Thursday, January 26th 2012

Possible Precedent: Accused Americans Can Be Forced To Decrypt Their Encrypted Data

The Fifth Amendment states that nobody may be "compelled in any criminal case to be a witness against himself." In other words, one has a right to avoid self-incrimination. It is therefore highly significant that Judge Robert Blackburn ordered a Peyton, Colorado woman, accused of being involved in a mortgage scam, to decrypt the hard disc drive of her Toshiba laptop no later than February 21. If she does not, she will face the consequences, including contempt of court. In a 10-page opinion, the judge wrote, "I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer."
The accused, Ramona Fricosu, is declining to decrypt the laptop, which has been secured with Symantec's PGP Desktop software, which is strong enough to thwart the FBI. She will appeal the ruling, perhaps because, according to her lawyer, it appears that she may be unable to decrypt it for any number of possible reasons. That could technically get her off the hook, as people cannot be punished for not doing what they are physically incapable of doing. It's not yet clear what those 'reasons' are.

Requiring a defendant to give up their password is a thorny, unsettled legal issue. In some cases judges have agreed that defendants shouldn't have to give up their passwords due to the Fifth Amendment, in other similar cases they have ruled that they do, and law review articles have argued for either side over the last 15 years. This case might settle the question once and for all. It's important to note that the prosecutors in this case are not asking for the actual password, but simply expect the defendant to type it into the laptop in order to decrypt its contents, which might be the key to getting their way.

So, let's look at this from the defendant's point of view, assuming that the order to decrypt stands and they have actually done what they're accused of. They would be in a lose-lose situation, since they would get punished whether they reveal the decrypted contents or not. What they now have to decide is which option causes them to lose less. In the UK, you can be jailed for two years for not decrypting data when demanded, which might actually be a good compromise for a crime that carries a hefty sentence of say, 10 years or so. Plus, they get the dubious satisfaction of having thwarted the authorities, which might be priceless to them.

There's more detail and analysis on this story over at c|net.

96 Comments on Possible Precedent: Accused Americans Can Be Forced To Decrypt Their Encrypted Data

#1
silkstone
twilyth said:
I don't see how having an indictment would make a difference.
Ok, I don't really know enough about law to continue. However it seems to go against common sense :banghead:

Why not just get the husband to provide the password and if he doesn't, incarcerate him :nutkick:

At the end of the day I feel it should go like this -

The Court: "If you don't give us your password you go to jail"

The Defendant - "I forgot it"

The Court - "ok, we can't prove you didn't - you are free to go"
Posted on Reply
#2
Horrux
silkstone said:
Ok, I don't really know enough about law to continue. However it seems to go against common sense :banghead:

Why not just get the husband to provide the password and if he doesn't, incarcerate him :nutkick:

At the end of the day I feel it should go like this -

The Court: "If you don't give us your password you go to jail"

The Defendant - "I forgot it"

The Court - "ok, we can't prove you didn't - you are free to go"
That would be good, and much better than what they are doing. I guess what they're actually doing is if she doesn't provide the password, she is held in contempt of court. And what if all this stress actually did make her forget it? And what if all this stress actually did make her forget it AND she's actually innocent?
Posted on Reply
#3
FordGT90Concept
"I go fast!1!11!1!"
qubit said:
Yes they do. Strong encryption is just that - strong. And if you're thinking of back doors from the likes of Symantec, then there's always open source solutions, which definitely won't have it.

Even from Symantec though, there's no backdoor, as you can see from this article.
If it is really that important, they'll hand it off to the NSA and I wouldn't be surprised at all if the NSA has supercomputers that can try trillions of passphrases a second breaking any encryption in a matter of weeks.

...the thing is, a petty case like this doesn't exactly qualify for those kinds of resources...
Posted on Reply
#4
Horrux
FordGT90Concept said:
If it is really that important, they'll hand it off to the NSA and I wouldn't be surprised at all if the NSA has supercomputers that can try trillions of passphrases a second breaking any encryption in a matter of weeks.

...the thing is, a petty case like this doesn't exactly qualify for those kinds of resources...
I would be surprised if an electronic computer - as opposed to a quantum one - would be able to brute force a large key (1024-4096 bit) ElGamal or triple blowfish encryption any time before our sun dies.

For example, the energy required to flip the bits inside an electronic computer has been calculated and the results speak for themselves: trillions of strong keys a second would require something akin to a large nuclear reactor's energy to be expended inside said computer in order to achieve this. Just imagine the cooling solution. Moreover, breaking a 4096-bit key would require more energy than the sun would provide over its entire lifetime. One single key.

Just saying.
Posted on Reply
#5
Steevo
Horrux said:
I would be surprised if an electronic computer - as opposed to a quantum one - would be able to brute force a large key (1024-4096 bit) ElGamal or triple blowfish encryption any time before our sun dies.

For example, the energy required to flip the bits inside an electronic computer has been calculated and the results speak for themselves: trillions of strong keys a second would require something akin to a large nuclear reactor's energy to be expended inside said computer in order to achieve this. Just imagine the cooling solution. Moreover, breaking a 4096-bit key would require more energy than the sun would provide over its entire lifetime. One single key.

Just saying.
Going at it the wrong way results in that sort of time being needed.


If we KNOW there is a file with certain properties on the disk, all we need to do is to find it. Once we find it, we have a significant portion of the key.


For example, we KNOW there is an operating system on the hard drive, and we KNOW we can read the disk in a program byte by byte.

No matter what you do to certain files they can't be compressed, only rearranged. So we start with a file like autoplay.dll, we know where it resides, its size for the OS installed, and what it is byte for byte as we can compare it.

Compare it with byte by byte sectors of the HDD, just like an anti-virus scan looks for files, except the beautiful things called rainbow tables are the anti-virus definitions. Once found all we need to do is put it back together in the correct sequence and we then have a part of the key used. In almost any sort of encryption system the storage key is one of one, with a partial of a master key that authorizes the rest of the key to be verified, without it all you would have to do is a dump state when the keys were compared as the actual key would be loaded during that process.
Posted on Reply
#6
Kreij
Senior Monkey Moderator
That's not how encryption works, Steevo.
There is no "stored" decryption key. The password(s) are input into the algorithms to create keys, hashes and salts, and are run against the encrypted file. Wrong password(s) and decryption fails.

There are, however, shortcuts that allow decryption methods and keys to be ascertained in a LOT less time than "brute force".
Posted on Reply
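A simplified model of the password-to-key step described in comment #6, together with the guessing rates argued over in comments #3 and #4; this is an added example, not part of the thread and not how PGP Desktop or any specific product stores its data. The header layout, the function names, the work factor and the 1e12 guesses-per-second figure (taken from "trillions of passphrases a second") are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000        # assumed work factor for this sketch
CHECK_LABEL = b"key-check"  # constant that is MACed under the derived key


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch a passphrase into a 256-bit key; the key itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_header(passphrase, salt=None):
    """What sits on disk in this model: salt, work factor and a check value."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(passphrase, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock(header, passphrase):
    """Re-derive the key; return it only if the check value matches."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


def passphrase_bits(alphabet_size, length):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every value in a 2**bits search space."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    header = make_header("correct horse battery staple")  # constructed sample
    print("right passphrase unlocks:", unlock(header, "correct horse battery staple") is not None)
    print("wrong passphrase unlocks:", unlock(header, "letmein") is not None)
    rate = 1e12  # assumed rate, before the KDF work factor slows each guess
    print("128-bit key, years:", years_to_exhaust(128, rate))
    print("8 lowercase letters, years:", years_to_exhaust(passphrase_bits(26, 8), rate))
```

The gap between the last two figures is why a defender's effort belongs in passphrase length and the KDF work factor rather than in the cipher's key size.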
#7
Unregistered
Update

full story
Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge’s order that the defendant unlock the hard drive so the government could use its contents as evidence against her.

The development ends a contentious legal showdown over whether forcing a defendant to decrypt a laptop is a breach of the Fifth Amendment right against compelled self incrimination.

The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal.
Posted on Edit | Reply
#8
FordGT90Concept
"I go fast!1!11!1!"
Well dammit. I wanted to see that judge burn. :(
Posted on Reply
#9
Horrux
FordGT90Concept said:
Well dammit. I wanted to see that judge burn. :(
Me too... Any info on what kind of encryption was used on her lappy? Must have been real weak. I mean, I hope so, or no data is secure...
Posted on Reply
#10
Benetanegia
It's pretty obvious either Fricosu or her ex-husband provided the key.
Posted on Reply
#11
Unregistered
Horrux said:
Me too... Any info on what kind of encryption was used on her lappy? Must have been real weak. I mean, I hope so, or no data is secure...
I think I read on another forum it was a Symantec product, but I might be thinking of another case, so don't people start ragging on Symantec just on what I'm saying.
Posted on Edit | Reply
#12
FordGT90Concept
"I go fast!1!11!1!"
In the OP it says Symantec PGP. As Benetanegia said, the defendant blames the co-defendant for providing the password. My guess is that he is going to get a lesser sentence for doing so.
Posted on Reply
#14
FordGT90Concept
"I go fast!1!11!1!"
As the article twilyth linked said, this case is in a different appeals court (10th) than the one that ruled (11th). 10th appeals court didn't want to hear the case and 11th's ruling does not set precedent for 10th.

Virtually any court will rule the same as 11th for the reasons the 11th ruled the way it did: forcing to decrypt evidence is the same as forcing testimony which is illegal.
Posted on Reply
#15
silkstone
FordGT90Concept said:
As the article twilyth linked said, this case is in a different appeals court (10th) than the one that ruled (11th). 10th appeals court didn't want to hear the case and 11th's ruling does not set precedent for 10th.

Virtually any court will rule the same as 11th for the reasons the 11th ruled the way it did: forcing to decrypt evidence is the same as forcing testimony which is illegal.
On Wednesday, the Tenth Circuit Court of Appeals let stand a judge's ruling in a Colorado case that the defendant in a mortgage fraud case could be compelled to produce the contents of her encrypted laptop. But on Thursday, the Eleventh Circuit Court of Appeals overturned a Florida contempt of court charge against a suspect in a child pornography case who refused to decrypt the encrypted contents of several hard drives.

It says the 10th court did hear the case and compelled her to produce the password. The case in the 11th court was a different case.
Posted on Reply
#16
FordGT90Concept
"I go fast!1!11!1!"
In any event, it isn't going to be set in stone until it reaches the Supreme Court. It sounds like neither case is going to get anywhere close to that though.
Posted on Reply
#17
silkstone
Yes, it would be interesting to see. I wonder if they compelled the joint defendant to reveal the password or whether it was part of a plea bargain.

"In previous cases, the courts have held that when the government already knows of the existence of specific incriminating files, compelling a suspect to produce them does not violate the Fifth Amendment's rule against self-incrimination. On the other hand, if the government merely suspects that an encrypted hard drive contains some incriminating documents, but lacks independent evidence for the existence of specific documents, then the owner of the hard drive is entitled to invoke the Fifth Amendment."

There may be a precedent already regarding this. As many cases have compelled defendants to reveal passwords before.

Things like this make sense

"For example, in 2006, a border guard in Vermont examined the contents of a traveler's laptop and found several files that appeared to be child pornography. But when the laptop was closed, the portion of the hard drive containing these files was automatically encrypted, and the government sought to compel the suspect to decrypt the files again. The court ruled that because a government agent had already seen specific incriminating files, compelling the suspect to produce those same files did not violate the Fifth Amendment's privilege against self-incrimination."
Posted on Reply
#18
FordGT90Concept
"I go fast!1!11!1!"
But even that 2006 case could have gone to higher courts because instead of the guard's word against the defendant's word, they were "compelling" the defendant to produce self-incriminating evidence that the prosecution did not have access to. Just like this case, they should have had to build a prosecution (using the guard's testimony) against the defendant without it.
Posted on Reply
#19
silkstone
I agree that it would be interesting to see what would happen in the supreme court, but it may not be something they are even interested in looking at. Until then, all the courts have is precedent from previous cases and so that is basically how the law stands at the moment.
Posted on Reply
#20
AphexDreamer
tigger said:
If she refuses, it should just be taken as an admission of guilt, if there was nothing on it proving her guilt, she would just give them the data.
If we adopted this logic, then each person's privacy wouldn't be an issue or even a right to protect.

The thing is she might have some files that are evidence against her but a computer has many types of files and purposes which is why it is an invasion of privacy and why they are probably appealing. Else if they have a warrant she is supposed to let them "in".
Posted on Reply
#21
FordGT90Concept
"I go fast!1!11!1!"
Not all business secrets are of the illegal variety. Businesses don't like giving up their private data any more than individuals do.

For example, even if you never did anything illegal on your computer, how embarrassed would you be if someone seized your computer and rifled through all your browser history, emails, instant message logs, applications, documents, music, and pictures?
Posted on Reply