Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Giant Stuffed Squid |
| More Voting Machine News »
December 24, 2007
PGP and the 5th Amendment
A Vermont federal judge has ruled that a person cannot be compelled by police to divulge his PGP key. This is by no means the end of the legal debate (Orin Kerr comments), but it's certainly good news.
EDITED TO ADD (1/16): The case is being moved to Federal court.
Posted on December 24, 2007 at 6:49 AM
• 58 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I've always wondered how the technology like PGP and TrueCrypt (and, to a similar extent, FileVault on MacOS X) would reconsile itself when used to secure data which, when used as evidence, would be damning to the defendant.
It seems, though, that the U.S. Gov't has a convenient way of bypassing the ramifications of this ruling by simply declaring someone an enemy combatant and away we go with the constitutional protections.
It'll be interesting to see if this ruling holds up:
What the privilege protects against is compulsion of ''testimonial'' disclosures; requiring a person in custody to stand or walk in a police lineup, to speak prescribed words, to model particular clothing, or to give samples of handwriting, fingerprints, or blood does not compel him to incriminate himself within the meaning of the clause, although compelling him to produce private papers may.
@Pavel: The problem with such cynicism is that there is a legal standard for being an enemy combatant. Simply because I am arrested for theft does not mean I could even declared an enemy combatant in any court in the U.S..
Some people hate to believe it, but it turns out there really are ways to illegally conduct war that put you outside the Geneva Convention. And when you are outside those conventions you are a war criminal.
We must be as vigilant in making sure the definition is used properly as we must be vigilant to ensure our own personal rights are protected against self-incrimination, double jeopardy, and so on and so on. But wholesale sarcasm that no one could possibly ever be an illegal combatant is blinded with pure hate towards something (probably politically motivated hate), and an absence of reason.
As for whether people can be compelled to turn over PGP keys, I find the issue unclear. I do not believe a person should be rewarded merely for having the foresight to encrypt something incriminating. Otherwise, why not just say something stored in a safe is protected? I do want to see warrants, and there are so many exceptions for warrantless searches (and have been long before 9/11) that the rule can be a formality sometimes.
Well, the part of the 5th that applies is "nor shall be compelled in any criminal case to be a witness against himself", right. Doesn't that really just mean you can't be forced to testify under oath against yourself. Of course any "physical" evidence is fair game with a warrant. I still fail to see how this is any different than the locked safe. It would be nice if we could prevent the authorities from carrying out "fishing expeditions". They need to have a reason to search of course. If you came up with the perfect unbreakable physical security system, how would that be different than this unbreakable encryption when it comes to evidence gathering.
Somebody please make a good enough implementation of a OTP. So I could give some other key to the police... :)
Unil then, the state will ask your keys regardless of whatever policy they hold...
You can be compelled to produce a key to your safe; there's no reason you can't be compelled to produce a key to your files. I fail to see any reason to celebrate here. To my mind, the only possible defense against producing the key is that the person who encrypted the files has a reasonable expectation of privacy above and beyond someone who keeps papers in a safe.
According to this ruling, any criminal who exercises minimal care in securing his laptop has absolute immunity from producing files as evidence.
Ah, if only the folks at Enron had thought to encrypt their audits... And yes, I know the difference between audits at a publicly-held company and criminal complaints. But pick your poison -- terrorist, drug dealer, or mortgage-loan weasel -- and ask yourself if they should have immunity.
Merry Christmas or even some peaceful days
to Bruce, his family members and all the nerds around here! But sorry, i can't resist on the following groaner: Is this a Huffmann tree behind you? (duck and cover)
I think ultimately the Supreme Court will decide that providing a password isn't testimony and thus not protected -- especially since in this case the police didn't want him to write it down, but to input it into the computer so they could look at the files.
However, I wonder what would happen if someone were to use Password Safe and keep the passwords on a thumb drive, then, when they discover the cops are after them, to smash the drive with a hammer and start tossing little bits of circuit board from a car window. They could say, "I've got no clue what the password is," and for all intents and purposes the files would be permanently locked.
A blow against Rubber hose cryptanalysis? Probably for the moment. Give them a big enough excuse (Children at risk, state secrets at risk, children with state secrets, etc.) and they will use any means necessary to take you keys from your cold dead hands.
For any legal failings the US might have, concepts like the 5th Amendment rights would be nice to have in the UK. Instead we have RIPA, basically a prohibition on secrets in a world where people use electronics as extensions of their brain.
Interestingly, enemy combatants are (theoretically) still entitled to the Geneva protections, unlawful combatants are not. However, since there is no definition of UC, and instead it is determined by a military tribunal using secret evidence, it is not unreasonable to expect that there are few protections should the government decide to put you on that track.
As for encryption, using TrueCrypt 'plausible deniability' approach will help until you are waterboarded. I use a key I remember AND a fingerprint coded fob with an encryption key file, which I would destroy if necessary. Then waterboarding won't help...of course, I'm in deep doo doo if I ever lose that fob...
"Senator, I have no recollection of that password."
If US senators and presidents can get away with it, so can the average US citizen. There are no perks but what the citizens are also allowed.
If you believe that, then you are pretty naive. In the US, as far as the Feds are concerned, if you are not part of the ruling class, you have no rights. Less so if you are not a citizen. (You are assumed to be a criminal terrorist unless proven otherwise if you are not a citizen. And even then, you are under suspicion.)
The comparison to safes is interesting. What would the police do if you said you lost the combination to your safe? What would they do if you said you forgot your passphrase?
To my mind, the bigger worry is not that you can be compelled to give up your passphrase (although that's not good), it's that you could theoretically be kept in jail forever simply for having a bad memory.
With a safe, you can always open it, one way or the other.
Good encryption can't be broken with today's technology.
Interesting. I am not so sure about the safe aspect, but I can't see how the DNA or blood sample one plays. DNA cannot, by itself, be illegal; at best it can provide a standard to measure some evidence by. Thus giving your blood cannot alone condemn you; they need something to compare it to that is related to the crime. However, the contents of a drive can be illegal in and of themselves. This seems like a very crucial difference to me.
"Good encryption can't be broken with today's technology."
More often than you think, it can. There's invariably a weaker link than the encryption algorithm.
I fail to see why this is 'good news'. I don't like the government prying into anyone's affairs without good cause. But if there is good cause (and from what I read there is in this case) why should obtaining a PGP key (and pass-phrase) be any different than obtaining a key to a safe? There is a public interest to have effective law enforcement.
PS: In any case the Federal officers that checked the notebook and shut it down should be sent a.s.a.p. to a IT-forensics course.
"There's invariably a weaker link than the encryption algorithm."
For example, threatening people with a lifetime in jail unless they hand over the keys.
Hi, I'm not trying to be smart here, but as a geek, I just have to ask about this paragraph from the wired article:
Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect.
Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand?
it appears to me from reading this that should one be engaging in things one would not be incriminating one's self for, any real-world-rule for passphrase generation would have to lead to a set of passphrases that would explicitly admit any and all wrong-doing for which one would like to have immunity before the law.
as in.. if you've done 'x', then you're passphrase should be
'i,name, am involved in x, the bodies are buried...'
it sounds to me as if a structure like this would splice the immunity one might be granted for the revelation of a now(?) self-incriminating(?) passphrase to whatever incriminating materials might be stored under that passphrase.
in other words, i don't quite see that or how this bit of legal sophistry would stop any kind of recursive use of immunity here.
I'm wondering if this was just a pretty thought or if the notion of an incriminating pass-phrase is a legit bit of kung-fu one should think about some more.
thanks for your insights!
The 5th amendment was intended to stop people from being compelled to say things by the police through torture. They shouldn't be able to compel you to say anything. The founding fathers didn't know anything about encryption keys (or safe combinations) so they couldn't make the amendment explicit enough.
I'm really curious how the whole "I forgot the passphrase" defense is going to be received. Typically, someone who is going to go to the trouble of using PGP whole disk encryption or something similar is very likely to take the time to create a strong password.
For example, I have a very strong 60-70 character password.
Note that the defendant's computer was seized in December 2006, so this is about a year later. I could easily genuinely forget my 60-70 character password in a year, especially if there's no court order that I have to take steps to perserve said password.
Barring such an order, I could probably take steps to intentionally forget my password.
Even in the worst case scenario, I'm assuming legal repercussions for not producing a PGP passphrase are going to be significantly less than the legal ramifications for possession of child pornography.
If the prosecution appeals and ultimately prevails, it will be time to revise the Miranda warning, won't it?
"Even in the worst case scenario, I'm assuming legal repercussions for not producing a PGP passphrase are going to be significantly less than the legal ramifications for possession of child pornography."
If it in decided that it should be possible to compel people to give up their keys, then sentencing reveals an interesting paradox. To be effective, the sentence for not revealing the key must be at least equal to the sentence for the crime that the person is being charged with, otherwise a person who knows that revealing the key will prove his guilt will just stay silent and take the lesser sentence. But to be just, the sentence for not revealing the key must be short so as not to place an undue burden on innocent people who have forgotten the key, possibly due to the shock of interrogation and incarceration. These two considerations are mutually contradictory, so we can conclude that such a thing cannot be both effective and just. Which one is chosen will reveal a great deal about the people who do the choosing.
Let me try to pull a twist here: an authorized search shows that the defendant has a key to a safe, but the safe itself is nowhere to be found. Could the defendant be compelled reveal the location of that safe?
@Michael Ash and Brian Carnell wrt. forgotten passphrases
The concern is not just theoretical. I have lost some data due to forgetting the passphrase to an encrypted volume (nothing too important, but annoying enough to justify spending several hours trying to figure out my own passphrase via brute force - as I thought I remembered part of it - to no avail).
For this reason alone, no reasonable justice system should punish anyone for refusing to decrypt files. An exception to this would be files that they had a specific legal responsibility to keep, in which case the refusal/inability to decrypt should be considered equivalent to having destroyed those files.
If the government can compel you to hand over the keys to a safe, can they also require you to give over the combination to a combination safe if it is not written? Is there any difference between these analogies, given that one is physical and one is mental?
Which analogy fits encrypted files better? Would it matter if your password was written down?
To put a further wrench in the works, what if the government suspected you of using the "plausible deniability" feature of software like TrueCrypt. If you tell them that you did not use the feature, but they still believed that you did, would that constitute withholding an encryption key? Wold they still prosecute even if you have given them the main key and claimed that you did not have a hidden key?
If they did, what would happen to a person who did not have a hidden key and was more then willing to help the police or goverment, but was not believed?
Given that the human mind is the last and perhaps only bastion of privacy left, it is quite impossible for anyone to tell if I am telling the truth when I tell them I forgot the password. A polygraph would only register stress and under the stress of the moment, I could even forget my own name.
This leads me to another question re passwords. Is it possible to compel me to surrender the password to all passwords, i.e. the password to the Password Safe, if that allows them to then go on a fishing expedition to find something to hang on me?
Or, can I require them to give me access to the laptop to retrieve the one password they are interested in obtaining?
In true national security/life-or-death situations I might feel compelling a defendant (how?) to reveal a password is legitimate. But in the normal process of prosecuting a crime, I feel a defendant has the right to say nothing, period. My analogy is "should a defendant be forced to show where he buried the bodies?" - well, no, it's the police's job to find them. The police have the right to try to (upon a warrant) break his encryption, just like they have a right to drill into his house safe. That's about it.
I just keep all of my notes in an unintelligible shorthand. They may be able to compel me to provide my PGP key. However, I'm the only person capable of understanding what I wrote. Compelling me to translate it would cross the 5th Amendment line, I think.
The worst thing that should happen to a person who refuses to divulge an encryption key under subpoena, is the same that would happen to them if they shredded or burned subpoena'd papers.
Sure, here is the key. They open the file only to find my financial spreadsheet. What is that .tmp file? Isn't that a temporary file?
Imagine having your most deepest feelings and thoughts exposed, even if they aren't illegal.
What about safe combinations? Do you need to tell them? A key can be demanded because it is a physical object, a combination is a memory, a thought, and might be protected. I do not see much of a difference between a combination to a safe and a passphrase to a crypto container
In my opinion, it is never the duty of the defendant to assist the prosecution in prosecuting them.
Vermont, last bastion of the beleaguered Constitution.
"Oh, say does that battered parchment still (hold) sway?"
@ Swashbuckler: you are generally correct. But taking a blood sample is usually treated differently for two reasons. One, the examples you list are things that we leave or expose when we go out in public: our voice, our visage, our fingerprints. If the general public can see it, usually the police can also. Two, taking blood is invasive.
(I say "usually" because I'm familiar with all state laws.)
Interesting question about safe combinations. Anyone know the answer? Of course, most safes can be drilled pretty easily. This is another example of a right (either a defendent's or the police's) that is bounded and protected by something other than the status of the right itself. For example, the greatest legal protection for privacy was the law of trespass: before the internet, it was hard to invade someone's privacy without invading property, and so property law was (generally) sufficient to protect privacy. Now that this is not the case, we're adrift and can't use the old system as a model for the new.
@ Michael Ash: by your logic, the penalty for perjury should be as harsh as the penalty for the crime lied about. (Not saying this is a good or bad thing, just observing.) But, of course, the penalty for perjury as harsh, and is usually a slap on the wrist.
Police shouldn't be able to get people to give up their encryption keys on their own, but it should be able to be required with a warrant. Otherwise, it is no different than a criminal putting the murder weapon in a safe and investigators not being able to get a warrant to open the safe.
Balance and due process.
@Harry: by your logic, the penalty for perjury should be as harsh as the penalty for the crime lied about. (Not saying this is a good or bad thing, just observing.) But, of course, the penalty for perjury as harsh, and is usually a slap on the wrist.
I've actually thought about this a great deal and as a normally very opinionated person, I must admit the issue of perjury leaves me on both sides of it.
On one hand, there has to be a very strong incentive for someone to not want to lie in court. If perjury is a slap on wrist, what person who has committed a horrible crime wouldn't risk a slap on the wrist in exchange for lying to get out of a tougher sentence? If the sentence could be very harsh, the person may not go this route knowing that it would be another harshly punishable crime that they could get in trouble for later.
On the other hand, if the penalty for perjury is similar in harshness as the crime itself, it could create a type of double jeopardy. Try one for murder, and he gets off. Then try him again for perjury, which would basically be a trial for murder all over again--convince a different jury that he is guilty based on the same evidence the prior jury acquitted him on, just say it is proof of perjury instead. Double Jeopardy (or even moreso, considering every new trial would create a new opportunity for a perjury trial).
A bit off topic, but in the end, I would have to say that though there are benefits both ways, harsh perjury sentences are probably not the best way to discourage perjury since they can indirectly bypass double jeopardy.
Happy New Year
The discussion of perjury is irrelevant because, due to the 5th amendment, the person committing perjury is not generally going to be the person going to jail. Any time you would have to lie to protect yourself, just don't answer. In situations where you must answer, it's going to be somebody else going to jail when you do.
Regardless of how the law evolves, PGP buys you time, control and some options. The safe analogy breaks down here because the safe can be opened, but it appears that PGP is more secure. Even though you may go immediately to jail for not complying with a subpoena, at least you have time to consult an attorney and organize your defense. You still control the information. You and your lawyer can set the context for your cooperation. If you didn't commit any crimes, your lawyer may ask the court to invoke special procedures for handing over the data. These procedures (a Special Master?) would protect your interests and prevent the cops from engaging in fishing expeditions. Even if you initially refuse to cooperate with a subpoena, I think the court would be forgiving if you eventually do cooperate and it's revealed that you're not a criminal.
If you are a criminal, data encryption is not the root cause of your problems, and PGP isn't going to get you off the hook.
I wonder if (in a place like the U.S.) saying you forgot the passphrase would work. You might even say, "it was something like" and throw out a sketchy red herring.
That being said, the deniable encryption provided by something like TrueCrypt is probably better here. :-D
"There's invariably a weaker link than the encryption algorithm."
Forgetting the human factor - which, of course, is most likely the weakest link of all - the implementation comes to mind here.
Or, to sum it up in a three-letter example: WEP. :-)
"In the US, as far as the Feds are concerned, if you are not part of the ruling class, you have no rights."
I don't think things are quite that extreme in the States - at least not yet.
We shouldn't lump all legal situations together. A defendant or suspect in a criminal matter could rightfully invoke the Fifth Amendment. A journalist or blogger might invoke the First Amendment. An accountant, for example, who keeps client files encrypted when not in use (a good move) would be expected to present subpoenaed data in unencrypted form (which, by the way, beats turning over your encryption key and letting the authorities decrypt); refusal to do so would likely result in a contempt charge. Subpoena situations generally, I hope, allow the served party to decrypt. In criminal matters, subjects of search warrants would be asked for an encryption key during a search or after seizure of computer and encrypted data. It would be helpful to be aware of what legal situations could arise, especially criminal ones, while considering how one would answer a demand for one's encryption key.
@John W: "Police shouldn't be able to get people to give up their encryption keys on their own, but it should be able to be required with a warrant. Otherwise, it is no different than a criminal putting the murder weapon in a safe and investigators not being able to get a warrant to open the safe."
Can at least an itty-bitty, teeny-tiny amount of common sense be deployed here? If someone suspects a murder weapon (or whatever) is in a safe (or whatever), the government will issue a warrant, and if necessary, a locksmith employed. The absolute worst case situation is that the safe can be destroyed to open it.
What similarity does this situation have to a "you must speak the magic password to us now"? No one is allowed to destroy human lives (or minds) for failing to answer a question, and this is a pretty damn good thing if people actually sit down and _THINK_. If criminals can conceal evidence by this trick, well, _WAKE THE HELL UP_: destruction of evidence is a common event in the life of a criminal. People dispose of weapons by dropping them into rivers, bury the bodies, and they have even been known to throw away incriminating clothing. Yet we still manage to obtain convictions .. and even honourable ones that do not require what amounts to torture ("tell us the secret or else").
I think this is a good ruling. I don't see anything in the Constitution that says a defendant must cooperate in any way with his prosecutors. Sure, the State has a right to search, but they do not have a right to find anything. Whether it is a body, ill-gained loot, or an electronic document, the defendant still has a right to remain silent. The burden of finding evidence should remain solely with the State, and that includes passwords.
One possible exception I can think of, though, is a business computer, where records may be understood in advance to be viewable by government regulators. In that case, one could argue for destruction of evidence (or at least regulatory non-compliance) charges if a password is not divulged. And maybe even in a private case that could be argued, but you'd expect that at least there would have to some additional evidence that a crime had indeed occurred, and that evidence of the crime was in the encrypted file(s). But that's a big if in my mind.
"A defendant or suspect in a criminal matter could rightfully invoke the Fifth Amendment. A journalist or blogger might invoke the First Amendment. An accountant, for example, who keeps client files encrypted when not in use (a good move) would be expected to present subpoenaed data in unencrypted form"
Good point. Generalizations can be bad news - issues are rarely black and white.
"I don't see anything in the Constitution that says a defendant must cooperate in any way with his prosecutors."
I agree - the hell if anyone should be compelled to put a noose around their own neck.
The reality of the situation is that people forget their passwords all the time. Regardless of what the law is now, eventually, possibly after a few unfair convictions, it will be understood that you cannot threaten someone with jail for not divulging something that he may not even know. Human memory is faulty, and with the length of criminal proceedings in this country, even if the individual did know a password at some point, odds are good that he will forget it after a year or more of not using it.
I don't particualarly care what the outcome of this trial is or what will happen on appeal. People will not be regularly sent to prison for forgetting a password in any country worth living in. And I will refuse to live in the US if that were the case.
Also, there is simply no way the penalty for refusing to hand over a password (or forgetting a password) could ever be the same as a conviction for child porn. This is nonsense. Even if he were to spend equal time in prison (which he wouldn't), he wouldn't be labelled a sex offender for the rest of his life for refusing to hand over a password. That fact alone may be worth an extra year in prison. A conviction for contempt (or whatever) just puts him in the same league as Clinton. In other words, it's not anything to feel shame over for the rest of your life. There is absolutely no conceivable incentive for him to ever hand over the password.
Furthermore, even if he were to hand over the correct password, some type of corruption of the data could lead the password to show up as wrong (even if it's right)! You can clearly see that you can never prove that the defendant is not cooperating.
Cryptography is what will allow the common man to have some semblance of privacy in this world. And I, for one, am thankful for it.
In any case, the plausible deniability that TrueCrypt offers is definitely the way to go.
@curiousOne [looking to invoke Fifth Amendment protections against self-incrimination to avoid divulging decryption passphrases]: "if you've done 'x', then your passphrase should be 'I,name, am involved in x, the bodies are buried...'"
I was thinking along the same lines myself.
I don't think the "I am involved in x" part is any use, as there is no implication that the passphrase is a true statement, so a passphrase stating your involvement is not self-incriminating.
However, looking at the findlaw.com article linked to in the second comment (by Swashbuckler), just before the link to footnote 177 it says "A witness has traditionally been able to claim the privilege... when [his answer] might be exploited to uncover other evidence against him". So if the passphrase says where the bodies are buried, then I think it probably should be protected by the Fifth Amendment.
The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.
Here in the UK, you have a right to remain silent. This surely must mean that you don't have to say anything.
"in the UK, you have a right to remain silent"
Err not sure of which bit of the U.K. you live in.
Under amongst others RIPA and the ECA you do not have the right to withold your encryption keys... If you chose to then you can be sentanced infront of a closed court to several years in jail.
Now if you had commited some crime where you thought you might get more years then good luck to you it's an option you might consider.
But then there is the yet untested argument that you could also be done for purjury which caries a maximim of 6years, or if you are realy unlucky and it can be show (or they belive) that it involved payment by local or central govenment or that it was under either or quangos etc authority then you might have commited "malfeisence in public office" which as it is fairly aincient law has no limit on the tariff. Oh and remember it is upto the judge to decide how the sentances are to be run (concurently or consecutivly).
Next you need to remember the wording of the caution under PACE84 "...but if you do not say something that you later relie on in court..." that is if you do not cough your guts up when asked then the judge can use it against you in their summing up. Remember though that the Police or other prosecuting authority is not required to show you the evedence against you untill a very short time before your trial. Nor are they required to tell you the truth unless it's in a witness statment.
And now their is the "bad charecter" refrerance trick. Basicaly it alows the prosecution to use hearsay against a defendent and you have little or no deffence against this load of cobblers. And specifficaly as the defendent you arenot alowed to say anyhting in return about the prosecution witnessess. It has already been missuesed by Ofcom against the directors of a company. Neither of whom had in any way broken the law.
So yes in theory in the U.K. you have a right to not say anything of importance but in the same way it is theoreticaly possible that a milk bottle will not shatter if you drop it on concreate from a thousand feet up.
I live in the Midlands, Leicester to be more precise.
I have no criminal record, and as for bad character. They would find it almost impossible to find people who know me at all let alone speak badly about me, I am a private person. If you like a loner. I also have learning difficulties & this is medical fact. As for the police, not being truthful well all interviews are recorded, and I'm entitled to a copy of the tape.
l'd say nothing in interview, other than the word no comment. My opinion would be and is let them prove it.
Just use a Puppy linux LIVE CD.
E-mail your sh!t to your self encrypted.
You do not need a hard drive installed in the computer to do this.
Have any of you people been following the Fumo trial in PA? All of the information and emails were PGP encrypted and the Goverment was able to obtain all of it! They had to make a deal with one defandant because in 3 years they couldn't crack his PGP disk pass phrase
PGP creates a header on every file identifying what program created it.Who says you even have to use PGP?.
You could be running WINE inside Live Linux with a WIN program inside wine such as hmmmm. OMZIFF????
Yeah what type of encryption do you want to run today?.
Omziff supports 5 different types and produces NO HEADERS on the output file.
If you look at a file encrypted by omziff ,say you select BLOWFISH or TWOFISH -the output file in a hex editor would show no header.
The first few bytes are only the same if the same password is selected along with the same encryption type.
The first few bytes of the output is a MD5-(usually the same every time with same password)
There are so many MD5 outputs out there i highly doubt there would even be a chance of a hash collision if the md5 would be extracted.
Looks around for any men in black watching me.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.