Slashdot Mirror


'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk)

Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.

13 of 522 comments

  1. Re: What if by Anonymous Coward · · Score: 0, Interesting

    This is a case pertaining to child pornography, so...yes, in order to make an example of him and/or set a precedent (more likely the latter imo).

  2. Destroy code? by PCM2 · · Score: 3, Interesting

    Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."

    Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.

    --
    Breakfast served all day!
    1. Re:Destroy code? by silas_moeckel · · Score: 4, Interesting

      This is very hardware dependent. Plenty of systems out there that require a passkey to unlock but nuke themselves with a few bad tries. They are not clonable (unless you're the NSA and even then some go to lengths to prevent chip lapping and other methods from working). In essence it's a small computer that you can not practically copy with a hardened interface that stores the actual decryption keys.

      Even the TPM chips tied to hard drives should support that.

      --
      No sir I dont like it.
  3. Does this case fit the precedent? by nctritech · · Score: 4, Interesting

    There is precedent for this when the defendant has already decrypted the drive for authorities and then refuses to do so for the court. In that case, the contents are considered a "foregone conclusion" and there is no question that the defendant both acknowledges the encrypted volume and knows the key to decrypt it. This is a reasonable balance against Fifth Amendment protections.

    If he has not ever revealed the password to authorities, the Constitution absolutely prohibits this action by the court. A man cannot be compelled to self-incriminate, the court may not presume guilt (innocent until proven guilty), and the court can only establish guilt through due process of law (everything from investigation to conviction) and with equal protection under the law (the law is applied the same way to everyone). This ruling blatantly violates most of these basic rights if the contents of the drive are not a "foregone conclusion."

    1. Re:Does this case fit the precedent? by nctritech · · Score: 4, Interesting

      They can't criminally charge you for not taking the sobriety field test. They can and will take your license away. That's not a criminal process, it's a regulatory one. Different states may have different variations but the song generally remains the same. Driving is legally considered a privilege, not a right. It isn't the same thing.

      I agree with your second part. Civil asset forfeiture is a blatantly unconstitutional thing that is constantly abused. It's still not a constitutional action, but the guys with the guns make the rules in the end.

  4. Re:What if by ShanghaiBill · · Score: 4, Interesting

    what if a defendant really doesn't remember the password? Throw him in jail forever?

    Sure. Why not? The criterion is "reasonable doubt" not "certainty". In practice, the standard for "reasonable doubt" is not very high. When DNA evidence first became valid in court, the Innocence Project reviewed thousands of old cases, and determined that about 10% of them could not possibly have committed the crimes for which they were convicted. One case overturned was the Central Park Five, which EVERYONE, including our president, was absolutely certain were guilty. There are many, many other cases with no DNA evidence, but there is no reason to believe the false conviction rate is any lower for those.

    So if 90% certainty is good enough to lock up some poor black kids for life, why isn't it good enough for a rich white guy with a Macbook Pro?

  5. Re:Contempt of the court... by Mashiki · · Score: 4, Interesting

    All you need is a lawyer who's willing to argue that police lost evidence of this during arrest/warrant sweep. Happens quite often and there's a lot of case law on it.

    --
    Om, nomnomnom...
  6. Re:Contempt of the court... by mi · · Score: 2, Interesting

    asymmetric cryptography [with which] you can encrypt files without having the ability to decrypt them

    Irrelevant.

    Of course that's not usually the type of encryption used to secure entire drives.

    Of course, it is not — and the judge is well aware of it. He had these large drives attached to your computer. They both agree, he accessed the data on them with a password. He claims, he no longer remembers the password — well, the judge happens to not believe him.

    This is not a Constitutional question — the guy is not asked to testify against himself. What he is to say is not under oath and will not be used against him. What is demanded of him is a key to the premises, for which a perfectly valid search-warrant has already been issued.

    That the key happens to be a word — rather than something tangible like a metal key or a thumb-print — is irrelevant and does not magically add a Constitutional protection.

    --
    In Soviet Washington the swamp drains you.
  7. Re:Contempt of the court... by nobuddy · · Score: 3, Interesting

    No, but you can set your encryption to scramble the key if there are (X) false attempts. Or even to scramble if a certain password is entered instead of the real one. And, if you used reasonably secure encryption, once that is done, it's toast. It cannot ever be decrypted with today's technology. And likely can never be decrypted, ever.

    Judge won't like it. Prosecution won't like it. But it is easy to prove that this is a fact.

  8. Re:That's not good law by MrDoh! · · Score: 5, Interesting

    That was how the UK version of this law was made to look silly (even though it later passed of course).

    An admission of a crime was made, written up, encrypted, and put on a USB (CD maybe) and sent to the Home Secretary. The police were then contacted and informed that the Home Secretary has, in his possession, an admission of a crime that requires a custodial sentence.
    Technically, that he never had the keys to unlock it was irrelevant. He had an item that was an admission of a crime, he was duty bound to hand it over and unlock it, even though there's no way on earth he could. But the way the law was written, he was the one in trouble.

    If this is allowed to stand, we now have the way for someone/anyone to send you an encrypted file (email/cookies), that will then get you found in contempt of court as you are unable to prove you can't unlock it.

    --
    Waiting for an amusing sig.
  9. Re:Rubber-hose cryptanalysis by Anonymous Coward · · Score: 4, Interesting

    As a victim of a rubber hose attack by the American government I can offer some insight into how it works and how everyone looks at the issue wrong. The government usually gets its hands on you somehow and threatens you with some ridiculous mandatory minimum prison sentence. It's a somewhat civilized approach to the rubber hose attack.

    You go hire a big buck attorney who starts to work on the case. Next thing you know the government is offering you immunity for whatever is on your computer in exchange for the passwords. Of course your attorney says give them the passwords and this thing will likely go away. You hand over the passwords and it goes away, the statute of limitations ticks off a few years later.

    Now if you are the main target of their interest they will wait until they can nail you to the wall and do this step to anyone they think may be able to help.

    A better approach would be to use a wifi accessible ssd hidden in a wall or elsewhere it won't be found. Most of the time they are in and out of your house in under an hour, it is very rare, without an informant telling them all of your opsec secrets that anything well hidden will be found.

    Cops are humans, most humans are lazy and have mixed feelings about their job, remember that. Encrypted disks in the hands of the government should be treated as the starting point in negotiations.

  10. Re: Happens quite often... by slashrio · · Score: 3, Interesting

    Like the sticker note with the password on the bottom of the laptop.
    "I don't know the pw, it's on the bottom of the laptop."
    Police: "..." Unless of course they filmed the whole arrest and house visit.

    And about the 'foregone conclusion' and the fact they aren't simply starting the trial based on the evidence that led to this conclusion:
    I think it's quite possible that law enforcement told the judges, confidentially, that they already have hacked the disks using a secret back-door or other procedure, but just can't (won't) make that public. In that case a trial wouldn't work either.

    And where is the proof that the files are actually on his HD and that he hasn't deleted them already?
    He could admit downloading them (out of curiosity), but erasing them immediately upon discovering their true nature.
    Which leaves the testimony of his sister to deal with, who must have been really pissed off by the pictures she's seen on his phone--maybe her own child was involved, that she witnessed against her own brother?

    --
    "Trump!!", the new Godwin.
  11. Re:Rubber-hose cryptanalysis by dougmc · · Score: 3, Interesting

    Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.

    You aren't imagining the defendant's computer in a nice neat room with his drives plugged in and a cop sitting at it trying to guess the password, are you?

    No, the drives will have been imaged through a hardware device that blocks all attempts to write, and their work will be on their own computers running their forensic software against the images of his drives, with his original drives safely in the evidence lockup.

    And if criminals start using drives with custom firmware to foil this (they've already read the first GB sequentially? return gibberish and erase everything!), the cops will then be removing the control boards and substituting their own before they do the imaging.

    "Self destructing crypto" will just be something else for them to work around. It might foil the local police department, but if the FBI/NSA/CIA/etc. really wants your data, that's not going to foil them any more than straight strong crypto will.