Discussion in 'privacy general' started by lotuseclat79, Jun 26, 2014.
Massachusetts high court orders suspect to decrypt his computers.
Man I hate this decision. I have been watching this case for about a year now. I was hoping for a "match" to the 11th circuit ruling on this. This subject is almost certainly bound for the Supreme Court sometime soon.
What an idiot, he almost deserves it for being dumb enough to say ANYTHING to them .
Indeed. And he's an attorney
Edit: So which outcome is worse, fraud conviction or contempt of court?
Was he using Truecrypt?
The article says his four computer were encrypted with "DriveCrypt Plus".
That's interesting. So evidently they can't crack Drivecrypt Plus. Good to know.
it means more that the one that could , don't bother do it for such low interest case
Well crap. There's another example.
We were talking about this before:
As you'll see there, some people didn't think this was possible, but obviously it is.
I'll reiterate it here, too: This is why plausible deniability is so important. The way these courts are swinging around this "foregone conclusion" BS, you really aren't even safe admitting the computers are yours or even that they are encrypted. Best case scenario, they can't prove the machines are yours. That's largely how the John Doe in the 11th Circuit TrueCrypt case escaped even being charged (which is why we don't even know his name...nice bonus there.)
It's important that you do not admit to anything, especially not that the computers are yours or that you can decrypt them. As the dissenters of the decision point out in this case as well as the Fricosu case: of course the cops don't know what they'll find. That's the whole reason they need these drives decrypted. If it was all a "foregone conclusion," the computers wouldn't matter. That's why these rulings are total bullocks. They're fishing, just hoping that something incriminating will be there so they can use it for a conviction.
Someone also brought up on a Bruce Schneier blog post that this is also why you don't want to be using a "Quick Format" option when setting up encryption on a new drive.
From the Doe decision:
From the Truecrypt documentation:
That very well could be. They might want to save that for extremely serious cases of national security.
in those cases Dban is your friend
Interestingly, there appears to be some disagreement among the lower courts over the application of the foregone conclusion exception.
The Ninth, Eleventh and D. C. Circuit have adopted the reasonable particularity requirement setting the bar for government compelled production very high -- the government must point to the existence, location and custody of particular of records -- while the Massachusetts Supreme Court holds that proving custody and control on a very high level of generality is sufficient.
I hope that the defendant petition for cert in the U. S. Supreme Court, because there's obvious confusion about the application of the Fifth Amendment to encryption and how much evidence the government must provide to compel production.
I have read the MA ruling and I find it disturbing that the majority opinion sets the threshold so low that a casual admission -- Yes, the computer is mine, and No, I wont help is sufficient to satisfy the foregone conclusion.
By this standardd, any ordinary citizen admitting ownership and sole custody of a computer can be compelled to grant government access.
On the other hand, there may be a silverlining.
The MA court misapplied the foregone conclusion, but it at least recognized the testimonial implication of being able to decrypt.
If you are careful you never talk to the police, never tell them anything about your setup (remember that lying to the police is a crime) and expressly invoke the Fifth Amendment and terminate the conversation, and if you are in custody immediately ask for a lawyer.
The Supreme Court has held that in order to plead the Fifth Amendment, you must expressly invoke the right, and that mere silence may be used against you at trial, remember Salinas v. Texas.
Interaction with the government in such cases is a minefield and even an honest citizen is stupid for talking to cops.
Paradoxically, Orwellian rulings like this will be of little consequence to calculating criminals with a lot to loose.
These references are food for thought.'
David Colarusso, "Heads in the Cloud, A Coming Storm the Interplay of Cloud Computing, Encryption, and the Fifth Amendment’s Protection Against Self-Incrimination"
J. Adam Engel , "Rethinking the Application of the Fifth Amendment to Passwords and Encryption in the Age of Cloud Computing"
Caren Myers Morrison, "Passwords, Profiles, and the Privilege Against Self-Incrimination: Facebook and the Fifth Amendment"
If you store everything you want to hide in anonymously created online datadumps with long data retention i.e UseNet subscriptions bought with prepaid cards, steganographically modified pictures uploaded to popular imagehosts, or anonymously created cloud accounts overseas (file host accounts maintained through Tor+vpn), you can still claim the Fifth Amendment as long as the government can't prove the data exist without your testimony.
Another angle deserving of more attention is a scenario wherein multiple parties can either admit or deny control and custody of individual data containers.
What I am thinking of is a computer with joint access, a collaborative cloud account, a shared dump directory on a remotely accessible overseas server or any other platform capable of storing data forr multiple parties.
If multiple parties can upload files to a dump directory with individual passwords, ownership and custody of an individual fileset is not a foregone conclusion unless a particular individual confesses.
If the server doesn't keep logs, and there is no legal requirement to do so, correlating all transactions by backwards forensic work is virtually impossible.
The foregone conclusion rests on what the government can establish about the chain of custody, and if there is 1000+ file containers, 20 users with joint access but no way to prove which user has the password everyone can claim the privilege.
The government only won in the Gelvgat, Boucher and Fricosu cases because the suspect talked too much and didn't employ any plausible deniability strategy.
Invoking the the privilege against self incrimination requires more than refusing to talk.
In order to successfully claim the privilege in an encryption case, you must already have thought through how to limit the government's ability to gather evidence about your setup.
This is only a preliminary checklist, and I hope others will add suggestions:
- Never tell any government official that you are using encryption and don't divulge any details about your setup.
- Never tell anything about your encryption setup to a friend, family or stranger since all of them may be called as witnessess.
- Operate two or more encrypted partitions on external media.
Partition 1 is the official one which is a plausible reason for having encryption software installed.
You can have it on your laptop when crossing the border and show it to custom officials.
Partition 2 is the black box with all the stuff you wont admit exists.
To obfuscate the chain of custody, only access partition two from a live cd with Truecrypt from a computer without any internal harddisk.
If the government can't prove that the usb harddisk with serial number xxx has ever been mounted on your innocent Windows laptop, you might benefit from the 11th circuit's ruling in the Doe case.
Even under the less stringent foregone conclusion rule adopted by the MA Supreme Court, you might still successfully invoke the privilege provided that partition 2 is not known to the government.
I don't see the logic; he has attempted to plead the Fifth, and he may yet be completely innocent.
The Fifth Amendment issue has nothing to do with innocence.
He is the defendant in a white collar crime case, and innocent or not he may well have good reasons for not wanting to help the prosecution.
Others cases http://scienceblogs.de/klausis-kryp...ion-baffles-the-police-a-collection-of-cases/
Law in different countries http://en.wikipedia.org/wiki/Key_disclosure_law
Big dilemma, as any privacy technology and law can be subverted and used for all kinds of crimes.
And as a focused security board, i guess that posting here requires sense of ethics, and in this case, posting some advices that might help criminals to hide their activities is quite paradoxical...
There's off course ways to build an anti-forensic laptop or cloud storage where no evidence can be find and used, but on the other hand, on the ground investigations and evidences might be enough for the public prosecutor.
This thread is not about helping criminals but about helping people not to be compelled to incriminate themselves.
Compelled self incrimination is wrong, and any technical method to preserve this right is good for security and privacy.
I have been a lawyer for more years than I am willing to admit, but it's over 30 years and 10 of those years were in Boston arguing cases before the Mass Courts.. That opinion is one the biggest bunch of result oriented, pre-ordained obscurification and bs I have read (which is not atypical of the Mass. Supreme Court). I have read it over twice and its reasoning remains a mystery to me. At this point while many organizations and news sources have commented on it's result and conclusion, I doubt any of them yet understand the underlying reasoning -- Actually I'm not sure there is any. A reading of the dissenting opinions confirms this, they seem just as confused about the court's reasoning as I am.
Seems apparent to me that there is a difference between a blood sample and a computer containing the defendant's written who knows what that could be used as written testimony against the defendant. How would that be any different than a written confession by the defendant??
The Court states that the police have evidence that the defendant committed 2 crimes so they know what's on the PC. What if it contains evidence of more than those two alleged crimes? This is not a case of national security nor does the fate of the Nation turn on it. It's about mortgage fraud.
But no worries, the National Defense Authorization Act already in effect has obliterated the fifth amendment as well as the 4th and 6th as well as the Posse Comitatus act
Ironic coming from the state where the revolution began, which resulted in the Constitution and Bill of Rights which were adopted to prevent the very kind of action the Mass Sup Court approved today.
Anyone is a criminal somewhere.
I can't really understand how a court can order that. What about if the password was so complicated that the suspect forgot it? It is plausible, and no court can force a biological process to happen since it is beyond the control of the suspect.
See my post above and the link to the discussion from the other thread. Again, people don't think this is possible, but these court cases have already happened. Obviously it is possible. If you look through that other discussion you can see how confused S.B. was, asserting that you cannot be compelled to reveal a password and have decrypted evidence then used against you.
That's exactly what happened in the Boucher case, the Fricosu case and evidently this one as well.
As I keep going back to, and as justpeace reiterated, the main thing is not divulging information. In this particular case, allegedly the guy twice admitted he could decrypt the computers. With these past court rulings that's basically asking for a compelled order.
But it was suggested in the Fricosu case that she might not remember the password, and they were basically going to have to deal with that if it came down to it.
Unfortunately it didn't, as her husband gave them passwords and they ended up decrypting without her.
Again, you need to maintain plausible deniability. Do not ever admit the machines are yours, and certainly do not assert that they are encrypted, let alone that you can decrypt them.
The actual "plausible deniability" feature of TrueCrypt is a last resort, if you actually do end up being compelled. But it should not come to that.
Not divulging information is important, but equally important is knowing how to interact with law enforcement.
Section 1001 of Title 18 provides:
""Whoever, in any matter within the jurisdiction of any department or agency of the United States knowingly and willfully falsifies, conceals or covers up
by any trick, scheme, or device a material fact, or makes any false, fictitious or fraudulent statements or representations, or makes or uses any false
writing or document knowing the same to contain any false, fictitious or fraudulent statement or entry, shall be fined not more than $10,000 or imprisoned not more than five years, or both."
If the government can't prove beyond a reasonable doubt you did a crime for which you are investigated, it may still get you for making a false statement even after the statute of limitation has run out.
If you are asked about your setup -- software, number of computers, and which online accounts you have ever used -- the safest response is not answering.
Apart from the possibility that talking to the government divulges information depriving you of Fifth Amendment protection, you'll also risk further charges under § 1001 or equivalent state obstruction of justice statutes if what you tell the agent is false.
Courts have held that even an exculpatory no constitutes a criminal violation of § 1001.
For a computer user answering in either way is a terrible dilemma.
For example, If an agent asks -- Do you use Truecrypt on your computer?
Answering no, where the truth is yes may bring charges under § 1001.
But answering yes will make it easier for the government to prove the chain of custody from your own confession.
So even a simple yes or no is risky.
The only prudent response to any question is expressly pleading the Fifth and tell the agent that they will hear from your lawyer.
Interestingly, both Ramona Fricosu and her husband had the password to the computer.
In other words, the computer was shared.
Her husband probably got a plea bargain or immunity for divulging the passwowrd, but in other shared resource scenarios -- multiaccount computers, networks with a lot of users and cloud accounts with joint access, it's easy to imagine that there will be a lot of file containers, a lot of users and no one having any master password or decryption key to exchange for a plea bargain.
Future plausible deniability systems should route around the problem by making it hard to prove any chain of custody.
Agreed, and a combination of shared/online/cloud storage adds to plausible deniability.
I found some interesting cases from the UK about the application of Regulation of Investigatory Powers Act 2000 Part III Investigation of electronic data protected by encryptionS.49.
During search of defendant's home, officers found a USB stick and external memory drive which were both encrypted with a password.
The defendant Syed Hussain refused to hand over the passwords and claimed the hardware was not working. The devices were sent away to NTAC (National Technical Assistance Centre)
and both passwords were revealed to be the same phrase from the Koran.
Defendant claimed it was not working.
- Obvious passwords.
- Same password for both usb storage devices.
- Likely a ton of forensic traces in defendant's computer.
- The employed encryption solution was not in doubt.
An animal rights activist was ordered to hand over her encryption keys to the authorities.
Her computer was seized by police.
The woman, who claimed to have not used encryption, related her experiences in an anonymous
"Now apparently they have found some encrypted files on my computer (which was stolen by police thugs in May this year) which they think they have 'reasonable
suspicion' to pry into using the excuse of 'preventing or detecting a crime'," she writes.
"Now I have been 'invited' (how nice, will there be tea and biccies?) to reveal my keys to the police so they can look at these files. If I do not comply
and tell them to keep their great big hooters out of my private affairs I could be charged under RIPA."
The woman claimed that any encrypted data put on the PC must have been put there by somebody else.
"Funny thing is PGP and I never got on together I confess that I am far too dense for such a complex (well to me anyway) programme. Therefore in a so-called democracy I am being threatened with prison simply because I cannot access encrypted files on my computer."
- The employed encryption solution was not in doubt.
Both cases concern a similar factual pattern:
(1 Persons whose computers have already been seized by the police incident to another separate investigation; (2) the person stored the encrypted data at home; (3) the person had not planned for the eventuality but only pled ignorance or forgetfulness as defense.
However, if the suspects had employed Truecrypt hidden volumes; used multiuser computer systems; or stored everything sensitive in a remote location, seizure of their equipment would not have helped the government.
One additional reason for never divulging any information to law enforcement about one's setup, is that admitting to possession and the ability to unlock a password protected resource may indirectly authenticate forensic evidence discovered incident to a search.
This is a problem for a defendant where the possession of data itself is a crime, and the data is found in the unlocked or decrypted resource.
If you confess that you have the password to the computer, and the forensic investigation turns up incriminating files or circumstantial evidence in the browser cache, the prosecution can use said evidence to either establish you are in knowing possession of contraband or use the circumstantial evidence to impeach your testimony.
If you deny ever having visited site xxx.com but the browser cache found on the unlocked operating system turns up frequent entries to the site, your credibility is damaged by the forensic evidence indirectly authenticated by your own testimony.
Of course, the government can still retrieve your browser history from your ISP, provided that such records exists, but retaining such history on your own computer makes everything cheaper for the government. and it deprives you of the wireless access by a stranger defense.
On the other hand, if the government only has an IP address, but you plead the Fifth, and the only evidence turning up is a fully encrypted computer with no forensic evidence, everything is a black box, and you can likely still invoke the privilege against self incrimination, because the existence, custody and authenticity of evidence is not yet a foregone conclusion.
The Doe in the 11th circuit case could invoke the privilege, because the government knew very little, but Boucher, Fricosu, and Gelvgat failed because their equipment had already been seized by the government.
On Fricosu's computer there was even a username likely pointing at the defendant herself.
Unless it's a Federal Agent who asks the question with probable cause. Submitting false information to the Federal Government about anything is a crime punishable by up to 5 yeara in prison plus a fine
"18 U.S.C. § 1001(a), which states:
(a) Except as otherwise provided in this section, whoever, in any matter within the jurisdiction of the executive, legislative, or judicial branch of the Government of the United States, knowingly and willfully—
(1) falsifies, conceals, or covers up by any trick, scheme, or device[ , ] a material fact;
(2) makes any materially false, fictitious, or fraudulent statement or representation; or
(3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry
shall be fined under this title, imprisoned not more than 5 years or, …"
More plausible deniability strategies for fun and profit:
(1) Create two or more user accounts on the computer hosting the outer encrypted volume so you have something like:
Be sure to set the computer's clock at different date and time when creating each user.
(2) Don't place any really sensitive encrypted containers in the directory associated with your own account but rather spread the containers in different user account directories and give them random timestamps, open and access time (timestomp for Windows).
(3) To lead any forensic investigation on a bad trail, create multiple dummy Truecrypt containers with unguessable passwords 64 random characters.
(4) Think of probable nonincriminating naming conventions for each container and remember modifying creation, open and access time with Timestomp.
Remember to wipe Timestomp and other traces of antiforensic software from your computer.
(5) Increase the fun, and create a lot of dummy random headerless files and place these in unusual locations.
Any adversary who doesn't know which crypto system generated each file must expend considerable resources on analyzing or bruteforcing each file.
Some of these can be placed in the other non-admin user account directories, in temporary file directories or uploaded to different cloud storage services.
In some jurisdictions, creating a false forensic trail may be obstruction of justice, but if you don't admit having done it, and you flatly refuse to divulge any information about other users on your system, proving it will be very difficult.
Yes, as I also pointed out providing false information to an agent of the federal government is a crime, and the FBI loves this statute because it allows them to set up perjury traps for the otherwise innocent.
But 1001 does not require any suspect to divulge any information to the federal government.
You can and should refuse to talk and avoid going to jail for violation of 1001.
Federal agents can't force a suspect to provide incriminating testimony but they can legally set one up for perjury.
Ken White over at Popehat.com suggests that given the federal government's propensity to prosecute under 1001, it's best to lawyer up.
Sorry justpeace. I missed that part of your post. I'm not thinking too clearly ATM. I am still in a state of outrage at today's outrageous Facebook revelation and think it best I refrain from posting anything more today.
Separate names with a comma.