You can be compelled to produce a physical key to a safe. However what if the contents of the safe are paper with text written in an invented language, known only to you?
Can you be compelled to translate them for the court?
What if they just contained numbers? Could you be forced to explain what the numbers mean?
I would conclude that such an action would violate the 5th ammendment.
Forcing her to decrypt the hard drive is the same thing.
Given a warrant, the police have the right to search her hard drive. If they can't understand what it says, she should not have to explain it to them.
Right now, they have no evidence. She is being compelled to produce evidence against her self.
Providing a physical key produces no evidence. It produces a key.
Providing a decrypted version of the data on the laptop is producing information. The contents of the laptop are such that they exhibit a high level of entropy. By definition, they are not information. If they did contain information, they would by definition not be encrypted.
Thus, the request is for the defendant in a criminal trial to replace something that is not information with something that is information. That is clearly a violation of the 5th ammendment.
Actually if you read the ruling, it states that they have a recording of a conversation, transcribed in the ruling, where she basically admits what they are looking for is on the laptop. They then use existing Vermont case law where some perv had child porn on his laptop that an officer and ICE agent witnessed before getting locked out of the laptop. The case law the judge quotes says "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion." So basically the established case law they are using is where they already knew for sure the perv's laptop contained the evidence they are looking for because they saw it firsthand. In this lady's case, they know the laptop contains the documents they are looking for because they have her recorded saying so. The judge states as much in the ruling: "There is little question here but that the government knows of the existence and location of the computer’s files."
So as much as people are freaking out about this, I don't think this is definitive case law that says the 5th amendment doesn't ever apply. The Vermont case and now the Colorado case both hinge on the government knowing that what they are looking for is on the encrypted drive because they saw it and have an admission to it respectively. This is what the ruling states in my opinion.
The 5th amendment may still apply if they don't know for sure the encrypted drive contains what they are looking for, that is to say they never saw the contents nor you admitted to it containing the contents which they seek.
This is an interesting case. From a civil liberties, card-carrying ACLU member standpoint, I'm all for the "anti" side of this - keep the gov't out.
On the other hand, there's a decent case made that establishing this kind of precedent would basically mean that if criminals are smart enough to use PGP, then that data can never be used against them. Since you can be compelled to turn over a physical key via due process, why can you not also be compelled to turn over a digital one?
Most of the privacy arguments vanish as well since they don't want the password (which could give them access to other things they're not supposed to have), but they just want the data.
why can you not also be compelled to turn over a digital one?
Because you may have forgotten it. It's likely you would not have had access to the hardware in the many months these things drag out. I know I've forgotten some complex passwords in a day or two.
Also, there may be an argument to be made that by demonstrating your knowledge of the password you are being forced to confess to ownership of whatever content is unlocked. Although the lock-and-key metaphor seems very attractive, it not necessarily the case that "decryption" equals "authentication".
Encryption is easy, authentication is the harder problem! There have been encryption products sold and used that did not provide effective authentication, i.e., someone who didn't know the key could tamper with the contents of the disk so that it decrypted to something else.
On the other hand, there's a decent case made that establishing this kind of precedent would basically mean that if criminals are smart enough to use PGP, then that data can never be used against them.
So now smart criminals will move to Truecrypt hidden volumes and claim there isn't any hidden volume. So now what do you do? Jail someone who might be telling the truth, or let him go?
This doesn't solve anything. Encryption is way past it.
My understanding of existing case law regarding safes is that you can be compelled to give up a key, as it is just physical property to which the state has right to request, but can not be compelled to give a combination, as that is just memory and would violate the fifth amendment. Just because cryptographers use the term "key" doesn't mean the should be treated as real keys. It seems obvious that a key/paraphrase is perfectly analogous to a safe combination.
They savy criminal argument doesn't pass constitutional muster.
You could say "allowing criminals to not testify against themselves could frustrate law enforcement because a savy criminal could just commit everything to memory."
The 5th ammendment clearly says "too bad, those are the rules."
Since you can be compelled to turn over a physical key via due process, why can you not also be compelled to turn over a digital one?
I know this is rare, but in my opinion it's best to reason about the digital world by explicitly ignoring any analogies to the real world. Rep. Watt said during the SOPA committee hearings that we need parallels in the virtual world to the physical world. I couldn't disagree more.
Okay, American hackers, here's your civil disobedience:
Go to a foreign country. Buy a flash drive. Set up two partitions; make one a small TrueCrypt bootstrap partition, configured to decrypt the second with a password. Random-wipe the second. (For insurance, you may wish to do this provably. Maybe use a publicly-accessible source of random data?)
Travel back across the border. When you are asked to decrypt your drive, inform the authority that you are unable to do so, since no password exists, and the data is utterly meaningless.
They will probably want you to provide some evidence of this. Refuse; insist that you cannot be required to prove that you have not done something wrong.
If all goes well, they'll arrest you for something. Then, call a lawyer.
Let's look a little bit further down the road, say 100 or 200 years. If the computer is implanted in my head, can you compel me to give you the data in it? What if the computer is made partly of cells? Just how tightly integrated do I have to be with the storage device before it's part of the private, protected sphere of my personal consciousness?
I don't mean to be frivolous. As we become ever more dependent on cloud storage and mobile devices as extensions of our memories and our capabilities, we're eventually going to have revisit the legal boundaries of our personhood.
My communications with my attorney are subject to attorney-client privilege. It's almost like the attorney is considered to be a subprocess of me when he is thinking about my problems. We correctly see it as being in the public interest to allow me to communicate with my attorney without hindrance. Why shouldn't my communications with myself be given the same privilege?
Well, governments can compel to collect DNA sampling from you now. Why not go further and compel to read your implanted chip? They can collect your recorded GPS location as evidence.
If I encrypt a letter by hand using, say, Caesar's cipher (despite how weak it is), could a court compel me (i.e. is there common law precedent in the US or elsewhere) to decrypt said letter? Surely there must be some precedent before we had computers and whatnot, right? This, after all, seems to be the closest-fitting analogy I can think of—both the "key to lock" and "privacy of mind" arguments seem to be stretching it.
Unless the reason they're using these analogies is that no one has ever brought a non-digital encryption case before a court, which would make sense as to why they're not consulting that precedent, but surely 230 years of US law and several times that of British law would bring up something...
There is precedent that a court can't compel you give up the combination to a combination lock, because it would be considered testimony. Seems to me that this falls under that precedent.
I used to think of moving to USA. I'm a pretty good programmer and it would've been nice to work in an American startup. When reading these news, about SOPA/PIPA, about the crazy amount of spying and control in the airports, about forcing to decrypt my laptop, I don't want to go there even for a holiday anymore. I'm happy here in Berlin and even though the salaries are half what I would get from Silicon Valley, the cost of living is also much lower.
>Dubois said that, in addition, his client may not be able to decrypt the laptop for any number of reasons. "If that's the case, then we'll report that fact to the court, and the law is fairly clear that people cannot be punished for failure to do things they are unable to do," he said.
So can everyone just claim they can't decrypt their drive because of <sort-of-plausible-excuse-here> ?
This should be cause for serious concern. There's often no way to prove that someone knows a key or pass-phrase. If a personal computer I've used for years has TrueCrypt at boot, perhaps a reasonable argument[1] could be made that I know the password. That's not true of a flash drive or an encrypted file on a shared computer.
If someone plants a safe in my house, I may be held in contempt for a while while it's drilled open. Properly encrypted data might withstand attacks for a lifetime or more.
[1] Best I can tell, it's possible for me to TrueCrypt encrypt your computer with only physical access. You wouldn't notice until next boot.
For anyone wondering what this might look like in practice, look up the Regulation of Investigatory Powers Act. There have been a number of prosecutions in the UK for failing to provide encryption keys, many of them resulting in imprisonment.
Notably, the first prosecution was of a paranoid schizophrenic man, who was moved to a secure psychiatric hospital during his prison sentence.
We have not yet had a test case regarding deniable encryption, but I imagine it will be only a matter of time.
Ceci n'est pas une pipe. Reasonable people are sophisticated enough to understand that there is a difference between using a sentence as a password, and believing that sentence to be true.
On a related note, I once looked into changing my middle name to an executable implementation of RSA, so that my passport would be a non-exportable munition. (No go.)
I'm a government-should-leave-reasonable-people-the-hell-alone libertarian and a crypto-is-the-shit kind of guy. I also think warrants for searches of encrypted media are totally legit, and think the hair splitting over "typing in the password without anyone seeing it" vs. "being compelled to dictate the password" is completely pointless.
1. Not every vocal Utterance qualifies as Testimony, and the only person who gets to self-identify with an encryption key is Whitfield Diffie, and that rule only applies after 3 bong hits -OR- when he's doing Salvia with Ron Rivest as his sitter. Your weasel card-skimming ass ain't no Whitfield Diffie.
2. If you leak enough inculpatory evidence outside your encrypted hard drive, such that the police are now holding a warrant for searching inside your encrypted hard drive, the jig is up, son! Shouldn't have leaked all that other guilt-stench, and should have plausibly-deniably deleted that evidence.
Isn't this one of the things TPMs are designed to defend you against? The TPM only releases the encryption key after the right password is entered, some number of wrong passwords cause a reset, and perhaps a single duress code instantly causes a reset? Once the TPM is erased, who's to tell if it wasn't just broken to begin with.
(Presumably serving an 18 month contempt sentence in a county jail is better than the 25-to-life in a maximum security federal prison you'd get if they saw the contents of your hard drive.)
Perhaps I don't understand some dynamic here, but what prevents someone from just stating that they no longer know the pass phrase? I thought that was more or less a free pass, as no one can prove what you do or don't remember. Hence why the phrase "I'm sorry, I don't recall that senator" is used so often when everyone knows they're lying.
The problem here is what are they going to find that ISN'T Illegal?
Everyone has cracked software, pirated movies, & torrents. Then there's content that isn't illegal but very personal: chat logs, email archives, contact lists, usernames & passwords, FTP info, master passwords to everything, OH and my entire life's worth of inventions and ideas. I'm not saying they'd steal them but remember, we're talking about the American Government here. The same one that can't account for billions of dollars in missing money. Lost 6.6 Billion in Iraq and doesn't know what happened to it. And doesn't know how or why a warehouse full of missiles in the middle east is empty. If that's how they treat their money and weapons, I wonder how they're going to treat my life's work. So...
Just use TrueCrypt to create a hidden volume on a flash drive or SD card, keep everything else un-encrypted. They won't even know it's there. I've got a 32 GB SD card just for this purpose, it's got all my project files on it, thunderbird portable, my entire collection of inventions and business ideas, my life's work basically. If anyone were to plug that card in, it would just read "card has not been formatted yet". I've got a backup of it as well.
If you have a hard drive full of torrented content or DVD rips that look like torrented content just make 2 TrueCrypt volumes, one that is visible (put some porn on it to simulate a "this is all I have hidden" excuse) and the other volume hidden (with all of your pirated content). They literally won't ever know it was there.
>Everyone has cracked software, pirated movies, & torrents
That's a bit of a leap, really.
Also, Truecrypt's deniable encryption here doesn't seem like it would help, since they're talking at the computer level. Presumably, a power on or hard drive password. Assuming there's only one volume, you put that one in and the attacker has the keys to the kingdom.
Besides that, most averages joes wouldn't go through this kind of trouble. If you're running in opposition to a ruling power who might, say, launch a missile at you from 30,000 feet while you're in foreign territory (not naming any names here), then you probably already know to cover your ass.
On the other hand, an average joe thinking that they're cute by giving up the password to the concealed volume will only land a contempt charge when the file access times are checked.
I'm curious what the courts would say when told that it is possible to have a hidden inner volume that is impossible to detect and when I hand over my key it may just be the outer containers, not the hidden inner container that I have unlocked.
A stupid idea: what if we passed a law making, say, knowing an encryption key illegal, with a $0.01 penalty per year? Then asking you for your encryption key would be asking you to provide self-incriminating testimony.
You don't need to do that - there's a decent argument to be made that forcing you to decrypt a drive is already forcing you to testify against yourself, in violation of the 5th Amendment.
If you're able to pass silly laws, wouldn't it be easier to just pass a law saying discovery can't compel people to divulge encryption keys kept only within their own head?
[+] [-] scottdw2|14 years ago|reply
Can you be compelled to translate them for the court?
What if they just contained numbers? Could you be forced to explain what the numbers mean?
I would conclude that such an action would violate the 5th ammendment.
Forcing her to decrypt the hard drive is the same thing.
Given a warrant, the police have the right to search her hard drive. If they can't understand what it says, she should not have to explain it to them.
Right now, they have no evidence. She is being compelled to produce evidence against her self.
Providing a physical key produces no evidence. It produces a key.
Providing a decrypted version of the data on the laptop is producing information. The contents of the laptop are such that they exhibit a high level of entropy. By definition, they are not information. If they did contain information, they would by definition not be encrypted.
Thus, the request is for the defendant in a criminal trial to replace something that is not information with something that is information. That is clearly a violation of the 5th ammendment.
[+] [-] steelaz|14 years ago|reply
Actually if you read the ruling, it states that they have a recording of a conversation, transcribed in the ruling, where she basically admits what they are looking for is on the laptop. They then use existing Vermont case law where some perv had child porn on his laptop that an officer and ICE agent witnessed before getting locked out of the laptop. The case law the judge quotes says "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion." So basically the established case law they are using is where they already knew for sure the perv's laptop contained the evidence they are looking for because they saw it firsthand. In this lady's case, they know the laptop contains the documents they are looking for because they have her recorded saying so. The judge states as much in the ruling: "There is little question here but that the government knows of the existence and location of the computer’s files." So as much as people are freaking out about this, I don't think this is definitive case law that says the 5th amendment doesn't ever apply. The Vermont case and now the Colorado case both hinge on the government knowing that what they are looking for is on the encrypted drive because they saw it and have an admission to it respectively. This is what the ruling states in my opinion. The 5th amendment may still apply if they don't know for sure the encrypted drive contains what they are looking for, that is to say they never saw the contents nor you admitted to it containing the contents which they seek.
[+] [-] tedunangst|14 years ago|reply
uh, the bits of a compressed file also exhibit a high level of entropy. Are compressed files not information either?
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] pi18n|14 years ago|reply
[+] [-] worldimperator|14 years ago|reply
[+] [-] Karunamon|14 years ago|reply
On the other hand, there's a decent case made that establishing this kind of precedent would basically mean that if criminals are smart enough to use PGP, then that data can never be used against them. Since you can be compelled to turn over a physical key via due process, why can you not also be compelled to turn over a digital one?
Most of the privacy arguments vanish as well since they don't want the password (which could give them access to other things they're not supposed to have), but they just want the data.
I'll be watching this one closely.
[+] [-] marshray|14 years ago|reply
Because you may have forgotten it. It's likely you would not have had access to the hardware in the many months these things drag out. I know I've forgotten some complex passwords in a day or two.
Also, there may be an argument to be made that by demonstrating your knowledge of the password you are being forced to confess to ownership of whatever content is unlocked. Although the lock-and-key metaphor seems very attractive, it not necessarily the case that "decryption" equals "authentication".
Encryption is easy, authentication is the harder problem! There have been encryption products sold and used that did not provide effective authentication, i.e., someone who didn't know the key could tamper with the contents of the disk so that it decrypted to something else.
[+] [-] icebraining|14 years ago|reply
So now smart criminals will move to Truecrypt hidden volumes and claim there isn't any hidden volume. So now what do you do? Jail someone who might be telling the truth, or let him go?
This doesn't solve anything. Encryption is way past it.
[+] [-] kinghajj|14 years ago|reply
[+] [-] scottdw2|14 years ago|reply
You could say "allowing criminals to not testify against themselves could frustrate law enforcement because a savy criminal could just commit everything to memory."
The 5th ammendment clearly says "too bad, those are the rules."
[+] [-] nitrogen|14 years ago|reply
I know this is rare, but in my opinion it's best to reason about the digital world by explicitly ignoring any analogies to the real world. Rep. Watt said during the SOPA committee hearings that we need parallels in the virtual world to the physical world. I couldn't disagree more.
[+] [-] shasta|14 years ago|reply
[+] [-] Cushman|14 years ago|reply
Go to a foreign country. Buy a flash drive. Set up two partitions; make one a small TrueCrypt bootstrap partition, configured to decrypt the second with a password. Random-wipe the second. (For insurance, you may wish to do this provably. Maybe use a publicly-accessible source of random data?)
Travel back across the border. When you are asked to decrypt your drive, inform the authority that you are unable to do so, since no password exists, and the data is utterly meaningless.
They will probably want you to provide some evidence of this. Refuse; insist that you cannot be required to prove that you have not done something wrong.
If all goes well, they'll arrest you for something. Then, call a lawyer.
[+] [-] geoffschmidt|14 years ago|reply
I don't mean to be frivolous. As we become ever more dependent on cloud storage and mobile devices as extensions of our memories and our capabilities, we're eventually going to have revisit the legal boundaries of our personhood.
My communications with my attorney are subject to attorney-client privilege. It's almost like the attorney is considered to be a subprocess of me when he is thinking about my problems. We correctly see it as being in the public interest to allow me to communicate with my attorney without hindrance. Why shouldn't my communications with myself be given the same privilege?
[+] [-] hobin|14 years ago|reply
...and then they get used to it.
[+] [-] ww520|14 years ago|reply
[+] [-] waiwai933|14 years ago|reply
Unless the reason they're using these analogies is that no one has ever brought a non-digital encryption case before a court, which would make sense as to why they're not consulting that precedent, but surely 230 years of US law and several times that of British law would bring up something...
[+] [-] learc83|14 years ago|reply
[+] [-] pimeys|14 years ago|reply
And I'm not alone.
[+] [-] grecy|14 years ago|reply
So can everyone just claim they can't decrypt their drive because of <sort-of-plausible-excuse-here> ?
[+] [-] kogir|14 years ago|reply
If someone plants a safe in my house, I may be held in contempt for a while while it's drilled open. Properly encrypted data might withstand attacks for a lifetime or more.
[1] Best I can tell, it's possible for me to TrueCrypt encrypt your computer with only physical access. You wouldn't notice until next boot.
[+] [-] aaronblohowiak|14 years ago|reply
Just like using an IP address as identification of a person.
[+] [-] jwhitlark|14 years ago|reply
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] rsl7|14 years ago|reply
[+] [-] mcritz|14 years ago|reply
If it’s good enough for Bob McFarlane and Alberto Gonzales, it’s good enough for regular Americans, too!
[+] [-] jdietrich|14 years ago|reply
Notably, the first prosecution was of a paranoid schizophrenic man, who was moved to a secure psychiatric hospital during his prison sentence.
We have not yet had a test case regarding deniable encryption, but I imagine it will be only a matter of time.
[+] [-] ryanwaggoner|14 years ago|reply
"I shot the sheriff."
Then you could claim that supplying your password would constitute self-incrimination, and so you'd like to invoke your 5th Amendment rights :)
[+] [-] geoffschmidt|14 years ago|reply
On a related note, I once looked into changing my middle name to an executable implementation of RSA, so that my passport would be a non-exportable munition. (No go.)
[+] [-] tedunangst|14 years ago|reply
"Prosecutors in this case have stressed that they don't actually require the passphrase itself"
[+] [-] ComputerGuru|14 years ago|reply
[+] [-] noblethrasher|14 years ago|reply
[+] [-] feralchimp|14 years ago|reply
1. Not every vocal Utterance qualifies as Testimony, and the only person who gets to self-identify with an encryption key is Whitfield Diffie, and that rule only applies after 3 bong hits -OR- when he's doing Salvia with Ron Rivest as his sitter. Your weasel card-skimming ass ain't no Whitfield Diffie.
2. If you leak enough inculpatory evidence outside your encrypted hard drive, such that the police are now holding a warrant for searching inside your encrypted hard drive, the jig is up, son! Shouldn't have leaked all that other guilt-stench, and should have plausibly-deniably deleted that evidence.
[+] [-] eck|14 years ago|reply
[+] [-] gte910h|14 years ago|reply
[+] [-] jrockway|14 years ago|reply
(Presumably serving an 18 month contempt sentence in a county jail is better than the 25-to-life in a maximum security federal prison you'd get if they saw the contents of your hard drive.)
[+] [-] ComputerGuru|14 years ago|reply
[+] [-] Steko|14 years ago|reply
http://news.ycombinator.com/item?id=2693599
'TrueCrypt User Held in Contempt of Court (truecrypt.org) "
[+] [-] trotsky|14 years ago|reply
[+] [-] ChrisNorstrom|14 years ago|reply
Everyone has cracked software, pirated movies, & torrents. Then there's content that isn't illegal but very personal: chat logs, email archives, contact lists, usernames & passwords, FTP info, master passwords to everything, OH and my entire life's worth of inventions and ideas. I'm not saying they'd steal them but remember, we're talking about the American Government here. The same one that can't account for billions of dollars in missing money. Lost 6.6 Billion in Iraq and doesn't know what happened to it. And doesn't know how or why a warehouse full of missiles in the middle east is empty. If that's how they treat their money and weapons, I wonder how they're going to treat my life's work. So...
Just use TrueCrypt to create a hidden volume on a flash drive or SD card, keep everything else un-encrypted. They won't even know it's there. I've got a 32 GB SD card just for this purpose, it's got all my project files on it, thunderbird portable, my entire collection of inventions and business ideas, my life's work basically. If anyone were to plug that card in, it would just read "card has not been formatted yet". I've got a backup of it as well.
If you have a hard drive full of torrented content or DVD rips that look like torrented content just make 2 TrueCrypt volumes, one that is visible (put some porn on it to simulate a "this is all I have hidden" excuse) and the other volume hidden (with all of your pirated content). They literally won't ever know it was there.
[+] [-] Karunamon|14 years ago|reply
That's a bit of a leap, really.
Also, Truecrypt's deniable encryption here doesn't seem like it would help, since they're talking at the computer level. Presumably, a power on or hard drive password. Assuming there's only one volume, you put that one in and the attacker has the keys to the kingdom.
Besides that, most averages joes wouldn't go through this kind of trouble. If you're running in opposition to a ruling power who might, say, launch a missile at you from 30,000 feet while you're in foreign territory (not naming any names here), then you probably already know to cover your ass.
On the other hand, an average joe thinking that they're cute by giving up the password to the concealed volume will only land a contempt charge when the file access times are checked.
[+] [-] Simucal|14 years ago|reply
[+] [-] techiferous|14 years ago|reply
I don't have any of these. I'm not being contrary, just saying you should update your view that everyone has these things.
[+] [-] shasta|14 years ago|reply
[+] [-] patrickgzill|14 years ago|reply
[+] [-] cynwoody|14 years ago|reply
Of course, she could be lying, but how could they prove that?
[+] [-] meatmanek|14 years ago|reply
[+] [-] chimeracoder|14 years ago|reply
[+] [-] bdonlan|14 years ago|reply