Forgot your password?
typodupeerror
Encryption Privacy The Courts Your Rights Online

Defendant Ordered To Decrypt Laptop Claims She Had Forgotten Password 1009

Posted by Unknown Lamer
from the war-on-alzheimer's-patients dept.
wiedzmin writes "A Colorado woman that was ordered by a federal judge to decrypt her laptop hard-drive for police last month, appears to have forgotten her password. If she does not remember the password by month's end, as ordered, she could be held in contempt and jailed until she complies. It appears that bad memory is now a federal offense." The article clarifies that her lawyer stated she may have forgotten the password; they haven't offered that as a defense in court yet.
This discussion has been archived. No new comments can be posted.

Defendant Ordered To Decrypt Laptop Claims She Had Forgotten Password

Comments Filter:
  • Stupid law (Score:4, Insightful)

    by aglider (2435074) on Tuesday February 07, 2012 @04:12AM (#38950587) Homepage

    trivial workaround

  • by Anonymous Coward on Tuesday February 07, 2012 @04:13AM (#38950593)

    If it works in a congressional hearing investigating potential ethics violations of the Attorney General, why not in a court of law?

  • 5th Amendment? (Score:5, Insightful)

    by MasaMuneCyrus (779918) on Tuesday February 07, 2012 @04:15AM (#38950601)

    How can this woman be charged with contempt? Is there precedent in law to ignore the Fifth Amendment [wikipedia.org]?

    No person shall... be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

    • Re:5th Amendment? (Score:5, Insightful)

      by dgatwood (11270) on Tuesday February 07, 2012 @04:17AM (#38950619) Journal

      Yes. The fifth amendment was repealed by the Patriot Act, along with the first and the fourth. Haven't you been paying attention?

      • Re:5th Amendment? (Score:4, Insightful)

        by medcalf (68293) on Tuesday February 07, 2012 @08:59AM (#38952283) Homepage
        Long before the PATRIOT Act. Actually, the 3rd may be the only amendment in the Bill of Rights that hasn't been essentially abrogated.
    • Re:5th Amendment? (Score:5, Insightful)

      by mosb1000 (710161) <mosb1000@mac.com> on Tuesday February 07, 2012 @04:23AM (#38950645)

      [sarcasm] The constitution is a living document. These things were never meant to be taken literally. [/sarcasm]

    • by N1AK (864906)

      How can this woman be charged with contempt? Is there precedent in law to ignore the Fifth Amendment [wikipedia.org]?

      I'm not entirely comfortable with the legal precedent of detaining people for refusing to disclose a password. At the same time I can appreciate that providing a password is not, in and of itself, providing witness against himself. The password is in all senses bar existing as a physical object analogous to a key. If a court can require someone to provide a key then it should be able to requi

    • Re:5th Amendment? (Score:5, Insightful)

      by Kjella (173770) on Tuesday February 07, 2012 @05:58AM (#38951179) Homepage

      That depends how broad you think the 5th amendment is. To quote Justice Stevens:

      A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe - by word or deed.

      Note that this is from the dissenting opinion in Doe vs US, where the suspect was compelled to sign a form - that in itself contained no factual information - requesting information from foreign banks of any accounts he may be the holder of. The court found that they could, just like they could compel you to provide a handwriting sample.

      As for a password, the best idea would be to STFU completely because:

      The issue presented in those cases was whether the act of producing subpoenaed documents, not itself the making of a statement, might nonetheless have some protected testimonial aspects. The Court concluded that the act of production could constitute protected testimonial communication, because it might entail implicit statements of fact: by producing documents in compliance with a subpoena, the witness would admit that the papers existed, were in his possession or control, and were authentic. (...) Thus, the Court made clear that the Fifth Amendment privilege against self-incrimination applies to acts that imply assertions of fact.

      So unless you acknowledge that you're in (sole or not sole) possession of the password, as this woman apparently did, that in itself will have testimonial value. Even if the prosecution has ample evidence for that anyway, you should be able to invoke the 5th. In this case she may have seriously screwed herself there. If there's no testimonial value, there's not much precedent to say one way or the other. Oh yeah, and don't try to destroy any evidence with booby traps. In the search I found that the SOX act was used in a suspected child porn case:

      Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States (...)

      Limited to the SOX act? Nope. Destroy evidence and you get up to 20 years in jail. Of course it helps that he stupid fuck admitted to destroying his HDD after the cops came by the first time, but just goes to prove laws will be cross-applied everywhere they can.

    • Re:5th Amendment? (Score:4, Informative)

      by Myopic (18616) * on Tuesday February 07, 2012 @12:45PM (#38955357)

      Explain which part of that you think is being infringed.

      * She isn't testifying in court, so she is not a witness against herself
      * Any life, liberty, or property of which she is deprived is explicitly by due process of law
      * Her property is not being taken for public use

      I think the problem might be that you don't understand your rights. You should read up! Your rights are very important, and you should understand them.

  • Poor woman (Score:5, Insightful)

    by Anonymous Coward on Tuesday February 07, 2012 @04:15AM (#38950603)
    I often can't remember my password after a week away from the office on holiday. (And we have quite lax policies regarding passwords, no time, lenght or content limits, so I have a fairly easy one I've been using for months....) I might be hard pressed to remember a password after a month, under dures.s
  • What if... (Score:5, Interesting)

    by bgibby9 (614547) on Tuesday February 07, 2012 @04:15AM (#38950607) Homepage
    she honestly can't remember the password. How the hell are they going to rule on that???
    • Re:What if... (Score:5, Interesting)

      by AmiMoJo (196126) <mojo@@@world3...net> on Tuesday February 07, 2012 @04:31AM (#38950693) Homepage

      In the UK it works like this: If the prosecution can show that you probably know the password then you can go to jail for up to two years for refusing to give it. The burden of proof appears to be lower than the usual "beyond reasonable doubt" that is normally required, and evidence can be highly circumstantial. For example if you decrypted the data the day before you get arrested they could say you must know it, even if you happened to wipe the key or change the password or just genuinely forgot since. Justice is slow in the UK so it could easily be 6+ months before you are even asked.

      The stupidest part is that going to jail for two years and having the conviction expire (so you no longer have to declare it when applying for a job) after a few more years is infinitely preferable to, say, going down for 20 years on terrorism or being put on the Sex Offenders Register for life. It seems almost like a conciliation prize for the police when they have failed to gather any other evidence and would otherwise have to let the suspect go.

    • Depending on the type and method of encryption, she could say "Do you know when the last time I needed to know that password was? The last time some asshole law enforcement agency decided to rip the drive out of my laptop and gain unlawful and unjustified access to the data therein!"

  • by fortunato (106228) on Tuesday February 07, 2012 @04:15AM (#38950609)

    If I were in her shoes, I'd claim the same thing. However, this is just going to be a justification for when technology let's "the man" truly read your mind to say there was just cause to do so in order to determine whether she really forgot or just pretended to and all the crazy ethical questions/arguments/fights that will ensue. These days I'm doubting ethics and philosophy can possibly keep up with the pace of technology. I hope I'm wrong!

  • by gtch (1977476) on Tuesday February 07, 2012 @04:18AM (#38950623)
    ...you should put all the juicy stuff in plain sight on your harddisk. Then encrypt the stuff you don't care about. When the authorities finally get the password out of you, at least you'll have the satisfaction of confounding them.
  • Stare Decisis IANAL (Score:5, Interesting)

    by gd2shoe (747932) on Tuesday February 07, 2012 @04:21AM (#38950637) Journal

    Let me ask this (and display my ignorance): If I had a safe and a judge ordered it opened, and I claimed I'd lost the key, would I be held in contempt? Or would it just be forced open? Would this ever see the courtroom at all? Can lawful seizure require active participation of the accused?

    If I claim to no longer be in possession of a piece of evidence, and don't know were it is, could I be held in contempt? Couldn't I plead the fifth? "You want to convict me? You go find it."

    I'm trying to figure out the stare decisis on this topic (equal and consistent application of the law). It just seems so darn inconsistent.

    • by jcr (53032) <.jcr. .at. .mac.com.> on Tuesday February 07, 2012 @04:53AM (#38950805) Journal

      They'd just drill the safe. If you'd hidden the safe and they couldn't find it, they can't legally compel you to say anything that might help them convict you.

      -jcr

  • By default.. (Score:3, Insightful)

    by Methuselus (1011511) on Tuesday February 07, 2012 @04:28AM (#38950667)
    Encrypting seems to be indicative of guilt or the need to hide something. The presumption of innocence suddenly does not seem to apply.
    • Re:By default.. (Score:5, Interesting)

      by spintriae (958955) on Tuesday February 07, 2012 @05:30AM (#38951011)
      The concept of innocent until proven guilty is widely misunderstood. It is the obligation of the jury to presume innocence. Nobody else. Not the prosecution. Not the police. Not the accuser. If it were their obligation, nobody would be charged with anything ever.
  • by parshimers (1416291) on Tuesday February 07, 2012 @04:32AM (#38950699)

    she revealed that she, and only she, knew the password to the hard drive over the phone. so her claims she "forgot" are not very plausible. if she hadn't done that, i seriously doubt she would be in this predicament.

    • by bky1701 (979071) on Tuesday February 07, 2012 @05:11AM (#38950907) Homepage
      I was the only person to know the password to my old computer's login - no longer have any idea what it was. I figure I will just reformat it or bypass the login if I have a need to use it.

      However, if it was encrypted, I would currently have a legal timebomb sitting on my desk. This is not right and is clearly unconstitutional. Dressing up the matter does not change that.
  • by jcr (53032) <.jcr. .at. .mac.com.> on Tuesday February 07, 2012 @04:51AM (#38950787) Journal

    The fifth amendment is perfectly clear, and he's violated it.

    -jcr

    • by fearofcarpet (654438) on Tuesday February 07, 2012 @07:47AM (#38951835)

      Unfortunately The Man can trample all over your rights so long as the judicial branch agrees that the executive is following the intention of the legislative. I am curious, though, about the "smart chip" in my bank card. If I enter my PIN incorrectly three times it locks itself permanently and requires that I get a new card and a new PIN--a security feature (that prevents the banks from losing money). Assuming that The Man says I have to fork over my password--Bill of Rights be damned--if my hard drive encryption has the same "security feature" e.g., after three incorrect tries it eats the private key and renders the drive non-decryptable, can I then be charged with a crime for accidentally (which of course I can't prove) entering the wrong password three times? What if the Feds try a dictionary attack and trigger the three tries before even asking for the password? The information on the drive is completely lost, so holding me in contempt accomplishes nothing, but in the first case I "destroyed evidence" and in the second I basically conspired to destroy evidence, right? Without the evidence, they cannot convict me of the original crime, but would the sentence for destroying evidence (or obstructing justice or whatever) scale with the severity of the alleged crime?

  • by jholyhead (2505574) on Tuesday February 07, 2012 @05:04AM (#38950865)
    ...so if they throw her in jail for contempt, then doesn't the likelihood of her being able to remember the password decrease over the time of her incarceration, and with it, her ability to comply with the judges orders? If she rides it out for a few months, then isn't her inability to recall her password more credible? I think what this case demonstrates, is the need for a duress password. Enter it and bam. Unrecoverably locked. Then it would be for the prosecution to prove that you deliberately destroyed evidence.
  • by batistuta (1794636) on Tuesday February 07, 2012 @05:06AM (#38950885)

    If I really had something to hide, I'd use key files on a very old USB dongle (128 MB dongle or so). Truecrypt and Bitlocker support this. Then police will most likely raid your house during this whole action. But even if not, when asked to provide the key I'd simply say "this was in a USB dongle. It was laying on my table, so now you tell me where you've put it after messing up my whole house". Or "I had it with me and after my spontaneous arrest I had no idea where you made me forget it". Police might eventually find the donlge, but if they ask what that is, I'd say "that was some old key, no idea for what or what the decryption password is. The key you are looking for was on a new dongle.

    Thing is, it is easy to doubt that you know something. But you can get naked and show that you don't have anything hidden between your legs.

    • by ledow (319597) on Tuesday February 07, 2012 @05:50AM (#38951129) Homepage

      And when the filesystem history of your PC shows logs of you inserting that serial-numbered USB key into your PC last week, and using filesystem encryption tools to access it? And sure, you can combat that, but there's always another way to get caught out that you might not have considered. Hell, they can probably tell you the last time you touched the device itself, or inserted it, and into what computer you inserted it by various bog-standard forensic evidence (scratches on the USB connector, fingerprints, etc.).

      You don't even know if they haven't been *watching* you insert that USB key by that point (and if they've raided you, there's a good chance they *have* been watching first). They won't tell you that until AFTER you've already denied ever knowing where it was. You've just stamped "guilty" on your own head by being a smartarse.

      You can be a smartarse if you really want to, but nothing in the world is clever enough to stop "reasonable doubt" when you play games like that, especially if you're that confrontational. All that will do is make them WANT to put you away rather than plant doubt in their heads.

      After a police raid, they'll just have all your possessions. Sure, it'll take a while to catalogue them all but they will. They actually have to. Not only that, they'll know the serial number of every one and maybe even the purchase origin. While you're sitting in an interview room being a smartarse, they're sending out court orders based on your PC and ISP evidence and forensically recording your Slashdot comments (and the above, in the wrong context, could be enough to convict you even in ten years time if that DOES happen!).

      You missed the whole point of the article - the US, and the UK, have laws that if they even THINK you really have the key and haven't forgotten it, they'll throw you in a cell until you remember. Be as smart-arse as you like but people have already been convicted and jailed over it because of "reasonable doubt" that they weren't innocent. The law is there, it's written, it's enforceable (whether it's SENSIBLE is another matter and one that takes decades to argue in court) and if they suspect for a moment that you're being a smartarse, they'll use it.

      This is how the law works. If you're stopped by a policeman in the UK, he'll pay you zero attention if you're polite, genuine, "I know, officer, I was speeding. It's a fair cop." about it. Start being pricky towards them for no reason and they'll have you for your tyre wear, the rear light, the slightly-covered number plate, look up your insurance, your license, run a check on your name, look through the car for anything you shouldn't have, etc.

      It has to be said that it's not an unsuccessful method of law enforcement and anyone with brain enough to be respectful and polite and co-operative will "get away" with things that the idiots who's taking their badge number and threatening them won't. The same applies from the police up to the courts. Hire a good lawyer, be co-operative and polite, play by the rules and you'll get the best result. Be pricky about it and they'll do what they can to dig deeper and inconvenience you.

      I can think of ways you could reasonably consider to have good reason to have lots of encrypted USB sticks about that you don't know the passwords too. But being the smartarse will end up with you in jail, whether you "did" anything or not. You can argue about it as much as you like but if the judge takes a dislike to your attitude or methods, they'll put you away at least until your successful appeal.

      What do you do? You provide all the information you have and be as co-operative as possible. Why? The laws on that are worded so that co-operation is the better of the two options so that you're *forced* to co-operate or go to jail.

      You can argue about self-incrimination, free-speech, etc. afterwards - when the judge KNOWS that you've been 100% co-operative. You can still have evidence stricken, ask for a mis-trial, appeal, etc. but you've been co-ope

      • by Kjella (173770) on Tuesday February 07, 2012 @07:43AM (#38951811) Homepage

        You can argue about self-incrimination, free-speech, etc. afterwards - when the judge KNOWS that you've been 100% co-operative. You can still have evidence stricken, ask for a mis-trial, appeal, etc. but you've been co-operative and had nothing to hide so when they *DO* find a USB stick that you've never seen before and are demanded to decrypt it, you are much more likely to make them think "Damn, he gave us all the others, even when it incriminated him - maybe he really *doesn't* know this one?".

        As long as you've been read your rights, pretty much anything short of a confession at gunpoint is forever. You'll never manage to "undo" anything you've said to the police or in court and everything that tumbled out because you gave them access to everything you know and have will be fully legally admissible. Your whole argument revolves around your belief that they'll actually think you innocent, and not just "well we couldn't convict him on what we wanted, but we can slam him with everything we got".

        If they for some fucked up reason think you're involved in terrorism or kiddie porn or organized crime or whatever, do you think that suspicion will go away because you "give" them petty software piracy and having a joint? No, you just handed them enough rope to hang yourself with. That said, yes being a smart ass and trying for a game of wits with the police is a very bad idea, as is getting rude and obnoxious. Politely decline any search without a warrant and that you would not like to answer questions without a lawyer present. Most people just make a bigger mess of everything trying to "prove their innocence" as you seem to suggest.

      • by metacell (523607) on Tuesday February 07, 2012 @09:07AM (#38952329)

        What do you do? You provide all the information you have and be as co-operative as possible. Why? The laws on that are worded so that co-operation is the better of the two options so that you're *forced* to co-operate or go to jail.

        I agree that you should be polite and co-operate with the letter of the law, but it's also important to reveal as little information as possible. Even innocuous information can be twisted against you. A prosecutor won't think "Well, this guy was so co-operative and revealed potentially incriminating information he didn't have to, so he's probably innocent." The prosecutor'll think "This information the suspect gave me might convince the jury to convict him." It's a prosecutor's job to prosecute if there's chance of a guilty verdict, and he/she won't mention to the jury you were such a nice guy and revealed something you didn't need to.

  • by SharpFang (651121) on Tuesday February 07, 2012 @05:07AM (#38950887) Homepage Journal

    I wonder if the "no self-incrimination" clauses could help here.

    I am innocent of the allegations.
    But my HD contains files which might incriminate me in ways not covered by the claims of prosecution.
    By giving the password, I would open myself to prosecution on issues the prosecutor has no clue about.
    Therefore I refuse confession that would cause self-incrimination.

  • Would be plausible (Score:5, Informative)

    by gweihir (88907) on Tuesday February 07, 2012 @05:12AM (#38950919)

    The laptop was seized in 2010, the order to decrypt is from 2012. I have passwords long enough that I will have trouble remembering them after 2-3 months of not using them. (Happens very rarely.) Not using them for over a year could well make me unable to remember them at all. So I would consider this a real possibility. Not absolute certain, of course, but credible enough that asserting she does still know the password after not having used it for this long would be an unfair disadvantage to her, as she fundamentally cannot prove she does not remember it.

    Now the way around this for future cases is key-escrow or requiring everybody to write down their passwords, with the attached huge negative effects. In any sane legislation you can just refuse to give a password. I am amazed that in the self-proclaimed "land of the free" this does not seem to be the case and hope this will just turn out to be a judge that does not understand the issue and will get fixed permanently by a higher court.

  • by Anonymous Coward on Tuesday February 07, 2012 @05:27AM (#38950995)

    The password is R4ndumbG1bb3r1s# - but I stored the keyfile on megaupload.

  • by slasho81 (455509) on Tuesday February 07, 2012 @05:28AM (#38951005)
    Jack: Now let me hear you say the seven most important words in the American judicial system.
    Frank: My client has no memory of that.
  • by w0mprat (1317953) on Tuesday February 07, 2012 @05:37AM (#38951051)
    If I get caught, I'll tell them to decrypt it with rot13!
  • by mwvdlee (775178) on Tuesday February 07, 2012 @06:33AM (#38951407) Homepage

    Perhaps her password was "ICantRemember".

  • by Tanuki64 (989726) on Tuesday February 07, 2012 @06:58AM (#38951537)

    Currently I don't have something, which really need encryption. However, should it ever be necessary I'd modify after each use the timestamps so it looks like the container was last accessed years ago. Within sensible limits, of course. It would be much more believable to have forgotten a password, when the last access was several month ago than when the timestamps says it was accessed last week or even yesterday.

  • hm (Score:4, Funny)

    by segfault7375 (135849) on Tuesday February 07, 2012 @10:07AM (#38953003)
    Did they try hunter2?

This is a good time to punt work.

Working...