Schneier on Security
A blog covering security and security technology.
« Supreme Court Rules that GPS Tracking Requires a Warrant |
| Evidence on the Effectiveness of Terrorism »
January 25, 2012
Federal Judge Orders Defendant to Decrypt Laptop
A U.S. federal judge has ordered a defendant to decrypt her laptop.
EDITED TO ADD (2/14): The ruling. And a good analysis.
Posted on January 25, 2012 at 1:56 PM
• 121 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So if the penalty for contempt is the same or more favorable than what she is being charged with, why should she not fight it?
This is just like being requested by subpoena/warrant to open a safe. The act of providing evidence is not protected. It is not considered testifying against oneself. Whether this is right or wrong is up for debate.
It seems that providing the combination to a safe has always been protected, while providing the key to open the same safe has not been protected. Therefore, if a smartcard were required to decrypt the hard drive, it would be (supposedly) different than this case where it is passphrase-protected.
Grey area indeed.
I wonder if an appeal would make it to the Supreme Court.
I also wonder how law enforcement will limit m-discovery(mind discovery) to specific keywords if the contents of one's mind was not protected.
Sadly they have the power to force you to decrypt information in the UK. I've always wondered though where the burden of proof would fall if say I told them I had forgotten say a passphrase. Would they assume I was lying or does the burden of proof fall on the police to prove I have not forgotten my passphrase.
@C I had never thought about how items such as smartcards effect these type of cases.
Fingerprint lock the device, then lose your finger if they want you to unlock it! Use one you won't miss too much, like your pinky! This is from the department of crazy notions department... :-)
I see a new market:
Encryption software that will automatically change the passcode or destroy the encrypted data if a user doesn't access it within X days.
"Sure I'll give you the passphrase, judge. But the software has already changed it to something random, so it won't do you any good."
I wonder if there is a encryption software that allows for an alternate passphrase that destroys the data for good? "There, I typed it in ... oopsie, looks like its all gone"
@Spaceman Spiff- lol Thank god I kept my grandads old cigar cutter ;-)
@bruce Somewhat similiar case of a UK male ordered by courts to decrypt his data, albiet under differing circumstances and you have more than likely seen said article.
woops forgot the link for said article hxxp://bit.ly/8LYyh0 (El Reg)
The assertion that "The act of providing evidence is not protected" is functionally equivalent to testifying against yourself, in that you are forced to participate in your own prosecution.
I wouldn't cooperate. And yes, whatever that entails, no cooperation. The game is rigged, so GFY.
It depends on the jurisdiction on how a judge may view it. In general, my understanding is that the court can compel you to turn oiver something you HAVE, but not compel you to discuss something that you KNOW. That is, they can not compel you if you can claim the right to not incriminate yourself. A judge can compel you, for instance, to testify to what you know about someone else or some other situatoin that will not incriminate you. Or, if it could incriminate you as well as others, if they offer immunity.
I still want to start the 'Random Data Exchange'. Every day or two, you email someone about 30-40kb of totally random data.
And someone else, randomly selected, sends the same to you.
The end result is that everyone winds up with dozens of completely random data files. Since well-encrypted data is indistinguisable from random noise, ANY encrypted file becomes just another block of random data...
Reply to ZG
The alternate password you suggest might trigger destruction (scrubbbing) of only part of the data leaving only innocent looking files. "See, there are only my family pictures, some music , eBooks and private letters. Nothing to see here."
For an informed analysis of the legal issues, I recommend the following Volokh Conspiracy post:
The key sentence from that analysis: "[T]he Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password".
The author is an actual lawyer, not just someone who plays one on the Internet.
It seems to me that any policy requiring someone to divulge a password must either be unenforceable, because criminals can refuse by falsely claiming they can't produce it (for any of numerous reasons), or else entail severe punishments for completely innocent people who honestly can't.
Has this judge ruled yet on which of those he thinks is supported by the law?
Maybe a software designed to silently fail and wrongly decrypt the data upon introducing a wrong password, instead of alerting "Wrong Password"? You just give the judge a wrong password, the software runs and shows 100%, and you say "That's what I have on my laptop: pseudorandom bits. Prove me wrong".
@CSTAR - Thats an even better idea! We should start a company.
You can use truecrypt to hide one set of files within another, with different passwords revealing a different set.
> I've always wondered though where the burden of proof would fall if say I told them I had forgotten say a passphrase.
The judge gets to decide whether to accept your explanation (the burden of persuasion is on you), and IMO "I forgot the key" is unlikely to fly.
The penalty for contempt can be as much as a conviction, i.e., the judge can lock you up for the same amount of time that you could be imprisoned if you were convicted, but the imprisonment for contempt can only continue as long as you are able to comply with the order. If you can prove to the satisfaction of the court that you are unable to comply, then they are required to lift the contempt.
The solution therefore might be some kind of time lock, i.e., a passphrase is used to decode the data encryption key which is stored on the disk controller in non-volatile member. If the disk is not unlocked at least one per week, then the drive controller, powered by an internal battery, wakes itself up and erases the data encryption key, preventing the data from ever being decrypted.
To counter this technology, Congress or the state of jurisdiction would have to pass a law prohibiting the use of this technology. The net result would be that it might not be possible to convict you for whatever was on your drive, or hold you in contempt for not decrypting it, but it would be possible to convict you for using a forbidden technology that prevents your drive from being lawfully accessed.
Of course if there were only two passwords, the government (the Syrian one that is, the americans would never do that, and I really trust them a lot) could demand that you give them both. Its conceivable they could copy the images the disk other disks. To counter the (Syrian) government, you would have an option of picking an integer n (I'll pick 563) and having 562 bad passwords and 1 good one. When the (syrian) officials come at me I'll give them 466 bad passwords.
I don't think TrueCrypt would get by the (Syrian) government since they could easily require you to give them both the passwords. Am I missing something?
Read the actual judgement. It's pretty narrow.
The judge isn't requiring her to reveal her key. He's requiring her to produce unencrypted versions of documents she has admitted exist on the hard-drive. He goes further to give her immunity from ANY prosecution relating to those files (so they can't possibly incriminate her, hence the fifth amendment is not relevant).
If she had kept her mouth shut in jail and not admitted on tape that she possessed the documents and that they were on the hard-drive and that she owned the laptop, she would probably not be compelled to decrypt the drive.
So this case isn't really the precedent either way about decryption keys that people think it might be.
A physical analogy would be: if you hide some physical document somewhere and no one has found it yet, you're not compelled to admit that it exists (much less where it is) when asked. But if the state can prove you admitted to the document's existence and that you knew where it is hidden, then you can be held in contempt if you don't produce it. You don't have to reveal the secret hiding place (the passphrase, something you know) but you do have to produce the document (something you have).
"There is little question here but that the government knows of the existence and
location of the computer’s files. The fact that it does not know the specific content of
any specific documents is not a barrier to production."
"4. That on or before February 21, 2012, defendant, Ramona Camelia Fricosu,
SHALL PROVIDE counsel for the government in this case with an unencrypted copy of
the hard drive of the Toshiba Satellite M305 laptop computer, serial number
"5. That the government SHALL BE precluded from using Ms. Fricosu’s act of
production of the unencrypted contents of the computer’s hard drive against her in any
There should be 3 parts to the password. Each part is told yo a friend residing in a different jurisdiction. Once they independently assess the situation, they tell you/enter online their part of the password; you really don't even know the password. And the court can't ask for what's stored on the HDD as they have to order all the people residing outside jurisdiction
@some of the posters above:
Deletion on wrong pass just does not work.
You are being naive if you think like that.
The first thing when securing a hdd after all is copying it ... so any destruction on bad pass is helping you nothing! Same goes for destroying after x day not used. Thats just not possible... or only possible if your phsical media is volatile and will do this automatically i.e. some DRAM that is not refreshed for a few seconds will be completely lost.
On the contrary by actively trying to destroy your own data i.e. potential proofs of a case, this might have legal consequences for you even if not giving out your passphrases wouldn't have any.
(I don't even play a lawyer on the Internet, but I'll offer some probably-wrong discussion points anyway.)
If you refuse to decrypt, you can be jailed for contempt.
If you claim that you can't decrypt, but the judge doesn't believe you, you can be jailed for contempt.
If it is in fact true you can't decrypt, because you've done something (like destroyed the sticky-note on which your long and complicated passphrase was written) or because you've failed to do something (like disclose that the drive will destroy the encryption key on its own after some kind of timer expires), and a prosecutor can provide sufficient evidence to a jury that what you did or failed to do caused you to be unable to decrypt, then you can be indicted, tried, convicted, and jailed for obstruction of justice.
So if you want to avoid turning over your data *AND* stay out of jail, then you will need an explanation of why you can't decrypt the data which the judge believes and which isn't your fault.
Good luck with that. Judges aren't stupid. "I forgot" isn't going to cut it [hello contempt], and neither is "Ha ha you entered the wrong password and triggered the self-destruction sequence neener neener" [hello obstruction].
... all of the above first assuming that the demand for decryption isn't prohibited by the Fifth Amendment, which clearly it isn't in at least some cases, but maybe is in others. I think. Maybe. Did I mention I'm not a lawyer?
TrueCrypt offers a "hidden system partition" option. You can install your OS, encrypt it with one password, and then create a "hidden system partition" that is encrypted with a different password. When you're doing your normal work, you enter the second password. When you're being forced to enter your password by the government, you enter the first password. There's no way to tell if there's a hidden partition, so the government can't prove you're holding out on them. Just make sure you log into the first partition occasionally and update some files to make it look like you're actually using that partition.
Zach - thanks for the link to the judgment.
Regarding the judge's grant of immunity - your statement "He goes further to give her immunity from ANY prosecution relating to those files" isn't quite correct. The immunity only applies to the act of providing the unencrypted data, not to the data itself.
In other words, the prosecution is restricted from saying "Here's the incriminating file from the laptop, and we know that she had control of the laptop because she gave us the data." But they can say "Here's the incriminating file." And they can say "... and we know that she had control of the laptop because she said so in her taped phone call with her co-conspirator."
If the (Syrian) government has reasonable suspicion that there is a hidden partition --- governments (Syrian) are suspicious entities---- , I think they have "tricks" up their sleeves to get the second password out of you.
Also, regarding TrueCrypt's hidden partitions:
Yes, there's no way for the government to prove that the "clean" partition is a decoy. But they don't need to prove it. They only need to convince a judge. If the judge thinks you haven't provided the real password to get to the real data, he'll hold you in contempt.
Do you really think a judge is going to believe "Honest, I'm not hiding anything" any more than they'll believe "Dur, I forgot my password" ??
Do you really think your decoy partition won't have any evidence of being a decoy when subjected to competent forensic investigation? Things like file timestamps, URL histories, system logs, etc showing usage patterns that don't correlate with other evidence of how and when you use your laptop? Do you really think there won't be other evidence of the existence of incriminating material (such as, in the present case, a jailhouse phone call saying "oh yeah that's right it was on your laptop wasn't it")?
Good luck with that.
TrueCrypt isn't a solution. In fact, it may get you in more trouble.
Example: They have network logs showing that you accessed website X at 9pm on Tuesday. Your "fake" TrueCrypt OS shows no file changes or browser cache entries for 9pm on Tuesday. Therefore, the court has proven that you have another partition, and you are deliberately hiding evidence.
I'm with Eddie, et al, on Truecrypt's hidden partition feature. It's useless in any situation where your opponent knows anything at all about Truecrypt.
In fact, worse than useless: you had better use Truecrypt, and use the feature, so that you can give your opponent both passwords and avoid the consequences. Because "I didn't use the hidden partition feature" or even "I didn't use truecrypt" are no more believable than "I can't remember the passphrase".
(Also, "this is just random bits" is completely unbelievable ... even if true.)
I agree, TrueCrypt is not a full proof solution; especially against a "Rubberhose Attack" as CSTAR has implied. As far as convincing a judge, there does remain a heavy burden of proof on the prosecution to do such. If a judge is worth their salt, then just being presented with the argument,"This "random set of bytes" POTENTIALLY may be a hidden partition" should not be enough of an argument to sway such a decision; but that is just wishful thinking on my part.
Also, I agree with the point eddie made about having a competent forensic examiner. I think too many people use TrueCrypt (although easy to use and setup) and do not apply other best practices/precautionary measures with it; in some cases that is why in the end LE is able to make cases without even having to crack and encrypted volume. For example, lets say a user is using the encrypted volume feature, and all the documentation they may be generating is saved directly to this encrypted volume - well depending on the application being used to generate such documentation, it may be writing temporary copies elsewhere (somewhere in the clear).
As a side note - the idea of having some kind of self-destruct mechanism is possible, but not in the way mentioned so far.
If it's possible to access the encrypted data, then it's possible to copy the encrypted data. A self-destruct mechanism implemented in the encryption/decryption driver (like TrueCrypt) could only destroy the copy that it's run against; the attacker simply needs to have additional copies of the encrypted data to try, try again. Standard drive imaging techniques will do this just fine.
However, IronKey makes a USB drive where the encryption/decryption is done in hardware on the drive itself. The computer you plug it into can't access the encrypted data, and the drive will only provide the decrypted data to the computer after the computer provides the correct passphrase to the drive. Also, the drive can be configured to erase itself after a certain number of bad guesses - and again, this is done by hardware in the drive, not the computer.
If IronKey added a battery and a clock to the drive, they could implement the kind of self-erasing deadman switch that ChillyW hypothesized above. But it has to be done in the drive hardware, not in software on the computer.
I think in end, it depends on the person being put under the microscope, as to how much they are willing to give up for whatever they may be hiding, regardless of the circumstances of the case/situation. Very few are willing to challenge the laws that may be set in place, by taking a stance for what they may protest to believe in.
it's a good thing truecrypt offers a solution for this, which is handy if you like saying "how do you like them apples?".
Bashar al-Assad does not like apples, not today.
Here's an idea for a deadman switch that you could actually make work right now with a bit of effort.
Make your passphrase something long and random such that you can credibly claim it is too hard for you to remember. Write an app for your phone that stores and displays your passphrase, but which will securely destroy it if you don't use it once every X days. Be sure to disguise the app - maybe it looks like some kind of game, and to get the password to display you have to enter a secret (but simple) sequence.
When you get busted and the government seizes your laptop and phone and every other electronic device within sight, STFU and get a lawyer (who will also tell you to STFU).
You may still later get nailed for obstruction of justice if you don't take some kind of action to prevent the password from being destroyed, like telling the government "Hey, my password is on my phone and it's going to be destroyed tomorrow. You know, just FYI." Did I mention I'm not a lawyer? But at least they won't be able to get to your data.
"Write an app for your phone that stores and displays your passphrase"
stores -> securely stores
Whatever securely stores means is (TBD). Maybe you can contract Microsoft for a lovely app, j/k.
Obviously, this needs to go to SCOTUS, since previous rulings have said the 5th prevents forcing you to give a password.
The funny thing is that if SCOTUS says the password is not evidence, but a key that you have to give up, then just keep the key on a disposable USB, which you can easily destroy when necessary. You can't get hit with destruction of evidence, because it's not.
Re eddie: ideal would be a hardware encrypted device that allows a distress password that will replace the data key with the distress one and zero the drive. Look, empty!
@moogman - the burden of proof in the UK.
Nearly 20years ago the police came to give a seminar to us at Cambridge about that.
We asked how we could prove that random data from eg a Monte Carlo simulation, wasn't encrypted and we didn't have the key.
We were told not to worry because the law was only for terrorists!
@eddie - "IronKey is .... company located in Sunnyvale, California"
Which means that given a warrant - or just a quiet word from a 3letter agency - they will hand over the backdoor, or the debug tools to extract your password
The "nuke" option in an encryption product is useless - bitwise copies are usually made/hashed/signed by standard procedure. Nevermind the destruction of evidence issue.
Truecrypt's hidden volume is a nice touch... and one that could (in theory at least, given sufficient CPU) be recursed indefinately.
A model where external keyfiles that are auto-wiped if not accessed at least once every x amount of time interests me here - If I have been out of touch with my data for x minutes, perhaps I no longer trust myself not to reveal it. Possibly better is a trust model where an out-of-country accomplice is the only holder of said keyfiles for my machine.
If planning on being accused, (whether a criminal or just a person with strong views on privacy) it would be interesting to see what happens if said person seeds his/her residence with tons of media (CDs/DVDs/HDs/etc.) containing files whose sizes are multiples of 512, and whose contents were generated from /dev/urandom. If /boot is on a separate partition, it is nearly impossible (perhaps impossible?) to determine whether the remaining drive contents are encrypted or are simply random data. I like the idea of being able to tell judge+expertwitness+world truthfully and honestly: "It's not encrypted" when the judge is demanding that I decrypt it.
Use a passphrase like "Yesterday I killed 300 men and buried them on the desert" or "Years ago, I stole an apple from the store below my home".
Tell the judge you can't reveal the password because you would be incriminating yourself of **another** crime; appeal to the Fifth. Get out of jail. Done.
Here's another deadman-switch idea, based on a comment by John Fleming in the Volokh thread.
Store your secret data on a mountable encrypted volume, as opposed to using whole disk encryption (although you could certainly do that in addition). Write a script or program which mounts the volume, acting as a front end to whatever program is actually doing the mounting. Your front end will accept a passphrase from you (as usual), but will then XOR it with an internal secret key (hereafter ISK) to create the passphrase that it uses to mount the encrypted volume.
You also have to use the front end to create the encrypted volume in the first place. When you do, you provide the passphrase you want to use, and it randomly generates the ISK, then uses the XOR of the two to create the volume. But it doesn't tell you what the ISK is - it's kept secret even from you.
The front end is careful to only ever store the ISK in volatile memory under normal circumstances. However, you can give it a command to write the ISK to disk.
The front end is also configured to start automatically when your system boots, and upon startup, it reads the ISK from disk (if present) and then securely erases it, once again storing it only in memory.
So how does all this help?
Under normal circumstances, you can mount and unmount your encrypted volume by supplying your passphrase for the volume, as usual. However, before you shut down your computer, you must command your front end to write the ISK to disk. If your computer is shut down without you having done this first, then your encrypted volume will be lost forever.
This type of deadman switch would be most useful for computers that you expect to be left on all the time, like, say, servers, or maybe home workstations. The scenario is that the cops bust in while the computer is running and shut it down without your assistance (one way or another) in order to cart it off to their forensic lab where they'll image all the drives. It wouldn't help in various other circumstances, such as the cop on the scene demanding you mount the volume right there and then, or them seizing your laptop while it's powered down.
But in the case of a server, a deadman switch like this might not only protect your data, but it might also (maybe - I'm not a lawyer) protect you from an obstruction of justice charge. The data would be lost as soon as they shut it off, and (I think, maybe) you'd be under no obligation to tell them that.
Of course, the downside here is that if your system crashes or loses power, your data is lost. Oh well. It's a trade-off. Get a UPS and make backups (which you encrypt to a public key whose private component is a split secret between several trusted third parties in diverse jurisdictions).
Something to think about, anyway.
@n: "No, I'm not hiding anything: it's just I was using Firefox's private mode".
Anyway, you made a point. The thing with a hidden partition is to use it *exclusively* for your Very Bad Things(TM), and use the other one not as a decoy but for real purposes.
That's better said than done, though, because lately, the lobbyists trying to push things like SOPA and PIPA want to make illegal almost anything that doesn't render them revenue.
That type of functionality is built-in to products like BestCrypt.
Phasphrase + Salt Value (20-bytes) is hashed 1024 times, where result is the actual key for the volume being created (which the end-user will have no knowledge of). The 1024 iterated hashing is meant to slow down any brute-force attempts.
My understanding was that LE officers *don't* shut down computers they seize, in order to counter a scenario like the one you describe. The information they want might only be in RAM, and they don't want to lose it... so standard procedure is to hook the machine up to a UPS and cart it off, state unchanged.
Never experienced this myself, this is just what I've heard.
@cipherpunk: What I was contemplating was different from using salt or using multiple hashing rounds. It would be more like keeping the salt only in memory and not on the disk until the user purposefully shut down the system (note - the salt, not the encryption key or the passphrase), with the intention being that a non-purposeful shutdown would render the volume unrecoverable even with the passphrase.
Does BestCrypt do something like that?
Both are easily defeated with dictionary based attacks. This is why a mix of ABC, 123, !@# is a better idea than complete words.
@tom: Not applicable to things with a battery like laptops, but good luck trying to plug the system to a UPS without unplugging it from the power line first (maybe doing some electronics to the cord...).
You still could implement a network disconnection event handler which "forgets" the password after a period of time.
I'm surprised nobody has brought up the idea of chaffing and winnowing the encrypted data:
The idea is to have N (2?) disk images -- one disk image is the one you want to keep private, and the other N-1 are disk images you don't mind revealing.
Encrypt each image, block by block, with separate keys. Then, compute the MAC for each block, using the same key as the encryption key for that block. Then, insert noise, and interleave the disk blocks.
When the Syrian guy holds a gun to your head, you give them the password for the innocuous data.
As mentioned above, perhaps even have multiple disk images, with increasing amounts of interesting (to the attacker) information. Gain credibility with the attacker by putting up some resistance before revealing the key for one of the innocuous images.
For the local cop, reveal the key for the image with photos of kitties and fluffy clouds after he asks with a firm voice.
For the Syrian guy, wait until he waterboards you, and then reveal the key for a more interesting image -- one that they'd believe you'd protect until you're waterboarded...
Wouldn't that work?
The obvious solution, which I don't believe anyone has mentioned yet, is to have a very long, random password that is way too complex to remember, and have it printed out on a paper that you carry with you. If you find yourself in a situation where the encrypted contents of your hard drive might be used against you, just destroy the paper. As the cnet.com page referenced above says:
"Dubois said that, in addition, his client may not be able to decrypt the laptop for any number of reasons. 'If that's the case, then we'll report that fact to the court, and the law is fairly clear that people cannot be punished for failure to do things they are unable to do,' he said."
For additional security, you can conceal the password within a grid of random characters and read it out by following a memorized pattern through the grid. If you find yourself beginning to memorize the password, all you have to do is make a new grid with different random characters and follow the same memorized pattern through it to read your new password.
@it ", but good luck trying to plug the system to a UPS without unplugging it from the power line first"
Here is a product called Hotplug that lets you transport a live computer without shutting it down.
@Dr. Athe: I'm not a lawyer, but I suspect that any kind of password destruction accomplished by a deliberate act (like eating the stickynote you've written your password on) could be prosecutable as obstruction of justice or some similar thing. That's why I suggested a couple of different types of deadman switches, where the password is destroyed without you doing anything. I don't know if that would actually avoid prosecution or not.
The lawyer's comment quoted by cnet is referring to punishment for contempt of court. You can't be held in contempt for refusing to do something that you can't do. And if his client can show that she can't produce the unencrypted data - for one of those any number of reasons he mentioned - and can show it convincingly enough that the judge agrees that she can't do it, then yes, she can't be punished for failing to produce the unencrypted data.
But you could still be punished in your scenario for eating your password. It's a different type of offense.
Speaking of offensive, have you considered taking a shower? ;-)
Why make it complicated?
I would propose deception: Use two passwords, one of which only decrypts an innocuous subset of the data file.
Some files compress more than other, and compression schemes vary, so unless you make it really obvious if you plan it right, there is no way to determine if all encrypted data is decoded or not.
You could even onion-peel it, layers within layers.
I was reminded of this by an old Mac trojan script, that simply generated thousands of folders within folders until the maximum were reached and the computer crashed. You could not even delete the thing the normal way...
OK, never mind that - LWR above was a lot clearer in stating the same thing.
@malachi J: So they really do the wire cutting and such... interesting, didn't know about that, thanks for the info. Nonetheless, you could still do the network disconnection thing (which of course could be circumvented as well, with a rogue router for instance)
LWR, I think you need to learn the Revolver Ocelot school of interrogation, from Metalgear Solid:
"B-but I gave you what you wanted, you don't have to-"
"That's not how this works. I can't trust any information you give me until I'm sure you're not capable of concentrating hard enough to tell a lie. Don't worry, I doubt it'll take very long to reach that point"
It's comic #497 @ gigaville
Moogman: I think the judge's power of contempt is pretty much plenary -- there would be no burden of proof involved. Imprisonment for contempt can be indefinite, with little recourse for the victim.
Let's remember that there are methods that would not work if you were arrested by the Syrian secret police, but would if we are talking about LE in a Western democracy.
What a strange country where a judge can (ab)use his authoritative power and coerce you into revealing the password to your personal, privately-owned computer.
In Germany, the judge would face a mininum-6-month prison term (§240 (4) 3. StGB) for such actions.
No, BestCrypt does not offer that functionality. Good idea to consider. Good thing about BestCrypt is the company is from Finland I believe, where they emphasize in their FAQs that they have no obligation to any country to have or provide a backdoor in their tool. And they welcome anybody to prove otherwise.
You said "Use a passphrase like "Yesterday I killed 300 men and buried them on the desert" or "Years ago, I stole an apple from the store below my home".
Tell the judge you can't reveal the password because you would be incriminating yourself of **another** crime; appeal to the Fifth. Get out of jail. Done."
Wont work. A judge can simply say "Fine, I'll grant you immunity from prosecution on whatever crime you will admit to so long as we find it to be true."
Then you are off the hook for your 'admission' so you cant be prosecuted on it. So its no longer a 5th amendment issue, so you can give up your password.
In the legal system deals are often worked out where to secure another conviction they'll grand immunity for some actions.
Nice idea, but they've already got a way around it. And since they will not believe that your password will be a confession, they'll assume your lying just like 'i forgot'
Once again, the best solution is for everyone to have enormous blocks of totally random data - for which there is no key - lying around on their hard drives.
Of course, given any plaintext, a key (one-time pad) can be generated that will "decrypt" that random data into the plaintext.
Deadman switch has been done by CAPCOM and others. Do a search for "suicide batteries". Usually the way suicide batteries work is, the batteries supply power to a bit of RAM that holds a decryption table. This table is the key to decrypting the encrypted program stored in the board's ROMs. When the battery dies, this table goes away and the program code can no longer be decrypted. The CPU no longer has valid code to execute. The board stops working. See http://www.arcadecollecting.com/dead/dead.html
@C (Jan 25; 2:17pm): "It seems that providing the combination to a safe has always been protected, while providing the key to open the same safe has not been protected. "
What constitutes a safe? Maybe carry your laptop in a briefcase with a combination lock. OK, this might need to be in the hold of an aircraft because of 'hand luggage' rules. I concede this might not work in Syria.
I never understand the complaints against being told to decrypt data.
If you're arrested then you're in the hands of the law.
They can enter into your house, grab your bank data, track down assets worldwide and open your safe. Why do you think your password should be any different?
And all this us perfectly understandable and acceptable in any democratic country.
Why should people be allowed to get away with breaking the law?
And please don't turn this into some, "I've got nothing to hide..." argument.
United states v Hubble
"It is also well settled that compelled testimony communicating information that may lead to incriminating evidence is privileged even if the information itself is not inculpatory."
Truecrypt isn't a castiron solution but it does increase the burden on the opponent.
For example if I'm embezzling money then it's obviously better for my defence if my records are in a hidden volume that they can neither prove nor disprove than if they just had them in plain text.
It may well be that they could draw circumstantial evidence from what may or may not tally in your logs vs some remote server but that is far weaker evidence. I suppose you could even cast doubt on that by using a deliberately weak network connection, e.g. WEP and claiming someone else broke into your network and was trying to frame you.
> They can enter into your house, grab your bank data,
> track down assets worldwide and open your safe.
Yes, *they* can do all that. *I* don't have to do anything.
> Why do you think your password should be any different?
Because *I* would have to cooperate.
> Why should people be allowed to get away with
> breaking the law?
> And please don't turn this into some, "I've
> got nothing to hide..." argument."
It's more like an "innocent until proven guilty" argument...
> The first thing when securing a hdd after all is copying it ... so any destruction on bad pass is helping you nothing!
As if bit to bit copying an HDD were simple.
First, if to run the copying software, you have agreed to Windows EULA, even the original HDD has no place in a court of justice.
Two, to really copy an HDD, you have to have perfect knowledge of the HDD specifications, what is written in it and what is not written in it.
I would bet you a pint that I can create and HDD that cannot be entirely copied by those "hardware HDD copying machine not based on Intel processor" where all the software (from the reset vector, no BIOS nor SMM) is under a full liability license.
And I am not even sure those copying machine even exists, whatever the price you want to pay.
> Once again, the best solution is for everyone to have enormous blocks of totally random data - for which there is no key - lying around on their hard drives.
Those are "one time pad" encryption files: they exists (and are identical) in two different computers, and the sender of a message will give the needed offset to be able to decrypt said message.
As such, pure fully random (not pseudo random) file content that no intelligent person would ask to decrypt.
The UK's law goes further and gets sillier.
Although it does have the useful side effect of requiring everyone to be an English-Lit major and theologian.
Concerned that there may be secret messages that weren't encrypted - you are required to explain any text that may have a deeper hidden meaning.
So expect to have a long interview with a truncheon wielding plod about what this "to be or not to be" really means within the context of the text. If you have a Torah lying around you are probably going to be spending a couple of millennia explaining it's hidden meanings!
Remember the UK doesn't have a right to silence or self-incrimination.
The analysis is simple. If you have confidential data that does not implicate you in any wrongdoing, simply take a picture of yourself doing something illegal, and encrypt the picture along with the data. Then you know for certain that decrypting the data would incriminate you and therefore you should be protected by the 5th amendment.
If the supreme court fails to recognize the obvious, then a new tool for generating multiple decryptions out of one encrypted payload will defer the debate some other legal hair splitting.
If you want a random password that is probably not possible for you to remember, not written down, easy to destroy with no traces, but still usable, take a deck of playing cards. Shuffle them well, and use the cards themselves as a password:
Shuffle the deck, or drop it, and password is gone forever.
UK certainly does have a right to self-incrimination.
"[T]he Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password".
When did the 5th amendment become a privilege?
This is why you use Truecrypt deniable encryption. Give the court the decoy key or say you forgot the password.
So how could this be used against a law-abiding citizen? If I'm not involved in crime, but say I'm in a pro-peace organization that peacefully protests wars, and I'm arrested for protesting. Would it matter whether my hard drive, showing communication about the protest, is encrypted? It seems the "good fight" has already been lost since I could be arrested for such things and held indefinitely. So I wonder if there's any point to encrypting a non-moving hard drive in the first place, for those of us not involved in crime. Exception: portable hard/flash drives, since they could be stolen.
@chris S. You are looking at this from a good angle. Focusing on the individual misses something important. For example, The Wall Street Protestors/tea party protest and it's already been shown that law enforcement are monitoring and identifying who they are. Let's carry the exercise farther. Some protestor does something stupid, now law enforcement egged on by politicians grab an organizer and wants to know everything...then what? The government and law enforcement are gathering information..I would prefer to hope for good goals, but it only takes one bad apple to have access to all the data being gathered...or nixon/j edgar hoover... :(
Zach - that is not what the judge said. The prosecution can use the files as they see fit. What they cannot use against her is the process or act of decrypting the files. That adds zero to the case. Just because something in encrypted does not imply or prove a causal relationship to guilt or innocence.
@Chris S.: So how could this be used against a law-abiding citizen?
Ahh, but you not a law-abiding citizen. Books such as "Three Felonies a Day: How the Feds Target the Innocent" show example after example of how "law-abiding citizens" like you break the law every day.
3 hots and a cot! Don't forget to spread em so they can admire your rectum.
A criminal has no problem telling the court a lie. Having multiple passwords for different volumes, 'forgetting' your password, etc. are criminal activities.
The question for us should be, how can I maintain privacy using encryption in the U.S. without having to become a criminal?
The 4th Amendment allows a court to obtain and examine anything they want. If it can be proven you know where something is or it is under your control, you can be forced to produce it.
The 5th Amendment protects the contents of our mind from being used against us in a criminal matter.
I believe this judge got it wrong. He is saying the defendant must assist the prosecution in understanding what they have in their possession.
The 4th states the prosecution is entitled to the contents of the laptop. And they have that.
What they do not have is an understanding of what is in their possession. And they need the defendant to reveal the key to that information.
Let's suppose the prosecution has obtained a warrant for the contents of a file cabinet in the defendant's home. The defendant must provide them access to that cabinet so the prosecution may review its contents.
Suppose there is a paper within that file cabinet that says:
"Mr. A will tell Mr. B to transfer Alpha to Mr. C."
It seems obvious A, B, C and Alpha are codes designed to prevent the identification of the parties involved and what is being transferred amongst them.
The 5th clearly prevents the court from compelling the defendant to identify A, B, C or Alpha from his memory. (If the cross-reference keys were documented on a physical media, the court could compel the defendant to produce that media.)
Now relating this to the encrypted hard disk at issue. The prosecution has the contents of the physical media, but cannot understand. They need the defendant to help them translate the information they have in hand.
The 5th should prevent the court from compelling the defendant from having to provide that assistance. If it does not, encryption is of no use to honest, law abiding citizens looking to protect themselves from the government wanting access to their private documents.
The law themselves don't even follow the law, let alone teams of lawyers hired by corporations to twist it however they want (recall Apple hiring goons to pretend to be cops and search a guy's house/computer/threaten him) so why should any of us do so? They have zero respect for our rights and will leave us to rot using unlimited resources to find loopholes so who in their right mind wouldn't claim they forgot the password, and twist the law to their own benefit.
Try crossing the border and refusing to decrypt your hard drive see what happens. Indefinite detention without a trial that's what. How can this be? Loopholes in the customs act
-----BEGIN PGP SIGNED MESSAGE-----
Late to an interesting discussion. I proposed numerous solutions to these problems a while back on this blog. The common thread of my rubberhose-resistant solutions is that they require the user's action plus an entity/process outside of user control. Involving a citizen in a non-cooperative, foreign jurisdication possessing half the key or the authorization system helps. Here's a few for you all to chew on.
Method 1: Don't possess any visible encrypted data or do suspicious things at the house. Put the data in a TrueCrypt volume (convienence & anti-theft) on an easily hidden flash drive. Hide it well. Use other people's open or insecure WiFi's, change your MAC, and use a RAM-based Linux distro. You pretty much never run into your problem with the authorities that way.
Method 2: Store the brute-force resistant passphrase or key on a piece of paper in a location. If you know the seizure is coming, an accident (or crime) occurs that results in loss of that container's contents. House robbed, workshed vandalised/burned, wallet stolen, etc.
Method 3: Pay someone to pretend to be a client of yours. The encrypted data is the clients data. The filesystem, user and client each have something that is used to create the key. You can ask the client for their portion and they officially refuse. You cooperate with authorities all you want, but the foreign authorities don't. You legally "can't" get the data.
Method 4: Use a desktop and a desk. Put in some cheap (and highly reliable) computing devices with Bluetooth or IR ports. These aren't visible. The desktop listens for their authenticated signal (which is preferrably 1ft max). If all fail, it' permamently erases its portion of the key. Investigators and thieves often grab shit before you even have a chance to ask them what they're doing. This might get disputed in court with "he said she said" kinda BS. Unless the conversation with the police is recorded or you used the right to remain silent "as instructed by an attorney." Might get somewhere, might not. Also, one can drill through the bottom of the desktop & slip easily dislocated cords between the PC and monitoring devices.
Method 5: Portable workstation/desktop. Several methods of finding location built-in. TPM, etc. A foreign authorization system authenticates the system & checks its signed location data. The authorization system will only unlock the HD contents when it's in a certain location. Moreover, for security purposes, the firm doing this requires the user to enter the location alone & authenticate themselves & the area on camera.
Method 6: Tamper-resistant chips for keygen, key storage, and crypto operations. Chip is used by user's device for crypto stuff. Decryption requires user's authentication and onboard key material. The algorithm is unknown. Chip can be programmed to automatically zeroize itself after a certain period of time if the user doesn't perform a required action or upon remote command over cellular network. This might be deniable if the suspect was simply arrested and the erasure happens before interrogation or questioning.
Method 7: Deniable decryption. One person mentioned a one-time pad. Several have hinted at multiple decoy partitions in a sea of randomness. This has already been done in practice in UNIX-like OS's: Rubberhose. Bruce wrote about this here, with more interesting comments.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
Edit above to add:
Another trick is to intentionally infect your computer with a password or public-key protected trojan. Use AV info sites to name all the files, registry entries, etc. properly. Put the files you're guarding in an obscure directory. Put a bunch of shocking porn, anarchist writings, drug cookbooks, etc. in similar directories. The way you get to your files is a hidden USB drive or something. This also contains a program that randomly accesses sites known to be affiliated with malware infection, possibly posting random stuff from the directory & occasionally downloading text from somewhere like Rense. Maybe some decoy PC's routing C&C-looking requests through proxies in China & Russia.
The purpose? To make it look like your PC is infected & hackers are using it (or previously used it) to store questionable or illegal material. Generally, if the feds think you got hacked as part of a botnet, they don't treat you like your guilty of doing it yourself. Deniability. ;)
Nobody has remarked on this yet...
The court knows the files exist. Whether locked in a safe or encrypted does not matter. They can order them produced.
There seems to be an issue with how the court knows the files exist. It could well be fraudulent. They let somebody else off easy who agrees to testify such files exist. Now you have a difficult situation for the defendant...
We are looking at a fishing expedition. They are not saying produce file X. They want it all. That's disturbing.
There's the immunity. It's appears these files can be used against her for criminal prosecution. That's unusual. Normally immunity is granted against criminal prosecution. However independent civil penalties, either based directly off this evidence or for the mere act of decrypting, can then be brought forth. A catch-22. Either way you get destroyed.
Basically, your screwed. That's the American court system.
To all these people saying that a "killswitch password" would be pointless because they would have a backup of your drive. Isn't it obvious that the software would be configured to NOT pop up a window saying "Deleting incriminating files now".
The deletion would be silent and could be configured to only act on specified files, then the "safe" files could be left while the incriminating ones are deleted. Since it is an encrypted volume, there is no way for them to know how full the volume actually was.
If they don't know files have been deleted, then they wouldn't go restoring the backup to try again, they would just assume that the files they expected to find, just weren't there.
@Q - That is the point of having a lot of truly random files lying around. If you have a gigabyte labeled 'Random Grunge 1117650' and another gigabyte labeled 'Random Grunge 2234564', and if they're both random, there is no key.
If the file 'Random Grunge 1717449' happens to be something you'd rather the authorities not have access to, there's no way to tell it from all the others - And there is plausible deniability for pointing out there is no key to random data.
(Well, there is - As was pointed out, given a desired plaintext, you can easily generate a key that'll "decrypt" the random data into any plaintext you want. But that's hardly playing fair)
So again - If you're worried about law enforcement seizing and searching your computers, have lots and lots of random blocks of data on them.
Given the existence of a 'Random Data Exchange', it's not that unreasonable that you might have large, completely random, files on your hard drive...
And when they demand you give them the key to decrypt them, you can tell them there is no key. The data is random.
Of course, you might get thrown in jail anyhow, but how do you prove a negative? That there is no key? Most judges will be receptive to an argument along those lines.
@Nick N: "The deletion would be silent"
Such a thing would likely be one of the advertised features of the used software which renders it pointless.
Unless you program such a tool by yourself and can make 'them' to use it without prior analysis, assume that they know about any and all features of the software, including "silent deletion".
And even if your deletion actually happens (i.e., they are not using a suitably patched version of the tool), a simple hash comparison between the original/silently scrubbed file and its backup would reveal the tampering.
In fact, it would be really counter-productive if any tool ever implemented such a "sensitive files list" that you suggest.
What do you want: access to your files when your own computer/O.S. is currently running.
What do they want: off-line decryption of files, they cannot afford running your O.S.
Solution: the only decryption software wich will work cannot be run off-line; and booting your O.S. will always modify the HD content.
I'll say it one more time (to a probably dead thread, by this time). If the officer investigating knows about Truecrypt, all he has to do is ask for two passwords.
"There is no second password" (or "I forgot the password" or even "that's just random data") might be a valid defence in the US; I don't know. But the US would the exception. It is, most certainly and explicitly, not a defense in the UK. Those who campaigned against RIPA were quite certain of that. Yes, our law is that stupid. And of course it's also no defence anywhere where they use rubber hoses.
Intruders can't ask for something they don't know about, and if it's the government, they are not allowed to ask for additional incriminating but unspecified evidence. Warrants are not generally issued for fishing expeditions.
So the problem might be solved by encrypting your sensitive files with a private key, then send them to a friend via Skype with an index of metadata, then erase them locally, including the index and the Skype history. When it's time to retrieve something, ask the friend to send the index, then select what you need, then he sends it back, then you again wipe the history.
My deadman switch scheme:
First of all, your computer is physically wired to shut down and wipe the RAM if touched improperly. Make sure that the police can't just take it, it will power down if they do.
Two: To make sure you CAN NOT decrypt the drive if the computer is improperly shut down, at every boot a new key is generated, and the entire drive is reencrypted with it. This key is NOT written to the disk until you enter the current passphrase and a new one for storing the fresh key, encrypted.
Use multi-factor auth so that you need some USB key to do it. Plugging in the wrong one should also trigger shutdown.
Improper shutdown equals lost decryption key which means that you CAN NOT decrypt it. Thus, no "contempt". And since it's not you who powers of the computer or triggers the shutdown, there's no "obstruction of justice".
But if they get it while it's off and you know a valid password or you're next to the computer while it's on, they can probably get the password from you in one way or another.
I see people are posting fake scenarios where TrueCrypt doesn't work, but it can be made to work in all of them.
For example in the "we have network access logs, so we know you had activity that's not being shown between these hours" you're assuming that entire drive (and therefore all activity) is being encrypted, rather than just a single file or subset of files.
Also, there is no limit on the number of hidden files (and files within files) you can have, so "forcing" me to give you the password to my secondary container is useless -- I could have a hundred of them.
If you use TrueCrypt, what's to stop a court from using this to keep someone in jail for contempt of court essentially forever? Every time you give them the key for an encrypted volume, the court asks you for the key to the encrypted volume hidden inside this one. Eventually you'll give them the last key and they'll ask you for the next key. You'll say there's no more, the court will say it doesn't believe you, and then they can put you in jail for contempt because you can't reveal the key for a non-existent hidden volume!
@ Natanael L,
My deadman switch scheme
Both Nick P and myself have discussed "deadmens switches" at length in the past. Have a google back on it.
Some suggestions, firstly never ever store the key on semi-mutable memory it all suffers from a retention issue that means it cannot be reliably erased.
This also applies to fully mutable memory such as RAM which suffers "burn in" RobertT has given the details of what happens on the chip and how it might be accessed in the past.
The simple (but not entirely reliable) solution is to store the key as two seperate numbers that need to be added together or XORed etc to make the actual key. Each time the timer interupt comes around it randomly changes the values, such that the only constant is the "difference" or "shadow" that is the actual key.
To make it more reliable, don't actually store the key even as a shadow, what you do is if using AEs or DES or other similar encryption with a "key expansion function" is to store the individual round keys as shadows that get computed once.
A further trick is to actually store the shadow pairs in a couple of circular buffers who's lengths are different and have no prime factors with the number of rounds or each other. So for say a 16 round encryption one buffer is 17 long the other 19. You then keep the "base pointers" in registers within the CPU. You also arange that the constructed round key only ever appears in a CPU register and not even in the CPU cache.
Oh and when using the system you need a real "deadmans switch" my sugestion would be a simple preasure switch on the table leg which you keep your thigh pressed up against. If you think about it if you position your leg correctly, even if they put one through the back of your head they are not going to stop your thigh moving off of the switch, likewise for any less violent action. If you use the above key shadow scheme then the switch needs do little more than turn off the PSU.
Also if you want to make life difficult most computer Switch Mode Power Supplies (SMPs) have a fairly simple feedback loop to keep the voltages at the required level. A very simple circuit modification would make the PSU output a significantly different voltage, that would be quite detrimental to the computer mother board hard disks etc.
Thus wiring up the deadmans so it resets the CPU and then fritses the power supply levels will leave your "eager beaver fed" etc with a major problem...
Oh and just to rub it in the recipy for thermite is easily obtainable as is the design of current initiated igniters (ie magnesium ribbon used as an electrical fuse) if a lump the size of a harddrive unit is mounted above the hard drive with the platter side upwards and a "puddle dam" of fire clay to keep the molten thermite on top off the drive will efffectivly make the drive contents irrecoverable.
> "There is no second password" might be a valid defence in the
> US; I don't know. But the US would the exception. It is, most
> certainly and explicitly, not a defense in the UK.
I have found nothing in that UK law that forces you to hand over a password that doesn't exist. (Truecrypt hidden volumes are a completely optional feature that I, for example, don't use.)
Hence, while you likely cannot deny the existence of a particular Truecrypt container, you can plausibly deny the existence of a hidden volume within it.
The prosecution would have to face at least a minimal burden of proof before a convistion becomes possible - beyond a simple "we haven't yet found what we're looking for but we really really want to find something". In fact, the same burden of proof likely is required for the *first* password. The RIPA cases I have heard of, did not involve Truecrypt but rather other encryption products that use easily identifyable file formats (e.g., '---BEGIN PGP MESSAGE---' and the like).
Disclaimers: IANAL and I'm not talking about torture scenarios.
"Oh and just to rub it in the recipy for thermite is easily obtainable as is the design of current initiated igniters (ie magnesium ribbon used as an electrical fuse) if a lump the size of a harddrive unit is mounted above the hard drive with the platter side upwards and a "puddle dam" of fire clay to keep the molten thermite on top off the drive will efffectivly make the drive contents irrecoverable."
Great minds think alike. Thermite is my personal favorite solution to many digital forensics issues. Of course, it's less applicable here because it's a lot less safe in a household than tamper-resistant chips safely storing the key & overwriting it. As for chip burn-in, my designs have the memory regions regularly change & be overwritten. Simple solution that should work.
From all the half-knowledge that some people here display, I deduce that law enforcement will have rich pickings. (Quite a few people also get it.) Just let me state that crypto is not the solution as long as they can demand passwords, as quite obviously if they can demand passwords, they do not need to prove that you actually have the password (as that is impossible) or that that random looking data is encrypted (as that is impossible as well).
There are only two practical solutions:
a) Do not have the data on you and be able to prove it. E.g. random-wipe for data is out, always make sure to zero-wipe as last pass.
b) Make sure never to travel anywhere where they can demand passwords.
Everything else does not work. Accept it and move on. This is not a technological problem and cannot be solved by technological means.
I disagree. This is a combination of legal and technological issue. Some solutions I posted use multiple parties and jurisdictions to create systems where the owner *cannot* provide access even if they fully cooperate. The scheme, if offered commercially, would promote itself for protection of IP and classified information. Users would include big companies & government. That legitimizes it.
If an individual uses it, the court would have a hard time ruling they were guilty b/c their system was designed to be torture proof. That kind of thing is seen as a necessity for many individuals.
If the data is truly sensitive the only way is to make sure you dont even know the passphrase. If you never knew the passphrase you can never give it up.
* have all sensitive data in a encrypted partition
* when you want to access the data you call the password agency in a different country on the telephone
* you identify yourself and give the password agent your current ip address
* password agent connects remotely and accesses the webcamera
* you swirl the laptop around to show that there is no one else in the room with you, and that the room looks "innocent"
* once password agent is satisfied that the location looks legit, and he didnt see/hear anything to make him suspicious then the password agent unlocks the partition for you and mounts it.
I bet you could have a setup like this and sell it as a password escrow service or something.
Everything else does not work. Accept it and move on. This is not a technological problem and cannot be solved by technological means.
I disagree for a fairly fundemental reason but more importantly the problem is the legislators (as is quite common) don't understand the problem domain in it's totality.
That is whilst you cannot prove "you don't know something" you can prove that "you don't need to know something" and almost by definition this is what technology is all about.
Examples are, does a driver need to know how the engine works to drive the car? No. Does a typist need to know how either the typwriter/computer and the dictaphone actually work internaly to do their job? No. How about a person using an old style mechanical telephone or modern mobile/cell phone? No.
The list is almost endless, technology is almost always designed to hide the real functional details behind a much simpler to comprehend user interface so that the technology can be used by ordinary people not domain experts.
So I no more need to know the composition of the steel and forging process of making a hammer than I do of any other tool, the design is such that I can easily pick it up and as easily be able to use it to drive a nail into a piece of wood in my home.
For some reason we have not yet reached this transparent usability with crypto, and there almost appears to be a conspiracy to stop it being so. That is for some reason in general nobody seems to want to go beyond "something you know" stage and this is why legislators and thugish mentality types believe they will be able to extract it out of you...
If you think about it if you add a few more factors into the equation a system can be equally secure and knowledge of the encryption key ceases to be a requirmentt for the user.
The other factors being,
1, Something you have.
2, A place where you are.
3, A time at which you use it.
4, The way you use it.
So imagine you have a black box, inside of which is a tamper proof computer, which has the private key of a public key pair stored inside it as well as the hardware required to sit between the hard drive and your laptop/desktop computer and act as an Inline Media Encryptor (IME). It also has a communications channel so it can talk to other devices globally.
On the current assumption that Public Key Crypto is secure from attack. Then provided that the tamper proof computer is secure and it is not possible to get either the private key or other symetric keys out of it (only put them in) then it is quite easy to set up a secure system where the actual user has no knowledge of, nor has any need to know the actuall hard drive encryption key.
Put simply the users data administrator generats the public key pair, and puts the private key into the tamper proof device semi-mutable (Flash) storage and keeps the public key secure. They also then generate a symetrical key for use with the hard drive they also keep secure but put that in the fully-mutable (RAM) storage to load the data etc onto the hard drive. On turning off the device after loading the drive importantly the tamper proof device only has the private key in it.
If the device is captured by an enemy in the powered down state it is quite usless, even if the private key could be extracted it is of no use as the public key is unknown to the user, only their data administrator. The private key only becomes of use if the enemy also has copies of previous communications with the device from the data administrators key transfer agents.
However if we also use Diffie-Helman to generate a random symetric key for communications then even knowing the private key is of little use. So providing the user and data administrator are in different jurisdictions then using the legal process will be difficult at best.
But we can go better than this, the data administrator can use key transfere agents in multiple jurisdictions using a secret sharing scheme which needs M of N parts for the secret to be reconstructed. Thus the data administrator sends out to each agent one or more secret shares encrypted by the public key.
Importantly the resulting secret transfered to the tamper proof device does not need to be just the symetric key used for the hard drive it can be a whole host of information.
For instance the key might be encrypted under a time and location information as well as a user passphrase.
Thus to get the HD key the tamper proof device would have to be in a certain place at a certain time for the key to be recovered outside of that time or place the secret shares would be usless.
Importantly the user does not need to know either the time or the place when crossing a border they can be told that when they arive at their hotel etc.
Now as I indicated the data administrator can send several secret shares to each of their key transfer agents several shares.
This alows the agent to implement a duress protocol with the user thus the HD might require not just the key to the drive but individual keys for files etc the various agents can thus provide all some or none of the keys to the user.
Then there are a number of otther wrinkles you can add to the system. But importantly, all parties can show that they don't actually have the required keys, only secrets they cannot themselves unlock nore can anyone else, but importantly as they contain a time based component they have become usless because the tamper proof device will not accept them as valid.
It does not matter the size of your rubber hose or the length of time you can keep somebody detained, the tamper proof device does not care as it cannot be effected by either of them. Once the time period has expired the user, the agents and the data admin can hand over what they have it just won't do any good as long as the device remains tamper proof, and there are ways you can even ensure this after a given time widow as well...
Thus you have moved the problem into an area that the legislators and politicos let themselves down in virtualy every time in recorded history, they just can't cooperate with each other, let alone in a sufficiently timely manner. And even if they could there are ways to ensure they cann't as long as the device remains tamper proof for sufficient time.
And there you have it right at the beginning: The legislators do not understand the technology. That is the problem here. From the technological side, this would all be solved nicely, but until and unless the law does understands reality, this is meaningless. Hence it is not a technological problem as technologically this is solved.
Of course that does not include cases where the carrier of the data is willing to take everything the law can dish out. Then this is completely solved and hence not even a problem. But if that is not the case, then this is a legal problem, not a technological one.
http://xkcd.com/538/ really sums it up nicely: As long as it is acceptable to you to get beaten up and drugged, your data is already protected well by various technological things that can be done. But the problem here is that even perfect security does not spare you the torture as the law is (in some places) not in sync with technological reality. This clearly is a legal problem however, not a technological one.
All that tinkering with yet another unbreakable scheme just distracts from the real problem, namely that they can (and will) torture you even if it does not make any sense at all.
Deal with it, this is a case where life is unfair. Technology cannot fix that.
That the owner cannot provide the key is meaningless, as long as the law can demand it no matter what. And that is exactly the case here. After all, you could really have forgotten the password and there is no way for you to prove that. Consequentially, they cannot punish you for claiming so, right? Wrong. The law ignores reality and no amount of technology can fix that.
Just a little hint: How are you going to prove the scheme you describe is really what was used? Oops, you cannot. The crypto-area could still be encrypted with something else and the complicated scheme you claim has been used is just misdirection. So, no, just as you cannot prove that you really have forgotten that password, you cannot prove that you are cooperating fully (even if you are). And that is why this is a problem with the law, not the technology as you are required by these laws to prove things you cannot.
This is the kind of law that were used during the medieval with-hunts: If she swims, she is a witch an gets burned. If not, she is dead anyways. And that is what is wrong here, not some technical details.
@Gweihir: "That the owner cannot provide the key is meaningless, as long as the law can demand it no matter what."
They could *always* charge you with having yet another key, no matter how many keys you have already given, or, indeed if you even have encrypted files. Who knows what kinds of steganography you are using?
Same goes with torturers - you're simply screwed no matter what, even if you're completely innocent.
That, however, would make the whole discussion pointless.
The discussion becomes interesting when the prosecution has some proof requirements (legal, not mathematical -- which is a crucial difference!) before they can convict you for "refusing to decrypt".
Two defenses are imaginable:
- Denying the existence of data to decrypt.
- Denying the ability to decrypt.
The first would be rather difficult in most cases (although, as mentioned, I have yet to hear arguments "proving" the existence of a Truecrypt hidden volume that are found valid in a court). Clive's scheme is a solution for the second defence by a "timebomb" scheme (IMHO, there are simpler ways to accomplish this on a more basic level, but anyway).
Again, nothing can help you if they can just throw you in prison (or worse) for no real reason. But, in most jurisdictions, they cannot.
I agree with most of what you said. The thing is though that in many jurisdictions you can simply refuse to give up the key and they cannot hold it against you. Turns out this is far less of a problem for law enforcement than is often claimed. I had a chance some years ago to ask a member of the federal police task force for Internet crimes here about that and he basically said that most people were to stupid to encrypt or to do it right and that they were quite satisfied with just scaring the minority that got it right by investigating them. (This was about Child Pornography. The real kind, not "teen", or "lolita", or just nude pics, his words.) Given that they caught a guy yesterday in Germany looking at this type of "entertainment" in public on a subway on his tablet, I tend to agree. Most criminals are stupid in the first place.
But, yes, if they can demand the key, but have some requirements of proving that you actually can, then some of the elaborate schemes proposed here may help. Trouble is you cannot know what exactly will happen and which scheme to use. That said, I am not opposed to thinking about these schemes at all, I am just opposed to presenting them as reliable countermeasures, because they are anything but reliable due to unforeseeable non-technical circumstances. That is also why I call it a non-technical problem.
On the technological side, anything secure needs to respect KISS, and I think at least some solutions proposed here have left that far behind.
I've been following with interest the discussion of "technical problem vs. legal problem?" My take is that both are involved, at least in the USA.
Usual disclaimer: not a lawyer, and no deep knowledge; the following is from what I have read and learned from personal experiences, and may well be much flawed!
1. Contempt (the sanction used to compel production of evidence) is a kind of spooky area. In a contempt proceeding, there is no question of conviction or trial. The person held in contempt holds at every moment a "get out of jail" card, because (in principle) s/he can decide at any time to cooperate. I believe that for these reasons, contempt proceedings do not have the kinds of formal evidentiary rules that trials do. For this reason, some of the reasoning about "proof" in the comments here may not apply in the USA.
2. As far as I know, imprisonment for contempt is not limited to the sentence for the offense at issue, as one of the comments suggested. A friend was once threatened with indefinite imprisonment in a civil case, where no criminal penalty could have existed. And I remember a USA case in which a person was jailed for numerous years for refusing to disclose information.
3. It seems from my reading that courts will not apply the sanction of contempt against someone for failing to do what in fact they cannot do. Sometimes actual practice does conform to common sense, who knew? And much of the foregoing discussion has revolved around the question, "what does the authority believe you can and cannot do?"
So, a person facing a USA contempt sanction (like the woman in the news reports) would presumably prefer to be in a position, where she can persuasively maintain that she cannot decrypt the data.
It is here that system design considerations (such as those Nick and Clive have discussed) might be able to bolster the argument that decryption has become impossible. For such purpose, the more transparent the system is, the better! Perhaps the best mechanism would be a public internet service that stores keys, irretrievably erasing them under some defined set of circumstances. The publicly known characteristics of the service would attest to the impossibility of data recovery.
Naturally, this gets into all sorts of tricky cat-and-mouse games, and I wouldn't advise anyone to depend on such an arrangement without an exceedingly careful (and highly informed) risk analysis! For example, the key-storage service would need to be in itself trustworthy, and sufficiently beyond the reach of any potentially indicting jurisdiction that key erasure could not be preempted.
Of course, all this fairly academic. Those committing felonies - or appearing to do so - are at risk of losing their liberty!
... I am not opposed to thinking about these scheme scheme at all, I am just opposed to presenting them as reliable countermeasures, because they are anything but reliable due to unforeseeable non-technical circumstances. That is also why I call it a non-technical problem.
Ahh I think you missed the point of my scheme.
If you look back I said it was not possible to show you did not have the password, but it was possible to show you did not need to have the password.
Law is at the end of the day about "acceptable custom and practice" within society (effectivly morals pluss). As such the law changes all be it slowly to reflect societies changing.
For instance look at murder, the laws became steadily more and more strict and the punishments more draconian. But societies outlook changed away from an "eye for an eye" executions to life imprisonment (arguably a more draconian sentance) but in more recent times we accept that killing somebody is actually not unjustifiable. For instance a spouse subjected to long term abuse may eventually break under it and strike out, likewise with children and parents. We accept that sometimes the murderer is themselves a victim who has suffered far worse than a quick but violent end.
Society changes and the law plays catchup and is usually about twenty to fourty years or two generations behind (which is normaly a good thing).
The point of my system was thus to show repeatedly to the powers that be that indeed it is actually quite possible and importantly "reasonable" to not know the key, in the same way a driver does not need to know how a vehicles engine works.
Thus in time with the scheme or one similar it becomes "acceptable custom and practice" and thus "reasonable" in societies mindset.
And a judge or other official acting contary to this is thus behaving "unreasonably" to societies norms this creates a problem as the law will start to lose the respect of society and as such will lose it's authority. And as this cannot be alowed to happen the law will (as it has in the past) either become fallow or be superseded with time, usually to reflect the societal outlook.
Unfortunatly in recent times there appears to be an attempt on behalf of some to prevent societies attitudes changing by the process of instilling fear in the populous by sowing uncertainty and doubt and causing confusion in peoples minds to prevent them thinking about it (ie 9/11 response).
In the past a "closed society" would develop a state security system to do this by turning friend against friend, neighbour against neighbour and even child against parent. Historicaly the limit on this power was the cost of the surveillance both in terms of hard resources but also in human terms as well. In most cases this eventually led to revolution of one kind or another. We are still seeing this with the likes of "Arab Spring".
Again in the past an "open society" would suffer some event and security would be rampped up only to die away relativly quickly as the cost on resources made it prohibitavly expensive to the voters.
Sadly technology has become a "game changer" the power of technology is increasing way faster than the cost of the resources. In fact it's cost is now so low we can appear to give it away for free, because the information that can be gleened from it's use by ordinary people has a commercial value greater than the cost of the technology.
Governments have quickly realised that this is state or world wide surveillance for free, simply by passing laws to give them access to both the raw and processed data.
Thus technology has reached the point where it's effects are greater than even the law, and unlike times past the aims and objectives in gathering such information is stronger for commerce than it is for politicians.
The question from history then arises about societal uprising in the form of "luddites" smashing the technology that has caused them harm...
The 5th Amendment of US Constitution clearly put burden of proof in criminal case on Law Enforcement part of Executive Branch or/and Judicial Branch, not on the suspect (during interogation) or/and the defenedent (during the trial).
The existing practice of 'contempt of court' or 'obstructing of justice' applied to the accused person which refused to cooperate with any Government autority including Court in collecting, obtaining, producing, facilitating (e.g. providing key to the safe or key to decript files) ANY evidence (or not only oral tesimony)which lead to conviction is pure unconstitutional and just draconian.
Court may order Law Enforcement Agency to break the safe, decript the files and put cost on defendant which is not cooperating. Defendants cooperation is his/hers free choice, not duty to provide any incriminating evidence against him/herself under the intimadation of 'contempt of court' or 'obstruction of justice' jail time.
This seems like an idea case for using something like Ross Anderson's "The Eternity Service" ( paper here http://www.cl.cam.ac.uk/~rja14/eternity/...
It's a nice way for storing data online in a random and largely anonymous way.
Appreciate your thoughts, especially related to contempt.
@ vasiliy pupkin
There's a difference between legal theory and practice. I'm not going to bet everything hoping a judge doesn't screw me over, as plenty of people have been. Instead, I'd rather not have the capability to comply, which is more defensible. Where there's a defense...
A little trick i use is a modded controler board.
i have certain pins swaped on my drives...& the same pins swapped on the cable...
so if my drive is removed from my pc & plugged into somwhere else...the whole dirve shorts out...
poof...data sorta gone...unless they dissemble the drive & are carefull enough to move the platters etc...but the logic baord/controller holds the encryption key, so all they will have is the encrypted data
I remember something like this in the book Crypronomicon. But in that particular scenario, the cards were used for encrypting communications between prisoners. Thanks for reminding me. I could just see the TSA playing with stolen cards too.
What is the purpose of the 5th amendment? It's not to prevent self-incrimination - people are allowed to confess. The purpose is to avoid torture and pressure being applied to the suspect, to prevent the police becoming cruel. It seems to me the "right to remain silent" should be absolute.
Disturbing trend found while using iron key
paypal did not like fact I was using a "proxy" and shut down my account
upon calling them they told me they reduced password complexity from
32 char to 20 char .. Huh... and will not allow me to use there service while
using my iron key though I explain I travel and use this as security ..
I have a paypal OTP and this did not matter to them.. WOW..
Similiar problem found while using iron key with craig's list .
they prompted me to enter a real phone number. no VOIP etc.
basically they are requiring me to be tracked.. Same with paypal.
Not cool with this. Don't post much but thought this was a thing worthy of alert.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.