Slashdot Mirror
Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys
Virtucon writes "U.S. Magistrate William Callahan Jr. of Wisconsin has ruled in favor of the accused in that he should not have to decrypt his storage device. The U.S. Government had sought to compel Feldman to provide his password to obtain access to the data. Presumably the FBI has had no success in getting the data and had sought to have the judge compel Feldman to provide the decrypted contents of what they had seized. The Judge ruled (PDF): 'This is a close call, but I conclude that Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be
tantamount to telling the government something it does not already know with "reasonably particularity" — namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.'"
If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it.
V qba'g xabj, guvf ybbxf yvxr n ernfbanoyl fhfcvpvbhf cbfg gb zr...
Where did the last sentence in this summary come from? It seems to be completely contradictory to the main content. Elaborate?
When this gets to the old farts in the higher courts - the kind of people who dictate their emails and get confused by double clicking on icons - this will be overturned. The lack of any real world experience in concert with authoritarian attitudes will make sure this doesn't stay case law.
I wish that were the case here. In England you can be imprisoned for up to two years for refusing to divulge your encryption key.
Dafuq is "Feldman"? C'mon editors...earn your $22K/year.
I don't know what you mean by encrypted. I never encrypted anything on my computer\laptop\tablet\phone, your honor.
I would like to know what is the method and software that is used to encrypt the hard-drive in such a way that FBI has no way of breaking a decryption, other than asking a judge to compel the discovery.
XKCD 538: A crypto nerd's imagination vs. what would actually happen
Does the 5th amendment right to avoid self-incrimination apply only to the particular charges being brough in a given case, or does it cover any statement that could be incriminating, even if it were in a different proceeding, or if the record from Case A were to be used as evidence in Case B?
Say, in the case of an encrypted HDD, it's reasonably plausible that a broad spectrum of the suspect's electronic activities will be there. Common software tends to be a bit 'leaky' in terms of recording what it does(temp files, caches, search indexes, etc.) and most people don't have entirely separate computers for each flavor of crime they are engaged in.
If somebody were being charged for one crime that probably left evidence on the HDD(kiddie porn, say); would the fact that they know that there is evidence of CC-skimming(but, unlike the kiddie porn, the feds have no circumstantial evidence or other grounds for belief) justify a 5th-amendment refusal to decrypt the volume? Would the other potentially-incriminating stuff be irrelevant because it isn't among the charges(even if the court record could be used as evidence to bring future charges)? Would the suspect be compelled to divulge the key; but the prosecution only have access to material relevant to the charges being filed, with some 3rd party forensics person 'firewalling' to exclude all irrelevant material?
Encryption keys? It's arguing about the wrong topic. These silly arguments about the Fifth Amendment will soon be about as relevant to our lives as the Austro-Hungarian Empire.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
And requires the police and DA to do some detective work before a conviction is possible.
As for leaders who are dissatisfied with the protections given in the constitution, use the democrat process that we have to amend the constitution. It's quite possible to change it. Don't like the 5th amendment, then propose something else. Ignoring the laws we have on the books isn't acceptable as then they will be inconsistently applied. Inconsistent justice is not justice at all.
“Common sense is not so common.” — Voltaire
This is a decision by a Magistrate (not a full judge) at the District Court level. About as low as you can get within the federal judiciary.
Good decision, but as far as precedential value goes, there is almost zero unless this is upheld on appeal.
It's a subtle point described in the judges decision.
If the government has knowledge of particular documents, they can force you to present them. This includes forcing you to open your safe or decrypting your hard drive.
If the government has no knowledge of the contents of the hard drive, no information from other sources that indicate that you have specific documents it wants, then it can't force you to decrypt your hard drive.
The judge's position was that since the government had no indication of whatever documents are on the hard drive, producing them tied the defendant to the documents - providing evidence of control and ownership. Since that evidence (control and ownership) was not available to the government beforehand, it would be compelled testimony.
I think this is also reasonable in light of the fourth amendment. If the government doesn't have knowledge of specific documents, it can't go "rummaging around" on your disk looking for things.
"If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it."
Wrong. Wrong. And Wrong.
If the government has *probable cause* _AND_ can make a reasonable claim of exigent circumstances (i.e. the decryption of the data is required to prevent imminent and otherwise unavoidable casualty), then one can be compelled to decrypt data, but that data then may not be used against the person in a criminal case against them unless it can be shown that they were responsible for that imminent threat WITHOUT having the data that was decrypted, and also cannot use that data against them in any other unrelated criminal case (i.e. we need to decrypt this data to thwart an imminent terrorist attack, but we also found child pr0n, so let's charge him with pr0n - doesn't fly)
What encryption algorithm did he use that's FBI-proof?
There is a baseline to all of this and that's: does the government know what's on the encrypted drive?
If it does, such as in the case of the guy moving child porn across the border from Canada, the agents SAW the kiddie porn, so when ordered to decrypt the harddrive the government already knew what was on there.
If the government doesn't know what's on there and only suspects it thats when the 5th kicks in.
Make sense?
I'm sure the FBI / NSA has some supercomputers that could crack his computer in very short order. If they did, would the evidence be permissible in US court ? Would this be considered unreasonable search and seizure ? Is a court order needed to use cracking software like this ? There are lots of legal technicalities that need to be resolved here.
Bzzt. In this real life example, when the guys with the $5 wrench came along, the victim called his lawyer who brought in a judge who wields a $100 wrench.
And it all happened (he beat the $5 wrench guys) because he encrypted. If he hadn't encrypted, he might not have ever known he was under attack (well, ok, in this particular example he actually did; most of the time you don't), wouldn't have been confronted with the $5 wrench, and wouldn't have have had the recourse of getting the judge to come in with his $100 wrench.
Encrypt. More of than not, it results in you defeating your adversary. That's true whether the adversary is your government, someone else's government, a common thief, Google, whoever bought your refurbished drive after you RMAed it, or whoever.
You're stupid and knowingly negligently careless if you don't encrypt anything important. We're all going to point and you and laugh at the non-random misfortune that you consciously chose to experience.
Examples of what's important are: your shopping list, where you're having dinner tonight, mundane thoughts such as "yes, I'll have another beer" and nearly anything else. Anything you say can be used against you, and I'm not quoting Miranda; I'm quoting reality itself.
I sometimes wonder at all the victimless crimes we seem to have.
In this case federal prosecutors not only don't have a victim, they don't have evidence of a crime. The only way to convict the defendant is to get the evidence from him.
I think the constitution was made specifically to protect us from these sorts of "investigations of suspicion"; specifically, the founding fathers recognized that many activities may seem suspicious from the outside and in certain contexts, but that the government can't simply come in and rummage around for reasons to arrest someone.
This is especially salient in today's world, where innumerable crimes go unaddressed even though there are real victims, and investigating and prosecuting would be trivial. Spam, phishing fraud, identity theft, stolen laptops where the laptop tells the owner where it is, robocalling - all crimes where an average citizen has to beg the government to intercede... to no avail.
Having "suspicious activity" but no evidence should be a clear signal to the authorities. Drop the case, or do something to get real evidence. This general "he's done something wrong, we only need the tools to do our job" thing has to stop.
Do your job by protecting real victims.
Politicians, police, and heads of major bodies are trained to answer "I can't remember" to questions where a refusal to answer is not permitted.
By Law, in the USA, the statement "I cannot remember" can NEVER be categorised as lying (without a freely offered self-confession of this fact). Understand that the USA is one of the obscene nations where lying to law enforcement goons is a serious criminal offence in itself, whereas the same law enforcement goons have full State authority to use lies as a tool of investigation and interrogation. The reason every lawyer in the USA states that you must NEVER talk to law enforcement goons without a lawyer present is because of these facts. Innocent people can be lawfully converted into criminals in the USA, simply by how they respond to a manipulative and dishonest line of questioning.
Even in the UK, lying to law enforcement goons is not a criminal offence in and of itself (at worst, you can be charged with wasting police time- but there the lie has to be one that suggests false details about a crime that cause unnecessary and useless investigation).
All nations can 'force' a person to reveal a password under some legal principle or other, if the circumstances are right. 'Force' means, of course, that a refusal to comply is a crime. "I cannot remember the password" will work for any elite individual who actually exists above the law (like senior 'banksters' in the USA). It will not work for an ordinary target of law enforcement.
Good lawyers always offer cynical advice. How often have you read stories of famous Americans refusing to be breathalysed at the scene of a DUI incident. The lawyer has trained these clients that the penalty for refusal is FAR lower than the penalty for being found DUI. Forced decryption follows the same logic. For political targets, the USA uses the obscene system of 'contempt' and sequential re-incarceration- effective turning the penalty for the offence into one of life in prison.
The argument about "reasonable suspicion" is an interesting one. It does, however, smack of turning 'presumed innocent' into 'presumed guilty'. Should the command to force decryption be accompanied with a promise that only the expected incriminating digital evidence be used against the individual, and that other illicit digital content that may be found with no relationship to the current case should be ignored, if it proves that the expected material is NOT present within the digital 'safe'?
In other words, if law enforcement goons are wrong about you with their current claims, should you be forced to incriminate yourself over an unrelated 'crime'? After all, if you reward law enforcement goons for engaging in 'fishing expeditions', clearly this tactic will only grow.
They are following the constitution. Now the neo-cons will be upset about that and insist that their buddies at SCOTUS to overrule the 5th.
I prefer the "u" in honour as it seems to be missing these days.
I realize the last sentence is just commentary, but the language of the 4th Amendment is specific. It says that "no warrants shall issue but upon probable cause". There has been a surge in people (including the head of NSA) claiming that "reasonable belief" is sufficient, but they are wrong. Also, the warrant must be specific as to what is to be searched for. Naturally cops get warrants that are as broad as possible, but they still sometimes get overturned for being "overly broad".
They key in this case is that the prosecution could not claim to have a reasonable belief that the defendant had control of the encrypted device. And the judge is ruling that the defendants use of the key to unlock the device would, in essence, be admitting to the police that he _did_ control the device, which would be an admission of guilt.
So if they have probable cause to search your encrypted drive for contraband, you can be compelled to produce the key. If they don't have evidence that contraband exists, or that you were the person with control of the device, they no longer have probable cause for the search.
Wouldn't giving up a password clearly be in contradiction to your right to remain silent?
I can't get real worked up about that. You sound like a guy I know at work. You did forget the obligatory quote from Jefferson or another founding father containing dire warnings about giving up liberty.
I've just heard too many people rant and rave for years about how the Constitution is being ignored, destroyed, etc. to get worked up about this. When George W. Bush was president, we heard that he was going to declare martial law and suspend the elections. Yet the man obeyed every Supreme Court decision that came down and when he stepped down, as required by law, the people who swore he never would give up power had no answer. Then the other side started to claim that Obama doesn't care about your rights, blah blah blah. Despite the hysterical ramblings we get here, the US legal system has remained independent as always. In fact, the only place that I've noticed where rights really and truly do seem to be disappearing is Western Europe, but nobody complains about that. You can still express distasteful thoughts in public in the USA and not be put in jail as long as you don't make threats against individuals, but Western Europe is at a place right now where you can get serious jail time for saying things that in no way invoke threats on anyone.
So, it's rather like if the police found a special car with very strong windows and combination locks. They have strong evidence that it's got a lot of heroin in it and want to get inside it to search it and have a warrant to do so but can't get it open.
They think, but don't have much evidence to support that belief, that you had unrestricted access to the car interior and therefore have the combination and can open the door for them.
What this ruling says is that they can't compel you to product the combination because then you would be being forced to reveal that you did, in fact, have the combination and, hence, access to the inside of the vehicle which would be incriminating given the contents of the car.
If, however, they found a surveillance video that showed you opening the door of the car using the combination you could then be compelled to provide the combination as that would not reveal, for the first time, that you actually had access to the interior of the car.
Is that correct?
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
Things I learned from reading the ruling:
1. As usual, keep your mouth shut. The guy merely admitted that he lived alone in his current residence for 15 years before he got smart and lawyer-ed up, and that fact makes an appearance in the ruling. It doesn't hurt much and they would have figured it out anyway, but it definitely didn't help.
2. Use whole-disk encryption and encrypt everything. All evidence against him mentioned in the ruling was obtained from unencrypted drives and were what should have been private bits and metadata that leaked or never making it to the encrypted drive, especially log files. They have highly incriminating file-names, drive letters, peer-to-peer download logs, basically a ton of metadata. While this ruling almost certainly doesn't cover all the evidence against him, it's not clear the FBI would have anything at all if it weren't for the two drives that they found unencrypted. Although they must have had something else to go after him in the first place.
3. IMO he really dodged a bullet at least in this narrow instance. Crudely speaking, Judge says it isn't reasonable to conclude that both the files in question necessarily exist and that the defendant had access to them (it sounds like the real problem is the latter). This when they have file-names, log files, and the disks in question were taken from his residence where he has lived alone for 15 years, and while he certainly hasn't admitted the disks were his, I don't see an active claim to the contrary either (which I'd likely support but he needs to say it). I'm very pro-encryption and am generally not happy with the court compelling encryption keys, but this is one of the weakest cases for not doing so that I could think of, and is probably why the FBI decided to go for it and now potentially lost big if this it the burden or proof they are stuck with to prove ownership or control of data on a disk.
I have files on my Hard Drive that are encrypted, with the key being stored on a USB dongle. Unfortunately, that dongle went missing.
So I now sit on a lot of files that I can't access and couldn't turn the key over (but hey, if you find the dongle in your search, be my guest), but I know the moment I delete them I find that darn dongle...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Now that you gave him a password and he does not see what he wants, he just assumes you used a hidden partition, and gets right back to beating you. The problem with deniable encryption is that you have deniable encryption software, and everyone will assume you are using it. You give your "innocent" password, and then they ask for your "other" password.
Palm trees and 8
they can jail you from other evidence, but refusing testimony on your 5th Amendment rights is not a chargeable offense.
in certain cases, a judge can tell the jury that refusing to disclose the information may be a piece of circumstantial evidence, I have read.
I do not know the encryption key to my encrypted storage. That is 100% true. I do not know it.
OTOH, I know how to create it using a few different tools.
I encrypt storage for privacy concerns, not because I have anything to hide from any government, but if asked, I'm wondering whether I'd have the guts to refuse access to someone - anyone, including governments.
I travel internationally. My netbook has multiple partitions, but only 1 is encrypted and it is the only partition that I've actually used the last 3 yrs. I'm happy to boot WinXP and let them see anything there - because there is nothing. I haven't used it beyond patching.
Still, I wonder if an overly aggressive federal agent would consider my encrypted storage too hard to resist. Suppose he demands that I decrypt it. I refuse.
Now, my life has been thrown into chaos. Search warrants for every other device, my home, my family's homes happen. Nothing is found. A judge orders me to decrypt the storage or be held in contempt - indefinitely - until I choose to decrypt the storage.
I can see this happening - seriously.
Will I sit in the county jail over this principle or cave? If I don't cave immediately, how long would I last? 1 day? a week, 3 months, 2 years? I think a contempt charge can be indefinite length - EVEN WITHOUT ANY PROOF.
What would you do?
I don't believe that for a second. They just won't want to show that they broke the encryption to fool us into thinking it is safe to use, so they are trying this trick of compelling the guy to talk.
“He’s not deformed, he’s just drunk!”
Deniable encryption
\u262D = \u5350
How....exactly....are they going to compel someone to give up their keys? Imprison you until you talk? They can't lawfully beat it out of you, so if you are unwilling to open your mouth....How will they get your passkey? Is there an instance where a person has been imprisoned until he/she gave up their keys?
A Sad Day for Obama's America when a lowly Magistrate Judge reminds Fuhrer President Obama of Constitutional Law.
A Sad Day when the Vice (Vice, i.e. Immoral, Unethical, Unlawful) President masturbates in public over a university building guard (quitting 5 colleges, getting fired from 5 jobs (including janitor) is not preparation for nor a God Sent Message of a life commitment to 'Law Enforcement') masquerading as a 'Police Man' with no training in firearms safety or evne usages who killed himself accidentally and in so doing got another person killed.
Hip Hip Hooray !
Indeed.
You cannot compel somebody to incriminate themselves.
Period.
In Australia - we have similar laws. However they haven't been tested. The forced decryption laws of 2001 mandate that a judge can force you to decrypt. If you refuse - you get a 6 month holiday. However, they can't ask you again in that time - if you have done something very, very naughty - such as posess CP - you'd be joing to gaol for 4-6 years. If the evidence is on this encrypted disk, and the police can't access it, I wonder what would happen to the case.... (?)
I'd imagine it would fall apart and that would be it. 6 months is better than 6 years. Job done. You'd have to get your evidence back though. That could be fun...
I don't know, this looks like a reasonably suspicious post to me
FTFY
Why on earth would they expect the defendant to do their jobs? If they want the contents of the drive, then have at it. Just because it's difficult (encrypted) is no excuse.
That's the whole point of encryption... if you want in, you either know the key or you crack it but it's not the obligation of the owner to let you in.
That's why they have battering rams... imagine a SWAT team asking for permission to be let into a building... You can't break it down, tough luck.
If this were a civil case, it might be something he could be compelled to do, unless it could show criminal wrongdoing in which case I think the 5th applies. But there would likely be some civil court sanctions applied including limits on what you could testify to, and assumptions about facts that the other side might be able to have the judge make based on your refusal of discovery requirements. I think there are definite limits under search and seizure AND compelling the person to testify against himself in a CRIMINAL case. (4th and 5th Amendments) They MIGHT be able to push harder to compel it if it is a criminal case AND the defendant is going to testify, but even that would be somewhat iffy to me, unless there is some proof that he has already disclosed that information to a third party. If I write something down but do not disclose it to anyone but my attorney, I don't think it can be introduced, BUT if you lie under oath about it, and your attorney knows you are going to lie about it,I don't think he can question you on the stand about those facts.