Slashdot Mirror
'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk)
Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.
There is precedent for this when the defendant has already decrypted the drive for authorities and then refuses to do so for the court. In that case, the contents are considered a "foregone conclusion" and there is no question that the defendant both acknowledges the encrypted volume and knows the key to decrypt it. This is a reasonable balance against Fifth Amendment protections.
If he has not ever revealed the password to authorities, the Constitution absolutely prohibits this action by the court. A man cannot be compelled to self-incriminate, the court may not presume guilt (innocent until proven guilty), and the court can only establish guilt through due process of law (everything from investigation to conviction) and with equal protection under the law (the law is applied the same way to everyone). This ruling blatantly violates most of these basic rights if the contents of the drive are not a "foregone conclusion."
what if a defendant really doesn't remember the password? Throw him in jail forever?
Sure. Why not? The criteria is "reasonable doubt" not "certainty". In practice, the standard for "reasonable doubt" is not very high. When DNA evidence first became valid in court, the Innocence Project reviewed thousands of old cases, and determined that about 10% of them could not possibly have committed the crimes for which they were convicted. One case overturned was the Central Park Five, which EVERYONE, including our president, was absolutely certain were guilty. There are many, many other cases with no DNA evidence, but there is no reason to believe the false conviction rate is any lower for those.
So if 90% certainly is good enough to lock up some poor black kids for life, why isn't it good enough for a rich white guy with a Macbook Pro?
All you need is a lawyer who's willing to argue that police lost evidence of this during arrest/warrant sweep. Happens quite often and there's a lot of case law on it.
Om, nomnomnom...
This is very hardware dependent. Plenty of systems out there that require a passkey to unlock but nuke themselves with a few bad tries. They are not clonable (unless you're the NSA and even then some go to lengths to prevent chip lapping and other methods from working). In essence it's a small computer that you can not practically copy with a hardened interface that stores the actual decryption keys.
Even the TPM chips tied to hard drives should support that.
No sir I dont like it.
An admission of a crime was made, written up, encrypted, and put on a USB(CD maybe) and sent to the Home Secretary. The police were then contacted and informed that the Home Secretary has, in his possession, an admission of a crime that requires a custodial sentence.
Technically, that he never had the keys to unlock it was irrelevant. He had an item that was an admission of a crime, he was duty bound to hand it over and unlock it, even though there's no way on earth he could. But the way the law was written, he was the one in trouble.
If this is allowed to stand, we now have the way for someone/anyone to send you an encrypted file (email/cookies), that will then get you found in contempt of court as you are unable to prove you can't unlock it.
Waiting for an amusing sig.
As a victim of a rubber hose attack by the American government I can offer some insight into how it works and how everyone looks at the issue wrong. The government usually gets it hands on you somehow and threatens you with some ridiculous mandatory minimum prison sentence. Its a somewhat civilized approach to the rubber hose attack.
You go hire a big buck attorney who starts to work on the case. Next thing you know the government is offering you immunity for whatever is on your computer in exchange for the passwords. Of course your attorney says give them the passwords and this thing will likely go away. You hand over the passwords and it goes away, the statute of limitations ticks off a few years later.
Now if you are the main target of their interest they will wait until they can nail you to the wall and do this step to anyone they think may be able to help.
A better approach would be to use a wifi accessible ssd hidden in a wall or elsewhere it wont be found. Most of the time they are in and out of your house in under a hour, it is very rare, without an informants telling them all of your opsec secrets that anything well hidden will be found.
Cops are humans, most humans are lazy and have mixed feelings about their job, remember that. Encrypted disks in the hands of the government should be treated as the starting point in negotiations.