Home Front: WoT
Judge: Man can't be forced to divulge encryption passphrase
2007-12-17
A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."

Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")

This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.

Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."

The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that such protection extends to the contents of a defendant's mind, so why shouldn't a passphrase be shielded as well?

In this case, Judge Niedermeier took the second approach. He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient.

A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."

Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed...)
This is an icky situation. Either the 5th Amendment goes, or terrorists are able to conceal information that could be used to try them. (Though the information could still be used for intelligence purposes, it could not be used against them in court.)
Posted by:Anonymoose

#9  
Posted by: DMFD   2007-12-17 23:07  

#8  Oy, Eric. Now my head hurts.
Posted by: Barbara Skolaut   2007-12-17 22:31  

#7  NP-hard, not NPO. In any case, we don't know if factoring is NP-hard or not. Let's recall the definitions:

P: Polynomial time--a problem that can be solved in time polynomial in the size of the problem

NP: Nondeterministic Polynomial time--a problem whose solutions can be checked in such polynomial time. Given two factors of a d-digit number, multiply them--it takes O(d^2) operations.

NP-complete: A problem such that every NP problem can be reduced to it.

NP-hard: A problem at least as hard as NP problems.

Factoring is NP, but not necessarily NP-hard. There seems to be disagreement on whether it is or not.

Now, if you can prove P=NP or the opposite, you'll be rich!
Posted by: Eric Jablow   2007-12-17 21:12  
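
The gap between checking and finding factors that the definitions in comment #7 describe, as an added example that is not part of the original thread. The sample numbers are constructed, and trial division stands in as the simplest possible search; it is not the best known factoring algorithm.

```python
import math

def verify_factor_certificate(n: int, k: int, f: int) -> bool:
    """NP-style verifier for the question 'does n have a nontrivial factor <= k?'.
    The certificate is the factor f; checking it costs one division."""
    return 1 < f <= k and f < n and n % f == 0

def verify_factorization(n: int, p: int, q: int) -> bool:
    """Check a claimed factorization n = p * q with a single multiplication,
    which is the O(d^2) step mentioned in the comment."""
    return p > 1 and q > 1 and p * q == n

def trial_division(n: int):
    """Search for the smallest nontrivial factor of n.
    Returns (factor, divisions_tried), or (None, divisions_tried) if n is prime."""
    divisions = 0
    for f in range(2, math.isqrt(n) + 1):
        divisions += 1
        if n % f == 0:
            return f, divisions
    return None, divisions

# Constructed sample inputs: pairs of primes whose products grow by about
# four decimal digits at each step.
SAMPLES = [(101, 103), (10007, 10009), (1000003, 1000033)]

def compare():
    """For each product, return (digits of n, divisions needed to find a factor,
    whether the single-multiplication check accepts the result)."""
    rows = []
    for p, q in SAMPLES:
        n = p * q
        f, divisions = trial_division(n)
        rows.append((len(str(n)), divisions, verify_factorization(n, f, n // f)))
    return rows

if __name__ == "__main__":
    for digits, divisions, ok in compare():
        print(f"{digits:>2} digits: {divisions:>8} divisions to find, 1 multiplication to check ({ok})")
```

Each step adds about four digits to n and multiplies the search work by roughly a hundred, while the check stays a single multiplication.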

#6  Proc, no they cannot, if the person used PGP properly and chose a long enough keylength and good passphrase.

NSA is good, but cannot violate basic laws of math regarding factoring of large numbers and other NPO-Hard issues.

They depend on the same math themselves.
Posted by: OldSpook   2007-12-17 20:37  

#5  The password is:

oogahboogahdoodleleedee,

You're welcome, from the Psychotic Psychic Network
Posted by: Alaska Paul   2007-12-17 15:18  

#4  I'm sure the NSA could decrypt it over lunch. However, the NSA has higher demands than a pedophile to deal with and has no interest in becoming the locksmith for every law enforcement jurisdiction in the country.
Posted by: Procopius2k   2007-12-17 14:34  

#3  We have de-cryption programs, the cops are just too lazy to spend the time, money, and effort.

Depending on the encryption algorithm he chose, the time could be until the heat-death of the universe, and the money and effort required would be enough to hasten that day's arrival.
Posted by: Rob Crawford   2007-12-17 12:49  

#2  We have de-cryption programs, the cops are just too lazy to spend the time, money, and effort.

Looked for an easy way, and it backfired on them.
Posted by: Redneck Jim   2007-12-17 11:19  

#1  Niedermeier? Douglas R. Niedermeier, Jr? Class of '64?
Posted by: mojo   2007-12-17 10:59  
