Suppose that I’m a criminal.
Police bust me and seize my computer.
But not being dumb, I have encrypt my files
with a good encryption program (PGP).
Could they do anything to force me to
reveal my password?
I don’t think so. Torture is illegal.
I guess they could plea-bargain for the password, or threaten you with a more serious charge, but that’s not really forcing you.
Generally not regarded as a violation of the Fifth Amendment. Several such orders in low courts. Not tested yet all the way to the Supreme Court. It’s like asking for the keys to your safety deposit box (or personal safe with anti-tampering explosive device) etc.
If you ever get in this situation, do not say “I forgot the password.” Ensures a lot of jail time for contempt of court.
There’s some legal discussion about this between Randy and Avi in Stephenson’s “Crytonomicon”. (Hey, if you skip the appendix it’s a mere 910 pages long.) While a novel, Stephenson can be relied upon to research such facts thoroughly.
FtG
Personal Trivia: 1 week after RSA encryption was invented (the basis for PGP), I was in the back seat of a car with 2/3 of RSA!
I think all they can do it get you for contempt of court and hold you till you give them what they want. In some ways tourcher seems better.
Isn’t the burden of proof on the cops to show that you have something illegal in those encrypted files before demanding the passphrase?
–Nut
Nope, just a reasonable articulable suspicion that evidence pertaining to the crime in question is contained within the files on the drive. That’s enough to get a warrant to sieze the computer. A court order compelling the defendant to disclose the password might then be issued if the prosecuting authority asks the judge for it, assuming a warrant has already been asked and granted. The defendant is obligated to produce any evidence requested by warrant. It might be assumed by the court that the password is part of the computer for this purpose. IANAL, but a former cop, so I’m not up on recent case law relating to anything this specific.
Evidence is collected because it might shed some light on the guilt of the defendant. There is no burden to prove that evidence is damning before requesting a warrant to sieze it, only that it has some bearing on the investigation.
Slightly OT but apropos to the discussion is the recent case where the FBI used a keyboard monitor on a reputed mob member’s computer to obtain his PGP passphrase.
http://www.help.com/cgi-perl/question/2/285/293/294?sidx=2102760
In this case, the FBI had a search warrant to enter the premises but they did not have a wire-tap warrant to authorize surrveillance. They claim this is sufficient because the keyboard monitor recorded keystrokes but did not transmit them to the agents in real time. They used another warrant to re-enter and retrieve the recording device.
AFAIK, the legality of this is still being debated, but the important point is that law enforcement in general and the FBI in particular is getting more savvy about encryption. With tools like keyboard monitors and Carnivore to monitor network use, having to ask the target of an investigation for the decrypt key may be a thing of the past.
This is where steganographic file systems come in. With one of these, you can give them a password, which will reveal something unimportant that you’ve encripted, porn perhaps. Your real info is still hidden there, under another password, but they can’t tell that.
Or in many cases you could just use ordinary steganography. Be careful which program you use, because in some cases a good analyst can tell that there is something hidden, but not what. But they probably wouldn’t analyze all your pictures and music unless they knew you were hiding something.
or better yet, don’t do any illegal activities. 
Steganography works great for files that you transmit or store on other servers, but the OP is asking about a case where the authorities seize your workstation. In that case, your steganography program will be installed, so they’ll know exactly what you use and will be able to analyze your files accordingly. It would still come down to a “give us your password” issue.
The only alternative would be to uninstall your steg program every time you stood up and reinstall every time you needed it. That works for certain archive materials, but not day-to-day use.
In this case, steganography might give you a moment of plausible deniability, but it wouldn’t stand up to analysis.
Crypto is not just for criminals. I don’t do anything illegal, and I encrypt quite a bit of stuff. Mostly it’s business-related material because I telecommute and transfer lots of proprietary and confidential material over the Internet. Your sentiment is a variation on the old “if you don’t do anything wrong, you have nothing to worry about” which is frequently used to justify erosion of personal rights and privacy.
The “right” answer in my opinion is to encrypt everything of any importance and be perfectly willing to provide duly authorized law enforcement officials with the passwords.
This is an encrypted file system that lets you set any number of files that are encrypted. Supposedly there is no way to tell how many so you can give some of the passwords out for it but they have no way of knowing if you have given all of them. I have not tried it and it really looks like it is a pain in the ass to use. Keeping track of what stuff goes in what file system and making sure that you have enough reasonable stuff in the file systems that you are willing to give up so that it looks like you have told every thing looks like it would be really hard to do consitantly.
Also England has a specific law stating that you have to give the passwords to the police. As has been pointed out in the US you can be held in contempt of court for not giving out passwords.
Also you need to encrypt certain communications to keep them out of the hands of criminals. When you purchase something online most websites take you financial information in an encrypted webpage.
People should be able to encrypt all communications between individuals. Those communications are nobodies business but the people communicating. If law enforcement decides that it needs access to them it should get a warrant.
I wish I could find my link … I read an open letter on the 'net to the M.P. who proposed this law from someone in the U.K. who was protesting it. He threatened in the letter to send him an encrypted file, and anonymously notify Scotland Yard that the M.P. had information on his computer incriminating him in a felony. Just try to prove you don’t have the key, he said. I wonder if the guy ever followed through on his threat?