Hot on the heels of SOPA, PIPA, and The Megaupload Raid™ comes a frustrating ruling by a U.S. district court judge in Colorado regarding a defendant in a bank fraud case. The gist is that the defendant has an encrypted drive on her laptop and forcing her to divulge the contents of said drive does not violate her fifth-amendment rights against self-incrimination. Let that sink in for a minute. If it sounds ridiculous, that’s because it is. It’s a lot like asking Mitt Romney to reveal his tax returns while also arguing that it won’t require him to reveal himself as a typical tax-minimizing, asset-maximizing, do as I say and not as I do individual.
The facts that Mitt Romney is a tax-minimizing, asset-maximizing, do as I say and not as I do individual and that this defendant is in all probability guilty are both entirely beside the point. Guilt and innocence aren’t what’s being debated. What matters is whether forcing (in the public pressure sense, people, not a legal drag-him-to-court sense) Romney himself to reveal his tax returns or the defendant herself to provide the contents of her encrypted drive will then result in their own incrimination. If either act does so, than you have by definition incriminated yourself. It doesn’t get any simpler than that. It’s not a gray area. It’s not up in the air. It’s not up for debate.
The real debate of course is a matter of judicial precedent and legislating from the bench. There are a few key points and distinctions that keep getting bandied about that I’d like to enumerate and then discuss:
- The point about the legal definition of “testify”.
- The distinction between providing one’s password to encrypted material, ostensibly an invasion into the consciousness of the individual, and providing the contents of encrypted material, ostensibly a legitimate collection of evidence.
- The distinction between “real” property and “intellectual” property, and the process by which one “seizes” either entity for collection of evidence.
- The point about the relative difficulties of obtaining evidence depending on the type of obfuscation used (keypad safe, lockbox, encrypted volume) when a defendant is uncooperative, and what that says about the delivery of justice
Legal definition of “testify”
This is one of the most annoying pieces in the public discourse about the topic. It shows just how far behind the law is on technology and common sense. There are varying legal perspectives that I’ve heard tossed about. They go like this:
Things that are testifying
Things that aren’t testifying
Of course it’s ridiculous. There are numerous problems with this sort of thinking apart from its self-evident stupidity.
“You’re not testifying, you’re just writing down the words that are in your brain rather than speaking them!” If my testimony –and that’s exactly what it is– of a hand-written password is going to then be used by you to incriminate me, than you have just forced me to testify against myself. Plenty of prosecutors have already realized this and so move on to the next strategy.
“You don’t have to tell us the password, but you do have to put it onto the device in question. That way, we haven’t forced you to testify!” If my testimony –and that’s exactly what it is– of providing the private key to the computer in the courtroom is then going to be used by you to incriminate me, than you have just forced me to testify against myself. It seems the prosecutors and courts in general still haven’t realized this and so keep playing the “we don’t actually know your private key” card.
As a defendant, you have absolutely no reasonable expectation of “privacy” upon furnishing the password. This is primarily due to the stated fact that the courts are gathering evidence. That means by default that your private key is going to be recorded, whether the court monitor is standing over your shoulder or not. According to them it’s evidence! So the implication that the courts have somehow magically sidestepped the issue of self-incrimination is bunk. We have demonstrated that asking for the password, and having the password inputted, both result in self-incrimination.
On writing down, typing in, and gathering evidence
The previous section already touched on the distinction between asking for the password to encrypted volumes and the contents of –by inputting the password– said volumes. As demonstrated previously, they’re equivalent actions. There is no difference in the two. They are both testimony. And if we are to consider those actions testimony than we have a self-incrimination violation. But many regard such actions as legal collection of evidence, regardless of whether they are also testimony. This is a far more mature argument for supporting the Honorable Blackburn’s opinion. But it is still invalid. It is not a legal and legitimate gathering of evidence, because of the distinction between real and intellectual property, and the resulting necessary invasion into the consciousness of the defendant and the inevitable testimony by said defendant that would have to ensue in order to continue collecting said evidence.
Consider. The right against self-incrimination obviously does not grant a “hands-off” attitude regarding any evidence at all. We don’t cry “self-incrimination” and demand a mistrial when we’re caught with our smoking gun in our blood-red hands. And it’s not a violation of the fifth amendment to raid someone’s house and use the discovered narcotics and cash in the process of obtaining a conviction. And many will argue that forcing one to provide the password to an encrypted volume does just that; gathers evidence. The argument is that, just as we can gather evidence from the physical properties of drug dealers… by breaking past gates and locked doors in the process if need be… and gather incriminating paperwork… by breaking cabinet locks and reconstructing shredded documents if need be… and seize the contents of safes… by drilling into them if need be –than so too can we seize the contents of encrypted volumes… by force if need be.
My computer and my password
But notice all of the options available to the prosecutor: breaking locks, drilling into safes, reconstructing shredded documents. The defendant may cooperate if he so chooses. He can let the police into his residence upon the delivery of a warrant. He can provide the keys to locked doors. He can even provide the combination to safes if he so chooses! Hell, if he’s guilty he could very well plea bargain his way into a reduced sentence. But he doesn’t have to, and it’s not game over for the prosecution if the defendant is uncooperative. Those gates can be knocked down, the locks broken, and the safes torn apart by blow torches and diamond saws. The cooperation of the defendant is not a necessary condition to the collection of evidence. From all of this it is perfectly clear that the use of force is fair game in obtaining physical evidence against the defendant, so long as we have never invaded his consciousness ; never used force against the defendant himself.
That is where the distinction between real and intellectual property comes into play.
Remember that in all ordinary evidence gathering the cooperation of the defendant is not required. At no point does the defendant have to do anything for the prosecution. And the prosecution will take the lack of cooperation straight to the judge and jury in the form of harsher sentences. But, if the defendant’s cooperation becomes a necessary condition to the continued gathering of evidence –say, by providing a private key, held within the defendant’s mind, to an encrypted volume, housed on his physical computer– than that gathering of evidence transforms into a demand for testimony, as the prosecution is then invading the defendant’s consciousness in order to force his cooperation by said testimony. At this point, it is no longer a legal, legitimate search for evidence and is instead a demand from the prosecutor upon the defendant to give self-incriminating testimony.
The bad boys get away!
I understand the frustration behind this reality. Pick a strong password and keep your mouth shut, and you can’t be touched! This is the fear behind the Honorable Blackburn’s opinion and that of many others. However, it is fear fueled by a myopic vision of the procedures and abilities available to a prosecutor. There are plenty of tools available to obtain encrypted material. If you think the only option is the humble bruteforce, than perhaps you should consider some “preventative maintenance” rather than waiting until after-the-fact to try and “repair” the situation and gather evidence the hard way.
What I mean is that it is indeed unfeasible to straight-up “crack” this sort of encryption when done right. It may one day become easy –and that possibility alone throws a completely new wrench into the question of the legality of gathering such evidence, but won’t be considered for now (suffice it to say, I believe if you can bruteforce it, it’s fair game). I’m more concerned with the here and the now. And right now, there are all kinds of options available to those who wish to gather encrypted evidence if they know where to look.
The typical full disk encryption found on all major operating systems these days necessitates the provisioning of the private key upon boot up, to be stored in memory –or on some other device if done via hardware encryption– in order to write to disk and perform the various operations the device then carries out. What does this mean to the savvy evidence collector? Grab that machine while it’s on, and don’t you dare disconnect it from its power source. Splice the AC line that’s feeding it power in order to cart it off if need be! Could this be thwarted with the appropriate counter-measures? Of course. But then you have a legal destruction of evidence charge just handed to you on a silver platter. And that doesn’t even consider the possibility of cold-boot attacks on the key. The venerable trojan, in all of its software and hardware forms, is another easy tool that can tackle full disk encryption as well as containers. This can obviously provide not just the private key but any other juicy keystroke information that might not have been permanently stored on the device. Finally of course is good old-fashioned social engineering. If anyone else has knowledge of that private key, than the court may request testimony. And that individual may, for any number of reasons, willfully provide that evidence.
The simple conclusion is that forcing a defendant to provide private keys constitutes testimony and that this then is a fifth amendment self-incrimination violation. The assertions that it is legal evidence gathering are wrong. The defendant’s cooperation becomes a necessary condition to the gathering of evidence and this transforms the evidence gathering process into a demand for testimony that would necessitate invading the defendant’s consciousness in order to force his cooperation by said testimony. Finally, the implication that this grants criminals a “Get Out of Jail Free card” is myopic and reflects a poor understanding of effective evidence gathering techniques. There are already wildly effective tools in place for legally capturing such evidence without ever needing to violate the defendant’s fifth amendment rights.