The Iconoclast Subscribe to The Iconoclast
December 14, 2007 5:33 PM PST

Judge: Man can't be forced to divulge encryption passphrase

Posted by Declan McCullagh

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."

Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")

This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.

Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."

The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that that such protection extends to the contents of a defendant's minds, so why shouldn't a passphrase be shielded as well?

In this case, Judge Niedermeier took the second approach. He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient.

Laptop files: Unencrypted, then encrypted
A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."

Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.)

According to Niedermeier's written opinion, prosecutors sent Boucher a grand jury subpoena asking for the passwords because:

Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.

The opinion added:

If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.

Boucher is a Canadian citizen who is a lawful permanent resident in the United States and lives with his father in Derry, N.H. Two attorneys listed as representing him could not immediately be reached for comment on Friday.

So what happens next? It's possible that prosecutors will be able to establish that Boucher's laptop has child pornography on it without being able to access it: after all, there were at least two federal agents who looked at the laptop when the Z: drive was still unencrypted.

But if this ruling in the case is eventually appealed, it could have a far-reaching impact in a pro-privacy or pro-law-enforcement direction.

Michael Froomkin, a law professor at the University of Miami, has written that the government "would have a very hard time" trying to obtain a memorized passphrase. A similar argument, published in the University of Chicago Legal Forum in 1996, says:

The courts likely will find that compelling someone to reveal the steps necessary to decrypt a PGP-encrypted document violates the Fifth Amendment privilege against compulsory self-incrimination. Because most users protect their private keys by memorizing passwords to them and not writing them down, access to encrypted documents would almost definitely require an individual to disclose the contents of his mind. This bars the state from compelling its production. This would force law enforcement officials to grant some form of immunity to the owners of these documents to gain access to them.

But prosecutors think they can split the idea of immunity into two halves: divulging the passphrase, and then using the passphrase to decrypt the files. A 1996 article by Philip Reitinger of the Department of Justice's computer crime section proposes a clever device for forcing a defendant to divulge a PGP passphrase and then convicting him anyway (remember, the passphrase lets the key be used to decrypt the document):

Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect.

Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand?

Recent posts from The Iconoclast
FBI's Net surveillance proposal raises privacy, legal concerns
Transcript: FBI director on surveillance of 'illegal' Internet activity
FBI, politicos renew push for ISP data retention laws
Shamos: Why e-voting paper trails are a bad idea
FBI nudges state 'fusion centers' into the shadows
Add a Comment (Log in or register) 170 comments (Page 1 of 5)
Both Sides Are Evil
by FrankTurd December 14, 2007 6:18 PM PST
Yuck. Both sides of this argument are bad: some scum pedo and over reaching Fuzz at the border. While I don't condone pedophilia and child abuse, I don't think we need a jack-booted lock down 1957 Russia either. ~ Franky
Reply to this comment View all 2 replies
THIS IS REAL NEWS - AWESOME
by digitalshaman December 14, 2007 6:58 PM PST
i am abhorent of child porn but the relationship between this case and all the shenanigans in our "open" government ... i welcome a strong assertion of the constitution over any person ... a nation of laws not men ... thanks, declan [[digitalshaman]]
Reply to this comment
Why did the officer do the first search?
by Leria December 14, 2007 8:09 PM PST
Why did the officer do the first search in the first place? There seems to be no reason to even turn on the computer when it is going through customs, and seems like an illegal search on it's face. This case should be thrown out of the courts and the man's computer should be returned to him post-haste.
Reply to this comment View all 2 replies
The government's immunity trick
by gos12 December 14, 2007 8:14 PM PST
So suppose the person refusing to give over his passphrase is presented with the immunity trick the article discusses. The government will give immunity for the passphrase, but not for the material it may unlock. However an easy way around this is to use pass phrases that are incriminating for some infraction of the law. Hypothetically if a person's passphrase was "I committed a crime on <date> by <action>." The government could never force him to reveal this passpharse because it forces him to incriminate himself for some other event. Since the government doesn't know what the event is, they can't write a narrow immunity scope for it. Thereby he'd be able to claim 5th amendment protections until the cows came home. Who said a passphrase had to be neutral?
Reply to this comment View all 2 replies
You can always say you forgot
by unknown unknown December 15, 2007 12:02 AM PST
-the key or passphrase.
Reply to this comment View reply
Waste of time and money
by expatincebu December 15, 2007 12:11 AM PST
Corporate managers are stealing the country blind but our justice system waste its time on prosecuting someone for photographs and cartoons!
Reply to this comment View reply
This is crazy!!!!
by lexleugers December 15, 2007 12:13 AM PST
What are they thinking? This is our children. We should do everything to put children pornographers behind bars, along with the pedophiles!!!! They have the laptop already, they have the evidence. This Judge needs to wake up and do the job he was hired to do. "My own opinion may the should check on all the people that agree with this decision!"
Reply to this comment View all 6 replies
Strange indeed...
by Penguinisto December 15, 2007 12:27 AM PST
I wonder why everyone mentions a "key" and not, say, a "safe combination"? Can one be compelled to cough up the combination to a safe (as opposed to handing over a physical key)? Personally, it doesn't matter if the schmuck is a paedo or not - he at least does have the right to not self-incriminate. If that means the files on his encrypted drive cannot be accessed, then at least it'll prevent a less scrupulous prosecutor or other government functionary from railroading somebody else. Time for the forensics team to break out the rainbow tables and start grinding at the passphrase... /P
Reply to this comment View reply
This is why I LOVE TrueCrypt
by jimcbr December 15, 2007 4:54 AM PST
Forget PGP, TrueCrypt has a hidden disk inside an encrypted disk, and there's no way that anyone can even prove the hidden disk exists.
Reply to this comment View all 2 replies
"Waterboard" the guy!
by lkrupp December 15, 2007 7:26 AM PST
This is why waterboarding should be legalized. And if he accidentally drowns then we don't need the password. Problem solved.
Reply to this comment View all 3 replies
1 | 2 | 3 | 4 | 5 | Next 10 Comments >>
Powered by Jive Software
advertisement
Click Here

  • About The Iconoclast

  • Declan McCullagh has covered politics, technology, and Washington, D.C. for over a decade, which has turned him into an iconoclast and a skeptic of anyone who says: "We oughta have a new federal law against this."

Add this feed to your online news reader
Google
Yahoo
MSN

The Iconoclast topics

Latest blog posts from News.com

Featured blogs

Beyond Binary by Ina Fried A look at how technology is changing our lives and at the people behind all that life-changing stuff.

Coop's Corner by Charles Cooper Charles Cooper weighs in on Silicon Valley hijinks, and he doesn't suffer fools gladly.

Defense in Depth by Robert Vamosi Covering the latest in computer viruses and computer crime.

Geek Gestalt by Daniel Terdiman At the tech culture nexus of video games, fire art, and virtual worlds.

Green Tech Fresh green tech news and commentary.

One More Thing by Tom Krazit Tom Krazit takes on the tech phenomenon that is Apple, and keeps a close watch on the chip industry.

Outside the Lines by Dan Farber When business and technology meet, that's when things get interesting.

The Social by Caroline McCarthy Exploring all facets of social media and tech culture.

Underexposed by Stephen Shankland Coverage of digital photography, science, and open-source software.

advertisement
Welcome (log out) |View profile
Log in | Sign up Why join?
On TV.com: MILEY CYRUS photographs
Advanced
search
advertisementA great deal awaits. united.com
Advanced
search
Visit other CNET Networks sites: