'Sorry, I've Forgotten My Decryption Password' is Contempt Of Court, Pal - US Appeal Judges (theregister.co.uk) 85
Thomas Claburn, reporting for The Register: The US Third Circuit Court of Appeals today upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives. In so doing, the appeals court opted not to address a lower court's rejection of the defendant's argument that being forced to reveal his password violated his Fifth Amendment protection against self-incrimination. In the case under review, the US District Court for the Eastern District of Pennsylvania held the defendant (referred to in court documents as "John Doe" because his case is partially under seal) in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac Pro computer. The defendant's computer, two external hard drives, an iPhone 5S, and an iPhone 6 Plus had been seized as part of a child pornography investigation.
Under stress, and my poor memory due to my job, I can't remember the password. I write it down, but I seem to have lost it.
Well say hello to a jail cell then. You can be help for contempt for a very long time.
All you need is a lawyer who's willing to argue that police lost evidence of this during arrest/warrant sweep. Happens quite often and there's a lot of case law on it.
Sounds like someone's never heard of asymmetric cryptography you can encrypt files without having the ability to decrypt them. Of course that's not usually the type of encryption used to secure entire drives.
Rubber-hose cryptanalysis (Score:2)
Perhaps some type of expiry after 30-60 days of non-use for sensitive encrypted drives might protect against this, since there's no way the person could decrypt the drive after that threshold.
How do you implement the timeout assuming the attacker will have possession of the device in question?
Apple has been dealing with something similar with their 10 try then wipe password limitation they keep figuring out new ways to bypass it.
What if (Score:2)
>"upheld a lower court ruling of contempt against a chap who claimed he couldn't remember the password to decrypt his computer's hard drives"
I am not saying that is the case here, but what if a defendant really doesn't remember the password? Throw him in jail forever? Some devices don't need a key/password UNLESS they are disconnected or reset, and it is very plausible someone might have been using something for a long time without knowing.
Believe me I've tried, considering they contain photos taken together with two separate previous girlfriends.
To jail I go, apparently.
Decrypted or not, you were going to jail; only difference would be on what charges.
Yeah. I don't know the pincode for my SIM-card, I only ever need it when the phone updates the operating system, and it is separate from the code used to lock the phone. So if my phone is powered down, I have no way of unlocking it without traveling back to my home country out of US reach to get the printed copy of the pincode.
Then they charge you with destruction of evidence.
It would be kind of interesting to see how that played out though. Would they have to argue that you intentionally set up a system to destroy evidence based on knowing that you were committing crimes?
Maybe he said it with a snarky attitude.
But, I had the same question...if you're not allowed to 'forget' something...what if you actually do?
He probably 'said' it through his attorney via filing, which I expect would be on-paper.
While it's possible to be snarky on paper it requires both intent and a general finesse for language that most people don't have.
what if a defendant really doesn't remember the password? Throw him in jail forever?
Sure. Why not? The criteria is "reasonable doubt" not "certainty". In practice, the standard for "reasonable doubt" is not very high. When DNA evidence first became valid in court, the Innocence Project reviewed thousands of old cases, and determined that about 10% of them could not possibly have committed the crimes for which they were convicted. One case overturned was the Central Park Five, which EVERYONE, including our president [nytimes.com], was absolutely certain were guilty. There are many, many other cases
This question actually did come up in this case, as at one point the defendant claimed to have forgotten the passwords. However, the defendant undermined himself by at another time refusing to provide the passwords by which he proved that he did have them.
Steve Martin to the rescue (Score:2)
That's not good law (Score:5, Insightful)
This amounts to "We know you're guilty even though we can't prove it so we're not going to bother with proof", and worse, they're using that to apply a potentially unlimited sentence.
Just because the guy is accused of having a child porn collection doesn't mean the niceties of law shouldn't apply.
I'm actually not so much for the right against self-incrimination, but I am very much for the right to a fair trial based on evidence and not what people 'know'. I'm also very much on finite sentences proportional to the needs of protecting society, punishing enough to scare the next guy, and attempting to reform the convicted if possible... but there shouldn't be a sentence at all without a just conviction.
Just because the guy is accused of having a child porn collection doesn't mean the niceties of law shouldn't apply
Does the law distinguish between having, distributing or making these images? I consider those very different crimes.
Also, since they know he visited the sites and downloaded *somethings*, they can nail him just for that crime and waive or suspend the contempt charge if he agrees to forfeit possession of the hard drives.
It's a bad law because it's literally leaning on "I said so."
The power is ultimately in the owner's hands. Consider: Even under torture, access is technically only granted when the owner says. And so, like warrant canaries, this power will simply rearrange itself until it's out of reach again, until untouchable by infantile laws that are comparable to a child shouting about a supershield that blocks anything.
This is bullcrap (Score:2)
While I have less than zero sympathy for child pornographers, what about the 5th amendment? I thought it was to EXPLICITLY prevent the courts from obliging you to give information that may incriminate you.
Also isn't the onus on the court to prove you're definately guilty before punishing you? I think its more than reasonable that someone could honestly forget their password, especially in a stressful situation such as a trial.
It has been established that you can't be forced to turn over the numbers to your combination lock while you can be compelled to provide the physical key if you have it. The problem is that in cryptography, we call it a key but we mean combination lock, the judges here ruled a cryptographic "key" is something similar to a physical key, a piece of code/hardware you can give them to unlock your "safe" while it's actually a combination lock.
I thought it was to EXPLICITLY prevent the courts from obliging you to give information that may incriminate you.
The password (like a key to a safe) itself isn't self-incriminating, even if the thing it's protecting may be.
So if you make the password itself something that would be incriminating, you could legitimately withhold it?
the fifth amendment is so the cops can't torture you to force you to confess like used to happen in Europe around the time it was written. I read an interesting book one time how they used to put you on the rack and break your bones until you confessed or they were sure you really didn't do it.
the concept that the police can collect evidence and you have to give up evidence of your guilt has been around for a long time cause justice trumps your right to break the law
This is a case of secured evidence, not self-incrimination. If you have a locked safe that you won't give the combo to, they have the legal authority to break into your safe (and not compensate you for it), this is just an issue of where they are authorized to use force, but don't have sufficient force. (and this does indeed piss off the law / govt when it happens, they fancy themselves omnipotent and take enormous offense when proven otherwise)
The Courts (and Law Enforcement) have gotten really lazy, and it's confusing to me why they don't see it.
During the San Bernardino iPhone stuff and other such stories, there were so many 'seemingly intelligent' people saying how encryption shouldn't be allowed because it made law enforcement difficult. Since when has it been easy? Wearing gloves makes it hard to pickup fingerprints. Should you outlaw gloves as well? However, these people are saying, "You should be forced to live in a way that makes
And when a judge orders you to do something in a trial, such as provide a password to your drive, and you decline, that's contemp
So you're telling me that the Judge has power to order you to do literally anything during a trial? such as stick a knife in yourself or someone else? and if you refuse you are now in contempt and can go to prison for ever?
Direct violation of the Constitution (Score:3)
Nothing more to say, really.
In fairness (Score:5, Insightful)
So when are the politicians going to be charged with contempt of court when they "do not recall"?
I believe it (Score:1)
In my personal experience, passwords that are > 24 characters, are easily forgettable if unused for a period of time. I struggle with remembering complicated passwords if I haven't used them in over a month. Not sure if it's because they're to complicated or if it's a neurological limit. I also suffer from ADD and have a history of radiation exposure.
That being said, I completely understand how it's possible for someone to forget a password.
In my personal experience, passwords that are > 24 characters, are easily forgettable if unused for a period of time. I struggle with remembering complicated passwords if I haven't used them in over a month. Not sure if it's because they're to complicated or if it's a neurological limit. I also suffer from ADD and have a history of radiation exposure.
That being said, I completely understand how it's possible for someone to forget a password.
Obligatory xkcd - https://xkcd.com/936/ [xkcd.com]
Access/modification times (Score:1)
Self-incrimination issues aside:
On these drives, are they completely encrypted preventing mounting or is it just the file contents?
If it's the former, then one should be able to see the last time a file was changed. If it's a few days before the seizure, I'd call BS. If the last access/modification was a fair time ago then it becomes more reasonable to assume the "I forgot" defence is truthful
Re: Access/modification times (Score:2)
Well, then, they could probably get an estimate of "access time" from the amount of dust on the computer, skin oil on the keys, etc.
Contemptible. (Score:2)
Although the SCOTUS agrees with you, there hasn't been any legally binding decision made surrounding these issues, lower courts have typically established that providing some assistance to your own conviction is acceptable.
The 'true' solution would be to create a password/passphrase that requires you to actively participate with your mind. Eg. - I can only unlock this password by doing some sort of obstacle course with each stop providing me parts of the passwords.
Won't be disclosing anything that's new or unknown (Score:1)
My understanding of the logic behind attempting to force him to provide the passwords is that he won't be giving the government anything that they don't already know or have.
That being the case, why do the need the passwords at all? If they already "know everything", then they can proceed with their prosecution. If they don't have everything that they need to proceed without the passwords, then they obviously don't know everything.
Self-contradictory, isn't it?
Anyway, his passcode is "1Admit1'mGuiltyAsH3ll.", so disclosing it would be self-incrimination.
No the logic is the same as a suspect ordered to unlock a safe/hidden room/car etc. having to do that. If the locked space then contains something illegal it is valid evidence however the suspect isn't being forced to say there are illegal stuff there.
Or to make the comparison even easier: if police have a search warrant they have to be provided access to a location, failure to give that access is in itself a criminal act. Here the police have a search warrant for the disks and aren't given access to them.
I told you so.
While it still (at the moment) seems unconstitutional to force a person to reveal their passwords, it is simple to get around this by ordering the person to enter the password themselves.
So if you think you're going to evade the long arm of the government by memorizing all your passwords, think again or you too will be jailed.
And remember kiddies, "I forgot" or "I don't remember" only works if you are part of the government itself
Destroy code? (Score:3)
Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."
Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.
Probably the best solution.
But, could you really be charged with evidence tampering if the prosecution can't prove beforehand there was evidence there in the first place?
I suspect it would be a long and expensive process to find out what the final outcome would be.
No, it is not even fantasy to have a "destroy everything" password. Even a rookie investigator knows to make a copy first. If you provide self-destruct keys it'll be blatantly obvious.
This is very hardware dependent. Plenty of systems out there that require a passkey to unlock but nuke themselves with a few bad tries. They are not clonable (unless you're the NSA and even then some go to lengths to prevent chip lapping and other methods from working). In essence it's a small computer that you can not practically copy with a hardened interface that stores the actual decryption keys.
Even the TPM chips tied to hard drives should support that.
Seems like encryption systems need to have two passwords; one that decrypts the volume and another that wipes the keys and images a fresh filesystem. When they compel you to enter your password, you enter the "destroy code."
Sure, you could be charged with tampering with evidence if they realized what you'd done. But maybe that would be preferable to indefinite incarceration for contempt of court.
I doubt that would work in this case as I'm sure LEO images the media and tries to decrypt the images.
I think forensic analysts will mount your disks in read only before mucking with them.
A better solution would probably be to have a password that decrypts only part of the drive which contains decoy data.
Ressurect different HDD Image? (Score:2)
Rather than destroy the contents it would be better to have a separate code that will show photos and videos of granny's 100th birthday.
"Sir, why did you use password protection for such a purpose?"
"Why wouldn't I use it to protect my memories of my G'Ma?"
What court? (Score:1)
Secret courts can pry my encryption keys out of my cold dead American hands!
Clearly violation of 5th amendment.. (Score:2)
Does this case fit the precedent? (Score:3)
If he has not ever revealed the password to authorities, the Constitution absolutely prohibits this action by the court. A man cannot be compelled to self-incriminate, the court may not presume guilt (innocent until proven guilty), and the court can only establish guilt through due process of law (everything from investigation to conviction) and with equal protection under the law (the law is applied the same way to everyone). This ruling blatantly violates most of these basic rights if the contents of the drive are not a "foregone conclusion."
While we're at it... (Score:1)
Only one way out... (Score:2)
My password is "sorry I've forgotten my password". They won't be able to claim I didn't tell em!