Magistrate Judge Finds Fifth Amendment Right Not to Enter Encryption Passphrase:
Imagine the government seizes a suspect's hard drive and finds encrypted files inside. Can the government force the suspect to enter in his encryption passphrase so the government can view the decrypted files? Or does the Fifth Amendment privilege give the suspect a legal right not to enter in the passphrase? On November 29, Magistrate Judge Jerome Niedermeier in Vermont handed down the first opinion to squarely address the issue: In re Boucher. Judge Niedermeier ruled that the defendant did have a Fifth Amendment privilege in such circumstances. This is a hard issue, but I tend to think Judge Niedermeier was wrong given the specific facts of this case.
First, the facts. Boucher was crossing the border from Canada to Vermont when border agents began to suspect he had child pornography in the car. They saw a laptop in the back of the car and opened it up. It was not password-protected, an an agent began to look through it. (By way of background, the Fourth Amendment has an exception at the border that makes this search legal.) The agent came across several files with truly revolting titles that strongly suggested the files themselves were child pornography. The files had been opened a few days earlier, but the agent found that he could not open the file when he tried to do so. Agents asked Boucher if there was child pornography in the computer, and Boucher said he wasn't sure; he downloaded a lot of pornography on to his computer, he said, but he deleted child pornography when he came across it.
In response to the agents' request, Boucher waived his Miranda rights and agreed to show the agents where the pornography on the computer was stored. The agents gave the computer to Boucher, who navigated through the machine to a part of the hard drive named "drive Z." The agents then asked Boucher to step aside and started to look through the computer themselves. They came across several videos and pictures of child pornography. Boucher was then arrested, and the agents powered down the laptop.
Now here's where it gets interesting. Two weeks later a government forensic analyst started to analyze the machine. He created a "mirror" copy of the hard drive and then looked at the mirror to see what it contained. But it turned out that the part of the hard drive that was designated "drive Z" was encrypted with the popular software program PGP, and no one — no one, presumably, except for Boucher — knew the password. The government tried to guess the password and failed, so the grand jury issued a subpoena to Boucher ordering him to disclose the password to drive Z. Boucher's counsel them moved to block the subpoena, arguing that he had a Fifth Amendment privilege not to comply. The government responded that it would be happy to just have Boucher enter in the password without the government ever seeing it. The Court thus addressed only whether Boucher had a Fifth Amendment privilege not to enter in the password.
Judge Niedermeier ruled that Boucher did have such a privilege and quashed the subpoena. According to Judge Niedermeier, entering in the password would be testimonial.
First, the facts. Boucher was crossing the border from Canada to Vermont when border agents began to suspect he had child pornography in the car. They saw a laptop in the back of the car and opened it up. It was not password-protected, an an agent began to look through it. (By way of background, the Fourth Amendment has an exception at the border that makes this search legal.) The agent came across several files with truly revolting titles that strongly suggested the files themselves were child pornography. The files had been opened a few days earlier, but the agent found that he could not open the file when he tried to do so. Agents asked Boucher if there was child pornography in the computer, and Boucher said he wasn't sure; he downloaded a lot of pornography on to his computer, he said, but he deleted child pornography when he came across it.
In response to the agents' request, Boucher waived his Miranda rights and agreed to show the agents where the pornography on the computer was stored. The agents gave the computer to Boucher, who navigated through the machine to a part of the hard drive named "drive Z." The agents then asked Boucher to step aside and started to look through the computer themselves. They came across several videos and pictures of child pornography. Boucher was then arrested, and the agents powered down the laptop.
Now here's where it gets interesting. Two weeks later a government forensic analyst started to analyze the machine. He created a "mirror" copy of the hard drive and then looked at the mirror to see what it contained. But it turned out that the part of the hard drive that was designated "drive Z" was encrypted with the popular software program PGP, and no one — no one, presumably, except for Boucher — knew the password. The government tried to guess the password and failed, so the grand jury issued a subpoena to Boucher ordering him to disclose the password to drive Z. Boucher's counsel them moved to block the subpoena, arguing that he had a Fifth Amendment privilege not to comply. The government responded that it would be happy to just have Boucher enter in the password without the government ever seeing it. The Court thus addressed only whether Boucher had a Fifth Amendment privilege not to enter in the password.
Judge Niedermeier ruled that Boucher did have such a privilege and quashed the subpoena. According to Judge Niedermeier, entering in the password would be testimonial.
Related Posts (on one page):
- More on Encryption, the Fifth Amendment, and the "Foregone Conclusion" Exception:
- Magistrate Judge Finds Fifth Amendment Right Not to Enter Encryption Passphrase:
On the 5A issue, I agree with the the court on this one. It's up to the government to develop its own evidence, not have it handed to it on a silver platter.
At any rate, the penalty for refusing the subpoena should be less than for possession of kiddie porn, so Boucher would be inclined to tell the investigators to screw themselves regardless.
Boucher won't be "bringing" the files to the police in response to an order to incriminating files; he will merely be opening the door to the safe that we all know is his and that we seem to know he knows how to open.
I think this is why analogies to the physical world don't (or shouldn't) apply. If the action/information would result in additional counts of the same crime they already have evidence for, would that not trigger 5A? If it were a physical safe, would a contempt charge result even if the police owned a cutting torch?
I never understand these kinds of facts. When asked to enter the password the first time, why didn't he say "no"? Why on earth would he waive his miranda rights?
i disagree and here's why. at least as i have been taught, this is a 5th amendment issue, and the right not to be a witness against oneself, incriminate oneself, etc. refers to testimonial evidence. you cannot force (even by subpoena, warrant, or whatever), somebody to TESTIFY against themself (confess, etc.)
you most certainly can force them to provide EVIDENCE against themself - such as (given appropriate orders, warrants, etc. ) - DNA, check their hands for offensive/defensive wounds, blood sample for alcohol analysis, etc.
this is just such a case.
part of the way the govt. develops "its own evidence" is by (assuming they have the necessary probable cause, order, etc.) searching for evidence, and compelling it be turned over.
he absolutely established that he had an expectation of privacy - especially since the files were encrypted. that means the govt. has to establish PC etc. to search the hard drive. which they had. the fact that he encrypted it does not mean they have no authority to do so, nor does it mean he has some kind of (invented) right not to turn over the password given proper PC and court order.
otoh, if he said he FORGOT the password, could they really prove beyond a reasonable doubt that he was lying about that?
When you say you agree with the Court, I gather that means you disagree with me; I'm curious, where do you think I go astray?
Oops, I guess not. Maybe "roslton"
Oops, I guess not. Maybe "soltron"
Oops, I guess not. Maybe "noslot"
Oops, I guess not. Maybe "tlosron"
Oops, I guess not. Maybe "thiscangoonforever,chump"
a smart person would have said "i can't remember the password right now, i'm so stressed out".
" Why on earth would he waive his miranda rights?"
this has been explained about a million times. there are all sorts of reasons why people waive miranda, due to a # of issues. you have to look at it from a psychological angle. also note that waiving miranda is NOT necessarily against your best interests. i have seen many many cases where suspects waiving miranda helped them out significantly.
i'd analogize this to a DUI case. assuming the person is in custody (differentiating from the traffic stop which is an investigative detention up until the point it becomes a custodial arrest), and thus since they guy is now in custody, triggering miranda assuming interrogaton was to begin.
the 5th, and the flawed reasoning behind miranda included, does not mean one would have to mirandize the person before asking them to perform field sobriety tests. why? because nystagmus, walk and turn, one leg stand, etc. are not "interrogation", and they are not likely to elicit an incriminating response - testimony.
they are a search for direct evidence, not testimonial evidence.
cops can search the hard drive if they have PC and a warrant, or consent.
the fact that its encrypted is irrelevant to the above. it's still evidence, they have the authority to search.
people have rights, the state has authority(s) or in the case of eric cartman "authoritah".
he doesn't get some kind of magical pass because he chose to use encryption.
as long as the cops can establish that they have PC to search the hard drive, and they have the order, they have the authority. thus, he has no "right" not to tell them the password, any more than he has the "right" to stand behind the door of a house they have authority to search and not let him in, or he has the right to keep them from poking a needle in his arm to draw blood (assuming they have PC for that, etc.).
they certainly couldn't ask him "did you put these files on the hard drive" etc? without mirandizing him, nor could they compel him to answer. i also think that since they can COMPEL him to give the password, they should not be able to introduce as evidence - the fact that he knew the password, based on the fact he gave it to them. if they can otherwise establish it - through his testimony etc. (i know the password and im not telling), fine.
There are no publically known such insecurities in the PGP product.
"The agents powered down the laptop" Oops...
I agree that once he disclosed the contents the first time, he abandoned the protection of the 5th (unless he was contesting he was under duress the first time around).
child pornography in the car.
How exactly did that work, one wonders? "Is it just me, or does the guy in the red Toyota in lane 5 look like he's got child porn on his mind?" "Gadzooks, you're right! Let's pull him over!"
I'm sure there's some kind of story there, but it's a bit mystifying as written.
Are you sure they need reasonable suspicion? The district court in Arnold said so, but that's just a district court in California and (based on the oral argument) is probably about to be overruled by the Ninth Circuit anyway.
Am I correct in reading this to mean that the 5th Amendment means I don't have to give the police the combination to my safe, but doesn't mean I can refuse to give them a physical key? To a naive non-lawyer like myself this defies logic, but if it's right then I don't see why a combination is more privileged than a password.
However, if he hadn't shown the files to the officers already, then I'd agree with the judge and he should not be compelled to give up the password on 5th amendment grounds.
The UK has a law that compels disclosure upon demand. It's a law that I happen to disagree with.
Yes, I'm one of those non-lawyer types who just happens to read this blog daily.
My sense is that these cases come up in various disturbing ways: very young children's clothes in the car but no children, a person who has been under suspicion before, etc. I suppose I could have called up the lawyers and tried to get the full story, but it's not actually relevant to the legal issues raised in the case and those facts aren't in the opinion.
(1) The government has one dead body and blood evidence that someone was in violent contact with a second missing person, i.e. an admission that "Sure, that bloody shirt is mine."
(2) Then obtains a subpoena requiring the (guilty of one, a definite suspect of a second) murderer to reveal the location of the second body.
I don't think you would argue that providing (2) is not communicative. But by Orin's argument, it's just the location of an object. If I'm not picking up on something, please explain.
This is why law school is no fun.
This is based on a statement in the dissent in Doe v. United States, 487 U.S. 201, where Stevens says:
The majority addresses this by saying that the situation was more analogous to a key than a combination. In this case though, it seems that the password is closer to a combination, so--at least based on that wisp of precedent--the judge here was right.
But note that Boucher was not being compelled to reveal the password; he was only being compelled to use it. I think that responds directly to Stevens' argument.
As to the foregone conclusion doctrine, if it really has only been used in previous cases for the production of documents and other physical things, the same analysis applies.
Orin, I understand that you think the law should be different, but how do you distinguish this from the safe combination? It seems like, at least in the average case, we would know who the safe, and therefore the contents of the safe, belong to. I suppose if there is an apartment or business office rented in a false name or by a dummy corp, we might not know. But if its in someone's home, the safe belongs to the homeowner too.
I don't understand your hypo. Can you clarify who says what, who is the suspect,and whose shirt is it?
David Schwartz,
Can you quote the passage of Hubbell that you think is dispositive here?
I am puzzled by your comment on several grounds. First, I didn't say I think the Supreme Court law should be different. I don't know why you seem to believe otherwise.
Second, the caselaw suggests that handing over a key is okay but disclosing a combination would not be. Why do you think that entering in a passphrase but not disclosing it is like disclosing a combination but not like handing over a key?
How does it help that he's only being asked to use it? First off, "just" opening the drive gives up all testimonial aspects of using the password; ie., z drive is mine, or at least I have access and control over it. Secondly, officers could easily turn their backs while someone enters a combination to a wall safe for example.
That being said, a previous poster mentioned that this was dicta in a dissent, therefore it has little to no precedential value.
Now, whether that is trumped by his previous waiver where he (at least arguably) showed such control, knowledge and access I'm not sure--but I think the magistrate would be on pretty firm grounds without such waiver.
I think I answered your second question in my subsequent post. As to your first question, I was assuming that the quoted portion was from the majority, as it doesn't indicate otherwise, and actually, as it's a series of ID's, you can't tell the case.
The distinction arised from the fact that the Federal right against self-incrim uses the term to "testify" against himself. In the 18th century, there were no forensic tests.
In a DUI case here I argued that the state bill of rights, which says no one may be compelled to "give evidence" against themselves was broader and should cover a breathalyzer. It got shot down, of course.
I didn't mean that in the sense of a heightened standard. It just seems a bit odd, as alkali notes, that they didn't see any evidence until they powered up the laptop. The search itself was not random - the agents claim to have had SOME suspicion, but it isn't obvious from what is written what that suspicion was based on.
Don't argue in bad faith, Orin. You know Fisher was wrongly decided.
The disagreement with the judge seems to be completely closed down by a quote further in the "Doe II" case cited in the opinion. The majority talks about how this is more like a key than a combination. Shortly after that they talk about why it is not a combination (ie., why it doesn't prove control of the bank accounts at issue in Doe II).
Given that quote, how does the password not testify that a SPECIFIC drive and the contents of that drive are controlled by Defendent?
Would you hold the same opinion if the suspect confessed before being Mirandized but then wouldn't confess after being Mirandized? Presumably, the suspect *should* under your logic, have to confess again, because the police would just be getting back to where they already were. And the contents of the mind were just being produced again for the convenience of the authorities.
I can see your point, but I have to say I side more with the judge, here. I'm not sure yet if that's just because I don't feel like the courts should bend over backwards to rescue official stupidity (they powered down the laptop!?) or because I think the legal analysis is better than yours.
I think your argument is a loser because of the combination/key case, and I'm not convinced that "the police know he knows the password" is enough to get you out of that rule.
Because demanding a password is more like demanding a combination (information in the brain) than handing over a physical object. There is no substantive difference between saying a password and entering it onto a keypad.
Professor Kerr, do you know of any cases in which a defendant has been compelled to produce information from his brain over a Fifth Amendment challenge?
Boucher's entering in the password won't amount to Boucher's testimony about anything they don't already know in the context of this case.
This is utterly irrelevant. A defendant can tell a cop, "I killed my wife" one minute, and take the Fifth the next minute when the cop asks him to repeat it. It's not like the Fourth Amendment where once the idiot hands his pot to the cops, it belongs to the cops forever.
This case also shows how utterly stupid so many of our clients are. This dude goes through all the trouble of encrypting his hard drive, but then voluntarily shows the contents to the cops. Moron.
Further, why is the Government going through all this trouble? As you said, they can already put the agents on the stand, have them describe the images they saw, and send the guy to prison. Child pornography charges bring huge sentences for only a few images. Plus, creative prosecutors could find other charges to stack on this guy.
To this end, I think there should be an exception to the 5th Amendment similar to the hearsay exception, you can't use testimony for its truth value, but you can use it for other purposes. For example, if someone tells you where the murder weapon is (under torture or otherwise) you can still go get the weapon and use it as evidence against them. If they were tortured to get the gun, the people torturing him should be charged with a separate crime.
The reason for this is that the constitution should protect the innocent and not the guilty. Allowing tortured confessions runs the risk of leading to the conviction of innocent people. Using the testimony to get other evidence will not cause any trouble for innocent people, because an innocent person wouldn't know where the evidence was.
To apply this idea to the instant case, I don't think that it should be allowed to ask this guy whether he downloaded the porn, or if he knew that it was there, but you should be allowed to force him to hand over the password. The only possible problem I could see here is that admitting to knowing the password is likely testimonial, insofar as it may go to show that he had possession of the porn. Theoretically, the police could get the password through other methods and tell him what it was and force him to admit that he knows it. There is an easy solution to this though, admit the porn found on his computer and bar his "testimony" that he knew the password.
* * *
These bring up an interesting ethical question. If I lose a challenge like this and if all appeals are exhausted, can I advise my client to disobey a federal court order if I'm convinced that he's better off accepting a civil contempt penalty than the criminal penalty he would face if the government got the information he had? I imagine not.
But I could see giving advice like, "Here are your choices. 1) provide the information and go to prison forever for child pornography. 2) Face a civil contempt prison term for a maximum of ___ years. As an officer of the court, I cannot consider your best interests, and I must advise you to turn over the information even though if you don't, it will save you decades in prison."
The more interesting question, which I'd like to hear people's speculation about, is whether the government really can't break PGP (and if it could, it would not need the password at all), or whether its just not willing to admit that it break PGP in the context of prosecuting a child pornography posession case.
Google "steganography." You'll be amazed as what people in the encryption field have devised.
I'm interested in your response to AnonLawStudent's hypo, where there's good reason to belive that a body hidden somewhere, and the suspect is subpoenaed to tell officers where it is... and when that doesn't work, subpoenaed to take blindfolded officers to the body.
I can't quite tell from your post - are you arguing that the judge was wrong only because we already know that he knows the password? In other words, would the decision have been valid if either a) he had never previously demonstrated his knowledge of it, or b) the government was still demanding the password itself?
My hypo is this:
(1) Police ask a guy [Boucher] crossing the border to open his trunk. They find that he has a dead body #1 [kiddie porn Set 1] in the trunk. While examining the car, they also find a shirt that is covered in blood. When asked, the guy says "Sure, that shirt is mine." When the shirt is analyzed, the police determine that it has blood from missing person #2 [kiddie porn Set 2] in sufficient quantity to indicate missing person #2 is dead.
(2) The police obtain a grand jury subpoena requiring the guy to disclose the location of dead body #2.
What distinguishes disclosing the password verbally versus disclosing it by typing it in? Is it possible to prevent the government from gathering evidence as he performed his compelled action, such as by watching him type it in, by logging the keystrokes, or by fingerprinting the keyboard afterward?
Given the way PGP works, the correct analogy isn't really to having files in a combination-locked wall safe. It's having files in a keyed strongbox, where the only key is in a combination-locked wall safe. (And where both the strongbox and wall safe are stronger than physically possible.)
The government can take stuff from you (keys, blood, even stomach contents) but they can't make you say anything or do anything. Is there any case law out there that requires a person to talk or act?
And I wholeheartedly agree with you.
I believe such a product (one one very similar) does in fact exist. I don't remember the name, but I think what it does is encrypt your Windows disk with multiple different passwords, where password A is necessary to get basic access, and password B is necessary to view the super-protected files (or even know they exist).
It also does some magic with the filesystem to completely hide the existence of the super-protected files from such high-level analysis as checking the physical capacity of the disk against the free space and total file sizes.
I just wish I could remember the name.
This actually raises interesting questions from my perspective—what about cryptographic dongles that supply passwords? They function identically to a good cryptographic key, and look like a physical key, but exchange digital information that's much too complicated for a person to reason through rapidly.
Really good systems rely on the presence of both a dongle and a key—could the defendant be ordered to turn over one and not the other?
What about destruction of evidence issues? I own media that is tamperproof (cannot be cracked open and physically hacked/copied/archived), and will self destruct if the wrong password is entered too many times. Is the defendant under obligation to tell law enforcement that if they attempt to crack it they will be destroying evidence? Is the defendant culpable through their inaction even with their fifth amendment right not to speak?
It's already established that 'mere access mechanisms' like a perjury-trap don't hold up—so you couldn't use a passphrase like "Under penalty of perjury, I hereby testify that I assert my identity is John Doe and I unlock this under free will and not by court order"
The judge really does appear right on. If a party can be ordered to provide a key, the prosecution should at the very least have the burden of proving that they do have it. Not only is this clearly impossible with respect to proving intent and knowledge, but it takes away the presumption of innocence—Who has never forgotten passwords before? Worse yet, with the aforementioned systems (truecrypt), I could provide any number of passphrases, providing any number of different "realities". One of my hard drives at this moment has a 10G sector of pure random numbers (indistinguishable from encrypted data), that is waiting to have an encrypted sector assigned to it. If I was arrested at this moment, a court order to 'reveal a key' would be impossible at worst, and at best result in me fabricating a lie. A court would of course order production of 'all necessary keys'—but at what point do they stop and believe me when I indicate that this last random block is truly just garbage? Believe me when I state that mathematically speaking, for anyone but your worldclass intelligence institutions—there is no way to tell the difference
Am I to be held accountable for every single website I ever registered for, until the end of eternity?
Public Defender—I like your point. I have heard that in some nations, they do not impose additional penalties on individuals who attempt to escape from prison (assisting is another matter), because they recognize the natural state of any individual is to seek their own freedom. I'd like to take your comment one step further—a defender is the last barrier between their client and the awesome power of "The State" If at any time they ever ceased to act with their client's best interests in any capacity—could any client ever trust them (all defenders) again? As the last obstacle between a loss of freedom, and (in some nations) death—I submit that any action whatsoever to the detriment of the client for the benefit of the state or its laws is likely to unravel the delicate social fabric of respect and respect for authority that holds the legal systems together. If people cannot trust their solicitor, then even the innocent accused suffer widely. Just a few thoughts...
Let's say I have a computer with (1) some files on it that are not password-protected, (2) some files that are password protected to which I possess the password, and (3) some files that are password-protected to which I do NOT possess the password. (So far is still actually true).
Now let's say that I do not know the contents of some of the files in category 3. (This is (probably) not true of me, but it is plausible for some people.) Were some of the files in category 2 or 3 to be illegal and were my culpability for possessing those files to be at all dependent upon my knowledge of their contents, I would be incriminating myself by revealing which category (2 or 3) a given file belonged to.
By providing a password for a file, even if I don't disclose the password, I still reveal which category the file is in. I have testified to the ability to open the file, something that is in doubt before I testify to it. That appears to incriminate me.
Now perhaps I misunderstand the uses of PGP. Perhaps it is unlikely that one might use it in a manner similar to the way password protected .zips (inside torrents) are used. But unless someone can substantially differentiate this case from my hypothetical, I am inclined to think this judge is fairly astute.
All that said, this is a big, big "uh oh" for computer law enforcement. If you can't be compelled to reveal encrypted data on a machine in your possession, by a constitutional right, then you can expect a huge explosion of encryption to follow. Hell, I would - why risk that some cop might want to check to make sure my work didn't contain any child porn? (Especially as I subtitle anime for a living - the distinctions can be fine enough that I might not want an angry cop making the call!)
On the other hand, if you really do have something vile on your drive, and not just scans of a porno book that sells on the newsstand in Japan, why in God's good name would you decrypt it in front of a cop? "Dunno, that's been there since I got the computer, think it's a system restore something or other." You could even rig the computer to look like it had been hacked and the (encrypted) data put there without your knowledge... But even telling the judge to sit and spin on your data encryption password isn't as bad as a conviction for full-on child pornography, no? In this case, Boucher can't even claim "look, I gave you the right password, it's not my fault if it won't open", since he opened it himself!
If the rational conclusion when thrown into such a situation is to engage in such activities, then why be surprised when it happens? Given the choice of going to jail for a year and longer incarceration followed up by a lifetime registry as a sex offender, being tagged, and risking being murdered by your neighbors, in addition to being a convicted felon who no longer has many basic rights--the choice to a rational individual is quite obvious. The order to reveal information puts an individual in the situation of imminent danger to their liberties, or to disobey the court and accept a (lesser) threat.
Similarly--with public defenders, if they fail to provide meaningful advice to their clients, and instead act in the interests of the state, why would anyone trust them with their well-being? Yes, I don't expect my solicitor to smuggle a pistol into the jail for me--but anything less than completely candid advice on my best interests, and they can no longer be expected to provide the counterbalance they were intended to. Worse yet--they risk being viewed as an agent of the state itself, and not trusted by the innocent who need them to preserve their liberties. How can I even trust them to tell me I should refuse something pending an appeal when that might be a mere ploy?
I think it is a big "uhoh" for the police no matter what. That's why they keep trying to find weaknesses in encryption methods. I personally favor the idea that the police can get a warrant for the encrypted (cypher) text, but they can not force someone to give up plain-text. Encryption in and of itself is not illegal, and without cause I don't think they even have a reason to search inside of it. But because the material is (possibly) incriminating, to the extent that if it is revealed in plain-text he's going to jail for a long time, the fifth logically applies. Now, if the cops can break the encryption, bully for them, but they can't compel it.
A poster on a blog site posts something illegal to the comments section of the volokh conspiracy. Maybe it's one of those DRM keys, maybe it's a bomb threat. I dunno. But the government wants to find who did it.
All they manage to obtain is an account name and an IP address to a public terminal. They also discover that I posted to the volokh conspiracy very close in time to the offending post and that I did it from the same public terminal. Using some bit of publicly available information, they track me down and I confirm that I authored the post written under my log in name.
Can the police now order me to turn over the password to the other account that posted from the same public terminal at roughly the same time?
Either it wasn't me, and I don't know the password. Or I do know the password, and by entering it, I provide pretty strong evidence that I made the offending post.
This hypothetical seems similar to the case in that there is no proof that I know the password, and turning it over will involve showing that I know the password, a piece of information that incriminates me.
The problem with your approach is that it can be reasonably guessed that you are hiding something else based on the size of the size of the encrypted file vs. the unencrypted file unless you have additional cleverness. For example, in e-mail there are some encryption tools where you use some normally unused bits in certain graphics formats to hide an encrypted text message. As was mentioned, this guy would have been better off with TrueCrypt – he could have had one encrypted partition with some legal stuff in it, and competently hidden another partition within the first partition. The inner partition would look like random junk on the disk to other people searching the disk (much like real unused space).
I disagree with your analysis. You are confusing "foregone conclusion" with waiver. The cases that say that there is no additional "testimonial" information to be gleaned from enforcing compliance with a subpoena (the "foregone conclusion" cases) usually have to do with subpoenaing bank records from a defendant when you already know the bank account information (e.g., location and number/identifying information on the account). I have never seen it applied to something that would be the equivalent of granting the government access possibly to additional evidence of separate criminal acts. In this case, to apply it to a bank account hypo, if the government knew of account A at Wells Fargo, in the name of the defendant, a subpoena to defendant for his records of account A would not add to anything to what the government already knows, so there is no "testimonial act" being compelled, of any practical significance, by such a subpoena. But, if the subpoena asked for all records regarding any bank accounts that you control at Wells Fargo, and the defendant possibly had accounts that the government did not know about at Wells Fargo (beyond Account A), that would be a testimonial act of great significance (authenticating the records of the other accounts would incriminate the defendant). The second situation is what we have here: the government knew about some child pornography on the computer controlled by defendant. having the defendant type in the password would force him to admit to the government his control over, and access to, possibly other instances of child pornography, and absolutely would incriminate him.
Just imagine, the AUSA would argue at trial that the defendant's knowledge of the password was very damning, and proved that he (1) controlled and limited access to this stuff, and therefore must have put it on his computer (and not someone else) and (2) knew it was wrong which is why he encrypted it.
This does not stop the prosecutor from running exhaustive password cracking tests against the 'drive Z' and this does not require a further subpoena nor impinge on the defendant.
The exact point here is that the defendant *MUST SPEAK* to comply with the prosecutor's demand.
John (at 10:09 pm) had it right in non-legal language.
Orin. the joke goes 'you must be an intellectual to believe something like that'. I am surprised that you did not see the distinction. (P.J. O'Rourke, I think..),,
Geoff
This isn't true. Because it's not so easy to distinguish between an innocent person, and a guilty person who lies and claims not to know. But guilty people get punished for not turning over the evidence. Which means that innocent people will also get punished for turning over the evidence they don't have.
As has been pointed out, breaking PGP or similar encryption requires factoring very big numbers. It can be done, which is why as computers have gotten faster, more “bits” are used to encrypt – bigger keys makes breaking the cypher through brute force much harder (that is a bit simplified but generally true). You can find lots of estimates on what it might take to break a single encrypted file – breaking the strongest encryption is unlikely using publicly available methods and modern computers.
It is also unlikely that the government can easily “break” state-of-the-art encryption, as in the movie Sneakers (which is a pretty decent movie BTW). If the NSA has any tricks to decrypt PGP (and it would be the NSA), it is probably just a weakness in the encryption that NSA can exploit to turn the extremely hard problem into a less hard problem - and then NSA would still need to use its huge CPU resources to finish the job. Might NSA have found a shortcut? Maybe. When the original public encryption standard (DES) became available from ANSI in the 70s, it took the academic community 2 decades to fully understand two modifications the NSA was known to have made to the public standard. Academic and commercial en/decryption have probably caught up quite a bit, but the NSA could still easily be years ahead of everyone else. And no, the NSA would not reveal any weaknesses in PGP's encryption for a kiddy porn case, any more than a broken enemy code would have been revealed for a single criminal trial during WWII.
Orin, this analogy seems to be the key to your thinking, and I believe it is wrong. Or at least, I hope it is wrong. I'm trying to think of what "bringing the files to the police" would entail in this context. The closest I can think if is if the court were to compel him not to disclose, or even type in, the password, but to unencrypt drive Z. If it would be improper to compel him to unencrypt the drive, then I don't see how it could be proper to compel him to type in the password, which effectively unencrypts it. What is the distinction?
Maybe it analogizes to physical documents written in code. We know he knows the code because he has decyphered some of the documents in the past. Can he be compelled to decypher the remaining documents?
Perhaps I am misunderstanding the facts. You say he waived his Miranda rights. That makes me think that the police testimony is admissible. What more do they need from the password? Are they concerned that he's going to claim at trial that the police are lying / halucinating? Or are they digging for additional contraband? If the latter, that seems problematic.
Is there caselaw around what happens when a suspect reveals a portion of an indivisible set of documents; that portion turns out to be incriminating; and the entire set ends up out of reach of the prosecution, where only testimony from the defendent could retrieve it? For example, the police end up in posession of a copy of a single page of a document; they lose the page (and don't even remember which one it was); and they attempt to subpoena the entire document from the defendent?
1) PGP Disk Encryption, a part of the commercial PGP Desktop product, is completely different than the PGP email standard and attacking each would use different techniques.
2) AFAIK, there are no quicker attacks against PGP Disk Encryption than trying many many possible passphrases. The key derivation function for PGP desktop is pretty computation intensive (PKCS #5) so a brute-force attack is impractical for any passwords but the most basic.
3) Because #2 is true for most disk encryption products, I once read that the Secret Service has a software suite that looks for unique words and phrases on a person's hard drive and then tries passphrases related to them. So if your passphrase is your SSN, birthdate, and dog's name, they might guess it in a reasonable amount of time.
4) It is true that Truecrypt, a free encryption product, allows you to create an encrypted partition where if you enter one password it only reveals some of the disk, and if you enter another it reveals the entire disk. This is pretty cool, especially because you cannot mathematically (and I guess legally?) prove that the secret partition exists, if you set things up right.
5) This issue is going to be much bigger in the coming years, because the Bitlocker encryption technology built into the expensive versions of Windows Vista is not only excellent, but uses a computer's hardware security chip to "trapdoor" the disk and force the use of a "recovery code" to decrypt the disk if somebody tampers with the machine or tries to enter a password too many times.
More broadly, I'm really interested in the fact that so many readers think this issue is so easy! I think the general question of subpoenaing encryption keys is difficult if not impossible to answer because there is no Supreme Court case really on point; the general issue is in the gray zone amidst Fisher and Hubbell and Doe I and Doe II. I tend to think that the specific facts of the case make this more like Fisher than Hubbell. But either way I think it's hard: it's hard because the scope of Fisher and Hubbell and Doe I and Doe II are really murky. Given that, it's really interesting to hear that some readers think the issue is really pretty obvious and that it's clearly another Hubbell.
"OK, I give up. The password is 'arglebargle2' ... What do you mean it didn't work? That's the password I used when I unlocked the Z drive for the border patrol agents! Look, they're the ones who were messing with it, and they turned it off -- they must have altered something! Ask them what they did to screw things up! Boy, you know how finicky Windows Vista is about digital rights management issues -- I'll be lucky if I can ever access any of my files now!"
Upon first reading, your description of the background did not seem to agree with the quoted statement, so I went to the linked file and read the judge's background description.
Upon reading that description, I see that the entire drive is encrypted with one key, which prevents officers from seeing the same exact files that they were given access to by Mr. Boucher previously. Thus, there is no further incrimination that Mr. Boucher can perform by demonstrating that he knows the password. That clearly makes the nature of delivering up the password different from what I (and I assume others) believed it to be.
Becoming aware of this fact doesn't make me suddenly do a 180 on my opinion, but I now see how it is a difficult case, not a seemingly obvious one.
I get the impression in this discussion that being compelled to turn over a physical key is uncontroversial. However, this doesn't conform to my layman's understanding of the Fifth Amendment.
Let's say the police, legally searching a closet in my house that I share with my immediate family, find a strongbox. I know that it contains an unregistered handgun that I recently used to commit a murder and I alone know where the key is. If asked to turn over the key, can't I refuse to confirm or deny that I've seen the box before, let alone that I have the key for it? Wouldn't complying with the request be more incriminating than allowing the box to be forced open?
Since when can a person be subpoenaed to commit an act generally? Suppose the grand jury subpoenaed me with instructions to knit a sweater. Suppose that whether I could do this had evidentiary value. Would such a thing really be a subpoena? No. A subpoena is nothing more than the power to produce a person or an object in the grand jury room.
It is not the power to issue arbitrary instructions, however, relevant those instructions may be.
The government already possesses the hard drive, thus there is no longer an object or a person within scope of the subpoena powers.
Passwords seem to be significantly more testimonial than combinations. The real problem with analyzing the testimonial nature of passwords is that they can largely be anything. PGP, for example, allows very long passwords. Now that password could be a long random string of characters, or it could be "I am guilty of receiving child pornography having been shipped in interstate commerce pursuant to 18 U.S.C. 2252(a)(2)." or it could be "childpr0n" or it could be the name of a pet. These all possibly have testimonial qualities, but the possible range is pretty extreme and it is certainly plausible that some of the passwords could be incriminating. The problem is, the judge has no way of knowing what testimonial quality of information is in the password itself.
The solution to realize is that divulging the password is itself divulging a fact - the fact of whether or not the password contains factual information. This is of course, in similarity to the combination case, to the fact that the password unencrypts the files (like the combination that unlocks the door).
The other real problem for this will be if a court follows the HIIBEL V. SIXTH JUDICIAL DIST. COURT OF NEV.,HUMBOLDT CTY, 542 U.S. 177 (2004), in an analogous situation of being forced to disclose your name to your officer, held that "Answering a request to disclose a name is likely to be so insignificant in the scheme of things as to be incriminating only in unusual circumstances." This seemed to be something of a de minimis test for 5th amendment violations. However, the court was applying this to the incriminating prong, rather than the whole test or the testimonial prong. The evidence in this case is clearly potentially incriminating.
An interesting question would be to what degree use immunity would get around some of the issues. Could the prosecutor promise not to use the potentially incriminating password in the trial, but still get to use the files it decoded? Specifically, for fruit of the poisonous tree / use immunity analysis, can the good fruit of the non-testimonial aspects of the compelled testimony be separated from the bad fruit of the testimonial aspects?
That was my point in a nutshell. At the end of the day, if they've never seen you open up the box, they can't prove that you can; the judge may be cross with you, but if you're insisting that you provided the password, and it's not functioning, what can they do? Throw the book at you for not cooperating, sure, but if all the nasty child porn evidence is sitting on the partition where they can't get at it, they can't try you for it, can they?
(Of course, we're talking about a pretty dim bulb here, if he went to the trouble of encrypting files and then nicely unencrypted them when asked; it's entirely possible that there was more CP in his cache or other places where they can nail him anyway. For that matter, if you encrypt a file, why the heck would you leave the file name as something that screamed "child porn in here!" And if the policeman asks you if you have child porn on your computer, the answer is "no, sir!", preferably followed by "I like older women, sir!")
I don't know that this is a particularly good case with respect to encryption, though. It's true that Boucher's providing of the password would be tantamount to admitting before the court that he had child porn on his computer. At the same time, he has already made that tacit admission when he accessed the drive the first time. Unless he's denying that he accessed the drive, and that the agents are lying about that access, he's already made that admission to the court. In essence, you can take the Fifth to refuse to provide testimony against yourself, but once you've provided that testimony, you can't retroactively take the Fifth like some kind of take-back.
Then again, this is just the subpoena. The government could still present a pretty strong case - i.e. "this guy had a video file on an encrypted hard drive with 'baby rape' in the title, we looked at it, it was baby rape, but now we can't get back into it because of the encryption and he won't fess up with the password." Police's word against perp's word, and the police can still present the hard drive with the encrypted files that caused them to become suspicious in the first place, no?
Ruling that one can refuse to enter a password on the Fifth would make computer forensics really, really hard, though. What would Officer Pike have done if there were a password on the whole computer, and Boucher said "I prefer not to provide that password on the grounds that it might incriminate me?" (Obvious answer, seized the computer! But then Boucher wouldn't be up on child porn charges...)
This goes too far. I can't and won't advise my clients to lie, even if I know they thought they could get away with it. Also, I can't advise my clients to violate a court except under rare circumstances (for instance, where I plan to appeal the contempt citation to test the legality of the order).
The officer-of-the-court stuff means something. I think the dialog I gave above is the furthest I can go in dealing with an unjust but final order. My guess is that some prosecutors would say even that goes too far.
it's called a "sneak and peek" warrant. these are VERY rare, btw. i've read case law about them. i've never seen one (done scores of warrants myself), never talked to an officer who has written one, etc.
they are most commonly used in organized crime type investigations (such as above) and/or terrorism type cases.
my understanding is, especially in WA state, they are VERY VERY difficult to get.
PGP: i've seen only a very few cases where defendant's actually used PGP to encrypt their files. this boggles my mind, BUT in genereal people don't encrypt files that they should. this holds for everybody, not just criminals. people who are parole/probation etc. for child porn STILL don't usually use PGP. your average 14 yr old computer nerd (myself included) used PGP all the time. most people don't
according to my computer forensics guy, he SUSPECTs that maybe possibly some super high speed NSA type guys might have some way to break it, but that's just conjecture. if you encrypt it, us cops can't figger out the password (unless you use your daughters name like in wargames).
"Further, why is the Government going through all this trouble? As you said, they can already put the agents on the stand, have them describe the images they saw, and send the guy to prison."
because you have to prove the elements of the crime, namely that it IS child porn, not just porn. having some agents say "it looked like little kids" etc. might be enough to get a warrant for something, but it's not enough to prove beyond a reasonable doubt that said photos were in fact - child porn vs. say photos of young looking adults, etc.
also, wasn't the recent case about VIRTUAL CHILD PORN (compute generated images generated to look like child porn but that used no actual children) ruled that child porn laws could not be applied? i could be wrong on this, but wasn't that ruled legal?
so, even if the agents viewed photos of BABY PORN (it's pretty easy to establish that an infant is in fact below the legal age for explicit videos etc.), you would need to prove it was ACTUAL babies, and not computer generated. without access to the files, and just based on recollection, that's difficult (again, assuming my recollection about virtual child being legal ).
"provide all documents, whether in electronic or paper form, reflecting any passwords used or associated with the Alienware Notebook Computer, Model D9T, Serial No. NKD900TA5L00859, seized from Sebastien Boucher at the Port of Entry at Derby Line, Vermont on December 17, 2006."
Let's say he's never written down his password (not at all unlikely). Can't he comply with the subpoena by saying there are no documents that are responsive to the subpoena?
1) Turn over the password knowing what is on the drive and go to jail convicted of child porn and be dealt with in that manner.
2) Don't turn it over and go to lockup (or whatever is appropriate) under contempt.
Who do you think will be dealt with worse in prison? One way, you are a "dead" man and when you do get out, have to register every where you go for the rest of your life.
The other, you move on after spending the time in jail.
In all seriousness, I have to come down with the magistrate judge here. When I was in CrimPro the 5A mantra was tabula rasa: They could view the body, but never the mind. I see that there is more complexity to it than that by the other comments, but it still seems like a reasonable rule.
By the way, I have a PGP-excrypted "disk" on my laptop (my employer's laptop to be more precise) that holds many gigs of HIPAA protected info. I'm not giving anyone the pass phrase until told to my by company's general counsel.
You were correct about the attention this post would generate. (a previous email between Orin and me) I will definitely be including this issue in my black hat 2008 talk. From those who know me (as a govt hack who has never seen a bad search)(joking) I think this case was decided correctly under the knowledge of a combination vice producing a key argument. My question, if you have a biometric access device on the computer (eye scan or fingerprint scanner) can the govt grab your finger and forcefully place it on the computer? Seems it is like a key. But can you imagine some of the struggles the accused might use too avoid placing their finger down!!
What happens now if someone doesn't want to give a fingerprint--or (presumably after a Court order), refuses to submit to a blood draw/cheek swab/etc.?
Do they just go for contempt or is there forcible compulsion?
For that matter, I consider it forced self incrimination to compel a man to provide *anything* that may be used against him in a criminal case, but that is (almost) another matter.
Having said that, I'm unhappy that this *would* have to be a hard case (what appears to be an actual pervert who gets his sick jollies from viewing child pornography). You know the old saying about hard cases tending to make bad law, not to mention rulings. Some arrogant nerts in black robes at a higher level are likely to rule that forcing a man (even a pervert) to help the State hurt him is "legal". :(
Suppose the police stop me because they suspect that I'm dealing drugs. In a moment of panic I take them to a Storage Container that's full of incriminating evidence. The police briefly examine the Storage Container and find incriminating evidence. They then close the container and take me down to the station for questioning. Later, when they attempt to return to the Storage Container to fully inventory the evidence, they find that they don't have the right address. The police then try to force me to provide the address of the Storage Container that they know contains incriminating evidence. I decline the opportunity. The police know that I have a Storage Container full of incriminating evidence, I know that the police know about my Storage Container, but I'm under no obligation to provide them with the evidence to convict me. They had access to it, they lost access to it, too bad for them.
Do they just go for contempt or is there forcible compulsion?
They use force. If a DUI suspect refuses a breath test, some cops will seek a warrant, and then forcibly take a blood draw.
Actually, the advances being made in Quantum Cryptography, especially by Japanese computer scientists, will make PGP vulnerable in the very near future. Then cryptographers will develop methods for quantum encryption and the chase begins anew. It is a constant battle between those who want to keep secrets, and those who want to discover them.
Additionally, I believe a mathematician in Europe has submitted a proof describing a method of factoring very large prime numbers in a way that is revolutionary, and also defeats public key encryption. Don't have the reference, but "The Truth is Out There"
For an excellent layman's guide to all things cryptographic, check out Simon Singh's, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
Finally for a hard core explanation of cryptography, read Bruce Schneir's seminal work,