Date: 2017-03-20
'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk)
Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.
Under stress, and my poor memory due to my job, I can't remember the password. I write it down, but I seem to have lost it.
Well, say hello to a jail cell then. You can be held for contempt for a very long time.
Sounds like someone's never heard of asymmetric cryptography: you can encrypt files without having the ability to decrypt them. Of course, that's not usually the type of encryption used to secure entire drives.
Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.
>"upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives"
I am not saying that is the case here, but what if a defendant really doesn't remember the password? Throw him in jail forever? Some devices don't need a key/password UNLESS they are disconnected or reset, and it is very plausible someone might have been using something for a long time without knowing.
Believe me I've tried, considering they contain photos taken together with two separate previous girlfriends.
To jail I go, apparently.
Decrypted or not, you were going to jail; only difference would be on what charges.
>"upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives"
I am not saying that is the case here, but what if a defendant really doesn't remember the password? Throw him in jail forever? Some devices don't need a key/password UNLESS they are disconnected or reset, and it is very plausible someone might have been using something for a long time without knowing.
Yeah. I don't know the pincode for my SIM-card, I only ever need it when the phone updates the operating system, and it is separate from the code used to lock the phone. So if my phone is powered down, I have no way of unlocking it without traveling back to my home country out of US reach to get the printed copy of the pincode.
Maybe he said it with a snarky attitude.
But, I had the same question...if you're not allowed to 'forget' something...what if you actually do?
This amounts to "We know you're guilty even though we can't prove it so we're not going to bother with proof", and worse, they're using that to apply a potentially unlimited sentence.
Just because the guy is accused of having a child porn collection doesn't mean the niceties of law shouldn't apply.
I'm actually not so much for the right against self-incrimination, but I am very much for the right to a fair trial based on evidence and not what people 'know'. I'm also very much on finite sentences proportional to the needs of protecting society, punishing enough to scare the next guy, and attempting to reform the convicted if possible... but there shouldn't be a sentence at all without a just conviction.
While I have less than zero sympathy for child pornographers, what about the 5th amendment? I thought it was to EXPLICITLY prevent the courts from obliging you to give information that may incriminate you.
Also isn't the onus on the court to prove you're definitely guilty before punishing you? I think it's more than reasonable that someone could honestly forget their password, especially in a stressful situation such as a trial.
It has been established that you can't be forced to turn over the numbers to your combination lock while you can be compelled to provide the physical key if you have it. The problem is that in cryptography, we call it a key but we mean combination lock, the judges here ruled a cryptographic "key" is something similar to a physical key, a piece of code/hardware you can give them to unlock your "safe" while it's actually a combination lock.
I thought it was to EXPLICITLY prevent the courts from obliging you to give information that may incriminate you.
The password (like a key to a safe) itself isn't self-incriminating, even if the thing it's protecting may be.
Nothing more to say, really.
So when are the politicians going to be charged with contempt of court when they "do not recall"?
In my personal experience, passwords that are > 24 characters are easily forgettable if unused for a period of time. I struggle with remembering complicated passwords if I haven't used them in over a month. Not sure if it's because they're too complicated or if it's a neurological limit. I also suffer from ADD and have a history of radiation exposure.
That being said, I completely understand how it's possible for someone to forget a password.
Self-incrimination issues aside:
On these drives, are they completely encrypted preventing mounting or is it just the file contents?
If it's the former, then one should be able to see the last time a file was changed. If it's a few days before the seizure, I'd call BS. If the last access/modification was a fair time ago then it becomes more reasonable to assume the "I forgot" defence is truthful.
That is, unless it's the physical key to a safe, or some hardware encryption key. That's physical, and subject to seizure. But a combination or encryption password is a product of the mind, and forcing it out
My understanding of the logic behind attempting to force him to provide the passwords is that he won't be giving the government anything that they don't already know or have.
That being the case, why do they need the passwords at all? If they already "know everything", then they can proceed with their prosecution. If they don't have everything that they need to proceed without the passwords, then they obviously don't know everything.
Self-contradictory, isn't it?
Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."
Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.
Probably the best solution.
But, could you really be charged with evidence tampering if the prosecution can't prove beforehand there was evidence there in the first place?
I suspect it would be a long and expensive process to find out what the final outcome would be.