Judge: Americans can be forced to decrypt their laptops
Posted on 01/24/2012 12:06:01 AM PST by LibWhacker
American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.
Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be "compelled in any criminal case to be a witness against himself," which has become known as the right to avoid self-incrimination.
"I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.
Ramona Fricosu, who is accused of being involved in a mortgage scam, has declined to decrypt a laptop encrypted with Symantec's PGP Desktop that the FBI found in her bedroom during a raid of a home she shared with her mother and children (and whether she's even able to do so is not yet clear).
Colorado Springs attorney Phil Dubois, who once represented PGP creator Phil Zimmermann, now finds himself fighting the feds over encryption a second time.
"I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals," Fricosu's attorney, Phil Dubois, said this afternoon. "I think it's a matter of national importance. It should not be treated as though it's just another day in Fourth Amendment litigation." (See CNET's interview last year with Dubois, who once represented PGP creator Phil Zimmermann.)
Dubois said that, in addition, his client may not be able to decrypt the laptop for any number of reasons. "If that's the case, then we'll report that fact to the court, and the law is fairly clear that people cannot be punished for failure to do things they are unable to do," he said.
Today's ruling from Blackburn sided with the U.S. Department of Justice, which argued, as CNET reported last summer, that Americans' Fifth Amendment right to remain silent doesn't apply to their encryption passphrases. Federal prosecutors, who did not immediately respond to a request for comment this afternoon, claimed in a brief that:
Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.
While the U.S. Supreme Court has not confronted the topic, a handful of lower courts have.
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That's "protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination," the court ruled (PDF).
A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
Prosecutors in this case have stressed that they don't actually require the passphrase itself, and today's order appears to permit Fricosu to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."
Because this involves a Fifth Amendment claim, Colorado prosecutors took the unusual step of seeking approval from headquarters in Washington, D.C.: On May 5, Assistant Attorney General Lanny Breuer sent a letter to Colorado U.S. Attorney John Walsh saying "I hereby approve your request."
The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
On the other hand are civil libertarians citing other Supreme Court cases that conclude Americans can't be forced to give "compelled testimonial communications" and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that such protection extends to the contents of a defendant's mind, the argument goes, so why shouldn't a passphrase be shielded as well?
Fricosu was born in 1974 and living in Peyton as of 2010. She was charged with bank fraud, wire fraud, and money laundering as part of an alleged attempt to use falsified court documents to illegally gain title to homes near Colorado Springs that were facing "imminent foreclosure" or whose owners were relocating outside the state. Some of the charges could yield up to 30 years in prison; she pleaded not guilty. Her husband, Scott Whatcott, was also charged.
You don’t have a right to prevent the government from spying on you.
Sounds like the Brits and King George have come back after two hundred odd years. “Into the hoosegow until you remember where you put that key!”
But do you have to furnish them the wherewithal to spy?
I could see the creation of “chameleon” PGP systems that when brought up with one passphrase have all the naughty bits, but when brought up with another one have naughty bits permanently erased.
The surveillance net on America is quite staggering.
well, what are they gonna do if you decline to comply? torture the passwords out of you?
That’s a cool idea. I like that.
Charge you with contempt of court. You could spend a long time in jail. Personally, I’m a law-abiding guy and have nothing to hide. But if I weren’t, I wouldn’t refuse outright. I’d just say I forgot the passphrase. They can’t punish you for that.
I mean the wherewithal to spy, in particular, on YOU.
This is Big Brother again, and you must not turn off the monitor in your house.
simple solution: 2 passwords
one to unlock... one to wipe
seriously though, so much for not incriminating yourself
Fricosu doesn’t sound in particular like any angel, but this sounds like overkill in this case. She submitted forged documents — who cares if she made them on the laptop or farmed it out to China? Nail her on the forged documents she submitted.
Well, you would want to wipe to innocuous looking state, and also so that the result cannot be distinguished from the result of decrypting to your own state. That way they can’t have any legal basis to look and say “this was a phony pass, now we will restore from our backups and you have to do it right this time.”
The cops take your laptop, you give them a password.
Instead of the real data getting decrypted, it either gets scrambled or rendered innocuous.
Beat me to it.
Deem you a terrorist. Send you to Gitmo. Waterboard you.
Just a portion of the pass phrase would enable most cracking algorithms a 98% chance to succeed....
Now it's the Sh*ts and King George Soros, along with his donkey eared court fool..
Jawohl, comrade, you MUST comply!
‘F any court that rules against our clearly elucidated constitutional rights.
The tendency to support LE even when they are WRONG is NOT conservative, it is short sighted, and smacks of cowardice.
I thought Gov. Org. already forced the PGP programmers to give them a master key?
Here is a business idea.
Someone sets up a company called Foreign Encryption Services (FES) in a foreign country like Russia, out of reach of the US courts. Anyone who wants to avoid turning their data over just needs to sign a license to FES that will exclusively and completely and irrevocably sell all of the content of their hard drives, clouds, phones, personal computers etc etc to FES. For $20 a month, FES will lease access to that content and the drives/cloud/phone etc back to you, encrypted. FES will provide you a key only if you certify that you are not facing any civil or criminal penalty. If you should be indicted, or sued, or compelled in any way by any court to turn over data, you are in violation of our agreement and FES will cease to provide you encryption keys and block your access to the data.
So even if the court compelled you, you couldn’t do it because 1) it isn’t yours (it belongs to FES) and 2) to give it would be to force a breach of contract with FES and 3) you don’t have the key to unlock it even if you did own it and didn’t face civil penalties for turning it over.
I sure don’t want to create ideas that will help criminals and pedophiles, and I understand the need for law and order, but in this day and age where data and ideas can be licensed, where stuff can be stored remotely and accessed remotely etc, the court is behind the times. This can be prevented by those who want to prevent it.
Something like that would probably be addressed via treaty. It might have to be in a truly enemy country (North Korea?) in which case you wouldn’t trust them with your data any further than you can throw them.
In the early days, PGP was open source. It was practically impossible for anyone to insert a back door; too many cryptologists and programmers would’ve seen it and raised the alarm. Now that Symantec owns it . . . who knows?
Oops, sorry, databoss. My last comment was meant for Loyal Sedition.
What do they do to journalists who refuse to give up sources? Jail them.
I would just give them a wrong passphrase. When it doesn't work, say, well, that is what I thought it was. At least shift the burden of proof of whether you are lying or not to them. But I stopped using PGP in email ages ago - figured it would flag me for this kind of problem.
Still available open source without the bells and whistles. www.gnupg.org/
Another interesting thing about this case is just how far encryption technology has advanced (as in, advanced in what is available to ordinary citizens and not just military cyphers working on cryptography). There used to be a time that having a 'password' meant nothing, and for the vast majority of people that still applies. However, nowadays it is possible to get a proper encryption program that can make it very difficult for someone to access your files (they can still do so, but it would be quite the task for the vast majority of entities that would be seeking to do so). Hence this case.
I wonder if some FReeper knows how far the technology available to the public has gone. With more and more information being stored in the Cloud one can expect such technology to get better.
If you own a safe, do you have to provide the combination for it to the government if they demand it?
If you don’t provide it can they legally put you in jail as a result? This is no different.
If past law doesn’t allow forcing the combination out of you by threat of jail then this will fail in the Supreme Court because it is no different.
You can simply encrypt the same file multiple times using different passwords each time. To undo it you have to use the right passwords in the right order. With good encryption without back doors and then piling on the layers it would be essentially impossible to undo it without the key information.
I think it is more about severe crime versus non crimes for me in this issue.
The solution: using TrueCrypt or any similar program, encrypt the entire drive, and then (still using the encryption program) create a “hidden” encrypted volume on the drive for things you don’t want just anyone to find. “Decrypting” merely means you have given the “key” to the processor so it can interpret the encrypted data on the drive. The drive is not suddenly readable to all. The “hidden” volume will look the same as empty space on the drive. Since it is indistinguishable from empty space, there is no way for the government to prove you have anything hidden on the drive.
This should, in theory, work. However, there is always the possibility that the government holds “back doors” to the publicly available encryption algorithms that will allow them to detect any double-encrypted files. Also, this will not guard against them “unwinding” the encryption, though whether that would reveal any hidden volumes might be debatable.
Truecrypt is open source, so the possibility of back doors is just about non-existent. It sounds like you are suggesting they may have cracked the encryption, which may well be possible. Also, while I know they say the inner volume appears as empty space I don’t put a whole bunch of faith in that. The FAQ on that is here, in case anyone is interested:
What’s worse is that this isn’t some lib activist judge. This guy was appointed by W.
Thanks. I figured Symantec probably wouldn’t allow anyone to maintain open source versions. I guess Zimmermann must’ve stipulated otherwise when he sold it, which is a good thing; I won’t have to fall back on the ancient versions I downloaded in the early 90s. For now, I don’t use PGP. I’ve never been able to get a single one of my friends or relatives to show the least bit of interest (yet they still lick the flap shut on their snail mail).
Extensive list of countries and their crypto laws:
>> I guess Zimmermann must’ve stipulated otherwise when he sold it
Yeah, exactly. My understanding is he insisted on that.
That is true....
The biggest practical problem here would be keeping the harmless “decoy” up to date. You would have to web surf entertainment sites, play games, etc. and that eats up time, and has to be done all the time. Now if the computer could be made to show operating systems running in both the decoy and the hidden volume simultaneously, keeping the decoy up to date would be easier, but that probably creates other problems.
This subject came up yesterday when my 16 yr old daughter was amazed that a woman got 5 years probation (yes, she does scan the news sites-which I am proud of! She is particularly political-which I am also proud of, heee) for SPANKING, not beating (no bruises), but SPANKING her child and the judge said “We don’t spank in this day and age...”
She said, so what do we do when the judicial branch oversteps its authority? What other branch deals with them? My 16 year old is a wildfire and doesn’t hesitate to tell you that her fear of the ‘whooping’ she would get tamed her a lot of times in her younger days. Thank GOD she outgrew most of it. Now she just needs to outgrow her mouth, but still... not so bad. Her brains make up for most of it. ;o)
I did not have an answer (but also... PROUD!) Maybe you guys can help me with this?
We need the format button called decrypt.
Iran [Source 5]
Lol, poor b******s.
2. Domestic laws and regulations According to the 2005 HRW report False Freedom, use of encryption for exchanging information requires a license. Users have to request permission by submitting crypto algorithm and keys and information about 'related parties' to the Supreme Council for Cultural Revolution, as regulated in art. 5.3.8 of the Rules and Regulations for Computer Information Providers.
8 years ago I would have agreed with you.
Now... after seeing the Patriot Act abused, the Dept of Homeland Security abused (as I feared, but was told here ‘if you don’t have anything to hide, what does it matter...’)
W, as much as I worked to get him elected in 08, wasn’t a conservative in the legal sense. Maybe in social issues, but not in legal ones. Or in fiscal ones for that matter.
That being said, I don’t feel it was from the same attitude as Obama, just ignorance. I like and miss W very much.
Although none of us have anything to hide, there is no need to “at the least”, leave your deleted files available for anyone to bring back to life. As some of you know, deleted files go to your recycle bin to be permanently deleted at a future time unless you delete by using the “shift+delete” method that bypasses the recycle bin. None of these files are ever really deleted, but sent to your free space on the drive. Most drives anymore have hundreds of gigabytes of free space at any given time leaving all your deleted files intact for recovery.
ANSWER - Glary Utilities Free Edition - This program wipes your free space clean and should be run often, as it not only cleans up your past, but your puter will run faster when these Junk Deleted files go bye bye. Directions: Download “Glary Utilities” - Link included below from cnet. Open program and choose File Shredder - then choose “Wipe Free Space” and let ‘er rip. :-)
Duh! Decisions, decisions!
BTW, I think this judge is dead wrong.
Exactly my thoughts. Some entrepreneur is going to develop this. The creation of a system minus directories you specified.
This chaps my hide!
Plausible deniability is your friend.
You can use the possibility of surveillance to position “facts” that when discovered protect you.
A word to the wise......
Following up on my last Post -ran out of posting length- Glary has many other great features that make “clearing your browser look like child play”. One of them is called “One Click Maintenance” which will send every website you have ever visited, along with every other thing that you thought you have sent to the PROMISED LAND actually to the PROMISED LAND never to be seen again by ANYBODY - PERIOD.
Many more great features to play with also. I have used it for years and every update makes it just get Better and Better. And no, I have NO affiliation with Glary!
It sounds like you are very lucky my FRiend, to have such a daughter :-)
Looking at what it says about this case (which is not a whole lot) it sounds virtually superfluous whether or not anybody can find the phonied documents on her computer, if she went and submitted them to government records under her Jane Doe (which normally requires signing for them separately from the document, meaning taking responsibility for the documents’ veracity). Is there some separate crime of “having phony documents on a computer” the prosecution hopes to have her found guilty of? It would at most lend a teeny bit more weight to an already heavy case she faces.
You call upon president Gingrich to newter the beast!
Please dear God, help us to elect Newt.