Slashdot Mirror
DOJ: We Can Force You To Decrypt That Laptop
betterunixthanunix writes "A mortgage-fraud case may have widespread implications for criminals who use cryptography to hide evidence. The US Department of Justice is pushing for the defendant to be forced to decrypt her hard drive, claiming that if they cannot force such decryptions, law enforcement will be unable to gather important evidence. The defendant's lawyer and the Electronic Frontier Foundation have made the claim that forcing such a decryption would be a violation of the defendant's fifth amendment right not to self-incriminate. The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
"I'm sorry, but I don't recall my passphrase. I guess the stress of this case has made me forget it!"
If it works for the DoJ it should work for us...
hey, if you did something wrong and would be going to jail, why the hell help them even more? either way you go to jail, right?
they won't KILL you if you don't unlock your encr. stream. they will lock you up either way.
so don't give it to them. you cannot be forced to hang yourself.
fuck the DOJ.
--
"It is now safe to switch off your computer."
From TFA:
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
That sounds like a rather spot on analogy. Sounds like precedent is against her. The argument that the passphrase, itself, is the incriminating self-testimony seems really weak, both because the passphrase is not being required, and because the passphrase is not, in the end, what will incriminate her.
IANAL, of course.
Here's a presentation discussing the issue of force password disclosures and laptops I gave at DefCon 17: http://www.youtube.com/watch?v=ibQGWXfWc7c
Check the law and make up your own mind.
I am no lawyer, but the argument that this is a fifth amendment issue seems strong to me.
How is allowing the defendant to keep the password private a meaningful concession? The password has no value if the hard drive has been decrypted.
The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
That would still seem to violate the 5th amendment. The relevant text is bolded below:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Anyone of more legal background care to comment?
Cheers,
"What in the name of Fats Waller is that?"
"A four-foot prune."
obstruction of justice.
probably that's what they'd say.
but which would you rather 'deal with' - that or the fact that they successfully stole your soul? so to speak. forcing someone to unlock their most private journal is a sign of an evil state.
I am under no obligation to comply with the illegal and unconstitutional wishes of evil leaders or states.
but you may have hit on something: if they raise the anty and sell the idea to the public that they are now 'forced' to unlock their journals, I do expect to see more 'destroy on tamper' seals on things.
tit for tat. hey gov, you really want to fight your own people in this way? re-think that, guys. this is not a fight you want with the geek population. we actually outnumber you!
--
"It is now safe to switch off your computer."
Why do US authorities not just torture people to get the information they need? Wouldn't that be more effective and convenient?
Oh wait...they already did in Abu Ghraib and Guantanamo...
If you have a safe with a combination lock, can the authorities legally require you to either tell them the combination or unlock the safe? The passphrase to allow access to an encrypted drive is equivalent to the combination of a safe, so the same rules should apply.
Sadly this is taking a leaf out of the UK's book. I say sadly, sad that we got there first on this sort of nonsense. It's a crime not to reveal passwords when required to do so. It's part of the Regulation of Investigatory Power Act 2000 (look it up!)
If I recall someone demonstrated the stupidity of it by sending an encrypted file to the then home secretary. He was then in possession of a file that he could not possibly decrypt, but it would be a criminal offence for him not to supply the passphrase to decrypt it if required to do so. In other words, a law that he could not possibly obey no matter how much he wanted to.
Despite this demonstration of the stupidity of the act, I believe it still stands.
Sigs are so 1990s. No way would I be seen dead with one.
... they already can.
(Legally compel you to reveal crypto keys or render the relevant information intelligible that is. Well, you could refuse, but that's an offence obviously. Section 49 of Part III of the Regulation of Investigatory Powers (RIPA)).
http://www.legislation.gov.uk/ukpga/2000/23/section/49
"The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
I can see that there is a difference between forcing the disclosure of the password and being able to read something that is already decrypted, however I can't see how that wouldn't still be self-incrimination. I assume the police would either bring her to the evidence room and tell her to enter the passphrase, or they would simply demand that she deliver an un-encrypted copy of the drive. Either way they are forcing her to give up evidence that may be used to incriminate. This seems to be a seriously frightening precedent to set.
They would never be able to take someone accused of murder and say, in effect: "look, we KNOW you did it, we just lack all the evidence needed to convict. You are now ordered to show us every place you visited on the day in question, including where the body is hidden."
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Whoever said that you have to arrange your papers and effects in such a way that the government can understand it?
Does this also apply to paper documents?
Are you not allowed to write your thoughts in a coded manner?
Is it also OK to use euphemisms in your diary?
Is it the government's position that you also have to interpret your diary for the prosecution?
I'm not a lawyer, but I play one on the Internet. Blog
I'm thinking along the lines of two-factor authentication that requires a USB key or other external device which could be set to erase itself.
sounds like the best course of action is to say you forgot your passphrase. Problem solved.
They will have cloned the drive before they let her anywhere near it.
http://xkcd.com/538/ Their mistake was waiting until it got to trial. Now this method is harder to use.
Many criminals will use encryption that permits access by law enforcement, if that is the type of encryption that is commonly used and included in over-the-counter software
Because criminals buy their encryption software at Best Buy...
new password tech: the model you have in your mind, on how to vary the password based on current date and time and the matching code in the auth-modules.
there, fixed. there isn't 'one' password anymore, it varies based on when (maybe even where, if you can pull that off). maybe even based on other things: how many times its been booted or something. some variable that raises the bar beyond static passwords.
not needing those DES cards, but still having a varying password that is coded in your system and also in your mind.
slightly better: every user (who wants stronger protection) takes the source code, changes something, compiles and then deletes the source. you keep the secret of the algorithm only in your mind.
again, goverment: you really want to declare war on your geeks like this? this cannot end well, for both sides. please reconsider. we want peace and to be left alone with our privacy. why is that fundamental human right SO DAMNED HARD for you gov types to understand?
--
"It is now safe to switch off your computer."
This is why anyone serious about security uses TrueCrypt or other encryption systems which have plausible deniability built in. If she was using TrueCrypt, she could give them the password they are looking for, without revealing ANYTHING about what is actually on the drive.
Begun, the clone wars has.
I read an article to truly protect you from self incrimination, because regardless of who you are, you will be "forced" to give up your pass phrase or "willingly" decrypt the HDD. With this set up, you can 'willingly' give up your passphrase but for the 'dummy' partition and they won't be able to tell that there is a hidden partition because the space available will only show that of the dummy encrypted partition, not the whole HDD. Unless, of course, they take out the HDD and see the capacity, but you can go further and print out a fake a HDD label with a size similar to that of the dummy encrypted partition... This article is a great how-to on truly protecting yourself.
http://www.makeuseof.com/tag/create-hidden-partition-truecrypt-7/
Previewing comments are for sissies!
I'm not sure why, with a proper warrant, this shouldn't happen.
For the same reason that you cannot get a warrant for someone to tell you the location of a dead body.
Palm trees and 8
"No, that really is the password, the file(s) must have gotten corrupted. What did you do to my laptop?"
http://en.wikipedia.org/wiki/Contempt_of_court#United_States Actually, they can hold you until you provide what they want it seems. They held one man 14 years for contempt of court.
... unless someone followed even the remotest bit of common sense and made a copy of your drive before asking you to decrypt it. Trying to self-destruct the data is both futile and a VERY fast way to get either an obstruction of justice charge or get nailed with contempt of court. Better to let the lawyers fight it out.
What you describe is not possible in any way.
An "encrytped hard drive" or an "encrypted file" are both the same thing: a very very large number. When the government took possession of the medium that stores that number, they then permanently know it. It's a series of 1s and 0s, and they have it for sure, definitely, it can never be altered. So whatever procedure you have in mind is like saying, what if the number 8 simply decays in September. It doesn't make any sense.
How do I prevent them from adding anything to the system after it is in their possession.
If I turn over my key to the encryption I want a method to ensure than anything they use against me was put there by me, not by them afterward.
Can that be done?
After all, if they are willing to force an issue you can be sure some will make sure something is wrong. Its not like the current Administration is concerned about the rights of its citizens, they are making Bush Jr look like a staunch civil liberties advocate
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Or you may use a plausible deniability system. But in doing that you may want to be reasonably sure that no data leaks exist, or you may find yourself in an even worse position.
Do they have to show cause first or is this a new tool in the arsenal of the TSA?
You guys need to get your government departments straight. This is NOT the TSA. The TSA are the ones at Fargo International Airport who x-ray your flip-flops and make sure you're not taking nail clippers onto an airplane. They're not tasked with searching your laptop - They're only tasked with X-raying your laptop and your kid's teddy to make sure there isn't a bomb inside. If they suspect criminal activity they have to call the police.
The US CBP (Customs and Border Protection) *do* have the right to search the contents (i.e. files) of your laptop when you are entering the USA. They can search your laptop, search your luggage and search your person. In the same way they can require you to open a locked box that you might be travelling with, they are require you to open your 'locked' laptop. The courts have backed them up - See: http://news.cnet.com/8301-13578_3-10172866-38.html
So don't get TSA and CBP mixed up - They're different.
[Insert dozens of obligatory Slashdot posts here about TrueCrypt "Plausible Deniability" here.]
Finally, note that this article has nothing to do with airport or border security - It's about a court case.
So once the technology is available to directly read someone's thoughts, I assume they will allow the same argument. You can't be forced to say what you're thinking, but you can't stop them from looking inside your head because the evidence is there.
"I don't recall" work great for Ronald Reagan. I'm sure there is precedent that it is acceptable under oath.
Second, and this is a technical solution, we need a forked compression system, where two different passwords give you two different sets of contents. Where encrypted data looks like empty space on the faux system. When the faux system is engaged, the encrypted data is destroyed. Hopefully one uses backup.
Strictly speaking, couldn't it be said that the data in an encrypted volume technically exists only in your mind?
I possess a hard drive full of meaningless bits, that reasonably can never be brute forced. There are no documents there, no .jpg files, no audio, no video.
The 30+ character key to reconstitute those bits into something readable resides only in my mind.
Therefore the act of decrypting the volume technically involves the creation of those files anew.
from the TSA to a cop in a coffee shop, to force decryption.
Again, that's my point. The TSA are *not* LEOs - Even if they have nifty badges on their shirts. They're no more an LEO than the security guard outside a Wal-Mart. If they suspect a crime, they need to call over an LEO. The cop in the coffee shop is an LEO, and yes, once he had a warrant he could compel you to type in your password, in the same way he could compel you to open your safe.
Not if your adversary just copies the data and decrypts it elsewhere.
I hope the defendant doesn't give in. Personally, I'd rather sit in jail on contempt of court charges than go to big boy prison for whatever the state were investigating me for. At least with the contempt of court charges, I run the chance of becoming a cause celeb for standing up for principles, which is way better than being convicted of a crime.
I got into an argument about this very case with my (non-American) girlfriend the other day. She honestly doesn't get the fifth amendment and assumes that anyone who invokes it is basically admitting guilt, which isn't the case. She's from central America. You would think that people down in that part of the world would have some recent memory of unjust laws. Just because something is the law, doesn't make it right, and it is better for all of us that we keep the fifth amendment intact for cases when the law is not just than to violate it just so that someone can get convicted of fraud, murder or anything else.
Now that compelled testimony (prohibited by 5th amendment) and compelled speech which may be used to obtain evidence, have suddenly become two different things, Miranda warnings will have to be reworded.
"You have the right to remain silent," will have to change to "You have the right to withhold information which may be used against you, but do not have the right to withhold information which leads to other information which may be used against you." And that's just a first draft off the top of my head but probably still doesn't work quite right.
It's going to take a lot of lawyers working a lot of years to rewrite Miranda, I think. And somehow I doubt it'll be comprehensible when they're done.
Law is too complex for humans.
"Believe me!" -- Donald Trump
Comment removed based on user account deletion
What password?
I bumped my head when you put me in the police car. Can't remember a thing. Other than my 5th Amendment right to give you nothing you can't find on your own.
...and yes, once he had a warrant he could compel you to type in your password, in the same way he could compel you to open your safe.
Well...that's still to be determined by the courts.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Perhaps the problem is that the graphics they're using to crack the password just aren't fancy enough...
If the masses can keep you down, you're not the Ubermensch.
Exactly! Wow, I'm deep into the comments before anyone has started talking sense! The whole article is about the legal issue as to whether or not the courts can compel you to reveal your password. The courts cannot force you to testify at your own trial, and the question here is whether disclosing your password is tantamount to testimony (IANAL).
The Fifth Amendment wouldn't stop you from the contents of a safe for which a search warrant was obtained, so I don't see why it would be any different for an encrypted drive.
Remember, you're not being asked to incriminate yourself. You're being asked to produce an unencrypted version of a drive that is already known to exist, just like you would be asked to provide the contents of a safe that is known to exist. How you actually go about doing this (letting the DOJ crack open the safe, or giving them the password) is irrelevant.
Your password should be a direct admission of any crime you are actively engaged in. Your password could then be used under a "fruits of a poisonous tree" defense.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
My take on it is simply this, the knowledge they need is in the defendants head, giving or otherwise providing that knowledge self incriminated and thus goes against the 5th amendment. The police can ask you where the bodies are buried but they can't make you tell them. Something in someones head is always protected under 5th amendment laws as far as I'm concerned.
Dear DOJ,
Each step you take like this causes us to take one step closer to a revolution.
Sincerely,
Cranky citizens
Did you even bother to read anything on that link? Blaming an entire org for one or two loudmouth racists would be like saying all of us southerners like to spend our weekends lynching anybody that isn't white.
I have several friends and family that have been in the military and I can tell you they take their oath to the constitution VERY seriously. Read the link, see what they are fighting for. you'll see they simply want to uphold their original oath which wasn't to a single man but to the Constitution of The United States of America. Frankly I think we need a lot more people like that, that are willing to risk everything for what they believe in.
ACs don't waste your time replying, your posts are never seen by me.
Well, it's happened.
Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."
They are incompetent because they have no evidence, not because they can't crack encryption. If the entire case hangs on the ability to decrypt digital data (which really has no verifiable chain of custody), then the prosecution isn't doing that great of a job.
There is the big difference. You didn't have to do or say anything. Same for say a blood sample or DNA sample. You don't have do (or say) anything to provide it. They do all work. But in forcing you to decrypt, they are forcing you to take action against yourself. That's self incrimination, and that's a violation of the fifth amendment.
Not that it will help much when most judges think they are above the law. Case in point.
"The courts have backed them up ..."
Wrong, in the general sense. The courts can force you to reveal your passwords, only in cases where they can already show that the encrypted data contains something illegal. They do NOT have the right to force you to reveal your password or decrypt your data just so they can find "evidence".
The article you point to in that link failed to emphasize that the customs agents had already seen child pornography that was contained in his encrypted data. Therefore, they already knew that there was illegal material in it.
The courts have NOT supported forcing someone to reveal encrypted data under any other circumstances.
It isn't that they can't get competent people to crack an "electronic safe", the problem is that the electronic safes are exponentially harder to crack than the physical ones.
So, what you're saying is that if someone designed a better physical safe that was much harder to crack, it would be OK for the police to demand that you open it?
Eventually, this ends up as "well, it's just so darn hard to prove people are guilty, so let's just find ways we can throw them into jail without any effort on our part".
Now, that case says that he was being compelled to release a decrypted version of the Z: drive, which they had already seen exists. To me, that isn't any different than compelling someone to open a safe which is known to exist.
The obvious solution is to make it illegal for the prosecution to use any evidence they have not specifically requested to see, and which would be irrelevant to the case. I.e. if they find evidence for a different crime, it can't be used if the person first pleaded the fifth regarding the contents. So then the prosecution has a choice between (a) saying yes to getting the evidence through compelled disclosure, but knowing they can only use what's requested and not prosecute for, say, murder they discover as part of that investigation, or (b) say no to a compelled disclosure, and either do without the evidence or break into it themselves, in which case they can use any information they find there.
Seems simple enough, and guards the fifth, so I bet it will never become reality.
Wasn't there a case in NY where a guy was getting a divorce and refused to give over his account numbers where he stashed all his loot as he didn't want his wife to have any of it.
The judge basically said he was in contempt of court and could stay in jail until he felt like sharing that information.
He stayed in jail in protest in contempt of court for like 12 years before I think they finally released him (or is he still in jail, I have no idea).
This seems like a very similar issue.
But if you have not admitted that it is your laptop, or have not admitted that the encrypted file is yours or that you know the password, then they are asking you to divulge information - perhaps not the password itself, but the information that you know the password, that the data is yours. You cannot be forced to testify to any of these facts. This is why you should not say anything at all when asked questions by government officers, even if the questions seem harmless. (Don't lie, either - that is a crime in itself.)
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery?" - Patrick Henry
The better analogy is them forcing you to give them the coordinates of where the bodies are buried.
They can search likely locations without your help (by brute forcing your password), but if they actually want to find it, they have to get you to tell them where it is.
This is CLEARLY self incrimination, and EVERYONE has the right to remain silent when they are under arrest. PERIOD.
Anyone who claims otherwise should be disbarred, have their citizenship stripped, and be dumped in North Korean territory.
And which court cases are those that the judge ordered them to reveal a password when they have absolutely no idea what was encrypted on the drive? I have only read about cases where they had to reveal the password when someone/a witness had already actually seen what was on the encrypted drive.
To clarify this point: if somebody (say a couple of undercover detectives, for example) SAW you put known contraband in your safe, then a court can force you to open that safe. If, on the other hand, they don't know of anything illegal in that safe, but only THINK there may be EVIDENCE of something illegal contained in your safe, the 4th Amendment prevents them from undertaking such a "fishing expedition", merely to try to find evidence.
The court case under discussion appears to be a case of a fishing expedition. They THINK there may be EVIDENCE of illegal activity contained in her encrypted data. This is clearly a 4th Amendment issue, not at all like the case of the guy in the airport with observable child porn.