Encryption as Evidence of Criminal Intent

An appeals court in Minnesota has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.

I am speechless.

Edited to add: The complete text is online.

Posted on May 26, 2005 at 8:17 AM • 73 Comments

Comments

Joe • May 26, 2005 8:52 AM

This really isn't that big of a deal. This is the same as finding a guy in a car, driving around a residential neighborhood slowly, and finding a ski mask, lock picking tools, and a flashlight in his car. Everything is legal, but may be admitted in court to try to prove criminal intent.

One piece of evidence alone will not help a prosecutor very much, but if you can get enough pieces of the puzzle together, the picture becomes a lot clearer. FWIW

egeltje • May 26, 2005 8:54 AM

No, the browser history was.
But the mere presence of encryption software was enough. He was finally convicted on the statement of the girl and his browser history (still pretty thin evidence...).

Clive Robinson • May 26, 2005 8:57 AM

Without knowing the full ins and outs of the trial, it would be difficult to understand why the Judge made the comment.

However, as a general rule, people who apparently make idiotic statements about a concept either do not understand it or have been given a very biased explanation.

I would like to believe the latter in this case.

trixter • May 26, 2005 8:58 AM

I thought I read that in that case the 9 year old he was taking pictures of testified that he paid her money to photograph her nude and the fact that the person who did the forensic analysis of his system noted that he had pgp installed wasn't that important in that case.

EnCase was the commercial software used to generate the report, that works by comparing all files on the system to a hash database to identify the files, anything that is unknown is manually inspected (if the person doing the audit has a clue anyway).

Now I don't have all the facts of this case because I am not going to pay to pull all the documents from pacer. But this quote is at least a little disturbing:

"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.

They did say however:

Rather, Levie's conviction was based on the in-person testimony of the girl who said she was paid to pose nude, coupled with the history of searches for "Lolitas" in Levie's Web browser.

Ultimately it's up to the jury to decide, not the courts and that is the right thing to do in most cases. He should not be let go just because they said he had pgp on his system. In fact had he gotten a new trial over this odds are with the in-person testimony of the girl herself, he would have been convicted again. With or without pgp.

With that said this does set up a trend that in itself should be investigated in future cases, mere possession should not be the only thing that causes the conviction, and in this case that was not what happened despite the people that insist that is the only reason he was convicted.

It was ruled by the court that possession of encryption software can be admitted as evidence, nothing more. Not proof of guilt, not the reason he was convicted, not anything else.

I do think the court was wrong to say that in *this case* possession of pgp was relevant to the case at hand since they provided no evidence in trial (all an appeals court can look at) that pgp was ever used. But this is also not the first time that irrelevant "evidence" has been used, there are cases where possession of a t-shirt was used to say the person must have committed a computer crime (specifically a defcon t-shirt), so this tactic is nothing new, and if anything should be challenged it should be the use of totally unrelated information to try to sway the jury.

Possession of crypto software can be valid evidence, albeit circumstantial. If a specific program is used to encrypt data and they find that program on the target computer (perhaps a trace by IP or something similar) now they have 2 bits of circumstantial evidence pointing to that system, its IP at the time the offense occurred as well as the program that was used to generate the data that was part of the offense.

This is also not the first time that pgp specifically but other crypto programs have been used as evidence. People have sent encrypted data, and upon a raid they noticed the pgp program and the local files, the person revealed their key which was enough to decrypt the message and the whole of the content sent, fact that pgp was on the system, etc were all evidence. And it seems logical in those cases.

phizm • May 26, 2005 9:03 AM

It's stupid because there apparently weren't even any encrypted files involved in the case, but isn't having a brain/memory that stores information/secrets evidence of criminal intent anyway? Aren't we all just guilty but just don't know it yet?

_Can_ the National Security Agency break PGP?

BillW • May 26, 2005 9:05 AM

That's not really what he said in the quote. He said it was relevant and therefore admissible.

Evidence is not the same thing as a coherent case of guilt, is it?

clive robinson • May 26, 2005 9:07 AM

@trixter

I would have to disagree, after all if the prosecution said "they had a stack of envelopes that could have been used to send photographs through the post" and thereby attempt to argue distribution or some such

It would have been laughed at in court, and not just by the jury...

Heiner Meiners • May 26, 2005 9:07 AM

Speechless, but not surprised. We here in good old Europe wonder what is going on in the US of A. Years ago anybody here wanted to travel to the US, the land of freedom. If you ask people here today, no one wants to go. And that is true for many people I know.
It starts with all the data that is logged in the US whenever you enter a plane that comes near the US. It continues with the fingerprint taken at arrival. You think I'm a criminal? I can go without you!
Then there are the war against Iraq and the Guantanamo prison. Who do you think you are, Mr. Bush?
Here in Germany the US regime is more and more seen as an evil state. It's a pity for all Americans, but your government will continue in this line. Everybody is a suspected criminal until proven otherwise. You have something to hide? You must be criminal! The court ruled in the line of the government. And I'm afraid it will get even worse.
The US government is overreacting like in the McCarthy era.
I just wanted to give you a hint how the US of A are currently seen by the normal German/European people. Everybody here wonders why the wonderful citizens of the US accept all this crap.
Kind regards
Heiner

Anonymous • May 26, 2005 9:17 AM

Of course the presence of encryption software "may" be evidence of guilt.

Suppose that someone were prosecuted for sending threatening messages, and that those messages were PGP-encrypted to the recipient. Then one thing you might reasonably expect the prosecution to establish is that the defendant does actually have access to PGP. A copy of the software on his machine would therefore be evidence for the prosecution, just like his possession of a computer, and his use of an internet connection. But very few journalists would characterise this as "possession of a computer may be viewed as evidence of criminal intent".

If our hypothetical criminal was somehow dumb enough to sign the messages using a private key also on the machine, that might even be the evidence which swings the case. But again, so what?

This ruling doesn't sound like it sets a precedent, so if you reckon that in this case the prosecution was indeed acting out of line in introducing this evidence, I think you need to be a bit less speechless to put your point across!

Israel Torres • May 26, 2005 9:20 AM

"the presence of encryption software on a computer may be viewed as evidence of criminal intent."

... and everything private should be encrypted... funny that.

Israel Torres

Bob Monsour • May 26, 2005 9:29 AM

Here's a link to the decision from the Minnesota appeals court site:

http://www.lawlibrary.state.mn.us/archive/...

One of the 5 issues that the court addressed in the case was: "Did the district court err in admitting evidence concerning appellant’s internet usage and encryption capability for his computer?"

While I am quite surprised that they took the position they did in claiming that the evidence "was at least somewhat relevant to the state's case against him", the surrounding text seems to indicate a high level of reluctance on the part of the appeals court to reverse relevancy judgements. This, coupled with the fact that there seemed to be a large amount of evidence of the actual wrongful acts, seemed to leave the court too timid to reject this claim of admitting irrelevant evidence. That said, this seems to be a slippery slope of what is "considered evidence of criminal intent" (note that the appeals court did not use this language; it was the CNET article that chose these words).

Clive Robinson • May 26, 2005 9:40 AM

@Heiner Meiners

I know that the UK is geographically not really part of the European Union and in other respects as well ;)

But the UK has the RIPA (regulation of investigatory powers act) under which you can be sent to jail for at least 2 years simply for not revealing your encryption key.

It was pointed out before it became an act of parliament that the way it was written somebody only had to send you an encrypted message (with a random key) for you to go to jail...

Just to make it worse, you were not allowed to talk to anybody about it...

So no it's not just the US of A that appears to be slightly out of whack with the common perception...

Oh and we are now expected to pay 180USD equivalent for a National ID card we don't want...

Tim Vail • May 26, 2005 9:47 AM

Israel:

""the presence of encryption software on a computer may be viewed as evidence of criminal intent."

... and everything private should be encrypted... funny that."

But nothing should be private.

Anonymous • May 26, 2005 9:53 AM

@Tim Vail
"But nothing should be private."

Privacy is an illusion.

PeteM • May 26, 2005 10:00 AM

"An appeals court in Minnesota has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent."

I've just read through the ruling and nowhere does it say that "the presence of encryption software on a computer may be viewed as evidence of criminal intent".

It said that the presence of this software was admissible in court and that then the court “should rely in the last analysis upon [its] own experience, good judgment, and common sense.”

In other words whether the presence of this software indicated criminal intent was to be decided by the jury/court. What exactly is wrong with that?

Maureen Hay • May 26, 2005 10:06 AM

@Clive

Circumstantial evidence is a chain - if I were being charged with mail fraud, the fact that I had thousands of envelopes on hand would be considered evidence. Not enough to mean anything on its own, but in combination with other evidence...

Arik • May 26, 2005 10:19 AM

IMHO, the only way to fight this kind of inference is to encrypt the Internet and our PCs

I mean it. Design each and every Internet protocol to be encrypted by DEFAULT. DNS queries, SMTP transactions, HTTP transactions, P2P queries and transactions, IMs, EVERYTHING. Install encrypted filesystems by default.

The technology exists, it is just not set-up by default, and is usually non-trivial to set it up that way.

There are obvious downsides, but in most cases they are outweighed by the advantages.

-- Arik

Heiner Meiners • May 26, 2005 10:27 AM

@Clive Robinson
> I know that the UK is geographically not really part of the European Union and in other respects as well ;)

Well, the UK took part in the Iraq war. Their parliament is giving terror warnings as frequently as the US government is. Same paranoia there.

> Oh and we are now expected to pay 180USD equivalent for a National ID card we don't want.

Same here, because "they" want biometrics on the ID. And who drives us to have this? The request for this by the US government!

Mexico(?) did the right thing by requesting fingerprints from all US citizens entering the state! We should do the same. And request the flight passenger data as well. Maybe this would help waking up the people in the US.

Heiner

Gordo • May 26, 2005 10:39 AM

@Heiner Meiner

Yes, as an American, I agree with you. The current administration seems to be steering us in the direction of a police state (and at what cost, and with what REAL benefit to security??). Many here are very unhappy about that.

In this particular case, of course the prosecution couldn't reasonably argue that the presence of a browser or email program could be evidence of criminal intent, because everyone has those things. But the prosecution, IMHO, unfairly took advantage of some public/government perception that the presence of encryption software is somehow sinister, and the courts weren't bold enough or rational enough, to object. What if the guy had been running Mac OS X, with FileVault (an option for an encrypted filesystem) built right into the OS? Pretty scary precedent. I can only hope for a legal test in a more sane court.

G

JohnJ • May 26, 2005 10:48 AM

Windows XP has file & folder encryption built-in. I'm not commenting on how effective it is; just that it exists. So, is that an automatic circumstantial nail-in-the-coffin for anyone suspected of a crime that might involve a PC?

Jarrod • May 26, 2005 10:54 AM

The section of the opinion that deals with this follows:

"Appellant first argues that he is entitled to a new trial because the district court erred in admitting irrelevant evidence of his internet usage and the existence of an encryption program on his computer. Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. ... And rulings on relevancy will only be reversed when that discretion has been clearly abused. ...

"Appellant argues that his 'internet use had nothing to do with the issues in this case;' 'there was no evidence that there was anything encrypted on the computer;' and that he 'was prejudiced because the court specifically used this evidence in its findings of fact and in reaching its verdict.' We are not persuaded by appellant’s arguments. The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him."

Put in context, it does seem to be relevant to the case, but nowhere does it say that it is evidence alone of criminal intent. Note that this opinion is considered a published opinion, meaning it is intended to be used more fully as precedent, though the precedent intended is mostly about double jeopardy. The section on encryption is not widely encompassing, and indeed doesn't even quite deal with encryption, but instead the right of the trial court judge to allow or disallow evidence as relevant as he sees fit. Allowing the trial court judges leeway without them worrying that every single decision they make is going to be second-guessed by the next level is an important part of the judicial system.

It is important to keep watch on these kind of decisions, but the panic responses that often follow news stories about these kinds of decisions do not help. If there are reasons to believe that the trial court judge abused his authority in allowing the presence of PGP as relevant evidence, then bring them forward. Such discussions are far more constructive in general.

x • May 26, 2005 10:54 AM

I use BestCrypt to encrypt all my (legal, non-sicko) porn. Should I just go ahead and turn myself in now?

Christian Romney • May 26, 2005 11:17 AM

Actually it is Brazil demanding fingerprints of Americans, not that this has anything to do with the topic at hand.

Of course the NSA can break PGP, though I'm sure not with the ease you see Chloe and Edgar do it on "24". :)

The ruling is idiotic. The government is run by people who, by and large, are completely ignorant of these types of issues. The defense was remiss in not getting the likes of the EFF involved or calling Mr. Schneier as an expert witness. ;)

Just the same, I'm glad the scumbag is in jail and if he were in Florida we'd throw away the key.

RvnPhnx • May 26, 2005 11:30 AM

@PeteM
"In other words whether the presence of this software indicated criminal intent was to be decided by the jury/court. What exactly is wrong with that?"

Apparently we all aren't extremely intimate with the knowledge of what Minnesota evidentiary admission rules are, but I'll hazard a guess that--like most USA courts--a fact or object is not to be admitted into evidence _unless_it_is_germane_to_the_charges_at_issue_ in the court case. In other words, the Trial Judge and the Appellate Court both believed that the mere presence of encryption software on the defendant's computer was an intrinsic part of constructing the case against him. It does not mean that encryption software alone could be used to construe guilt--it means that it is considered to be an essential part of the case against this man. This is what is really most disturbing. The encryption software could not possibly have anything to do with conversations had between this man and the child involved unless the conversation was in some sort of electronic communications medium (usually other than a telephone)--and if this was the case I have not found it noted yet.

Now, I have looked at the Decision, and all I can say there is that apparently it wasn't properly presented to the jurists that a browser history is not usually encrypted--nor that such encryption which does happen in web-browsing programs under normal types of use happens at the recommendation of the Federal Government (and others) and only affects the actual communication stream. (I ignore stored passwords here, since those are often considered to be separate from the actual act of using the internet according to most reasonable people.) This information, if it had been properly presented to the jurists, would likely have resulted in a much more useful guidance as to the issue of the use of encryption software as evidence of anything.

Davi Ottenheimer • May 26, 2005 11:33 AM

"was at least somewhat relevant to the state's case against him"

Along that line of reasoning, the presence of a computer and a camera are somewhat relevant to the state's case...as the article suggests with OSX, does a computer itself now show criminal intent?

I have worked on computer forensics investigations for years and I once went to an EnCase course to get the inside scoop on their proprietary tools. I wasn't surprised to find the school attended mainly by law enforcement officers who were new to technology, but I was surprised that the Instructors spent more time discussing how to navigate the courts and convict child pornographers than how to ensure a sound technical conclusion. You'd be amazed how skilled the officers can become at proving guilt when there's little or no evidence to back it up. In retrospect, technology represented the unknown for many of the officers and it was clear that they feared anyone who appeared to embrace it faster than they could (most police departments are only just allowing younger more-qualified officers to have a hand in their information technology, instead of using an antiquated pecking order to nominate who gets to be on the "cyber" team).

This also reminds me of some cases in the late 1980s where police were accused of using excessive force (battered doors, guns, dogs, etc.) to seize BBS equipment, all because they suspected intent by operators to distribute illegal software and images. There was a quote (that might have been urban legend) about how afraid the officers were when sent to arrest the uber-hackers, as if the computers were some sort of evil machine where one touch of the keyboard could bring out super anti-cop robots. One can only wonder what the Judges think of encryption.

I am also reminded of early talks on the benefits of PGP, in light of police death squads who would terrorize peace workers to get lists of anti-deathsquad informants from computers. And then there was the famous case of the anarchist who police arrested on a train in Europe only to find that he had encrypted all his data with PGP. In that sense PGP did get a reputation for being a tool to protect against search and seizure...

So perhaps a good speech to the Judges would be something along the lines of "We will not be driven by fear into an age of unreason." (Edward R. Murrow)

Don Snabulus • May 26, 2005 11:45 AM

Using a web browser is evidence of criminal intent because it contains encryption software. All Internet users are under arrest and are hereby ordered to move away from the keyboard, place your hands on your head, and await the arrival of the authorities.

Of course, that scenario is ridiculous. However, this is yet another example of how corporations and public entities enjoy rights that private citizens don't have. If PGP is bad, so is SSL.

PGP is like a gun. Owning a gun does not mean that you are a murderer or a bad person. Matching a PGP key (if such a thing can be done) to an encrypted file would be the equivalent of doing ballistics testing on a gun.

I think ignorance of how computery things work was at play in the judicial ruling. Corporate interests are using this ignorance to push through badly-reasoned laws such as DMCA that threaten to turn commerce into a giant legal bottleneck.

carsten • May 26, 2005 12:03 PM

would be interesting if they could use this in the Enron case and go back and see if any of those guys used encryption and add that as evidence

Keith Schwalm • May 26, 2005 12:46 PM

This is the first step in the wrong direction. There has for some time been light discussion about relating the idea of "burglary tools" to possession of tools used in malicious cyber activities. It was always discussion though, recognizing there is no relation unless you really stretch it and proving intent is far too difficult. There are certainly pros and cons to doing it, but it never seemed to have legs.

Now, a court in Minn. has said otherwise. I would imagine it will not be long before that court recognizes possession of any tools identifying criminal intent as enough PC for further court ordered action.

It is a slippery slope!

--
-Ke

Daniel Cid • May 26, 2005 1:22 PM

@Christian Romney

"Actually it is Brazil demanding fingerprints of Americans, not that this has anything to do with the topic at hand."

Brazil only started demanding fingerprints of Americans AFTER the USA added Brazil in their "non-trust" list. Btw, Brazil only demands fingerprints of American people, no one else (keeping a good diplomatic relation --you fingerprint us there, we do the same here)

Daniel Cid

Damien Neil • May 26, 2005 1:56 PM

The court has ruled that admitting evidence that the defendant had encryption software on his computer is not sufficient grounds to overturn a conviction. This is not at all the same thing as saying that possessing a copy of PGP is evidence of criminal intent.

Note again: The court is ruling on whether or not to overturn a conviction. The conviction was based on a variety of evidence, of which possession of PGP does not appear to be a significant part. The question was whether the prosecution introducing the possession of PGP as evidence was sufficient grounds to force a retrial.

Ray • May 26, 2005 2:03 PM

"I know that the UK is geographically not really part of the European Union and in other respects as well ;)

But the UK has the RIPA (regulation of investigatory powers act) under which you can be sent to jail for at least 2 years simply for not revealing your encryption key."

Not anymore, thank Loki.

http://www.linuxsecurity.com/content/view/119193/

Scote • May 26, 2005 2:07 PM

If the mere presence of *unused* encryption capabilities on one's computer can be used as evidence of criminal intent, then imagine how criminal it must be to *write* encryption software.

I think our illustrious host is scr*wed under this new standard.

Smog Farm • May 26, 2005 2:09 PM

I guess that means having a Windows OS (EFS, Passwords, VPN, etc) indicates criminal intent as well.

Mark • May 26, 2005 2:10 PM

The mere presence of encryption software on a computer as admissible evidence of criminal intent is ludicrous. If this were the case, then every laptop computer used by employees at my company has evidence of criminal intent and should therefore be confiscated and evaluated. My company uses encryption on all laptop computers to assure their clients that should the laptop be stolen or otherwise "procured" the client data will not be readily available.

And what's this about the search word "Lolita"?!? Are you telling me that you can't research movies and books of the same title? What other illegal search terms exist? Can my children not investigate subjects that are "pre-teen"? What the hell is happening here?

I know, maybe we should institute a state or government controlled internet proxy that tracks all search activities of all people who use the internet. Then HLS (or whomever else it is that is interested in being the morality police) can regulate and investigate all "heinous" criminal searches. You know, I bet they could get help from the Chinese, as they are already doing this....

Stefan • May 26, 2005 2:20 PM

Coming from the state that elected Jesse Ventura governor, I can't say it's very surprising.

A Reader • May 26, 2005 2:30 PM

Not a lawyer but The Security And Freedom Through Encryption Act of 1999 specifically contains a provision stating that the use of encryption IS NOT probable cause to suspect criminal activity.
So I would think the appeals court would have a few words of comment on this case of "premature adjudication."

Jonathan • May 26, 2005 2:41 PM

To my mind, this is very similar to obtaining evidence that someone was running a drug lab in his or her house, and adding the fact that he or she had a lock on his or her front door to the case, even though it wasn't used.

Could the lock have been used to prevent people from getting into the house? Yes. It can also be used to keep out criminals.

The bottom line for me is that there's no evidence (at least from the story writeups) that encryption was used in the commission of any crime. It seems to have been included in the case solely to paint a picture of someone who thought he had something to hide from the law. And that, to me, is a very troubling generalization.

Jonathan • May 26, 2005 2:50 PM

Put in context, it does seem to be relevant to the case, but nowhere does it say that it is evidence alone of criminal intent.
---

The problem I have is that even in combination with other evidence, the mere presence of encryption software should not have been treated as evidence for anything. It's simply not relevant. There were no encrypted files found, nor any evidence the program had been used to destroy or conceal evidence. End of story.

It seems clear to me that the reason for including the presence of encryption software in the case was to play upon jury biases that the possession of encryption software is itself suspicious. In other words, many people would hear that encryption software was found and think "wow -- this guy had something to hide from the law". It's prejudicial, and nothing more. I'm not a lawyer, but I have a real hard time seeing how the law could be so divorced from basic logic on this.

Davi Ottenheimer • May 26, 2005 3:22 PM

"the possession of encryption software is itself suspicious"

Exactly. That was my point about the BBS in the late 1980s, back when the possession of more than one computer at home and a "fast" network was itself suspicious.

Hadmut Danisch • May 26, 2005 4:35 PM

Information hiding is a known discipline of cryptographers.

Now a new discipline should be started, the algorithm hiding. (if it does not yet exist, please send me a pointer if you know of any papers).

How to design a strong encryption algorithm which nobody can prove to be an encryption algorithm.

grahamc • May 26, 2005 4:46 PM

"An appeals court in Minnesota has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent."

This statement is wrong! The appeals court ruled on the issue (among others) that "Did the district court err in admitting evidence concerning appellant’s internet usage and encryption capability for his computer?".

The judgement explains that it is a ruling on relevancy, and such rulings will only be reversed where "The party claiming error has the burden of showing both the error and the prejudice." The ruling in effect says the lower court has discretion to allow evidence and the appellant did not prove that the lower court abused that discretion in admitting the evidence of internet usage and the presence of encryption software. Hence the appeal on these grounds is denied.

Finally, the appeals court said that "was at least somewhat relevant to the state’s case". They did NOT say "the presence of encryption software on a computer may be viewed as evidence of criminal intent". The newspaper report quoted said that, not the court.

In other words, the appeals court ruled on a fine legal technicality, not on whether the presence of the software was evidence of criminal intent.

The newspaper's report is almost certainly legal hogwash, and certainly logical hogwash. It is inflammatory to repeat this hogwash.

Chung Leong • May 26, 2005 4:54 PM

"To my mind, this is very similar to obtaining evidence that someone was running a drug lab in his or her house, and adding the fact that he or she had a lock on his or her front door to the case, even though it wasn't used."

That's a false analogy. Locks on front doors are ubiquitous. The use of PGP is not. The software is only installed in a tiny fraction of all computers.

The purpose of circumstantial evidence IS to bias the jury--towards what's hopefully the truth. Ultimately the burden is still on the prosecutor to prove beyond a reasonable doubt. It's no different from admitting a witness's account of seeing a murder suspect walking near the house of the victim. Walking on the street is clearly not illegal. Even being near a crime scene isn't illegal. Nor does it mean anything by itself. It does enhance the believability of the prosecutor's hypothesis. The key question is likelihood: how big of a coincidence would it be that a suspect just happened to be near the crime scene or possess a tool frequently used by the specific type of criminals? In the case of a lock it's simply a given that people would have it on their front door. Likewise for encryption in OSes and web browsers.

"...the use of encryption IS NOT probable cause to suspect criminal activity."

Probable cause deals with search without a warrant.

Davi Ottenheimer • May 26, 2005 5:21 PM

"Locks on front doors are ubiquitous. The use of PGP is not."

It is more correct to say locks on doors are ubiquitous in the same way that the encryption is ubiquitous in computing -- usually available by default and often implemented weakly (to keep the honest people honest).

Davi Ottenheimer • May 26, 2005 6:13 PM

Thanks for the text of the decision, Bruce. Here are some interesting excerpts:

[retired police officer who authored the EnCase Report, Brooke Schaub] "testified that he found an encryption program, PGP, on appellant’s computer; PGP 'can basically encrypt any file;' and, 'other than the National Security Agency,' he was not aware of anyone who could break such an encryption. But Schaub also admitted that the PGP program may be included on every Macintosh computer that comes out today..."

but the claim against relevance was based on the fact that

"there was no evidence that there was anything encrypted on the computer"

Very interesting. It's hard to tell from here, but it looks like files could have been encrypted and then sent via the Internet. Deleting a file in PGP usually performs a 3-pass secure wipe by default, so perhaps there is something relevant after all...

On the other hand it's hard to say why Schaub said PGP comes standard with every Macintosh. My guess is that was a reference to FileVault, which is actually AES-128. That mistake makes it somewhat obvious that Schaub is unfamiliar with encryption, and probably was not able to go beyond the basic functionality of EnCase.

And this points back to an important issue with "forensics experts" that sometimes end up getting stuck with the technical work. Can anyone really validate their expertise and skills before they are tasked with discovery, let alone asked to appear or defend a report in court? Does the average EnCase user know anything about encryption, or are they trained to treat it as evidence of criminal intent (or at least intent to evade EnCase)?

Second, the report implies a plausible connection between pictures, Internet use, and encryption:

"The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him."

So I have to admit it seems entirely possible that the state's case had something to do with the fact that pictures might be encrypted with PGP and then distributed. The intent of PGP encrypting illegal images is fairly clear, but the lack of encrypted data is odd. This suggests the investigation could be less about the data on the suspect's system (especially since PGP does a default 3-pass secure wipe) and more about how the private/public keys were handled relative to any online communication. After all, you can't post/email PGP encrypted information without a key exchange of some sort, so did anyone look into the keyring(s)?

Richard Schwartz • May 26, 2005 7:37 PM

In order to reject the appeal, the appellate court only had to find that the possession of crypto software had "a slight probative tendency" and that the danger of prejudice did not "substantially outweigh" the probative value. That's as far as this finding goes. The sky isn't falling.

(The quoted phrases above are taken from commentary on the Minnesota Rules of Evidence. Not sure if that's legislative commentary or judicial commentary, but it is posted here on the Minnesota state courts site http://www.courts.state.mn.us/rules/... )

IMHO unless the prosecution introduced a claim that crypto tools are only useful to criminals, and unless the presiding judge prevented the defense from introducing contradictory evidence, then this is a pretty clear case and the appellate court ruled correctly. Most jurors in any typical pool wouldn't have known enough about crypto software to be prejudiced by the mere mention of it. By rejecting the appeal, the appellate court was really simply affirming that it was reasonable to believe that the attorneys were capable of arguing the pros and cons of the value of the evidence and the jury was capable of weighing those pros and cons and overcoming any slightly prejudicial tendency. That seems reasonable to me.

If the defense attorneys failed to counter any slight prejudice on the part of some jurors by introducing evidence that crypto software is commonly used for lawful purposes, it's their fault and not grounds for overturning the verdict.

-----


Unfortunately, the formatting on the site linked above is bad. Here are a few relevant excerpts. Should be more readable here...

Rule 401. Definition of “Relevant Evidence” : Committee Comment--1977

... The rule adopts a liberal as opposed to restrictive approach to the question of relevancy. If the offer has any tendency to make the existence of a fact of consequence more or less probable than it would be without the evidence it is relevant. A slight probative tendency is sufficient...

Rule 403. Exclusion of Relevant Evidence on Grounds of Prejudice, Confusion, or Waste of Time : Committee Comment--1977

... The rule favors the admission of relevant evidence by requiring a determination that its probative value be “substantially” outweighed by the dangers listed in the rule before relevant evidence will be excluded.

Ilya • May 26, 2005 8:55 PM

If encryption is evidence of criminal intent then NSA is obviously a terrorist organisation.

grahamc • May 26, 2005 9:45 PM

"The sky isn't falling"

Richard Schwartz has above (Posted by Richard Schwartz at May 26, 2005 07:37 PM) injected a much-needed note of rationality. His analysis is somewhat more helpful than Chicken Little's, not to mention accurate.

Curt Sampson • May 26, 2005 10:10 PM

It's frustrating reading things like this because the blog entry is incorrect (the court did _not_ rule that it was "evidence of criminal intent"), there are various convincing posts here explaining the ruling that indicate this is not a big deal, and yet people are still responding to a straw-man argument, apparently not even having read the previous comments.

Bruce, are you still convinced that this is a bad ruling? I'm not. If you're not either, it might be a good idea to stop further comments on this blog entry and put up a new entry clarifying the situation.

Curt Sampson • May 26, 2005 10:12 PM

Even worse, this "cryptography indicates crime" interpretation is spreading like wildfire: at least nine other blogs have trackbacked this one. How is this all ever going to be corrected?

Jonathan • May 27, 2005 12:14 AM

Thank you for the legal analyses. You've helped to put things in perspective.

Chung,
I'm aware of the flaws in the analogy. However, I think that encryption software is widely available and used enough, and its many uses innocuous enough, that it amounts to a distinction without a difference.

Anonymous • May 27, 2005 4:48 AM

@Ray

No, the legislation which has expired is not the Regulation of Investigatory Powers Act 2000 (which allows the Home Office to demand that keys be handed over one at a time), it's the Electronic Communications Act 2000, which contains provision for establishing key escrow (which allows the Home Office to demand every key in the country all at once).

RIP is still in force.

Richard Schwartz • May 27, 2005 6:53 AM

I should clarify. The sky _may be_ falling. There are plenty of other worrisome signs that point toward that conclusion. But this court ruling isn't one of them ;-)

jayh • May 27, 2005 7:39 AM

>>To my mind, this is very similar to obtaining evidence that someone was running a drug lab in his or her house, and adding the fact that he or she had a lock on his or her front door to the case, even though it wasn't used.

I remember reading that in at least one state (Ind?) having a reinforced front door could get you an enhanced sentence in a drug conviction. The state demands you roll over for them.

Steve Jones • May 27, 2005 8:28 AM

Next I suppose they'll consider finding a knife in your kitchen is "evidence" of criminal intent to commit some gruesome attack on an innocent bystander.

David • May 27, 2005 10:28 AM

I see this one touched a nerve! Naturally, having encryption software isn't going to be a crime by itself, but if you are doing something criminal, and you also are encrypting that data, then clearly the encryption was used to help carry out the crime, and it does have meaning. Lots of normal things are not criminal by themselves, but they can be when used in a crime, and then those items can be used as evidence against the criminal.

A Prosecutor • May 27, 2005 10:37 AM

I think many people here are reading too much into this decision. No, using encryption is not a crime. Neither is having PGP on your machine. (By the way, I'm reasonably sure that OS X does not come with PGP loaded.) What stuff like this on your computer shows is that you possess at least some computer literacy. I can't tell you how many child pornography defendants I've prosecuted who get caught and say "I have no idea how these computers work, I just turn it on and press the internet button and this stuff starts coming up." Bull*%$&
Is it a crime, no. Is it relevant, yes.

Joe Buck • May 27, 2005 12:18 PM

You guys just aren't getting it. The guy was convicted because the victim testified against him. He was asking for a new trial because the prosecutor got to bring up that he was using PGP. The appeals court said that it was "at least somewhat relevant", because the alternative would be to give a properly convicted sex offender a new trial. He was not convicted because of PGP being on his machine.

If prosecutors get to introduce use of PGP as evidence, defense attorneys can easily show that it's not relevant.

Jonathan • May 27, 2005 12:31 PM

if you are doing something criminal, and you also are encrypting that data, then clearly the encryption was used to help carry out the crime, and it does have meaning.

Agreed. However, it should be noted that, at least in the stories referenced thus far, there has been no mention that the encryption software was used to facilitate the crimes in question.

Prosecutor, above, makes an excellent clarification, by the way.

Anonymous • May 27, 2005 12:34 PM

Sorry -- the above comment should have read:

"...if you are doing something criminal, and you also are encrypting that data, then clearly the encryption was used to help carry out the crime, and it does have meaning."

Agreed. However, it should be noted that, at least in the stories referenced thus far, there has been no mention that the encryption software was used to facilitate the crimes in question.

Prosecutor, above, makes an excellent clarification.

Kitchen Knives? • May 27, 2005 4:23 PM

Steve Jones said:

"Next I suppose they'll consider finding a knife in your kitchen is "evidence" of criminal intent to commit some gruesome attack on an innocent bystander."

Ironically, I then read this, from the BBC. Granted, it's the medical profession, not the legal profession, making the comment, but I couldn't help but think of your comment here, Steve.

http://news.bbc.co.uk/2/hi/health/4581871.stm

Pure Genius, those A&E docs illustrate these days.

Vincent Verhagen • May 31, 2005 2:13 AM

Maybe we should start using the term "enveloping" instead of "encrypting". Or is the possession of an envelope for your mail evidence for criminal intent too?

Bob Zagarello • June 1, 2005 10:47 PM

@Heiner Meiners

I like your comments. You want to wake us up? You can't wake up dead people. They've come from TotenSchule. I've tried. It doesn't work. They are missing the bone in their head that says don't put your hand on the stove. They're the same ones that believe in the religion thing too, more so than they let on here. And they don't care about making other people dead. The Monstrous Head talks about freedom but he means nothing. He just pushes the right buttons. Their head is full of lies and WWII. They forgot about their failures in Korea and Vietnam and ignore all the evil they have done in the past in their name and are doing now. I pray to God for failure. Failure is what will redeem us all. What did He say at Golgotha? Forgive them, Lord, for they know not what they do.

Sven • June 13, 2005 4:44 AM

It should be noted that pretty much every Linux distribution comes with GnuPG, encrypting loopback-devices and such.

So, using Linux can be evidence of criminal intent, obviously.
The Windows-trolls have known ever since... ;-)

Ezight • October 10, 2007 8:06 AM

How bout a computer running with no hard drive at all.

Just a bootable 4 GIG flashram device with a built in Truecrypt volume 4 levels deep 3 fakes and 1 real core volume.

1 Microwave oven set to popcorn.

Slax linux
puppy linux
Knoppix
Mepis
Helix

All bootable from CD or flashdrive.
Or a nice Ramdrive--aka-IRAM CARD.

Don't pull the battery on that folks or bye bye goes all your data.
That little battery on that card keeps everything in the DDR on the PCI card.

By the way, IRAM only holds like 6 gig nowadays.
Better off with a small flashram array,say like 5---4 gig sticks of USBflashram on a Powered HUB.

Lee • November 21, 2008 3:13 PM

"If the glove don't fit, you must acquit!" Granted, there's a lot more to that trial, than just this, but just because I might happen to have a gun in the car and I'm driving in the direction of the bank, doesn't mean that I'm going to rob it (especially when the gun smith or the weapons range is only a few blocks further in the same direction)! If there's no evidence of wrongdoing, there is no intent. Now that's all different when I park in front of the bank and leave the car running, and pull out a ski mask and run inside of the bank! But until that point, it's still just an assumption.

blacksheep • November 9, 2009 12:11 AM

This is just one of many actions that occur daily in the US to take away the rights and freedoms guaranteed by the Constitution. I spent 10 years in the U.S. Air Force and was ready to lay my life down at any moment to defend this country. It now sickens me to think I stood to defend this system. The local, state, and federal governments are out of control. I love this country and the American people and would never bear arms against America. However, I do understand why militia groups and others opposed to the government are growing and becoming more violent. The actions taken by the government are breeding them.
