Old 08-20-2008, 03:13 PM   #1
motivez (Pragmatist, North Carolina)

Should prosecutors be able to compel you to reveal an encryption password?

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.
Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."
Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."
The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that such protection extends to the contents of a defendant's mind, so why shouldn't a passphrase be shielded as well?
In this case, Judge Niedermeier took the second approach. He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient.
Laptop files: Unencrypted, then encrypted
A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."
Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.)
According to Niedermeier's written opinion, prosecutors sent Boucher a grand jury subpoena asking for the passwords because:
Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.
The opinion added:
If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.
Boucher is a Canadian citizen who is a lawful permanent resident in the United States and lives with his father in Derry, N.H. Two attorneys listed as representing him could not immediately be reached for comment on Friday.
So what happens next? It's possible that prosecutors will be able to establish that Boucher's laptop has child pornography on it without being able to access it: after all, there were at least two federal agents who looked at the laptop when the Z: drive was still unencrypted.
But if this ruling in the case is eventually appealed, it could have a far-reaching impact in a pro-privacy or pro-law-enforcement direction.
Michael Froomkin, a law professor at the University of Miami, has written that the government "would have a very hard time" trying to obtain a memorized passphrase. A similar argument, published in the University of Chicago Legal Forum in 1996, says:
The courts likely will find that compelling someone to reveal the steps necessary to decrypt a PGP-encrypted document violates the Fifth Amendment privilege against compulsory self-incrimination. Because most users protect their private keys by memorizing passwords to them and not writing them down, access to encrypted documents would almost definitely require an individual to disclose the contents of his mind. This bars the state from compelling its production. This would force law enforcement officials to grant some form of immunity to the owners of these documents to gain access to them.
But prosecutors think they can split the idea of immunity into two halves: divulging the passphrase, and then using the passphrase to decrypt the files. A 1996 article by Philip Reitinger of the Department of Justice's computer crime section proposes a clever device for forcing a defendant to divulge a PGP passphrase and then convicting him anyway (remember, the passphrase lets the key be used to decrypt the document):
Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect.
Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand?
Judge: Man can't be forced to divulge encryption passphrase | The Iconoclast - politics, law, and technology - CNET News.com

An older article, but it popped up on Slashdot today. What do you guys think?

I don't think they should be able to compel that type of testimony, since it's effectively forcing someone to incriminate themselves.

I think the legal wrangling of saying the password in and of itself isn't incriminating is bullshit, since it's obvious that it's still providing police with what they'd need to potentially convict someone.. which is no different than someone revealing the location of some other incriminating evidence IMO.

Any legal eagles here want to weigh in?
 
Old 08-20-2008, 03:17 PM   #2
DosEquis (Democrat, Omaha, NE)

They don't need him to give up the password to get access to his drive, as there are ways around passwords especially if you have the physical disk. I would request the password from him and if he refused, I would just note his level of cooperating in the sentencing.
 
Old 08-20-2008, 03:28 PM   #3
motivez (Pragmatist, North Carolina)

Originally Posted by DosEquis:
They don't need him to give up the password to get access to his drive, as there are ways around passwords especially if you have the physical disk. I would request the password from him and if he refused, I would just note his level of cooperating in the sentencing.
Uh, there's not ways around full disk encryption except for decryption, and as noticed in the article, that can take many years depending on the strength of the password..

From my thread on TrueCrypt: TrueCrypt releases version 6.0

Even the NSA would have to devote a significant part of their resources. 95^12 is over 500 sextillion combinations. So, say you've got a really really fast CPU that can do 1 billion test decrypts a second (which is unfeasibly fast at the current time). It would take that computer over 17 million years to find the password.

So, let's say that the NSA has a million CPUs at their disposal, it would still take over 17 years to decrypt. So, they'd have to be pretty sure that you have some seriously cool porn on your PC before they start devoting 100,000,000 impossibly fast CPUs to the task of cracking your password in a couple of months.

The Storm Botnet would take centuries to hack a random 12 character password (it would cut down on spam though).
They recommend you use at least 25-30 characters for your password.. but you see the amount of time it would take for a less substantial one.
 
Old 08-20-2008, 04:55 PM   #4
WickedLou9 (Democrat, South Jersey)

The 5th amendment agrees with this ruling.
 
Old 08-20-2008, 05:19 PM   #5
7960 (Realist)

Originally Posted by motivez:
No.

But I'm surprised by this:

Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key.


I didn't know they could compel you to give them a key
 
Old 08-20-2008, 05:20 PM   #6
7960 (Realist)

Originally Posted by DosEquis:
They don't need him to give up the password to get access to his drive, as there are ways around passwords especially if you have the physical disk.
I believe you don't know what you're talking about.
 
Old 08-20-2008, 05:23 PM   #7
WickedLou9 (Democrat, South Jersey)

Originally Posted by 7960:
No.

But I'm surprised by this:

Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key.


I didn't know they could compel you to give them a key
Handing over a physical piece of evidence is one thing, but what if it was a combination? They can't make you talk. What if you simply refuse?
 
Old 08-20-2008, 05:32 PM   #8
7960 (Realist)

Originally Posted by WickedLou9:
Handing over a physical piece of evidence is one thing, but what if it was a combination? They can't make you talk. What if you simply refuse?
contempt, jailed until you do?
 
Old 08-20-2008, 07:10 PM   #9
motivez (Pragmatist, North Carolina)

Originally Posted by 7960:
contempt, jailed until you do?
They can't force you to provide testimony against yourself, though. You have the right to remain silent, etc.. So, I don't see how they could do that..
 
Old 08-20-2008, 07:26 PM   #10
DosEquis (Democrat, Omaha, NE)

Originally Posted by motivez:
Uh, there's not ways around full disk encryption except for decryption, and as noticed in the article, that can take many years depending on the strength of the password..

From my thread on TrueCrypt: TrueCrypt releases version 6.0



They recommend you use at least 25-30 characters for your password.. but you see the amount of time it would take for a less substantial one.
:Orly:
 
Old 08-20-2008, 09:43 PM   #11
7960 (Realist)

Originally Posted by motivez:
They can't force you to provide testimony against yourself, though. You have the right to remain silent, etc.. So, I don't see how they could do that..
it depends on the analogy. if it's a key to a lock then you have to provide it or be in contempt. if it's incriminating testimony then you don't have to and they can't. So, my opinion:
  1. personally i think you shouldn't be forced to give a password.
  2. and personally I think the courts are going to uphold that.
  3. and personally I believe it's going to lead to laws creating mandatory back-doors in encryption software.
 
Old 08-20-2008, 11:46 PM   #12
JaJae (Reform Party, NJ)

Originally Posted by motivez:
They can't force you to provide testimony against yourself, though. You have the right to remain silent, etc.. So, I don't see how they could do that..
If they obtain a warrant to search your laptop then you would be required to provide them with access to it and give them the key if necessary the same as if they had a warrant to search any other piece of your property.
__________________
No good decision was ever made in a swivel chair.
Senate Majority Leader, Harry Reid: As we look back in history, the Founding Fathers would be cringing to hear people talking about eliminating earmarks.
 
Old 08-21-2008, 06:15 AM   #13
motivez (Pragmatist, North Carolina)

Originally Posted by 7960:
it depends on the analogy. if it's a key to a lock then you have to provide it or be in contempt. if it's incriminating testimony then you don't have to and they can't. So, my opinion:
  1. personally i think you shouldn't be forced to give a password.
  2. and personally I think the courts are going to uphold that.
  3. and personally I believe it's going to lead to laws creating mandatory back-doors in encryption software.
It can't be the same as a 'key to a lock' because it would require them to disclose the contents of their mind, as the article says.. They've memorized the password, it's different than a physical object such as a key.

I mean, I hate to make this analogy because it's one used with someone who's actually guilty.. but they can't force someone they suspect of murder to tell them the location of the body.. because that knowledge is inside their head.
 
Old 08-21-2008, 06:21 AM   #14
motivez (Pragmatist, North Carolina)

Originally Posted by JaJae:
If they obtain a warrant to search your laptop then you would be required to provide them with access to it and give them the key if necessary the same as if they had a warrant to search any other piece of your property.
I disagree, like I said in my previous post.. it's the contents of your mind, not a physical object.
 
Old 08-21-2008, 08:10 AM   #15
JaJae (Reform Party, NJ)

Originally Posted by motivez:
I disagree, like I said in my previous post.. it's the contents of your mind, not a physical object.
I've been thinking about it some more and I've been starting to switch my opinion. This would be like someone writing a diary in code and the police asking for the key to read it. In that case I'm not too sure the government should be able to have you give it to them.
 
Old 08-21-2008, 10:33 AM   #16
7960 (Realist)

Originally Posted by motivez:
It can't be the same as a 'key to a lock' because it would require them to disclose the contents of their mind, as the article says.. They've memorized the password, it's different than a physical object such as a key.
and that's why I think this was a right decision.

but it's also why I think there's going to be legislation to require a way for the feds to get past encryption.
 
Old 08-21-2008, 10:35 AM   #17
7960 (Realist)

Originally Posted by JaJae:
I've been thinking about it some more and I've been starting to switch my opinion. This would be like someone writing a diary in code and the police asking for the key to read it. In that case I'm not too sure the government should be able to have you give it to them.
this is no different than being required to give the name of your accomplice or (as motivez said) give the location of the body. an encryption key is knowledge, they can't (and shouldn't be able to) compel incriminating knowledge.
 
Old 08-21-2008, 11:40 AM   #18
WickedLou9 (Democrat, South Jersey)