'Sorry, I've forgotten my decryption password' is contempt of court, pal – US appeal judges

The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against an ex-cop who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court in Philadelphia avoided addressing a lower court's rejection of the defendant's argument that being forced to …

  1. Herby Silver badge

    Hashes of Encrypted files?

    If they think they know what is on the other side of the encryption, then they already have the password. Last I heard, the hash before and after any encryption ought to be different.

    Of course, we could ask which hash they were using, and argue that some hashes are known to have collisions (SHA-1).

    All in all not too good for us normal folk, as I disagree with the ruling, but from the looks of it the guy is a real scumbag if the government is right.

    We shall see....

    1. Anonymous Coward

      Re: Hashes of Encrypted files?

      I don't think it was hashes of encrypted files, they were able to decrypt the Mac Pro, but not the external HDs. Somehow from decrypting the Mac they were able to determine that he had downloaded images that match that of known child porn images (the hash matches). These hashes were somehow able to be generated without the images actually still being on the computer as the images were not on the computer?

      I do not see how there is a difference between the government having a sense of what is on the drive and not actually knowing, as they can compel someone to reveal a password if it will not provide any additional evidence. If they could prove that he has downloaded these images they wouldn't require the password as they have the evidence they need. If they don't have the evidence then they need the contents of the drives but can't request it as the drives would then be providing evidence. If the government only needs a 'sense' of what is on something without actual proof then they can have a 'sense' of some wrongdoing on all encrypted devices and demand them be unlocked or jail time.

      1. scarletherring

        I don't recall

        So they're basically saying "I don't recall" equals contempt of court? Interesting, that. I seem to remember quite a few high profile cases that hinged on that particular defense!

        1. Anonymous Coward

          Re: "I don't recall" equals contempt of court?

          I sometimes make exceedingly cryptic notes in weird locations to remind me of a password, in which case a request to decrypt would be "Um, hang on, I'm sure I had a note somewhere ... err, bloody hell, ummmmmm." And that'd be when I was being cooperative. Even if I found the note it then might well be "Argh, what the hell is that supposed to mean? Oh god...". Somewhere I've got an encrypted file full of old backups that I've been meaning to try to write a script to brute force it. Needless to say, /that/ password was very easy to remember at the time.

      2. Meerkatjie

        Re: Hashes of Encrypted files?

        I think in this case it's more like getting a warrant to search. They have enough to show the judge that they should be given access but not enough to convict. In the case of houses they could just break down the door or drill out the locks but with encryption they have to rely on the person charged to open it for them.

    2. Anonymous Coward

      Re: so Desperation

      Unfortunately, if we want to keep our rights, we have to allow them to be extended to scumbags too. Once the precedent is set that scumbags don't get a right to privacy, none of us do.

      1. Anonymous Coward

        Re: so Desperation

        "Unfortunately, if we want to keep our rights, we have to allow them to be extended to scumbags too. Once the precedent is set that scumbags don't get a right to privacy, none of us do."

        The difference is that when such a scumbag's ext HDD is decrypted, they seemingly stand a good chance of being jailed. Whilst an honest ordinary upstanding member of society such as yourself wouldn't.

        If one thinks one is living in a police state, count how many times you or your friends / family have been arbitrarily stopped, fined, forced to pay a bribe, wrongfully imprisoned, beaten up, disappeared, etc. If the sum is approximately zero, then you're not living in a police state. If the answer is zero, you're probably in Switzerland or somewhere Scandinavian. In Switzerland it's not the police you have to worry about, it's the neighbours. They'll quite happily dib you in for taking a bath after 10pm, or washing your own car, or mowing your lawn on a Sunday, etc...

        If you want to try the full-on police state experience, try living in Zimbabwe and shout "Mugabe is a thug" on a street corner, or something similar in various other parts of the world not equipped with a functioning democracy. Once you have that experience, you're better placed to judge one's own society. Your mileage may vary.

        1. edge_e
          Flame

          Re: so Desperation

          Nothing to hide, nothing to fear:-

          http://www.theregister.co.uk/2013/07/09/post_office_admits_false_accusations_after_computer_system_cockup/

          http://www.independent.co.uk/news/world/americas/video-shows-us-police-officer-taser-and-pepper-spray-african-american-man-who-had-suffered-a-stroke-10274072.html

          https://www.youtube.com/watch?v=3kEpZWGgJks

        2. Vector

          Re: so Desperation

          "The difference is that when such a scumbag's ext HDD is decrypted, they seemingly stand a good chance of being jailed. Whilst an honest ordinary upstanding member of society such as yourself wouldn't."

          This assumes that governments are steady-state, which is often not the case. Today's fine upstanding citizen can quite easily become tomorrow's undesirable as the winds of change flow through the corridors of state.

          1. Anonymous Coward

            Re: so Desperation

            "This assumes that governments are steady-state, which is often not the case. Today's fine upstanding citizen can quite easily become tomorrow's undesirable as the winds of change flow through the corridors of state."

            What's the state of the government got to do with it? It's the judiciary who run the legal system and put people in jail. Though paid and in part appointed by the government, the judiciary is independent of government.

            Just at the moment one can see the federal judiciary demonstrating their independence from government; they keep overturning Trump's executive orders.

            You want to try what it's like when government controls the judiciary, go and live in China, places like that, see how many rights you have there!

            1. Cynic_999 Silver badge

              Re: so Desperation

              "

              What's the state of the government got to do with it? It's the judiciary who run the legal system and put people in jail.

              "

              Because it is the government that creates the laws that the judiciary have to act upon. Theoretically the government cannot make a law that runs counter to the constitution in the US or is contrary to the HRA in the UK, but in practice there are ways around those inconveniences, you just have to engineer a situation where the public perceives that the constitution or HRA is standing in the way of "justice" and you can get that part of the constitution or HRA revoked so as to clear the way for what you really want to do. Much of the general public in the UK have already been brainwashed into thinking that the HRA is a bad thing, and that the HOL are over-privileged unelected parasites, so perhaps we will soon get rid of both those things. After which the government will be able to pass pretty much any law it likes with impunity. And judges will be forced to uphold such laws.

              If the government decided to put all Muslims into concentration camps for example, and enacted a law that made it illegal to withhold the whereabouts of Muslims, then anyone who refused would be a criminal.

              1. cynic56
                Pint

                Re: so Desperation

                I am really sorry but limitations in the register upvoting system only allowed me to give you +1 vote. Have a virtual beer too. I'm obviously UK as well so the beer will be rather good.

            2. Anonymous Coward

              Re: so Desperation

              "Just at the moment one can see the federal judiciary demonstrating their independence from government; they keep overturning Trump's executive orders."

              Rule by judiciary is a form of aristocracy. Technically, this form of rule gives judges unlimited and unchecked power.

              Judges are supposed to apply the law. When judges create new law they technically violate the will of the people and therefore the separation of powers.

        3. dan1980

          Re: so Desperation

          @AC

          "The difference is that when such a scumbag's ext HDD is decrypted, they seemingly stand a good chance of being jailed. Whilst an honest ordinary upstanding member of society such as yourself wouldn't."

          Irrelevant.

          The defendant was being asked to testify against himself. I appreciate that the line between having to provide a key to a safe and having to provide a password to a hard drive appears fine but that is only when you approach it from the point of view of use, rather than source and format.

          Ask yourself this - what if the police had access to a machine capable of reading information directly from someone's mind? It's a situation I've ranted on before but here it is particularly relevant. If such a device were to exist, should the police be able to employ it to force information from a defendant?

          If you accept that a court should be able to force a defendant to turn over information in their mind, then it's hard to argue, logically, that a mind-reading device couldn't be used. After all, if the police are executing a legal warrant to search someone's house, no amount of refusal to let the police enter will stop them - they are allowed to use necessary force to execute that warrant.

          Still, you might say that this is all okay with you because it would only be used on 'scumbags'. But who decides who is a 'scumbag' and who is an 'honest, ordinary, upstanding member of society'?

          Sometimes it's hard to tell who gets to make that decision but, spoiler alert: it's not you. And it's certainly not me.

          But let's say that it is decided that in certain cases, involving certain (alleged) crimes, the stakes are high enough to force people to reveal information contained in their mind that the authorities will then use as evidence against them.

          Why not just force them to testify against themselves? After all, you've already admitted that it's okay to compel people to reveal information in their heads - information which is being sought for the express purpose of convicting that person.

          What you then have is, effectively, a test on when the Fifth Amendment should and should not apply and who it should and should not apply to. Perhaps, even then, you are still defiantly sticking to your guns. But think of what that actually means . . .

          It means that the Constitution - a document that expressly limits how the government may act and what laws it may make - can be ignored when the government wants.

          In other words, it means that the government can make laws that restrict the constitution.

          And make no mistake - the government would love to do this and we see it with First Amendment cases not infrequently. In such cases, the government makes a law that bans some type of behaviour - for example (and controversially) burning the flag. The courts then slap that down as unconstitutional.

          In these cases, the government's line is not that the action isn't free expression of ideas, but that this particular idea should be considered especially problematic. The flaw in the government's arguments in these cases is that the First Amendment already contains exceptions and the proposed/enacted laws do not fall into those (narrow) spaces. Instead, the laws, effectively, try to add new exceptions to the constitution.

          And that's just not how it works - the government of (e.g.) Texas, can't decide that the Constitution doesn't apply when it says it shouldn't.

          This is the whole point of the Constitution - to set aside some laws and rights and protections and restrictions that cannot be easily overruled and ignored based on current political ideology or populist sentiment.

          1. dan1980

            Re: so Desperation

            As a side-note, the reason the laws and cases against flag burning are particularly relevant is that burning a flag is not harmful to anyone. Oh, you may hate it and it may make you feel angry but it doesn't harm you.

            The flags in question are private property that have been purchased by the individual in question and, as such, destruction of which represents no damage of public property. It is also just a flag - pieces of dyed and sewn cotton* - and so has no worth except that of the ideas it stands for. Ideas. Not a person, not a building - just some ideas. No one's child is being kidnapped and abused - no one is being murdered or beaten. No one's house is being broken into or car stolen.

            But yet this - this expression (and it is accepted as such by the government) that harms no one and constitutes no loss or damage of public property - is enough to prompt governments to try to circumvent the Constitution.

            Oh, you had better believe that the government would like to be able to do that and that, if it was able to, it wouldn't stop at extreme cases. It wouldn't be just to 'protect the children'.

            * - Burning a flag may be free expression of an idea but setting polyester on fire is plain stupid.

          2. Anonymous Coward

            Re: so Desperation

            "Still, you might say that this is all okay with you because it would only be used on 'scumbags'. But who decides who is a 'scumbag' and who is an 'honest, ordinary, upstanding member of society'?"

            This is America, the decision is made by the judiciary and where relevant a jury. That's what they're for, it's their sworn duty. The police and prosecutors may claim that someone is a scumbag but they don't get to decide or not whether that's true.

            Even today, even with a fairly nutty President on the throne, someone accused by the unholy trinity of the FBI, police, and all the State prosecutors of stashing illegal material on an encrypted HDD will have their name cleared by the judiciary simply by unlocking that drive and allowing the judiciary /jury to see that nothing illegal is held within. That's all it takes.

            That's a strong protection of people's liberty. It probably results in a successful claim of wrongful arrest too.

            And if the prosecutors have been making a habit of bringing such cases that they keep losing (accompanied by venomous condemnation from the judge), a few successful claims for wrongful arrest, mendacious prosecution, etc, would force them to alter their behaviour. There are, eventually, personal consequences for prosecutors and police who bring dumb unfounded cases.

            That's why such things don't happen very often.

            That's not what seems to be going on in this particular case. Based on the reports, it seems that there is a strong likelihood that Doe really is a complete and utter scumbag, an opinion shared by the Judge.

            "In other words, it means that the government can make laws that restrict the constitution."

            I'd have thought that especially in America with its vaunted constitutional separation of powers that people would be more aware of the role of the legislature, the body that makes laws, and the role of government, a body that does not make laws.

            "Ask yourself this - what if the police had access to a machine capable of reading information directly from someone's mind? It's a situation I've ranted on before but here it is particularly relevant."

            You get angry about something that doesn't exist? Oh deary me.

            1. Anonymous Coward

              Re: so Desperation

              " There are, eventually, personal consequences for prosecutors and police who bring dumb unfounded cases."

              Ehheh. You really believe so?

              Oh deary me.

              Somehow we haven't ever seen that happening. Have you?

            2. Cynic_999 Silver badge

              Re: so Desperation

              "

              their name cleared by the judiciary simply by unlocking that drive and allowing the judiciary /jury to see that nothing illegal is held within. That's all it takes.

              "

              So what if the police were to find an old USB memory stick that you used to transport some confidential files 5 years ago, and demanded that you decrypt it, but you could not remember the password you used? You'd presumably be quite happy to go to jail for life.

              And what if you did in fact have some Snowden whistleblowing type information on an encrypted drive that might be seen as treasonous? Does that make you a scumbag that deserves all he gets? Or you learn that your 12 year old son took some explicit photos of his girlfriend - would you be quite happy to help the police convict him and put him on the sex offenders' register so ruining his chance of a reasonable life?

          3. Meerkatjie

            Re: so Desperation

            They already have a machine that can read people's thoughts - a lie detector - which people have been forced to use for years. It just happens that the detector is absolutely useless.

            What would your solution be in this case that balances the right of the individual against the right of the public? Whose rights should take precedence here - a person who is indirectly responsible for harm against children or the children?

            To make this more grey and less emotive we can have a different scenario. Someone films themselves stealing something which they then toss/destroy so there is no evidence. The film is encrypted but the police have a fairly good idea what the film shows because the person mentioned they did something like it to their friends. Whose rights should take precedence - the person who stole or the person who was stolen from?

            1. dan1980

              Re: so Desperation

              @Meerkatjie

              "What would your solution be in this case that balances the right of the individual against the right of the public?"

              This is the question that is used by everyone seeking to circumvent and weaken protections provided by the constitution. To be clear, I am not suggesting that is your position - I am simply pointing out that this question of 'balance' is the wedge that gets used.

              The problem is that the protection of, say, the Fifth Amendment is a protection for the public against the government. It is an acknowledgment that the government has more power than the individuals it accuses of crimes.

              You can talk about the individual vs the public but the public is made up of individuals, each of whom are afforded the same protection. Given that this is, as stated, a protection for the public against the government, you can't separate the rights of one person from the rights of all people.

              When you talk about the rights of the individual vs the rights of the public, what you are really asking is whether the government should be allowed to strip the rights from some individual when they believe - or profess - that it benefits 'the public'. Once that is done, then NONE of the public have that right anymore because any single person may be stripped of it.

              The Fifth Amendment is for the good of the public, it just sometimes doesn't feel that way. Just as the First Amendment is for the good of the public and yet it allows behaviour that many find objectionable.

              Some protections are all-or-nothing because as soon as you allow wriggle room, the government tends to have the advantage and can perform all manner of contortions to justify what they want.

            2. Kiwi Silver badge

              Re: so Desperation

              "Whose rights should take precedence here - a person who is indirectly responsible for harm against children or the children?"

              Your following comment was interesting, but I'd still side with the idea of protecting the individual's privacy - I've known people who when asked by police, out of fear/autism-related-stuff/general nastiness they'll often say they're aware of someone having done or said something. And I know full well the pigs will twist everything they can and even make things up if they're wanting a pay bonusconviction enough. So often they've done "we know you did it, your mate in the other room is confessing to everything and will testify against you in court so you might as well come clean" - standard pigshit bullshit procedure (never go into an interview with them without a lawyer, even if you have absolutely irrefutable proof of your innocence!).

              But in what you mentioned here.. If someone is viewing material that already exists and has already been distributed, is there any manner in which that is harming the child to any degree? Especially if the child in question doesn't know of this specific instance. I don't doubt that the production of any pornography can be harmful to the individuals involved, especially where manipulation/coercion/force etc was involved, and especially where the person is unaware of the porn being made (adult with hidden camera or child not really grasping what is going on around them), but if you're unaware of someone getting their jollies off to a picture of you, how can that harm you? I'd love some realistic answers, not the "it's the same as abusing them all over again" type of stuff.

              1. Cynic_999 Silver badge

                Re: so Desperation

                "

                ... but if you're unaware of someone getting their jollies off to a picture of you, how can that harm you?

                "

                That's easy to answer. If the police catch someone with child porn and they can identify the children depicted, they will make the effort to inform every child and/or their parents of the fact that they have just found yet another copy of the material in the hands of a vile paedophile. This will cause embarrassment and upset which the police can then blame the sex offender for causing.

        4. Anonymous Coward

          Re: so Desperation

          "The difference is that when such a scumbag's ext HDD is decrypted, they seemingly stand a good chance of being jailed. Whilst an honest ordinary upstanding member of society such as yourself wouldn't."

          Irrelevant difference: What you lose in both cases, is the privilege to have the encryption in the first place, i.e. privacy. Jail time for not revealing a password to any authority who bothers to ask for it, literally means no right to privacy.

          And that is the primary target here, one more person in prison is totally irrelevant in this case: The attack is against privacy. Everyone's privacy.

        5. fruitoftheloon
          Stop

          @AC:Re: so Desperation

          AC,

          out of interest, how many friends do you have that are black and live in a major metropolis...?

          Please post the publicly visible IP address of the webcam in your bedroom, because of course:

          YOU HAVE NOTHING TO HIDE, do you now?

          On a related note, why isn't your handle visible too???

          Be careful what you wish for my friend...

          Regards,

          Jay

        6. Anonymous Coward

          Re: so Desperation

          "If one thinks one is living in a police state, count how many times you or your friends / family have been arbitrarily stopped, fined, forced to pay a bribe, wrongfully imprisoned, beaten up, disappeared, etc"

          You quite obviously do not have to cross the USA border very often. While you usually do not need to pay a bribe you get a good subset of the remaining to remind you that USA claims of not being a police state are a bit far fetched.

      2. goldcd

        Re: so Desperation

        Eloquently put

        1. Doctor Syntax Silver badge

          Re: so Desperation

          "Eloquently put"

          What was?

      3. a_yank_lurker Silver badge

        Re: so Desperation

        "Unfortunately, if we want to keep our rights, we have to allow them to be extended to scumbags too. Once the precedent is set that scumbags don't get a right to privacy, none of us do." - Exactly correct. Also, paraphrasing Ben Franklin: those who want privacy and the ability to snoop will not have privacy.

    3. John Smith 19 Gold badge
      Childcatcher

      "the looks of it the guy is a real scumbag if the government is right."

      Child pornography cases always guarantee public sympathy for law enforcement.

      Which is why it's always best for the government to use them if law is likely to be contentious.

      Note BTW this is the case in a United States court, just in case anyone thought this was the position in every other country in the world.

      Since we are talking the US Constitution 5th Amendment IE the right to not incriminate yourself, I'd guess the question is what would be the story if (in earlier days) he was a Mafia bookkeeper and kept the books in his own personal code?

  2. Vector

    "Scores of companies now encrypt their data," Terzian wrote. "In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas."

    Stop treating corporations as people and you wouldn't have that problem.

    1. Flocke Kroes Silver badge

      In Terzian's alternate universe ...

      ... a subpoena for a specific piece of information about one customer of a company can only be handled by handing over the company's entire collection of data to the police and hoping that it eventually comes back unmodified.

      1. kevinonh

        Re: In Terzian's alternate universe ...

        Absolutely correct. Terzian's example falls on its face immediately. Furthermore, the discovery example is also good: you only get the information that is specific to the action. But the real killer is that during discovery, you may interview someone who has broken the law, and they have an absolute right to refuse to answer.

        This precedent is terrible. The State doesn't have nearly the evidence it needs, so it has gone on a fishing expedition and put a defendant in a vice: keep silent and remain in jail, or open his mouth and go to jail.

        My favorite analogy is information in a safe. The State executes a search warrant. If they are in a good mood, they will offer you the opportunity to open the safe for them. If you refuse, they will drill out the lock. If you create a safe that the State cannot break into, you should have the right to refuse to open it.

    2. Anonymous Coward

      "Scores of companies now encrypt their data," Terzian wrote. "In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas."

      "Stop treating corporations as people and you wouldn't have that problem."

      That won't help, but being a bit more transparent in all of this might. If the encryption providing companies have done their job well (and Apple's encrypted HFS is quite well done) they will not even be ABLE to help because, you know, it's encrypted and needs a password.

      I can see why this chap didn't opt for storing the drive's password in the Mac's account keychain, but yes, I find it rather hard to believe he has "lost" the password. You could even just run a SMART test on the drive and you'd get its age, and from that you could assert that the drive has been used often enough for it to be accessible.

      That said, if contempt of court was x years and being exposed as child porn handler/collector with associated jail time and fun time in jail (as child porn people are apparently not really liked) is longer I can see this chap taking the easy route out.

      I would still have a look at his Mac keychain passwords to see if there's a trend visible - especially memorised passwords tend to follow a pattern for easy recall.

      1. Vector

        "Stop treating corporations as people and you wouldn't have that problem."

        "That won't help..."

        Yes, it would. If corporations are not people then corporations have no fifth amendment right to assert.

        1. dan1980

          @Vector

          Quite so. I am reminded of this amusing nugget:

          http://imgur.com/SCVWSCF

        2. disgustedoftunbridgewells Silver badge

          If corporations aren't legal people, they also cannot be taken to court.

          Corporations aren't natural people, which is a distinction lost on the "companies aren't people" ranters.

          1. Vector

            As affirmed by the "Citizens United" decision, corporations are people enough to be granted constitutional rights which would include the right against self incrimination. To my mind, corporate structures should exist purely for financial indemnification and nothing more.

            Of course, virtually every time a corporation gets sued, they settle "without admitting fault," so maybe the fifth amendment is irrelevant for them anyway...

          2. Eddy Ito Silver badge

            "If corporations aren't legal people, they also cannot be taken to court."

            I beg to differ. Nobody here, or anywhere else for that matter, would argue that an automobile or other inanimate objects are persons legal, natural, or otherwise. That has never stopped the United States from bringing lawsuits against inanimate objects. For example, I give you United States of America v. One 2003 Mercedes Benz CL500 (PDF) and US vs One 1985 Mercedes Benz and $12,000 in cash. Sadly I could go on for quite a long time using only Mercedes Benz. If I expand that to other automobiles or just cash or real estate it would be a very long list indeed. DDG, Google, Bing will all reveal just how sad it really is.

        3. kevinonh

          RE: "If corporations are not people then corporations have no fifth amendment right to assert."

          You don't just serve the papers on the Corporation: the papers are served against the officers of the Corporation.

      2. Kiwi Silver badge

        I find it rather hard to believe he has "lost" the password.

        Years ago I started writing a novel, worked a bit on it every day for some months. I was distrustful of those around me so I kept it encrypted when not working on it. The file name itself gave me a key to the password. One day, after several months of constant work, something happened. One possibility is that I forgot the password despite the strong clue as to its content. The other (which I would think is far less likely) is that somehow the password for the file got altered accidentally. I don't recall if I kept more than one copy of the file (but I suspect I would've done), but if I did then I couldn't open any version which means the problem probably was with me. To this day, despite the clue, I cannot open the file. I am more than 90% certain of what the password should, I have a good memory for these things, but I simply cannot get the file to open.

        It would be interesting to know how long since the drives were last used. If they were in regular use recently then despite what I've written above it's probable he remembers the password OK, but if he hasn't used them for a couple of years then that's another matter, quite possible he has forgotten the passwords and the ones he's tried are honest attempts at unlocking the drive.

        Personally, with the exception of my novel, I don't keep any encrypted stuff past its intended use, there's little more frustrating than a drive that might have something useful on it but is encrypted and you can't recall the password. I'd rather wipe it and know it is gone.

        1. Cynic_999 Silver badge

          "It would be interesting to know how long since the drives were last used, If they were in regular use recently then despite what I've written above it's probable he remembers the password OK"

          It is usually the case that (due to a backlog), the HDDs are not examined for several months after they have been seized, so it will be at least that long since he last used the password. I have occasionally forgotten a PIN when I have not used a card for 3 or 4 weeks, so forgetting a possibly complex password that has not been used for several months is perfectly possible, especially when you take into account the trauma of his arrest. Unless it can be proven *beyond reasonable doubt* that he remembers the password, he should not be imprisoned.

          If the entire HDD is encrypted, then there would be no way of knowing when it was used last. SMART data will reveal its date of manufacture and how often it has been used, but as a HDD does not contain a RTC it will not show the dates on which it was used. Even if the encrypted data is in a container file, many encryption applications will stop the "last modified" and "last accessed" timestamps being updated.

          1. Roland6 Silver badge

            It is usually the case that (due to a backlog), the HDDs are not examined for several months after they have been seized, so it will be at least that long since he last used the password.

            Many plausible reasons are given for why people can and do forget passwords, however, the key is in the official court record:

            "Further, a detective who executed the original search warrant stated that Doe did not provide his password at the time because he wanted to prevent the police from accessing his computer. Doe never asserted an inability to remember the passwords at that time. Doe presented no evidence to explain his failure to comply or to challenge the evidence brought by the Government."

            I suggest that at the time of the original search Doe was most likely to know his passwords, so unless the detective is misrepresenting what happened, but then surely Doe would have subsequently contested the detective's testimony, Doe actively refused to provide either a password or an excuse for his lapse of memory. I also suspect that examination of the computer showed recent use. Hence why the judge decided Doe hadn't forgotten his password...

    3. goldcd

      Not entirely sure I follow

      I can't think of many corporations that depend on a human's memory to produce decryption keys.

      Mainly as they're collectively so distrustful of a single point of salary-renegotiation.

      1. Ken Hagan Gold badge

        Re: Not entirely sure I follow

        "a single point of salary-renegotiation."

        Thank you for that. It has got the day off to a fine start. :)

    4. swm Bronze badge

      "Stop treating corporations as people and you wouldn't have that problem."

      That's not the problem - just treat the officers as co-conspirators and jail all of them if the corporation "person" is convicted of anything.

    5. Swarthy Silver badge
      WTF?

      My thought:

      Q: Rather than contempt for not decrypting/giving the password to decrypt, how about just convicting them of "Destruction of Evidence" which is a crime, punishable by jail time?

      A: That would be reasonable, and would not erode personal freedoms/protections enough.

  3. Jason Bloomberg Silver badge
    Unhappy

    Future Justice

    Why not cut to the chase; introduce a law which says "if we believe you to be guilty then you are. No evidence needed".

    That would save a whole lot of court and police time and massively cut costs. That seems to be where we are heading anyway and it worked for Guantanamo detainees.

    1. Anonymous Coward

      Re: Future Justice

      That would go too far, but I don't think it's not unreasonable to demand access and then set a contempt of court charge - provided it's fully motivated by the fragments of evidence found on the Mac. Just doing it because he failed isn't good enough, but if there is cause to believe there's dodgy stuff on the drive I think there is some justification.

    2. gnasher729 Silver badge

      Re: Future Justice

      "Why not cut to the chase; introduce a law which says "if we believe you to be guilty then you are. No evidence needed"."

      But there is evidence. There was a Mac Pro whose contents got decrypted and which showed evidence of child porn downloads. And there were encrypted hard drives connected to that Mac. If I had an encrypted drive and forgot the password, I would try any password I can think of until I get the right one or give up, and when given up it would be reformatted.

      1. dan1980

        Re: Future Justice

        "But there is evidence."

        Certainly there is. And they have that evidence. So build your case on that. (Which they did.)

        Let us completely ignore whether the defendant knows the password or not. In fact, let us assume that he does know it and is indeed refusing to hand over the information, as the court 'found'.

        THIS IS INFORMATION IN HIS HEAD. His thoughts; his secrets; his ideas.

        The government wants to force the accused to speak for the express purpose of using those words as evidence against him. They are saying he should be forced to testify against himself. The fact that the thoughts they want him to give voice to represent passwords is irrelevant - it is information he has in his brain that the government wants to force him provide so it can incriminate him.

        The fact that they have evidence of some crimes does not allow them to force the defendant to testify against himself to prove other crimes or a greater extent of criminality.

        Say you had someone charged with stealing a car and had evidence sufficient to secure that conviction but the government (as the prosecutor) strongly believed that this same person was responsible for several other thefts occurring around the same time. The defendant does not have to provide testimony that puts him at those additional crime scenes - he can invoke his Fifth Amendment rights to refuse to provide that information.

        The fact that there is evidence he committed one crime does not mean the Fifth Amendment no longer applies because it applies to every charge - every crime. This is so you can't find someone guilty and then laden him/her up with bunches of other crimes.

      2. Ken Hagan Gold badge

        Re: Future Justice

        "But there is evidence."

        You missed out the sister who claims that she saw lots of child porn on the machine, which isn't on the drives that have been decrypted so far. It's not *proof*, but it is *evidence*.

      3. Anonymous Coward

        Re: Future Justice

        "But there is evidence. There was a Mac Pro whose contents got decrypted and which showed evidence of child porn downloads."

        No there wasn't. Downloading something which doesn't exist anymore isn't an evidence of possession.

        Claiming that downloaded files were actually child porn is also shaky without the files, download logs show only file size and name and those aren't by any means unique.

        Prosecutors lying to get people hanged _and_ to remove the right to have encrypted hard drives in the first place are the problems here.

        1. bombastic bob Silver badge
          IT Angle

          Re: Future Justice

          "Claiming that downloaded files were actually child porn is also shaky without the files, download logs show only file size and name and those aren't by any means unique."

          also, if they were "downloaded by accident" [and you could legitimately claim this], they wouldn't be proof of having "downloaded child porn" [or else people who occasionally see such content on image boards, before the moderators delete it, would be guilty as well].

          as for the main topic...

          This judgement basically upholds that the defendant can be held in contempt if an order from a judge compels him to decrypt his external hard drives, and he refuses to comply with the order. I guess it would be like giving up the key/combination to your safe.

          Anyway, taking the hit for contempt is like taking a penalty in US'ian football, to avoid having your opponent score (like obvious 'pass interference' next to the goal line to stop a touchdown). It's really the strategy of someone who _IS_ guilty, and doesn't want a conviction on the greater charge.

    3. Truckle The Uncivil

      Re: Future Justice

      @Future Justice

      Is that not how it works in France? You have to prove your innocence rather than the prosecution proving your guilt? The Napoleonic Code (or something else I do not understand).

      1. JaitcH
        Meh

        Re: Future Justice

        Napoleonic Code is the same as reverse onus - guilty until you prove your innocence.

        In the States it's more like "Let's Do A Deal".

    4. wolfetone Silver badge

      Re: Future Justice

      "Why not cut to the chase; introduce a law which says "if we believe you to be guilty then you are. No evidence needed"."

      We already have that in the UK.

      1. Anonymous Coward

        Re: Future Justice, Real Soon Now

        Introduced in Finland too: You are guilty for (minor offences) whenever the Police says so, pay 70e fine.

        70e for now, it will rise rapidly when they get this to the actual law. And too bad for car owners: The register plate is enough to fine you, nothing else is needed.

        No evidence, no nothing: Just a bill to pay mailed to your home and not even the 'crime' needs to be identified. Only thing you need to know is that you have to pay.

        That's how you make a police state, literally.

      2. cynic56

        Re: Future Justice

        100%.

        I.e. I agree. Why am I saying this? Because I meant to upvote, but the fat fingers pressed the downvote, so decided to apologise in the reply. Then found I can switch the minus to plus. Now can't delete comment. Moral: stop digging, stop drinking. Am I the manfrommars?

  4. FF22

    Actual case aside

    This is just ridiculous. How could the judge have "found that Doe remembered the passwords needed to decrypt the hard drives but chose not to reveal them"? Obviously, he couldn't. He just assumed it, because of.... thought police?

    Also, somehow wanting to force the accused person to reveal his password goes against all established principles of due process, like the accused not having to incriminate himself, or the right to remain silent.

    "The appeals court found that forcing the defendant to reveal passwords was not testimonial in this instance because the government already had a sense of what it would find."

    ^ This is circular reasoning. As long as they don't know the password and can't decrypt the drive, they just can't know what's on it - let alone prove it.

    1. Anonymous Coward

      Re: Actual case aside

      If there is (accurate) information about the use pattern then the claim "chose not to" might be reasonable, e.g. if the system log shows the drive being mounted three times a day for the past year then a claim to have forgotten the password a few days later may strain credulity.

      However it certainly wouldn't be reasonable for a fallow device - I have a PGP disk volume from many years ago which proved not to have any of the passwords that I remember using then and resisted brute forcing. I've hung onto it out of sheer cussedness - probably whatever is inside is now devoid of real interest but, damnit, I want to know! so I still wait for some long-inactive neuron to fire and spill the beans...

      1. arthoss

        Re: Actual case aside

        me too!

        But coming to the mac. If they cracked the main password of the computer, it should be easy to look up in the key chain of the encrypted hard drives if they're saved there - normal users save it there. In the next step if the user really entered the password to the encrypted hard drives every time, there should be saved last time they were connected so it's easy to infer if the guy really doesn't remember or not. I'm no pro so I guess that's why the judges found him guilty of contempt of court.

    2. bazza Silver badge

      Re: Actual case aside

      This is just ridiculous. How could the judge have "found that Doe remembered the passwords needed to decrypt the hard drives but chose not to reveal them"? Obviously, he couldn't. He just assumed it, because of.... thought police?

      There's also the sister's statement to consider. From the article:

      Authorities in Delaware investigating the case already had a sense of the contents of the drives because, according to court documents, the defendant's sister had told police investigators "that Doe had shown her hundreds of images of child pornography on the encrypted external hard drives."

      So unless she's making it up and the other evidence doesn't amount to damning, it seems reasonable to assume that Doe knows it's not in his best interests to unlock that drive. That's a motive. He's been ordered to unlock it, and has been sat in front of a computer to unlock it. That's an opportunity. And, as no one can read his thoughts, that's a means of ensuring it remains locked*. Sounds like the three elements of an offence...

      * Until the NSA/FBI/CIA improve their capabilities. I'm just waiting for Trump to accuse GCHQ of being able to read encrypted US gov email. If he does that's "just got to be true", and perhaps they could help in this case, and someone in Cheltenham would need a pay rise.

      1. FF22

        Re: Actual case aside

        "So unless she's making it up and the other evidence doesn't amount to damning"

        So how do we know she's not making it up? There's no evidence to prove that what she's saying is true. Can't she lie? For what we know, the drive could belong to her, have been planted by her, and Doe might possibly really not know the password to it.

        Again, I'm not trying to take sides in the actual case, just trying to show, that there's no actual evidence against the man, just assumptions based obviously on prejudice (because they can't be based on proven facts in the absence of these).

        "So unless she's making it up and the other evidence doesn't amount to damning, it seems reasonable to assume that Doe knows it's not in his best interests to unlock that drive. That's a motive."

        That's again, circular reasoning. It's only a motive if you can actually prove that there's something incriminating on the drive. But until you can decrypt the drive, you can't prove even that Doe would have reason not to want to unlock it.

        1. Doctor Syntax Silver badge

          Re: Actual case aside

          "So how do we know she's not making it up? There's no evidence to prove that what she's saying is true."

          A sworn statement by her would be evidence. There's no indication in the article as to whether she made one.

          1. dan1980

            Re: Actual case aside

            @Doctor Syntax

            "A sworn statement by her would be evidence."

            Indeed it would be, in exactly the same way as a sworn statement of an eye witness to an auto theft is evidence. Which is to say that the statement, if the witness is found to be compelling and trustworthy, will constitute equally-compelling evidence.

            BUT, and this is the key thing, regardless of whether that evidence is sufficient to convict the defendant or not, it doesn't somehow provide justification to remove the defendant's Fifth Amendment rights.

            The issue is whether the information held in one's head can be ordered to be divulged in order to be used against you, not whether it's likely that you are guilty. There is no threshold of evidence, past which your Fifth Amendment rights no longer apply.

            The information is either protected under the Fifth Amendment or it isn't - if it isn't then it's Fourth Amendment time and it would be ridiculous to suggest that such a 'search' would be unreasonable, thus the information (the password) would have been fair game long ago.

            If the information is protected under the Fifth Amendment then no circumstance or amount of evidence is sufficient to compel the disclosure of it.

            1. Doctor Syntax Silver badge

              Re: Actual case aside

              "BUT, and this is the key thing, regardless of whether that evidence is sufficient to convict the defendant or not, it doesn't somehow provide justification to remove the defendant's Fifth Amendment rights."

              I'm not saying it would. Quite the contrary in effect as if there's eye-witness evidence to convict then the whole argument about passwords is irrelevant.

              1. Anonymous Coward

                Re: Actual case aside

                "Quite the contrary in effect as if there's eye-witness evidence to convict "

                Hearsay, at most. Is the witness even able to recognize child porn if seen? or is it just young looking porn stars? Midgets?

                No, "eye witness" in this case doesn't mean much. Definitely not enough for jail time.

          2. Anonymous Coward

            Re: Actual case aside

            "A sworn statement by her would be evidence. There's no indication in the article as to whether she made one."

            Yes, but there's no way to prove it's actual truth, until the content of the drive is decrypted.

            It's easy to make whatever statement to get your relative into jail and if you side with the prosecution, it's very rare to get any penalty at all for lying in court. So it's quite safe to lie to get someone in jail, sworn statement or not.

        2. Anonymous Coward

          Re: Actual case aside

          ""So unless she's making it up and the other evidence doesn't amount to damning"

          So how do we know she's not making it up?"

          Yes. We don't.

          And as a witness she can say whatever she wants just to put his brother in jail. Wouldn't be the first time.

      2. Anonymous Coward

        Re: Actual case aside

        " that Doe knows it's not in his best interests to unlock that drive. That's a motive. He's been ordered to unlock it, and has been sat in front of a computer to unlock it. "

        Irrelevant: Basically you are saying that there is no right to remain silent.

        That's against every agenda there is.

      3. Anonymous Coward

        Re: Actual case aside

        If I'm reading the article right the evidence in this case so far is...

        his computer was used to download files matching hashes of known abuse images.

        his sister claims she was shown similar images from an encrypted drive

        I'll ignore the phones for now as the article doesn't state what was found was illegal or even relevant.

        Given this info it's just as possible that the sister (if we assume she had access to his computer) used his computer to download the files to a drive that had been reformatted and encrypted with her password before claiming he had shown her the images.

      4. Kiwi Silver badge

        Re: Actual case aside

        "that Doe had shown her hundreds of images of child pornography on the encrypted external hard drives."

        So unless she's making it up and the other evidence doesn't amount to damning

        Not necessarily her that is making things up. The piggie-wiggies aren't exactly bastions of innocence and law-abidence now are they? Enough case history exists to cast a lot of doubt of what the police do or say.

        Consider.. We're expected to believe that this person has such a relationship with his sister that he feels he can show her "hundreds of CP images". It's also mentioned that there are photos of his nieces in underwear (which can be quite innocent) - it's presumable that these are the sister's own children. If they are her children, and the same uncle who gets pictures of CP is also getting pictures of them in their underwear, well, there's something pretty messed up there. If not her children, then there's a good chance they're the kids of one of her siblings (though the guy could be married and they could be the wife's sibling's kids).

        Given the sort of sentences that've been reported for CP possession in the US, if you were intelligent enough to encrypt all such things would you also be stupid enough to show anyone else such pictures, especially if that someone was the mother of some of the children who happen to be in your collection? I have some doubts about that, the math isn't quite right for me.

      5. Cynic_999 Silver badge

        Re: Actual case aside

        "... it seems reasonable to assume that Doe knows it's not in his best interests to unlock that drive."

        Sure, but that does not mean that he could unlock it if he wanted to. It is not in my best interests to jump over the Moon (I'd die during the transition through vacuum), but that fact does not mean that I would be capable of doing so, or should be imprisoned for refusing.

    3. gnasher729 Silver badge

      Re: Actual case aside

      "Also, somehow wanting to force the accused person to reveal his password goes against all established principles of due process, like the accused not having to incriminate himself, or the right to remain silent."

      That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court.

      You would only incriminate yourself if the fact that you know the password is incriminating. If you live with your room mate, and the police knows beyond reasonable doubt that _one of you_ has the password to a hard drive full of child porn, but they don't know which one, then the fact that _you_ know the password would incriminate you. But in this case, no. The fact that he knows the password is not incriminating evidence, so he has to reveal it.

      1. FF22

        Re: Actual case aside

        "That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court."

        Wrong. You do have the right to remain silent or claim you can't open the safe. The police then has the right to bring in a locksmith for the safe, but if he fails to open the safe or its contents get destroyed in the process, they can't assume you had child porn in there and convict you based on that.

        The same goes with the drive. You (as the owner of the drive) can remain silent or even claim you forgot the password. And even though the police has the right to bring in a security expert for the drive, if he fails to decrypt the drive, they can't just go ahead with the assumption you had child porn on it, and convict you based on that.

        "You would only incriminate yourself if the fact that you know the password is incriminating."

        You, too, are applying circular reasoning here, basing your conclusion on things you'd have to prove first to be considered facts. Like that there's actually child porn on the drive - which we have no proof for. For all we know the drive could be full of random bytes. Or it could be full of illegal material despite being completely devoid of any child porn, in which case Doe would incriminate himself by revealing the password. Which he can not be forced to do.

        That said Doe didn't invoke the right against self-incrimination, but simply claimed he can't remember the password. And unless they can prove that this is a lie, they've no proof for contempt of court either.

        1. gnasher729 Silver badge

          Re: Actual case aside

          "You, too, are applying circular reasoning here, basing your conclusion on things you'd have to prove first to be considered facts. "

          There's no circular reasoning at all. Police and court have the legal right to access the disk drive. There's a search warrant. You need a strong suspicion for a search warrant, not evidence that something will be found - if you had that evidence, you wouldn't need to search. And the accused was ordered to provide the password. As far as "contempt of court" is concerned, it doesn't matter what's on the drive. If he is totally innocent and refuses to hand over the password when ordered, it's still contempt of court.

          Just like opening your front door to police with a search warrant, handing over your password is not (in this case) incriminating yourself. It's the evidence on the drive that would incriminate you, not the fact that you have the password - which is already known, otherwise there would be no contempt of court. And you have no right to hide that evidence.

          A situation where you wouldn't have to reveal the password because the act would be incriminating: If you live with a roommate, and if there was an encrypted disk, likely containing child porn, but just pictures with no evidence of the owner on the disk, and if it was known beyond reasonable doubt to be either your disk or your roommate's disk, then providing the password would be proof that it is yours and not your roommate's. That would be self incriminating and you wouldn't have to provide the password.

          1. Anonymous Coward

            Re: Actual case aside

            "There's no circular reasoning at all. Police and court have the legal right to access the disk drive. There's a search warrant. "

            And they have the drive, what are they whining about?

            Ah, you mean the _content_ of the drive? They have that too, all ones and zeroes.

            What they don't have is the _meaning_ of those ones and zeroes and that's not something that can be included in search warrant.

            So warrant is irrelevant and also whole logic attached to it.

          2. Swarthy Silver badge
            Alert

            Re: Actual case aside

            Justice John Paul Stevens wrote the now-magic words:

            A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe — by word or deed.

      2. Doctor Syntax Silver badge

        Re: Actual case aside

        "evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant"

        Opening a safe doesn't require a key (or combination if that applies). The only advantage of having it is that you're able to re-use the safe.

        Combination locks raises another issue. Surely there are precedents for this. They should apply to passwords.

      3. P. Lee Silver badge

        Re: Actual case aside

        >That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe

        ... and the police have complete physical access to it. All the data is in plain view - go ahead and search. What they are demanding is some thoughts in a person's head. Sending someone to jail because they won't tell you the thoughts in their head is incredibly dangerous law.

        It is literally, "we don't have the evidence against you, so we'll put you in jail."

        It doesn't matter if the guy is a complete scumbag - and I assume that he is. This is bad law.

      4. Donn Bly
        Holmes

        Re: Actual case aside

        "That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court."

        While you have no right to keep that evidence unknown, similarly the court has no right to force you to give them the combination out of your mind (although they can order you to produce a physical key). If they want access they are required to gain access to the safe via other means.

        The police now have physical possession of the drives, and that is the full extent of cooperation from the defendant they are entitled to demand. Interpreting the encrypted 1's and 0's they have to do on their own.

        If it were a physical safe, and they used a torch or grinder to cut the lock to gain access and found documents encoded with a one-time cipher pad, they would still be on their own to decode them and they aren't entitled to demand that the defendant give up the cipher. This situation is no different. The government is NOT entitled to suspend the constitution whenever they like.

      5. Anonymous Coward

        Re: Actual case aside

        "You would only incriminate yourself if the fact that you know the password is incriminating. "

        Irrelevant. The point is that you or the court isn't the one getting to decide what is incriminating or not: It's the accused who decides that.

        Also there's this right to remain silent and you can't bypass that by court order. As much as the court wishes to do so, overstepping their authority and being the actual criminal here.

      6. Jason Bloomberg Silver badge

        Re: Actual case aside

        Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court.

        I would say people have every right to try to keep things as unknown and as secret as they can, while the police have every right to try and reveal the same.

        The accused should have no obligation to incriminate themselves or prove a case or allegation against them. It is up to the prosecution or accuser to prove the facts of their claimed case.

        As soon as we go beyond that we are all in very dangerous and frightening territory.

    4. Criminny Rickets

      Re: Actual case aside

      "The appeals court found that forcing the defendant to reveal passwords was not testimonial in this instance because the government already had a sense of what it would find."

      So wouldn't this be the same as if it was a murder trial where the glove found at the scene of the crime fit the defendant; wouldn't this be like saying - forcing the defendant to "testify" against himself is not testimonial in this instance because the government already had a sense of what it would find?

    5. Truckle The Uncivil

      Re: Actual case aside

      @FF22

      If they have logs or records of what was written to the drive then they have a pretty good idea of what is (or was) on it. If they know the hashes (which they apparently do) of some of the files recorded as being saved to that disc then they know it contains (or contained) the files which have those hashes.

      1. Anonymous Coward
        Anonymous Coward

        Re: Actual case aside

        To have (correct) hashes they need to have the actual files too. Which they apparently don't have.

        Whole 'hash' explanation smells very fishy here anyway: There are no un-encrypted files available and encrypted files of course have totally different hashes, so I'm assuming the prosecutors are lying on this.

        And they are entitled to do so, also in court: There's not a thing demanding that prosecutor tells the truth, ever.

        Only tampering the evidence is illegal, anything else is free game.

      2. cynic56

        Re: Actual case aside

        They have hashes. But do the hashes tie to this disk?

      3. Kiwi Silver badge

        Re: Actual case aside

        Can you (or anyone) explain this some more please? I'm not hugely familiar with OSX to the filesystem level but:

        If they have logs or records of what was written to the drive then they have a pretty good idea of what is (or was) on it.

        I don't recall ever coming across a system that logs files written to this level - not for a home system. I would expect that for a journalling filesystem, such data is stored on the drive itself, and if it is a fully encrypted drive then everything would be encrypted (but if somehow the journal data isn't encrypted, that could potentially provide some evidence of what is there). What would be the source of "logs or records" unless he was keeping some sort of index of what he had? (which also is probably not beyond the realms of possibility given the numbers of pictures mentioned in the article).

        If they know the hashes (which they apparently do) of some of the files recorded as being saved to that disc then they know it contains (or contained) the files which have those hashes.

        And this also doesn't make a lot of sense. So the cops can see the guy visited the sites somehow (obviously not using a secure way to protect his activities) and viewed certain files (do CP servers make that sort of data available, or was he caught in a sting where the cops/feds seized the CP servers? I somehow expect the servers in the former case would be set to minimal log levels and wiping stuff ASAP?), but again I would expect that everything about encrypted data is encrypted. Why would you have separate hashes of files? Are these so you can verify the archive (like when you download a Linux ISO, you can also get the hash to confirm the file you downloaded is legit, especially if you're using Bittorrent etc)? (In this sort of case where someone has mentioned the possibility of collisions, I'd argue that if he has 20 hashes and one matches a known CP file then your argument might be valid, but if 10 match known CP stuff then I would have a hard time believing he innocently had 10 collisions!)

        Just thinking on some of this, I guess if OSX has an indexing system like Windows has and Linux may have, then that could be another way they get the evidence of the contents - the drive and all its data is encrypted but there's a search index with the OS that says "volume x has files y and z and also xxx..." - but do indexing systems look at this stuff? I've not looked far into them, certainly not into using those things to list the files that might be on an external drive without having the drive plugged in (always assumed the index resides on the drive itself).

        This would help clear up some of my confusion around this case.. Not that I want to know too much more about it.
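The hash-matching argument in the replies above, shown as an added example that is not part of any post or of the case record. It assumes a hypothetical transfer log left on a decrypted system volume and uses a toy SHAKE-256 XOR cipher as a stand-in for real disk encryption; all file contents, paths and names are constructed.

```python
import hashlib
import math


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for real disk encryption (assumption): XOR with a SHAKE-256
    keystream. Applying it twice with the same key decrypts."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed reference files and the known-hash set built from them.
REFERENCE_FILES = {
    "ref-001": b"constructed reference file A\n" * 64,
    "ref-002": b"constructed reference file B\n" * 64,
}
KNOWN_HASHES = {sha256_hex(body): ref for ref, body in REFERENCE_FILES.items()}

# Constructed, hypothetical transfer log as it might sit on the decrypted
# system volume: each hash was recorded while the file was still in the clear,
# before it was written to the encrypted external drive.
TRANSFER_LOG = [
    {"dest": "/Volumes/EXT1/a/renamed-1.bin",
     "sha256": sha256_hex(REFERENCE_FILES["ref-001"])},
    {"dest": "/Volumes/EXT1/a/notes.txt",
     "sha256": sha256_hex(b"constructed unrelated file")},
    {"dest": "/Volumes/EXT1/b/renamed-2.bin",
     "sha256": sha256_hex(REFERENCE_FILES["ref-002"])},
]

# What an examiner can actually read from the locked drive: ciphertext only.
DRIVE_KEY = b"constructed-drive-key"
ENCRYPTED_DRIVE = [toy_encrypt(DRIVE_KEY, body) for body in REFERENCE_FILES.values()]


def match_log(log, known):
    """Match logged hashes against the known set; file names play no part."""
    return [(e["dest"], known[e["sha256"]]) for e in log if e["sha256"] in known]


def scan_blobs(blobs, known):
    """Hash raw blobs as read from a drive and look each one up in the set."""
    return [known[h] for h in map(sha256_hex, blobs) if h in known]


def log2_accidental(matches: int, known_count: int, hash_bits: int) -> float:
    """log2 of the chance that `matches` unrelated files ALL hit a set of
    `known_count` hashes by accident, approximated as (N / 2**bits) ** k.
    This covers accidental matches only, not deliberately built collisions."""
    return matches * (math.log2(known_count) - hash_bits)


if __name__ == "__main__":
    print("log matches:       ", match_log(TRANSFER_LOG, KNOWN_HASHES))
    print("ciphertext matches:", scan_blobs(ENCRYPTED_DRIVE, KNOWN_HASHES))
    print("10 accidental hits, 1e6 known SHA-256 hashes: 2^%.0f"
          % log2_accidental(10, 1_000_000, 256))
```

The log matches tie a hash to a destination path without the drive ever being opened, while hashing the ciphertext itself matches nothing until the data is decrypted.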

  5. Eric Olson

    I guess that means it's time to add a time component to the encryption

    No successful logins after X days means the key is destroyed and the data cannot be recovered. Probably defeatable, but it seems like a safe defense if the courts won't recognize it as a viable Fifth Amendment. You can't be held in contempt for something that cannot be resolved; just refuse to comply and wait the required number of days.

    1. Down not across Silver badge

      Re: I guess that means it's time to add a time component to the encryption

      No successful logins after X days means the key is destroyed and the data cannot be recovered.

      Or another password, that will destroy data (wipe or re-encrypt with random key).

      Although for forensic investigation all the work would be happening on a copy rather than original so it would be fairly easy to spot what happened. End result would likely be in contempt anyway.

      1. Neil Barnes Silver badge

        Re: I guess that means it's time to add a time component to the encryption

        There's a secondary issue: how do you tell the difference between an encrypted disc and one full of random numbers? Or one containing two encrypted partitions, one of which is completely innocent?

        (Apropos of neuron-fade: this weekend I was completely unable to recall a user number (i.e. their reference for me) for my bank. I've used it every couple of days for perhaps twenty years... didn't come back until I stopped thinking about it.)

        1. Down not across Silver badge

          Re: I guess that means it's time to add a time component to the encryption

          There's a secondary issue: how do you tell the difference between an encrypted disc and one full of random numbers? Or one containing two encrypted partitions, one of which is completely innocent?

          I don't think you can (without having the password and therefore being able to decrypt and mount). Not reliably anyway.

          With two partitions, presence of one known encrypted partition (confirmed by it being decrypted by the provided password) might raise suspicion of any other partitions on the disk being also encrypted.

          Possibly better option would be TC's hidden volumes (within a parent volume). Even then a keen eyed observer might get suspicious with discrepancy between apparent used vs free space.

          There are of course various other ways presence of hidden volume might be revealed.

          1. Cynic_999 Silver badge

            Re: I guess that means it's time to add a time component to the encryption

            "

            Possibly better option would be TC's hidden volumes (within a parent volume). Even then a keen eyed observer might get suspicious with discrepancy between apparent used vs free space.

            "

            There will be no discrepancy. The outer volume will show exactly the correct amount of unused space - i.e. used + unused space will exactly equal the total container size. The fact that most of that seemingly unused space is in fact the encrypted data of the inner (hidden) container cannot be detected. Writing to that "unused" space will destroy the encrypted data in the hidden container.
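The question raised in this sub-thread (an encrypted disc versus one full of random numbers, and hidden-volume data sitting in "unused" space), shown as an added example that is not from any poster. It scans a constructed disc image block by block with byte-frequency statistics; the toy SHAKE-256 XOR cipher is a stand-in for real disk encryption, and the threshold and all sample data are assumptions made for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096          # scan granularity in bytes
REGION = 16 * BLOCK   # each constructed region is 16 blocks long


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHAKE-256 keystream."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chi_square(buf: bytes) -> float:
    """Pearson chi-square of byte counts against a uniform distribution.
    Uniform data averages about 255 (the degrees of freedom)."""
    expected = len(buf) / 256
    counts = Counter(buf)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(buf: bytes, threshold: float = 400.0) -> str:
    """'uniform' if the byte histogram is consistent with random data."""
    return "uniform" if chi_square(buf) < threshold else "structured"


def scan_blocks(image: bytes, block: int = BLOCK):
    return [classify(image[i:i + block]) for i in range(0, len(image), block)]


def boundaries(labels):
    """Block indexes at which the classification changes."""
    return [i for i in range(1, len(labels)) if labels[i] != labels[i - 1]]


# Constructed image: cleartext files, then ciphertext, then a random wipe.
TEXT = b"Quarterly accounts, holiday photo index, notes to self. "
PLAINTEXT = (TEXT * (REGION // len(TEXT) + 1))[:REGION]
KEY = b"constructed-key"
CIPHERTEXT = toy_encrypt(KEY, PLAINTEXT)
RANDOM_FILL = hashlib.shake_256(b"constructed-wipe-seed").digest(REGION)
IMAGE = PLAINTEXT + CIPHERTEXT + RANDOM_FILL


if __name__ == "__main__":
    for name, buf in (("plaintext", PLAINTEXT), ("ciphertext", CIPHERTEXT),
                      ("random fill", RANDOM_FILL)):
        print(f"{name:12s} entropy={shannon_entropy(buf):.3f} "
              f"chi2={chi_square(buf):.0f}")
    print("label changes at blocks:", boundaries(scan_blocks(IMAGE)))
```

The scan finds the edge between cleartext and everything else, but nothing at the point where ciphertext ends and random fill begins.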

  6. TRT Silver badge

    To be honest...

    I can't remember half my passwords nowadays. But I have them on a keychain in a computer which I do know the encryption code for, and which is keyed into a fingerprint as well as a password/key.

    1. Doctor Syntax Silver badge

      Re: To be honest...

      "which is keyed into a fingerprint"

      An injury to the finger could be a problem.

      1. Someone Else Silver badge
        Coat

        @Doctor Syntax -- Re: To be honest...

        An injury to the finger could be a problem.

        "Nice finger you got dere. Shame if sumpin' was to happen to it...."

    2. Tom 7 Silver badge

      Re: To be honest...

      I've a couple of bank accounts I can't access online as they ask questions the answer is easy to discover and I can't remember the shit I used instead. I've probably got encrypted files on old disks that are there from playing with encryption algorithms as part of one of my jobs. I'd bet there are files generated by storing data to disk in proprietary and or experimental formats. I've got half a dozen disks from Raspberry Pi's that are corrupted with god knows what because I'd been running them off a large battery that hovered around the failure voltage for a noticeable period of time.

      Basically I've probably got several Gig of innocent noise* that cannot be distinguished from an encrypted file which I could be locked up for. Fucking stupid law.

      *I've also got white noise files (and pink and others) some of which are useful but some out of bloody mindedness.

  7. Anonymous Coward
    Anonymous Coward

    Valid excuse for the more elderly of us

    I've had to give up on several files, the contents of which I genuinely do not know, as I can't remember, or work out the password. Some I was just testing encryption, others stored financial information, but I couldn't offer the password if you paid me. Remember that we are encouraged to not write down passwords, not use "simple" phrases. Recipe for disaster.

    1. Ogi

      Re: Valid excuse for the more elderly of us

      Not just the elderly. My twenties and teenage years were littered with lots of encrypted files I cannot remember the passwords to.

      Some of them were just my attempts at hiding porn from my parents, others were attempts at encryption, some are my personal files backed up to be stored remotely, etc...

      I still keep the files in the hope that one day I will just remember what the password was like a bolt from the blue (it has happened), but if you asked me to remember them right now I probably couldn't.

      Hell, if you threatened me with prison time and demanded I unlock something right now in front of police officers, I probably would be so nervous/stressed that I could not actually remember the password, even if I typed it in earlier that day. Being under massive stress can make you forgetful, this is well known.

      And I am not alone, just yesterday I had to bruteforce a friend's password-protected Word document because back in 2012 she encrypted it (has all her bank account info in there) and has forgotten the password.

      Forgetting passwords is so common that people invented password managers, so you only have to recall one single master password.

      The court is essentially saying that forgetting is a crime here (whether the guy really forgot or is blocking is irrelevant, as we have no way of being sure which it is), which I find mind boggling, but then again, a lot that has been happening in the world is mind boggling to me, so a bit more should not surprise me anymore.

      1. Roland6 Silver badge

        Re: Valid excuse for the more elderly of us

        Re: The court is essentially saying that forgetting is a crime here

        I think it is a little more nuanced. The key is the extent to which the external drives were used in recent times.

        Whilst I totally accept the issues with old drives - I have encrypted stuff that is over ten years old for which I hope I've still got the relevant project notebooks which will contain the clues to what the keys are. However, if the drive has been in use regularly over a relatively long period including recent months, I suggest either the guy really has had a mind blank (like we all get when we come back from a long holiday and find ourselves struggling to remember our login details on the first day back) or as the court seems to be intimating, he is being economical with the truth:

        Further, a detective who executed the original search warrant stated that Doe did not provide his password at the time because he wanted to prevent the police from accessing his computer. Doe never asserted an inability to remember the passwords at that time. Doe presented no evidence to explain his failure to comply or to challenge the evidence brought by the Government.

        1. Anonymous Coward
          Anonymous Coward

          Re: Valid excuse for the more elderly of us

          "I suggest either the guy really has had a mind blank [...]"

          It does happen. Last week the neighbours and their kids were all coming home from school. As they passed me being busy in the garden there were constant interruptions as they all said "hi $name". I dutifully replied with the usual litany of their names.

          Then a neighbour whom I know very well caught me by surprise from a different direction and my mind went blank - managing only a weak "Hi".

          For several hours afterwards I couldn't recall her name. Her neighbours, her husband, her children - all names I could recall - but every time I summoned up her face - zilch.

          I had a sense of the rhythm of her name - and finally went through the alphabet for an initial letter. No sense of that "ring" to confirm a match. Then on a last attempt I reached the letter "L" again and the name suddenly appeared.

          Of course since then every time I visualise her face - the name is there instantly. It is a relief that I am not going to have to ask her or her family "what's her name?".

  8. Anonymous Coward
    Anonymous Coward

    EncFS is your friend...

    as it's possible to 'mount' an EncFS directory entering the wrong password (using non-validate password option); in this case the files are visible but still unreadable as opened with wrong key.

  9. gypsythief

    Already incriminated by a witness.

    With the usual "I am not a shark lawyer" disclaimer, it would seem in this case that there are reasonable grounds to force a password confession despite the Fifth Amendment, as the police have a reliable witness, the defendant's sister, who has testified as to seeing the images on the external hard drive.

    Whilst this is one person's word against another's, I would have thought such testimony was sufficient existing evidence that "the defendant would be incriminating himself" would no longer apply as it is the sister who has incriminated him with her testimony.

    And why on earth, if you were in possession of such images, would you show them to your sister?!

    1. Rainer

      Re: Already incriminated by a witness.

      > And why on earth, if you were in possession of such images, would you show them to your sister?!

      Probably some sort of acknowledgment of his brain that he should seek outside counseling.

    2. Pen-y-gors Silver badge

      Re: Already incriminated by a witness.

      If they've got the sister's sworn testimony, why do they need the files? If the sister swore that she'd seen him exposing himself in public, would they demand photos (or it didn't happen)?

      1. gnasher729 Silver badge

        Re: Already incriminated by a witness.

        "If they've got the sister's sworn testimony, why do they need the files? "

        She claims she has seen hundreds of photos. That doesn't mean "hundreds of photos" is proven. Just like when the cops measure you drove 56 mph in a 50 zone, only maybe 53 mph will be considered "proven". Or he could have shown her the same 50 photos six times.

        On the other hand, they don't care how many pictures he showed to his sister, but how many are on his drive. Even if it was considered proven that there are pictures on the drive, for _correct_ sentencing you would need to know how many exactly. And these photos come from somewhere, so they might help the police catching the distributor. Plenty of reasons to want to see what's on the files.

        1. Doctor Syntax Silver badge

          Re: Already incriminated by a witness.

          "On the other hand, they don't care how many pictures he showed to his sister, but how many are on his drive."

          It could be that they've been deleted in which case there are none although it would then be unlikely that he'd withhold the password if he did remember it.

          "Even if it was considered proven that there are pictures on the drive, for _correct_ sentencing you would need to know how many exactly. And these photos come from somewhere, so they might help the police catching the distributor."

          If they were more concerned to catch the distributor - well, the USA is the land of the plea bargain.

    3. Cynic_999 Silver badge

      Re: Already incriminated by a witness.

      "

      And why on earth, if you were in possession of such images, would you show them to your sister?!

      "

      Exactly. So perhaps he didn't.

      Your statement indicates that you have reasonable doubt about the veracity of her testimony.

  10. Bandikoto

    the Founding Fathers are spinning in their graves

    Taking the Fifth (invoking the Fifth Amendment (against self-incrimination)) is as good as an admission of guilt these days - after all, if you didn't have anything to hide, you wouldn't object to them stomping your Fourth Amendment rights (to privacy) with their hobnail boots.

    Also, what browser saves file hashes?

    Or, if they were torrented, then the names and locations (on the external drives) would be known, in addition to hashes, at which point, that would be sufficient to say that he had said images in his possession at some point (as well as having distributed them). At which point they wouldn't be demanding his keys and the judge wouldn't be making up laws.

    If his lawyer is any good, he'll get off.

    1. tom dial Silver badge

      Re: the Founding Fathers are spinning in their graves

      Taking the Fifth probably has been assumed an admission of guilt and resulted in convictions from time to time, but never has been so considered legitimately. While it is not quite the same, the judge in criminal trials normally instructs the jurors that they may not infer either guilt or innocence from a defendant's failure to testify.

      1. Doctor Syntax Silver badge

        Re: the Founding Fathers are spinning in their graves

        "the judge in criminal trials normally instructs the jurors that they may not infer either guilt or innocence from a defendant's failure to testify."

        Juries have been known to ignore the judge's instructions.

      2. Bandikoto

        Re: the Founding Fathers are spinning in their graves

        "legitimately"

        Aye, there's the rub.

        There isn't always a jury, and the Fifth is invoked in places other than Criminal court. The Judge is God in their courtroom. If your Family court judge hates your guts because you have a Y chromosome, or your hair is the wrong color, you're going to suffer unless your attorney is not just merely clever, but really most sincerely clever.

        And before you say "Appeal", realize that involves a major outlay of cash and that in parts of the US, Family court judges are essentially there for life.

  11. mics39
    Gimp

    Inquisition

    Will mental disability still be allowed?

    1. Anonymous Coward
      Anonymous Coward

      Re: Inquisition

      In the UK I think the government are trying to eliminate mental disability by taking away their benefits... and it appears Trump is attempting to do the same over in the US through his proposed healthcare reforms.

      1. Anonymous Coward
        Anonymous Coward

        Re: Inquisition

        I thought Herr Don was acting as a champion for the mentally different people and was leading by example?

        1. mics39
          Pint

          Re: Inquisition

          "I thought Herr Don was acting as a champion for the mentally different people and was leading by example?"

          Sure, but disabled quite differently from me.

  12. DougS Silver badge

    Can they make you provide the combination to a safe?

    Same thing, really. Since safes have been around since the 1800s, presumably the Supreme Court ruled ages ago and it is well established precedent.

    Sure, it is possible for authorities to drill a safe, but there are safes that if a break in is attempted will destroy the contents, which is effectively the same as them being unable to break in.

    1. Swarthy Silver badge
      Big Brother

      Re: Can they make you provide the combination to a safe?

      SCOTUS Justice John Paul Stevens wrote in a dissent (which was agreed with, and since used as precedent):

      A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed.

      So, according to SCOTUS precedent/tradition, No, they cannot make you provide the combination of a safe; but they can force the production of a key.

  13. a_yank_lurker Silver badge

    How Stored?

    How was the password stored? All my passwords are stored in a password manager file so only remember about 4 total, including work. If he had stored them in a password manager and given the general incompetence of the flatfeet and the bench warming shysters it is quite possible no one bothered to check if there was a password manager installed. If you ask me for my email password for example you would get a blank stare, I have no idea what it is. So if they asked him for the password without the password manager he might not actually know them.

  14. Snowy

    Try not entering the password for a few weeks then remember it?

    1. P. Lee Silver badge

      >Try not entering the password for a few weeks then remember it?

      My inbox is littered with password reset emails.

  15. alain williams Silver badge

    How long do you want to eat porridge for ?

    The sentence for 'forgetting' a password, or the sentence for having files that contain: kiddie-porn/bomb-making-instructions/... ?

    Work out which is the shorter before you decide if you can remember the password.

    1. Anonymous Coward
      Anonymous Coward

      Re: How long do you want to eat porridge for ?

      "The sentence for 'forgetting' a password [...]"

      IIRC in England it is a 2 year sentence in such cases. It is said that when you come out they can ask for the password again - and that's another two years if you say you still don't know. Rinse and repeat.

      You can also in general remain silent when questioned. However the court is then allowed to take such silence as likely to mean you are guilty.

  16. MNGrrrl

    Court fail

    This is an ongoing problem, caused by ignorance. People view technology incorrectly; rulings by the judiciary and legislative branches in many governments are not based on a sound understanding of what computers are, and what they can do, and do not use this understanding when considering the larger body of law and the lessons learned there.

    Judges are partly to blame for this -- they are typically over the age of 50, have a limited understanding of technology, and rely heavily on metaphor and analogy to make their rulings. But the majority of the blame is at the hands of legislators, who suffer from the same ignorance except that it is ignorance that is actively encouraged -- law enforcement blatantly lies to them, and political interests as well, and the few from the industry who try to educate them are quickly declared enemies of the state or discredited for not having any "business" sense.

    This has resulted in rulings and laws which simply are not logically consistent, even within the narrow contexts they are made; such as encryption. To wit -- the government's case, accepted by this judge, is that they don't even have to prove he knows the password, simply that he *could* know it. So now, people can be thrown in jail as long as it's possible for them to know a password or key. Which, taken to its logical conclusion, means that the court holds any computer that you have ever accessed, at any time, is sufficient grounds for contempt if you do not provide an access method upon request. And be mindful that contempt of court is not a crime with a defined sentence... they can throw you in prison for the rest of your life without parole, trial, or possibility of appeal. Which in this case, is justified because the defendant can end his incarceration by simply complying with the judge's demand.

    A demand that could be impossible to meet.

    1. Doctor Syntax Silver badge

      Re: Court fail

      "Judges are partly to blame for this -- they are typically over the age of 50, have a limited understanding of technology"

      This is just ageist bollocks. I'm over the age of 70. I've been using computers for nearly 50 of those years starting with FORTRAN about 1970. I know a few 80-90 year old friends and family who use computers regularly. I wonder how old you are and what understanding you have of the law or, come to that, of those older than yourself.

      1. gnasher729 Silver badge

        Re: Court fail

        About 30 years ago I met a retired postman (in his 60s) who bought himself an Apple II computer, learnt 6502 assembly language, and did some things with it that impressed all the kids in their 20's.

      2. Sir Runcible Spoon Silver badge

        Re: Court fail

        "This is just ageist bollocks. I'm over the age of 70. I've been using computers for nearly 50 of those years starting with FORTRAN "

        Do you consider yourself 'typical' in this regard? Do you also have a long-standing career in an entirely different field under your belt as well?

        It was clearly a general-ism and not intended to be 'ageist'. I refer the honorable gentleman to the following court extract on this very subject..

        https://www.youtube.com/watch?v=9VgwxKW0J6I

      3. Kiwi Silver badge

        Re: Court fail

        "Judges are partly to blame for this -- they are typically over the age of 50, have a limited understanding of technology"

        This is just ageist bollocks. I'm over the age of 70. I've been using computers for nearly 50 of those years starting with

        So for much of that time you were using computers. You weren't going through law school, then practising law, eventually reaching the required level of experience to become a judge - you were working in the computer field.

        Judges are very seldom computer experts. Like many older people, while they may use computers and use them quite well, and may be quite intelligent (I have a couple of well-respected scientists among my friends who are over 70), they do not necessarily have a great technical knowledge of them. How many systems are there that you have little or no real knowledge of? How many programs are there that you could not use without a manual or someone to guide you? I don't intend to disparage your knowledge or experience, but I'd be quite willing to bet that while you may have used many systems, you've probably only seen a small percentage of the software that is out there. Aptitude lists a tad over 68,000 packages in the "not installed" category for this computer, with 2,575 installed. I have VM's for Dos 6, Win XP and 7, GhostBSD and a few other things on here - I'm a long way above what the average user is capable of but I am far far below what most people here on El Reg could do. I certainly have more experience of computers than the average 70 yo because for me they have been something I embraced and made a big part of my life and my entertainment, whereas most people 50 years ago barely even knew of their existence, and would have very little direct contact with them throughout their working lives.

        It's only in recent years that computers have been a regular component of courtrooms. Why would you think that judges have the sort of experience with them that I have, let alone someone as advanced as yourself?

  17. Anonymous Coward
    Anonymous Coward

    "This is just ageist bollocks."

    The poster seemed to be suggesting that anyone over 50 is less likely to have been exposed to IT technology - not that their age made them less competent generally. That seems reasonable. I remember people of my parents' generation born round the start of the 20th century who had never adjusted to an understanding of electricity or radio.

    I still meet intelligent young people who have little concept of IT. They have just learned to do a few operations by rote. Most non-IT people - and even many who work in IT - have only ever learned to press the right buttons. Ask someone how a car works - eg the engine or differential and often they have no idea.

    1. dan1980

      "The poster seemed to be suggesting that anyone over 50 is less likely to have been exposed to IT technology . . ."

      Without arguing this, it's not really the point in this case. If you can find a judge who doesn't understand what a password is, then I will show you a judge who is senile beyond the ability to perform the functions of their office.

      It is well-enough established that a person can be compelled to produce a key to a safe but not a combination.

      Many people have argued how this distinction should be applied in the digital world but one tack is to say that passwords shouldn't be protected by the Fifth amendment because they can't be compared to combinations of safes. The reasoning there is that there isn't a strong reason to compel someone to reveal the combination of a safe because the safe can, generally, be accessed with the assistance of locksmiths.

      It's an open area of discussion and debate but I would suggest that, logically, the ability of Law Enforcement to access a safe means there's also no good reason to compel someone to produce the key either.

      So why the difference? If both a key and a combination are conveniences for the Government surely production of them should be treated the same under the Fifth Amendment.

      The reason they aren't can only be because of the nature of what is being demanded: a physical object vs the contents of someone's mind.

      There are only two ways out here - either the entire contents of someone's mind is covered by the Fifth Amendment or only some parts are.

      To my point about the technical knowledge of the judge, it's worth noting that it doesn't matter if the combination lock on a safe is a multiple-dial lock, a single-dial lock or even a keypad and it doesn't matter if the safe door is locked by bolts on one side or all around and it doesn't matter what the bolts are made of or whether they are mechanically or electrically driven - or how hard the safe is to crack or how long that will take.

      In other words, the specific safe construction and lock mechanism is irrelevant to the Fifth Amendment question of whether the combination for it is protected or not.

      1. Doctor Syntax Silver badge

        "It is well-enough established that a person can be compelled to produce a key to a safe but not a combination."

        We're getting a little off-topic here but...

        I don't have the key but I know where it is. Can I be compelled to tell? Likewise if I know who has it?

        There are probably precedents but from past experience I can imagine the jury being cleared out of court and much debate and flourishing of law books between counsel and judge over which precedents apply in the circumstances of the case.

    2. Doctor Syntax Silver badge

      "The poster seemed to be suggesting that anyone over 50 is less likely to have been exposed to IT technology - not that their age made them less competent generally. That seems reasonable."

      Even if we disregard earlier stuff such as the Apple II, Trash-80 etc, someone aged 50 this year would have been ~14 when the IBM PC was introduced. And I know people born in the '20s & '30s who can find their way round PCs (and have worked out how to download Open- or LibreOffice because that's what they use).

      "I remember people of my parents' generation born round the start of the 20th century who had never adjusted to an understanding of electricity or radio."

      That would be the same as the older members of my parents' generation. I never met any of my aunts, uncles or their friends who had the slightest unfamiliarity with either.

  18. Anonymous Coward
    Anonymous Coward

    My $0.02 worth

    As under US law "contemnors" can essentially be given an unlimited sentence, this scumbag is basically stating he would rather serve life without parole as a contemnor than a probably lower sentence as a pedo aka nonce but with substantially worse conditions.

    The problem here is that this is not justice in any sense of the word, and makes a mockery of the entire system because worst case the data is only protected while the encryption remains unbroken.

    I have calculated in this case 2027 to be about right by which time the law will probably have been changed due to too many "prisoners of conscience" and double jeopardy may or may not apply.

    Is it ethical to impose the same sentence on say a whistleblower who is relying on the prison system to defend them from death by assassination (cough Big Pharma/Big Finance/Big Oil /cough), when in theory they are actually only guilty of trying to protect their families from retaliation?

    Maybe what we need to do as a society is specify a set sentence equivalent to the *likely* outcome, if he wants to argue with this then so be it.

    1. Kiwi Silver badge

      Re: My $0.02 worth

      As under US law "contemnors" can essentially be given an unlimited sentence, this scumbag is basically stating he would rather serve life without parole as a contemnor than a probably lower sentence as a pedo aka nonce but with substantially worse conditions.

      Your proof that he can remember the password is?

  19. ecofeco Silver badge

    This is strictly un-Constitutional.

    See title. The 5th Amendment makes no exceptions.

  20. Potemkine Silver badge

    Comparing real and virtual world

    Real world: police can search for a house with a warrant: if the house is closed, police can use whatever means to open it.

    Virtual world: police can search computers and storage devices with a warrant: if the access is denied, police should be allowed to use whatever technical means to "enter". We know that intelligence agencies have these technical means, police should then be allowed to use them (or use agencies in a "decoding as a service" attitude).

    1. hoola

      Re: Comparing real and virtual world

      And this is the real issue, in an increasingly digital world the evidence for many crimes is also digital. A physical warrant can be executed very quickly, if you have to spend days or weeks attempting to brute force encryption, further evidence can also be "lost" (hidden away or removed by the parties in question), then where do you go? You either need a quick, brute force back door (a coded way in) or there has to be sufficient resources available to access the data in an expedient way. That will cost huge amounts of money that will be subject to all the inter-departmental turf wars.

      Just because it is digital, why should the authorities not obtain access (assuming procedure is followed)? At the moment not revealing encryption keys is seen as a way of avoiding prosecution and frustrating the course of justice.

      The overwhelming view appears to be that the suspect is within his rights to withhold the password "Fifth Amendment". One hopes that all those supporters will be firm in their views if they end up a victim and the perpetrators walk free because critical evidence was digital and the passwords would not be revealed.

      It is not impossible to foresee a future where failure to disclose the passwords/keys is seen as an admission of guilt.

      Prepare for downvotes but there appear to be some very different standards being applied here.

      1. ElReg!comments!Pierre Silver badge

        Re: Comparing real and virtual world

        "One hopes that all those supporters will be firm in their views if they end up a victim and the perpetrators walk free because critical evidence was digital and the passwords would not be revealed."

        One hopes the proponent of the opposite approach will remember any and all of their passwords, including the 20-yo ones, should they be involved in a spurious lawsuit some day.

        1. Sir Runcible Spoon Silver badge
          Joke

          Why am I reminded of this...

          El Reg: What's the point of fighting for the government's right to scan your brain, when they can't scan your brain?

          Francis: It is symbolic of their struggle against freedom.

          El Reg: It's symbolic of their struggle against reality.

          Apologies to Monty Python for the paraphrasing :)

      2. Someone Else Silver badge
        Thumb Down

        @hoola -- Re: Comparing real and virtual world

        Prepare for downvotes but there appear to be some very different standards being applied here.

        Here's one!

      3. dan1980

        Re: Comparing real and virtual world

        @hoola

        There is indeed a concern with laws made for the physical world needing to cover the 'digital'/'virtual' world.

        One pet peeve of mine is that the government is all-too-happy to use outdated laws designed for a purely physical world to do things in the digital world that were never envisioned. Thus digital surveillance is so very broad because it can be, while physical surveillance was, of necessity, targeted.

        And yet they (the politicians and the law agencies) will happily claim that what they are doing is no different to the physical equivalent, despite the vastly increased breadth and scope of what is now possible, once it moves to the digital world.

        It's something of the same thing here and yet the government is trying to argue the exact opposite: that the quantity of data now able to be stored (and therefore hidden from the government) in a 'digital' safe* means that you can't compare that to its physical equivalent and therefore the same protections shouldn't apply.

        But think what that increased quantity of information in the digital world includes - think of all the data you have that is protected (however weakly or strongly) by a password.

        If you're an average person, it includes a vast amount of your personal communications for many years, in the form of e-mail history. Thus, with a single password, the government could get access to all that. Sure, in the physical world, a warrant would provide access to any letters you have in your house, but there is no way that you would have kept all your letters for years back. Thus, with a password, the government can access data it never would have been able to access were that data transmitted via a physical medium.

        That means that protection for your 'digital life' is potentially more important for your Fifth Amendment rights than is protection for (e.g.) a physical safe.

        * - I.e. an encrypted hard drive.

      4. Kiwi Silver badge

        Re: Comparing real and virtual world

        The overwhelming view appears to be that the suspect is within his rights to withhold the password "Fifth Amendment". One hopes that all those supporters will be firm in their views if they end up a victim and the perpetrators walk free because critical evidence was digital and the passwords would not be revealed.

        I have been a victim of violent crime.

        I absolutely uphold human rights, and rule of law where it does not interfere with basic human rights ("UN Charter for Human Rights" definition is close enough if you want to get an idea how I define "basic human rights"). That includes freedom of speech and belief.

        Where someone has acted against me in a criminal manner, and I wish for them to be brought before the courts, then it must be in a fair and legal manner. If I wish for their legal protections to be waived for my benefit, what right do I have to expect legal protections remain in place if it is me before the beak? Either the protections in law cover everyone, or they cover no one.

        If you were up before the courts on some charges, real or imagined, you would be screaming for your rights to be honoured. What's that about double standards again?

  21. Michael H

    How does this affect TLS?

    With perfect forward secrecy enabled (which basically all servers have now), the key for TLS can't be recovered unless there was a bug in the implementation. Can you be held in contempt for being unable to decrypt subpoenaed HTTPS traffic?

    1. John H Woods Silver badge

      Re: How does this affect TLS?

      And how does it affect the Truecrypt/Veracrypt hidden volume?

      I've used Truecrypt in the past to protect backup disks, simply because some correspondence may contain financial info. I didn't bother with the hidden volume functionality. But, AIUI, there is no way to prove that one doesn't exist. So if I provide the password and it turns out it's just a load of old backups; and the prosecution has a "sense" that there might be a hidden volume ... ?

  22. Tom 7 Silver badge

    With your spare ram memory on the computer you need to keep it randomised

    to ensure that you don't leak. I'm keeping all the spare space on my harddrives in a similar state. The trouble is it's actually impossible to know whether that is cleverly encrypted data or just white noise.

    I keep white noise files as well just to be annoying.

  23. Anonymous Coward
    Anonymous Coward

    This Terzian guy is a fascist

    "Scores of companies now encrypt their data," Terzian wrote. "In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas."

    Applies only to people. Oh, some idiot decided that companies are people? Too bad, Terzian.

    So basically Terzian wants a police state where you are mandated to witness against yourself and if you don't you get put in jail anyway, just because you didn't. Nice circular logic which boils down to the fact that you sit in jail because some guy like Terzian wants you in jail: No other reasons needed.

    Just like it happens in the UK now.

  24. SimonC

    If you throw someone in prison until they give up some information they may or may not have, isn't that torture? As in, Geneva Convention banned plain as day torture?

    I'm trying to see how confining a terrorist to their cell until they confess knowledge they may or may not have is any different.

  25. Anonymous Coward
    Anonymous Coward

    the 5th

    I'm not an American but isn't this a 5th amendment issue?

  26. Putters

    I may be getting old ...

    ... but it doesn't seem that long ago that "I don't recall" was a perfectly acceptable answer in the States - especially if you were an ex President being quizzed about sending arms and cash to hostile regimes and right wing guerrillas ...

  27. Det915

    We have rights. But we have courts to evaluate if we have to give up those rights. We can live anywhere we want unless a court sends us to jail. If the court issues an order we should be compelled to abide. Whether we are Apple Inc or a pedophile. If we are an innocent citizen and there is nothing to seize then we get our data back. The end of the world scenarios advanced by attorneys are bogus. I have done stupid things in my life but if a judge orders that I provide something then I am obligated to do it.

  28. JaitcH
    WTF?

    The Answer for the password should have been . . .

    it was written on a small piece of paper because the password was so long and comprised random numbers and letters. I don't know what happened to it when the Plod/Cops raided my house.

    Who can remember the passwords issued automatically? For example, Arstechnica issues 12-digit randomised passwords that would defy memorising other than by a person with an eidetic memory.

  29. Jake Maverick

    In the UK it is also considered perfectly legal to gaol a man/woman indefinitely if they refuse to help pigyobs 'gang rape' his own wife for example, by decrypting said file of him buttfucking his own wife, or somebody else's wife for that matter....slavery was also perfectly legal, as was the holocaust and the chipping of dogs and cats that lead to cancers and other medical problems....:-(

  30. DrM

    Selling it

    I don’t think the guy sold it hard enough, “You f_cked up my computer! My password won’t work, what did you do!”

  31. Anonymous Coward
    Anonymous Coward

    Morton's Fork

    The issue here is that they want to take the "easy" option which is for the guy to hand over the key(s).

    I've got several random .zip and other files on my machine(s), it's impossible to tell what they are because I have genuinely forgotten the passwords. This was way back close to a decade ago, pretty sure I know what's in them (i.e. backup of microcontroller code from hobby) but without any way to unlock them they could be anything.

    Also sometimes found .rar files for device drivers etc and discovered after downloading them that they were password locked, again they could be anything.

    1. gnasher729 Silver badge

      Re: Morton's Fork

      What you have is a different situation. You have some random old files on your disk. And quite a few of them. So your claim that you have forgotten the password is quite reasonable. Forensics can check when these files were last opened. If I have an encrypted hard drive _attached to my computer_, then a claim that I forgot the password is much less believable. Since I don't throw away things often enough, there is a chance that there is an old hard drive somewhere in my garage that is encrypted and I don't know the password. That old hard drive would turn up when my garage is searched, it wouldn't be attached to my computer. It would be covered in dust. It would be years old. It's a different situation.

      Saying that you forgot a password isn't contempt of court. Saying that you forgot a password when it is quite clear that this is a lame excuse, that is contempt of court.

  32. Conundrum1885

    In other news

    I actually need to check something in one of those old dusty .zip files, because it proves priority of an invention.

    Any ideas? Pretty sure that the passphrase was something to do with a film but which one?


Biting the hand that feeds IT © 1998–2019