Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
The Courts Government Encryption Security News

Encryption Passphrase Protected by the 5th Amendment 537

Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
This discussion has been archived. No new comments can be posted.

Encryption Passphrase Protected by the 5th Amendment

Comments Filter:
  • Just how did the judge come to this conclusion? On the summary side of things, it makes sense, but just what circumstances led to this particular notion?
    • by explosivejared ( 1186049 ) <hagan.jared@g m a i l . com> on Saturday December 15, 2007 @01:54PM (#21710052)
      Read the article:

      If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.

      By giving the government his password, the judge held, that the defendant was incriminating himself by opening up all of his files that weren't pertinent to the investigation. That was my take on it. *I am not a lawyer, but I scored high on critical reading on the SAT's, for what it's worth.
      • by snarkh ( 118018 ) on Saturday December 15, 2007 @02:01PM (#21710138)
        By giving the government his password, the judge held, that the defendant was incriminating himself by opening up all of his files that weren't pertinent to the investigation.

        Quite the opposite. By giving the password the defendant may incriminate himself by opening files containing incriminating (and pertinent) information, but unknown to the government prior to that.
        • by cayenne8 ( 626475 ) on Saturday December 15, 2007 @02:07PM (#21710208) Homepage Journal
          "Quite the opposite. By giving the password the defendant may incriminate himself by opening files containing incriminating (and pertinent) information, but unknown to the government prior to that."

          Thank God...FINALLY, a score for US privacy rights...and upholding our Constitutional rights!!!

          You just don't see that much any more.....

        • I thought that's exactly what I said. He was opening up files that may be incriminating, but otherwise not related to the offense he was being held for and unknown to the government. Sorry if I confused anybody.
          • Re: (Score:3, Insightful)

            by Tim C ( 15259 )
            I think you two are talking at cross purposes. The post you're replying to says "(and pertinent)" - ie files that *do* relate to the case.

            You're saying "he can't be made to release incriminating files that are nothing to do with the case", while the poster you're replying to is saying "he can't be made to release incriminating files even if they are related to the case".
            • Re: (Score:3, Informative)

              by snarkh ( 118018 )

              That's exactly right. As far as I understand, the main concern is that by opening the disk he would potentially give the government access to the incriminating files not seen by the customs agents.
      • That's what I thought as well but I just can't get past the search warrant analogy. Investigators entering and searching your house with a warrant will see things not pertinent to the investigation.
        • by Anonymous Coward on Saturday December 15, 2007 @02:25PM (#21710384)
          Yes, and it's perfectly legal for those investigators to try to decrypt your files themselves. What they CAN'T do is say, "Tell us where the incriminating evidence in your house is, or we'll put you in jail," or "Give us an itemized list of every single thing in your house so we can decide what is incriminating, or we'll put you in jail." Neither can they say, "Give us your encryption password or we'll put you in jail."

          This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner. On the other hand I am relieved it has finally happened.
          • by pboulang ( 16954 ) on Saturday December 15, 2007 @02:41PM (#21710520)
            Well, maybe because a better analogy is "I have a warrant to search your whole house. You need to give me the key to the locked room in the back." I'm not sure it is "painfully obvious" but this is the correct decision in the end.
          • This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner.

            Obvious to you and I maybe, but Scalia, Roberts, Alito, and Thomas never met an unreasonable search.

            If prosecutors can jail reporters indefinitely until they hand over their sources, how is it that much different for the government to imprison someone for not turning over their encryption keys? The only difference I see is one may incriminate someone else and the other may incriminate you.

    • by Anonymous Coward on Saturday December 15, 2007 @02:26PM (#21710390)
      Well, there is that whole pesky link in TFA to the decision.

      But I'm nice and I found it an interesting read, so I will summarize it. There are a great many of cases involving what and when the government can force someone to turn over documents. Generally, things which don't represent what's in your mind can be forced over. An example would be a key to a lock as compared to a combination lock. The former exists, and is known to exist, and the latter's turnover requires the suspect to devolve information contained within his mind, which would be tantamount to testifying.

      In this case, there is some splitting of legal hairs, and my description will be less than sound. While IANAL, I am marrying one ;) This password is similar to a combination lock. However, in this case, the government had already seen some of the files contained within his encrypted drive. There is a question as to whether the government's knowledge of the preexisting files would be enough to force the turnover of the password. The government argued that they would allow the suspect to enter the password without supervision, meaning that the government wouldn't be able to use the entry itself in court. In the past, the government has tried to prosecute someone when they had immunity for turning over documents by arguing that said documents themselves were incriminating,. not just that the suspect kept them. The supreme court found that reasoning to be bull. Someone is protected via the 5th amendment by all fallout of their testimony via immunity.

      As I already rambled here, the government argues that they knew of the files, and that they had already seen the files. As such, the defendant needed to turn over the password. Something similar has been done previously, where the government knew that a suspect had a document in his possession,and the court forced its turnover. In this case, however, the judge unacknowledged that the prosecution has seen only a small number of the files on the encrypted drive, and that they were almost certainly incriminating. As such, the judge decided that he couldn't order the defendant to turn over the password as the governmetn would have access to new files it knew nothing about.

      So, the lesson here is to just not talk to the police without your lawyer present, and don't fricking enter passwords to your files without a court order.
  • But but but! (Score:4, Insightful)

    by skulgnome ( 1114401 ) on Saturday December 15, 2007 @01:50PM (#21710020)
    Terrorists!
  • by Bones3D_mac ( 324952 ) on Saturday December 15, 2007 @01:52PM (#21710032)
    "I forgot."
  • by rickthewizkid ( 536429 ) on Saturday December 15, 2007 @01:53PM (#21710036)
    So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.

    Hmmm....

    • Re: (Score:3, Insightful)

      So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.

      Hmmm....


      Well the government of Vermont can't at least.
      • by Tumbleweed ( 3706 ) * on Saturday December 15, 2007 @02:13PM (#21710252)
        >So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.

        Hmmm....

        Well the government of Vermont can't at least.


        It was a Federal judge.

        It was also probably not worth bothering the NSA with. I wouldn't take this to mean much of anything about how quickly the Feds can crack PGP.
    • by GregPK ( 991973 )
      O... the government can break it. It's just that the DOJ doesn't have access to the computers required to do so. Nor does it want to spend the money on buying a multi-billion dollar computer if it doesn't need to. I think this would be a good business for some. Leasing out time on a built supercomputer for breaking passwords. Probably takes 20-30 minutes to boot up and sync. But it'll fly when it does.
      • by tomz16 ( 992375 ) on Saturday December 15, 2007 @02:02PM (#21710142)

        O... the government can break it. It's just that the DOJ doesn't have access to the computers required to do so. Nor does it want to spend the money on buying a multi-billion dollar computer if it doesn't need to.
        ? What leads you to this conclusion? There's absolutely NOTHING to indicate that strong encryption can be defeated by ANYONE on the planet at this moment.
        • I agree and am pretty sure that strong encryption can't be broken at the moment, but what the GGP said isn't necessarily true. It might mean that they can't break it, or it might mean that they don't want to be bothered utilizing big (and expensive) means to catch "small fish".
        • If the NSA had a working (but very expensive) quantum computer... would they mention it? Doubtful. They could certainly afford it, even if it cost 1million dollars to run for a couple hours.
      • I think you've just created another purpose for a botnet..

        It makes for a fine organised crime recipe:

        (1) targeted theft
        (2) decryption of interesting data with distributed botnet cracking
        (3) sale or blackmail?
        (4) Profit!

        Replace (1) with 'politically motivated arrest'/'espionage'/'anti terror' and (2) with "expensive NSA room heaters" and you have in principle the same mechanism, but "legal"..

        BTW, can't see why it would take long to boot up unless you kick the various components sequentially to prevent a powe
        • by swilver ( 617741 ) on Saturday December 15, 2007 @03:11PM (#21710782)
          Botnets cannot break decent encryption either.

          What a lot of people fail to realise is that encryption can be made unbreakable even by brute force by simply choosing a large enough encryption key. What people also fail to realise is that 256 bit encryption doesn't take twice as long to crack as 128 bit encryption. It in fact takes 2^128 times as long to crack.

          Let's for a second assume that 128 bit encryption is crackable by your own personal home computer in a period of 1 hour.

          136 bit encryption would take 2^8 times as long (250 times as long)... so we use 250 computers, and crack it in 1 hour still.

          144 bit encryption takes again 250 times as long, so instead we use 250 superpowerful server computers and crack it in 1 hour.

          156 bit encryption takes another 250 times longer, so we use a top-secret government super computer the size of the Pentagon and still crack it in 1 hour.

          164 bit encryption takes.. you guess it, 250 times longer to crack. All the governments in the world pool their top-secret super computers and crack your content in.. 1 hour.

          172 bit encryption takes 250 times longer to crack. We use all the computers on the entire planet and manage to crack it in 1 hour.

          180 bit encryption takes 250 times longer to crack. We use all those computers, but let them run 250 hours (10 days) instead.

          188 bit encryption takes 250 times longer to crack. We let those computers run 6 years to crack your password.

          192 bit encryption takes 250 times longer to crack... never mind, we're not THAT interested in your personal photo album.

          • Re: (Score:3, Informative)

            by xquark ( 649804 )
            Actually if you look at the problem from a energy consumption (Von Neumann-Landauer Limit) POV
            brute force attacks on a search space of 2^128 is boarding on consuming all of approximated
            energy of all the stars in the Milky-way galaxy (imagine Dyson shells around all the stars
            in our galaxy)

            So in reality if a greatly less than brute force method is not found for such search spaces
            then there is no real way of practically applying brute-force methods.

    • by swillden ( 191260 ) <shawn-ds@willden.org> on Saturday December 15, 2007 @02:19PM (#21710306) Journal

      So.... this tells me two things... first, that the government cannot force you to give up your PGP passphrase.... but possibly more important, the government (currently) cannot break PGP encryptopn.

      No, it doesn't tell you the second. If the government has the knowledge required to break the ciphers used by PGP, they would be very unlikely to reveal that for something as unimportant as this court case.

      Personally, I strongly doubt that the NSA can break PGP, but this decision doesn't say anything one way or the other about the question.

    • by GoofyBoy ( 44399 )
      If they can break PGP, then the last thing they want people to know is that they can.
      They could using this legal judgment to make it look like they can't.
    • but possibly more important, the government (currently) cannot break PGP encryptopn.
      If I could, I wouldn't admit to it either.

      More people would keep using that which I could easily bypass that way.
  • Sad state. (Score:3, Interesting)

    by 7-Vodka ( 195504 ) on Saturday December 15, 2007 @01:56PM (#21710084) Journal

    It's a sad sad day in America that the truth of the 5th ammendment and the constitution itself is even called into question in this way. Thanks to the judge who supported the constitution, unfortunately there are laws shredding it up as we read this news.

    http://www.govtrack.us/congress/bill.xpd?bill=h110-1955 [govtrack.us]

    Welcome to the police state.

    • Re: (Score:3, Insightful)

      by Kelz ( 611260 )
      Cute sentiment, but still a bit off-topic. I find this a good ruling for me personally, though honestly the ruling could have gone either way. What I find intriguing about it is how confused the judicial system seems about how to apply pre-internet laws to crimes. Should a cyber-crime be treated like a robbery? Should encrypted data be treated like a safe holding potential evidence?
    • by RT Alec ( 608475 )

      I looked through the text of the bill you referenced, but I found nothing in it to suggest "there are laws shredding it up". It looks like it is authorizing a few committees to study the formation of domestic "home-grown" terrorist organizations and cells.

      Did I miss something?

      • by 7-Vodka ( 195504 )

        http://www.house.gov/paul/congrec/congrec2007/cr120507h.htm

        Remarks on Violent Radicalization & Homegrown Terrorism Prevention Act, HR 1955

        5 December 2007

        Rep. Ron Paul, M.D.

        Madame Speaker, I regret that I was unavoidably out of town on October 23, 2007, when a vote was taken on HR 1955, the Violent Radicalization & Homegrown Terrorism Prevention Act. Had I been able to vote, I would have voted against this misguided and dangerous piece of legislation. This legislation focuses the weight of

  • Nolo [nolo.com] clears things up nicely about self incrimination. While I don't know the accused or support his alleged crime, I do think that the judge is correct in his statement. Kudos to the judge! If the prosecution wishes to discover the contents of an encrypted file then they actually need to jump through the hoops of an investigation. Hell, getting a warrant and just installing a camera over his keyboard would sooner or later reveal the passphrase wouldn't it?
    • by KPU ( 118762 )
      What makes you think the defendant plans on decrypting the drive again? Or for that matter that the government would ever return the encrypted contents to him?
      • I didn't say that he would decrypt the volume after discovery. I did say that if they had investigated using methods that didn't jeopardize access to the content later they would have a viable case. As it stands now the prosecutions case is dead.
        • by KPU ( 118762 )
          More to the point, the article states that agents did in fact have access to the unencrypted volume at the border. They just waited too long and PGP timed out.
  • My passphrase is: "field kitty sr53"... " or maybe that was 35, I never remember, the 5 could have been a 7" .. then there is "tulip Sandiwch" ... "or was it sandwich Tulip?, you know I was only playing around with this partition I don't actually store anything on it... Hmm, did I decide to use underscores or hyphens? I think I used underscores because I decided spaces might brak things, or maybe it was underscores, they are on the same key you know... try holding down shift... Maybe I misspelt "sandwich",
  • From TFA:

    An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."

    Like it or not, the "adult pornography" is probably a red herring, so what is this "animation" business? Is that all they have on him? I've seen episodes of South Park that qualify as "animation depicting child pornography". I hope there's more to this case than was explained in TFA. If not, thi
  • IANAL but my law view is this...

    The law can convince you to incriminate yourself, and the evidence is admissible. You may confess a crime if you have one to confess. You have to state that it's by your own free will. However during trial if you fee so-moved, you can invoke the 5th amendment to disavow your earlier statements. This may be taken as hostile to the court, if not decided upon by prior consultation.

    If other evidence already obtained points to you, the law can search you or your premises by obtain
  • IANAL, I'm not even American, and it seemed to me that nor shall be compelled in any criminal case to be a witness against himself was quite clear and included that sort of thing, unless you interpret "to be a witness" ridiculously restrictively. And isn't the Bill of Rights supposed to be a collection of general principles rather than specific, restrictive directives?
  • Ultimately courts could decide that the the key constitutes being a "witness against himself" and entitled to protection.

    Or it could decide it is the equivalent of a lock. I know that the police can force a door for a search warrant - and they are trying to force the key to this drive. But according to the article, a defendant can be compelled to reveal a combination to a safe - basically the same thing: an item in memory that allows access to evidence.

    Stickier is the issue of additional evidence.

    Search war
  • A good ruling but... (Score:4, Interesting)

    by russotto ( 537200 ) on Saturday December 15, 2007 @02:39PM (#21710502) Journal
    ...once it gets to appeals court it will hold up as long as a geek in waterboarding session. Certain kinds of utterances have been determined to be "non-testimonial" and not eligible for Fifth Amendment protection, and encryption keys are IMO almost certain to be found as such by the current Supreme Court, since it isn't the key which is incriminating, but the evidence protected by the key.

    • Re: (Score:3, Funny)

      by fizzding ( 1171839 )
      What if the key itself is incriminating? Supposing his passphrase was "I like to touch little boys", I think that would be just a tad condemning given the circumstances.
  • I always thought it was a much larger 5th amendment sort of issue, not just a simple 'destruction of evidence' thing as the cops wanted to make it out to be.

    Good to see some people in power haven't lost all sense of reality.
  • by Diomidis Spinellis ( 661697 ) on Saturday December 15, 2007 @02:41PM (#21710518) Homepage
    If the passphrase is considered keys to a safe, and you are therefore likely to be forced to divulge it, then you can avoid trouble by using an encryption system, like TrueCrypt [truecrypt.org], that supports plausible deniability [wikipedia.org]. Inside the encrypted volume, blank space is always filled with random data, which can also be another nested encrypted volume. Without the correct passphrase, nobody can prove that the random bits are anything more than random bits.
  • by oliphaunt ( 124016 ) on Saturday December 15, 2007 @02:43PM (#21710542) Homepage
    The blog post is here. [volokh.com]

    This case is a very interesting overlap between 4th Amendment "right to privacy" cases and 5th Amendment "right not to self-incriminate" cases. I personally think that if the government can't break the encryption to "prove" what is hidden from them, they have no right to force the owner to do their work for them. People have a right to keep stuff private, and if they've hidden it effectively, then tough shit for the cops.

    I acknowledge that child porn is inherently harmful to the children involved, and that laws targeting possession of child porn are therefore valid so far as they aim to protect children by destroying the market for the exploitative and harmful material. And there is no first-amendment protection for child porn. But the cops still can't break into your house without a warrant just because they they think you have pictures of naked kids inside, and they can't wiretap your internet connection without a court order (heh, they can't LEGALLY, even though it's probably going on right now OMGHI2NSA). Those are 4th amendment rights. But the 5th amendment kicks in to say that even with a court order and a valid warrant, the cops in your house can't force you to tell them which floorboard is the loose one with the bloody knife hidden under it. If you refuse to tell them, they have to find it on their own-- and if they can't find it, they can't use it as evidence against you. That's exactly how the 5th amendment is supposed to work.

    A police force with the power to compel self-incriminating testimony becomes the enemy of any citizen who wishes to lawfully express dissent with any policy of government. The 5th Amendment is the most powerful safeguard citizens have against confessions extracted via torture finding purchase in US courts.

    From the decision itself (lifted from that post at Volokh Conspiracy), bolded emphasis is mine:

    Entering a password into the computer implicitly communicates facts. By entering the password Boucher would be disclosing the fact that he knows the password and has control over the files on drive Z. The procedure is equivalent to asking Boucher, "Do you know the password to the laptop?" If Boucher does know the password, he would be faced with the forbidden trilemma; incriminate himself, lie under oath, or find himself in contempt of court. Id . at 212.
    The Supreme Court has held some acts of production are unprivileged such as providing fingerprints, blood samples, or voice recordings. Id. at 210. Production of such evidence gives no indication of a person's thoughts or knowledge because it is undeniable that a person possesses his own fingerprints, blood, and voice. Id. at 210-11. Unlike the unprivileged production of such samples, it is not without question that Boucher possesses the password or has access to the files.
    In distinguishing testimonial from non-testimonial acts, the Supreme Court has compared revealing the combination to a wall safe to surrendering the key to a strongbox. See id. at 210, n. 9; see also United States v. Hubbell, 530 U.S. 27, 43 (2000). The combination conveys the contents of one's mind; the key does not and is therefore not testimonial. Doe II, 487 U.S. at 210, n. 9. A password, like a combination, is in the suspect's mind, and is therefore testimonial and beyond the reach of the grand jury subpoena.
    The government has offered to restrict the entering of the password so that no one views or records the password. While this would prevent the government from knowing what the password is, it would not change the testimonial significance of the act of entering the password. Boucher would still be implicitly indicating that he knows the password and that he has access to the files. The contents of Boucher's mind would still be displayed, and therefore the testimonial nature does not change merely because no one else will disc

  • Horrible case law (Score:3, Interesting)

    by Anonymous Coward on Saturday December 15, 2007 @02:45PM (#21710558)
    This is horrible case law. I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.

    Encryption keeps getting easier and easier to use - someday my job wont be possible without good case law forcing defendants to give up encryption keys. The only other option is to step up the use of no-knock search warrants and live acquisition. Problem is... when a daughter accuses her step-dad of molesting her and taking pictures - there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.

    I know that most people think that the police go around taking peoples' machines without any cause but I can tell you from my experiences (and the experiences of everybody else I've run into in this field) we don't go around looking for new cases. We are completely understaffed, under-budgeted, and flooded with horrible crimes. Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
    • Re:Horrible case law (Score:5, Interesting)

      by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Saturday December 15, 2007 @02:58PM (#21710648)
      I had a hard time deciding whether to reply to your comment or moderate it "interesting." I emphatically disagree with your post, but you make a good point. True, forcing defendants to give up their encryption keys would result in more convictions.

      But as a society, we place a higher priority in personal liberty than on catching the maximum number of criminals. There are states that invert these two concepts: we call them "police states". I, for one, would rather live in a society where a few guilty people walk free because we can't crack their encryption than live in one where I can hide nothing from the government. It's a question of priorities.
    • Re: (Score:3, Insightful)

      Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      by yndrd1984 ( 730475 )
      This is horrible case law.

      No. This is about the most obviously correct court opinion I've ever heard of.

      I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.

      Right - you can get a warrant for a safe, but if they've moved the safe, you can't force them to tell you where it went.

      someday my job wont be possible without good case law forcing defendants to give up encryption keys

      Boo-hoo.

      Problem is... there is usu

    • Re: (Score:3, Informative)

      by StormReaver ( 59959 )
      "This is horrible case law."

      You contradict yourself two short sentences later.

      "Therefore it should be held under the same rules as getting access to a safe or a house."

      It is, and this is where you contradict yourself and support the judge's (correct) conclusion. See oliphaunt's posting above regarding the Supreme Court's decisions in regards to combination safes. [slashdot.org] For convenience, I'll reproduce the relevant portion of his posting here:

      In distinguishing testimonial from non-testimonial acts, the Supreme Co
  • by Joce640k ( 829181 ) on Saturday December 15, 2007 @02:48PM (#21710580) Homepage
    You can write your password on a paper then claim it's too long/difficult to remember and the paper was destroyed.

    Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.

    • Re: (Score:3, Interesting)

      by sjames ( 1099 )

      Whether or not they believe you is another story, and you might be in jail until they finally make their minds up.

      Even if the 5th ammendment didn't exist, the state could not compell you to divulge information that you don't have. The state also cannot prove that you do have information. even if they can prove that you ever had the information they want, people forget things all the time. Any juror is likely well aware that people forget important things all the time. Practically everyone has discovered

  • by Orestesx ( 629343 ) * on Saturday December 15, 2007 @02:49PM (#21710584)

    I always thought the 5th amendment served two main purposes:

    1. Prevent the government from compelling individuals to confess (through torture, or other means).
    2. Give weight to confessions by ensuring that they were not obtained through torture.

    Perhaps it will be illustrative to take the computer out of it, since we tend to get distracted by the technology. To me it seems pretty clear that if someone is arrested carrying a letter that was encoded with a cipher with information that may or may not be relevant to the case, that the person could not be compelled under law to explain how to decrypt the letter, whether to law enforcement or in court. Of course that couldn't stop the officials from attempting to break the cipher. But just because modern encryption is more difficult to crack than a hand cipher, I don't believe that changes the nature of the situation.

  • by crimguy ( 563504 ) on Saturday December 15, 2007 @03:14PM (#21710818) Homepage
    Since it's protected under the 5th Amendment, not only can it not ordered disclosed, it can't be commented on by the prosecutor if the defendant refuses to divulge it.
  • by Rick17JJ ( 744063 ) on Saturday December 15, 2007 @03:37PM (#21711046)

    What if someone actually did forged their long, complicated pass phrase? In that case, prosecutors would be trying to force someone to divulge a passphase that they don't even know.

    On several occasions, I have briefly played around with encryption programs and made an extra copy of unimportant stuff and then encrypted it. Since it was usually just for practice, I did not always bother writing the passphrase down on the sheet of paper which lists all my passwords and passphrases. I may have not always got around to deleting those encrypted practice files and they may still exist somewhere on one of my old hard disks or on a USB key or somewhere or in the box of CDs that I have burned. I would have no idea what the password or passphrase was for those old practice encryption files.

    I could easily imagine some prosecutor putting me in jail for not being able to come up with a passphrase to some old encrypted practice file. Then eventually, after getting out of jail, perhaps I would eventually find the passphrase on some old scrap of paper and they would discover that it was just an encrypted folder full of dozens of free 80 year old Gutenberg.net ebooks.

    A person, such as myself, who has have never actually bothered to use encryption on a routine daily basis, would someone who is most likely to forget their passphrase. Perhaps I should dispose of all my old hard disks or wipe all the data with Darik's Boot and Nuke [sourceforge.net] Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.

  • by Forbman ( 794277 ) on Saturday December 15, 2007 @04:25PM (#21711458)
    Imagine this scenario. Someone scans your HD. They find encryption telltales (like, say, .Net framework, pgp, etc.). They decide you might have encrypted files. They run 'strings' on every file that isn't a known binary file (i.e., .exe, .com, .dll, .bin, .mp3, .jpg, etc). They find a few files that strings doesn't like. Hmm... They might be encrypted. Maybe there are "magic" characters at the beginning of the file that indicate the file was protected by something like pgp.

    Suddenly, you're given a free flight to Kazakhstan [sp], to meet with Borat. Oh, yeah. you've now become a non-entity while they waterboard you to try to get your passphrase out of you.

    Like others have said, waterboarding is great for extracting a confession. Or, if you are so hard-core, they decide that they just need to kill you or let you rot in a hole somewhere far, far away.

    Or, less sinister, they just pass laws that say, "failure to surrender encryption keys or passphrases is determined by law to be an admission of guilt", just like not submitting to a breathalyzer or blood test is treated as admission of guilt in DUI in some states, which works just fine in a civil or administrative court. And conviction of certain civil or administrative crimes suddenly allows you to be tried later for new criminal laws where the administrative/civil judgments are used as justification to throw you into prison big time.

    But, they just might take the easy way out: while investigating certain crimes (child porn, white collar crime, conspiracy, "terrorism", etc.), discovery of encryption products on your computer results in automatic civil seizure and forfeiture of computer hardware.

    Well, anyone following instructions on MSDN can easily throw together programs that encrypt files using the encryption facilities in the .Net Framework, which is installed in one form or another on XP, Vista, et al...

Life in the state of nature is solitary, poor, nasty, brutish, and short. - Thomas Hobbes, Leviathan

Working...