Encryption Passphrase Protected by the 5th Amendment 537
Takichi writes "A federal judge in Vermont has ruled that prosecutors can't force the defendant to divulge his PGP passphrase. The ruling was given on the basis that the passphrase is protected under the 5th amendment to the United States Constitution (protection against self-incrimination)." The question comes down to, is your password the contents of your brain, or the keys to a safe.
But but but! (Score:4, Insightful)
If not anything else... (Score:5, Insightful)
Re:Interesting development (Score:3, Insightful)
Hmmm....
Well the government of Vermont can't at least.
Re:If not anything else... (Score:4, Insightful)
Re:If not anything else... (Score:4, Insightful)
Re:I was wondering... (Score:5, Insightful)
Quite the opposite. By giving the password the defendant may incriminate himself by opening files containing incriminating (and pertinent) information, but unknown to the government prior to that.
Re:Interesting development (Score:5, Insightful)
Re:Sad state. (Score:3, Insightful)
Re:I was wondering... (Score:5, Insightful)
Thank God...FINALLY, a score for US privacy rights...and upholding our Constitutional rights!!!
You just don't see that much any more.....
Re:Interesting development (Score:5, Insightful)
Hmmm....
Well the government of Vermont can't at least.
It was a Federal judge.
It was also probably not worth bothering the NSA with. I wouldn't take this to mean much of anything about how quickly the Feds can crack PGP.
Re:and the pedophiles rejoice (Score:3, Insightful)
Just like any other serious crime the police should be investigating it correctly and building a case without needing to look around the suspects' house first.
Re:I was wondering... (Score:5, Insightful)
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner. On the other hand I am relieved it has finally happened.
Re:I was wondering... (Score:3, Insightful)
You're saying "he can't be made to release incriminating files that are nothing to do with the case", while the poster you're replying to is saying "he can't be made to release incriminating files even if they are related to the case".
Re:This ruling is both good and bad... (Score:3, Insightful)
Re:I was wondering... (Score:4, Insightful)
Wanna bet? (Score:2, Insightful)
Any takers...?
write up at Volokh, by guys who are lawyers (Score:5, Insightful)
This case is a very interesting overlap between 4th Amendment "right to privacy" cases and 5th Amendment "right not to self-incriminate" cases. I personally think that if the government can't break the encryption to "prove" what is hidden from them, they have no right to force the owner to do their work for them. People have a right to keep stuff private, and if they've hidden it effectively, then tough shit for the cops.
I acknowledge that child porn is inherently harmful to the children involved, and that laws targeting possession of child porn are therefore valid so far as they aim to protect children by destroying the market for the exploitative and harmful material. And there is no first-amendment protection for child porn. But the cops still can't break into your house without a warrant just because they they think you have pictures of naked kids inside, and they can't wiretap your internet connection without a court order (heh, they can't LEGALLY, even though it's probably going on right now OMGHI2NSA). Those are 4th amendment rights. But the 5th amendment kicks in to say that even with a court order and a valid warrant, the cops in your house can't force you to tell them which floorboard is the loose one with the bloody knife hidden under it. If you refuse to tell them, they have to find it on their own-- and if they can't find it, they can't use it as evidence against you. That's exactly how the 5th amendment is supposed to work.
A police force with the power to compel self-incriminating testimony becomes the enemy of any citizen who wishes to lawfully express dissent with any policy of government. The 5th Amendment is the most powerful safeguard citizens have against confessions extracted via torture finding purchase in US courts.
From the decision itself (lifted from that post at Volokh Conspiracy), bolded emphasis is mine:
The spirit of the 5th amendment (Score:5, Insightful)
I always thought the 5th amendment served two main purposes:
1. Prevent the government from compelling individuals to confess (through torture, or other means).
2. Give weight to confessions by ensuring that they were not obtained through torture.
Perhaps it will be illustrative to take the computer out of it, since we tend to get distracted by the technology. To me it seems pretty clear that if someone is arrested carrying a letter that was encoded with a cipher with information that may or may not be relevant to the case, that the person could not be compelled under law to explain how to decrypt the letter, whether to law enforcement or in court. Of course that couldn't stop the officials from attempting to break the cipher. But just because modern encryption is more difficult to crack than a hand cipher, I don't believe that changes the nature of the situation.
Re:Wanna bet? (Score:1, Insightful)
Re:Horrible case law (Score:1, Insightful)
Using a warrant, They can still access the data on the machine, but at what point is the accused required to help Them interpret the data?
If They have a warrant, search my house, and find a notebook filled with writing that is obviously using some form of cipher, can I be compelled to decipher it for Them?
People who actually forget their passwords (Score:4, Insightful)
What if someone actually did forged their long, complicated pass phrase? In that case, prosecutors would be trying to force someone to divulge a passphase that they don't even know.
On several occasions, I have briefly played around with encryption programs and made an extra copy of unimportant stuff and then encrypted it. Since it was usually just for practice, I did not always bother writing the passphrase down on the sheet of paper which lists all my passwords and passphrases. I may have not always got around to deleting those encrypted practice files and they may still exist somewhere on one of my old hard disks or on a USB key or somewhere or in the box of CDs that I have burned. I would have no idea what the password or passphrase was for those old practice encryption files.
I could easily imagine some prosecutor putting me in jail for not being able to come up with a passphrase to some old encrypted practice file. Then eventually, after getting out of jail, perhaps I would eventually find the passphrase on some old scrap of paper and they would discover that it was just an encrypted folder full of dozens of free 80 year old Gutenberg.net ebooks.
A person, such as myself, who has have never actually bothered to use encryption on a routine daily basis, would someone who is most likely to forget their passphrase. Perhaps I should dispose of all my old hard disks or wipe all the data with Darik's Boot and Nuke [sourceforge.net] Of course, if there were indications that someone has recently used their encrypted partition, folders or files recently, that would be different. A recent time stamp on the file or folder would be one such clue.
Comment removed (Score:3, Insightful)
Re:Wanna bet? (Score:3, Insightful)
Re:I was wondering... (Score:3, Insightful)
Seems like a fair law to me.
Re:I was wondering... (Score:2, Insightful)
Re:A good ruling but... (Score:1, Insightful)
Re:Better use of a botnet? (Score:3, Insightful)
So, only 500 years instead of 1500.
(Also, even if the NSA did have a quantum computer--as I understand it, it would need as many Qubits as the key it's trying to crack. We're not anywhere close to breaking strong encryption from any published experiments. There's little reason to believe the government could actually do it.
Re:I was wondering... (Score:4, Insightful)
So if they can be compelled to testify against themselves, what methods
are appropriate for that? Nothing life-threatening, surely, but perhaps a bit
of waterboarding is in order?
Re:Better use of a botnet? (Score:3, Insightful)
Re:Interesting development (Score:5, Insightful)
If there is anything that you should have learned from reading all of those articles about quantum computing, is that it's friggin HARD. Any quantum device complicated enough to even be remotely useful in breaking encryption is many decades away. This is because it will take centuries of man hours and armies of graduate students in multiple fields to crack this nut. There still need to be tens of thousands of PhD's written on related topics before you can even dream of starting construction.
In order to have a secret working quantum computer, the US government would have had to have been actively working on the technology since long before traditional silicon computing took hold... hell, long before the idea of quantum computing for decryption even tickled our imaginations. They would have had to independently train a clandestine army of engineers and physicists that far outclassed our brightest minds in academia. These people would have had to replicate ALL of our modern advances decades earlier (which, btw. is not apparent from any other military technology). The resources required for a project like this are simply staggaring, and I estimate that the financial costs would have EASILY been in the trillions of dollars.
We certainly do spend enormous amounts of capital on military R&D in the USA, and there are many important technologies where the military is years ahead of commercial efforts. However from numerous projects that have bee declassified over the years, this advantage usually only involves the effective weaponization / improvement of currently existing/proven technologies. The military is only ahead in the little details of practical implementations, and not the fundamental scientific principles. In short, claiming the existence of some secret quantum computer is akin to claiming the US military had Joint Strike Fighters before the Wright brothers even made their first flight.
Re:I was wondering... (Score:1, Insightful)
Obvious to an intelligent person perhaps (Score:3, Insightful)
This is so painfully obvious that I'm somewhat concerned that it took so long for a judge to rule in this manner.
Obvious to you and I maybe, but Scalia, Roberts, Alito, and Thomas never met an unreasonable search.
If prosecutors can jail reporters indefinitely until they hand over their sources, how is it that much different for the government to imprison someone for not turning over their encryption keys? The only difference I see is one may incriminate someone else and the other may incriminate you.
Of course, the smart thing would be not to mount the encrypted drive when you're not using it. And for the police not to shut the device off until they've secured enough of the data to obtain a conviction. Otherwise it's hearsay. I could claim I saw the plans for a nuclear bomb on your computer. And if we're admitting hearsay then anyone could claim you had anything on your computer. Would that be compelling enough to make you hand over encryption keys to prove there's nothing incriminating on your computer?
Now we're getting into the territory of having an encrypted partition is probable cause. Just like having a pager or cell phone is probable cause for a vehicle search on a traffic stop. Sadly that's true, or used to be.
Makes the paranoid among us utilize hidden volumes. Some people go three or four layers deep. Keep something mildly incriminating in the normal layer and let them think that's the big prize. Try to take the water boarding for 30 or 40 seconds before you give it up to sell it.
When you put safety and security ahead of freedom there's no bottom to the privacy slide.
Re:Plausible deniability (Score:3, Insightful)
Re:I was wondering... (Score:4, Insightful)
If the warrant is to gain access to, for example "the twelve pornographic photographs known to be in the safe" that does not allow the investigators to also review the contents of all the accounting books also in the safe.
Since the original officers who looked at the images probably have no idea which files they were, I suspect that they will rifle through EVERYTHING in that drive if they had the opportunity, just to make sure they found the ones he saw.
By doing so they will likely find other things that may pose a problem to the owner of the drive the government now possesses, and US law has always said that one can't be made to incriminate themselves.
Very picky points, but in this case I actually think the judge may be right within very narrow confines.
(If the original investigator can remember the actual file names/paths, I suspect the defense could be asked to product THOSE files, but lacking that...)
--
Tomas
Re:Interesting development (Score:2, Insightful)
Re:Horrible case law (Score:3, Insightful)
No. This is about the most obviously correct court opinion I've ever heard of.
I get search warrants for the data on the machine. Therefore it should be held under the same rules as getting access to a safe or a house.
Right - you can get a warrant for a safe, but if they've moved the safe, you can't force them to tell you where it went.
someday my job wont be possible without good case law forcing defendants to give up encryption keys
Boo-hoo.
Problem is... there is usually a family fight long before law enforcement gets involved. This leaves the subject days to encrypt and clean any evidence he has.
And when someone commits a murder, they usually have time to ditch the gun. You still can't force them to tell you where it is.
We are completely understaffed, under-budgeted, and flooded with horrible crimes.
Yes, police need more money and fewer criminals. Write your representatives, ask for more funding, and tell them that terrorists and baby-rapers are getting away because you're too busy chasing potheads and hookers.
Plus, its not easy to get a search warrant. You need to satisfy probable cause in order for the judge to sign off on your warrant.
Where the hell do you think we live, the Police State of America?!?!? Yes, one government official has to convince another government official that he has a good reason to search or seize your stuff. My God, what a terrible burden - we might as well throw out "innocent until proven guilty", that can be difficult as well!
Re:I was wondering... (Score:5, Insightful)
You advocate punishing people for not confessing a crime?
Get a grip.
Re:Interesting development (Score:5, Insightful)
In case you still have no concept of how big this number is, there are estimated to be around 10^80 atoms in the universe, which is around 2^266. That means that each of your four billion computers is having try 2^1740 keys for every atom in the universe.
To put it another way: Let's assume each of your four billion computers is a few orders of magnitude faster than anything I know of and can try four billion keys a second, giving you a total of around 2^64 keys tried per second. This means you can do around 2^76 per day. At this rate (and don't forget that we are assuming that you have almost as many computers that are orders of magnitude faster than anything real as there are people in the world) it will take you 2^1972 days to do an exhaustive search (although on average it will only take you 2^1971 days to find the key). For those following at home, that's around 2^1962 years. For reference, the universe is approximately 13.7 billion years old, which is a shade under 2^34 years.
In summary, if every atom in the universe was a computer that ran orders of magnitude faster than anything we can build today, and it ran for the life of the universe to date, you would not be able to crack a single 2048-bit message. If, however, you have a quantum computer, then you might be able to.
Re:Interesting development (Score:3, Insightful)
I don't have any numbers on current top performance for testing keys, but let's assume that the Government has computers capable of trying one million keys per second. That being the case, you would need (2**2047) / (1000000 keys/s * 60 seconds * 60 minutes * 24 hours), or roughly 2**2010 computers to crack the key in one day.
For comparison, there are an estimated 10**80 or around 2**266 atoms in the observable universe.
Re:Horrible case law (Score:2, Insightful)
Your budgetary problems are not my concern. You will have to persuade your overlords to divert some of the billions you squander on victimless and consensual crime before I care to indulge your pleas.
It's not supposed to be easy to get a warrant. That's the point!
Re:I was wondering... (Score:3, Insightful)
I wish you were being ironic. But I fear you actually mean this.