U.S. Court Extends Fifth Amendment to Encrypted Data

OldRat

Well, this is a bit problematic. On one hand, I can very well see why this is a good thing. And on the other hand, I can see why this is a bad thing. So I'm going to reserve judgement and see how this plays out.
 

tehroc

Great for the little guy, but will set a precedent that will be abused by any major corporation.
 

FrostyChick

BiH-Kira said:
Couldn't you just say you don't know how or don't know the password?
They can't prove you know or don't know it.
If they ask you how you accessed it, you say you had it written on a piece of paper and lost it.


Just asking. :D
Unfortunately not. Under The Regulation of Investigatory Powers Act 2000, Part III.
It is an offence to refuse to decrypt information when requested to do so by law enforcement.
Failure to provide decrypted information or the keys to read the information can carry a penalty of up to 2 years in prison.

The thing about pleading ignorance is, how do you prove you don't know something in a court of law?
What evidence could one offer up that proves they don't know something other than their word?

It massively sucks as it is very possible for people to go to jail for not knowing how to access an encrypted file on their own system.
 

Evil Alpaca

It's kinda funny how everyone here thinks data encryption means it's untouchable. Nothing could be farther from the truth.

1) Decrypting data takes time and I think the FBI wanted to shortcut the process. Since the feds already had warrants for the material, if the man had decrypted the data and then the appeals court overturned the ruling, the data might still be admissible in court since it was obtained under a warrant.

2) If it were a high profile case, don't you think the people at TrueCrypt would help and probably have methods for bypassing their own security. Enough with the doomsday scenarios.

3) This is about the right to not self-incriminate. You are legally entitled to do nothing to help the police build a case.

btw: If you encrypt data after it's been requested, that's obstruction. So this ruling only applies to someone who routinely encrypts their data.
 

OldNewNewOld

FrostyChick said:
BiH-Kira said:
Couldn't you just say you don't know how or don't know the password?
They can't prove you know or don't know it.
If they ask you how you accessed it, you say you had it written on a piece of paper and lost it.


Just asking. :D
Unfortunately not. Under The Regulation of Investigatory Powers Act 2000, Part III.
It is an offence to refuse to decrypt information when requested to do so by law enforcement.
Failure to provide decrypted information or the keys to read the information can carry a penalty of up to 2 years in prison.

The thing about pleading ignorance is, how do you prove you don't know something in a court of law?
What evidence could one offer up that proves they don't know something other than their word?

It massively sucks as it is very possible for people to go to jail for not knowing how to access an encrypted file on their own system.
But that means that you're guilty until you prove yourself innocent. That's totally against democracy. They should prove me guilty, not the other way around.

IMHO, makes no sense and should be changed ASAP. I know that that could make some cases harder even tho the defendant is obviously guilty, but the current situation can be abused too easily.

Just an example. Someone could create some encrypted data on your PC (via hacking or by just having direct access to your PC) and give the police an anonymous tip. You really don't know anything, yet you can't prove it. You're guilty by default. In the current world, where computer access is a "must", that's damn wrong. It doesn't need to be anything illegal. Just an encrypted empty .txt document and you go 2 years.
 

MrTub

The part that I'm confused about is that people actually believe that people will decrypt stuff that will land them several years in prison simply cause you can receive up to two years prison time for refusing to do so.

I'm pretty sure that anyone that has half a brain will choose 2 years over (example) 5 years in prison..
 

FrostyChick

BiH-Kira said:
But that means that you're guilty until you prove yourself innocent. That's totally against democracy. They should prove me guilty, not the other way around.

IMHO, makes no sense and should be changed ASAP. I know that that could make some cases harder even tho the defendant is obviously guilty, but the current situation can be abused too easily.
It can be massively abused, a point that my IT legislation lecturer loves to bring up.
And I know, it is pretty horrible but the law has been around now for 12 years. There is always hope that it might be changed at some point in the future. But when you wait 12 years to start a political shitstorm, your message kinda gets blunted by the inevitable, "Why wait till now, over a decade later, to say anything about it?".
 

Athinira

Evil Alpaca said:
It's kinda funny how everyone here thinks data encryption means it's untouchable. Nothing could be farther from the truth.

1) Decrypting data takes time and I think the FBI wanted to shortcut the process. Since the feds already had warrants for the material, if the man had decrypted the data and then the appeals court overturned the ruling, the data might still be admissible in court since it was obtained under a warrant.

2) If it were a high profile case, don't you think the people at TrueCrypt would help and probably have methods for bypassing their own security. Enough with the doomsday scenarios.
It's funny how people like you come here and talk about stuff you literally know NOTHING about.

Modern encryption algorithms, the ones employed by TrueCrypt, are so strong that if you employ a strong password (and potentially keyfiles) they can't be cracked within the lifetime of the universe, even if you gathered the Earth's collective computer power and multiplied it by a trillion. Even quantum computers cannot help bruteforce modern algorithms (their application is in factoring prime-numbers, which can crack public key crypto like RSA, but not symmetrical key crypto like AES, Twofish and Serpent).

Neither the FBI, nor any other organization (NSA, CIA, Russians, Chinese) have the capabilities to crack modern symmetrical key crypto with a proper password/key. And no, the TrueCrypt developers cannot help them either. The system is designed with no backdoors. TrueCrypt is Open-Source, uses well-known encryption algorithms (including AES which the US Government themselves use to protect data), and TrueCrypt containers have already been subjected to cryptanalysis attempts before. They just look like random data.

Edit: Decided to fetch you an article [http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204], that might be able to put things into perspective.
 

Atmos Duality

Damn. And to think that this topic has been seething under the public's eye since the early 90s when the FBI wanted to restrict or ban encryption systems from public use because it would interfere with police procedure.

"Due process" interferes with their line of work, and ignoring the usual Tin-Foil-Hat/Trust issues for a moment, I can sympathize with that kind of frustration when information forensics is timely.

However, I'm absolutely certain the Internet needed open distribution of such security to private entities just to function. My main job was/is network security, and there is simply no right or reason to keep prodding around for loopholes that undermine the public's trust.

"Safety without trust is neither."
 

OldNewNewOld

Therumancer said:
The point you, and others, miss here is that in this case there has already been a safeguard imposed. That is to say that the evidence has been seized legally, a judge has already looked this over, and approved the seizure of that computer and data as relevant within the scope of the search. This is about access, not self incrimination, because the evidence has already been approved and entered, which is why it's a contempt issue. This isn't about testimony but a totally different section of the legal system.
The problem is that he gave them access to the computer and the data. It's not his problem that they don't know how to use/read the data.

It's like giving them your gun. It's their damn problem that they don't know how to run the ballistics and see if the gun was used recently. If the bullet matches the bullet found. You don't help the police to see if your DNA is on the victim. You give them access to the DNA. You don't help them find any blood in your house. You give them access to the house.

You give them the data. They don't know how to use it.
And the court CAN'T force you to decrypt it because that would be assuming that you know how to encrypt it. If you just deny that the data is yours, they can't do shit. If they assume you know it, then you are guilty until proven innocent.

Forcing you to give a password is like forcing you to give a document that may or may not exist. But if you don't give it, you go to jail. It's not important that the document doesn't exist, they don't believe you.
 

spartan231490

Matthew94 said:
I hope they do this in the UK too, as far as I know they can force you to unencrypt your data.
Does the UK even have protection against self-incrimination?

OT: Seems legit. I'm all for any time when personal rights are upheld or extended.
 

spartan231490

Tipsy Giant said:
cobra_ky said:
Tipsy Giant said:
cobra_ky said:
Tipsy Giant said:
cobra_ky said:
Tipsy Giant said:
cobra_ky said:
Tipsy Giant said:
I love that 'The Founding Fathers' knew about computing and encryption when they wrote the constitution!
Any chance your old document could be slightly irrelevant to a modern day problem *Cough*Bible*Cough*
The Founding Fathers DID know about encryption. [http://en.wikipedia.org/wiki/Jefferson_disk]
LOL hardly encryption compared to modern standards
The principle is literally identical.
Except that their encryption is for passing on messages and ours is for hiding information of varying description
uh, their encryption was used to pass messages with hidden information in them.
but only text based information, whereas a hard drive can store more than text
a hard drive can only store binary data, which can be interpreted as text, images, or what have you. In any case, means of encrypting or hiding data, whether visual or textual, have existed for millennia and the Founding Fathers were certainly aware of the methods available to them, as they used them extensively throughout the Revolution.
They are irrelevant nowadays, the world is so different today than it was then, they need to write a new constitution, that's right I said it.
Firstly, the bill of rights is different from the constitution. Secondly, the bill of rights has not, nor will it ever be, made irrelevant by the passage of time. It defines what rights the government isn't allowed to infringe upon. What technology is available at the time is irrelevant to those rights. The court system was created partially to make sure that new technology didn't create loopholes, which is exactly what's being done now.

Furthermore, the entire constitution was designed to be flexible and adapt to changing times, which it has done remarkably well.

Now with that said, I do think the constitution could use a major revamp. It has been bent to near breaking between executive orders, some of the amendments, and certain bills and laws that are obviously unconstitutional but have never made it to the supreme court to be shot down. It's time we rewrote the document before we are driven to it by fear or oppression, in a time when we can look back at how it has been abused and decide how to correct it without powerful emotion or a too short time-table crippling our ability to do it right.
 

Not G. Ivingname

albino boo said:
Andy Chalk said:
albino boo said:
But hey data privacy is way more important than protecting the democratic process.
You could make the same argument for warrantless phone taps, searches without any sort of probable cause and pretty much anything else. How far are you willing to go in the name of security? What are you willing to sacrifice?
If you are ordered by a court to produce a printed document and you shred it, not only are you guilty of contempt, the shredded document can be put together and used in evidence against you. Why should the process of encryption be treated any different from shredding? It is also clear that he was ordered to by a court after due process. The FBI didn't walk in and demand he decrypt without a warrant, in the same way that they bugged Rod Blagojevich's phone. Why should it be treated any different, in both cases due process occurred. In the encryption case he actually knew that an order was potentially being made against him and had an opportunity to defend himself in court, which is more than Rod Blagojevich had. Why should data held on disk have greater legal protection than the same information held on paper or the same information exchanged by spoken word?
The pieces of the shredded paper are still in the world, they are not contained in your head. The encryption code IS in your head. They are making you give up a piece of information that may or may not lead to incriminating evidence. A key to a safe isn't a piece of information, it is a physical object that the police have every right to take with a warrant. You equally cannot tell if it is a drug dealer hiding behind the Bill of Rights, or an innocent man just trying to use the rights he has been given. Innocent before proven guilty, remember that.
 

Evil Alpaca

Athinira said:
Evil Alpaca said:
It's funny how people like you come here and talk about stuff you literally know NOTHING about.

Modern encryption algorithms, the ones employed by TrueCrypt, are so strong that if you employ a strong password (and potentially keyfiles) they can't be cracked within the lifetime of the universe, even if you gathered the Earth's collective computer power and multiplied it by a trillion. Even quantum computers cannot help bruteforce modern algorithms (their application is in factoring prime-numbers, which can crack public key crypto like RSA, but not symmetrical key crypto like AES, Twofish and Serpent).

Neither the FBI, nor any other organization (NSA, CIA, Russians, Chinese) have the capabilities to crack modern symmetrical key crypto with a proper password/key. And no, the TrueCrypt developers cannot help them either. The system is designed with no backdoors. TrueCrypt is Open-Source, uses well-known encryption algorithms (including AES which the US Government themselves use to protect data), and TrueCrypt containers have already been subjected to cryptanalysis attempts before. They just look like random data.

Edit: Decided to fetch you an article [http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204], that might be able to put things into perspective.
Thanks for the article, interesting read.

Decryption may not be the right word I'm looking for. What would you call figuring out a person's password based on what you know of the individual. I agree that a bruteforce solution to cracking the software is unlikely.

I wasn't trying to say the FBI would crack the software, but that they could find the necessary password key files. Given human tendency for password redundancy and the fact that the feds have the man's hardware, I was thinking in terms of cracking this particular man's software would involve searching through the man's life for figuring out what password and key files he would have picked. That too takes time which could easily be saved if the man gave up his password information.
 

Athinira

Evil Alpaca said:
Thanks for the article, interesting read.

Decryption may not be the right word I'm looking for. What would you call figuring out a person's password based on what you know of the individual. I agree that a bruteforce solution to cracking the software is unlikely.

I wasn't trying to say the FBI would crack the software, but that they could find the necessary password key files. Given human tendency for password redundancy and the fact that the feds have the man's hardware, I was thinking in terms of cracking this particular man's software would involve searching through the man's life for figuring out what password and key files he would have picked. That too takes time which could easily be saved if the man gave up his password information.
People who actively employ encryption typically don't use cheap passwords. TrueCrypt itself actually warns you if you try to create a container with a password with a length shorter than 20 characters (20 characters is enough to make the password uncrackable within the lifetime of the universe). Now assuming that someone doesn't pick something stupid (like combining the name of their cat with their phone number). Most modern encryption programs actively

Looking through their life for details that could be part of their password seldom gives results, and if you go above a 20 character password (and don't use something stupid) it's still going to be practically impossible to break. Best thing you can hope for with a modest amount of processing-power is a dictionary attack with some random permutations, but the chance of even breaking a moderate (9-12 character) password is very slim.

A few years back when Amazon's cloud was in the early stages, a firm was hired by a guy to crack a file he had forgotten the password to. The password was 7-8 chars long, and either took some hours or days to crack if I recall correctly. The thing is though, you only need to jump up 2 characters before the password becomes OVER NINE-THOUSAND times harder to crack (9.216 times to be exact, but I couldn't resist :D ). Cracking a password at 8-9 chars would be possible, but unfeasible. 10 chars+ using a cloud service is really pushing it unless you pull some serious money into the project, and 11-12 chars you might as well forget it (you need supercomputers to do that, and even there we're talking months, if not years).

So while I get your theory, it's unfeasible in most cases. But of course you should try. You might get lucky and have a noob on your hand.
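
The scaling argument in the post above, worked through as an added example (not part of the original post). The 96-symbol alphabet is an assumption inferred from the post's 9,216x figure (96 squared), the guess rates are constructed, and the model only holds for passwords chosen uniformly at random.

```python
import math

# Assumption: 96 usable symbols, the alphabet size implied by the
# post's "9,216 times harder for 2 more characters" (96 ** 2 == 9216).
ALPHABET = 96
SECONDS_PER_YEAR = 365.25 * 24 * 3600
AGE_OF_UNIVERSE_YEARS = 13.8e9


def keyspace(length, alphabet=ALPHABET):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet ** length


def growth_factor(extra_chars, alphabet=ALPHABET):
    """How much larger the keyspace gets when `extra_chars` are added."""
    return alphabet ** extra_chars


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet)


def expected_years(length, guesses_per_sec, alphabet=ALPHABET):
    """Average exhaustive-search time: half the keyspace is tried."""
    seconds = keyspace(length, alphabet) / 2 / guesses_per_sec
    return seconds / SECONDS_PER_YEAR


def min_length_for(years, guesses_per_sec, alphabet=ALPHABET):
    """Shortest random password whose average search time exceeds `years`."""
    length = 1
    while expected_years(length, guesses_per_sec, alphabet) < years:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1e12  # constructed guess rate (guesses per second), not a measurement
    print(f"+2 characters multiplies the work by {growth_factor(2):,}")
    for n in (8, 10, 12, 16, 20):
        print(f"{n:2d} chars  {entropy_bits(n):6.1f} bits  "
              f"{expected_years(n, rate):.3g} years at {rate:.0e} guesses/s")
    print("length needed to outlast the universe's age:",
          min_length_for(AGE_OF_UNIVERSE_YEARS, rate))
```

A 20-character random password from this alphabet carries about 131.7 bits, more than a 128-bit cipher key, so past that length the password is no longer the weakest part of the system.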
 

MrTub

Evil Alpaca said:
Athinira said:
Evil Alpaca said:
It's funny how people like you come here and talk about stuff you literally know NOTHING about.

Modern encryption algorithms, the ones employed by TrueCrypt, are so strong that if you employ a strong password (and potentially keyfiles) they can't be cracked within the lifetime of the universe, even if you gathered the Earth's collective computer power and multiplied it by a trillion. Even quantum computers cannot help bruteforce modern algorithms (their application is in factoring prime-numbers, which can crack public key crypto like RSA, but not symmetrical key crypto like AES, Twofish and Serpent).

Neither the FBI, nor any other organization (NSA, CIA, Russians, Chinese) have the capabilities to crack modern symmetrical key crypto with a proper password/key. And no, the TrueCrypt developers cannot help them either. The system is designed with no backdoors. TrueCrypt is Open-Source, uses well-known encryption algorithms (including AES which the US Government themselves use to protect data), and TrueCrypt containers have already been subjected to cryptanalysis attempts before. They just look like random data.

Edit: Decided to fetch you an article [http://www.zdnet.com/blog/ou/is-encryption-really-crackable/204], that might be able to put things into perspective.
Thanks for the article, interesting read.

Decryption may not be the right word I'm looking for. What would you call figuring out a person's password based on what you know of the individual. I agree that a bruteforce solution to cracking the software is unlikely.

I wasn't trying to say the FBI would crack the software, but that they could find the necessary password key files. Given human tendency for password redundancy and the fact that the feds have the man's hardware, I was thinking in terms of cracking this particular man's software would involve searching through the man's life for figuring out what password and key files he would have picked. That too takes time which could easily be saved if the man gave up his password information.
That is called social engineering or something similar.

And honestly why bother encrypting something if you write the password on a usb stick/notepad? seems a bit stupid tbh :p
 

Athinira

Tubez said:
That is called social engineering or something similar.
No. Social Engineering is more like scamming. Like sending an e-mail pretending to be someone else. "hi Danny. I need the password to your computer so i can use it for a while. Love, Mom!"

Tubez said:
And honestly why bother encrypting something if you write the password on a usb stick/notepad? seems a bit stupid tbh :p
Because it's better to use a really complicated password and write it down than using a weak password that is easy to remember (and you use elsewhere).

Once you've learned the complicated password in your sleep, you can destroy whatever you wrote it down on.
 

MrTub

Athinira said:
Tubez said:
That is called social engineering or something similar.
No. Social Engineering is more like scamming. Like sending an e-mail pretending to be someone else. "hi Danny. I need the password to your computer so i can use it for a while. Love, Mom!"

Tubez said:
And honestly why bother encrypting something if you write the password on a usb stick/notepad? seems a bit stupid tbh :p
Because it's better to use a really complicated password and write it down than using a weak password that is easy to remember (and you use elsewhere).

Once you've learned the complicated password in your sleep, you can destroy whatever you wrote it down on.
Of course it's better to use a complicated password. I just do not see the need to have it written down somewhere for longer than a day at most.

The reason I thought that social engineering was a fitting word was that he suggested that they would gather information on the person and then try to crack the password. But I guess you are correct.
 

Athinira

Tubez said:
Of course it's better to use a complicated password. I just do not see the need to have it written down somewhere for longer than a day at most.
Some people really have terrible memories, and will take quite a while to safely learn a long password. Remember, if you encrypt your data and forget your password, it's a really shitty situation for you :)