Forgot your password?
typodupeerror
Encryption The Courts Your Rights Online

Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys 322

Posted by Unknown Lamer
from the but-the-nsa-has-quantum-computers dept.
Virtucon writes "U.S. Magistrate William Callahan Jr. of Wisconsin has ruled in favor of the accused in that he should not have to decrypt his storage device. The U.S. Government had sought to compel Feldman to provide his password to obtain access to the data. Presumably the FBI has had no success in getting the data and had sought to have the judge compel Feldman to provide the decrypted contents of what they had seized. The Judge ruled (PDF): 'This is a close call, but I conclude that Feldman's act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with "reasonably particularity" — namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination.'" If the government has reasonable suspicion that you have illicit data, they can still compel you to decrypt it.
This discussion has been archived. No new comments can be posted.

Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys

Comments Filter:
  • by fuzzyfuzzyfungus (1223518) on Wednesday April 24, 2013 @12:16PM (#43537561) Journal

    Does the 5th amendment right to avoid self-incrimination apply only to the particular charges being brough in a given case, or does it cover any statement that could be incriminating, even if it were in a different proceeding, or if the record from Case A were to be used as evidence in Case B?

    Say, in the case of an encrypted HDD, it's reasonably plausible that a broad spectrum of the suspect's electronic activities will be there. Common software tends to be a bit 'leaky' in terms of recording what it does(temp files, caches, search indexes, etc.) and most people don't have entirely separate computers for each flavor of crime they are engaged in.

    If somebody were being charged for one crime that probably left evidence on the HDD(kiddie porn, say); would the fact that they know that there is evidence of CC-skimming(but, unlike the kiddie porn, the feds have no circumstantial evidence or other grounds for belief) justify a 5th-amendment refusal to decrypt the volume? Would the other potentially-incriminating stuff be irrelevant because it isn't among the charges(even if the court record could be used as evidence to bring future charges)? Would the suspect be compelled to divulge the key; but the prosecution only have access to material relevant to the charges being filed, with some 3rd party forensics person 'firewalling' to exclude all irrelevant material?

  • by DNS-and-BIND (461968) on Wednesday April 24, 2013 @12:18PM (#43537591) Homepage
    This is all a big brouhaha over nothing. The Fifth Amendment has a remaining lifespan measured in years, not decades. There was already a call to give up on the Constitution [nytimes.com], naming the document "downright evil". Now we have Bloomberg saying that the Boston bombing will have to change the way we 'interpret' the Constitution. No, I'm not kidding, the Mayor of New York City really said these words:

    "The people who are worried about privacy have a legitimate worry," Mr. Bloomberg said during a press conference in Midtown. "But we live in a complex world where you're going to have to have a level of security greater than you did back in the olden days, if you will. And our laws and our interpretation of the Constitution, I think, have to change. Look, we live in a very dangerous world. We know there are people who want to take away our freedoms. What we cant do is let the protection get in the way of us enjoying our freedoms. You still want to let people practice their religion, no matter what that religion is. And I think one of the great dangers here is going and categorizing anybody from one religion as a terrorist. That's not true ... That would let the terrorists win. That's what they want us to do."

    Encryption keys? It's arguing about the wrong topic. These silly arguments about the Fifth Amendment will soon be about as relevant to our lives as the Austro-Hungarian Empire.

  • Re:Last Sentence (Score:5, Interesting)

    by Yebyen (59663) on Wednesday April 24, 2013 @12:29PM (#43537739) Homepage

    It reads differently to me. They do not know that he can decrypt the data (he could have destroyed the passphrase, or it was destroyed when left in the hands of an automated system and he was incarcerated), and compelling him to do so would be a) demanding that he prove that he could decrypt them, a "fact" about him that is not already known to be true (and could be incriminating.)

    The last sentence in the summary reads like nonsense to me and does not seem to contribute anything.

    They cannot compel you to do something they don't already know that you have the ability to do, and if it turns out later that they can decrypt the drive without your help, the fact that you were able to decrypt it would be the incriminating part (apparently) as much as whatever they had actually found on the drive. Even if they know there is illicit stuff on the drive (somehow) without having decrypted it, they do not know you have control over it (unless this was proven some other way.)

    It's like those cops that ask, "do you have any illegal drugs on you" -- if you show them, you waived your right to be protected from unreasonable search and seizure. They did not violate it. You did. Has your fifth amendment right been violated? They could have asked the dog, and he would tell them, but putting dogs on you without probable cause is almost certainly illegal search violation. If you are threatened with contempt if you do not decrypt the drive, even when they haven't proven that you even can, it's much the same situation.

  • by hawguy (1600213) on Wednesday April 24, 2013 @12:32PM (#43537787)

    What encryption algorithm did he use that's FBI-proof?

  • Re:Last Sentence (Score:5, Interesting)

    by janeuner (815461) on Wednesday April 24, 2013 @12:44PM (#43537967)

    Incorrect. The government knows that the specified files are (or were) on the storage device at some point. What it lacks is evidence that the defendant is capable of accessing that storage.

  • I can't remember... (Score:2, Interesting)

    by Anonymous Coward on Wednesday April 24, 2013 @12:55PM (#43538099)

    Politicians, police, and heads of major bodies are trained to answer "I can't remember" to questions where a refusal to answer is not permitted.

    By Law, in the USA, the statement "I cannot remember" can NEVER be categorised as lying (without a freely offered self-confession of this fact). Understand that the USA is one of the obscene nations where lying to law enforcement goons is a serious criminal offence in itself, whereas the same law enforcement goons have full State authority to use lies as a tool of investigation and interrogation. The reason every lawyer in the USA states that you must NEVER talk to law enforcement goons without a lawyer present is because of these facts. Innocent people can be lawfully converted into criminals in the USA, simply by how they respond to a manipulative and dishonest line of questioning.

    Even in the UK, lying to law enforcement goons is not a criminal offence in and of itself (at worst, you can be charged with wasting police time- but there the lie has to be one that suggests false details about a crime that cause unnecessary and useless investigation).

    All nations can 'force' a person to reveal a password under some legal principle or other, if the circumstances are right. 'Force' means, of course, that a refusal to comply is a crime. "I cannot remember the password" will work for any elite individual who actually exists above the law (like senior 'banksters' in the USA). It will not work for an ordinary target of law enforcement.

    Good lawyers always offer cynical advice. How often have you read stories of famous Americans refusing to be breathalysed at the scene of a DUI incident. The lawyer has trained these clients that the penalty for refusal is FAR lower than the penalty for being found DUI. Forced decryption follows the same logic. For political targets, the USA uses the obscene system of 'contempt' and sequential re-incarceration- effective turning the penalty for the offence into one of life in prison.

    The argument about "reasonable suspicion" is an interesting one. It does, however, smack of turning 'presumed innocent' into 'presumed guilty'. Should the command to force decryption be accompanied with a promise that only the expected incriminating digital evidence be used against the individual, and that other illicit digital content that may be found with no relationship to the current case should be ignored, if it proves that the expected material is NOT present within the digital 'safe'?

    In other words, if law enforcement goons are wrong about you with their current claims, should you be forced to incriminate yourself over an unrelated 'crime'? After all, if you reward law enforcement goons for engaging in 'fishing expeditions', clearly this tactic will only grow.

  • by ewieling (90662) <user@@@devnull...net> on Wednesday April 24, 2013 @12:56PM (#43538115)
    Truecrypt. <URL:http://en.wikipedia.org/wiki/TrueCrypt>

    The FBI has admitted defeat in attempts to break the open source encryption used to secure hard drives seized by Brazilian police during a 2008 investigation. <URL:http://news.techworld.com/security/3228701/>
  • Re:Last Sentence (Score:5, Interesting)

    by Spazmania (174582) on Wednesday April 24, 2013 @01:05PM (#43538217) Homepage

    No, the trick is this:

    The government hasn't proven that Feldman *has* the encryption key. Compelling him to turn over the encryption key would be compelling him to admit that he has the key. The compelled admission that he has the encryption key is the fifth amendment violation.

    Had Feldman admitted that he had the key or if there was prima facie evidence that he possessed the key, the government could still compel him to provide it.

  • Re:Last Sentence (Score:4, Interesting)

    by NatasRevol (731260) on Wednesday April 24, 2013 @01:21PM (#43538355) Journal

    Interesting, and good to know.

    From a non lawyer point of view, discovery that you provide, about yourself, sounds an awful lot like testimony against yourself.

  • by uncqual (836337) on Wednesday April 24, 2013 @01:54PM (#43538691)

    So, it's rather like if the police found a special car with very strong windows and combination locks. They have strong evidence that it's got a lot of heroin in it and want to get inside it to search it and have a warrant to do so but can't get it open.

    They think, but don't have much evidence to support that belief, that you had unrestricted access to the car interior and therefore have the combination and can open the door for them.

    What this ruling says is that they can't compel you to product the combination because then you would be being forced to reveal that you did, in fact, have the combination and, hence, access to the inside of the vehicle which would be incriminating given the contents of the car.

    If, however, they found a surveillance video that showed you opening the door of the car using the combination you could then be compelled to provide the combination as that would not reveal, for the first time, that you actually had access to the interior of the car.

    Is that correct?

  • Lessons (Score:4, Interesting)

    by Anonymous Coward on Wednesday April 24, 2013 @02:00PM (#43538751)

    Things I learned from reading the ruling:

    1. As usual, keep your mouth shut. The guy merely admitted that he lived alone in his current residence for 15 years before he got smart and lawyer-ed up, and that fact makes an appearance in the ruling. It doesn't hurt much and they would have figured it out anyway, but it definitely didn't help.

    2. Use whole-disk encryption and encrypt everything. All evidence against him mentioned in the ruling was obtained from unencrypted drives and were what should have been private bits and metadata that leaked or never making it to the encrypted drive, especially log files. They have highly incriminating file-names, drive letters, peer-to-peer download logs, basically a ton of metadata. While this ruling almost certainly doesn't cover all the evidence against him, it's not clear the FBI would have anything at all if it weren't for the two drives that they found unencrypted. Although they must have had something else to go after him in the first place.

    3. IMO he really dodged a bullet at least in this narrow instance. Crudely speaking, Judge says it isn't reasonable to conclude that both the files in question necessarily exist and that the defendant had access to them (it sounds like the real problem is the latter). This when they have file-names, log files, and the disks in question were taken from his residence where he has lived alone for 15 years, and while he certainly hasn't admitted the disks were his, I don't see an active claim to the contrary either (which I'd likely support but he needs to say it). I'm very pro-encryption and am generally not happy with the court compelling encryption keys, but this is one of the weakest cases for not doing so that I could think of, and is probably why the FBI decided to go for it and now potentially lost big if this it the burden or proof they are stuck with to prove ownership or control of data on a disk.

  • Re:Last Sentence (Score:5, Interesting)

    by tattood (855883) on Wednesday April 24, 2013 @03:01PM (#43539221)

    But you can't be compelled to provide evidence against yourself that the government doesn't know you have.

    What if the drive contains the evidence that they know you have, but it also contains other evidence that they do NOT know you have, which one would have precedence? If decrypting the drive will give them access to other evidence that would incriminate you in another crime.

  • Re:Last Sentence (Score:5, Interesting)

    by Jane Q. Public (1010737) on Wednesday April 24, 2013 @03:48PM (#43539673)

    "Likewise, if there's good reason to believe that you have a different set of books in a safe, or perhaps a murder weapon - you can be compelled to give the combination."

    Not even.

    In 5th Amendment cases, "reason to believe" is not good enough. Even probable cause is not good enough. They have to KNOW, already, that there is something illegal in there (and exactly what it is) before they can compel a password or a combination. See my explanation elsewhere in this thread.

    If they don't already know it's there, beyond reasonable doubt, they can't compel you. Because then you would be incriminating yourself.

    However, what they CAN do, if they have probable cause and it's something like a safe, is force it open. (If we assume they physically can. There are few things that can't be forced open given time and money.) If they force it open, there is no 5th Amendment question.

    "I think a really interesting test case would be if a criminal used a confession or otherwise key incriminating evidence as the pass phrase for an encrypted device. If they plead the Fifth, and then were compelled anyway - how much would be ruled inadmissible?"

    Because of what I just explained, that could never happen. If they already know that there is something illegal there, then they can compel you to divulge the password or combination. But if they DON'T already know, they can't compel you to divulge because the act of doing that would be incriminating yourself.

  • Re:Last Sentence (Score:4, Interesting)

    by femtobyte (710429) on Wednesday April 24, 2013 @03:57PM (#43539773)

    Your analysis is off-the-mark for this particular case. According to the judge's writeup linked in the summary, the prosecution in this case actually did have evidence that child porn files were being downloaded to the servers and saved to the encrypted disks. The reason that the defendant was granted 5th Amendment immunity is that the prosecution lacked evidence that he was the only person in control of the computers. Maybe someone else had broken in and set up the encryption without the defendant's knowledge? By turning over the encryption keys, the defendant would prove that he knew the encryption keys, and thus incriminate himself of being responsible for the porn-filled encrypted disks (instead of an unwitting victim of hacking).

"Love your country but never trust its government." -- from a hand-painted road sign in central Pennsylvania

Working...