Judge Says Americans Can Be Forced To Decrypt Laptops

from the 5th-amendment-begone dept

A few years ago, we wrote about a case, in which a court found that a defendant could not be forced to give up his encryption key for encrypted files on his computer, because that would be a violation of the 5th Amendment. The argument was that the key was a form of speech, and that speech would self-incriminate the person. However, in a new case, a judge has said that it is not a 5th Amendment violation if a defendant is required to decrypt their laptop, even if that laptop contains incriminating information. The difference here? The key. In the first case, the question was over whether or not the defendant had to hand over the key. In this case, there was no request for the key — just to decrypt the hard drive. As the court saw it, this was no different than demanding a defendant hand over documents related to a case, something that obviously happens all the time. It does seem like a fine line (and perhaps a meaningless distinction if law enforcement now knows to do the latter, rather than the former). Either way, the defendant in this case, Ramona Fricosu, accused of being part of a mortgage scam, is intending to appeal. It would be interesting to see the Supreme Court eventually weigh in, but I would guess that they’ll side with this particular ruling.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Judge Says Americans Can Be Forced To Decrypt Laptops”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

I sense a need for encryption systems which include an option to store part of their password in a file uploaded to the net. Many file locker services allow setting the uploaded file’s expiration date (e.g., yousendit.com, magicvortex.com).

If law enforcement is already monitoring your net connection, this may not work, but if they have seized the computer and afterwards get the urge to make you decrypt it then you can merely claim that there is no possibility because part of the key has been deleted from the cloud (you can even go through the motions of putting in your key).

Machin Shin (profile) says:

Re: Re: Re: Re:

Or the really good one is have one password to unlock it and one to destroy the file. They ask you for your password and so you give them one. They enter it and destroy any hope of ever getting it. This also eliminates any chance whatsoever of them getting the real password out of you later. The file is destroyed and no amount of threatening you will get them in.

btr1701 says:

Re: Re: Re:3 Re:

> And then they put you away for destruction of evidence…
> perhaps it’s a lesser charge

Yes, this isn’t about beating the charge completely, but if you know that the drive contains evidence of child porn or murder or worst of all, copyright violation, and you know it will put you away for 30 years to life, then taking a 5-year hit for evidence tampering is a helluva good deal.

Ian (profile) says:

Re: Re: Re:4 Re:

Oh, but here’s the best part:

A forensic specialist, on seizing the drive, will have loaded it in a write-blocker, and made a bit-for-bit copy. The only thing they’ll give you to let you enter your nuke password on is one of those copies.

You enter your nuke password, and send back the disk. Now they can compare the two disks, and find that you’ve changed them.

Now they’re charging you with destruction of evidence, and they /still demand the unencrypted contents/. What does that mean? Well, it means they can hold you in contempt, and detain you indefinitely until you comply. IE, instead of that 30 years to life, you’re there for “until you comply”. After you comply, you still have the 30 years to life to face.

Anonymous Coward says:

Re: Re: Re:5 Re:

I don’t really think they can charge you for solely that if your decryption method requires writeback to the original file. (For example, Windows’ built-in “compress folder” will replace the file with “uncompress copy” if it has been “touched”.)

Regarding bit-for-bit copy, anyone with experience working on firmware know there’s a “write-only” one that you can only program on, but not read back (I don’t know whether there’re ways read back those chips by other means, though). Working on a bit-to-bit copy won’t work if the encryption/decryption program is written on chips.

Jeremy Lyman (profile) says:

Make me.

Forced to divulge information? I sure hope enhanced interrogation isn’t going to fly in the American legal system.

This seems like a detective asking a robber where he hid the diamonds to me, you’d have to weigh the consequences of not cooperating. Sounds like a reinforcement of the advice that people not know their encryption keys, but know how to get them instead.

nasch (profile) says:

Re: Make me.

Sounds like a reinforcement of the advice that people not know their encryption keys, but know how to get them instead.

As the story indicated, the police can compel you to decrypt the information. They wouldn’t care if you have the key memorized or just know where to get it, as long as you do it. As far as I can tell the only options would be 1) cooperate 2) go to jail 3) convince the judge you’re unable to comply or 4) convince the judge/investigators that you have complied even though you haven’t.

Number 3 could perhaps be accomplished by demonstrating a secure delete facility on your computer. You can claim that the encrypted block of data is just garbage created by the secure deleter. I don’t know enough about the technology to know if that would fly or not.

Austin (profile) says:

Wrong Analogy

The correct analogy here is a locked safe.

Courts have held that a suspect is NOT required to hand over the keys to a safe. They have ALSO held that the same suspect is also NOT required to unlock the safe for the police. The distinction between giving the authorities your password or simply decrypting the files for them is the same – if one is considered unlawful, so too should the other be.

And beyond that, this should be protected under the 4th amendment, regardless of whether or not it violates the 5th. This is about as damn well “unreasonable” as a search can possibly be.

Anyhow…if the defendant was asked to have over a disk – still encrypted – with the files on it, that is legal. After that, the police are free to take as much time as they like (should be around 2,000 years with a strong password and good algorithm) and try to crack it themselves. This is like saying they can seize the safe and have a locksmith try to open it for them. Legally, they can do this. But compelling the suspect and/or defendant to make their case for them? Pretty damn unreasonable.

Machin Shin (profile) says:

Re: Wrong Analogy

Suddenly there is a solution. If you encrypt your files and instead of using a password you use a key file on a thumb drive. You can now lock that in a safe that you are not required to open. Of course that would only slow them down while they break into the safe but it is something.

I also wonder though how far you could get by hiding the data they wanted in masses of useless data. Like the key file for your encryption could be a small text file on a thumb drive with millions of text files. Once they have the thumb drive you can honestly tell them they have the key.

Anonymous Coward says:

Re: Wrong Analogy

The Supreme Court has stated that a defendant may be compelled to turn over the key to a locked safe. (http://supreme.justia.com/cases/federal/us/487/201/case.html#F9). True, a state court may decide not to go that far, but requiring production of the key is certainly constitutional. So the locked-safe analogy is a loser.

And the 4th Amendment argument will never carry the day (the EFF didn’t even attempt to make the 4th Amendment argument in their amicus brief). The police had a perfectly valid warrant to search the computer. The issue is not whether searching the computer was reasonable. Rather it is whether the defendant can be compelled to grant access to the encrypted files.

I don’t mean to imply that I think the court got it right here. Just trying to clear some things up.

btr1701 says:

Re: Re: Wrong Analogy

> The issue is not whether searching the computer was
> reasonable. Rather it is whether the defendant can be
> compelled to grant access to the encrypted files.

This issue makes for some great law school exam questions and philosophical legal discussions, but the practical reality is that judges, prosecutors, and law enforcement can never actually win this one.

There are too many ways for defendants to defeat them. Some have been mentioned here– multiple passwords that unlock some data but not other, cloud keys that expire, etc.– but even a defendant who just claims not to remember the password will eventually win. Sure, they might get some time in a county jail for contempt, but a judge can’t keep someone there for life. Most states top it out at a year. So if the suspect knows that the stuff on his computer will get him 10-20 in a state penitentiary, spending a year in the county lockup for contempt is hardly the worst option on the table.

Anonymous Coward says:

Re: Re: Re: Wrong Analogy

H. Beatty Chadwick might disagree with you regarding the scope of punishment for contempt. (http://en.wikipedia.org/wiki/H._Beatty_Chadwick). He spent 14 years in prison for failing to comply with an order from a Delaware County court during a divorce proceeding. And his detention was approved by the 3rd Circuit Court of Appeals.

Sure, a defendant can try and play the “I don’t remember” card. But if a court has good reason to believe otherwise, he may find himself held in contempt for a very long time.

I’ve never heard the “most states top it out at a year” claim before but I would guess it is a popular misconception, not actual law.

Anonymous Coward says:

Re: Re: Re:3 Wrong Analogy

Cases may exist where the court doesn’t have a good reason. I never excluded that possibility. But if evidence is offered that the defendant regularly, repeatedly and/or recently accessed the encrypted data (either through surveillance, undercover work, eye-witness accounts, etc.), a court could very easily find good reason to believe that a defendant is lying.

I know you tried to help me out by answering the question you (quite colorfully) posed to me, but I wanted to get my two cents in anyway.

Anonymous Coward says:

Re: Re: Re:4 Wrong Analogy

…a court could very easily find good reason to believe that a defendant is lying.

The court has no warrant to search the contents of the human mind.

Everyone has had the experience of forgetting items that they should be able to remember. For some people, it happens when the take tests. For others, it happens when they get out of bed in the morning and can’t find their eyeglasses.

A court that would jail someone because the judge knows that the defendant must have power to recall, is a court defying human experience?a court worth nothing but contempt.

btr1701 says:

Re: Re: Re:2 Wrong Analogy

> H. Beatty Chadwick might disagree with you regarding the
> scope of punishment for contempt.

You can always find a statistical outlier which results from a case with unique circumstances or which occurred before legislative preemption. It’s hardly the norm, however.

Many states have set statutory limits on the length of time a judge can hold someone in contempt. Others have required contempt orders to meet certain criteria for them to be upheld, the most common and important of which is that the contempt cannot be punitive rather than coercive. Once it becomes punitive, the contempt order instantly violates about 50% of the Bill of Rights.

Judges simply don’t have unfettered power to lock people up indefinitely at what essentially amounts to their whim.

> I’ve never heard the “most states top it out at a year” claim
> before but I would guess it is a popular misconception,
> not actual law.

As an attorney myself, I tend not to deal in popular misconception.

btr1701 (profile) says:

Re: Re: Re:2 Wrong Analogy

> Sure, a defendant can try and play the
> “I don’t remember” card. But if a court
> has good reason to believe otherwise, he
> may find himself held in contempt for a
> very long time.

In cases where a court has ordered someone to produce an encryption key, which is likely to be a long string of numbers and letters, the longer the contempt order goes on, the more likely it is that the defendant really will forget it, and be truly unable to come up with the key even if he wanted to.

Such a defendant will cease to ‘have the keys to his own jail cell’ which will automatically trigger constitutional due process requirements and void the contempt order.

Anonymous Coward says:

Re: Re: Re: Re:

Unfortunately, as screwed up as it is, looking at the wikipedia entry for ‘contempt of court’, it looks like in America at least there is no upper limit for how long a person can be imprisoned, so if someone genuinely forgot something(in this case a password), and the judge didn’t believe them… they could potentially spend the rest of their life in jail for it.

nasch (profile) says:

Re: Re: Re:2 Re:

if someone genuinely forgot something(in this case a password), and the judge didn’t believe them… they could potentially spend the rest of their life in jail for it.

If I understand correctly, that is true, but as a practical matter I just don’t see that happening. At some point the judge would decide there’s nothing to be gained by keeping someone locked up. Not to mention it’s likely word would get out, and the pressure to drop the charge would probably mount quickly.

So far no one’s been jailed more than 14 years. And that guy was definitely and clearly not following a court order. Since it was to pay a bunch of money I hope it’s not just that he didn’t have the money to pay. According to another poster he was released because it was determined the incarceration had become punitive, which is not allowed.

Anonymous Coward says:

Re: Re: Re:

Yes. It should be okay in encrypted form.

See… For documents handing to court, the documents are not always in English. And the defendents are neither required to hire translators to translate the documents, nor required to pay the fees for court to hire the translators.

Can’t see how they can force you to tranlate the documents if you always write them in some rare or obscure language. 😛

Jeremy Lyman (profile) says:

Re: Re: Re:

Yeah, IANAL, but a warrant means police have the authority to go look for something in a specific location, not the authority to command a suspect divulge information. You have to trick them into revealing the secret by leveraging their own ego:

Col. Jessep: You want answers?
Kaffee: I think I’m entitled.
Col. Jessep: You want answers?
Kaffee: I want the truth!
Col. Jessep: You can’t handle the truth!
Col. Jessep: Son, we live in a world that has tubes, and those tubes have to be guarded by encryption algorithms. Who’s gonna do it? You? You, Lt. Weinburg? I have more numerous salt bits than you could possibly fathom. You weep for digital forensics, and you curse the cipher. You have that luxury. You have the luxury of not knowing what I know. That cryptography’s invention, while inconvenient, probably keeps secrets. And my use of it, while absurd and incomprehensible to you, keeps secrets. You don’t want the truth because deep down in places you don’t talk about at parties, you want secrets to be kept, you need secrets to be kept. We use words like key, code, hash. We use these words as the backbone of a science dedicated to securing communication. You use them as a specter. I have neither the time nor the inclination to explain cryptography to a man who rises and sleeps under the blanket of the very security that it provides, and then questions the security it provides for others. I would rather you just said thank you, and went on your way, Otherwise, I suggest you pick up a decrypter, and start brute forcing. Either way, I don’t give a damn what you think you are entitled to.
Kaffee: Do you know the private key?
Col. Jessep: I know the premise of encry…
Kaffee: Do you know the private key?
Col. Jessep: 4b752O7o3dgJ#?;6q7IxLBr7:#gUL^!

Boom! Techno-lawyered.

Richard (profile) says:

Re: Re:

Seems reasonable if you ask me. If it’s legal for the government to demand you hand over documents, I fail to see why the government should not also be able demand that an encryption key be handed over to make the documents legible.

The difference is simple. It is comapratively easy to establish whether the documents exist. It is impossible to establish whether a person knows or can remember the encryption key.

You cannot tell the difference between an innocent person who never knew or has forgotten the keys and someone who is withholding them.

Basic principles of law require that innocence be given the benefit of the doubt.

Franklin G Ryzzo (profile) says:

Re: Re:

The government can compel you to hand over documents, but if those physical documents are written in a language that no one can read, can they compel you to translate the documents as well? This is how I see the situation and I’m not convinced they should be allowed to compel decryption. How would it be any different if I created my own code language and used that to write all my documents in, whether they be physical pieces of paper or files on a hard drive?

pixelpusher220 (profile) says:

Re: Re:

If it was simply written in a language that they don’t understand, I am supposed to translate it for them?

Not hardly. They have it, they can do what they want with it, but *I* am not required to ‘help’ them do that. i.e. the 5th amendment.

The proper way around this is to grant the subject immunity from prosecution for anything found. Then there is no 5th amendment grounds. If the data is that important you do this..but if you only want to prosecute this particular person, then no you aren’t supposed to be able to force them to help you.

Duke (profile) says:

Re: Re:

There was a case on the UK equivalent of this ruling a while back (the requirement to hand over keys is enshrined in legislation over here), and they discussed the issue of self incrimination, and admissions of ownership/knowledge.

The Court ended up finding that it wasn’t contrary to the principle against self-incrimination on the grounds that the law only covered decrypting information as part of the investigation, not as part of the trial, and if issues of self-incrimination did come up, they could be dealt with by declaring either the material uncovered, or the fact that the defendant had handed over the key (thus “proving” knowledge) could be withheld from evidence.

However, that seems to be a particularly English approach, perhaps not reflected in the US, where you start with as much information as possible, then cut out whatever the jury or court shouldn’t know about.

Beta (profile) says:

Re: Re:

You are volunteering to be a martyr, to educate the authorities in basic cryptography theory at your own expense. A slightly less costly approach would be to carry a 500MB file of random bits called “OneTimePad.txt”, along with some simple scripts to use it, and maybe a couple of innocuous encrypted letters and the one-pages you carelessly forgot to delete.

And if that doesn’t get you locked up, you can then do the same thing but with a random-looking 500MB file containing all of your juicy secrets.

Violated (profile) says:

Re: Re: Re: "Judge Says Americans Can Be Forced To Decrypt Laptops"

See the movie Unthinkable.

If the stakes are extremely high how far are you willing to go? Ignore human rights laws? Torture? Torturing and killing their partner? Torturing and killing their children?

And what does that then make you? All they claimed you were.

btr1701 says:

Re: Re: Re:2 "Judge Says Americans Can Be Forced To Decrypt Laptops"

> And what does that then make you? All they claimed you were.

Not hardly. If they create such an extreme situation that it drives people to do something they would never normally do (in your ‘Unthinkable’ movie example– nationwide nuclear holocaust), then it’s ridiculous to then turn around and say, “See! They’re barbarians after all!”

nasch (profile) says:

Re: "Judge Says Americans Can Be Forced To Decrypt Laptops"

The Judge is factually wrong. No one can be forced to give up a password. At most they can be punished for not doing so.

The term “compel” legally means if you don’t do it the government is allowed to arrest and imprison you. You can complain about the usage, or just understand it and move on. 😉

New Mexico Mark says:

Re: Re: "Judge Says Americans Can Be Forced To Decrypt Laptops"

I’m sure you could be imprisoned and life could be very difficult for a while. But sooner or later (probably sooner if you could afford a high-powered lawyer to keep pressing the issue) it seems you would have to be released or just punished under whatever laws cover destruction of evidence, just as if you had shredded everything.

There would probably be different results between refusing a legal order to decrypt and saying you forgot the password.

Anonymous Coward says:

Re: Re: Re: "Judge Says Americans Can Be Forced To Decrypt Laptops"

Well, I don’t really agree with the ruling in this case, but I do want to point out a few things that a lot of folks overlook in all this: If the judge decides to hold you in contempt, there is no sentence length. He could keep you in prison in contempt for 75 years if he wants. As for destruction of evidence, those penalties are stiff, ever since SOX. I believe it’s 20 years at the federal level. And that exceeds most federal sentence lengths except the most heinous.

IOW, you probably would do less time just providing the documents and being found guilty than you would trying to cover things up.

btr1701 says:

Re: Re: Re:2 "Judge Says Americans Can Be Forced To Decrypt Laptops"

> He could keep you in prison in contempt for 75 years if he wants.

Actually most states have limited the length of detainment for contempt to a year, barring extraordinary circumstances.

Judges are not dictators with ultimate power to do whatever they like.

Anonymous Coward says:

Re: Re: Re:3 "Judge Says Americans Can Be Forced To Decrypt Laptops"

Judges are not dictators with ultimate power to do whatever they like.

It’s a federal judge: Judge Robert Blackburn, appointed by George W. Bush.

You may presume that Judge Blackburn, like most of his black-robed brethren on the federal bench, doth truly and sincerely believe himself God, and is thus totally undaunted by quaint notions of brimstone and hellfire.

nasch (profile) says:

Re: Re: Re: "Judge Says Americans Can Be Forced To Decrypt Laptops"

From WP: “The civil sanction for contempt (which is typically incarceration in the custody of the sheriff or similar court officer) is limited in its imposition for so long as the disobedience to the court’s order continues: once the party complies with the court’s order, the sanction is lifted. The imposed party is said to “hold the keys” to his or her own cell, thus conventional due process is not required…

In civil contempt cases there is no principle of proportionality. In Chadwick v. Janecka (3d Cir. 2002), a U.S. court of appeals held that H. Beatty Chadwick could be held indefinitely under federal law, for his failure to produce US$ 2.5 mill. as state court ordered in a civil trial. Chadwick had been imprisoned for nine years at that time and continued to be held in prison until 2009, when a state court set him free after 14 years, making his imprisonment the longest on a contempt charge to date.”


This is why...

I’ve never kept a diary. Sure, it would be fun to read how I felt 20, 30 years ago. I’d enjoy reading my childish thoughts as a student. But you have a whole lifetime for this sort of thing to fall into the wrong hands. I think of all the things I did as a youngster which were legal then, or at least not specifically illegal, which are crimes now. Best advice I’d give a kid these days is “keep yer mouth shut and don’t put anything in writing”.


Re: Re: This is why...

Iunderstand what you are saying. But do we not see many examples of situations where a person is innocent, or at least not guilty, but is punished all the same. Maybe not prison, but loss of employment, loss of reputation or other unpleasantness. And as to the statute of limitations; it would seem that there is considerable pressure towards extending that limit in some cases. We have, for instance, extremely broad limits for some sex offenses, in some cases many decades. Yet the limit for, say, arson might be 5 or 7 years. How will this change in future? What about laws that were not enforced in the past suddenly being agressivly enforced. The recent file-sharing situation is an example. If the government or some determined character or just fate is out to get you, life can be pretty nasty. The less evidence one supplies, the safer one is.

nasch (profile) says:

Re: Re: Re: This is why...

But do we not see many examples of situations where a person is innocent, or at least not guilty, but is punished all the same. Maybe not prison, but loss of employment, loss of reputation or other unpleasantness.

Yeah, like innocent people being executed.

And as to the statute of limitations; it would seem that there is considerable pressure towards extending that limit in some cases.

Yes, but you can never be prosecuted for something that wasn’t illegal when you did it. The statute of limitation cannot be extended retroactively. That’s what ex post facto means.

If the government or some determined character or just fate is out to get you, life can be pretty nasty. The less evidence one supplies, the safer one is.

Can’t argue with that. It’s unfortunate that law enforcement has the ability to nearly ruin someone’s life even if they don’t have enough evidence for a conviction.

Josh in CharlotteNC (profile) says:

Re: Re:

The other one causes the computer to melt.

I’m going to assume you mean “wipe out the data on the drive” as opposed to the computer bursting into flames (typical movie nonsense). Those that wipe data when incorrect passwords are entered already exist, however you’ll need to think about using it as that could get you a destruction of evidence charge. Also, it probably wouldn’t be much use anyway, as any competent forensic computer tech wouldn’t be using the real drive, but would have cloned it multiple times and be working on a copy (perhaps even in a virtual environment with the ability to restore back should something like that happen).

A better option would be TrueCrypt with hidden partitions in which one password unlocks the operating system and nonsensitive files, and another unlocks the stuff you really want to be secret. If set up properly, it is virtually impossible to tell whether (or how many) hidden partitions exist.

nasch (profile) says:

Re: Re:

how about and encryption program with 2 passwords. One safely unlocks the hards drive. The other one causes the computer to melt.

Truecrypt does better than that, with one password that unlocks boring stuff and one that unlocks the secret stuff. And after unlocking the boring stuff there’s no way to know the secret stuff is even there.

btr1701 says:

Re: Re: Re: Re:

> well except for the fact that they probably know about
> Truecrypt and would ask you if there are multiple
> passwords in use.

> No – perjury

Not hardly. In order to be charged/convicted of perjury you have to be testifying under oath, and as the defendant, you have the 5th Amendment right not to testify at all. So unless you’ve been stupid enough to voluntarily take the stand at trial and then start lying about your passwords, there’s no danger of perjury for saying ‘no’ to anyone else’s questions about your passwords.

KK says:

why go through all this

I have an encrypted drive inside an encrypted drive(which is appended to a movie’s file). You can still watch the movie never knowing that there is something I’m trying to hide..
in short if you are smart enough giving an eccryption key is not going to let anyone else get to you…
and ya.. I have nothing special in my special encrypted partition.. its there caz I could do it..

Rich Kulawiec (profile) says:

A "deadman switch" algorithm

You can’t disclose what you don’t know.

1. You use Truecrypt with a plausible deniability volume, and you use a password that’s very long — much too long for you to memorize.

2. You put that password in a file. You encrypt that file with Truecrypt and use a second password — and this second one, you memorize.

3. You store that encrypted file on a server — let’s say, a very cheap virtual server in a country with reasonably strong data privacy laws, like Switzerland. You stipulate to the service provider that you do NOT want your virtual server backed up.

4. You set up a cron job on that server, such that it regularly checks to see if you’ve logged in recently…where “recently” might be “within the last week”.

5. If you actually need password #1, you log into the server, retrieve the file, and use password #2 to recover it.

6. But if that “recent login” check fails, the file gets automagically deleted. You never knew password #1, because you couldn’t memorize it; now you can’t retrieve it, either.

Of course, variations on this are possible: it’s possible to use multiple files on multiple virtual servers, diminishing the probability that an attacker could acquire them all. You could also hedge your bet by splitting password #1 into (let’s say) 3 pieces and distributing those across 3 servers in this fashion: server 1 (parts 1 and 2); server 2 (parts 2 and 3); server (parts 1 and 3) so that you could suffer the loss of any one server and still be able to recover the file with encrypted password #1. This also helps if one of the service providers — against your wishes — backs up the file, because what’s in their backups only has 2/3 of password #1, thus if they’re compelled to disclose it via legal process, the best they can do is cough up an encrypted file with incomplete data.

Note also: there are cryptographic algorithms that are based on multiple keys (say, M keys) but only require N, N<=M keys to work. This allows, let’s say, a group of 7 people to decrypt an encrypted file if any 4 of them agree to use their keys. I think this technology could also be applied here.

Rich Kulawiec (profile) says:

Re: Re: A "deadman switch" algorithm

I have two concerns about that, one of which may stem from my incomplete understanding of how the Truecrypt plausible deniability volume works. I’m concerned that it may be possible to use (virtual) disk usage/size measurements to infer the existence of another volume — say, by attempting to fill up the p.d. volume and noting at which point calls to write(2) fail. If they do so when (let’s say) a 100G disk only appears to have 60G on it, then can we not infer that the other 40G is unavailable because it’s in use?

The other concern is that disclosure of a p.d. volume may be viewed by the legal process as just that. Given the way this ruling has been written, I wouldn’t be surprised to see the same judge (if asked to rule on a case involving a p.d. volume) write a ruling that treats that in a way unfavorable to privacy. I’m not saying it will happen; I’m not saying it’s a good thing or a desirable thing; I’m just saying that it seems within the realm of possibility, and therefore I’m concerned about it.

Andrew F (profile) says:

Re: Re: Re: A "deadman switch" algorithm

If you’re hiding a TrueCrypt volume within another volume, mounting only the outer volume won’t reveal the existence of the hidden volume. First, the “empty” space in a volume is always filled with noise, so the presence of a hidden volume can’t be inferred by size. Second, attempting to write past the size limit of the outer volume won’t result in a failure. You’ll just overwrite the hidden volume. This happens because TrueCrypt assumes if you enter in only the password for the outer volume, you’re in plausible deniability mode and that it’s preferable to overwrite hidden data than reveal it.

As for legal process, it’s possible they could force you to disclose the password to a hidden volume, but that’s only if they know there is one. Since there’s no technical way to reveal the presence of a hidden volume, the only way they could know about this is if (1) they force you to reveal your state of mind, which is clearly forbidden by the 5th Amendment, or (2) you do something stupid like brag about your hidden volume to a police officer.

As for the deadman’s switch idea, I’m not a fan. In order to explain why you don’t have the password, you have to reveal that there is a deadman’s switch. And the presence of a deadman’s switch may indicate to authorities a sign of wrongdoing. Or may be interpreted as an attempt to destroy evidence.

PrometheeFeu (profile) says:

This is an important-enough issue that it deserves details. The 5th amendment issue is not actually with producing the information on the drive. It’s long-established law that a court can make you produce evidence even if that evidence will incriminate you. The issue was that by decrypting the drive, you are demonstrating that it is your hard-drive and your data. THAT is self-incriminating testimony.

So what did the court do here? Well the court looked at the facts and said: We already know it’s your laptop, hard-drive and data. Also, the government has agreed to grant you immunity from that testimony. (They won’t be able to tell the jury that you were able to decrypt the data) So decrypt the data already.

In the real world, the court couldn’t force you to tell them that you have the key to a safe, but it could force you to open the safe once it’s been established that you have the key.

Let’s also remember this is not some creepy executive action such as border search, national security letters or whatever. This is a judge issuing a warrant. There are all sorts of safe-guards such as appeal, judicial standards to be met, etc…

Pitabred (profile) says:

Re: Re:

The government ALSO had a conversation in which she admitted the information that was encrypted was related to the case. They have probable cause, which significantly changes the 4th and 5th amendment’s scope.

Also note that the judge directed that the prosecution was NOT allowed to use the fact that she decrypted it against her.

Anonymous Coward says:

Re: Re: Re:

They have probable cause, which significantly changes the 4th and 5th amendment’s scope.

Yes, we understand that the magical phrase ?probable cause? renders the former constitution null, void, and a farce.

You have lost the respect for human dignity that forms the foundation and cornerstone of ordered liberty.

Anonymous Coward says:

Re: Re: Re:2 Re:

That’s pretty cut and dry.

Yes. I understand that you have adjudged her guilty, and consider the trial an empty formality.

What you have forgotten is the principles of human dignity and freedom of conscience that once animated our former bill of rights. You have lost sight of the history: The phrase camera stellata holds no meaning for you.

So, you go around waving the magic phrase ?probable cause? and insist upon a warrant to search this woman’s mind.

PrometheeFeu (profile) says:

Re: Re: Re:3 Re:

Wow, I love the hyperbole. Nobody is searching that woman’s mind. That woman is simply ordered to produce the evidence that she admitted to storing on her hard drive the same way she might be ordered to produce evidence stored in a locked box or hidden under floorboards. For that order to be lawfully issued, the prosecution had to demonstrate that they had “probable cause” (a direct quotation from the 4th amendment if you believe it) to believe that there was evidence on the hard drive. They did so by having her on tape admitting to that fact. If she doesn’t like that outcome, she can file an appeal and then request certiorari from SCOTUS.

But as it stands, the information stored in her mind is not requested which means her rights under the 5th Amendment are being respected. And just to be sure, the prosecution agreed that they could not bring the fact that she was capable of decrypting the drive as evidence against her.

What were you expecting? That if you store a piece of evidence in an envelope they can force you to hand it over, but if you encrypt it they can’t? That would be an absurd result.

Anonymous Coward says:

Re: Re: Re:4 Re:

That would be an absurd result.

You, and Blackburn, start with the assumption that the state has an absolute right to any papers the state covets. And you reach the conclusion that any means justify that end.

We have an irreconciliable difference in values.

I do not believe that citizens exist solely to serve the state. Rather, people have a foundational liberty in their own conscience, and fundamental rights to the freedom of their own thoughts.

PrometheeFeu (profile) says:

Re: Re: Re:5 Re:

Actually no. I don’t believe the state has any right to any papers at all. I do however believe that people have a right to not be defrauded and that that right must be balanced against people’s right to privacy. The 4th amendment, the probable cause requirement and independent courts arbitrate between the two. That’s their job and here, they did it well.

PrometheeFeu (profile) says:

Re: Re: Re: Re:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

The phrase “probable cause” is in the Constitution. That is the bar that the 4th Amendment itself says you must clear in order to compel production of evidence. If you believe that the Constitution does not adequately protect people, that is your right. But do not go about complaining about “probable cause” nullifying the Constitution.

Anonymous Coward says:

Re: Re: Re:2 Re:

But do not go about complaining about “probable cause” nullifying the Constitution.

And why not? You have emptied the phrase, and stood the words on their heads. The guarantee runs against unreasonable searches?yet you insist that probable cause overrides all to permit a search against reason.

The guarantees of the Bill of Rights were enacted by men of their times, who held a memory of the great abuses of the Crown. They looked to their own history, knew well the old horrors of rule by Sterr’d Chambre, and set out pickets and wards against return of that evil.

Anonymous Coward says:

Re: Re: Re:

You’re correct, there is no statutory limit. The current record for contempt in a civil case is 14 years.



Note that the release was authorized because the incarceration had lost its coercive effect and had become punitive. Take that for what it’s worth.

Pjerky (profile) says:

No way in hell

I don’t care what they threaten me with. Even if I only have pictures of cute little kittens on my computer. There is no way in hell that I would give them access to the data on my computer. I would resist simply on principle, but also because I believe it a violation of my rights. If I have to go to jail for what I believe in then so be it.

If we don’t stand up for our rights then no one else will either.

Anonymous Coward says:

Re: No way in hell

I don’t care what they threaten me with. Even if I only have pictures of cute little kittens on my computer.

Peine forte et dure.

Giles Corey (died September 19, 1692, Salem Village, Province of Massachusetts Bay)

On Monday, September 19, Corey was stripped naked, a board placed upon his chest, and then–while his neighbors watched–heavy stones and rocks were piled on the board. Corey pleaded to have more weight added, so that his death might come quickly.

Samuel Sewall reported Corey’s death: “About noon, at Salem, Giles Corey was press’d to death for standing mute.” Robert Calef, in his report of the event, added a gruesome detail: Giles’s “tongue being prest out of his mouth, the Sheriff with his cane forced it in again, when he was dying.” Judge Jonathan Corwin ordered Corey buried in an unmarked grave on Gallows Hill.

Pjerky (profile) says:

Re: Re: No way in hell

So your quoting actions that happened in the British colonies almost a full 100 years before the American Revolutionary War (http://en.wikipedia.org/wiki/American_Revolutionary_War).

The laws are quite a bit different now. Anything they can get away with doing, legal or not, are not things that are sufficient for me to give into these assholes.

btrussell (profile) says:

Re: Re: Re:5 No way in hell

“”Is the public aware that I am a gentleman of leisure, watching color TV in the A.C., reading, taking naps at will, eating three well balanced hot meals a day,” Hembree asked in the letter. “I’m housed in a building that connects to the new 55 million dollar hospital with round the clock free medical care 24/7.””

PrometheeFeu (profile) says:

Re: No way in hell

Can you please explain to us which ones of your rights are being violated? Is it your right to ignore a narrowly drafted warrant for evidence based upon a finding of probable cause by an impartial judge? Would you complain as much if instead of being encrypted the data was printed out and in a safe? What’s the difference?

Anonymous Coward says:

Re: Re: No way in hell

Is it your right to ignore a narrowly drafted warrant for evidence based upon a finding of probable cause by an impartial judge?

Yes. When the warrant runs contrary to reason.

Humans have an inviolable right to the integrity of their own minds. You may try to brainwash it away, but people have no duty to aid your evil.

John Fenderson (profile) says:

So many complicated ideas

It’s interesting how many comments here are proposing ways to avoid disclosure of the decrypted data (which is tangential to the point of this article, imo).

All of them are too complicated. It’s really very easy — if you must keep extremely sensitive data in electronic form, do not keep it on a hard drive, laptop, cell phone, etc. Keep it encrypted on a microSD card, and keep that on your person. Should there be a danger of it falling into the hands of people you don’t want to have access to it, lose or swallow the card.

Just don’t let anyone see you, or you may find your shit confiscated.

Violated (profile) says:

Key to Self Incrimination

They already do this in the UK. Refuse to hand over your password and they can put you into prison for years. Innocent or guilty makes little difference.

Here is one example…

A 19-year old from Lancashire has been sentenced to 16 weeks in a young offenders institution for refusing to give police the password to an encrypted file on his computer. Oliver Drage, from Naze Lane, Freckleton, Lancashire was arrested in May as part of an investigation into child sexual abuse images. His computer was seized.

Talk about incriminating yourself or jailed if you don’t.

The best defence if you encrypt your HDD is to say this partition is just random data because you just erased your HDD (using some random data tool) and so there is nothing to decrypt. There is no way they can prove the data is encrypted through examining it.

Pjerky (profile) says:

You may use logical threats/arguments to avoid being required to do this.

You could try stating the following to avoid giving it up (the password/key you perv):

Your attempts to force me to give you my password/encryption key violates my 4th amendment rights. If I have anything incriminating on the machine then it also violates my 5th amendment rights against self-incrimination. Are there any more of my constitutional rights you want to violate today? I am sure my lawyer would love to add those to the list of items during the trial against you and your superiors.

And yes, I wrote that.

Anonymous Coward says:

Re: Re: well, shit


It is totalitarianism.

You are unwilling to cede the individual a sphere of personal autonomy proof against all the demands of the state.

You insist that the state may grab hold of this woman’s very thoughts?and examine the harvest of those thoughts to see whether they lead to heresy.

PrometheeFeu (profile) says:

Re: Re: Re: well, shit

Nobody is saying that they may examine her thoughts! We are saying that she has to hand over evidence which is in her possession when an impartial arbiter has determined that there is probable cause that the evidence is relevant to a case where she may have violated the rights of another individual. That’s it. What’s wrong with that?

Skeptical Cynic (profile) says:

I think I now have a new idea for a business

The Ultra-Secure Laptop. Guaranteed data destruction if your computer is every touched by law-enforcement.

“Have data you need to keep secure from prying eyes? Don’t want to have your stupidly kept documents incriminating you in court? Then buy the Ultra-Secure Laptop. Guaranteed to destroy all of your data the second any law-enforcement officer touches it!!”

Just have to work out the details now.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...