Hacker News new | comments | ask | show | jobs | submit login
Indefinite prison for suspect who won’t decrypt hard drives, US government says (arstechnica.co.uk)
266 points by LukeB_UK on May 17, 2016 | hide | past | web | favorite | 216 comments



The best part of this whole story is the unintended consequence of attack. Don't like someone, encrypt a zip drive with drivel, toss it in his car and call the cops. Say you saw him looking at what could be kiddie porn. The guy doesn't know the password. Life in prison. No excuse.

This applies not merely to Bob in Accounting that's a dick, but to everyone: Congress! Start sniping political enemies. A jump drive here. A hard drive there. Soon, you could have 6 or so Congressional individuals going to jail for a child porn ring. The Feds would think it's a great prisoner dilemma. No one's turning on each other. Again, anonymous tip claiming that the right honorable Representative Duggans was watching kiddie porn late at night in his office. The same tipster told the police that while he was jacking it he thanked Representative O'Connel for the present over the phone (make sure to wait for an actual call so their is evidence).

Sure eventually all of this will die down. Until then, for $100 bucks and a few hours you can sit back, eat some popcorn and watch the system implode. Do it right and you'll get years of fun for everyone.


This would work for your average Joe, but not for Congressmen. Unless somebody more powerful than them want them gone, they will have the resources to just deflect the problem. Honestly, how many politicians have you seen going to jail ? Does it match the global % of population in jail ?


it's almost as though congressmen undergo some kind of selection process which attempts to find responsible, non-criminal members of society


That would be a good hypothesis if politicians wouldn't be constantly being caught lying, cheating and breaking promises, starting wars or saving bankrupt industries with people's money. But since they do that, with little consequences, the theory that they are actually good at getting what they want without paying the cost we would pay for something far smaller seems more likely.


Being a terrible person isn't against the law.


That's a good point :) But they are breaking laws in the process. God, the US government is even breaking the habeas corpus, the most important law of all, and nobody bats an eye.


Think you missed the sarcasm.


sametmax disagreed with the sarcasm.

So do I. There is a selection process. It is not selecting for non-criminality. It isn't selecting for criminality necessarily either, but it certainly is not strongly selecting against, in the sense intended.


Oh they undergo a selection process alright.


leak it to the press. you cannot deflect this type of accusation, at least not easily.


More likely yes. If you manage to get it to the right people, and not get it confiscated, and get it on display, then yes. It's a lot of if, but the odds are definitly better.


That's not what happened here. Read the DOJ's filing.

* The accused admitted to knowing the password and refused to provide it, on the auspices of not wanting investigators snooping through his files. Only later did they claim to have "forgotten" it.

* Prosecutors entered into evidence multiple factual claims establishing that the accused knew the password; for instance: years of eyewitness testimony demonstrating the accused entering the password from memory.

Whenever you get to an alarming conclusion like "this means forgetting the password to your laptop means life in prison", chances are, you've missed relevant details.


I have logs on my site showing many users who enter their passwords from memory regularly only to forget them months later after not using them.

Since the user hasn't been made to recall the password for months, it's plausible that he forgot it. I know I have personally forgotten passwords to accounts after months of disuse.

For instance, I had an old yahoo email account for many years. I didn't use it for about six months before they announced they would start re-purposing accounts that went unused for more than a year. I was unable to remember the password as well as the email account I had associated with that account for password reset. I ended up losing the account.


My point is just this: the notion that you have or haven't forgotten your password is something that gets argued in court, just like everything else.

Tech people have a bad habit of pretending that the uncertainties that our work generates are the first uncertainties the court system has ever dealt with.

But most of criminal law turns in large part --- mens rea --- over a court making decisions about what's in the head of the accused!


That is decided during a trial, and the decision is the outcome of the trial. The 6th amendment says "In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial", the 7th amendment says "the right of trial by jury shall be preserved", and the 5th amendment says "nor be deprived of life, liberty, or property, without due process of law".

I would interpret what is happening as a de-facto trial by judge, not peers, and thus a deprivation of liberty without due process of law, which must include a trial by peers.


The good news is: a judge can't hold you in contempt for relying on your Constitutional rights. So either it's going to be Constitutional for the state to demand encryption to be unlocked, or "indefinite" contempt detentions will be overturned by a superior court.


I have no problem with the state punishing someone for failing to provide something that has been deemed lawful to solicit, but failure to comply should result in another trial of some sort (possibly after a set period, so it's not immediate and abused). Based on the bill of rights, I believe you should not be detained indefinitely without a trial for the charges you are being held for, full stop. That the offense happened during a trial, and a judge was present is irrelevant. Otherwise, the charges you are being detained for have not had a trial by peer. Not to mention, you've now been denied a speedy and public trial. You could try to make a case that you've prevented your own speedy and public trial, but until there's been a conviction on whether you need to comply, I don't see how that reasoning is sustainable.


This is a good point, and someone should appeal this type of punishment without jury trial.


This is a very old legal debate. It can be resolved politically by passing statutes limiting the application of contempt rules, but that seems unlikely to happen soon.


>But most of criminal law turns in large part --- mens rea --- over a court making decisions about what's in the head of the accused!

That doesn't stop all these uncertainties affecting the outcome ("and the prosecution would like to note that the accused didn't provide the password, pretending that he doesn't remember it/know it" can turn jurors against someone, even if its BS).

How many people were accused and convicted with BS technical certainties (but actual scientific uncertainties) like the bogus "hair matching"?


Of course uncertainty affects the outcome. Of course the system makes the wrong decision on occasion. It's a human institution.


Yes, but it has grown a little too inhuman in practice in a country that's 5% of the world's population but has 25% of the world's inmates.

(Plus practices like the death penalty, private prisons, abuse of solitary confinement for long periods, down to contractors overcharging 10x for prison phone calls. One would compare that with the 3rd world, not the modern Western world).

If anything it needs more limitations to prosecution and uncertainties that work in favor of the state, not less.


I agree that sentences in the US are across the board too long but am not sure what that has to do with compelled decryption of hard drives.

The court system didn't make sentences too long. They were dragged there, kicking and screaming, by a polity that overwhelmingly demanded tough-on-crime statutes and tough-on-crime prosecutors, and passed laws to ensure that the courts complied.


Most of criminal law is therefore undecidable and insane, so far as I can see, amounting to little more than a thin coat of gloss over a clumsy, ignorant, violent, and almost entirely unaccountable iron fist.


Mens rea used to be a key part of the law, but most new legislation is now strict liability.


I don't know whether that's true or not (it's certainly a libertarian talking point I'm familiar with), but most criminal statutes are not strict liability.

This argument is besides the point, though. I'm not saying that contempt rules are OK because the underlying crimes require the state to prove mens rea. I'm saying, the court has for centuries been charged with ascertaining truths that are in some sense unknowable, because they depend on determining what someone was thinking. This isn't a new challenge for the court.


> I have logs on my site showing many users who enter their passwords from memory regularly only to forget them months later after not using them.

I just had to reset passwords to gitlab root and root on docker image after other admin went on holiday for 3 weeks and forgot both...


Also, he showed his own family child porn, and they have actually found searches for child porn in a VM on the computer.

>Whenever you get to an alarming conclusion like "this means forgetting the password to your laptop means life in prison", chances are, you've missed relevant details.

Unfortunately responses like the parent comment are predictable on HN. There is the constant narrative that the government is out to get us all. Yet the example given is someone who already has a lot of evidence of child porn, and a frickin police officer no less.


Then he should be sentenced on the other evidence anyway. The failure to provide additional incriminating evidence could be used as an aggravating circumstance in the ruling, not as a separate crime with infinite detainment.

(edit: replaced punishment with detainment, it's probably more neutral)


>Then he should be sentenced on the other evidence anyway

Yes, probably. I'm not really convinced that this isn't a violation of the fifth amendment, but I'm not a lawyer.

I suspect a jury would find him guilty anyway, and the fact that he refuses to decrypt his hard drive will likely not help his chances of convincing a jury that he's innocent.


For the punishment to be infinite, wouldn't the courts at every level up to SCOTUS would have to agree to its reasonableness?

(Subtextually, I'm saying: the punishment isn't infinite.)


Why?

He's in possession of data deemed contraband, but apparently not linked to distribution. The police need to demonstrate possession and can do so when their search is complete.

The police did an investigation, obtained a warrant to search for the contraband and seized the hard drive. The defendant was ordered by the judge to decrypt the drive per the warrant, and refused to follow the order. He's in contempt of court, and he can get out of jail very easily -- by complying with the order.


Should this work in the same way when other "data" is in the possession of the accused? Say, a murder suspect is considered by the judge as knowing the location of the victims body, and by refusing to tell the court, the suspect is detained as being in contempt of court.


The murder suspect has the right to refuse to testify against himself. The interesting part here is that this poor fella doesn't face any charges right now, so he has no such right. This is what makes it possible for the judge to jail him.


Unless, of course, he actually has forgotten the password after 7 months+ of not using it.


Because we have the 5th amendment.

   nor shall be compelled in any criminal case to be a witness against himself
As I understand it, Miranda established that the 5th amendment applies to all interactions with law enforcement, not just answering questions in court. So they can search the hard drive all they want, but the constitution protects us from being required to disclose what's in our heads which, in this case, should include the password.


> As I understand it, Miranda established that the 5th amendment applies to all interactions with law enforcement, not just answering questions in court. So they can search the hard drive all they want, but the constitution protects us from being required to disclose what's in our heads which, in this case, should include the password.

The privilege against self-incrimination applies to any interaction which they introduce into evidence against you in a criminal case, or from which they derive information on which they then gather other evidence that is used against you in a criminal case.

It doesn't actually protect you against the police doing anything, or forcing you to provide information (other Constitutional provisions may, however), it just protects you against certain information being used against you in criminal court.


There's no criminal case right now, so the fifth amendment doesn't apply.


Miranda vs Arizona established that 5th amendment protections apply outside of a criminal case. That's why police have to read the Miranda warning when arresting someone. He's been arrested and read his Miranda rights and is invoking them.


> Miranda vs Arizona established that 5th amendment protections apply outside of a criminal case.

No, Miranda vs. Arizona set standards for how 5th amendment protections apply in a criminal case, and established remedies for violation of those protections in such case.


To be sentenced he would have to be charged, which he still isn't after 7 months...


It's not a punishment. It's being held in contempt of court for refusing to obey a court order. He holds the keys to his own freedom; he has to provide the password.


Detention is punishment for the offense of contempt.


>There is the constant narrative that the government is out to get us all.

And historically, from Jim Crow laws, to J.E. Hoover and McCarthy, and onwards to Snowden, this is wrong, because?


>And historically, from Jim Crow laws, to J.E. Hoover and McCarthy, and onwards to Snowden, this is wrong, because?

Most of the examples you gave are historical. Regarding Snowden: has anything been used against anyone? I'm not condoning the snooping, BTW.

I think when you compare the US government to the likes of Russia and China, you'll see that the US is really not "out to get you". Certainly in this case it's pretty obvious that the govt isn't out to get an innocent person. There is a lot of strong evidence already that he has been collecting child porn. That of course doesn't mean that illegal procedures should be used to obtain more evidence, but we shouldn't get hysterical about it and say that the govt is going to use this to frame innocent people.


>Most of the examples you gave are historical.

Historical doesn't mean "belonging to lore" or "ain't gonna happen again". It precisely means "this things happen". And I don't consider stuff from 40 and 60 and 80 years ago as "deep history", like it's the Roman times or something and now we're totally different. In some cases those that did or suffered those things are still alive. In others, their direct 1st-gen legacy (sons, proteges, people they mentored etc) still rule.

>I think when you compare the US government to the likes of Russia and China, you'll see that the US is really not "out to get you"

Not sure what this means. With 25% of the world's inmates in only 5% of the world's population, I'd say it's very much out to get a heck of a lot of its citizens. And in prison conditions that compared to places like Germany or Sweden are like third world dungeons. The only way not to see this is to conveniently consider all those people are somehow subhumans, or criminals who "deserve it" (then one has to wonder why in the US 10x more of the population "deserve" such a fate compared to those in the German or the French population).

Or maybe let's talk police shootings? One is much more probable to get shot in the US ('walking while black' et al) than most parts of the world, China and Russia don't even compare.

Or are those not part of the government, and those laws and that climate is not fostered by government policies and political demagogy?


> I think when you compare the US government to the likes of Russia and China, you'll see that the US is really not "out to get you".

Have you any evidence that the US Government has changed their modus operandi?

Programs like COINTELPRO weren't public knowledge until some time afterwards, ditto "rendition" of terrorism suspects for overseas torture. Snowden has demonstrated that your Government still engages in widespread illegal activity.

I'd say the only reason such abuse seem "historical" is that we're unaware of the abuses going on right now.


>I'd say the only reason such abuse seem "historical" is that we're unaware of the abuses going on right now.

That's my point. The US government may or may not be mildly abusing it's citizens by spying on them illegally, it's hard to know. Compare to Russia or China where it most certainly is vehemently abusing people it disagrees with.

Also, I think the rendition was only for non-citizens. The US doesn't really give much of a shit about you if you're not a US citizen.



> Whenever you get to an alarming conclusion like "this means forgetting the password to your laptop means life in prison", chances are, you've missed relevant details.

Was OP's comment edited after you replied? I read nothing implying the OP concludes forgetting one's password means life in prison. I read a seemingly tongue-in-cheek, obviously hyperbolic bit of nonsense about using this as a vector for watching the world burn because people couldn't prove otherwise. Sure, OP is stretching for effect, but it doesn't seem OP missed relevant details.


>That's not what happened here.

No, but that's what can happen if providing a password becomes mandatory.


Huh? Providing a password was made mandatory here, and, as I pointed out, the state's case is based on evidence establishing that the accused knows the password and is simply being intransigent. The state was not able to, on a whim, suggest the accused had a password they didn't actually have.


In this case. In the general case, like it happens in the UK already, they can end up just demanding a password.


Or you could just put actual kiddie porn on the planted hard drives and save yourself this entire legal conundrum.


Then you have gotten your hands very much dirtier than necessary. A good attack should not put you at such risk.


Coming up with real fake evidence is a lot harder than just coming up with a random blob that the cops think is evidence the suspect is hiding.

E.g. are you really able to carefully craft a filesystem image that you're sure has no metadata that proves the innocence of the suspect?


Eh, not so hard. Proxy their internet for a browsing session, and you put thumbnails of images in their cache. If they have any encrypted drive, or any encrypted blobs (could push those into their cache as well), and they're not going to have a great day.

Cached images has been enough to put away more than a few folks - there was also recently a story about using exactly that tactic against a suspected spy.


This is really moving the goalpost from the grandparent's comment of "encrypt a zip drive with drivel, toss it in his car and call the cops".

Yes of course you can get an active MiTM session going you can do a lot of shady stuff.


It can easily be used in tandem with the encrypted drive, to create probable cause to suspect the drive.

And MiTM is far too simple to do. One of my friends was able to rickroll many a person with about $100 of gear. It was always troubling to watch my computer connect to my home network while at a conference, with no real notification to me.


This also tends to require that you look at CP in some way. I'll pass on that...


A woman tried that on her ex-husband, got caught, and went to jail. Read the related note here:

http://blogs.harvard.edu/philg/2016/05/14/what-if-youre-in-p...


Why go through the trouble to find kiddie porn when you can just cat /dev/urandom?


But then the detention won't be indefinite.


> Don't like someone, encrypt a zip drive with drivel, toss it in his car and call the cops.

So data has become new drugs ;)


A zip drive with no fingerprints of the person it supposedly belongs to? Not very convincing.

Also in this case the prosecution apparently has a bit more information that just "he did it":

A subsequent forensic exam of his Mac Pro computer revealed that Doe had installed a virtual machine ... the examiner found one image of what appeared to be a 14-year-old child wearing a bathing suit and posed in a sexually suggestive position. There were also log files that indicated that Doe had visited groups titled: “toddler_cp,” “lolicam,” “hussy,” “child models – girls,” “pedomom,” “tor- childporn,” and “pthc,” terms that are commonly used in child exploitation.

... The exam showed that Doe accessed or attempted to access more than 20,000 files with file names consistent with obvious child pornography... and that he used the external hard drives seized by Delaware County detectives to access and store the images.


Wouldn't stop the police from keeping him behind bars. "He went through the trouble of encrypting the drive and keeping it clean from prints, but we found it in his car. He's clearly a well organized, determined child porn consumer."

Perhaps you have too much faith in law enforcement, or I have grown too cynical by what I perceive as the dawn of a new era of police states.


I am no fan of compelled decryption, and believe it is a violation of 5th amendment rights. That being said, I think the government's argument is stronger than usual having proven that he has accessed files regularly in the encrypted drive by showing logs of regular access to content with suspicious filenames.

The police have a fundamentally different argument here than "it happened to be in his possession".


I agree, and looking at the story that is available to us here, the guy in question is very suspect.

However, that does not mean we can or should change the rules (or define new rules) to put him in jail. I'd prefer they use another way to convict this guy. I'm also careful not to condemn a suspect based on what the media reports about him and his case (the court of public opinion is a dangerous thing).

The fifth amendment is one of the few defenses you can call on when facing the incredibly skewed US legal system, and should not be chipped away at, even in a case like this.


>That being said, I think the government's argument is stronger than usual having proven that he has accessed files regularly in the encrypted drive by showing logs of regular access to content with suspicious filenames.

I'm not sure why the case has to stop while the drive remains encrypted then. If they do get the drive decrypted and find nothing (perhaps he held no files and is protesting against forced decryption or they simply have the wrong drive) that will hurt the prosecution.

To me, the judge has basically said you can be locked up indefinitely for accessing suspicious file names. I'm not going to lie though, 20,000 entries would make me pretty fucking suspicious. I think almost all of us would immediately report that to the cops if we saw that in our networks without verifying what's inside.


I agree that the case here is a bit more compelling. You're also correct in the lack of some evidence in the attach scheme.

You can overcome the fingerprints by handing things out for free. Here's a jump drive from some corp. You can also it in a cup holder. The person would touch the jump drive while being a bit perplexed. If you know the person, you can probably get them to hold it for you by simply handing it to them.

Yes, you have to be more involved, but at the same time it's doable.


This is an important constitutional issue! The subject may be deplorable, but the root issue is not.

If it is a "foregone conclusion", then they should have no problem convicting the guy without forcing him to testify against himself. If it is not a "foregone conclusion", then they have been lying and are illegally (unconstitutionally) depriving him of his freedom for months, without even charging him with a crime!


>Investigators say they know child porn is on the drives. His sister saw some of it and the suspect is said to have shown his family an illicit video, too.

So that's their basis for this "foregone conclusion" apparently. That at one point in time it was witnessed.

That is very dangerous logic.

The sadest thing in this is that it took child pornography to make the headlines, not political activism or journalism but the most despicable crime in our modern society.


A witness and some traces of keywords used on the suspect computer. I would not be too surprised if that was enough for a conviction, but the question remains on why the decryption should be necessary if the judge is already convinced beyond doubt that the accused is guilty. Its not like the courts put convicted murderers under contempt orders for failing to say where the body is buried.


"Its not like the courts put convicted murderers under contempt orders for failing to say where the body is buried."

I (can only) presume that this is not something easily comparable to a murder. This is more like catching someone with illicit drugs, where the possessed quantity can be essential to establishing the due penalty.


It's also totally insignificant. He could have broadcast it all over Times Square. That in no way waives his right against self-incrimination under the Fifth Amendment.

Also, every prosecutor in history has thought their entire case in chief was a "foregone conclusion." That's totally irrelevant.


It's baffling to me that people are treating "he will be found guilty" as evidence that he's already guilty and can be punished freely. We've got a code of laws specifically designed to avoid Inquisition-style "accusation of guilt is presumption of guilt" thinking.


In the past in Europe, there existed the concept of "partially guilty." Someone got shot and you were seen in the vicinity of the crime scene with a gun? You're 25% guilty. Then you're tortured (since you're 25% guilty, it's not torture of an innocent, but punishment), and under torture you "confess", making you fully guilty.

Source: Foucault's Discipline and Punish


That's absolutely fascinating, thank you. I need to finally suck it up and go read Discipline and Punish.

As much as I'm not on board with "confession through torture", I wonder if non-boolean guilt could help sort out some of the dumber quirks of our legal system. As is we just have "innocent" and "guilty" (which is either 51% chance of guilt in civil cases, or 'beyond reasonable doubt' in criminal ones).

But we're clearly fumbling around for new values. The Supreme Court decision about retrials (that "probably would have been found innocent at original trial" is not enough to justify a retrial) clearly makes more sense in terms of real-valued guilt - we can then set some actual standard for retrial, which is different from the standard for conviction. Perhaps you get convicted at 90% guilty in criminal cases, but don't get to open a retrial unless your estimate drops to 70% guilty.

Now I'm fascinated. What would real-valued guilt look like in a modern system?


Upvote upvote upvote. This is a non issue. Indefinite detention is unconstitutional I don't care what a judge says. This isn't debatable, very few things are this clear.


Pedophilia is the new red scare


Don't forget terrorism.


Pedophilia is, sadly, far from being just a scare.


Pedophilia is a sexuality. Some people are just that way inclined. Don't confuse child abuse with sexuality the way people used to do about gays. That's extremely harmful to actual pedophiles who may have done nothing wrong. It's not even classified as a disease unless it causes problems for the person afflicted with it.


I wouldn't be so quick to claim they're doing nothing wrong.

Every year, rhinos in Africa are threatened by poachers in Africa who want their horns for the black market in China. Every person who buys rhino horn in Africa, every person who is in a position to fight the unnecessary consumption of endangered animals and doesn't, is complicit in the destruction of their species.

You don't get a pass because you aren't the one who actually killed the rhinos, or abused the children. Those rhinos wouldn't have gotten killed, those children wouldn't have gotten abused, if the demand weren't there. You don't get a pass because you "needed" rhino horn, or because you have a non-standard sexuality.

The only socially-acceptable response to your needs is to not contribute to the exploitation of others.


The person you are replying to wasn't saying that paedophiles who look at child porn aren't doing anything wrong. If he was, your rhino analogy would be a good one, and is the reason nearly everyone agrees that child porn should be illegal even if you are only viewing it. But he was saying that a being attracted to children is in itself not doing anything wrong. Plenty of paedophiles don't look at child porn, do anything to children, or negatively affect children in any way.

The rhino equivilent would be if you wanted to use rhino horn but because you know it would be wrong to, you never do use it. Not only are you not the one shooting the rhino, you're not creating demand for shooting rhinos either.


> Plenty of paedophiles

Citation needed for that "plenty".


https://www.youtube.com/watch?v=radN3-O91FA

The pigeon makes reference to a child gymnast, then there's the comment about hitting on a teen boy. Humans, generally, first learn about physical desire and sexuality in their adolescence (specifically during and following puberty). Sexual attraction for individuals with the characteristics we initially found attractive, never really leave our psyche. This puts most humans in the category of "paedophiles" in the sense that the attraction is there, albeit small. It's such a culturally understood concept that I'm surprised when it has to be explained.


> But he was saying that a being attracted to children is in itself not doing anything wrong.

> The rhino equivilent would be if you wanted to use rhino horn but because you know it would be wrong to, you never do use it.

I would argue that both of these things are wrong, though not as wrong as actually acting on the desires. I don't think there should be any legal consequences for the thoughts in your head, but the social stigma and pressure to change those thoughts is very much needed and is a useful social tool for protecting vulnerable classes.

Let's introduce another analogy. Racism is wrong, if you think racist thoughts, even if you never act on them, then you are contributing to the denigration and subjugation of people of color. The only socially-acceptable response to having racist thoughts is to work to change those thoughts.

Paedophilia may be sexuality, and yes, it was wrong to demonize homosexuality, but unless you're arguing that one day we'll look at paedophilia the same way, then you can't put them in the same boat morally.

Celibacy is an acceptable response to paedophilic sexuality, but a better one is to stop being a paedophile. Sex therapists exist, it is something you can work on. It's worth it to at least try.


>even if you never act on them, then you are contributing to the denigration and subjugation of people of color.

How so? I sometimes think racist (and sexist, and...) thoughts, but I know they are wrong, so I don't act on them. How am I contributing to the oppression of people of the ethnicity I have racist thoughts against?

(Incidentally I think "people of color" is a pretty racist term, since it lumps all non-white ethnicities together.)

>Paedophilia may be sexuality, and yes, it was wrong to demonize homosexuality, but unless you're arguing that one day we'll look at paedophilia the same way, then you can't put them in the same boat morally.

Well I do argue that. Just as homosexual rape is a crime (although often treated as a joke, c.f. prison rape), child rape is a crime. No matter the sexual orientation of the perpetrator.

>but a better one is to stop being a paedophile

Since when can sexual orientation be changed? According to Wikipedia:

There is no evidence that pedophilia can be cured. Instead, most therapies focus on helping the pedophile refrain from acting on their desires


> How so? I sometimes think racist (and sexist, and...) thoughts, but I know they are wrong, so I don't act on them. How am I contributing to the oppression of people of the ethnicity I have racist thoughts against?

So do I. Whenever I do, I work to try to understand where the thought came from, and how, if millions of people also had that same thought, what the consequences for minorities would be. I feel it's my obligation to understand the deeper psychological dynamics at play.

One's thoughts can't be controlled like one's hands can be, but that doesn't mean you can't work on them.

> (Incidentally I think "people of color" is a pretty racist term, since it lumps all non-white ethnicities together.)

More racist or less racist than the n-word? And why would lumping them together be racist? Terms by themselves are not racist, it's how you use them that matters.

> Well I do argue that. Just as homosexual rape is a crime (although often treated as a joke, c.f. prison rape), child rape is a crime. No matter the sexual orientation of the perpetrator.

Still waiting on the argument that we'll one day be as accepting of paedophilic sexuality as we are of homosexuality. Yes rape is a crime, but criminality is not the point of contention here, morals are. You and others seem to be arguing that morality is not useful as a social tool, that one should not feel bad about thoughts that one has that could exacerbate social problems. That we should draw the line at legal consequences for actions and treat the mind as sacrosanct. I very much disagree, racism has taught us that the law can itself be used to perpetuate evils.

> Since when can sexual orientation be changed? According to Wikipedia:

Thanks for the pointer to Wikipedia. (not being snide, I didn't do my research before opening up my mouth this time) It still looks like an active area of research and I'm hopeful that new therapies will emerge in the future.

I do think sexuality is at least somewhat malleable. I could never see myself becoming homosexual, but I can easily see how I could have been or could in the future become bisexual. I would be adding a new sexuality on top of my old one, figuring out a new way to have that experience.

I fail to believe paedophilia is the only mode of sexuality that's open to most or even a significant fraction of paedophiles.


>I do think sexuality is at least somewhat malleable. I could never see myself becoming homosexual, but I can easily see how I could have been or could in the future become bisexual. I would be adding a new sexuality on top of my old one, figuring out a new way to have that experience.

I won't go into a long story but TLDR: I thought of myself as gay from puberty until a couple of years ago, I am now entirely bisexual. I don't know if the side of me that is attracted to women (I'm a guy) didn't exist a decade ago and my sexuality changed, or if it did exist and I just didn't know how to access it. But it certainly was a definitive change, previously there just wasn't any sexual feeling towards women in my head, ever. Despite this personal experience of sexuality being malleable in at least some form, I am still entirely confident that homosexuality (including the gay side of bisexuality) cannot, at least with our current scientific knowledge [0] be purposefully changed, and while I'm lucky enough not to have a personal anecdote about paedophilia, everything I've read up on the subject makes me believe the same goes for that.

[0] I say current scientific knowledge because who knows, maybe in X years/decades/centuries we'll fully understand the human brain and be able to modify it as precisely as you can modify a computer program. Setting aside the fact that this advance in science/technology would probably do far more to scare me in terms of how it could be used negatively vs. benefits such as removing the attraction to children from paedophiles, since we are no where near being able to do this we might as well keep the debate within the frame of what we actually can achieve in the foreseeable future.

> I fail to believe paedophilia is the only mode of sexuality that's open to most or even a significant fraction of paedophiles.

It's known that there are paedophiles who no matter how hard they try, and get supported with therapy/etc., never find themselves attracted to adults. It's also known that there are paedophiles who find adults as attractive as children, or also attractive but more/less so than children. It's very hard for anyone to find out how many of each because paedophiles in general often prefer not to talk about their condition, even to medical professionals, and especially paedophiles who can be happy in adult relationships probably don't have much motivation to think about fixing their attraction to kids, since they can have a sexually-fulfilling life without them.

(Incidentally, my gay->bi sexuality is why I find the subject of paedophilia from a medical point of view fascinating, since it does seem that they are very similar things biologically, just not culturally. And no, I don't mean that because they are similar biologically that they should be similar culturally, I fully approve of saying homosexual relationships are good and adult/child sex relationships are bad.)


It's really important to separate what someone thinks from what someone does. Having violent thoughts about people is very common, acting on them far less so.

Someone who reads sick fiction and or looks at man made images is hardly harming anyone. I mean Vorarephilia is also a thing, and they can get off watching monster movies. But, there are very few actual cannibals out there.

At best you could make a comment based on reproductive success in our culture. But, I have trouble going from there to paying to lock people up.


> It's really important to separate what someone thinks from what someone does.

I agree. That's why I said that people shouldn't be subjected to legal consequences for their thoughts. They should definitely not be morally absolved.

> Having violent thoughts about people is very common, acting on them far less so.

I would argue that a person that looks at paedophilic content is arguably being violent themselves. If you went to a ancient Roman gladiator arena and eagerly watched the bloodsport, or to a current-day dogfighting event as a spectator, then you are participating in the violence, even if you aren't actually conducting any of it. What separates bloodsport from horror movies is that in movies, nobody is actually getting hurt.

There is definitely a relative aspect to right and wrong, and we all have ways in which we are wrong. It's important to recognize what is wrong and what is right, and to work to become more right over time.


If someone watches 'gladiator' the movie then real people are not actually being harmed. IMO, it's harder to suggest that watching fake content is also wrong.

Now, extend that to fringe Anime and there is now sick content that's was not harmful to create. I don't see how your suggesting there is an actual difference between movie types assuming all actors are adults and blood was faked etc.


The difference is of degree and not kind. When you add reality to content it makes it both morally and psychologically worse. In between the real and the completely fake is the very convincing. Snuff films fill this niche. In between snuff films and Gladiator would be your fringe anime.

Fake content isolates negative aspects of experience and presents it in a comforting bubble where you don't have to contemplate all of the nasty context surrounding the portrayal if it were real. As content acquires more reality that bubble is progressively burst.

I've watched lots of questionable content over the years, but the things I've seen that have left the nastiest impressions were always real or based on the real. The audio of the Jonestown massacre was among the most horrifying things I've ever came across.

If you're watching real content of real kids really getting abused, that's probably one of the worst things you could ever do short of actually doing what was in the video. But the difference between enjoying that and the less graphic is one of degree and not kind.


You are making a psychological argument not a moral one. Actual evidence suggests things like violent video games actually reduce violent crime in society. So, your going to need actually evidence to support that line of thinking and I don't think it exists.


The moral argument only works if there's a real psychological component. You can't consider them in isolation. It wouldn't be morally wrong if it weren't also psychologically harmful.

Can you make an argument that easily accessible kiddie porn is going to reduce child violence? Even if you could, I would hesitate to make even the fake stuff legal unless the science was very conclusive. I'd argue that with kiddie porn, the default should fall on 'no' and not 'yes'.

That said, it's really difficult to draw a line here. Content creators are going to find ways around any laws we pass. That's why we need a moral component, so that we can enforce these things not just legally, but also socially.


Don't move goal posts, has no effect is enough to make it harmless with that line of thinking. So, if you want to use it you need to demonstrate harm.

Sure, it's easy to make a counter argument along the lines of "Making things taboo adds to their appeal. Supervised underage drinking seems to have a long term positive impact." However, that's also meaningless unless you study the issue.

I really don't know, but I also accept I don't know.

PS: This is one of those issue people don't approach rationally. It's as if gathering evidence is already admitting you might be wrong.


> So, if you want to use it you need to demonstrate harm.

That's a false dichotomy. We cannot have perfect knowledge about everything that could possibly help or harm society. We need to retain the ability to act in its absence.

> I really don't know, but I also accept I don't know.

Not all things should be treated this way, but in the case of kiddie porn, I'd argue that defaulting to the stance that all conduct in this space being morally wrong, perhaps even criminal, is justified.

It's tempting to want an ideological framework that preserves sanctity of thought so that we don't have to consider that we, ourselves might be morally wrong on occasion, but the world doesn't work that way. The mere fact that millions of people want something is enough to create a market in violence and suffering. Whether it's children, rhinos, or slaves. (I use market in a non-economic sense here, any venue for satisfying a desire is a market)


I get where you are coming from. I think the sanctity of thought needs to be maintained so you can examine new evidence with minimal bias.

However, as something to consider. There is a very long history of things people assume without evidence being wrong. Abstractly, unsupported ideas are random in nature and the number of true ideas are vastly outnumbered by the number of wrong ideas. So, IMO the default assumption for unsupported ideas should be they are false.

Anyway, nice chatting with you.


So what if they turn out to be wrong later? Fighting paedophilia makes the world better now. Unless you are arguing that is not the case.

Look, at some point this is going to boil down to a simple question. Do you really consider sanctity of thought to be more important than the security of the people those thoughts threaten? Because to a very, very real extent, the thoughts themselves threaten. They create threatening atmospheres and markets in cruelty and suffering.

We're not talking about rights here. We can fight paedophilia completely within the current constitutional framework using completely aboveboard laws. We are talking about nothing more than social pressure of making people feel bad about thoughts that they have that are bad. Simple, uncomplicated moral pressure.

Sex with children is wrong and you deserve whatever happens to you if you do it. Can you at least agree with that?


> So what if they turn out to be wrong later?

A peasant picks up a rock and due to a local legend decides it prevents tiger attacks. So, they carry it around for the rest of their lives. Not a big deal right?

Well, what if they have their tiger rock, hippo rock, fire rick, snake rock, cancer rock, martian rock, ... Until they are not willing to leave the house without 150 pounds of rocks in a backpack.

Individually each issue may have been tiny. But, each and every one of them are also a drain. Also, they may get eaten because they falsely assume they are safe when in imminent danger. Or in this case you might assume your fighting when in fact your just making things worse.

So, even if the cost is low and it might be true, avoiding wrong ideas is still valuable.

PS: As to actual direct harm, sure shoot em. But, that's really not what I have been talking about.


I think it's important to recognize that the violence of gladiatorial combat was both legal and accepted in Roman culture, where as dog fighting isn't today. So, it's a little unfair to compare the two as if they're equivalent moral issues.

Of course that hinges on the fact that you accept that morality is a cultural construct and not absolute, which is a philosophical rabbit hole.


More like 3D printed replicas of rhino horns being illegal, because they're shaped like poached horns.

You've implied that there are perfectly normal people who choose a career in child abuse for the money.

This subject is yet another instance of society's moral panic "war on X", collateral damage be damned. I mean, who cares about the absurdity of persecuting possession of information, those people are fucking revolting!


1) Are you advancing the argument that abuse of children is an economic response to demand, and not that the perpetrator wanted to do it in the first place? 2) How does this argument explain the illegality of drawings depicting underage sex with none of the depictions being based on a real-life individual?

Somewhat unrelated (I'm not trying to set up a straw man here), I believe that it's more consistent to believe that society finds paedophilia to be disgusting and that due to their disgust that paedophiles should be jailed. I believe that this is due to the conflation of thoughts with actions, and the belief that someone with those thoughts will always be prone to action. It's a somewhat risky viewpoint to espouse that "paedophilia in and of itself should not be illegal, abuse of a victim should" given the fervor of the people against paedophilia, but I think it is more congruent with a living in a free society. It's a shame that anyone suggesting nuance there is usually then associated with paedophiles in the mind of the person hearing the argument.


> Are you advancing the argument that abuse of children is an economic response to demand, and not that the perpetrator wanted to do it in the first place?

There is abuse of children, then there's the act of making recordings of it for others to consume. The latter certainly functions on a demand curve, as it takes more work to produce something than it is to just do it.

> How does this argument explain the illegality of drawings depicting underage sex with none of the depictions being based on a real-life individual?

There probably isn't much rationality to it. Legislation is more of a political process than a rational one.

> I believe that it's more consistent to believe that society finds paedophilia to be disgusting and that due to their disgust that paedophiles should be jailed.

I would agree with that assessment. But there's also a shocking amount of truly, unbearably horrific content in the world. Disgust may not be the most rational basis to make something illegal on, but it's better than nothing. Laws are intended to be iterated on over time, a more nuanced view will eventually prevail, though it might take decades.

> It's a somewhat risky viewpoint to espouse that "paedophilia in and of itself should not be illegal, abuse of a victim should" given the fervor of the people against paedophilia, but I think it is more congruent with a living in a free society.

Paedophilia is not illegal. It's child abuse and possession of child pornography that's illegal. You can't convict someone of being a paedophile, there's no law against it.


> There is abuse of children, then there's the act of making recordings of it for others to consume. The latter certainly functions on a demand curve, as it takes more work to produce something than it is to just do it.

With the Rhino argument, the entire reason for the act occurring is economic (kill rhino, collect horn, get paid). For paedos, the act occurs because they want to do it. Being able to gain social standing or affirmation is secondary. People record child pornography for posterity without distributing it.

> There probably isn't much rationality to it. Legislation is more of a political process than a rational one.

Agreed, and that is the thesis of my argument.

> I would agree with that assessment. But there's also a shocking amount of truly, unbearably horrific content in the world. Disgust may not be the most rational basis to make something illegal on, but it's better than nothing. Laws are intended to be iterated on over time, a more nuanced view will eventually prevail, though it might take decades.

Disgust is not a reasonable basis for making something illegal. At a bare minimum, I believe that the first amendment rights of people drawing depictions of child abuse are being violated. But it's "icky" and not politically viable to defend, so nobody defends them.

> Paedophilia is not illegal. It's child abuse and possession of child pornography that's illegal. You can't convict someone of being a paedophile, there's no law against it.

Possession of something that depicts, but is not, child pornography is also illegal (and to your point, irrational to make illegal).

At the risk of losing my footing to try to make a point, I think it's somewhat similar if someone said "Being homosexual isn't illegal but engaging in any act whatsoever, whether it victimizes anyone or not, is." We've already ruled that sodomy laws violate people's constitutional rights. I'm not saying that paedophiles should have the right to express their affinity with children (they cannot consent), but removing all outlets for it smacks of trying to pray the gay away.

I think our nation would be far more sane if we decriminalized mere possession of child pornography, as disgusting as it is. I would rather have my fifth amendment right not to decrypt a drive than catch people that have not directly (and I would argue also not indirectly) harmed anyone by viewing images.


> People record child pornography for posterity without distributing it.

Doesn't matter, this material leaks out into the world and becomes part of sharing networks. In these networks, paedophiles can live and participate in a world in which these thoughts and this behavior is OK. With social validation eventually comes boldness and the willingness and desire to create ones own content.

Do you have a hobby? I like food. I like talking about food, cooking food, I take pleasure in being able to discern subtle flavorings in dishes and having an appreciation for real Chinese food as opposed to bland American Chinese shit.

All of that time and effort I put into food, there are vast numbers of paedophiles that do this for videos of children being abused. Without the moral stigma, these people will get bolder and bolder, and before you know it, there's a paedophile political lobby just like the gun and homosexual rights lobby.

Is this a world you want to live in? Countenanced with this, is disgust as a source for the political capital to fight paedophilia really such a bad thing? Do you really want to grant legitimacy to that way of life? Because that's where your line of thought goes.

Yes, it's awful that if you are wired that way, you're pretty much fucked and that's terrible and I feel bad for you. But it's really, really morally fucked up and repugnant and wrong to allow yourself the inner freedom to explore your sexuality on these networks if that's the case. You deserve to be locked up and shamed if you give in to your urges.

There's no easy way through this.


I do agree that there's no easy way thought this, and it sounds like we'll likely have irreconcilable viewpoints. I hope that you will at least seek to ensure that the constitutional rights everyone are upheld, even for people that you find repugnant. If we don't uphold fundamental rights for the worst of us, the powers that be can use that as the thin edge of the wedge to remove those rights for the rest of us. It was enjoyable to converse with you, have a good one.


Yes, I do believe in constitutional rights for everyone. If I have led you to believe otherwise, please tell me which constitutional rights I am implying should be withheld from which group of people. If it's freedom of speech for paedophiles, then I believe the Supreme Court has set clear precedent that the ban on child pornography is an allowable restriction on speech, correct me if I'm wrong.


Personally, I'm all for fighting pedophilia and every other form of child abuse, but this: "every person who is in a position to fight the unnecessary consumption of [your condemned choice] and doesn't, is complicit in the destruction of [whatever]" is a nasty fallacy that should be stopped on the spot every single time! Otherwise there is no limit to the liabilities under which anyone can be subdued!


I wouldn't call looking at pictures (even of victims of child sexual abuse) "the most despicable crime in our modern society". The child sexual abuse itself is worse.

Also torture, wars of aggression, mass poisoning...


I was thinking of a modern twist of pedophilia where digital media has become a way to spread the product of child abuse.

But maybe also that it's more relevant today due to the people being more informed and connected.

So I was actually separating it in its modern form from much older issues like war, torture and poisoning for example. But that's a non issue really, sorry for unclear phrasing.


It is not in fact settled law that unlocking an encrypted drive is testimonial. It's also worth remembering that the primary motivation for 5A is to prevent false, coerced testimony and torture; when SCOTUS eventually deals with this, they could find that no protected substantive rights are threatened by demands to unlock encrypted media.

We're unlikely to get it both ways: both a right to strong encryption without government interference and a right to defy court demands to decrypt specific files. But we'll see.


Realistically, how can we differentiate between a suspect who's refusing to unlock something, and a suspect who has genuinely forgotten his password?

I know for myself, even with passwords I use multiple times a day from memory, it only takes a couple of months of not using them before I cannot recall them again. This guy has been locked up for 7 months.

See also the numerous people who stored bitcoin in brain wallets (bad idea), who now cannot reclaim their money despite considerable financial incentive to do so.


There is no foolproof way, but uncertainty is something the law has dealt with for centuries, and isn't unique to this situation. The short answer is: it gets argued in court like everything else.

If cryptography introduces too many new cases of contempt, we'll need to rework the contempt system, and, in particular, introduce juries to the process (perhaps for contempt sentences exceeding a certain number of weeks).


> uncertainty is something the law has dealt with for centuries, and isn't unique to this situation. The short answer is: it gets argued in court like everything else.

Yes, precisely. This is a specific point I have seen programmer types uniquely vulnerable to tripping over.

Courts, generally, aren't like computers, where a little technicality will override common sense completely in a literalistic following of instructions. Sure there are exceptions to this rule, but for the most part a court proceeding has humans running it that live in the actual society and have some ability to factor in not just the rules but also the consequences, including unintended ones, of their actions.


"Courts, generally, aren't like computers, where a little technicality will override common sense completely in a literalistic following of instructions."

True, and in rare cases where something like that does happen, it's probably going to be a lot more amenable to sensational reporting, so more likely to be widely reported.


He isn't getting the chance to argue it in court, from what i've seen.


Have you read the filings? It sure seems like he has.


> I know for myself, even with passwords I use multiple times a day from memory, it only takes a couple of months of not using them before I cannot recall them again. This guy has been locked up for 7 months.

You have the timeline reversed. He's been locked up for 7 months because he refuses to decrypt the drives.


But still - not being able to recall a password NOW is real possibility.


> We're unlikely to get it both ways: both a right to strong encryption without government interference and a right to defy court demands to decrypt specific files.

What about the plausible deniability that is provided by some encryption softwares (Truecrypt was one of these when it was still relevant and considered secure, I don't know about current ones)? If the suspect decrypts an encrypted volume and can deny plausibly that there is another one hidden within, is he supposed to remain in jail until he decrypts a volume providing evidence of crimes he might have committed?

In my opinion this is the reason why "I have forgotten the password" should be accepted as an answer, for the two situations are similar: either there is enough evidence to convict the guy and other evidence is not really needed, or there is not and the burden of the proof should not be on the suspect.


Defying court demands should always be an option - such actions can be a crime, and it can be adequately punished, but it certainly is an option that can happen, and if a person does defy court demands, then consequences should require the following:

1) There is a proper verdict that the person has actually defied the court (as opposed to forgotten the password or the encrypted data not being his in the first place) - this has not happened in this situation, we have only claims by the prosecution not verified by the court;

2) the guilty person receives an appropriate punishment for this crime - and indefinite imprisonment (e.g. life sentence if the person doesn't yield) is not valid even if the person is guilty of everything claimed.


I think people are undervaluing this point. Sure, you can say he's probably guilty, but the entire point of a jury trial is to determine that!

"That guy's totally guilty" isn't a basis for any kind of prejudicial action - either you have enough info to try him, or you don't have enough info to hold him on suspicion.


I kind of agree that if the government had evidence to convict or even charge him of a crime the burden is on the government.

Though we all hate the underlying accusation and no one wants to protect this kind of activity, it is important that the government play by the rules. To do otherwise sets the precedent for future abuse on less heinous cases.


Even if they have enough testimony to convict him, they may be more interested in forensic clues about where he obtained his files.

Decrypting his hard drive may lead to other charges against other people. If he knows that he can incriminate others, he may be waiting for a deal.

They're playing hardball with him right now. After six months in jail, watch them offer him a deal if he unlocks the hard drive. He gets a firm but reduced sentence (including time served) and they get more bad guys.

(Why yes, I have watched too many episodes of Law & Order, why do you ask?)


First sentence of the article says he's already been there 7 months.

They won't get 'more bad guys', they just want to prove that they can do this to anyone who doesn't obey.


Or they want to identify the child victims of sexual abuse, and want to make sure those children are safe, and that the people abusing them and taking photos of that abuse are prosecuted.


Somehow unethical law precedent always seems to come at the aid of women and children. I have a very hard time buying into that overused excuse. How likely do you think it is that the children fall into their jurisdiction? Much less even, do you think they'll be able to identify young undocumented children?


>How likely do you think it is that the children fall into their jurisdiction?

Since child porn is illegal just about everywhere (although the definition of "child" may vary), it should pose no problem to notify the authorities in the country of origin.


The definition of 'child porn' differs greatly as well, more than the definition of 'child' I'd wager.


Exactly, unethical laws are always passed on emotions (supposedly to protect the women and children). Think of how nazi germany started cracking down on jews - some of the very first laws were that german women couldn't work in jewish houses, and Hitler rolled the ball from there.

The new age model is to convict ten innocents than let one guilty suspect go.


Police have international co-operation to identify, find, and protect the victims of child abuse.


The article did specify that the files were obtained through Freenet, a distributed information storage and retrieval system where all the files are shared and distributed to any node that requests it. I would be surprised if agencies against sexual abuse of children do not already operate nodes that siphon up all data it can get.


It is because the subject is deplorable that this is an issue. It is literally the only issue that would allow this trojan into the legal system.


> This is an important constitutional issue! The subject may be deplorable, but the root issue is not.

Guilty unless proven otherwise. That's what constitution says.


I find this interesting, as I would almost certainly have forgotten my password by now, it only takes me 4-6 months of never using a password to forget it, so I wonder what happens if you can't decrypt your drives, due to honest forgetting from sitting in jail refusing to, or from some sort of deadman's switch or similar that drops keys after N days.


> or similar that drops keys after N days

This cannot exist on "dumb" hardware.


>... it's a "foregone conclusion" that illegal porn is on the drives, ...

Obviously not if the government needs the suspect to tell them where to find the porn in the keyspace. The porn at this point literally does not exist on the computer. The government is asking the suspect to find it for them there.

So the question here is; can the government compel someone to help the government find evidence against them?

This reminds me of something a Pakistani coworker said. He said that in the area of Pakistan he grew up in they had the best police force anywhere. There were no unsolved crimes. Someone always confessed...

So this is the same sort of thing. Torture someone long enough with indefinite detention and they will eventually come up with something to indict themselves with. There has to be something illegal in any well used computer.


Pretty sure that's in violation of the fifth amendment (self-incrimination).


Contempt is appealable, and in stories about appeals for long contempt sentences it appears that the likely sentence for the underlying matter is a factor. So, as a practical matter, this might mean that refusal to unlock a drive will net you the same sentence as if you were tried and found guilty for whatever crime was supposed to be on the drive.


This effectively makes forgetting one's password a crime with a lifetime jail sentence... Not bad, not bad


No it doesn't. They found evidence on his computer that strongly suggests there is child porn on the encrypted drive, there are witnesses that claim "John Doe" showed them child porn and he admitted to knowing the password initially, it was only later he claimed he forgot.

Prosecutors need sufficient evidence to obtain from a judge warrants, and in this case a decryption order, before they can hold you in contempt of court.

Of course, the evidence required for a warrant is still typically less than what is necessary to convict. The issue here is something to do with fifth amendment rights, which honestly I don't know a lot about because I'm Australian.


Thats pretty scary.

I've travelled with encrypted drives where I didn't know the password before. (Forgot it & was bringing the drive to someone for their own use after formatting).


I agree with the overall idea that this is an interesting/problematic case, but I think the discussion would be better served if we stopped assuming that the authorities here are morons.

No, forgetting your password is not a lifetime sentence. No, not knowing the password for an item you've never seen is not a lifetime sentence either. Refusing to obey a judge's order, however, will get you in trouble. Again, these people are not morons, and if they say the guy is only pretending to have forgotten his password (a dishonest criminal? shocking), they might have a good reason.


The reasons are stated in the article (the suspect never mistyped his password, and always remembered it), and addressed by the commentators you criticize (under pressure and after seven months without typing it, it is not impossible that you forget a possibly complicated password).

Even if you think that chances are high that the guy both is guilty of some crime and remembers the password, that still leaves the "what if he is actually innocent and actually forgot his password" case. Indefinite prison sure seems a hard sentence in the latter case, which you cannot refute beyond reasonable doubt.


> The suspect never mistyped his password, and always remembered it

They even went so far as to say he always got it right on the first try.

I found that very interesting... How would they possibly know that? If they had a key logger obviously they would already know the password.

Does FileVault store some indication of failed login count? That isn't reset after a valid login?


Actually, does this mean that Apple could be logging successful / unsuccessful decryption counts for FireVault volumes? Is there some sort of lock-out feature they are running?


He was in jail for seven months for the contempt charge under discussion -- it's not like he didn't know that's what they wanted from him when he went in.


Apart from the obvious assault on the presumption of innocence here, is there a cryptographic file-system that stores a secret X and Y that given a key k_x would decrypt the content X and given k_y would decrypt the content Y without revealing to an attacker that there are multiple contents?

If yes, than one could store a real secret X and store a false secret Y, something that looks like a secret enough to be perceived as a secret. Then in case of torture, government persecution, etc, the victim could reveal only Y.


> His sister saw some of it, and the suspect is said to have shown his family an illicit video, too.

> Within the virtual machine the examiner found one image of what appeared to be a 14-year-old child wearing a bathing suit and posed in a sexually suggestive position. There were also log files that indicated that Doe had visited groups titled: “toddler_cp,” “lolicam,” “hussy,” “child models – girls,” “pedomom,” “tor- childporn,” and “pthc,” terms that are commonly used in child exploitation.

> The exam also found that Freenet, the peer-to-peer file sharing program used by Doe to obtain child pornography from other users, had been installed within the virtual machine. The exam showed that Doe accessed or attempted to access more than 20,000 files with file names consistent with obvious child pornography... and that he used the external hard drives seized by Delaware County detectives to access and store the images.

They have a pretty strong amount of evidence that what's in those drives will be CP.


This is known as deniable encryption.

https://en.wikipedia.org/wiki/Deniable_encryption


TrueCrypt has a feature like this. Not sure if its efficacy but the idea is that you have a password that decrypts to one thing and password that decrypts to another, I believe?


Yes, this was a feature of Truecrypt, though I'm not familiar with the underlying crypto.


It just uses data layout. Normal volumes have some wasted space filled with random data. Volumes with hidden volumes inside them fill that space with a second header. If the outer volume is naively mounted, writes can destroy the data stored in the inner volume.


I'm quite surprised that they can break Freenet but can't break FileVault (I remember reading an article about a Filevault master password that is short and brute-forceable but can't find it atm). I would have bet the other way around.


Freenet has only symbolic privacy protection for downloaders. Privacy is supposed to come from your node requesting not only blobs it is downloading for itself, but also blobs other nodes have requested from it. Unfortunately, as far as I understand, freenet's routing algorithm is such that these two classes of requests come from blatantly different statistical distributions. The further a requested blob is from a node's address the more likely it is the node is requesting the blob for itself. Another layer of protection is the blocks being encrypted, but if they are publicly published that can be changed with a bit of scraping.

What this means is that by running a single freenet node you can monitor half a hundred others. What's surprising is that it hasn't been done earlier. You don't even have to commit a crime to do it as a civilian.

This could have been avoided if freenet was hoisted on top of tor (not totally trivial because freenet runs over udp) or had an onion routing layer of its own. If the glaring privacy flaw was fixed freenet would have amazing properties which tor lacks, namely very safe and scalable (no dos unless you take down the whole of freenet) static hosting and non-realtime communication in general, and utter censorship resistance. Trying to figure out who has a blob only spreads it around more.

It's a shame the ideas behind tor and freenet haven't come together in a popular project.


This certainly points towards having more widespread support for plausible deniability, no? Are there any mass encryption tools that are reasonably simple to set up providing this (besides TrueCrypt Hidden Volumes)?

Would someone continue to be held in contempt if they furnished a decrypted drive that didn't contain the information that court held as a "foregone conclusion" that it contained?


Tails combined with any encrypted cloud hosting service accepting anonymous payments (e.g. mega.nz, though I'm sure there are ones with better desktop integration) would offer more deniability than any local solution could, though it's debatable if paying is reasonably simple.


Why besides TrueCrypt?


because it's supposed to be broken and/or backdoored since may 2014 when the development abruptly stopped and weird warnings appeared on the official site to switch to alternative programs


There's no evidence it's been "backdoored since may 2014." There were no changes at that point in time.


"supposed [...] since may 2014"


Although, who really knows at this point. Judge for yourself what happened: https://mastermind.atavist.com/he-always-had-a-dark-side


In the UK, this is actually legal sadly.


Sections 49 & 53 of the RIPA allows for up to two years imprisonment for failing to provide unencrypted copies of key material. Not quite the same as life. Although I wouldn't be surprised if they managed to abuse it in this way.


This case involves "child indecency", and so would be 5 years. But yes, there appear to be better protections.

http://www.legislation.gov.uk/ukpga/2000/23/part/III

    (5)A person guilty of an offence under this section shall be liable—
      (a)on conviction on indictment, to imprisonment for a term not exceeding [F15the appropriate maximum term] or to a fine, or to both;
      (b)on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding the statutory maximum, or to both.

    [F16(5A)In subsection (5) ‘the appropriate maximum term’ means—
      (a)in a national security case [F17or a child indecency case], five years; and
      (b)in any other case, two years.


> Although I wouldn't be surprised if they managed to abuse it in this way.

Simple. Imprison someone for two years. Demand they provide key material again. Rinse and repeat.


Idk how it works in the UK, but in the US you can't charge someone for the same crime twice.


.. Unless they've committed it twice. 'Failure to abandon your fifth amendment rights', 05/2016. 'Failure to abandon your fifth amendment rights', 05/2018. 'Failure to abandon your fifth amendment rights', 05/2020. etc.


Seven months imprisoned without trial and counting. The technicalities about contempt and hard drives are a distraction; the real injustice is that, as a routine matter, the US government no longer gives trials without extensive pre-trial punishment.


and what happens if I forgot my password?


It's told in the headline, I believe...


>The defendant, who is referred to as "John Doe" in court papers, claims he forgot the passwords. The suspect's identity is Francis Rawls, according to trial court papers.

> In fact, Doe had multiple layers of password protection on his devices, and he always entered his passcodes for all of his devices from memory. Doe never had any trouble remembering his passcodes (other than when compelled to do so by the federal court), never hesitated when entering the passcodes, and never failed to gain entry on his first attempt.


Which in itself isn't really valid. Under immense stress, memory fails. I'd wager facing a long prison sentence for a crime that will make you a big target in an already hostile environment would be pretty stressful.


I was going to comment the same thing. If I'd been imprisoned for 7 months, there's a good chance I'd forget my password manager master password too... I remember it now because I enter it multiple times a day. After 7 months, under duress and stress? I'm not sure if I would...


Meanwhile a laptop I didn't access for 3 months has a boot password (that I must not have needed for >3 months ontop of that) is now locked away and without any ability for me to login to.

And that was without going to prison


Open it up and remove the CMOS battery for a while then replace it. That will remove a BIOS password. OTOH, if you encrypted the drive...


> if you encrypted the drive...

Yep, LUKS AES-256. I seem to recall someone demonstrating how to crack LUKS for fun, but I can't remember where I found that article, nor enough keywords to find it again. I might just be failing at Google, mind.


Unfortunately this won't work on most modern systems where the password hash is held in nonvolatile memory, rather than a battery-backed volatile store.


I'm not so sure. It's going to be on your mind constantly, surely.


I forgot my previous master password a month or two after I changed it.

But the point is, after many months (eg 7) plus stress... many people would. Not everyone, but enough people that I don't think you can blanket say "you surely know it, hand it over".


But not while you were in prison for not revealing it. Surely you'd be lying there at night and passwords would be all you could think about!

I keep going over where I went wrong in the exams I did a month ago and I've already had the results with all at 90%+ (yeah r/iamverysmart, I know)


I think people are different.

There was one rather important password that I hadn't used in a few months before I needed it. I tried for a week to remember before eventually resetting it.

Of course, if I were arrested tomorrow, I'd be able to remember my master password. I'd probably still remember it a month from now too, but a few months later not so much.

So the question is: if he was lying at first, but now no longer is, what does that mean for him, legally?


You could be lying. What is more interesting to me is what happens when you destroy the crypto key (usb token or a smartcard), so no one ever can decrypt it.


Then you will probably get charged with destruction of evidence, and punished accordingly. Either there is evidence that you willingly destroyed it, or there isn't and you are acquitted.

That situation seems a lot less abstract and certainly less disconcerting than being jailed indefinitely for not remembering a passphrase (or claiming you can't).



The exam showed that Doe accessed or attempted to access more than 20,000 files with file names consistent with obvious child pornography

Is nobody else alarmed that OS X apparently logs any and all( or at least 20k records )file accesses by default? This is way too many to be found in the HFS journal, so it's clearly intentionally logging all accesses.

Edit: They also appear to have been able to deanonymize the defendant's FreeNet usage, though this could have easily been OPSEC violations rather than technical shenanigans.


Scary sh#t. What if inmate forgot the password? I cannot remember 4-digit PIN on a year old card I hardly used.


Ars Technica chose to illustrate this article with a perspective-distorted screenshot of md5-crypt-encrypted passwords, the entire point of which is to prevent the person who has the encrypted password from being able to decrypt it.


The ACLU or EFF need to jump on this case. The precident set by this is too important to leave to some randomly assigned public defender.


What would happen if the suspect destroyed keys prior to arrest? (ignoring the similar difficulty of proving this)


One more reason to have plausible deniability features.


Why doesn't the Fifth Amendment cover this?


For much the same reason that it's not against the fifth amendment to ask a suspect to unlock a safe.

http://lawcomic.net/guide/?p=2897


It does IMHO, but the court apparently disagrees.



what would happen if a suspect destroyed the keys?


Obligatory XKCD: https://xkcd.com/538/


In case you're curious, this is often called rubber-hose cryptanalysis:

https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis


In Russia, if you are curious this is often called rectal high temperature cryptanalysis. There is manual.

http://lurkmore.to/%D0%A2%D0%B5%D1%80%D0%BC%D0%BE%D1%80%D0%B...


I wish HN software would automatically start flagging comments that only contain a link to an xkcd strip.


"USA land of the free..." Really what happened with your country ? In EU you can't imprison someone for not decrypting hard drive if he says it can incriminate him, everyone understand this but not the biggest democracy in the world?


The whole EU? No, a small island has some lunitic laws.

https://en.wikipedia.org/wiki/Key_disclosure_law#United_King...


Well, to be fair the UK is more like the 51st state than part of the EU.


Not all EU, but countries like Poland, Netherlands etc. can't make you decrypt if you are suspect.


Well, their democratically elected leaders said the idea of "innocent until proven guilty" is obsolete and probably supports terrorism. Democracy is a political system, not a synonym of being thoroughly good and fair.

As for "land of the free", that's propaganda.


Neither British common law or Continental law systems have any mechanism to challenge this type or behavior.

At least in the US, there's an absolute right against self-incrimination, guaranteed by the Fifth Amendment. The higher courts have been pretty clear, going all the way back to combination locks, that coercing a password would constitute requiring a defendant to incriminate him or herself.

The actions of the judge should be overturned based not only on existing precedent, and principles of fairness and good faith, but also because they violate the privilege against self-incrimination.


> or Continental law systems

Huh? What gives you that idea (at least for Germany [0], Switzerland, France(-ish), etc. it is demonstrable false)?

Even the European Court of Human Rights holds that you have the right to remain silent despite there not being a article specifying this as such.

[0] And it does indeed extend to passwords here


Germany, France, and Britain use a form of so called "right to remain silent," but the prosecutor is allowed to submit silence as evidence of guilt in and of itself.

That is extremely different than a prohibition against self-incrimination.

In France, you actually have to take the stand at trial. However, if you do so under the coercion of the court, you cannot be prosecuted for perjury for anything you say during your testimony. So essentially you can lie, in matters both small and large.


> but the prosecutor is allowed to submit silence as evidence of guilt in and of itself.

In Germany they are not allowed to do that (the police might tell you that, but they tend to be somewhat misleading).

> That is extremely different than a prohibition against self-incrimination.

And this prohibition is actual a central principle of the German law system (and the right to remain silent follows from this).

And the common advice from lawyers here is exactly the same as it is in the US, do use the right to remain silent. Even if you are innocent.. you have nothing to gain by talking (especially without lawyer present).


I was referring to other countries in EU like NL or PL etc.


Then you really should have specified that, rather than wording it like these protections apply to all EU nations.


Let's not use euphemisms like "kiddie porn" and realize the danger that child pornography feeds the child slavery industry. The core issue is that the suspect is potentially hiding his network, clients or victims' identities. Until he surrenders his hard drives, the truth may never come out.


If there is useful information for law enforcement unrelated to the case at hand, it seems that we have plenty of already-existing mechanisms. They could offer him immunity in exchange for unlocking the drive, thus completely skirting the fifth amendment issue, or they could convict him based on other evidence, and offer favorable sentencing in exchange for unlocking the drive.

The fact that he is being compelled to offer evidence against himself seems like the dubious part of this whole proceeding.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: