Monday, December 17, 2007

Does the Fifth Amendment Apply to Passwords?

An interesting case is brewing in Vermont. It seems that Sebastien Boucher, a Canadian who is a permanent US resident, was entering the US when one of the border guards asked to see his laptop. The guard allegedly observed child pornography on the laptop and immediately arrested Boucher. Sounds like an open-and-shut case, but it isn't.

Boucher secured his laptop hard disk with PGP Whole Disk Encryption. This means that the investigators cannot confirm the border guard's allegations of child pornography on the laptop. The prosecutors bypassed this speed bump by getting a subpoena from a Grand Jury forcing Boucher to cough up his password. However, Boucher claims that giving up his password would lead to self-incrimination and invokes the Fifth Amendment to maintain the secrecy of his disk encryption password. Jerome Niedermeier, a US Magistrate Judge in Vermont, agrees.

The interesting thing is that people can be forced under subpoena to turn over keys to a locked container containing incriminating evidence. As best as I can tell, a memorized authentication token, such as a password, must be spoken or written to be usable by others. Because of the manner in which it must be shared, memorized authentication tokens are considered testimony. The federal judge is therefore protecting the accused's right against self-incrimination, which is clearly protected by the Fifth Amendment. Presumably, this is in contrast to producing a key to open a safe, which could be considered submitting evidence. This is the only way I can find to split this hair.

Regardless of the legal precedents in play, I don't see the difference between a physical key and a password. They are both authentication mechanisms that control access to a resource. Is the fact that one has a physical manifestation and the other does not really have that much impact? Disclosing either has the same outcome.

I have to wonder if someone who had memorized the combination to a safe containing incriminating documents would be afforded the same protection as our alleged pedophile.

I'd appreciate any insight from anyone resembling a legal professional. Heck, even if you're not, other opinions are welcome. I agree with the Techdirt article that this will probably end up in the Supreme Court eventually. Until then we won't have a definitive answer, but it will be fun to argue about in the meantime.

2 comments:

Gary Brown said...

Interesting question, and I don't know the answer, but FWIW: A. Michael Froomkin's 1995 paper, The Metaphor Is the Key: Cryptography, the Clipper Chip, and the Constitution mentions that topic in Sec. IV(B)(2)(a), second para.

"Simply putting something into a safe does not, however, ensure that it is beyond the law's reach. It is settled law that a criminal defendant can be forced to surrender the physical key to a physical safe, so long as the act of production is not testimonial. Presumably a similar rule compelling production would apply to a criminal defendant who has written down the combination to a safe on a piece of paper. There appears to be no authority on whether a criminal defendant can be compelled to disclose the combination to a safe that the defendant has prudently refrained from committing to writing, and in Fisher v. United States, the Supreme Court hinted that compelling the disclosure of documents similar to a safe's combination might raise Fifth Amendment problems. Perhaps the combination lock problem does not arise because the police are able to get the information from the manufacturer or are simply able to cut into the safe. These options do not exist when the safe is replaced by the right algorithm."

I don't know whether there are any newer relevant court cases.

schauba said...

Maybe the government should just invest in a bunch of high-end video cards. Brute forcing the password would be analogous to opening a safe with a cutting torch.