Minnesota court takes dim view of encryption

A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.

Ari David Levie, who was convicted of taking illegal photographs of a nude 9-year-old girl, argued on appeal that the PGP encryption utility on his computer was irrelevant and should not have been admitted as evidence during his trial. PGP stands for Pretty Good Privacy and is sold by PGP Inc. of Palo Alto, Calif.

But the Minnesota appeals court ruled 3-0 that the trial judge was correct to let that information be used when handing down a guilty verdict.

"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.

Randall favorably cited testimony given by retired police officer Brooke Schaub, who prepared a computer forensics report--called an EnCase Report--for the prosecution. Schaub testified that PGP "can basically encrypt any file" and "other than the National Security Agency," nobody could break it.

The court didn't say that police had unearthed any encrypted files or how it would view the use of standard software like OS X's FileVault. Rather, Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser.

Judge Thomas Bibus had convicted Levie of two counts of attempted use of a minor in a sexual performance and two counts of solicitation of a child to engage in sexual conduct. The appeals court reversed the two convictions for attempted use of a minor, upheld the two solicitation convictions, and sent the case back to Bibus for a new sentence.

[Pete Bardo]

Nothing to Hide, No Need to Worry!

This is one of the most hideous statements of our time--if you have nothing to hide, you have nothing to worry about.

Privacy is a natural concern, and Americans have a right to expect, practice and preserve our personal privacy. The mere existance of encryption software on a personal computer is an admission of guilt as much as having a lock on your front door.

Most computer users store credit card numbers, passwords and other sensitive information that could be a big problem if this information falls into the wrong hands.

The fact that PGP encryption had been installed on this person's computer had in no affected the outcome of the trial. It was, in fact, in no way relevant to the conviction. The "conviction was based on the in-person testimony of the girl...", quoting from the article. Allowing this to be submitted as evidence in this case jeopardizes all of us and our privacy.

[njstahl]

I agree and then some!

I thought the bedrock principle of the Bill of Rights (especially the 4th through 8th Amendments dealing with the rights of the accused), and the Fourteen Amendment's "Due Process" clause as applied to the states, was the PRESUMPTION OF INNOCENCE UNTIL PROVEN GUILTY BEYOND A REASONABLE DOUBT IN A COURT OF LAW AT A PUBLIC TRIAL ADJUDGED BY A FAIR AND IMPARTIAL JURY OF YOUR PEERS AND A JUDGE WITH THE ASSISTANCE OF COUNSEL.

It is important to note here that the merits of this case were largely based on the testimony of one person, the accuser and defendant's niece. I am not going to expound on the credbility of the child accuser here, I just assume for the record that her statements are at least correct in their base factual content with some minor inconsistencies that are not important to the criminal charges with which the defendant was charged.

As it applies to the case at hand here, the mere presence of encryption software is insufficient or irrelevant to the allegations of child sexual misconduct. There are several acceptable explanations as to the presence of such software, none of which are related to criminal behavior. Nothing more needs to be said here.

As far as the browser search history, I am a little more willing to accept, but not totally convinced, its relevance. Just because the defendant, or anyone for that matter, searches for pornographic material on the internet (including those queries whereby child porn could be found), does not in and of itself make the defendant a child molester, so long as they are of legal age to view such materials in their jurisdiction. The search history can only demonstrate one facet of the sexual preferences of the defendant. Last time I checked, desire itself (even of those under the arbitrary age that the law defines as the "legal age of consent") is not a crime. You can only be convicted if you attempt to take actions on those desires. For example, If I were to say that I think Hilary Duff (age 17 until 28 September 1987, according to IMDB) is pretty hot, does that make me a pedophile?

Without solid photos or tangible corrobative witnesses, this conviction should not stand and be overturned. Testimony of only one person, a child no less, should not be sufficient to sustain a felony criminal conviction. And the inclusion of browser search histories seems to me a desperate grasp for straws in a case based largely on "he said-she said" allegations.

Sex crimes involving those too young to understand the situation are among the most heinous that can be committed. But conviction of any crime, no matter how inconceivable, should not be arrived at simply because of the nature of the crime and an inherent desire of closure for the accuser. Remember that facts and evidence decide criminal convictions not thoughts and emotions.

It is better to let a hundred guilty people go free than let one innocent person be falsely imprisoned. (See "Double Jeopardy" clause of Fifth Amendment: "No person shall... be twice put in jeopardy of life or limb for the same offense.")

Damn skippy! This judge is a Nazi

You think Thomas Jefferson would agree with that alarmist neo-nazi platitude? HELL NO.

We must all speak out or we will lose the right to encrypt. I encrypt everything, and if a FBI Pig took my PC I would not comply with their anti-Americanism.

I don't have anything to hide. THEREFORE YOU HAVE NO RIGHT TO LOOK. When did Minnesotta, the home of Battlin Bob Laffollete etc become a police state happily pooping on the constitution, and throwing poop in the face of our Founding Fathers? I guess it happened today....

[poster48150]

Windows XP

Windows XP Professional includes the ability to encrypt files...

Jim

[Andrew J Glina]

So does Win2K

But Shhhhhh.. Apple users think that they were first. Don't upset the Apple cart.

Not just WinXP...

Miltary-grade encryption can be found in any
operating system these days, and there are also
a number of hardware encryption solutions too.

All versions of Windows released in the past 4
years or so, Mac OS/X (even older Mac OSes with
certain software), all versions of UNIX,
FreeBSD, Linux, BeOS, etc. have features at the
filesystem and application level for such
things.

PGP or GPG can be more secure than the
filesystem level encryption, if used properly,
but they are a must for people that need to
digitally sign documents, send sensitive e-mails
for work, etc. I'm not sure that a tool that
specifically meets a federal standard for
digital signatures on documents is evidence of
criminal intent; even if the user happens to be
a criminal.

Could not the criminal hide evidence by keeping
all incriminating data on a DVD-RW that is
hidden inside a DVD box along with a movie in
his DVD collection? By the court's logic, a DVD
collection must equally be evidence of criminal
intent.

Bah

Knowing Microsoft, there's a law-enforcement backdoor.

[Andrew J Glina]

Errr....

Is this even a Microsoft story?

The 'backdoor' as you call it

The backdoor that you are refering to is called a 'data recovery agent' which when using EFS, (Encrypted File System) the utility built into NTFS in 2000 and XP that allows you to encrypt files, allows the administrator to recover encryption keys. This is not a backdoor, it is necessary in a large environment.

[Andrew J Glina]

Scarey

Assuming that this story is not missing any facts I find it incredible that the only evidence they have is some web searches and a testimony. I have done web searches in the past and accidently found child porn. (It hasn't happend for a while so I suspect that the search engines are getting smarter than the porn sites.) Surely they have more evidence than that!

[sanenazok]

The case was based on

a weirdo uncle who asked if he could take naked pictures of his niece and pay for them. She testified about it. Now if his computer revealed that he searched for "lolitas" which apparently ties to these materials then yes it helps to show that she didn't misunderstand and that he wasn't taking "medical" or "artistic" pictures.

[sanenazok]

Hardly the center of the case

The material regarding what the court thought about the encryption program is about three sentences in the whole decision, which is about 15 pages. So the court didn't really say anything about it and whatever it said wasn't necessary to the decision of this case.

[declan00]

but an important part of the case

There were five issues on appeal. The encryption question was one of them. So while it's not the only topic of the appeal, it was an important one.

Excerpt follows.

1. Did the district court err in admitting evidence concerning appellant?s internet usage and encryption capability for his computer?

2. Is there sufficient evidence to support appellant?s conviction for two counts of Attempted Use of a Minor in a Sexual Performance and two counts of Solicitation of a Minor to Engage in Sexual Conduct?

3. Does the complaint adequately set forth the essential facts constituting the offenses of which appellant was convicted?

4. Did the district court?s findings regarding matters outside of the record deny appellant his right to a fair trial?

5. Does appellant?s sentence violate Minn. Stat. § 609.04, subd. 1(4) (2002) (multiple convictions), or § 609.035 (2002), which prohibits multiple sentences for offenses arising out of the same behavioral incident?

PGP + DMCA = problems

America, land of the free*

*rules and conditions apply...

Does this mean that locks on your doors indicate criminal intent too?

And maybe and government with an army really only has an army because they are doing something illegal too.

In today's age, no one is looking out for you, or me, or anyone else. There are risks around every corner. It's a shame that these jurors didn't get a fair explaination how how or why security exists.

I bet if their personal information was stolen from a unsecured website, they'd be standing in line for the class action suit.

Actually, what it means is:

If your windows are equipped with curtains (whether you close them or not), you must have something to hide.
If you're reluctant to allow strangers to rifle through your filing cabinet at will, the the IRS ought to investigate.
If the the trunk of your car is equipped with a lock, the police have probable cause to search it.

[Slamlander]

There is a compatibility problem

between that Judge and the US Constitution. Privacy is a part of our 1st and 4th Amendment rights. The presence of encryption is a protection against an illegal search. It does not, per se, supply "probable cause". Absent other evidence of a crime, the mere presence of encryption constitutes nothing more than a desire for 4th Amendment privacy.

That Judge needs to be officially rebuked.

IANAL

[aabcdefghij987654321]

i'm guilty!

I have lots and lots of 'hacking' documentation, proof of hacked servers, lists of users and passwords for fortune 500, list of bank accounts....hell I have even PGP encrypted them! I deffinately had/have intent to conceal evidence of any wrong doing....but then again....the company who I have hacked has me pgp-encrypt the reports and information with their keys..now they're guilty too...conspiracy to commit computer crimes!

I won't send any relevant plaintext information via email; network traffic is too easy to sniff.

To those who say "I have nothing to hide", next time you try access to your bank online...call them up first and tell the you do not want to use SSL because you trust them and you have nothing to hide!

While...

While I think people that involve children in anything that is in the least bit sexual should be shot (after a trial of course). Unless a perp has encrypted child porn on his computer the fact that he has encryption software or encrypted files on his computer is unimportant.

If only one U.S. agency could crack the encryption and the prosecution is concerned about any encrypted files on the perps computer, then they should either get setup to break the encryption themselves or send the computer off to have it de-encrypted. Otherwise it is un-important to the case.

Robert

[george_humphrey]

Article is misleading

The title and first sentence of this article are very misleading and possibly indicate that either the author did not understand the court's opinion or is deliberately "hype-ing" the story to garner more eyeballs and therefore more ad revenue.

The opinion's full test is available here:
http://www.lawlibrary.state.mn.us/archive/ctappub/0505/opa040381-0503.htm

In it, it cites the testimony of the victim. The child molester is the victim's Uncle, who convinced the victim to allow him to take pictures of the victim's genitals.

The opinion, (main author, Judge Randall), never states that the courts takes a dim view of encryption, or that the presence of encryption tools are eveidence of criminal intent.

The Opinion only notes that: "The record shows that appellant took a large number of pictures of <victim> with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant?s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state?s case against him."

Declan - Please note for the future that "somewhat relevant" does not equal "criminal intent". You blew this one up.

The opinion further notes that "Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. And rulings on relevancy will only be reversed when that discretion has been clearly abused. The party claiming error has the burden of showing both the error and the prejudice.?

[declan00]

misleading? hardly

A headline can never capture as much detail as the full story.

There was no mention in the ruling that the case involved encrypted files that the police could not decrypt. Without that mention, it's odd and noteworthy that the court saw fit to say that the presence of encryption software should be part of the court record.

Nice lie buddy, good job ignoring the text you cite

cryptography is BROAD NEGATIVE INTEFERENCE.

THATS the problem with this case, not that perfect little self-serving nazi-loving anti-american quote you tweezed out of there to make it look like your terrorist friends in Minnesota are not launching an all out war against our constitution and our presumption of innocence doctrine.

I hope you get put in jail for having encryption too. There might be child porn on your computer, but since Microsoft Windows has the CryptoAPI, the BROAD NEGATIVE INTEFERENCE stopped us from finding it.

The court did NOT prove that this sicko had a picture. While I agree that this perv is getting what he deserves... I DO NOT DESERVE TO GET WHAT HE DESERVED because I can't prove that these pitctures never existed on my PC. CAN YOU?

Precedent?

So will this be used for precedent in other trials? What about businesses protecting their data/networks through encryption? I am not defending this low-life's crime, but this sounds like something that would happen in Stalin's USSR or Nazi Germany, not Minnesota, USA.

What next? search warrants because we lock our doors at night?

[sanenazok]

probably

Yes if there's evidence that you engaged in child porno (like your niece saying that you asked her to get naked), and you have a hard disk full of encrypted files, then yes it will be used as evidence against you.

This case doesn't say that encryption itself is bad, but if you're doing something nasty then trying to hide in this way isn't going to benefit you.

[OldMarine1]

All right put your hands up

You are all under arrest. If only the national ID was here to save us.

[MTGrizzly]

Important Issues

While I agree the mere presence of encryption
software is not an indication of criminal intent,
that really isn't the point in this matter. If it
were, everyone with a SSL browser would
have "criminal intent." There is no, "some
people have encryption software and Internet
access on their computers." Everyone who
uses a commercially produced browser on
their computer has encryption software on
their computer. And having a browser without
Internet access would be pretty silly, don't you
think?

The point here is that the mere mention of
encryption scares people to death. Most
people don't understand what it is, what it
does or that there are legitimate uses for it.
The controversy about the "clipper chip" and
other governmental attempts to invade the
privacy of private citizens, during which the
government has shouted from the roof tops
that only people with something to hide,
terrorists, et cetera use or possess encryption
software, has led people to an unreasonable
conclusions about use of encryption - the
person using encryption is a criminal. After all,
the government has said that only criminals
use it.

Having established that only criminals use
encryption and that there was encryption in
use in this case, then use of encryption can be
used to "prove" one is a criminal. Once juries
have decided someone is a criminal, they may
tend to give more weight to the "evidence"
against a defendant and less weight to the
evidence presented by the defendant. Having
lowered the standard of proof by bringing up
the issue of encryption, it is a short trip to get
a jury to decide that, since the defendant is a
"criminal", then he must have done what the
government accuses him of.

In our current society, revenge and expediency
has supplanted justice as the central concern
of our judicial system. Cases are not made
solely on their merits. The state first engages
in extensive campaigns to thoroughly discredit
and demonize defendants after they are
arrested and before they go to trial. It is
conceivable that a jury would be able to see
that a defendant might make a mistake, if they
think the defendant is, simply, a bad or misled
person. However, when the state spends so
much time demonizing all defendants, juries
are prone to see not a human being, but a
demon from whom they must "protect" society.

The process of demonizations is rampant in
our society, so a juror doesnt' have to have
heard the state demonize a particular
defendant, just that the state feels all
defendants are demons as a generic
statement.

Prosecutors tend to have very little faith in the
court system to mete out justice - and "justice"
is not as important to prosecutors as winning,
(expediency) - and we get prosecutors who
will do anything to win. The guilt of a
defendants, particularly in a high profile case,
is not as important to prosecutors as
"winning." As evidence that prosecutors have
very little faith in the court system, I refer you to
the statements made by the Los Angeles
County District Attorneys offce that the jurors in
the Blake murder case were "idiots" that had
failed to convict a clearly guilty defendant. They
weren't interested in who killed Blake's wife,
they were interested in winning and in
steering blame for not getting a conviction
away from themselves.

So, the issue of whether the presence of
encryption software on a defendant's
computer, while not the central issue in this
case, is an issue of paramount importance.
Simply because allowing this evidence into
the trial has the very real effect of making the
defendant look like someone who has
engaged in a practice the government has led
people, (and jurors are people), to believe is
only practiced by criminals. So, therefore, he
must be a criminal and it is easier for them to
convict him. This, I suspect, was the entire
point to raising the issue of allowing the
presence of encryption software on appeal.

In reality, the defendant might be the lowest of
low. Yet, in our society, with our system of
LAWS, not men, he is entitled to the
presumption of innocence. Allowing evidence
of the presence of encryption software on his
comptuer, without evidence it was used in an
illegal manner, deprived him of that
assumption.

[Jonathan]

More proof that most judges don't get technology at all.

On behalf of all the rational Minnesotans out there I apologize for the stunning stupidity of this fellow.

I wish to god that every judge in the US would be required to take basic computer training 101 classes.

So Microsoft are criminals and Bill Gates the Public Enemy #1 then? ;o)

It appears to me that the Court does not understand what is encryption AT ALL :(

Right to Encrypt, Right to Privacy, Right to Rebel

The right to encrypt is based mainly on the right to privacy, which is really a basic human right. But it has another important aspect: Like the right to bear arms, it supports the right to rebel against tyranny that is explicit in the Declaration of Independence.

In the present political context of increasing tyranny and tyrannical intent that is implicit in the theft of elections and continuing legislative assault by the fascist wing of the Republican Party on crucial American institutions, including the Judicial branch itself, it is very unwise for any judge to seek to weaken the public's ability to rebel.

truly alarming

Some of the statements coming out of the government these days are truly alarming. So there's no legitmate reason to have encryption software? So according to this judge, having certain kinds of legal software shows criminal intent. What's next, the DHS saying that if you have a DVD burner you're a criminal simply because you have the means to pirate software and movies?

[Transaction7]

PGP Encryption Software As Evidence of Criminal Intent???!!!

I wish you had included a link, or at least a citation, to the appellate and trial court opinoins containing this dictum that presence of PGP encryption software constituted evidence of criminal intent.

From your summary, it escapes me, as a retired lawyer who had been involved in a number of matters involving sexual abuse and exploitation of children, mostly representing the victims but, finding myself representing some defendants guilty of this and other dirmes, how the presence of PGP encryption software on the defendant's computer could be any more relevant than a lock on his front door or his file cabinet to criminal intent or any other issue in this case, which you report included the pornographic pictures and clear and direct testimony of an exploited child. Encryption of a picture or text file wouild not even begin to become relevant and material until after these had already been found relevant to the allegations and admitted into evidence, and found to be criminal. At that point, PGP software would be about as relevant and material to such a case as Quicken, Grand Theft Auto, or Tetris on the defendant's computer or a bottle of soda pop on his desk. They might, or might not, have some relevance or materiality to a criminal child pornography enterprise,but only after and conditioned upon a finding that they were used or intended to be used to commit the crime, based upon other evidence.

Having had my office burglarized and privileged and confidential paper and computer files, including data implicating certain politicians and other holders of positions of public trust in, among other things, incest and dereliction of duty where child abuse was concerned, and eventually destroyed by arson, you had better believe that I had long ago learned to encrypt cetain sensitive privileged and confidential data for my own and my molested clients' and other sources' protection. Would an attorney working on an umcoming merger of public companies do any less to protect the confidentiality of data?

Your article did not make clear whether any child porn, or anything related to child porn, was encrypted with PGP.

PGP, quite useful for a number of legitimate purposes, including preserving the confidentiality of attorney-client confidences and trial stragegy while using a computer and the Internet which would not only be lawful and ethical but purposes mandated by legal and ethical rules governing attonreys in this or any other case, by itself, is evidnece of nothing unlawful. The drug paraphernalia rules, read literally, are broad enough to cover silverware and a John Deere tractor, an insulin syringe, etc., none of which should be admited into evidence without at least a prima facie link to such illegal activity. The statutory definition of a deadly weapon here in Texas, and many other states, quite naturally starts with the word "anything." It would logically follow that any number of things, such as a computer, a digital camera, a copy of PGP encryption or much other pefect legitimate software, a house, a car, or a puppy, with primarily legitimate uses, could be turned by an evil person or group of persons to evil uses including the seduction of children and the production and distribution of child pornography. That might qualify such objects to ill-used for forfeiture, and the fact that they were so brought together and used might be highly relevant to a child pornography prosecution, but it does not convert any of them, standing alone, into evidence of intent to possess, produce, or distribute contraband, much less into contraband in the absence of independent proof of such illegal use.

The fact that a child pornographer hid his product by using either a password, PGP encryption, a secret compartment in his home or car, a safe deposit box in some othe entity's name, or a Bible, would certainly be highly relevant to criminal knowledge and intent, etc. just as it might in a case of pirated non-pornograhic movies, stolen money, dope, or records pertaining to illegal anti-competitive activity by allegedly competing electrical equipment manufacturers or road contractors, but nothing about such usefulness of that kind of evidence makes a home safe or keeping a legitimate picture of your family in your Bible evidence of criminal intent or crime.

Would the fact that someone encrypted their copy of their unfinished Great American Novel, or the formula for Classic Coca-Cola or another trade secret, prove consciousness of guilt or intent to violate the law?

I hoe this is appeled, but, perhaps unfortunately for the appellate process and development of the law, your article indicates that the evidence against the defendant here was overwhelming without this error.

President Bush recently said he dods not use Email even to communicate with his daughters because of security concerns. Maybe we need more, not less, encryption and privacy protection, subject to appropriate provisions to deal with child pornographers and terrorists, etc.

Transaction7

[Jim Harmon]

A link...

http://tinyurl.com/dl63d

It was rather long. The link is through caslaw.lp.findlaw.com

Protecting yourself from criminals is now a crime

I don't even know where to start. Does Minnesota routinely fish at the short end of the genepool for judges, or are they just plain evil?

The "Broad Negative Interference" standard applies to anything I do to keep my information safe. Am I know going to be arrested for child molestation because I encrypt my password database and financial records? I hope this judge gets thrown in the deepest darkest most analy-raped jail in the world for having 128 bit SSL encryption on his PC. Maybe a few years of rubbing uglies with REAL criminals will teach him the difference between being guilty of child molestation and using cryptography.

Our founding fathers would turn over in their graves if they found out that protecting your free speech with encrypion is evidence of criminal intentions.

Has George Bush succeeded in turning America into Nazi Germany? I'd say that Minnesota's big fat turd that they flung at the constitution by claiming protecting your personal information and private free speech is now evidence of a crime.