CyberLaw Blog

Archive for the ‘PGP’ Category

MPs’ Pretty Good Privacy ‘ban’ finally explained: “

Parliament misunderstands privacy, not for the first time

MPs have been told once again that they can’t use PGP to encrypt their email because of supposed compatibility problems between the encryption software and VPN remote access software installed on parliamentary computers.…

“

(Via The Register – Public Sector.)

TechLaw: Boucher Court: No Right to Refuse to Produce Encrypted Data

February 24, 2009
Boucher Court: No Right to Refuse to Produce Encrypted Data

Late last week a federal court in Vermont decided that a criminal defendant’s compelled act of producing unencrypted contents of an encrypted laptop is not protected by the Fifth Amendment’s privilege against compelled self-incrimination. The closely watched case of United States v. Boucher is a throwback to cyberlaw’s Cryptozoic Era, the days of Clipper Chip, CALEA, United States v. Bernstein, the shadowy legal status of PGP, and crypto export regs. The court’s resolution of this issue is not going to satisfy everyone, especially persons who believe that encrypting their laptops is a good protection against suspicionless border searches.

However, the court’s ruling neatly solves the government’s problem with gaining access to the growing amount of encrypted data the is being created in response to privacy, data breach, and identity theft concerns. As I read this opinion, so long as the government has a general idea of what might be hidden among the encrypted data, and it can point at the computer housing it, there is no Fifth Amendment impediment to a demand for production of that data in an unencrypted format.

Following his arrest for transportation of child pornography and seizure of the laptop containing the evidence against him, Boucher claimed that his refusal to tell police the password protecting an encrypted portion of the laptop’s hard drive is protected by the Fifth Amendment’s privilege against compelled self-incrimination.

A magistrate judge agreed with Boucher in United States v. Boucher, No. 2:06-mj-91 (D. Vt. Nov. 29, 2007), and it quashed a grand jury subpoena directing Boucher to divulge the password. The magistrate concluded that the act of entering the laptop password was a testimonial act under the privilege. The legal ins and outs of the case are dissected by Prof. Orin Kerr in this Volokh Conspiracy post, and I commend anyone who wants to understand this area of the law better to go there and read it.

Last week, the district court reversed that ruling, though ‘reversed’ is probably not the correct word, since the district court decided a slightly different issue than the magistrate. This is because, on appeal, the government changed its legal approach to the case. Rather than demanding that Boucher give authorities his password, it instead demanded that Boucher turn over the contents of his encrypted hard drive in an unencrypted format. Looking at the case this way, the district court decided that the Fifth Amendment did not give Boucher a constitutional right to refuse.

Any evidence of child pornography on the defendant’s laptop is not protected by the Fifth Amendment because this evidence was voluntarily created by the defendant. The question faced by the district court was whether the act of producing the contents of the laptop was itself a compelled communication of incriminating facts. Courts have held that compelled production of incriminating documents would not violate the Fifth Amendment in two situations: (1) if the existence and location of the evidence was previously unknown to the police or (2) if the act of production would implicitly authenticate the evidence. The district court decided that neither circumstance was present in this case. The government already knew that unencrypted portions of the laptop’s hard drive contained child pornography. And, as for the second circumstance, the government promised the court that it would not use Boucher’s act of producing the contents of the laptop to prove that the child pornography it contained belonged to him.

The court said that the encrypted portions of Boucher’s laptop were similar to the daily calendar at issue in In re Grand Jury Subpoena, 1 F3d 87 (2d Cir. 1993). In that case, the government subpoenaed the original of the defendant’s daily calendar, at a time when it already had a copy of that document. The Second Circuit ruled that the Fifth Amendment would not be violated by compelling production of the original, since the existence and location of the calendar were a foregone conclusion and the defendant had already testified about his possession and use of it.

The court reasoned that the compelling Boucher to produce the vast expanse of unknown, encrypted data on his laptop ‘adds little or nothing to the sum total of the Government’s information’ (quoting the Supreme Court’s opinion in Fisher v. United States, 425 U.S. 391 (1976) about him, so it was not therefore protected by the Fifth Amendment privilege. No doubt many will find this to be a weak spot in the court’s opinion. The Second Circuit may weigh in too; the defendant has already filed an interlocutory appeal to that court.

The decision can be accessed here as a PDF file.

Posted by Thomas O’Toole on February 24, 2009

Judge orders defendant to decrypt PGP-protected laptop | Politics and Law – CNET News

February 26, 2009 1:30 PM PST
Judge orders defendant to decrypt PGP-protected laptop
by Declan McCullagh

A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.

In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.

‘Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,’ Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.

Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.

The Fifth Amendment says nobody can be ‘compelled in any criminal case to be a witness against himself,’ which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.

Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over ‘passwords used or associated with’ the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.

At issue in this case is whether forcing Boucher to type in that PGP passphrase–which would be shielded from and remain unknown to the government–is ‘testimonial,’ meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.

Barry Steinhardt, director of the ACLU’s technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher ’should have been able to assert his Fifth Amendment rights. It’s not the same thing as asking him to turn over the Xeroxed copy of a document.’

‘There is no distinction’ between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. ‘Either of those things results in an encrypted set of files being brought into plain view.’

Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn’t know where the incriminating files are, or second, if turning them over would ‘implicitly authenticate’ them.

Because the Justice Department believes it can link Boucher with the files through another method, it’s agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)

Sessions wrote: ‘Boucher’s act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication.’

The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.

Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered ‘thousands of images of adult pornography and animation depicting adult and child pornography.’ Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then–and this is key–the laptop was shut down after Boucher was arrested.

It wasn’t until December 26 that a Vermont Department of Corrections officer tried to access the laptop–prosecutors obtained a subpoena on December 19–and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption, which can be configured to forget the passphrase after a certain time. That would effectively re-encrypt the Z: drive.)