Schneier on Security
A blog covering security and security technology.
June 9, 2005
More on "Encryption As Evidence of Criminal Intent"
I recently wrote about a Minnesota Appeals Court ruling that the presence of encryption software on a computer may be viewed as evidence of criminal intent. Jennifer Granick of the Stanford Law School's Center for Internet and Society has some intelligent comments on the ruling.
Posted on June 9, 2005 at 7:57 AM
• 52 Comments
The comment that using encryption software is a sign of criminal intent is a little hasty. PGP has another capability that I think was ignored in comments but probably presented at trial. PGP has the ability to wipe files using DoD standards or better. This could mean that not only could he have been encrypting the pictures to send them elsewhere, but he could also have been wiping them from his hard drive using PGP's file wipe feature.
If I read it correctly (see quotes below),
1, no evidence of the photos found
2, no evidence that they ever existed on the computer
3, There was no physical evidence to support a conviction
4, Knowing how to use a PC and browser added veracity to the girl's statements.
5, Having PGP installed proved usage although no evidence of usage was found/presented(2).
Can somebody give me a sanity check on this, but if the points above are true, then,
"Having PGP installed although there is no proof of use was sufficient to corroborate the statement of a young girl although no other real evidence was found and thereby gain a conviction"
What is the difference between this and Bruce's title,
"Encryption As Evidence of Criminal Intent"
Other than the second statement is less serious (ie intent versus proof for conviction)
Just to add further fuel to the fire,
If the man had sufficient expertise as to remove all evidence of the photos and encrypted files, then how come he did not remove PGP or his browser history?
I am sadly unconvinced by the whole thing and think (to misquote Shakespeare)
"Something is rotten in the state of Minnesota"
Quotes taken from the article to support above points,
"This is because no photos were found on the defendant's computer."
"Police did not find encrypted files on the defendant's machine, or evidence that the illegal pictures were encrypted or erased."
"The trial court stated on the record that the physical evidence presented was not sufficient to support a conviction"
"victim's testimony that defendant took lewd photos of her with a digital camera as the most important evidence, and then said that the defendant's computer knowledge and skills corroborated her testimony."
"The judge then looked to additional evidence, including, most importantly, the testimony of the victim, evidence "that an encrypting capability was employed by the Defendant”"
Where was the Computer Expert for the defendant? This should have been easily explained away.
Thusly, by locking the door on my home/car/etc is an admission of criminal intent?
Ms. Granick mentioned an important point, but did not expand on it:
"Police did not find encrypted files on the defendant's machine, or evidence that the illegal pictures were encrypted or erased."
How accurate is this finding? What sort of forensic techniques were employed to arrive at the determination that no files were erased?
I agree that the existence of PGP on the defendant's machine ideally should not be considered evidence of wrongdoing in and of itself. However, we have to separate our idealism from the reality of the world we live in. Unfortunately that reality is that there are essentially only three kinds of people that use this kind of encryption technology at home: government agents, security professionals, and criminals. Until your mother starts encrypting her emails, I see no reason to be concerned about admitting the existence of PGP as evidence against the defendant.
A very important distinction must be made here that I believe is being blurred by our initial visceral reactions. The use of encryption technologies was not the reason this defendant was brought up on charges. The defendant was indicted for child pornography. While I am not intimately familiar with the details of the case, it does seem appropriate for the judge to make a ruling that includes PGP as 'evidence.'
To make an analogy: nobody is going to arrest you for buying breadboards, antennae, and a soldering iron at Radio Shack. However, if you get arrested for monitoring cellular phone calls your purchases suddenly become very relevant.
I am not a lawyer, nor should this be construed as legal advice.
Or, as was heard around my office in response to this news, "Yeah, and since I own a gun, it must mean I killed somebody."
"Unfortunately that reality is that there are essentially only three kinds of people that use this kind of encryption technology at home: government agents, security professionals, and criminals. "
hrm...sounds like profiling to me...
"Until your mother starts encrypting her emails, I see no reason to be concerned about admitting the existence of PGP as evidence against the defendant."
You sir are a maroon.....
Something that surprises me is the fact that PGP was found, although no encrypted files were found, which could mean that either all encrypted files have been erased, or that this copy of PGP has only been used to wipe files. In that case, not finding any encrypted files could be thought as incriminating.
On the other hand, PGP can be used on a home device only to encrypt/decrypt/wipe the files that somebody brings to/from work, for obvious confidentiality reasons.
Finally, if I had incriminating files (encrypted or not), I would not store them on my PC's hard drive, as there are many efficient and small (easy to hide) devices that can hold gigabytes of data.
In that case, there is one question I would like to ask the defendant, which is "What are you using PGP for?". I assume that the answer to that question cannot be in a judgement, which puts this entire debate in a loop.
I posted this in the May 26th log, but it might help answer your questions:
[retired police officer who authored the EnCase Report, Brooke Schaub] "testified that he found an encryption program, PGP, on appellant’s computer; PGP 'can basically encrypt any file;' and, 'other than the National Security Agency,' he was not aware of anyone who could break such an encryption. But Schaub also admitted that the PGP program may be included on every Macintosh computer that comes out today..."
but the claim against relevance was based on the fact that
"there was no evidence that there was anything encrypted on the computer"
Very interesting. It's hard to tell from here, but it looks like files could have been encrypted and then sent via the Internet. Deleting a file in PGP usually performs a 3-pass secure wipe by default, so perhaps there is something relevant after all...
On the other hand it's hard to say why Schaub said PGP comes standard with every Macintosh. My guess is that was a reference to FileVault, which is actually AES-128. That mistake makes it somewhat obvious that Schaub is unfamiliar with encryption, and probably was not able to go beyond the basic functionality of EnCase.
And this points back to an important issue with "forensics experts" that sometimes end up getting stuck with the technical work. Can anyone really validate their expertise and skills before they are tasked with discovery, let alone asked to appear or defend a report in court? Does the average EnCase user know anything about encryption, or are they trained to treat it as evidence of criminal intent (or at least intent to evade EnCase)?
Second, the report implies a plausible connection between pictures, Internet use, and encryption:
"The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him."
So I have to admit it seems entirely possible that the state's case had something to do with the fact that pictures might be encrypted with PGP and then distributed. The intent of PGP encrypting illegal images is fairly clear, but the lack of encrypted data is odd. This suggests the investigation could be less about the data on the suspect's system (especially since PGP does a default 3-pass secure wipe) and more about how the private/public keys were handled relative to any online communication. After all, you can't post/email PGP encrypted information without a key exchange of some sort, so did anyone look into the keyring(s)?
The problem with JL's reasoning is that he's defining "essentially" in such a way that he means there are primarily only three groups, and he's right: the quantity of people who use technology like PGP at home who don't fall into those three categories is likely small.
The problem with extending that argument out and using it against someone at trial is twofold. One, possessing an app like PGP doesn't mean one USES it. Two, even if that quantity of legit users who don't fall into the above 3 categories is only .01% of the population that's still sizeable.
I'd hazard a guess that 75% of the people who have downloaded and installed any of the free PGP iterations over the years used it less than 10 times. People are interested in codes - it's why all those puzzle and spy books sell like hotcakes to kids. Some of us are still big kids and like to play with our secret decoder rings.
As a percentage game, the U.S. population is almost 300M and 80% of those people are over 15. 0.1% of 80% of the US pop is 236,587 and almost none of those people are in JL's magic 3 groups. But it's not beyond the realm of possibility that some number of those people might find themselves being harassed by a government agency or targeted by a lawsuit and have a specific need for technology like PGP.
If MLK had had access to PGP when he was being harassed by the FBI for being a rabble rouser over all those pesky freedom things and used it to encrypt schedules, would we say that his use of encryption was prima facie evidence that the attention and charges were true? At least for whistle-blowers and people being harassed it would be a self-fulfilling situation were we to allow simple use of privacy technology to be evidence of wrongdoing.
James Landis writes: "However, if you get arrested for monitoring cellular phone calls your [Radio Shack] purchases suddenly become very relevant."
Only after it has been determined I used the hardware for the illegal act, and even then it is only supportive evidence. On its own, the purchase of the electronic hardware means nothing.
Indicted is not convicted in this country (yet). Conviction on circumstantial evidence is not a path we want to be on if we are to retain our liberties.
Oh yes, my mother dare not start protecting her e-mails from prying eyes. To do so would be to demonstrate criminal intent (apparently). Maybe those security professionals had better start watching their backs...
Just exactly how would we stop admitting PGP as 'evidence' after we start admitting it?
Has anyone checked whether the version of PGP installed was even capable of doing file encryption? Just idle wonder, but I recall that the freeware versions from PGP, Inc., were only capable of encrypting e-mail.
And if the defendant was using an NTFS partition, what about metadata, which frequently leaves record of files thought deleted? Perhaps there was some evidence of this in those locations. Even many people familiar enough with computers to know about DoD-strength wipes are not familiar with metadata, and links from this may have provided significant information linking PGP use to digital photos of the girl. For example, they could have used times mentioned by the girl to corroborate a sequence of photos, information about which may have remained in metadata. Information about PGP-linked files, such as signatures, may also have remained, and been the link used at trial.
Unless and until the trial's records are pulled, we can't be sure of exactly how the link was made.
James Landis writes: "Unfortunately that reality is that there are essentially only three kinds of people that use this kind of encryption technology at home: government agents, security professionals, and criminals."
Reality check: I'm none of the above, and I encrypt much of my home computer data (it's on a laptop) -- several partitions, even swap space. The reason is very mundane: with so many laptops getting stolen, I'm just not comfortable with my personal data (credit card transactions, emails, financial records) floating around and accessible to whoever turns the damn thing on.
I also run a TOR router, understanding that many people (in this country and elsewhere) who are *not* criminals have perfectly legitimate reasons to have their internet use encrypted and untraceable.
(But -- oops -- I'm not a government agent nor a security professional. Quick, better haul me off to jail before somebody gets hurt!)
The PGP, Inc. freeware versions 8.0 and 9.0 both support file encryption, if I recall correctly, and may have done so in even earlier versions.
"Why research the law or have encryption software if you aren't doing anything wrong?"
And I have an entire partition on my notebook (where all my data resides) that is encrypted. What does that say about me?
"... and then said that the defendant's computer knowledge and skills corroborated her testimony."
Someone said I did it, I know how to do it, therefore I must have done it. It's a fair cop :-)
I notice that I received quite a few responses, but I certainly did not intend my comment to be a troll.
I want to clarify that I think there is a difference between entering a piece of information as evidence and classifying that piece of evidence as proof of guilt. As with any other evidence, a piece of information can have varying degrees of implication depending on all of the other evidence compiled against a defendant.
Let's take Josh Stone's example: "Yeah, and since I own a gun, it must mean I killed somebody."
Suppose Josh Stone was indicted for murder. Obviously, if the victim was strangled to death, it is irrelevant that he owns a gun. If the victim was shot, it suddenly becomes more relevant, but we still need to know a lot more before we can decide that the ownership of this gun implicates him in any way (caliber, riflings, powder residue, etc.).
Similarly, encryption is clearly a requirement for transmission or storage of child pornography (discounting stupid criminals). Thus, it is an important piece of evidence in a child pornography case. Much like the gun scenario, we still need to know a lot more about the possession of encryption tools (and as a side benefit - secure erasing tools) of a defendant. Was evidence of encrypted data found? Was evidence of erased data found? Does the defendant have a legitimate reason for using encryption?
Maybe I can describe my position here a little more concisely: I believe that evidence that has relevance to a case should be admittable. I believe that encryption tools have relevance in a child pornography case.
@Davi Oppenheimer: Thank you for the additional details provided by the case officer. I think it is clear that because the defendant was using a digital camera according to testimony that it is likely at some point the pictures made it onto his machine. I suspect that it is likely that the defendant could have erased (using the secure erasing features of PGP) the evidence and escaped detection. While erasing algorithms try to ensure that it is virtually impossible to reconstruct the contents of the original file, very few do this in such a way that it can't be detected that an erasing has taken place. However, this detection is quite difficult and could easily be overlooked.
@Don: I suppose one could say that all cases are decided based on circumstantial evidence. Because we can never be absolutely sure, we gauge our certainty of a defendant's guilt on the volume and consistency of whatever information we have available about the circumstances of an alleged crime. The use of PGP alone has never to my knowledge led to a conviction. In this case, I suspect the testimony of the young girl was far more heavily weighted. I totally agree that the use of PGP should not be admitted in every criminal case and that that would be a very dangerous precedent. However, until it becomes unnecessary for child pornographers to use encryption tools, I don't see the danger in admitting this type of evidence in child pornography cases.
I am not a lawyer, nor should this be construed as legal advice.
Sorry, Don, your name was just above the AC's comment and it seems I responded to him with your name attached. My apologies.
I think Jennifer's initial suggestion is that the judge did not find sufficient physical evidence for a conviction, yet the physical evidence coupled with the "encryption capability" of the Defendant was considered sufficient for conviction.
She goes on to quote the Judge, who says there was evidence that "occasions indicate that there was advance notice of that so called surprising and thorough search warrant" executed at appellant’s home. And she muses "I'm not sure to what this last finding refers, but I think the court may mean that the defendant's searching of the penal code prohibition against child pornography and perhaps other evidence shows he expected police intervention."
If this is a correct interpretation, then we all know that PGP secure wipe capabilities are relevant as evidence. Perhaps the only thing more relevant in terms of software would be if the Defendant had installed "Evidence Eliminator".
Above all, however, I think the issue goes far beyond Jennifer's concluding warning of "how [this decision] could be used by courts looking at this issue in the future. This is why its important for appellate courts to be more explicit about exactly what they are ruling."
I am equally concerned about the validity of digital forensics expertise on this and other cases. It can be shocking when you realize who in law enforcement is assigned to digital forensics work. Again, without knowing anything about retired Brooke Schaub, the published testimony indicates a mistake (regarding PGP on Macintosh) or worse (general unfamiliarity with encryption and PGP) that makes me wonder about the strength of the "expert testimony". There are rare exceptions, but I would wager that many law enforcement groups use an antiquated pecking order that gives the computer investigation work to senior officers even when there are junior more qualified (computer/technology-savvy) officers available. So either the judges need to come up to speed quickly on the intricacies of digital forensics, or a better pool of experts is needed to dispense something closer to justice.
I have gpg installed on my home computer and I'm not a government agent, security professional, or criminal. Just someone who knows that email is about as secure as a postcard if you don't encrypt it. Granted, none of my friends use it so I rarely if ever send out encrypted email myself, but my public key is still out there in case anyone else ever wants to send encrypted email to me someday.
"But Schaub also admitted that the PGP program may be included on every Macintosh computer that comes out today..."
Read that statement again.
Note that he did not testify that every Mac comes with PGP. He ADMITTED (answered a question in the affirmative) that it MAY. Macs constitute about 2% market share, and I am guessing this guy wasn't admitted before the court as an expert in cryptography AND Macintosh computers. The defense attorney put out an irrelevant question this guy couldn't answer, and he said it was possible, instead of admitting he didn't know something he shouldn't be expected to know.
All this goes to the larger point, made by some the last time this subject appeared here; the court did not rule encryption software was proof of criminal intent. They ruled that the lower court was correct in allowing the jury to hear a particular piece of information about the presence of PGP on this guy's computer. The jury heard that evidence, among many other things, and made their decision.
While the two points may seem to be almost the same, there is a huge difference in a legal sense. To have a bunch of computer people arguing legal subtleties makes about as much sense as having attorneys discussing the intricacies of encryption software.
This is even more amazing. So, it would seem that they didn't actually find any evidence of a crime (photos) on the computer.
Let's see... person accused of committing a crime... can't find any evidence... but there must be evidence or person wouldn't have been accused... therefore person must have somehow destroyed the evidence that can't be found... person has "tools" that could be used to destroy evidence... guilty!
Wow, with this line of reasoning, anyone can be found guilty of anything.
This is especially distressful when one considers that just about every computer running Microsoft Windows OS or IE has "encryption" software available (via the Microsoft CryptoAPI).
So, if someone is accused of a crime where there is presumed to be evidence in electronic form, and that electronic evidence can't be found on the accused person's computer, then it will be automatically assumed that that person must have used "encryption" (either that built into the OS, or as part of a separate program) to somehow destroy the missing electronic evidence.
Interesting, if this gets widespread attention, PGP, Inc must be wondering who is ever going to buy their products. Buying encryption software could itself be considered criminal. Yikes, what's next, register the sale and purchase of all encryption software. I thought we were out of those "dark ages".
Even worse would be extrapolating this to businesses, many of which use encryption products. Many companies have policies which require laptops to use disk encryption. Missing electronic evidence, company has "encryption" software, they must be guilty of destroying the missing evidence.
The most stupid thing that could ever happen would be that some obvious crook would get off the hook because of some nitpicking about wording on his ruling. Granick's last sentence about summarizes the whole issue: "This is why its important for appellate courts to be more explicit about exactly what they are ruling." which is exactly what the debate should be about and not some current buzzword that seems to be PGP here.
"this guy wasn't admitted before the court as an expert in cryptography AND Macintosh computers"
No? Do you think it was perhaps because those things were considered irrelevant?
Just to be clear, given your above statement could you explain again why the court should consider encryption testimony from a non-expert as relevant to the conviction, let alone admissible?
"The most stupid thing that could ever happen would be that some obvious crook would get off the hook because of some nitpicking about wording on his ruling."
No. Much worse would be for an innocent person to be convicted and punished because his defence was waved away as "nitpicking".
"with this line of reasoning, anyone can be found guilty of anything"
Precisely. PGP was found installed, but no plausible link seems to have been made and the little information I have been able to dig up points to clearly faulty reasoning/information by the digital forensics expert on the stand.
"The most stupid thing that could ever happen would be that some obvious crook would get off the hook because of some nitpicking about wording on his ruling."
Nice. That's a fine interpretation of how to turn back the clock on justice a few hundred years. Very Monty Pythonesque..."She's a witch! Look at her nose."
"No. Much worse would be for an innocent person to be convicted and punished because his defence was waved away as 'nitpicking.'"
I agree 100%.
Here's how a criminal procedure works:
1. Reasonable suspicion a crime has been committed - A comparatively small amount of evidence is considered to determine if a crime has in fact taken place. Statements from witnesses or other kinds of evidence are considered sufficient for this.
2. Evidence gathering - This stage typically requires search warrants and witness questioning. Search warrants require an affidavit, and that affidavit must be specific in three ways: what will be searched, what is expected to be seized, and where the search will take place.
3. Probable cause and arrest - Probable cause is supported by the evidence gathered and must be substantiated in court. If probable cause cannot be supported in court, the arrest is void.
4. Charges, arraignment, plea, trial (if plea is not guilty)
5. Conviction - The standard for a conviction is 'beyond a reasonable doubt', meaning that there must be sufficient substantiated evidence to show a less than 1% likelihood that someone else committed the crime.
Now the presence of PGP on the computer alone is not grounds for even Reasonable Suspicion, as that is not enough to show a crime has been committed. The statement of the girl provided the reasonable suspicion.
The probable cause was gained when the computer was seized, among other things. The presence of PGP on the computer with its secure deletion capability can be seen as reason to believe evidence was destroyed if no other incriminating files can be found.
But bear in mind that they could not even get the computer without a warrant, which requires an affidavit from an officer, and that affidavit must explain not only that the computer is to be seized but also why. No warrant, no computer.
The fact that the girl stated that the pictures were taken with a digital camera shows that files did exist at one point in time. No files could be found on the computer, but PGP was found, and PGP has the ability to securely delete files. Hmm... sounds like probable cause to me.
Evidence that is presented to support probable cause is relevant to try to gain a conviction.
@Dav wrote 'I think Jennifer's initial suggestion is that the judge did not find sufficient physical evidence for a conviction, yet the physical evidence coupled with the "encryption capability" of the Defendant was considered sufficient for conviction.'
That's not what happened. The judge found that the PGP software was relevant because it slightly backed up the alleged victim's _testimonial_ evidence. And under the rules of evidence of Minnesota, the judge also found that the chance of the PGP software evidence prejudicing the jury was not substantial enough to outweigh the slight value. The judge simply left it up to the defense attorneys to present facts that challenge the value of the evidence, and up to the jury (I'm presuming this was a jury trial, though I don't know that for sure) to weigh the prosecution's evidence against whatever mitigating facts the defense presented. The jury weighed the evidence and found that the alleged victim's testimonial evidence with the slight backing of the existence of the PGP software on the defendant's computer was sufficient for conviction even without any substantial physical evidence.
As for @Anonymous' "anyone can be found guilty of anything"... Well duh! Of course that's true, because juries can be wrong even when the evidence is all perfectly fair. Perhaps this jury was wrong, but this appeal dealt with whether or not it was the judge's fault that the jury was wrong. All the ruling says is that it wasn't the judge's fault, because the judge followed the rules of evidence of the State of Minnesota.
Perhaps Minnesota's rules of evidence should be more strict when it comes to potentially prejudicial evidence that is of a technical nature that even the defense attorneys probably don't understand -- not to mention the jury, but I don't think that question was part of the appeal.
"Just to be clear, given your above statement could you explain again why the court should consider encryption testimony from a non-expert as relevant to the conviction, let alone admissible?"
Just to be clear, I didn't say the person was a non-expert, I said I was guessing he was not an expert in both fields. If he is, it would be a truly amazing coincidence. I don't determine the level of this guy's expertise, and neither do you. The courts do, based on his response to questions from lawyers representing both sides.
Your response makes my point for me. This whole thread is mainly people arguing about what they think may have happened, based on invalid suppositions about poor summaries of a trial none of us attended. That could almost fit the definition of FUD.
You seem to have a good deal of useful insight into this discussion so I am surprised that you would characterize the discourse (including your own) as FUD. I have certainly learned quite a bit from you and others that has greatly enhanced my understanding of this ruling and the related legal issues.
I wasn't commenting this case particularly so I went and read the whole ruling (so this time I'm making a comment for this case particularly). It clearly states "S.M.’s testimony, if taken as true by the district court, could have been legally sufficient to support the convictions here." while also citing "legal practices of Minnesota". So even if they left out the encryption bit (which the court says was only somewhat relevant anyway) the crook would have been convicted. To me it looks like the justice happened.
One problem is appearance. Child porn cases are unsympathetic and tend to make bad law. There are a number of Fourth Amendment cases about the scope of searches in CP investigations, in which the defendants argue that seizing an entire computer is overbroad, akin to taking an entire filing cabinet rather than just the files related to the Enron accounting scandal that's the subject of the search warrant. In every case I've read, the challenge has been denied, at least in part because of judicial reluctance to appear to be helping CP downloaders hide their files. After the appeal is done, we are left with bad law, or at least worrisome dicta (language in an opinion that is not binding but can be influential) to deal with in the next litigation.
Permalink for this discussion on my blog, The Shout: http://www.granick.com/archive/...
This second pass on this case in this blog was actually much more enlightening than the first.
I actually didn't know much about PGP other than that it could be used to encrypt and decrypt files. I've simply never been that worried about my privacy.
It was only with this second pass that people highlighted the fact that PGP can do a "secure wipe" so that no evidence of the files exists any longer. That wasn't clear in the court judgment, so I'm wondering if the court (trial or appeal) was aware of or focused on that.
Given this "secure wipe" capability it seems like it will forever be impossible to convince a court that possession of such capability is any different than being suspected of a burglary and then being found to be possessing burglary tools.
I don't see how any amount of education of lawyers, prosecutors, or the judiciary can compensate for that fact.
I can see one out: donate PGP to Microsoft so that they can permanently "integrate" PGP into the OS and file system. Then you will have taken away the "choice" which might have been construed by the court as evidence of intent.
-- Jack Krupansky
Ok, I just realized the wording "obvious crook" I used on the earlier post was somewhat bad. Better wording would have been "convicted crook".
What happened to beyond a reasonable doubt? If there's no evidence beyond a person's testimony, that's pretty poor unless there's a pattern to be found, such as lots of people coming forward. Otherwise, it's just an unfounded accusation.
This doesn't mean he's innocent, just that we don't convict people unless you have evidence. Crimes occur all the time without convictions, and people get off on all sorts of technicalities because of the "rule of law."
Having PGP and even investigating the law are suspicious, but they are not worthy evidence for a conviction.
"being suspected of a burglary and then being found to be possessing burglary tools"
That's actually a good point. I'm sure "burglary tools" are seen as evidence on many burglary cases and also considered at least somewhat relevant to those cases. Now shouldn't people who use the same tools (construction workers and locksmiths come to mind) be equally upset about it?
PGP is not usually the tool of choice for someone who wishes just to destroy data. Instead, it is most often used to encrypt stored data or for encryption of messages that travel via insecure media. So it is more likely that the PGP software was used to create secure files and distribute them. Moreover, PGP is not particularly designed to cover its tracks (unlike pure secure-wipe utilities) so its use should have been somewhat apparent to the digital forensics investigator, even if the suspect had advance warning. I realize this is speculation on the situation at hand, but I have never seen PGP used purely for data destruction.
There is a whole separate discussion regarding what constitutes a savvy encryption user, particularly with regard to a truly secure wipe (most refer to the DoD 5200.28-STD), but it is important to note that several widely relevant regulations are already in place that require companies to have a formal data destruction process with secure wiping of drives before disposal.
So, just as many people are beginning to parallel secure business practices and keep shredders at home to protect their privacy and identity information, I believe the trend is already towards increased awareness of secure wipe utilities for personal systems.
Incidentally the Mac OS X feature that is mentioned in this case (based on AES and not PGP) already includes a secure wipe feature. In fact, all you need to do to use the feature is create a "File Vault" to store your data and choose the "Use secure erase" option. Beware, however, that bugs may exist and forensics experts should be intimately aware of big ones such as the issue unresolved by Apple for almost two years:
Why not have the secure-storage and wipe on by default, to eliminate user choice? It adds some serious complications to credential/key management, including risk of accidental system unrecoverability. It also can seriously impact system behavior and performance. For what it's worth, I know very few people who advocate use of the Microsoft embedded encryption software (EFS).
One caveat to my last post, PGP does allow you to "right click" and choose "wipe" for any file on your system. My point was just that PGP is generally not the tool of choice for this type of use, just like a round-tip serrated bread knife is not usually a preferred terrorist weapon.
Look, in the end this guy got convicted because the jury believed the testimony of the girl who was the victim. He's not being convicted because he had PGP. He's simply being denied a new trial because the appeals court rejects his argument that the prosecutors should not have been allowed to bring up his use of PGP.
I really don't see the harm: if prosecutors can bring up "the defendant used PGP" and can't get the judge to toss it, the defense can immediately refute that "evidence" by showing just how common the use of encryption software is. Just open a connection to the local bank, notice the "https:" and explain what it means.
@Ari (Posted by: Ari Heikkinen at June 9, 2005 04:44 PM)
"so I went and read the whole ruling"
You appear to be the only one that has. Somehow the phrase "the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him" from the appellate court ruling has been translated into the completely unrelated conjecture that "the presence of encryption software on a computer may be viewed as evidence of criminal intent", with many wild and woolly conspiracy theories in between.
"at least somewhat relevant" does NOT = "evidence of criminal intent".
Be nice if actually reading the source material was a pre-requisite for publishing comments on it.
@David: "What happened to innocent until proven guilty?" What happened is that it isn't and never was the standard for admission of evidence. It's the standard for the jury to use when weighing the admitted evidence.
A lot of people seem to be running away with this.
Certainly, based on the evidence I've seen the *conviction* was suspect. But not much of the reporting has covered that, so it's hard to have an informed opinion.
What everyone is arguing about is whether the prosecution should be allowed to tell the court (jury?) that the defendant had PGP installed.
The defendant tried to claim that this evidence should not have been allowed in, and the appeals court stood by the decision to allow it in.
Imagine this scenario:
Lawyer: Did you find any pornographic photos on the defendant's computer?
Police Investigator: No
L: So there were no photos then were there?
PI: If there were, then they had been deleted.
L: But if they had been deleted, wouldn't you be able to find traces of them?
PI: Not if the defendant used PGP to wipe the files.
The defendant's access to PGP is relevant. Whether it is *significant* is for the trial to decide. The decision that you're all complaining about is that the judge let the prosecution *mention it*.
Having a van isn't illegal. In most cases it isn't relevant. But if a kidnapping victim says that they were transported in a van, then it is relevant to say that the defendant's brother has a van and the defendant had access to it. It's not strong evidence. You don't convict based on that sort of evidence. But it is relevant, and the jury should get to hear about it and make up their own minds.
Add another kind of person who uses encryption at home. The person who encrypts important files so that when (note: not if) someone hijacks his computer the files are safe. That kind of person is me. I'm to the point of getting a hardware based encryption device to plug my hard drive into.
After all the arguments it appears to boil down to this,
1, A girl made a statement about the use of a "Digital camera" that was allegedly used to photograph her.
2, No other physical or directly supporting evidence was offered by the prosecution.
3, Testimony by a retired Police Officer was not questioned during the trial.
4, The Evidence given by the police officer about PGP was at best (as we understand it) tenuous.
6, A judge allowed the supposed computer expertise by the defendant to be used to support the girl's testimony.
7, During the trial the defence did not question this decision, or the supposed expertise of the defendant.
hmm... it was once said that "A bad defence is no defence" so it would appear for the defendant in this case as he was convicted.
Not being nasty in this particular case, but our discussion is not about him or his crime or for that matter his conviction or the veracity of the girl's unsupported statements.
What is of concern is the side effect of allowing the PGP evidence to stand unchallenged as this can affect the outcome of trials yet to be heard.
I think the general consensus is that as originally stated "Encryption As Evidence of Criminal Intent" has in fact not actually happened in this case, but it can be read as that at a future time.
The question is how do we as individuals correct the perception so that it does not affect us or those we know / care about in future times.
Any suggestions folks ?
Oh on a technical point, the use of PGP or other "secure erase" program is in no way sufficient to remove the traces of the file.
As mentioned earlier there might well be meta data left in the supporting file system structure.
There is also a "hole in the disk" of the same or similar size to the original file(s).
This hole contains statistically dissimilar information to the other data on the disk and can be recognised. It only disappears from view when and if all the sectors have been overwritten a couple of times by real files.
So for a FAT style disk you could try,
secure deletion, then defrag, generate a large enough file to cover the sectors, move existing files from below the new file, generate a second file to fill these sectors, then delete the first file and defrag again. Then delete the second file, copy existing files into that hole and repeat the process a number of times.
The problem with the above is that you then create statistically viewable traces in the date patterns / position of the files on the hard disk so you could still show there was "suspicious activity" on the hard disk.
There are (quite simple) ways to get around this but you have to ask yourself the question "How can I be sure"...
"You, sir, are a maroon". Ha!
I hope that was intended as a joke. The "sir" might have been a fuchsia instead of a maroon.
Prosecutor - "We noticed that the machine had an application called a 'Recycle Bin'. Apparently the defendant had 'Deleting Capability'. Sounds like he had a clear 'consciousness of guilt' if you ask me."
@Clive: "Any suggestions folks?" Sure! Make sure that defendants have competent attorneys who can challenge prosecution experts, either by putting their own experts on the stand to testify about how common tools like PGP are and what law-abiding purposes they can serve, or by putting the defendant on the stand to testify about how PGP came to be on his computer and what he did (or planned to do) with it. If the defense had believed that the PGP evidence was going to convince even one juror to vote to convict, then they should have done that. If they didn't, then perhaps the defendant's next move should be to appeal on grounds that the failure of his counsel to understand the technical evidence presented by the prosecution deprived him of his right to adequate defense.
A testimony of a random J girl in US may be enough to put you behind the bars. That means trouble. Children may react unpredictably to different kinds of stress, sometimes they might intentionally act to set up a lawful adult as a child molester, and there is also Lolita stuff to handle, you know. But worst of all, some criminals may hire a random J 10 year old girl to organize a set-up of sort for a person they like to “remove in a clean way” and rig a concocted case (there WERE such cases here in Russia, serious as a heart attack, dunno about US).
As a human being can not be encrypted/erased/firewalled, the only good choice is to AVOID ANY GIRL BELOW AGE OF 18 AS PLAGUE. Oh, better avoid boys below 18 too. And your own children also should be avoided, just in case. Send them to a college in Beirut and keep there until they reach 18. Make sure the distance between you and a child is never less than 100 meters. I just wonder if one should avoid animals under 18 in the US as well… That would mean avoiding most of them due to short lifespan.
Welcome to the USSA [/jk]
:D … ROTFLMAO
No offence meant, respected USA citizens. Every country has some legal malpractice.
I'm not fancy at writing here folks, so please excuse any typos and such.
Somewhere on the WWW I saw a story where a fella was prosecuted AND sued for something to do with mp3's and programs.
Seen a few other stories also related to erasing cache or (cache cleaners)
All this is pretty wild stuff.
I ain't going to comment on anybody's other comments here cause there is just too many lol. Scares me that a body can be prosecuted for something that may have not even happened or just for making room on a HD using some freeware program got from a freeware site.
Makes me wonder if having a computer is really worth all this hubub.
If our judicial system is going to consider the mere act of cleaning up old files on a hard drive or deleting files (evidence) of some wrong doing well heck, I'd just soon take this machine to the curb or donate it to a church.
I've been seeing a lot of stuff recently online about thoughtcrimes.
I figure those are things they charge you for now just for thinking about them (scary).
I don't know anymore, I'm getting too old for this and this world is going down the crapper more and more every day.
I'm in retirement and my wife is too, all this new stuff scares the pants off us - cameras at street corners, people killing each other like crazy, wars, ridiculous just ridiculous.
Somehow I wonder if those Amish folks 22 miles from us ain't in one of those (see we told you so) situations.
Possibly in a --as young people would put it--(been there done that).
They wake up feed the chickens build furniture work hard all day they don't need computers, radio, tv, electricity.
This world's in a mess--just an awful mess.
Encryption as evidence.
Might just as well use a Slax Live CD
with Wine and some stand alone encryption on the CD as well.
Heck, there would not be any cache or registry entries or even used hard drive space cause Slax runs from RAM itself.
you can yank out the HD and it still works :-)
yes people you can now have your cake and eat it too.
Surf with impunity. lol
Puppy linux---looks like Win 98
D@m small linux
Many many small distros out there to protect your privacy oh and don't forget to get a flashram card --usb-----
unfortunately there are some bad eggs out there
Sounds like this guy might have been a bad egg.
May I add a fourth category to the three already mentioned: Persons of ethnicities that were (and still are) chronically unpopular throughout history. Thus in many instances this one is usually subsumed in the third.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.