Sophos Cloud Optix
In Colorado, a District Court judge is deliberating on whether Ramona Fricosu, accused of committing financial fraud, has to disclose her laptop password to decrypt the stored content.
Marcia Hoffman of the Electronic Frontier Foundation (EFF) is counsel for the defendant. She alleges that Fricosu should not be compelled to give up her password for two main reasons:
- The government haven’t specifically identified what they are looking for on the laptop. This makes it seem somewhat of an evidence-fishing trip.
- Requiring disclosure of the password would breach her US Constitutional Fifth Amendment right against forced self-incrimination. There hasn’t been any immunity offered for loss of this protection.
In contrast, the Prosecution says failing to demand data decryption harms public interests. The team alleges it defeats the efforts of law enforcement in securing successful prosecutions and signals an unjustified concession to Fricosu.
Furthermore, Assistant U.S. Attorney Patricia Davies is quoted in Wired.com, “if the defendant is not compelled to unlock her computer, that would amount ‘to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.'”
I think this slightly exaggerated justification extends beyond the circumstances of the current case. It presupposes defendant guilt and diminishes the importance of assessing individual interests against those of the state.
Such polarised viewpoints highlight the necessity in finding the correct balance for conflicting interests.
With the US ruling due soon, it is worth considering how a similar scenario might pan out across the pond in the UK.
For the law, we look to the UK Regulation of Investigatory Powers Act 2000 (RIPA). RIPA Part III was added to the original statute in 2007, after a consultation and much controversy, creating specific provisions for access to encrypted content.
A RIPA s49 Notice seeks the disclosure to law enforcement of the encryption key or the decrypted data in an intelligible form.
There are strict procedural requirements for s49 Notice including proportionality to the aim, balancing individual privacy against public interest and necessity of key disclosure as the most reasonably practical option.
In the UK, there have been cases where individuals were jailed for refusing to hand over their passwords to the authorities. Oliver Drage was sentenced to four months in jail for this s53 RIPA offence.
Recorded usage of s49 notices seems to have fallen in the last year. The Report of the Chief Surveillance Commissioner for 2010-11 notes a drop in granted notices to 26, down from 38 in 2009-2010.
Despite this decline, in the correct context, our encrypted data remains well within the reach of UK law enforcement.
And all this leads me to believe that the arguments being uttered in the US against self-incrimination and guaranteeing individual privacy and data security will continue to transcend across the Atlantic for the foreseeable future.
What do you think?
there's no law for lost password yet 😉
Under RIPA you can face jail for not supplying a password and I seriously doubt that "I have forgotten my password" will be a valid excuse if an encrypted drive is found in your possession when being investigated.
So time to plant an encrypted drive on an enemy, make an anonymous tip to the plod about them being into child porn and storing the images on an encrypted drive…
Then watch as their natural denials an inability to decrypt the drive I planted gets them sent down.
Yep nothing wrong with punishing people for non disclosure of passwords at all…
I'd say the question is WAY too pointed..
"Should potential criminals be forced to give access to their encrypted data?"
Surely this should be:
"If reasonable suspicion can be provided that evidence is hidden in encrypted content, Should potential criminals be forced to give access to their encrypted data?"
Preferably followed by "..and what safeguards are in place to protect the suspect from excessive exposure?"
( I know, that's not a yes/no pollster question 😉 )
I'm concerned about forcing decryption of personal information for what would amount to a fishing expedition, and this should not be allowed, but then you have to balance this against law enforcement searching for evidence.
If they can prove reasonable suspicion, and can list what they are looking for, then that's a different issue.
The main thing that springs to mind is a concern about the "If you have nothing to hide, you won't mind me looking.." mindset that seems to have become the norm.
This was my feeling exactly. Too general of a question. Appears to have been vaguely worded to illicit a dramatic number of "NO" responses. Purpose well served.
As an American, the changes happening in the US regarding our rights as citizens scares the hell out of me. It took eleven terrorists three years to put Americans in more risk of loss of freedom than England could have ever thought possible in 1776. The Patriot act (the name along makes me ill), and now with National Defense Act of America (NDAA) our rights have been slashed unless you have big pockets to get a congressman's support or a team of lawyers.
And now with unlimited money from corporations – SOPA to control the internet.
Yep, we're really doing a bang up job over here on this side of the pond.
I think if they had something specific to look for, yes. Like having a house/car/residence of any sort searched. You shouldnt be forced to give up that amount of privacy just because a cop believes there MIGHT be something on your PC that they need.
It kind of depends on several things. As Trololol said, perhaps a suspect lost the password, but as an excuse, that doesn’t work if a judge believes the password is actually being withheld. Why would a suspect retain a file he/she can’t decrypt? Wouldn’t someone format and reinstall the OS if the password was lost for drive encryption?
The defence could also make a reasonable argument the encrypted file itself IS the evidence, and it’s the prosecution’s job to prove it’s incriminating, rather than suspects proving themselves innocent.
The other option is to deny the existence of any encrypted data. For example, it’s possible to encrypt a .zip archive, and remove the .pgp or .asc part of the file extension. Unless the forensics software identifies it as encrypted, it could be claimed the file’s actually corrupted.
Thanks for the article.
"arguments […] will continue to transcend across the Atlantic" – I don't think this is the right usage of the verb transcend. The verb already includes the concept of across. Arguments could transcend borders, and could possibly transcend the Atlantic, although that last one sounds a little strange.
Back on topic… I think that users have more chance of resisting these intrusions in the US than in the UK, which does not have as strong a concept of protecting against self-incrimination (the fifth amendment to the US Constitution). I am not a lawyer, however…
does it not go against the 5th amendment of the constitution of usa (the right not to incriminate yourself)
Only law-abiding people have rights. If you have nothing to hide, then there is no reason to hide or withhold the cipher password! I recommend "rubber-hose" cipher-analysis to get the password. People should respect law enforcement and the courts and repeated corporal punishment is the most perfect training.
The weirdness of anglo-american law, where the activity of criminals is more valuable and media-praised then the passivity of their victims, comes from the weird habit of ancient saxon tribes, who were extremely violent and lawless people.
The so-called "Common Law" is little more than honour among thieves and homicidors and totally unsuitable for the modern civilized world. The law of ancient romans, which is the basis of modern law in continental Europe, is much better. There the state has the rights and grants some of that to the people and raises them with rational education to become good citizens, law-obeying and non-deliquent.
Some excellent arguments there. No doubt many were saying the same in the Reichstag during the 1930s, and they did very well in producing ‘law-obeying and non-delinquent’ citizens who kept their heads down and mouths shut, and did what the state ordered them.
Of course, the delinquents who really did have something to hide, and therefore something to fear, had a knock on the door by the local friendly Gestapo. And some of them did get the good old ‘rubber-hose’ treatment you recommended.
Just because you have something to hide does not in any way make you a criminal. Pretty much everyone has things about themselves they do not want others to know. Most peoples personal computers contain secrets about them that they would not tell to their own partners. I'm sure you would not enjoy someone digging through the details of your private life.
The 5th Amendment to the US Constitution says essentially that if you have something to hide, you have a right to hide it!
Ironically you feel that people have to be "raised" to be "law abiding and non delinquent" … by some all-seeing, all knowing an perfect State that is not somehow made up of fallible people, one presumes?
Today, the notion of self-restraint on the part of so empowered a State is "little more than honour among thieves and homicidors [sic] and totally unsuitable for the modern civilized world."
The individual's right against self-incrimination must be preserved. Let the State try to brute-force the encryption key if they must, the defendant has no obligation to provide a rope by which the State will hang him….especially where the requirements for a Warrant (specificity as to what is being looked for and where they will look) are not met.
Prosecutors will always have an argument along the lines of "the Prosecution says failing to demand data decryption harms public interests. The team alleges it defeats the efforts of law enforcement in securing successful prosecutions and signals an unjustified concession to Fricosu." Prosecutors could ultimately argue that the presumption of innocence itself "defeats the efforts of law enforcement in securing successful prosecutions". Such arguments should be given no credence as they aim to ultimately strip the accused of their right to against self-incrimination.
Are you for real? Opening yourself up to undetermined incrimination is exactly why we have a 5th Amendment to begin with. Our forefathers were well aware of EVERY governments inherent abuse of power against people it wants to target for whatever reason.
People like you who are so willing to give up their and others liberty under the guise of so-called security don't deserve either!
What you want are mindless robots and slaves who appeal to the lazy mindset of the non-thinking class who simply obey orders and do exactly as they're told. You would have made a wonderful Nazi!
The thing that pops into my mind reading this is TrueCrypt. I’m sure there are others out there that due the same thing, but using TrueCrypt you can create a hidden encrypted drive inside another encrypted file. So you have one password you give out in a case like this and it unlocks the file where you have something like nude photos or some other unimportant files that are believable you would encrypt. You then have another password that unlocks the hidden area that is impossible to detect. So basically this whole thing is a foolish pursuit anyways. The point of encryption is to protect data, if you try and compromise the encryption then someone will find a way around it. People already recognize the weakness of someone forcing you to hand over your password and there are already solutions in place to deal with that issue.
This clearly violates the 4th amendment.
the Supreme Court has stated that American citizens are protected by the Fourth Amendment when there is a “reasonable expectation of privacy.”
The Fourth Amendment is as follows:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. However, the courts have ruled that without a reasonable expectation of privacy, there is no privacy right.
Plus it violates the 5th amendment, against self-incrimination.
I would recommend that even if law enforcement can secure a a warrant , that would only allow them physical access to the drive, the information contained within would fall under the 5th amendment.
Taking a masters course on cyber ethics currently, and we just discussed this last week.
Thank you for your post Todd! Good to know there are still real ethical patriots still out here!
That poll question should read:
Should criminal _SUSPECTS_ be forced to give access to their encrypted data?
Help me understand here. While I am all for protecting whatever little personal freedoms we have left, how is asking for the computer hard disk decryption key different from getting a warrant for searching a house, which is mostly a fishing expedition as well?
The difference is that the warrant for searching the house has to say what they are looking for and where. Warrants are not just a pass to rummage through the house without any idea what it is you are even looking for. Should be the same here, they should have to state what it is they are expecting to find.
I can understand getting a warrant for what they are looking for. But surely, all warrants don't restrict themselves to where in the house the search will be done? Granted, my knowledge of these things come only from crime dramas, if the warrant is not specific about where in the house the search will be done, it seems to be a good analogy for warrants not being specific about where in the computer the investigators will sniff around.
Because you require due process to get a warrant, and you need (or should need) a warrant to perform any search, whether it is your house or your Hard Drive.
And stop relying on TV crime dramas for factual information.
U.S.A is becoming a police state and trampling rights of Americans. The government can get a search warrant as long as they follow Constitutional Law.
Thumbs up on that one Ekim. But there are more countries than just the US, where the US does not have any authority over the Internet. But, many countries will follow because other governments want to ‘protect their citizens’ as well.
Getting a search warrant is as easy as asking for the time.
If successful, it won’t be long before it may become illegal to encrypt anything on one’s computer – for one’s own safety of course, or national security.
Some people would say “If you are not being bad, why encrypt anything? Then – if electronic bank-books, stock and shares, or other sensitive data needs to be encrypted, we will be able to upload it to a government citizen protection service – for our protection – of course.
As in the past before the Internet, privacy was well respected – in North America. But, Big Bro realized, our protection is primary when it comes to accessing -us- and what we are doing. As soon as limits are placed, many things are then driven underground. PGP is an example. The feds couldn’t ban it though they tried, so they limited it by making those getting a copy state they are/were US citizens. They also made it illegal to export it outside of the US. People around the world still use it and others.
The more the government, especially the US, starts looking after something for my ‘protection’ and “safety”, I look for a method to opt out. I like to live dangerously 🙂
Not everyone is an neophyte, and some are very good at flying below the Internet radar – not because they have anything to hide, they just enjoy not being a browsing, or shopping statistic for free. I block all requests to drop cookies, or follow me around, what kind of OS, Browser, versions adnauseum, snoops keep piling on us. If they want to monitor what habits, they can pay me.
It all reads like some sci-fi movies of just the last few years.
I hope the judge uses open eyes and remembers your constitution – we don’t have one in my country so we are use to government looking after our protection >:( and, how to circumnavigate it.
i
"Should potential criminals be forced to give access to their encrypted data?"
Forced how? By saying that failing to do so is admission of guilt? In that case, would it be any different than just assuming you're guilty until proven innocent? "You're guilty because I say you are. Now prove that you're innocent and I'll let you go." To me, that doesn't sound good at all…
What they do in a case like this to "force" you to do something would be that they ask for it and when you refuse you are held in contempt of court. You are then held in jail until you choose to give up the information. So unless whatever in encrypted is worth life in jail the person will eventually give in.
what happens if you forgot it NDAA kicks in?
Thought the US and UK were signatures to the cryptography convention?
It's up to Davies to make her own case, not to whine her way into the resetting Constitutional warping Tort law. There are already cogs in the wheel for the obtaining of this evidence, should it truly exist; she merely needs to petition the court with sufficient probable cause. One can only assume she tried that…and was told "No."
Comments use of the word 'transcend' is completely wrong both by definition and in the spirit it has evolved over the centuries. In its simplist form it intends to convey 'above all other' especially when used by many faiths when revering their Deity.
I'd like to make a comment regarding this issue. We go through life and sometimes we do things that we regret. I personal was sued in Federal Court, during which time, I was asked to turn over lots of information on my computer. At the time I was not using crypto. In retrospect, I really wish that I had sent encrypted email to various people. The point is that I could have realized the following scenario:
* I turn over the messages from my sent-mail folder.
* They say "This is gobbldygook. You must by order of the Court decrypt it".
* I inform them that it was encrypted using the public key of the recipient and they need to see if the recipient still has his private key.
As for being required to decrypt a private hard drive, the same principal applies: If you encrypt your hard-drive, you need to have someone else be the keeper of your public key. Then they have to either find him or throw in the towel.
A persons password is theirs. And if they have never disclosed it then only they and the system it is used for will know it.
Create a law to subpeona the password from;
a computer manufacturer
a program developer
an operating system developer
a web site
If the information is encrypted, then it's the burden of the prosecutors to unencrypt the information. The end does not justify the means. Obtain the infomation legally without trampling peoples rights.
I'd like to make a comment regarding this issue. We go through life and sometimes we do things that we regret. I personal was sued in Federal Court, during which time, I was asked to turn over lots of information on my computer. At the time I was not using crypto. In retrospect, I really wish that I had sent encrypted email to various people. The point is that I could have realized the following scenario:
The consensus appears to be that one should be forced to decrypt one’s computer provided that a search warrant has been lawfully obtained. To refuse is akin to having police arrive with a warrant to search one’s house, but refusing to disclose the combination number of the safe.
Personally I would be willing to relax many of my rights if it leads to the conviction of more child abusers, terrorists, drug-pushers and other serious criminals.
If the police find evidence of irrelevant but unsavoury activities that are not actually illegal, such as cheating on my spouse, I would expect them to exercise the utmost discretion.
And if your going to rely on the government or law enforcement to do so then perhaps you need a history lesson to see what happens in those instances which are not one time only offenses!
Russia, China, Cuba and Nazi Germany applaud you!
What did law enforcement do before computers? If she is guilty of financial indescretions then perhaps hiring an accountant would be more productive than snooping through her PC.
surely (and I'm probably being stupid here) they can just hack it, surely that isn't to hard for the american forensics teams!
Some of you are taking it to the extreme. We're not talking about an attempt to circumvent the process or some spy job where data was planted to get over on someone. So in that regard, the case should be dropped and everyone walk their seperate ways?
The amendments can also have revisions made to them concerning computer privacy. And they should.
The article uses the phrase, "…assessing individual interests against those of the state."
What the…? Interests of the state? What does that mean, exactly?
The state has no interests because it is not a person and it does not own property. It seizes the property of individuals and claims it as "state property", but the concept itself is self-contradictory. This is typical of the kind of thinking that claims, for example, there's such a thing as "good profits" and "bad profits".
Utter nonsense. All profit is good–a moral gain realized through a voluntary transaction. If it's bad, it's not profit…for example when people are forced to hand over some of their property to the state (taxes) through direct physical coercion or the threat of physical coercion.
The same is true of any gain realized through coercion by fraud. That's not a voluntary transaction either. It wouldn't happen if the victim knew he was being defrauded. That's not profit either. In both cases, it's plunder.
Anyhow, the state doesn't own anything it hasn't stolen from someone else. If it owns no property, it has no proprietary interests. There are only the individual ambitions and cravings for power of the transient individuals who manage to worm their way into positions of authority. Their interests are always in conflict with those of the people whom they victimize.