Massachusetts Ignores 5th Amendment; Says Defendant Can Be Forced To Decrypt His Computer
from the that's-unfortunate dept
For many years, courts have struggled with the legal question of whether or not law enforcement can force a defendant in a lawsuit to decrypt encrypted files. All the way back in 2007, we wrote about a judge in Vermont finding that such forced decryption represented a Fifth Amendment violation, as it could be considered a form of self-incrimination. However, that was just one court. Other courts have ruled the other way. Not surprisingly, the Justice Department doesn't believe the Fifth Amendment should apply in these situations, but courts still seem to be divided as judges go back and forth on the issue.Unfortunately, it appears that Massachusetts' highest court has now gone over to the wrong side of the debate, finding that there is no Fifth Amendment violation in forcing people to decrypt their computers. In this ruling, the court said that there was "an exception" to the Fifth Amendment, if the results are a "foregone conclusion." As Cyrus Farivar at Ars Technica summarizes:
That exception, the MSJC said, can be invoked when “an act of production does not involve testimonial communication where the facts conveyed already are known to the government, such that the individual ‘adds little or nothing to the sum total of the Government's information.’”Of course, that seems like a fairly dangerous "exception." Prosecutors can just claim that such facts are "already known." Furthermore, if the information adds little or nothing, then... why is it even needed? It's difficult to see why anyone should be forced to decrypt information on the basis that... it's not really needed. Here's the key paragraph from the ruling:
When considering the entirety of the defendant's interview with Trooper Johnson, it is apparent that the defendant was engaged in real estate transactions involving Baylor Holdings, that he used his computers to allegedly communicate with its purported owners, that the information on all of his computers pertaining to these transactions was encrypted, and that he had the ability to decrypt the files and documents. The facts that would be conveyed by the defendant through his act of decryption—his ownership and control of the computers and their contents, knowledge of the fact of encryption, and knowledge of the encryption key—already are known to the government and, thus, are a "foregone conclusion." The Commonwealth's motion to compel decryption does not violate the defendant's rights under the Fifth Amendment because the defendant is only telling the government what it already knows.Given the back and forth nature of so many of these rulings, you have to imagine that it'll eventually end up before the Supreme Court. Hopefully that Court's renewed belief in the Fourth Amendment will extend to the Fifth as well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 5th amendment, decrypt, encryption, massachusetts, self incrimination
Reader Comments
Subscribe: RSS
View by: Time | Thread
However, you can be sure that there is no way in hell they'd ever offer such a 'deal', as everyone involved knows full well that handing over the encryption keys is handing over self-incriminating evidence, no matter how much they like to pretend and/or lie otherwise.
[ link to this | view in chronology ]
This ruling is INSANE
What...the...fuck!?!? They're actually codifying an exemption of a constitutional right on the basis of a presumption of guilt by the PROSECUTOR? So we're now not only violating the constitution, but universal human rights as well?
This entire contortion of a ruling makes zero sense. Evidence is compelled of the accused that the prosecution believes will incriminate that same accused, as evidenced by the prosecution "already knowing" what it will say/be/read, and that same presumption of guilt is what obviates the law of the land?
This is a ruling that cannot be allowed to stand....
[ link to this | view in chronology ]
Re: This ruling is INSANE
In re Boucher Basically, his computer was searched going through US Customs and Child Pornography was found. When the computer was powered off, disk encryption prevented them from confirming the evidence.
My question is basically what's stopping the person from simply saying they forgot the password? Can they hold you in contempt?
Give you a simple example, I've used PGP for email for a long time. If they asked me for emails from say 10 years ago, there's simply no way I could provide them my private signing key from back then. Would that automatically make me a criminal?
[ link to this | view in chronology ]
Re: Re: This ruling is INSANE
[ link to this | view in chronology ]
Re: This ruling is INSANE
If it does stand, then it seems like people with encrypted info they don't want the government to see need to use encryption software that either provides access to different files based on which password is entered, or which nukes the entire drive if a password isn't entered within a predetermined period of time.
[ link to this | view in chronology ]
He should have taken Popehat's advice: STFU! & ask for a lawyer.
[ link to this | view in chronology ]
Re:
It shouldn't have mattered what he said, as had he been dealing with a judge that actually respects the Constitution and the rights of the accused, they would have stated/noted that forcing someone to hand over encryption keys is forcing them to provide evidence against themselves, and therefor prohibited it.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Presumably the only reason they would need to get the key from him is to be able to find incriminating information on his computer that he has not shared with them, thus it would be information not known to the government and would add substantially to the "sum total of the Government's information".
If the government already has the facts of the crime known to them, then they don't need the encryption key at all. Just try him in court with the facts you already have.
[ link to this | view in chronology ]
Re: Re: Re:
This judge felt that confessing that he has the key is all that was needed to compel the man to use the key.
[ link to this | view in chronology ]
Re: Re: Re: Re:
True, for as far as you have carried the analogy. The other half of the analogy, which you didn't carry is, the court cannot, indeed under Fourth Amendment may not compel, require, indeed, even ask for production of information/documents/recordings, etc. that are not germane to the matter in hand. I believe the term of art is 'responsive material(s)', and the provision is, a subpoena must be 'narrowly tailored' to the responsive materials. In the case of subpoenas where it's not possible to separate materials that clearly, the court is obligated to enter and enforce a protective order, covering destruction of materials not responsive in the case at bar.
Decrypting the hard drive is providing access not only to the 'responsive material(s)', but also to a plethora of other information which under other provisions of the Constitution, court decisions, even the rules of procedure, the court may not see. I could even name a case in which a court would be absolutely barred from seeing certain documents - for example, a letter from the accused to his lawyer, or priest, or doctor, that he typed on his computer, printed out one copy for mail/fax/personal deliver, and kept on on the hard drive for record-keeping purposes.
If the court in this case did not enter a protective order, and still ordered the drive decrypted...well, it would take a lawyer or judge to outline what kind of effect that could have on the case. At a minimum, I would expect an appeal of some description on that basis alone.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
> cabinet, you can't refuse a subpoena for those
> documents on 5th amendment grounds.
No, but you can't be forced to physically open the cabinet, either. If you won't do it, the police can bring in a locksmith or use some other means to force the cabinet open, but you don't have to help them.
Using your own analogy, the government is free to 'cut the lock off the computer' by breaking the guy's encryption (if it can), but just as with a locked file cabinet, he shouldn't be forced to help them. The only difference here is that the defendant locked his cabinet up pretty darned good. I don't see how the quality of the lock changes the legal analysis, however.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
You can absolutely be compelled to turn over the documents in your locked safe. It's called a subpoena. Sure, they have ways of breaking the lock if you don't comply. But you are definitely subject to criminal penalties for not complying as well.
[ link to this | view in chronology ]
Re: Re:
Source: I'm a criminal defence lawyer. And this is one scary-ass ruling. Feel free to apply the XKCD rule to that statement, it works just as well that way.
[ link to this | view in chronology ]
If the government knows, and can be prove that they know it, then they do not need to decrypt the drive. If they cannot prove it, then the do not know it, but only suspect it; in which case forcing the person to decrypt is self incriminating, as they cannot get the conviction without having the data decrypted for them.
[ link to this | view in chronology ]
Re:
If you had attended the secret hearing about the secret laws that were secretly interpreted in a secret manner you'd know that, but it's a secret so you don't.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
oxymoronic
[ link to this | view in chronology ]
And I wouldn't count on the Supreme Court wrapping things up in a neat little bow. The foregone conclusion doctrine is not some new concept they just made up to deal with encryption. It's been kicking around since 1976 and SCOTUS has already had multiple chances to consider it. (Encryption might be new, but similar issues arose even before encryption, such as whether a suspect could be forced to divulge the combination to a wall safe).
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
When that starts happening, there will be no need to force people to hand over encryption keys -- hard drives will be cracked open while the suspect is being fingerprinted.
[ link to this | view in chronology ]
Re: Re: Re: Re:
What you say is mathematically impossible, even with supercomputers. They might have copied his hard drive that quickly, but not decrypted it unless they actually got the keys.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
http://www.bbc.co.uk/news/uk-23898580
(Greenwald later insisted there was no sheet of paper containing a password, however.) How do we really know that the encrypted drive's contents was actually revealed? Because a government spokesman said so!
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
This is not true. It is mathematically possible, and there exist several supercomputers that can accomplish it. If your crypt is given to one of these systems, and if the quantity of encoded data is significant, and if you aren't using the best possible crypt (almost nobody is), then the crypto can be cracked in a period of time ranging from an hour to a couple of days. How long it actually takes is partly a matter of luck and partly a matter of how much encoded data there is to work with (the more the better).
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Lots of crypto engineers have proven this wrong. What you're citing is how long it would take to crack the crypto if what you're doing is just trying all possible keys. That's not how it's done in reality.
[ link to this | view in chronology ]
Re:
Here's what Supreme court Justice Stevens once wrote:
He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe —- by word or deed.
There's been a few other instances where the Supreme Court has also used this analogy of a key/combination to help decide whether a subpoena is appropriate.
This judge, however, seems to think that once you've revealed that you know the combination to a safe, there's no more significant self-incrimination left. That combination then becomes more like a key, in terms of 5th amendment considerations, that should be turned over.
The lesson here - don't confess knowledge of encryption keys.
[ link to this | view in chronology ]
Re: Re:
While I don't agree with the court's outcome here, I do think it's based on a fair reading of the precedent. The decision itself is only a few pages long and makes the case pretty clearly.
(Note that only two out of the seven Massachusetts Supreme Judicial Court dissented. This is not one random judge.)
[ link to this | view in chronology ]
Re: Re: Re:
The assembly of those documents was like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox.
I can see how this court thought that having the suspect use the key (that he already admitted having) was non-testimonial. But I wonder if there isn't further self-incrimination in having a person prove/verify that the password he claimed knowledge of actually works.
- not actually an attorney
[ link to this | view in chronology ]
Don't Talk to Cops
The presumption by the prosecutors that he was telling the truth that evidence was there is actually hilarious. What if he lied, and then they get in there, after all of this, and all they see is well not incriminating, unless he managed to encrypt a ham sandwich.
[ link to this | view in chronology ]
You know what the government doesn't know? the encryption key and the number of or content of the encrypted files/drive. As such, those are not 'forgone conclusions', and compelling the release of the encryption key or decryption of the drives does not qualify for this exemption.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
"We need you to disclose your password, so we can view the information we already know is on your hard drive."
Basically, the court is saying they have a strong suspicion of what's on the defendant's hard drive, but the prosecution isn't able to absolutely 'prove' it beyond a shadow of a doubt.
So the court is demanding the defendant decrypt the hard drive, so the prosecution has absolute evidence to 'prove' his guilt.
This is exactly the situation the 5th amendment is supposed to protect against. It doesn't matter if the defendant verbally or non-verbally incriminates himself. It ultimately leads to the same thing. Self incrimination.
Moral of the corrupt justice system story. I forgot my password. That's my story and I'm sticking to it.
[ link to this | view in chronology ]
Why is it that week after week, year after year, every time someone in power has to choose between doing things the right way and doing them the easy way, they always choose the easy way?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Looks like The Old Colony State is going to have to change its' official Motto now
Obvoiusly in latin. I gusee the Mass. Supreme court does not know any latin.
"By the sword we seek peace, but peace only under liberty"
[ link to this | view in chronology ]
The 5th Amendment, in relevant part, states "nor shall be compelled in any criminal case to be a witness against himself . . . ." The Supreme Court has held that this means that you cannot be compelled to testify against yourself. The 5th only protects testimony. It does not prevent the court from compelling you to produce evidence that you have in your possession, regardless of whether or not it may incriminate you. For example, the court can compel you to turn over guns, drugs, accounting documents, and anything else that is evidence.
There's an exception to the 5th Amendment for testimony about "foregone conclusions." That is, if the testimony does not tell the government anything it doesn't already know, the court can compel you to reveal it.
Now, let's apply the law to these facts: The contents of the encrypted files themselves are not testimony, they are evidence. That means that the court can compel their production. The court also knows, because of his statements, that the computer and the files are his. The only question before the court was whether or not the decryption of the files can be compelled. The court can only compel the decryption if 1) the decryption is not testimony, or 2) the decryption is testimony but the knowledge the testimony reveals is a "foregone conclusion."
We will all agree that if the decryption is not testimony then the 5th Amendment isn't implicated. It's only if it is testimony that we have any question. The court here held that the act of decryption reveals only that the defendant has ownership and control of the computer and the files, which, crucially, is a fact the court already knows. It's a foregone conclusion that the computer is his. The contents of the files isn't a foregone conclusion, but it doesn't matter because the 5th Amendment doesn't protect against compelled production of incriminatory evidence.
[ link to this | view in chronology ]
Re:
Additionally, it's practically impossible to decrypt a drive without revealing the key - whether through watching the defendant type it in, or searching for it in RAM post-decryption, or fingerprinting the keyboard after the key has been entered.
Also, if the defendant has never claimed the ability to decrypt the drive - simply admitted knowledge of it's encryption - then the act of decryption is, in fact, testimony that he knows the key.
[ link to this | view in chronology ]
Re: Re:
As to your third point, here's an excerpt from page 3 of the opinion:
On the day of his arrest, the defendant was interviewed by law enforcement officials after having
been advised of the Miranda rights. In response to questioning, he said that he had more than one
computer in his home. The defendant also informed the officials that "[e]verything is encrypted
and no one is going to get to it." In order to decrypt the information, he would have to "start the
program." The defendant said that he used encryption for privacy purposes, and that when law
enforcement officials asked him about the type of encryption used, they essentially were asking for
the defendant's help in putting him in jail. The defendant reiterated that he was able to decrypt
the computers, but he refused to divulge any further information that would enable a forensic
search.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Here's the huge hole in that argument: If they already know what's on the drive, then why do they need to force the person to decrypt it? If they're not going to find anything they don't 'already know', then what use is forcing the person to decrypt it?
Also, and maybe it's just my vision not being what it used to be, but could you point out exactly where that 'exception' is listed, because for the life of me I can't find it.
'No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.'
Is it in the footnotes or something and they forgot to add the asterisk to the main document? Something like *Unless the prosecution pinky swears that they already have the evidence, and they just want the accused to hand over self-incriminating evidence as verification'?
[ link to this | view in chronology ]
Re: Re:
Sure. No problem.
It's in the Constitution of the Commonwealth of Massachusetts. Right there under “A Declaration of the Rights of the Inhabitants of the Commonwealth of Massachusetts”. Article XII:
Do you see it now? It says, “No subject shall … be compelled to … furnish evidence against himself.”
Plain as daylight. All you have to do is read the words.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
We can go back to slavery, no more women voting or poor white folk for that matter, taking guns away and removing your rights to free speech.
You are a fucking tool!
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
That wouldn't matter if it was a federal trial, but this is a state trial.
I've only skimmed the ruling, but it seems that the matter of that above quoted passage of the state constitution wasn't commented on. I assume that means that it was misquoted, or has been amended or watered down to provide no more protection than the federal Constitution. (Even if the matter wasn't raised, here the judges would generally point out that they're being asked an irrelevant question.)
[ link to this | view in chronology ]
Re: Re:
As for the foregone conclusion exception to the 5th Amendment, you'll have to take that up with the Supreme Court. From Fisher v. U.S.
It is doubtful that implicitly admitting the existence and possession of the papers rises to the level of testimony within the protection of the Fifth Amendment. The papers belong to the accountant, were prepared by him, and are the kind usually prepared by an accountant working on the tax returns of his client. Surely the Government is in no way relying on the "truthtelling" of the taxpayer to prove the existence of or his access to the documents. 8 Wigmore § 2264, p. 380. The existence and location of the papers are a foregone conclusion and the taxpayer adds little or nothing to the sum total of the Government's information by conceding that he in fact has the papers. Under these circumstances by enforcement of the summons "no constitutional rights are touched. The question is not of testimony but of surrender." In re Harris, 221 U. S. 274, 279 (1911).
Of course, if you question the power of the Supreme Court to decide what the 5th covers and doesn't cover, ask yourself where the 5th Amendment says it applies to the states in the first place...
[ link to this | view in chronology ]
Re:
A digital key is unlike a key to a safe, which contains static stuff. Encrypted digital files are not tangible evidence that can be produced. Until they are transformed, you have an unknowable Schrödinger's cat scenario, sans the key—not a forgone conclusion.
[ link to this | view in chronology ]
Re: Re:
And the court is not blind. The fact that files are encrypted doesn't mean the court throws up its hands and says it's a fair cop. Encrypted files are seen by the law as just regular evidence. Clever technical finaglings don't usually help in court.
And, as I (and the courts) have said multiple times, the only foregone conclusion is that it's his encryption. There doesn't need to be an exception for the content of the files, because the content is not protected by the 5th Amendment because it's not testimony.
[ link to this | view in chronology ]
Re: Re: Re:
I liken it to a storage locker or safe filled with information. You can claim that it's locked, and refuse to give the key, and the state can still cut their way in and view the evidence. Encryption is a key, not unlike a key to a lock...
The story may have been different if the guy never mentioned the computers and never taunted the police with the encryption, he made it clear he had something hidden and made a warrant to get it all but a foregone conclusion.
[ link to this | view in chronology ]
Re: Re: Re:
You assume that the 'body authorized by the Constitution' to define that term, got the definition correct?
No disrespect here, but given, for example Roe v. Wade or or Marbury v. Madison or even - maybe especially? - (shudder) National Federation of Independent Business v. Sebelius, I find your faith in that particular body to be a bit...misguided, shall we say.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
The disk drive has many sets of files, let's call them A, B, and C for now. The government knows he has set A of files on the disk.
Him providing the password will also demonstrate that sets B and C (which the government doesn't know about yet; set B might be, for instance, a set of illegally downloaded movies) are his files.
Producing the password, he is testifying against himself; he's testifying that sets A, B, and C are his. He is admitting, in my example, to having pirated movies (set B) and having pictures of adorable kittens (set C).
The problem is not his withholding the contents of his drive. The problem is that, by decrypting it, he is admitting to having the contents of his drive - all of it, including pirated movies and cat pictures.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Think about it. Under your theory, the government could not ever compel you to produce your business records because they might demonstrate that you were conducting some other illegal activity. Yet we know that the government is entitled to such evidence.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
The contents of the drive are readily available to the government: they just don't know how to interpret them. Making sense of those bytes requires the defendant to supply information in his head to translate those bytes into intelligible data which can then be used, the government hopes, to determine guilt.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
Unfortunately, it seems that defendants can be forced to supply information which is solely in their heads, at least in some contexts. For instance (correct me if I am wrong), they could be forced to tell the court what they saw at some date and time, which is something (their memory) which is solely on their heads.
It is one of these situations where what the law is and what the law ought to be diverge. The 5th amendment is too limited. In the same way we should never be forbidden to speak (1st amendment), we should never be forced to speak.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
Now, you may be of the opinion that the government shouldn't be able to compel a defendant to perform any overt act to assist in his defense. You must then realize, however, that then the government couldn't compel production of all kinds of evidence, and moreover, such a limitation does not appear anywhere in the 5th Amendment or in caselaw. We would need to have court rulings to that effect, and the logic of the Massachusetts court is fairly compelling.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
Isn't there an issue with the specificity of the warrant with regards to what they are looking for? Decrypting a whole hard drive might open someone to something not being sought, and therefore incriminating. Giving the key in this instance might be different?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
What if he testifies that there is nothing of interest to them on any of his drives?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
> not ever compel you to produce your business records
> because they might demonstrate that you were conducting
> some other illegal activity.
And under your theory, it seems the government could compel you to produce all illegal drugs in your possession (and hold you in contempt if you refuse to tell the police where they are), because the drugs themselves are evidence and not testimony.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
Only someone who has the key can produce encrypted files which, together with the key, will decrypt to something which is not complete gibberish (that is not generally true - see for instance the OTR protocol - but it's true of all full-disk encryption software).
By producing the key or decrypting the disk in front of these gentlemen, he undeniably proves that the resulting files were made by someone who had the key - which is supposed to be only himself.
Therefore, by producing the key or decrypting the disk, he is testifying that all the files are his. This includes files the government knows about, AND files the government didn't know about.
This last set is the self-incrimination bit. He is testifying that he possesses files the government didn't have the foggiest idea he possessed (I believe the canonical example is "midget porn", whatever that is).
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
On the day of his arrest, the defendant was interviewed by law enforcement officials after having been advised of the Miranda rights. In response to questioning, he said that he had more than one computer in his home. The defendant also informed the officials that "[e]verything is encrypted
and no one is going to get to it." In order to decrypt the information, he would have to "start the program." The defendant said that he used encryption for privacy purposes, and that when law enforcement officials asked him about the type of encryption used, they essentially were asking for
the defendant's help in putting him in jail. The defendant reiterated that he was able to decrypt the computers, but he refused to divulge any further information that would enable a forensic search.
And again, under the theory you're positing, the government would never be able to compel production of any document that might contain evidence of any other crime, which we know is not the case. The defendant's remedy under those types of situations is to seek a protective order or find a challenge under the 4th. But here, under the 5th, the only testimonial bit is that it's his drive, which he already testified to.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
Since it wasn't mentioned in the decision, I assume the section has been amended or watered down to the same level as the fifth amendment, or it was misquoted, because otherwise the defendant's lawyer isn't very good.
[ link to this | view in chronology ]
Re:
> anything it doesn't already know, the court can compel you
> to reveal it.
If the government already knows it, why does it need me to reveal it?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
PROSECUTION: Please state for the court the password for your computer.
DEFENDANT: I plead the fifth.
This is the appropriate response and one supported clearly by both constitutions (state and federal). It makes perfect sense because answering any questions proposed by the prosecution requires the defendant to supply an answer vocally, on official record, that is by definition testimony. The only way it could become evidence is if they force, or otherwise trick, said defendant into writing the password onto a piece of paper, then entered that as evidence. Kind of a long shot though, constitutionally speaking. Especially in light of other rulings.
On top of all that, we have this which is copied from the very Constitution of the Commonwealth of Massachusetts itself:
"Article XII. No subject shall be held to answer for any crimes or offence, until the same is fully and plainly, substantially and formally, described to him; or be compelled to accuse, or furnish evidence against himself."
https://malegislature.gov/Laws/Constitution
I see nothing on that page which would suspend this article of law in any way, shape, or form, for this particular situation specifically.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
I see a market opportunity!
[ link to this | view in chronology ]
Re: I see a market opportunity!
What would work better is having half of the key in hardware, with an anti-theft system which detects that the computer case has been opened and forgets the key when that happens. Attempting to duplicate the hard drive would instead erase the key. Add something like SecureBoot plus a boot password plus geofencing plus other tricks and you have a pretty secure anti-theft solution.
[ link to this | view in chronology ]
Re: I see a market opportunity!
[ link to this | view in chronology ]
Re: I see a market opportunity!
http://www.kali.org/how-to/emergency-self-destruction-luks-kali/
...and it's free!
[ link to this | view in chronology ]
We need to implent...
I suppose it also would hurt to have multi-component keys for one's security, so that it's possible to render a hard-drive incapable of being opened, even by yourself.
Of course that could lead to having something encrypted turning into "obstruction of justice" or "contempt of court". But it might remind activists and legislators that the term justice has little meaning anymore here in the US.
From Anonymous Coward Give you a simple example, I've used PGP for email for a long time. If they asked me for emails from say 10 years ago, there's simply no way I could provide them my private signing key from back then. Would that automatically make me a criminal?
Possibly, yes. And if someone wants to put you in jail it might stand.
As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States
This post does not contain an encrypted secret message
Thursday, June 26, 2014 3:39:26 PM
promotion bullfight limit stream digging salon fever honey
[ link to this | view in chronology ]
Re: We need to implent...
Please remain alert for the possible absence of this statement from future communications.
[ link to this | view in chronology ]
Re: We need to implent...
> turning into "obstruction of justice"
Even if encryption in and of itself were criminalized, if I was a criminal, I'd rather serve five years for that, than 25 years for child porn, or murder, or whatever else the unencrypted files would prove I did.
[ link to this | view in chronology ]
Re: Re: We need to implent...
Of course, after a few years, you might not remember the password, and if you can convince the court of that then you're not in contempt.
[ link to this | view in chronology ]
Here's a question...
[ link to this | view in chronology ]
Re: Here's a question...
That's a direct analog to old-school pen-and-paper cryptography (creating your own language is basically a codebook variant). What is the jurisprudence on encrypted pen-and-paper diaries? Is the defendant forced to decrypt his notes?
The "encrypted pen-and-paper diary" is a way, way better analogy to an encrypted computer than a "locked safe" analogy. Why aren't lawyers and judges using it?
[ link to this | view in chronology ]
Re: Re: Here's a question...
[ link to this | view in chronology ]
Decryption as a wall safe
But there is a difference: Decryption creates something that did not exist previously: unencrypted files.
So consider another analogy: If the court demands your financial records as evidence, can it force you to create them where they did not exist before? Or perhaps, translate them, if you wrote them in code? I seem to recall some lawsuit involving an encoded diary...
[ link to this | view in chronology ]
Evidence and testimony
I think we'll all agree that neither could the government force a suspect to produce all child pornography or illegal drugs in his possession, because even though the physical evidence is not incriminating in itself compelling the defendant to use his mind to testify clearly is so.
It however raises another interesting issue, if the defendant in this case had used a shared computer with friends or a remote storage server with joint access -- where multiple persons could upload encrypted files, the government could not force the suspect to decrypt because the ability to decrypt would testify as to ownership, control and knowledge as to the contents.
So the lesson apart from don't do crime is never store potentially incriminating data locally but always use a shared online resource with no easy authentication.
If the government can't prove you own the data, or doesn't know where the data is located, it can't force you to use the labor of your mind to incriminate yourself.
[ link to this | view in chronology ]
Re: Evidence and testimony
> doesn't know where the data is located, it can't force
> you to use the labor of your mind to incriminate yourself.
Whenever the government runs into a 'possession' stumbling block, it just presumes everyone involved possesses the item in question and charges everyone with it.
Happens all the time with drugs found by cops when they pull over cars on the side of the road. If none of the driver/passengers admits to possession, they all get charged with possession.
Also with minors possessing alcohol in situations like a house party. If the alcohol is there but no one is actually holding it or drinking it when the police arrive, they charge every minor in the house with possession of it.
Seems the same end-run around due process would apply to your cloud data scenario. If they can't prove possession by any one person who has access, they'll just charge everyone who has access with possession of the incriminating data.
Voila! Problem solved, 'cause we all know that the most important thing is that the police should not have to work overly hard to make their cases.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
What if the computer is shared, and the defendant knows the password to the administrator account but doesn't admit to control over data put in other accounts by other users?
In such a scenario, it could be argued that the government's power to compel production should only extend to the administrator account and data it knows the defendant controls.
[ link to this | view in chronology ]
Re:
drive itself that's testimonial.
What about control, custody and knowledge of the contents of single encrypted files and folders?
If you control the file, and admit you know how to decrypt it, you testify that you know the contents.
In some contexts, the act of decryption is therefore testimonial because the act of decryption or the ability to decrypt authenticates knowledge of the contents.
And it's an incriminating admission if possession of the contents is itself criminal, and the mens rea for culpability is knowing possession of child pornography.
[ link to this | view in chronology ]
Re:
movies (set B) and having pictures of adorable kittens (set C).
The problem is not his withholding the contents of his drive. The problem is that, by decrypting it, he is admitting to having the contents of his drive
- all of it, including pirated movies and cat pictures.
If he has admitted that he is the only one with custody, control and ownership of the computer, your example is not applicable because the government knows he is the sole person control of the computer and all data within it.
However, if he is smart, which most criminals aren't, he (a) either doesn't talk to the police; (b) shares the computer with friends in a manner making authentication of every fileset impossible; (c) stores everything in a remote location like an online backup.
[ link to this | view in chronology ]
Why this is creepy
Here is what I have so far. It doesn't matter what the laws and courts say; I'm trying to understand our feelings.
First, a password is a kind of thing that should be kept exclusively on our mind, and it is a kind of thing that we consider to be highly private ("Never tell it to anyone, not even your wife. Never write it down.") Being forced to reveal the password goes against that.
That does not explain why it still feels creepy even if we do not have to reveal the password, only the data. I believe that is because the level of privacy we give the password extends to the data. As Snowden said, the math is still sound; the data is as secure as the password. If we treat the password as a most private thing, whatever that password encrypts is also treated as a most private thing.
We end up treating the encrypted container as being as secure as our mind (which it is, if the math is sound). We feel safe putting our most hidden feelings on the container, things like embarrassing love letters. It being possible that someone would force us to bare it all for the world to see, under the color of law and authority, feels as wrong as being forced to strip naked in front of a live television transmission.
The closest analogy for how we treat an encrypted container would be a secret diary. Something we write down, for nobody else to ever read. Somewhere we can write down our most embarrassing thoughts. The main difference being that it's protected by math, and that it's infinitely bigger.
Methinks the ones who treat an encrypted container as a "wall safe" have read too many cyberpunk novels, where the container would be represented in virtual reality as a virtual safe and its password as a virtual key. That's a bad analogy, and makes for bad law. Encryption isn't some wall made of virtual material which we put around the data; it actually scrambles the data. Technically, the data is mixed with the key using a heavily nonlinear process, in a way which is reversible if and only if the key is known.
[ link to this | view in chronology ]
Re:
To sum it up, the fact that a file abc is on computer xyz does not necessarily prove that (a) it was recently put there by the defendant; (b) the defendant being the only one with control and custody; and (c) that the defendant is aware of the actual contents.
Even if the defendant now claims control and custody, the file could still be very old and have been generated by a previous user with access to the system.
[ link to this | view in chronology ]
Always plead the 5th
[ link to this | view in chronology ]
How would courts handle a perfect safe?
That does present an interesting hypothetical. Let us imagine someone did have an impenetrable strong-box, one into which it was impossible to break without destroying the contents. (Maybe it incinerated the documents if it detected an attempted crack).
Under what circumstances could a court of law then require the owner of the safe to open it?
[ link to this | view in chronology ]
Re: How would courts handle a perfect safe?
[ link to this | view in chronology ]
Re: Evidence and testimony
Everyone charged with a crime must be booked, and must get a defense lawyer and there is probably more paperwork to be done.
And the police does not decide itself if the person subsequently gets prosecuted.
I don't think the system could afford such overaggressive charging in all cloud scenarios, nor do I think that you could get a jury to find the defendant guilty beyond a reasonable doubt.
If I share a cloud account with 20+ persons, I don't think that the government has the resources or will to charge everyone.
[ link to this | view in chronology ]
Re: Evidence and testimony
People in these situations usually know each other well.
But in my cloud scenario,a group of N persons need only have one interest in common -- sharing an online datadump.
An online datadump can be seized, but proving whom to direct the subpoena is difficult, because an IP address does not identify a person, and he/she may be overseas or use an anonymous non-logging proxy.
[ link to this | view in chronology ]
Re: Evidence and testimony
Encrypt a large gigabyte file and split into segments and upload it to a binary UseNet newsgroup or a Pastebin like service.
If the government can't prove you have it, and you don't register with real name, the government can't force you to use the contents of your mind to identify where the data is located.
[ link to this | view in chronology ]
Re: Re: Evidence and testimony
How about you have 20 incriminating documents. You shred them into little pieces, and ship the pieces to 10 people you don't really know to hold onto them for you. The process of showing these documents (a) to exist and (b) where they might be located would be a serious challenge.
If you are going to go to that extent...
[ link to this | view in chronology ]
False confession.
[ link to this | view in chronology ]
One thought I'd had- what if the password itself was more testimonial in nature, for example:
AllJohnDoesWhistleblowerDocumentsAreInHere&$HSndauv&*bna23
or
JohnDoeHasCommitedSuchAndSuchCrimeSpecificallyReleventToFilesHere&nda9343&*nke3R
Would this change things, and if so, how?
a few comments on encryption:
snowden said "properly implemented" encryption works BUT endpoint security and transit are so often bad that they rarely have to bother actually cracking the encryption- they just get the key/pass by other means. When it does come to breaking encryption- as John sorta said above, the time to 'brute force' figures often quoted are marketing BS; Even if you had the perfect encryption algorithm, properly implementing it (for example obtaining sufficient entropy) is challenging at best. It doesn't matter how good your encryption algorithm is if you don't have enough entropy; which is why the NSA/NIST/RST poisoned PRNG's where such a big deal- they subverted ANY encryption implemented with them.
[ link to this | view in chronology ]
forget it
[ link to this | view in chronology ]
Plausible deniability
[ link to this | view in chronology ]
civil vs. criminal case
Comments?
[ link to this | view in chronology ]