Comments on: Judge orders defendant to decrypt PGP-protected laptop

Federal court orders defendant accused of having illegal data on his laptop to type in his PGP passphrase so prosecutors can access decrypted files.

[pulstarjwc]

1. if you have nothing to hide, you can show token resistence for the principle, but ultimately provide the required passphrase.
2. a Lawyer can easily request that the contents of the encrypted partition/ drive be suppressed from public release. Assuming there is personal information that is usually suppressed like banking information, SSN, etc. , the request would be honored.

Kevin Mitnick has a simple way around all of this. When he travels abroad, before he goes to the airport or crosses the border, he uploads what he needs to a server and then wipes the drive. Of course, the FBI ensures that his computer would be searched. If the drive is wiped, there is nothing to find.

[bullsballs]

BTW, If you have the Bart and Lisa Simpson cartoons of Lisa performing a sex act to Bart, or Bart to Lisa, this is considered child pornography today. That is all it takes to be in violation of the law.
Sure, we need to protect kids, but draconian law is not the answer. And to throw the Constitution out the window is wrong. Granted, the guy may spend time in prison, but there is the principle...

[jafarm66]

I wouldn't type the password so they can arrest me for contempt and I'll my lawyer puts the information in every paper and news outlet in the country!! Then maybe I'll decide not to sue the for a Civil Rights violation. Unlikely since I don't trust government or authority.

[mrjay001]

A few comments.

1. There is no way I would provide that password or pass phrase under any circumstance. I would say I forgotten it or just say no to their request.

2. The border guard is not an expert on child porn. Without further review by an expert, I doubt the government can say with 100% certainty that the material the border guard witnessed was really child porn. I think a good lawyer can raise doubt in the mind of any jury.

3. The government has overstepped it authority in this situation, in my opinion. What is the combination to the safe that holds the evidence that can convict you? The difference is the government can force its way into the safe without you giving them the combination. The only difference is the government lacks the tools to force its way pass the security and depends on the defendant to give them the access to info that maybe could send him to jail. A big middle finger to the government.

[zxcvvcxz3000]

You can take it for a fact that the govt has already made at least one, if not a few cloned back-ups of the drive in question. By coincidence, I happened to chat with a cop on this topic about 2 years ago. They never even turn on the suspect's PC. They just remove the drive in question, and use specialized software that creates a bit-by-bit identical clone. Then they make another clone to use for investigative purposes. So the original drive is never actually turned on when connected to the suspect's PC, and the first back-up is kept safe in case the second back-up blows up for some reason. (The exact procedure may differ slightly depending on the particulars of the law enforcement agency, but any digital forensics dept worth a damn will use pretty similar techniques)

So for all those who suggested he wipe the drive, or use some form of LoJack, these are simply not valid choices, because by the time they let him touch any keyboard, you can rest assured he'll be working from a clone, and not the original drive.

[zxcvvcxz3000]

The real issue here is whether or not harsher penalty can be imposed if/when he refuses to decrypt the files. Put it this way. Just for the sake of argument, let's just pretend this drive is filled with hundreds of kiddy porn files. Now, the way the laws are currently written, he could be given a 5 (or more) year sentence for each and every single file. Resulting in a possible sentence of hundreds of years. But, for the sake of argument again, let's just say the prosecutors count them all in lump, we're still taking a very substantial period of time he could be in prison when found guilty. So, he has absolutely no incentive whatsoever to unlock the drive.

On the other hand, he could gamble, and either by outright refusal, or by pretending he forgot the key, not decrypt the drive. In which case... and as I see it, this is the real point here... what are the govt's choices? Can they lock him away for 10's of years? Sure, we know they can get him for Contempt of Court. But how long a sentence would that bring? In other words, in the event that they cannot produce actual kiddy porn from this drive, what is the maximum sentence they could impose?

[zxcvvcxz3000]

It seems to me, in that case, they fall back to the sworn testimony of a law enforcement officer (the border guard). And it boils down to how credible the jury sees this officer, and how much they are willing to believe he saw what he says he saw. Additionally, it would depend on if the prosecution would be allowed to tell the jury that the defendant refused to decrypt the drive -- thereby causing the jury to believe the defendant "Must be guilty or else he'd decrypt the files".

As I see it, this guy is going to prison no matter what. The testimony of the border guard will insure that. Not because they can "prove" the files are kiddy porn, but because the accusation of being a pedophile is enough to turn the jury against him.

So given that he's almost certainly going to be found guilty no matter which choice he makes, the real question is, can the judge/jury impose substantial additional penalties for refusing to decrypt the drive?

[zxcvvcxz3000]

I fully admit I am ignorant of the law in this area. For example, if i murder someone, and refuse to turn the weapon over to the cops, can they impose a harsher penalty? Or if I swindle some investors out of their life savings in my ponzi scam, can they impose harsher penalties if I refuse to turn over my files? I don't know the answers to these questions. But it all boils down to the same thing. If *I* know I'm guilty, what reason do I have to cooperate and give the cops whatever they need to cook my goose?

And likewise, if we begin with the assumption that the man is innocent, does the govt have the right to impose harsher penalties just because he refuses to cooperate with the investigation? We often like to believe that we (American's) are "Innocent until PROVEN guilty". But the fact is, that is not truly the case, and has not been for many years. In many instances, the accusation, or "sworn testimony" from someone the jury trusts/believes, is all it takes. And "Proof" becomes irrelevant.

[zxcvvcxz3000]

I'm not judging this man. Child molestation and/or exploitation is wrong. And if he is guilty of either of these, or of activities which promote such behavior (it can be argued that downloading such files "promotes" the behavior by encouraging those directly involved to do it more). But the legal question at this moment is not does he or does he not have kiddy porn (or even caricatures of kiddy porn). The question is, what rights still remain with regards to not being forced to give incriminating evidence against one's self? And what penalties can the govt impose when one refuses to provide potentially incriminating evidence?

Sadly, I feel that individual rights are going the way of the dodo, and that (short of a popular uprising), the govt is getting closer and closer to a police state. ... but that's just my $.02 worth, you mileage my vary.

[ross613]

An interesting case to be sure. Canada's legal system offers no "5th amendment"-style protections, opting instead to simply immunize any witness or accused against self-incriminating evidence thus allowing for use of that evidence in other aspects of a case. (See §13, Canadian Charter of Rights and Freedoms.) Were this a Canadian court, that might mean that none of the evidence acquired through disclosure of the password could be used against the accused - even though it were known to the court, although I'm not at all sure this has been tested.

Still, it seems bizarre that in the U.S. the defendant should be expected to assist the prosecution with the case to this extent; and it certainly says a lot about the effectiveness of PGP encryption that the authorities are forced to turn to legal remedies under such circumstances (rather than trying to break the encryption themselves). At the very least, it seems the U.S. legal system has left itself vulnerable to all kinds of legal abuse by allowing for coercion of participants in legal proceedings to gain access to encrypted data.

Surely, there are better alternatives. People should keep in mind too that, ultimately, any kind of guarantees for personal privacy - both technical and legal - will mean some of those who traffic in child pornography, hate literature and other forms of censored material; will get away with it. It all comes down to determining how valuable personal privacy is to a society; and I'm inclined to think such guarantees are worth it, in the end.

[martusfine1]

couldn't one say they forgot the password?

[emcourtney]

I used to work with COMSEC, which includes cryptographic keys, when I was enlisted in the Air Force. We stored the key's physical medium in safes and our procedure was not to commit the combinations to memory on the theory that if we didn't know them we couldn't reveal them, either accidently or under coercion.

"I never committed it to memory" is even better than "I forgot". Of course, I'm sure the actual password was written on a post-in stuck to the bottom of the laptop which ICE's lousy evidence handling procedures has allowed to wander off :)

[camillelambert]

I am surprised that none of the commenters have yet considered the well being of the children in this case. Lets suppose that the Law Officer really saw thousands of child pornography photographs.
What if some of the children were captive still today? What if your own two year old son or daughter had disappeared a few months or years ago? What if this password could help locate and free your own child?
If we forget the law for a second, what do we have? On one side the rights of an alleged child pronographer, on the other side potentially several captive and/or raped children, or at the very least the rights of these children if they are still alive today.
I think in that case the law could be slighty adapted for that precise situation, without a significant loss of civil liberties for the other citizens.

[archaeopteryx]

Yes, it really would be wonderful if the authorities worked WITH Boucher instead of AGAINST him. I wish they'd think of the children!

[Dalkorian]

I guess we can still take comfort in the old retardican defense - "I can't recall".

[jjgoodman]

In other words: "Never mind the constitution. Think of the children!". Sorry, there may be room reasonable people to disagree about whether revealing a password amounts to self incrimination, but that particular excuse is old and tired, and it's not going to fly.

But just for the sake of argument, if the welfare of children is the primary concern, perhaps he would be willing to turn over contents if he were granted complete immunity. I wonder why they haven't tried that. It would be awful petty to endanger the lives of all those children just for the sake of punishing one man, wouldn't it?

[jjgoodman]

Sorry, that was meant to be a reply to camillelambert's comment.

[therealgeeves]

I thought that in the US, if you did something illegal you had to turn yourself into the authorities...

[archaeopteryx]

Here's a subtle distinction I read on the Washington Post on the 5th amendment issue:

" In his ruling, Niedermeier said forcing Boucher to enter his password would be like asking him to reveal the combination to a safe. The government can force a person to give up the key to a safe because a key is physical, not in a person's mind. But a person cannot be compelled to give up a safe combination because that would "convey the contents of one's mind,'' which is a "testimonial" act protected by the Fifth Amendment, Niedermeier said . "

http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663.html

[Pam Nos]

The article says that "thousands of images of adult pornography and animation depicting adult and child pornography." Part of the question is if the animation is movies or if it's animated and doesn't depict real people. The Supreme Court ruled that possession of virtual child pornography could not be a crime, but this was mainly overturned by the 2003 Protect Act (if the images can be considered obscene). If this happened before 2003 then they may not even have a case.

[Lao_Gai]

FYI -
George Washington, Ben Franklin and Thomas Jefferson all used codes and ciphers as part of their official and personal business affairs. I am certain the King George would have loved to have found the code keys for the messages between Washington and LaFayette.

One if By Land... Two if By sea...