US government: We can jail you indefinitely for not decrypting your data

Discussion in 'privacy general' started by Minimalist, Aug 31, 2017.

Thread Status:
Not open for further replies.
  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    https://www.theregister.co.uk/2017/08/30/ex_cop_jailed_for_not_decrypting_data/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The article is misleading. To identify Rawls, investigators hosted child porn on Freenet, using a modified client that logs traffic with peers. They identified peers that routed pieces of their hosted images, based on known hashes. That's quite a bit different from saying that "an examination of the drives showed that they had been used in a computer that had visited child abuse sites".

    And yes, there's apparently no statutory limit to jail time for contempt. Better not forget those passphrases ;)

    Indeed, now that I think of it, I probably have some old encrypted drives with unknown passphrases :eek:
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    Then I guess you don't need data that is on them. I would probably overwrite them or destroy them if not needed. :)
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, it's been a few years since my last drive bonfire :)
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    What kind of society is this where people can be held in jail for refusing to provide evidence of their own guilt.
    This needs to be challenged in the higher courts as infringing on the right to remain silent.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, it does make some sense, I think. I mean, if you know that you're facing decades in jail, and lifetime problems after that, accepting a few years for pretending to forget your passphrase seems like a good-enough deal. So authorities want to discourage that sort of gaming. However, it sucks if you really have forgotten your passphrase :(

    Courts are distinguishing refusal to provide subpoenaed information (here, contents of encrypted drives) from refusal to provide the requisite passphrase. They point out that they don't actually want the passphrase, just the data. Indeed, they have offered to let Rawls decrypt the drive(s) in private.

    But it's still bad news for those who keep their drives, email, etc encrypted :( More and more, the best option seems to be keeping sensitive stuff encrypted online. And to keep no findable records of where that data is located, or credentials to access it. I write some about that in a series of guides that IVPN will publish at some point.
     
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That's not the point though, the right to remain silent is the right to not incriminate yourself.
    That should have wider implications than just the use of physical speech.
    The right to remain silent should not only protect the accused from being forced to say things that might be self incriminating, it should also protect him from being forced to do things.
    Of course this case being about such an emotive issue as child porn easily distracts from such issues.
     
    Last edited: Aug 31, 2017
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I do tend to agree with you. But it's pretty well established that criminal prosecutors and courts in civil cases can compel production of subpoenaed evidence. If it's a safe, they'll break it open. So they won't be keeping you in jail for failing to supply the combination. I suppose that the same standard could be used here. If you fail to supply the passphrase, they're free to try breaking encryption. And if they fail, you go free. Somehow, though, that seems unlikely :(
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes even notwithstanding my point about the scope of the right to not self incriminate, just the right to not SAY incriminating things should obviously also mean you can't be forced to write it down or type it in otherwise what is the point.
     
  10. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    IMO there should also be an independent body mandated to closely monitor the activities of these so called child porn investigators because while posting child porn on the internet to entrap people into downloading it does absolutely nothing to stop people abusing children, a few such arrests goes a long way towards justifying the existence of "investigators" who can claim it is their job to seek out and view child porn all day and get paid for it.
    Sounds like the perfect job for a bunch of nonces if you ask me.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, that malicious Freenet client was a piece of work, for sure :(

    But on the other hand, it was a couple decades before they did it, so hey.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It's actually my policy to change encryption key to some random rubbish that I'll never remember or record, when I want to "delete" the content or dispose of the drive safely (in some cases, in fulfilment of statutory obligations such as data protection). Actually keeping passphrase records is worse than never having them in that situation.

    Ironic that such a prudent measure would be seen as obstructive, but these days, that Catch 22 scenario is all too common.

    It's also disturbing that a court's power to gather evidence is being used in this way, contrary to presumption of innocence - it's like the court has already decided he's guilty (he may well be), and therefore the jail time is dandy. You'd also hope or expect that LE had subverted the clients involved before arrest in order to capture this kind of information.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    Yes, not knowing the passphrase is definitely prudent. But in the current situation it is even better to destroy or overwrite encrypted data. That way you can't be in contempt since there is nothing that can be unencrypted.
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    But that's the issue - you claim it's overwritten - but how is that different from something that's encrypted? They could say, I don't believe you, that random set of bits is actually encrypted data, hand over the passphrase.

    As for physically destroying (particularly an HDD) - not as easy as it sounds! PMR is remarkably resistant to both heat and magnetism.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    If there are only zeros written all over the disk, it can't be said that it is encrypted.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    Ah, yes OK. Problem then is, with a failed drive which you cannot overwrite so nicely with zeros, or where you can't be bothered to overwrite it, are you obligated to keep records of keys in perpetuity in case some judge wants them? I mean, my record-keeping is good, but not that good! Also, if you use TPM + Bitlocker, the key would also include TPM data, so you'd need to preserve the machine/TPM chip in perpetuity too?!

    In addition, for sure, in various experiments I've encrypted data and don't have a clue what the key was, and I don't think I'm obliged to do so. And what about random number files (which have legitimate uses too) - what do I do if required to produce a passphrase for that?

    Franz Kafka would have loved all this....
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,909
    Location:
    Slovenia, EU
    Yes, of course I don't agree with this stance either. I just pointed out some additional steps that can be taken so that one doesn't encounter a similar situation.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Well, appears U.S. Supreme Court will decide this if they first decide to hear the petition:
    https://www.bleepingcomputer.com/ne...-hard-drives-still-in-prison-after-two-years/

    Personally for me, it is fairly obvious by now the guy has "kiddie porn" on the drive. I really don't see this guy as some "privacy" advocate or the like. And two years in prison is a long time to "stand by" your principles.
     
  19. Beyonder

    Beyonder Registered Member

    Joined:
    Aug 26, 2011
    Posts:
    545
    He's not convicted of anything and "innocent until proven guilty" still applies last time I checked, which means it's messed up that he can sit 2 years in jail for potentially having forgotten his password.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe so, maybe no. He may just have encrypted bits of child porn. Which investigators can identify by hash, because they served them from malicious peers under their control. Which his peer was merely forwarding to other peers. And caching, because that's how Freenet works.

    But explain that to a nontechnical jury? Not likely, I think :(

    Peers knowing each other's ISP-assigned IP addresses is a fatal flaw in Freenet. There is no such thing as "plausible deniability", when defendants are faced with dishonest experts who bullshit juries.
     
  21. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Ohh to the futility of it all...
    This is how easily they erode and take back, the rights and principles people fought for and in many cases died for.
    They throw the most extreme case out there, terrorist or pedophile are both good ones, knowing the dumb masses will be blinded by that and say hell yeah the authorities need to do this more to put these criminals behind bars!!
    Then before you know it, the people have no rights. They just stood by nodding and applauding while the ruling classes used mass ignorance as a tool to just tear them up in front of their faces.
    Then one day, it's not a terrorist or a pedophile, it's you, or your wife or one of your kids that said or did something that displeasured the ruling classes and then you'll say this is all wrong, I didn't do anything, they haven't proven anything but I'm in prison like someone in medieval times... In the days before people fought to gain rights and protections from this kind of thing....
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    FYI. The person involved was no ordinary citizen; he was a police officer. As such, he was well versed in the law in the jurisdiction where he resided.

    U.S. judges and the courts they preside over hold law enforcement to a higher legal standard than ordinary citizens. Hence the judge's sentence to unlimited confinement for contempt of court for failing to comply with his order to unencrypt the drive.

    I also believe the Supreme Court will not hear this case for the above reasons.
     
  23. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I know he was a police officer but the point people do not seem to understand is a shocking case like that, a police officer pedophile, is the perfect one for authoritarians who wish to ban encryption to have the higher courts make a judgement on.
    The courts will be under immense pressure to give them the judgement they want because it is a pedophile case and when they make a judgement it will apply to everyone who uses encryption, not just him.
    In other words, if the higher courts uphold the contempt of court judgement and if you use encryption and are ever arrested for any reason... (In case anyone doesn't know, when you are arrested and charged, the cops have automatic right to search your home and property) and if they find a device with encryption, you better know, if you don't give it up, you are going to prison.
    Indefinitely.
    You think anyone will care that you forgot the password?
    You think anyone will care if your password doesn't work cause it is an old corrupted volume you haven't used in years?
    You think anyone will care if you never even knew the password because it was generated in a password manager that got deleted?
    Or what if a bent cop or anyone else for that matter, plants an encrypted thumbdrive on you?
     
    Last edited: Sep 3, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    The U.K. can also compel you to give up your encryption password. They however have put a limit on how long you can be imprisoned for not doing so. I suspect this current case if reviewed by the higher court will resolve that point:
    https://www.lawontheweb.co.uk/personal/encryption-law
     
  25. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes but America has a constitution and I have enough intelligence and enough of an education to be able to read and understand it and I don't need a supreme court or any other court to tell me what the 5th amendment means when it says,
    NO ONE SHALL BE COMPELLED IN ANY CRIMINAL CASE TO BE A WITNESS AGAINST HIMSELF.
    Those who have no respect for the constitution of the United States of America and who are therefore a disgrace to the flag and to the office they hold will try to deliberately misconstrue the meaning of those words and try to twist it to serve their own agenda just like they always have done while knowing full well what it means is,
    NO ONE SHALL BE FORCED TO PROVIDE EVIDENCE AGAINST THEMSELVES IN A CRIMINAL TRIAL.
    There is no room for debate on that, it is quite clear and anyone who says that is not what it means is either a fool or a liar.

    Witness
    : One who gives evidence
    : One who has knowledge of something
    : Something serving as evidence or proof
     
    Last edited: Sep 3, 2017