DOJ: We Can Force You To Decrypt That Laptop

← Back to Stories (view on slashdot.org)

DOJ: We Can Force You To Decrypt That Laptop

Posted by samzenpus on Monday July 11, 2011 @03:49AM from the show-us-everything dept.

betterunixthanunix writes "A mortgage-fraud case may have widespread implications for criminals who use cryptography to hide evidence. The US Department of Justice is pushing for the defendant to be forced to decrypt her hard drive, claiming that if they cannot force such decryptions, law enforcement will be unable to gather important evidence. The defendant's lawyer and the Electronic Frontier Foundation have made the claim that forcing such a decryption would be a violation of the defendant's fifth amendment right not to self-incriminate. The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."

42 of 887 comments (clear)

Min score:

Reason:

Sort:

I don't recall... by Anonymous Coward · 2011-07-11 03:52 · Score: 3, Insightful

"I'm sorry, but I don't recall my passphrase. I guess the stress of this case has made me forget it!"
If it works for the DoJ it should work for us...
1. Re:I don't recall... by jeffmeden · 2011-07-11 04:13 · Score: 4, Informative
  
  If it's anything like the movies, a search warrant allows police to search property by any means necessary. So no, they can't force you to open a safe, but they can certainly force the safe open (which, for a safe almost any private citizen can afford, is not terribly challenging.) The thing about encryption is that it isn't so much a "safe", it's more analogous to a private citizen having their own moon on which to store valuables. Getting access to it isn't a matter of will, its a matter of effort (years and years of crunching, even for a massive supercomputer.) As long as the only way to unlock the encryption is in your head, they can't legally force it out.
2. Re:I don't recall... by JonahsDad · 2011-07-11 04:23 · Score: 5, Funny
  
  "I'm sorry, but I don't recall my passphrase. I guess the stress of this case has made me forget it!"
  Wow! That actually is my passphrase.
3. Re:I don't recall... by betterunixthanunix · 2011-07-11 04:24 · Score: 5, Insightful
  
  The thing about encryption is that it isn't so much a "safe", it's more analogous to a private citizen having their own moon on which to store valuables.
  It is more akin to speaking and writing everything in your own private language, and forcing the police to determine how to translate that language.
  
  --
  Palm trees and 8
4. Re:I don't recall... by Znork · 2011-07-11 04:54 · Score: 3, Insightful
  
  According to TFA, yes, you can be obliged to hand over the key.
  With regards to encryption it's an old problem that's solved by using multiple pass keys; the one you hand over decrypts something reasonably embarrassing like your tranny porn collection, while the real key decrypts the actual material you want to hide.
  So trying to force people into divulging encryption keys is just asinine; it will merely lead to widespread adoption of readily available methods to defeat it while failing to accomplish the desired goal.
5. Re:I don't recall... by MaskedSlacker · 2011-07-11 05:25 · Score: 5, Informative
  
  That pesky constitution is why. For that matter, the supreme court has already ruled on this issue. In the US you cannot be forced to give up a password. The DOJ can bitch all they want, but it's already a settled issue.
6. Re:I don't recall... by JabberWokky · 2011-07-11 05:35 · Score: 3, Informative
  
  Being jailed for contempt doesn't last forever in the real world. Once it's clear it's not going to be forced, that's the end of being jailed. I'm not sure where you got "seize all your assets", as I've never heard of that happening, even in cases where the witness gets chained because they lunged at the judge (you see some odd things working at a courthouse). Not related to contempt charges for lack of testimony, at any rate.
  That said, the whole question here is if you can be forced to give up your password. If not (if it's like a safe combination or the location of a storage unit), then there is no "crime of failing to give up your password". No judge can compel you to give it up. If they can't access it, they can't have it. Plain and simple. The question here is if a password falls under something that can be compelled, like a warrant to be able to walk into your bedroom and search because somebody said they saw you hide something in there (i.e., with cause), or if it's something more akin to compelling somebody to tell you where you put something, which the court can't do.
  
  --
  "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
7. Re:I don't recall... by hey! · 2011-07-11 06:35 · Score: 4, Funny
  
  The thing about encryption is that it isn't so much a "safe", it's more analogous to a private citizen having their own moon on which to store valuables.
  It is more akin to speaking and writing everything in your own private language, and forcing the police to determine how to translate that language.
  Actually, it's like putting the evidence far away and making the police fetch it in your car, only they have to hotwire it because you don't give them the keys...
  Yeah, I know it sucks, but at least I *tried* to put it automotive terms.
  
  --
  Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
not fair to ask you to rat on yourself by TheGratefulNet · 2011-07-11 03:52 · Score: 3, Insightful

hey, if you did something wrong and would be going to jail, why the hell help them even more? either way you go to jail, right?
they won't KILL you if you don't unlock your encr. stream. they will lock you up either way.
so don't give it to them. you cannot be forced to hang yourself.
fuck the DOJ.

--

--
"It is now safe to switch off your computer."
1. Re:not fair to ask you to rat on yourself by Skapare · 2011-07-11 04:06 · Score: 4, Insightful
  
  That's what the 5th Amendment is about ... you don't have to do their work for them.
  
  --
  now we need to go OSS in diesel cars
2. Re:not fair to ask you to rat on yourself by Nerdfest · 2011-07-11 04:15 · Score: 5, Insightful
  
  You shouldn't need to be forced to clear yourself either.
3. Re:not fair to ask you to rat on yourself by Svartalf · 2011-07-11 05:01 · Score: 5, Interesting
  
  Actually, NO, they are not allowed the privilege to "not agree".
  If you invoke the Fifth in a criminal case, discussion STOPS. On the spot and there is NO further questioning allowed. Regardless of whether it's a State or Federal Court, per the Fourteenth Amendment and the Fifth.
  If you invoke the Fourth and can PROVE that they violated that one, Case DIES on the spot. No further discussion, all evidence that stems from the improper warrant action must be discarded and is forever usable. Again, this is regardless of whether it's a State or Federal Court.
  Now...what remains is whether this court deems the forcing you to decrypt things is a violation of the Fifth. Personally, I see it as being so. It's making you potentially incriminate yourself- which is PRECISELY what the Amendment was intended to prevent. It's irrelevant what form that self-incrimination takes. If they don't "see" it that way, you can bet your bottom dollar it'll be appealed right up to the Supreme Court because it's just that- a direct violation of the Fifth as much as forcing testimony out of you on the stand or in a police interrogation room.
  
  --
  I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
4. Re:not fair to ask you to rat on yourself by VGPowerlord · 2011-07-11 05:33 · Score: 3, Insightful
  
  In addition to what anyGould said, pleading the fifth will likely be used against you in court.
  I probably don't need to mention that pleading the fifth makes you look guilty as hell.
  
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Unfortunately.... by LordLimecat · 2011-07-11 03:54 · Score: 4, Insightful

From TFA:

Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
That sounds like a rather spot on analogy. Sounds like precedent is against her. The argument that the passphrase, itself, is the incriminating self-testimony seems really weak, both because the passphrase is not being required, and because the passphrase is not, in the end, what will incriminate her.
IANAL, of course.
1. Re:Unfortunately.... by betterunixthanunix · 2011-07-11 04:03 · Score: 4, Interesting
  
  On the other hand, decrypting data amounts to interpreting evidence for the prosecutor. Suppose the defendant had been using secret code words, known only to her and her co-conspirators; should the prosecutor have the right to compel her to explain those code-words? What makes AES any different, other than the fact that it is a well-designed and difficult to crack cipher?
  
  The argument that the police will be unable to gather evidence if criminals use encryption is just as weak, considering the techniques they have developed for defeating such measures:
  
  http://cryptome.org/isp-spy/crypto-spy.pdf
  
  --
  Palm trees and 8
2. Re:Unfortunately.... by idontgno · 2011-07-11 04:07 · Score: 5, Interesting
  
  Me too, but EFF's perspective is also useful, and forms a valuable distinction:
  
  The Fifth Amendment generally protects a person from being compelled to give testimony that would incriminate her. United States v. Hubbell, 530 U.S. 27, 34 (2000) (Hubbell I); Fisher v. United States, 425 U.S. 391, 408 (1976). The privilege is limited to testimonial evidence, or a communication that "itself, explicitly or implicitly, relate[s] a factual assertion or disclose[s] information." Doe v. United States, 487 U.S. 201, 210 (1988) (Doe I). Put a different way, the privilege protects the "expression of the contents of an individual's mind."
  
  (Quote from EFF's amicus brief, emphasis mine)
  So, while you can be compelled to surrender a physical object (the key to the safe, in the previous analogy), the 5th Amendment is specifically is about something in your mind.
  If the "locked safe" in the previous analogy is not locked, but hidden, can a defendant be compelled to disclose its location?
  As to the DoJ's "end run" based on the principle "don't tell us, just type it into the computer".... would the 5th Amendment not apply is a defendant is compelled to type self-incriminating testimony into a computer instead of speaking it to a law-enforcement officer?
  The DoJ, IMHaUO*, hasn't got a leg to stand on.
  *In My Humble and Uneducated Opinion... IANAL, after all.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
3. Re:Unfortunately.... by ClubPetey · 2011-07-11 04:12 · Score: 5, Interesting
  
  Simple solution, just make your pass-phrase "IKilledAGuyIn1998@Work!"
  Not only does it meat the requiments of a strong password. Your pass-phrase WOULD be incriminating evidence, and they cannot get you to reveal it.
  
  --
  Si hoc legere scis nimium eruditionis habes
4. Re:Unfortunately.... by haystor · 2011-07-11 04:42 · Score: 3, Insightful
  
  If only judges dealing with lying politicians took the same dim view. The "I don't recall" defense works particularly well for politicians, even under oath.
  
  --
  t
5. Re:Unfortunately.... by zill · 2011-07-11 05:33 · Score: 3, Informative
  
  Let's not forget about politicians' all-convenient "I'm not obliged to recall that fact." exception either.
Search And Seizure Explained - They Took My Laptop by tdc_vga · 2011-07-11 03:54 · Score: 5, Informative

Here's a presentation discussing the issue of force password disclosures and laptops I gave at DefCon 17: http://www.youtube.com/watch?v=ibQGWXfWc7c
Check the law and make up your own mind.
The EFF's argument makes sense. by FoolishOwl · 2011-07-11 03:55 · Score: 4, Insightful

I am no lawyer, but the argument that this is a fifth amendment issue seems strong to me.
How is allowing the defendant to keep the password private a meaningful concession? The password has no value if the hard drive has been decrypted.
Still violates the 5th by zooblethorpe · 2011-07-11 03:55 · Score: 4, Insightful

The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
That would still seem to violate the 5th amendment. The relevant text is bolded below:

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

Anyone of more legal background care to comment?
Cheers,

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
1. Re:Still violates the 5th by chipwich · 2011-07-11 04:30 · Score: 3, Insightful
  
  No. Your analogy is part of the problem. The DOJ and Feds have subverted the concept of innocent until proven guilty into If you're not doing anything wrong, then you shouldn't have anything to hide.
  
  By setting up your analogy with the statement that there is a dead body in the trunk, you've already presumed guilt, nothing any civilized society should be doing.
  
  What kind of a crime can be committed where the only access to incriminating evidence lies in the mind of the accused? We're entering a dangerous era of thought-crime. Why doesn't the DOJ just apply some random permutation on the data so that it generates some unrelated and arbitrary but incriminating documents?
  
  TL;DR - Law enforcement should either do better detective work to find evidence without relying on the accused to provide it, or save taxpayer money, cut the whole "democracy" shenanigans, and just use false or forced confessions.
Re:Self-Destructing Key by TheGratefulNet · 2011-07-11 03:56 · Score: 4, Insightful

obstruction of justice.
probably that's what they'd say.
but which would you rather 'deal with' - that or the fact that they successfully stole your soul? so to speak. forcing someone to unlock their most private journal is a sign of an evil state.
I am under no obligation to comply with the illegal and unconstitutional wishes of evil leaders or states.
but you may have hit on something: if they raise the anty and sell the idea to the public that they are now 'forced' to unlock their journals, I do expect to see more 'destroy on tamper' seals on things.
tit for tat. hey gov, you really want to fight your own people in this way? re-think that, guys. this is not a fight you want with the geek population. we actually outnumber you!

--

--
"It is now safe to switch off your computer."
Torture anyone? by aaaaaaargh! · 2011-07-11 03:57 · Score: 3, Insightful

Why do US authorities not just torture people to get the information they need? Wouldn't that be more effective and convenient?
Oh wait...they already did in Abu Ghraib and Guantanamo...
Taking a leaf out of the UK's book by Geeky · 2011-07-11 03:58 · Score: 4, Interesting

Sadly this is taking a leaf out of the UK's book. I say sadly, sad that we got there first on this sort of nonsense. It's a crime not to reveal passwords when required to do so. It's part of the Regulation of Investigatory Power Act 2000 (look it up!)
If I recall someone demonstrated the stupidity of it by sending an encrypted file to the then home secretary. He was then in possession of a file that he could not possibly decrypt, but it would be a criminal offence for him not to supply the passphrase to decrypt it if required to do so. In other words, a law that he could not possibly obey no matter how much he wanted to.
Despite this demonstration of the stupidity of the act, I believe it still stands.

--
Sigs are so 1990s. No way would I be seen dead with one.
In the UK... by BandoMcHando · 2011-07-11 03:58 · Score: 3, Informative

... they already can.
(Legally compel you to reveal crypto keys or render the relevant information intelligible that is. Well, you could refuse, but that's an offence obviously. Section 49 of Part III of the Regulation of Investigatory Powers (RIPA)).
http://www.legislation.gov.uk/ukpga/2000/23/section/49
Interpretation by MetalliQaZ · 2011-07-11 03:58 · Score: 5, Interesting

"The prosecutor in the case has insisted that the defendant would not be forced to disclose her passphrase, but only to enter the passphrase into a computer to decrypt the drive."
I can see that there is a difference between forcing the disclosure of the password and being able to read something that is already decrypted, however I can't see how that wouldn't still be self-incrimination. I assume the police would either bring her to the evidence room and tell her to enter the passphrase, or they would simply demand that she deliver an un-encrypted copy of the drive. Either way they are forcing her to give up evidence that may be used to incriminate. This seems to be a seriously frightening precedent to set.
They would never be able to take someone accused of murder and say, in effect: "look, we KNOW you did it, we just lack all the evidence needed to convict. You are now ordered to show us every place you visited on the day in question, including where the body is hidden."
-d

--
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Papers and effects by Compaqt · 2011-07-11 03:59 · Score: 5, Insightful

Whoever said that you have to arrange your papers and effects in such a way that the government can understand it?
Does this also apply to paper documents?
Are you not allowed to write your thoughts in a coded manner?
Is it also OK to use euphemisms in your diary?
Is it the government's position that you also have to interpret your diary for the prosecution?

--
I'm not a lawyer, but I play one on the Internet. Blog
"I forgot" worked for alberto gonzales by Dan667 · 2011-07-11 04:00 · Score: 4, Insightful

sounds like the best course of action is to say you forgot your passphrase. Problem solved.
1. Re:"I forgot" worked for alberto gonzales by Cro+Magnon · 2011-07-11 04:14 · Score: 3, Funny
  
  What if your passphrase is "I forgot"?
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
TrueCrypt FTW by brunes69 · 2011-07-11 04:07 · Score: 3

This is why anyone serious about security uses TrueCrypt or other encryption systems which have plausible deniability built in. If she was using TrueCrypt, she could give them the password they are looking for, without revealing ANYTHING about what is actually on the drive.
Re:Self-Destructing Key by Yvan256 · 2011-07-11 04:08 · Score: 3, Funny

Begun, the clone wars has.
OK, so here is my simple question by Shivetya · 2011-07-11 04:24 · Score: 5, Interesting

How do I prevent them from adding anything to the system after it is in their possession.
If I turn over my key to the encryption I want a method to ensure than anything they use against me was put there by me, not by them afterward.
Can that be done?
After all, if they are willing to force an issue you can be sure some will make sure something is wrong. Its not like the current Administration is concerned about the rights of its citizens, they are making Bush Jr look like a staunch civil liberties advocate

--
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Plausible deniability by xded · 2011-07-11 04:26 · Score: 3, Insightful

Or you may use a plausible deniability system. But in doing that you may want to be reasonably sure that no data leaks exist, or you may find yourself in an even worse position.
Re:When Can They Force Decryption? by CohibaVancouver · 2011-07-11 04:29 · Score: 4, Informative

Do they have to show cause first or is this a new tool in the arsenal of the TSA?
You guys need to get your government departments straight. This is NOT the TSA. The TSA are the ones at Fargo International Airport who x-ray your flip-flops and make sure you're not taking nail clippers onto an airplane. They're not tasked with searching your laptop - They're only tasked with X-raying your laptop and your kid's teddy to make sure there isn't a bomb inside. If they suspect criminal activity they have to call the police.

The US CBP (Customs and Border Protection) *do* have the right to search the contents (i.e. files) of your laptop when you are entering the USA. They can search your laptop, search your luggage and search your person. In the same way they can require you to open a locked box that you might be travelling with, they are require you to open your 'locked' laptop. The courts have backed them up - See: http://news.cnet.com/8301-13578_3-10172866-38.html

So don't get TSA and CBP mixed up - They're different.

[Insert dozens of obligatory Slashdot posts here about TrueCrypt "Plausible Deniability" here.]

Finally, note that this article has nothing to do with airport or border security - It's about a court case.
Contempt of Court by bsDaemon · 2011-07-11 04:52 · Score: 5, Insightful

I hope the defendant doesn't give in. Personally, I'd rather sit in jail on contempt of court charges than go to big boy prison for whatever the state were investigating me for. At least with the contempt of court charges, I run the chance of becoming a cause celeb for standing up for principles, which is way better than being convicted of a crime.
I got into an argument about this very case with my (non-American) girlfriend the other day. She honestly doesn't get the fifth amendment and assumes that anyone who invokes it is basically admitting guilt, which isn't the case. She's from central America. You would think that people down in that part of the world would have some recent memory of unjust laws. Just because something is the law, doesn't make it right, and it is better for all of us that we keep the fifth amendment intact for cases when the law is not just than to violate it just so that someone can get convicted of fraud, murder or anything else.
Re:When Can They Force Decryption? by element-o.p. · 2011-07-11 05:24 · Score: 3, Insightful

...and yes, once he had a warrant he could compel you to type in your password, in the same way he could compel you to open your safe.
Well...that's still to be determined by the courts.

--
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
Re:When Can They Force Decryption? by pluther · 2011-07-11 05:30 · Score: 5, Funny

What are you talking about? I've seen lots of movies with hackers in them. It never takes more than a few minutes to get through any security.
Perhaps the problem is that the graphics they're using to crack the password just aren't fancy enough...

--
If the masses can keep you down, you're not the Ubermensch.
Re:When Can They Force Decryption? by s73v3r · 2011-07-11 05:31 · Score: 3, Insightful

The Fifth Amendment wouldn't stop you from the contents of a safe for which a search warrant was obtained, so I don't see why it would be any different for an encrypted drive.
Remember, you're not being asked to incriminate yourself. You're being asked to produce an unencrypted version of a drive that is already known to exist, just like you would be asked to provide the contents of a safe that is known to exist. How you actually go about doing this (letting the DOJ crack open the safe, or giving them the password) is irrelevant.
Re:When Can They Force Decryption? by berzerke · 2011-07-11 06:30 · Score: 3, Interesting

...the police will open it...
There is the big difference. You didn't have to do or say anything. Same for say a blood sample or DNA sample. You don't have do (or say) anything to provide it. They do all work. But in forcing you to decrypt, they are forcing you to take action against yourself. That's self incrimination, and that's a violation of the fifth amendment.
Not that it will help much when most judges think they are above the law. Case in point.
Re:When Can They Force Decryption? - Wrong by Jane+Q.+Public · 2011-07-11 06:31 · Score: 4, Informative

"The courts have backed them up ..."
Wrong, in the general sense. The courts can force you to reveal your passwords, only in cases where they can already show that the encrypted data contains something illegal. They do NOT have the right to force you to reveal your password or decrypt your data just so they can find "evidence".

The article you point to in that link failed to emphasize that the customs agents had already seen child pornography that was contained in his encrypted data. Therefore, they already knew that there was illegal material in it.

The courts have NOT supported forcing someone to reveal encrypted data under any other circumstances.