Thursday, January 26th 2012
Possible Precedent: Accused Americans Can Be Forced To Decrypt Their Encrypted Data
The Fifth Amendment states that nobody may be "compelled in any criminal case to be a witness against himself." In other words, one has a right to avoid self-incrimination. It is therefore highly significant that Judge Robert Blackburn ordered a Peyton, Colorado woman accused of being involved in a mortgage scam to decrypt the hard disc drive of her Toshiba laptop no later than February 21. If not, she would face the consequences, including contempt of court. In a 10-page opinion, the judge wrote, "I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer."
The accused, Ramona Fricosu, is declining to decrypt the laptop, which has been secured with Symantec's PGP Desktop software, which is strong enough to thwart the FBI. She will appeal the ruling, perhaps because it appears that she may be unable to decrypt it for any number of possible reasons, according to her lawyer, which could technically get her off the hook, as people cannot be punished for not doing what they are physically incapable of doing. It's not yet clear what those 'reasons' are.
Requiring a defendant to give up their password is a thorny, unsettled legal issue, with judges in some cases agreeing that they shouldn't have to give up their passwords due to the Fifth Amendment and in other similar cases that they do, with law review articles arguing for either side over the last 15 years. This case might settle this question once and for all. It's important to note that the prosecutors in this case are not asking for the actual password, but simply expect the defendant to type it into the laptop in order to decrypt its contents, which might be the key to getting their way.
So, let's look at this from the defendant's point of view, assuming that the order to decrypt stands and they have actually done what they're accused of. They would be in a lose-lose situation, since they would get punished whether they reveal the decrypted contents or not. What they now have to decide is which option causes them to lose less. In the UK, you can be jailed for two years for not decrypting data when demanded, which might actually be a good compromise for a crime that carries a hefty sentence of say, 10 years or so. Plus, they get the dubious satisfaction of having thwarted the authorities, which might be priceless to them.
There's more detail and analysis on this story over at c|net.
96 Comments on Possible Precedent: Accused Americans Can Be Forced To Decrypt Their Encrypted Data
Why not just get the husband to provide the password and if he doesn't, incarcerate him :nutkick:
At the end of the day I feel it should go like this -
The Court: "If you don't give us your password you go to jail"
The Defendant - "I forgot it"
The Court - "ok, we can't prove you didn't - you are free to go"
...the thing is, a petty case like this doesn't exactly qualify for those kinds of resources...
For example, the energy required to flip the bits inside an electronic computer has been calculated and the results speak for themselves: trillions of strong keys a second would require something akin to a large nuclear reactor's energy to be expended inside said computer in order to achieve this. Just imagine the cooling solution. Moreover, breaking a 4096-bit key would require more energy than the sun would provide over its entire lifetime. One single key.
Just saying.
If we KNOW there is a file with certain properties on the disk, all we need to do is to find it. Once we find it, we have a significant portion of the key.
For example, we KNOW there is an operating system on the hard drive, and we KNOW we can read the disk in a program byte by byte.
No matter what you do to certain files they can't be compressed, only rearranged. So we start with a file like autoplay.dll, we know where it resides, its size for the OS installed, and what it is byte for byte as we can compare it.
Compare it with byte by byte sectors of the HDD, just like an anti-virus scan looks for files, except the beautiful things called rainbow tables are the anti-virus definitions. Once found all we need to do is put it back together in the correct sequence and we then have a part of the key used. In almost any sort of encryption system the storage key is one of one, with a partial of a master key that authorizes the rest of the key to be verified, without it all you would have to do is a dump state when the keys were compared as the actual key would be loaded during that process.
There is no "stored" decryption key. The password(s) are input into the algorithms to create keys, hashes and salts, and are run against the encrypted file. Wrong password(s) and decryption fails.
There are, however, shortcuts that allow decryption methods and keys to be ascertained in a LOT less time than "brute force".
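An added illustration, not part of any comment above and not PGP Desktop's actual on-disk format: a sketch of how a passphrase is stretched into a key that unlocks a randomly generated volume key, so that the disk holds only a salt, a wrapped key and an integrity tag. The function names, the iteration count and the XOR-based wrap (a stand-in for a real key-wrap cipher) are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; each passphrase guess costs this much


def _derive(passphrase: str, salt: bytes):
    # Stretch the passphrase into 64 bytes: 32 for wrapping, 32 for the MAC.
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=64)
    return kek[:32], kek[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_header(passphrase: str):
    """Return (header stored on disk, volume key held only in memory)."""
    salt = os.urandom(16)
    volume_key = os.urandom(32)        # random key that encrypts the sectors
    enc_key, mac_key = _derive(passphrase, salt)
    wrapped = _xor(volume_key, enc_key)  # toy wrap, used once per salt
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}, volume_key


def unlock(header: dict, passphrase: str) -> Optional[bytes]:
    """Return the volume key, or None when the passphrase is wrong."""
    enc_key, mac_key = _derive(passphrase, header["salt"])
    expected = hmac.new(mac_key, header["salt"] + header["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None                    # wrong passphrase: nothing is released
    return _xor(header["wrapped"], enc_key)


if __name__ == "__main__":
    header, key = create_header("constructed sample passphrase")
    print("right passphrase unlocks:",
          unlock(header, "constructed sample passphrase") == key)
    print("wrong passphrase unlocks:", unlock(header, "guess") is not None)
    print("raw key present in header:", key in header.values())
```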
full story
They ruled in pretty much the common sense way and the way I thought was correct in my earlier posts.
Virtually any court will rule the same as 11th for the reasons the 11th ruled the way it did: forcing to decrypt evidence is the same as forcing testimony which is illegal.
It says the 10th court did hear the case and compelled her to produce the password. The case in the 11th court was a different case.
"In previous cases, the courts have held that when the government already knows of the existence of specific incriminating files, compelling a suspect to produce them does not violate the Fifth Amendment's rule against self-incrimination. On the other hand, if the government merely suspects that an encrypted hard drive contains some incriminating documents, but lacks independent evidence for the existence of specific documents, then the owner of the hard drive is entitled to invoke the Fifth Amendment."
There may be a precedent already regarding this, as many cases have compelled defendants to reveal passwords before.
Things like this make sense
"For example, in 2006, a border guard in Vermont examined the contents of a traveler's laptop and found several files that appeared to be child pornography. But when the laptop was closed, the portion of the hard drive containing these files was automatically encrypted, and the government sought to compel the suspect to decrypt the files again. The court ruled that because a government agent had already seen specific incriminating files, compelling the suspect to produce those same files did not violate the Fifth Amendment's privilege against self-incrimination."
The thing is she might have some files that are evidence against her but a computer has many types of files and purposes which is why it is an invasion of privacy and why they are probably appealing. Else if they have a warrant she is supposed to let them "in".
For example, even if you never did anything illegal on your computer, how embarrassed would you be if someone seized your computer and rifled through all your browser history, emails, instant message logs, applications, documents, music, and pictures?