
Personal data encryption, IT and the Fifth Amendment

Last week, a federal court for the first time ruled that the Fifth Amendment of the U.S. Constitution -- the right to not self-incriminate -- protects against "forced decryption."

It's a ruling that has IT departments scrambling to make sense of it all. Make that two rulings.

Last week, a federal appeals court for the first time ruled that the Fifth Amendment of the U.S. Constitution -- the right to not self-incriminate -- protects against "forced decryption." The panel, from the 11th Circuit Court of Appeals in Atlanta, ruled that a Florida district court violated a defendant's rights when, acting on a grand jury subpoena, it gave him the choice of either decrypting his TrueCrypt-protected drives or going to jail for contempt. The privacy watchdog group Electronic Frontier Foundation (EFF) called this "a major victory for constitutional rights in the digital age." You can read the full ruling in the case -- called United States v. Doe -- here. Read it for yourself.

It's a controversial ruling that enterprises should watch closely. The defendant, identified in the opinion only as Doe, invoked the Fifth Amendment when the court ordered him to decrypt his TrueCrypt volumes. That on-the-fly disk-encryption program kept the FBI agents who arrested him from reading any of the data on the notebook computers and external drives they seized along with him.

The EFF was exultant. "The government's attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent -- having to choose between self-incrimination or risking contempt of court," EFF attorney Marcia Hofmann said in a statement. "We hope this ruling will discourage government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption."

This is definitely a first. I called some of the CTOs and IT pros I know to get their take. What if your users use a program like TrueCrypt on the laptops or other personal devices they use with company data? If, say, a company terminates an employee -- does this ruling mean the company could not legally force him or her to reveal the encryption password?

What about opposing rulings?

What if the company believed the employee had violated laws, too, civil or criminal? Or just policy? The questions run deep.

Another court -- one in Colorado -- not long ago rejected an appeal in a similar case, in which a judge had ordered a woman to decrypt her laptop in a real estate fraud prosecution. We've got a big gray area here. And, you might worry, a powerful precedent.

As legal experts weigh in on either side, here's what a sampling of IT professionals told me.

Peter Baer Galvin, a Boston-based CTO at the VAR Corporate Technologies, said it is all too easy "to have a home directory that syncs automatically from the laptop back to the servers, caching the contents on the laptop. It’s easy for a user to create a separate encrypted file and keep the keys to themselves. Legally the contents of that file belong to the company because it’s stored on a company laptop." Galvin says, "But of course the encryption would prevent the company from finding the contents. If those are important documents then the company seems to be out of luck."

This wouldn't let employees hide their email, Galvin emphasizes. "Email has to go through servers to get delivered. MS Exchange, for example, has a setting where it can save all email for a period of time, even if the user deletes it or encrypts it at rest on the laptop." But what of the rest of the data?

Jeremy Lesniak, an IT pro and the founder of Vermont Computing in Duxbury, VT, had harsher words. "If the company didn't mandate any form of backup to their own servers, it deserves to lose its data. That's an amateur mistake. There are certainly strong differences between this (alleged criminal) case and a company mandating that the data on a laptop be returned. Whether there are legal differences," Lesniak says, isn't as clear.

Eric Finkenbiner is a foreign service IT specialist for the U.S. Department of State, currently stationed in Rangoon, Burma. He has a mixed reaction. "There are a few different ways that I would approach this," he says, boiling it all down to either "virtualization or lockdown/separation."

"Currently, I see the pendulum swinging back in favor of virtualization (terminals) versus PCs. In many larger enterprises, even if a user has a laptop it is simply the hardware used to tunnel into a corporate portal where all the data actually resides. At that point, using TrueCrypt locally should pose no risk to corporate data since it is in its own sandbox on the user's device.

Not all businesses can afford such software and infrastructure. In those cases, any IT dept worth its salt would be wise to lock down PCs to the point where users wouldn't have the proper rights to install TrueCrypt or any other encryption software. Additionally it's important to educate users to keep their personal and business data separate.

My personal opinion is that this ruling is a good thing. The reality is that you can't prevent this 100 percent of the time. But by making the right thing to do the easiest and most natural thing to do, you avoid most of the problems."

Rob Maxwell, senior security engineer at the University of Maryland at College Park, said the decision initially startled him. And he provides some more background. "Businesses need to be using encryption to protect their data, but they need to be protecting it in other ways, as well. And they should be using an enterprise product with (at least) a key-escrow system. People lose passwords all the time, and sometimes things just break. There needs to be a master key with the company to ensure that important things don't disappear by accident.

"If you have to worry about employees stealing documents, or not storing them as they should," adds Maxwell, "you have HR problems, not encryption problems."

Another distinction enterprises should keep in mind: "Encryption only protects data at rest," he says, emphasizing the words "at rest." He continues: "If your machine is compromised by a hacker looking to steal your data, that hacker will wait until you decrypt the data to use it, then grab it. The user cannot work with their own data while it's encrypted either. Encryption saves headaches when external drives or laptops are lost or stolen."
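Maxwell's point about key escrow is the one piece of this that IT can actually build. The block below is an added example, not code from the original article or from any product it mentions: the file is encrypted under a random data-encryption key (DEK), and the DEK is wrapped twice, once under a key derived from the user's passphrase and once under the company's escrow key, so the company can open the file when the employee is gone, has forgotten the passphrase, or simply refuses to talk. It uses only the Python standard library; HMAC-SHA256 in counter mode stands in for an AEAD such as AES-GCM so that it runs without third-party packages, and the iteration count and the in-memory escrow key are assumptions for illustration (a real escrow key belongs in an HSM or KMS).

```python
"""
Envelope encryption with a company escrow key (added example, stdlib only).

  file ciphertext  = seal(DEK, plaintext)
  DEK for the user = seal(KEK derived from passphrase, DEK)
  DEK for escrow   = seal(company escrow key, DEK)

Either wrapped copy recovers the DEK, and therefore the file.  HMAC-SHA256 in
counter mode replaces AES-GCM here only to avoid third-party dependencies;
the key hierarchy, not the cipher, is the point of the example.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware and threat model


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from the user's passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Split one key into independent encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; a nonce must never repeat under one key."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def encrypt_with_escrow(plaintext: bytes, passphrase: str, escrow_key: bytes) -> dict:
    """Encrypt under a fresh DEK and wrap that DEK for both the user and the company."""
    dek = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "dek_for_user": seal(derive_kek(passphrase, salt), dek),
        "dek_for_escrow": seal(escrow_key, dek),
        "ciphertext": seal(dek, plaintext),
    }


def decrypt_as_user(package: dict, passphrase: str) -> bytes:
    """The everyday path: the user's passphrase unwraps the DEK."""
    dek = unseal(derive_kek(passphrase, package["salt"]), package["dek_for_user"])
    return unseal(dek, package["ciphertext"])


def decrypt_as_escrow(package: dict, escrow_key: bytes) -> bytes:
    """The company's recovery path: no passphrase needed, only the escrow key."""
    dek = unseal(escrow_key, package["dek_for_escrow"])
    return unseal(dek, package["ciphertext"])


if __name__ == "__main__":
    # Constructed sample data. A real escrow key lives in an HSM or KMS, never in code.
    escrow = secrets.token_bytes(32)
    pkg = encrypt_with_escrow(b"Q3 forecast: confidential", "correct horse battery", escrow)
    print(decrypt_as_user(pkg, "correct horse battery"))
    print(decrypt_as_escrow(pkg, escrow))  # works whether or not the employee cooperates
    try:
        decrypt_as_user(pkg, "wrong passphrase")
    except ValueError as err:
        print("user path with wrong passphrase:", err)
```

Two properties matter for the scenario in the article. The escrow path depends only on the company key, so losing the employee (or the employee's memory) does not lose the file; and a wrong passphrase or a tampered blob fails the MAC check before any plaintext is produced, rather than yielding garbage. The flip side, which Maxwell's caveat about data at rest already hints at, is that whoever holds the escrow key holds every file, so access to it needs the same logging and two-person controls as any other master key.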

What do you think? Let me know below. I'll add to this as I get more reaction from CTOs, IT pros -- and of course corporate and legal analysts.

About

Gina Smith is a NYT best-selling author of iWOZ, the biography of Steve Wozniak. She is a veteran tech journalist and chief of the geek tech site aNewDomain.net.

31 comments
Yangtze

I have a problem with your followup conversations with IT professionals and the use of company equipment. This court ruling would have no application in such. If an employee puts unauthorized software on a company computer, then the employee (or ex-employee) would be compelled to provide any passwords for that software, and there is no court on this planet that wouldn't. If he uses someone else's equipment to enact a crime, he was too stupid to begin with. However, the use of personal equipment would be covered by this ruling. And don't get me started on having company information on non-company equipment. That's the whole issue behind the BYOD debate. Courts will always rule in favor of the company when there is company data and information NOT on company equipment.

NickNielsen

The 11th Circuit Court of Appeals is located in Atlanta, not San Francisco.

buchanan_david

One need only look at the erosion of our 2nd Amendment rights to see the technological pitfall this ruling could have created for essential personal liberties provided in the 5th Amendment. "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin

SHCA

Jeremy Lesniak and Rob Maxwell hit the nail on the head. It's up to the company to maintain and protect its property. Illegal copies need to be destroyed, not viewed. As stated by Tom Marsh, any employment agreement should include company ownership rights of all data. If the company is not doing that, they deserve what happens. Beyond that, simple IT good practices would ensure that no employee can possess the only copy of a company document. Therefore encryption is a non-issue; once the employer has shown that the document comes from company property, the company has a right to destroy (not view) any such illegal copies. Similarly if the encrypted file is on a company computer, the company should have no problem wiping the computer regardless of encryption.

jbookout

I got to thinking about my response and realized it was a bad example. Let's try this: if someone has a safe in their house that may have incriminating evidence in it, is law enforcement allowed to force you to open that safe and jail you for contempt if you refuse? If so, then they should be able to force you to turn over your password. If not, then they shouldn't.

jbookout

You may have something in your house that would incriminate you. Should we not allow law enforcement to enter someone's residence because something in there may incriminate them? If law enforcement has a warrant, are they not allowed to bust down the door to enter the residence if the owner refuses to give them the key?

ReliableEnergy

I think such issues come mainly from poor IT management practices. First, the company should have updated IT policies in place. Second, giving local admin rights to all the staff is not wise. A company can set up enterprise backup software to back up data from users' work PCs. With local admin rights people can do nasty things intentionally or unintentionally.

BdeJong

It's about the right to not self-incriminate. They are stating you should not have to give your house key to the government. It should not mean they are not allowed access to your home; those are two separate things.

bhoffman

By the way, the court in San Francisco is the Ninth Circuit court. People are commenting that they don't get it or that people who assert their rights must be dead guilty, etc. Everyone seems to forget that we are supposed to assume that someone charged with a crime is not guilty until proved otherwise. That we are not to be subject to searches unless there is probable cause. And that we are not required to provide evidence against ourselves. The government is not permitted to use its probable cause as an excuse to do a broader search. These are important rights that we all deserve. If the government has a case against you for committing a crime then they can present it and you can defend against the evidence that they provide. That's how our adversarial system works. The government has awesome power and resources that few can match. No one should have to help them present the evidence to use against themselves. If the contents of a computer have evidence that would help prove someone's guilt then the government can only use it if they have a legal copy of it; they should not be able to compel you to help them with a password. By the way, there are many reasons that someone would use their 5th Amendment rights even though they committed no crime (they could be embarrassed about something that would be revealed that has nothing to do with the crime, e.g. having to treat an embarrassing disease, or having communicated with an ex-lover, or revealing photos of themselves. The list can go on and on.) When you are charged with a crime the government is looking to convict you, not for ways of interpreting the evidence to exonerate you; there is no reason anyone is motivated to help them, guilty or not. Of course, you can choose to provide requested evidence if it helps you but it is rarely clear that it will (again, they are trying to use it against you). Where were you last night at 10:45pm?
If you read in the paper that someone was killed at 10:45pm in the hotel room next to yours (and you were having an affair in that room) you probably won't want to answer the question, you shouldn't have to, and no one should assume that you must have committed murder because you don't answer. If you had photos from that affair encrypted on your computer why should you have to help the government look at them? Not to mention the fact that even if they were legally permitted to give you the choice to provide a password or charge you with contempt, it seems that the burden of proof that you recalled the password would be on them and, again, you should be able to use the protection of the 5th Amendment to not answer whether you recalled the password or not. Since your memory is not currently verifiable using technology the court could not have evidence that you know the password at any given moment. We can easily focus on the adverse aspects of a particular crime and want to punish the perpetrator but I think that it is more important to ensure that the justice system is fair to all of us.

RobertFL

Well, when I first read this, I was excited the 5th Amendment was invoked and supported. However, on further reading I learned what the guy was hiding, and I really don't want to support that. Talk about mixed feelings, but along those same lines now, wouldn't any computer / device seizure now be considered self-incriminating? I mean if I have what they are looking for, and even if they find something they were not looking for and they took my hardware and found it, isn't that the same as self-incrimination? I am no attorney and far from it, but I do support networks, which I am good at, but the act of seizure just seems wrong after reading this. Rob

chrisbedford

The 5th says you can't be forced to give evidence against yourself. "Did you commit the murder? Remember you are under oath not to lie" "I refuse to answer that question on the grounds that I may incriminate myself" - well it usually means you are dead guilty, doesn't it. But in the case in point, the culprit (and I'm again assuming guilty, until proven innocent) was picked up for something which he keeps records of, and those records will obviously incriminate him. But until they open the records, they can't prove it... your laws are way too protective of the perpetrator, while victims don't seem to have the same rights. My point is do this (alleged) criminal's records constitute "him, giving evidence"? Since when does 5th amendment protection extend to any *other* physical evidence seized at a crime scene? Can you imagine handcuffing and blindfolding law enforcement agencies by disallowing them from opening paper records found in the execution of a search warrant? All seems bizarre to me.

homesjc

At one place of employment I had a long intense discussion with the IT manager re the use of passwords. Low level stuff, mostly locked PDFs. I had obtained at my cost a password cracker and had used it to open and convert back to Doc / Excel etc. format some older company documents to save retyping. The passwords had been lost as people moved on. He stated that PW crackers should not be on or used on the premises. I was and am of the opinion that for many low level documents, if copies are found to be cracked, they are no longer reliable and as such the company does not have to suffer any unforeseen consequences. Otherwise, with OCR etc., they are effectively open, and what is the cheapest way to edit when the original source documents have been lost? As far as forcing the opening of protected documents in a court of law, unless the content of documents is totally unknown, any offense would be derived from the consequences of the use of the content of those documents. Otherwise one would need to wipe all memories of any persons who have any critical information in their brain. It helps to look after such persons, so no blowback. We do not have any such wipers yet.

dartonion

The bit that worries me is that the FBI were unable to decrypt the data themselves. It certainly would be safer if criminal activity couldn't be hidden so easily.

adornoe

where, if an employee wants to copy or "steal" data from an employer, the employer might be stuck with no access to the data once it's encrypted. The employee might have to decrypt the data for the employer, and the employer might need to get their hands on the employee's device, and maybe even confiscatory powers to take the device from the employee if the employee doesn't make the company's records/data available with the encryption code. However, this could all be a moot point if an employee is determined to steal information, and it would be easy to keep the data on his device and encrypt it too; but, with total access to his machine, he could easily make a second copy of the data to another device while keeping the encrypted data available to the employer and ready to decrypt anytime. In that sense, the employee will have met his contractual obligations to decrypt, but, he will have, unethically/immorally and perhaps illegally, made a third copy of the material, which the employer won't even have a clue about.

tom.marsh

For one simple reason: You have a contract with your employees about company data in their possession that requires them to disclose what data they have and return it upon leaving the company. It is already settled law that the 5th Amendment does not protect you from fulfilling contractual obligations to private parties when you're not in a situation where criminal liability is a factor. In short, alarmism over what this means for corporate and enterprise data is extremely overblown. On the other hand, if your company is involved in crimes you'd like to conceal, I can see how this would apply to your business, and potentially abet the opportunity for corporate criminals to skirt responsibility for criminal mischief in the workplace. With that on the table, the "employee has data when terminated" scenario is already covered by existing property rights, intellectual property, and contract law, so I wouldn't get too worked up about it until there is something to get worked up about.

adornoe

If the companies are foolish enough to allow BYOD, then, there is no certainty that the courts will rule in favor of the companies, which trusted their employees with the data and software. The companies would first have to prove that the data and/or software being "protected" is in fact, something that belongs to the companies. In order for the courts to rule in favor of the companies, the court would have to judge on something they don't know, which is that, the data and software being "hidden" does in fact belong to the companies. When it comes to company equipment and anything encrypted into that equipment, you are right, but, when it comes to employee-owned equipment, the courts would have a real battle in their hands, and there are no guarantees about who owns the data and software on that equipment.

sboverie

There was a recent case where someone had a safe that uses a combo. The police were not allowed to coerce the suspect into giving them the combo. If the safe was locked with a key, then the police could force the suspect into surrendering the key. The important distinction was that a combo is kept in memory and a key is a physical object; thoughts can not be coerced but a physical object can be demanded. If the safe has a combo lock, then the prosecutors, police and other government officials can not ask for the combo. The same standard for encryption should be used: if encrypted then the key can not be coerced.

Professor8

As reported, this is very confusing. How did a case in Florida get shifted to the 9th Circus? So, the owner cannot be required to decrypt it, himself; that would be self-incriminating. But a grand jury can get warrants. The question then is can they issue a warrant for the decryption key? That's different from self-incrimination. OTOH, we learned in the 1990s that the criminal activities of the DoJ must be carefully constrained, and the Obummer admin activities remind us that is still the case. Unfortunately, the corrupt judges run interference for the premeditated perpetrators under the bogus monarchical doctrine of "official immunity". sigh

sissy sue

We submit to government snooping as if we were performing an act of patriotism. We hear too many people say that "if you have done nothing wrong, you have nothing to hide." In a free society, there are limitations to what government can do to its citizens. In an unfree society, government officials have no limitations on what they can do to you. It's about time we citizens of the US wised up to what the Founding Fathers had already learned about government oppression, and protect the Bill of Rights that limits the power that government has over you.

sboverie

The 5th Amendment was written to reduce abuse of power. The US forefathers had experienced many forms of tyranny from different types of authorities and used that experience to balance individual freedom against authorities. It is ironic that you state that you are assuming guilt in the Florida case since the standard is to assume innocence until proven guilty in a court of law. Prosecutors and police announce a lot of information about a suspect and a crime and this bypasses the justice system and goes to the court of public opinion; this is done to make the public think that the prosecutors and police are doing their jobs. The problem is that in the rush to judgement a lot of innocent people are harmed and their reputations trashed. A case in point is the security guard who found a bomb in a backpack at an Olympic event; he did the right thing and was initially a hero for preventing people from being injured, but the investigators turned on him and publicly questioned if he was the perpetrator. The real culprit was identified but the security guard's reputation was trashed so badly that he could not work. Our rights have been watered down and we have helped weaken those rights.

monster_cookie2148

What a liberal piggish view. Just because they are the "FBI" doesn't automatically give them the right to gain access to what ever they want. That is why we have "rights", or have you forgotten about that. It's people thinking like you that allow our rights to be taken away. Every person should have the right to protect themselves, and/or property, from any unreasonable or illegal searches and that includes any device I purchase for personal use that's made to store our personal data.

chrisbedford

...given a couple hundred years. From TrueCrypt's FAQs (the first one!): "TrueCrypt does not allow recovery of any encrypted data without knowing the correct password or key". Depending on the size of your key and the speed of the computer that you use to attempt the hack, it could, according to them, take "thousands or millions of years". That's not worrying, it's reassuring.

gevander

IF, as one of the technical people suggested in the article, the company holds the encrypt/decrypt keys (an enterprise solution). If the keys do not reside on the individual's device but are accessed *from* their device while on the network, they will not be able to decrypt at will, only when connected to the corporate network. The important thing is for the company to take control of the encryption of their own data and handle it the same way as they handle the data: It belongs to the company, not the individual. An individual caught using encryption not provided by the company is subject to sanction, including termination. Etc.

netwidget

With more and more employees using personal devices it is not that clear cut. I know of several systems that I have administered that included personal devices. And having helped employees "set up" their personal devices for use on company LANs I can tell you that more often than not I have run into personal information (some sensitive) residing in the same drive, directory/folder as the corporate info. Most people are not good at self-managing the segregation of corporate vs personal data on their own devices. This presents an interesting issue. I don't know of any corporate contract that protects the corporation from a counter suit if personal data obtained (intentionally or not) from a forced decrypted disclosure of a personal device is made public. In most cases the corporation has more to lose in a lawsuit than the individual. What about contracted employees who work for more than one employer and are required to use their personal device for each job? Now you could have corporations each going after each other and the individual, or the other way around, abusing forced disclosure requirements. It is even theoretically possible that if Company A knows that one of their contract employees also works for Company B they could enforce a termination and/or disclosure of a personal device to gain information about Company B. I have associates that are employed by large corporations that develop software who also develop independently at home for open source projects and also for their own proprietary projects. These associates are developing applications that do not violate any non-compete contracts that they currently have with their employers. If they encrypt their personal work in a separate folder with an encryption system separate from their corporation's, who gets to say what the corporation looks at and what gets disclosed? They (my associates) have a vested interest in maintaining the security, proprietary, and legal status of their work/copyrights.
In short there are so many possible scenarios, even in the private and corporate sectors, in which this issue could call into question the actions and intentions of others that it is far from simple or straightforward. The more individuals use, store, and maintain information, personal, corporate, etc. digitally on personal devices, the more this issue is going to come up. I for one think the court's decision to uphold the condition in the 5th Amendment is the best course of action. Why? Because it will hopefully force the corporation (the one with all the resources, not the individual) to be better prepared through use of virtualization, the cloud, and enterprise solutions to better protect themselves while also protecting their own employees from themselves and corporate retribution. The other way around is just a free-for-all litigation-fest party I would not want to be invited to.

JJMach

Have there ever been precedents set in regards to information that was encrypted old-school? I suspect that, in the days of the Prohibition Mob-busting court cases, they were decided dealing with this sort of thing, if not before and since. Anyone else recall the scene in The Untouchables where they needed to get the mob accountant to translate the ledgers that were written in code? Just because the data is digitized doesn't change the legal nature of encryption; it just makes the encryption that much harder to break if you do not have a way to make someone decode it for you.

JJMach

What makes the problem sticky for the courts is that, using modern encryption software and standards, even if the government could marshal all of the computing power that could be thrown at the problem, you may not be able to break the encryption within the century, let alone the statute of limitations. Before computers and digital data storage, you typically didn't have to worry about a door that could not be opened or a safe that could not be cracked.

chrisbedford

You are forgetting they had a warrant, which assumes some form of just cause. The courts are (depending on what state, I guess) usually pretty fair in the issue of warrants, aren't they? So at least one judge was satisfied the feebs had a good enough case to enter the man's premises. And please remember a warrant is permission to *look at everything on the premises*, not just to break down the door. That means the judge gave them permission to look at the records on his computer. Just because you think the individual has the right to "privacy" (whatever that might mean in this day and age) doesn't mean he has the right to block law enforcement from reading his "private" records. If they were locked away in a safe he'd be obliged to open the safe for the agents, wouldn't he? If you value your privacy don't do stuff that gets the FBI to get a search warrant for your house.

adornoe

the employee knows the encryption key and copies the data and then, uses encryption on the copy of the data. In that case, it might as well have been unencrypted data at the company end, since, the employee has made a copy and protected that copy from the employer. The reality is that, the best protection for an employer against employee data theft and against data destruction/corruption, is for the employee not to have his own devices at work.

tom.marsh

Under no circumstances should you allow a personal device on your "internal" network, and when you allow a personal device to access your business applications, it should be in a very controlled manner such as (in the laptop scenario you described) via terminal services, with precautions in place to prevent transfer of the data to the employee system in the first place. If the employee "steals" the data, it's a criminal matter. If he just fails to wipe his phone when he quits, you sue him in court. You've got lawyers: Use them. Data thieves are generally after money, but that becomes an iffy proposition if your employer sues you into oblivion. This really is not anywhere near as big of a problem as is being made out. Most of these leaks, though, aren't "criminal" situations; they're screw-ups by people who didn't read what they signed when they joined the "iPhones allowed" plan for the company Exchange Server.