Wednesday, December 26, 2007

Encryption Passwords and the Fifth Amendment

The case isn't pretty, but the reading of the case law around this is pretty frightening. In this case the judge finds that subpoenaing the password to open an encrypted file or directory is a violation of the Fifth Amendment. Orin Kerr pretty clearly shows why he disagrees, and I find it disturbing that case law does in fact fly in the face of logic, never mind common sense.

The case is found here.
A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."

Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.)

So the lesson I get from this is:

Password-protect your computer and don't let anyone in without a warrant.
Never waive your Miranda rights.
If you're going to encrypt, use something smart like TrueCrypt.
