A federal district court in Texas recently handed down a new case on the scope of computer warrant searches that shows how important and yet uncertain the rules of computer search and seizure are these days: United States v. Kim, — F.Supp.2d —, 2009 WL 5185389 (S.D. Texas 2009). The case was handed down December 23 by District Judge Vanessa Gilmore.
Law enforcement agents were searching a computer with a warrant for evidence of computer hacking when they came across folders containing encrypted files with suggestive titles such as “ForbiddenFruit”, “Illegal_Loli #”, and “Loli#”. The files were encrypted with “CryptaPix,” encryption software that is generally known as a way to encrypt image files. The agents requested a warrant to open the files and search for child pornography, but the magistrate rejected the warrant application on the ground that there was insufficient probable cause. The government decided to try to decrypt the files anyway under the authority of the warrant to search for evidence of computer hacking. It took two months, but eventually the government decrypted the images and found 840 images of child pornography.
The district court suppressed the child pornography images as being beyond the scope of the warrant. However, the court did not follow the subjective approach that several courts have used in the computer search and seizure context to measure the scope of the warrant. (Under the subjective approach, courts look to whether the agent was subjectively trying to stay within the scope of the warrant when he clicked on the file.) Instead, the court concluded that it was objectively unreasonable for the government to decrypt the images based on its alleged interest in searching for evidence of computer hacking:
Looking in the encrypted folders for evidence of Computer Intrusion was unreasonable for several reasons. First, none of the other evidence of Computer Intrusion was located in encrypted folders. Agent Mance signed a sworn affidavit to the court asserting that he believed the encrypted folders to contain evidence of child pornography. He did not mention that the folders could contain evidence of Computer Intrusion. Second, the encrypted folders were created five years before, and last modified approximately three years before the dates of the alleged computer intrusion.
Third, Cryptapix, the software used to encrypt the folders in question was not the type that could be used to encrypt images. At the hearing McGrody, the Government’s witness, established that the Defendant had version 2.2 of Cryptapix on his computer. Only Cryptapix 3.04, which was created in 2009, had the technology to store data as image files. Cryptapix 2.2, the version that the Defendant had on his computer and the version used to encrypt the files in the folder allegedly containing evidence of child pornography, did not have this feature.
Finally, at the hearing, Agent Symeonidis testified that the Government did not find any evidence of Computer Intrusion on the computer allegedly containing evidence of child pornography. In fact, McGrody testified that the Government did not have any evidence that the IP address of the computer containing the encrypted files attempted to gain access to the GEXA network. In fact, he stated that none of the IP addresses discussed in the search warrant belonged to the computer containing the encrypted files. Accordingly, the Court finds that when the Government agents began looking at the encrypted files, they were acting outside the scope of their warrant.
For the reasons stated above, the Court finds that when the Government agents decided to spend two months decoding the files in the encrypted folders, they did not do so in continuation of a valid search for evidence of Computer Intrusion. Rather, the Court finds that the Government examined the encrypted folders searching for evidence of child pornography, in direct defiance of the magistrate court’s order. The Court finds that the Government’s attempts to claim that they discovered the files while looking for evidence of Computer Intrusion is a clear attempt to justify the government’s warrantless search for evidence of child pornography and to manipulate the Court into authorizing their defiance of the Magistrate’s order.
This decision reminds me of United States v. Payton, the recent Ninth Circuit case in which the Ninth Circuit suppressed evidence found in a computer on the ground that there was no reason to think the evidence in the warrant would be on the computer. Like Payton, Kim reaches that result through a general reasonableness analysis: It seems to have a sense of when it would be objectively reasonable to open a particular file, much like Payton had a sense of when it was objectively reasonable to look inside a computer.
My own view, as I expressed in this 2005 article, is that the eventual answer — the least bad alternative, really — will be for courts to eliminate the plain view exception in the computer search and seizure context. The problem with a general reasonableness analysis is that courts have very little sense ex ante of what kinds of computer forensic searches are reasonable. Judges are not computer forensic specialists: They aren’t very well-positioned to distinguish reasonable from unreasonable computer forensic steps. You can see that in Kim: The reasons why the court concludes it was ex ante unreasonable to decrypt the files end up relying in large part on what the government found ex post, after the files were decrypted.
Imagine the next case. A hacker has read the Kim case, so he takes his hacker files, encrypts them using Cryptapix, and labels the folder “childpornpics.” The government comes across the folder when they’re searching the computer under a warrant for hacking evidence. Under Kim, are they allowed to even try to decrypt the files? You could read Kim as indicating that they can’t, as it would be unreasonable given the file label. Alternatively, you can read Kim as saying that the reasonableness of decrypting the files depends on what evidence they find: It’s reasonable if they end up finding evidence within the scope of the warrant but not if they find evidence outside the scope of the warrant. But if you take the latter interpretation of Kim, that’s just a complicated way of saying that the plain view exception doesn’t apply. Think about it: If the reasonableness of the search depends on whether the evidence discovered is within the scope of the warrant, that’s just an indirect way of saying that the evidence is allowed if it’s within the scope of the warrant and excluded if it’s outside the scope of the warrant.
Anyway, stay tuned: With recent cases like Payton, CDT and Kim, this seems to be an area that is moving fast these days. Thanks to Susan Brenner for the case information; she also has a post on the case at her cyb3rcrim3 blog.
Chris Travers says:
Given the emphasis on the access and file creation times, do you think the judges are holding these as reliable metrics regarding computer searches?
A hacker that has read the Kim case not only does as you describes but does so after setting his system clock back five years (then resetting it), might easily hide the evidence outside the scope of the warrant.
January 8, 2010, 1:34 pm
ruuffles says:
According to its website, CryptaPix (at least the current version) uses 256-bit AES encryption, which is what the federal gov’t uses for protecting classified documents.
I draw one of several conclusions:
1) Kim chose a weak password
2) CryptaPix had a weak implementation of AES-256 that is susceptible to easier decryption
3) The gov’t devoted a hefty chunk of computer time to this
It’s almost certainly 1), but 2) is also possible since this is commercial software (read: not open source).
January 8, 2010, 1:34 pm
ruuffles says:
I should add that the use of 2 months of computer time is a lot when there was no evidence of what they would find (as opposed to the case where officers saw the pictures, but it was encrypted when they tried to access it later). The titles could just as well be for legal porn of 18 year olds.
January 8, 2010, 1:39 pm
Ken Arromdee says:
Imagine the next case. A court rules that the police, searching for illegal hacking files, are not permitted to destroy the suspect’s priceless Ming vase. A hacker has read this case, so he takes his hacker files, puts them on a micro-SD card, and conceals it in a hidden compartment inside an antique vase.
So should be legal for the police to destroy everyone’s antiques when they have a warrant for hacking files? Can they do a body cavity search? And if the court rules that they can’t do a body cavity search, what’s to keep the next hacker from reading the case and concealing the documents in a body cavity?
It’s always possible to hide something in an unlikely place, especially computer files, which can fit in incredibly small spaces. To say that the possibility of doing so means the police should be allowed to search the unlikely place gives the police a blank check to search everything and anything, and lets them use it as a pretext to search for other things.
[OK Chimes in: Ken, the Supreme Court rejected your view a long time ago. Recall what Justice Stevens said about limits on physical searches with warrants in United States v. Ross (1982):
January 8, 2010, 1:42 pm
PubliusFL says:
But Kim relies on a lot more than just the file label. Aside from the date evidence (which as Chris Travers suggests isn’t terribly reliable) there’s the nature of the encryption. The second paragraph from the opinion that’s quoted above is very confusingly worded, but it appears that the encryption format used on the computer could only be used to encrypt images. Presumably your hypothetical hacker, therefore, would have to use some other method to encrypt his hacker files in the misleadingly-labelled folder, which affects the reasonableness of suspecting that the folder might contain evidence of hacking.
January 8, 2010, 1:42 pm
Chris Travers says:
You can hide anything in a jpg or tiff though. Same with many other formats. You might only be able to encrypt images, but that hardly means you can only encrypt image data.
(Of course with NTFS, you can hide executables which appear to be harmless text files with arbitrary content, but I assume that this sort of things is checked by standard forensic toolkits. metadata within the file type is a different question entirely and would probably be encrypted with the file.)
January 8, 2010, 1:45 pm
ruuffles says:
According to its website, CryptaPix also supports steganography, that is, encrypting text (or any other data) into a photo.
January 8, 2010, 1:45 pm
PubliusFL says:
Good point.
The court expressly addresses that, pointing out that that’s a feature added in a version later than was on Kim’s computer.
January 8, 2010, 1:47 pm
David M. Nieporent says:
I think if you label it “childpornpics,” that just might constitute probable cause for a warrant to look at them for evidence of child porn.
Also, it seems pretty clear in this case that the court was rather annoyed that when the magistrate denied the warrant, the government decided to ignore him. And was doubly annoyed that when they found evidence of child porn, they lied and claimed they were looking for evidence of hacking, even though they had previously admitted they were looking for evidence of child porn.
January 8, 2010, 1:56 pm
Sam says:
David: but Kim more or less did label something “childpornpics”…. “loli” is roughly “sexually suggestive young girl” (from Nabokov’s Lolita via Japanese anime & manga “lolicon”). “Illegal loli” would suggest something more than “sexually suggestive”.
January 8, 2010, 2:21 pm
Malvolio says:
The court may have pointed it out, but it isn’t true. Without any tools but what was delivered with my Mac, I took an existing JPG file and hid some secret data in it in about 15 seconds, without damaging the original image. If Kim were any kind of hacker (which, from his incredibly weak security tactics, I doubt) he could certainly have done the same thing. Too bad for him he’s just a pedophile.
January 8, 2010, 2:23 pm
David M. Nieporent says:
I agree, but for whatever reason, the magistrate didn’t find it such. But “childpornpics” is even more explicit, don’t you think?
January 8, 2010, 3:02 pm
Anthony says:
Being a hacker doesn’t require terribly high skill, particularly if you have some form of inside knowledge. I’m not sure I’m convinced by the original denial of probable cause, but given the denial, claiming that they were searching for evidence of hacking is incredibly thin.
January 8, 2010, 3:05 pm
A. Criminal says:
“ForbiddenFruit”
How lame. As a criminal I keep information which could implicate me in files and directories named “Great Lakes Geography” and “Cookie Recipes.” (But that’s a lie – it’s actually buried in the back yard, and is financial records, not naughty pictures).
“[McGrody] the Government’s witness, established that the Defendant had version 2.2 of Cryptapix on his computer. Only Cryptapix 3.04, which was created in 2009, had the technology to store data as image files.”
That’s nonsensical as well as not true: http://www.briggsoft.com/cpix_rh.htm
“McGrody testified that the Government did not have any evidence that the IP address of the computer containing the encrypted files attempted to gain access to the GEXA network.”
We have more than one computer that shows the same IP to the outside world. That’s because the computers themselves don’t have an IP address.
This website says McGrody is the defendant’s witness, and has at least one more false statement from McGrody*: http://cyb3rcrim3.blogspot.com/2010/01/encryption-and-execution-of-computer.html:
“Symeonieis testified that the government did not rely on the created or last modified dates because the agents thought the dates could have been changed or altered. McGrody testified that changing the dates would have taken … hundreds of hours.”
Symeonieis was correct – I can change the created/modified/accessed times on hundreds or thousands of files in a few seconds with AttributeMagic. Why and how do they get these people to testify if they don’t know anything? (I should be so lucky)
January 8, 2010, 3:06 pm
Darel Finkbeiner says:
I thought the point of his going on about this ( IP address, etc ) was that it didn’t appear that this was even the right computer.
So the analogy would be a warrant for a blue taurus, but then the VIN and license plate are different, and it’s not even the same model year… oh, search it anyway, we might find something!
January 8, 2010, 3:07 pm
Chris Travers says:
What do you have to do to take hundreds of hours to change the dates on less than 900 files? I just can’t fathom it.
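An added example, not part of A. Criminal’s or Chris Travers’s comments above and not code from the case: it backdates the modification times of several hundred files in one call per file and times it, and then shows the check an examiner still has on a POSIX file system. `utime()` rewrites atime and mtime but the kernel sets the inode change time (ctime) to *now*, so a file whose ctime sits years after its mtime was touched after the fact. (The NTFS analogue is comparing the $FILE_NAME and $STANDARD_INFORMATION timestamps; that is not shown here.) The files, the five-year offset and the one-day tolerance are all constructed for the example.

```python
import os
import tempfile
import time
from pathlib import Path

SECONDS_PER_YEAR = 365 * 24 * 3600


def create_tree(root, count):
    """Constructed sample: `count` small files standing in for a seized folder."""
    paths = []
    for i in range(count):
        p = Path(root) / f"img_{i:04d}.dat"
        p.write_bytes(b"\x00" * 64)
        paths.append(p)
    return paths


def backdate(paths, years):
    """Set atime and mtime of every file `years` into the past; return seconds taken.
    utime() is the same system call attribute-changing tools make; ctime cannot
    be set through it and is bumped to the current time by the kernel."""
    target = time.time() - years * SECONDS_PER_YEAR
    start = time.perf_counter()
    for p in paths:
        os.utime(p, (target, target))
    return time.perf_counter() - start


def timestomp_suspects(paths, min_gap_seconds=86400):
    """Files whose inode change time is far later than their modification time.
    A genuine edit moves both together; a backdated mtime leaves ctime behind.
    POSIX only: on Windows st_ctime is the creation time, not the change time."""
    flagged = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > min_gap_seconds:
            flagged.append(p)
    return flagged


def run_demo(count=900, years=5.0):
    """Backdate `count` files by `years`; report timing and what the check catches."""
    with tempfile.TemporaryDirectory() as d:
        paths = create_tree(d, count)
        flagged_before = len(timestomp_suspects(paths))
        elapsed = backdate(paths, years)
        flagged_after = len(timestomp_suspects(paths))
        mtime_age_years = (time.time() - os.stat(paths[0]).st_mtime) / SECONDS_PER_YEAR
    return {
        "files": count,
        "seconds_to_backdate": elapsed,
        "flagged_before": flagged_before,
        "flagged_after": flagged_after,
        "mtime_age_years": mtime_age_years,
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"backdated {r['files']} files by 5 years in {r['seconds_to_backdate']:.3f}s; "
          f"ctime/mtime check flagged {r['flagged_after']} of them")
```

The heuristic is only as good as the attacker is lazy: anyone who also resets the system clock, copies the tree to a fresh file system, or edits the metadata below the file system API leaves no ctime gap, which is the reason examiners treat timestamps as corroboration rather than proof.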
January 8, 2010, 3:11 pm
SecurityGeek says:
As a friend who worked at the NSA said, “it’s never the crypto, it’s always the key.”
Cryptographic attacks against real world systems very rarely rely on mathematical attacks against a symmetric cipher, such as AES. The most fruitful lines of attack are generally against key management, key derivation, or human stupidity.
I haven’t looked specifically Cryptapix, but generally systems like that take a human remembered passphrase and use a Key Derivation Function to turn it into a bytestream appropriate for use as a key for a symmetric block cipher, such as AES. There are some good, well documented ways of doing this (PBKDF2) but a lot of people implementing these systems just wing it. When they do so, they greatly reduce the computational complexity of performing a brute-force attack against the user’s passphrase.
Another problem is that people reuse passwords, or include data that otherwise relates to their life (dates, names, places). It is well documented that the Secret Service already has a system that uses key phrases from a suspect’s hard drive to seed and accelerate an attack against their passphrase. Also a no-no: using the same password to login to your computer as you use to encrypt data. Operating systems use much weaker algorithms to protect your password than most encryption programs. If Mr. Kim used his Windows password as his Cryptapix password, then it would be pretty easy for an examiner to crack his Windows (preferably Lanman) password hash and use it to decrypt his porn stash.
Long story short, if you want to keep files on your laptop secret, then use a TPM-backed full-disk encryption product with multiple levels of keys, such as a passphrase and a key on a usb stick. Windows Bitlocker is an excellent option and included in the high-end versions of Windows 7.
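An added example, not part of SecurityGeek’s comment above and not CryptaPix’s code, illustrating his point that the key derivation step, not AES, decides how long a passphrase-protected file lasts. A dictionary attack seeded from words found on the suspect’s own disk is run against a stored key verifier twice: once with a “wing it” KDF (a single SHA-256 over the passphrase) and once with PBKDF2-HMAC-SHA256. The disk text, both passphrases, the salt, the iteration count (kept low so the demo finishes quickly) and the verifier layout are all constructed for the example.

```python
import hashlib
import hmac
import itertools
import re
import time

SALT = b"example-salt-0001"   # constructed; a real product stores a random per-file salt
PBKDF2_ITERS = 2_000          # deliberately low for the demo; real deployments use far more


def naive_kdf(passphrase: str, salt: bytes) -> bytes:
    """'Winging it': one SHA-256 per guess, so the attacker pays one hash per word."""
    return hashlib.sha256(salt + passphrase.encode()).digest()


def pbkdf2_kdf(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: every guess costs PBKDF2_ITERS HMACs instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, dklen=32)


def key_verifier(key: bytes) -> bytes:
    """Stand-in for the 'is this the right key?' tag a container stores next to the data."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]


def seeded_wordlist(disk_text: str):
    """Candidates built from words in the suspect's own files, alone and with a
    year appended: the hard-drive-seeded attack SecurityGeek describes, in miniature."""
    words = sorted({w for w in re.findall(r"[A-Za-z]{4,}", disk_text)})
    for w in words:
        yield w
        yield w.lower()
    for w, year in itertools.product(words, range(2000, 2010)):
        yield f"{w}{year}"


def crack(verifier: bytes, salt: bytes, kdf, candidates):
    """Try each candidate through kdf; return (passphrase or None, guesses, seconds)."""
    start = time.perf_counter()
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hmac.compare_digest(key_verifier(kdf(cand, salt)), verifier):
            return cand, guesses, time.perf_counter() - start
    return None, guesses, time.perf_counter() - start


# Constructed "suspect's disk" text and two passphrases: one assembled from that
# text the way people usually do, one random and not derivable from it.
DISK_TEXT = ("Lease agreement for the Houston apartment, Rockets season tickets, "
             "photos from the Galveston fishing trip, resume and tax returns.")
WEAK_PASSPHRASE = "Houston2004"
STRONG_PASSPHRASE = "f7Q!wz-Lm9#kV2rT"


def run_demo() -> dict:
    """Crack the weak passphrase under both KDFs; fail to crack the strong one under either."""
    out = {}
    for name, kdf in (("naive", naive_kdf), ("pbkdf2", pbkdf2_kdf)):
        weak_v = key_verifier(kdf(WEAK_PASSPHRASE, SALT))
        strong_v = key_verifier(kdf(STRONG_PASSPHRASE, SALT))
        out[name] = {
            "weak": crack(weak_v, SALT, kdf, seeded_wordlist(DISK_TEXT)),
            "strong": crack(strong_v, SALT, kdf, seeded_wordlist(DISK_TEXT)),
        }
    return out


if __name__ == "__main__":
    for name, res in run_demo().items():
        (pw, n, secs), (_, n2, secs2) = res["weak"], res["strong"]
        print(f"{name:7s} weak: {pw!r} after {n} guesses in {secs:.3f}s; "
              f"strong: not found after {n2} guesses in {secs2:.3f}s")
```

Both KDFs give up the weak passphrase after the same number of guesses; PBKDF2 only multiplies the cost per guess by its iteration count. The strong passphrase survives both because it is not in any wordlist the attacker can build, which is the whole game: a good KDF buys time, a good passphrase buys the outcome.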
January 8, 2010, 3:20 pm
Just Dropping By says:
Imagine the next case. A hacker has read the Kim case, so he takes his hacker files, encrypts them using Cryptapix, and labels the folder “childpornpics.”
I’d be interested to meet the person gutsy enough to specifically label a folder “childpornpics” as part of a plan to evade a search warrant relating to computer hacking. I can only assume that it’s very rare for people to conceal criminal conduct type “A” by trying to make it appear to be criminal conduct type “B”.
January 8, 2010, 3:21 pm
jcm says:
If the hacker has read Poe, his computer cannot be searched?
Not really. The Court bases its reasoning on four premises, so it would be wrong to take one without the others.
“with my Mac, I took an existing JPG file and hid some secret data in it in about 15 seconds, without damaging the original image”.
January 8, 2010, 3:24 pm
Yes, and in 5 seconds, without using any forensic tool, anyone can discover them.
“which, from his incredibly weak security tactics, I doubt”
They needed two months to break them, that’s not weak. With the best supercomputers a group was able to break a 128-bit encryption code in two days.
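An added example, not part of Malvolio’s comment or the reply above: the fastest way to hide data in a JPEG with nothing but a stock shell is to append it after the image (`cat photo.jpg secret > photo2.jpg`), because viewers stop at the End-Of-Image marker; and, as the reply says, that is found just as fast. The code walks the JPEG segment structure to the real EOI, so an `FF D9` byte pair inside the appended payload does not fool it, and reports any trailing bytes. The JPEG is a constructed minimal stream (SOI, a JFIF APP0 segment, an empty scan, EOI), not a real photograph, and the payload is constructed too. Pixel-level steganography is a different technique and is not shown.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def _segment(marker: bytes, body: bytes) -> bytes:
    """Marker + big-endian length (including the two length bytes) + body."""
    return marker + struct.pack(">H", len(body) + 2) + body


def minimal_jpeg() -> bytes:
    """Constructed stand-in for a photo: SOI, a JFIF APP0 segment, a start-of-scan
    header with no entropy-coded data behind it, and EOI. Real files also carry
    quantisation and Huffman tables and scan data; the walker below does not care."""
    app0 = b"JFIF\x00\x01\x01\x00" + struct.pack(">HH", 72, 72) + b"\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return SOI + _segment(b"\xff\xe0", app0) + _segment(b"\xff\xda", sos) + EOI


def append_payload(jpeg: bytes, payload: bytes) -> bytes:
    """The 'cat photo.jpg secret > photo2.jpg' trick: viewers stop at EOI."""
    return jpeg + payload


def structural_eoi(blob: bytes) -> int:
    """Offset of the EOI marker reached by walking the segment structure, so an
    FF D9 pair inside appended data is not mistaken for the real end of image."""
    if not blob.startswith(SOI):
        raise ValueError("not a JPEG stream")
    i = 2
    while i + 1 < len(blob):
        if blob[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        m = blob[i + 1]
        if m == 0xFF:                        # fill byte; the marker follows
            i += 1
            continue
        if m == 0xD9:
            return i
        if m == 0x01 or 0xD0 <= m <= 0xD7:   # TEM / RSTn carry no length
            i += 2
            continue
        if i + 4 > len(blob):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", blob[i + 2:i + 4])[0]
        i += 2 + length
        if m == 0xDA:                         # SOS: skip entropy-coded data to the next real marker
            while i + 1 < len(blob):
                if blob[i] == 0xFF and blob[i + 1] != 0x00 and not 0xD0 <= blob[i + 1] <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker; truncated or not a JPEG")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the structural EOI; empty for a clean file."""
    return blob[structural_eoi(blob) + 2:]


def scan(files: dict) -> dict:
    """name -> number of trailing bytes: the whole 'forensic' check for this trick."""
    return {name: len(trailing_data(blob)) for name, blob in files.items()}


if __name__ == "__main__":
    clean = minimal_jpeg()
    stuffed = append_payload(clean, b"PK\x03\x04" + EOI + b"constructed hidden archive bytes")
    print(scan({"clean.jpg": clean, "stuffed.jpg": stuffed}))
```

A file carving tool or a plain `tail -c +N` past the EOI offset recovers the payload; the same walk also catches data hidden between segments if you compare the segment lengths against the declared ones.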
Orin Kerr says:
Just Dropping By,
I have never heard of such a thing, either, but then before this decision came down there would be no reason to do that.
January 8, 2010, 3:26 pm
Fub says:
Maybe I’m still too caffeine deprived, or have lost what little mind I once possessed, but I read the excerpt provided as saying approximately what Ken said. That is:
is approximately another way of saying:
It sure looks to me that if police want to smash that Ming vase, all they have to do is say they were searching for something within the scope of the “things to be seized”, but so small that might be contained in the vase. Nothing prevents them from using that pretext to actually search for something else which they just happen to find, or to just wantonly wreck priceless objects because they feel like it. All they have to do is claim (truthfully or falsely) that they were looking for something small within the scope of the warrant.
If the things to be seized in general can be hidden in small places, any object becomes a possible hiding place.
January 8, 2010, 3:30 pm
Ken Arromdee says:
But this wasn’t a physical search. (At least not in the same sense.)
January 8, 2010, 3:34 pm
DE says:
While I’m all for privacy and reducing the currently-overbroad-IMO scope of computer searches, those folder names are the equivalent of putting a sign up somewhere saying “Evidence of Illegal Activity; Do Not Show to Police”. I find it hard to imagine circumstances where that that shouldn’t trigger immediate probable cause.
January 8, 2010, 3:34 pm
pc says:
If someone were stupid enough to do that, would it be difficult to get another search warrant that covers child porn based on seeing a folder labeled “childpornpics” that contains encrypted image files?
I think David M. Nieporent has it right. The court didn’t seem too happy with the agents exceeding the authority of the warrant and lying about it.
January 8, 2010, 3:36 pm
SecurityGeek says:
No. It is not now and will probably never be feasible to perform a brute force attack against a well-designed* 128-bit symmetric cipher. There are some basic thermodynamic limits that come into play here: just to count to 2^128 would take something like the entire output of our sun for billions of years**.
*The caveat: despite assumptions to the contrary, the vast majority of cryptographic algorithms in use (RSA, DH, DSA, AES) are not provably secure. We can’t prove that the problems these systems are based upon are hard, we just think they are hard. It is certainly possible to design an algorithm that can be easily broken even if it uses a 128-bit key, but no 128 bit symmetric block cipher in wide use has ever been successfully attacked in the known literature.
**A working quantum computer would invalidate some of these limits, since it would draw upon computation performed not only in our Universe but many other Universes.
January 8, 2010, 3:36 pm
Mee_too says:
I am a computer forensic examiner.
The solution is to allow “black box” decryption — where the examiner who also has legal training on relevance, is given the subject matter of the warrant, and examines the decrypted data to determine if it is relevant and covered by the warrant. He makes a list of the material he believes is relevant, and gives it to the D, who has 14 days to move the court to quash or suppress any particular material as not covered by the warrant. Anything not objected to then goes to o/c after 14 days. Anything objected to, the Judge examines it in camera, to determine its relevance and decide the objection.
I have done this several times. It works and is fair. It should also be employed with non-encrypted data too, to prevent fishing expeditions through the intimacies of our lives that we all store on computers. Three felonies a day… remember?
As an aside, I’ve always been bothered by use of one statute just to get a warrant, then turn the place upside down to find evidence of “something” to hang the guy on. IIRC, a study of “terrorism” warrants found that the resulting charges from the search rarely involved terrorism, but frequently were for wholly unrelated crimes.
January 8, 2010, 3:45 pm
SeaDrive says:
This is a judgment call, of course. I tend to side with the cops that they had probable cause. However, the subsequent behavior of the cops, and the arguments cited to justify it are awful.
January 8, 2010, 5:11 pm
DG says:
One point here – encryption is encryption. The idea that you can’t use a particular version of an encryption suite to encrypt images is ridiculous. I don’t understand that part of this at all.
January 8, 2010, 5:33 pm
Guy says:
Why do so many 4th Amendment computer cases involve child porn? Is child porn really that popular? It’s beginning to look like the computing analog to drugs in physical searches.
January 8, 2010, 5:35 pm
Anthony says:
Two months probably indicates the length of time it took to reach the top of the project queue for the person responsible for doing the decryption, not the actual work time required.
January 8, 2010, 5:55 pm
Orin Kerr says:
Guy,
Contraband cases are always a rich source of Fourth Amendment cases. The crime is mere possession, and if the government catches the bad guy in possession, there are few if any claims that can be raised in defense. The one obvious defense is to challenge the way that the government came to discover that the defendant was in possession: that is, argue that the contraband was unlawfully obtained and thus must be thrown out. If the defendant wins, the whole case is gone. Thus defendants in contraband cases very often file Fourth Amendment suppression motions.
Oh, and yes, there are a lot of these cases.
January 8, 2010, 6:15 pm
Fub says:
I’m not sure if you’re saying here that you think filenames and encryption constitute PC for a warrant. If so, then I must disagree.
I, and many other folks I know, use screwy file names, and some use encryption as a default byproduct of file compression programs. The encryption is weak, but it will prevent perusal of the files by a casual observer who just happens to use the computer. This is not because the files contain anything criminal. They don’t. People just don’t want any old person who happens to use their computer to access their personal musings about innocuous but possibly controversial subjects.
If file names constitute PC, then almost anybody could be subject to a search warrant based upon some officer’s or magistrate’s imagination.
Does the filename “atombomb.abc” mean “this file contains plans for an atomic bomb”? Or is it just a lamely humorous name meaning “this file contains a review of a concert where Tom (a performer) bombed, ie: A Tom Bomb”?
January 8, 2010, 6:16 pm
Orin Kerr says:
Fub,
What if the folder has 500 files in it, all 500 of which have titles that are suggestive of child porn? Does that provide probable cause to search the folder’s contents?
January 8, 2010, 6:20 pm
Don Miller says:
I am not a lawyer, I am a network administrator.
Several facts quoted by the judge
1. The IP address of the computer did not match the ip addresses used by the hacker (NAT technology allows your network to have one public IP address for a group of computers, but all of them have IP addresses. It is trivial to identify the private address of a PC that is on the otherside of a NAT device.)
2. The dates in the file folder meta data predated the hacking attempts by several years (Metadata can be manipulated, but when combined with #1, seems unlikely)
3. The encryption software used was an older version and did not have the capability that the police claimed it had.
As much as I hate child porn, I think the court did the right thing in this case. This sounds like a computer that once the police identified it was not covered by the original warrant (wrong IP address), they should have put it aside and gone onto the next one.
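An added example, not part of Don Miller’s comment and not drawn from the case record: it shows the attribution step his point 1 takes for granted. The attacked server only ever sees the NAT device’s public address, so tying an attempt to one computer behind it means matching the public source port and time against the NAT device’s own translation log; without that log the public IP names the household, not the machine. Both logs below are constructed, in an invented line format modelled loosely on netfilter conntrack output, using documentation address ranges.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class NatEntry:
    start: datetime
    end: datetime
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


@dataclass
class Event:
    when: datetime
    public_ip: str
    public_port: int


# Constructed NAT translation log, invented format:
# <start> <end> <private ip:port> -> <public ip:port> dst <server ip:port>
NAT_LOG = """\
2009-03-02T01:14:05 2009-03-02T01:16:40 192.168.1.23:51422 -> 203.0.113.7:40011 dst 198.51.100.9:22
2009-03-02T01:14:30 2009-03-02T01:14:31 192.168.1.40:33100 -> 203.0.113.7:40012 dst 198.51.100.9:80
2009-03-02T02:05:00 2009-03-02T02:05:09 192.168.1.40:51500 -> 203.0.113.7:40011 dst 198.51.100.9:22
"""

# Constructed auth-log lines from the attacked server; it sees only the public address.
SERVER_LOG = """\
2009-03-02T01:15:10 sshd[2211]: Failed password for root from 203.0.113.7 port 40011 ssh2
2009-03-02T02:05:03 sshd[2290]: Failed password for admin from 203.0.113.7 port 40011 ssh2
2009-03-02T03:30:00 sshd[2350]: Failed password for root from 203.0.113.7 port 40987 ssh2
"""

NAT_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) -> (\S+):(\d+) dst ")
EVENT_RE = re.compile(r"^(\S+) .* from (\S+) port (\d+)")


def parse_nat_log(text: str) -> List[NatEntry]:
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if m:
            s, e, pip, pport, gip, gport = m.groups()
            entries.append(NatEntry(datetime.fromisoformat(s), datetime.fromisoformat(e),
                                    pip, int(pport), gip, int(gport)))
    return entries


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            when, ip, port = m.groups()
            events.append(Event(datetime.fromisoformat(when), ip, int(port)))
    return events


def attribute(event: Event, entries: List[NatEntry]) -> Optional[str]:
    """Private host whose translation covered this public ip:port at this time.
    None when no record covers it (log gap) or more than one does (ambiguous):
    the public address alone only identifies the NAT device."""
    hits = {e.private_ip for e in entries
            if e.public_ip == event.public_ip and e.public_port == event.public_port
            and e.start <= event.when <= e.end}
    return hits.pop() if len(hits) == 1 else None


def attribute_all(nat_text: str = NAT_LOG,
                  server_text: str = SERVER_LOG) -> List[Tuple[str, int, Optional[str]]]:
    """(event time, public source port, private host or None) for every server event."""
    entries = parse_nat_log(nat_text)
    return [(ev.when.isoformat(), ev.public_port, attribute(ev, entries))
            for ev in parse_events(server_text)]


if __name__ == "__main__":
    for when, port, host in attribute_all():
        print(f"{when} port {port}: {host or 'no NAT record, cannot attribute'}")
```

Public port 40011 is reused by two different internal hosts an hour apart, so the time window is as important as the port; the third event has no surviving translation record, and the honest answer there is “some computer behind 203.0.113.7”, which is all the warrant’s IP address could ever establish on its own.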
January 8, 2010, 6:42 pm
Dr. Caligari says:
So he goes to the trouble to obtain and use some fairly sophisticated encryption software and then gives his files names like “Illegal_Loli #” when with no greater effort he could use innocent sounding names like “Xmas 2007” or “classreunionpics” or “grandcanyontrip”.
Human stupidity is infinite.
January 8, 2010, 7:02 pm
David M. Nieporent says:
Again, probable cause does not mean “proof.” It’s a standard to satisfy to be allowed to look for evidence. The fact that there may be an innocent explanation does not mean that there’s no probable cause.
A filename “atombomb” is certainly reason to believe that there are plans for an atombomb there; of course, it’s not illegal to have such plans, so I’m not sure how that example is analogous. It is illegal to have child porn, though, and folders with names like the ones in this case certainly seem like strong reason to think there might be child porn in those folders. The magistrate disagreed, though, and the police don’t get to substitute their views for his.
January 8, 2010, 7:07 pm
Fub says:
That’s a reasonable question, but I think the answer should be “no.”
I’m not sure what titles would necessarily be “suggestive”. It seems to me an entirely subjective question, and the richer one’s imagination, the greater the “suggestion”.
For example, the “atombomb” file name I mentioned above. One might have “atombomb.001” through “atombomb.500” for different drafts of a musical performance review, or 500 different reviews (Tom doesn’t do too well at his performances, but he has a packed schedule). Or one of the files might, maybe, on a chance, be real plans for an atom bomb. But so might a file named “grandmothers-recipes.abc”
Maybe it’s my age. When I was professionally programming, the vicissitudes of various file system naming conventions (and especially those with very limited name lengths) meant that everyone I worked with used file names often contracted and contorted to terse, objectively obscure but subjectively meaningful descriptors of file contents. A file name’s relationship to its contents was often counterintuitive or meaningless to anyone except the file creator and coworkers.
I just don’t think some officer’s or magistrate’s imagination should constitute probable cause or a reasonable belief that a file’s textual name actually describes its contents in the way he might imagine it does.
January 8, 2010, 7:28 pm
Chris Travers says:
So, if I set up a folder containing all manner of legal pictures but ones which are offensive to law enforcement, and put them in an encrypted folder which I name “childpornpics” and my computer is later searched, is that obstruction of justice?
January 8, 2010, 7:42 pm
Chris Travers says:
My Linux system contains a file called libsexy.so
To find out what it does, you have to look it up:
yum provides libsexy.so
returns:
libsexy-0.1.11-13.fc12.i686 : Funky fresh graphical widgets for GTK+ 2
Who knew? It almost sounded like something else…..
January 8, 2010, 7:46 pm
Fub says:
My analogy was about file name’s relationship to content, independent of the content’s legality.
I simply don’t think that “atombomb” is an objectively rational reason to believe that the file’s contents are likely to contain plans for a nuclear device.
I’ve seen too many screwy file names to believe there is necessarily any objective connection between file names and content.
January 8, 2010, 7:59 pm
Ryan Waxx says:
With all these fanciful descriptions of how you could possibly hide data, keep in mind how practical it is to do so if the info is at all currently being used. Sure, you can take your hacking program suite and rename all the files to .jpg, run an attribute changer to set it 5 years back, and THEN use an encrypter better suited to pictures than to data…
… but do you want to do this every day that you engage in developing and/or deploying your hacks?
And if it is NOT currently being used, there are more effective ways of backing it up than getting it OFF the hard drive.
In theory you could disassemble a getaway car and bury the parts between robberies, but I don’t see a magistrate authorizing a excavation of your garden on that basis.
January 8, 2010, 9:43 pm
Chris Travers says:
A USB dongle and hard disk encryption is also pretty easy on Linux too.
January 8, 2010, 10:26 pm
Chris Travers says:
Just set your system clock back five years when engaging in developing or deploying your hacks?
Or more likely just have a script that makes the modifications that you can run on demand. Automate the process so you don’t have to do a lot of work.
Really it ISN’T that impractical. Anything boring and repetitive can be automated anyway.
January 8, 2010, 10:27 pm Ryan Waxx says:
Well, that handles ONE of the hindrances. You did notice there are others?
And the presence of that script is now your probable cause. What shall hide the hider?
Again, the question isn’t what’s probable, it’s what’s practical. And if we design our warrant systems to catch superhackers who hide layers within layers… then what chance will there be that innocent people will not be targeted, since a Moriarty-esque hacker would look exactly like an innocent person?
How do we know the person who is the subject of this posting was actually using version 2.2? He could have had the latest version hidden on physical disks which he installed every time he wanted to re-encrypt everything!
January 8, 2010, 10:36 pm Wm Tanksley says:
There’s no such thing — there’s immediate reasonable cause (which can, according to the constitution, trigger a legal search), and then there’s probable cause, which can authorize a warrant, which in turn can authorize a search.
The Supreme Court has ruled that in the absence of certain exceptions (such as hot pursuit), there’s no such thing as “reasonable cause”. I don’t think that’s what the Constitution says, but I admit that it grants more protection to individual criminals, although not so much to innocent persons, and none at all to criminally wronged persons.
-Wm
January 8, 2010, 11:45 pm David Schwartz says:
So, just to be clear, under existing law, if a warrant allows a search for ammunition and specifies the place to be searched by address, can the police strip search everyone present at that address at the time the warrant is served? It is possible to hide a bullet inside your body, is it not?
January 9, 2010, 12:11 am Chris Travers says:
I don’t know about you but if it were me, I would have kept the script in the same place I would keep my encryption keys (somewhere away from my computer). Maybe it is on an SD card placed in a small watertight box, buried in my garden. Or maybe the card is placed in an envelope and wedged between the mailbox and the plank it rests on. Or it is placed underneath the fridge. Maybe it is under my car mat. I could probably even find ways of concealing it in my desk so that non-destructive searching would be unlikely to find it.
The point is that each of these mechanisms means that the police must have less confidence that they actually have all the information, or that the search was successful in recovering everything it was supposed to recover.
Look: Yes, eventually, and with perfect searching, it would be possible to find enough material to get probable cause, but absent knowing where to look and what exactly to look for, the question in my mind is what minimal knowledge can the police assume to know for sure.
This opinion seems to be shaky because the specific concerns raised are fairly easy to circumvent and thus any search might do well to assume that they didn’t find some critical piece of information. If someone is careful, the search is almost certain to miss something important.
I am with the other guy who said the solution here is to move to clean room searches, where the decryption and forensics team provides, for the police, only the evidence that matches the warrant and discards the rest. Nothing else really works.
January 9, 2010, 1:11 pm Buddy Hinton says:
This case is easy:
1. Police lied about why they were decrypting the suggestively entitled files.
2. This shows a willingness, by these particular policemen to lie with respect to this defendant.
3. Because the policemen are willing to lie with respect to this defendant, there is a decent chance that they planted the files there in the first place.
4. Because there is a decent chance they planted the files in the first place, there can be no proof beyond reasonable doubt that the defendant is guilty. The chance that the lying policemen planted the files IS reasonable doubt.
5. Case dismissed. Maybe make a deal with defendant on his potential section 1983 claim as a condition of dropping the charges and expunging everything.
January 9, 2010, 2:45 pm htom says:
I fear that my first thought was that the files had been added.
What’s really bothering me is that I can’t figure out a way to prevent that from happening. Whole-disk encryption, perhaps, with the unused space filled with re-creatable pseudo-random data, so that a properly encrypted alteration to the disk would cause a conflict with the pseudo-random stream … but this would be so hard to use correctly (and a keylogger would defeat it.)
Sucks not to trust the government. It’s good to be alive, though!
January 9, 2010, 6:19 pm Ryan Waxx says:
I don’t agree that they are fairly easy to circumvent if the information is presumed to be in use, rather than in storage. And if it’s in storage, it could be literally anywhere. I think your definition of “fairly easy” would change if it was you doing the procedure every day or every week.
So… do you have anything buried in your garden? If not, why not?
January 9, 2010, 6:28 pm Chris Travers says:
Ryan:
Determining probable cause for something that was “in use” when the computer was last shut down might include for example, looking through swap files, etc. If something was in use and the computer system uses some sort of virtual memory, very likely some portion of the program will be cached on disk in the swap space and can be recovered from there. Most computer systems will have swap space enabled. (Linux allows you to turn swap on/off so this would be different there.)
So even there one would certainly not have to rely on file names. Most likely unencrypted CONTENT would be at least partly available.
As for the second question, keep in mind that I have been known to hide things in a number of places. None of my most common hiding places are listed in my previous post. Why? Because there is some value to some forms of security through obscurity.
January 9, 2010, 9:11 pm Ryan Waxx says:
Like I said, if we assume every suspect is Moriarty and hides everything within layers of layers, then we’ll have no meaningful scope of search civil rights, since any amount of searching, no matter how unlikely to find anything, will become suddenly justifiable. This case, and all the “well, it COULD have been there!” apologists, point that out rather forcefully.
January 9, 2010, 9:56 pm David Nieporent says:
Uh, no? Is this a trick question?
January 9, 2010, 10:18 pm David Nieporent says:
There doesn’t need to “necessarily” be. The standard is probable cause, not certainty. The issue isn’t whether they can convict him based on the filename; the issue is whether the filename gives them cause to search.
January 9, 2010, 10:20 pm Rich Rostrom says:
I think there is an obvious point here: there is no such thing as “in plain sight” on a computer system. File and directory names have no necessary connection to the contents. “Suggestive” names prove nothing.
Having said that: that also means that “non-suggestive” names don’t prove anything either. The severed head of a murder victim could be in a box marked “Christmas ornaments”. Police would not be barred from looking in that box during a warranted search for murder evidence.
The next question is how much a warrant’s professed object should constrain a search which by its nature is going to be selective. If I was searching in the paper files of some accountant for evidence of money laundering for a drug dealer, and I saw a folder labelled “Madoff offshore accounts”, can I look in it?
January 9, 2010, 10:23 pm Ryan Waxx says:
Sure. But if you find Madoff offshore accounts inside that aren’t connected to the money laundering… guess what? You can’t bring a new set of charges based on what you find.
January 9, 2010, 10:47 pm David Schwartz says:
Objective reasonableness. You can’t strip search everyone who happens to be in the place described in a search for ammunition just because it’s possible to hide ammunition in an orifice. You can’t break down every wall just because a bullet can be hidden somewhere.
If the police are concerned that they may need to do things that others may not consider to be objectively reasonable, they can ask for them specifically in the warrant application. If they discover the need later, they can file for an additional warrant. If there’s some special reason they can’t do that, then we can make special exceptions.
We just ask that they be reasonable. That’s all the fourth amendment requires.
January 10, 2010, 9:59 am markm says:
The file names sound like probable cause to me. However, when the cops applied for a further warrant to search them for child porn, the magistrate denied it. I wonder if the magistrate has seen so many cases where the evidence discovered in a search is unrelated to the crime alleged in the search warrant as to be highly suspicious that the original warrant was pretextual.
In any case, the cops asked for a warrant to search those files, it was denied, and rather than developing better documentation of probable cause or even applying with a different judge, they went ahead and searched anyway. If that search was legal, the 4th Amendment is dead.
January 10, 2010, 2:34 pm Wm Tanksley says:
No no no. It’s resting. Pining for the fjords.
Really, though, I agree with your reasoning. I don’t think the cops should have needed a warrant, since they certainly had reasonable cause, and I think them searching without it makes them directly liable for a violation of privacy if the investigation were not successful — but since they lied and broke procedure in so many other ways, it seems to me that it’s impossible to call the investigation successful, even if they do claim that the search turned up results.
-Wm
January 10, 2010, 3:31 pm Buddy Hinton says:
See, now this is what I am talking about.
Volokh.com quote of the year — and we aren’t even halfway thru January yet!!1!