Innovation

Encryption blurs admissible evidence in child porn case

Sebastien Boucher was stopped at the United States - Canadian border on Dec. 17, 2006. At that time, agents inspecting his computer said that they found files containing child pornography. Boucher was promptly arrested, but when the authorities tried to access the files, they ran into the PGP encryption program.

Sebastien Boucher was stopped at the United States - Canadian border on Dec. 17, 2006. At that time, agents inspecting his computer said that they found files containing child pornography. Boucher was promptly arrested, but when the authorities tried to access the files, they ran into the PGP encryption program.

Boucher, a 30-year-old drywall installer, is a Canadian with U.S. residency in New Hampshire where he works. When he was stopped, he assisted agents in the initial inspection, which revealed files with names such as "Two-year-old being raped during diaper change" and "pre-teen bondage."

Boucher admitted to downloading pornographic images from the Internet through a news board but stated that he unknowingly downloaded images of child pornography. He claimed that he deleted images of child pornography when he realized it, according to an affidavit filed by Immigration and Customs Enforcement.

According to federal Magistrate Jerome Niedermeier on Nov 29, 2007, "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop. The password is not a physical thing. If Boucher knows the password, it only exists in his mind."

On the face of it, this case is simple — a person trying to carry pornographic images of children across an international border. The catch is whether the courts can compel him to voluntarily abandon his rights under the Fifth Amendment.

From the Globe and Mail:

Orin Kerr, a law professor and computer crime expert at George Washington University, said the distinction that favours the government in Boucher's case is that he initially co-operated and let the agent look at some of the laptop's contents.

"The government can't make you give up your encryption password in most cases. But if you tell them you have a password and that it unlocks that computer, then at that point you no longer have the privilege," he said.

Tien, the attorney with the Electronic Frontier Foundation, said a person's right to keep a password secret is a linchpin of the digital age.

Encryption is "really the only way you can secure information against prying eyes," he said. "If it's too easy to compel people to produce their crypto keys, it's not much of a protection."

Another point to consider is that if Magistrate Niedermeier's ruling is allowed to stand, the result could be "dangerous" for law enforcement. According to Mark Rasch, a privacy and technology expert with FTI Consulting and former federal prosecutor, "If it stands, it means that if you encrypt your documents, the government cannot force you to decrypt them. So you're going to see drug dealers and pedophiles encrypting their documents, secure in the knowledge that the police can't get at them."

At the end of the day, we have to consider some truly gripping questions. First, we have to recognize that the rule of law is the rule of law for all. If you fall into U.S. jurisdiction, you are subject to whatever ruling is mandated as "law" on this question.

If we say that by encrypting the files, the individual had a reason to believe that the information should be private, is it okay to say that when the individual is a suspected terrorist? Or pornographer? Or senior business official? Is one better than another?

If we decide that a person's Fifth Amendment rights are inconsequential, are they always inconsequential? Are we then compelled to self-implicate? Where does the Fifth fit in?

This brings us to some crucial underlying questions — Where is the line, and HOW do we draw it? Or is the question HOW do we define the line? Can law truly BE case-by-case?

While the first person to test existing law has an unsavory rationale, I have to ask- would you care more if the files under fire were private business documents? Would you feel differently if they were personal documents between you and your significant other? Would you feel differently if they were personal documents between you and your terrorist cell?

How do you think these documents should be handled? Because of their very nature, it seems as if each incident should be considered on its own merits, but how do we define the supporting law?

This isn't about one guy with questionable content on his laptop. It is much deeper, and the impacts of the answers are far-reaching.

Can you excuse pornography, even child pornography, to keep your business safe? How about your country? How do we define the boundaries, and what is our message to the law makers? How about to law breakers?

More information:

In Child Porn Case, a Digital Dilemma (Washington Post)

Child-porn case hinges on laptop's password (Orlando Sentinel)

Encrypted laptop poses privacy dilemma (CIO Today)

Editor's Picks