The Courts Government Encryption Security News

Encryption Passphrase Protected by the 5th Amendment 537

Posted by CmdrTaco
from the my-password-is-password dept.
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to whether your password is the contents of your brain or the key to a safe.
  • by explosivejared (1186049) <`moc.liamg' `ta' `deraj.nagah'> on Saturday December 15, 2007 @01:54PM (#21710052)
    Read the article:

    If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.

    The judge held that by giving the government his password, the defendant would be incriminating himself by opening up all of his files that weren't pertinent to the investigation. That was my take on it. *I am not a lawyer, but I scored high on critical reading on the SATs, for what it's worth.
  • by swillden (191260) <shawn-ds@willden.org> on Saturday December 15, 2007 @02:19PM (#21710306) Homepage Journal

    So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryption.

    No, it doesn't tell you the second. If the government has the knowledge required to break the ciphers used by PGP, they would be very unlikely to reveal that for something as unimportant as this court case.

    Personally, I strongly doubt that the NSA can break PGP, but this decision doesn't say anything one way or the other about the question.

  • by Anonymous Coward on Saturday December 15, 2007 @02:26PM (#21710390)
    Well, there is that whole pesky link in TFA to the decision.

    But I'm nice and I found it an interesting read, so I will summarize it. There are a great many cases involving what and when the government can force someone to turn over documents. Generally, things which don't represent what's in your mind can be forced over. An example would be a key to a lock as compared to a combination lock. The former exists, and is known to exist, and the latter's turnover requires the suspect to divulge information contained within his mind, which would be tantamount to testifying.

    In this case, there is some splitting of legal hairs, and my description will be less than sound. While IANAL, I am marrying one ;) This password is similar to a combination lock. However, in this case, the government had already seen some of the files contained within his encrypted drive. There is a question as to whether the government's knowledge of the preexisting files would be enough to force the turnover of the password. The government argued that they would allow the suspect to enter the password without supervision, meaning that the government wouldn't be able to use the entry itself in court. In the past, the government has tried to prosecute someone when they had immunity for turning over documents by arguing that said documents themselves were incriminating, not just that the suspect kept them. The Supreme Court found that reasoning to be bull. Someone is protected via the 5th amendment from all fallout of their testimony via immunity.

    As I already rambled here, the government argues that they knew of the files, and that they had already seen the files. As such, the defendant needed to turn over the password. Something similar has been done previously, where the government knew that a suspect had a document in his possession, and the court forced its turnover. In this case, however, the judge acknowledged that the prosecution has seen only a small number of the files on the encrypted drive, and that they were almost certainly incriminating. As such, the judge decided that he couldn't order the defendant to turn over the password as the government would have access to new files it knew nothing about.

    So, the lesson here is to just not talk to the police without your lawyer present, and don't fricking enter passwords to your files without a court order.
  • by Hijacked Public (999535) on Saturday December 15, 2007 @02:30PM (#21710416)
    Probably forever, since Congress can't amend the Constitution.
  • by Anonymous Coward on Saturday December 15, 2007 @02:30PM (#21710420)
    > allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."

    animation gets you arrested?
  • by snarkh (118018) on Saturday December 15, 2007 @02:41PM (#21710522)

    That's exactly right. As far as I understand, the main concern is that by opening the disk he would potentially give the government access to the incriminating files not seen by the customs agents.
  • by ebbomega (410207) on Saturday December 15, 2007 @02:43PM (#21710544) Journal
    Lying in an official police statement is the same as lying under oath. Basically you're obstructing justice by lying, therefore perjury.
  • by Anonymous Coward on Saturday December 15, 2007 @02:51PM (#21710604)
    Imagine a crypto system that encrypts an entire disk volume (sitting between the file system and the block device). Imagine this crypto system can accept two different keys. When the volume is decrypted with "KEY A", only "SUBSET A" of files are exposed. When decrypted with "KEY B", only "SUBSET B" files are exposed.

    Mount the volume with "KEY A", add a bunch of innocuous files, then unmount.
    Mount the volume with "KEY B", then add the files you really want to keep from prying eyes.

    If you're pressured to reveal a key, give them "KEY A".
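A toy version of the two-key scheme described in the comment above, added here as an illustration; it is not code from any poster on this page nor from TrueCrypt, and the block layout, the HMAC-SHA256-in-counter-mode cipher, the `protect` argument and the sample strings are all my own assumptions. Every block of the container starts as random filler, a block is recognised as "yours" only because its tag verifies under your key, and nothing in the clear says how many volumes exist. The example also shows the practical hazard of the design: the holder of KEY A cannot tell KEY B's blocks from free space, so writing to volume A without also presenting KEY B overwrites the hidden data.

```python
import hashlib
import hmac
import os

NONCE = 8      # per-block nonce, fresh on every write
TAG = 16       # truncated HMAC-SHA256 tag
PAYLOAD = 63   # plaintext bytes per block; one leading byte holds the length
BLOCKSIZE = NONCE + TAG + 1 + PAYLOAD
DEFAULT_BLOCKS = 16


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2 stands in for a memory-hard KDF; the salt is public, key is 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as the PRF: a simple, valid stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return bytes(out[:n])


def _seal(key: bytes, chunk: bytes) -> bytes:
    """Encrypt-then-MAC one chunk (<= PAYLOAD bytes) into a full block."""
    nonce = os.urandom(NONCE)
    pt = bytes([len(chunk)]) + chunk + os.urandom(PAYLOAD - len(chunk))  # random padding
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()[:TAG]
    return nonce + tag + ct


def _open(key: bytes, block: bytes):
    """Return the chunk if the block verifies under key, else None."""
    nonce, tag, ct = block[:NONCE], block[NONCE:NONCE + TAG], block[NONCE + TAG:]
    want = hmac.new(key, nonce + ct, "sha256").digest()[:TAG]
    if not hmac.compare_digest(want, tag):
        return None          # random filler, or another volume's block: same thing to us
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt[1:1 + pt[0]]


class Container:
    """Fixed-size volume; every block is random noise until some key claims it."""

    def __init__(self, nblocks: int = DEFAULT_BLOCKS):
        self.salt = os.urandom(16)     # would live in a cleartext header in practice
        self.blocks = [os.urandom(BLOCKSIZE) for _ in range(nblocks)]

    def read(self, key: bytes) -> bytes:
        """Concatenate every chunk that verifies under key, in block order."""
        return b"".join(c for c in (_open(key, b) for b in self.blocks) if c is not None)

    def write(self, key: bytes, data: bytes, protect=()) -> None:
        """Append data to key's volume in the lowest blocks that look free.

        'Free' means: not owned by key and not owned by any key in protect.
        A block belonging to a volume whose key is NOT supplied here is
        indistinguishable from filler and gets overwritten. That is the
        deniability property and the data-loss hazard in one.
        """
        owners = (key,) + tuple(protect)
        free = [i for i, b in enumerate(self.blocks)
                if all(_open(k, b) is None for k in owners)]
        chunks = [data[i:i + PAYLOAD] for i in range(0, len(data), PAYLOAD)]
        if len(chunks) > len(free):
            raise ValueError("volume full")
        for i, chunk in zip(free, chunks):
            self.blocks[i] = _seal(key, chunk)


# constructed sample data for the demonstration
DECOY = b"grocery list, tax forms, vacation photos " * 3   # 123 bytes -> 2 blocks
HIDDEN = b"the files that actually matter"


def clobber_demo(protect_hidden: bool):
    """Write outer and hidden volumes, then append to the outer volume again.

    Returns (outer_plaintext, hidden_plaintext) after the second outer write.
    """
    c = Container()
    k_outer = derive_key("outer passphrase", c.salt)
    k_hidden = derive_key("hidden passphrase", c.salt)
    c.write(k_outer, DECOY)
    c.write(k_hidden, HIDDEN, protect=[k_outer])     # hidden writer knows both keys
    c.write(k_outer, b"more decoy", protect=[k_hidden] if protect_hidden else [])
    return c.read(k_outer), c.read(k_hidden)


if __name__ == "__main__":
    _, hidden = clobber_demo(protect_hidden=False)
    print("outer write without hidden key, hidden volume now reads:", hidden)
    _, hidden = clobber_demo(protect_hidden=True)
    print("outer write with hidden key,    hidden volume now reads:", hidden)
```

The second call is the "protect hidden volume" mode that real implementations offer for exactly this reason: the outer volume must be mounted with both keys whenever it is written, or the decoy data silently eats the hidden data. The converse hazard is operational rather than cryptographic: anything the outer OS writes to the container on its own (journals, defragmentation, thumbnails) is a write without KEY B.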
  • Re:Wanna bet? (Score:1, Informative)

    by iminplaya (723125) <iminplaya.gmail@com> on Saturday December 15, 2007 @03:54PM (#21711204) Journal
    All that stuff only applies if you're not an "unlawful combatant", and according to the government, you need to be an American citizen. In other words, "void where prohibited by law".
  • by Anonymous Coward on Saturday December 15, 2007 @04:33PM (#21711506)
    Information about the NSA's capabilities does leak out occasionally.

    Stuff from the WWII era is pretty widely known now. The NSA wasn't around then but its predecessors were. It's clear from the information available that they were decades ahead of academia at that point.

    DES was designed in the mid-70s. The NSA was heavily involved in the later stages of the design, resulting in mysterious changes that nobody knew the reason for. A lot of people speculated that it was some sort of back door inserted by the NSA. Then in 1990, differential cryptanalysis was discovered in academia, and surprise! The new NSA-approved DES turned out to be much more resistant to it than the original. So we can conclude that the NSA was roughly 15 years ahead of academia at this point.

    SHA-0 was published in 1993. It was quickly withdrawn, and replaced by SHA-1 in 1995. The reason for this was unknown, although the NSA claimed it was due to a security problem. In 1998, a cryptanalysis for SHA-0 was published, revealing a weakness which SHA-1 did not have. In 2004 a collision was found, and SHA-0 could be considered definitively broken. We can conclude that the NSA was only 5-10 years ahead of academia at this point.

    It is generally accepted at this point that the NSA is just a few years ahead of what is public knowledge. They know more than the public, but not greatly more. They have enormous resources at their disposal, but without huge theoretical breakthroughs those resources will not break modern algorithms. Their capabilities are unknown, but from what is known it is pretty safe to say that they can break older ciphers, newer ciphers with extremely short key lengths, and improperly used newer ciphers, but they cannot break newer ciphers when used properly with a reasonable key length. In other words, your 2048-bit RSA keys and 128-bit AES encrypted data are very likely to be safe even if the NSA wants to get into them.

    The idea that the NSA has quantum computers ready to crack encryption is pretty well ridiculous. The government has not been ahead of private industry when it comes to electronics and computation since the 50s or 60s. The first practical quantum computer is virtually guaranteed to come from the private sector.
  • by Anonymous Coward on Saturday December 15, 2007 @05:24PM (#21711882)
    Hm, looks like it's illegal again. Congress keeps passing laws saying that depictions of minors that don't exist using things that aren't minors are illegal, presidents keep signing the laws, and then someone's life gets ruined, after which the supreme court says "hey, you can't do that!". Then Congress passes a new law making it illegal again.

    An amusingly slow way to ignore the Constitution.
  • by xquark (649804) on Saturday December 15, 2007 @06:28PM (#21712380) Homepage
    Actually if you look at the problem from an energy consumption (Von Neumann-Landauer limit) POV, a brute-force attack on a search space of 2^128 is bordering on consuming all of the approximate energy of all the stars in the Milky Way galaxy (imagine Dyson shells around all the stars in our galaxy).

    So in reality, if a method greatly better than brute force is not found for such search spaces, then there is no real way of practically applying brute-force methods.
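A worked calculation of that thermodynamic bound, added here as an illustration and not taken from any comment on this page. The constants are the standard SI and IAU values; the one assumption is the most generous possible for the attacker, namely a single irreversible bit erasure per candidate key, which no real circuit comes close to.

```python
import math

K_B = 1.380649e-23        # Boltzmann constant, J/K (exact in the 2019 SI)
SUN_WATTS = 3.828e26      # solar luminosity, W (IAU nominal value)
SECONDS_PER_YEAR = 3.15576e7


def landauer_energy(bits: int, temp_k: float = 300.0) -> float:
    """Minimum energy (J) to try 2**bits keys at one bit erasure per key.

    Landauer's bound: each irreversible bit erasure costs at least
    k_B * T * ln 2. Counting one erasure per trial is a floor, not an
    estimate of what real hardware would burn.
    """
    return (2 ** bits) * K_B * temp_k * math.log(2)


def sun_seconds(energy_j: float) -> float:
    """Seconds of the Sun's entire output needed to pay for energy_j."""
    return energy_j / SUN_WATTS


def sun_years(energy_j: float) -> float:
    return sun_seconds(energy_j) / SECONDS_PER_YEAR


def compare(bits: int, temp_k: float = 300.0) -> dict:
    """Bound for a 2**bits search plus its equivalent in Sun-seconds and Sun-years."""
    e = landauer_energy(bits, temp_k)
    return {"bits": bits, "temp_k": temp_k, "joules": e,
            "sun_seconds": sun_seconds(e), "sun_years": sun_years(e)}


if __name__ == "__main__":
    for bits in (64, 128, 192, 256):
        for temp in (300.0, 2.725):      # room temperature, and the CMB floor
            r = compare(bits, temp)
            print(f"{bits:3d} bits at {temp:6.1f} K: {r['joules']:.2e} J, "
                  f"{r['sun_seconds']:.2e} Sun-seconds, {r['sun_years']:.2e} Sun-years")
```

At 300 K the floor for a 2^128 search comes out near 10^18 J, which is a few nanoseconds of the Sun's output; the 2^256 case is about 3×10^56 J, on the order of 10^22 years of it, and that is where galaxy-scale energy budgets enter the picture. The practical reading is the usual one: 256-bit symmetric keys are brute-force-proof on physical grounds alone, while the safety of 128-bit keys rests on real hardware costing vastly more than the Landauer floor per trial.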

  • by mattwarden (699984) on Saturday December 15, 2007 @09:19PM (#21713540) Homepage
    Not only that, but it is possible to make it hard or impossible to tell that you have even used TrueCrypt:

    Q: Is it possible to use TrueCrypt without leaving any 'traces' on Windows?

    A: Yes. This can be achieved by running TrueCrypt in traveller mode under BartPE. BartPE stands for "Bart's Preinstalled Environment", which is essentially the Windows operating system prepared in a way that it can be entirely stored on and booted from a CD/DVD (registry, temporary files, etc., are stored in RAM - hard disk is not used at all and does not even have to be present). The freeware Bart's PE Builder can transform a Windows XP installation CD into BartPE. As of TrueCrypt 3.1, you do not need any TrueCrypt plug-in for BartPE. Simply boot BartPE, download the latest version of TrueCrypt to the RAM disk (which BartPE creates), extract the downloaded archive to the RAM disk, and run the file 'TrueCrypt.exe' from the folder 'Setup Files' on the RAM disk (the 'Setup Files' folder should be created when you unpack the archive containing TrueCrypt).
  • Re:Horrible case law (Score:3, Informative)

    by StormReaver (59959) on Saturday December 15, 2007 @09:28PM (#21713604)
    "This is horrible case law."

    You contradict yourself two short sentences later.

    "Therefore it should be held under the same rules as getting access to a safe or a house."

    It is, and this is where you contradict yourself and support the judge's (correct) conclusion. See oliphaunt's posting above regarding the Supreme Court's decisions in regards to combination safes. [slashdot.org] For convenience, I'll reproduce the relevant portion of his posting here:

    In distinguishing testimonial from non-testimonial acts, the Supreme Court has compared revealing the combination to a wall safe to surrendering the key to a strongbox. See id. at 210, n. 9; see also United States v. Hubbell, 530 U.S. 27, 43 (2000). The combination conveys the contents of one's mind; the key does not and is therefore not testimonial. Doe II, 487 U.S. at 210, n. 9. A password, like a combination, is in the suspect's mind, and is therefore testimonial and beyond the reach of the grand jury subpoena.

  • Uhh ... no (Score:5, Informative)

    by icedevil (450212) on Sunday December 16, 2007 @03:53AM (#21715348)
    This is simply incorrect, from http://www.archives.gov/national-archives-experience/charters/constitution_transcript.html [archives.gov]

    Article. V.

    The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate.

    How the hell did the parent post get a +5 informative of all things?!
