we need is an encryption program that has two passwords. One password to decrypt all the data, and a second password that decrypts harmless data but secretly destroys sensitive data. When the cops force you to enter your password, you enter the second password and they are none the wiser.
Of course, you'd need some way to separate the two types of data, but that could easily be accomplished by using different folders.
sounds like the best course of action is to say you forgot your passphrase. Problem solved.
As several people have pointed out - it is perfectly reasonable for someone to forget a password/combination or lose a key. (Sorry, yer honor, I can't remember it/find it)
As an aside - the obvious next step is to include in the software a destroy password. This would be akin to a safe having an incinerate button. Then the police *WILL* ask you for the password and not just have you type it in.
Finally, most safes, even if you don't have the key/combo can eventually be opened. Police have that option...same as they do in this case.
is this encryption so hard that it cant be bruteforced? if it is just simple password could work ofc if it is more advanced stuff like for web then then i understand
computer is nothing without a power just lika as bullet in nothing without a gun
Sounds like we need to build-in a 'panic' phrase that would scramble the data rather than decrypt it. Or, perhaps, render the data into text files of "Mary had a little lamb." Nothing incriminating about that!
"Want me to decrypt my drive? Sure... here's the passphrase. Gee, I'm sorry. Not sure what happened to my data. Have you guys been messing with my drive?"
and I won't come in your mouth, I promise.
quote:
Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."
bullshit. if there ever was a lie, it is this. how many here believe they'll let you enter your passphrase and NOT have a keylogger on that system?
fucking bullshit. boldface liars. nope, I won't come in your mouth. I'll pull out before, I promise.
--
"It is now safe to switch off your computer."
Some encryption systems are designed so that an SHA512 hash of the passphrase is only used to decrypt a larger 4096 bit key of random bits stored on an obscure sector of the drive. That key (once itself decrypted) is then used to decrypt the various random keys over various drive segments to decrypt the actual data. It can also check to see if the decryption fails. If the decryption fails for N times, where N defaults to 3, but can be configured by the owner to even be one, it will erase the encrypted 4096 bit key stored on that obscure sector by writing over it with random bits. All the data will then be instantly gone.
now we need to go OSS in diesel cars
"The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
How is that any different? "Oh, we don't expect you to show us the key or let us duplicate it ourselves, but we're legally requiring you to unlock the door so we can search what's contained inside."
If that situation would run afoul of the 5th amendment (and I'm not a lawyer, so I don't know), then so should this. My understanding is, you have a right to refuse to answer questions and to remain silent. If the key constitutes something that you have to communicate (e.g., a numeric codelock for the relevant door or computer encryption), it sounds applicable to me, because you don't have to say *anything*.
http://xkcd.com/538/ Their mistake was waiting until it got to trial. Now this method is harder to use.
...is an incredibly foolish idea in the first place. I encrypt my data on principle, even if there was something to encrypt.
And no, they can't force you to decrypt your laptop. Let them charge you with perjury, obstruction of justice, what-have-you... but never let them get their hands on your data.
Many criminals will use encryption that permits access by law enforcement, if that is the type of encryption that is commonly used and included in over-the-counter software
Because criminals buy their encryption software at Best Buy...
I'm not sure why, with a proper warrant, this shouldn't happen. No, a police officer shouldn't be able to ask you to decrypt without a warrant, same as they can't enter your house without one (except for special circumstances). But if they can convince a judge, then it's due process. TSA is a different deal I expect, given that the whole TSA theater doesn't sit on American soil or some such. Remember kids:
An Enemy Combatant isn't a Prisoner of War.
Dropping bombs with drones is not fighting a war.
Security zones in airports are the fuzziest of fuzzy law areas.
You can either:
1. Get 1 day of jail and a fine for contempt of court.
OR
2. Get 15 years for felony mortgage fraud.
Is this really difficult?
Also, "forgetting" does happen and is more likely to happen to an individual under extreme stress...a psychiatrist can testify on her behalf.
This is why anyone serious about security uses TrueCrypt or other encryption systems which have plausible deniability built in. If she was using TrueCrypt, she could give them the password they are looking for, without revealing ANYTHING about what is actually on the drive.
I don't know the law at all, so I'll just ask a logical progression of questions. Maybe a lawyer could respond.
If you have a physical vault with a key, can you be required to surrender the key?
If the vault instead used a keypad, can you be required to surrender the passcode or open the vault?
Assuming you can be forced to open physical vaults as just stated, it seems a simple logical step that you can also be required to decrypt a digital vault.
We like to complain that "over the internet" or "on a computer" does not make for a valid patent claim around here. So I would also think that storing documents in a vault "on a computer" also doesn't deserve any extra special protection under the 5th amendment.
I read an article to truly protect you from self incrimination, because regardless of who you are, you will be "forced" to give up your pass phrase or "willingly" decrypt the HDD. With this set up, you can 'willingly' give up your passphrase but for the 'dummy' partition and they won't be able to tell that there is a hidden partition because the space available will only show that of the dummy encrypted partition, not the whole HDD. Unless, of course, they take out the HDD and see the capacity, but you can go further and print out a fake a HDD label with a size similar to that of the dummy encrypted partition... This article is a great how-to on truly protecting yourself.
http://www.makeuseof.com/tag/create-hidden-partition-truecrypt-7/
Previewing comments are for sissies!
How is this different from an warrant issued to search someones house? I can't plead the 5th because my house contains incriminating evidence and stop them from entering, this seems no different. If my house is actually an impenetrable fortress that only I can open, could I simply deny them entry? Handing over the keys is not an incriminating act and doesn't seem to be protected, and if it is many a hacker will be jumping for joy.
How is this any different than acquiring a warrant to search someone's home? People are worried about this being abused? Fine, require a warrant to search someone's laptop.
The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive.
That's STILL self-incrimination! Talk about disingenuous!
Chas - The one, the only.
THANK GOD!!!
I have an idea, for every law found to be unconstitutional, we fire the person that proposed it and all the people that arranged for it to become law, for forever ban them from taking a dime of tax payer money, ever again, maybe then we can have the freedom to not have our rights chipped away by an over eager state that wants to violate them. Then, we can say, go ahead baby, make my day. We can call the new law, the make my day law.
Time to offend someone
Instead of just spouting vituperative nonsense like a few others have, thank you for writing something useful and relevant. This key argument makes sense.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
I think the best analogy would be to a safe with a combination lock. Can they compel you to disclose the combination? Can they compel you to unlock it without disclosing the combination? What if you claim to have forgotten the combination?
This makes sense, thank you for this.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
"The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
you have to be either an incompetent moron or to be a very sly, kniving bastard in order to be able to say such a thing, since the two things are analogous. the latter, we call 'lawyer' in plainspeak.
Read radical news here
They'll get your drive decrypted one way of the other, your Constitutional rights be damned.
Can't you just say "Sure, I'll enter my pass phrase - but the key is stored on the blue USB flash drive that was under my bed. I couldn't find it after you guys took all of my equipment, so I assumed you had it. You mean you don't? Oh well my passphrase is only used to unlock the 4096 bit key on that flash drive. Without that key I have no way to get to my data. Can I sue you for losing that drive?"
This is why you use a hidden volume. Don't people read the Truecrypt manual? You can therefore give them the passphrase to a sanitized volume devoid of anything incriminating. It is impossible to prove that there exists a second, hidden volume. If a laptop is encrypted at all, you can't prove you forgot a password or that it isn't encrypted. But for crying out loud, there is a single easy step to take for 100% plausible deniability.
Then you let your lawyer fight on principle, without really giving a shit personally if you win or lose.
I8-D
I watched the first couple of minutes of that video and turned it off. Making jokes and taking a drink from the crowd during your presentation in the first 2 minutes took away any credibility that what you say is worth anything.
It's almost as if the 5th amendment was written before computer encryption was even invented.
Ignoring the less-serious parts of your post, it's worth pointing out that encryption itself is quite old indeed. Is there legal precedent for forcing someone to decrypt encoded text in their possession in order to prosecute them? The only difference here is the much-derided "with a computer" bit that has been such a bugaboo for patents.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
It is right there in your Miranda rights that they still sort of have to read to you sometimes.
You cannot be forced to speak and you do not have to prove your innocence.
How do I prevent them from adding anything to the system after it is in their possession.
If I turn over my key to the encryption I want a method to ensure than anything they use against me was put there by me, not by them afterward.
Can that be done?
After all, if they are willing to force an issue you can be sure some will make sure something is wrong. Its not like the current Administration is concerned about the rights of its citizens, they are making Bush Jr look like a staunch civil liberties advocate
* Winners compare their achievements to their goals, losers compare theirs to that of others.
... nor shall be compelled in any criminal case to be a witness against himself ...
Anyone of more legal background care to comment?
IANAL but if you are going to go that route be aware that it seems to have pros and cons. The key word seems to be "witness", as in someone offering evidence. They key/passphrase itself is not evidence. It may in fact be the legal equivalent to a physical key that unlocks a physical box, a box that may or may not contain evidence. There should be ample case history and ruling as to whether a person can be compelled to provide such a physical key. I expect that a direct answer to key/passphrase disclosure will be found there.
Nice video, thank you.
Or you may use a plausible deniability system. But in doing that you may want to be reasonably sure that no data leaks exist, or you may find yourself in an even worse position.
... to assume guilt than innocence ... after all, countries all over the globe are switching to this, e.g. with data retention ... everybody is guilty, just have to find out of what ... just grab somebody, see if they prove they didn't do it, and if they can't (or won't) - off to jail!
So once the technology is available to directly read someone's thoughts, I assume they will allow the same argument. You can't be forced to say what you're thinking, but you can't stop them from looking inside your head because the evidence is there.
Hacker: "Right, there is a simple passcode I set up two years ago to decrypt the hard drive. You will see that it is completely legitimate.
The passcode is-"
DOJ: "What? What is the passphrase"
Hacker: "I can't remember, its been two years since I set it up. Oh well, guess you'll have to find other evidence."
DOJ: "That's obstruction of justice."
Hacker: "It's only obstruction of justice if I forgot it intentionally, which is impossible to prove. Sorry."
DOJ: "FFFFFFFUUUUUUUUUUUUUU"
"I don't recall" work great for Ronald Reagan. I'm sure there is precedent that it is acceptable under oath.
Second, and this is a technical solution, we need a forked compression system, where two different passwords give you two different sets of contents. Where encrypted data looks like empty space on the faux system. When the faux system is engaged, the encrypted data is destroyed. Hopefully one uses backup.
Strictly speaking, couldn't it be said that the data in an encrypted volume technically exists only in your mind?
I possess a hard drive full of meaningless bits, that reasonably can never be brute forced. There are no documents there, no .jpg files, no audio, no video.
The 30+ character key to reconstitute those bits into something readable resides only in my mind.
Therefore the act of decrypting the volume technically involves the creation of those files anew.
Knowing a passphrase is more akin to knowing the combination of a combination lock thank having a key to the safe.
In this case though it's like having a combination lock with about 70-80 numbers to choose from (50 or 100 is typical on a combination lock) and 8-20 or more "turns" (characters) instead of the more typical 3-5 turns.
Oh, and it's like having a combination lock to a safe that is otherwise impenetrable without waiting 5-10 years for someone to invent a "super drill" (analogous to a good-enough quantum computer that can economically figure out the passcode, which is probably 5-10 years away, perhaps less) that can drill into the safe.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I think this is along the lines of... if you have a safe, they can, with a warrent/court order, force the safe open. And find incriminating evidence inside. It's not the same thing as forcing you to incriminate yourself. They are just looking at this as a container that's locked. If you have a safe full of documents, they get a court order to access them, and before they get to them you 'accidentally' set fire to everything in the safe, that's obstruction of justice. Essentially they are trying to treat electronic evidence no different than physical records.
I was thinking that decrypting is similar to forcing someone to unlock their safe and I don't have a problem with this. However, the more I think about it I see it as a secret code. If I invent my own language XYZ and write everything down with it, can they compel me to translate my documents back to English? Or force me to give them an XYZ to English dictionary? The decryption password to me is the same thing as a translation dictionary.
What you need is an alternate passphrase (kind of like alarms have to silenty notify authorities) that would destroy a certain section of contents when entered and make it not detectable. That way, it's as if you entered the correct passphrase, but no incriminating contents. How do we get this feature built into Linux hard drive encryption?
But they can't prove I'm obstructing justice...nor can they prove I haven't "forgotten" the password - I can remember Presidents who have forgotten lots of things.
Hell, if "I can't recall" wasn't valid, a lot of people would be in jail...including Dick (72 times) Cheney.
The second is likely to get you a obstruction of justice charge, tamping with evidence, etc. But I am assuming that those are lesser crimes compared to whatever is on your laptop. (After all, if there wasn't anything there, other than the privacy issue, it's would be in your favor to say - "Sure, here you go. BTW: since there is no evidence, I'm suing the state for false arrest")
And let's face it....any state that offers you a "well, you can get an obstruction of justice charge" vs. "really, really, really nasty charges" and you'd be a fool not to take it.
All they have to do is offer "feature" and states would NEVER ask you for the password again.
the decryption is not analogous to you unlocking your home. it's forcing someone to do the detective work for them. if police have a warrant to search my home, but can't figure out that the manuscript i'm writing has hidden messages embedded in it, i'm not obligated to point it out and translate it to them. the equivalent here is like taking an encrypted message on paper, and demanding that the accused explain what it says. the authorities have possession of the encrypted data already, that's what the warrant is for. now they want this person to incriminate themselves, which is no surprise. that's their job, to trick you into incriminating yourself.
if you think about it, someone who is witholding a confession is also, in a way, encrypting the information about the crime that took place.
insensitive clod overlords obligatory xkcd car analogy russian reversals whoosh pedant fanbois ftfy in 3...2...1..PROFIT
Or else what?
I hope the defendant doesn't give in. Personally, I'd rather sit in jail on contempt of court charges than go to big boy prison for whatever the state were investigating me for. At least with the contempt of court charges, I run the chance of becoming a cause celeb for standing up for principles, which is way better than being convicted of a crime.
I got into an argument about this very case with my (non-American) girlfriend the other day. She honestly doesn't get the fifth amendment and assumes that anyone who invokes it is basically admitting guilt, which isn't the case. She's from central America. You would think that people down in that part of the world would have some recent memory of unjust laws. Just because something is the law, doesn't make it right, and it is better for all of us that we keep the fifth amendment intact for cases when the law is not just than to violate it just so that someone can get convicted of fraud, murder or anything else.
Now that compelled testimony (prohibited by 5th amendment) and compelled speech which may be used to obtain evidence, have suddenly become two different things, Miranda warnings will have to be reworded.
"You have the right to remain silent," will have to change to "You have the right to withhold information which may be used against you, but do not have the right to withhold information which leads to other information which may be used against you." And that's just a first draft off the top of my head but probably still doesn't work quite right.
It's going to take a lot of lawyers working a lot of years to rewrite Miranda, I think. And somehow I doubt it'll be comprehensible when they're done.
Law is too complex for humans.
"Believe me!" -- Donald Trump
posting AC did the same thing for you...
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
Comment removed based on user account deletion
Except encryption is not a container. Regardless of the safe existence and condition, its contents exist and can be extracted even without a person opening it with a key. Opening the safe does not change the fact that contents will be accessible, it merely provides an easier option of all options available.
Readable data literally does not exist until the moment decryption is performed -- and asking a person to provide it would certainly be a violation of the 5th amendment. Encrypted data is already in evidence, however if prosecution can't use it for any purpose, it's merely a problem for prosecution, and defendant has no obligations related to it.
Contrary to the popular belief, there indeed is no God.
It may well require a US Supreme Court decision, but if well argued should be a win for the EFF. The protection against self-incrimination is very solid and should be extended to encrypted electronic devices. IMHO, IANAL, WWJD,
For every benefit you receive a tax is levied. - Ralph Waldo Emerson
For my research I have a couple terabytes of truly random data- and literally no encrypted data on the system. What happens if they think that's encrypted data and charge me up the wazoo for not revealing the code to it?
"A mortgage-fraud case may have widespread implications for criminals who use cryptography to hide evidence. The US Department of Justice is pushing for the defendant to be forced to decrypt her hard drive, claiming that if they cannot force such decryptions, law enforcement will be unable to gather important evidence" ..
I guess we here in the United Kingdom are ahead of the US in this regard, the same with the right to silence. Under the UK RIPA act, you can get up to five years if you fail to reveal a decryption key. And if under arrest, you have the right to silence except "it may harm your defence" if you fail to disclose anything that you later rely on in court.
Using true crypt plausible deniability.
This reminds me of a security conference I went to. After a talk about computer forensics by someone from the UK police, I asked what they did about encrypted messages. He replied that they "normally just ask for the password", he didn't go into details about quite what "ask" involved.
There are four sorts of people in the world: fools, lunatics, idiots and morons. - Umberto Eco, Foucaut's pendulum.
Just use a one time pad scheme and give them a dummy key. It's impossible to prove the difference.
Comment removed based on user account deletion
The analogies are OK, but there must be precedent somewhere of a direct comparison? Someone who wrote down information but used an old school cipher to encode it?
There must be a precedent somewhere in hundreds of years of case law that has dealt with a hand-written cipher. A computer cipher is no different.
Create whatever "evidence" you'd like there to be, XOR that against the cipertext, and then provide the result to law enforcement as the OTP.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
This makes me think of Godel Escher Bach. Is it perhaps unclear in this situation where the data actually lies? Is the entirety of the data in the encrypted drive and the key is just a trigger to bring it out? Or is there some actual content in some regards in the key itself?
What about this situation, for example. Lets say you have some hard drive (drive1) with incriminating evidence on it. You encrypt it with key1, which you never look at, but store on a tiny (
Or what about this. Lets say you choose an xor cipher as your encryption scheme. In this case, both the key and the encrypted data are equal-length random bits. Does it somehow matter which you store in your head, and which you keep on the computer? Or can the court force you to divulge either?
The key is not just a key in encryption, it is part of the data itself. The analogy to a physical key is flawed.
What password?
I bumped my head when you put me in the police car. Can't remember a thing. Other than my 5th Amendment right to give you nothing you can't find on your own.
5th ONLY applies if you can't be harmed by what you disclose; they can force you but only if you get immunity from being incriminated. 4th applies to the laptop; however, to get to her documents she must give the password which could INDIRECTLY incriminate her.
The sticky point is the INDIRECTION. It really shouldn't be but somehow just adding a few intermediate steps people get confused.
If allowed, other forms of indirection could be justified to undo the 5th as well. We have already been seeing this with the 4th for years as the government tries to get around its limitations by indirectly violating rights -- they can't search your email without a warrant but they can ask ATnT to search your email (and all your internet) without a warrant and the fact ATnT just handed it over without any resistance....(not the best example but its all that came to mind.) Like letting a cop into your home when they ask--- once inside, you lose; you waved your right.
They've been arguing that 3rd or 4th parties make it ok for them to do things which are prohibited and they have been doing it in multiple areas. Each time requires a bunch of court battles and I bet you that they are working on 4th, 5th, 6th party indirections knowing it will be a long time before they are stopped-- and defendants will be in a DoS attack situation-- unable to dig 3+ levels deep of 3rd parties.) I read about a case where the gov was claiming they didn't need warrants for emails; they lost-- but not that long ago I read about them doing it AGAIN but with cell phones.
If gmail, which says in the agreement they will comply with local law enforcement decides that means voluntarily handing over your emails and searches when asked without warrant... how can you claim the 4th?? you agreed in the ToS agreement that it was up to google to decide... maybe they've fixed their thing since I first read it back when it was invite only beta... Does the "expectation" of privacy work when you click agreements you don't read that state you can't expect that level of privacy? Its all even more messy when you try to read some of the court cases on these matters as I have. It should be simple but it is not.
Democracy Now! - uncensored, anti-establishment news
Lighten up, Francis.
I agree with EFF that merely entering a password into a computer is testimony in that you are testifying that you have access to and/or control over it. Secondly, obviously, if whatever was on the device was highly incriminating then I would take the contempt charge. Finally, how can the prosecutor prove that that haven't merely misplaced or forgotten the password?
Your password should be a direct admission of any crime you are actively engaged in. Your password could then be used under a "fruits of a poisonous tree" defense.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
My take on it is simply this, the knowledge they need is in the defendants head, giving or otherwise providing that knowledge self incriminated and thus goes against the 5th amendment. The police can ask you where the bodies are buried but they can't make you tell them. Something in someones head is always protected under 5th amendment laws as far as I'm concerned.
Encrypt a large section of your hard drive that contains NO incriminating data as a distraction from where you keep the real info..
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Suppose that a defendant encrypted incriminating data using a one time pad, and memorized the one time pad. Forcing the defendant to reveal the one time pad would be meaningless. If a defendant memorizes a password with less entropy than the encrypted incriminating data it becomes possible to verify the accuracy of what the defendant has revealed. Finally consider the case where a defendant is in possession of a single bit of information; the answer to the question "Did you commit the crime of which you are accused?"
In both the first and third cases the fifth amendment protects the revelation of information by the defendant. Why should the second case be any different? Courts must always consider the effect of their actions and not merely the legal technicalities. In my mind there is little difference between coercing a defendant to pen his or her own confession (the equivalent of forcing a defendant to decrypt a OTP ciphertext), decrypt potentially incriminating data with a password, or directly admit guilt.
Face it, the government does have the resources to decrypt her drive. The DOJ is either just being lazy or have been told by one or more three letter agencies to bugger off because a mortgage fraud case just isn't worth their time. If I were the defense I would strongly push that the act of decrypting the drive is well within the governments capabilities and that the defendant should not be forced to perform labor that assists her antagonists.
Average Intelligence is a Scary Thing
Some people seem to be conflating this with the TSA searching laptops at checkpoints. This is entirely different. The prosecutor has sufficient evidence to go to a judge to get a warrant compelling the person to reveal their files. This is not a violation of their rights like a search without probable cause. This is part of the normal discovery process.
Now I am curious how this compares to a physical key to a safe. If a person can be compelled to provide a physical key, or to open a safe without providing the key itself, can they be forced to do the virtual equivalent? Or is the virtual key self-incrimination but the physical key is not?
With a warrant, they should be able to decrypt your laptop... but I certaintly wouldn't help them do it. Isn't there something in the constitution about not having to implicate yourself?
That's precisely the kind of situations were you need a system that encrypts multiple (possibly interleaved) partitions with different keys. When forced to relinquish a pass phrase, just give the one with partition A, and have them nose around. When doing real work, use the pass phrase for partition B.
cpghost at Cordula's Web.
sounds like the best course of action is to say you forgot your passphrase. Problem solved.
The judge is not obliged to believe you.
Twenty-five years on the bench makes for a very low tolerance of the geek's brand of bull ---
and he has a cure:
a 6x8 cell and a bunk mate named Big Mike.
...I can't remember any of the passphrases to any of my PGP encrypted files. I've had about 10 different keys now, can't remember the passphrase to a single one anymore. :-(
What would be worse is if I placed that block of data on someone else's machine. Come the time they get busted there is no possibility that the data could be decrypted and therefore the only option is jail - even though no crime has been commited since owning random data is not illegal.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
There's a simple solution here: the government has the right to seize the computer as evidence. The suspect has the right not to incriminate herself by telling them how to get dirt on her. The feds therefore just have to either use the intel they have on the suspect to figure out the password (have they tried her kids' names already?), or else brute-force it. If no one in the DOJ is smart enough to do that, what are we paying taxes for?
MSIE: The world's most standards-complaint web browser.
Dear DOJ,
Each step you take like this causes us to take one step closer to a revolution.
Sincerely,
Cranky citizens
This is an interesting Fifth Amendment problem that courts have not handled in a uniform manner.
The Fifth Amendment is not exactly a "right to remain silent." For instance, a person charged with uttering a threat can be required to speak in a "voice identification lineup" where the person is directed to speak a certain pattern of words.
The Fifth Amendment does not always prevent you from giving evidence against yourself, as a person can be compelled to produce fingerprints and blood (think Blood Alcohol or DNA) if there is sufficient probable cause.
The Fifth Amendment protects a person from being compelled to "testify" against himself or to provide "testimonial" evidence. Here's what the Supreme Court has said about the matter: "[T]he Fifth Amendment would not be violated by the fact alone that the papers on their face might incriminate the taxpayer, for the privilege protects a person only against being incriminated by his own compelled testimonial communications."
Certainly, and without question, making a person reveal a password to a computer is a testimonial act because giving up the password is just another way of stating that you know how to run that computer (or a part thereof) that nobody else can get to run. So, for the dude on the street, your password sits squarely within your commonly understood "right to remain silent."
It gets very weird, however, when the government does not care about the "testimonial" component of the computer-owner's 'password-statement' and the government seeks to use the Court to compel the witness/suspect to give up the password. In other words, the government doesn't give a damn about your testimonial act of providing the papers--it just wants the papers themselves to use them against you.
For instance, the Government can give the witness USE immunity and seek to compel the witness to enter the password into the computer (or disclose it) and THE ACT OF ENTERING THE PASSWORD (or disclosing it) into the computer could never be USED against the witness (but other evidence, including the formerly encrypted documents, sure could).
Courts have been split on the issue, but as I read it, most courts look on the password as a virtual key to a virtual file cabinet. A court can definitely make you give up the key to your file cabinet, but your act of producing the key to that cabinet can never be used against you.
One difference between the locked file and the encrypted file is that the locked file is not transformed by the act of unlocking the file cabinet. The act of password use, however, is a transformative act because the entry of the password changes the file. The act of password use is also dependent upon the mental processes of the witness. The latter consideration has mattered to some courts.
Seems to me that if you want to protect your data from seizure, you have to protect the data from yourself. If you can "open the file cabinet," the government can compel you to open the file cabinet (or jail you for a long time).
The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
Of course this will happen ONLY after the court ordered key-logger is installed.
to use something like a conveniently left open AP and a shared data drive, then simply claim it's not even your encrypted file?
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
What does the distinction between disclosing the passphrase and entering the passphrase have to do with the Fifth Amendment? I can understand Fourth Amendment.
"Love heals scars love left." -- Henry Rollins
”claiming that if they cannot force such decryptions, law enforcement will be unable to gather important evidence. ”
uhm, yeah, that's kind-of the POINT!
It seems pretty clear: a new encryption application is needed. It would require 2 pass phrases; one that would encrypt/decrypt files and the other that would activate an erase routine that completely removes all encrypted files on the disk(s). When your computer gets confiscated by any LEO, you would agree to cooperate fully by entering your pass phrase for them. You would then enter the 2nd pass phrase, which would cause all incriminating files to be erased. You cooperated and they found no evidence. Problem solved!
Just store all you encoded data in a file called say 'systemDump.obj' and store it in the system directory tmp.
Undetectable Steganography? Yep, there's an app fo
If the DOJ doesn't get its way, I can see the government having laws changed to allow imprisonment until the data has been cracked. I don't know why they haven't done it already.
Hmm, can't homeland security arrest you and detain you for no reason? You'd think that the DoJ would be jealous. They do have that pesky word "Justice" in their name. Maybe they should get rid of that and call themselves the Department of You're Screwed" or something more appropriate to efficient US fasci... er, administration.
"The courts have backed them up ..."
Wrong, in the general sense. The courts can force you to reveal your passwords, only in cases where they can already show that the encrypted data contains something illegal. They do NOT have the right to force you to reveal your password or decrypt your data just so they can find "evidence".
The article you point to in that link failed to emphasize that the customs agents had already seen child pornography that was contained in his encrypted data. Therefore, they already knew that there was illegal material in it.
The courts have NOT supported forcing someone to reveal encrypted data under any other circumstances.
Nope. Requiring the accused to decrypt the hard disk is exactly equal to asking him/her to open an office safe to show its contents when a search warrant is served.
You might be in agreement and I'm just missing that in your comment above, but other posters in this thread like dgatwood in this comment point out that compelling the accused to open a safe or decrypt a volume both equate to compelled self-incrimination, which is generally in contravention of the 5th amendment. If the accused agrees, that's one thing, but compelling is apparently a no-no.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Thanks for a well-reasoned comment. :)
As dgatwood pointed out over here, apparently compelling the accused to either open a safe or decrypt a volume could both amount to compelled self-incrimination, which seems to be what the 5th amendment was intended to prevent.
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
Completely OT minor quibble, but...
Grammar-wise, the last line of your sig should read, E pluribus sanguinem, making sanguis the direct object of the sentence.
And now I doff my Pedant Hat. :)
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
I have had to regenerate pgp keys too many times to count. I frequently forget my passwords, and end up letting the encrypted data go. Does this mean that if I encrypt a sappy love-note to myself, and forget the password after being accused of being unlawfully brown, or saying "don't tread on me", that I will be imprisoned until the NSA can crack my password? WTF? This is ludicrous! Someone say expat?
Laws are like sausages. It's better not to see them being made. - Otto von Bismarck
With some careful planning I'm pretty sure one could respond to such a request from the DOJ by either:
"Decrypting" his/her laptop .... OR .... Decrypting his/her "laptop"
Maybe for the ambitious:
"Decrypting" his/her "laptop".
uhm im not a hacking genius or anything but why dont they use brutis or something and figure out the passwords for themselves? They just hired the gaylord Dark Tangent to homeland security.. so when he aint decrypting muslim jihad emails.... get him to do this.. afterall hes a government Boy.. now.
On the bright side, at least the DOJ is still technologically forced to attempt such a thing. I'd feel more despair if they just took it into a back room, hooked it up to a supercomputer, and emerged a week later with the key.
The same rules shouldn't apply as they aren't the same.
With a safe, one can see there is an actual safe that can be opened. In theory with data, there's no way to know if it's encrypted data or a bunch of random bits. If the police get the idea that some random data is actually encrypted data, there would be no way to prove that that isn't the case. They would keep asking for a non-existent password and you'd be in jail for not giving it. You'd have no recourse.
With a safe, one can physically see the safe and know it exists. There may or may not be anything in it, but that's provable. If a bunch of random bits is encrypted or not isn't provable.
Wasn't there a case in NY where a guy was getting a divorce and refused to give over his account numbers where he stashed all his loot as he didn't want his wife to have any of it.
The judge basically said he was in contempt of court and could stay in jail until he felt like sharing that information.
He stayed in jail in protest in contempt of court for like 12 years before I think they finally released him (or is he still in jail, I have no idea).
This seems like a very similar issue.
If the result of this case means that one can be punished for not providing the password, you could get in trouble for having anything that looks like encrypted data.
Before I upgraded my hard drive I ran a program to wipe the old one with random data. Now the old hard drive is sitting in a box. If my place got raided and they seized that hard drive, they might think it's encrypted (since strongly encrypted data is mathematically indistinguishable from random noise), but I would be absolutely unable to provide them with any password because there isn't any.
When I have to send very sensitive data through email, I'll encrypt it and tell the recipient the password through another means. Neither of us had any reason to continue to remember the password once the recipient extracted the data, so now we have encrypted files for which neither of us knows the password.
If one can be forced to reveal passwords, that could have very scary implications for law-abiding citizens who are unable to provide a password because they forgot it or because there never was one.
---------
There is inferior bacteria on the interior of your posterior.
These are not the sectors you are looking for.
I haven't finished this, but at 3:40 they to be telling people that privacy isn't an inherent human right. It also implies that we need the constitution to grant us our rights.
We are not allowed to punish people for refusing to incriminate themselves because that ...
We did this for multiple reasons, but they are irrelevant - it is the LAW. Why we did this is not important, what the law says is.
One of the big questions is what if someone says I forgot my password
Before you accuse them of lying, remember how many times you personally have forgotten a password. I have forgotten multiple passwords, including email, work, financial accounts, etc.
Passwords are protected by the 5ifth amendment because the government can not prove someone has NOT forgotten it.
excitingthingstodo.blogspot.com
It would have to be a confession of that particular crime. Not that it'd be hard...
pa55\/\/0rd2my1ll3g4ls7uff
I don't really see it as any different from being forced to open a locker that is suspected to contain a murder weapon. If I argued that under the fifth amendment, I am not obligated to open that locker because it would be self-incriminating, how would that hold up in court (I don't actually know the answer, but I would assume this is precedented and has an answer)? They aren't asking me to give them the key to the locker, they're just asking me to open it. I suppose the only difference is that it's much easier to force your way into a locker than it is to brute force an encrypted drive, but even then, the concepts of privacy and the fifth amendment should be the same, yes? And I suppose you could also argue that the password itself might contain keywords or some such which are incriminating, but by the same token I could have something incriminating etched onto a key.
...is easy. Put a protected zip document on your desktop named "tehsecretz" and fill it with one thousand GOATSE images of all different sizes. That way they're sure to have to look at each and every one of them. They won't want your passwords anymore. Atleast, one would hope....
You have the right to remain silent. Anything you say not only can, but will be used against you.
Certainly the same must apply to typing. If your lawyer can't make that case, get a new lawyer.
WHO is the clown in charge of that huge blunder?
All you dudes at DOJ figure that out,
so you know whose head goes on the pike
when the layoffs come
and the raises don't.
Or do you DOJ Dudes think that trillion dollar deficit belongs to space aliens?
Then you missed out on a good talk. Give it another try.
Simple, setup two passphases. One passpharse decrypts and the other passphases initiates the ATA secure erase command.
There is a similar technique which makes it harder for the attacker.
When asked to decrypt the laptop, explain that you use a keyfile instead of / in addition to a passphrase. The keyfile is stored in a USB thumb drive / SD card. When your laptop was seized, you destroyed the file/card/drive, so now no one will be able to decrypt, not even yourself. (Or, you gave it to someone outside the jurisdiction of the court, who has been instructed not to release it back to you for two years or something similar.) Let them stew.
In reality, everything you have said so far is the absolute truth. What you choose not to mention, however, is that you have already memorized the contents of the keyfile and can reproduce the file from memory. It could be something as banal as a 2-line text file containing #!/bin/sh and the next line PATH="${PATH##*:}:${PATH%:*}" or ls -a "$@" or something similar. So you're not really in danger of losing the encryption key.
This would work great for those airport inspections.
"Why do you have an encrypted volume on your laptop? Decrypt it so I can find an excuse to confiscate it."
"Sorry, that encrypted volume is for work, decrypted only by a keyfile on my USB key, but since I'm here on vacation, I didn't bring my USB key. No keyfile, no decryption."
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
If you have anything to hide,
1- store it on an external server, not your own laptop.
2- make it untrackable by steganographic encoding.
No encryption, no passphrase, no lawyer, no 5th amendment: privacy at last!
Comment removed based on user account deletion
In this case, the Prosecution offered her production immunity. That means they cannot admit in court the fact that she provided the passphrase. They only seek to use the decrypted contents.
What we really need is not a misguided Department of Justice that is trying to tweak and misinterpret the Constitution or a judge who apparently needs to go back to law school but a Supreme Court ruling on this issue that affirms the Fifth Amendment that our founder fathers have put in place.
Suppose I'm a suspect in a murder and I know the whereabouts of a witness who law enforcement believes witnessed the murder. Am I compelled to give up that information?
I swear to God...I swear to God! That is NOT how you treat your human!
You have knowledge in your head to make sense of the recorded information. You're a bookie with your log book, nicknames for all the clients. Can they force you to divulge which client has which nickname? You're a money launderer who does your books in code, with amounts, items and names mixed up according to a key you have in your head. Can they force you to divulge the key in order to prosecute you?
Not a chance. They get to figure that out for themselves, if they can. Without the code the books are useless, and information in them can't be used against you. In both of the above cases they would first give the person immunity, then force him to divulge the code. Somehow, when it comes to computers, people think they can force it.
Here's a presentation discussing the issue of force password disclosures and laptops I gave at DefCon 17: http://www.youtube.com/watch?v=ibQGWXfWc7c
Check the law and make up your own mind.
The "Law" is interpreted by the judge. If you don't like his or her interpretation,you can appeal. The appeal will be "decided" by another judge. The DOJ is out of control. Thanks pres. Bush..............oh wait!!!!!!
I do not recall
The devil thing is somewhere on earth. Compelling someone to reveal where they hid it or face consequences just unlocks access to permissable evidence the same way a key unlocks access to a safe or a password unlocks access to an encrypted file.
The evidence is in your mind. Forcing you to sit in a machine that extracts the evidence from your mind is not self incrimination. After all you are not testifying against yourself are you? A machine is simply extracting permissable evidence.
With weasel wordsmithing does "witness against himself" afford the defendant any protection of any kind? What does it affirmativly protect against and why?
Does it apply to women? Note "himself".
Lawyers think they are being clever when they have that eureka moment and invent novel interpretations of plain language to support their case while the rest of us look on in discust wishing they would be disbarred.
the location of the body? Doing so is an admission of guilt. No way.
Disclosing your passphrase is also an admission of guilt if the encrypted files contain incriminating evidence.
This is perfect. Thank you for the post.
1. Commit a crime. Nothing serious, just a misdemeanor.
2. Create a password, that describes your crime.
Then, they cannot force you to disclose your password, because by disclosing it, you would incriminate yourself.
Not only can you be held indefinitely for contempt, but should you disobey a court order to turn over evidence (e.g. because you destroyed it), the court is allowed to interpret the missing evidence in the most damning way possible for your case.
To clarify this point: if somebody (say a couple of undercover detectives, for example) SAW you put known contraband in your safe, then a court can force you to open that safe. If, on the other hand, they don't know of anything illegal in that safe, but only THINK there may be EVIDENCE of something illegal contained in your safe, the 4th Amendment prevents them from undertaking such a "fishing expedition", merely to try to find evidence.
The court case under discussion appears to be a case of a fishing expedition. They THINK there may be EVIDENCE of illegal activity contained in her encrypted data. This is clearly a 4th Amendment issue, not at all like the case of the guy in the airport with observable child porn.
Just curious, but what if the defendant gave them a poison pill password, one that securely wiped the encrypted data upon entry?
Would the defendant be liable for destroying evidence, even though they never entered the password? Also. if the data is wiped before being examined by law enforcement, how could they make the case for destroying 'evidence'? There may have never been any evidence in the files at all...
Oh, never mind. I just saw the flaw in my own logic. Any competent enforcement officer or prosecution attorney would of course make a backup of any encrypted data before applying the defendant's submitted password to it...wouldn't they?
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
I had many discussions years ago with a colleague about cryptography and coding theory. His analogy about cryptography and the right of law enforcement to obtain the passphrase was in the end asking them to interpret your language for them, which you are not required to do.
Whistling Analogy
Imagine you and I want to speak with each other in a way others do not understand. We create a whistling language where whistles of certain lengths and combinations will represent the codeset of our language. We both agree to this and can communicate effectively, albeit not very much information, when we are both within earshot of each other. Seeing as how we were both Electrical Engineers, we built a modem (I said this was many years ago) that transmits this whistling language over a phone line but at a much higher speed.
Now the government certainly can get a wiretap (and as we've learned AT&T has been providing this all along) and record all the whistles, but they can never force us to teach them what the code means.
To make this analogy more relevant to this case - the whistles are bits (0 and 1) and the hard drive is just the storage mechanism that I am using for communicating with myself at a later time. The encryption is still the language that needs to be interpreted. The government can have the physical device (computer, hard drive) but can never force me to teach them the language to translate the bits into another language that they understand.
then I would consider writing a program that render it useless. It wouldn't even be hard. 1.) Well Encrypted drive. 2.) Anything that goes into it is Encrypted AGAIN, then hidden into an innocuous carrier using steganography (home-brew algorithm so there is no known signature; even if they do manage to steganalyze, they'll be looking at another wall of encryption). 3.) Once sure it works, I might hide the source code and scrubbing everything else (walling in any evidence). 4.) If they come after me for anything, I'll just let them into the drive. Nothing to see but home videos, home photos, backups of legally bought movies, $CARRIER. I could even be creative and use some sort of embarrassing genre of pornographic videos as the carrier. That would offer pretty convincing testimony when I insist there was nothing else there. "The drive was only encrypted because I'm a deviant. Are you happy now that you've uncovered all of my scat and midget porn, your honor?" There would be design details to be worked out. This is just the first thing that came to mind.
http://xkcd.com/538/
I believe YOU have the right to remain silent ! no?
Its not just passwords, in a lot of places (like for example Texas) there is mandatory blood draw for people accused of DWI. They call it "no refusal weekends" or some such. You don't have the right to refuse, they will forcibly draw it if you resist.
In alarm systems, there is a feature, where if you punch in a specific four or six digit code for example, the alarm will disarm as it should but in addition place a silent alarm call to a monitoring station. This is a security feature, if you are being forced to disarm an alarmsystem, by a burglar for example.
I suppose this could easily be done with de/encryption software as well.
Imagine you had "safe data" ie. no incriminating data, and incriminating data.
If you enter the correct passphrase you get access to all your data. If you enter the special passphrase, it will appear as if you had entered a correct passphrase, but you only have access to non-incriminating data. optionally, the software could even delete the incriminating data in the background.
If your operating system comes with an encryption solution that provides safety for you in the case that someone steals your laptop, then everyone with sense will use it. The number of people that would bother to look for something other than what's already provided will be vanishingly small. The major reason anybody goes looking for the third-party solutions that are currently available is because their OS didn't come with a built-in solution.
I found this the other day when perusing the feds cybercrime resources. http://www.cybercrime.gov/crypto.html#IVa It's their agenda to push "key recoverable" encryption products that only they could recover plaintext from. This and the article mentioned above is their two pronged attack against the major irritant that encryption is proving to be. Just watch as they slowly tighten the net both from a legal and technical standpoint.
Suppose you're an unparalleled genius. Further suppose you've come up with your own "secret code" which you can encrypt/decrypt in your head as fast as you can read and write. You, and you alone, are capable of directly writing things in this code and reading what was written. Finally, let's assume you prefer pen and paper to computers. Now, the DOJ finds some of your encoded writings, it knows your algorithm because you've made it public, and the DOJ only needs your key.
Question #1: Does the US Constitution allow the DOJ to compel you to decrypt the encoded writings they found?
Question #2: Change the final assumption so that you prefer to type your manually encoded notes into some text editor and store those on a computing device instead of using pen and paper, then reconsider Question #1 in this context.
My own view is that Question #2 is no different from #1; putting your writings on a computing device is no different than putting them on paper. If that's true, then the only difference between this scenario and the case in question is that this hypothetical algorithm isn't publicly available. I can't see how being compelled to reveal your encryption key for a public algorithm is conceptually different than being forced to manually decrypt your own encrypted writings, so it doesn't seem to me that it should be allowed under the 5th Amendment.
- T
This sounds like a good use for GPG based encryption using a smart card. I use the OpenPGP card for my private key. This prevents keylogging from being able to get my passphrase and then look at my encrypted backups. I can make a backup and encrypt it without the smart card, and it is only at decrypt time that I need the smart card and reader.
After three tries of the PIN that protects the card the PIN is disabled. After three tries of the admin reset PIN the card burns out. It doesn't matter if the HDD is duplicated -- once the keys are fried, they are out of luck.
I would certainly give up my password. My password may not unlock the hard drive, at which point I would proclaim that while MY hard drive was encrypted with FIDDLYDOO, this hard drive does not open to that password, so I cannot verify that this is in fact my hard drive, but that it appears to be the same model as mine.
Drive cryptos need two pass phrases One that decrypts... and a second to fry the data / system
You don't want to incriminate yourself, you say?
In all probability, if someone asks you a question that you can't answer because it's precision doesn't allow you to give any other circumstantial answer other than your self-incrimination, thereby you claim the 5th Amendment in your defense?? The question has already been asked, after the plot and summary have alluded to point to you, and perhaps other people have contributed to evidence to encriminate you, and you think the 5th Amendment has any general emballment of your body to self-witness?
If none of you understand what I'm trying to say, then it has the effect that the answer you give where lacks a complaint is ample evidence alone. The legislated courts have nothing to do with self-encrimination and the Amendments: they are founded on REGULATION, to interfere with the de-jure Court of record and law thathas the jurisprudence to outcast a man to the netherworlds.
5th Amendment is actually a trick reservation, that has nothing to do with not answering questions, but actually tells the Court that you will incriminate yourself upon answering under the 5th Amendment: it's a catch. By claiming the 5th Amendment, you admit that you are a criminal, not that you refuse to testify against yourself. Why wouldn't you have a normal casual conversation with a Judge to reflect on your persuasion and spirit of the law to that matter at hand?
would work. How embarrassing.
Say you give someone the true passphrase, but they are unable to prove that they re-encrypted your laptop data to another passphrase than the true passphrase given them because they are tampering with evidence and manufacturing evidence to encriminate for maximum injury against you rather than REMEDY to so-called corpus delecti?
What then? What...then?
But on a remote crypted volume.
so if I type my passphrase in, you'll find on the root of the filesystem a file called "password.txt" which contains the passphrase for the crypted partition.
So I would reveal the passphrase in any case.
Is revealing your passphrase self-incriminating (hard to see how unless your passphrase is 'hahaIkilledKennedy') or is it more akin to having to hand over the keys to your office/house/car to allow police to search?
In the UK the courts have chosen the latter interpretation.
My solution to this problem? I simply just do not know the pass-phase.
When I moved to whole disk encryption with my work laptop I ran a trial with having my girlfriend knowing the boot passphrase, and then my Mac OS X login password for my account is completely different, which I know.
I found given that I use the laptop every day, I never run it below 20% battery life and I have no need to restart other then a major software update - I hardly ever needed to boot it, and when I did 9 times out of 10 I was at home with my girlfriend. Worst case scenario if I find I need to boot, I am geographically away from her - I simply have her tell me what it is over the phone, and be done with it.
As a result, my pass-phase is now known only to my personal solicitor (i.e. not our business solicitor) and given I see him regularly every 2-3 months I line up software updates, etc, when I have an appointment and he enters the pass-phase. I also have a monitoring script that after the 3rd failed attempt at enter the password at my screensaver my Mac will forcefully reboot, thus bringing up the WDE boot screen.
I find my overly protective solution works fairly well and If I am ever forced to reveal the pass-phase, I'm sorry officer but I do not know it, and if push comes to shove I will direct them to my solicitor.
Not that I have anything to hide, but after-all - my privacy is worth protecting.
I can not unencrypted the drive because I have to see the output of my pass phrase assigning script at 8 am everyday. I missed it and no longer have access to my computer.
Just another compelling piece on how the Government can control an individual anymore. Dont give it to them make them work for it.
I'm just curious as to how after this will be spun to be Bush's fault.
Then we get back to the usual argument: how do you deal with people who can (convincingly!) claim that they forget their password(s)?
"Oh my God, I thought my password was 1234hunter2" !!? Um.... what else could it be, Judge???"
Go to jail anyway. After all, think of the children.
We're slipping into dangerous "thought crime" territory.
Sounds like an opportunity to me ... Software that has 2 purposes: 1. encrypt/decrypt hard drives ... 2. seriously damage hard drive formatting. Depending on the password entered.
It's that word, "only." That word is misused and abused to the point where we know that no one hearing it will know that it's misplaced and incorrect. Forcing one to "only" decrypt one's hard drive is forcing one to turn over evidence about oneself. Notably, they aren't forcing her to erase the hard drive.
Cranky educator.
Depending on how far this goes it doesn't matter anyway... The government will just create a new law that forces software makers to build in a back door for law enforcement. It is the same way they can do wire taps. The phone company has to have a back door for the cops by law. So even if this person doesn't give up her password, future software will allow the DOJ to simply bypass passwords.
Looks like it's time for the crew at Truecrypt to add a burn, pillage, plow, & salt password to their program... I'd rather lose decades of journals, notes, quotes, manuscripts, and personal history than to be FORCED to allow anyone to see any of it... The ideal name would be the "Oops!" key "Oh darn, LOOK WHAT YOU MADE ME DO!!!" The Easter Egg could be a full transcript of the US Declaration of Independence, Constitution, and Federalist Papers appearing in place of the data!!!!
"The US Department of Justice is pushing for the defendant to be forced to decrypt her hard drive" - another simple example about "freedom" in the USA... Only blind people believe in the true freedom in the USA.
Recipes for USA bankrupt - http://tinypaste.com/0d66f dd = dollar deluge (printed in the infinity)
The whole purpose is the 5th amendment...if someone is asked to voluntarily give up information that will incriminate themselves they have a right to refuse...plain and simple....or else you talk to their lawyers....and deal with them, same here should apply, if i own a laptop that has verbal recordings (example only here) of things i have done that can incriminate me, then is it not the same as obtaining illegal wire taps...unless the person tells you its ok to record them, or are told they are being recorded, it is the same thing here with the laptop, it contains information that was plunked there BEFORE any knowledge it might get used against that person, therefor should not be forced by that person to give up any access what so ever....
it kills me that cyber or virtual presence is being treated differently then actual physical presence on some cases, but not on others.... ...that means they are legally equivalent to someone's legal binding word. If you lie under oath, then you can be charged...because your word is recognized as a legal means of communicating information that has to be accepted as truth.... if we differentiate between virtual and physical, there will be abuse of the system on all points by the government as it sees fit.
if there is an email in the white house that is purged, it is considered treason as it is an accepted means of communication legally that could have information important to the white house...and legally must be kept/backed up....there are legal repercussions if you lose them
There needs to be a set protocol that assumes if you have a diary (written word) that can be used against you in court, or can be dismissed for being illegally obtained, then the same thing is evident for such things as encrypted information. If you force me to give you access, then it was obtained illegally...and because the warrant might be obtained to search your virtual documents with dates starting as of the date the warrant was issued....any files created before should not fall under that same warrant....this is the differentiating factor we need to apply between physical and virtual information....as the legal wiretap would get you conversations starting from that date, and not before, so any encrypted files would not be allowed under that warrant, based on its date (which is part of the encryption info for any real encryption software...)
none of my businese. metcn.cc