[Dshield] Fw: [ISN] Judge: Man can't be forced to divulge encryption passphrase
Jim McCullough
jim.mccullough at gmail.com
Tue Dec 18 01:04:46 GMT 2007
This could pose a challenge to other aspects of forensics for law
enforcement also. Such as the legality of breaking encryption for a
criminal investigation. Then comes even more questions after that.
On Dec 17, 2007 6:15 PM, <aihomes at comcast.net> wrote:
> This case has some pretty far reaching implications.
>
> If a precedent like this survives higher appeals court scrutiny, does this
> spell doom for future forensic investigations of any kind because PGP or
> other encryption solution is implemented by the bad guys?
>
> Maybe I'm reading this wrong...
>
> Even more critical, will PGP take cues and start building a backdoor into
> later releases of their solution?
>
> Sent from my BlackBerry(R) wireless handheld
>
> -----Original Message-----
> From: InfoSec News <alerts at infosecnews.org>
>
> Date: Mon, 17 Dec 2007 00:14:19
> To:isn at infosecnews.org
> Subject: [ISN] Judge: Man can't be forced to divulge encryption passphrase
>
>
> http://www.news.com/8301-13578_3-9834495-38.html
>
> Posted by Declan McCullagh
> December 14, 2007
>
> A federal judge in Vermont has ruled that prosecutors can't force a
> criminal defendant accused of having illegal images on his hard drive to
> divulge his PGP (Pretty Good Privacy) passphrase.
>
> U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with
> transporting child pornography on his laptop across the Canadian border
> has a Fifth Amendment right not to turn over the passphrase to
> prosecutors. The Fifth Amendment protects the right to avoid
> self-incrimination.
>
> Niedermeier tossed out a grand jury's subpoena that directed Sebastien
> Boucher to provide "any passwords" used with his Alienware laptop.
> "Compelling Boucher to enter the password forces him to produce evidence
> that could be used to incriminate him," the judge wrote in an order
> dated November 29 that went unnoticed until this week. "Producing the
> password, as if it were a key to a locked container, forces Boucher to
> produce the contents of his laptop."
>
> Especially if this ruling is appealed, U.S. v. Boucher could become a
> landmark case. The question of whether a criminal defendant can be
> legally compelled to cough up his encryption passphrase remains an
> unsettled one, with law review articles for the last decade arguing the
> merits of either approach. (A U.S. Justice Department attorney wrote an
> article in 1996, for instance, titled "Compelled Production of Plaintext
> and Keys.")
>
> This debate has been one of analogy and metaphor. Prosecutors tend to
> view PGP passphrases as akin to someone possessing a key to a safe
> filled with incriminating documents. That person can, in general, be
> legally compelled to hand over the key. Other examples include the U.S.
> Supreme Court saying that defendants can be forced to provide
> fingerprints, blood samples, or voice recordings.
>
> Orin Kerr, a former Justice Department prosecutor who's now a law
> professor at George Washington University, shares this view. Kerr
> acknowledges that it's a tough call, but says, "I tend to think Judge
> Niedermeier was wrong given the specific facts of this case."
>
> The alternate view elevates individual rights over prosecutorial
> convenience. It looks to other Supreme Court cases saying Americans
> can't be forced to give "compelled testimonial communications" and
> argues the Fifth Amendment must apply to encryption passphrases as well.
> Courts already have ruled that that such protection extends to the
> contents of a defendant's minds, so why shouldn't a passphrase be
> shielded as well?
>
> In this case, Judge Niedermeier took the second approach. He said that
> encryption keys can be "testimonial," and even the prosecution's
> alternative of asking the defendant to type in the passphrase when
> nobody was looking would be insufficient.
>
>
> Laptop files: Unencrypted, then encrypted
>
> A second reason this case is unusual is that Boucher was initially
> arrested when customs agents stopped him and searched his laptop when he
> and his father crossed the border from Canada on December 17, 2006. An
> officer opened the laptop, accessed the files without a password or
> passphrase, and allegedly discovered "thousands of images of adult
> pornography and animation depicting adult and child pornography."
>
> Boucher was read his Miranda rights, waived them, and allegedly told the
> customs agents that he may have downloaded child pornography. But
> then--and this is key--the laptop was shut down after Boucher was
> arrested. It wasn't until December 26 that a Vermont Department of
> Corrections officer tried to access the laptop--prosecutors obtained a
> subpoena on December 19--and found that the Z: drive was encrypted with
> PGP, or Pretty Good Privacy. (PGP sells software, including whole disk
> encryption and drive-specific encryption. It's a little unclear what
> exactly happened, but one likely scenario is that Boucher configured PGP
> to forget his passphrase, effectively re-encrypting the Z: drive, after
> a few hours or days had elapsed.)
>
> According to Niedermeier's written opinion, prosecutors sent Boucher a
> grand jury subpoena asking for the passwords because:
>
> Secret Service Agent Matthew Fasvlo, who has experience and training
> in computer forensics, testified that it is nearly impossible to
> access these encrypted files without knowing the password. There are
> no "back doors" or secret entrances to access the files. The only
> way to get access without the password is to use an automated system
> which repeatedly guesses passwords. According to the government, the
> process to unlock drive Z could take years, based on efforts to
> unlock similarly encrypted files in another case. Despite its best
> efforts, to date the government has been unable to learn the
> password to access drive Z.
>
> The opinion added:
>
> If the subpoena is requesting production of the files in drive Z,
> the foregone conclusion doctrine does not apply. While the
> government has seen some of the files on drive Z, it has not viewed
> all or even most of them. While the government may know of the
> existence and location of the files it has previously viewed, it
> does not know of the existence of other files on drive Z that may
> contain incriminating material. By compelling entry of the password
> the government would be compelling production of all the files on
> drive Z, both known and unknown.
>
> Boucher is a Canadian citizen who is a lawful permanent resident in the
> United States and lives with his father in Derry, N.H. Two attorneys
> listed as representing him could not immediately be reached for comment
> on Friday.
>
> So what happens next? It's possible that prosecutors will be able to
> establish that Boucher's laptop has child pornography on it without
> being able to access it: after all, there were at least two federal
> agents who looked at the laptop when the Z: drive was still unencrypted.
>
> But if this ruling in the case is eventually appealed, it could have a
> far-reaching impact in a pro-privacy or pro-law-enforcement direction.
>
> Michael Froomkin, a law professor at the University of Miami, has
> written that the government "would have a very hard time" trying to
> obtain a memorized passphrase. A similar argument, published in the
> University of Chicago Legal Forum in 1996, says:
>
> The courts likely will find that compelling someone to reveal the
> steps necessary to decrypt a PGP-encrypted document violates the
> Fifth Amendment privilege against compulsory self-incrimination.
> Because most users protect their private keys by memorizing
> passwords to them and not writing them down, access to encrypted
> documents would almost definitely require an individual to disclose
> the contents of his mind. This bars the state from compelling its
> production. This would force law enforcement officials to grant some
> form of immunity to the owners of these documents to gain access to
> them.
>
> But prosecutors think they can split the idea of immunity into two
> halves: divulging the passphrase, and then using the passphrase to
> decrypt the files. A 1996 article by Philip Reitinger of the Department
> of Justice's computer crime section proposes a clever device for forcing
> a defendant to divulge a PGP passphrase and then convicting him anyway
> (remember, the passphrase lets the key be used to decrypt the document):
>
> Finally, even if the foregoing considerations require the government
> to grant act-of-production immunity to compel production of a key,
> the scope of the immunity should be quite narrow. The contents of
> the key are not privileged, and it is the contents that will be used
> to decrypt a document. Therefore, the government can use the
> contents of the decrypted document without impediment. Unless the
> government cannot authenticate the document to be decrypted without
> using the act of production of the key, granting act-of-production
> immunity should have little effect.
>
> Translation: Giving a defendant limited immunity in terms of forcing
> them to turn over the passphrase can lead to a conviction. That's
> because the fellow technically isn't being convicted based on his
> passphrase; he's being convicted for what it unlocks. Isn't the law
> grand?
>
>
> __________________________________________________________________
> Visit InfoSec News
> http://www.infosecnews.org/
>
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> north if you can be in New Orleans. http://www.sans.org/info/15826
>
--
Jim McCullough
A friend is someone who will help you move. A real friend is someone who
will help you move a body.
- Unknown
More information about the list
mailing list