Alleged criminal ordered to surrender password to hard drive

Seen something interesting in the news or on the intertubes? Discuss it here.

Moderators: Zamfir, Hawknc, Moderators General, Prelates

User avatar
Aikanaro
Posts: 1801
Joined: Wed Sep 24, 2008 1:43 pm UTC
Location: Saint Louis, MO

Alleged criminal ordered to surrender password to hard drive

Postby Aikanaro » Tue Jan 24, 2012 5:19 am UTC

http://technolog.msnbc.msn.com/_news/2012/01/23/10219384-judge-orders-woman-to-give-up-password-to-hard-drive

Spoiler:
MSNBC.com wrote:Judge orders woman to give up password to hard drive
By Suzanne Choney

In the future, your hard drive may not be your hard drive: A federal judge has ruled that a Colorado woman, charged in a mortgage scam case, must turn over the password needed to decrypt her hard drive so that police can view the files on it.

Ramona Fricosu was given until Feb. 21 to comply with the order by U.S. District Court Judge Robert Blackburn. The judge said Fricosu's defense — the Fifth Amendment's right against self-incrimination — did not apply in the case, in which she is charged with bank fraud, wire fraud and money laundering.

"I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," the judge said in his ruling Tuesday, as reported by CNET.

The Electronic Frontier Foundation, a digital civil liberties organization that filed an amicus brief on Fricosu's behalf, had argued that Fricosu should not be compelled to give up her password because it would violate her Fifth Amendment right, and there was no immunity "offered for loss of this protection."

In addition, the EFF said, the government had not specified what it was looking for on the Fricosu's laptop, making it seem like an "evidence-fishing trip."

But the U.S. Attorney's Office said in court documents that if Fricosuwasn't ordered to unlock her computer, it would result in a "concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”

As CNET's Declan McCullagh wrote, "The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach."


Not sure how I feel about this. I suppose it could be compared to allowing the police to search your property when they have a warrant, and that if a door were locked, they'd have the right to pick the lock, request a key, etc.....
Dear xkcd,

On behalf of my religion, I'm sorry so many of us do dumb shit. Please forgive us.

Love, Aikanaro.

User avatar
buddy431
Posts: 446
Joined: Mon Dec 06, 2010 5:21 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby buddy431 » Tue Jan 24, 2012 5:43 am UTC

There's also the 2006 case of Sebastien Boucher

The Fifth amendment has typically been treated very narrowly. You can be forced to give up documents, to provide keys to lock-boxes, to provide your name to police officers when stopped. In civil cases, refusing to testify against an allegation can be taken as an acquiescence to the allegation. If you wish to invoke your 5th amendment rights, you must do so explicitly - merely remaining silent during questioning is not sufficient. You can be compelled to testify against others, and, if granted immunity, compelled to testify about your role in a crime.

Of course, the obvious thing to do would be to "forget" your password at this point.
Gellert1984 wrote:Also, bomb president CIA al qaeda JFK twin towers jupiter moon martians [s]emtex.

User avatar
Shivahn
Posts: 2200
Joined: Tue Jan 06, 2009 6:17 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Shivahn » Tue Jan 24, 2012 6:59 am UTC

Aikanaro wrote:Not sure how I feel about this. I suppose it could be compared to allowing the police to search your property when they have a warrant, and that if a door were locked, they'd have the right to pick the lock, request a key, etc.....


If they didn't specify what they're looking for, it's not really analogous to having a warrant.

User avatar
Malice
Posts: 3894
Joined: Sat Jul 21, 2007 5:37 am UTC
Location: Los Angeles, CA
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Malice » Tue Jan 24, 2012 8:13 am UTC

If they have a warrant for a residence, and the drive is contained within that residence, does that mean they have a warrant for that drive as well? It doesn't seem to me to be any different from a safe, really. Maybe they should specify "documents, digital or otherwise" in the list of things they're looking for. But I don't think they should need a separate warrant for the drive.
Image

User avatar
buddy431
Posts: 446
Joined: Mon Dec 06, 2010 5:21 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby buddy431 » Tue Jan 24, 2012 8:17 am UTC

Surely the better comparison is to a Subpoena rather than a warrant? I.e. you are compelled by the court to give your testimony, or to hand over physical evidence (which may be as broad as "all documents pertaining to x").
Gellert1984 wrote:Also, bomb president CIA al qaeda JFK twin towers jupiter moon martians [s]emtex.

elasto
Posts: 3757
Joined: Mon May 10, 2010 1:53 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby elasto » Tue Jan 24, 2012 8:51 am UTC

I don't get what they are meant to do if you say you can't remember it though. Are they meant to go all Jack Bauer on you?

I imagine I have a USB thumbdrive or two sitting in a drawer somewhere with encrypted files on I've long since forgotten the contents of or key to. If I were to get arrested for something in the future could I be looking at a multi-year jail sentence for refusing to hand over a key I have no memory of and which contains nothing relevant to whatever crime I'm accused of?

User avatar
folkhero
Posts: 1775
Joined: Fri Aug 01, 2008 3:34 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby folkhero » Tue Jan 24, 2012 11:37 am UTC

Malice wrote:If they have a warrant for a residence, and the drive is contained within that residence, does that mean they have a warrant for that drive as well? It doesn't seem to me to be any different from a safe, really. Maybe they should specify "documents, digital or otherwise" in the list of things they're looking for. But I don't think they should need a separate warrant for the drive.

What if instead of a drive, the information was saved on a cloud? Should that make a difference when it comes down right to privacy vs. the police's right to search? There is also a difference between the police having the right to search and having the right to compel you help them search. If an officer searches my home (with a warrant) and asks if I have anything hidden, am I required to tell him about my hidden passageway and which candelabra to pull to access it?
To all law enforcement entities, this is not an admission of guilt...

User avatar
Malice
Posts: 3894
Joined: Sat Jul 21, 2007 5:37 am UTC
Location: Los Angeles, CA
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Malice » Tue Jan 24, 2012 12:25 pm UTC

folkhero wrote:
Malice wrote:If they have a warrant for a residence, and the drive is contained within that residence, does that mean they have a warrant for that drive as well? It doesn't seem to me to be any different from a safe, really. Maybe they should specify "documents, digital or otherwise" in the list of things they're looking for. But I don't think they should need a separate warrant for the drive.

What if instead of a drive, the information was saved on a cloud? Should that make a difference when it comes down right to privacy vs. the police's right to search?


Yes. The laws are written such that police are given license to search by places, not ownership, which is why they need a separate warrant for your car versus your house. The information you put on the cloud, assuming it's not locally stored, is legally in the server its own, and the police require a separate warrant in order to access that information.

There is also a difference between the police having the right to search and having the right to compel you help them search. If an officer searches my home (with a warrant) and asks if I have anything hidden, am I required to tell him about my hidden passageway and which candelabra to pull to access it?


Actually, I'm not sure. You're required to "comply" with warrants but I'm not sure what the law is on much cooperation you have to give. Generally if you, say, refuse to unlock the garage, they'll break in; but I don't know how that applies to something they can't access without you (assuming they can't hack your drive).
Image

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 12:54 pm UTC

elasto wrote:I don't get what they are meant to do if you say you can't remember it though. Are they meant to go all Jack Bauer on you?

I imagine I have a USB thumbdrive or two sitting in a drawer somewhere with encrypted files on I've long since forgotten the contents of or key to. If I were to get arrested for something in the future could I be looking at a multi-year jail sentence for refusing to hand over a key I have no memory of and which contains nothing relevant to whatever crime I'm accused of?


Yeah, that's what strikes me as ridiculous. I forget passwords to shit all the time. Now, to be fair, the password to boot my computer is one I'm extremely unlikely to forget, but are they really going to make not ever forgetting your password enforceable?
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
lutzj
Posts: 898
Joined: Fri Feb 05, 2010 6:20 am UTC
Location: Ontario

Re: Alleged criminal ordered to surrender password to hard d

Postby lutzj » Tue Jan 24, 2012 12:58 pm UTC

Belial wrote:Yeah, that's what strikes me as ridiculous. I forget passwords to shit all the time. Now, to be fair, the password to boot my computer is one I'm extremely unlikely to forget, but are they really going to make not ever forgetting your password enforceable?


I suppose if you were designated as the custodian for some data (i.e. your patients' medical records) you could be held responsible in court for the password, but that doesn't seem to apply in this case.
addams wrote:I'm not a bot.
That is what a bot would type.

juststrange
Posts: 296
Joined: Wed Jul 23, 2008 3:57 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby juststrange » Tue Jan 24, 2012 1:00 pm UTC

This difference between this case and the Boucher case was that police saw child pornography on his machine before it was locked. They knew 2 things for a fact: 1. There was something illegal on it, 2. He had access to the password. This case is different IIRC, as when the police arrived, the laptop was off and she was not seen accessing it. Her lawyer is arguing that just by providing the password, her client will have incriminated herself just by proving she had access to the laptop (should it turn out that the laptop has stuff on it).

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Steax » Tue Jan 24, 2012 1:04 pm UTC

Then there's the issue of plausible deniability (e.g. a second password that, when entered, gives a completely different set of data). It's theoretically impossible to detect, too. How would anyone know if the password he gave was true? A person could give up 100 passwords - there's always the possibility of a 101th. Of course, there are technical limitations, but it's just not that clear-cut.
In Minecraft, I use the username Rirez.

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7594
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Alleged criminal ordered to surrender password to hard d

Postby Zamfir » Tue Jan 24, 2012 1:14 pm UTC

Is that really such a great hurdle? There might be cases where "I forgot" is plausible, but in many cases it's not. If you are using a computer, data stick or webservice on a daily basis, then claim to forget the password exactly on the day that it's demanded by the police, a court can decide that you are lying.

Or suppose you are unable to produce important documents that you had provable regular access to in the recent past. Let's say there are printouts available, or because such documents would be required to operate your business. If there is also an encrypted data store around, the prosecutor can build a case that this store must contain those documents, or at least that you are hiding them.

It's not very different than lying about other things, like "I forgot how my boss in this criminal racket looks like, I forget faces all the time". Sometimes a defendant will have the benefit of doubt, sometimes not. And if you claim to have forgotten the password, the police can then proceed to try and break your password. That's a very different situation from where they are forbidden to access the information on principle.

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Steax » Tue Jan 24, 2012 1:20 pm UTC

Plausible deniability means you can hand over a password and reveal a bunch of cat photos. It's cryptographically theoretically impossible to figure out that there are other files stored there.

(Unless you weren't replying to me, which I assumed by default due to post orders.)
In Minecraft, I use the username Rirez.

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 1:26 pm UTC

And if you claim to have forgotten the password, the police can then proceed to try and break your password. That's a very different situation from where they are forbidden to access the information on principle.


And no one has made a 4th amendment case here, so no one is saying that they are forbidden on principle from attempting to access it. Going for a 5th amendment objection means that the only thing she and the EFF are contesting is whether she can be compelled to help them.

Of course, I suspect they're not bothering with the 4th amendment case because they know the police can't crack it without their help. Not because the police are dumb, but because a suitably secure encryption is almost impossible to break. That being, after all, the idea.
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7594
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Alleged criminal ordered to surrender password to hard d

Postby Zamfir » Tue Jan 24, 2012 1:34 pm UTC

Belial wrote:And no one has made a 4th amendment case here, so no one is saying that they are forbidden on principle from attempting to access it. Going for a 5th amendment objection means that the only thing she and the EFF are contesting is whether she can be compelled to help them.

My apologies. If the case rests on specifics of the US constitution, I'll leave the topic to the Americans.

Chen
Posts: 5577
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Alleged criminal ordered to surrender password to hard d

Postby Chen » Tue Jan 24, 2012 1:48 pm UTC

Imagine you had a very strong, nearly impossible to break into safe. And you told them you forgot the combination. Would they try to break it open? Or would it normally be left alone as being "inaccessible"? I'd imagine it would be similar to this computer case. The only real difference I see is that it'll almost always be possible to open the safe. The computer it may not be possible (within a reasonable time frame) to break the encryption on it.

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 1:53 pm UTC

Zamfir wrote:My apologies. If the case rests on specifics of the US constitution


It does, but it's not terribly complex, and the amendments in question are like so:

The 4th amendment is protection against unreasonable searches. If they were staking their objection on this amendment, they'd be saying that it's unreasonable for the cops to even try to get this data, that they lack the cause to go after it themselves. No one is currently making this case, which means that no matter how this goes the cops are 100% free to attempt to crack that hard drive themselves. I suspect the defendant is just pretty confident they can't.

The 5th amendment is protection against being forced to incriminate yourself. It's the same amendment that keeps you from being caught in the legal trap wherein you're put on the stand as a witness against yourself (thus potentially forcing you to add perjury to any list of convictions). It's also the amendment that makes it so that you never have to talk to or cooperate with cops because for all you know you're a suspect in something. This is what they're arguing: that providing the password could potentially be participating in her own incrimination, and therefore requiring her to do so violates her rights.
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7594
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Alleged criminal ordered to surrender password to hard d

Postby Zamfir » Tue Jan 24, 2012 2:13 pm UTC

I see, in that case the breaking issue disappears. My other points still stand, don't they? At least in principle, it should be possible to make a compelling case that a person has to know a password. Not in every case, but in many cases. For example, if their fingerprints show that they are regular users of the laptop.

Juststrange says that this person not only refuses to give the password, but also does not admit that she knows the password. IThe latter seems a matter of legal fact-finding*, relatively unrelated from the issue if she has to give the password if she knows it.

Also, a technical question for those in the know: how unbreakable is a hard drive, not in the extreme case but in a typical case? I am sure that when people encrypt with a long random string of bits (which they have to store in turn), it can be made unbreakable. But in many cases, the protection will be a not-too-long password that the user regularly types in. That can hardly be unbreakable, or is it? A few weeks of dictionary+brute forcing attacks should make a dent, or am I missing something?



* I am not sure if 'fact-finding' is the correct English legal term. The legal process where people make different claims about a fact, and a court rules if there is compelling evidence for one version.

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 2:20 pm UTC

Zamfir wrote:For example, if their fingerprints show that they are regular users of the laptop.


Here's the thing: if I say I lost the password last week, all you can prove with fingerprints is that I have touched the keyboard since. People who have lost their passwords touch their keyboards: usually because they're trying to remember their password.

If you could access the hard drive, you could check whether it's been used, but if you can check the harddrive the gig is already up.

Also important is to consider what I said above, except remove the words "I say". Because even if we think she's lying, somewhere down the road someone will get busted and have a laptop that they legitimately did forget the password for last week. Just through sheer application of murphy's law to their life.
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
Zamfir
I built a novelty castle, the irony was lost on some.
Posts: 7594
Joined: Wed Aug 27, 2008 2:43 pm UTC
Location: Nederland

Re: Alleged criminal ordered to surrender password to hard d

Postby Zamfir » Tue Jan 24, 2012 3:08 pm UTC

Is that much different from other criminal affairs? There's always a possibility that bad luck causes incriminating-looking circumstances, and legal systems have to deal with that. They won't do this perfectly, sadly enough. But is this decision particularly likely to cause a screw-up?

Compare it to accused smugglers who claim that other people put the contraband in their luggage/truck/babies' diapers. People who lose a key of an unused building, which just happens to be used by an acquaintance to run a meth lab. Or even closer: a building fire that conveniently destroys the relevant documentation or other potential evidence. Sometimes such things really do happen, and courts already have to decide when such explanations are plausible, and when the rest of the evidence pushes it beyond a line of reasonable doubt.

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Steax » Tue Jan 24, 2012 3:10 pm UTC

Zamfir wrote:how unbreakable is a hard drive, not in the extreme case but in a typical case? I am sure that when people encrypt with a long random string of bits (which they have to store in turn), it can be made unbreakable. But in many cases, the protection will be a not-too-long password that the user regularly types in. That can hardly be unbreakable, or is it? A few weeks of dictionary+brute forcing attacks should make a dent, or am I missing something?


(Note: IANAC)

It does depend entirely on the algorithm and password used, which would be proportional to the effort the person is exerting. Your run-of-the-mill encryption software will use something like AES-256 at 14 rounds, which has no publicly-known easier methods of attack aside from brute force. Governments might know of something or have the computer power to brute-force it, but it's a stretch.

So yeah, it's entirely dependent on how secure the person hiding the data is trying to be.
In Minecraft, I use the username Rirez.

kiklion
Posts: 513
Joined: Fri Mar 14, 2008 5:02 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby kiklion » Tue Jan 24, 2012 3:13 pm UTC

Depends on what they used to encrypt it. If it is just 'Windows Password' then depending on version of windows, there are cracks to log in as an admin and change the users password to whatever you want (on XP at least), if it is a full harddrive encrypted software such as pointsec, it can only be decrypted with a specific file that is generally stored away from the pc itself.

If you are talking about brute force, it could take years depending on the algorithm used and the length of the password.

I would say the polices success rate depends mainly on the following, in this order:

How is it being protected, and what system do they use?
Is the password using a common word/phrase and vulnerable to a rainbow table?

Brute forcing any half way decent encryption method is a waste of time for a single password.

User avatar
buddy431
Posts: 446
Joined: Mon Dec 06, 2010 5:21 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby buddy431 » Tue Jan 24, 2012 3:29 pm UTC

At this point, she's not making an "I forgot" argument (and no one else has either), so it's all speculative to discuss it at this point. Typically the penalty for failure to comply with a court request is to be held in contempt of court, which could include exorbitant fines or jail time (Judith Miller was jailed for 3 months for refusing to testify in the Valerie Plame fiasco. Even when she did testify, she was pretty widely derided for claiming she couldn't remember who told her Plame's name, though she wasn't hit with any charges related to that).

I guess I don't have much of a problem with this. The fifth amendment protection against self-incrimination is to try to prevent coerced confessions, i.e. so that police or a prosecutor can't just keep pressuring you until you break down. While it arguably doesn't always do a great job in that, this is clearly a very different case. Being in possession of a password to an encrypted drive is not incriminating. The contents of the drive may or may not be incriminating, but that's why investigators are demanding access to them.

Anyways, the correct way to handle these situations is to not put yourself in a situation where you might want to refuse to hand over evidence anyways. Many companies have policies of destroying documents and e-mails after a short amount of time. Many news agencies have a policy of destroying reporters' notes after a short period of time, so that they can truthfully and plausibly avoid thing's like Miller's case. The EFF has some guidelines about carrying digital devices over the boarder. If you have sensitive information, you should encrypt it in such a way that you cannot reveal it at the border - use a long, hard to forget password that is sent ahead to your destination in a secure manner, for example.

Judges aren't stupid (at least in general). They don't robotically apply the law no matter what the circumstances are. If they think you're lying about being able to produce evidence, they can hit you with a contempt of court charge.
Gellert1984 wrote:Also, bomb president CIA al qaeda JFK twin towers jupiter moon martians [s]emtex.

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 3:37 pm UTC

Zamfir wrote:Or even closer: a building fire that conveniently destroys the relevant documentation or other potential evidence.
This is the closest to a proper analogy, as it is something that can happen by accident without any malfeasance on the part of a third party. And the thing is, in order to prove destruction of evidence, you'd need to prove arson. There are ways to do that. You can in theory prove whether someone set a fire deliberately or if it appears to be accidental. There is really no way to prove whether someone remembers something or not, short of maybe some deep brain scans.
kiklion wrote:Depends on what they used to encrypt it. If it is just 'Windows Password' then depending on version of windows, there are cracks to log in as an admin and change the users password to whatever you want (on XP at least)
That isn't actually encryption at all. The OS just refuses to access any of the data without the password. If you bypass the OS, all the data is still just chilling there unencrypted waiting to be read. If that were the only obstacle, no argument would be occurring: crimelabs bypass windows passwords routinely. They wouldn't bother fighting a court battle over something they could sort out in 20 seconds.

In fact, it's pretty safe to assume that if they could get into this harddrive without her assistance, they wouldn't be arguing about it.
buddy431 wrote:Being in possession of a password to an encrypted drive is not incriminating.
Sure it is. If the data on the harddrive is incriminating, then entering the password is admitting that you know the password and therefore admitting that you use and have access to the harddrive where that data is stored, thus tying you to that data. Therefore, the act of entering the password in the first place is potentially self-incrimination.
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
The Great Hippo
Swans ARE SHARP
Posts: 7368
Joined: Fri Dec 14, 2007 4:43 am UTC
Location: behind you

Re: Alleged criminal ordered to surrender password to hard d

Postby The Great Hippo » Tue Jan 24, 2012 3:47 pm UTC

Belial wrote:In fact, it's pretty safe to assume that if they could get into this harddrive without her assistance, they wouldn't be arguing about it.
buddy431 wrote:Being in possession of a password to an encrypted drive is not incriminating.
Sure it is. If the data on the harddrive is incriminating, then entering the password is admitting that you know the password and therefore admitting that you use and have access to the harddrive where that data is stored, thus tying you to that data. Therefore, the act of entering the password in the first place is potentially self-incrimination.
Similarly, if there's a storage facility full of drugs, and I own a set of keys for the door, that's pretty incriminating. Probably circumstantial, but incriminating nevertheless.

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 3:49 pm UTC

Though possession of the keys could be established without your cooperation by searching your pockets or your desk drawer or whatever.

If the door was keypad locked, though...
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

kiklion
Posts: 513
Joined: Fri Mar 14, 2008 5:02 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby kiklion » Tue Jan 24, 2012 4:04 pm UTC

Belial wrote:
Zamfir wrote:Or even closer: a building fire that conveniently destroys the relevant documentation or other potential evidence.
This is the closest to a proper analogy, as it is something that can happen by accident without any malfeasance on the part of a third party. And the thing is, in order to prove destruction of evidence, you'd need to prove arson. There are ways to do that. You can in theory prove whether someone set a fire deliberately or if it appears to be accidental. There is really no way to prove whether someone remembers something or not, short of maybe some deep brain scans.
kiklion wrote:Depends on what they used to encrypt it. If it is just 'Windows Password' then depending on version of windows, there are cracks to log in as an admin and change the users password to whatever you want (on XP at least)
That isn't actually encryption at all. The OS just refuses to access any of the data without the password. If you bypass the OS, all the data is still just chilling there unencrypted waiting to be read. If that were the only obstacle, no argument would be occurring: crimelabs bypass windows passwords routinely. They wouldn't bother fighting a court battle over something they could sort out in 20 seconds.

In fact, it's pretty safe to assume that if they could get into this harddrive without her assistance, they wouldn't be arguing about it.


I am aware it isn't encryption, I was basing it off of news sites claiming DDoS attacks as hacking, typically having no idea what is actually going on. While I don't doubt that the police have access to the data, they may be prevented from trying to circumvent something as simple as a password on other grounds that I don't know of.

User avatar
buddy431
Posts: 446
Joined: Mon Dec 06, 2010 5:21 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby buddy431 » Tue Jan 24, 2012 4:11 pm UTC

Belial wrote:
buddy431 wrote:Being in possession of a password to an encrypted drive is not incriminating.
Sure it is. If the data on the harddrive is incriminating, then entering the password is admitting that you know the password and therefore admitting that you use and have access to the harddrive where that data is stored, thus tying you to that data. Therefore, the act of entering the password in the first place is potentially self-incrimination.


Except that courts have pretty routinely held that it isn't incriminating (and that's what this court is holding too). It may or may not surprise you that you can be forced to hand over keys to safety deposit boxes, or otherwise produce documents that you are able to, no matter how incriminating they may be or how well protected from others they are. The court's not trying to prove that she knows about the contents, or that the hard drive is hers (presumably they already have pretty good proof of that, hence this ruling). They're trying to get access to the documents stored on it and use them as evidence.
Gellert1984 wrote:Also, bomb president CIA al qaeda JFK twin towers jupiter moon martians [s]emtex.

Arrian
Posts: 464
Joined: Wed May 20, 2009 10:15 am UTC
Location: Minnesota

Re: Alleged criminal ordered to surrender password to hard d

Postby Arrian » Tue Jan 24, 2012 4:27 pm UTC

Zamfir wrote:Is that really such a great hurdle? There might be cases where "I forgot" is plausible, but in many cases it's not. If you are using a computer, data stick or webservice on a daily basis, then claim to forget the password exactly on the day that it's demanded by the police, a court can decide that you are lying.


<smartass> You haven't worked IT support, have you? </smartass> (Though that's closer to true than not in a lot of cases.)

I believe, if the police have a search warrant to search the house, they cannot search the computers unless it's "in plain sight." I.e. turned on and they see something on the screen. (There was a recent case where a police officer jiggled the mouse to take a PC out of screensaver mode, then looked at the revealed facebook page for information, and that was ruled a Fourth Amendment search. A similar case was ruled the same way, but at least one law prof feels it shouldn't have been and will likely be overturned. Note that in the latter, the police had a warrant to search the house and that included searching the computer.) Because of this, though, most search warrants include a specification to search all computers and computer hardware as well as everything else in a house. (Though there might be hope that search warrants including computers for crimes that are completely unrelated to computers might be held overbroad, as that's similar to a case the Supreme Court heard on December 5th.)

In any case, Malice is right, a search warrant specifying your computer won't allow the police to search data stored on the cloud or a remote server and vice versa.

As for the Fifth Amendment claim that she would be incriminating herself by handing over the password, I can't find a cite but I seriously doubt that will fly. I'm pretty sure that the Fifth is read to only apply to testimony; documents and other evidence can be compelled even though they're incriminating. Since a password itself isn't incriminating, it can probably be compelled even though it will lead to the discovery of incriminating evidence.

Finally, I have a feeling that if you claim to have forgotten your password, you'll likely get slapped with a felony for something like obstructing justice. They make the penalties tough for that kind of thing so you can't just stonewall and escape justice. You don't have to convince a cop or judge that you honestly forgot your password, you have to convince a jury that you did. And the prosecutor will probably try to convince the jury that you're guilty of a felony even if you honestly did forget the password. Catch-22 is alive and well in a lot of ways.

The most interesting advice I've heard is to partition your HDD into multiple, encrypted volumes and separate out your stuff on the volumes: Porn on one, financial data on another, personal correspondence on a third, etc. Then, when the police search, only give them the password to the volume that contains the information they are searching for. (Or maybe, give your lawyer all the passwords and let him decide which one unlocks the appropriate information.) That way you comply with the search warrant but you don't get sent to jail for kiddy porn because some jackass posted something inappropriate on 4chan and it didn't get deleted completely enough out of your cache. I am not a lawyer, so I don't know if this would be a successful strategy, and it still gives the cops what they were looking for in the first place. It just doesn't give them anything else.

User avatar
clockworkmonk
I'm on a horse!
Posts: 649
Joined: Fri Aug 03, 2007 12:53 am UTC
Location: Austin

Re: Alleged criminal ordered to surrender password to hard d

Postby clockworkmonk » Tue Jan 24, 2012 4:45 pm UTC

they can charge you sure, but they have to convince people that you did not forget your password, not the other way around.
418 I'm a teapot

User avatar
Belial
A terrible sound heard from a distance
Posts: 30450
Joined: Sat Apr 15, 2006 4:04 am UTC
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Belial » Tue Jan 24, 2012 4:45 pm UTC

buddy431 wrote:Except that courts have pretty routinely held that it isn't incriminating (and that's what this court is holding too). It may or may not surprise you that you can be forced to hand over keys to safety deposit boxes, or otherwise produce documents that you are able to, no matter how incriminating they may be or how well protected from others they are. The court's not trying to prove that she knows about the contents, or that the hard drive is hers (presumably they already have pretty good proof of that, hence this ruling). They're trying to get access to the documents stored on it and use them as evidence.


The problem here is that unlike those other situations, in this case doing one also proves the other. What, are the prosecutors going to pinky-swear not to use her knowledge of the password to link her to the files?

Trick question. Of course they're not, because that's what the EFF means by "no immunity offered for loss of this protection."
addams wrote:A drunk neighbor is better than a sober Belial.


They/them

User avatar
Xeio
Friends, Faidites, Countrymen
Posts: 5101
Joined: Wed Jul 25, 2007 11:12 am UTC
Location: C:\Users\Xeio\
Contact:

Re: Alleged criminal ordered to surrender password to hard d

Postby Xeio » Tue Jan 24, 2012 4:49 pm UTC

Arrian wrote:The most interesting advice I've heard is to partition your HDD into multiple, encrypted volumes and separate out your stuff on the volumes: ... I am not a lawyer, so I don't know if this would be a successful strategy, and it still gives the cops what they were looking for in the first place. It just doesn't give them anything else.
I'm highly doubtful that would work. What's there to stop you from giving them the wrong partition?

Also, they probably don't need warrants for individual partitions on the same device.

User avatar
buddy431
Posts: 446
Joined: Mon Dec 06, 2010 5:21 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby buddy431 » Tue Jan 24, 2012 5:07 pm UTC

Arrian wrote:As for the Fifth Amendment claim that she would be incriminating herself by handing over the password, I can't find a cite but I seriously doubt that will fly. I'm pretty sure that the Fifth is read to only apply to testimony; documents and other evidence can be compelled even though they're incriminating. Since a password itself isn't incriminating, it can probably be compelled even though it will lead to the discovery of incriminating evidence.


That's exactly what this case was. It was ruled that she can be compelled to give her password. Prior to this case, there wasn't very much precedent for this type of situation. Now we at least have some inkling on if it will fly or not (though it could always be challenged, of course).

Arrian wrote:Finally, I have a feeling that if you claim to have forgotten your password, you'll likely get slapped with a felony for something like obstructing justice. They make the penalties tough for that kind of thing so you can't just stonewall and escape justice. You don't have to convince a cop or judge that you honestly forgot your password, you have to convince a jury that you did. And the prosecutor will probably try to convince the jury that you're guilty of a felony even if you honestly did forget the password. Catch-22 is alive and well in a lot of ways.


As already mentioned, the term is Comtempt of court. You can be given either criminal or civil penalties, up to and including years in prison (the record holder is one H. Beatty Chadwick. Many believe that specific case is a pretty gross miscarriage of justice, but the point is that there are serious penalties if the judge thinks you're holding back).
Gellert1984 wrote:Also, bomb president CIA al qaeda JFK twin towers jupiter moon martians [s]emtex.

elasto
Posts: 3757
Joined: Mon May 10, 2010 1:53 am UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby elasto » Tue Jan 24, 2012 5:23 pm UTC

Arrian wrote:Finally, I have a feeling that if you claim to have forgotten your password, you'll likely get slapped with a felony for something like obstructing justice. They make the penalties tough for that kind of thing so you can't just stonewall and escape justice. You don't have to convince a cop or judge that you honestly forgot your password, you have to convince a jury that you did. And the prosecutor will probably try to convince the jury that you're guilty of a felony even if you honestly did forget the password. Catch-22 is alive and well in a lot of ways.

Yeah, but how far will it go? Steax made the follow-up point I would have made had I not gone out for the day: That encryption protocols like TrueCrypt allow you to have more than one distinct, undetectable encrypted area within a file.

Let's take the simple case of two encrypted areas within a file. The police demand the password and you give it to them. They open up the file and find just normal, legal information inside. But you used TrueCrypt and they know that can have multiple undetectable encrypted regions within it. They demand the second password. You tell them there isn't a second password - and, in reality, maybe there is and maybe there isn't. It just seems a nightmare scenario both for the police and for an innocent victim who did only have one password to one encrypted region.

I honestly don't know the answer, but anyone who has something to hide is going to go down the plausible deniability route and have multiple regions for sure.

Arrian
Posts: 464
Joined: Wed May 20, 2009 10:15 am UTC
Location: Minnesota

Re: Alleged criminal ordered to surrender password to hard d

Postby Arrian » Tue Jan 24, 2012 5:39 pm UTC

Xeio wrote:
Arrian wrote:The most interesting advice I've heard is to partition your HDD into multiple, encrypted volumes and separate out your stuff on the volumes: ... I am not a lawyer, so I don't know if this would be a successful strategy, and it still gives the cops what they were looking for in the first place. It just doesn't give them anything else.
I'm highly doubtful that would work. What's there to stop you from giving them the wrong partition?

Also, they probably don't need warrants for individual partitions on the same device.


That's why you give it to your lawyer and the lawyer hands over the relevant information. At least it works that way in subpoenas, it might also be able to work that way for search warrants in situations like this. One of the regular jobs of a lawyer is to look through their client's records and pass on those that are germane to the other side's case. Like I said, I'm not certain it would work, but also remember that search warrants are only to look for evidence of a specific crime, they're not meant to be fishing licenses. So if your lawyer hands over everything that could be evidence, there's no need to execute the warrant and search through everything that's unrelated in order to find what's related.

buddy341 wrote:As already mentioned, the term is Comtempt of court. You can be given either criminal or civil penalties, up to and including years in prison (the record holder is one H. Beatty Chadwick. Many believe that specific case is a pretty gross miscarriage of justice, but the point is that there are serious penalties if the judge thinks you're holding back).


Contempt of court, certainly, but I also wouldn't be surprised if the prosecutor were able to get an obstruction of justice or other similar charge in there. After all, if the feds can turn making an obviously BS statement to cover your ass into a section 1001 felony despite the fact that it never impacted the investigation, why can't they also get a conviction on some similar charge (or the same, in the case you say you forgot your password but they think you didn't) in order to get a stronger penalty than contempt will give them?

joek
Posts: 95
Joined: Tue Apr 21, 2009 4:33 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby joek » Wed Jan 25, 2012 12:49 pm UTC

elasto wrote:
Arrian wrote:Finally, I have a feeling that if you claim to have forgotten your password, you'll likely get slapped with a felony for something like obstructing justice. They make the penalties tough for that kind of thing so you can't just stonewall and escape justice. You don't have to convince a cop or judge that you honestly forgot your password, you have to convince a jury that you did. And the prosecutor will probably try to convince the jury that you're guilty of a felony even if you honestly did forget the password. Catch-22 is alive and well in a lot of ways.

Yeah, but how far will it go? Steax made the follow-up point I would have made had I not gone out for the day: That encryption protocols like TrueCrypt allow you to have more than one distinct, undetectable encrypted area within a file.

Let's take the simple case of two encrypted areas within a file. The police demand the password and you give it to them. They open up the file and find just normal, legal information inside. But you used TrueCrypt and they know that can have multiple undetectable encrypted regions within it. They demand the second password. You tell them there isn't a second password - and, in reality, maybe there is and maybe there isn't. It just seems a nightmare scenario both for the police and for an innocent victim who did only have one password to one encrypted region.


I agree that for the police it is an impossible situation: whether or not you have done anything wrong, it would be impossible for them to find potential incriminating data. But from the point of view of the suspect, surely this is exactly what they want: a jury cannot convict on the basis that there is a possibility that there may be undiscovered evidence...

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Steax » Wed Jan 25, 2012 1:21 pm UTC

joek wrote:
elasto wrote:
Arrian wrote:Finally, I have a feeling that if you claim to have forgotten your password, you'll likely get slapped with a felony for something like obstructing justice. They make the penalties tough for that kind of thing so you can't just stonewall and escape justice. You don't have to convince a cop or judge that you honestly forgot your password, you have to convince a jury that you did. And the prosecutor will probably try to convince the jury that you're guilty of a felony even if you honestly did forget the password. Catch-22 is alive and well in a lot of ways.

Yeah, but how far will it go? Steax made the follow-up point I would have made had I not gone out for the day: That encryption protocols like TrueCrypt allow you to have more than one distinct, undetectable encrypted area within a file.

Let's take the simple case of two encrypted areas within a file. The police demand the password and you give it to them. They open up the file and find just normal, legal information inside. But you used TrueCrypt and they know that can have multiple undetectable encrypted regions within it. They demand the second password. You tell them there isn't a second password - and, in reality, maybe there is and maybe there isn't. It just seems a nightmare scenario both for the police and for an innocent victim who did only have one password to one encrypted region.


I agree that for the police it is an impossible situation: whether or not you have done anything wrong, it would be impossible for them to find potential incriminating data. But from the point of view of the suspect, surely this is exactly what they want: a jury cannot convict on the basis that there is a possibility that there may be undiscovered evidence...


Yes, and that's the issue. Every single person that holds encrypted data may not be 100% truthful when they reveal their password/data contents. It kind of nullifies the point of investigating it, since you can never definitively tell when you have or haven't uncovered all the evidence contained there.
In Minecraft, I use the username Rirez.

Chen
Posts: 5577
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Alleged criminal ordered to surrender password to hard d

Postby Chen » Wed Jan 25, 2012 2:05 pm UTC

Steax wrote:Yes, and that's the issue. Every single person that holds encrypted data may not be 100% truthful when they reveal their password/data contents. It kind of nullifies the point of investigating it, since you can never definitively tell when you have or haven't uncovered all the evidence contained there.


Sure you can't necessarily know if you found all the evidence, but if you find any that's still useful information.

User avatar
Steax
SecondTalon's Goon Squad
Posts: 3038
Joined: Sat Jan 12, 2008 12:18 pm UTC

Re: Alleged criminal ordered to surrender password to hard d

Postby Steax » Wed Jan 25, 2012 2:58 pm UTC

If you find any, yes. But encryption is very hard to deal with, and in typical cases we probably won't have the ability to crack them. This means information we get from it is entirely decided upon by the owner, which would be dangerous to trust.
In Minecraft, I use the username Rirez.


Return to “News & Articles”

Who is online

Users browsing this forum: iamspen and 6 guests