Judge orders woman to give up password to hard drive

There are 11 Comments

dcbii's picture

EditorModerator

Actually, I do believe this ruling is a problem, since while I'm no legal mastermind, I still believe the judge went to a lot of trouble to circumvent the intent of the 5th amendment. It's quite clear that giving up the information could be incriminating, and the police should be required to get the information themselves, similar to a search of a house, rather than require her to hand it to them. They have the hard drive, they can work with that.

The previous decisions on questions like this are split, and since I disagree with this decision, I hope it's appealed and is accepted by a higher court.

The reason I posted this is that there may be some spiritual dynamics I haven't considered. Obviously, Christians should follow the law, but what is the law in this case? I believe this judge has misinterpreted the law to make things easier for law enforcement, but it's hard for me to believe that the founders (who would have had access to codes that were already in use, some of which have only recently been broken) hadn't considered this when drafting the 5th amendment.

Dave Barnhart

Rob Fall's picture

The crux of American Criminal Law is making the State prove its case without the accused's help.

Hoping to shed more light than heat..

Shaynus's picture

dcbii wrote:
Actually, I do believe this ruling is a problem, since while I'm no legal mastermind, I still believe the judge went to a lot of trouble to circumvent the intent of the 5th amendment. It's quite clear that giving up the information could be incriminating, and the police should be required to get the information themselves, similar to a search of a house, rather than require her to hand it to them. They have the hard drive, they can work with that.

The previous decisions on questions like this are split, and since I disagree with this decision, I hope it's appealed and is accepted by a higher court.

The reason I posted this is that there may be some spiritual dynamics I haven't considered. Obviously, Christians should follow the law, but what is the law in this case? I believe this judge has misinterpreted the law to make things easier for law enforcement, but it's hard for me to believe that the founders (who would have had access to codes that were already in use, some of which have only recently been broken) hadn't considered this when drafting the 5th amendment.

The 5th Amendment doesn't cover someone from giving up incriminating information. It protects people from testifying against themselves under oath. There's a huge difference. Think of the hard drive as a secret stash of documents. Would you want a government that couldn't subpoena, say personal papers of Ted Kennedy known to exist that contain evidence of a crime, but hidden somewhere? The best analogy I can think of is to think of the encryption as a safe or a hiding place. The court is telling this woman to give up use what she knows about where the information is in order to reveal the information. Look at the actual text of the 5th Amendment and tell me how it says people cannot be forced to reveal incriminating evidence. The 5th Amendment deals with "witness" not obtaining evidence. Courts tell people to hand over evidence that could incriminate them all the time. It's called a subpoena.

Quote:
No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

dcbii's picture

EditorModerator

Part of the problem is the understanding of encryption as a hiding place. Let's say the hidden papers you referred to were freely available, but written in a language that few understand, and even though I'm the accused, I'm the only one the police can find. I believe it would be testifying against myself if I am required to translate the papers for the police. They can do that work themselves.

Encryption is similar. It's simply a language the police don't understand. The police have the hard drive and the files. They can do the hard work to find out what they say that might incriminate the woman. She has turned over the physical evidence, just not the meaning of the evidence. If she has to "translate" for them, she is, in essence, witnessing against herself. I certainly don't see where the text of the 5th amendment must specifically refer to oral testimony under oath. That's where I believe the differences in interpretation are quite important, and why this type of incident has resulted in decisions that go both ways in the past.

Let's go one step further. Let's say the drive is encrypted in a way where it appears one way when one password is typed in, and another if done differently, but done in such a way that this is not previously known to be the case. Then, she gives them a password, but the one that when used makes the drive look completely innocuous. Would she then be in contempt for not giving them the right one? Would they think she was in contempt and there must be another password only because they didn't find anything? How could they force her to give up something they don't know for sure exists?

In any case, I don't see how the defendant giving *meaning* to the evidence (that the authorities already have in their possession) is anything other than witnessing against herself.

Dave Barnhart

Shaynus's picture

Dave,

That just isn't how computer encryption works. It's not like translating stick figures that stand for letters in a Sherlock Holmes flick. The same data can't be decrypted one way with one password and another way with another. In computers, encryption is all or nothing. In previous non-computer generations you might have a point. For example, a spy might have used code words like "the sky is high at noonday, and the beast lurks within" which meant "Meet me at six o'clock, I'll have the secret files").

That's why the analogy of a language doesn't work. Encryption passwords are like keys. That's why when you enter a password to create an encryption, you are known as creating a "Key." Google "Encryption Keys." They are called this because the best analogy in the real world is not a language that is translated, but a box that is locked or unlocked. On the Mac I'm sitting at, there is an application called "Keychain" that contains keys or passwords.

If a court can compel someone to give up papers in a locked box, then it can compel someone to give up a password/key. I'm writing this as someone with a political science degree, and I work in the tech industry now. I've had a weeklong training in how to recover data from drives in a way that will hold up in court from a former FBI cyber crimes expert and former head of security at Apple. We learned how to recover data, analyze it, and use mathematical tools to prove the information we were looking at came from the hard drive.

I'm sorry but your analogy doesn't have anything to do with the reality of the world of cyber crime. Guess who this ruling would help if it went the way you want it to? Child porn operators. My old company maintained huge storage devices at one of the Federal alphabet soup agencies that goes after child porn. The thing about child porn guys, is they all use encryption, and sometimes the very strong kind that takes years to break with lots of servers working to decrypt it. I don't think you've thought through all the implications of what your interpretation of the 5th Amendment would mean.

As long as there is a warrant and subpoena, I'm cool with this ruling.

dcbii's picture

EditorModerator

Shaynus wrote:

That just isn't how computer encryption works...
[Edited here because I went over the allowed length for this post. ]
Quote:
That's why the analogy of a language doesn't work. Encryption passwords are like keys. That's why when you enter a password to create an encryption, you are known as creating a "Key." Google "Encryption Keys." They are called this because the best analogy in the real world is not a language that is translated, but a box that is locked or unlocked. On the Mac I'm sitting at, there is an application called "Keychain" that contains keys or passwords.

I should have known that a quick proposition would degrade into this. First, I should let you know that I work with encryption on a day to day basis, and have for years. I have not only implemented a complete SSHv2 server, I currently work with (debugging and fixing) various wireless encryption schemes on enterprise-level wireless products daily. I have also used PGP for more than 10 years to encrypt my email, some files, disc volumes, etc. I'm well aware of how current encryption schemes work, including the Keychain on a Mac.

What I was envisioning was the following:

Take a 1TB drive and create a type of disc encryption implementation that would essentially require two passwords. One would decrypt the first 500Gb, and the 2nd password, the 2nd 500Gb. It would be a fairly simple matter to have two file directory tables, one in each of the encrypted "partitions", such that only 500Gb of the data would appear, and the rest of the disc would appear as unused space (though in reality, it would be encrypted data). It would not be that difficult to implement, as long as care is taken to make sure there would be a warning before the 2nd 500Gb "free space" on the other volume is used.

If I were a criminal, I could hide my data on one of the pseudo-partitions, and the other would be completely innocuous. Obviously, part of the implementation would be to make it non-obvious how many partitions/passwords there are -- let's assume there could be N.

OK, enough boring of the other readers of this thread. I don't need to go much further down this road, as you should get what I'm trying to say here. I apologize for being too brief/inexact in my last message. I wasn't trying to give a technical presentation.

Quote:
If a court can compel someone to give up papers in a locked box, then it can compel someone to give up a password/key.

Well, that's the rub isn't it? The current decision claims this, but not all past decisions have come down this way. The whole comparison of a locked box is what some would like to claim this is. Of course, if I didn't provide the key to a box, it could just be broken into. The police could assume I had the key, but I could easily have disposed of it. If I were really attempting to do something illegal, I would create my volumes in such a way so that the real keys would be in a separate encrypted file that I would destroy at the first sign of anything going wrong, and then I couldn't provide the key, because I wouldn't have it. Obviously strong encryption (like AES 256 or similar) would take years to decrypt without the pass phrase, if indeed, it's even possible with NSA-strength computers. That's the reason people use it. If you give the police the hard drive, you've turned over all the physical evidence.

I understand you don't agree with me on this, but that's OK. The EFF stands on this essentially where I do, as does the inventor of PGP. Of course, that doesn't make our opinion settled case law. That's why I would like this decision appealed, and I hope it will be.

Quote:
I'm writing this as someone with a political science degree, and I work in the tech industry now. I've had a weeklong training in how to recover data from drives in a way that will hold up in court from a former FBI cyber crimes expert and former head of security at Apple. We learned how to recover data, analyze it, and use mathematical tools to prove the information we were looking at came from the hard drive.

I would imagine this is pretty easy to do with unencrypted volumes. I haven't worked on hard-drive recovery, but without a lot of over-writing and demagnetization of the platters, I understand it's pretty straightforward to recover the data. Usually, it's just easier to physically destroy the media, if you want to be sure the data is destroyed. Failing that, encrypted data would be a lot harder, and that's the point. If I had to give you the unencoded data to convict me, I'm still witnessing against myself. That's why not all the court decisions have gone the way the current one did.

Quote:
Guess who this ruling would help if it went the way you want it to? Child porn operators. My old company maintained huge storage devices at one of the Federal alphabet soup agencies that goes after child porn. The thing about child porn guys, is they all use encryption, and sometimes the very strong kind that takes years to break with lots of servers working to decrypt it. I don't think you've thought through all the implications of what your interpretation of the 5th Amendment would mean.

I'm sure that's true, as it would be hard to think through ALL the implications, but don't be deceived into thinking I haven't put a lot of time into it. And you know what? Strong encryption is used not only by criminals and terrorists, but by average guys like me, who believe there are some things that are private, and only intended to be read by me. All of sudden, opinions like yours make it sound like anyone who uses strong encryption without giving the government all the access it wants is just as guilty as the aforementioned lawbreakers.

Codes that are not based on simple substitution ciphers have been around since long before the founders finished the constitution. One example of one of these that came from the 1600's or 1700's was just cracked last year. They would have been hard to use without computers, but it was certainly done. Bad crime has been around a long time -- there is nothing new under the sun, the Bible says. The right to not incriminate oneself could be used by a lot of people like child porn operators, terrorists, and such like. However, it's there for a reason. If you read case law (and I've only read summaries of some of them), you can see that application of the 5th has been argued since pretty much the time it was added to the constitution, with interpretations all over the map. I happen to think this last decision was a travesty, as I believe it should never be my responsibility to make law enforcement's job easy if their goal is to incriminate me, which I believe, was the *intent* of the 5th amendment. I'm certainly glad it did not directly specify oral testimony under oath.

Quote:
As long as there is a warrant and subpoena, I'm cool with this ruling.

I'm sure you're not alone, but I hope your numbers are few, otherwise, there won't be much stopping of a government that believes it has not only the right to read anything that belongs to me, but the right to force me to essentially read it to them.

Dave Barnhart

Shaynus's picture

Dave,

Good to know you have a technical background. I still think the language illustration utterly fails. Even if you have a complicated volume structure, either the volumes are unencrypted and visible or encrypted and invisible.

Just a simple question: is assisting police in gathering evidence against you the same as testifying against yourself? No it isn't. Defendants are called upon all the time to give up information about themselves by subpoena. The President of the United States has been called upon to give up evidence that could incriminate him. He just isn't called to testify against himself under oath.

Shayne

Dick Dayton's picture

Let us remember that, for us as believers, God sets a very high standard. "Provide things honest in the sight of all men."

We should not have to encrypt anything we say or keep on our computers, unless it woud be personal financial data we do not want hacked and stolen.

Dick Dayton

dcbii's picture

EditorModerator

So you're saying that even using strong encryption on a regular basis (or for everything) would not be "providing things honest in the sight of all men?"

I'm not sure I see the difference between financial data I don't want hacked and stolen or any data I don't want hacked and stolen. I would think by your reasoning here, we should leave *everything* as an open book that others could read.

Of course, given what God says about thieves "breaking through" and stealing, keeping things (which might include information) safe from thieves would certainly be the normal and expected thing to do.

Or maybe you are just saying we should always allow someone from the government access to our data at any time, just as they would have to our homes? That's an interesting way to view it. I'll have to give it some thought.

Dave Barnhart