Feds appeal loss in PGP compelled-passphrase case

It's time to take another look at the intriguing case of United States v. Boucher, which may set the ground rules for whether or not criminal defendants can be compelled to divulge encryption passphrases.

When I last wrote about the Boucher case, the U.S. Department of Justice was refusing to comment on the matter. Here's my original article from last month for background.

The case arose because federal agents believe Boucher has child pornography on his laptop, and obtained a warrant to search it. But part of the hard drive was PGP-encrypted, and the Feds obtained a subpoena to force him to disclose (or even simply type in) his passphrase.

U.S. Magistrate Judge Jerome Niedermeier in Vermont rejected the subpoena on Fifth Amendment grounds--namely, that compelled disclosure of a passphrase amounted to self-incrimination. The Fifth Amendment says no person "shall be compelled in any criminal case to be a witness against himself."

The Washington Post, by the way, finally got around to writing about this (a month later) on Wednesday in a page one article. It quotes Boucher as saying that he likes to download Japanese cartoons and occasionally adult pornography, but that he does not seek to view child porn.

Now the Justice Department is filing a sealed appeal to the magistrate judge's decision to U.S. District Judge William K. Sessions. Sessions is a Clinton appointee, a former public defender who became a partner at the Middlebury, Vt. law firm Sessions, Keiner, Dumont & Barnes. He was part of the U.S. Sentencing Commission during the Clinton administration.

What's a bit odd is that, as far as I can tell, the Feds' appeal brief itself was filed under seal on January 2, and Boucher's reply brief in opposition filed on January 15 was also under seal. Considering that the original criminal complaint is public, and the magistrate judge's Fifth Amendment decision is public, there's no obvious reason why this extra secrecy is necessary. More on this as the case progresses.

[The_Decider]

The correct decision

Hopefully it will stand as it moves up and likely gets in front of the notoriously anti-constitutional supreme court.<br /><br />What is or is not on his laptop is completely irrelevant. Those claiming otherwise, better hope that someone with subpoena power doesn't suspect their computer of having illicit materials.<br /><br />If the feds can crack it while they have custody of it, more power to 'em. But to force a password? That is no different then forcing a confession.<br /><br />A solid encryption program like PGP along with a strong password, will render the files uncrackable. At least within the next 100,000 years. If they can brute force it before then(assuming no exploitable flaws are found in the implementation), they can consider themselves extremely lucky.

[mikalg]

Somewhat Agree

I do agree that the 5th is an appropriate position for this case. I disagree that you seem to be saying that the "feds" should not be allowed (legally) to brute force/other method, the password. They DO have a warrant, and as such the encryption is a "door" that must be entered to execute the warrant. I see no difference between the "virtual door" of encryption and a physical door in the "real world". We all know of the battering rams deployed to execute warrants. Surprising to me is the fact that this encryption could defeat a Federal agency. Might you expect a better method of breaking 128-bit by the government? I suppose not! Worrisome that a cheap program (very good software, referring to the cost) could deter the feds! Although this is not the type of case you would expect a "better" way to break 128 to be used...publicly anyway.

[Robert.Tackett]

Search and seizure?

If you don't have to provide access to your hard drive because it would be considered a violation of the 5th, why would you have to allow access to your home or car? I'm all for privacy, but this doesn't make sense. They can force me to open my home and allow them to dig through every nook and cranny, force me to open my safe or any other locked containers so they can search, but not my computer. What would happen if I refused to let the police in my home or car? Shouldn't the same happen if I refuse access to my hard drive?

[capng]

re: Search and seizure?

They do have access to the hard drive, and they have the warrant to seize it and search it. But that warrant doesn't grant them the right to force the person to disclose a password to access data. Using your comparison to searching a home, if the police obtain a warrant to search your home because they suspect you of murder, they have the legal right to enter and search. But that warrant doesn't compel you to reveal the location you buried the body. <br /><br />Being forced to reveal a password that could lead to incriminating evidence against you is a violation of the 5th. A person cannot be compelled to self-incriminate. For this same reason, involuntary DNA samples should not be allowed.

[jsmith1785]

Re: Search and seizure?

In the case of your home or car, if they have a warrant, you don't have to provide them with keys to get in. They simply break in. If there's a safe in your house, they'll get someone to crack it. You get my point?<br /><br />They aren't forcing you to let them in, they're forcing their way in themselves. If they want his hard drive contents, they can break it themselves, not require him to open it. If it's too hard to crack, well that's just too bad.<br /><br />BTW, PGP Corp. should really take the ad opportunity. Encryption so strong the feds can't break it.

[Travis Ernst]

re:search and seizure

The point is they HAVE access to the computer. The accused is <br />not withholding it from them. It never says you have to show <br />them everything. The Feds have the computer. It is up to them <br />to obtain what's on it.<br /><br />You can hide text in a MP3 if you want, or in an art file. You <br />don't have to SHOW the people who are trying to charge you <br />where the smoking gun is. Just give them (physically) access to <br />what they want and you have fulfilled your legal end. <br />Remember, this is still pre court stage, so it is not even where <br />they can claim contempt or hindering.<br /><br />As for what/where they are searching it better be in your name <br />and they better have a warrant in hand. If the computer is <br />registered to somebody else, or a company then it's another <br />tangled mess. I've refused to let the boys in blue in to my <br />residence before. They tried to get in, I told them unless they <br />had a paper saying so, they had no way in and had to talk to me <br />in public.<br /><br />Car searches are depending on the state. They can't just search <br />your car if they want to in every state. It depends on the states <br />law. Most states they need you (the driver) to consent for a <br />search, unless you have Illegal plants on your back seat, or other <br />criminal items that gives them reasons to do a full search.

[Leria]

Ah, but's heres the point

Usually, when they are wanting you to open up your home, they ALREADY have evidence of a crime..... in this case, they don't have any evidence except the word of a third person that CP was on the computer in question, and that simply isn't good enough for a warrant in most, if not almost all, cases.<br />This is basically telling someone "Okay, you can prove your innocence by letting me see what's in this locked box, even though I have no evidence of a crime." The correct response in that case is "Why do I have to show you anything, you have no or little evidence that I have committed a crime?"<br /><br />Secondly, they can only search places where they have REASONABLE SUSPICION might have some evidence of a crime or a piece of evidence. In this case, they do not have that reasonable suspicion. They are close to it, but that infinitesimal gap is what makes a legal search into an illegal or unconstitutional one.

[i_am_still_wade]

Innocent until PROVEN guilty

Aside from the arguments already made, you must remember a person is innocent until proven guilty, unless it a high-profile case and the media gets involved than a person guilty even when proving innocent. However, despite the media sensationalism, the burden or proof rests entirely with the government. What proof do they have? Apparently only anecdotal. If this was before a grand jury that I was on, it would be dismissed due to lack of evidence.

[Dalkorian]

A fine line

Robert.Tackett posted this for consideration:<br /><br />"They can force me to open my home and allow them to dig <br />through every nook and cranny, force me to open my safe or any <br />other locked containers so they can search, but not my <br />computer."<br /><br />I fear you're missing an important point. Yes, they can force you <br />to open your home (battering ram) and they can force their way <br />into your safe. What they can not do is force you into telling <br />them the combination of the safe, which is exactly what they are <br />trying to do here!<br /><br />They have not been refused access to the hard drive in any way, <br />they have it in their possession. They just can't crack the <br />encryption on the drive. Consider the situation where they want <br />into your safe and they don't have a safe cracker available. Are <br />they able to force you into opening the safe yourself or divulging <br />the safe's combo?<br /><br />(Note I have assumed your safe has a combination lock and not a <br />keyed one, I think they can force a physical safe key from you. <br />They can NOT force you into giving the the combination though, <br />at least in the America that we all love where freedom reigns <br />supreme and people like GWB are in prison.)

[k2dave]

The difference between a access to home or safe to password

is that if you don't provide access to the home or safe they will break in, causing damage, so it is your best interest to comply to minimize damage, they will get in. In this case there is a real change that the gov't will never get in.

[inachu]

No matter the subject matter......

Be it top secret or pedophilia or secret time sensitive information if it is to be used to incriminate then that person has every right not to tell.<br /><br />The only time I would vote against this is if telling the passcode will save a human life.<br />If it can save a childs life then I say beat it out of him.

[MTGrizzly]

Slippery slope...

One of the most dangerous aspects of Dubya's "War on Terror" <br />is that we, the American public, are seeing his lack of <br />constitutional insight in to what is or isn't an acceptable <br />interrogation technique leak over from alleged "terror" <br />investigations to plain criminal law. The government has made <br />the distinction that, in some cases, torture - "torture" is a <br />nebulous concept, but one which starts way before the <br />Gonzales' memoes to Dubya - of terrorists is acceptable to the <br />government and some people.<br /><br />Because of this, we get statements like, "If it can save a child"s <br />life then I say beat it out of him." Not only won't "beat it out of <br />him" work - study after study has shown, if enough pressures is <br />applied in the right way and over a long enough time period, <br />people who are 'tortured' will say anything just to stop what is <br />being done to them. Can anyone say, with any degree of <br />reliability and documentation where torture has led to the <br />discovery of "high value intelligence" that led to lives being <br />saved" since the Bush administration starting torturing people in <br />Gitmo? No, because there hasn't ever been a case. Once we have <br />accepted torture to "save a child's life," how long is it before we <br />accept torture as an acceptable method to save an adult's life or <br />to stop something that may be perceived as anti- or asocial that <br />we don't like? Once you start down that road, you have no idea <br />where it will end. I do, tyranny and absolutely no security.<br /><br />The founding fathers, having just escaped one tyrant - King <br />George - structured a government that protected its citizens <br />from falling under further forms of tyranny. The constitution <br />recognized "unalienable rights" - it doesn't recognize <br />"unalienable rights," unless it can save a life or produce some <br />information of dubious to no value from a guy who's been <br />sitting in Gitmo for the last four years getting the snot beat out <br />of him, waterboarded, et cetera. It guarantees unalienable rights <br />for EVERYONE. EVERYONE. Just because we get frustrated and <br />start to believe that whatever cause we are pushing justifies <br />ignoring the constitution does not mean that we should be able <br />to do so with impunity. We are a nation of LAWS, NOT MEN.<br /><br />Torture helps no one and debases our society. The 4th, 5th and <br />13th amendments, Miranda vs. Arizona and its successors, et <br />cetera work together to prevent unlawful search, seizures and <br />to protect due process. These are not "options," they are the law <br />of the land. Torturing people, for whatever reason, makes our <br />society less civilized and degrades a form of government that <br />has served us well for over 200 years. Are we really ready to <br />throw that all away for nothing?

[volterwd]

DNA

but they can force you to give DNA samples that will possibly incriminate yourself then or in the future?

[MTGrizzly]

The difference is physical evidence vs...

The courts may compel you to allow the cops to gather DNA <br />evidence from your body. Just like the supremes have upheld <br />that compelling you to submit to test to determine your blood <br />alcohol content is acceptable. This is "PHYSICAL EVIDENCE," <br />something that is physical that can be held in your hand.<br /><br />Compelling you to reveal your password/phrase is testimonial <br />evidence. Since you cannot be compelled to give testimonial <br />evidence that would tend to incriminate you, the government <br />can not compel you to disclose a password/phrase.<br /><br />Anybody remember the NSA's absurd battle to force the use of <br />the "Clipper Chip" in civilian encryption software, so they would <br />always have a backdoor into any encryption method? Didn't fly <br />then , won't fly now.<br /><br />I don't think anyone has mention is, but I don't even think the <br />cops have enough probable cause to support a non-border <br />seizure of the laptop. They "think" someone saw some child <br />porn images on the hard drive. "Thinking" is not probable <br />cause. There must be actual physical or testimonial evidence for <br />a non-border seizure of the laptop and its subsequent search. I <br />don't see that here. Even then forcing an individual to give over <br />the password/phrase is testimonial evidence and cannot be <br />compelled. Further, it is my understanding that the guy claims <br />to have forgotten the password/passphrase to the subject <br />encrypted matter. Short of "beating it out of him" - which won't <br />work, see my earlier posting on this subject about torture and <br />the bogus information it "produces" - I don't see any realistic <br />way to get the passphrase to decrypt the data. Any IT <br />professional knows that simple to moderately complex <br />passwords/passphrases are forgotten by users all the time. <br />Somehow, I don't think the government is going to be really <br />happy if they have to accept this everyday occurrence, (a <br />forgotten password/passphrase), which is NOT A CRIME, in this <br />case.

[anonfunk]

Here are some of my thoughts on this subject...

1) The customs agents claim that they saw images of child pornography. Ok, lets say that it's their right to do a routine check on the laptop of someone who is entering the US (someone might disagree); what is the use when they clearly don't have the training to handle such situations as the discovery of illegal content? Cause if they were trained (or simply smart) they whould have taken a photograph of the laptop while the illegal content was on display. That's what a forensics team would have advised them to do (as a first step). The battle was lost at that early point.<br /><br /><br />2) Since they allegedly opened the files on the laptop and they saw the illegal content, doesn't that mean that some traces of the files may reside somewhere in the computer? <br /><br />For example:<br /><br />-- R.A.M. --<br />We all know that the contents of RAM are lost after shutdown. Let's assume thought that the laptop hadn't been restarted (just shut down) after the initial inspection at the customs (so that the standart memory test that occurs at boot time wouldn't overwrite anything). Couldn't the computer experts examine the RAM and extract at least fragments/evidence of the illegal content?<br /><br />-- "pagefile.sys" (or "swap" or "paging file" or whatever you want to call it) --<br />I'm sure it would take more than your average user to find traces of illegal content there, but couldn't a forensics team do it? Imho it's much easier (and straightforward) than trying to brute force their way into the data of the encrypted partition... Of course they might retrieve just a small part of the illegal material (let's say a couple of pictures), but won't that be enough for a conviction? <br /> <br />-- "deleted" files --<br />Can't the forensics team look for traces of deleted (but not securely erased) older files? (We all know how standart delete works; no data overwritting whatsoever). If they could restore even one such illegal picture from the unencrypted partitions of his laptop, problem's solved. You'd think that he is "smart" because he used encryption, but in reality he might have made such a stupid mistake as to not securely erase old illegal files...<br /><br />-- ISP --<br />I don't know what data ISPs tend to keep and for how long, but if the guy claims that he downloaded this material, isn't there a way for the FBI/computer forensics (whatever) to require traffic data from the ISP for this user? Couldn't such info provide the evidence that the police needs? If the guy had a habbit of downloading cp even the ISP might have taken notice.<br /><br />-- key logger --<br />It's far-fetched I know, but if they really want to get that guy, they could simply install a key logger and return the laptop to his owner. Or they could return the laptop, monitor the guy's online activity and somehow install a keylogger when the guy gets online (after he starts feeling he's safe). The next time they will confiscate his laptop they will have the info they want. <br /><br /><br />3) I believe it's just a matter of how much effort and resources they are willing to throw in to catch this guy. But let's be honest, they simply don't care THAT much! <br />I mean, you are a cop; who would you rather get? The junkie or the guy that makes big bucks selling narcotics? I think that the same thing applies here. They'd rather get their hands on a guy producing or/and selling child pornography than a guy merely downloading it. It's a matter of priorities, I believe...<br /><br /><br />4) Guilty or innocent, scum or saint, I believe that this guy must not give his password. The police has the testimonies of two customs agents and all the methods I mentioned above to find the evidence they need for a court of law. God help them if they can't put this guy to jail, but that means they didn't have much evidence to begin with. In any case, they can't expect from him (the accused) to find the evidence for them! They might as well give him a rope and order him to hang himself!<br /><br />Thanks for reading, sorry for my bad english.