Judge: Man can't be forced to divulge encryption passphrase
A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.
Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."
Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."
The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that that such protection extends to the contents of a defendant's minds, so why shouldn't a passphrase be shielded as well?
In this case, Judge Niedermeier took the second approach. He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient.
Laptop files: Unencrypted, then encrypted
A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."
Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.)
According to Niedermeier's written opinion, prosecutors sent Boucher a grand jury subpoena asking for the passwords because:
Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.
The opinion added:
If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.
Boucher is a Canadian citizen who is a lawful permanent resident in the United States and lives with his father in Derry, N.H. Two attorneys listed as representing him could not immediately be reached for comment on Friday.
So what happens next? It's possible that prosecutors will be able to establish that Boucher's laptop has child pornography on it without being able to access it: after all, there were at least two federal agents who looked at the laptop when the Z: drive was still unencrypted.
But if this ruling in the case is eventually appealed, it could have a far-reaching impact in a pro-privacy or pro-law-enforcement direction.
Michael Froomkin, a law professor at the University of Miami, has written that the government "would have a very hard time" trying to obtain a memorized passphrase. A similar argument, published in the University of Chicago Legal Forum in 1996, says:
The courts likely will find that compelling someone to reveal the steps necessary to decrypt a PGP-encrypted document violates the Fifth Amendment privilege against compulsory self-incrimination. Because most users protect their private keys by memorizing passwords to them and not writing them down, access to encrypted documents would almost definitely require an individual to disclose the contents of his mind. This bars the state from compelling its production. This would force law enforcement officials to grant some form of immunity to the owners of these documents to gain access to them.
But prosecutors think they can split the idea of immunity into two halves: divulging the passphrase, and then using the passphrase to decrypt the files. A 1996 article by Philip Reitinger of the Department of Justice's computer crime section proposes a clever device for forcing a defendant to divulge a PGP passphrase and then convicting him anyway (remember, the passphrase lets the key be used to decrypt the document):
Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect.
Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand?
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this." E-mail Declan. 
Both sides of this argument are bad: some scum pedo and over reaching Fuzz at the border. While I don't condone pedophilia and child abuse, I don't think we need a jack-booted lock down 1957 Russia either. ~ Franky
encryption, then sadly this accused pedophile he should go free.
There HAS to be some other physical evidence other than
scrambled bits of images. I would NOT want for a child to get hurt
by setting him free but our post-9/11 freedom demands it.
and all the shenanigans in our "open" government ... i welcome a
strong assertion of the constitution over any person ... a nation of
laws not men ...
thanks, declan
[[digitalshaman]]
This case should be thrown out of the courts and the man's computer should be returned to him post-haste.
The practice has been upheld, so this was entirely legal.
However an easy way around this is to use pass phrases that are incriminating for some infraction of the law. Hypothetically if a person's passphrase was "I committed a crime on <date> by <action>." The government could never force him to reveal this passpharse because it forces him to incriminate himself for some other event. Since the government doesn't know what the event is, they can't write a narrow immunity scope for it. Thereby he'd be able to claim 5th amendment protections until the cows came home. Who said a passphrase had to be neutral?
The government doesn't have to narrowly tailor the immunity
grant before they give it out. They can instead grant you
transactional immunity for anything that you testify to that is
within the scope of the questioning. This is not as good as it
sounds, since it doesn't prohibit them from prosecuting you for
any crimes that you confess to doing; it just prohibits them from
using the confession and any immediately consequential
products of that testimony (e.g. if you say where a body is,
they'd have to show that they would have found the body
anyway to use it against you).
So if you made you password "I knocked up this liquorstore on
April 5th," they could give you immunity, get the passphrase and
then choose not to prosecute you for the crime (or choose to do
so if they could find other evidence). Note that they only have to
make the immunity grant if the crime is legit; you obviously
can't claim self incrimination protection against a hypothetical
crime.
After all, do we not have the right to remain silent? One could just as well refuse the offer of immunity. There is more than one law protecting the accused here. The right to remain silent - just pretend your a deaf mute and there is nothing they can do about it. And also there is, "The burden of proof shall fall on the accuser." meaning that I cannot be compelled to even help bring any evidence at all against me. So if the right to remain silent doesn't work, that one can also work.
But that idea... wow. If all else fails, that is a clever way to explain it. But personally, I'd just rather say "I don't want anyone to see my private journal." as a reason for how far I would go to not tell them anything, and then use that idea, "For all you know, my password may in and of itself be an incriminating statement and so therefore I am still protected by the 5th Amendment."
With so many laws protecting the accused, they don't stand a fighting chance.
But, hey, it's okay because they're all operating on enlightened self interest and are men of action.
Bah.
everything to put children pornographers behind bars, along with
the pedophiles!!!! They have the laptop already, they have the
evidence. This Judge needs to wake up and do the job he was hired
to do.
"My own opinion may the should check on all the people that agree
with this decision!"
A person with kiddie porn has no rights.
If these scumbags have no right, then neither do you or the kids.
Do you want them to live in a totalitarian state? That is what you are advocating.
some cases, this perhaps being one, I refuse to judge as I was
not present, a person who committed a crime has no consequence. Well, that's not entirely true. Regardless of his
guilt/innocence there are those who would judge him without
the facts anyway. That is not my point. My point is, I would
rather have a guilty man free then an innocent man in prison. If
a guilty man does no time, he may well clean up his act anyway.
If an innocent man does time, he losses his time. I refuse to let
fear govern my basic belief that everyone is innocent in the eyes
of the law. The burden of proof is on the government, not on
the person. If you can prove that he is guilty I welcome you to
do so. I do not believe that anyone should have to prove
themselves guilty. Indeed it is their right to the presumption of innocence.
By the way, there ARE files encrypted on your computer that you (ACTUALLY) do not know the password to, but will the jury believe that? Not a jury of YOUR peers, you must have something to hide.
Do absolutely everything to put these people behind bars? OK, we will start with you, because if we just put everyone behind bars (innocent or guilty) we will get them all won't we!
combination"? Can one be compelled to cough up the
combination to a safe (as opposed to handing over a physical
key)?
Personally, it doesn't matter if the schmuck is a paedo or not -
he at least does have the right to not self-incriminate. If that
means the files on his encrypted drive cannot be accessed, then
at least it'll prevent a less scrupulous prosecutor or other
government functionary from railroading somebody else.
Time for the forensics team to break out the rainbow tables and
start grinding at the passphrase...
/P
I do not think it would be of much use against a 15 or 20 word passphrase using more than one язык (language) with intentional misspelllings, rAnd0m caSe and numb3r5 replacing letters. If his passphrase was "passphrase", they have him.
Rainbow tables are only useful if he had encrypted with Windows' EFS, since windows credentials are stored using the LM/NTLM hash, for which there are a number of rainbow tables.
Of course, if he had used truecrypt, or any form of steganography he would have plausible deniability in his back pocket, and we wouldn't be having this discussion. Enough typing, and no I won't go into steganography, someone else can open that can of worms or you can just hit wikipedia ;)
Ah, planned for 5.0 release in january. Excellent.
accidentally drowns then we don't need the password. Problem
solved.
By turning into something worse then the soviet union?
This will solve our problem?
Our problem is we have to many idiots that can only respond with shortsighted emotions, not clear headed thinking.
Thankfully the judge is clearheaded enough to know what is really at stake and refuses to burn the constitution.
nuff said
Your suggestion has been overturned.
Personally, I am a conservative. Do I think the judge ruled correctly? Absolutely! Is my rationale based on my conservative moral values? No! It is based on my interpretation of the Constitution.
So, lose the holier than thou attitude towards conservatives and you might get some respect.
I think the phrase "Innocent unill proven guilty" should still
mean something here in the USA.
Oh yeah.. that and the right to not incriminate yourself.
If you really want to start to FORCE people to incriminate
themselves, let's get your President and your Vice-President to
tell us some of their secrets..
That'd be a better use of Gov't resources...
Who cares if a ruling in the opposite way will lead us further down the dark path to totalitarianism?
Who cares that if these morons got what they wanted then the children they are pretending to protect would have no freedoms?
What ever happened to "Live free or die" and "Give me liberty or give me death"?
I also think that if the officer lost the evidence because he/she is an idiot (computer forensics 1st rule. image the drive before you do anything.) it should be dropped and they should stop wasting time. They lost let him go and accept the law suit that will follow. End of story.
I don't agree with what was found (the kiddy porn)
You can't base a decision on opinion.
Jay
OK. Some of us would say "Yea, they are."
But the government doesn't think so.
In the case of decrypting a drive, it would be legal. It would be similar if they had a warrant to search your house, and you refused. They would simply break down your locked door. The law can exempt its self from certain aspects when law enforcement has passed the appropriate channels.
Besides, it wasnt the customs agents stupidity, hes not a computer forensics officer, he had no way of knowing that he needed to image the drive, and probably had no method of doing so either.
I dont think that they should require the divulging of the password though. As much as I hate the crime, Im all for protecting digital rights.
I do think they can manage to obtain the information eventually. It will take time, but they can brute force the pass, or they will find a way to get him to divulge the password.
I suspect they already tried to brute force the password and failed.
A strong password could take millions of years, even on todays best computers.
By the time they crack it, the point will be moot.
Unfortunately, The passphrase is not on the hard drive. the passphrase is not even in ram. The passphrase is used to unlock a very large key that is kept in ram. Your computer forgets the passphrase as soon as you type it.
Assuming the alleged scum sucking pervert used a passphrase that is around 20 words using more than one language, numbers symbols as well as upper and lower case letters (This is what everyone using encryption should do, scum sucking pervert or not), the prosecution will never break his data.
One other note, The feds have two agents that can claim to have seen the images. They will not have a problem putting him in jail.
We don't know for sure that the guy's laptop actually CONTAINED kiddy porn, we only have the border agent's suspicion. I don't know about you, but I've definitely seen under-qualified border guards with chips on their shoulders.
Bottom line: can a prosecutor force you to incriminate yourself? Should they be able to?
So anyone who excercises their rights has something to hide.
I hope you aren't falsely accused and have to face a judge as ignorant as you.
Although, it might be the only thing that could make you understand why you are wrong.
Do you have illegal mp3s on your hard drive? If you do, should you turn yourself in? If not, should you be convicted of a seperate crime of not turning yourself in (or not turning your neighbor or friend in?)
ain't nothin' the courts or anyone else can do about it. The
Repubicans perfected that one a long time ago. Look at the
idiotic "I don't recall" answers that Gonzales gave to congress on
virtually every line of questioning -pure fabrications every one
of them, but not a day in jail!
Ironically, the guy may in fact really forget his password. I
constantly have to get cnet to mail me my password if I don't
use it for a few weeks. If his was particularly tricky it's quite
plausible that he could have actually forgotten it and no amount
of waterboarding, genital electrocution, sleep deprivation etc will
get it out of him.
- The opposite is true in the UK
- by teabag_46 December 16, 2007 5:02 AM PST
- Here in the UK, we have an act called RIPA (Regulation of Investigatory Powers Act). This act allows law enforcement officers to compel a suspect to give up any passwords. Failure to do so can result in a 2 (two) year prison sentence. This is on top of whatever evidence of a crime may be later recovered from a computer/data storage device.
- Like this Reply to this comment
-
-
- Sucks to be you
- by Paul Skinner December 16, 2007 5:46 AM PST
- That sucks! And why do you have such a law? I assume that all brits
- Like this View reply
Processing -
- Nothing More Than An Academic Exercise
- by Librarian Woes December 16, 2007 12:15 PM PST
- As I indicated by my earlier comment, nobody could ever prove that someone "forgot" their password if they previously memorized it and never wrote it down. From a legal point of view this is an interesting case, but from a purely practical point of view... Game over. In reality, if someone indicates that s/he forgot what the password was, can anyone truly prove that s/he didn't?
- Like this
-
- Not the best example
- by soggy0 December 16, 2007 2:35 PM PST
- Yes, but there in the UK, with only 1% of the world's population, you are
- Like this
-
- So You are saying
- by PzkwVIb December 17, 2007 7:19 PM PST
- That "V" is coming true?
- Like this
-
Showing 1 of 3 pages (177 Comments)decided that this was the way to go?
watched by 20% of the world's surveillance cameras; your population is
effectively disarmed and defenseless (except for the criminals); and you
are imprisoned for resisting criminal attack in any effective manner even
within your own homes. Sorry, but Americans discussing constitutional
liberties don't expect to be looking across the pond for much
enlightenment, expect perhaps for an example of where things will
inevitably go if we defend our liberties as feebly as you defended yours.