A bid by the US government to force a child porn suspect to surrender his encryption password has sparked fierce debate about whether the move violates constitutional protections against self-incrimination. The case, which is reported here by The Washington Post, is likely the first time a court has waded into the issue. It …
Just the same as the old days
Nothing new here.
Not surrendering a password is just the same as not surrendering the keys to a safe that holds evidence or not revealing where some documents/loot are hidden.
Surely there is sufficient pre-computer-age precedence to be able to make a rational decision.
There's far too much knee-jerk that computers/internet change everything legally/morally etc, but in truth they do not. This silliness is found in copyright, unauthorised access, privacy etc.
Caption is Big Brother searching your coat pockets for evidence.
One problem with your reasoning is that you could destroy someone by sticking an encrypted file full of rubbish on their machine, and turning them in. They can't provide the key because they haven't got it, and unlike a safe it's physically impossible to get at the data.
So anyone with any encrypted file for which they haven't got the password can be locked up for anything - because they can't prove they didn't do it. And the law is innocent until proven guilty, not the other way around. If you alter this, you're done for as a free society.
You've rather missed the point, haven't you? There are plenty of precedents - the question is, which one to choose? Is a password like the keys to the safe (which you can be compelled to provide), or like the combination to the safe (which you cannot be compelled to provide)?
Even a cursory reading of the article would have made this fairly obvious. I therefore generously conclude you didn't read the article before posting.
Guilty unless proven innocent (and then, quite possibly, still guilty)
Doesn't the U.S. proclaim that suspects are "innocent unless proven guilty"? Actions like this one are directly contradictory to that. Forcing a suspect to reveal the contents of their computer, home, safe, or whatever else in order to prove there is no usable evidence against them can only be interpreted as the suspects having to prove their innocence. In other words, guilty unless proven innocent. We've known for a long while that that's the way people have been treated, but this shows it with astonishing clarity.
@ Human - I'd watch your HDD if I were you...
Say someone were to plant some kiddie-pr0n on YOUR hard disks... would you be happy with The Beak saying "shred 'im"?
After all - possession is proof in the digital world; just ask the RIAA!
They have no right to the information
It doesn't matter and is completely irrelevant if he's a pedophile pornographer, a terrorist or terrorist sympathiser, a snuffer or a serial killer.
They have no right to the information and that's final.
I can fully understand the frustration cops are feeling. But before we have a "a code of ethics" which would keep any information spreading I also can understand EFF and other such organizations. But politics make it difficult, in child porno cases they really should have access to everything BUT if found that it wasn't - nothing should slip out, it destroys lives, families, careers, etc. In terrorism it is even more difficult - you even think differently (or have some weird name/looks) than the ruling class, you are a terrorist. In child porno cases it is more black&white but when the same rules are applied to politics / business it will not work, they are ideas, not facts. Today's unfortunate reality is that even a suspect is often already in trouble and there are no safety or recovery policies or mandates to make that right after a mistake. Who is going to get your family back or fix your credit or reputation or lost whatever after such an incident?
Maybe there should be a politically and business independent third party which has rights / access to this information and can make the decisions if it should given further to other institutions. There are a lot of good people and (IMHO) many really are in standard police organizations but not all.
Or maybe we should get the Hammurabi code / law back?
Whatever we do, protect the bad guy
It's like an episode of Law and Order - the system bending over backwards to protect the vile criminal. Everyone wants to see him get his just deserts but the greasy lawyer bangs on about the constitooshum and the judge says "the smoking gun is ruled out". Well bollocks to that. If someone sets up an encrypted system to hide his criminality - in this case participation in industrial child rape - then he has to open the door or be punished for it.
they are encrypted by the military-grade Pretty Good Privacy program.
Well if that's true, I guess that I'm pleased that I'm using GPG.
I wonder if it's military-grade too????
Who even THINKs it would be right??
Who even THINKS it would be right to try and coerce something out of someone's head!!??
Couldn't you just happen to forget your password/encryption key?
A cynical thought...
I have to wonder whether this case is being pushed by the US Government because what they *really* want to do is to ensure that *everyone* can be forced to reveal encryption passwords etc, but they're doing it by picking the "soft target" of child porn on the grounds that most people do not apply logical thought where children are concerned.
Of course once they have the precedent that someone can be required to incriminate themselves in this way, they can then extend it to "terrorist suspects" and from there it's plain sailing down the line to allowing the RIAA to say "well we think he has encrypted MP3s on his hard drive..."
Only one person really got the point
This is an almost classic text book example for legal students.
If you take the emotionally charged offense out of this and replace it with some incredibly boring white collar crime, where no one has in any way been hurt, then the whole thing has a different complexion. This is not about this one defendant it's about a pretty fundamental principle of US law. You can't be compelled to incriminate yourself. By divulging a piece of information this person could easily incriminate himself, he can't be compelled to do so. It doesn't matter if the files on his hard disc contain child porn or copyrighted poetry, you can't compel him to give up the password. If you do you destroy a fundamental protection in this society. There really shouldn't even be any debate on this point.
That said, if this guy is what they say he is, then I hope that with the evidence they have they still have what they need to put him away for a long enough for him to become acquainted with Bubba and his friends inside....
I find it astonishing that an accused could be compelled to provide a passphrase which clearly will lead to incrimination (this case is a poster case, everyone hates this type of pr0n person so eroding of civil liberties is much easier-- too few think of the unintended consequences down the road.).
The accused is an idiot anyway, not having a screen password (HELLO?), having file names that attract attention, and not even being bright enough to generate a lie-- "I keep the passphrase on a piece of paper, and when the border police seized the machine I ate the paper and Lordy, I can't remember what the passphrase is!" or some such.
The persons really wanted are the ones who generated the source files. Send those perps to @Human for a thorough maceration.
I wonder how long before the CIA starts water-boarding him to get him to give up the information.
If he is guilty then he should be locked up for a long time, but it seems at this point they have no evidence.
How is a law forcing people to turn over their passwords going to prevent terrorism?
I guess if there's a law that says they have to turn over their passwords, that they will say, shuck, darn, we shouldn't even bother encrypting our passwords now!
Or that if they did encrypt their password they will give up the codes to the dirty bomb location because they don't want to go to jail?
You hear this phrase all the time when some criminal has been caught - "... was protected with military grade encryption..." So what is that exactly? 256-bit AES was classed beyond that at one point, but is so common now as to make the designation "military grade" worthless. I bet current "military grade" offerings go beyond key length into other realms.
Well it's not entirely worthless - it does give a lovely dramatic CSI spin on the story, and perception is everything. The truth is the media love a good whodunnit techno wankfest, and people go all glassy-eyed and weak at the idea of dirty paedophiles being outsmarted by the suited good guys.
How to get someone convicted:
If this goes thru, all you need to do is send someone a file of garbage maybe with the first characters in plain text that say 'this is child porn' (or equivalent). If the name of the file is equally incriminating, they will try to compel you to give up the password. Nice try, but I don't know the password. Why is the file on your disk, obviously it is bad, etc...
This is a very slippery slope!
So many questions
If you can't unencrypt the files then how do you prove that the Customs and Border Protection inspector is telling the truth?
Since the files were copied peer-to-peer, if they do get unencrypted then could the inspector(s) not be charged with distributing child pron?
People often get nervous or confused when under pressure. How do you prove that the suspect can remember the password?
The way I understand it, you can only incriminate yourself if you've done something wrong.... by claiming you'd incriminate yourself you're admitting you've done wrong more or less(... this being semantics, not legal understanding.)
It's almost an extension of the whole 'If you've nothing to hide you're safe' idea, but there's a good argument there- if you're innocent why not give up your password/key and then change it and re-encrypt to ensure the police won't get in again?
It's a horrible suggestion, but there must be a way to safeguard computer users whilst not extending this to people such as paedophiles.... No one will develop a method because it could be political suicide depending on the spin, and it'd be difficult- better to declare everyone a 'h4xx0r' and using escrow or putting in backdoors
Activist judges folks
Once upon a time in America we had judges who strictly interpreted the law and only ventured forth opinions in uncharted territory when the Legislature hadn't addressed the issue.
Then sometime in the 1950s we lost that. They declared the Constitution was a "living document" that needed to be reinterpreted to fit contemporary values by the courts, not amended by a Constitutional process. This isn't mere hyperbole -- one of the Justices in the early 1960s became physically ill and retired early when the court imposed one man, one vote -- because as much as he supported the principle, it sickened him to see the Supreme Court violating the separation of powers and imposing new law on the Legislatures.
So in a country where the Police are allowed to implement such unreasonable searches as Drunk Driving checkpoints that stop everyone going through a spot without cause to intimidate them into having a conversation (i.e waive their right to remain silent)...it gives hope to activist Prosecutors that a Judge somewhere will similarly figure it's good to reinterpret the Constitution to allow this too.
But hey, if it's:
a) Drunk Driver
b) Drug Dealer
c) Child Pornographer
then you have good reason to believe in a living constitution to meet the needs of prosecuting those really bad guys. If it just sets precedent for everyone else, hey, what are you trying to hide Comrade?
Here's an idea...
Okay. Create an encryption scheme so that entering A Fake Password will reveal perfectly-legal public-domain pictures of puffy clouds, colourful flowers, and perhaps an extremely contented cow relaxing on the XP Bliss hillside.
Jumping the gun
The prosecutor jumped the gun. They didn't catch the guy in the act and now they want them to incriminate themselves. New technologies means the police and prosecutors need to learn new techniques, if they screw up and let a pedo off that is their fault for not doing their jobs right in the first place.
Terrorists who are willing to blow themselves up are not likely to meekly hand over their passwords, who are they kidding...
Just like communism, it's all a red herring.
Anytime prosecutors or the gov't need to dangle the proverbial carrot to prove a point then you can automatically assume their position has both a hidden agenda and is so overtly amazingly incredibly wrong.
Highlander is the only person with any brains in this thread. Unfortunately, as the internet so often proves, most people are knee-jerk reactionists that couldn't give two shits less about anyone else's rights than their own.
It would have been easy
if it was Windows EFS.
The issue of forcing someone to self incriminate, should not even be an issue. The government is asking for the right to imprison a person (for contempt), until they agree to testify against themself. This can't happen...
The prosecutors should not have charged the person. They should have offered a plea bargain, in return for cooperation. While retaining the hammer of a future charge. Something like "in the next few years, we will be able to decrypt this drive. If you don't take the plea now... it will not be offered to you when we decrypt the drive, and when we do.... we will put you in prison forever".
The biggest mistake, is that the officer copied the drive. The officer should have seized the computer. Then they would have a chance. Since they copied the drive, they may never be able to decrypt it.
I don't know too much about PGP, but I know a little about EFS (windows encrypted file system). With EFS, you (at least I) am done if the OS takes a crap and needs reinstall, or if you copy the data and try to decrypt on another system. But on the same system... that's easy. All you need is an administrator group account to retrieve the data, then run xcopy as local system.
But trying to crack encryption on a copy running on another system, that could be tough.
What kind of cop would see files named 'Raping two year old', and not seize the computer? What an idiot. That is where the case fell apart, now they are just trying to save face.
What've you got to hide?
I agree with James Condron, by hiding the encryption, you're in fact stating you're hiding something incriminating and should be treated as such.
If you're suspected and find yourself within a trial, be it for terrorism or child porn charges and have nothing to hide, surely you'd want to give over everything you can and be as co-operative as possible to clear your name.
re: Military Grade
This term is still in use for historical reasons. Back when internet explorer only included 40 bit encryption for SSL in the UK (1997 or earlier IIRC), 128 bit encryption was designated "military grade" which prohibited its export from the US. Anyone with a clue could download it anyway, so it was never going to last.
I sign my stuff with 1024 bit encryption anyway, as it is quite sufficiently overkill for the stuff I'm protecting. I do a fair amount of SSHing to my servers across the net and the key is the only way in so I'd like it as secure as possible.
As I see it, the evidence is there in the filenames, and it's up to the defendant to prove that the files are not illegal.
How is this different from less emotive cases, e.g. joyriding? "Is this your car sir? Can you tell me the registration number?" or suspected stolen goods "Can you prove you bought this? Do you have a receipt or bank statement showing the purchase?"
If he "forgot" the password, it's not proof either way, but I bet a jury would find that suspicious. As for planted "evidence" - It can happen with unencrypted files & physical items too.
Fortunately it sounds like there is enough unencrypted evidence to convict him.
Often I read stories how the Americans make legal precedents with some very unnerving consequences so it's refreshing to see so many back the idea that passwords shouldn't be demanded to be handed over - unlike a law they snuck in over here in blighty where we're now compelled to.
You US people should think yourselves lucky. This side of the pond in the UK, we have the "Regulation of Investigatory Powers" act that means they can force you to hand over your password and if you don't it's up to two years in the slammer for you. Quite what happens if you genuinely forget your password has never been considered.
The police in this case are being stupid. Just go to his ISP and demand the logs of his Internet traffic for the last 6 months. If he's visited any kiddy porn sites they can get him on that.
It's a classic case of "innocent until proven guilty" - if they can't prove him guilty without forcing him to incriminate himself, then he has to be found innocent.
What a thoroughly depressing case, in every way
A stupid, vile defendant and a dangerous attack on very old rights.
As Highlander has pointed out, there is already evidence - the two videos mentioned in the article which I can't bring myself to name here.
It would be a great shame if a legal precedent to force disclosure of keys resulted from this case when there is already plaintext CP on his laptop. More than likely the police ballsed up the chain of evidence which is why they claim to need the keys. Or, perhaps, there isn't enough plaintext CP to send him away for a really long time.
I believe we already have such a law (not a precedent, a real law) in our damp, grey land of fear. It is supposed to apply to terrorist cases but we've already seen how willing the police are to extend anti-terrorist powers to everyday life. I'm sure the courts will follow soon.
Best start using http://www.truecrypt.org (it solves many of these problems and I don't mind posting it here because I hope there are no CP-addicts among El Reg's readership.)
The Border Inspector
"The case concerns the investigation of Sebastien Boucher for possession of child pornography. In late 2006, the Canadian citizen with legal residency in the US was crossing the border into Vermont when a US Customs and Border Protection inspector searched his laptop"
What right did a US Customs and Border Protection Inspector have to search someone's laptop while crossing the border in the first place?
Truecrypt looks interesting, but given that it is open source it would, I suspect, be pretty trivial to break 'plausible deniability' by demonstrating the supplied password was for the 'outer volume' and not for the 'hidden volume'.
if this was a fraud case, or some other "lower" crime they wouldn't have a hope in hell of compelling it. It seems the world works like this
Want something digital forced through the courts by creating a precedent?
Get a CP case to set the precedent because everybody will be on the side of the law when it comes to CP evidence be damned. (Or dress something up as CP so you can get good headlines and throw a few innocent people in jail - drawings say - that illustration is only 10 years old! Somebody mongled mind loli to create it! You're a paedo!)
However as Tim said as there's already evidence on his machine *shrugs* that's pretty compelling and will plant doubt in the jury's mind anyway, he has videos x and y and over 20gb of encrypted files named a and b.
"Highlander is the only person with any brains in this thread................................most people are knee-jerk reactionists that couldn't give two shits less about anyone else's rights than their own"
Sounds like a knee-jerk reaction to me, considering at least half the people who have posted on this thread seem to agree with the same basic principle that Highlander stated. In fact, if you look at the post directly above Highlander's, it more or less echoes the exact sentiment of a hidden agenda by the government that you state in your own post. So by your own admission (of sharing a sentiment with someone with no brains) you prove that you have no brains.
That said, I happen to agree with both Highlander, Graham Marsden and yourself in that firstly, regardless of the nature of the accusations they have no right to force him to incriminate himself, and secondly that THIS case is probably being pushed as it is a soft target to push their hidden agenda. The US government almost certainly wants to change the law so that you essentially incriminate yourself by refusing to hand over your password - in which case any illusion of privacy is blown to shreds.
For example only, let's say that I enjoyed cross dressing (I don't, but I have a relative who does), and I had some encrypted files on my PC with some pictures and emails that I didn't want my wife/kids to see (I don't have a wife/kids either IRL). At the end of the day, it's none of the government's business what is in those files (as it's perfectly legal) and could potentially ruin my marriage/life if it came out. But a law like this would force me to reveal my secrets, just because refusal to do so would "prove" me guilty.
As Graham says, assuming they succeed, how long before the RIAA (and the like) start using it in their own cases? The simple fact is that they are using a case that provokes a high emotional response to push their agenda.
Another poster also mentioned if that was the case, what's to stop someone from dumping an encrypted folder onto someone else's PC and grassing them up? The "suspect" would be guilty simply by "refusing" to give up the password that in truth they do not know.
All that said, if the guy really is guilty I hope he gets what he deserves, but it doesn't change the facts.
"The persons really wanted are the ones who generated the source files. Send those perps to @Human for a thorough maceration."
A very admirable thought but what if the contents of the encrypted information shows that he was one of the content generators.
Hmm , the US can actually bypass any constitutional court ruling by merely sending you before a Grand Jury which ends the deadlock , then jail you for contempt for the duration for not answering the question and reconvene ad infinitum !
@Here's an idea...
TrueCrypt (http://www.truecrypt.org) supports "hidden volumes" which does exactly what you propose.
Must also comment that popular notion that possession of immoral films and pictures should render a long prison sentence. If the case only involves possession and not (coerced) production I really don't see why this man should deserve a prison sentence. Current morality standards and law should not be mixed.
Why Paris? 'cos I looove her movies :)
Adding in the emotional aspect
"If you take the emotionally charged offense out of this and replace it with some incredibly boring white collar crime, where no one has in any way been hurt, then the whole thing has a different complexion. This is not about this one defendant it's about a pretty fundamental principle of US law."
That's fine and sensible, but look above and see the commenters trying to *enhance* the emotional aspect. Our politicians play this game these days with full on effect, and that the 'terrorism' thing has given them a major weapon.
'Cyberterrorist' for example, trying to add the fear of terrorism to turn boring white collar Internet flame wars into a thing where we can sacrifice freedom of speech to protect ourselves from. 'Internet Predators' another demonizing usage to strike fear of the net into the average punter.
At the base level we need the crusty old judges to hold the line here. I'd personally like to see Blair's anti free speech law overturned, and his attacks on privacy undone. There were a bunch of laws he created that clashed with the Human Rights act, and were driven through by appealing to irrational emotional fears that need to be looked at again.
So let me get this straight....
If they have a safe, with physical keys they have hidden, then it's okay to force them to extract the information from their head as to the location of the keys so they can hand them over.
If however it's an encrypted file and the keys are in their head it's a no no?
I have always asked people when sprouting off about their rights, "Will you defend the rights of those whom you despise?". If they answer "no" they have no cause to have any rights themselves. Either rights apply universally or they are not rights.
Bear in mind, and this case is an excellent example, rights are about curbing the power of the executive against the people.
As there is already precedent and a constitutional bar (in the US) to demanding knowledge with which to prosecute someone, a rule which has been used by presidents to avoid prosecution, there is no ground to demand decryption keys to open the files.
The government always uses emotional cases to bring about changes in the law which they know are controversial. Mainly targeted at free speech, by using the pornography industry as an example. This is despite the US constitution denying them the power to introduce such laws.
If you hear a politician claiming to be "protecting our children" you can safely bet that is the last thing on his mind. What is really wanted is to make gaining convictions easier, which is a step in the wrong direction. Somewhat like Tony Bliar attempting to remove the right to a jury trial.
When they came for animal rights protester, I did nothing, because I was not an animal rights protester. When they came for the paedophiles, I did nothing because I was not a paedophile. When they came for the muslims, I did nothing because I am not a muslim.
Rights are worth defending, even for those whom you despise. Permitting the government to remove YOUR rights because you don't like someone is just plain stupid. Once lost, they are a bugger to get back. There is never any greater good, and it is often used by religious nuts (George Bush & Tony Bliar) to force their private agenda on unsuspecting others.
Enough have been removed under fraudulent pretexts, stop it now.
If I'd committed some horrible crime and the police were knocking at my door, I think it's fair enough that I don't open it. You want to get in so badly, get out the battering rams. Same applies to encrypted files you want to look at. Can't crack the encryption? Boo hoo hoo, go off and find some comatose diabetics to Taser(TM) until you feel better.
There is a valid argument that if the police are able to gain entry to your house they should be able to gain entry to your encrypted files, US-specific constitutional arguments aside, but I find the dilemma is made much easier by the fact that the police have far too much power already. I'm not inclined to be reasonable until they give some of the more flagrantly authoritarian powers up.
very difficult choice
The state/controllers of power and liberties such as governments are not always right, one doesn't have to look far to see this, even here in the UK.
A terrorist is a relative term depending on which side of the fence one sits. There are oppressive governments out there, governments who will send the police/protectors of their power base to arrest/drag off and murder dissenters to the status quo. Does fighting government oppression make one a terrorist? Does standing in front of the tanks of an oppressive government make one a terrorist?
Paedophilia is a more clear cut case, one either sexually abuses or encourages the sexual abuse of children or one doesn't. And the vast majority of the population of this planet would agree child abuse is out of order to say the very least.
Unfortunately, both these types of person may rely on encryption to protect themselves from the law, whether that law is a good and just one or not.
So the data of the innocent(again a relative term) and the righteous are protected along with that of paedophiles, or neither are protected.
I am of the opinion that a person has a right to privacy, and if that person has encrypted files they should not be forced to reveal passwords. Sadly this protects the paedophiles too.
Unfortunately one does not have to visit kiddie porn sites to download images of abused children. There are binary newsgroups with titles that bear no indication of the off topic posts that may be in there. Encrypted torrents may also be used to disseminate child porn. It is not always a clear cut case of examining ISP logs to prove child porn was downloaded. However traffic can be sniffed and any unencrypted packets re-assembled. Humans make mistakes, if enough time and resource is dedicated to monitoring suspected paedophiles, they will be caught.
A filename does not always reflect the content of the file. I used to hide some system passwords in text files and rename them to such things as wallpaper1.jpg and put them in a folder of wallpapers. It is no big deal to rename say childabuse.jpg to readme.txt.
Government: "Supply us with evidence that you've done something illegal. If you don't we'll send you to prison".
Send the disk or whatever to Hollywood. I bet Sandra Bullock or Keanu Reeves can crack its protection and give the police the contents in seconds.
The best post in this thread was the one with "by hiding the encryption, you're in fact stating you're hiding something incriminating and should be treated as such"... posted by an Anonymous Coward, who apparently does not have anything to hide. Oh, the irony!
Anyone else thinking about the RIP bill
Doesn't the RIP Bill in the UK require you to incriminate yourself in such cases?
Providing encryption keys on request or face up to 2 years jail time? If that's the case then the scenario mentioned by David Wiernicki is possibly in the UK.
Over in the UK, this wouldn't be an issue.
We're already fucked.
They are not a criminal until they've been proven guilty.
If you still don't like it, how about this scenario.
I guess you've got kids. A child is three times more likely to be sexually abused by their immediate family than a random J Public. Therefore I suspect you're a child molester.
Now prove yourself innocent.
Even if you do, do you think the neighbourhood will think you innocent?
Oh, and just to get you in a double-bind, if you don't have kids, you're probably broody so you're likely to plan a child abduction...
We can't assume people are guilty just because we hate the crime they did. And if we find this person guilty without this evidence, although we could then require them to give up the keys, why bother: they're already guilty.
The problem isn't that the law protects the guilty but that the truly innocent think they have nothing to fear and don't know their rights. So they give information to the police that the criminal element know they don't have to (or hope they don't, but then if the police lie about their powers, why don't the public lie about their rights...?). Not knowing your legal rights (and the police/etc not telling you them) is the problem.