Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mass. Supreme Court Says Defendant Can Be Compelled To Decrypt Data

Posted by Unknown on from the wrench-helps dept.

Trailrunner7 (1100399) writes ... Security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones, and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so. The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt's Fifth Amendment rights. The ruling.

3 of 560 comments (clear)

  1. Re:Except, of course, they have to prove you can by Penguinisto · · Score: 5, Interesting

    From TFS:

    He said that he could decrypt the computers seized from his home, but refused to do so.

    Just because he was a dumbass doesn't mean the rest of us have to be.

    But let's say you want to be honest - here's a conceptual idea:

    Encrypt your stuff on a drive with two-factor auth. The first is a key that expires after x number of days, renewing the expiration every time you access it (let's say 3 to 14 days, tops.) The second factor is a passphrase. Shouldn't be hard to cook up if you use a high-bit-count SSL certificate as your key, and the encryption software checks the date. Keep the key on a separate but random-looking USB stick, SD chip, whatever. When you're not using it, stick it in a camera, unused smartphone, or similarly hidden. To prevent BIOS/EFI tinkering, insure that the encryption software double-checks that the system time is within the window (between last successful access and new expiry date) on boot, and destroys the key if the date is outside that window. Same with insuring that the HDD is in the same hardware it originally sat in, destroying the key if the software detects that a series of MAC addys and serial numbers don't match up.

    After the keypair expires (after all, you've been in jail all this time and unable to access it, so...) you can truthfully say that the data is unreachable by any means (though I do suggest that your statement not end with the phrase "...so suck it, copper!") Of course, this means *you* can't access it either, but one would hope you had a backup of the data stashed somewhere beyond the reach of a warrant or the authorities' knowledge, yes?

    Fun mental exercise either way. :)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  2. Same lie, two people, different outcome by Anonymous Coward · · Score: 5, Interesting

    Judge thinks you are lying. You're a geek, who presumably knows how to secure information on a computer. You saying "I lost the data" is equivalent to saying "My whole life is a lie and I don't actually know how to do any of the things I always talk about." Bullshit. You didn't lose the data. Your RAID6 didn't have a three-drive failure, and your backups weren't untested.

    Same judge can think Lerner is telling truth. Lerner is an administrator, and she uses an iPhone and thinks the "e" on her desktop is the Internet, Her saying "I lost the data" is equivalent to her saying "I think the car's oil might be low, but I haven't looked. but the problem really could be oil, because I read a story in Readers Digest about a couple who saw some smoke coming out their hood, and when they finally got to town for someone to check it out, it turned out they were low on oil!" Her act is consistently dumb enough that no dumbness could be out of character.

    When Lerner is asked the airspeed of an unladen swallow, she smiles helplessly, shrugs, and says "I don't know. What did you swallow?" When you're asked, you smugly immediately instinctively counter with "African or European?" and when the judge says "European," your eyes suddenly dart around and you say, unconvincingly, "Uh... I don't know anything about swallows."

  3. Re:I lost the password by Defenestrar · · Score: 5, Interesting

    No, as the series of court rulings have gone, the Fourth Amendment does not protect you from lawful search and seizure (such as a safe or hard drive). The combination to the safe, or encryption key to the drive, is not incriminating evidence and providing it to allow for lawful search and seizure does not violate your rights. They can admit evidence produced by oneself into court (such as two sets of books in one's own handwriting for a case of fraud) and that is not a violation of the Fourth (or Fifth) - just so with information one puts on a hard drive. What they can not compel one to do is testify against oneself (which is the Fifth by the way) nor assume guilt because you do not take the stand (not that a prosecutor won't toe that line with the jury). So, if one can keep all details of a crime in one's head and manage to destroy all other evidence which could be subject to lawful search and seizure - then you've got a shot at being a criminal mastermind.

    I'm not sure I entirely agree with the line of thought - but I can certainly follow the logic as well as the precedence.

    What would be interesting is if one's pass-code was material evidence with respect to the case - but a possible way around that would be limited immunity or ruling it as inadmissible evidence...It would make for an interesting case study.