Encryption Passphrase Protected by the 5th Amendment 537
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
Interesting development (Score:5, Interesting)
Hmmm....
Sad state. (Score:3, Interesting)
It's a sad sad day in America that the truth of the 5th ammendment and the constitution itself is even called into question in this way. Thanks to the judge who supported the constitution, unfortunately there are laws shredding it up as we read this news.
http://www.govtrack.us/congress/bill.xpd?bill=h110-1955 [govtrack.us]
Welcome to the police state.
Re:If not anything else... (Score:4, Interesting)
Hmm, that brings the question, did we waterboard Gonzales? If not, why not?
A good ruling but... (Score:4, Interesting)
Plausible deniability (Score:5, Interesting)
Horrible case law (Score:3, Interesting)
Encryption keeps getting easier and easier to use - someday my job wont be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.
I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
Self destructing passwords... (Score:3, Interesting)
Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.
Re:Horrible case law (Score:5, Interesting)
But as a society, we place a higher priority in personal liberty than on catching the maximum number of criminals. There are states that invert these two concepts: we call them "police states". I, for one, would rather live in a society where a few guilty people walk free because we can't crack their encryption than live in one where I can hide nothing from the government. It's a question of priorities.
Re:Better use of a botnet? (Score:5, Interesting)
What a lot of people fail to realise is that encryption can be made unbreakable even by brute force by simply choosing a large enough encryption key. What people also fail to realise is that 256 bit encryption doesn't take twice as long to crack as 128 bit encryption. It in fact takes 2^128 times as long to crack.
Let's for a second assume that 128 bit encryption is crackable by your own personal home computer in a period of 1 hour.
136 bit encryption would take 2^8 times as long (250 times as long)... so we use 250 computers, and crack it in 1 hour still.
144 bit encryption takes again 250 times as long, so instead we use 250 superpowerful server computers and crack it in 1 hour.
156 bit encryption takes another 250 times longer, so we use a top-secret government super computer the size of the Pentagon and still crack it in 1 hour.
164 bit encryption takes.. you guess it, 250 times longer to crack. All the governments in the world pool their top-secret super computers and crack your content in.. 1 hour.
172 bit encryption takes 250 times longer to crack. We use all the computers on the entire planet and manage to crack it in 1 hour.
180 bit encryption takes 250 times longer to crack. We use all those computers, but let them run 250 hours (10 days) instead.
188 bit encryption takes 250 times longer to crack. We let those computers run 6 years to crack your password.
192 bit encryption takes 250 times longer to crack... never mind, we're not THAT interested in your personal photo album.
There's a bit more to it (Score:4, Interesting)
Re:I was wondering... (Score:3, Interesting)
The point of the ruling is that the password has to be treated like testimony (which cannot be forced), rather than a physical object, like a safe key, which the defendant may be forced to surrender.
Re:I was wondering... (Score:5, Interesting)
Basically, if you have the right to not incriminate yourself, then they can't force you to "confess". And if it happens, then any convictions should be turned over by a higher courts assuming that things go according to plan. This also carries the problem of blocking a criminal investigation but the necessity of not being forced to confess out ways the setback to criminal investigations. Many people support this idea if not simply because they don't want the cops showing up at their front door demanding you to tell them something you did that was illegal and later claiming it was part of an investigation.
As for me, I think it is a necessary evil that protects people in many ways above any benefit from a criminal investigation. If there is sufficient cause for the criminal investigation, then there will be other evidence outside that aspect that will eventually show up if it isn't already there.
One way they get around the 5th amendment is to grant immunity from prosecution for anything found or disclosed which seems to have the same effect of the 5th amendment. Something like that would be useful in convicting others involved by letting one person escape justice.
Unintended consequences... (Score:3, Interesting)
Suddenly, you're given a free flight to Kazakhstan [sp], to meet with Borat. Oh, yeah. you've now become a non-entity while they waterboard you to try to get your passphrase out of you.
Like others have said, waterboarding is great for extracting a confession. Or, if you are so hard-core, they decide that they just need to kill you or let you rot in a hole somewhere far, far away.
Or, less sinister, they just pass laws that say, "failure to surrender encryption keys or passphrases is determined by law to be an admission of guilt", just like not submitting to a breathalyzer or blood test is treated as admission of guilt in DUI in some states, which works just fine in a civil or administrative court. And conviction of certain civil or administrative crimes suddenly allows you to be tried later for new criminal laws where the administrative/civil judgments are used as justification to throw you into prison big time.
But, they just might take the easy way out: while investigating certain crimes (child porn, white collar crime, conspiracy, "terrorism", etc.), discovery of encryption products on your computer results in automatic civil seizure and forfeiture of computer hardware.
Well, anyone following instructions on MSDN can easily throw together programs that encrypt files using the encryption facilities in the
Re:Horrible case law (Score:5, Interesting)
Unfortunately this situation is becoming more and more common in the practice of law today. For example, imprisoning someone for "contempt" is unjust. Where is the accused's right to a trial? There is none. What about appeals? There are none, you are in jail until you grovel enough to satisfy judge. No evidence...no trial...just the judge's opinion. God forbid you ever have to stand in front of a judge who decides to grind his ax on your ass.
Back about 40-50 years ago, law enforcement and prosecutors could be held liable for misconduct. Then came the so called "shield" laws, which gave immunity to prosecutors and law enforcement in the event of misconduct. We are finally seeing the result of these 'fine' laws; Convictions being overturned because of fabricated evidence, withheld evidence, and tampering of witnesses by officers of the court. Peoples lives are being ruined because some court officers feel it is more important to get a conviction at all costs, instead of by the weight of the evidence. These 'shield' laws protect the wrong doer from any kind of repercussion. Nifong, of the Duke rape case infamy, is an exception to this, mostly because he was so vocal about the case, calling national attention to the case. However, while his career is in shambles, he has yet to pay any restitution to the boys he so vehemently accused, or face perjury charges for the false claims he made in court.
All in all, there are a lot of reasons to keep government out of the personal affairs of it people.
Re:I was wondering... (Score:4, Interesting)
Here they are saying that he has files that they know nothing about. Because those files are unknown, he is protected from having to provide them.
Thinking about it, I'm surprised that we haven't heard of cases getting thrown out because of computer evidence collected outside of the scope of any search warrant poisoning too much of the subsequent evidence. I could imagine a warrant to look on your computer for a warez program they think you have turning up an ssh known_hosts file entry for a warez server. Since they weren't looking for that evidence (maybe because they thought the computer had not been networked, or was not involved in warez transmission, just storage) then they can't use it, and if they then go hunting the logs of that remote server to find the connection that can't be used either because it was evidence they only knew to look for because of evidence they weren't allowed to have anyway. And because you can't un-know information once you have tainted evidence you have to show that any subsequently gathered evidence did not come from knowledge of that evidence or at least would have eventually been discovered by other means.
However I must offer the following disclaimer: I am not a lawyer (nor do I do anal like so many of you non-lawyers), but I have watched a lot of Law & Order. Disclaimer: Not being a lawyer, much
Re:Self destructing passwords... (Score:3, Interesting)
Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.
Even if the 5th ammendment didn't exist, the state could not compell you to divulge information that you don't have. The state also cannot prove that you do have information. even if they can prove that you ever had the information they want, people forget things all the time. Any juror is likely well aware that people forget important things all the time. Practically everyone has discovered they have no idea where they put their keys are when they really needed them at one time or another.
To make the matter even more complex, some crypto systems offer nearly perfect deniability. For example, cyphertext from an XOR based one time pad can literaly be any message at all that fits in the given space. Even using the correct key and getting a valid message proves nothing since there are many other keys that will also yield a valid (but different) message. For that matter, given a block of truly random data, you can STILL get any message you want out of it (again that fits within the size of the data), complete with checksums! That means that you can't actually prove that there was a message there at all.
That is why the judge could not come to any other just conclusion. The alternative is that anyone could be jailed indefinatly just by claiming that any random block on their HD is actually a sooper sekret message and demanding the decoder ring (that never existed).
Thought experiment: I may or may not have crafted this message such that when it is XORed with selected bits from the images /. uses, another message is revealed (perhaps with a dash of corruption salted in for extra deniability). You can never prove or disprove that beyond reasonable doubt.
Re:I was wondering... (Score:3, Interesting)