Man Sues Microsoft Because The FBI Was Able To Access His Encrypted Files
from the quite-a-challenge dept
A man who was arrested for gun-related charges is apparently now suing Microsoft for allowing FBI agents to view the contents of his hard drive. He bought a Compaq computer from Circuit City loaded up with various security and encryption products. When he was arrested on gun charges, the Bureau of Alcohol, Tobacco and Firearms took his computer as well. Agents there were unable to access his computer, but handed it off to the FBI who was able to access the content by making a copy of the hard drive. The man was then embarrassed, because, among other things, his hard drive included "sexually explicit videos of him and his girlfriend" as well as "evidence that he frequented pornographic Web sites." He claims that he had Microsoft IE set to erase his history every five days, and between that and the FBI being able to access his computer, Microsoft owes him a couple hundred thousand. Apparently, he already convinced both HP and Circuit City to pay up for their part. Either way, you have to wonder if there's a reasonable expectation that when you buy this kind of security software that folks like the government wouldn't ever be able to break it.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
Two suggestions...
(2) Do use Truecrypt
[ link to this | view in chronology ]
Re: Two suggestions...
[ link to this | view in chronology ]
Re: Two suggestions...
Nothing's wrong with Truecrypt, as far as I know, I use it myself and recommend it.
That's why I said "Do use Truecrypt" rather than whatever other products this gentleman purchased and used ... ?
[ link to this | view in chronology ]
Re: Two suggestions...
It is also my understanding that there are lots of encryption tools (like Truecrypt) that allow encryption that pretty much can't be broken.
I'm assuming the guy mentioned in the article is just an idiot...
[ link to this | view in chronology ]
Unusual one
However unless it came with an absolute guarantee that cracking was impossible I think this is a little far-fetched
The precedents it would set would be mind-numbing - if you can't absolutely guarantee the effectiveness of your product against someone actively trying to break it, you could be sued
Lock Manufacturers, Anti-Virus Companies and Pharmaceutical manufacturers would probably all have to hang up their boots if this goes through
I think the fact that ATF couldn't get into the drive on their own is proof enough that the defences do what they say on the box - however nothing is 100%
[ link to this | view in chronology ]
umm, so
[ link to this | view in chronology ]
Re: umm, so
[ link to this | view in chronology ]
Dumb
The magnet signature from your data stays a very, very long time even after defragging, and re-writing, etc. etc. Even firms that promise DOD-level erasure through software know that there is still a possibility that a smart person can retreive data from that drive. The only true security would be to completely destroy the drive.
[ link to this | view in chronology ]
Re: Dumb
[ link to this | view in chronology ]
Re: Re: Dumb
[ link to this | view in chronology ]
Re: Re: Re: Dumb
[ link to this | view in chronology ]
Re: Re: Dumb
open your eyes,... there are companies who SPECIALIZE in data recovery services, if your hard drive ever dies look them up... they may be your saving grace.
[ link to this | view in chronology ]
Re: Dumb
[ link to this | view in chronology ]
Re: Dumb
[ link to this | view in chronology ]
Re: Dumb
2 Burn it
3 Shred it
4 Butn it again
5 Put the ashes into an oil barrel
6 Add water and mix throughly
7 Bury in toxic waste dump
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
True, but he did commit a felony and under the laws if the police have a warrant they can take whatever they want. I'm not surprised the cops took his computer since he could have admitted to the crime via e-mail, instant message, etc.
Now suing Microsoft because he assume that deleting his file more than a week old means it totally deletes them is absurd. For one thing Internet Explorer is considered a free product, so chances of him winning are slim to none.
Secondly, ignorance is no excuse to the law. All those companies say that nothing is guaranteed as far as security when it comes to the Terms of Use. There are way too many variables to take into account.
And honestly, you think these companies want to develop software to keep the feds out of suspected criminal's computer? That's a whole different legal battle, and you don't want the government on the other side.
[ link to this | view in chronology ]
Re: Re:
Not so true. That would have to be included in the warrant (when serving a warrant, you have to specify such things in the warrant to the judge, to have it allowed in the search. You wouldn't look for a dictionary inside a calculator, its an 'unreasonable search and seizure'. (Just an example of what I'm trying to relay, it has to be within a reasonable search and seizure, which might be exactly what he is basing the suit on). Now, the articale says gun charges. The only reason I can think of such a reason to take his computer, would be if he were arrested on trafficing, he would have used the computer in the course of the crime, which they would reasonably have to identify in the search and seizure.
Now you got me off on a tangent. :P
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Air rifle silencer
[ link to this | view in chronology ]
Re: laser sighted slingshot
[ link to this | view in chronology ]
Re:
"Who makes a silencer for an air rifle? That's like putting laser sights on a slingshot."
http://www.catsdomain.com/
[ link to this | view in chronology ]
?
[ link to this | view in chronology ]
Re: ?
[ link to this | view in chronology ]
BB gun seller
2. "True, but he did commit a felony"
Actually the story says he's charged with selling an AIR RIFLE with a SILENCER. He's not convicted yet of anything and it was only a BB gun.
He's not suing the FBI for doing their job, he's suing Microsoft for not doing theirs. It should have gone to court, the judge would decide if the guy had to give up the password with the option of appeal if he disagreed.
It's quite possible the judge would decide the case is so piffling (and air rifle?? a BB gun!?) that it doesn't warrant his privacy being taken away.
But it means the encryption can't be used because if the FBI can access the drive, so can thieves.
[ link to this | view in chronology ]
Personal Privacy?
If someone is arrested for a gun related (non-computer) charge, should they no longer have rights to personal privacy?
It has be illustrated many times that encryption / information protection technology can be broken. I don't see the point of trying to sue the companies that made the products that have been broken. I see a bigger problem with whether the federal government can use the technology available to crack this type of data protection when someone has been charged with a non-computer related crime.
To me the software and encryption products that were used held up to 'reasonable expectations' of what they said they were doing. To expect otherwise would be to expect that technology couldn’t be broken or cracked. This has been proven over and over that this is not the case.
So for me the fact that his privacy was violated was not the fault of the softwarehardware makers, but that of the federal government. To me someone’s digital information which they are trying to keep private should not be violated simply because they have been charged with a gun related crime.
If someone is being charged with a gun related crime and have a gun safe located in their house, I could see justification for breaking or cracking the safe. But, to break or crack the technology being used to protect his personal privacy (digital data in this case), which has nothing to do with the charge, is not acceptable.
For this to be thought of as acceptable then you would have to have the mindset that anyone charged with a crime no longer has a right to personal privacy. I think this is a more dangerous precedent to set than it would be that companies are responsible for their technology being broken (by the federal government, as in this case).
I also must state that my views and opinios are based on a very limited access to the information of what actually happened. In today’s world of inaccurate and objective information, who knows what really happened.
“Look at things for what they REALLY are, not for what others want them to be perceived as.”
[ link to this | view in chronology ]
Re: Personal Privacy?
I don't think that being a computer crime should be a prerequisite for having your computer examined. The use of computers is so wide spread now that they can be seen as simple tools that almost everyone uses. So accessing his computer would be seen as looking at one of the tools that he might have used to commit the crime he has been accused of. In the same way that they look over someones accounting books if they are accused of money laundering. Or they examine your clothes if you are accused of killing or kidnapping someone even though you didn't kill them with your clothes.
[ link to this | view in chronology ]
Re: Re: Personal Privacy?
The same way a police officer cannot search your car for pulling you over for a traffic violation. That is why the government has to get search warrants or have reasonable cause (in theory: to protect against unreasonable search and seizure).
So I guess a good question would be: Is our digital data protected against unreasonable search and seizure, they same way our house and car, and other personal privacy are protected against unreasonable search and seizure?
Encryption is a lock and the encryption key is the key to the lock. So like the real world equivalent of something being protected with a lock and key, law enforcement should have a warrant specifically stating that they can break/crack/hack the digital lock and key just like in the real world scenario. This is what protects our personal privacy from unreasonable search and seizure and it should apply to the 'digital world' as well.
As far as the article that started this discussion, I don't know enough information to make an intelligent assumption of what 'truly' happened. Therefore, I cannot say if what happened in that instance what a violation of personal privacy or not.
"What is right and wrong is a matter of opinion, and peoples' opinions will always be different."
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Encryption standards
As a student of Computer Science, I came to know that National Institute of Standards and technology (NIST) has approved Advanced Encryption Algorithm (AES) and a few other standards such as DES and DES3 etc. for use to protect data from common public or for securing data overseas from US. They have done this because they can break those if need be.
Also is this true - That you cannot develop and use a "home-made" encryption algorithm that the FEDS cannot break using their "super-computers"?
I believe that this ties in the Patriot act. The Government agencies such as NSA/FBI/CIA has to be able to monitor the public.
[ link to this | view in chronology ]
And another thing, you could use multiple layer of encryption... hardware encryption, filesystem encryption, file encryption, ... and then it would be really hard for the governement agencies to decrypt the file.
And you can "forget the passwords you used" if you are asked to reveal them.
[ link to this | view in chronology ]
Advertising claims
But a few hundred thousand? To whom did the FBI publish this information? If he did it to himself, he is stupid along with being a jerk. Regardless, the most a court should award him is $1.99
[ link to this | view in chronology ]
New light...
http://www.realtechnews.com/
Where it states:
Michael Alan Crooker had his home raided in 2004 based on reports that he owned bomb-making materials. And in fact, the FBI found apparent IEDs and chemicals and equipment used in the production of ricin.
So with this in light, it wasn't a simple gun charge (I was wondering why the FBI would get involved in a gun related case anyway).
Do to the Patriot Act, the police had full discretion to seize the computer, especially if they thought he was a terrorist.
I doubt Crooker would win the case against Microsoft if they decided to go to trial simply because Microsoft offers no hint that history is "permanently deleted" off your hard drive when you set that option.
I bet Microsoft settles though. I wouldn't want to be known for selling some security products and then having a lawsuit about how they don't work.
[ link to this | view in chronology ]
Re: New light...
I will explain further. They found caster bean plants and they found rosary pea plants. With high enough skill it is possible to take the fruit of those 2 plants and make ricin and abrin. Abrin comes from the rosary peas and ricin from the castor plants. But the huge side not is that both of these plants are extremely popular as decorational plants and lots and lots of people have them. In fact some people might have them and might not even know that they can be used to make poison. Making ricin poison is extremely hard and complicated. I doubt that he had the skill to do it. They basically arrested him for having house plants, because they were angry that they looked stupid when he got out on appeal. He didnt have ricin or abrin in his house, he had the plants that could have made them. Do you know that the leaves of a tomato plant are very poisonous? How would you like it if someone came to your house and you were growing tomatoes and accused you of making poisons because you had tomatoes. You cant just take castor beans and the peas from rosary pea plant and squish them up to make the poison. You have to have a full chemistry lab as well. So unless they found a lab as well this case is a farce.
[ link to this | view in chronology ]
...
[ link to this | view in chronology ]
*previous comment*
My comment #27 was in response to Mr. Dave Vick's #23 comment.
[ link to this | view in chronology ]
Some light on the issue...
Michael Alan Crooker had his home raided in 2004 based on reports that he owned bomb-making materials. And in fact, the FBI found apparent IEDs and chemicals and equipment used in the production of ricin.
http://www.realtechnews.com/
Considering this, and the Patriot Act, they had every right to confiscate his computer. I was wondering why the FBI would be involved in a simple gun case, but it seems more serious than that.
As far as suing Microsoft, let him try. Although I bet Microsoft will just settle as they do not want a whole lot in the news pointing to security flaws in Internet Explorer. But if it went to court, my money is on Microsoft for the win.
[ link to this | view in chronology ]
No guarantee
FBI should be covered under the Patriot Act.
[ link to this | view in chronology ]
ya know...
[ link to this | view in chronology ]
FBI loves computers...
There is a case here in AZ. where a man was found guilty of having 3 pictures of girls that appeared to be underage porn on his computer (out of over 1000 pics). The pictures were found in the "temp internet files" folder of his windows program after his angry wife turned it over to the police. He claims they were just from porn pop-ups, and he had no intentions of viewing them in the first place, much less to keeping the pics. But, because they are on his computer, he was forced to plead to a lesser charge, he is now doing 3 years and has to register as a sex offender for the rest of his life.
Almost any adult who has surfed porn on the internet has had these pop-ups. You don't have to look for them, they make themselves obvious. And once they pop up, they are on your computer, and you now are in possession of illegal of child porn, And you are now a criminal.
You can't always control what pops up on your screen, but you can decide how you deal with it. So you can run out and buy software designed to clean out your computer of all these pics and pages that you did not solicit. BUT NO! Thanks to our intrusive govenment, The software is designed so that if someone wants to look close enough, they can see everything you tried to delete or encript. Even if you try to distroy the pictures that you didn't look for, didn't want to see, and don't want to keep, there is still evidence that can come back a burn you someday.
Privacy is an enemy of the state. The more they know about you, the more they can intimidate and control you.
Gimpydwarf
"It only hurts when i laugh ;-D "
[ link to this | view in chronology ]
Big Brotha Pwnz joo
The side show question is that why did he trust m$? Everyone screws everyone and nobody cares anymore, everyone accepts it and moves on.
Personal is no longer a word that should be associated with property or privacy. Both can be taken by the government at will.
[ link to this | view in chronology ]
WTF?
[ link to this | view in chronology ]
Oh come on....
I keep seeing over and over here that they (the ATF) did not have reason for "breaking" the security of this poor saps computer. But as you can READ from TFA it clearly stakes a SALE of a firearm. So by no reasonable stretch of reason the computer could have clearly been used in the commission of this "alleged" crime.
[ link to this | view in chronology ]
poor standards all round
Secondly, it never ceases to amaze me that weak minded beliefs such as "The police can do whatever they like" are so often aired. It is no wonder that corrupt officials find it easy to abuse their powers when so many people maintain this rubbish. I wonder, where do they get these beliefs? Watching too much television? Or making defeatist assumptions based on twisted authoratarian ideas?
Gimpydwarf: "The software is designed so that if someone wants to look close enough, they can see everything you tried to delete or encript. Even if you try to distroy the pictures that you didn't look for, didn't want to see, and don't want to keep, there is still evidence that can come back a burn you someday."
While it's widely held that Microsoft furnish the NSA with backdoors into their software I am personally very sceptical that there is a proper conspiracy between these organisations. There is no need. Microsoft software is so defective by negligent design that anyone with the most basic knowledge can gain access to a Windows computer. Why would any organisation risk exposure by explicitly coding in backdoors when all they have to do is maintain their current standards of security? Rather it is the case that most software doesn't actually behave the way most users assume it does.
But Gimpydwarf raises a very interesting point in this observation.
The first point is that because of its intrinsic weakness a user of a Microsoft Windows system is not in control of that system. I have made this point several times, that there can be no mens rea, no guilt attached to the mere presence of certain data because the users actions cannot demonstrably be proven. There are many self-proclaimed computer "experts" who dispute this, but they are either misinformed, partially informed or outright lying. Many cases I have heard of in this regard revolve around circumstantial evidence, implication and assumption.
But let us assume what many people erroneously believe, that every keystroke and action is logged on a system and that such evidence equates to incontrovertible evidence of intent. In that case there is actually enough information there to acquit a user that has unwanted data on their system (say, by the mechanism of malware or popups). As Gimpydwarf says, that the user " didn't look for, didn't want to see, and don't want to keep" the data, if provable is evidence enough for any intelligent and honourable judge to find for the defendent, at least for her/his character.
But because most laymen, policemen and judges are not experts in computing any accused person is at the mercy of an investigator to absolutely and thoroughly discharge their duty without error, and not to selectively filter the evidence.
The problem is that the investigative software is not designed to execute this task in an impartial manner, it is desgned with a task model which is affirmative, ie looking for positives, rather than attempting to build a picture that could equally acquit or convict a criminal. I know this because I've studied many forensic applications used by the police in a detailed way. Furthermore, it is often used by inexperienced investigators who do not have the time to be thorough.
In many circumstances the shreds of evidence that are uncovered by these present methods should never be admissable as evidence in criminal case, and if presented to a jury of non-experts would certainly be misleading.
[ link to this | view in chronology ]
Is she a big fat grotesque sweat hog?
I say: 'No case, No settlement, and let the punishment fit the crime; one shot in each limb with the air rifle...'
Compaq/Hp and Microsoft are actually entertaining this friggin nonsense?
The man is clearly mentally incompetent.
He should be more worried about the broad he videotaped then the feds, or his own embarassment, - she's got him by the short hairs.
[ link to this | view in chronology ]
M$ backdoor
One way you could get around this law (apart from downloading a system from overseas, setting the password to be, say 256MB and storing it on a USB, with a 4pt printout that you can supply to the police if they dmmand it) would be to make your own modified form of Linux with an obscure and mangled file system which is so thoroughly intertwined in hardware specific version of the OS that they have to try to use your computer, store a heap of viruses on your HDD which can be accessed by a normal file system, and setting up your version of Linux to format the HDD if they do not use a certain key combo when booting. This would mean that the data is wiped when they try to read it.
Alternaltively, store all incriminating data on a USB, which can be easily smashed/flushed down the toilet/eaten/thrown in the fire or otherwise destroyed or hidden. THen if tehy demmand teh data and passwords, you can provide them safely.
[ link to this | view in chronology ]
Old News - Schneier noted this in May '06
========================================
Schneier on Security: Man Sues Compaq for False Advertising
http://www.schneier.com/blog/archives/2006/05/man_sues_compaq.html
Posted on May 03, 2006 at 09:26 AM
I think this is great. It's about time that computer companies were held liable for their advertising claims.
=========================================
Interesting discussion there as well.
[ link to this | view in chronology ]
he "felt secure in Circuit City's claims of impenetrability and security."
[ link to this | view in chronology ]
So they ghosted the machine and suddenly everything was decrypted?
[ link to this | view in chronology ]
Man Sues Microsoft Because The FBI Was Able To Access His Encrypted Files
[ link to this | view in chronology ]
He did nothing wrong
according to this website crocker had his home raided because he had a previous felony conviction and was in possession of a air rifle. But, the thing is that according to the law felons, while not being allowed firearms, are allowed air rifles. Air rifles, according to the law, are not firearms and it is legal for convicted felons to have them. His business was not selling air rifles, it was selling the silencers. His job was selling silencers. They illegally intercepted his packages he was sending out to his clients, then raided his home illegally, and then took his computer and hacked it and basically raped him of all rights that we as american citizens have. It is illegal for the government to intercept mail UNLESS they have reasonable suspicion that a crime is being commited. The only evidence they had was the silencer they found in the package and they only found it after they seized the mail illegally. for them to legally have obtained the mail they would have had to have reasonable proof before intercepting the package.
After raiding his home illegally, exposing his embarrasing information, they had him arrested for being a felon in possession of a firearm, even though federal law says that air guns are exempt from this law. Then they sentenced him to 22 years in prison for something he did that was NOT ILLEGAL. He was convicted in 2004 and the conviction was overturned in 2006 because in appeal they realized that air rifles are not by law firearms. With him being in jail for 2 years in prison where aweful things might have happened to him he deserves way more then 200k, he deserves 200mil. The fact is that even though the software companies might have had a backdoor for the government the government must have a warrant to get this information. I am not talking about a warrant for the computer in the house. After that they need another warrant to be issued to HP and COMPAQ. They legally needed a warrant from a judge for Compaq and HP to break the code because when the guy bought his program they promised it to be unbreakable and they are only legally able to break that promise with a legal order from a judge. And a judge would never give a warrant for a computer related in a non computer crime. Therefore, the only explanation is the HP and COMPAQ broke the agreement without a warrant and therefore commited a breach of contract with MR. Cooker.
Not only should he have sued all the companies involved but he should have sued the ATF for coming after him for having a non firearm, and the FBI for breaking into the computer when they had no legal basis for doing so.
[ link to this | view in chronology ]
He did nothing wrong
according to this website crocker had his home raided because he had a previous felony conviction and was in possession of a air rifle. But, the thing is that according to the law felons, while not being allowed firearms, are allowed air rifles. Air rifles, according to the law, are not firearms and it is legal for convicted felons to have them. His business was not selling air rifles, it was selling the silencers. His job was selling silencers. They illegally intercepted his packages he was sending out to his clients, then raided his home illegally, and then took his computer and hacked it and basically raped him of all rights that we as american citizens have. It is illegal for the government to intercept mail UNLESS they have reasonable suspicion that a crime is being commited. The only evidence they had was the silencer they found in the package and they only found it after they seized the mail illegally. for them to legally have obtained the mail they would have had to have reasonable proof before intercepting the package.
After raiding his home illegally, exposing his embarrasing information, they had him arrested for being a felon in possession of a firearm, even though federal law says that air guns are exempt from this law. Then they sentenced him to 22 years in prison for something he did that was NOT ILLEGAL. He was convicted in 2004 and the conviction was overturned in 2006 because in appeal they realized that air rifles are not by law firearms. With him being in jail for 2 years in prison where aweful things might have happened to him he deserves way more then 200k, he deserves 200mil. The fact is that even though the software companies might have had a backdoor for the government the government must have a warrant to get this information. I am not talking about a warrant for the computer in the house. After that they need another warrant to be issued to HP and COMPAQ. They legally needed a warrant from a judge for Compaq and HP to break the code because when the guy bought his program they promised it to be unbreakable and they are only legally able to break that promise with a legal order from a judge. And a judge would never give a warrant for a computer related in a non computer crime. Therefore, the only explanation is the HP and COMPAQ broke the agreement without a warrant and therefore commited a breach of contract with MR. Cooker.
Not only should he have sued all the companies involved but he should have sued the ATF for coming after him for having a non firearm, and the FBI for breaking into the computer when they had no legal basis for doing so.
[ link to this | view in chronology ]