Slashdot Mirror
'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk)
Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.
I do not even know any of the passwords I use either at home or work....random passwords+2FA. I could not even remember them, even if my life depended on it.
Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.
>"upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives"
I am not saying that is the case here, but what if a defendant really doesn't remember the password? Throw him in jail forever? Some devices don't need a key/password UNLESS they are disconnected or reset, and it is very plausible someone might have been using something for a long time without knowing.
i forgot routine. https://www.youtube.com/watch?...
This amounts to "We know you're guilty even though we can't prove it so we're not going to bother with proof", and worse, they're using that to apply a potentially unlimited sentence.
Just because the guy is accused of having a child porn collection doesn't mean the niceties of law shouldn't apply.
I'm actually not so much for the right against self-incrimination, but I am very much for the right to a fair trial based on evidence and not what people 'know'. I'm also very much on finite sentences proportional to the needs of protecting society, punishing enough to scare the next guy, and attempting to reform the convicted if possible... but there shouldn't be a sentence at all without a just conviction.
While I have less than zero sympathy for child pornographers, what about the 5th amendment? I thought it was to EXPLICITLY prevent the courts from obliging you to give information that may incriminate you.
Also isn't the onus on the court to prove you're definately guilty before punishing you? I think its more than reasonable that someone could honestly forget their password, especially in a stressful situation such as a trial.
Nothing more to say, really.
A government is a body of people notably ungoverned - AC
So when are the politicians going to be charged with contempt of court when they "do not recall"?
In my personal experience, passwords that are > 24 characters, are easily forgettable if unused for a period of time. I struggle with remembering complicated passwords if I haven't used them in over a month. Not sure if it's because they're to complicated or if it's a neurological limit. I also suffer from ADD and have a history of radiation exposure.
That being said, I completely understand how it's possible for someone to forget a password.
Self-incrimination issues aside:
On these drives, are they completely encrypted preventing mounting or is it just the file contents?
If it's the former, then one should be able to see the last time a file was changed. If it's a few days before the seizure, I'd call BS. If the last access/modification was a fair time ago then it becomes more reasonable to assume the "I forgot" defence is truthful
I agree, it's contempt of court. As well it should be, since the court is contemptible. The right against self-incrimination is absolute - you don't have to testify against yourself, you don't have to unlock that (combination) safe, you don't have to decrypt files. You have the right to remain silent.
That is, unless it's the physical key to a safe, or some hardware encryption key. That's physical, and subject to seizure. But a combination or encryption password is a product of the mind, and forcing it out is forcing self-incrimination.
Sure, law enforcement has a right, with the proper warrant, to break into the safe or attempt to decrypt the contents themselves, but failing that, they're simply SOL.
"National Security is the chief cause of national insecurity." - Celine's First Law
My understanding of the logic behind attempting to force him to provide the passwords is that he won't be giving the government anything that they don't already know or have.
That being the case, why do the need the passwords at all? If they already "know everything", then they can proceed with their prosecution. If they don't have everything that they need to proceed without the passwords, then they obviously don't know everything.
Self-contradictory, isn't it?
If you're a zombie and you know it, bite your friend!
Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."
Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.
Breakfast served all day!
Slip your own encrypted disk into someone else's possession, send an anonymous tip to the cops, and they go to jail for the rest of their lives.
The government's argument is that the passcode itself is not incriminatory. It's the protected contents which may be, and the person is not being asked to directly disclose those. But that ignores that showing the ability to access the files may itself be incriminatory.
Anyway, his passcode is "1Admit1'mGuiltyAsH3ll.", so disclosing it would be self-incrimination.
"National Security is the chief cause of national insecurity." - Celine's First Law
Secret courts can pry my encryption keys out of my cold dead American hands!
-- Tigger warning: This post may contain tiggers! --
The government has been violating the constitution in spirit and word for so long that nobody seems phased by this sort of nonsense. It sadly gives weight to Trump's phrase "so-called judge": Forcing anyone to incriminate themselves by compelling them to give information in their mind is blatant violation of the 5th amendment. It's upon burden of prosecution to provide evidence BEFORE trial, not compel someone being tried to give evidence during the trial. As has be proven many times, there are a various number of ways investigators can get around encryption with a little planning (the was that guy running the drug trading service from a library I remember, they did it smart and the charged individual was a bit smug/laid back). If you can't prosecute with out that data, it shouldn't have been brought to trial. and if you have proper evidence already, don't need anyone's password. It's creating a culture where proper policework is not done, but prosecution says "to blazes with proper evidence, we'll use circumstantial evidence and wing it in court because it's convenience to try to compel someone being tried to waive their 5th amendment rights. you give us everything we need to prosecute you, or we'll lock you up for contempt charges. That's just wrong. And given the huge data dragnet we already have controlled by the CIA (another unconstitutional program confirmed by the courts). they have other tools (even if unconstitutional less so) for using data in a court case. Putin claims our system is no better than Russia, and if we keep violating our supposedly most precious standards like this, we'll prove him right.
"Imagination is more important than knowledge" - Einstein
There is precedent for this when the defendant has already decrypted the drive for authorities and then refuses to do so for the court. In that case, the contents are considered a "foregone conclusion" and there is no question that the defendant both acknowledges the encrypted volume and knows the key to decrypt it. This is a reasonable balance against Fifth Amendment protections.
If he has not ever revealed the password to authorities, the Constitution absolutely prohibits this action by the court. A man cannot be compelled to self-incriminate, the court may not presume guilt (innocent until proven guilty), and the court can only establish guilt through due process of law (everything from investigation to conviction) and with equal protection under the law (the law is applied the same way to everyone). This ruling blatantly violates most of these basic rights if the contents of the drive are not a "foregone conclusion."
I told you so.
While it still (at the moment) seems unconstitutional to force a person to reveal their passwords, it is simple to get around this by ordering the person to enter the password themselves.
So if you think you're going to evade the long arm of the government by memorizing all your passwords, think again or you too will be jailed.
And remember kiddies, "I forgot" or "I don't remember" only works if you are part of the government itself ;)
The Cheney defense although I'm sure it was used by others long before him
Pain is merely failure leaving the body
Why not just subject him to water boarding and other forms of "enhanced interrogation" techniques? At this point, what does it even matter? If we are so willing to break some of the most fundamental rights owned by our society, then what does the rest of it matter? You can argue day and night about whether there is still logic to the 2nd amendment; and lets be real, the logic falters when you exercise that right against a military as heavily funded as in the US. However, the existence of the 5th amendment is paramount to the freedom of our citizens.
Why stop at compelling an alleged criminal to stand as witness of information against themselves? Why not violate the rest of the amendment and just retry every single case that we thought should have gone another way. Hell, why even bother with costly trials at all? We can just go full Idiocracy right now and just decide if a person is guilty by appearance and conjecture alone.
Maybe we can avoid breaking the 5th amendment by violating the 4th instead and just require every person to subject themselves to a monthly screening of their house, vehicle and computer. Keys and Passwords would only be allowed to be administered by the state. Any time necessary, they state can perform an immediate screening of your property. Then no one has to stand as witness against themselves.
Lets take away the annoying 6th amendment too. No need for a speedy trial in cases like this. If an assailant is so clearly guilty, regardless of obtained evidence, then maybe its just 'good enough' that the person be locked away. Maybe we can allow police officers to act as jury as well. They surely know the law better than the commoner. Maybe that would ensure speedy trials instead.
Which brings us back to the 8th amendment and "enhanced interrogation" techniques in obtaining any necessary information that just can't quite be obtained in any other manner deemed reasonable by this modern governing style.
No matter what this person really did, the ultimate sacrifice is made by our entire society by breaking the fundamental rules that were set up to prevent this exact thing from happening. The bill of rights is far more important to the whole than this one trial, even if the accused is so accused accurately.
My password is "sorry I've forgotten my password". They won't be able to claim I didn't tell em!
No the logic is the same as a suspect ordered to unlock a safe/hidden room/car etc. having to do that. If the locked space then contains something illegal it is valid evidence however the suspect isn't being forced to say there are illegal stuff there.
Or to make the comparison even easier: if police have a search warrant they have to be provided access to a location, failure to give that access is in itself a criminal act. Here the police have a search warrant for the disks and aren't given access to them.
The only way the analogy fails is that it is possible to genuinely forget a password. Well a key can be dropped too but it is easier to do a search of the suspects belongings than searching their memories...
Rather than destroy the contents it would be better to have a separate code that will show photos and videos of granny's 100th birthday.
"Sir, why did you use password protection for such a purpose?"
"Why wouldn't I use it to protect my memories of my G'Ma?"
Mimetics Inc. Twitter
If there was no way to reset the password, I'd be screwed.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
I had a couple of encrypted partitions on my Linux setup that I rarely accessed that became inaccessible after a Linux update. In my case I did remember the password but Linux would not accept it. I eventually reformatted it and restored the data from a backup.
Any time you are arrested you should always choose to remain silent and request an attorney even if you are innocent.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
No one wants to side with a potential child pornographer, but law is definitely taking a turn for the worse if something like this is allowed to happen... they can't force the accused to produce proof of the crime against himself so he's charged with something else? This is basically abuse of power.
According to the original article, they have a testimonial from a sister, they have been able to figure out keys from other devices and forensics traced his traffic to known child pornography websites, so he most likely is the real deal. But justice still presumes innocence until proven guilty, and the justification for being this heavy handed does not work... as if cryptography becoming a prevalent thing justifies courts being able to force people to produce proof against themselves.
Did criminals denying charges made torture legal for them to fess up? Because it's basically the same thing here.
This is, again, a failure on persecuting the guy. They didn't have enough circumstatial evidence of what he did, so the court is forcing him to produce it himself at the risk of being framed for other crimes.
Now, most of us might not care if he suffers other penalties or not, as he most likely deserves all this, but we might not want a justice system that feels it's ok to do stuff like that.
Ok, there is a fundamental misunderstanding of how civil contempt works here. Rather than address 100 different posts let me summarize:
The whole idea here is that he has been ordered to do something, and is refusing to do it. The judge may order him held to persuade him to follow the order. Persuasion can take a while on something like this. The judge has a duty to monitor the situation and eventually determine that the defendant is unpersuadable.
Once it becomes clear that the person is unpersuadable, then proceedings for criminal contempt of court should start.
At that point, there are full criminal law protections and procedures. The standard becomes proof beyond a reasonable doubt, and the prosecution has the burden of proof on every issue of contention: i.e. whether he really forgot.
So, to address many posts: (1) it is not forever; (2) if he continues to there will eventually be a criminal trial of at least civil contempt. This is a form of obstruction of justice, so the penalty can be severe.
Like the sticker note with the password on the bottom of the laptop.
"I don't know the pw, it's on the bottom of the laptop."
Police: "..." Unless of course they filmed the whole arrest and house visit.
And about the 'forgone conclusion' and the fact they aren't simply starting the trial based on the evidence that led to this conclusion:
I think it's quite possible that law enforcement told the judges, confidentially, that they already have hacked the disks using a secret back-door or other procedure, but just can't (won't) make that public. In that case a trial wouldn't work either.
And where is the proof that the files are actually on his HD and that he hasn't deleted them already?
He could admit downloading them (out of curiosity), but erasing them immediately upon discovering their true nature.
Which leaves the testimony of his sister to deal with, who must have been really pissed off by the pictures she's seen on his phone--maybe her own child was involved, that she witnessed against her own brother?
"Trump!!", the new Godwin.
In earlier times, the English king could throw anybody in 'the Tower' if he didn't like him.
I thought it was exactly to prevent this that the bill of rights was made, and now the judges are the new king?
What if he really forgot the password?
"Trump!!", the new Godwin.
Definitely if one of them was underage and you not.
"Trump!!", the new Godwin.
Where did you get that?
And maybe it's better for him to be solitarily confined in jail, then to be a CP offender in a shared prison cell.
I guess his best chance is to sit in jail until the normal term for CP is over, then give his password, be trialled and set free because he spent already his term in jail.
"Trump!!", the new Godwin.
Possibly. That's the real question here, while I've read the case info provided in the article there's a bunch of things that are unclear until I get a chance to read the initial case. But, local police forces which is what this case is doesn't usually have the resources to backdoor things like this unless they're commonly known exploits. And if I remember the cases correctly, if they were seized as part of evidence in the original warrant and they were able to get the information off the drives without his co-operation it wouldn't matter anyway. Since it would have already proven that he was in possession of CP. So that doesn't really matter, in the rare cases where something like this happens they can seal part of the court case to protect the disclosure of things like that which would lead to the compromising of on-going investigations.
The real thing is is what you pointed out though, where the proof. There is none really. The prosecution states they have "known hashes" but that doesn't mean much beyond that. It's more likely that the sister saw actual CP, and that's it. That in itself leads weight to it, but it still doesn't mean too much without the actual evidence.
I wouldn't be surprised if this keeps moving through the court system, or their lawyer simply tells them to take the contempt charge which he'll likely serve on weekends and get on with his life. The contempt charge itself could be an entirely new ball of wax especially if it's contested which wouldn't surprise me. The lawyer(s) in question could make their career defining case off of it. Since then the court will have to prove that he knowingly engaged in contempt.
Om, nomnomnom...
"Where did you get that?"
By reading the actual court ruling, along with some publicly available analysis by actual lawyers.. The Regitser has a copy of the ruling if you do not have a PACER account: https://regmedia.co.uk/2017/03...
You are making the presumption that he is guilty. This may or may not be true. He might be innocent and actually have forgotten his password.
OTOH, just consider, if he gives them his password, they will be able to implant any evidence they choose onto his disks. Whoops! Forging dates isn't that hard.
I think we've pushed this "anyone can grow up to be president" thing too far.
> I thought that it was already established by case law that you did not have to say anything to aid the prosecution in any way, that your right to remain silent was absolute in a criminal case?
The law is you don't have to *testify* against yourself. Testimony is spoken evidence.
Physical evidence can be compelled because it's not spoken.
Words which are not evidence can be compelled - for example your name is not evidence, so a defendant can be compelled to give their name. Knowing the name may certainly aid the investigation, but your name is not itself evidence of any crime. Because it's not evidence, it's not testimony. The fifth amendment refers to testimony.
So yeah you can be compelled to provide information which is not itself evidence, but does aid the investigation.
One recent case has been cited in even more recent cases regarding passwords. That case ruled that if it's not proven that the drive is yours, stating "the encryption password is foobar" would be effectively testifying that it *is* your drive. That would be protected by the fifth. However, if it's not disputed that the device belongs to the defendant, the password is not evidence and is therefore not protected by the fifth amendment, the court ruled.
As someone else posted here, if the password were "I admit I am guilty of ...", then the password itself would be testimony and therefore it seems it would be protected.
If evidence is destroyed *after* it's been subpoenaed, that may be contempt of court, but more importantly it's tampering with evidence, if done with the expectation that a prosecution is likely.
Tampering with evidence generally has a lesser sentence than child porn, so one might argue it makes sense to take a tampering conviction if it prevents a CP conviction.
And when failing to surrender such passwords to the court when requested is contempt of court, you can then be held in contempt of court only for what you are thinking.
Yup, the 21st century's gonna be just great. Somebody call over the guy selling popcorn.
File under 'M' for 'Manic ranting'
In an ideal world (for the cops) yes - but resources and not always what you expect from television. The old Bruce Sterling non-fiction text "The Hacker Crackdown" (free download) is still apt after all these years. Back then the cops wanted the budget to buy an Amiga, now it's the budget for a computer forensic lab up to the quality of a guy running a hard disk recovery business out of his garage.
> > then *the password itself* would be testimony and therefore it seems it would be protected.
> No. "My password is 'I am guilty'" is not the same as saying "I am guilty." The first is mention, the second is use. Or put another way, the quotation marks matter.
You may notice there are no quotation marks in the password itself. Or put another way, quotation marks matter - you can't just insert them into my sentence without changing its meaning a bit.
*The password itself* is evidence that at the time they chose that password, the declarant either believed they were in fact guilty of possessing child porn or at very least, when creating the encrypted volume they had child porn in mind. So it's evidence in words, aka testimony. It would be admissable under Uniform Rule 63(1), Prior Inconsistent Statements. See also California v. Green, 399 U.S. 149 (1970).
On the other hand, adding quotation marks to get:
My password is "I'm guilty of child porn"
Is essentially the same as these alternative statements:
When I created the encrypted drive, I had child porn in mind.
I'm the type of sicko who chooses "I'm guilty of child porn" as his password.
Both of the above statements are evidence of the declarant's intent and state of mind around the time of the act. As evidence, spoken, they are testimonial.
No, the drives will have been imaged through a hardware device that blocks all attempts to write, and their work will be on their own computers running their forsensic software against the images of his drives, with his original drives safely in the evidence lockup.
And if criminals start using drives with custom firmware to foil this
This is not a custom firmware.
There is a thing on ATA protocols dating back when it didn't even have the initial "P" in front to contrast with SATA yet :
HW access to the harddrive can be password protected.
No password ? You can't even access the blocks on the device, it refuses to read them.
I think I remember that the first X-Box did use something similar to try to protect the content of their disk.
Probably most modern SSD drive should be able to do it.
And if criminals start using drives with custom firmware to foil this (they've already read the first GB sequentially? return gibberish and erase everything!), the cops will then be removing the control boards and subsituting their own before they do the imaging.
A long long time ago, it used to be possible to swap the control boards of spinning rust media and still get something remotely meaningful if you squint enough at it.
(The only thing you'd be losing by doing that, would be the mapping from the physical sectors on the actual disk platter to the logical block addresses (LBA) as seen by the computer on SATA bus as handled by the SMART running on the controller to remap old defective sectors).
With modern SSD, you'd be losing the layer of encryption that the controller board does on the fly when writing to the flash media (it's a standard protection feature of most controllers, with the exception of maybe a few dead-cheap no-names that you wouldn't be using for these kind of missions anyway), in addition to all the mapping (done by the flash-translation-layer, which is much more complicated than SMART because it handles all the wear levelling).
Bascially a SSD, without the controller board that was used to write the data is just plain gibberish.
And that's *another* layer of gibbersih in addition to the whole-drive encryption done by the OS.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Laws just exist to keep people of of prison. If there were no laws, the executive (in this case: the most violent group) could just lock up everybody else.
Truecrypt (before it went dead) has a plausible deniability option where you had two passwords. One would open your files, the other would open a different, dummy filesystem. As long as you used it recently (to show it was the real one, not a dormant clever ruse) no one could tell it wasn't decrypting the real system. Where are all the plausible deniability options in encrpytion tools these days?
I wonder what about the self-incrimination rule if the text of the password itself is incriminating.
Imagine I'm being charged with possession of child porn, but my password is "TheCorpseIsBuriedBehindTheGarage".
Revealing it would be direct self-incrimination, regardless of the drive content, wouldn't it?
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
apparently this court ruling happened during the roaring 20's
Calvin:Do you believe in the devil? Hobbes:I'm not sure man needs the help.
For images it doesn't matter what his age was, only hers.
For various "activities" the ages come in to play.
> One of my past passwords was "iAmCh33seburger"; do you really think I think I'm a sandwich?
There is strong reason to believe you don't think you're a cheeseburger, despite the (weak) evidence that you have an interest in cheeseburgers. On the other hand, if through some strange set of circumstances your belief in your cheeseburgerness WERE at issue in a trial (something to do with insanity perhaps) the fact that you wrote "I am a cheeseburger" prior to the trial would be very weak evidence that you thought that. Not convincing evidence, probably, since also approximately nobody thinks they are a cheeseburger, but evidence nonetheless.
The point here is that the fifth doesn't say "compelled in any criminal case to be a BELIEVABLE witness against himself"; it says "a witness against himself". Whether or not the testimony is credible doesn't limit the fifth amendment.
Add to this the convenient loophole that the defendant "has the keys to his own cell" and thusly that protections of due process don't apply.
While it involves encryption and passwords, the basic premise is nothing new. There needs to be perhaps a look at the powers of the court in the US in regards to the whole "Contempt of Court" charge.
Many years ago there was a man who was getting divorced from his wife. During the proceedings his assets were being split up and half or whatever value was being given to the wife. The Wife accused that he husband had secret offshore bank accounts that contained millions. The Husband said he did not or perhaps even pled the 5th, or simply refused to divulge the information (I forget which). The judge found him in "Contempt of Court" and sentenced him to jail until such time as he released the information on his offshore bank accounts. He was in jail for many *years*, perhaps is still in jail.
There are a couple things wrong with that. First is a sentence with no end, which is a problem. Second is being forced or "compelled" by court to release information he may not have. Considering the guy was or is in jail for years, either he doesn't have the information to release (or he does and it is a ton of money, and/or he really hates his wife, or possibly by doing so perhaps would convict himself of another crime if the money was illegal in some way, hence the 5th usage perhaps).
At any rate the whole encryption/password thing is the technological component, but the basic idea predates that by quite a bit.
Like the sticker note with the password on the bottom of the laptop.
"I don't know the pw, it's on the bottom of the laptop."
Police: "..." Unless of course they filmed the whole arrest and house visit.
The password is encoded using the serial numbers of the bills in the envelope which are in ascending order of value. What do you mean the $100s are missing?
Hehehe, genious! :)
"Trump!!", the new Godwin.