43 comments

[ 2.6 ms ] story [ 231 ms ] thread
If it were possible to prove that I didn't remember the password to my encrypted drive, would I be violating some law that I could get into trouble for?
That would be rather difficult to prove. Conversely, it'd be difficult to prove that you didn't forget the password. I think it comes down to a Fifth Amendment issue. If a judge decides it's not protected under the Fifth Amendment, then I suppose you could be held in contempt of court.

http://www.brettwmartin.com/contempt-of-court-in-colorado/co...

How could you prove that I didn't forget it? It's impossible.
It's impossible to prove it beyond a reasonable doubt, but there could be a preponderance of evidence that you didn't forget it. For instance, someone could testify that they saw you log in the day the computer was seized.

http://en.wikipedia.org/wiki/Legal_burden_of_proof

However, you could argue that you didn't log in using your PGP password that day, but rather your OS level password. Your habit is to never shut down your computer, but rather to let it stand by, so very rarely do you ever use your PGP password. Earlier that week you changed your PGP password, but you can't remember it. The password went something like blah blah blah. This way you are cooperative, without turning yourself in.

It would be akin to say "this safe? I lost the keys.", wouldn't it? I don't know what's the standard way of dealing with that either though.
Depending on what was inside of it, they would just have someone open it.
I imagine with enough willpower or strength any safe can be broken into. Not so much with encryption.
I misread that as "colocated woman".

(Edit: This comment made sense before the title was edited.)

(comment deleted)
Yes, my apologies. After I read your comment I no longer read the "Colo." as an abbreviation for a state; now it instantly meant "colocated." :(

My thanks to whomever fixed it.

I would refuse to decrypt the drive, even though it would be contempt, but everyone has to decide for themselves what battles are worth fighting.
I would like to see them prove that I knew my password. That would be an interesting precedent.

On an unrelated note, these people are probably guilty and it is a bummer that I have to choose to side with them because letting them go free is better than giving the government one more tool to erode privacy.

I would too. County jail is a lot better than federal prison. (Anything that you'd want to encrypt is going to get you life in prison these days, so it's not like you have anything to lose.)
>(Anything that you'd want to encrypt is going to get you life in prison these days, so it's not like you have anything to lose.)

There's more you can use encryption for than just illegal activities. Personal and financial information comes to mind, as do company secrets.

I wonder what the penalty for contempt is?

let's say it's a high-profile murder case, and they need the info on the drive to make it stick. Without the drive, there is no case. If the defendant gives over the key, they get 25-life, what's the penalty for contempt?

In Colorado, it looks like the maximum sentence for contempt is 6 months. In Wyoming (my state), the max is 90 days or a $500 fine. I would choose contempt.
Every 6 months (or 90 days) the judge hauls you in to court and orders you to give up your password until one of you breaks.
"Federal prosecutors argue that not allowing the government access to encrypted computers would make it impossible to prosecute crimes such as terrorism, child exploitation and drug trafficking"

good old 'think of the children'

What I find annoying is the use of the word "impossible". Really? If everyone used encryption, the number of successful prosecutions of these crimes would drop to zero?
We should ask if before everyone had a laptop, and before those laptops were encrypted, haven't those crimes existed and be prosecuted in the first place?
That line just bugs me on so many levels. Why can't they prosecute those cases without having the data on someone's laptop? What can someone have on a laptop that can be so important that without it it becomes impossible to convince a jury?

Honestly, I think if the prosecution is unable to move forward without that data, then they had no hope in the first place.

Wouldn't an obvious case be possession of child pornography?
(comment deleted)
I disagree. In cases of fraud, logs, emails, and spreadsheets could all be used to guarantee a case— especially if it's the online variety.

From my understanding, you're basically asking for the prosecution to prosecute a murder case but not allow them to use the murder weapon— with the person's prints on it— as evidence.

Wow, that raises so many interesting questions / loopholes / stupid scenarios.

1. What if I encrypt the drive twice? Sure, I'll decrypt the first layer, then they can have the "contents" of that.

2. What are the legal implications if I've "encrypted" something written down? i.e. replaced every letter with the next letter in the alphabet. Do I have to decrypt that?

3. What are the legal implications if I've written things down in another language, known only to me - can I be forced to translate it? I would think a nice defense here is to say they can have the disk, it's just in another language, which is their problem.

4. Further to point 3. what if I have the info on a drive with a File System that only I can read/write? Do I have to give them the tools to read the file system?

5. Similar to point 4, I write my own custom binary file format that only I know how to read/write - again, do I have to describe the file format?

This is about to get crazy.

As a response to #1, I'm pretty sure that wouldn't hold up. Unless they specifically state that she will "Run the XXX Algorithm on the drive" It's probably legally sound that she has to fully decrypt all the data.

#2 probably holds similarly. The remaining ones are just getting more ridiculous.

This is far from over. There is still the matter of "I forgot". (No, the judge might not like that, but on the other hand, if she did actually forget...)
How is this different than being forced to unlock something like a filing cabinet or empty your pockets, or open the storage locker as part of a police investigation?

this is investigating a specific crime. It's not like being forced to decrypt when the police are fishing for a reason to bust you. (or NYC's stop-and-frisk emptying of your pockets which I firmly oppose)

Should we all be storing our hard drives in a lockable vault, such that we can get the legal protection that physically sealing it would do?
No. My point is that search warrants should cover decrypting your digital data in exactly the same way that they allow the police to search your home, your office, your storage locker, your safe, etc.
Why not treat cryptography as a novelty?

A nice outcome is that it avoids all the issues surrounding guessing whether the key to the random bits even exists, and what form it takes, and whether there is more than one key, and so on.

For all anyone can prove, its random data. What are they going to do next time I safely erase a file? Throw me in jail for contempt because I can't magically turn the random data into incriminating evidence?
The decrypted data could be random, but afaik, encrypted data does have patterns that are evident of encrypted data.
Usually this is only in the form of a header on the block device. Dm-crypt on linux has a mode called 'plain'. This uses the sector number and passphrase/keyfile to generate a unique encryption key for each sector. This means there is no meta-data, and corruption of any physical sectors map directly to the unencrypted block device. In this case, it does look just like random data.
Future solution: Create a killswitch password that completely erases specific directories when used.
This would hardly solve the problem. By the time they would have you decrypt, they would have made a disk image of the drive in question. When you enter the killswitch, they could simply restore, and request that you try again, not to mention that that is then suddenly better evidence against you.

The best solution seems that it may be nested encrypted partitions. ala, the trucrypt solution: http://www.truecrypt.org/docs/?s=hidden-volume

Steganography FTW, here. "Here you go, I've decrypted my hard drive. Now, somewhere in my gigs of cat photos and music lie the documents you're looking for. Have fun."
Unless the US specifically has laws about not revealing passwords, all this couple have to do is claim they forgot it.

Even if that failed, the most the judge can add to their charge is contempt of court...

This is clearly a fishing expedition (unlike, allegedly, the cited border child pornography case) by government agencies AND the justice system trying to set a precedent for searches without existing hard evidence of a crime.

I have many encrypted files that I do not know the password to. The passwords are in an encrypted keychain that I do know the password to. If I delete the keychain, there is no way that I will be able to decrypt those files.

What would happen if the courts ordered me to decrypt a file where I no longer have access to the password?

What encryption software is this woman using?