Slashdot Mirror
Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys
Virtucon writes "U.S. Magistrate William Callahan Jr. of Wisconsin has ruled in favor of the accused in that he should not have to decrypt his storage device. The U.S. Government had sought to compel Feldman to provide his password to obtain access to the data. Presumably the FBI has had no success in getting the data and had sought to have the judge compel Feldman to provide the decrypted contents of what they had seized. The Judge ruled (PDF): 'This is a close call, but I conclude that Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be
tantamount to telling the government something it does not already know with "reasonably particularity" — namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.'"
If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it.
V qba'g xabj, guvf ybbxf yvxr n ernfbanoyl fhfcvpvbhf cbfg gb zr...
Where did the last sentence in this summary come from? It seems to be completely contradictory to the main content. Elaborate?
I don't know what you mean by encrypted. I never encrypted anything on my computer\laptop\tablet\phone, your honor.
I would like to know what is the method and software that is used to encrypt the hard-drive in such a way that FBI has no way of breaking a decryption, other than asking a judge to compel the discovery.
XKCD 538: A crypto nerd's imagination vs. what would actually happen
Two years could be a much better sentence than allowing them access to your ... data.
Does the 5th amendment right to avoid self-incrimination apply only to the particular charges being brough in a given case, or does it cover any statement that could be incriminating, even if it were in a different proceeding, or if the record from Case A were to be used as evidence in Case B?
Say, in the case of an encrypted HDD, it's reasonably plausible that a broad spectrum of the suspect's electronic activities will be there. Common software tends to be a bit 'leaky' in terms of recording what it does(temp files, caches, search indexes, etc.) and most people don't have entirely separate computers for each flavor of crime they are engaged in.
If somebody were being charged for one crime that probably left evidence on the HDD(kiddie porn, say); would the fact that they know that there is evidence of CC-skimming(but, unlike the kiddie porn, the feds have no circumstantial evidence or other grounds for belief) justify a 5th-amendment refusal to decrypt the volume? Would the other potentially-incriminating stuff be irrelevant because it isn't among the charges(even if the court record could be used as evidence to bring future charges)? Would the suspect be compelled to divulge the key; but the prosecution only have access to material relevant to the charges being filed, with some 3rd party forensics person 'firewalling' to exclude all irrelevant material?
Yeah sometimes we pass silly laws in the UK and other times they do in the States. Its like trying to figure out which pile of shit has the least offensive smell.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Encryption keys? It's arguing about the wrong topic. These silly arguments about the Fifth Amendment will soon be about as relevant to our lives as the Austro-Hungarian Empire.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
And requires the police and DA to do some detective work before a conviction is possible.
As for leaders who are dissatisfied with the protections given in the constitution, use the democrat process that we have to amend the constitution. It's quite possible to change it. Don't like the 5th amendment, then propose something else. Ignoring the laws we have on the books isn't acceptable as then they will be inconsistently applied. Inconsistent justice is not justice at all.
“Common sense is not so common.” — Voltaire
It's a subtle point described in the judges decision.
If the government has knowledge of particular documents, they can force you to present them. This includes forcing you to open your safe or decrypting your hard drive.
If the government has no knowledge of the contents of the hard drive, no information from other sources that indicate that you have specific documents it wants, then it can't force you to decrypt your hard drive.
The judge's position was that since the government had no indication of whatever documents are on the hard drive, producing them tied the defendant to the documents - providing evidence of control and ownership. Since that evidence (control and ownership) was not available to the government beforehand, it would be compelled testimony.
I think this is also reasonable in light of the fourth amendment. If the government doesn't have knowledge of specific documents, it can't go "rummaging around" on your disk looking for things.
What encryption algorithm did he use that's FBI-proof?
There is a baseline to all of this and that's: does the government know what's on the encrypted drive?
If it does, such as in the case of the guy moving child porn across the border from Canada, the agents SAW the kiddie porn, so when ordered to decrypt the harddrive the government already knew what was on there.
If the government doesn't know what's on there and only suspects it thats when the 5th kicks in.
Make sense?
Bzzt. In this real life example, when the guys with the $5 wrench came along, the victim called his lawyer who brought in a judge who wields a $100 wrench.
And it all happened (he beat the $5 wrench guys) because he encrypted. If he hadn't encrypted, he might not have ever known he was under attack (well, ok, in this particular example he actually did; most of the time you don't), wouldn't have been confronted with the $5 wrench, and wouldn't have have had the recourse of getting the judge to come in with his $100 wrench.
Encrypt. More of than not, it results in you defeating your adversary. That's true whether the adversary is your government, someone else's government, a common thief, Google, whoever bought your refurbished drive after you RMAed it, or whoever.
You're stupid and knowingly negligently careless if you don't encrypt anything important. We're all going to point and you and laugh at the non-random misfortune that you consciously chose to experience.
Examples of what's important are: your shopping list, where you're having dinner tonight, mundane thoughts such as "yes, I'll have another beer" and nearly anything else. Anything you say can be used against you, and I'm not quoting Miranda; I'm quoting reality itself.
$22k a year? I'd be willing to not edit the submissions for a fraction of that.
From what I understand, it doesn't even have to be your key. If someone slipped an encrypted flash drive into your pocket, you could be sent away for refusing to divulge the encryption key - even though you have no possible clue what it might be.
When our name is on the back of your car, we're behind you all the way!
I sometimes wonder at all the victimless crimes we seem to have.
In this case federal prosecutors not only don't have a victim, they don't have evidence of a crime. The only way to convict the defendant is to get the evidence from him.
I think the constitution was made specifically to protect us from these sorts of "investigations of suspicion"; specifically, the founding fathers recognized that many activities may seem suspicious from the outside and in certain contexts, but that the government can't simply come in and rummage around for reasons to arrest someone.
This is especially salient in today's world, where innumerable crimes go unaddressed even though there are real victims, and investigating and prosecuting would be trivial. Spam, phishing fraud, identity theft, stolen laptops where the laptop tells the owner where it is, robocalling - all crimes where an average citizen has to beg the government to intercede... to no avail.
Having "suspicious activity" but no evidence should be a clear signal to the authorities. Drop the case, or do something to get real evidence. This general "he's done something wrong, we only need the tools to do our job" thing has to stop.
Do your job by protecting real victims.
Politicians, police, and heads of major bodies are trained to answer "I can't remember" to questions where a refusal to answer is not permitted.
By Law, in the USA, the statement "I cannot remember" can NEVER be categorised as lying (without a freely offered self-confession of this fact). Understand that the USA is one of the obscene nations where lying to law enforcement goons is a serious criminal offence in itself, whereas the same law enforcement goons have full State authority to use lies as a tool of investigation and interrogation. The reason every lawyer in the USA states that you must NEVER talk to law enforcement goons without a lawyer present is because of these facts. Innocent people can be lawfully converted into criminals in the USA, simply by how they respond to a manipulative and dishonest line of questioning.
Even in the UK, lying to law enforcement goons is not a criminal offence in and of itself (at worst, you can be charged with wasting police time- but there the lie has to be one that suggests false details about a crime that cause unnecessary and useless investigation).
All nations can 'force' a person to reveal a password under some legal principle or other, if the circumstances are right. 'Force' means, of course, that a refusal to comply is a crime. "I cannot remember the password" will work for any elite individual who actually exists above the law (like senior 'banksters' in the USA). It will not work for an ordinary target of law enforcement.
Good lawyers always offer cynical advice. How often have you read stories of famous Americans refusing to be breathalysed at the scene of a DUI incident. The lawyer has trained these clients that the penalty for refusal is FAR lower than the penalty for being found DUI. Forced decryption follows the same logic. For political targets, the USA uses the obscene system of 'contempt' and sequential re-incarceration- effective turning the penalty for the offence into one of life in prison.
The argument about "reasonable suspicion" is an interesting one. It does, however, smack of turning 'presumed innocent' into 'presumed guilty'. Should the command to force decryption be accompanied with a promise that only the expected incriminating digital evidence be used against the individual, and that other illicit digital content that may be found with no relationship to the current case should be ignored, if it proves that the expected material is NOT present within the digital 'safe'?
In other words, if law enforcement goons are wrong about you with their current claims, should you be forced to incriminate yourself over an unrelated 'crime'? After all, if you reward law enforcement goons for engaging in 'fishing expeditions', clearly this tactic will only grow.
I'm sure it'd be permissible, but with a proper key, only without an understanding of how encryption works should you believe anybody has the computing power to crack the current encryption algorithms.
They are following the constitution. Now the neo-cons will be upset about that and insist that their buddies at SCOTUS to overrule the 5th.
I prefer the "u" in honour as it seems to be missing these days.
If they can crack it they're totally free to use it.
imagine that there's a body buried someone in kansas. they can't force you to tell them where it is so that they can go collect evidence against you from it.
But if they find it themselves they're free to use it.
for encryption the search space is a mathematical one but otherwise it's similar.
of course if the NSA or some such can crack it there's no way that they'll admit it for something as trivial as a conviction for some petty criminal because then everyone would know it had been cracked and would use a different form of encryption and the NSA would have to do all the work of cracking that new one.
I don't think it would be illegal. The only reason that this is an issue is because they either can't or won't break the encryption themselves. Instead they are trying to compel the suspect to divulge information that could be inciminating. If they had other evidence proving that there was evidence on the encrypted device then they could legally compell the suspect to do so.
So far as breaking the encyption there are a couple possibilities in play. The government might have access to the computing power or theniques necessary but it is doubtful that some generic police department or prosecutor would have access to even the knowledge that such a resource was available. The government wouldn't want to tip their hand in that kind of way when they can continue to let our enemies think their communications are secure.
Personally I think it's unlikely that any government possesses a computer capable of breaking the best current encryption protocols. But if they did we'd never know about it until long after it was useful information.
I'm sure the FBI / NSA has some supercomputers that could crack his computer in very short orde.
Then you simply watch too much television.
I can't get real worked up about that. You sound like a guy I know at work. You did forget the obligatory quote from Jefferson or another founding father containing dire warnings about giving up liberty.
I've just heard too many people rant and rave for years about how the Constitution is being ignored, destroyed, etc. to get worked up about this. When George W. Bush was president, we heard that he was going to declare martial law and suspend the elections. Yet the man obeyed every Supreme Court decision that came down and when he stepped down, as required by law, the people who swore he never would give up power had no answer. Then the other side started to claim that Obama doesn't care about your rights, blah blah blah. Despite the hysterical ramblings we get here, the US legal system has remained independent as always. In fact, the only place that I've noticed where rights really and truly do seem to be disappearing is Western Europe, but nobody complains about that. You can still express distasteful thoughts in public in the USA and not be put in jail as long as you don't make threats against individuals, but Western Europe is at a place right now where you can get serious jail time for saying things that in no way invoke threats on anyone.
What if the accused claims copyright protection and coverage under DMCA? The investigators would be violating DMCA in cracking the encryption, right?
So, it's rather like if the police found a special car with very strong windows and combination locks. They have strong evidence that it's got a lot of heroin in it and want to get inside it to search it and have a warrant to do so but can't get it open.
They think, but don't have much evidence to support that belief, that you had unrestricted access to the car interior and therefore have the combination and can open the door for them.
What this ruling says is that they can't compel you to product the combination because then you would be being forced to reveal that you did, in fact, have the combination and, hence, access to the inside of the vehicle which would be incriminating given the contents of the car.
If, however, they found a surveillance video that showed you opening the door of the car using the combination you could then be compelled to provide the combination as that would not reveal, for the first time, that you actually had access to the interior of the car.
Is that correct?
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
That is because you don't understand encryption.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Things I learned from reading the ruling:
1. As usual, keep your mouth shut. The guy merely admitted that he lived alone in his current residence for 15 years before he got smart and lawyer-ed up, and that fact makes an appearance in the ruling. It doesn't hurt much and they would have figured it out anyway, but it definitely didn't help.
2. Use whole-disk encryption and encrypt everything. All evidence against him mentioned in the ruling was obtained from unencrypted drives and were what should have been private bits and metadata that leaked or never making it to the encrypted drive, especially log files. They have highly incriminating file-names, drive letters, peer-to-peer download logs, basically a ton of metadata. While this ruling almost certainly doesn't cover all the evidence against him, it's not clear the FBI would have anything at all if it weren't for the two drives that they found unencrypted. Although they must have had something else to go after him in the first place.
3. IMO he really dodged a bullet at least in this narrow instance. Crudely speaking, Judge says it isn't reasonable to conclude that both the files in question necessarily exist and that the defendant had access to them (it sounds like the real problem is the latter). This when they have file-names, log files, and the disks in question were taken from his residence where he has lived alone for 15 years, and while he certainly hasn't admitted the disks were his, I don't see an active claim to the contrary either (which I'd likely support but he needs to say it). I'm very pro-encryption and am generally not happy with the court compelling encryption keys, but this is one of the weakest cases for not doing so that I could think of, and is probably why the FBI decided to go for it and now potentially lost big if this it the burden or proof they are stuck with to prove ownership or control of data on a disk.
I have files on my Hard Drive that are encrypted, with the key being stored on a USB dongle. Unfortunately, that dongle went missing.
So I now sit on a lot of files that I can't access and couldn't turn the key over (but hey, if you find the dongle in your search, be my guest), but I know the moment I delete them I find that darn dongle...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Can still be used as case law, or persuasive precedent, in other cases. "Look, your honor, here is how another judge ruled and his reasoning. You don't have to agree, but you should consider this ruling."
Now that you gave him a password and he does not see what he wants, he just assumes you used a hidden partition, and gets right back to beating you. The problem with deniable encryption is that you have deniable encryption software, and everyone will assume you are using it. You give your "innocent" password, and then they ask for your "other" password.
Palm trees and 8
Sad truth, and I think the first (non-techie) old farts who will understand encryption probably haven't been born yet :-(
"When information is power, privacy is freedom" - Jah-Wren Ryel
True, it could be quite easy to get someone framed. Create a flash drive with an empty encrypted partition*, drop it in enemy's pocket, pick up a pay phone anonymously,** wait for enemy to enter low-surveillance public area** and call the cops and say "I just saw two guys browsing child porn on a laptop, one of them was [common outfit, average description] and the other was [enemy's description and clothes] and he took a flash drive that was plugged into the laptop and gave the other guy money! The guy with the flash drive is still in [low surveillance public area], hurry!"
*Without getting your goddamn fingerprints and DNA all over it, and bought with cash, ideally from a vending machine
**is VERY hard to do and will get harder
"When information is power, privacy is freedom" - Jah-Wren Ryel
I don't believe that for a second. They just won't want to show that they broke the encryption to fool us into thinking it is safe to use, so they are trying this trick of compelling the guy to talk.
“He’s not deformed, he’s just drunk!”
Deniable encryption
\u262D = \u5350
It sounds like it's time for some sort of proxy key management service.. where userA gets paired with userB, userA has the keys for userB, and B has the keys for A, but neither has their own keys to unlock their data... user A just asks userB to unlock the data once in a while. Then when asked, the reply could be 'Oh, BillyBob193 has the key, I just ask him to unlock it. And he's really good at knowing if I sound like I'm being coerced... Oh, and we just chat over an IRC server hosted in some foreign country, so, good luck getting their logs.. and I think BillyBob might actually live in some other country too and just ssh's in to my laptop here, so.. good luck finding and coercing him too... And even of you just sign up for the service, but still have your own keys, it might be good for plausible deniability... just make sure you aren't caught typing it yourself.
Oh no, not again.
Most likely he didn't use a simple passphrase. 256 bits is only 32 characters. And most (decent) passphrase-based systems unlock a key which is then used to unlock the rest of the data.
And that is IF he used a passphrase and IF they know what crypto algorithm he chose. Truecrypt for example allows you to stack encryption algorithms so you may even have a flawed algorithm (one with a hidden backdoor), they still can't crack the rest.
Custom electronics and digital signage for your business: www.evcircuits.com
I don't know, this looks like a reasonably suspicious post to me
FTFY