Gideon brings us news of a federal case in Vermont in which the judge has refused to force the accused to reveal the password that he used to PGP-encrypt the kiddie porn on his computer, even though the accused had already used the password to show agents what was on the computer.
This is, of course, a good ruling for liberty. In a world of sneak-and-peaks and warrantless wiretaps, it allows us to maintain a preserve of privacy into which the government cannot force its way. Apparently the USCBP doesn't yet have the quantum computers that would be needed to crack the RSA algorithm. If NSA's got that technology, they're not sharing. Download PGP today, and start using it.
According to the Washington Post article,
Orin S. Kerr, an expert in computer crime law at George Washington University, said that Boucher lost his Fifth Amendment privilege when he admitted that it was his computer and that he stored images in the encrypted part of the hard drive. "If you admit something to the government, you give up the right against self-incrimination later on," said Kerr, a former federal prosecutor.
That reminded me of one of our law school classmates who, when we were discussing the law of rape in first-year criminal law class, asked the professor, "if you consent to have sex with someone once, does that mean you've consented for always?"
Um, no.
6 comments:
Hi Mark, Michael here...
Don't be too worried about the quantum computer end-run around RSA encryption. As you know RSA is based on the extreme difficulty of factoring very large numbers which have only two factors, both themselves very large prime numbers.
There's an algorithm for using quantum computing on this problem--Shor's algorithm--and given we can do 4-bit quantum now, it's a matter of engineering not theory to get further.
BUT: There's a whole different set of computationally hard problems not yet tackled by a quantum algorithm called "Elliptical Curve Cryptography".
One bad thing...all meaningful IP for it is tied up on one company making it difficult to do without their licence.
I believe you were in gay Paree when this was first posted:
http://blog.simplejustice.us/2007/12/15/subpoena-quashed-for-encryption-password.aspx
Hi, Michael. So you're saying you don't think NSA is reading our PGP-encrypted mail yet?
What's the company with all the IP?
SHG,
Ah, yes. Paree. I remember it well.
Strong encryption, like the algorithms used by PGP and others, are really good. Trying to defeat those is usually a waste of time and resources.
However, security is one of those things that are only as good as its weakest link. A secure encryption scheme is worthless if you save the password in an unencrypted file on the computer, or worse yet, leave it on a post-it note by your monitor. The FBI has successfully used warrants to install trojans and keystroke loggers to find passwords for strong encryption, which have resulted in convictions. There are quite a few methods for cryptanalysis that do not require actually attacking the algorithm.
Mark, I'm not entirely convinced that the rape analogy is, well, analogous. In essence, the suspect "confessed" to a law enforcement officer who did not record the confession, and the authorities are trying to get him to confess again.
Now, I'm not a lawyer, just some ordinary citizen who really cares about civil liberties, so I'm curious - would the border patrol officer's testimony be good enough in court? Or would the prosecutor really have to produce the physical evidence to have a case?
And Michael - there are plenty of open-source/free implementations of Elliptical Curve Cryptography out there. Are you saying that there are proprietary algorithms that are better, or that these algorithms are not free to use without a license? That's what always irritated me about crypto algorithms - the source should be published and peer-reviewed to ensure security, but that just makes it easy to use without a license, especially non-commercially.
Shane,
I will immediately eat the post-it with my password.
The government doesn't have any right to get you to confess, even if you confessed before. You don't waive the Fifth forever by running your mouth once. For example, the government can't call even a confessing defendant to the stand to testify.
The government may still have enough evidence to prove the case. It may be that, as usual, they're just trying to make their job as easy as possible. When we confess, all we do is make the government's job easier.
Oh, yeah, you're right. I guess what I was talking about is entirely irrelevant to the issue at hand, which is whether the authorities can compel self-incriminating testimony.
One such solution to this kind of case is a high/low password system where an encrypted volume is created with 2 passwords, one that allows access to the real deal and one that allows access to a decoy volume with sensitive but nonincriminating data. I'm not sure if PGP can do this, but the free program TrueCrypt can.
Post a Comment