The Courts Government Encryption Security News

Encryption Passphrase Protected by the 5th Amendment 537

Posted by CmdrTaco
from the my-password-is-password dept.
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
  • by rickthewizkid (536429) on Saturday December 15, 2007 @01:53PM (#21710036)
    So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryption.

    Hmmm....

  • Sad state. (Score:3, Interesting)

    by 7-Vodka (195504) on Saturday December 15, 2007 @01:56PM (#21710084) Journal

    It's a sad sad day in America that the truth of the 5th amendment and the constitution itself is even called into question in this way. Thanks to the judge who supported the constitution, unfortunately there are laws shredding it up as we read this news.

    http://www.govtrack.us/congress/bill.xpd?bill=h110-1955 [govtrack.us]

    Welcome to the police state.

  • by Znork (31774) on Saturday December 15, 2007 @02:25PM (#21710372)
    "That worked for Gonzales. Maybe waterboarding could make you remember, tho."

    Hmm, that brings the question, did we waterboard Gonzales? If not, why not?
  • A good ruling but... (Score:4, Interesting)

    by russotto (537200) on Saturday December 15, 2007 @02:39PM (#21710502) Journal
    ...once it gets to appeals court it will hold up as long as a geek in a waterboarding session. Certain kinds of utterances have been determined to be "non-testimonial" and not eligible for Fifth Amendment protection, and encryption keys are IMO almost certain to be found as such by the current Supreme Court, since it isn't the key which is incriminating, but the evidence protected by the key.

  • by Diomidis Spinellis (661697) on Saturday December 15, 2007 @02:41PM (#21710518) Homepage
    If the passphrase is considered keys to a safe, and you are therefore likely to be forced to divulge it, then you can avoid trouble by using an encryption system, like TrueCrypt [truecrypt.org], that supports plausible deniability [wikipedia.org]. Inside the encrypted volume, blank space is always filled with random data, which can also be another nested encrypted volume. Without the correct passphrase, nobody can prove that the random bits are anything more than random bits.
  • Horrible case law (Score:3, Interesting)

    by Anonymous Coward on Saturday December 15, 2007 @02:45PM (#21710558)
    This is horrible case law. I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.

    Encryption keeps getting easier and easier to use - someday my job won't be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.

    I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, it's not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
  • by Joce640k (829181) on Saturday December 15, 2007 @02:48PM (#21710580) Homepage
    You can write your password on a paper then claim it's too long/difficult to remember and the paper was destroyed.

    Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.

  • Re:Horrible case law (Score:5, Interesting)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Saturday December 15, 2007 @02:58PM (#21710648)
    I had a hard time deciding whether to reply to your comment or moderate it "interesting." I emphatically disagree with your post, but you make a good point. True, forcing defendants to give up their encryption keys would result in more convictions.

    But as a society, we place a higher priority in personal liberty than on catching the maximum number of criminals. There are states that invert these two concepts: we call them "police states". I, for one, would rather live in a society where a few guilty people walk free because we can't crack their encryption than live in one where I can hide nothing from the government. It's a question of priorities.
  • by swilver (617741) on Saturday December 15, 2007 @03:11PM (#21710782)
    Botnets cannot break decent encryption either.

    What a lot of people fail to realise is that encryption can be made unbreakable even by brute force by simply choosing a large enough encryption key. What people also fail to realise is that 256 bit encryption doesn't take twice as long to crack as 128 bit encryption. It in fact takes 2^128 times as long to crack.

    Let's for a second assume that 128 bit encryption is crackable by your own personal home computer in a period of 1 hour.

    136 bit encryption would take 2^8 times as long (250 times as long)... so we use 250 computers, and crack it in 1 hour still.

    144 bit encryption takes again 250 times as long, so instead we use 250 superpowerful server computers and crack it in 1 hour.

    156 bit encryption takes another 250 times longer, so we use a top-secret government super computer the size of the Pentagon and still crack it in 1 hour.

    164 bit encryption takes.. you guessed it, 250 times longer to crack. All the governments in the world pool their top-secret super computers and crack your content in.. 1 hour.

    172 bit encryption takes 250 times longer to crack. We use all the computers on the entire planet and manage to crack it in 1 hour.

    180 bit encryption takes 250 times longer to crack. We use all those computers, but let them run 250 hours (10 days) instead.

    188 bit encryption takes 250 times longer to crack. We let those computers run 6 years to crack your password.

    192 bit encryption takes 250 times longer to crack... never mind, we're not THAT interested in your personal photo album.

  • by crimguy (563504) on Saturday December 15, 2007 @03:14PM (#21710818) Homepage
    Since it's protected under the 5th Amendment, not only can it not be ordered disclosed, it can't be commented on by the prosecutor if the defendant refuses to divulge it.
  • by snarkh (118018) on Saturday December 15, 2007 @03:50PM (#21711182)

    The point of the ruling is that the password has to be treated like testimony (which cannot be forced), rather than a physical object, like a safe key, which the defendant may be forced to surrender.
  • by sumdumass (711423) on Saturday December 15, 2007 @04:00PM (#21711256) Journal
    The Law blocking a criminal investigation thing stems from years of torture to confess something. The Salem witch trials and the Spanish inquisition would be a classic example but there are others directly related to the struggles between colonists and England as well as examples outside US history. The person was tortured or otherwise compelled into admitting guilt, whether they were guilty or not.

    Basically, if you have the right to not incriminate yourself, then they can't force you to "confess". And if it happens, then any convictions should be turned over by a higher court assuming that things go according to plan. This also carries the problem of blocking a criminal investigation but the necessity of not being forced to confess outweighs the setback to criminal investigations. Many people support this idea if not simply because they don't want the cops showing up at their front door demanding you to tell them something you did that was illegal and later claiming it was part of an investigation.

    As for me, I think it is a necessary evil that protects people in many ways above any benefit from a criminal investigation. If there is sufficient cause for the criminal investigation, then there will be other evidence outside that aspect that will eventually show up if it isn't already there.

    One way they get around the 5th amendment is to grant immunity from prosecution for anything found or disclosed which seems to have the same effect of the 5th amendment. Something like that would be useful in convicting others involved by letting one person escape justice.
  • by Forbman (794277) on Saturday December 15, 2007 @04:25PM (#21711458)
    Imagine this scenario. Someone scans your HD. They find encryption telltales (like, say, .Net framework, pgp, etc.). They decide you might have encrypted files. They run 'strings' on every file that isn't a known binary file (i.e., .exe, .com, .dll, .bin, .mp3, .jpg, etc). They find a few files that strings doesn't like. Hmm... They might be encrypted. Maybe there are "magic" characters at the beginning of the file that indicate the file was protected by something like pgp.

    Suddenly, you're given a free flight to Kazakhstan [sp], to meet with Borat. Oh, yeah. you've now become a non-entity while they waterboard you to try to get your passphrase out of you.

    Like others have said, waterboarding is great for extracting a confession. Or, if you are so hard-core, they decide that they just need to kill you or let you rot in a hole somewhere far, far away.

    Or, less sinister, they just pass laws that say, "failure to surrender encryption keys or passphrases is determined by law to be an admission of guilt", just like not submitting to a breathalyzer or blood test is treated as admission of guilt in DUI in some states, which works just fine in a civil or administrative court. And conviction of certain civil or administrative crimes suddenly allows you to be tried later for new criminal laws where the administrative/civil judgments are used as justification to throw you into prison big time.

    But, they just might take the easy way out: while investigating certain crimes (child porn, white collar crime, conspiracy, "terrorism", etc.), discovery of encryption products on your computer results in automatic civil seizure and forfeiture of computer hardware.

    Well, anyone following instructions on MSDN can easily throw together programs that encrypt files using the encryption facilities in the .Net Framework, which is installed in one form or another on XP, Vista, et al...

  • Re:Horrible case law (Score:5, Interesting)

    by SirTreveyan (9270) on Saturday December 15, 2007 @04:50PM (#21711640)
    The point is the government has no business prying into the personal affairs of its citizens. The reason for the 4th and 5th Amendments to the Constitution and the requiring of warrants to perform a search is to prevent government intrusion by overzealous government officials. Unfortunately, today more and more people believe that security is more important than liberty. Too many have forgotten, or perhaps never really been taught by our 'government schools', why our forefathers fought the American Revolution. Taxation without representation was a minor difficulty, compared to the injustices that were perpetrated by the English troops and King's Representatives that were stationed in the Colonies. Searches and seizures that were illegal by English law occurred daily. Imprisonment without trial, sometimes for years, was common. Basic rights that were afforded to all the King's subjects in England by the Magna Carta and all subsequent English law were not afforded citizens of the American Colonies simply because they did not live in England.

    Unfortunately this situation is becoming more and more common in the practice of law today. For example, imprisoning someone for "contempt" is unjust. Where is the accused's right to a trial? There is none. What about appeals? There are none, you are in jail until you grovel enough to satisfy the judge. No evidence...no trial...just the judge's opinion. God forbid you ever have to stand in front of a judge who decides to grind his ax on your ass.

    Back about 40-50 years ago, law enforcement and prosecutors could be held liable for misconduct. Then came the so-called "shield" laws, which gave immunity to prosecutors and law enforcement in the event of misconduct. We are finally seeing the result of these 'fine' laws: convictions being overturned because of fabricated evidence, withheld evidence, and tampering of witnesses by officers of the court. People's lives are being ruined because some court officers feel it is more important to get a conviction at all costs, instead of by the weight of the evidence. These 'shield' laws protect the wrongdoer from any kind of repercussion. Nifong, of the Duke rape case infamy, is an exception to this, mostly because he was so vocal about the case, calling national attention to the case. However, while his career is in shambles, he has yet to pay any restitution to the boys he so vehemently accused, or face perjury charges for the false claims he made in court.

    All in all, there are a lot of reasons to keep government out of the personal affairs of its people.

  • by Egdiroh (1086111) on Saturday December 15, 2007 @05:02PM (#21711728)
    It's more than just confessions. The police can't decide you are a thief and then ransack your house on the hopes of finding something stolen. When they search they have to know what they are looking for, and have reason to believe that they will find it.

    Here they are saying that he has files that they know nothing about. Because those files are unknown, he is protected from having to provide them.

    Thinking about it, I'm surprised that we haven't heard of cases getting thrown out because of computer evidence collected outside of the scope of any search warrant poisoning too much of the subsequent evidence. I could imagine a warrant to look on your computer for a warez program they think you have turning up an ssh known_hosts file entry for a warez server. Since they weren't looking for that evidence (maybe because they thought the computer had not been networked, or was not involved in warez transmission, just storage) then they can't use it, and if they then go hunting the logs of that remote server to find the connection that can't be used either because it was evidence they only knew to look for because of evidence they weren't allowed to have anyway. And because you can't un-know information once you have tainted evidence you have to show that any subsequently gathered evidence did not come from knowledge of that evidence or at least would have eventually been discovered by other means.

    However I must offer the following disclaimer: I am not a lawyer (nor do I do anal like so many of you non-lawyers), but I have watched a lot of Law & Order. Disclaimer: Not being a lawyer, much
  • by sjames (1099) on Saturday December 15, 2007 @05:27PM (#21711904) Homepage

    Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.

    Even if the 5th amendment didn't exist, the state could not compel you to divulge information that you don't have. The state also cannot prove that you do have information. Even if they can prove that you ever had the information they want, people forget things all the time. Any juror is likely well aware that people forget important things all the time. Practically everyone has discovered they have no idea where their keys are when they really needed them at one time or another.

    To make the matter even more complex, some crypto systems offer nearly perfect deniability. For example, cyphertext from an XOR based one time pad can literally be any message at all that fits in the given space. Even using the correct key and getting a valid message proves nothing since there are many other keys that will also yield a valid (but different) message. For that matter, given a block of truly random data, you can STILL get any message you want out of it (again that fits within the size of the data), complete with checksums! That means that you can't actually prove that there was a message there at all.

    That is why the judge could not come to any other just conclusion. The alternative is that anyone could be jailed indefinitely just by claiming that any random block on their HD is actually a sooper sekret message and demanding the decoder ring (that never existed).

    Thought experiment: I may or may not have crafted this message such that when it is XORed with selected bits from the images /. uses, another message is revealed (perhaps with a dash of corruption salted in for extra deniability). You can never prove or disprove that beyond reasonable doubt.
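The one-time-pad property described in the comment above, as an added example that is not part of the original thread: for any XOR-pad ciphertext, or any block of pure random bytes, a pad can be computed that "decrypts" it to a chosen message with a valid checksum. The CRC32 framing, the function names and the sample messages are assumptions made up for this illustration.

```python
from __future__ import annotations

import secrets
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (one-time-pad encrypt and decrypt)."""
    if len(a) != len(b):
        raise ValueError("pad and data must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def frame(message: bytes, size: int) -> bytes:
    """Space-pad message to size-4 bytes and append a CRC32 trailer."""
    if len(message) > size - 4:
        raise ValueError("message does not fit in the given space")
    body = message.ljust(size - 4, b" ")
    return body + zlib.crc32(body).to_bytes(4, "big")


def unframe(blob: bytes) -> bytes | None:
    """Return the message if the CRC32 trailer verifies, otherwise None."""
    body, tag = blob[:-4], blob[-4:]
    if zlib.crc32(body).to_bytes(4, "big") != tag:
        return None
    return body.rstrip(b" ")


def alternate_pad(data: bytes, claimed_plaintext: bytes) -> bytes:
    """Compute the pad under which data decrypts to claimed_plaintext."""
    return xor_bytes(data, claimed_plaintext)


def demo(size: int = 48) -> dict:
    # All messages below are constructed samples.
    real = frame(b"constructed sample: the real message", size)
    pad = secrets.token_bytes(size)          # the genuine one-time pad
    ciphertext = xor_bytes(real, pad)

    # A second pad makes the same ciphertext yield a different valid message.
    decoy = frame(b"constructed sample: a decoy", size)
    decoy_pad = alternate_pad(ciphertext, decoy)

    # Random bytes that never held a message can be "decrypted" as well.
    noise = secrets.token_bytes(size)
    noise_pad = alternate_pad(noise, frame(b"constructed sample: from noise", size))

    return {
        "real": unframe(xor_bytes(ciphertext, pad)),
        "decoy": unframe(xor_bytes(ciphertext, decoy_pad)),
        "from_noise": unframe(xor_bytes(noise, noise_pad)),
    }


if __name__ == "__main__":
    for name, message in demo().items():
        print(f"{name:>10}: {message!r}")
```

All three decryptions pass the checksum, so a passing integrity check on the output says nothing about which pad, if any, was the original.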

  • by Jeremy Erwin (2054) on Saturday December 15, 2007 @10:29PM (#21713940) Journal
    What facts? Congress passes the amendment by a two thirds vote, and sends it out to be ratified by three fourths of the states. Difficult, but not impossible.
