‘I forgot my password’ doesn’t impress judge in a child images case

Sorry, “John Doe”: the courts aren’t buying the notion that you’ve “forgotten” the passwords to unlock external hard drives that the Justice Department believes contain child abuse imagery.

Earlier this week the US Third Circuit Court of Appeals in Pennsylvania held that the defendant (referred to in court documents as “John Doe” because his case is partially under seal) is in contempt of court for willfully disobeying and resisting an order to decrypt external hard drives that had been attached to his Mac computer, The Register reports.

Here’s the ruling (PDF), posted courtesy of the Register.

According to the court, Doe voluntarily handed over the password for an Apple iPhone 5S, but he refused to provide the passwords to decrypt his Mac or the external hard drives. Forensic analysts figured out his computer password, but they haven’t been able to decrypt the external hard drives.

The police suspect that images are there, though. The analysts found an image of “a pubescent girl in a sexually provocative position” on the computer, along with logs showing that it had been used to visit sites with names common in child exploitation.

They couldn’t find the images themselves on the Mac, but they did find evidence of Doe having allegedly downloaded thousands of files with the hash values of known child abuse images.

Since 2008, the National Center for Missing & Exploited Children (NCMEC) has made available a list of hash values for known child sexual abuse images, provided by ISPs, that enables companies to check large volumes of files for matches without those companies themselves having to keep copies of offending images or to actually pry open people’s private messages.

The hash originally used to create unique file identifiers was MD5, but Microsoft at one point donated its own PhotoDNA technology to the effort.

PhotoDNA creates a unique signature for an image by converting it to black and white, resizing it, and breaking it into a grid. In each grid cell, the technology finds a histogram of intensity gradients or edges from which it derives its so-called DNA. Images with similar DNA can then be matched.

Given that the amount of data in the DNA is small, large data sets can be scanned quickly, enabling companies including Microsoft, Google, Verizon, Twitter, Facebook and Yahoo to find needles in haystacks and sniff out illegal child abuse imagery. Optimally, it works even if the images have been resized or cropped.
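The difference between an exact hash such as MD5 and a gradient-based signature, as an added example that is not from the original article and is not Microsoft's PhotoDNA implementation: a toy grid-of-gradient-histograms signature run over constructed synthetic images. The grid size, bin count, threshold and all function names are assumptions.

```python
import hashlib, math

SIZE, GRID, BINS = 32, 4, 4  # assumed toy parameters, not PhotoDNA's real ones
THRESHOLD = 0.25             # assumed match threshold for this toy signature

def resize(img, size=SIZE):
    """Nearest-neighbour resample of a grayscale image (list of rows)."""
    h, w = len(img), len(img[0])
    return [[img[y * h // size][x * w // size] for x in range(size)]
            for y in range(size)]

def signature(img):
    """Normalised histogram of gradient orientations for each grid cell."""
    g, cell, sig = resize(img), SIZE // GRID, []
    for cy in range(GRID):
        for cx in range(GRID):
            hist = [0.0] * BINS
            for y in range(cy * cell, (cy + 1) * cell):
                for x in range(cx * cell, (cx + 1) * cell):
                    dx = g[y][min(x + 1, SIZE - 1)] - g[y][max(x - 1, 0)]
                    dy = g[min(y + 1, SIZE - 1)][x] - g[max(y - 1, 0)][x]
                    mag = math.hypot(dx, dy)
                    if mag:  # bin the edge direction, weighted by strength
                        angle = math.atan2(dy, dx) % math.pi
                        hist[int(angle / math.pi * BINS) % BINS] += mag
            total = sum(hist) or 1.0
            sig.extend(v / total for v in hist)
    return sig

def distance(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def md5_of(img):
    return hashlib.md5(bytes(v for row in img for v in row)).hexdigest()

# Constructed 64x64 test images (synthetic patterns, no real data).
original = [[240 if 20 <= x < 28 and 20 <= y < 28 else 3 * x
             for x in range(64)] for y in range(64)]
upscaled = [[original[y // 2][x // 2] for x in range(128)] for y in range(128)]
brighter = [[v + 3 for v in row] for row in original]
unrelated = [[3 * y for x in range(64)] for y in range(64)]

def compare(candidate):
    """Return (exact MD5 match?, perceptual match?) against `original`."""
    d = distance(signature(original), signature(candidate))
    return md5_of(candidate) == md5_of(original), d < THRESHOLD

if __name__ == "__main__":
    for name in ("upscaled", "brighter", "unrelated"):
        print(name, compare(globals()[name]))
```

The upscaled and brightened copies no longer match by MD5 but still match by signature, while the unrelated pattern matches by neither.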

In this particular Pennsylvania case, the telltale hash values of known abuse images were found on Doe’s computer. Investigators presumed that those images had been downloaded to the external drives.

Doe eventually decrypted another cellphone, an iPhone 6 Plus. It contained more than 2,000 images in what had been an encrypted app. Analysts discovered that the phone contained adult porn and indecent images of two very young girls.

But Doe claimed to have forgotten the passwords to decrypt the hard drives. He entered three incorrect passwords during the forensic examination.

The magistrate judge who heard the initial case didn’t swallow the “I forgot” defense, asserting that “Doe remembered the passwords needed to decrypt the hard drives but chose not to reveal them because of the devices’ contents.”

Doe has argued that he’s not in contempt of court because being forced to reveal his password violates his Fifth Amendment protection against self-incrimination. But in August 2015, the magistrate judge said that Doe’s decrypting his devices couldn’t be considered testimony against himself, because the government already knew that there would be child abuse imagery on the devices.

Doe didn’t testify in his own defense over the contempt charge. Nor did he call witnesses or offer evidence as to why he shouldn’t be held in contempt for failing to decrypt the devices. In fact, his own sister, who had lived with him in 2015, had testified that her brother showed her hundreds of abuse images and videos.

Doe was jailed, with a court order (PDF) to keep him locked up indefinitely until he decrypted the drive. The court at the time said he “[carries] the keys to his prison in his own pocket”.

That magistrate judge’s decision was upheld by the US Third Circuit Court of Appeals on Monday.

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) had filed a friend-of-the-court brief (PDF) in which they backed up the suspect’s Fifth Amendment argument, saying that…

…compelled decryption is inherently testimonial because it compels a suspect to use the contents of their mind to translate unintelligible evidence into a form that can be used against them. The Fifth Amendment provides an absolute privilege against such self-incriminating compelled decryption.

Mark Rumold, senior staff attorney at the EFF, told the Register that Monday’s ruling was disappointing, albeit not entirely surprising. The EFF still holds that individuals shouldn’t be compelled to provide passwords. The Register quoted him:

Any time suspects are forced to disclose the contents of their mind, that’s enough to trigger the Fifth Amendment, end of story.

But The Register also quoted Dan Terzian, a lawyer who’s argued against the EFF on this:

Scores of companies now encrypt their data… In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas.

Rumold predicted that the Supreme Court would wind up weighing in on the case.