Feds appeal loss in PGP compelled-passphrase case
It's time to take another look at the intriguing case of United States v. Boucher, which may set the ground rules for whether or not criminal defendants can be compelled to divulge encryption passphrases.
When I last wrote about the Boucher case, the U.S. Department of Justice was refusing to comment on the matter. Here's my original article from last month for background.
The case arose because federal agents believe Boucher has child pornography on his laptop, and obtained a warrant to search it. But part of the hard drive was PGP-encrypted, and the Feds obtained a subpoena to force him to disclose (or even simply type in) his passphrase.
U.S. Magistrate Judge Jerome Niedermeier in Vermont rejected the subpoena on Fifth Amendment grounds--namely, that compelled disclosure of a passphrase amounted to self-incrimination. The Fifth Amendment says no person "shall be compelled in any criminal case to be a witness against himself."
The Washington Post, by the way, finally got around to writing about this (a month later) on Wednesday in a page one article. It quotes Boucher as saying that he likes to download Japanese cartoons and occasionally adult pornography, but that he does not seek to view child porn.
Now the Justice Department is filing a sealed appeal of the magistrate judge's decision to U.S. District Judge William K. Sessions. Sessions is a Clinton appointee, a former public defender who became a partner at the Middlebury, Vt. law firm Sessions, Keiner, Dumont & Barnes. He was part of the U.S. Sentencing Commission during the Clinton administration.
What's a bit odd is that, as far as I can tell, the Feds' appeal brief itself was filed under seal on January 2, and Boucher's reply brief in opposition filed on January 15 was also under seal. Considering that the original criminal complaint is public, and the magistrate judge's Fifth Amendment decision is public, there's no obvious reason why this extra secrecy is necessary. More on this as the case progresses.
Declan McCullagh, CNET News' chief political correspondent, chronicles the intersection of politics and technology. He has covered politics, technology, and Washington, D.C., for more than a decade, which has turned him into an iconoclast and a skeptic of anyone who says, "We oughta have a new federal law against this."






What is or is not on his laptop is completely irrelevant. Those claiming otherwise better hope that someone with subpoena power doesn't suspect their computer of having illicit materials.
If the feds can crack it while they have custody of it, more power to 'em. But to force a password? That is no different than forcing a confession.
A solid encryption program like PGP along with a strong password will render the files uncrackable. At least within the next 100,000 years. If they can brute force it before then (assuming no exploitable flaws are found in the implementation), they can consider themselves extremely lucky.
The only time I would vote against this is if telling the passcode will save a human life.
If it can save a child's life then I say beat it out of him.
Here are some of my thoughts on this subject...
by anonfunk
February 21, 2008 8:12 AM PST
1) The customs agents claim that they saw images of child pornography. Ok, let's say that it's their right to do a routine check on the laptop of someone who is entering the US (someone might disagree); what is the use when they clearly don't have the training to handle such situations as the discovery of illegal content? Cause if they were trained (or simply smart) they would have taken a photograph of the laptop while the illegal content was on display. That's what a forensics team would have advised them to do (as a first step). The battle was lost at that early point.
2) Since they allegedly opened the files on the laptop and they saw the illegal content, doesn't that mean that some traces of the files may reside somewhere in the computer?
For example:
-- R.A.M. --
We all know that the contents of RAM are lost after shutdown. Let's assume though that the laptop hadn't been restarted (just shut down) after the initial inspection at the customs (so that the standard memory test that occurs at boot time wouldn't overwrite anything). Couldn't the computer experts examine the RAM and extract at least fragments/evidence of the illegal content?
-- "pagefile.sys" (or "swap" or "paging file" or whatever you want to call it) --
I'm sure it would take more than your average user to find traces of illegal content there, but couldn't a forensics team do it? Imho it's much easier (and straightforward) than trying to brute force their way into the data of the encrypted partition... Of course they might retrieve just a small part of the illegal material (let's say a couple of pictures), but won't that be enough for a conviction?
-- "deleted" files --
Can't the forensics team look for traces of deleted (but not securely erased) older files? (We all know how standard delete works; no data overwriting whatsoever). If they could restore even one such illegal picture from the unencrypted partitions of his laptop, problem's solved. You'd think that he is "smart" because he used encryption, but in reality he might have made such a stupid mistake as to not securely erase old illegal files...
-- ISP --
I don't know what data ISPs tend to keep and for how long, but if the guy claims that he downloaded this material, isn't there a way for the FBI/computer forensics (whatever) to require traffic data from the ISP for this user? Couldn't such info provide the evidence that the police need? If the guy had a habit of downloading cp even the ISP might have taken notice.
-- key logger --
It's far-fetched I know, but if they really want to get that guy, they could simply install a key logger and return the laptop to its owner. Or they could return the laptop, monitor the guy's online activity and somehow install a keylogger when the guy gets online (after he starts feeling he's safe). The next time they will confiscate his laptop they will have the info they want.
3) I believe it's just a matter of how much effort and resources they are willing to throw in to catch this guy. But let's be honest, they simply don't care THAT much!
I mean, you are a cop; who would you rather get? The junkie or the guy that makes big bucks selling narcotics? I think that the same thing applies here. They'd rather get their hands on a guy producing or/and selling child pornography than a guy merely downloading it. It's a matter of priorities, I believe...
4) Guilty or innocent, scum or saint, I believe that this guy must not give his password. The police have the testimonies of two customs agents and all the methods I mentioned above to find the evidence they need for a court of law. God help them if they can't put this guy to jail, but that means they didn't have much evidence to begin with. In any case, they can't expect from him (the accused) to find the evidence for them! They might as well give him a rope and order him to hang himself!
Thanks for reading, sorry for my bad English.