Referring to this story of a teenager in the UK who has been sentenced for refusing to give police the password to his computer.
Keeping discussion aside from the nature of the investigation or the rights and wrongs of what he did, would he have received a similar sentence in the USA?
I am aware that in the USA you have an amendment to the constitution which states that no person shall be forced to be a witness against themselves. Does this therefore mean that a person suspected of holding criminal information on their computer can’t be forced by law to give the password to access the information?
I am a lawyer, but this isn’t my specialty per se, but I’d be hard-pressed not to find that a violation of the Fifth Amendment by the police. The defendant is being required to supply evidence against themselves. Any evidence obtained from that search would be inadmissible.
Incidentally, from speaking once or twice with a police officer involved in computer crimes/child porn, there’s not too many people out there that can create a password that couldn’t be cracked by the police’s own computers. In that case, provided they had the proper warrant to search the defendant’s files, any evidence they got would be likely admissible.
Those with more knowledge/ready access to cites will be along shortly, but I’m pretty sure I’m generally correct.
On edit, you asked a slightly different question than I thought. If that person was not a target of a criminal investigation himself and there was nothing on his computer that could incriminate HIM, he might be compelled to give up his password. For example, the computer owner’s friend was using the computer for some malfeasance. Then I don’t think the 5th would apply in this case. Maybe. Hedging my bets a bit here.
I always thought that if you were going to keep dodgy stuff on your computer, that you should always have a program loaded that would essentially slag the data so it could not be retrieved … so if it looked like you were going to get caught you could simply slag it.
I would imagine in most cases that you wouldn’t get chance to destroy the data once the police had taken an interest. It would be more along the lines of ‘kick the door in, arrest the guy and seize his computer’.
There are plenty of programs that provide very heavy full disk encryption of the HDD, usually used by businesses to prevent theft of data. It would seem quite trivial for a child pornographer to protect their deeds in this way and avoid prosecution (by this evidence at least).
The police could break into his house, and install a keylogger (a physical device in the keyboard or computer) to get the password. I don’t know if that’s common in ordinary criminal cases though.
I believe on appeal the US government successfully argued that since the password itself wasn’t incriminating, and the laptop itself has no constitutional rights, the defendant could be forced to give up the password. It is like the curious argument that the police can seize your property (say your money or your car) and then require you to prove that no crime was committed in order to get your property back. Since money doesn’t have any constitutional rights, the government sets whatever laws they want. That one has been upheld by the US Supreme Court.
IANAL, but Wikipedia tells me that the government won on appeal because Mr. Boucher’s “initial cooperation in showing some of the content of his computer to border agents, producing the complete contents would not constitute self-incrimination.”
So the lesson here to me, is DON’T COOPERATE WITH THE COPS, EVER.
Can we take the technology angle out of the picture and ask an analogous question? I am suspected of a crime. The police have a search warrant. I have a locked safe in the basement. The police wonder if there might be evidence in it. Can they compel me to give them the combination? Or is that a violation of 5A?
Damn… that’s a fair question. Bricker would be able to answer this more definitively, but I could make the argument that being compelled to give up the combination is a 5th Amendment violation. You are being forced by government actors to incriminate yourself, or to provide the pathway to incriminate yourself. I gotta think a court would not look too kindly on that, even if the search warrant specifies the contents of the safe. Furthermore, if you were being held in custody, they are more or less forcing you to give up your right to remain silent.
From the other side, I could see an argument that giving up the combination itself is not inherently incriminating. (EDIT: There was a case where a police officer asked for the suspect’s name on a traffic stop and a 5th Amendment argument was brought up in court. I believe the court ruled that a name by itself isn’t incriminating in most circumstances. I could see the state trying that line of reasoning with a safe combination. I don’t know how well that argument would fly here, especially if the search warrant specifies the safe’s contents.)
Again, smarter and more experienced attorneys than I should be able to explain it better.
I would love to hear input on the likely outcome of forgetting the pass phrase (or safe combination). There are encrypted files on my computer that I rarely access (which don’t contain anything illegal FTR) which it may take me a couple tries to get the pass phrase right. It is hardly an impossibility that someone might forget, and the court can’t prove that you didn’t forget. So what can they do in this case?
I think the takeaway from Boucher is that the government can compel you to open the safe, but cannot use against you the fact that you knew how to open the safe.
If they don’t believe you, you’re going to have a looooong time, and a strong motivation, to try and remember it. If you really forgot it: sucks to be you.
There’s very few encryption programs out there that can’t be cracked with the proper know-how and motivation. Most major police departments have a computer crimes department that specializes in this sort of thing. Smaller police departments can send the hard-drive to their state police to crack and there is always the FBI. I don’t think it much matters if you remember the password or not. They’ll get in.
If one uses a solid encryption program, like PGP, with appropriately long and stronger passwords, there is no known method of electronically breaking the encryption.
Naturally, it remains vulnerable to rubber-hose cryptanalysis.
Are those programs in common use (or available) to laypeople? I honestly was under the impression (based on a conversation with an admittedly extremely boastful Delaware State Police official) that 99% of the encryption he ran across could be cracked without much difficulty.
Yes, there are plenty of great encryption tools available which are generally believed by security experts to be uncrackable even with the best tools, hardware and expertise money can buy. Bricker already mentioned GPG. TrueCrypt is another highly-regarded tool. The full-disk encryption facility of Linux also falls into this category.
Usually, the weak point is the password. You can use the world’s best encryption algorithms, but if your password is just 7 characters long, or can be found in a dictionary, then it’s only a matter of time to crack it.
And of course, as has already been mentioned, there are other options such as keyboard loggers, and there is “rubber hose cryptanalysis” and its slightly more civilized brother: jailing the suspect until he volunteers the password. But yes, when it comes to the strength of the encryption algorithm itself, ordinary consumers have access to tech which rivals anything available to the military.
These things are not mutually exclusive. Computer security is a “weakest link in the chain” deal. There is lots of freely available encryption software (e.g., TrueCrypt or any of the other software listed here), but that doesn’t mean it’ll be used properly.