DOJ: No comment on forcing encryption passphrases
The U.S. Department of Justice won't say when it believes an American citizen should be forced to divulge his or her PGP passphrase.
We've been trying for the last two days to get the DOJ to answer this question, which became an important one after last week's news about a judge ruling a criminal defendant can't be forced to divulge his passphrase on Fifth Amendment grounds.
The Fifth Amendment, of course, protects the right to avoid self-incrimination.
In the case of U.S. v. Sebastien Boucher, federal prosecutors think that the defendant has child pornography encrypted with PGP (Pretty Good Privacy) on his Alienware laptop. They sent him a grand jury subpoena demanding the passphrase--which is what a judge rejected on Fifth Amendment grounds.
"I won't be able to provide anyone for an interview," said DOJ spokesman Jaclyn Lesch. "The point you raise is one that we would want to address in court. I hope you understand."
We had asked the DOJ this: "In the DOJ's view, under what circumstances can a person be legally compelled to turn over an encryption passphrase?"
In one view, which prosecutors tend to share, a passphrase is like a document or key that must be forcibly turned over. The civil libertarian view treats a passphrase as the contents of someone's mind, which a defendant cannot be compelled to divulge.
The distinctions between these views are important to Americans' privacy rights and law enforcement needs. Unfortunately, we'll have to wait for future legal filings to find out what our public servants actually think.
News.com's Anne Broache contributed to this report.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."



PGP is ancient. Public key encryption is the basis of just about
all web commerce and the Feds don't have a clue.
I was involved, as an investigator, in a large civil suit in
California in the 90's. The opposing side didn't buy that what I
did was protected by attorney work product privilege.
Somehow, they got a court order, (basically, the court didn't
know what the hell they were talking about), to seize the hard
drive - a 250MB drive - to prevent me from changing anything.
Three goons showed up with screwdrivers and, of all things, a
prybar. They ruined the Power Mac that it was in, forcing me to
buy another one. The content they wanted to view was PGP
encrypted. After they got the hard drive, (the court order
allowed preservation, not examination), they sued me to get me
to give them the password. Their attorney told the judge he
might as well order me to give it up as they were only days
from breaking the encryption, (I think it was 128 bit). The
opposing counsel made me out to be some kind of super spy,
because I was using encryption, painted a real bad picture of
me.
The matter was never decided because the lawsuit settled out
of court. I got the hard drive back after they had sent it to a
data recovery service. Apparently, they were told the data
recovery service could break the encryption. The hard drive was
ruined. They ended up paying for the new computer I had to
buy... The one time Grove's Law has actually worked for me.
The attorney may have claimed they were days away, but he was full of crap. Since they didn't get it fairly quickly, they had to brute force the password or the encryption. To brute force the password there are 95 ^ (len of the password) different combinations. On a 3 GHz machine, it would take over 600,000 years to generate them. So unless you are EXTREMELY lucky, it won't happen in your lifetime.
To crack a solid 128 bit encryption scheme by brute force would take much, much longer.
It doesn't matter how "ancient" they are. Just because it is older doesn't mean it is magically easier to crack. Finding a flaw makes it easier.
If they truly were within days of cracking it, then you were using 40 bit encryption or what not.
"I DON'T RECALL!!"
Those 3 little words seem to exonerate the most obviously guilty
from any and all crimes.
They are no longer around to enforce laws, but to rubber stamp proclamations from our wanna-be dictator.
The DoJ has NO credibility whatsoever.
Encryption is just a symptom of mistrust and it has been around
forever.
I look forward to you blaming all the ills of the world on Bush's
successor. But the real culprit is even closer. Just look in the
mirror.
And, no, I did not vote for Bush, but I also realize he is not the
real problem here. Personally, I get a laugh when I see the legal
system choking on PGP. May it live forever.
The amendment was to protect people from being forced to make confessions.
If the evidence on the computer had not been encrypted, the police would have been able to use it in a court of law. Thus, having data on the PC is not protected by the 5th. Simply encrypting it should not change things.
For example, if a defendant hid the smoking gun in a locked cabinet, the police can get a subpoena to open the cabinet. Simply concealing evidence by locking it away is again not protected.
All the defendant has done here is take the evidence and place a virtual lock on it to conceal the contents. There is nothing in the Constitution or Bill of Rights that should provide protection to concealing evidence through a virtual lock.
think before you come to conclusions...
For example, I killed someone and I hid the murder weapon in the flower bed, but unfortunately the entire yard has been redone and all the soil has been disturbed. I'm not going to tell the police it's in the flower bed under the window by the bathroom and it's about 4 feet deep. It's up to the investigators to determine where it might be and dig deep enough for it. Same thing with the pass: it's up to the prosecutors to find a way of obtaining it.
For the record, I know I can be way off base with this argument also. But the 5th Amendment has had to evolve to keep up with how society has changed since its original inception, or you probably wouldn't be able to invoke it in today's society if it had not evolved over time.
You encrypt one volume, put something personal but not too personal in it, and then you have a hidden encrypted volume within that one. That way you can plausibly deny anything.
It came up if someone puts a gun to your head or something violent and tries to make you reveal your passphrase.
Hmm, looks like the next person will be one step ahead.
Still, it's not a matter of the charges, it's a matter of personal freedom. Suppose a big-shot political district attorney wants to selectively prosecute someone based on their political standing even though they haven't really done anything wrong, i.e. the US attorneys controversy or Mississippi's selective prosecution of Paul Minor rather than Trent Lott's brother for "contributing money to a judge", which wasn't even against the law, and how the 5th Circuit judge gave the jury technicalities to say ya, you can convict him anyways.
We need to stand up to personal freedom.
Wait, you might ask, isn't the DOJ all for invading privacy and doing all crazy things? Yes, but what if
the DOJ is forced to reveal their secrets about the US attorney controversy, Halliburton, wiretaps, torture, etc.? Maybe they would wish for the immunity then! So I'm not surprised they have not commented.
water it down or install a backdoor so THEY could get in.
Thankfully he denied. They hated that it was so simple and so
secure. This goes back, gosh, I want to say 10 years or more...
Long time ago. Additional features have been added on since
the public key and private key when it first rolled off.
YES it is impossible to brute-force crack. For other wares you
are ahead to look for backdoors or over-ride by common
techniques (back in my days). They have plugged more of the
mouse holes and glass cracks now compared to before :) .
Other than the software like PGP, you can also use (medium to
weak) finger print protection on bootup and sleep or (better)
lock-key (USB) that will turn your screen black unless the key is
plugged in. However if you can slave it on bootup disabling the
key may not be that hard (haven't tried to hack it yet).
Most law enforcement agencies follow standard practices when
examining a computer. One of which is to pull the hard drive and
connect it to the examiner's computer - the same thing most of
us do when trying to rescue data from a sick machine.
At that point all the OS and add on protection is worthless if your
data isn't encrypted.
- There might be a simple remedy to this...
- by raveneye74 January 23, 2008 3:57 AM PST
- What if you always made the words in your passphrase a confession to a crime?
- Would the narrow scope of immunity proposed not apply, as the passphrase itself would be self-incriminating and therefore could not be divulged?