Man Sues Compaq for False Advertising

Convicted felon Michael Crooker is suing Compaq (now HP) for false advertising. He bought a computer promised to be secure, but the FBI got his data anyway:

He bought it in September 2002, expressly because it had a feature called DriveLock, which freezes up the hard drive if you don't have the proper password.

The computer's manual claims that "if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff," Crooker wrote in the suit.

Crooker has a copy of an ATF search warrant for files on the computer, which includes a handwritten notation: "Computer lock not able to be broken/disabled. Computer forwarded to FBI lab." Crooker says he refused to give investigators the password, and was told the computer would be broken into "through a backdoor provided by Compaq," which is now part of HP.

It's unclear what was done with the laptop, but Crooker says a subsequent search warrant for his e-mail account, issued in January 2005, showed investigators had somehow gained access to his 40 gigabyte hard drive. The FBI had broken through DriveLock and accessed his e-mails (both deleted and not) as well as lists of websites he'd visited and other information. The only files they couldn't read were ones he'd encrypted using Wexcrypt, a software program freely available on the Internet.

I think this is great. It's about time that computer companies were held liable for their advertising claims.

But his lawsuit against HP may be a long shot. Crooker appears to face strong counterarguments to his claim that HP is guilty of breach of contract, especially if the FBI made the company provide a backdoor.

"If they had a warrant, then I don't see how his case has any merit at all," said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. "Whatever means they used, if it's covered by the warrant, it's legitimate."

If HP claimed DriveLock was unbreakable when the company knew it was not, that might be a kind of false advertising.

But while documents on HP's web site do claim that without the correct passwords, a DriveLock'ed hard drive is "permanently unusable," such warnings may not constitute actual legal guarantees.

According to Certilman and other computer security experts, hardware and software makers are careful not to make themselves liable for the performance of their products.

"I haven't heard of manufacturers, at least for the consumer market, making a promise of computer security. Usually you buy naked hardware and you're on your own," Certilman said. In general, computer warrantees are "limited only to replacement and repair of the component, and not to incidental consequential damages such as the exposure of the underlying data to snooping third parties," he said. "So I would be quite surprised if there were a gaping hole in their warranty that would allow that kind of claim."

That point meets with agreement from the noted computer security skeptic Bruce Schneier, the chief technology officer at Counterpane Internet Security in Mountain View, Calif.

"I mean, the computer industry promises nothing," he said last week. "Did you ever read a shrink-wrapped license agreement? You should read one. It basically says, if this product deliberately kills your children, and we knew it would, and we decided not to tell you because it might harm sales, we're not liable. I mean, it says stuff like that. They're absurd documents. You have no rights."

My final quote in the article:

"Unfortunately, this probably isn't a great case," Schneier said. "Here's a man who's not going to get much sympathy. You want a defendant who bought the Compaq computer, and then, you know, his competitor, or a rogue employee, or someone who broke into his office, got the data. That's a much more sympathetic defendant."

Posted on May 3, 2006 at 9:26 AM • 49 Comments

Comments

AGMay 3, 2006 9:39 AM

"sympathetic" All he needs is a good lawyer. Sympathy is manufactured from what I have seen.

DeweyMay 3, 2006 9:55 AM

I wonder when the legal concept of "this fine print specifically rejects everything else we've ever said" was found acceptable.

I'm happy to buy cheap computers based on *my* knowledge rather than advertising claims but there really needs to be a relation between what they claim and the truth.

remijnjMay 3, 2006 10:02 AM

@Dewey

It's not acceptable at all. But i'm not sure in what country you live. Where i live (the Netherlands) they can't disclaim everything like that (they still get away with lots of stuff though).

This is called consumer rights. A good example of this is the warranty period. If the product dies outside of the warranty but before the normal lifetime of this product (like a washing machine breaking in year 2) you might get it fixed for free anyway. This does involve a lot of legal work though.

Ed T.May 3, 2006 10:21 AM

"...if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff..."

Nowhere here do I see anything that says the data can't be recovered by FBI forensics experts -- and I wouldn't be surprised if the DoJ doesn't file a 'friend of the court brief' to dismiss, based on the fact that the gov't would not necessarily want it publicized if they had backdoors through encryption schemes.

~EdT.

Jason LashMay 3, 2006 10:21 AM

Wasn't HP's claim that the dirve can't be accessed without the password? Did they ever say there was only one password? If the FBI had another valid password, then there probably isnt a legal case. HP may very well have kept to their claim if the FBI accessed the drive using a valid backdoor password =) Interesting, though. This might get interesting if it goes the route of the Florida DUI case that was thrown out over failures to open the source

However, its interesting to see that the files he manually encrypted are still safe. Like I said in the BitLocker discussion, don't worry about securing the entire drive. That just adds overhead. Worry about securing just the files and documents of interest and use a solution that we as a community agree is valid (at least for now).

JeffMay 3, 2006 10:51 AM

Dumb question. Does anyone know whether the password encrypts the data on the hard drive or only disables the drive circuitry?

I had thought that these types of hard drive passwords only disabled the drive circuitry and that anyone with the right equipment (read, the FBI) could disassemble the hard drive, replace the chips or zero out the password in the eeprom, and get the thing working again.

Does anyone here really know?

dragonfrogMay 3, 2006 11:02 AM

There's a Compaq whitepaper on DriveLock here:

ftp://ftp.compaq.com/pub/supportinformation/papers/na118a0598.pdf

Nowhere in the document does it mention encryption.

From my brief skim of the document, it looks like it's a password protection scheme, such that if the user fails to enter the right password, the drive's firmware will refuse to respond to read / write requests. The data is always left on the platters in the clear; the drive just won't read it.

Pure speculation here: HP was telling the truth when they said the drive would become unusable without the right passwords. However, they did not cover the scenario where someone builds a _new_ drive, combining the logic board from a drive with a known password, and the platters from a drive with an unknown password.

There might be other ways to access the data, e.g. reflashing the drive's PRAM. In that case, it would be the same drive that became usable - and the advertising would have been false.

CheburashkaMay 3, 2006 11:10 AM

There's one single major defect in this case: The Plaintiff has no cognizable damages.

Let's say he wins (and it seems he has a reasonable shot of establishing breach of warranty). What does he get? His money back! That's what you get in a breach of contract case - your money back.

What he seems to be asking for is what's called "consequential damages," the secondary effects of the breach of contract. Its true that in some circumstances, you can get those.

But here, what he's claiming is, that but-for the breach of contract he would not have been rightfully convicted of a crime which he actually committed. It would be absurd to compensate him for being sent to prison, for a crime he committed, on the theory that he wouldn't have gotten caught if Compaq had kept up its end of the contractual bargain.

aikimarkMay 3, 2006 11:10 AM

I don't think the FBI needs a backdoor to read a hard drive. They have equipment that can read data off the platters without relying on a functioning drive, much like a data recovery company will do. This drive was functioning, but locked at a BIOS level. Moreover, once you get into the drive (physically, from another motherboard, or operating system) you might circumvent the DriveLock protection.

============================
Does anyone know if being forced to give up your password violates 5th ammendment protections of self incrimination?

Can a judge jail a suspect on contempt of court if they don't unlock their hard drive? If so, for how long?

CathyMay 3, 2006 11:13 AM

That Connecticut lawyer seems confused:

"'If they had a warrant, then I don't see how his case has any merit at all,' said Steven Certilman, a Stamford attorney who heads the Technology Law section of the Connecticut Bar Association. 'Whatever means they used, if it's covered by the warrant, it's legitimate.'"

As the article reads, he isn't suing because Compaq gave the FBI his data. He's suing because Compaq was *able* to give the FBI his data despite having represented that this would not be possible. It's that representation that's providing the cause of action for his suit, not the actual delivery of the data itself.

BrianettaMay 3, 2006 11:13 AM

"if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff"

Perhaps Compaq's headquarters are staffed by non-technical, administrative and support staff. They neglected to mention the rest of the organisation.

Ken HaglerMay 3, 2006 11:25 AM

The merits of the case are irrelevant. The only thing that matters here is that he's suing someone in a government court for collaborating with the government. This case is just as pointless and hopeless as suit against AT&T for collaborating with the NSA.

Owen CunninghamMay 3, 2006 11:31 AM

How much do you want to bet that the DriveLock claims would hold up in court if they were being tested in the other direction? A user buys DriveLock and encrypts his data, trying to be a good netizen and follow all the exhortations to practice good security he reads in his e-newsletters. Then he forgets the password and can't get at his critical business documents, and sues HP when they refuse to help him get the data back.

RichMay 3, 2006 11:38 AM

The best approach would have been to guess the password -- often not too difficult to do. I know foresnsics cases where that has worked. I cannot find anything in this article to indicate that didn't happen.

Dr. LMay 3, 2006 11:45 AM

Along with the standard computer warranty agreement which said that if
the machine 1) didn't work, 2) didn't do what the expensive
advertisements said, 3) electrocuted the immediate neighborhood, 4)
and in fact failed entirely to be inside the expensive box when you
opened it, this was expressly, absolutely, implicitly and in no event
the fault or responsibility of the manufacturer, that the purchaser
should consider himself lucky to be allowed to give his money to the
manufacturer, and that any attempt to treat what had just been paid
for as the purchaser's own property would result in the attentions of
serious men with menacing briefcases and very thin watches. Crowley
had been extremely impressed with the warranties offered by the
computer industry, and had in fact sent a bundle Below to the
department that drew up the Immortal Soul agreements, with a yellow
memo form attached just saying: "Learn, guys."

-- a footnote from Neil Gaiman and Terry Pratchett in "Good Omens"
(Crowley is one of the main characters, and a servant of Hell)

JeffMay 3, 2006 11:59 AM

@aikimark

>Does anyone know if being forced to give up your password violates 5th ammendment protections of self incrimination?

yes, someone knows, and no, it doesn't. Unless I misremember the precedent (this isn't my area of the law, so don't bank on my recollection), the 5th amendment protection only applies to oral statements that directly incriminate and not to non-incriminating statements which lead to incriminating evidence. And it certainly doesn't apply to existing documents that you are trying to keep out of the hands of police.

So, in an encryption case, the password itself isn't incriminating, the documents are. So, you can't rely on the 5th amendment protections there. Furthermore, the documents are pre-existing and therefore the gov't has the right to get them to use against you. It was your choice to create those documents. Once you did, you lost your 5th amendment rights regarding them.

Pat CahalanMay 3, 2006 12:09 PM

One advantage to this being in the press, regardless of the outcome, is that people are becoming more aware that computer hardware and software companies are empowered essentially to screw their customers.

Most people (this particular blog's readers excluded) *don't* read EULAs or computer warranties. They have no idea how much trust they are putting in their vendor(s).

Awareness raised is a good thing. Enough of these cases, and people may start pushing for liability laws.

Nick BrownMay 3, 2006 12:12 PM

aikimark: You don' t know what you are talking about.

DriveLock does NOT provide protection at the BIOS level. It provides protection at the hard drive firmware level. DriveLock is another term for "ATA-3 Security Mode."

Switching motherboards won't do squat to get around DriveLock. You need to either re-chip the firmware on the hard drive, or read the platters directly. Or, obviously, know the master password if one is set.

another_bruceMay 3, 2006 12:17 PM

@jeff
as a california lawyer who retired in 1995, i question your response to aikimark. so far as i am aware, the fifth amendment **does** protect you from being forced to disclose something that could lead to incriminating evidence.
remember "you have the right to remain silent..."? so far as i am aware, only one u.s. supreme court case has eroded your right to maintain perfect silence in the cop shop. that case was hiibel v. some court in nevada, and the u.s. supreme court held that a state law requiring you to identify yourself to law enforcement was constitutional. (the decision does not require you to provide documentary identification under these circumstances, just tell them your name). i'm pretty sure that if passwords were added as an exception, i would have heard about it.
the prosecutor still has the option of convening a grand jury, giving the defendant use immunity, swearing him in and asking for the password. he doesn't answer the question, that's contempt of court and he goes to jail for the remaining term of the grand jury (and then the prosecutor convenes a new one). that doesn't violate the fifth amendment.
in the united kingdom, the subjects do not enjoy as many civil rights as we do, and i remember reading about parliament criminalizing nondisclosure of passwords.

CheburashkaMay 3, 2006 12:23 PM

"As the article reads, he isn't suing because Compaq gave the FBI his data. He's suing because Compaq was *able* to give the FBI his data despite having represented that this would not be possible. It's that representation that's providing the cause of action for his suit, not the actual delivery of the data itself."

That's wrong. One of the elements of almost every civil cause of action in the United States is damages. In this country, we sue each other for money. If you don't have damages, even if there was a violation then (except in certain rare exceptions) you aren't entitled to get any money.

Cases are routinely dismissed for the reason that plaintiffs failed to allege damages or, as a matter of law, are not entitled to any damages.

JeffMay 3, 2006 1:13 PM

@ another_bruce

Re: 5th Amendment & passwords

As I said, this isn't my area of the law and I'm extrapolating from the cases that I'm aware of that address existing documents and required production of physical keys, etc. As far as I know, there aren't any cases that have directly addressed this issue. If anyone knows of one, a pointer would be great.

I do know that this had been a much discussed topic in law review articles, etc. Personally, I'm on the fence. With probable cause and a court order, I have to give up my safety deposit box, my computer hard drive, my storage boxes in may attic, etc. I'm not sure why my encrypted data should be any different and I'm not sure that the Supremes would disagree with that.

JeffMay 3, 2006 1:16 PM

@ another_bruce

>this might be helpful:
>http://www.lawtechjournal.com/articles/2004/02_040413_clemens.php

Funny. After your first post, I jumped to google as well and saw that. I somewhat relieved that most of that article (while written in a tone denoting certainty) actually was based on policy arguments, not actual case law.

I'll try to find time to look for actual cases later this afternoon.

Pat CahalanMay 3, 2006 1:26 PM

From http://www.dcbar.org/for_lawyers/washington_lawyer/november_2003/spectator.cfm

"What if you kept a personal diary and you were served with a grand jury subpoena directing you to produce the diary? Would the Fifth Amendment give you the right to refuse to disclose what is written.

The Fifth Amendment protects you from being compelled to be a witness against yourself. It was interpreted in Boyd v. United States, 116 U.S. 616 (1886), to include personal papers if what is in those papers would tend to incriminate. For many years nobody questioned the reasonableness of Boyd.

In the last 35 years the Court has been predisposed to narrow the Fifth Amendment protection. It did so by discovering that the word witness excludes personal papers because a witness is someone speaking, and what you say does not include what you say to yourself in your own personal papers.

There is no scientific test or linear deductive logic that can prove Boyd is wrong and these latter-day interpretations of the meaning of the word witness are right. It’s like a recent president’s statement, that it all depends on what the meaning of the word is is.

To prove the point, I direct your attention to the concurring opinion of Justices Thomas and Scalia in United States v. Hubbell, 530 U.S. 27 (2000). It seems they are nostalgic for the good old Boyd days when privacy was of significance and when the Fifth Amendment protections included personal papers:"

I imagine "diary" ~ "personal papers" ~ "personal data" as a legal argument.

But yes, this (and other references I've seen) seem to indicate that this is not established law.

Yet.

radiantmatrixMay 3, 2006 2:05 PM

@Jeff:

"With probable cause and a court order, I have to give up my safety deposit box, my computer hard drive, my storage boxes in may attic, etc. I'm not sure why my encrypted data should be any different and I'm not sure that the Supremes would disagree with that."

I'm not sure I do either, but encrypted data *is* a little unusual. Now, I'm not an attorney, so I'd be happy to be corrected if my theory is way off here -- and it's meant to be a logical theory, not a legal theory; I'm well aware that they don't always align. ;-)

Say I have a combination safe in my home. If I am presented a warrant, I'm pretty sure I'd have to not only turn over the safe (if practical), but also either provide the combination or unlock the safe for the warrant-bearing officials. If I then have incriminating documents inside, I'm likely screwed.

Similarly, if I have encrypted files, and am presented with a warrant, it stands to reason that I would be compelled to either reveal the "combination" (key passphrase, for example) or decrypt the data in the presence of the officials. If the decrypted documents are incriminating, I'm still screwed.

The practical difference is this. If "under the stress of interrogation", I forget the combination to a safe, the feds can still open it. Relatively trivially, in fact. With strong enough encryption, discovering the incriminating documents becomes an impractical problem. It might as well be impossible to break.

Depending on what those documents incrimiate one for, and the strength of the DA's case without them, a defendant might make a very practical decision to accept contempt/obstruction sentencing (a few years at worst) rather than be held for a life sentence or whatnot.

Add in encryption that is deniable, like some of the options offered by TrueCrypt and similar products. Now it is very impractical to compel anyone to reveal something they *might* know.

another_bruceMay 3, 2006 2:20 PM

@jeff and radiantmatrix:
they can make you turn over encrypted data, no problem. it's just an object, files stored on a drive, and you discharge your responsibility by handing them the drive.
a memorized password is not the same thing as encrypted data, it's a fundamentally testimonial thing based on electrochemical reactions in your noggin, which enjoys a much higher level of constitutional protection than your hard drive.
as the article i cited noted, you can be forced to give up a physical key to a lockbox, but you can't be forced to give up a memorized combination, and that's all a password really is.

RobMay 3, 2006 3:32 PM

Why would it have anything to do with Microsoft? We're talking about drive level encryption, Microsoft are not involved. Please, if you're going to slam Microsoft or anyone get your facts straight.

Jeremy BraytonMay 3, 2006 4:33 PM

The obvious choice of anyone with incriminating digital evidence is a "dead man's switch" which if not pressed will securely erase key data (or all data) on your drive. A semi-cheese movie with Patrick Stewart provided the idea here: http://www.imdb.com/title/tt0120051/.

The key is having your computer up at all times and a relatively quick timer so that in the event you are in jail, it'll do it's thing before the Feds can get their grubby little hands on it. There's a lot of liability in this so if you are working with others and can have them press the secure delete key before Mr PoPo gets there that may be a safer option.

If they're as smart as I think they are, they'll never fire up your computer specifically but instead place anything that has potential evidence on it onto a system of their choice. This way if you placed a trap like "guess my password wrong 3 times and the drive hoses" they'll be able to circumvent any such things. Since there is no consumer technology in existance that will fry your contents when viewed from another device, you're best bet is to provide some kind of mechanism that uses your own computer to secure it's contents.

Of course the more logical answer to all of this is to either not be a criminal in the first place or just don't get caught. While I may think about this stuff a little too much for my own good, it does not mean I have such a system in place or a need for such a system. I just know that if I were a criminal that either needed or stored large amounts of incriminating digital evidence, I would need a way of getting rid of it QUICKLY and as securely as possible.

not Florian PfaffMay 3, 2006 4:39 PM

"The merits of the case are irrelevant. The only thing that matters here is that he's suing someone in a government court for collaborating with the government. This case is just as pointless and hopeless as suit against AT&T for collaborating with the NSA."

What if your lawyer/doctor/therapist voluntarily "collaborated" with the government and gave up the incriminating secrects you told them under the assumption they would have to keep them private? I would think that -- at least under certain circumstances -- collaborating with the government *can* be illegal.

As a more extreme example, the German constitution ("Basic Law") even warrants every citizen the "right to resist" if they threaten fundamentals such as the rule of law, democracy etc. For instance, I would think that since the German constitution criminalizes (even the preparation of) the assault on another country, fighting in Afghanistan is -- in my layman's view -- a criminal act under current German law (paragraph 80 penal code), with minimum sentence of 10 years in prison. See http://www.iuscomp.org/gla/statutes/StGB.htm#BIi for an English translation of the law, it seems fairly clear on the matter.

Pat CahalanMay 3, 2006 4:57 PM

> The obvious choice of anyone with incriminating digital evidence is a "dead
> man's switch" which if not pressed will securely erase key data (or all data) on your drive.

If I had to crack one of these right now the first thing I would try is

4 8 15 16 23 42

quincunxMay 3, 2006 6:38 PM

"One advantage to this being in the press, regardless of the outcome, is that people are becoming more aware that computer hardware and software companies are empowered essentially to screw their customers."

That would only be true if they were in the escort service industry.

This is an incorrect outlook, that is so pervasive in our culture - the idea that you buy a good or service because it is PERFECT. If it is not perfect then we must have some overarching bureaucrats create some unworkable patches of laws to ensure that it is PERFECT. Such a process will not work, you will not learn anything, and will complain the next time the same thing happens despite all the beautiful laws you thought would help.

The correct way to look at why you buy goods and services is: it is better than you can make yourself, it's better than the competition, or you don't want to invest the time & energy into making it yourself.

This is not the case of a vendor failing to protect the privacy of their customers, but the case of them having to comply with regulation. There is no reason for them to have a "backdoor" other than liability against GOVERNMENT.

"Awareness raised is a good thing. Enough of these cases, and people may start pushing for liability laws."

Yes & No.

Awareness raised is a good thing.

But the best course of action is to switch to other vendors via the competitive process - and to eliminate existing government laws that violate your privacy.

"Most people (this particular blog's readers excluded) *don't* read EULAs or computer warranties. They have no idea how much trust they are putting in their vendor(s)."

EULAs don't mean much. It is the way they are enforced. You still can't sell yourself into slavery under any type of contract.

The problem is INTERPRETATION of the contract. And as you've mentioned in regard to the fifth amendment, the law is becoming irrelevant and perverted, because it is in the hands of the very institution that legislates.

Pat CahalanMay 3, 2006 7:24 PM

@ quincunx

> This is an incorrect outlook, that is so pervasive in our culture - the idea that
> you buy a good or service because it is PERFECT.

I agree, that is an incorrect outlook. I also agree that it is very pervasive in our culture. I don't think that goods or services need to be perfect.

On the other hand, they do need to measure up to their advertised abilities. If a product is advertised as secure, it needs to be secure. If you are selling a device that is supposed to provide a service, and the device fails to provide that service, you ought to be held liable.

That may not be the case in this instance. Quoting from above: The computer's manual claims that "if one were to lose his Master Password and his User Password, then the hard drive is useless and the data cannot be resurrected even by Compaq's headquarters staff"

If this is accurate, it sounds to me like Crooker has a case. From the descriptions I'm reading here, losing your passwords does indeed render the hard drive useless, but it does not affect the data at all. That is counter to their claim. They are implying that the data cannot be resurrected "by anyone" [edit mine], not even Compaq headquarters staff.

> This is not the case of a vendor failing to protect the privacy of their
> customers, but the case of them having to comply with regulation.

We actually don't know that at all.

> There is no reason for them to have a "backdoor" other than liability against GOVERNMENT.

Crooker assumes that Compaq had a back door into his drive, because he's not aware of any other way the FBI could have retrieved his data.

There have been other proposed methods here on this thread as to how the law enforcement agencies got to his data. They may not have a magic back door key at all.

> But the best course of action is to switch to other vendors via the
> competitive process

You have two assumptions here -> one is that there is another vendor available and the second is that the other vendor delivers on his promises. Since you don't seem to agree with the concept of liability, how can you propose we find this other mythical vendor? Trial and error?

> The correct way to look at why you buy goods and services is: it is better
> than you can make yourself, it's better than the competition, or you
> don't want to invest the time & energy into making it yourself.

You're missing the absolute most common case: you don't have the ability to produce the item yourself in the first place. Moreover, you don't have the ability to properly test claims put forth regarding possible solutions by different vendors, because you lack the expertise or equipment.

I know a little about metalworking and stress, but I possess neither the tools nor the skills necessary to test a structural beam provided by a steel manufacturer to prove that it matches the stress characteristics the manufacturer claims.

> And as you've mentioned in regard to the fifth amendment, the law is
> becoming irrelevant and perverted, because it is in the hands of the very
> institution that legislates.

The interpretation of the law is changing, for certain, but "nor shall be compelled in any criminal case to be a witness against himself" isn't well defined in the Constitution. What does it mean to "witness"?

Does it mean "testify against yourself on the stand"? Does it mean "anything authored by the defendant can't be entered into evidence"? Does it mean "documents intended to be private can't be entered into evidence"?

Even if it was well defined, technology has certainly changed since the 1700s and a more literal definition isn't going to cover all the cases that exist today... that doesn't necessarily mean that it's becoming "irrelevant" or "perverted".

AnonymousMay 3, 2006 9:39 PM

The dead man's switch idea is backwards. Instead of having to trigger a switch while the machine is powered on, you want to keep the key in volatile memory so that it is lost if the machine's power is cut. While it is possible to see what values were in dram recently, this is going to be very expensive to do and probably have a high chance of failure.

Another KevinMay 3, 2006 9:58 PM

It's actually possible that Compaq was telling the truth. Consider a scenario where the manufacturer, willingly or otherwise, communicates the master passwords of newly-manufactured hard drives to the law enforcement agencies, but does not retain them internally. In that case, the backdoor is there - but neither the consumer nor the manufacturer can exploit it post-sale; only the agencies can.

quincunxMay 3, 2006 10:39 PM

"If a product is advertised as secure, it needs to be secure."

In the long run every such claim is fraud.

Should the government be held liable for claiming that DES is secure? Not that they are liable for anything.

"If you are selling a device that is supposed to provide a service, and the device fails to provide that service, you ought to be held liable."

Up to what point?

Company employees are selling their labor services advertising that they can make things secure - I'm sure you don't think they are to be held liable, but they are certainly defrauding their employers, right?

"You're missing the absolute most common case"

No. The absolute most common case is that you don't buy the product.

"Does it mean "testify against yourself on the stand"? Does it mean "anything authored by the defendant can't be entered into evidence"? Does it mean "documents intended to be private can't be entered into evidence"?"

I think it's pretty clear. You don't have to say anything. You don't have to tell them where any documents are. But if they figure it out by themselves - then yes they can use it (unless they violate Amnd#4)

The last thing I want is for someone to rule that one is compelled to provide secret passphrases or keys to incriminate themselves.

CathyMay 4, 2006 9:10 AM

"That's wrong. One of the elements of almost every civil cause of action in the United States is damages. In this country, we sue each other for money. If you don't have damages, even if there was a violation then (except in certain rare exceptions) you aren't entitled to get any money."

Yes, that's true - that the data was divulged goes to damages. But that's an element to sustaining the cause of action, not the core of it.

Jan Theodore GalkowskiMay 4, 2006 9:15 AM

suppose instead of Drivelock or something comparable, a user used PGP's encrypted disk capability, something available in their PGP Desktop? presumably the data is safe then.

the question is, if the FBI has a warrant, does that compel the owner to provide the private key needed to decrypt the drive? i would think not, since such cooperation could, in some circumstances, amount to self-incrimination.

so, given the increasing intrusiveness of the intelligence agencies and the FBI, at least as reported, why aren't more people encrypting their emails and their hard drives? i mean, people are buying and using shredders more to protect against privacy? is it because they are ignorant of these technologies? is it because they are inherently inconvenient? or is it because people are being discouraged from doing so -- or the technology vendors being discouraged from selling -- because the intelligence agencies know if the practice was widespread, they'd have a much tougher time.

and, finally, wouldn't a smart criminal be sure to use these technologies? doesn't anyone sell cell phones, for instance, which encrypt the datastream using public key?

AEMay 4, 2006 9:49 AM


Is the fact that Crooker used Wexcrypt to encrypt some of his files, not a sure sign that he too didn't believe that Drivelock was fully secure?

AkosMay 4, 2006 11:07 AM

> The obvious choice of anyone with incriminating digital evidence is a "dead
> man's switch" which if not pressed will securely erase key data (or all data) on your drive.
Even better having two passwords.
One for the use of the data and another to destroy the data.
If somebody forces you to give them the password for your secret data you just give them the one which if entered starts to destroy the data while presenting them to something harmless instead.

Pat CahalanMay 4, 2006 1:47 PM

@ quincunx

> In the long run every such claim is fraud.
>
> [snip]
>
> Up to what point?

You're begging your own question here. If you say that a blanket claim of "secure" is fraud, you shouldn't turn around and say "Up to what point?" Well, duh, up to the point of their claim. If a tire company claimed that their tires would last forever without blowouts, as soon as one blew out they should be held liable. If the tire company claims that the tire will last 50,000 miles without a blowout, then they're covered up to the point of their claim.

Basically, if you're in the security business, you should not be making claims in your advertising you can't support. If you do, you're committing fraud (your word), and you should be held liable for that fraud. Period. Claim that your crypto requires 10^n operations to brute force. Claim that your crypto has no known breaks. Claim that you're using some standard crypto algorithm (whatever) and let your customer decide how secure it is. You're okay up to that point.

Claim that it's unbreakable, and someone should be able to sue you if its broken.

> Company employees are selling their labor services advertising that they can
> make things secure - I'm sure you don't think they are to be held liable,
> but they are certainly defrauding their employers, right?

First, I don't believe that this is true at all in the general case. I know a few software developers, and I don't recall any of them ever being asked if they write secure code during their interview process.

Second, employees can definitely be held accountable. If you write dreck code, your manager can fire you.

Finally, you're trying to pull the discussion into an entirely different arena. This comparison only holds true if you consider "a company" to be functionally equivalent to "a customer" (or "an employee") and "a product sold by a company to a customer" to be functionally equivalent to "employee's labor sold to a company". A corporation is a legal entity, but it is obviously *not* equivalent to an employee or a customer.

If you want to discuss liability vs accountability in the context of entity relationships, we'll have to back up quite a bit and discuss some definitions before we can go forward. Again, this is an economics discussion and we should take that up elsewhere...

> No. The absolute most common case is that you don't buy the product.

I disagree. If Joe Average Consumer wants to buy a washing machine, he's going to buy *some* washing machine from *some* vendor. He might not buy Maytag's particular model. He still wants a washing machine, and he's going to buy one.

If he buys Whirlpool's washing machine because Whirlpool advertises the machine as having a certain energy consumption rating, and he's trying to cut down on his monthly bill, but the machine uses more power than its supposed to, Whirlpool should be liable.

> I think it's pretty clear. You don't have to say anything. You don't have
> to tell them where any documents are. But if they figure it out by
> themselves - then yes they can use it (unless they violate Amnd#4)

Agreed. Assuming of course"they figure it out by themselves" doesn't involve them doing something illegal.

> The last thing I want is for someone to rule that one is compelled to provide
> secret passphrases or keys to incriminate themselves.

I think we're on the same page here.

Tony BryantJuly 28, 2008 3:51 AM

I am not condoning the crime that this man committed, but Compaq should also pay for their actions. They lied the customer, and thus must pay. They can then sue the government for making them lye to the public.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..