A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.
In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.
"Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent," Sessions wrote in an opinion last week, referring to Homeland Security's Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn't access the Z: drive when they tried again nine days after Boucher was arrested.
Boucher's attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.
The Fifth Amendment says nobody can be "compelled in any criminal case to be a witness against himself," which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.
Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over "passwords used or associated with" the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.
At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.
Barry Steinhardt, director of the ACLU's technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher "should have been able to assert his Fifth Amendment rights. It's not the same thing as asking him to turn over the Xeroxed copy of a document."
"There is no distinction" between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. "Either of those things results in an encrypted set of files being brought into plain view."
Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn't know where the incriminating files are, or second, if turning them over would "implicitly authenticate" them.
Because the Justice Department believes it can link Boucher with the files through another method, it's agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)
Sessions wrote: "Boucher's act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication."
The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.
Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography." Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested.
It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP Corp. sells software, including whole disk encryption and drive-specific encryption, that can be configured to forget the passphrase after a period of inactivity. The data on disk is encrypted the whole time; what the timeout, or a shutdown, discards is the key held in memory, which leaves the Z: drive inaccessible again until the passphrase is re-entered. That is why the drive was readable at the border and locked nine days later.)
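The passphrase-timeout behaviour described above is what turned the case: the files are never decrypted on disk, only the key derived from the passphrase sits in memory, and once it is dropped (by timeout, an explicit lock, or a shutdown) nothing but the passphrase brings the contents back. The following is an added illustration written for this page, not PGP's code or the software involved in the case; the PBKDF2 key derivation, the HMAC-SHA256 keystream that stands in for the real disk cipher, the verifier label, the names and the timeout values are all assumptions.

```python
import hashlib
import hmac
import time

# Added illustration, not PGP's code. Models a passphrase-unlocked volume
# whose derived key is cached only for a limited time and then wiped.

KDF_ITERATIONS = 100_000          # assumed PBKDF2 work factor
CHECK_LABEL = b"volume-check"     # assumed label for the passphrase verifier


def derive_key(passphrase: str, salt: bytes) -> bytearray:
    """Derive a 256-bit volume key from the passphrase (PBKDF2-HMAC-SHA256)."""
    return bytearray(hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                         salt, KDF_ITERATIONS, dklen=32))


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for the real disk cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(bytes(key), block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def wipe(buf: bytearray) -> None:
    """Overwrite key material in place before dropping the reference."""
    for i in range(len(buf)):
        buf[i] = 0


class EncryptedVolume:
    """Ciphertext stays on 'disk'; only the cached key makes it readable."""

    def __init__(self, passphrase, plaintext, salt=b"constructed-salt",
                 cache_ttl=60.0, clock=time.monotonic):
        self.salt = salt
        self.cache_ttl = cache_ttl        # seconds of inactivity before the key is dropped
        self.clock = clock                # injectable so the timeout can be simulated
        key = derive_key(passphrase, salt)
        self.ciphertext = xor_bytes(plaintext, keystream(key, len(plaintext)))
        self.check = hmac.new(bytes(key), CHECK_LABEL, hashlib.sha256).digest()
        wipe(key)
        self._key = None
        self._expires_at = 0.0

    def unlock(self, passphrase: str) -> None:
        key = derive_key(passphrase, self.salt)
        candidate = hmac.new(bytes(key), CHECK_LABEL, hashlib.sha256).digest()
        if not hmac.compare_digest(candidate, self.check):
            wipe(key)
            raise ValueError("wrong passphrase")
        self._key = key
        self._expires_at = self.clock() + self.cache_ttl

    def lock(self) -> None:
        """Explicit lock, the same path a shutdown takes: the key is gone."""
        if self._key is not None:
            wipe(self._key)
        self._key = None

    def is_unlocked(self) -> bool:
        if self._key is not None and self.clock() >= self._expires_at:
            self.lock()                   # timeout reached: discard the cached key
        return self._key is not None

    def read(self) -> bytes:
        if not self.is_unlocked():
            raise PermissionError("volume locked; passphrase required")
        self._expires_at = self.clock() + self.cache_ttl   # activity extends the cache
        return xor_bytes(self.ciphertext, keystream(self._key, len(self.ciphertext)))


class FakeClock:
    """Constructed clock so the walkthrough can jump forward in time."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def walkthrough():
    """Inspection while the key is cached, then a second attempt nine days later."""
    clock = FakeClock()
    vol = EncryptedVolume("correct horse battery staple", b"contents of Z: drive",
                          cache_ttl=600.0, clock=clock)
    vol.unlock("correct horse battery staple")      # owner typed the passphrase earlier
    at_inspection = vol.read()                      # readable while the key is cached
    clock.advance(9 * 24 * 3600)                    # nine days later
    try:
        vol.read()
        later = "readable"
    except PermissionError:
        later = "locked"
    try:
        vol.unlock("guess")
        wrong = "accepted"
    except ValueError:
        wrong = "rejected"
    return at_inspection, later, wrong
```

The forensic lesson is in `walkthrough()`: the window in which the volume can be read is exactly the lifetime of the cached key, so an examiner who wants the plaintext has to image or copy it while the machine is still running and unlocked. Nothing is "re-encrypted" afterwards; the ciphertext never changed, and a wrong passphrase is rejected by the verifier without ever producing a key.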
Commerce Secretary-designate Judd Gregg (center) speaks Tuesday at the White House, accompanied by Vice President Biden and President Obama.
(Credit: White House photo by Pete Souza)
Republican senator Judd Gregg on Tuesday officially became President Obama's nominee for secretary of commerce, bringing a pro-business and pro-law enforcement record to a cabinet position with significant influence over the new administration's technology policies.
In remarks at the White House, Obama called the New Hampshire senator "an outstanding addition to the depth and experience of my economic team, a trusted voice in my Cabinet, and an able and persuasive ambassador for industry who makes it known to the world that America is open for business."
A review of Gregg's actions as senator shows that his record on technology policy is mixed. His skepticism of Internet taxes and support for more H-1B visas has made him a frequent ally of the tech industry, but he was the first -- and only -- senator to call for a global ban on secure encryption products after the September 11, 2001 attacks.
The U.S. Department of Commerce oversees the administration's position on Internet regulation, the patent office, and tech-related standards, including, through the National Institute of Standards and Technology, the algorithms approved for digital signatures. Commerce's National Telecommunications and Information Administration calls itself the "president's principal adviser on telecommunications and information policy issues." In addition to its traditional involvement with Internet governance, NTIA is responsible for overseeing the coupon program for digital TV converter boxes.
Because Commerce oversees regulations relating to the Web posting and export of encryption code, Gregg's pro-surveillance views are causing a bit of nervousness in Washington circles. On the Senate floor on September 13, 2001, while the World Trade Center complex was still smoldering, Gregg said: "This is something that we need international cooperation on and we need to have movement on in order to get the information that allows us to anticipate and prevent what occurred in New York and in Washington."
Gregg said that encryption makers "have as much at risk as we have at risk as a nation, and they should understand that as a matter of citizenship, they have an obligation" to include decryption methods for government agents. Gregg, who previously headed the appropriations subcommittee overseeing the Justice Department, then told the Associated Press he was writing legislation "to give our law enforcement community more tools."
That proposal echoed legislation approved by one House of Representatives committee four years earlier, which would have made it a felony to distribute or sell encryption products unless they provided police with "immediate access to plaintext." That would have prohibited the distribution of Web browsers with built-in SSL encryption, operating systems with disk encryption, and software using standard Internet protocols including IPsec and SSH.
A month later in October 2001, without explanation, Gregg abandoned the legislation he was drafting.
"We are hopeful that as Commerce Secretary, Sen. Gregg will not revive the discredited idea of limiting the use of strong encryption," Greg Nojeim, senior counsel at the Center for Democracy and Technology, said on Tuesday. "Requiring a backdoor in encryption systems to help the government conduct surveillance would create vulnerabilities that would ultimately make us less, not more, secure."
A friend of the business community
In other areas and in other ways, though, Washington representatives of the high tech industry say Gregg is a solid choice.
The Business Software Alliance said the senator "has the potential to be an outstanding Secretary of Commerce." The Information Technology Industry Council said: "He has been a strong proponent of opening overseas markets to U.S. exports, he backed a permanent R&D tax credit and has voted favorably on litigation reform."
Gregg has been a friend of the business community, receiving a cumulative score of 88 percent in the U.S. Chamber of Commerce's most recent congressional scorecard. (By comparison, Obama received a 42 percent rating, and Vice President Joe Biden a mere 35 percent.) On CNET's 2008 scorecard that rated a broader range of votes including ones relating to gambling and wiretaps, Gregg received a 50 percent.
He has been a champion of eliminating any limits on H-1B "guest worker" visas, telling Microsoft's Bill Gates in 2007 that he "agreed 100 percent" that there should be no limits on them. Gregg acknowledged that his colleagues would not be inclined to support such a radical proposal; he introduced legislation last year raising the limit on H-1B "guest worker" visas from 65,000 to 115,000 and the advanced-degree exemption to 30,000 visas for the next three years.
Gregg has also suggested making it illegal to sell someone's Social Security number without their consent, and has consistently supported efforts to restrict Internet taxes.
The news of Gregg's nomination comes a day after the Senate confirmed Eric Holder as attorney general. Holder supported laws mandating Internet traceability, limits on domestic use of encryption, and restrictions on free speech online; during his confirmation hearing last month he said the president has inherent wiretapping and surveillance authority that "cannot be infringed by the legislative branch."
CNET's Stephanie Condon contributed to this report
By Declan McCullagh and Stephanie Condon
Before the World Trade Center and Pentagon attacks, President Bush focused more on technology. In this photograph from less than two weeks before September 11, 2001, he was announcing a relaunch of Whitehouse.gov.
(Credit: Declan McCullagh)
News analysis
Months after being sworn in as president, George W. Bush sat down with reporters and his wife, Laura, for a technology-themed event: a relaunch of the Whitehouse.gov Web site, which previously had been rather dilapidated.
Bush and his aides proudly demonstrated the new features, including photo essays, better access for the disabled, and a kids' area with details about the First Pets. The president said the Web site would let Washington become "more accessible" and let Americans "participate in the process."
Less than two weeks later, the World Trade Center and Pentagon were attacked, the White House shifted to a wartime footing, and Bush never looked back. Instead of a presidency that might have become known for its technology policies--Bush was, remember, a businessman in Texas--he leaves Washington this week amid controversies involving the Iraq war, torture, wiretapping, an economic crisis and bailouts, and a doubled federal debt.
The 43rd president leaves behind a technology legacy characterized less by intent than by casual neglect. Bush and (especially) Vice President Dick Cheney and Attorney General Alberto Gonzales were adamant in their defense of warrantless wiretapping, and made it a priority of their administration. "The president has the inherent authority under the Constitution, as commander-in-chief, to engage in this kind of activity," Gonzales said in 2005 after details became public.
Yet wiretapping and its cousins such as monitoring financial transactions were the exception, not the rule. On more routine, humdrum topics, the White House seemed happy to defer to Congress or to its appointees in various federal agencies, rather than use the authority of the president to focus attention on certain tech topics--something President Bill Clinton regularly did to applause from Silicon Valley firms, whose executives would rarely turn down an invitation to the White House.
That apparent neglect occasionally led to embarrassing results, such as the Bush administration acknowledging last month that it opposed a spectrum plan backed by Kevin Martin, Bush's own appointee who heads the Federal Communications Commission. Bush's Federal Trade Commission warned that Net neutrality regulations would be dangerous, as did the Justice Department; but the FCC went ahead anyway and now is trying to defend its actions in court.
For his part, Bush has stressed that September 11, 2001, was what changed his priorities and his views.
"This evening, my thoughts return to the first night I addressed you from this house--September the 11, 2001," Bush said in his farewell address to the nation last week. "As the years passed, most Americans were able to return to life much as it had been before 9/11. But I never did."
(It may be a little too facile to attribute a near-complete policy shift to that date. There is some evidence that the National Security Agency's wiretapping program began immediately after Bush took office in 2001; a lawsuit filed by Qwest Communications' former chief executive says that he was approached by the NSA at that time, and another lawsuit makes similar allegations involving AT&T.)
The administration's broad claims of expansive executive power and an Iraq occupation that's lasted longer than World War II--coupled with massive deficits and a ballooning federal bureaucracy--eventually estranged some Silicon Valley Republicans who once were Bush loyalists. Venture capitalist Tim Draper chaired three Bush fundraisers circa 2000; last year he gave the legal maximum to President-elect Barack Obama.
"It's good to have a fresh face," Draper said in a recent interview. "At least from the press, we've seen about six years of fear. I'd like to see six years of opportunity and what that could do for our country, and I think that might happen with Obama."
What could, perhaps, have been a Reaganesque technology agenda founded on free market principles with an emphasis on free trade and immigration reform shifted focus to security and surveillance, especially with the creation of the U.S. Department of Homeland Security in November 2002.
"The Bush administration was largely AWOL on technology policy," said Ed Black, president and CEO of the Computer and Communications Industry Association, a technology trade association that supports antitrust regulation and counts Oracle, Red Hat, and Sun Microsystems as members. "It was always an afterthought."
The Bush White House got off to a strong start by revamping Whitehouse.gov and launching the President's Council of Advisors on Science and Technology in 2001.
Yet even with the new White House Council, the lack of technology expertise within the administration was apparent from the beginning, said Black, who is listed as giving money to Hillary Clinton, Bill Richardson, and the Democratic Congressional Campaign Committee, but no Republicans.
"There were only a handful of people who by and large were the administration's technology people," he said. "In some cases, while they were fine people, they lacked the clout to make a big difference."
In many ways, a laissez-faire approach
On the other hand, the Bush administration's relatively laissez-faire approach when it came to Internet regulation turned out to be good for business. Bush opposed Internet taxes, though he spent little political capital on the topic. He expended more when supporting immigration reform, even when it put him at odds with conservative members of his own political party.
"Generally, the technology industry has flourished under the Bush administration," said Gary Shapiro, president of the Consumer Electronics Association, the organization that stages the annual Consumer Electronics Show. "It's a legacy of those who came before as well that the U.S. has managed to attract virtually every major company based around the Internet. All of these companies have been in the United States because of U.S. policy and creativity."
One early flashpoint came after a federal appeals court in Washington, D.C., ruled that U.S. District Judge Thomas Penfield Jackson's attempt to break up Microsoft could not stand. Jackson had, in violation of judicial ethics rules, invited favored reporters into his chambers for private chats about the perfidy of Microsoft executives--typically likening them to gangland killers and stubborn mules who should be walloped with a 2-by-4.
The appeals court's ruling overruled Jackson, tossed out his breakup order, and concluded that Microsoft had not illegally "tied" the browser or tried to monopolize the browser market to the detriment of Netscape Navigator. That left the new Bush administration with less antitrust ammunition, and it settled the case a few months later.
Liberal critics of the administration, however, blamed the settlement on a political philosophy hostile to expansive antitrust claims. They found even more to complain about in a series of FCC-approved telecommunications mergers that took place during the Bush administration, including the merger between AT&T and BellSouth, Verizon and MCI, and SBC Communications and AT&T. (For its part, the White House characterizes itself as having "pro-growth telecommunications policies.")
The free market principles of the Bush administration were extended globally, and "the focus on free trade has been the most principled and lasting legacy" of the Bush administration, Shapiro said.
Bush can claim as victories the Central American Free Trade Agreement and a trade deal with Peru. He managed to ink deals with Colombia and South Korea, but Congress did not ratify them. Although there was more emphasis on bilateral agreements than multilateral trade deals, Bush's push for free trade was significant for an industry that is thoroughly international, Shapiro said, and especially laudable given the growing anti-trade sentiment in the country, particularly in Democratic and union circles.
Stronger protections for intellectual property were put in place with the Prioritizing Resources and Organization for Intellectual Property Act. Copyright law tends to be relatively bipartisan: there's no reason to believe that a Democratic administration would have been any different. President Clinton signed the Digital Millennium Copyright Act (which was overwhelmingly approved by a bipartisan congressional majority) into law, and Obama has chosen the recording industry's favorite lawyer for a senior administration position.
"There's a gradual increasing respect in the developing world for IP, and I suspect that's a trend that will continue," Shapiro said.
Immigration policy in the Bush years, however, is largely seen as a disappointment from the tech perspective.
"National security concerns and a loss of focus on visas was disappointing for us," Shapiro said. "In terms of attracting the best people around the world, we know we're losing people to countries with less rigorous security processes."
While it was negotiating international agreements, the Bush administration could have done more to create an Internet climate optimal for Internet companies by supporting policies and legislation such as the Global Online Freedom Act, Black said.
"Increasingly, we've seen country after country use the power of the government to block sites and to make companies liable for doing those things," Black said. "The Internet was created by the U.S., and for the U.S. not to have been a forceful advocate of U.S. principles of openness was squandering an opportunity."
The administration's silence on the issue may have been influenced by its own defense of warrantless wiretapping, which left it little standing to lecture other governments about surveillance and censorship.
"We didn't do any work on (privacy policy) in the last eight years, and the work we did do nobody wants to keep, like the warrantless surveillance program," said James Lewis, a director and senior fellow at the hawkish Center for Strategic and International Studies. "9-11 knocked the privacy balance askew. There were things we needed to do (to ensure national security), but we never tackled them in a way that doesn't weaken privacy."
While the Bush team was collecting information on its own, it did little to stop the private sector from its own questionable data collection, said Jeff Chester of the Center for Digital Democracy, a liberal group that advocates more federal regulation.
The Federal Trade Commission essentially ignored "the greatest threat to privacy we've ever experienced," he said.
The ramifications of commercial data collection are evident in the financial meltdown of the past year, Chester said, given that many people fell prey to online targeting of questionable financial services.
On the other hand, the Justice Department did mount an aggressive challenge to Google's planned advertising deal with Yahoo, even going so far as to hire a well-known litigator for the job. Google walked away from the deal in November, citing antitrust concerns.
Cybersecurity
Homeland Security was supposed to mastermind the government's cybersecurity efforts, combining what had previously been the FBI's National Infrastructure Protection Center, the Defense Department's National Communications System, the Commerce Department's Critical Infrastructure Assurance Office, an Energy Department analysis center and the Federal Computer Incident Response Center. But six years later, the agency proved to be anything but efficient at that task, prompting calls to move the responsibility to the White House or the National Security Agency.
Homeland Security managed to pour $400 million into cybersecurity without coming up with a coherent "cybercrisis" plan. And in 2004, the Homeland Security Department was given a discretionary reserve fund of $5.6 billion for Project BioShield, part of the president's war on terror.
"You had this idea you could apply the tech-heavy solutions we used on the DOD side to fix what were seen as problems on the homeland security side," said Lewis, who chaired CSIS's Commission on Cybersecurity for the 44th Presidency. "The tendency in the U.S. is to spend a lot to reduce risk. We've been doing that since the 1950s, so this might have been the reaction (to September 11, 2001) no matter who was in office."
The tech industry can be grateful for one important Bush administration decision. It never resumed the legal assault on encryption software, including PGP and Web browsers, which the Clinton administration had escalated in the 1990s. Even after the September 11, 2001, attacks, when some Republican senators and think tanks were calling for domestic restrictions on encryption without backdoors for government surveillance, the White House never followed suit.
The White House points out that President Bush signed into law the largest federal R&D budget in history and funded programs like the $1.9 billion Networking and Information Technology Research and Development initiative.
Kei Koizumi, director of the R&D budget and policy program for the American Association for the Advancement of Science, noted that the Bush administration's support for R&D was strong in the first term but cut back substantially in the second term because of overall budget deficits. Large investments in war and a stated desire to cut domestic federal spending drained funds that could have gone to support the American Competitiveness Initiative, which was created to strengthen math, science, and foreign language education in the U.S.
"When you talk about a Bush legacy for science funding you have to talk about legacy for the federal budget," Koizumi said, "and by most accounts that's not great because of debt."
Bush's vision for NASA to carry out human exploration of the moon and Mars has also created a quandary for the agency, which lacks the funding for all of its goals.
"The unwritten legacy is NASA will have to squeeze, juggle, and cut its portfolio to keep doing nonhuman exploration, climate research, and work on the space shuttle," Koizumi said.
President-elect Barack Obama checks his BlackBerry while riding on his campaign bus in Pennsylvania last March.
(Credit: Pete Souza/Rapport Press)
Bill Clinton sent only two e-mail messages as president and has yet to pick up the habit. George W. Bush ceased using e-mail in January 2001 but has said he's looking forward to e-mailing "my buddies" after leaving Washington, D.C.
Barack Obama, though, is a serious e-mail addict. "I'm still clinging to my BlackBerry," he said in a recent interview with CNBC. "They're going to pry it out of my hands."
One reason to curb presidential BlackBerrying is the possibility of eavesdropping by hackers and other digital snoops. While Research In Motion offers encryption, the U.S. government has stricter requirements for communications security.
"Without more details I would have to say that putting sensitive or classified information on a BlackBerry is a risky proposition," said Greg Shipley, chief technology officer at Neohapsis, a governance, risk, and compliance consultancy.
Fortunately for an enthusiastic e-mailer-in-chief, some handheld devices have been officially blessed as secure enough to handle even classified documents, e-mail, and Web browsing.
The Sectera Edge, a combination phone-PDA that's been certified by the National Security Agency as being acceptable for Top Secret voice communications and Secret e-mail and Web sites.
(Credit: General Dynamics)
One is General Dynamics' Sectera Edge, a combination phone-PDA that's been certified by the National Security Agency as being acceptable for Top Secret voice communications and Secret e-mail and Web sites. Through three separate interchangeable modules, it works with Wi-Fi, GSM, or CDMA networks, and is dust-proof, waterproof, and rugged enough to survive repeated 4-foot drops onto concrete. Physically, it's a chunkier second cousin to the Palm Treo 750, though with an additional LCD display below the keyboard.
The price is $3,350 with a two-year warranty, a princely sum that's reflected in the Pentagon-worthy price tags for accessories: a simple adapter for a lighter plug costs $100. (Never again should you complain about how much your civilian analogue costs.)
The Sectera runs a mobile version of Microsoft Windows, including versions of Word, Excel, PowerPoint, and Windows Media Player. The NSA claims that the installed versions of Internet Explorer, WordPad, and Windows Messenger are good enough for data that's classified at a level of Secret. Presumably the federal spooks have found a way to protect IE from the numerous security flaws that continue to plague the Internet's most popular browser.
The NSA declined to comment on Monday.
L-3 Communications' Guardian, still in development, is similar, but sports a chunkier antenna and a slightly less conventional keyboard shaped like a V. It, too, runs Windows, boasts a stylus and QWERTY keyboard, supports desktop synchronization, and can be used on secure data plans with AT&T, Sprint, T-Mobile, and, internationally, Worldcell. Files stored locally are encrypted.
General Dynamics' C4 Systems boasts that the Sectera is rugged enough to survive repeated 4-foot falls onto concrete.
(Credit: General Dynamics)
Both PDA-phones owe their existence to a Defense Department project called SME-PED, meaning Secure Mobile Environment Portable Electronic Device. Because the SME-PED was explicitly designed to act as a classified-information-friendly replacement for a BlackBerry, it should be an easy switch for a President Obama.
That's assuming he still feels like e-mailing after Inauguration Day. Even though President Bush enjoys the same access to NSA-certified handhelds, he has never resumed his daily e-mail habit from the days when he went by the humble moniker of G94B@aol.com. (On January 17, 2001, Bush sent out this sad farewell: "Since I do not want my private conversations looked at by those out to embarrass, the only course of action is not to correspond in cyberspace. This saddens me. I have enjoyed conversing with each of you.")
At the time, Karen Hughes, one of Bush's closest aides, said that the president chose to abandon e-mail because of public records laws. That includes the Freedom of Information Act, or FOIA, and the Presidential Records Act of 1978.
Obama may find the convenience of wireless e-mail a pleasure difficult to give up. News reports during the presidential campaign described how he relied on his BlackBerry to bypass aides, which was even satirized by the Onion.
He checked e-mail during his daughter's football games, e-chatted with actress Scarlett Johansson, and before the New Hampshire primary told CNET News that the BlackBerry was his favorite gadget. On the other hand, Republican VP candidate Sarah Palin's e-mail breach is still within recent memory, as are the Bush White House's legal troubles stemming from the use of Republican National Committee e-mail systems.
"It's not just the flow of information," Obama said in the recent interview. "I mean, I can get somebody to print out clips for me, and I can read newspapers. What it has to do with is having mechanisms where you are interacting with people who are outside of the White House in a meaningful way. And I've got to look for every opportunity to do that--ways that aren't scripted, ways that aren't controlled, ways where, you know, people aren't just complimenting you or standing up when you enter into a room, ways of staying grounded."
Federal law does explicitly exempt from disclosure any "personal records" that do not relate to the president's official function. Those include electronic records that are "of a purely private or non-public character" and don't relate to official duties; the law lists diaries, journals, notes, and presidential campaign materials as examples. Similarly, FOIA prevents files from being released if the disclosure would significantly jeopardize "personal privacy."
In other words, Obama could choose to keep e-mailing judiciously, and trust his lawyers and the law to fend off overly nosy journalists and historians.
This secure PDA-phone from L-3 Communications is still being developed.
(Credit: L-3 Communications)
Wireless devices: What price convenience?
One thing that security experts can agree on is that despite RIM's efforts, a BlackBerry probably isn't up to the security standards for a leader of the free (or even unfree) world.
BlackBerrys can become infected with viruses that install spyware or turn the microphone on and record conversations, malware can be inadvertently downloaded, e-mail and text messages can be intercepted, and, of course, they can be lost or stolen, said Dan Hoffman, chief technology officer of SMobile Systems, which sells antivirus software for the devices.
The National Vulnerability Database, which is sponsored by the Department of Homeland Security's National Cyber Security Division, lists 14 vulnerabilities for BlackBerrys. Those include ways that a malicious attacker can install malware, and perhaps crash the device through a so-called denial of service attack.
It's not like snoopy computer utilities are difficult to find. Flexispy.com sells spyware that can be installed by someone with physical possession of a phone for 15 minutes. The creators boast that their software, once installed, can "bug a room or person" and "catch cheating husbands."
The U.S. government uses special ciphers for secret information and they use different data networks from the public data networks, said Phil Dunkelberger, chief executive of encryption provider PGP Corp. "Unless you're using point-to-point encryption technology...or the mail itself is encrypted, you would have exposure to people administering the network." And, on a related note, we know that Obama's cell phone records through Verizon were improperly accessed last year.
There's also the risk of someone tracking the coordinates of a BlackBerry through the device's built-in GPS or the carrier's ability to triangulate on the signal--something that police, for instance, claim they should be able to do without a search warrant or evidence of criminal activity. Bush White House aides say that security concerns prompted them to disable the GPS feature on their BlackBerrys.
James Atkinson, president of Granite Island Group, an engineering firm that helps the government protect classified networks and equipment, pointed this out as a possible security vulnerability. "You can identify where a person is without gaining access to the cell phone network just by the timing of the signals," Atkinson said. "You can identify who is sitting in which seat in a conference room from a couple thousand feet away."
Then again, it's not like the president of the United States and his entourage travel incognito that often.
If nothing else works, Obama can always turn to Bush for some tips. Not his immediate predecessor, but former President George H.W. Bush, a late-in-life convert to the joys of e-mail. Bush the Elder has been quoted as saying: "I'm what you might call a black belt wireless e-mailer."
CNET News' Elinor Mills contributed to this report.
Eric Holder, President-elect Barack Obama's pick for attorney general, drew applause from liberal Democrats earlier this year when he denounced the Bush administration's warrantless wiretapping program.
A review of Holder's public statements, speeches, and testimony when he was a top Justice Department official in the Clinton administration, however, reveals a more nuanced record on privacy. His remarks indicate support for laws mandating Internet traceability, limits on domestic use of encryption, and more restrictions on free speech online. He also called for new powers for federal prosecutors, some of which became law under President Bush as part of the USA Patriot Act.
Eric Holder (Credit: Covington & Burling LLP)
In some cases, Holder's statements echoed the position of Justice Department staff members or political appointees, many of whom clashed with civil liberties groups. In others, the former deputy attorney general seems to have gone further than his colleagues in advocating more powers for police.
As one of the Clinton administration's most knowledgeable spokesmen on Internet crime, surveillance, and intellectual property infringement, Holder immersed himself in these topics and frequently appeared on Capitol Hill to address them. He also adopted some positions that former Attorney General Alberto Gonzales and other Bush administration officials would echo for the next eight years.
In 1999, Holder said that "certain data must be retained by ISPs for reasonable periods of time so that it can be accessible to law enforcement." A few years later, Gonzales said that Internet service providers must retain certain data for a "reasonable amount of time," and asked Congress to make it mandatory.
"What you get in an attorney general is an attorney general, and that's someone who is going to work to increase the power of law enforcement," said Jim Harper, a policy director at the libertarian Cato Institute in Washington, D.C.
A spokesman for the Obama transition team did not respond to requests for comment on Monday.
After Gonzales' unceremonious departure from the Bush administration, attempts in Congress to compel Internet providers to help identify what their users were doing have flagged, but some industry sources expect the measure to be revived in a solidly Democratic Congress next year. (A Democrat was one of the first legislators to embrace the idea.)
Free speech and censorship
In terms of free speech and pornography, Holder's views also previewed, in some ways, what Bush's attorneys general would later propose.
In 1998, Holder talked about using federal obscenity law to crack down on porn Web sites featuring consenting adult performers. "Investigation and prosecution of Internet obscenity is particularly suitable for federal resources," Holder wrote in a memo. "Prosecution of cases involving relatively small distributors can have a deterrent effect."
That could have been lifted from what Attorney General John Ashcroft said a few years later: "The Internet is perhaps the most pernicious medium for obscenity. The Department of Justice is committed unequivocally to the task of prosecuting obscenity."
Because a federal law exists that targets obscenity, the Justice Department is generally required to enforce it. But department officials aren't required to suggest additional laws restricting Internet speech.
In 1999, Holder suggested that courts might find additional restrictions on sexually explicit material acceptable. He said: "It seems to me that if we can come up with reasonable restrictions, reasonable regulations in how people interact on the Internet, that is something that the Supreme Court and the courts ought to favorably look at." Five years later, Attorney General Gonzales reached the same conclusion, suggesting that one such reasonable restriction would be mandatory Web labeling.
Efforts to restrict encryption
Another privacy flash point in the 1990s was encryption, including whether to regulate exports, and whether the federal government should--or could--outlaw hardware and software without backdoors for the government.
By today's standards, the idea seems almost quaint: strong encryption is now built into every major operating system, including Microsoft Windows and OS X. Laws encourage corporations to encrypt sensitive data, and every modern Web browser uses strong encryption to secure credit card numbers being transmitted over the Internet.
But a decade ago, the Justice Department was deadly serious in its demands for built-in backdoors. One House of Representatives committee approved a bill banning encryption products (even Web browsers) without what was then known as "key escrow" or "key recovery." Meanwhile, Justice Department officials repeatedly made statements to the effect that law enforcement must "continue to have the same authority it has with the telephone" to access private communications even if they're scrambled.
Soon after Holder was confirmed as deputy attorney general in 1997, he selected an attorney called Robert Litt as his principal associate deputy. Litt had an unusual pedigree: he was the former partner of Clinton's personal attorney and someone who was dubbed a "partisan Democrat" by New York Times columnist William Safire.
Litt was already known in tech circles for telling Congress that, on the Internet, "not only do would-be terrorists have access to detailed information on how to construct explosives, but so do children." After Holder placed him in the new post, Litt told the Senate that the federal government was not seeking mandatory key escrow "at this time"--but argued that the U.S. Constitution nevertheless permitted it.
Rep. Zoe Lofgren, a California Democrat, asked Holder about encryption during a March 1998 hearing. She said, according to a transcript: "Does the Department of Justice or, to your knowledge, any other government agency, have plans to, through purchasing, to impose a domestic key recovery scheme on the United States?"
Holder did not say "No." Instead, he replied: "Our hope is that we can work with industry. We represent, obviously, law enforcement interests, and we think that there is a way in which we can come up with a solution that ultimately will be essentially acceptable to both sides."
"What he's saying is that government needs to have some sort of privileged access for encrypted information," said Cord Blomquist, a policy analyst and communications director at the nonpartisan Competitive Enterprise Institute. "Presumably the justification is that terrorists are communicating through encrypted messages and we want to listen in. Giving government privileged access to that is not only an attack on privacy, it's an attack on free speech itself."
That is not a uniform view. Marc Rotenberg, executive director of the Electronic Privacy Information Center, believes that Holder's past statements on encryption and surveillance "are fair topics to pursue at the nomination hearing."
But Rotenberg said any statements should be read narrowly and in context--suggesting that Holder may have been referring to data preservation after receiving a court order instead of preemptive data retention--and generally applauded his nomination. "Eric Holder is an outstanding public servant and would be a great attorney general, particularly after the last several years," Rotenberg said. "He is extremely well qualified, highly regarded, and has a deep commitment to the rule of law."
The American Civil Liberties Union declined to comment on Monday, saying it needed more than a few hours to review Holder's record and would prepare a full report. (When Bush announced Michael Chertoff's nomination to be Homeland Security Secretary, the ACLU did send out a press release the same day calling his nomination "worrisome.")
Another ambiguous statement came from Holder in 2000, when he warned that "a criminal using tools and other information easily available over the Internet can operate in almost perfect anonymity," apparently a reference to proxy services and disposable e-mail accounts.
Intellectual property piracy: "This is theft"
Less ambiguous were Holder's arguments for aggressive enforcement of U.S. intellectual property laws. In 1999, he joined the president of Adobe Systems at an event in San Jose, Calif., to announce that digital piracy had become a real problem and would become a "real priority" for the Justice Department.
"This is theft, pure and simple," Holder said at the time.
The Business Software Alliance, which counts Adobe Systems and Microsoft as members, applauded Holder's nomination this week. "He's smart, he's dedicated, open minded, he's very tenacious in pursuing the goals of the department," said BSA president Robert Holleyman. "We're very enthusiastic...He's a first rate choice."
Holleyman said he has no "concern" about Holder's previous restrictive views on encryption. "The way the debate has really shifted is increasingly technology is being used by cyber criminals for financially motivated crimes," he said. "I have complete confidence he'll be open-minded on how to best use technology."
Similarly, the U.S. Chamber of Commerce said in a blog post on Monday that: "Holder's selection offers the promise of not only greater enforcement of IP rights, but that a commitment to strong IP rights at home and abroad will be a hallmark of the Obama administration."
Since leaving the Justice Department, Holder has been a partner at the politically well-connected law firm of Covington and Burling. While there, he was hired by the Entertainment Software Rating Board to help fend off (PDF) aggressive federal regulators. He also was one of the attorneys representing Verizon (PDF) in its attempts to fend off a turbocharged subpoena from the recording industry that attempted to unmask a subscriber.
Proposed proto-Patriot Act in 1996
Another point of congruence between Holder and his successors can be found in his support for greater law enforcement surveillance powers during the Clinton administration. In early 2000, he asked Congress for a set of new laws, including granting police the ability to obtain nationwide court orders for telephone surveillance. Another targeted cyberstalking.
"We recognize the importance the public attaches to individual privacy, and any legislation must be carefully balanced to avoid unnecessary infringement on the privacy rights we hold dear in this country," Holder said.
Both of those proposals were signed into law by President Bush. The first became part of the Patriot Act. The second was glued onto a spending bill.
Salon.com columnist Glenn Greenwald views Holder as a "very positive step" for civil liberties, arguing that Holder publicly criticized the Bush Justice Department before many details surrounding the NSA spying program and Patriot Act implementation were even known, "and at a time when very few people were strongly criticizing Bush's executive power abuses." In 2004, Holder went on CNN and said that "I think the Patriot Act has been good," and would have been better if the Bush administration had not misused it. The Nation has called Holder's support of the Patriot Act "unsettling."
An article in the Christian Science Monitor published a few weeks before the Patriot Act became law in October 2001 said: "After the Sept. 11 attacks, the Bush administration proposed loosening many of these constraints on domestic spying as part of a broad antiterrorism bill submitted to Congress...The Clinton administration unsuccessfully proposed similar changes in 1996 and 1998, says former Deputy Attorney General Eric Holder."
"It's fair to assume that in (the Justice Department), the permanent staff has a permanent and constantly growing wish list of law enforcement goodies," said Harper, the Cato policy director. "It may help to educate liberals and progressives who believe that Eric Holder will magically roll back the department's aggression toward civil liberty."
CNET News' Stephanie Condon contributed to this report.
The U.S. Department of Homeland Security has concocted a remarkable new policy: It reserves the right to seize for an indefinite period of time laptops taken across the border.
A pair of DHS policies from last month say that customs agents can routinely--as a matter of course--seize, make copies of, and "analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States." (See policy No. 1 and No. 2.)
DHS claims the border search of electronic information is useful to detect terrorists, drug smugglers, and people violating "copyright or trademark laws." (Readers: Are you sure your iPod and laptop have absolutely no illicitly downloaded songs? You might be guilty of a felony.)
This is a disturbing new policy, and should convince anyone taking a laptop across a border to use encryption to thwart DHS snoops. Encrypt your laptop, with full disk encryption if possible, and power it down before you go through customs.
Here's a guide to customs-proofing your laptop that we published in March.
It's true that any reasonable person would probably agree that Customs agents should be able to inspect travelers' bags for contraband. But seizing a laptop and copying its hard drive is uniquely invasive--and should only be done if there's a good reason.
Sen. Russell Feingold, a Wisconsin Democrat, called the DHS policies "truly alarming" and told the Washington Post that he plans to introduce a bill that would require reasonable suspicion for border searches.
But unless Congress changes the law, DHS may be able to get away with its new rules. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine."
At a Senate hearing in June, Larry Cunningham, a New York prosecutor who is now a law professor, defended laptop searches--but not necessarily seizures--as perfectly permissible. Preventing customs agents from searching laptops "would open a vulnerability in our border by providing criminals and terrorists with a means to smuggle child pornography or other dangerous and illegal computer files into the country," Cunningham said.
The new DHS policies say that customs agents can, "absent individualized suspicion," seize electronic gear: "Documents and electronic media, or copies thereof, may be detained for further review, either on-site at the place of detention or at an off-site location, including a location associated with a demand for assistance from an outside agency or entity."
Outside entity presumably refers to government contractors, the FBI, and National Security Agency, which can also be asked to provide "decryption assistance." Seized information will supposedly be destroyed unless customs claims there's a good reason to keep it.
An electronic device is defined as "any device capable of storing information in digital or analog form" including hard drives, compact discs, DVDs, flash drives, portable music players, cell phones, pagers, beepers, and videotapes.
A team of computer scientists has published source code that can in some circumstances bypass encryption used in Microsoft's BitLocker and Apple's FileVault and be used to view the contents of supposedly secure files.
We reported in February on their research, which describes how the contents of a computer's memory could be dumped to a hard drive and the encryption keys forcibly extracted.
The source code includes tools for imaging the target computer's memory through USB and Netboot, and analyzing the memory image to extract AES and RSA encryption keys, even if they're partially degraded. It was published to coincide with the Last HOPE hacker conference over the weekend in New York, where research team member Jacob Appelbaum gave a presentation.
This collection of utilities will be of special interest to security researchers and computer forensics specialists in law enforcement or working for police. (A Justice Department conference that starts Monday, for instance, includes two panels on computer forensics.) It allows police to seize a computer with an encrypted volume mounted that may be asleep or locked with a screensaver, plug in a UPS, and eventually extract its memory and encryption keys.
If you're worried about this threat or the possibility of nosy border guards rummaging through your files, unmount your encrypted volumes when you're not using them or, better yet, completely power down your computer.
As more people use encryption--FileVault is built into all recent versions of OS X--finding ways to respond to it will become more of a challenge for law enforcement. In December, a federal judge ruled a man charged with transporting illegal images could not be forced to turn over his PGP pass phrase.
If you travel across national borders, it's time to customs-proof your laptop.
Customs officials have been stepping up electronic searches of laptops at the border, where travelers enjoy little privacy and have no legal grounds to object. Laptops and other electronic devices can be seized without reason, their contents copied, and the hardware returned hours or even weeks later.
Executives have been told that they must hand over their laptop to be analyzed by border police--or be barred from boarding their flight. A report from a U.S.-based marijuana activist says U.S. border guards browsed through her laptop's contents; British customs agents scan laptops for sexual material; so do their U.S. counterparts.
These procedures are entirely legal, according to court precedents so far. A U.S. federal appeals court has ruled that an in-depth analysis of a laptop's hard drive using the EnCase forensics software "was permissible without probable cause or a warrant under the border search doctrine." One lawsuit is seeking to force the government to disclose what policies it follows.
The information security implications are worrisome. Sensitive business documents can be stored in computers; lawyers may have notes protected by the attorney-client privilege; and journalists may save notes about confidential sources. Regulations like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and Gramm-Leach-Bliley may apply. A 2006 survey of business travelers showed that almost 90 percent of them didn't know that customs officials can peruse the contents of laptops and confiscate them without giving a reason.
Fortunately, you have some technological defenses against overly snoopy border agents. Keep reading for our easy-to-understand, Homeland-Security-inspired, color-coded News.com Guide to Customs-Proofing Your Laptop. (And no, we're not responsible if you end up cooling your heels in some Burmese prison for using PGP; check local laws and use good judgment.)
Let's assume you've already backed up your files before traveling in case your laptop gets seized for an indefinite period of time. The next thing to know is that merely setting an account password is insufficient.
Unless you use encryption, a customs agent can simply remove your laptop's hard drive, plug it into another computer, and peruse its contents. There are plenty of programs, including Guidance Software's EnCase Forensic, that let police extract every bit of data possible from that hard drive.
To guard against that, you can set aside a section of your computer's hard drive to be encrypted. This is the simplest approach because not all the files will be encrypted; the operating system itself and, in most cases, applications you use will remain unencrypted.
For Apple OS X users, FileVault does this by seamlessly scrambling the contents of your home directory (to enable, select the Security panel in Preferences and also click the "Use secure virtual memory" option). PGP sells volume encryption software for OS X and Windows. There's also the free TrueCrypt application, which runs on Windows Vista, Windows XP, OS X, and Linux.
Most people use encrypted volumes to do things like save sensitive files--think tax returns, bank and credit card statements, medical records, and so on.
But encryption isn't enough. Research published last month ("Lest We Remember: Cold Boot Attacks on Encryption Keys") demonstrates how encryption keys can be extracted from a laptop that's placed in sleep mode when the contents are retained in RAM. They haven't released the software to extract the contents yet, but it's not terribly difficult to write and you may not want to bet your privacy on government agencies being ignorant of this attack.
The solution is to let the contents of RAM decay by turning off your computer and letting it sit for a few minutes. A test they did showed that, after five minutes, the memory contents had completely disappeared and could not be retrieved.
Turning off your computer is especially important for OS X users, at least until Apple patches a security glitch that keeps account passwords in RAM. In the default configuration, the account password is the keychain password and yields passwords to wireless networks, Web sites, accounts accessed via SSH, network-mounted volumes, etc.
There's more. You'll want to delete cookies and browser-stored passwords for Web sites. Erase the cache and Web browsing history. Securely delete files not protected by the encrypted volume so they can't be undeleted at the border. Here are still more tips.
Another problem is that if customs agents have physical possession of your laptop and you can't see what they're doing, they can install spyware. (They have the technical ability to do so; let's put aside for the moment in which circumstances they would have the legal authority to do so. Besides, in some non-democratic regimes, questions about due process are irrelevant.)
There are at least three cases in which the Feds have, with a court order, installed spyware on a suspect's computer. As encryption becomes more popular, so will the use of fedware. There may be no easy way to detect it--security software vendors generally say they will--short of booting off of a DVD or another trusted device and checking the operating system for tampering. Linux users can use a Knoppix CD or DVD for this.
All these extra steps are irksome, and stem from the fact that Threat Level Yellow with an encrypted volume doesn't completely protect you.
Why not? Unix-derived systems including Apple's OS X store details about VPN usage and user login times in unencrypted form. Some applications including Thunderbird save working copies of documents in an unencrypted area (/tmp or /private/tmp) outside the home directory. And the contents of the computer's virtual memory file may be readable as well.
That brings us to Threat Level Orange, at which point you should encrypt everything. That means you won't have to worry about whether applications leak data outside the virtual safe of an encrypted volume.
Microsoft has included the BitLocker Drive Encryption feature in the Enterprise and Ultimate versions of Windows Vista. A perpetual license for PGP Whole Disk Encryption 9.8--often viewed as the gold standard of encryption products--for Windows costs $149. Macintosh users are out of luck for now, though PGP did tell us last month that whole disk encryption for OS X is "in active development." Linux users have loop-aes and dm-crypt to choose from.
The same advice as Threat Level Yellow holds for laptopping-across-the-border: shut down your computer for a few minutes to make sure the memory decays.
While you're at Threat Level Orange, you might as well take some additional steps to harden your machine against other attacks. One of those is guarding against having the entire contents of your computer's memory siphoned off through FireWire.
This isn't new. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging in an iPod to the FireWire port. A subsequent presentation by Adam Boileau in 2006 expanded the FireWire attack to Windows-based systems; he released exploit code this month.
Under OS X, according to a security guide (PDF) by Paul Day, setting an Open Firmware password disables physical memory access for FireWire devices. Here's how to set an Open Firmware password.
If they're out to get you, or if you're sufficiently paranoid to think they are, you're at Threat Level Red.
One downside with encrypted drives is that they can be a huge blinking neon sign to customs officers saying: "Contraband! Likely! Here!" Even if you're law-abiding, an encrypted drive could mean unwanted hassles and delays, and the unpleasant prospect of customs officials preventing you from entering the country unless you type in your password. In the U.S., whether you can be compelled to divulge it by court order remains an unanswered question--and other nations may not observe such legal niceties.
One answer is steganography, which means concealing data in a way that nobody even knows it's there. It's an electronic form of invisible ink. Data can be stored in MP3s, in videos, and even in apparently-empty space on the hard drive.
Unfortunately, steganographic file systems are about as well developed as cryptographic ones were a decade ago--they're still more of a laboratory curiosity than something that's been thoroughly tested and built into commercial products. One exception is TrueCrypt, which offers two levels of plausible deniability, including a standard TrueCrypt volume that appears when you're forced to give your "password," and a hidden one that remains concealed.
Some technologists remain skeptical. Jon Callas, PGP's chief technology officer, says:
I have a rather negative opinion about steganographic file systems. I just flat don't believe they work. I don't believe you can hide the data so that nobody can find it...
If this customs official says, "Aha! I see you have a steganographic file system, tell me the other password," what do you do? It is unsafe to use a product that has a steganographic file system since you can never prove you have no steganographic data...
For steganography to work it must be custom-built for you. Or you're relying on the fact that the person searching for the data is stupid.
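To make the hidden-volume idea and Callas's objection concrete, here is an added toy model (not TrueCrypt's code or layout): a random-filled container holds a decoy volume at a fixed offset and, optionally, a second volume at an offset only the hidden password can compute. The cipher is a SHA-256 counter-mode keystream standing in for the real one, and all sizes and passwords are constructed; the point it shows is that a container with a hidden volume and one without are statistically indistinguishable, which is both why the scheme works and why nobody can prove a container holds no hidden data.

```python
"""Toy model of a deniable 'hidden volume' inside an encrypted container.
Added example, not any product's code: SHA-256 in counter mode stands in for
the real cipher, and the layout below is a constructed simplification."""
import hashlib
import hmac
import math
import os
from collections import Counter

CONTAINER_SIZE = 64 * 1024   # whole container (constructed size)
SLOT_SIZE = 8 * 1024         # each volume slot: 32-byte tag + ciphertext
SALT_LEN = 16
OUTER_OFFSET = SALT_LEN      # the decoy volume sits right after the salt
TAG_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password-to-key derivation, as real volume products also do."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 over (key || counter). Stand-in for AES/XTS."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Length-prefix, pad with random fill, encrypt, and prepend an HMAC tag."""
    body_len = SLOT_SIZE - TAG_LEN
    if len(plaintext) + 4 > body_len:
        raise ValueError("plaintext too large for one slot")
    fill = os.urandom(body_len - 4 - len(plaintext))
    body = len(plaintext).to_bytes(4, "big") + plaintext + fill
    ct = bytes(a ^ b for a, b in zip(body, keystream(key, body_len)))
    return hmac.new(key, ct, hashlib.sha256).digest() + ct


def unseal(key: bytes, slot: bytes):
    """Return the plaintext if the slot's tag verifies under key, else None."""
    tag, ct = slot[:TAG_LEN], slot[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    body = bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))
    n = int.from_bytes(body[:4], "big")
    return body[4:4 + n]


def hidden_offset(key: bytes) -> int:
    """Position of the hidden slot inside what the decoy volume regards as
    free space; only someone holding the hidden key can compute it."""
    free_start = OUTER_OFFSET + SLOT_SIZE
    room = CONTAINER_SIZE - free_start - SLOT_SIZE
    h = hashlib.sha256(b"offset" + key).digest()
    return free_start + int.from_bytes(h[:8], "big") % room


def make_container(outer_pw: str, decoy: bytes,
                   hidden_pw: str = None, secret: bytes = b"") -> bytes:
    """Random-filled container with a decoy volume and, optionally, a hidden one.
    Free space is random bytes, so ciphertext placed there does not stand out."""
    buf = bytearray(os.urandom(CONTAINER_SIZE))
    salt = bytes(buf[:SALT_LEN])
    outer_key = derive_key(outer_pw, salt)
    buf[OUTER_OFFSET:OUTER_OFFSET + SLOT_SIZE] = seal(outer_key, decoy)
    if hidden_pw is not None:
        hidden_key = derive_key(hidden_pw, salt)
        off = hidden_offset(hidden_key)
        buf[off:off + SLOT_SIZE] = seal(hidden_key, secret)
    return bytes(buf)


def open_volume(container: bytes, password: str):
    """Try the decoy slot, then the slot this password would point at.
    Returns ("outer", data), ("hidden", data) or None."""
    salt = container[:SALT_LEN]
    key = derive_key(password, salt)
    pt = unseal(key, container[OUTER_OFFSET:OUTER_OFFSET + SLOT_SIZE])
    if pt is not None:
        return ("outer", pt)
    off = hidden_offset(key)
    pt = unseal(key, container[off:off + SLOT_SIZE])
    return ("hidden", pt) if pt is not None else None


def byte_entropy(data: bytes) -> float:
    """Shannon entropy per byte; close to 8.0 means 'looks like random'."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    plain = make_container("decoy-pass", b"holiday photo index")
    stego = make_container("decoy-pass", b"holiday photo index",
                           hidden_pw="real-pass", secret=b"source notes")
    # Same decoy password, same visible result, near-identical statistics:
    print(open_volume(plain, "decoy-pass"), open_volume(stego, "decoy-pass"))
    print(round(byte_entropy(plain), 4), round(byte_entropy(stego), 4))
```

Run it and the two entropy figures match to within noise: nothing in the container without a hidden volume proves that it lacks one, which is exactly the bind Callas describes for the traveller who is asked for "the other password."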
So what's left? Concealing the data in other ways. Bring your laptop with tourist snapshots and no steganography. Put your sensitive files on your camera's memory card or your phone's SD card; Sandisk's 32 GB SD card is supposed to ship soon.
Finally, there's always the option of bringing your data across the border electronically--by securely downloading it once you and your laptop have made it safely past customs. It may not work for everyone, and extremely large files may make it unwieldy as an option, but it may be the safest and easiest way to travel internationally nowadays.
Note: I'll be doing a live chat on this topic on Thursday (today) at 11am PT / 2pm ET. Join us!
Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.
In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files. (I tested these claims by giving them a MacBook with FileVault; here's a slideshow.)
"There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed."
The nine researchers listed on the paper include San Francisco-area programmers Jacob Appelbaum and Seth Schoen and a team of Princeton University computer scientists such as graduate students J. Alex Halderman and Nadia Heninger and professor Ed Felten. The paper is titled "Lest We Remember: Cold Boot Attacks on Encryption Keys."
Their technique doesn't attack the encryption directly. Rather, it relies on gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper.
The reason I say this research could prompt a rethinking of how to protect data is that many of us who use encrypted file-systems believe that if our computers are lost or stolen, our data will be secure. But if a thief (or nosy border guard, or FBI agent) nabs my laptop locked with a screen saver or in sleep mode with the RAM intact, the paper shows that encryption provides no protection.
"You can't rely on the screen saver," said Peter Gutmann, a computer science professor at the University of Auckland in New Zealand who has done related work but is not affiliated with Thursday's paper. "If you really are that worried, you have to turn off your PC."
The researchers say their technique works against Apple's FileVault, the BitLocker Drive Encryption feature included in the Enterprise and Ultimate versions of Windows Vista, the open-source product TrueCrypt, and the dm-crypt subsystem built into Linux kernels starting with 2.6. The other researchers include William Clarkson, William Paul, and Ariel J. Feldman.
In its marketing literature, Apple promises that, with FileVault turned on, "the data in your home folder is encoded and your information is secure if your computer is lost or stolen." When I contacted the company for comment, Apple would say only this: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
Microsoft was more forthcoming, saying:
The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use. If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication.
At this point, clever readers might be thinking: If the attack involves executing a specific memory-dump utility while rebooting, then Apple, HP, Toshiba, and so on can simply lock down the hardware to prevent any such utility from being run until the RAM can be safely wiped. Problem solved?
Well, not so fast. Another interesting technique that Thursday's paper describes is how to supercool the RAM chips with a can of compressed air held upside-down. Then the cooled memory can be physically extracted and inserted in another computer owned by the attacker. (If the memory is permanently affixed to the motherboard, there are still other methods [PDF] that can be used.)
The paper states:
Contrary to the expectation that DRAM loses its state quickly if it is not regularly refreshed, we found that most DRAM modules retained much of their state without refresh, and even without power, for periods lasting thousands of refresh intervals. At normal operating temperatures, we generally saw a low rate of bit corruption for several seconds, followed by a period of rapid decay. We obtained surface temperatures of approximately −50 degrees C with a simple cooling technique: discharging inverted cans of "canned air" duster spray directly onto the chips. At these temperatures, we typically found that fewer than 1% of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. −196 degrees C) and saw decay of only 0.17% after 60 minutes out of the computer.
Gutmann, the New Zealand computer scientist, previewed this kind of attack in a 1996 paper that said: "To extend the life of stored bits with the power removed, the temperature should be dropped below -60 degrees C. Such cooling should lead to weeks, instead of hours or days, of data retention."
But in reality, such extreme methods probably won't be necessary. If thieves, FBI agents, or border guards have physical access to a computer that's turned on, they have other options. In 2004, Maximillian Dornseif showed how to extract the contents of a computer's memory merely by plugging an iPod into the FireWire port. A subsequent presentation by "Metlstorm" in 2006 expanded the FireWire attack to Windows-based systems.
Translation: If you use an encrypted file-system and want privacy and security when you're not using your computer, you need to shut down your computer and wait a few minutes for the RAM contents to vanish. Another option for sensitive files is to use an encrypted volume like a PGP disk and unmount it as soon as you're done.
That assumes PGP erases the encryption keys from memory once the volume is unmounted, which the company swears it does. "We go well beyond that," said John Dasher, PGP Corporation's director of product management, adding that PGP products take "very elaborate measures to make sure that things are properly and completely disposed of."
He downplayed the potential threat to users of PGP, which provides both whole disk encryption and volume encryption and the researchers speculate will be vulnerable as well. "We never say buy whole disk and you're done," Dasher said. "You want to protect the device. You want to protect the data itself. And of course you're not going to get rid of your network protection. Security's not about buying whole disk encryption (and calling it a day)."
In response to the overall claim about the vulnerability of encrypted file-systems, Dasher said, "Even if it's true, I don't know if it changes my behavior."
It's been known for a long time--at least since Gutmann's 1996 paper--that encryption keys are vulnerable when stored in memory. And additional research (PDF) by Adi Shamir and Nicko van Someren two years later talks about identifying encryption keys by scanning hard drives.
By demonstrating the limits of off-the-shelf encryption products, what the research published on Thursday may do is shift the debate from academic arguments to how to protect users in real-world situations. It also advances previous research by calculating how long dynamic RAM chips hold their contents at different temperatures (little decay until a few seconds elapse) and offering algorithms to reconstruct encryption keys even when the contents of memory have begun to decay.
The reconstruction technique works by taking into account what's known as a "key schedule" for algorithms such as DES and AES, the U.S. government's Advanced Encryption Standard. A key schedule is used in certain kinds of ciphers that do multiple rounds of encryption. The computer scientists said that it takes them "a few seconds" to reconstruct AES keys with 10 percent of the bits decayed; the more decay, the longer it takes.
So what are the countermeasures? As I noted above, shutting down the system, zeroing memory on boot, and unmounting encrypted volumes are some options. The paper suggests others, including limiting booting from network or removable drives, better methods of putting a computer to sleep (perhaps involving encrypting the portions of memory with the keys to the file system), recomputing keys when they're needed to avoid keeping copies in memory, and hardware changes such as tamperproof or encrypting RAM.
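The key-schedule redundancy that the reconstruction technique above relies on, and the reason the countermeasure list includes not keeping expanded copies of keys in memory, as an added example that is not code from the paper, the article, or any of the vendors mentioned: a from-the-definition AES-128 key expansion (FIPS-197) and its inverse, showing that any single round key left behind in RAM is enough to recompute the original key. The key values in the comments are the FIPS-197 Appendix A test vector.

```python
# Added example, not the paper's code: AES-128 key expansion and its inverse.
def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1: r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _make_sbox():
    """Build the AES S-box from its definition: GF(2^8) inverse, then the affine map."""
    box = []
    for x in range(256):
        inv = 0 if x == 0 else next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s, t = inv, inv
        for _ in range(4):          # s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        box.append(s ^ 0x63)
    return box

SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _g(word, i):  # SubWord(RotWord(w[i-1])) XOR Rcon, applied when i % 4 == 0
    t = [SBOX[word[1]], SBOX[word[2]], SBOX[word[3]], SBOX[word[0]]]
    t[0] ^= RCON[i // 4 - 1]
    return t

def expand_key(key):
    """FIPS-197 key expansion: 16-byte key -> 44 four-byte words (11 round keys)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = _g(w[i - 1], i) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def round_key(w, r):  # round key r (words 4r..4r+3) as the 16 bytes that sit in RAM
    return bytes(b for word in w[4 * r:4 * r + 4] for b in word)

def recover_key(rk, r):
    """Run the schedule backwards: w[i-4] = w[i] XOR f(w[i-1]), so round key r alone yields the key."""
    w = [None] * 44
    for j in range(4):
        w[4 * r + j] = list(rk[4 * j:4 * j + 4])
    for i in range(4 * r + 3, 3, -1):
        t = _g(w[i - 1], i) if i % 4 == 0 else w[i - 1]
        w[i - 4] = [a ^ b for a, b in zip(w[i], t)]
    return round_key(w, 0)   # for key 2b7e1516...4f3c, round key 10 is d014f9a8 c9ee2589 e13f0cc8 b6630ca6
```

The practical consequence for the disposal claims quoted above is that wiping the 16-byte key buffer alone is not enough; the 176-byte expanded schedule, which most implementations keep in memory for speed, must go too.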
There is one irony here. One Princeton Ph.D. student, Joseph Calandrino, is listed as having "performed this research while under appointment to the Department of Homeland Security." Because it lets them bypass file-system encryption in some cases, police agencies are the most obvious and immediate beneficiaries of this research.
As early as 1984, the FBI Laboratory began developing computer forensics hardware. And we know from the Scarfo, Forrester-Alba, and Boucher cases how intent federal police agencies are on finding ways to circumvent the privacy that encryption provides. If the feds didn't know about these techniques already--remember, they were years ahead of everyone else in inventing public key cryptography--today will be a very good day for Homeland Security.
Update 12:30pm: I've been asked whether encrypted swap was turned on in our test to see if they could bypass FileVault. It was. But it actually doesn't matter; remember, they're analyzing the contents of RAM, not the contents of the hard drive.
It's time to take another look at the intriguing case of United States v. Boucher, which may set the ground rules for whether or not criminal defendants can be compelled to divulge encryption passphrases.
When I last wrote about the Boucher case, the U.S. Department of Justice was refusing to comment on the matter. Here's my original article from last month for background.
The case arose because federal agents believe Boucher has child pornography on his laptop, and obtained a warrant to search it. But part of the hard drive was PGP-encrypted, and the Feds obtained a subpoena to force him to disclose (or even simply type in) his passphrase.
U.S. Magistrate Judge Jerome Niedermeier in Vermont rejected the subpoena on Fifth Amendment grounds--namely, that compelled disclosure of a passphrase amounted to self-incrimination. The Fifth Amendment says no person "shall be compelled in any criminal case to be a witness against himself."
The Washington Post, by the way, finally got around to writing about this (a month later) on Wednesday in a page one article. It quotes Boucher as saying that he likes to download Japanese cartoons and occasionally adult pornography, but that he does not seek to view child porn.
Now the Justice Department is filing a sealed appeal to the magistrate judge's decision to U.S. District Judge William K. Sessions. Sessions is a Clinton appointee, a former public defender who became a partner at the Middlebury, Vt. law firm Sessions, Keiner, Dumont & Barnes. He was part of the U.S. Sentencing Commission during the Clinton administration.
What's a bit odd is that, as far as I can tell, the Feds' appeal brief itself was filed under seal on January 2, and Boucher's reply brief in opposition filed on January 15 was also under seal. Considering that the original criminal complaint is public, and the magistrate judge's Fifth Amendment decision is public, there's no obvious reason why this extra secrecy is necessary. More on this as the case progresses.