Your Encryption Key Is Protected By The Constitution?
from the can't-incriminate-yourself dept
In an interesting case up in Vermont, a federal judge has ruled that someone accused of a crime cannot be forced to reveal his or her encryption key, as it would be a violation of the Constitution’s 5th Amendment, saying that an individual cannot be forced to self-incriminate. In an age where encryption is becoming increasingly popular, expect to see other cases of this nature. It seems likely that a case like this one (if not this one itself) will eventually wind up before the Supreme Court to determine whether or not someone can be forced to give up his own encryption key. Where it gets tricky is the question of whether or not the key itself incriminates the person. As the article notes, a person can be forced to give up a key to a safe that contains incriminating evidence, which many say is analogous to this situation. In the meantime, though, we’ve already seen cases where people are presumed guilty just because their computers have encryption software installed — so, it may not matter whether or not the key is provided when the presence of PGP alone is viewed as incriminating.
Filed Under: constitution, encryption, encryption key, fifth amendment, pgp
Comments on “Your Encryption Key Is Protected By The Constitution?”
I have a hard time accepting that
“people are presumed guilty just because their computers have encryption software installed”
Does that mean if I lock my doors I’m assumed to be doing something illegal inside?
Suppose I just want to keep the grandkids out of my porn?
5th ammendment
So… if I make my password an admission of some crime then they couldn’t make me give it up.
Re: 5th ammendment
OJ’s password is; I_DID_IT
Re: 5th ammendment
I know the comment about the password being an admission of some crime was at least partially facetious, but it’s an important point. While the key to a safe can only, forever, be some sort of physical key-type of object, a passphrase can be literally anything, from “sodighwreg456725$##” to “I am a filthy paedophile and all the kiddy porn on this laptop belongs to me” (as an example). The former could be given up freely, the latter, not so much, and there’s no way for the state to know which it is until it’s given up. If it is the latter (or something similar), than I can’t really see how you couldn’t give 5th amendment protection (despite the fact that it’s almost certainly a clever way to ensure just that).
And your constitution is protected by…?
Re: Re:
…7 senior citizens
Protection of constitution
@anon
Actually, the Constitution is protected by the full strength of the U.S. military, whose officers are sworn to support and defend *it*.
One can hope that the vast majority of said officers take that oath seriously, and can tell when *its* authority is being usurped by mere politicians…
Re: Protection of constitution
Actually the people of the US and the Constitution are protected by the military. The people of the US by virtue of the power of the second amendment also protect the constitution from the government when needed. If you doubt that read what Thomas Jefferson has to say about overthrowing the government sometime 😉
Funny, I don’t see the military stepping in now to prevent the Constitution from being turned inside out. Why are they not protecting it right now from team Bush?
The rule makers
President George W. Bush said of our Constitution: “It’s just a goddamn piece of paper.” Google it yourself.
Those in charge make the rules and the rule benefit only those in charge. One day, hopefully, this will come to an end.
—–BEGIN PGP PUBLIC KEY BLOCK—–
Version: GnuPG v1.4.6 (GNU/Linux)
mQGiBEdbHE0RBADEEtnxrVLK9ocQonX8zVP4hUejy/C89RnuHLL7dXDF35XqEt1b
lVsuvzG7YTX2aFqZNkQv1nZO8InpwT3KXrADzbGb6otkSo4vA8C0fq+IqNi2KJ9R
FYtGKDvFnvp90iAn1fDqT7jXiNkKpDdp9CPBsHbIHS/XgpAiZqdCDeaXOwCg6uvt
2ZJhPyNNPzWuux63zx5HZXsEAIb6CXLwch38vsDt8Big4XRWpBOUtUTQZlxd6XSt
U9pdSY0WBnzFjtA4ahSnZaLoHjs5/kyjv1z/H1MuDstcZ8AnkoINWnT1ozviPiup
T8mWS15NYCSj46Oqc/ztrNeyhPFOhXg6ZxNEY/4zM9vqSz+F+pIZu0FOVKKFdVVq
w/YCBACHWjrtl2uAmVhbOCRc9hQz9sNbkk9F+OWgKcrEJliXmCcXDQRfhQ3JN1FH
EleuapuUFTV7Wke+IkNjP5CfwRWmIQTgWKpHPOef1K6YgRr+bhPJjXMiRjXRuBUm
OvngPsbZgb0MS2Ajy/3bmLMUijKZmNjrlmyPC1eYjWSbJXRh17QpUm9iaW4gU21p
dGggKGdlbnVzZSkgPGZ1ZWdvNDUxQGdtYWlsLmNvbT6IYAQTEQIAIAUCR1scTQIb
IwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEDyNrB0qhmTxT3UAnRs/tDQi8KFQ
DAeBDYN1UzcenWvJAKCKsgrsCg0/QoGFTmYht7eipK3aD7kBDQRHWxxQEAQAlYAr
WXRkbfMgmWI3UljoMSQpkGB0x3ZPqjC/gExzrXVlGeTBm3C40mg0oFZrNHKlWMCi
smt3oVyEwOrP9ngeUnunk2PddxKdznw9gRGQjzByDgXwd2oQtJiL94l5Jy76KZfX
bHdPZl8Y67thCgSMCO4pvWKZuAkllW8EvXFv7XsAAwUD+gOJKZsHPpCXCtPi71Fy
Fe6+NyHZI1Sb/cXIQtCShHeciKihuDIcUqCyEEqFEBzm5f8H6Axny01tUe0Y/01Z
wDuTVJB2wTIHO9G0JAuSuUWsD3PgcwX8ALMhm+9eoym4vcaI9WY3zg7hQiijH1p2
2+4QKvHNvcJ7VW6tVAja4/UYiEkEGBECAAkFAkdbHFACGwwACgkQPI2sHSqGZPGR
ZwCdH73m8BnlmJM8BsSwKNLFR69+g+0AmwaFSaIQOSAqCtyzTM0KuTCW0OsT
=NlOY
—–END PGP PUBLIC KEY BLOCK—–
Bush also ..
.. said on more than one occasion that his job would be much easier if, and he would prefer it if, the US was just a dictatorship.
Re: Bush also ..
I like how you people never give any citations to back up what you are claiming someone else said.
Re: Bush also ..
I heard Bush once said that he thinks Hitler was a swell guy.
Oh, and he hates puppies, too.
Combination locks
It’s established law, IIRC, that you cannot be forced to give up the combination to your combination lock because that would require an utterance. The same goes for the passphrase to a private key. The key itself they can have, but not the passphrase required to use it. It’s not the key that’s the issue; it’s the passphrase. Moral of the story: use passphrases on your private keys, and don’t write them down anywhere.
The difference between a safe combination lock and a digital private key is that a safe’s lock can be circumvented in a reasonable timeframe. A digital private key encrypted with a strong passphrase and nonreversible encryption, not so much.
Re: Combination locks
> you cannot be forced to give up the combination
> to your combination lock because that would
> require an utterance
An utterance isn’t the standard involved. It’s well-established in consitutional law that requiring people to participate in voice line-ups and/or provide vocal samples for technical analysis does not violate the 5th Amendment, even though such things require an utterance.
The difference is that a voice sample is not testimonial. The police aren’t using what you say as evidence. They’re using the unique qualities of your voice as evidence, just like they would fingerprints. The words are irrelevant, hence constitutional.
Re: Re: Combination locks
Hmm, so they can make you talk as long as they don’t use your actual words as testimony? For example, they could force someone to tell what happened and reveal where other evidence can be found and then use that other evidence but not the actual statement in court. In that case it sounds like water boarding could become a primary investigative tool.
RE: Your Encryption Key Is Protected By The Consti
I have read about a few cases where having encrypted information on your hard drive was the only evidence but that is such flimsy evidence cause that encrypted data could or could not be illegal or could or could not be relevant in the case. So if you have data that is or could be illegal your better off encrypting it.
Lock Combo
I think Kelly has the issue. There is a difference between a physical key and a combination. The pwd is a combination, not a key.
Testifying
I think the point about the passphrase is that giving it up is tantamount to testifying against yourself. Whilst giving up the physical key to a safe that contains incriminating evidence is essentially self-incriminating it is not doing so by testifying against your self which is what i beleive the 5th amendment protects against. Where as if the safe has a combination lock you could claim the 5th as giving up the combination amounts to testifying against your self.
Consitiution
Uniboy, et al
If you had any understanding of the military in their constitutional role you would not be posting such blather.
The military is not a political organization, it does not make decisions with regard to constitutional issues. That is the role of the SC. The Military was placed under control of civilians, subordinate to duly elected officials.
To complain about your elected officials is your 1st amendment right. To advocate the violent overthrow of the government is sedition.
Testifying
Ben
The twist on that is the password itself is not incriminating, but the files that it opens may be. So is the pwd protected or not?
For the SC to decide.
Re: Testifying
I thought the point was that you can’t be made to testify against yourself IN CASE you incriminated yourself. How can someone determine whether or not something is incriminating without revealing the evindence, as previously mentioned his pass phrase could well be “I download kiddy porn” as far as the feds know.
Sedition
Like 18th century sedition?
save evidence until a supercomputer cracks it
save evidence until a supercomputer cracks it
Compelled Production of Passwords
Being a cop myself, I nevertheless tend to side with the judge on this one. People shouldn’t have to help the government make a case against them. Besides, this is just like trying to compel someone to produce a voice sample— what happens if the court orders him to produce the password and he still refuses? Hold him in contempt? Big deal. If he’s facing 10 years on a child porn charge and he knows that if he produces the password, they’ll have the evidence to convict him, a few months in the local jail on a contempt charge is by far the better deal.
Re: Compelled Production of Passwords
by BTR1701
“Being a cop myself, I nevertheless tend to side with the judge on this one. People shouldn’t have to help the government make a case against them. Besides, this is just like trying to compel someone to produce a voice sample— what happens if the court orders him to produce the password and he still refuses? Hold him in contempt? Big deal. If he’s facing 10 years on a child porn charge and he knows that if he produces the password, they’ll have the evidence to convict him, a few months in the local jail on a contempt charge is by far the better deal.”
Plus not be labeled as a pedophile, in this case anyhow. Should of used Truecrypt. Wouldn’t even get to the point of an arrest, much less contempt, or an actual conviction. This is from truecrypts Documentation:
It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.
The principle is that a TrueCrypt volume is created within another TrueCrypt volume (within the free space on the volume). Even when the outer volume is mounted, it is impossible to prove whether there is a hidden volume within it or not*, because free space on any TrueCrypt volume is always filled with random data when the volume is created** and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.
http://www.truecrypt.org/docs/
under
Plausible Deniability
Hidden Volume
I find it ironic that I think of myself as a conservative, (at least I voted that way for a couple decades) but of late have had to vote with the other US party because I am trying to “conserve” what makes this country special (to me at least). When I was young, a long time ago, both sides of the aisle seemed to feel the rule of law and justice was important (variances in that belief did not seem to line up with party, at least). So I voted over things that were matters of opinion and gave my support to those who seemed to agree. Now it seems I am having to throw my weight on the side of the Bill of Rights while other important issues (like my children’s and grandchildren’s economic future) get less attention. I applaud the judge for their decision, and BTR1701’s insightful understanding that in the US it is a long standing precedent that everyone is presumed innocent until proven guilty by the state.
Re 21 Citations & 22 BTR
http://www.buzzflash.com/analysis/2002/10/29_Dictator.html
Google is a wonderful thing.
Its so easy to use, you should try it sometime.
But there you go.
3 different times he mentioned it (one was off handed joking but saying it other times you gotta wonder).
Feel free to puruse these as well.
http://politicalhumor.about.com/library/blbushisms.htm
It’s only sedition if you try, and fail…
cryptographic protection
The assumption of guilt due to installation of special purpose crypto software is going to be a bit harder if your OS provides good crypto support. Microsoft includes bitlocker for systems with a TPM 1.2 chip in the Enterprise and Ultimate SKU’s. If this is appropriately configured, it will give very good protection, and it is part of a broadly distributed OS. Clearly, other OS’s have or will have similar support.
Re: cryptographic protection
Given the choice between OSS and an MS solution, which would you really prefer?
Who is to say that MS doesn’t have a means of breaking the code and handing over the info to whoever requests it?
When I read their licenses, it sounds to me that is exactly what they have the “right” to do with software you license from them and the information they gather from you.
I think if it comes down to real security, I’m going with an OSS solution. At least I can look through the code for anything that looks like a backdoor or skeleton key.
This kind of goes back to the companies that forget or ignore the governments keyloggers and trojans in their security software.
Re: cryptographic protection
Do a search on Microsoft NSA_KEY.
Encryption: heh
Well, If having encryption is considered to be increminating, then I would have to say, woowhoo!!! that finally means that credit card companies need to stop using it.. It makes us look guilty of fraud…?
On a side note: what if you work in a security concious environment that requires any VPN users to use PGP for files directly related to their job, and in that case should the government get an injunction to decrypt said cryptainer, at that point you are protecting your company and it’s assets regardless of what else is encrypted.
cryptographic protection
Nunya’s got it right — software that hasn’t been independently peer-reviewed can’t be trusted to perform
any functions, let alone security-critical ones such as
encryption. As we’ve seen (over and over and over again),
it’s very difficult to implement correctly-functioning
software even with enormous amounts of peer review;
without it, it’s hopeless.
My way of explaining this is “closed-source is
faith-based security”.
Specifics of the case
I know everyone is getting wrapped up on the principals behind this case but let’s not lose the sight of the fact that it will likely be decided on the particulars.
Note that the CP was observed by a an official BEFORE the cryto kicked in. That may or may not be the deciding factor.
The SC has a tendency to decide on very narrow grounds, the days of the warren court are long gone. No penumbras likely to be found here.
In Soviet Union...
Secret Key encrypts you? OK, seriously. Let’s turn this around to the boogeyman hypothetical situation that we all like to pick on.
Let’s pretend that you are a political dissident in China. You have been caught sending seditious PGP-encrypted messages to people outside of the country (how do we know they are seditious? Because they are encrypted, of course.) We brutally pull you into detention and check your hard drive. Lo and behold, you have further encrypted files on your hard drive! Incredible! Treason! Now, let’s just pretend that the Chinese government magically gets something like the 5th Amendment, the Supreme Court, and something approaching the rule of law.
How would any citizen of any country react to this situation? Wouldn’t we be outraged that a citizen was being oppressed for “possible crimes against the state”? Crimes that could not be proven, except by torturing the secret key out of the person? Stop me when this starts to sound familiar.
See, PGP was not created for the express purpose of hiding the communications of people in Burma and China, exclusively. Any political dissident, anyone with an opinion contrary to the opinions held by those currently in power, and basically anyone who values his/her privacy, has the right to encrypt.
If the government has independent proof that I or anyone else has committed a crime, let the government present that evidence. Seizing and fishing through a laptop is a cop-out. It’s lazy police work. If a crime has been committed, and anyone is arrested in connection to that crime, you’d better have great evidence that connects this crime to this person. Otherwise, you have to let that person go.
Sorry, but your person is a better criminal than you are a cop. You’ll just have to catch that person when they commit their next crime. Sounds harsh? So does false imprisonment, and holding political prisoners. The U.S. criminal justice system was originally set up so that it was given that some criminals would go free. As long as no innocent person was placed in prison, this was considered an acceptable price. Now, with our “Law and Order” folks running around, the balance has shifted. Now, you’re “guilty until proven innocent” and even then, you’re innocent only if you can afford an expensive lawyer.
You absolutely have the right to remain silent. There is no God or Government that can compel you to speak. If they use torture, coercion, “harsh methods” of any sort, you’ve just proven that the authorities have zero moral (and legal) legitimacy. Also, you can just claim that you forgot your password. Hey, the “I don’t remember” excuse worked for Reagan. Turns out he, at least, was telling the truth.
The "I Don't Remember"
Also worked quite well for Gonzales. Just to use a much more recent example.
Very well said Shun.
I agree with your argument.
Encrypted Corporate Hard Drive
I work for a multi-national corporation that deals in sensitive financial information. It is a policy that all laptops must have encrypted hard drives in case a machine is lost or stolen. I have to type in my key to boot it up. Will a “search” require me to cough-up the password just to boot the machine?
Speaking of George W. Bush:
George W. Bush committed hate crimes of epic proportions and with the stench of terrorism (indicated in my blog).
George W. Bush did in fact commit innumerable hate crimes.
And I do solemnly swear by Almighty God that George W. Bush committed other hate crimes of epic proportions and with the stench of terrorism which I am not at liberty to mention.
Many people know what Bush did.
And many people will know what Bush did—even to the end of the world.
Bush was absolute evil.
Bush is now like a fugitive from justice.
Bush is a psychological prisoner.
Bush has a lot to worry about.
Bush can technically be prosecuted for hate crimes at any time.
In any case, Bush will go down in history in infamy.
Submitted by Andrew Yu-Jen Wang
B.S., Summa Cum Laude, 1996
Messiah College, Grantham, PA
Lower Merion High School, Ardmore, PA, 1993
“GEORGE W. BUSH IS THE WORST PRESIDENT IN U.S. HISTORY” BLOG OF ANDREW YU-JEN WANG
______________________
I am not sure where I had read it before, but anyway, it is a linguistically excellent statement, and it goes kind of like this: “If only it were possible to ban invention that bottled up memories so they never got stale and faded.” Oh wait—off the top of my head—I think the quotation came from my Lower Merion High School yearbook.
An interesting note to this is that while you cannot be forced to give any passwords that would unencrypt your data and potentially incriminate you, the government can bring in their uber hackers to simply crack your encryption software and forcefully extract data that may incriminate you. Seems kind of contradictory, don’t you think?