
Presumption of guilt: Your rights when it comes to data encryption

This isn't about the bad guys; we all know encryption helps defend against them. What isn't so clear is our rights to data encryption when dealing with the legal system.

I initially became interested in the topic of data encryption and the law due to the 2005 Minnesota appeals case, State of Minnesota versus Ari David Levie, in which Levie was accused of taking illegal pictures of a minor. I didn't follow the entire case, just the appeal. The court was deciding whether it was legal or not to enter certain evidence -- in this case, the fact that the defendant had an encryption utility on his computer.

The ruling

The appeals court unanimously agreed with the trial judge: The prosecutor could mention that an encryption utility was installed on the defendant's computer. That's it. Nothing about what's encrypted. Judge R. A. Randall mentioned the following in his opinion:

"Evidence of appellant's computer usage and the presence of an encryption program on his computer was relevant to the state's case."

I remember a prosecutor mentioning there was plenty of other evidence in the trial with the defendant being convicted based on that evidence. Why then introduce the information about the encryption application?

I have read numerous articles interpreting what the appeals court ruling means. FUD factor aside, many feel this is a dangerous precedent because the mere presence of an encryption utility seems to imply criminal intent. Their worry is that implication alone appears to be good enough.

Another case

A few years later in 2007, U.S. versus Boucher caught my eye. In this case, a U.S. Magistrate Judge decided the defendant was not required to divulge the password for an encrypted hard drive, saying that it violated 5th Amendment rights, the amendment protecting an individual from self-incrimination (to plead the 5th).

That ruling gave the privacy advocates some relief. But, U.S. versus Boucher was appealed in 2009. The case was overturned. The responsible U.S. District Judge's reasoning was:

"Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive."

The prosecutors are learning. They changed tactics in the appeal:

"The Government stated that it does not in fact seek the password for the encrypted hard drive, but requires Boucher to produce the contents of his encrypted hard drive in an unencrypted format by opening the drive before the grand jury."

I have not been able to find out what the new verdict means officially. I suspect the defendant will have a choice to make.

Data encryption laws elsewhere

Other countries are dealing with this issue as well. The UK has an actual law: Part III of the Regulation of Investigatory Powers Act (RIPA) gives police authority to ask for encryption keys or for the data to be decrypted. The Register has an interesting article, "UK jails schizophrenic for refusal to decrypt files," which describes the circumstances behind the first person to be jailed under RIPA part III.

According to the Register, the case was a bit rough. It appears the defendant and his model rocket were never a real threat.

EFF's suggestions

I found little documentation as to what our rights are when it comes to encrypting data. Then, I remembered the Electronic Frontier Foundation's Web site. It's not much, but the EFF offers the following advice:

  • Do not give the password to the authorities during the search; you have the right to remain silent.
  • Call a lawyer; in fact call a lawyer immediately upon being searched.

What happens next depends on individual circumstances. The EFF has this to say:

"A lawyer may be able to get your property back if the warrant was improper, negotiate a deal with the government's attorneys to limit the search or get important files back, or convince the court to strictly limit the search so that they won't search files that are legally privileged (like confidential legal or medical records), protected by the First Amendment (like private membership lists), or irrelevant to the case."

Their advice turns a bit nebulous when dealing with a prosecutor:

"A prosecutor may ask a judge to order you to turn over your password. The law is unclear on whether such an order would be valid, but that is a matter to face with the assistance of counsel. No one other than a judge can force you to reveal your password."

Final thoughts

We are told to use encryption. It prevents the bad guys from stealing our data and identities. That's good advice. It is also in our best interest to know the ramifications of using encryption. The only problem is no one seems to know what they are.


181 comments
HAL 9000

Many years ago when I worked for a bank we used to have to carry around NB's and with all of the Technical Staff we had a form in Triplicate made up by the Legal Section which we had to hand over to anyone who wanted to look at the stuff on the NB. It listed their Name to be filled in date and so on with a Provision that they would not use any information that they saw on the system for Personal Gain. I don't know just how enforceable that was but the mere fact of handing it to them to fill in before allowing them to look at the contents of the NB was enough to get everyone that asked me or my staff for a look see to withdraw the request. Most Petty Bureaucrats do not like to be in a position of being held responsible for their actions and do not want a bar of being involved if they have to take responsibility for their actions. ;) Col

etkinsd

even a kid still in law school should have been able to defend the U.S. vs Boucher case. If the prosecution needed the encryption key, it clearly means they don't know what is on the machine; how is that "evidence". Evidence is things that on their face can prove a crime. If the prosecution has no idea what is on the drive; then they should be allowed to go fishing. What if the guy had hand written notes that were encrypted? How would they be allowed to get the "password" then -- through torture? This is bad legal precedence.

Deadly Ernest

is that you need to consider a basic standard defence of 'No way, Jose,' just as a matter of principle right at the start. Refuse to hand anything over or answer questions until your lawyer arrives. Only hand over information AFTER you've had a chance to stand in court and hear their reason for the search and give your reason for them to take a long walk off a very short pier. The reason for this is - once you say 'OK,' to one lot, they get ten times as pushy when you do draw a line. So to keep the overall pressure low, you state up front that it's a policy of NO right from the start - make them prove they have a prima facie case to get access to the data before you even think about it. Hell, the US government does the same thing when asked if a ship has any nukes on board, and always have. So they can't complain about the same policy procedure.

Neon Samurai

If I have a combination locked safe and contents can be proven relevant to the case then I'm likely going to have to provide that password or open the safe myself during the search. Why is an encrypted computer system any different? If it's proven relevant to the case then the invasion of privacy may be justified. The bigger risk is in treating it differently to justify opening up the digital safe without just cause for search. Sadly, this is encryption which has always been treated differently. At one time I could walk across the US border with a locked brief full of papers but if I transferred that same information with strong encryption then I'd be committing a crime. Even now, we don't question a lock on a car or home but a lock on a digital file.. it must be criminally related then.

jck

Then what the hell are they going to do if you don't put in the password for them? Hang you by your toenails and beat you with a wet noodle? Call the NSA and say "Hey, can you guys crack this hard drive for us cause we think this guy stole two twinkies from 7-11?" Sit on your password. When they can't prove anything, get your stuff back...and move on. Just hope law enforcement doesn't use any tempest methods to capture ur stuff.

santeewelding

Are they the "God-given" kind? The kind you keep while your fingers one at a time are being smashed with a hammer? Or, is this about convention? The kind where you stupidly acknowledge and open your stupid mouth to begin with, oblivious to the conservatorship of custody that begins the moment your forward movement is arrested?

HAL 9000

On the part of the Authorities. A little known fact is that these Encryption Methods must be breakable and that way to break them supplied to the Relevant Authorities before that product can be put on sale. If they want to demand the Password all it shows is that they are unwilling to spend the necessary Time & Money to do their Jobs properly. Or that they really do not have the authority to look in the first place to begin with. But saying that I have no reason not to hand over Passwords for my files. But it all depends on whose files I'm carrying at that time when asked as to what I would do. Files of Commercial Confidence in nature I do not believe I am required to expose to anyone who asks. If they want they can get a Court Order to Access the Files but if they are willing to do that they may as well do their job properly and use the supplied Decryption Tools to read all of the Data on the Storage Devices. ;) Col

david_heath

"they won't search files that are legally privileged (like confidential legal or medical records)" So, perhaps we should name our encrypted volumes "Conversations with my Lawyer" or something else that would give similar cause for pause.

larrie_jr

Is this really any different than a lock on a box? What are the ramifications to not opening (or giving the key) to a lock box? We all have them. Fireproof 'safes' for which we keep our Birth Certificates, SSN, whatever. What if there were incriminating evidence in there among the legal documents? I see no difference. You got to give it up.

Dusterman

This now is so common an issue that we don't even realize that the governments [ most that work closely with the private sector ] merely want to get information that they can use for the betterment of their country. That my friends is a fact. Our government is and was just as flagrant about the acquiring of secure information in this manner. They claimed it was in our national security, I am sure that spies encrypted the info and then entered a country and then didn't claim diplomatic immunity...right........it is merely about a country making every effort to keep their country as up to date information wise as possible... If you really don't believe that every government doesn't have their private "sectors" or universities that they have to relay the corporate information that they gain this way ...well let me sell you some of the land that I have access to in FL...it's just a little wet :-) . Happy holidays everyone ! !

Deadly Ernest

I must admit I'm not enough into the data encryption system to know if this will work, but many programs are now cross platform, and you can share data drives with multiple operating systems. So what if: 1. Computer has two logical drives on it; first is MS Windows with apps and second is the data drive. 2. Create a file on the data drive with an encryption app that is available as a Windows version and a Linux version, and able for multiple encryptions. 3. Access the file from a version of Linux on a USB drive and have this encrypt the data using a second encryption app and password that's on the USB drive, and then encrypt that using the same app and password that's available through Windows. What happens when the thought police arrive? They find PC and ask for password - you give password. They enter password in Windows, file decrypts and is still gibberish due to other encryption and password not known to Windows. They complain, and you lodge a complaint about how their ham fingered staff have corrupted all your commercially confidential data and just cost you millions of bucks. Then let them try and prove how it happened.

Deadly Ernest

in the virtual world to fight this sort of intrusion into personal life. Call it the -- Keep Individuals Defending International People's On-line Rights Network - and allow free or cheap membership. See how the thought police feel after they see you have your KIDIPORN site bookmarked with a saved password, and when they get there it's all about rights and freedoms and NOT nude children doing things they shouldn't.

Craig_B

If you do not encrypt your data in the first place, we know what someone will have access to.

LocoLobo

figure you can't afford to go to trial unless you have lots of money. So their job is to plea bargain. Whether you like it or not.

Michael Kassner

I mentioned that in the article as being what the EFF recommends.

DSCtsuru

Last time I went to Toronto, the Border Patrol wanted my old HP turned on so they could browse my files. I was pulled aside and had to plug in and wait for my battery to recharge. They got it all; pics of my kids, wife and cats, the PPs of the cabling layout, an unfinished tax return (unencrypted), and some spreadsheets. When they saw the PPs, I had to play them and when they saw the architectural drawings with "all those lines", the CMP wanted to know what those were (especially since it had an address on it). 3 hours later, I got to go. I think I empowered those that were downtrodden that day. Made them feel important instead of impotent (there's a joke in there somewhere). No Due Process, No Warrants, Just a simple command, "turn it on and let us see what you have" ... or else.

Ocie3

the decryption key that I used to secure a PKZware .ZIP file of medical information. I wish that He (or She) would tell me what it is!

Neon Samurai

It's not a retail product and is also open source providing wide peer review. Maybe there is still a backdoor code but it's very unlikely.

Ocie3

Quote: ".... A little known fact is that these Encryption Methods must be breakable and that way to break them supplied to the Relevant Authorities before that product can be put on sale." Are you referring to British or Canadian law?? As far as I know, that is no longer true in the United States. For a long time it was all but illegal for anyone to develop encryption/decryption systems, although it was pursued as a matter of "academic freedom" by various "researchers", who were always skirting the edges. After that ban ended, PGP, PKZip file encryption, independent encryption utilities, the public development of AES, and HDD utilities like Jungle Disk and TrueCrypt all became possible. Whether the Authorities are being lazy, not in the USA. The National Security Agency might have enough computing power for a massively parallel brute force attack on a document or picture encrypted with AES, with a rendering of it in plaintext within a reasonable amount of time (at enormous cost!), but why would they bother with yours or mine when they have so much more important bitstreams to decipher?? Not even the FBI, nor the DEA, can decrypt the communications of organized crime nowadays.

Michael P.

with -any- evidence that an Encryption method has to supply "Authorities" a way to break it before it can be sold? In the case Michael cited, U.S. versus Boucher, the Gov't has had Boucher's computer for almost 2 years and has been unable to decrypt the PGP drive. Could it be, even in this present climate of going after Child pr0n so heavily, that he is just a small fry and not worth divulging that PGP is cracked?

Deadly Ernest

find the locked box in an area where they already have a search warrant for that area, thus they've already got other evidence to justify a search for FURTHER evidence; while what this pushes is the power to demand the key when they do NOT have a search warrant, and all they have is they're checking your computer at a border crossing or some other general public search area. Yes, a search of all vehicles on a road for someone smuggling drugs can justify a request of ' unlock that box, please, sir.' But it doesn't justify a data search, which this power being discussed enacts.

techrepublic@

Police want to open my locked safe? Use a sledge hammer!

Michael Kassner

In researching, I found a dissertation about this exact subject. I was surprised to learn the law seemingly considers them different. I will try and find that paper and post the link here.

Curious00000001

Unfortunately unless they really are incompetent they will follow procedures and will not even touch your actual computer other than to make a forensic copy which they will use. Makes me wonder... what about an encryption suite that ties to a specific hard drive mounted on a specific machine??? Their forensics would not work forcing them to use the actual machine and giving you deniability!!!

Curious00000001

Keep the membership free and sign me up for an account ASAP. Now to find a way to get my computer searched without actually doing anything wrong...

Michael Kassner

A person of logic. Lesser of two evils is always a good choice.

HAL 9000

But I did love some of the looks on faces when they looked at what they were asked to fill in before they suddenly dropped the need to see what it was I was carrying. ;) Col

Deadly Ernest

that you should NOT let them into your house or office, but go outside to talk to them. That way, they have NO legal reason to enter until AFTER they see a judge and get a search warrant that details what they're looking for, and where. Also, insist on a supervised single searcher; it makes it so much harder for them too.

Neon Samurai

I'm not surprised by your delays when it comes to travel and borders. I have to side with Mr Schneier on the idea that border security seriously needs to be rethought and reimplemented in a way that actually improves safety rather than fulfilling the government's need to snoop without just cause.

Deadly Ernest

before a court, before they see it - if they can do that, they can just as easily get a search warrant in the first place. If they can't, they have no right to force you to open your file or your locked room.

jck

However if there is no discovery of wrongdoing, and no proof beyond a reasonable doubt that you were doing an illegal act...they have no grounds to pursue the charge and a good attorney would move for a dismissal. I mean, they can't put you in prison for suspicion of having illegal files...can they? I would think the most they could do to you is what they do to reporters for not revealing a source of information. After all, the hard drive is the only thing that will tell them what it knows if you tell it to...just like a person. Luckily, I don't have to worry. I will let anyone look at my hard drive. Tip to criminals: Keep all your questionable stuff on a cheap usb stick that you can drop on the ground and crush useless in one step. :^0

HAL 9000

I'm assuming that you are aware that all Telephony in the US is Monitored are you? The same Organization who monitors US Traffic is also responsible for monitoring International Telephony Traffic in other parts of the world and to this end they have massive Sites in service around the world. Here in AU they run a place called Pine Gap which is one of their smaller Interception Facilities. ;) Col

HAL 9000

Microsoft Coffee That's been in the news recently and is just one of the weaker tools available. OH Don't bother looking on M$ Web Site I don't think they have anything about it available unless you qualify. The other tools available I'll not talk about as to my limited knowledge they have not been mentioned ever in any of the media. ;) Edited to add: Also the supposed Strength of all Encryption is set on 1 File being intercepted and is a Theoretical Time that it would take an Unsupported Person to break the Encryption Key using a Brute Force Attack. When you have more than 1 file to play with using the same encryption system the chances of breaking that Encryption expand exponentially. So the more that you have to work with the easier it is to crack. I still maintain that the people prosecuting the listed case here Did Not try very hard at all and definitely Did Not pass a Cloned Image of the HDD of this person's computer to the Proper Authorities who have the Know How and Ability to crack the Encryption. ;) Col

Deadly Ernest

But, I do remember, some time ago, part of the problem with the creator of PGP had with the US government was his refusal to give them the information on how to crack it and another part was his refusal to hold back on its release. A big issue was made at the time, and I vaguely remember the US passing a law requiring the people who create encryption programs to include a method for the US authorities to easily crack it or access it via a back door. The down side for the US being they had no success in being able to enforce that law on people outside the US who created encryption software - thus the big issue re the Russian ex military encryption software that was used by a paedophile ring a few years back, the US authorities couldn't crack it (as they change the code too often to allow that) until they got someone inside who had the current code. Anyway, 99% of the government claims about fighting child porn are pure BS as the major child porn rings broken in the last several years have all been using VPNs for P2P transfers and the break has come through normal police work.

david_heath

Only by opening the item would they know - are they brave enough to do that?

Deadly Ernest

this is the long term aim of Microsoft - just imagine having all your data automatically encrypted, if you want it or not. Then, any change to the OS or the motherboard or the HD, and you can no longer get any of your data. http://en.wikipedia.org/wiki/Trusted_Computing quote Sealed storage Sealed storage protects private information by binding it to platform configuration information including the software and hardware being used. This means the data can be read only by the same combination of software and hardware. For example, users who keep a song on their computer that has not been licensed to be listened will not be able to play it. Currently, a user can locate the song, listen to it, and send it to someone else, play it in the software of their choice, or back it up (and in some cases, use circumvention software to decrypt it). Alternately the user may use software to modify the operating system's DRM routines to have it leak the song data once, say, a temporary license was acquired. Using sealed storage, the song is securely encrypted using a key bound to the trusted platform module so that only the unmodified and untampered music player on his or her computer can play it. This will prevent people from buying a new computer, or upgrading parts of their current one except after explicit permission of the vendor of the old computer. end quote NB: This type of encryption is already available in some versions of Windows 7 - and don't you love the way RIAA can force you to have to buy a copy of their song for every computer you have, so your kids can't borrow your copy, like when they borrow your CD - and a new copy when you upgrade, as required by the new version of Windows due out in five years or so.

LinuxPops

It's bad enough they are trying to get your key but recently the police have not been returning hard drives for a long period, if at all. Would I want all my data out there for someone else to pillage? If the hard drives get sold at an auction, you could really be in some trouble.

OH Smeg

I worked Up North in the middle of nowhere for a few years and you may be interested in what they have on that site. The funny thing is when I first started they showed me around the entire place inside buildings that I wasn't allowed into after I was actually working there. That's Security for you. :^0 But the places outside the US that monitor Telephony Traffic are not actually involved in the Internal US Monitoring but possible threats to the US. So as a result they get to listen in to everything around the world. Ain't National Security Grand. ;) Col

Deadly Ernest

of the US monitoring actually takes place in Canada or as the signals cross the US border, or any other radio receiver.

Ocie3

a judge (in the USA) will quite likely appoint a "neutral party" as an agent of the court -- sometimes called a Special Master, or Referee -- with the power to examine the "confidential records" to ascertain whether that is, indeed, what they are. If that agent reports that the contents are not confidential records at all, your goose is cooked.

Deadly Ernest

between them while in transit. You hand over the codes and the Trusted Computing encryption like BitLocker will continue to refuse to decrypt the drive, thus frustrating the cops. Even if you have a clean system and if they take an image, the code won't work on the image at all as it's NOT in the system with the right motherboard and CPU or copy of the OS.

Curious00000001

This is not what I was talking about at all!!! My idea was supposed to help me not hurt... I take my idea back, they can't have it /stomps foot /sigh oh well all is lost, unless a VM would circumvent this!

Michael Kassner

The drive was encrypted in the example. So selling it is not a problem, right? Isn't it easier to ditch an encrypted flash drive before having to go through all sorts of legal issues about it?

Deadly Ernest

have in getting access to study the material to prepare your defence.