Slashdot Mirror
'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk)
Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.
I do not even know any of the passwords I use either at home or work....random passwords+2FA. I could not even remember them, even if my life depended on it.
>"upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives"
I am not saying that is the case here, but what if a defendant really doesn't remember the password? Throw him in jail forever? Some devices don't need a key/password UNLESS they are disconnected or reset, and it is very plausible someone might have been using something for a long time without knowing.
This amounts to "We know you're guilty even though we can't prove it so we're not going to bother with proof", and worse, they're using that to apply a potentially unlimited sentence.
Just because the guy is accused of having a child porn collection doesn't mean the niceties of law shouldn't apply.
I'm actually not so much for the right against self-incrimination, but I am very much for the right to a fair trial based on evidence and not what people 'know'. I'm also very much on finite sentences proportional to the needs of protecting society, punishing enough to scare the next guy, and attempting to reform the convicted if possible... but there shouldn't be a sentence at all without a just conviction.
Nothing more to say, really.
A government is a body of people notably ungoverned - AC
So when are the politicians going to be charged with contempt of court when they "do not recall"?
I agree, it's contempt of court. As well it should be, since the court is contemptible. The right against self-incrimination is absolute - you don't have to testify against yourself, you don't have to unlock that (combination) safe, you don't have to decrypt files. You have the right to remain silent.
That is, unless it's the physical key to a safe, or some hardware encryption key. That's physical, and subject to seizure. But a combination or encryption password is a product of the mind, and forcing it out is forcing self-incrimination.
Sure, law enforcement has a right, with the proper warrant, to break into the safe or attempt to decrypt the contents themselves, but failing that, they're simply SOL.
"National Security is the chief cause of national insecurity." - Celine's First Law
Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."
Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.
Breakfast served all day!
It has been established that you can't be forced to turn over the numbers to your combination lock while you can be compelled to provide the physical key if you have it. The problem is that in cryptography, we call it a key but we mean combination lock, the judges here ruled a cryptographic "key" is something similar to a physical key, a piece of code/hardware you can give them to unlock your "safe" while it's actually a combination lock.
Custom electronics and digital signage for your business: www.evcircuits.com
Obligatory: https://xkcd.com/538/ XKCD gets it right yet again.
We're going to make information free Mr. Anderson, whether you like it, or not.
Secret courts can pry my encryption keys out of my cold dead American hands!
-- Tigger warning: This post may contain tiggers! --
The government has been violating the constitution in spirit and word for so long that nobody seems phased by this sort of nonsense. It sadly gives weight to Trump's phrase "so-called judge": Forcing anyone to incriminate themselves by compelling them to give information in their mind is blatant violation of the 5th amendment. It's upon burden of prosecution to provide evidence BEFORE trial, not compel someone being tried to give evidence during the trial. As has be proven many times, there are a various number of ways investigators can get around encryption with a little planning (the was that guy running the drug trading service from a library I remember, they did it smart and the charged individual was a bit smug/laid back). If you can't prosecute with out that data, it shouldn't have been brought to trial. and if you have proper evidence already, don't need anyone's password. It's creating a culture where proper policework is not done, but prosecution says "to blazes with proper evidence, we'll use circumstantial evidence and wing it in court because it's convenience to try to compel someone being tried to waive their 5th amendment rights. you give us everything we need to prosecute you, or we'll lock you up for contempt charges. That's just wrong. And given the huge data dragnet we already have controlled by the CIA (another unconstitutional program confirmed by the courts). they have other tools (even if unconstitutional less so) for using data in a court case. Putin claims our system is no better than Russia, and if we keep violating our supposedly most precious standards like this, we'll prove him right.
"Imagination is more important than knowledge" - Einstein
This is a case of secured evidence, not self-incrimination. If you have a locked safe that you won't give the combo to, they have the legal authority to break into your safe (and not compensate you for it), this is just an issue of where they are authorized to use force, but don't have sufficient force. (and this does indeed piss off the law / govt when it happens, they fancy themselves omnipotent and take enormous offense when proven otherwise)
It really comes down to more of a case of getting the book thrown at you for not respecting their authority. Can they do it? Definitely. Should they do it? probably. but not definitely.
Though this defense seemed to work for Ronald Reagan iirc? precedent by president!
I work for the Department of Redundancy Department.
There is precedent for this when the defendant has already decrypted the drive for authorities and then refuses to do so for the court. In that case, the contents are considered a "foregone conclusion" and there is no question that the defendant both acknowledges the encrypted volume and knows the key to decrypt it. This is a reasonable balance against Fifth Amendment protections.
If he has not ever revealed the password to authorities, the Constitution absolutely prohibits this action by the court. A man cannot be compelled to self-incriminate, the court may not presume guilt (innocent until proven guilty), and the court can only establish guilt through due process of law (everything from investigation to conviction) and with equal protection under the law (the law is applied the same way to everyone). This ruling blatantly violates most of these basic rights if the contents of the drive are not a "foregone conclusion."
The Courts (and Law Enforcement) have gotten really lazy, and it's confusing to me why they don't see it.
During the San Bernardino iPhone stuff and other such stories, there were so many 'seemingly intelligent' people saying how encryption shouldn't be allowed because it made law enforcement difficult. Since when has it been easy? Wearing gloves makes it hard to pickup fingerprints. Should you outlaw gloves as well? However, these people are saying, "You should be forced to live in a way that makes it simple for us to track you all the time." "Papers Please!"*
Two statements:
"As more and more people are using encryption these days it's much more difficult for us to obtain evidence." - legitimate
"As it impedes our abilities to gather evidence encryption in consumer devices should be restricted or should include a law enforcement backdoor." - completely not legitimate
*(Actually with the 'papers please' that's more about proving you're allowed to be there, rather than checking to see if you shouldn't be there. So it really doesn't apply to the situation.)
--Welcome to the Realm of the Hawke--
How do you implement the timeout assuming the attacker will have possession of the device in question?
Apple has been dealing with something similar with their 10 try then wipe password limitation they keep figuring out new ways to bypass it.
Minimum threshold fixed. Thanks!
Why not just subject him to water boarding and other forms of "enhanced interrogation" techniques? At this point, what does it even matter? If we are so willing to break some of the most fundamental rights owned by our society, then what does the rest of it matter? You can argue day and night about whether there is still logic to the 2nd amendment; and lets be real, the logic falters when you exercise that right against a military as heavily funded as in the US. However, the existence of the 5th amendment is paramount to the freedom of our citizens.
Why stop at compelling an alleged criminal to stand as witness of information against themselves? Why not violate the rest of the amendment and just retry every single case that we thought should have gone another way. Hell, why even bother with costly trials at all? We can just go full Idiocracy right now and just decide if a person is guilty by appearance and conjecture alone.
Maybe we can avoid breaking the 5th amendment by violating the 4th instead and just require every person to subject themselves to a monthly screening of their house, vehicle and computer. Keys and Passwords would only be allowed to be administered by the state. Any time necessary, they state can perform an immediate screening of your property. Then no one has to stand as witness against themselves.
Lets take away the annoying 6th amendment too. No need for a speedy trial in cases like this. If an assailant is so clearly guilty, regardless of obtained evidence, then maybe its just 'good enough' that the person be locked away. Maybe we can allow police officers to act as jury as well. They surely know the law better than the commoner. Maybe that would ensure speedy trials instead.
Which brings us back to the 8th amendment and "enhanced interrogation" techniques in obtaining any necessary information that just can't quite be obtained in any other manner deemed reasonable by this modern governing style.
No matter what this person really did, the ultimate sacrifice is made by our entire society by breaking the fundamental rules that were set up to prevent this exact thing from happening. The bill of rights is far more important to the whole than this one trial, even if the accused is so accused accurately.
My password is "sorry I've forgotten my password". They won't be able to claim I didn't tell em!
It does seem ironic that the law/government makes the laws in the first place, so they can write whatever suits them, yet they still break them.
I had a couple of encrypted partitions on my Linux setup that I rarely accessed that became inaccessible after a Linux update. In my case I did remember the password but Linux would not accept it. I eventually reformatted it and restored the data from a backup.
Any time you are arrested you should always choose to remain silent and request an attorney even if you are innocent.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
As a victim of a rubber hose attack by the American government I can offer some insight into how it works and how everyone looks at the issue wrong. The government usually gets it hands on you somehow and threatens you with some ridiculous mandatory minimum prison sentence. Its a somewhat civilized approach to the rubber hose attack.
You go hire a big buck attorney who starts to work on the case. Next thing you know the government is offering you immunity for whatever is on your computer in exchange for the passwords. Of course your attorney says give them the passwords and this thing will likely go away. You hand over the passwords and it goes away, the statute of limitations ticks off a few years later.
Now if you are the main target of their interest they will wait until they can nail you to the wall and do this step to anyone they think may be able to help.
A better approach would be to use a wifi accessible ssd hidden in a wall or elsewhere it wont be found. Most of the time they are in and out of your house in under a hour, it is very rare, without an informants telling them all of your opsec secrets that anything well hidden will be found.
Cops are humans, most humans are lazy and have mixed feelings about their job, remember that. Encrypted disks in the hands of the government should be treated as the starting point in negotiations.
I've skimmed the judgment. It's a convoluted case. He asserted his Fifth Amendment rights at some point, but failed to do so again at his contempt of court hearing. When he was held in contempt, he appealed and this time he again asserted his Fifth Amendment privilege. But the court that was hearing his appeal of the contempt of court ruling couldn't weigh its ruling based on the circumstances of his original, criminal case ... it could only rule on the civil contempt of court hearing, in which the Fifth Amendment was never made an issue ... anyway, something like that. They're giving him a helluva run-around but it doesn't sound like any legal overreach is actually happening here. It's just the usual prosecutor shenanigans. The defense made errors ... small though they may be ... and got tripped up in the paperwork.
Breakfast served all day!
Like the sticker note with the password on the bottom of the laptop.
"I don't know the pw, it's on the bottom of the laptop."
Police: "..." Unless of course they filmed the whole arrest and house visit.
And about the 'forgone conclusion' and the fact they aren't simply starting the trial based on the evidence that led to this conclusion:
I think it's quite possible that law enforcement told the judges, confidentially, that they already have hacked the disks using a secret back-door or other procedure, but just can't (won't) make that public. In that case a trial wouldn't work either.
And where is the proof that the files are actually on his HD and that he hasn't deleted them already?
He could admit downloading them (out of curiosity), but erasing them immediately upon discovering their true nature.
Which leaves the testimony of his sister to deal with, who must have been really pissed off by the pictures she's seen on his phone--maybe her own child was involved, that she witnessed against her own brother?
"Trump!!", the new Godwin.
.Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.
You aren't imagining the defendant's computer in a nice neat room with his drives plugged in and a cop sitting at it trying to guess the password, are you?
No, the drives will have been imaged through a hardware device that blocks all attempts to write, and their work will be on their own computers running their forsensic software against the images of his drives, with his original drives safely in the evidence lockup.
And if criminals start using drives with custom firmware to foil this (they've already read the first GB sequentially? return gibberish and erase everything!), the cops will then be removing the control boards and subsituting their own before they do the imaging.
"Self destructing crypto" will just be something else for them to work around. It might foil the local police department, but if the FBI/NSA/CIA/etc. really wants your data, that's not going to foil them any more than straight strong crypto will.
Possibly. That's the real question here, while I've read the case info provided in the article there's a bunch of things that are unclear until I get a chance to read the initial case. But, local police forces which is what this case is doesn't usually have the resources to backdoor things like this unless they're commonly known exploits. And if I remember the cases correctly, if they were seized as part of evidence in the original warrant and they were able to get the information off the drives without his co-operation it wouldn't matter anyway. Since it would have already proven that he was in possession of CP. So that doesn't really matter, in the rare cases where something like this happens they can seal part of the court case to protect the disclosure of things like that which would lead to the compromising of on-going investigations.
The real thing is is what you pointed out though, where the proof. There is none really. The prosecution states they have "known hashes" but that doesn't mean much beyond that. It's more likely that the sister saw actual CP, and that's it. That in itself leads weight to it, but it still doesn't mean too much without the actual evidence.
I wouldn't be surprised if this keeps moving through the court system, or their lawyer simply tells them to take the contempt charge which he'll likely serve on weekends and get on with his life. The contempt charge itself could be an entirely new ball of wax especially if it's contested which wouldn't surprise me. The lawyer(s) in question could make their career defining case off of it. Since then the court will have to prove that he knowingly engaged in contempt.
Om, nomnomnom...
Why would you want to live in such a society? Have we really fallen so far that citizens now support such insane shit?