Showdown over encryption password in child porn case

A bid by the US government to force a child porn suspect to surrender his encryption password has sparked fierce debate about whether the move violates constitutional protections against self-incrimination. The case, which is reported here by The Washington Post, is likely the first time a court has waded into the issue. It …

COMMENTS

  1. Charles Manning
    Coat

    Just the same as the old days

    Nothing new here.

    Not surrendering a password is just the same as not surrendering the keys to a safe that holds evidence or not revealing where some documents/loot are hidden.

    Surely there is sufficient pre-computer-age precedence to be able to make a rational decision.

    There's far too much knee-jerk that computers/internet change everything legally/morally etc, but in truth they do not. This silliness is found in copyright, unauthorised access, privacy etc.

    Caption is Big Brother searching your coat pockets for evidence.

  2. This post has been deleted by a moderator

  3. Anonymous Coward
    Anonymous Coward

    @charles manning

    One problem with your reasoning is that you could destroy someone by sticking an encrypted file full of rubbish on their machine, and turning them in. They can't provide the key because they haven't got it, and unlike a safe it's physically impossible to get at the data.

    So anyone with any encrypted file for which they haven't got the password can be locked up for anything - because they can't prove they didn't do it. And the law is innocent until proven guilty, not the other way around. If you alter this, you're done for as a free society.

  4. Anonymous Coward
    Flame

    @charles manning

    You've rather missed the point, haven't you? There are plenty of precedents - the question is, which one to choose? Is a password like the keys to the safe (which you can be compelled to provide), or like the combination to the safe (which you cannot be compelled to provide)?

    Even a cursory reading of the article would have made this fairly obvious. I therefore generously conclude you didn't read the article before posting.

  5. Chris C

    Guilty unless proven innocent (and then, quite possibly, still guilty)

    Doesn't the U.S. proclaim that suspects are "innocent unless proven guilty"? Actions like this one are directly contradictory to that. Forcing a suspect to reveal the contents of their computer, home, safe, or whatever else in order to prove there is no usable evidence against them can only be interpreted as the suspects having to prove their innocence. In other words, guilty unless proven innocent. We've known for a long while that that's the way people have been treated, but this shows it with astonishing clarity.

  6. Adrian Esdaile
    Pirate

    @ Human - I'd watch your HDD if I were you...

    Say someone were to plant some kiddie-pr0n on YOUR hard disks... would you be happy with The Beak saying "shred 'im"?

    After all - possession is proof in the digital world; just ask the RIAA!

  7. Anonymous

    They have no right to the information

    It doesn't matter and is completely irrelevant if he's a pedophile pornographer, a terrorist or terrorist sympathiser, a snuffer or a serial killer.

    They have no right to the information and that's final.

  8. Tuomo Stauffer
    Black Helicopters

    Interesting but

    I can fully understand the frustration cops are feeling. But before we have "a code of ethics" which would keep any information spreading I also can understand EFF and other such organizations. But politics make it difficult, in child porno cases they really should have access to everything BUT if found that it wasn't - nothing should slip out, it destroys lives, families, careers, etc. In terrorism it is even more difficult - you even think differently (or have some weird name/looks) than the ruling class, you are a terrorist. In child porno cases it is more black&white but when the same rules are applied to politics / business it will not work, they are ideas, not facts. Today's unfortunate reality is that even a suspect is often already in trouble and there are no safety or recovery policies or mandates to make that right after a mistake. Who is going to get your family back or fix your credit or reputation or lost whatever after such an incident?

    Maybe there should be a politically and business independent third party which has rights / access to this information and can make the decisions if it should given further to other institutions. There are a lot of good people and (IMHO) many really are in standard police organizations but not all.

    Or maybe we should get the Hammurabi code / law back?

  9. Maisie Donaldson

    Whatever we do, protect the bad guy

    It's like an episode of Law and Order - the system bending over backwards to protect the vile criminal. Everyone wants to see him get his just deserts but the greasy lawyer bangs on about the constitooshum and the judge says "the smoking gun is ruled out". Well bollocks to that. If someone sets up an encrypted system to hide his criminality - in this case participation in industrial child rape - then he has to open the door or be punished for it.

  10. Steve Welsh
    Alien

    EErrrrmmm

    they are encrypted by the military-grade Pretty Good Privacy program.

    Well if that's true, I guess that I'm pleased that I'm using GPG.

    I wonder if it's military-grade too????

  11. Name

    Who even THINKs it would be right??

    Who even THINKS it would be right to try and coerce something out of someone's head!!??

  12. Ed
    IT Angle

    Forget it!

    Couldn't you just happen to forget your password/encryption key?

  13. Graham Marsden
    Stop

    A cynical thought...

    I have to wonder whether this case is being pushed by the US Government because what they *really* want to do is to ensure that *everyone* can be forced to reveal encryption passwords etc, but they're doing it by picking the "soft target" of child porn on the grounds that most people do not apply logical thought where children are concerned.

    Of course once they have the precedent that someone can be required to incriminate themselves in this way, they can then extend it to "terrorist suspects" and from there it's plain sailing down the line to allowing the RIAA to say "well we think he has encrypted MP3s on his hard drive..."

  14. Highlander

    Only one person really got the point

    This is an almost classic text book example for legal students.

    If you take the emotionally charged offense out of this and replace it with some incredibly boring white collar crime, where no one has in any way been hurt, then the whole thing has a different complexion. This is not about this one defendant it's about a pretty fundamental principle of US law. You can't be compelled to incriminate yourself. By divulging a piece of information this person could easily incriminate himself, he can't be compelled to do so. It doesn't matter if the files on his hard disc contain child porn or copyrighted poetry, you can't compel him to give up the password. If you do you destroy a fundamental protection in this society. There really shouldn't even be any debate on this point.

    That said, if this guy is what they say he is, then I hope that with the evidence they have they still have what they need to put him away for long enough for him to become acquainted with Bubba and his friends inside....

  15. Mike Hocker
    Alert

    slippery slope

    I find it astonishing that an accused could be compelled to provide a passphrase which clearly will lead to incrimination (this case is a poster case, everyone hates this type of pr0n person so eroding of civil liberties is much easier-- too few think of the unintended consequences down the road.).

    The accused is an idiot anyway, not having a screen password (HELLO?), having file names that attract attention, and not even being bright enough to generate a lie-- "I keep the passphrase on a piece of paper, and when the border police seized the machine I ate the paper and Lordy, I can't remember what the passphrase is!" or some such.

    The persons really wanted are the ones who generated the source files. Send those perps to @Human for a thorough maceration.

  16. Mark Randall

    Water

    I wonder how long before the CIA starts water-boarding him to get him to give up the information.

    If he is guilty then he should be locked up for a long time, but it seems at this point they have no evidence.

  17. jerry

    How is a law forcing people to turn over their passwords going to prevent terrorism?

    I guess if there's a law that says they have to turn over their passwords, that they will say, shuck, darn, we shouldn't even bother encrypting our passwords now!

    Or that if they did encrypt their password they will give up the codes to the dirty bomb location because they don't want to go to jail?

  18. Anonymous Coward
    Anonymous Coward

    Military grade

    You hear this phrase all the time when some criminal has been caught - "... was protected with military grade encryption..." So what is that exactly? 256-bit AES was classed beyond that at one point, but is so common now as to make the designation "military grade" worthless. I bet current "military grade" offerings go beyond key length into other realms.

    Well it's not entirely worthless - it does give a lovely dramatic CSI spin on the story, and perception is everything. The truth is the media love a good whodunnit techno wankfest, and people go all glassy-eyed and weak at the idea of dirty paedophiles being outsmarted by the suited good guys.

    /rant

  19. Herby

    How to get someone convicted:

    If this goes thru, all you need to do is send someone a file of garbage maybe with the first characters in plain text that say 'this is child porn' (or equivalent). If the name of the file is equally incriminating, they will try to compel you to give up the password. Nice try, but I don't know the password. Why is the file on your disk, obviously it is bad, etc...

    This is a very slippery slope!

  20. Ole Juul

    So many questions

    If you can't unencrypt the files then how do you prove that the Customs and Border Protection inspector is telling the truth?

    Since the files were copied peer-to-peer, if they do get unencrypted then could the inspector(s) not be charged with distributing child pron?

    People often get nervous or confused when under pressure. How do you prove that the suspect can remember the password?

  21. James Condron

    Incrimination

    The way I understand it, you can only incriminate yourself if you've done something wrong.... by claiming you'd incriminate yourself you're admitting you've done wrong more or less(... this being semantics, not legal understanding.)

    It's almost an extension of the whole 'If you've nothing to hide you're safe' idea, but there's a good argument there- if you're innocent why not give up your password/key and then change it and re-encrypt to ensure the police won't get in again?

    It's a horrible suggestion, but there must be a way to safeguard computer users whilst not extending this to people such as paedophiles.... No one will develop a method because it could be political suicide depending on the spin, and it'd be difficult- better to declare everyone a 'h4xx0r' and using escrow or putting in backdoors

  22. Matt

    Activist judges folks

    Once upon a time in America we had judges who strictly interpreted the law and only ventured forth opinions in uncharted territory when the Legislature hadn't addressed the issue.

    Then sometime in the 1950s we lost that. They declared the Constitution was a "living document" that needed to be reinterpreted to fit contemporary values by the courts, not amended by a Constitutional process. This isn't mere hyperbole -- one of the Justices in the early 1960s became physically ill and retired early when the court imposed one man, one vote -- because as much as he supported the principle, it sickened him to see the Supreme Court violating the separation of powers and imposing new law on the Legislatures.

    So in a country where the Police are allowed to implement such unreasonable searches as Drunk Driving checkpoints that stop everyone going through a spot without cause to intimidate them into having a conversation (i.e. waive their right to remain silent)...it gives hope to activist Prosecutors that a Judge somewhere will similarly figure it's good to reinterpret the Constitution to allow this too.

    But hey, if it's:

    a) Drunk Driver

    b) Drug Dealer

    c) Child Pornographer

    d) Terrorist

    then you have good reason to believe in a living constitution to meet the needs of prosecuting those really bad guys. If it just sets precedent for everyone else, hey, what are you trying to hide Comrade?

  23. Anonymous Coward
    Paris Hilton

    Here's an idea...

    Okay. Create an encryption scheme so that entering A Fake Password will reveal perfectly-legal public-domain pictures of puffy clouds, colourful flowers, and perhaps an extremely contented cow relaxing on the XP Bliss hillside.

  24. Mahou Saru

    Jumping the gun

    The prosecutor jumped the gun. They didn't catch the guy in the act and now they want them to incriminate themselves. New technologies mean the police and prosecutors need to learn new techniques, if they screw up and let a pedo off that is their fault for not doing their jobs right in the first place.

    Terrorists who are willing to blow themselves up are not likely to meekly hand over their passwords, who are they kidding...

  25. Bryce Prewitt

    Just like communism, it's all a red herring.

    Anytime prosecutors or the gov't need to dangle the proverbial carrot to prove a point then you can automatically assume their position has both a hidden agenda and is so overtly amazingly incredibly wrong.

    Highlander is the only person with any brains in this thread. Unfortunately, as the internet so often proves, most people are knee-jerk reactionists that couldn't give two shits less about anyone else's rights than their own.

  26. Simpson
    Alert

    It would have been easy

    if it was Windows EFS.

    The issue of forcing someone to self incriminate, should not even be an issue. The government is asking for the right to imprison a person (for contempt), until they agree to testify against themself. This can't happen...

    The prosecutors should not have charged the person. They should have offered a plea bargain, in return for cooperation. While retaining the hammer of a future charge. Something like "in the next few years, we will be able to decrypt this drive. If you don't take the plea now... it will not be offered to you when we decrypt the drive, and when we do.... we will put you in prison forever".

    The biggest mistake, is that the officer copied the drive. The officer should have seized the computer. Then they would have a chance. Since they copied the drive, they may never be able to decrypt it.

    I don't know too much about PGP, but I know a little about EFS (Windows encrypted file system). With EFS, you (at least I) am done if the OS takes a crap and needs reinstall, or if you copy the data and try to decrypt on another system. But on the same system... that's easy. All you need is an administrator group account to retrieve the data, then run xcopy as local system.

    But trying to crack encryption on a copy running on another system, that could be tough.

    What kind of cop would see files named 'Raping two year old', and not seize the computer? What an idiot. That is where the case fell apart, now they are just trying to save face.

  27. Anonymous Coward
    Coat

    What've you got to hide?

    I agree with James Condron, by hiding the encryption, you're in fact stating you're hiding something incriminating and should be treated as such.

    If you're suspected and find yourself within a trial, be it for terrorism or child porn charges and have nothing to hide, surely you'd want to give over everything you can and be as co-operative as possible to clear your name.

  28. Anonymous Coward
    Anonymous Coward

    @ Chris

    re: Military Grade

    This term is still in use for historical reasons. Back when Internet Explorer only included 40 bit encryption for SSL in the UK (1997 or earlier IIRC), 128 bit encryption was designated "military grade" which prohibited its export from the US. Anyone with a clue could download it anyway, so it was never going to last.

    I sign my stuff with 1024 bit encryption anyway, as it is quite sufficiently overkill for the stuff I'm protecting. I do a fair amount of SSHing to my servers across the net and the key is the only way in so I'd like it as secure as possible.

  29. tfewster Silver badge
    Thumb Down

    Common sense?

    As I see it, the evidence is there in the filenames, and it's up to the defendant to prove that the files are not illegal.

    How is this different from less emotive cases, e.g. joyriding? "Is this your car sir? Can you tell me the registration number?" or suspected stolen goods "Can you prove you bought this? Do you have a receipt or bank statement showing the purchase?"

    If he "forgot" the password, it's not proof either way, but I bet a jury would find that suspicious. As for planted "evidence" - It can happen with unencrypted files & physical items too.

    Fortunately it sounds like there is enough unencrypted evidence to convict him.

  30. Sampler

    Little surprised

    Often I read stories how the Americans make legal precedents with some very unnerving consequences so it's refreshing to see so many back the idea that passwords shouldn't be demanded to be handed over - unlike a law they snuck in over here in blighty where we're now compelled to.

  31. Anonymous Coward
    Anonymous Coward

    Lucky Americans!

    You US people should think yourselves lucky. This side of the pond in the UK, we have the "Regulation of Investigatory Powers" act that means they can force you to hand over your password and if you don't it's up to two years in the slammer for you. Quite what happens if you genuinely forget your password has never been considered.

    The police in this case are being stupid. Just go to his ISP and demand the logs of his Internet traffic for the last 6 months. If he's visited any kiddy porn sites they can get him on that.

    It's a classic case of "innocent until proven guilty" - if they can't prove him guilty without forcing him to incriminate himself, then he has to be found innocent.

  32. Tim
    Unhappy

    What a thoroughly depressing case, in every way

    A stupid, vile defendant and a dangerous attack on very old rights.

    As Highlander has pointed out, there is already evidence - the two videos mentioned in the article which I can't bring myself to name here.

    It would be a great shame if a legal precedent to force disclosure of keys resulted from this case when there is already plaintext CP on his laptop. More than likely the police ballsed up the chain of evidence which is why they claim to need the keys. Or, perhaps, there isn't enough plaintext CP to send him away for a really long time.

    I believe we already have such a law (not a precedent, a real law) in our damp, grey land of fear. It is supposed to apply to terrorist cases but we've already seen how willing the police are to extend anti-terrorist powers to everyday life. I'm sure the courts will follow soon.

    Best start using http://www.truecrypt.org (it solves many of these problems and I don't mind posting it here because I hope there are no CP-addicts among El Reg's readership.)

  33. Anonymous Coward
    Anonymous Coward

    The Border Inspector

    "The case concerns the investigation of Sebastien Boucher for possession of child pornography. In late 2006, the Canadian citizen with legal residency in the US was crossing the border into Vermont when a US Customs and Border Protection inspector searched his laptop"

    What right did a US Customs and Border Protection Inspector have to search someone's laptop while crossing the border in the first place?

  34. Matt Davey

    @Tim (truecrypt)

    Truecrypt looks interesting, but given that it is open source it would, I suspect, be pretty trivial to break 'plausible deniability' by demonstrating the supplied password was for the 'outer volume' and not for the 'hidden volume'.

  35. Anonymous Coward
    Anonymous Coward

    blah

    if this was a fraud case, or some other "lower" crime they wouldn't have a hope in hell of compelling it. It seems the world works like this

    Want something digital forced through the courts by creating a precedent?

    Get a CP case to set the precedent because everybody will be on the side of the law when it comes to CP evidence be damned. (Or dress something up as CP so you can get good headlines and throw a few innocent people in jail - drawings say - that illustration is only 10 years old! Somebody mongled mind loli to create it! You're a paedo!)

    However as Tim said as there's already evidence on his machine *shrugs* that's pretty compelling and will plant doubt in the jury's mind anyway, he has videos x and y and over 20gb of encrypted files named a and b.

  36. Andy Worth

    @Bryce Prewitt

    "Highlander is the only person with any brains in this thread................................most people are knee-jerk reactionists that couldn't give two shits less about anyone else's rights than their own"

    Sounds like a knee-jerk reaction to me, considering at least half the people who have posted on this thread seem to agree with the same basic principle that Highlander stated. In fact, if you look at the post directly above Highlander's, it more or less echoes the exact sentiment of a hidden agenda by the government that you state in your own post. So by your own admission (of sharing a sentiment with someone with no brains) you prove that you have no brains.

    That said, I happen to agree with both Highlander, Graham Marsden and yourself in that firstly, regardless of the nature of the accusations they have no right to force him to incriminate himself, and secondly that THIS case is probably being pushed as it is a soft target to push their hidden agenda. The US government almost certainly wants to change the law so that you essentially incriminate yourself by refusing to hand over your password - in which case any illusion of privacy is blown to shreds.

    For example only, let's say that I enjoyed cross dressing (I don't, but I have a relative who does), and I had some encrypted files on my PC with some pictures and emails that I didn't want my wife/kids to see (I don't have a wife/kids either IRL). At the end of the day, it's none of the government's business what is in those files (as it's perfectly legal) and could potentially ruin my marriage/life if it came out. But a law like this would force me to reveal my secrets, just because refusal to do so would "prove" me guilty.

    As Graham says, assuming they succeed, how long before the RIAA (and the like) start using it in their own cases? The simple fact is that they are using a case that provokes a high emotional response to push their agenda.

    Another poster also mentioned if that was the case, what's to stop someone from dumping an encrypted folder onto someone else's PC and grassing them up? The "suspect" would be guilty simply by "refusing" to give up the password that in truth they do not know.

    All that said, if the guy really is guilty I hope he gets what he deserves, but it doesn't change the facts.

  37. Anonymous Coward
    Anonymous Coward

    @Mike Hocker

    "The persons really wanted are the ones who generated the source files. Send those perps to @Human for a thorough maceration."

    A very admirable thought but what if the contents of the encrypted information shows that he was one of the content generators.

  38. heystoopid
    Alert

    Hmm

    Hmm, the US can actually bypass any constitutional court ruling by merely sending you before a Grand Jury which ends the deadlock, then jail you for contempt for the duration for not answering the question and reconvene ad infinitum!

  39. Anonymous Coward
    Paris Hilton

    @Here's an idea...

    TrueCrypt (http://www.truecrypt.org) supports "hidden volumes" which does exactly what you propose.

    Must also comment that popular notion that possession of immoral films and pictures should render a long prison sentence. If the case only involves possession and not (coerced) production I really don't see why this man should deserve a prison sentence. Current morality standards and law should not be mixed.

    Why Paris? 'cos I looove her movies :)

  40. Anonymous Coward
    Anonymous Coward

    Adding in the emotional aspect

    "If you take the emotionally charged offense out of this and replace it with some incredibly boring white collar crime, where no one has in any way been hurt, then the whole thing has a different complexion. This is not about this one defendant it's about a pretty fundamental principle of US law."

    That's fine and sensible, but look above and see the commenters trying to *enhance* the emotional aspect. Our politicians play this game these days with full on effect, and that the 'terrorism' thing has given them a major weapon.

    'Cyberterrorist' for example, trying to add the fear of terrorism to turn boring white collar Internet flame wars into a thing where we can sacrifice freedom of speech to protect ourselves from. 'Internet Predators' another demonizing usage to strike fear of the net into the average punter.

    At the base level we need the crusty old judges to hold the line here. I'd personally like to see Blair's anti free speech law overturned, and his attacks on privacy undone. There were a bunch of laws he created that clashed with the Human Rights act, and were driven through by appealing to irrational emotional fears that need to be looked at again.

  41. Anonymous Coward
    Anonymous Coward

    So let me get this straight....

    If they have a safe, with physical keys they have hidden, then it's okay to force them to extract the information from their head as to the location of the keys so they can hand them over.

    If however it's an encrypted file and the keys are in their head it's a no no?

  42. Steve Browne
    Thumb Up

    Rights

    I have always asked people when sprouting off about their rights, "Will you defend the rights of those whom you despise?". If they answer "no" they have no cause to have any rights themselves. Either rights apply universally or they are not rights.

    Bear in mind, and this case is an excellent example, rights are about curbing the power of the executive against the people.

    As there is already precedent and a constitutional bar (in the US) to demanding knowledge with which to prosecute someone, a rule which has been used by presidents to avoid prosecution, there is no ground to demand decryption keys to open the files.

    The government always uses emotional cases to bring about changes in the law which they know are controversial. Mainly targeted at free speech, by using the pornography industry as an example. This is despite the US constitution denying them the power to introduce such laws.

    If you hear a politician claiming to be "protecting our children" you can safely bet that is the last thing on his mind. What is really wanted is to make gaining convictions easier, which is a step in the wrong direction. Somewhat like Tony Bliar attempting to remove the right to a jury trial.

    When they came for animal rights protester, I did nothing, because I was not an animal rights protester. When they came for the paedophiles, I did nothing because I was not a paedophile. When they came for the muslims, I did nothing because I am not a muslim.

    Rights are worth defending, even for those whom you despise. Permitting the government to remove YOUR rights because you don't like someone is just plain stupid. Once lost, they are a bugger to get back. There is never any greater good, and it is often used by religious nuts (George Bush & Tony Bliar) to force their private agenda on unsuspecting others.

    Enough have been removed under fraudulent pretexts, stop it now.

  43. Spleen
    Black Helicopters

    Tough tits

    If I'd committed some horrible crime and the police were knocking at my door, I think it's fair enough that I don't open it. You want to get in so badly, get out the battering rams. Same applies to encrypted files you want to look at. Can't crack the encryption? Boo hoo hoo, go off and find some comatose diabetics to Taser(TM) until you feel better.

    There is a valid argument that if the police are able to gain entry to your house they should be able to gain entry to your encrypted files, US-specific constitutional arguments aside, but I find the dilemma is made much easier by the fact that the police have far too much power already. I'm not inclined to be reasonable until they give some of the more flagrantly authoritarian powers up.

  44. adnim

    very difficult choice

    The state/controllers of power and liberties such as governments are not always right, one doesn't have to look far to see this, even here in the UK.

    A terrorist is a relative term depending on which side of the fence one sits. There are oppressive governments out there, governments who will send the police/protectors of their power base to arrest/drag off and murder dissenters to the status quo. Does fighting government oppression make one a terrorist? Does standing in front of the tanks of an oppressive government make one a terrorist?

    Paedophilia is a more clear cut case, one either sexually abuses or encourages the sexual abuse of children or one doesn't. And the vast majority of the population of this planet would agree child abuse is out of order to say the very least.

    Unfortunately, both these types of person may rely on encryption to protect themselves from the law, whether that law is a good and just one or not.

    So the data of the innocent (again a relative term) and the righteous are protected along with that of paedophiles, or neither are protected.

    I am of the opinion that a person has a right to privacy, and if that person has encrypted files they should not be forced to reveal passwords. Sadly this protects the paedophiles too.

    Unfortunately one does not have to visit kiddie porn sites to download images of abused children. There are binary newsgroups with titles that bear no indication of the off topic posts that may be in there. Encrypted torrents may also be used to disseminate child porn. It is not always a clear cut case of examining ISP logs to prove child porn was downloaded. However traffic can be sniffed and any unencrypted packets re-assembled. Humans make mistakes. If enough time and resource is dedicated to monitoring suspected paedophiles, they will be caught.

    A filename does not always reflect the content of the file. I used to hide some system passwords in text files and rename them to such things as wallpaper1.jpg and put them in a folder of wallpapers. It is no big deal to rename say childabuse.jpg to readme.txt.

  45. Bill Fresher

    Unbelievable

    Government: "Supply us with evidence that you've done something illegal. If you don't we'll send you to prison".

    hahahahahaha.

  46. Rafael
    Joke

    Bah!

    Send the disk or whatever to Hollywood. I bet Sandra Bullock or Keanu Reeves can crack its protection and give the police the contents in seconds.

    The best post in this thread was the one with "by hiding the encryption, you're in fact stating you're hiding something incriminating and should be treated as such"... posted by an Anonymous Coward, who apparently does not have anything to hide. Oh, the irony!

  47. Karl Lattimer

    Anyone else thinking about the RIP bill

    Doesn't the RIP Bill in the UK require you to incriminate yourself in such cases?

    Providing encryption keys on request or face up to 2 years jail time? If that's the case then the scenario mentioned by David Wiernicki is possibly in the UK.

  48. Ash
    Unhappy

    Bizarre...

    Over in the UK, this wouldn't be an issue.

    We're already fucked.

  49. Mark

    @Maisie

    They are not a criminal until they've been proven guilty.

    If you still don't like it, how about this scenario.

    I guess you've got kids. A child is three times more likely to be sexually abused by their immediate family than a random J Public. Therefore I suspect you're a child molester.

    Now prove yourself innocent.

    Even if you do, do you think the neighbourhood will think you innocent?

    Oh, and just to get you in a double-bind, if you don't have kids, you're probably broody so you're likely to plan a child abduction...

    We can't assume people are guilty just because we hate the crime they did. And if we find this person guilty without this evidence, although we could then require them to give up the keys, why bother: they're already guilty.

    The problem isn't that the law protects the guilty but that the truly innocent think they have nothing to fear and don't know their rights. So they give information to the police that the criminal element know they don't have to (or hope they don't, but then if the police lie about their powers, why don't the public lie about their rights...?). Not knowing your legal rights (and the police/etc not telling you them) is the problem.

  50. Anonymous Coward
    Stop

    A point...

    It seems to have been missed so far so I shall weigh in with it (apologies if someone has posted the same in the time it took me to write this). The law does not and should not (as has been stated) protect everyone else's encrypted files while not allowing the paedophiles to keep their systems encrypted. Only AFTER the case has been made and proven are they paedophiles. Until then they are SUSPECTS. This is a very clear distinction and needs to, apparently, be made again and again. How do you decide who is the paedophile/terrorist and therefore has NO right to data secrecy and who is the protective parent who does not want his child's photos and school reports from being stolen over the Internet? What is to stop the authorities from deciding they do not like someone who HAPPENS to have some form of encrypted file of any kind on their system and they claim it is child porn? Are they now a paedophile because the trigger-happy police say so? Or do they still get the rights of the many? The whole point of a fair and democratic system of law is that the rights apply to ALL people. Not to the privileged few who are assigned by government.

  51. Mahou Saru
    Thumb Up

    @something to hide and unbelievable

    @something to hide - All the laptops I set-up are encrypted. If they weren't I personally feel I am not doing my job as a technician, as one of my responsibilities is to ensure that the data does not fall into the wrong hands. Does that mean my org or I have something to hide? You bet we do, just as the UK gov should have hidden all that data they recently lost.

    Consider another scenario, let's say your home computer. Laptops and computers are not that valuable any more, and the naughty people (aka thieves) not stupid. Why try to sell a laptop for a few pounds (hey I don't know how much hot lappies go for), when they can sell the laptop and use any data they find on it to do some ID theft which might end up as a £10k loan or something nasty like that.

    Basically everyone has something to hide from someone, it is the same as ensuring you have locked the door on your house.

    @unbelievable - nobody likes a spanish inquisition :p

  52. Bill Smith
    Alien

    Ikabod

    Authorities raid Ikabod's house knowing he is part of a terrorist group. In his house they find a computer which they suspect holds data relating to a planned attack. The data is encrypted. Do the authorities force Ikabod to hand over the keys to the encryption or do they wait..... tick tock tick tock.... oh dear, New York appears to have been the target for a radioactive bomb, oh well at least we can rest easy knowing Ikabod's human rights were not compromised.....

  53. Mark

    @James Condron

    so by upholding your rights to a fair trial you think this is an admission of guilt? So is it only the guilty plead "not guilty"?

    The jails are full of innocent people who thought that saying "yes, but..." will be listened to in court after the comma when the judge has asked "how do you plead?".

  54. Anonymous Coward
    Anonymous Coward

    PGP? Military Grade?

    So that's how the terrorists get our data.

  55. Anthony Sanford
    Stop

    European Court

    According to the European Court, the privilege

    "is primarily concerned, however, with respecting the will of an accused person to remain silent. (...) it does not extend to the use in criminal proceedings of material which may be obtained from the accused through the use of compulsory powers but which has an existence independent of the will of the suspect such as, inter alia, documents acquired pursuant to a warrant, breath, blood and urine samples and bodily tissue for the purpose of DNA testing."

    From what I can see this means that you have the privilege of non self-incrimination as long as it's a matter of will, i.e. a confession.

    This may be the reason that the RIP bill has never been tested in the UK, it could be ground for appeal and the UK government just want the RIP around to scare suspects.

  56. Craig
    Unhappy

    The initial search

    I think it's pretty outrageous his laptop was searched for no reason in the first place! I despise having to take it out of its case during a security check; I would probably refuse to turn it on.

  57. Steve
    Pirate

    amazing

    The number of people that wish to reverse the 'innocent until proven guilty' basis of US (and UK) law.

    Not to mention those that think that exercising the right to not incriminate yourself is automatically incriminating and thus you're guilty.

    Is there any wonder that civil liberties are disappearing when people have these attitudes.

  58. Anonymous Coward
    Anonymous Coward

    re: The Border Inspector

    they can do it at customs when you're going into or out of security - so I wouldn't be surprised if it's the same at the US/Canadian border.

    Seriously the files already evident on the guys machine leave him hard to defend, but it would be very sad if the case was used to set a precedent for compelling people to release keys and passwords.

    It bugs me how people like forcing through laws/precedents where none are needed.

    Here you have a case where a person has child pornography on his laptop, he also has a number of encrypted files. Although getting access to those encrypted files may add more weight to the case having them still encrypted still lends a good dose of doubt.

    It's the same here in the UK with my most loathed bit of proposed law(s) the extreme pornography law, and the recommendation to make drawn pornography of flat chest equivalent to Child Pornography.

    In the illustration (lolicon) recommendation they cling to the fact that it may be used for "grooming" however Grooming is already illegal whether you use a manga, a Barbie or CP.

    One of the claims in the recommendation was that in one instance they had arrested someone who had lots of lolicon (illustrations) but no CP, and they were annoyed they couldn't arrest him (because he hadn't broken any laws - that would include grooming).

    Similar that extreme pornography that it makes you go out, rape and murder women.

    Anyway - this superhero hopes the guy gets his 20 years.

  59. Anonymous Coward
    Anonymous Coward

    Re: Unbelievable

    If the guy hasn't done the crime in question, then he could hand over the key.

    I suppose this idea exists so that he can't be compelled to make public something that is otherwise unrelated to the case, be it another criminal activity, or something embarrassing but benign like being a commie or a muslim fundamentalist.

    Maybe the solution is that he be compelled to provide the key but such content is then restricted in who gets to see it?

    It's technically interesting as it demonstrates that the police are unable to crack PGP. I believe there was some suggestion that the reason the police wanted 90 days detention in the UK was so that they could decrypt files - it's clearly not possible.

    @David Wiernicki

    If you wanted to set someone up, you could of course, stick kiddie porn on the victims machine unencrypted and then they would carry the stigma of perversion for the rest of their days. It seems that you can be convicted because something is on your computer, it's then up to you to prove innocence.

  60. Anonymous Coward
    Anonymous Coward

    A solution

    Whilst agreeing with the basic principle that you are innocent until proven guilty and that you should have the right to remain silent this case is rather different in that the person has already been found guilty of a crime and the police have a more than reasonable suspicion of further wrong doing relating to that crime. In cases like this the guilty party has decided to break the law so laws made to protect innocent people, which he isn't, should not apply. Simple, you keep your privacy laws and nail the bastard properly.

    Note that the phrase "relating to that crime" would prevent the police from trying to pin a new crime on someone just because they committed the same sort of crime previously.

  61. George Jenkins

    Even if he is 'forced' to reveal his password....

    Apart from the legal issues such as precedence and such, the point is almost moot anyway. Once the court decides he has to reveal his password (In first person):

    Feds: You must now reveal your password!!!!

    Suspect: OK, the password is 'sw0rdfish'

    Feds: That didn't work.

    Suspect: Well, I swear my password is/was 'sw0rdfish'. Either I must have forgotten, or it's been corrupted somehow.

    (Idea credit to someone else on a similar article)

    George.

  62. Anonymous Coward
    Pirate

    UK Law

    In the UK, what the authorities want is the data, not the key :

    "In almost all cases, disclosing the plain text of decoded encrypted material, rather than the decoding key, will be a sufficient response to a decryption notice. Keys are only required in special circumstances."

    Also, it's not your ordinary court or police officer who can request the key:

    "Law enforcement agencies cannot lawfully obtain keys unless they have the appropriate permission of a judicial authority, the chief officer of police, the Commissioner of Customs and Excise, or a person of or above the rank of brigadier or its equivalent."

    That said, it's still concerning. Suppose you "hid" the data - e.g. put it on a remote server hosted in Syria (or North Korea, or Cuba or other "Axis" state). What if you were forced to disclose the location (I can see this coming)? Here's a scenario:

    Court: "We require you to tell us where the illegal material is"

    Person: "What illegal material - I don't have any"

    Court: "Tell us where it is or you'll face 2 years in Jail"

    Person: "I don't know what you're talking about"

    Court: "We have seen a text on your PC's hard disk which contains the words "child porn" - we want the rest of the data"

    Person: "That's part of the weekly email from The Register, I'm innocent, I don't have any child porn"

    Court: "Guilty. 2 years for withholding information"

    Of course, if it's not child porn but terrorism then it's 5 years in Jail.

    The most worrying thing about the UK legislation is the requirement to keep the notice that you've been asked to decrypt data secret:

    "Section 49 notices may contain a provision requiring the person to whom the notice is given and every other person who becomes aware of it or of its contents to keep secret the giving of the notice, its contents and the things done to comply with it. The inclusion of a secrecy requirement in a notice requires the consent of the person granting permission for the notice to be given or for the person giving the notice to have that permission. However, the notice should also inform the recipient that he (or she) may nonetheless approach a professional legal adviser for advice about the effect of the provisions of Part III of the Act. In addition, it is not the intention of the Act to penalise individuals within organisations who, for example, have been given a notice imposing a disclosure requirement but need the assistance of another colleague in order to comply with the notice."

    The UK legislation on key disclosure can be found here:

    http://security.homeoffice.gov.uk/ripa/encryption/disclosure-of-keys/

  63. Anonymous Coward
    Black Helicopters

    Military Grade Encryption

    Military grade encryption will involve long bit keys AND double or triple encryption. I think in the US double encryption is prohibited.

  64. Anonymous Coward
    Anonymous Coward

    @Mark

    "We can't assume people are guilty just because we hate the crime they did"

    Surely we *can* assume people are guilty for this.

    I agree we can't assume people are guilty because we hate the crime they are _accused of_ though.

    On the other hand if he has a file called "raping a two year old...." then I suspect the onus would be on him to show the file was innocuous.

    To use an example without the technology angle:

    You go into an airport with a small bag and shout "I have a bomb"

    You then refuse to show anyone what is in the bag (and thus incriminate yourself).

    Although technically innocent no one is going to mourn your bullet riddled cadaver.

    Just another happy thought for the day

  65. Mark
    Flame

    Everyone should remember that

    Reading your rights is named after a thoroughly unpleasant guy (Miranda), a case which has gone on to substantially improve police treatment of accused, both in the USA and round the world.

    The law has a duty to ensure that everyone has a degree of protection from the state, and unfortunately it has to protect the unsavoury as well as the righteous, because it cannot separate the two beforehand.

    Basically, it seems the police screwed up the gathering of evidence, and if they do then the case should be thrown out. The law is designed to ensure the accuser has to meet standards in order to protect the individual, and this case is no different.

  66. Tom Kelsall

    @ Everyone

    1. You can't treat him as a crim just because he refuses to give up a password. Innocent until PROVEN guilty does NOT MEAN "Innocent until he refuses to incriminate himself."

    2. Even if they set this precedent, and "compelled" him to reveal his password, who's gonna make him do it?! Are they going to torture him until he squeals? If he doesn't even know the password, what are they going to do to him?

    This whole debate is pretty dumb... after all the Police have access to some pretty powerful decryption kit... why don't they spend the time decrypting it instead of this silly legal challenge? He'll never reveal his password even if legally compelled to - so they should concentrate on building the evidence themselves... it's called "Police Work".

  67. The Mighty Biff
    Pirate

    re Ikabod

    Oo ! Scary terrorists !

    Sigh.

    I don't imagine Ikabod is going to reveal his password to the infidel policemen just because the law says he has to. After all he is planning to nuke New York which is also, like, totally illegal.

    I expect in your world, the police really ought to be allowed just to pop a cap in any bad guys like him. I mean, they know he's evil right ? Although that didn't work out so well for Jean Charles de Menezes, or the Forest Gate 'terrorists'.

    Still, a few dead innocent folk is a price worth paying. Oo. I hope one of them's not me though !

    Mind you, Judge Dredd always got it right...

  68. Brev
    Paris Hilton

    Is bad memory a crime?

    It would seem we are now a criminal for not being able to remember a piece of information. Think about how often you need to ask for a password reset. It is unreasonable to expect everyone to be able to remember every encryption key they ever use.

    The fact is no government likes anyone to be able to evade its control because they want to 'govern' in the way they see fit. Threaten that and your so called 'rights' are unlikely to count for much, even in a 'democratic' country.

  69. Mark

    Re: Ikabod

    So Ikabod, afraid of three years in jail hands over the key that then proves the conspiracy and he's jailed for ten.

    Hang on...

    Or do you beat the crap out of Ikabod until you get it? If so, if it is unsuccessful is it because there was no bad thing being done? If so, surely those doing the beating should be beaten too, for severe and continual assault and torture. The one who issued the command should be done for kidnap and accessory. Not doing this but allowing "persuasion" means that any suspicion is enough to have YOU tortured. Putting these requirements in means that anyone doing such barbaric acts must be so certain of their rightness that they are willing to undergo them themselves if it wasn't needed.

  70. TrishaD

    @ Tom Kelsall

    'This whole debate is pretty dumb... after all the Police have access to some pretty powerful decryption kit... why don't they spend the time decrypting it instead of this silly legal challenge? He'll never reveal his password even if legally compelled to - so they should concentrate on building the evidence themselves... it's called "Police Work".'

    That was my first thought. But the implication from the Washington Post article appears to be that a 'government forensics specialist' has spent almost a year trying to crack the encryption. While cracking PGP would seem a pretty tall order, surely using a password cracker to throw random passwords at it would stand a fair chance of success, given that most non-techie people don't really get the need for complex passwords?

    Breaching civil liberties for the greater good is at least debatable. Breaching civil liberties because your police aren't up to the job certainly isn't ....

  71. Juliette Martens

    @Maisie

    First of all, the guy is not a criminal - yet - he hasn't been convicted and should as such still be presumed innocent. Second, the same "consitooshun" that you derisively dismiss is what distinguishes a state based on justice from a police state. You may look at civil rights promoters as hippy scum who stand in the way of giving an evildoer a good thrashing, but without those civil rights you could be burned on the stake "because the neighbour says so". You probably won't, but who can be certain without a good set of laws which are actually being put into practice? The fact that childporn is involved is completely beside the point - I'm all for harsher punishment (to say the least) than for a burglary, but that is once the guy has been convicted. The legal system should not be bent to accommodate the feeling of "the general public".

    On a slightly different note, in Holland a suspect is only named with his first name and the initial of his last name; it's a much better practice as this way if you're innocent you could possibly still carry on with life without people shying away from you on the street (they continue initialling once the person's been convicted but that's a different story). Especially for something like child porn - imagine if this guy actually IS innocent and someone planted stuff on his computer; do you really think he'll be able to get a job again? Same thing with the guy accused of Madeleine McCann's abduction in the early stages - he's been released and cleared but everyone knows his face and name - his reputation's gone for good.

  72. Anonymous Coward
    Anonymous Coward

    wrong encryption key

    All you have to do is give the wrong encryption key. When they come back to you and say "that wasn't the right key - all we got was random characters" then you reply "yes, that's what the file contained". As far as I know it isn't illegal yet to store meaningless junk on your computer.

  73. Anraí MacCoilín
    Joke

    @ Mark

    "The jails are full of innocent people who thought that saying "yes, but...""...

    Hahahaha, full of innocent people... um, no, there are plenty of people who have been wrongfully imprisoned, but I wouldn't go so far as to say it's full of them

  74. Paul Banacks
    Flame

    A very very slippery slope...

    A while ago, Speed Cameras faced a challenge in the European courts. The plaintiffs argued that their right to not incriminate themselves was violated because they were forced to identify the driver at the time the camera snapped them. Failure to identify the driver is a criminal offense.

    The defense (or judge, whatever) in this case successfully argued that by driving a car, you accept the rules - one of which is to incriminate yourself if you're caught speeding.

    I can see a future judge saying, "by using a computer you accept the rules of doing so, one of which is to provide keys when required to do so by law enforcement authorities..."

    Both of these situations are completely unacceptable. As a fundamental principle of justice, the right not to incriminate yourself should be absolute in all cases.

  75. heystoopid
    Paris Hilton

    Ah just had a very evil idea

    Ah just had a very evil idea put all the er questionable files flics and piccies encrypted with blowfish or better on large flash drives for a number of reasons

    1/ they will break the maximum 100K write cycle barrier if they resort to brute force thus destroying the evidence !

    2/ the laws of physics of these drives are immutable and set in silicon so as to speak and effectively these devices unless refreshed with the correct data will lose their memory of events over time !

    3/ most police evidence rooms suffer from a vicious attack of the blue finger of theft more so than you think and since these devices are very light easily hidden and transported or substituted for the smaller drives and then placed in your blue coat pocket straight out the door so as to speak only to be reformatted and recycled by the very same rozzers that tried to send you up river thus eliminating the chain of evidence for you without bribes !

  76. Ed Mozley
    Happy

    They should do what they do in the UK

    This is from

    http://www.schneier.com/blog/archives/2007/11/animal_rights_a.html

    In early November 2007 about 30 animal rights activists are understood to have received letters from the Crown Prosecution Service in Hampshire inviting them to provide passwords that will decrypt material held on seized computers.

    The letter is the first stage of a process set out under RIPA which governs how the authorities handle requests to examine encrypted material.

    Once a request has been issued the authorities can then issue what is known as a Section 49 notice demanding that a person turn the data into an "intelligible" form or, under Section 51 hand over keys.

    Although much of RIPA came into force many years ago, the part governing the handing over of keys only passed in to law on 1 October 2007. This is why the CPS is only now asking for access to files on the seized machines.

    Alongside a S49 notice, the authorities can also issue a Section 54 notice that prevents a person revealing that they are subject to this part of RIPA.

  77. Anonymous Coward
    Anonymous Coward

    @Bill Smith

    Authorities raid Bill Smith's house knowing he is part of a terrorist group - he isn't really, they've mixed him up with another Bill Smith. In his house they find a computer which they suspect holds data relating to a planned attack. The data is encrypted. Do the authorities force Bill Smith to hand over the keys to the encryption or do they wait..... tick tock tick tock.... oh dear, New York appears to have been the target for a radioactive bomb & the real terrorist Bill Smith has been seen leaving the country, oh well at least we can rest easy knowing that non-terrorist Bill Smith has had his human rights compromised and is sitting in prison for contempt of court because he refused to give his encryption key.

  78. Adam
    Boffin

    great so possible kiddy porn dude can use encryption

    but the uk government can't... wonderful. maybe if he's set free they could hire him as a consultant?

    mgk

  79. Jason Hall

    plan

    So... how about all of us on here make some encrypted files.

    Nothing nasty in them... just a text file/jpg saying "f*ck off, this is private" and start leaving them on all our friends pc's, all pc's in internet cafes, and email to everyone we know.

    Let us slowly fill every pc in the land with DANGEROUS NASTY ENCRYPTED FILES.

    Just a thought.

  80. James Shields
    Flame

    24 Show Lovers

    I love how there's always some ignorant git who cites the ticking bomb problem as a reason to throw out any and all of the Rules of Law that separate us from barbarism.

  81. Joe K
    Stop

    Christ almighty

    You could have labelled this NSFW!

    Those horrific descriptions alone have no doubt got me targeted on my work's firewall, as well as the government's most probably.

  82. Jim Lewis
    Unhappy

    convicted, then what

    on a related note, even when paedophiles have been successfully identified and brought to book, we still don't have a coherent plan for what to do with them long term.

    The issue is so emotive that no one seems to engage with it properly.

    I have heard of several occasions when paedophiles, unable to control their impulses, have begged the authorities to take them into custody, but are refused as the system is designed to deal only with people who have committed a crime.

    I'm pretty sure that the sex offenders register is counter to the human rights charter, but it's ok as these are sex offenders, (see wrongful murder of suspected kiddie fiddlers in cases of mistaken identity ad infinitum in register passim).

    As far as I'm concerned this is a mental health issue, and mental health care provision is something we don't seem to do very well in the UK.

    Demonising and criminalising some of the most damaged people in society and eroding our own civil liberties to do it is just plain bizarre.

  83. Anonymous Coward
    Anonymous Coward

    @ Jason Hall

    I'm a big ugly hairy man. I'm going to take a photo of myself in a provocative pose dressed in lady's underwear and store it on my computer as an encrypted file. Then if anyone ever demands passwords I'll grudgingly give them the one to that file and say I'd rather they didn't see the other ones. If the photo is embarrassing and revolting enough it might just work.

  84. Sean M

    Why he wouldn't give them the password even if there is no child porn there

    A reason why he would not give them the password, even if there is no child porn in the encrypted files, is because there might be something else in there that could incriminate him of a different crime.

    To take an example (to choose a popular one), there are copyrighted films or songs there.

    Now this may cost him a huge fine (and maybe a prison sentence?) Whereas if he ran the "can't incriminate myself" defense through the courts and won, he gets away with it.

    And yes, that would mean he is innocent of the crime they accused him of (having encrypted child porn), but has incriminated himself as guilty of another crime they didn't know he had done. Hence the constitutional protection.

    Perhaps you say that he is still guilty, so who cares? Take another example then. He has files in there that suggest he is guilty of tax evasion. He knows that he is innocent, he is certain that he can prove he is innocent, but also knows that it would probably take some time in jail (or a big bail bond) and a huge legal fight to do so. It is therefore better in his case to run the "can't incriminate myself" defense, even though there is no child porn there and he is innocent of everything else.

  85. A J Stiles
    Unhappy

    Obvious agenda

    It's obvious what the agenda is.

    Accuse someone of a Really Nasty, Emotionally-Charged Crime (the sort which makes people forget they are human). Whip up the public into a hate frenzy until World+Cat are demanding that he hand over encryption keys. Create legally-binding precedent. Wait awhile. Use legally-binding precedent That You Prepared Earlier in future cases; probably less emotionally-charged, maybe even where public sympathy would otherwise lie with accused. (Minor copyright violation, anyone?)

    This is almost certainly why they tested out the UK RIP act (which quite probably breaches the Human Rights Act) with a case against an animal liberationist who was unlikely to garner public sympathy.

    Anyway, however distasteful you may find the subject matter, and however deeply ingrained your mediaeval superstitions, *merely looking at pictures* should never be illegal in and of itself; and that goes double if measures were taken to prevent other people from seeing them by accident. The alternative is Thoughtcrime and a police state.

    If the defendant actually abused a child, then by all means punish him for that. But looking at pictures IS NOT THE SAME THING as actually abusing a child -- or are we going to start fining people for speeding if they look at pictures of sports cars?

    You may as well consider the "evidence" to be destroyed, and proceed along those lines (there must be past cases where evidence has been destroyed, and any remains are either utterly unidentifiable or indistinguishable from something innocuous). Even if the authorities *can* break PGP, it would be suicide to admit to the fact.

  86. Dave

    Strange...

    I encrypt all my personal data and name them with child pornography names. Wonder if this guy did too?

    (In all seriousness, though, I DO rename private stuff, (like banking details) with irrelevant names)

  87. Rick Slade
    Thumb Up

    Matt has the Idea

    He only has a partial list:

    a) Drunk Driver

    b) Drug Dealer

    c) Child Pornographer

    d) Terrorist

    e) Rowdy Teenagers

    f) Religious cults

    g) Calm teenagers

    h) Baptists

    i) Those pesky Libertarians

    j) Mal-contents

    k) The political opposition

    l) That weird guy down the street

    m) Catholics

    .....

  88. Mark

    @Anraí MacCoilín

    If I've told you once, I've told you a million times...

    :-)

  89. Claus P. Nielsen
    Black Helicopters

    Re: Plan

    I've had a similar idea for a while now.

    I would like to expand on the plan a little though.

    1: make a small piece of SW, that generates random garbage files (of user specified sizes)

    2: Distribute this SW to anyone interested.

    3: Routinely fill unused areas of your Harddrive with files generated using this SW.

    4: Hide any (encrypted) files you have among these (you could have a whole series of files named myfile1, myfile2, etc. and then let the actual file be number 11 in all cases so you can find it again easily).

    5: Transmit these nonsense files to other users who you also send encrypted files to (or to people you don't send encrypted files to - you can always add a note saying that the file is garbage - even if it is actually not).

    This would enable you to always claim that any encrypted file found on your harddisk is just a garbage file "See - I have a program that generates such files".

    It would also mean that anybody trying to break encryption on your mail would have the added problem of determining whether the message was indeed a message or simply garbage.

    Potentially this could bring Internet snooping operations to a halt if enough people started doing it. Breaking the encryption on total garbage takes infinity time and resources :-)

    I don't know whether this would make the world a better place though. There is probably a way around this method too.

  90. Franklin

    It's been interesting...

    ...to see how this has played out in the media.

    The first media report I read about this case, about two or three weeks ago, claimed that the border patrol agent had seen the unencrypted files, and that some of the files were of cartoon characters who appeared to be under age. (This brings a lot of questions to my mind: How old does a cartoon need to be in order to be of legal age? Does the law protect cartoons? Do you need to see a cartoon driver's license before you can show a cartoon having sex?)

    Then, as time has gone on, the stories I've read have changed in character. The customs agent didn't see the pictures; he only saw the file names. The pictures weren't cartoons; they were actual pictures of real child porn. (There's a contradiction here: if the customs agent only saw file names, how does he know they were real pictures of actual child abuse?) The files weren't encrypted at first; they were stored in an encrypted disk image that was available at the time the computer was first inspected but are not available now. No, no, wait, they were always encrypted.

    This makes me extremely suspicious and skeptical of the customs agent's claims.

    On top of that, seems to me that the real meat and potatoes of police work is in, you know, finding evidence of a crime. If the police need the suspect's active cooperation in order to build a case, sounds to me like the police aren't, y'know, doing their jobs.

  91. Marco

    Re: A cynical thought...

    >>> I have to wonder whether this case is being pushed by the US Government because what they *really* want to do is to ensure that *everyone* can be forced to reveal encryption passwords etc, but they're doing it by picking the "soft target" of child porn on the grounds that most people do not apply logical thought where children are concerned.

    Mr. Marsden, your thought is much less cynical than realistic. In the world out there are a lot of people whose basic, if not only, reaction to this is: You have to get those bastards.

    Do they consider the further implications? Bah, you'd have to start by telling them what "implication" means. Even here, at El Reg, which appears to be read and commented on by people who are quite intelligent and literate when it comes to computers, you encounter the same shortsightedness.

  92. Mahou Saru

    Terrorist won't follow the law

    Let's drop the whole FUD with terrorist scenarios. A terrorist won't be handing over their encryption keys no matter how many of our rights have been violated. I am guessing that a law enforcement agency would most probably be using the rubber hose cryptanalysis technique than wave a warrant at the suspect to hand over their keys if they were trying to prevent an explosive device from killing people. I guess I might have watched too much 24, but Guantanamo Bay tells me different.

  93. Damian Gabriel Moran
    Coat

    @ Rick Slade

    hang on there, I am that weird guy down the street!

  94. Mike Silver badge

    Full Jails

    Actually, given the extreme overcrowding in many states (e.g. The Guvernator's CA), it is possibly true that the jails are full (100% capacity) with innocents, and the other 200% of capacity occupants are guilty. :-)

    I suppose we could consider reducing sentences for possession of crack cocaine, or relocate some of the paedos to the (nearly empty) cells reserved for option-backdaters, but I doubt that will happen.

  95. Tim Coughlin

    @Paul Banacks & @Heystoopid

    Paul, I think you're missing the massive differences between the rights that you agree, in writing, to relinquish to obtain a driver's license and the right (by US standards) to remain silent and not incriminate yourself. Heystoopid, good thought about the grand jury. I'm not sure how refusing to hand over evidence would work out in that case, but I wouldn't like to find out...

  96. Bounty

    everything is a compromise in anarchy

    I have a key. Your wife has been recently chained to the bottom of the pool. (combo or key lock, either will do) I will not give you my key. Would you take the key from me... physically assaulting me... STEALING MY KEY!... how dare you. Maybe there is a guy on the other side of the pool maybe with a key as well. Personally, I would start compelling people with all my power to come up with keys. "Rights" be damned. Also, I (as the pool boy) wouldn't want to cough up a key that wasn't related.

    I think maybe if they have enough evidence to convict this guy, they should be able to tack on 2 more years for the encrypted file. If they don't have enough to get the guy as is, then they screwed up, and or he is fully innocent and should walk.

    Also, the planting evidence argument shouldn't work as I could plant a dead body in your basement... doesn't mean we should let everyone with a dead body in their basement go, cuz it could be planted. You still have to convince a jury, beyond reasonable doubt or something. (reasonable being the important part, if the guy has kiddie porn + encrypted file, I'd say it's reasonable that the file is the really bad stuff)

    I am open to suggestions, and willing to hear other arguments though.

  97. Anonymous Coward
    Anonymous Coward

    @Matt Davey

    Truecrypt has practically flawless plausible deniability, and there is no way to tell under most circumstances whether (a) a file is even encrypted by TC, or (b) an encrypted volume also contains a hidden volume. See here:

    http://www.truecrypt.org/docs/?s=hidden-volume

  98. Martin Usher

    How do you know the file is encrypted?

    I would have thought that the police were only guessing that the random data that they see on the computer is an encrypted file containing something incriminating. Unless the suspect was stupid enough to tell them that this is the case, that is.

    The safe argument doesn't work. A safe is a secure container for holding things so its mere physical existence is proof that there are things that might be held in it. Random data is just that. Noise. It could be anything. It's only assumed to be child porn in this case because the person they're bothering for the key has been defined as someone they suspect of possessing child porn -- a self-fulfilling prophecy.

    The argument that "terrorists could hide their activities" doesn't work either. Terrorists already hide their activities, if they didn't they wouldn't be terrorists, they'd be prisoners.

  99. Anonymous Coward
    Anonymous Coward

    It's not a showdown you damn fools.

    The whole point to the 5th amendment was to make things clear so fools couldn't come along later and try to "think" about it as if they have something important to say. Yes, preserving rights has cons as well as pros, as always there is a balance that we can't selectively ignore when it suits us because that wouldn't be just.

    Those enabling child pron should be locked away but we can't ignore the basic foundation in order to get there.

  100. Anonymous Coward
    Anonymous Coward

    A title is required.

    but are we being lied to here.

    We were first told that the guard saw file names and witnessed the CP

    However we have now also heard that the guard saw cartoon pronz

    I think we should call bulls--t until we have more information.

    Was it really CP or was it drawings?

    Were there really encrypted files or are the police trying to save themselves from a big hole?

    What's the real story? What evidence do they really have? Can we have some investigation please.

  101. Matt

    Two Factor Authentication

    >While cracking PGP would seem a pretty tall order, surely using a password cracker to throw random passwords at it would stand a fair chance of success, given that most non-techie people don't really get the need for complex passwords

    My guess is a lot of people in these nefarious circles do understand strong passwords -- and even if they have a weak one, many are smart enough to use two-factor authentication. You probably don't want the 2nd factor to be your fingerprints which you can be forced to provide :D

    Yeah, you can rainbow table at the password.

    So you use passphrase like, "Whn in th Cours of human vnts it bcoms ncssary for on popl to dissolv th political bands which hav connctd thm with anothr and to assum among th powrs of th arth, th sparat and qual station to which th Laws of Natur and of Natur's God ntitl thm, a dcnt rspct to th opinions of mankind rquirs that thy should dclar th causs which impl thm to th sparation."

    Very common phrase, not that tough to memorize, readily available in most libraries or having a book with that phrase in your house isn't attention getting in case you forget it. And deleting the "e"s just make it that much tougher for a rainbow table to be generated since plain words alone aren't enough. That would take one heck of a rainbow table to match.

    But that's absolutely useless without knowing the keyfile.

    So I open up my favorite ASCII editor and from memory, or just a common history book in my house or any library, type out:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. "

    And now let's reverse a couple lines...

    "but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue,"

    And let's use search-and-replace to get rid of "u" and replace "a" with "xyz734" and finally just sequentially change the 4 in a repeating pattern that's easy to memorize but means simple substitutions alone are not sufficient:

    "bt pon probxyx734ble cxyx735se, spported by oxyx736th or xyx737ffirmxyx738tion, xyx739nd pxyx734rticlxyx734rly describing the plxyx733ce to be sexyx732rched, xyx731nd the persons or things to be seized. The right of the people to be secre in their persons, hoses, pxyx734pers, xyx735nd effects, xyx736gxyx737inst nrexyx738sonxyx739ble sexyx734rches xyx733nd seizres, shxyx732ll not be violxyx731ted, xyx734nd no wxyx735rrxyx736nts shxyx737ll isse"

    Save it, open the encrypted partition using my password and the keyfile. Then use a shredder program to erase the keyfile -- after all, I know the three simple steps to recreate it in the future.

    Oh, and you might even give them plausible deniability and a low-value "win" -- an encrypted partition within an encrypted partition that can not be proven to exist by the standards of a court of law. So you put the child porn you only obtained off the internet in the outer partition, "Blimey, you got me, I give up! Give me my 2 years in jail and 10 years of probation!" Of course the pictures you produced yourself are hidden in the inner encrypted partition you don't tell them about.

    Will this save you from active police or intelligence surveillance? Nope. Keyloggers, hidden cameras, etc could all provide the clues they need to figure out what you're doing.

    But it will pretty darn well frustrate them if they didn't do the surveillance and are instead relying on you being intimidated into self-incrimination.

  102. Morely Dotes

    The problem is...

    ...That neither PGP nor GPG has a built-in "wipe the data" command which can be triggered by entering a specific passphrase which is different from the decryption key.

    "Oh, you wanted the decryption key? You should have said! I thought you wanted to deprive me of the files, so I gave you the *other* passphrase!"

  103. Demian Phillips
    Black Helicopters

    double encryption is illegal?

    I guess I will have to turn myself in for my 2x ROT13 scheme. All the rest of you should as well; I can see this whole site is full of postings using it.

  104. I.M.Fantom
    Jobs Horns

    Use TrueCrypt instead of PGP

    In TrueCrypt everything is encrypted including directories and directory entries.

    What it lacks and is needed is a 2nd password that would trigger an "autodestruct" of the data. That way, "give me the password" would result in the destruction of the data that is encrypted.

    Or perhaps an "autounecrypt" of data to all "aaaaaaaaaaaaaa" or random characters with a CRC Error found message.

  105. Jim Noeth

    How do they know the files were encrypted

    How do they know that the files are actually encrypted and not just an unencrypted file containing random data (such as some kind of test samples)? In that case there is no decryption key, so now the guy goes to jail for not providing something that doesn't exist.

  106. Anonymous Coward
    Paris Hilton

    "If you've got nothing to hide..."

    is a really weak argument.

    I think that you could be carrying a concealed weapon. If you've got nothing to hide... you should cease wearing clothing from now on just to be on the safe side.

    I think you keep your doors and windows locked when you go to work because you're secretly making bombs for <insert terrorist group here> and you're trying to stop everyone from finding out. If you've got nothing to hide... make sure you leave all of your doors and windows unlocked and open at all times from now on.

    I think you may have the details of a terrorist plot concealed in your credit card details. If you've got nothing to hide... then post them immediately so that the rest of us can be sure that you're not hiding something.

    I think that you may have secret messages detailing potential terrorist targets in film you're putting together. If you've got nothing to hide... then post everything you've shot so far for Bond22/Harry-Potter-6/Indiana-Jones-4 to YouTube.

    I think you've got links to kiddie-porn in the source code for your yet-to-be-released program. If you've got nothing to hide.. then post all of the source code for the current build of the next GTA/Halo/whatever to usenet.

    If you think that "if you've got nothing to hide" is a valid argument for compelling people to surrender passwords... the first thing you should try to hide is that you don't really have a brain.

    //Paris: Because she shouldn't hide anything. :)

  107. Anonymous Coward
    Anonymous Coward

    Encrypted Message Number 2

    You've downloaded & read my previous message.

    It's in Code

    It's on "your" hard drive

    Now give me the password!

    Can't? 2 years in the slammer for you then.

  108. Michael

    Yay for Miranda Rights!!

    "You have the right to remain silent..."

    It's not so much an issue of rooting for the bad guy, it's an issue of determining if "the guy" is good, bad, or neither.

  109. mario

    and so it goes ...

    So child porn and terrorism are the hammer and chisel used to streamline the constitution for smooth executive outcomes these days ...

    Hm, where again did all this happen before?

    Maybe I check out my grandfather's chest in the attic for his old brown "been there, done that" T-Shirt.

    Word of warning from Germany, this is ...

  110. Frank Thomas
    Boffin

    @tfewster

    You're forgetting several of the pillars of American law. The first is "Innocent until proven guilty", and to support that, we have concepts like the 5th amendment rights, and most importantly burden of proof. The prosecution is tasked with proving the guilt of the defendant. If the defendant were to hold the burden of proof, then it would be guilty until proven innocent.

    The cost of freedom is that you have to occasionally let bad stuff happen, because in order to prevent it, you give away your freedom. To be free you have to take a black-eye every once in a while.

  111. Anonymous Coward
    Pirate

    Cunning plan

    Heh, I can see the RIP being used to great effect by disgruntled spouses wanting to get a bit of revenge on their partner. Just "cat /dev/urandom > /home/gay_child_dog_porn.encrypted_mpeg" and shop em to the cops for an immediate two year prison sentence for not being able to provide a valid decryption key... And you'd get a neat divorce settlement out of it I'd imagine. And best of all it's risk free as you didn't have to go searching the net to find some real CP to plant unencrypted (or a dead hobo to hide in their basement). In fact this really is a convenient way to stitch up anyone - be it a rival for promotion/election, the guy who pulled that girl from accounts you fancy, your boss you can get em out of the way risk free in just a couple of mins alone with their computer... Awesome.

  112. Joe M

    @Rafael and the Steves

    Bravo Rafael! You made my morning.

    Double bravo to Steve and Steve Browne. Lucky we always have guys like you in the crowd.

  113. Edward Lilley
    Stop

    On a slightly similar note...

    I don't know about anyone else, but I am moderately annoyed that criminals (or at least certain types thereof) do not have the right to vote.

    Hang on a minute: surely if thieves make up the majority of the population, and they want to vote to make theft legal, what is wrong with that? Democracy is what the majority of the people want (or maybe a slight compromise), and the whole point is that laws are brought about by popular demand, whatever their supposed 'morals' are.

    Also, I agree that this case has an eeeevil hidden agenda

  114. J
    Paris Hilton

    First...

    First they came for the paedophiles but I...

    Then they came for the terrorists but I...

    Then they came for Paris Hilton, and the whole IT world started a riot.

    PH because she is a child at heart, I mean, mind.

  115. Rick Eastwood
    Stop

    What the F%%^ is A J Stiles on ?

    How can that guy in all seriousness suggest that looking at child porn shouldn't be illegal? It should be totally illegal and rightly these people are dealt with by the law. I'm not getting into the rights and wrongs of the encryption debate or whether looking at images makes you want to commit the act itself but come on. That's just mental to suggest that anyone should be allowed to look at CP images. The kids are being abused and put onto the internet for god's sake. A J Stiles, how would you feel if your kid was one of those unfortunate kids ?

    Get real cos if you think it shouldn't be illegal to look at CP images you're seriously warped.

    "RANT OVER"

    Can I go back to thinking of happy things now please ?

  116. Edward Lilley

    Except

    "Get real cos if you think it shouldn't be illegal to look at CP images you're seriously warped."

    The person looking at the images is not necessarily the person who abused the child in the first place, and he might not be the person who distributed the images either. Sure, the producers (abusers) and the distributors should be prosecuted, but the government has no right to stop people looking at images that they have already in their own possession (whether they had to break the law to obtain those pictures is another matter).

  117. Ed Gould
    Gates Horns

    What if.....

    What if someone came up with an absolutely foolproof cryptographic program (for the sake of naming it, call it quantum crypto).

    Somehow this program was linked directly with your brain. The program would ask your brain what the key was and zip the file(s) would be unencrypted. Using some of the people's postings here the government could ask and would have to give access to your brain to decrypt the file. That is about as basic government infringement can get, access to your brain. So, if I am understanding some of the points is that of course if you don't give the key to the government you have every right to commit suicide.

    Torture is always an option and I would not go near any water boards for the next 100 years. If you were over on the other side of the pond couldn't you just claim a stroke?

  118. A J Stiles

    @ Rick Eastwood

    There is a world of difference between looking at pictures and abusing children.

    If your kid is abused, that's bad. But if your kid has ALREADY been abused and someone else LOOKS AT A PICTURE of your kid being abused, it doesn't make things any worse. (That's the "mediaeval superstition" to which I was referring. A photograph cannot, in practice, convey information to the subject depicted, irrespective of what you believe.)

  119. Anonymous Coward
    Boffin

    Supply and demand

    If there weren't any people PAYING to look at CP pictures, there would be far fewer CP pictures being taken in the first place.

    There are schemes to hide a picture within a picture (using steganography) and then encrypting the result. You have 2 passwords, one of which reveals the "innocent" picture, the other reveals the "real" picture. The trouble with the scheme is that any half-wit cryptoexpert will spot it a mile off (the picture file would be bigger than it needed to be for instance). The same is true for TrueCrypt based schemes. There are also various schemes for spotting encrypted files (for instance encrypted files are virtually incompressible)
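
The incompressibility test mentioned in the comment above, set against the objection in comments 98 and 105 that random data looks the same, as an added example that is not part of any commenter's post. The sample data is constructed, the SHA-256 counter keystream is a stand-in for a real cipher's output, and the thresholds are illustrative assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter

# Constructed sample: 64 KiB of repetitive English text.
PLAINTEXT = (b"Bank statement 2007-12: balance carried forward, "
             b"no unusual activity. " * 1000)[:65536]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib-compressed size divided by original size."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode. Assumption: stands in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed ciphertext: the text above XORed with a keyed stream.
CIPHERTEXT = xor(PLAINTEXT, keystream(b"constructed-demo-key", len(PLAINTEXT)))

# Constructed noise: bytes with no key and no plaintext behind them.
_rng = random.Random(2008)
NOISE = bytes(_rng.getrandbits(8) for _ in range(len(PLAINTEXT)))


def classify(data: bytes, min_entropy: float = 7.9,
             min_ratio: float = 0.99) -> str:
    """Label a buffer by the two measurements only."""
    if shannon_entropy(data) >= min_entropy and compression_ratio(data) >= min_ratio:
        return "high-entropy"
    return "structured"


def report() -> dict:
    """Entropy, compression ratio and label for each constructed sample."""
    samples = {"plaintext": PLAINTEXT, "ciphertext": CIPHERTEXT, "noise": NOISE}
    return {name: (round(shannon_entropy(d), 3),
                   round(compression_ratio(d), 3),
                   classify(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:<11} entropy={row[0]:<6} ratio={row[1]:<6} {row[2]}")
```

Both the ciphertext and the keyless noise come out as "high-entropy", so the measurement flags data that does not compress but cannot say whether a key exists for it. Well-compressed files score the same way.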

  120. Joe

    "double encryption is illegal?"

    "I guess I will have to turn myself in for my 2x ROT13 scheme. All the rest of you should as well I can see this whole site is full of postings using it."

    Don't you realise that double ROT-13 is simple to crack with today's powerful CPUs?

    I use 16xROT13 as a minimum, and I have plans to move to 256x or even 1024x as my needs for privacy grow.
