Child porn suspect ordered to decrypt own hard drive In a move sure to stoke debates over constitutional protections against self-incrimination in the digital age, a federal judge has ordered a child porn suspect to decrypt his hard drive so prosecutors can inspect its contents. In a ruling issued last month, US District Judge William Sessions in Vermont ruled criminal defendant …
It's the "computers don't count" argument.
They don't count as telephones, therefore spying on your email, chat and browsing history doesn't require a warrant.
They don't count as private property (cars, houses, letters) therefore a warrant is not required.
They are a world unto themselves and because they're new things, annoyances like The Constitution or indeed the law itself doesn't count.
The reason none of this should be a surprise is this is the same tactic prosecutors use every time a new technology becomes mainstream.
When telephones became mainstream, the government said they could listen in because the Constitution only protected people from being searched, not things.
It took a Supreme Court decision to change this. The same ruling could in theory be applied to computers, computer data and computer communications, but the government will say it doesn't count because computers weren't around when that ruling was passed, and deliberately ignore the intent.
The fact is The Constitution and its protections were supposed to be updated to stay relevant. A system called "Amendments to the Constitution" was invented for this very purpose. That's because the people that devised these laws had the foresight to understand that things change, new things are invented, new circumstances occur and new beliefs as to what is acceptable become mainstream. It's quite progressive thinking really for a bunch of people who've been dead for centuries.
Therefore regardless of whether we would like to see pedophiles self-incriminated to make our lives easier, the fact remains other laws state he is innocent until PROVEN guilty. The media doesn't count, neither does the government's promise that 'he is guilty, honest'. Whether showing the cops something is self-incrimination or not apparently requires a new Supreme Court ruling, preferably one that includes computers in general and whether conversations via modern communications that people want to be private, count as private.
I wonder what corporations will think of that when people start taking copies of data stored on networks home with them, including things that used to be intellectual or private property.
Would I be correct in assuming the laptop was suspended, the accused "resumed" it, the border control guys saw something they didn't like, they shut it down and then - when they re-booted it - they found they needed to re-enter a pass-phrase?
Surely some amazing incompetence here?
Do border agents have you turn on your laptop, log in and show them your porn when you enter the country now? I'm a little confused as to how this all went down. If not, then did they boot the laptop..... and it didn't have PGP or a password on it at that time? Then how did PGP get on there, don't tell me they gave it back to him and then took it again 9 days later. Maybe he was walking around the terminal showing people his porn? Then admitted it, but didn't care because he knew he had PGP on it? Tis wierd.
"Sessions reached his decision after concluding the act of producing an unencrypted version of the hard drive wasn't necessary to authenticate its contents, presumably based on Boucher's statements to border agents."
If it's not necessary to authenticate it's contents then why the fuck does he need to do it? Twat.
As much as I would like to think the privacy of that little box on my desk is inviolate just because I encrypt the drive, I find it hard to believe the government will allow that situation to stand.
As long as information crimes exist, this situation will become increasingly grating on government officials who are used to getting their way, as more and more people use encryption.
Whether the 5th amendment applies is debatable, it just depends on how broadly or narrowly you read it. That doesn't mean I agree with this ruling though. In my opinion it infringes on an even more fundamental right: the right to private thoughts. Unfortunately that one was never specifically mentioned in our constitution and nobody pays much attention to the 9th and 10th amendments.
Be nice when the Supremes in the US get someone who actually understands computers. Last I checked, they were mostly still at the quill-and-ink stage of life, having just graduated from stone tablets. From software patents to this crap, it's obvious the US legal system just hasn't caught up.
The decryption key is "eff" "oh" "are" "emm" aye" "tee" "space" "sea" "colon". It'll give a bogus message about the hard drive, just hit "wye" and enter.
Computers _are_ property, and therefore covered by the Fourth Amendment, no matter how bad the socialists hiding behind badges want otherwise.
netgeek
"Sessions reached his decision after concluding the act of producing an unencrypted version of the hard drive wasn't necessary to authenticate its contents, presumably based on Boucher's statements to border agents."
So my stupid question would be -- if the act of producing an unencrypted version of the hard drive isn't necessary to authenticate its contents, then why is he being forced to produce an unencrypted version of the hard drive? Either it is necessary or it isn't. You can't have it both ways. You can't say that it IS necessary for the Grand Jury, but is NOT necessary for the Trial Jury.
From the Fifth Amendment: "No person.. shall be compelled in any criminal case to be a witness against himself..." Seems pretty clear to me. By giving a passphrase, you are effectively a witness against yourself. Yes, it's ALSO an obstacle to the authorities, but that shouldn't come into play at all. Forcing a suspect to give the passphrase which will be used to decrypt his hard drive is analogous to forcing a suspect to say where he was at a specific time (because you think he committed a crime, and you need him to admit to it since you have no other evidence). Or, to offer another analogy, it would be the same as forcing a suspect to provide a list of every name (alias) he has ever used (in the hope that it will lead to evidence which will lead to a conviction). Yes, it will make it easier for the authorities to do their job. However, it also violates the Fifth Amendment and eliminates the presumption of innocence. Instead of the authorities proving a person guilty, it reverses the situation and makes it so that the person must prove themselves innocent.
But hey, when we live in a world which has done away with the presumption of innocence (and where even well-meaning people now use the phrase "innocent UNTIL proven guilty" instead of "innocent UNLESS proven guilty"), should such behavior really come as a surprise? This is just another example of the US being jealous of the UK's Big Brother style laws and wanting to enact similar laws without having to go through that pesky legislative process. Why bother with the trouble of crafting a bill, bickering about it, and hoping it's voted into law, when you can have a judge make a precedent which will then (in all likelihood) be used by other judges to create a de factor / common law? It's so much easier without the "checks and balances".
Look, if you watch any crime TV show here in the USA, you surely must know the standard Miranda warning "...anything you DO or SAY can be used against you in a court of law...". Well, to me "entering a password" is something you DO, so you don't get me to do it.
Of course, if you offer me immunity for all prosecutions related to my actions (like the stuff on my hard disk!) I might give it up. Until then, don't talk to me.
If someone presumably hides a murder weapon in a safe; the court can't order that person to open the lock of the safe?
[let's say it's it an unbreakable safe or think of any creative reason why breaking the safe it a worse idea than the person opening it itself].
I believe it's analogous - and other lame-ass examples given here - I don't think so.
Paris, coz she can decrypt any HARD drive.
- "innocent until PROVEN guilty"?
- Surely that should be "innocent *unless* PROVEN guilty".
- Your original statement assumes everyone is guilty, it's just a matter of time until they prove it. "
Ah he was obviously referring to the UK - we are guilty here - just need a few more databases and ID cards to prove it.
Clearly, you are not a lawyer! That's not an insult.
Unless the words are there, in black letter, it doesn't count. Conjecture doesn't get you very far in Law. You can argue that because safe combinations are in memory, and passwords are only in memory, that passwords are covered, but it's not clear cut.
All this means is that people with serious stuff to hide will use Truecrypt. It uses a dual encryption technique with the ability to have hidden volumes which nobody can prove exist. You can have "legitimate" files in the main encrypted part should you be forced to reveal it. I haven't tried it myself, but you can guarantee that it's going to be headache for the authorities.
Beats me. Perhaps quaint little laws based on timeless principles rather than temporary strict dictum are actually the best option? Fancy that...
Still, it wouldn't be the first time that I've considered the idea of a written constitution was just a fad and should now be considered out-of-date.
Such a shame that such an important discussion about civil rights is marred by the fact that no-one, self included, wants to stand up for the rights of people who face allegations of child abuse (or terrorism, in other UK cases). But the fact remains that the legal framework must protect human rights even at the expense of a few cases slipping through the net, because the alternative - a police state where the population lives in fear - is worse.
Strangely calm today
I fail to see the difference between handing over a password, and handing over the keys to a house/briefcase. The password itself is not incriminating, its the items its hiding that are.
Working on this basis, if the police suspected someone of killing a dozen people, and hiding the bodies in a cellar, they wouldn't be able to touch him if he had a voice activated lock rather than a standard key lock. All the criminal fraternity need to do to protect themselves from prosecution is fit voice activated or combination locks on everything.
He does have to de-crypt but the judge accepts the border agents statement that he "thought" he had kiddie p0rn on it?
So in essence its what they he said that makes him guilty?
This was a taped interview? If not we have a version of what used to be known in Britain as "Verbaling the suspect," where in during the ride into the police station suspect gets into casual conversion and "inadvertently" confesses.
I gather this is less common than it used to be. The rules of evidence became more akward . And for some reasons juries don't trust the police as much as they used to.
The fact the case is being fought suggests one of the 2 parties here disagrees with what is claimed to have happened. And IIRC US law officers are allowed to lie to suspects to get a confession. Witnesses who don't exist, magic forensics, co-defendants who have confessed already are all allowed.
It would seem the quicker the question of what rights a defendant has regarding a computer in their possesion is sorted out the better. Of course this only applies to US citizens. Everyone else entering the land of the free can expect any hardware to be switched on and copied at will as part of the War on Tourism.
Yes paedophillia is a nasty busienss which directly affects a very small percentage of the population. Living in a police state affects 100% of people living there.
hearing all this talk about how you are protected against self incrimination in the US when innocent people are forced to plead guilty to lesser charges.
Wether it be due to over stretched public defenders telling innocents
1: To take the deal cos they dont have the resources to mount a proper defence
2: Stating you may be innocent but you will be found guilty and they will go harder on you becasue you fought the charges.
This seems to apply to UK residents, if you fight extridition you will be found guilty (see the Nat West 3 or that prat Gary McKinnon)
Seems the roghts only really apply if you are white and have money
"Forcing a suspect to give the passphrase which will be used to decrypt his hard drive is analogous to forcing a suspect to say where he was at a specific time"
...
", it would be the same as forcing a suspect to provide a list of every name (alias) he has ever used (in the hope that it will lead to evidence which will lead to a conviction)"...
Those are a totally overblown, knee-jerk examples.
It is analogous to forcing a self-confessed paedophile to provide a key to gain entry to their house because the battering rams are not working.
The man has already admitted he had downloaded child porn. The judge has decreed that the statement he made at the border is enough to secure a conviction without the evidence encrypted on his hard disk. He has already implicated himself, the issue now is whether he should be forced to "open his house" so the investigation can check his basement.
I totally agree with this ruling. The evidence locked in his computer may even lead to further convictions and save a few children.
What happens when the accused forgets his password?
Also, does anyone have an estimation of how long it will take for law enforcement to be able to crack PGP? Surely the authorities can use this as part of a plea bargain to release the password now; tell us the password and get 50% off your sentence, or else wait a few years until we can figure it out ourselves and we give you the full punishment?
Not sure about PGP, but there is encryption sowtware out there which will wipe the data after an incorrect passphrase is entered a certain number of times. That would be kind of neat wouldn't it?
"Now lets see, I think this is the passphrase. Oh, Maybe it's this this one. No? Well I'm sure it's this one. Ooops! What does it mean when it says formatting drive?"
You've misunderstood the meaning of "authenticate" in this piece, perhaps partly due to Dan snipping the quote from Sessions. The full quote is:
"Sessions wrote: "Boucher's act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication."
So "authenticate" here does not have anything to do with the encryption process, rather to do with authenticating in a legal way that the laptop, and contents, belong to Boucher
Remember, this is the good ol' US of A, and it all comes down to the picture the prosecutor can paint for the jury, whom are usually not computer or legal experts.
Case before - "We think the accused has downloaded porn on this laptop."
At this point the jury just think he's an unsavoury geek, but he has rights. After all, he could just have accidentally downloaded it or looked once out of stupid curiosity.
Case after first statement admitting downloading - "The accused has admitted to federal agents that he downloaded porn and viewed it on this laptop."
The jury probably think he still has rights, why decrypt the laptop?
Case now that he has refused to decrypt the drive - "The accused has admitted to federal agents that he downloaded porn and viewed it on this laptop. He obviously intended to view this material repeatedly as he saved the material, and obviously knew what he was doing was illegal and immoral as he has encrypted the drive to stop further evidence of his wrongdoing being presented in court. Without unencrypting the drive it is hard to judge the scale of the accused's crime and just how many children have been the victims of the accused's unsavoury and illegal sexual tastes. It could be that the accused has encrypted the drive to hide evidence of his having taken part in sexual acts with underage children, probably against their will. Unfortunately, the accused is more concerned with protecting his liberty than helping federal agents with tracking down the people that abuse these children for profit."
Now the jury think the accused is a monster that is just itching to kidnap, abuse and do God knows what to their own children, and he's using the Constitution to hide behind and protect his nasty, deviant buddies. At this point they're just about ready to lynch him.
After all, the reason they probably nabbed him was due to peeking at his ISP records, they can probably already see exactly which sites and even which pics he downloaded, whom he paid for his kiddie porn, and whom he messaged about it. What they're after now is the longest conviction they can get out of it, so the creep is probably making things worse for himself by NOT decrypting the drive.
AC wrote: "Computers _are_ property, and therefore covered by the Fourth Amendment, no matter how bad the socialists hiding behind badges want otherwise."
Or indeed, the fascists hiding behind the badges. Even the left-most of US politics is far-right to the rest of the world!
On a more serious note, why doesn't he just claim that the stress has made him forget the password. They can't prove that he *hasn't* forgotten it now, can they?
Paris because those of more limited intelligence would forget the password without being told to...
And there was me thinking a bill of rights and a written constitution as proposed by Liberty et al solved everything. The problem being that either they are written in stone, so can't take into account change (ie the right to belong to a militia and hence have arms) or they are so easy to change there is no point to them, since they remain the tyranny of the majority, or at least of the political class.
...to just give the court any bogus number or password you like? You can then claim as far as you recall this IS the correct password. You've fulfilled your obligation to provide some information and if forensics can't get your password to work that's no longer your problem. How are they going to prove to anyone that your password is bogus..?
So, for the sake of argument, say someone found a 500MB block of random data on my hard drive. They then claim that this hides some encrypted data that I'm not supposed to have and they therefore demand that I decrypt it (as they can't). In response I say that it's not an encrypted file, it's just some random data and I don't know how it got there - or that it's a set of random numbers I use for some other purpose.
How can some legal person/entity demand that one decrypt some arbitrary data, without first demonstrating that it does, in fact, contain decryptable data?
Any encryption scheme worth a dam' would not have headers saying "this is an encrypted file, use the XXX algorithm to decode" It would merely sit there and at best say "maybe I am, maybe I'm not, you can't prove anything" when subjected to any sort of detection for encrypted data. Leading to the conclusion that the only way to demonstrate a block of numbers is encrypted is to actually decrypt it in the first place.
If something like that ever made it to court, that would be a trial I'd follow closely!
I've got a computer beside me here which is bricked because I can't remember the password that I used some months back. I'll just reinstall, but surely this happens to others as well.
It seems to me that you can't prove that someone can remember something. How do they prove that he can remember the password? I know I often forget passwords and no amount of pressure is going to bring them back - quite the opposite, in fact. Sometimes I remember something for a while and then, as time goes by, I forget. Perhaps I'm unusual in that respect.
If this judge really does know if someone remembers something or not then I think he is a mind reader and should just inform the court what the password is without asking the accused.
I forget my passwords when I am on holiday. This guy last used the laptop in 2006. What happens when he is told to enter it and he can't remember what it was?
Does he get locked up for contempt just for forgetting something? How is it proven that he hasn't forgotten it?
Anyway, stick the border guards in front of a jury and have them say they saw child porn. Have him in front of the jury saying he's taking the fifth and watch which way the Jury goes. I'll put real money on this guy going to pokey.
well personally i dont believe anyone should have to give up passwords but there is something strange here.
Because i dont believe that a hard disk only encrypted with pgp couldnt be broken and read i'm not saying it will be easy and i'm not saying it wont take time but i'm virtually sure they can break and read most hard disks but perhaps they just dont want to show they can.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
