Hacker News new | past | comments | ask | show | jobs | submit login
Man jailed 16 months, and counting, for refusing to decrypt hard drives (arstechnica.com)
667 points by doener on Feb 12, 2017 | hide | past | web | favorite | 485 comments

I have a question...

Suppose the suspect Alice only has a portion of the key. Someone else (Bob...) has the remaining key bits.

Alice is busted, and 'compelled to give the key', and DOES provide her portion of the key.

Bob is never found.

Then Alice would be indefinitely imprisoned, even if she would have actually complied with the court order.

It seems unethical, to me.

Bonus question: Alice pretends that Bob exists, but actually he does not, but police cannot prove that. What then?

A possible answer to the first question: Alice is not compelled to provide the key. She is compelled to decrypt the drive. Obviously she can't do that without Bob. Alice is screwed and will spend the rest of her life in prison.

Seems harsh.

> A possible answer to the first question: Alice is not compelled to provide the key. She is compelled to decrypt the drive. Obviously she can't do that without Bob. Alice is screwed and will spend the rest of her life in prison.

Yes, and in this scenario she would not be held in contempt, so your hypothetical does not apply.

You can only be held in contempt for refusing to comply with court orders, not for the failure of a desired outcome.

Let's put it another way: you are totally misunderstanding why this fellow is in jail. It is not because the hard drive remains encrypted - it is because he defied a court order to decrypt it. Granted, if the drive were decrypted by other means he would likely be let out of prison because the point of holding him for contempt would be frustrated - but that does not mean that he was put into jail because the drive was not decrypted. Contempt is solely about defying court orders.

If Alice gave over her half of the key, she would have complied with the order, therefore, there would be no grounds for contempt.

There's no observable difference between inability to produce a result and refusing to produce a result. How do they know he didn't just forget the password? Or that the password was recorded somewhere that he no longer has access to? After sitting in jail for many months, it is very easy to forget a password that you no longer use regularly.

There's also no directly observable difference between killing with or without intent, which is why we have murder trials. The ability to decrypt data can be inferred from the surrounding circumstances, which is what happened here[1]:

> The defendant did not testify at the hearing and did not offer any other evidence or testimony in support of his contention that memory failure prevented him from complying with the court's order. On September 14, 2015, the court issued an order granting the government's motion, App. 6-10, finding that Doe was engaged in a “deliberate ruse” in claiming memory failure as to the external hard drives and that he intentionally disobeyed the court's orders directing him to decrypt the devices.

[1] Government brief, p 12: https://arstechnica.com/wp-content/uploads/2017/02/fedsrawls....

Yes, the court system exists precisely to determine fuzzy things like this.

I'm still curious, what kind of evidence or testimony might be considered believable in this case. Whether someone remembers a particular sequence of words and symbols seems like a thing that's very hard to determine, and by its nature it's unlikely there is any evidence either way.

From the quote you give (and I'll admit I have not read up on this case beyond the article, so it's possible I'm missing something), it sounds like he claimed he didn't remember the password, the court responded with "I don't believe you because you haven't proven that you don't remember it, so have fun in jail until you decrypt."

How would you prove, if you were brought into court, that you don't remember a specific password?

By giving credible oral testimony. The defendant chose not to do that, perhaps because it would have exposed him to cross-examination, and perjury charges if his implausible story was rejected (he remembered other passwords and had been caught with child pornography on other encrypted volumes, and the government may have had evidence about how recently and frequently he had decrypted the external drive, because they were able to decrypt his OS drive). Hopefully, if you really did forget a password you'd be able to give a believable explanation that holds up under cross-examination.

>credible oral testimony.

So the system as it stands is you can be jailed indefinitely because a judge does not believe you actually forgot a password? That doesn't sound ideal.

He gave no testimony, so there's nothing to disbelieve. Everyone has the right to not self incriminate, but that's not a get out of jail free card.

Honestly, what do you envision as an ideal system? The legal system can't be structured like software. You have to be able to cope with unknowns, things that cannot be proven 100%, and people who won't cooperate. This stuff isn't binary.

Regardless of cooperation I disagree with indefinite detention. Write a law that requires you to hand over a key to law enforcement(this will likely require a constitutional amendment) with a specific penalty or follow the constitution as written.

well you can start by codifying your laws and getting rid of juries. there's different types of legal systems.


civil law / roman law, as used in a large part of the world including Europe. (different from civil law as the term is used in the US)

things are quite a lot more clear cut if you just codify (yes, exactly like code, our law books look like code in human language, precisely worded) instead of reinterpreting the law on case by case basis and some ancient writings reinterpreted to fit a modern setting (even they were made by smart folks, it's still almost religion)

This doesn't answer the parent's point. Most cases turn on the facts, even in civil law systems. Defendants still get locked up when judges don't believe them, and judges can still get the facts wrong.

Most U.S. federal law is codified, including the contempt provision that applied here (18 U.S. Code § 401). Codification does not remove the need for courts to resolve ambiguities. The constitutional right in this case is a good example: there is no explicit privilege against self-incrimination in the European Convention on Human Rights, yet the European Court of Human Rights has found that Europeans do have this right, and has explained its scope by 'reinterpreting the law on a case by case basis' [1].

[1] http://cardozolawreview.com/Joomla1.5/content/30-3/ASHWORTH....

Preposterous. Are you serious?

If I ask you to sink 10 baskets and then 0 baskets are made, there is an extremely obvious difference between 10 airballs and refusing to step onto the court.

Stop thinking like a software engineer and start thinking like a human observer. The court system does not use Jenkins to test conditions in the real world - the court system's "runtime" are the faculties of observation and reason of the judges and juries. There are countless, extraordinarily obvious differences between refusing to comply with an order and complying with an order but failing to produce the desired result. In other words, humans do not judge compliance based on satisfaction of test conditions that have to be written down and then run by a computer - they use their own eyes, ears and brains.

As a result, the difference between genuinely not remembering a password or trying, but failing, to decrypt a drive, is totally and obviously different than telling a judge to take a hike, claiming "fifth amendment" or giving testimony that is obviously untruthful. Frankly, this statement:

> There's no observable difference between inability to produce a result and refusing to produce a result

Is just outrageous. There is no difference between failing to detect the higgs boson and not even trying to detect it? I posit that these two scenarios are outrageously different: (1) building the LHC and not finding the higgs boson and (2) not buidling the LHC. Both situations have failed to detect the higgs boson - but they are, in all other respects, remarkably different. I genuinely cannot believe that you hold this point of view to be true.

There's no observable difference between trying and failing, and refusing by pretending. We can obviously observe an open refusal.

I disagree, and the court system is predicated on this idea.

Judging the credibility of testimony is not only one of the primary activities of judges and juries, but, again, I categorically do not believe that you truly believe there is no difference, whatsoever, in indicia or outward evidence, between telling a lie and telling the truth. It's not a remotely credible position to take. It is absolutely the case that humans can be very bad at judging the difference between lying and telling the truth, but the assertion that there is no observable difference is nonsense. It is the reason there are such a thing as "good" actors and bad actors. It is the reason that athletic events in movies are staged, as opposed to actually performed. It is why special effects exist.

Additionally, these judgments are made in context. You aren't judging the atomic, context-less testimony of a spherical witness on a perfectly cubical witness stand suspended in an infinite vacuum. You are judging a human, sitting in a court, in the context of a whole host of other evidence and testimony. So, basically, you are making one of two claims: (1) that humans cannot judge the difference between truth and lies and (2) that it is improper for humans to make these judgments in the context of criminal justice. I disagree with both, but in this case all that matters is the latter - I will cede that it is often the case that humans mess up on individual judgments, but this does not mean that putting humans in charge of these decisions is not the best option we have when it comes to criminal justice.

What you are pointing out is that justice gets tested at the edge cases - and what we have here is an edge case. I understand the engineer's desire to have proof-positive, objectively testable indicia to differentiate between different case-states - in this instance, the difference between being a convincing liar and telling the truth - but that is the central reason we have a court system that is populated and run by humans and not machines. Our "best guess" is what it comes down to. This does, in fact, result in miscarriages of justice - there are supposed to be correcting mechanisms built into this system to compensate for this as well, and the general release-valve for these errors is the idea that you are supposed to be innocent until proven guilty. We have, in fact, stumbled upon a bug in this system here - judges can incarcerate individuals for contempt indefinitely, and this should not be the case. There are other factors going on in this circumstance that render the issue more complicated, and there are ways to address this bug with procedure - hearings, appeals, evidentiary testimony or expert testimony - but to simply state that the solution is to make the system recognize that it is impossible to tell the difference between truth and lies is an absurd notion that totally undermines its very foundation. It is not just throwing the baby out with the bath-water - it is then bulldozing the house too.

It is a primitive, or axiom, of the court system, that humans can be asked to make value judgments about the truth and falsity of assertions presented to them and to judge the veracity of the witnesses making those statements. If you categorically disagree with that axiom, you disagree with the entire jurisprudence system. In this case, I'd like to quote Churchill, when talking about Democracy:

"It's the worst form of Government, except for every other."

If you have a better idea about how to run the court system, I'm all ears.

In my attempt to be clear about the piece of your rant I was calling attention to, I was imprecise. Your previous comment had been directed at asserting there was obviously a difference between someone verbally stating refusal and someone attempting to comply. I can see how you could choose to read that into what the other poster said, but it is not a charitable interpretation.

> There's no observable difference between inability to produce a result and refusing to produce a result.

I don't see how that is open to interpretations, regardless of charitability. I think it is total, unabashed poppycock.

> How do they know he didn't just forget the password? Or that the password was recorded somewhere that he no longer has access to?

Credible testimony and other evidence.

> After sitting in jail for many months, it is very easy to forget a password that you no longer use regularly.

Right, and that is not the issue. Obviously the judge did not find this guy to be credible in the first instance.

That having been said, I'm a corporate lawyer, so my apologies if I was unnecessarily aggressive in my reply to your post. It is something I always have to watch out for, but your points are appreciated and thanks for taking the time to engage.

> I don't see how that is open to interpretations,

I can see a few things the author might be trying to convey. The most interesting would probably be "[There are cases where t]here's no observable difference [...]". I think the alternative I suggested ("[...] produce a result while pretending not to.") is better supported as the authors probable intent (while being a stronger statement and correspondingly less likely to be accurate).

In any case, pragmatics + charity should tell us someone wasn't asserting we can't tell the difference between a person saying "I can't" and a person saying "I won't", and if you can't figure out what else they might have meant the first thing to do is ask.

> it is very easy to forget a password that you no longer use regularly.

Heck, some weeks ago I forgot part of a passphrase I did use regularly. Fortunately, I remembered enough of it that I could feasibly brute force the rest.

From the article: "Rawls, the government argues, (PDF) "repeatedly asserts that the All Writs Act order requires him to divulge his passcodes, but he is incorrect: the order requires no testimony from [Rawls], and he may keep his passcodes to himself. Instead, the order requires only that [Rawls] produce his computer and hard drives in an unencrypted state.""

That does not change the parent's point – he is in contempt for refusing to comply, not for being unable to comply. Contempt must be willful: https://www.justice.gov/usam/criminal-resource-manual-753-el...

Yes, and the people who are holding him in a cage are the people deciding whether he is unable or unwilling. Not exactly any consolation.

Yes, the state ultimately decides whether someone's behavior justifies their detainment or not. Is this really news to you? Should they just let him go because he said "Shoot, turns out I don't remember!" How would any criminal justice occur if we let people off with flimsy excuses like that?

Most of the time, absolute certainty that someone is guilty is not possible; that's why the criminal standard is "beyond a reasonable doubt", not "proven to the point of mathematical certainty".

In this case, the simple fact is that the court does not believe Rawls's assertion that he is unable to comply, so he remains detained on contempt. This will change once the court is convinced that Rawls is indeed no longer able to comply.

Beyond a reasonable doubt does not mean "hurr guilty cause i tink u lying cause i don like ur face". Observers cannot be relied on to make correct judgements and the observers of the observers cannot be relied on to assess if they made a correct judgement. Indefinite imprisonment via unconstitutional contempt of court laws is the real issue here and not encryption.

> should they just let him go because he said "Shoot, turns out I don't remember!"

No, I don't think any private individual should be jailed for failing to decrypt data, regardless of whether they are able to, as part of a case wherein they are the accused. This should be a basic fundamental right of the accused, and I think the current working interpretations of the fifth amendment are unjust.

> How would any criminal justice occur if we let people off with flimsy excuses like that?

Justice in my view is the presumption of innocence, with the duty to demonstrate guilt beyond reasonable doubt placed on the prosecution. Forcing accused to decrypt data obviously helps the prosecution, but so would warrantless searches, and I oppose both for precisely the same reason.

>Justice in my view is the presumption of innocence, with the duty to demonstrate guilt beyond reasonable doubt placed on the prosecution. Forcing accused to decrypt data obviously helps the prosecution, but so would warrantless searches, and I oppose both for precisely the same reason.

Warrantless searches are unjust because the police can come in and execute them without oversight. In this case, the neutral overseer (the court) has directed the accused to comply with a request from the investigators.

Warrants are a check against rampant tyranny. They are issued or declined by an independent judicial officer whose incentives are, at least theoretically, not aligned to favor either party.

Warrants don't exist because we think it's unfair to comply with reasonable requests from the organs of the state in the their pursuit of justice, even when you're among the accused. Rather, they exist to make sure that the requests remain reasonable and fair and serve the interests of justice.

Like many things in our government, these are checks to limit and constrain the power of distinct government bodies and ensure that they do not get out of control. It is incorrect to assume that these restrictions exist for the convenience of criminal suspects, because they don't.

Just because one branch of government performs an action rather than another does not change my views of the action. A court cannot compel someone to testify against themselves just because they're the court, right?

No entity exists neutrally; that is fucking niave. Courts can favor accused police and political officials. The laws must then be designed not to act to grant power to an assumed neural party, but set the stage where all parties have equal power within the confines of the legal process. A fair race.

>This should be a basic fundamental right of the accused

Well, it's not, and that's a terribly naive viewpoint. This is akin to a legal search. Are you also against those? How is this any different than compelling a suspect to e.g. open a safe in their home?

It's very much unlike a legal search. Legal searches require no participation on the part of the accused. I do also oppose compelling an accused person to open a safe, but I have no problem with the authorities breaking into a safe with a warrant. Likewise I have no problem with the authorities confiscating a hard drive and performing any transformations to the data they please

Ah, yes... the legal equivalent of "I'm not touching youuuuu...."

That's like being forced to translate your own notebook written in code.

Not my problem, get your own codebreakers to do it.

It's different because you can't verify the authenticity of the custom hand-rolled cipher. This is a request for the accused to produce the keys only, not to do the work of manually decoding.

In a way still testimonial. I must provide secrets that reveal information about myself.

It is literally the same as ordering me to tell them how to make sense of the unreadable data.

I'm not giving them a plaintext copy of something already existing elsewhere (assuming no unencrypted backups), but producing new information for them.

And unless you used FDE with full authentication (AEAD), which almost nobody does, there's nothing that says that this particular ciphertext represents the exact plaintext I've had at any given point in time.

With XTS mode (Truecrypt) you can cut and paste together different blocks from different ciphertexts under the same key for as long as they're in the right positions. Depending on how much you know about the computer and if you've got access to multiple backups, you can splice together something that even if it doesn't contain anything illegal, it would look suspicious and incriminating.

Consider for example LE getting your full file version history of a container from Dropbox.

And revealing the keys is a kind of testimony that you have had read/write access to the drive, and that it indeed is encrypted (not just random).

No, you're exactly wrong. The demand on Rawls is that he do whatever work is necessary to produce the drives in an unencrypted state. If he hid a printout of the password on Mount Everest, that means he is compelled by the court to climb Mount Everest.

I'm speaking in practical terms here. I haven't read the actual order, but I understand the language of the order may technically require him to do the work necessary to render his drives in a decrypted state. That's because they expect the only requirement to be entering the key.

If he had a password hidden on Mt. Everest and demonstrated that to the court's satisfaction, and then cooperated with the court's order to reasonably assist in decryption (e.g., allowing the court access to the sherpa that routinely retrieves this key and enters it to decrypt his disks via some remote mechanism), I assume he would be considered compliant.

And that is the fucking problem. It's a principled issue and you admit that it is. What your arguing about is how much is enough to violate the principle. Since people can only agree on principles, you shouldn't kill, then the law needs to fucking operate on principle alone.

This explanation (and the other forms in which it's presented in this thread) is really troubling to me. It sounds like in order to offer a defense of the inability to comply with the order, the accused has to provide evidence which could be used against him in the trial. In your example, the existence of the password on Mt Everest could be used against him, and was evidence the prosecution probably could not have discovered but for his compelled testimony. It's even more troubling in the case of the Sherpa: revealing the identity of an accomplice (as it were) is surely self-incriminating!

But if this were really how he obtains the password (and similar schemes of off-site passwords and accomplices aren't so outlandish in the case of servers which might require the keys on reboot a few times per year), how could he possibly defend himself from the contempt charge? It sickens me to imagine being in the same situation. If this isn't an instance of the cruel trilemma, I don't know what is =(

Isn't the grandparent quote stating the opposite of what you've said here?

Technically, maybe. The court's language is meant to clarify that the accused does not have to disclose his key, he need only unlock his disks. There is no reasonable expectation that this would require a significant effort or testimony on his part.

His case hinges on whether he can prove that the work necessary to decrypt the disks, which is understood to mean entering the keys which he remembers, is testimonial self-incrimination and thus illegal under the Fifth Amendment.

Believe it or not, most judges are aware of smartasses and are not required to accept "Well, I don't remember, and you can't prove that I do, so ha! You have to let me go now!" The evidence surely indicates that this man used his computer regularly, which necessarily required unlocking his disks, and that means that by all rational conclusions he is, or at least was, capable of complying with the order.

Until the court is fully convinced that he is no longer capable of complying, or until the order is dropped, modified, or stayed, Rawls will remain detained for his failure to comply.

> There is no reasonable expectation that this would require a significant effort or testimony on his part.

Whether or not this is true is precisely the crux of the matter. Your comment echoes the government's position: Decrypting the hard disk is not equivalent to testimony, and is therefore not protected by the fifth.

The defence and EFF's amicus brief argue instead that we live in a world where our phones and computers are effectively an extension of ourselves, and asking to decrypt those is equivalent to forcing you to testify on your most intimate secrets, which is most certainly not kosher.

> The evidence surely indicates that this man used his computer regularly, which necessarily required unlocking his disks, and that means that by all rational conclusions he is, or at least was, capable of complying with the order.

Well that is understandable but what if he burned the passwords just before he got arrested, heck he might even chewed them up and those are long gone. How would they find out? If he is a such dangerous child molester should they go full Sam L.Jackson Unthinkable style on him?

How far can court orders go? Let's say he was a crooked accountant and the police couldn't understand his spreadsheet. Is he obligated to show him what he was doing?

To me this is what the disk encryption is like. The cops can't understand how to read the disk. Is he obligated to help them? What if the pictures in there are encoded using a weird format? Should he be forced to produce a program to read them?

How does the Fifth Amendment apply here?

What if the fellow made a sworn statement he doesn't remember his credentials? It happens to me on a regular basis.

IIRC, the I don't recall defense has worked wonders for others in the past.

I wonder if he had an encryption scheme that deleted the data in the event of n password failures and also something of legal value like bitcoins on the drive. Perhaps, then he could argue that knowingly attempting to log in using potentially incorrect passwords constitutes undue harm.

Such a scheme could probably be circumvented by making copies of the encrypted file (or the entire disk), or denying the decryptor write access etc.

I co-authored a project that works on Debian that do unattended reboots of encrypted disk drives which allows for scenarios where Alice don't know any part of the key. Every time the machine boots up bob get a request on the network and he can chose to approve or deny. Bob in turn could be in a different country which would make coercion a bit hard.

(Project called Mandos)

I think I remember you giving a talk about this at SmashTheStack in Malmo, Sweden.

I believe I asked then about maybe having support for non-debian systems and eventually something like Windows in the distant future.. What kind of support would you need for it to be worthwhile investing in that?

(Other co-author here.) We did do that, yes.

(I’m not sure what support or investing would mean in this context.) A Windows programmer could probably port the server side program (which holds the passwords) relatively easily, since it is currently implemented as a normal daemon in Python, and could therefore conceivably be ported or re-written to suit any Internet-connected platform, and the network protocol is fully documented. The client program (which receives the password and uses it to de-crypt the disk), on the other hand, is not so simple to implement. But the problem is not the network protocol; that is relatively simple. The hard part is instead running in the limited environment which exists before the password is available. In Debian, this means writing a program to run in the initramfs system where a kernel is available, but no networking is configured, and no standard system services are available. I have no idea what this would mean in a Windows context. I have toyed with the idea that it might be technically possible to re-write the client to run in the EFI environment, but I have not looked into it – it may or may not be feasible; would one have to write one’s own ZeroConf library? How about a TLS library supporting OpenPGP keys (as per RFC 6091)? How would one even provide a password for unlocking the disk to, for instance, VeraCrypt? Would one have to write the whole thing as a kind of module in VeraCrypt, if such a thing is even supported? I haven’t the foggiest notion of any answers to these questions, and I’m not a Windows nor a macOS programmer, and we implemented it on Debian since that is what we used at the time (and still do). Also, I’m gainfully employed full-time, so I’m not really looking for more work. To sum up, I would not personally be very suited for this kind of work due to inexperience on other platforms, nor could I take it on even if I were, due to personal time constraints. However, I would gladly support (by being available on the Mandos development mailing list) anyone doing this kind of work.

Had to reset my password to login to write this.

I love the idea of Mandos, but I've had some trouble setting it up and getting it working in the past :( And there doesn't seem to be much help on the internet; most guides are flimsy with no real information in them

I’m both sorry and surprised about that, since I thought we had documented everything appropriately. The thing to do after installing the mandos-client package, for instance, is to read /usr/share/doc/mandos-client/README.Debian.gz. That file contains the instructions for setting it up, and also the command to verify that it works before rebooting.

>Alice pretends that Bob exists, but actually he does not, but police cannot prove that. What then?

Well it's pretty obvious what happens then. The police claim Alice is lying and hold her in contempt indefinitely. The man from the article claims that he doesn't remember the passwords anymore and can't possibly comply, he's still being held in contempt even though there's nothing concrete to show that he still knows the password.

Not just unethical. Illegal. Indefinite detention without charge is against the law.

What's the current status on §§ 1021-1022 from the 2012 NDAA bill? [1] Did that become law as it was written, and is it still active? It made provisions for the US military to indefinitely detain US citizens without due process. I've found these things difficult to keep track of frankly, with so many egregious laws from just the last ten years.

[1] https://www.aclu.org/news/president-obama-signs-indefinite-d...

Wikipedia indicates that it's still in effect.


This is mainly because nobody has standing to challenge the law. To my knowledge, no US Citizen has yet been detained as an enemy combatant since the law was passed. It will be an interesting court case once that happens.

Obama quietly signed the following in January: https://www.congress.gov/bill/114th-congress/senate-bill/294...

Quietly? is that a necessary or even applicable verb here? It's public record, he was the President of the United States, and it's a major budgetary act for the biggest military in the world and covered by hundreds of news agencies. Are you quite sure he signed it quietly?

Well I can't edit my now-0 comment, but the point is, slipping in words like "quietly" assigns an intent which may not be present. As though Obama were trying to sneak the NDAA past everyone.

It's hard to covertly sign any legislation as the president, notwithstanding secret courts and laws (fisa, patriot act secret interpretations, etc).

Just saying, we don't need to try to make people think a certain way by guiding them with weasel words, people can read facts and make a judgement, without trying to subtly assign some bias in either direction.

Doesn't this boil down to the "I am willing but unable" situation? The man in this case was the "unwilling but able" situation. My question is wouldn't the man be shifted into the former situation if he just claimed to be now willing but to have forgotten his keys.

He did claim he'd forgotten the keys. Maybe he changed his mind on that later, but I haven't seen any statement of the sort.

This is a gambit that is often tried by folks in this situation. There is a famous case where someone was held in contempt for decades that you can read about on Wikipedia. At first he refused to turn over ordered monies, but later he had "lost" the money.

So, I'd say, if you're going to try to go with the "I forgot" defense, you'd better be very sure not to give the court a reason to doubt your honesty (e.g. initially refusing then changing your story).

Agreed. I also think it's hard to make the "I forgot" defense without demonstrating an effort to comply. "I tried to help but can't remember", while still suspect, is more compelling than "I can't remember and I don't feel like trying".

Although that makes me wonder if there's any legal incentive not to attempt to comply if you're not confident you remember. Maybe there's some greater legal vulnerability if the failed attempt is interpreted as deceit and treated more seriously than refusal.

The one bright spot is this leads me to hope they can't decrypt at will via some non-public method.

Or they're just not willing to divulge the methods existence for a kiddy porn case.

Using the same two-key method, attorney–client privilege might be of use, though not sure:


IANAL, but it would fail to meet the basic criteria, as the communication was not for the purpose of securing legal advice and, the prosecution would argue, the communication was made for the purpose of committing a crime.

IANAL, but what if the same keys were also used to encrypt client-attorney communications?

They compel you to release everything, but don't allow the client-attorney communications to be used as evidence.

Alice can also just embed the message into the noise of a JPEG file. A noisy image can be used for plausible deniability.

Or Alice can just claim that the random file is the key to another encrypted file :)

Alice has created a file containing random data. Authorities think it is an encrypted volume and wants Alice to give up the key. Alice has no way to prove it is just a file with random data and is imprisoned indefinitely for essentially having a file with random data =]

Mallory has created a file containing random data and planted it on Alice's drive. Then Mallory phones in an anonymous tip to the police...

Nice, even in times of Stalinistic oppression things weren't as easy...

So typing the simple command

    cat /dev/random > filename 
can actually get you imprisoned. Good to know.

Alice is able to switch the tracks on a trolley hurtling towards the encrypted only copy of the rest of her key towards a track where Clive, the only person who knows the key to that secondary encryption, is tied...

Interesting thought experiment, but ultimately flawed. For this to make any sense, you first need to answer a question: Why are the authorities looking at Alice's computer in the first place?

Also, it's extrapolating a lot from a case that's actually a fair bit less sinister than what you're suggestion. Facts of this particular case here are that:

  1. The guy was a suspect to begin with, and they had
     enough evidence of him doing something wrong (from
     the Usenet side of the operation) that they got a
     warrant to search his computer.
  2. The disks are encrypted with off-the-shelf OS-provided
     full-disk encryption, which is relatively easy to verify,
     rather than some "purely random data that might or might
     not be encrypted".
  3. At no point has he denied having access to the keys (at
     which point it would essentially stop being a 5th amendment
Now, I'm actually of the opinion that he should _not_ have to decrypt those disks, but that's strictly a fifth amendment thing, rather than the more convoluted scenario you're suggesting.

Not sure what the man's crime is here. Does he even remember his keys after sixteen months in the slammer? I don't even remember my Gmail password after 16 days of vacation. Basically, like the article says, it like not opening a safe for an inquisitor: you are damned if you do, you are damned if you don't. Encryption is nothing new people, you are just putting your data in a safe.

We have a tendency to misconstrue, willfully misinterpret, or altogether ignore the law when it comes to prosecuting individuals who we believe to be standing on much lower moral ground. We do so because we want so badly to punish the accused that we are willing to reduce or eliminate greater good that some privacy laws are aiming to provide (i.e. Trumps silly travel ban which is based on his hatred of Muslims built upon imaginary news stories and personal exaggerations of particular recent events -- all laws out the window)

This was pretty much inevitable :(

> Encryption is nothing new people, you are just putting your data in a safe.

Well, you could also be held indefinitely for refusing to provide the combination for a safe. If there were safes that could keep them out indefinitely, anyway.

I suspect that they nailed him using ICAC's Black Ice app. It's a hacked version of the Freenet client that logs peer IPs, and tracks hashes that they handle. So his mistake was assuming that deniability was adequate, and failing to hit Freenet via Tor.

Edit: 2016-05-26 - Police department's tracking efforts based on false statistics: https://freenetproject.org/news.html#20160526-htl18attack

> Well, you could also be held indefinitely for refusing to provide the combination for a safe.

Is there case law supporting that? Traditionally I think the combination would be considered forced testimony.

Sorry, I got confused. In the US, keys can be compelled, but not combinations.[0] But the tide seems to be turning :(

0) https://www.quora.com/Can-a-search-warrant-compel-me-to-unlo...

Thanks for the background, but somebody has to say it: his failure was looking at child pornography.

>his failure was allegedly looking at child pornography


It doesn't matter what they accuse him of, until they prove it, he's innocent.


I don't care what the charge is, if the government can not prove their case without compelling the person to testify / provide evidence against himself the judge needs to throw that case out. This is terrifying that anyone could be jailed for using what anyone would consider their 5th amendment right.

He's innocent in court (and my non-lawyerly (aka worthless) sense says the fifth amendment favors him).

But we're not a court, and our standard for speech shouldn't be "beyond a reasonable doubt". The parent poster was right. His failing was looking at child pornography.

What should our standard be? Being accused equals being guilty?

Tread carefully. The protections you give others are the protections you'll enjoy yourself if needed. And hoping you'll never need them is a very shortsighted strategy.

Well said.

But we're not a court, and our standard for speech shouldn't be "beyond a reasonable doubt". The parent poster was right. His failing was looking at child pornography.

That's what you think until you're falsely accused of such a crime...

For everyone who's poo-poohing this, go read the government's brief (https://arstechnica.com/wp-content/uploads/2017/02/fedsrawls...). There are logs that show him visiting child pornography groups, there are recorded requests of him accessing files whose hashes matched child pornography, his sister says he showed her child porn and told his entire family that he had a problem with child pornography, and he admitted that he may have been emailed child pornography.

Now, replace child pornography with any other thing. Would you question me saying that he'd been downloading that thing?

Says who? Neither of us saw it, so we can't know.

There's a procedure though that we use to determine the likelihood of someone's guilt, based on evidence and legal arguments. Would you like to hear about it?

I think it's legitimate to say, in a discussion like this one where we're not dealing with punishment, that we should hold to a weaker standard (preponderance of evidence?) than should a criminal court.

That said, as far as I'm aware the only evidence we've seen is that he's been accused of the crime. I don't what portion of accusations are false (or even a proxy like conviction rate in comparable situations).

That might seem reasonable at first glance, but it tends to turn into a witch hunt — especially with modern day communication channels.

That is, you are effectively dealing with punishment (by treating a suspect as a criminal and tarnishing their reputation before being convicted) by not applying the same rigour as the courts.

I agree that social condemnation - especially mass condemnation - is a form of punishment, and should be treated with corresponding care. But I reject the attempt to extend that to all related reasoning - it is specifically a question of requiring a high confidence for punishment.

There's a lot more evidence in the government brief, which was linked in the article.

Fair enough.

This is not an activity I want to engage in or even associate with people who do, but a nonviolent private activity is not a reason to violently persecute someone, especially to this degree.

It's not a private activity, it directly supports an industry of violence against children

You can make the same argument for the adult porn industry, and that leads to one of two conclusions:

- That the viewer of adult porn shouldn't be prosecuted for viewing porn.


- That there is a societal / governmental acceptance of the exploitation of men and women, as long as they are adults.

The easy argument out of this hypocrisy is to claim that while children can never consent, adults can, but then that opens the can of worms of whether they're "consenting" under coercion, like under threat of not getting hired again to do work or if they're enslaved, and the answer to that is that it depends on the case.

At this point it turns political, with one side generalizing that most do consent, and another side also generalizing that most do not consent, and reaching an agreement is impossible because there is a half-truth to both sides, and after a lot of heated arguments, people get worn out, and nothing gets resolved.

So instead I'm just going to direct people to read up on the topic of victimology, which is a sub-genre of criminology, specifically how it affects human traffic (which are >90% women, and has a total volume of enslaved people higher than it was when slavery was legal) and get informed and then make up their own mind about it without bothering others.

Or you can make the same argument for the diamond industry. Buying a diamond you are committing a crime against humanity, as you are supporting war, slavery and a whole lot of violent stuff somewhere in Africa.

I'm surprised you haven't been called a pedophile/pedophile supporter yet. Every time I tried to have that argument, it happened (tho not in HN).

And that is the reason you can never have a rational discussion about the subject. No matter how strong the arguments you present, the other side can always say "b... but... but think about the terrorists and the paedophiles!" and if you reply you get called a sympathiser - for having a rational discussion.

Welcome to 2017.

Or 16, 15, 19xx, 18xx. Principled defense of something seen as morally wrong was always fraught with "so, you defend it, so, you must like it. Probably, you even do it, don't you?"

It's one of the first strategies in the book of shutting down your opposition and probably was one of the first things people tried the moment discussions started.

Yet another reason a universal basic income makes sense. Slavery by another name becomes much less likely.

This is a tenuous argument at best, even more so considering the protocol in question is freenet. Sure it's possible to force a commercial model onto any system, but I'd think freenet would be an especially terrible way to monetize. (And "industry" - seriously??)

Furthermore, there is presumably enough existing child pornography out there to satiate any viewer for their entire life. Perhaps increasing access to it is the way to discourage more being made! At any rate, paying for it could still be a crime, as opposed to the insanity of strict liability for bitstring possession.

I've seen articles about people using CGI as bait to fight it.

Supporting or undermining it by unpaid distribution of its disgusting output material? If he was directly supporting it, he would be already convicted based on tracing the payments, I guess.

And if obtaining and distributing the output material of a content industry without payment is supporting the industry, let that be put in writing…

> directly supports an industry of violence against children

Not necessarily, and even so, can it be proven?

If I see proof (undoctored video) of a dog being beheaded (a child being sexually abused) I think I'm safe to conclude that a dog was killed (a child was raped).

If then that video was sold (or distributed in any way) to fetishists of dog beheading I could conclude that there is some kind of commercial (distribution) process going on here.

Note for children: I'm using parenthesis in a way that shouldn't be done.

My point was that the distribution of the material, especially free of charge does not necessarily encourage further abuse, nor does its possession. I do not know, though I admit that I suspect that the abuse would be encouraged because it is being paid for.

Edit: In my opinion, the following offences ought to exist with relation to child pornography and abuse:

(1) Child abuse is an offence as it currently stands, or with revised ages of consent to better reflect philosophical, scientific and psychological evidence (2) The act of recording of abuse with majority or express intention of furnishing the material for charge or otherwise in order finance or encourage continuing abuse is an offence

I think the second part needs some elaboration. I don't think that recording a certain act taking place ought to be illegal, nor I do I think it ought to be illegal to share that material with others. However this presents a dilemma: the abuse may be encouraged by the fact that the material is being sold or even enjoyed. If this encouragement to continue abuse can indeed be proven in a court of law, by some standard deemed appropriate (either the standard 'beyond a reasonable doubt' or the more strict 'balance of probabilities') then the act of making the recording and the act of furnishing the recording, I believe, ought to be an offence.

On the other hand, if the recordings are made merely to provide the enjoyment of others, and not for the purpose of encouraging abuse, I do not think there should be an offence.

At the risk of over-emphasising the point: A child abuser may be encouraged by (i) money (ii) the thought that people are watching the recording (there may be further motivations).

If it can be proven that abuse continued and the abuse was contingent on one or more of these factors, there is sufficient reason to believe that the intent of the recordings aided another crime, which I think may be sufficient to culminate in an offence.

Well, enjo-kōsai is merely controversial in Japan. But bare female skin is illegal in Saudi Arabia.[0] De gustibus non est disputandum. What's key is mindfulness.

0) http://livinginsaudiarabia.org/73/pornography-in-saudi-arabi...

But without 100% proof he can't be jailed. The prosecutors don't have enough evidence to prove it, so how can he be jailed for it already?

"Innocent until proven guilty" is the foundation of our legal system

There are other precedents I think.

Here (Sydney Australia) the penalty for refusing a roadside alcohol test is the same as the top range blood alcohol penalty. So you can refuse a test, and they'll penalise you assuming the worst-case result you could have produced.

I'm guessing this guy is in a quite perplexing quandary - he's betting on whether they'll keep him in jail for as long for refusing to decrypt the drives as they would for the crimes that decrypting the drives expose?

(At least I _hope_ that's his quandary - I sincerely hope the reality isn't that he's genuinely forgotten the passwords, and when the FBI/NSA _finally_ bruteforce it, they end up with baby photos, teenaged angst poetry, and a few bittorrented Hollywood movies... That does, at least, seem quite unlikely...)

If he was using Freenet, there's no doubt that his node handled chunks of CP files, and that at least some of those chunks remain on the drive. Let's say that he never viewed any CP. Even then, can he be sure that investigators won't discover evidence that could be spun to demonstrate that he did view CP?

It is quite a quandary :(

If you didn't request it, your node won't hold decryption keys to the files.

Might not help him if they believe that the encrypted keyless fragments is enough (which would be a horrible legal argument).

That's true, of course.

But LEA are selecting nodes based on the hashes of those fragments. Many of them won't have cached CP fragments, but merely relayed them. But if his node did, prosecutors could argue that they've identified CP on his computer based on hashes, and have experts testify about reliability, etc. How many jurors would understand Freenet design?

He's not jailed for having CP. He's jailed for contempt.

How can they prove he is in contempt of the court? Someone who forgot the password would very well be found in contempt of the court, despite not doing anything wrong. How can you jail someone for being in contempt of the court when there is no proof that he has the password?

In fact, it seems dangerous for the judge to be able to jail anyone without a jury verdict. It seems to bypass legal protections.

> But without 100% proof he can't be jailed.

The standard is not "100% proof". Perhaps you should learn something about the legal system.

The standard for US criminal law is "proof beyond a reasonable doubt". I think "100% proof" is a close enough summary of that phrase... If the proof doesn't 100% convince the jury, then reasonable doubt still exists and prosecution should fail.

Beyond reasonable doubt can admit that doubt does exist, it's just not reasonable to entertain it. 100% proof strongly implies that there is no doubt at all.


I don't think there's a difference. For instance, let's say we have a video of little Timmy shoplifting a candy bar. Clear face shot, maybe the video even has sound and there's a vocal-print match. Pretty slam-dunk case, right? Not much room for reasonable doubt there.

Oh, but you see, little Timmy was actually being telepathically controlled by a diabetic alien about to pass out from hypoglycemia, who had him steal the candy bar. Can you prove this was not the case?

This is what reasonable doubt protects against. There will always be the ability to create a (probably fanciful) scenario in which the defendant is not guilty. An unreasonable scenario, one might even say. Being able to convince the jury beyond reasonable doubt is as close to 100% proof as you are reasonably going to ever get.

> Beyond "the shadow of a doubt" is sometimes used interchangeably with beyond reasonable doubt, but this extends beyond the latter, to the extent that it may be considered an impossible standard. The term "reasonable doubt" is therefore used. [Emphasis mine]

I understood that reference to "Impossible standard" to mean from a jurisprudence perspective.

If you want to insist that "100% proof" and reasonable doubt are the same, that's of course your choice. I think you'll find that people will tend to disagree with you.

Fair enough. I think anything beyond this point dives pretty fast into a philosophical debate on "knowability", which I don't think either of us are actually interested in. Cheers.

Indeed! I'm sure there's a lot of great judicial literature on the topic if you're interested in diving further. My armchair is pretty comfy though, and I think I'm likely to doze off before getting too deep into it. :)

That seems like a silly distinction. It's easy to come up with "unreasonable doubt" for any argument.

"I doubt that, because a fairy whispered something to me in my sleep."

I've expressed my layman's understanding of reasonable doubt. How does your understanding differ?

> I think "100% proof" is a close enough summary of that phrase...

Not even close.

Do you have any refutation to the logic in the rest of my post? Or is "nope neener neener" the only thing I get?

That's just semantics. He's jailed without a conviction at this point.

Maybe. But we don't know whether he looked at CP or not.

And lets face it, the NSA claim - and win in court with this claim - that "collecting and storing" personal communications doesn't count as surveillance, until a human queries the database and reads from the collected interceptions.

While a personal hard drive full of child porn is unlikely to be "innocently" explained away quite that easily, I wonder if owners of, say, usenet binary hosting newsservers ever need to claim that defence?

Bogus defense IMHO. Acquiring the ability to query a database is enough to constitute surveillance. I wonder if my land lord could use the same logic to legally record me in the shower.

We have to understand that, much like it's a military's responsibility (and desire) to go to war, it is the goal of spy agencies to gather all the intelligence it possible can. In both cases it is up to law making bodies comprised of "the people" to check these agencies' ambitions.

I completely agree with you. It baffles me that anybody can stand up in front of their peers and claim "bulk collection" doesn't violate your privacy until/unless some human ever reads the data you've collected, and it's beyond parody that a judge in a court agreed with this example of mental gymnastics...

>until a human queries the database and reads from the collected interceptions.

Didn't it go further than this? Just searching the data for some signal wasn't a "search" because a machine did it, it was only a "search" if you were a match and if you were a match then they had "probable cause" for the search.

Not entirely sure how accurate that is but FWIW it seemed like that was the accepted reading of the twisted reasoning on HN back when that came out.

It's actually pretty clear that he did if you look at pages 3–10 of the government brief. The government just doesn't know exactly what's on the encrypted external hard drives, but they suspect it's a lot more child pornography, which could bolster the case against him: https://arstechnica.com/wp-content/uploads/2017/02/fedsrawls...

His crime is disobeying a court order, which is a crime that you can go to jail for. Just like if you had the key to a safe, and the court orders you to open the safe, you would go to jail if you refuse to do so. If he forgot the keys he could have told the court that and the court would evaluate his credibility.

*edited changed from key to combination because combination locks are protected by the 5th amendment and keys are not.

The courts can compel you to turn over something that you have. Something that you know is protected by the fifth amendment, in particular for combination locks.



JUSTICE STEVENS, dissenting.

A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will. But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed.


...you just pasted the text from the ONE dissenting judge; the other EIGHT disagreed and ruled in the opposite.


Per my other reply, the case he was dissenting about was not about being compelled to provide the combination for a lock. The dissent simply contained a supreme court judge's opinion regarding combination locks. If you can find actual caselaw for combination locks, I'll take it. Otherwise, I'll take the supreme court justice's opinion.

The other eight unanimously agreed with him, they disagreed that the particular case was analogous to a combination, the other justices were of the opinion that it was really a "key".

great, now look up what "dissent" means. Dissent is legal mumbo jumbo for "stuff that ain't law."

When you have a panel of judges, we go with the decision of the majority of judges. The decision of the minority of the judges is still published under the heading "dissent." It isn't the ruling and it doesn't affect the law, but it's published just to note that they disagreed and their reasons.

There are some 5th amendment encryption cases where there is a question about whether the government has shown that there is a reasonable certainty that the files contain the evidence being sought. In those cases the 5th amendment would act to protect the info. That doesn't seem to be the case here and in that case, it seems like clear law that he would have to give up the data.

I am well aware of what "dissent" means. Fortunately, this is a supreme court justice talking about a case that was not about a combination lock. Unless you can show something that says that you can be compelled to open a combination lock (I couldn't), I'll take the supreme court justice's word for it.

You're right, combination locks are protected by 5th amendment as Testimonial evidence. I was wrong in my original post, however this doesn't apply to computer encryptions which the court seems to treat more like keys to a safe which are not protected, I'll correct my post accordingly thanks.

So if I put a dial interface on my computer I can't be compelled to give up my "combination"?

You're combination is protected under the fifth, but you can be compelled to unlock your computer using that combination, which is exactly what the judge is ordering in this particular case.

And don't complain too me that it's essentially the same thing; this is the judge's reasoning, not mine.

> His crime is disobeying a court order, which is a crime that you can go to jail for.

Sure, but isn't the question whether he should go to jail indefinitely? If defying a court order is a crime, then perhaps it should have a well defined jail term.

It does, the term is "until you comply".

That's not what well-defined means. You might as well say we should jail people until their victims feel better.

Furthermore, there's no evidence demonstrating he actually can comply.

What about the 5th amendment? I think we can agree without too much of a stretch that our storage data is just an extension of our mind (verily, suppose someone had illegal data stored on their drive and an idedic memory? Destroying the data on the hard drive wouldn't destroy the data in their mind), and thus just as protected by our right not to testify against ourself?

His crime is disobeying a court order, which is a crime that you can go to jail for.

That's not his crime, or as the subtitle below the story's headline states: "He's not charged with a crime." He's held in custody, not serving a sentence for a crime of which he has been convicted. He has never been convicted of any crime by any jury. That's a huge difference, both legally and morally.

Some are arguing that the court has no right to order him to do so. 5th amendment and some case rulings are mentioned.

> Encryption is nothing new people, you are just putting your data in a safe.

I know this is an old argument, but what if I put the contents in a paper shredder, in the safe? It's still the data, it's just that it went through the shredder. Why is ok for the government to compel you to change the state of the data from encrypted to unencrypted? They couldn't compel Apple write software to decrypt a phone. Why can they compel me to write an encryption key to decrypt data.

Discloser all of my data is encrypted, and if the government asked I would really be torn about giving them keys.

Or, what if you had a paper in a safe that was written in an invented language? They may be able to compel you to open the safe (i.e., provide a BIOS password), but can they compel you to teach them how to read that invented language?

That's actually a much better example. Seriously, can they? It seems ridiculous, but then compelling you to decrypt anything is obviously ridiculous as well. Maybe you are reading and writing this data as is, who is to say?

I guess, the real reason why this question stands is that nobody gives a fuck about logic and solid law, someone (obviously) just wants it to be a crime and it is easy to sway public opinion in a way that allows for it to account as one. Which, again, reminds us that the current state of the law is that it is rotten by default.

>They couldn't compel Apple write software to decrypt a phone.

no, they didn't compel apple

FBI tried but didn't get their will through

> Not sure what the man's crime is here.

He didn't commit a crime. He is being held in jail for contempt of court. This is how the system works. This is no different than if a judge demanded that you turn over any other form of evidence - it should not be so shocking that you can be held in contempt for refusing to obey a court order.

It is bad, however, that he is being let to rot indefinitely. That is the problem here - not that he was jailed for contempt in the first place.

I would dare say that the really bad part is that there's no way to know for sure if he can even comply with that order. As I understand, he claims that he has forgotten the password. Obviously, it's a convenient excuse, but it's not something utterly improbable. What if he actually did forget the password? Why is the word of the judge alone sufficient to assume otherwise? There seems to be an obvious lack of checks here.

> Why is the word of the judge alone sufficient to assume otherwise? There seems to be an obvious lack of checks here.

Because the judge's finding is based on evidence – see my other comment[1]. The judicial power to make findings of fact is checked by the appeal process, which is now underway.

[1] https://news.ycombinator.com/item?id=13633968

> He didn't commit a crime. He is being held in jail for contempt of court.

The problem is that contempt isn't classified as a crime and so it doesn't have a fixed term. There are moral hazards with having fixed terms like this, but the moral hazards of not having them, like this case, seem worse.

The difference is that the authorities can crack open a safe without the suspect cooperating. But it's virtually impossible to decrypt something without the receiving the key.

Unless it's something akin to a Da Vinci cryptex that destroys the contents when forced open. Just scaled up to modern day encryption levels.

I thought the U.S had better key disclosure law[1] than other countries? Personally I would rather not self-incriminate myself by revealing a key, no matter how draconian and lengthy the sentencing was. Why, you ask? Well I consider all my own personal data likened to an extension of my own mind, and revealing a key is like slicing a thin part of my brain and attempting to pick its contents. Never a gentlemanly thing to do in any circumstance.

In terms of being stopped and searched when traveling, I just carry a TailsOS bootable live USB. My laptop doesn't have a hard-drive and boots entirely from my TailsOS USB stick. I did not enable any persistent storage and any bookmarks I need to remember, I simply remember them by rote, like in that movie The Book of Eli[2]. My threat model is such that I don't want anybody knowing my business when traveling. The intrusiveness should only go so far as one question, like "Business or Pleasure?" and that's all.

[1] https://en.wikipedia.org/wiki/Key_disclosure_law#United_Stat...

[2] https://en.wikipedia.org/wiki/The_Book_of_Eli

If you need to cross a border, you will find that the border agents think they have the right to compel you to boot your laptop, including entering any secret or attaching any device required to do so. I doubt that they could ultimately stop you returning to your own country if you held out, but they could stop you leaving, and they could certainly make your life pretty miserable.

In my opinion you'd be much better with a laptop that booted to windows and looked like it had some simple things installed under a password you don't mind giving them. Then they'll probably never get around to asking you about the usb stick your tailsOS is installed on.

You can now get extremely large usb sticks in very small form factors. I have been toying with the idea of creating something that looks exactly (and nonsuspiciously) like a usb 'charging cable' but with built in memory. Ideally if it's plugged into power or a laptop, it just appears as a normal usb cable, but if the microusb end is not plugged in, it shows as a large memory stick you could also boot from.

There's nothing about TailsOS that could arouse suspicion if there's nothing persistent on it that could arouse suspicion, or draw more attention to you. TailsOS is strictly a utility like a wrench or a screwdriver. Providing you exit TailsOS properly and watch the screen as it's wiping the memory to ensure it has infact wiped. TailsOS can prove to be an innocuous O.S after you unload it from memory. They might ask questions, but they have nothing on you.

Bringing a Windows OS is stupid as Windows doesn't clean up properly after shutting down and leaves a forensic footprint which is difficult to cleanup unless you use something like Bleachbit[1] or CCleaner after using Windows. You typically want to offload cleaning up to the O.S level and avoid using such tools such as CCLeaner in the first place (Keep in mind, since this is Windows, there are issues with free space on the drive that leave deleted files remaining on the hard-disk, even after explicitly stating they should be deleted).

With TailsOS, In other words, you can browse freely and with peace of mind that you won't leave a forensic footprint behind, giving you an upper-hand over other passengers who have to self-censor their browsing for fear of scrutiny at a later date from border officers.

[1] https://www.bleachbit.org

[2] https://www.piriform.com/CCLEANER

That isn't an issue with Windows but with all file systems. When you delete a file it does not remove the data it marks the area it resides as "free" allowing anything to be saved there.

Even tails if not immune to this unless you use some secure wipe tool. Even they flash drives have wear level management that loves data around to make the wear on each chip equal so you can't be sure its even gone.

Windows doesn't wipe the memory properly though, and the default browser (MS Edge for Win10, and plain old IE for older versions), are awful default browsers, forensically speaking.

I'll leave this link here for those who use Tails and need to wipe files and other data, either there and then, or after the fact of deletion (clearing files from free space):


Wow this is an innocent perspective. TailsOS would definitely raise suspicion even if you otherwise seemed as pure as the driven snow. Suspicion will prompt a deeper investigation, which is what you don't want.

> Bringing a Windows OS is stupid as Windows doesn't clean up properly after shutting down

I think you misunderstand my suggestion. You have a windows install that you don't actually use for anything. This is because a windows install is a normal thing for someone to have. You can keep your usb booted, forensic OS but make sure you're running it on something that they've seen a million times before, not some sort of l33t uber laptop without a harddrive.

The point is to look normal.

Or just make GRUB invisibly boot to a default Windows install unless a key is pressed. They'll never see the other OS. A Tails install on a USB stick might raise questions if they bother to look at it.

Very interesting. You don't have any need for persistent storage that exceeds the amount of information that can be remembered? (E.g. work artifacts, photos, passwords)

I don't want to assume on spaceboy's behalf, but I think all you need is to remember a master password to some sort of (online) password manager. From there you could use cloud services (eg. Dropbox) to access such documents.

Securing cloud hosted documents is obviously another discussion.

I have tried deterministic password managers, but as with most solutions they have flaws and tradeoffs[1] to consider.

[1] https://tonyarcieri.com/4-fatal-flaws-in-deterministic-passw...

[2] Also related: https://news.ycombinator.com/item?id=13016132

Remote storage is an option.

From what I understand our legal system was designed to fail "open". Or rather that we are willing to let a guilty person go free rather than an innocent person go to jail.

I know everyone wants to have a perfect justice system but we have to ALSO decide which direction we would like it to fail until that time comes (never). In essence cases like this are more about this question. When the system fails, which direction do we want it to fail in?

As a starting point, see the Wikipedia article on Blackstone's formulation [1]: "It is better that ten guilty persons escape than that one innocent suffer". It refers to an interesting article, "n Guilty Men" [2].

[1]: https://en.wikipedia.org/wiki/Blackstone%27s_formulation

[2]: http://www2.law.ucla.edu/volokh/guilty.htm

Thanks, these are interesting reads.

I've always been confused by this proposition; If there is an innocent person convicted of a crime, then there also has to be a guilty person that has gone free.. so it seems the ultimatum has to be

"are we are willing to let a guilty person go free rather than let a guilty person go free and an innocent person go to jail."

Which has a much more obvious answer..

That's assuming a hypothetical crime actually happened in the first place. In many cases it's possible that no crime ever happened. (For example, if the man in the article never actually had child porn that doesn't mean someone else did.)

Yes you are right, this is the exception.

Although, thinking about it from the point of view of someone being Convicted of a crime that never happened is fair enough, But when someone is not convicted of a crime that never happened we are not 'letting a guilty person go free' so both options in the ultimatum are broken with this.

Let's say you have 200,000 suspected criminals, some % of which are criminals. How many of them are you willing to put in prison? If it's looking that most likely around 30% are guilty, do you put 60,000 in prison and say "oh well, some false negatives, some false positives, whatever"

or do you just put 30,000 in prison to prevent most innocent persons from going to jail? Then you are letting half of the guilty people go free

It's a question of how many innocent people you are willing to jail to catch more real criminals

Or to give it an engineering flavor, the ROC: https://en.wikipedia.org/wiki/Receiver_operating_characteris...

It seems we accept a higher FAR (False Alarm Rate, a diagnostic which gives a false positive) for certain communities (poor people, minorities) than others.

The consequence matters too: even people who support the retributive aspect of the death penalty may reject it in practice because of the excessive false conviction rate.

I see what you are getting at, but it would still be;

60,000 = "oh well, some false negatives, some false negatives AND false positives, whatever"

30,000 = "oh well, some false negatives"

Although i get the feeling we are moving into semantics, its just always bothered me the way this was worded. Anyway thanks for that perspective, made me think.

You have an interesting point. I think the struggle that I see as a layperson, is that the system fails hard when it fails.

Let me ask a question, is jail the appropriate sentence for a contempt of court charge? This is not the first time, reporters have been jailed for many months bc of contempt of court charges. Is this the appropriate sentence for the crime of not complying with a court order?

I don't know what the alternative would be... also, on the question of guilt vs. innocence. I can see myself agreeing with you that since the state has such a high burden of proof to meet, that the defense has a an implicit advantage, the issue is that the statistics are showing a far greater issue of a imbalance of justice being applied at different levels of society. There is no good reason that I can see where an innocent poor person goes to jail because of a bad defense, vs a guilty rich person who gets off because of a great defense.

Justice is supposed to be blind.

Well I would consider myself a layperson and welcome anyone with actual experience to help educate me on the subject matter. I'm saying this because I'm just offering my own opinions.

In reference to your question I'll pose another question: "Should this be counted as being in contempt of court?"

As to the innocent people going to jail because of bad defense, I think this is why we need to fail in the direction of the innocent. I'd personally rather guilty men go free than innocent men be imprisoned. I think if we're going to figure out the limitations of the 5th Amendment in the digital age we need to decide which direction the system is going to fail. I think many on HN will agree with me, but I'd be interested to know what the country as a whole believes (if anyone has that info).

That was before the for profit prison industry became a cancer that incentivized keeping non-violent people in prison.

I think that's most of it, but I also think there's been some weird shift in the way police and prosecutors behave over the last decade. Much has been written how we now effectively have debtor's prisons. People are fined and imprisoned because they can't pay the fines.

The crazy part for me is that this has all happened while the crime rate has been steadily going down, so there's not even a justification for it (from a crime standpoint).

Professor Orin Kerr has wrote about this exact case extensively, and provides a good insight into all legal aspects. I think it is well worth a read, especially the part about the 'forgone conclusion'.


Right. Well that changes things. There is some evidence of the contents. I wonder if there are hash values for those 20,000 CEM files and if they are still on freenet. If so LE could aquire, via the hashes, from the network, and prove, without opening the drives, what the contents are. At least it becomes a strong circumstantial case. If you were relying on a single file you could claim the odds of hash collision etc, but after a few hundred I think you are well past that. There is a pattern of behaviour here.

*edit - aquire not require..

> If so LE could aquire, via the hashes, from the network, and prove, without opening the drives, what the contents are.

Except those files may have been deleted already. You can't prove that you will find anything incriminating on that drive.

Speaking from experience of 1 month vacation I'm not sure I'd be able to decrypt after 16 months of not touching a keyboard.

My most important passwords (passphrases for gpg used by password managers and luks) are in my head and muscle memory.

When I update passwords I tend to have them written down until I've typed them enough times.

So after a months vacation I often struggle to remember my work password for example. While using phrases makes all this easier these days, 16 months is a long time to presumably spend without your keyboard.

If he were being forced to divulge the physical coordinates of a hidden thumb drive, it's highly likely he'd get Fifth Amendment protection.

But being forced to divulge the virtual coordinates of his hidden data is somehow different...

I like that metaphor. Encrypting data isn't so much like locking it in a safe as it is hiding it somewhere in the key space. The safe metaphor breaks down because you can drill a hole in the safe to see if there is anything inside. But you can't prove that some encrypted data exists any more than you can prove that a particular item is sitting around somewhere on Earth.

Seems to me the 5th should protect him. Question is, is that a good thing?

Should law enforcement have a right to search through court orders? In a world of unbreakable locks it seems very hard to get justice unless the law can do proper searches. If we end up in a world of unbreakable encryption everywhere, seems to me, criminal activity will have huge benefits. If we can't control crime, we can't have a just society. We can't protect a individuals rights if they are undermined by criminals. Of course, it's also hard if the state has too much power to protect and individuals rights. But somewhere we need pragmatic compromises.

If the only trace a criminal activity leaves is on a single encrypted drive, is it important if it gets prosecuted or not?

The police does parallel construction to avoid admitting access to illegally collected evidence, civil forfeiture to punish people for things police doesn't like without having to prove anything, etc — incentives for police to step over the rules are a larger problem than unbreakable encryption right now.

This is probably a lot less black and white then it might seem at first. If there is sufficient evidence, one can obtain a search warrant and this forces you to possibly act against your own best interest by allowing the police to search your home. On the other hand you can usually not be forced to testify against yourself.

So this becomes the question where decrypting a hard drive lies on this spectrum. Is it more like testifying against yourself or is it more like allowing the police to search your home? Assuming one agrees with the way testifying against yourself and searching your home is currently handled by the law.

> one can obtain a search warrant and this forces you to possibly act against your own best interest by allowing the police to search your home.

In Germany you never have to actively help the police even if they come with a warrant. They can't even compel you to open the door of the house or a physical safe. They will of course come in anyway and send you the bill for the locksmith, but it's your perfect right to just sit there and do nothing.

So with the hard disk encryption it's actually exactly the same: You don't have to help in any way, but of course the police can still take the drive and try to decrypt it. If they can't decrypt, well, bad luck. Not your problem, you don't have to help.

You made me realize that I was probably wrong here, i.e. you do not have to allow the the police to enter your home acting against your own best interest, and as far as I can tell this also applies to the USA.

This raises the question if there is any other situation where you have to act against your own best interest, otherwise my initial argument falls apart and it seems unreasonable to try to force someone to decrypt his hard drive.

Another question is, how far can I push the search warrant scenario? Am I allowed to use force against the police to prevent them from entering in the same way I may use force against burglars? Am I allowed to shoot at the police? Not that it would buy you much, it is pretty unlikely that you can hide at home forever, but from a purely theoretical standpoint?

I'd guess no one can fault you for assuming it's a home invasion in case the LE fail to identify themselves.

The downside is that you'll probably end up dead, since the police (in the US especially) have a record of killing even people who don't shoot at them.

Pretty sure that you don't have to help them but you can't stop them. So it will all depend on which side of the fence you land.

Whether not giving up keys is jot helping or is it stopping them.

A search warrant does not really require the target to 'allow' the police to search; the target could choose not to cooperate and police would break into the home, for example. As far as I can see, it is lawful to the target to do this. Similarly, in Rawls's case, the government is free to attempt to bruteforce the passphrase without Rawls's cooperation.

The comments here made me realize that I was probably wrong about the required cooperation in case the police shows up with a search warrant.

Obviously the former. The home search is analoguous with handing the hard drive to the police (they're free to search it). Giving the key is analogous to voluntarily digging up a secret stash in your back yard. And I disagree with it not being black and white, if you didn't already notice that. Rights are rights.

As I just wrote in other replies, I was probably wrong with regard to search warrants. Therefore my argument that sometimes you already have to act against your best interests falls apart unless someone can point at a better example than a search warrant.

Rights are rights.

But we make up those rights. If there is a right to not to incriminate oneself that applies in all circumstances, then I am of course with you, you should not be forced to decrypt the hard drive.

My point was that I am not sure if such a right applying in all circumstances exists and I thought the search warrant scenario proved that to not be the case but that turned out to be wrong.

I really hate to be writing this but it seems like the only solution...

Doesn't this whole situation and the threat thereof go away for 99.9% of the population if we decriminalize possession / "viewing" of child pornography? [Note: you could still be severely prosecuted for making it]

There doesn't appear to be anything else in the digital realm that can get you in such legal trouble. The only other thing I could think of is national defense espionage, or rogue WMD plans. And on these counts, 99.9% of people are going to be very difficult to put a plausible frame job for these crimes. Sure the 0.1% with security clearance could be framed here, but as far as I understand, that's a personal decision and risk each person go to make for themselves.

If you deny the prosecution the ability to use reasonable suspicion of CP to search, or compel a decryption of your digital files, it's going to be a long time before another case like this.

No, plenty of other stuff is illegal; just off the top of my head: Possession of copy-righted material Possession of hacking tools Evidence of hacking Data from corporate espionage Accounting fraud Fraud (e.g. fake credit info) Evidence of other crimes (e.g. account books of drug deals) Plans to commit other crimes

The list goes on. It just so happens the FBI is obsessed with CP, but if you decriminalize that, we'll have the same problems with other crimes.

This is a helpful brainstorm. But let me explain why I think these are far less worrisome.

Take corporate espionage: sure proprietary files from my employer could end up on hard-drive. But that would mean the FBI is willing to in addition to frame me, pay someone to go in and steal from my company. That's the type of thing that get's someone's boss's boss canned.

Do you see how high the conspiracy is going here? And do you know how messy this type of action gets when you need all these different nefarious actors executing FrontPageHeadline news if caught.

As far as the Drugs.xls, or the MobsterAccountPayable.xls, there already exists much legal room to disqualify a one-off document, without some kind of physical evidence - e.g. a guy wearing a wire says "Hears the money to pay Tony the Muscle" and you say "cool" or the guy who runs a storage facility says thats the guy who came in two months ago and rented that locker where the drugs were found. That's why the police are so obsessed with getting these type non-digital evidence: because a conviction on pure digital grounds is almost impossible with a halfway decent lawyer.

The thing about CP it doesn't have to be congruent with any other aspect of your life or be verified by anything physical or any witness. Even the motive/rationale is he had disturbing sexual impulses deep in his heart and its common sense that he wouldn't revel these to anyone so let's just assume he does.

I'm curious why he doesn't just claim that he forgot the key. There's no way to prove conclusively that he's lying, and a judge cannot jail someone for disobeying a court order that they have no way of obeying. If he's told them he knows it and just won't give it to them, then this bridge is probably burned, but it's probably his only shot. Absent a ruling from the Supreme Court on this issue, they can and will hold him until he complies, dies, or has already served the maximum possible sentence for the crimes he is suspected of committing.

Don't doubt that a judge can't or won't hold you indefinitely if they think you are lying. This guy was held for 14 years because the judge was convinced he was hiding assets in a civil case (divorce):


I mention this because there are parallels. In each case the man would say "I don't have the (key|money)" and in each case the judge can effectively sentence them to indefinite jail.

What happens if the drives develop bit rot over those 16 months preventing them from ever being decrypted? Based on the wording of what he is in contempt of, it sounds like he would sit in jail until death. To me, it sounds like the prosecution is trying to play a word game to get around 5th amendment protections.

investigators image drives, they dont work with the originals.

I know that, but read the exact wording they used to define why he is in contempt and what he has to do. That's the important part.

But I'll play along with your pedantic game. First, the wording says to give over his computer and hard drives. What if those hard drives failed? He can't handover the literal hard drives anymore.

Ok, you say it can be any hard drive then. The court will provide replacements and the disk images. If investigators providing those materials is allowed as a means to allow Rawls to complete said task, that means Rawls is allowed access to materials the court (or prosecution or him or some other entity) deems necessary. Not a big deal, right? Wrong. Going down that rabbit hole can lead to a slippery slope where courts can abuse the power of the wording to indefinitely contain anyone given that they assign them a task that "can" be completed with the given materials. However, the feasibility of the task may or may not be reasonable.

It's the twisting of the law through evasive language that is the problem here. They are deliberately avoiding the 5th Amendment by deploying language that skirts the letter of the law and ignores the intention/spirit of it.

As expected on HN I am not surprised to see people defending one's right to privacy and encryption. However, what's the solution then ? If all the "bad guys" who distribute illegal material do so encrypted volumes and refuse to give up the decryption key then what do we do ? It's a different world now; the police can't just take a drill out and open the safe.

They can hack his computer before nabbing him, grab tons of his data from connected providers, get a warrant to sneak in and plant one of several type of bugs that would allow them to aquire his pass phrase. Burst in while the machine is on and aquire the unlocked data or get the key from ram.

Failing that they can convict him based on other evidence or at least convince him that they can and cut a deal for access.

In the vital cases which are normally cited as examples of why we must allow cops to violate our right options abound.

What's left is petty crap and police incompetence which serve as poor justification for giving up our rights.

>As expected on HN I am not surprised to see people defending one's right to privacy and encryption. However, what's the solution then ? If all the "bad guys" who distribute illegal material do so encrypted volumes and refuse to give up the decryption key then what do we do ?

Why do we care for people distributing "illegal material" in the first place?

And how come this "illegal material" doesn't ever get decrypted? Catch them then.

> Why do we care for people distributing "illegal material" in the first place?

Is "distributing child pornography should not be a crime" really the hill you want to die on?

Omg people watching illegal porn is so bad that we should give up our privacy.

One day, some one is going to pass a law or do something that you don't like because the government will have unprecedented access and control of information flow. They can stop you seeing or even sharing. And it may be happening already but nobody knows.

I should not like to think anyone mistook me to be arguing in favor of restrictions on cryptography in general, because someone might use it in the commission or furtherance of a crime.

But responding to a case where cryptography is (maybe) used to conceal evidence of possession and/or distribution of child pornography, with, and I paraphrase, "why do we care about this kind of nonsense?", does not advance the cause of encouraging moderate legislation and jurisprudence on this subject.

At the very best, it makes one who advances such an argument look like so completely detached a privacy absolutist as to defend even the vilest of crimes in cases where it might overlap with his pet issue in a potentially negative way.

At only slightly less than the very best, it opens anyone who advances such an argument to allegations of wanting the distribution of child pornography to proceed untrammeled by law, and to those allegations being supported by citation of arguments like 'coldtea's, made in threads like this one.

I get that many here are very theoretically minded sorts, and that, being "systems thinkers", are much happier designing the perfect system of laws and judgment on a clean sheet of paper, rather than dealing with anything so messy as the diversity of politics and opinions which has such a significant impact in reality. I used to be such a person myself. It didn't help me understand a damn thing about the world in which we all actually live, and it made me a pointless nuisance rather than an effective agent in convincing people that even such a hot-button issue as child pornography is not an excuse to abandon all nuance.

I don't demand that my interlocutors, here or elsewhere, develop the same understanding, although I think it'd be a brilliant idea if they did. But I do ask, at minimum, that when they say ill-thought-out and pointlessly absolutist things which tend to make it harder for me to actually convince actual people that at-rest encryption is not dangerous but compelling those accused of criminal activity to divulge encrypted data is, they not act so surprised when I push back on that.

> At the very best, it makes one who advances such an argument look like so completely detached a privacy absolutist as to defend even the vilest of crimes

Oh come on, now who's being hyperbolic. Possession of child porn is clearly not the vilest of crimes, as child molestation is obviously much, much worse. And don't pretend like those are remotely the same.

I intended that to refer to both child pornography and child sexual abuse, although I appreciate I could've been more clear there.

And in any case, I don't think I strayed very far, if at all, into hyperbole, even taken verbatim. Child pornography may not be the same thing as child molestation, but it's still plenty vile nonetheless.

> Child pornography may not be the same thing as child molestation, but it's still plenty vile nonetheless.

More hyperbole. You really think young cartoon characters conducting sexual acts, which is illegal child porn, is as vile as perfectly legal scat porn? Or is your claim once again hyperbolic because, a) it's not your sexual preference, and b) you assumed, wrongly, that everything classified as child porn is necessarily harmful to children?

Where have I said anything of the sort? For all the accusations of hyperbole you're throwing around, you sure do seem to be more inclined to answer the points I haven't made than to answer those I have.

I'm responding to the literal meaning of your words. No one can divine your intended meaning.

You even said that my interpretation of your literal words was not far from your intent, and doubled-down on your claim that child porn is almost as vile as child molestation. I then pointed out that some cartoons are considered child porn, and contrasted that with legal porn that's also widely considered to be vile, then asked if you stand by your claim that underage cartoon sex is really more vile than this type of legal porn (which doesn't even touch on the issue of why vileness is a meaningful metric of legality, as opposed to something obviously meaningful like harm).

So I can't see how I'm arguing in bad faith.

US federal law [1], per the Department of Justice, disagrees:

> Visual depictions include photographs, videos, digital or computer generated images indistinguishable from an actual minor...

No language exists to include depictions of the sort you describe, which are trivially distinguishable from an actual minor.

Perhaps you argue from the law of a specific US state, but you need in that case to name the state on whose laws you base your argument, and explain why they have a stronger bearing on the matter at hand than the laws of the nation entire.

If you're going to continue to accuse me of engaging in hyperbole, authoritarianism, ignorant pseudoscientific wittering, and whatever else you can think of, that is of course your privilege, and I would never dream of suggesting you demur. But will you please leaven it a bit with actual substance, as in your comment full of rich, meaty counter-citations to my hypothesis around reinforcement, a comment which I look forward to perusing? That was an excellent comment, and I appreciate it! Quite aside from the tantalizing possibility of learning something new and thus improving my understanding of reality, one does eventually grow tired of the same thing over and over; a bit of variety appeals.

[1] https://www.justice.gov/criminal-ceos/citizens-guide-us-fede...

Tell that to the people actually serving time for cartoon child porn:


The, what, half-dozen or so of them, almost all of whom actually did possess, and were charged with crimes revolving around, actual child pornography as well?

I think people can argue all they want about making exceptions to various beliefs in various circumstances but I for one am happy privacy absolutists and people like RMS and the like exist.

Police have more than enough tools to catch people using encryption without the ability to compel people to decrypt data. At the end of the day if you have to try force someone to enter a password or fetch you a key then you already fucked up and should have to admit your failure and try assemble a case with what you were able to get before you fucked it up by not getting the data in-flight or otherwise unencrypted.

No, it's the "abolish BS laws" hill.

How about creating child pornography being a crime? That's what's actually hurtful.

One of the goals of anti-distribution laws is to quell e.g. a local market for foreign exploitation. It's similar to banning the trade of ivory - sure, it's illegal to hunt elephants in most jurisdictions, but it's sadly hard to enforce in some parts of the world. It's even harder to enforce when the promise of wealth inspires the desperate to violence - hence the goal of e.g. "conflict free diamonds" as well. It's taking the laws of supply and demand, and using them to apply an economic answer - reducing demand - to reduce supply.

Ah, so like prohibition ? Cause that worked so well for alcohol and drugs ?

The production of alcohol and many drugs involves a bit less fundamental horror - not that you want a meth lab next door.

Regardless, if you're saying we should focus more on treatment and less on caging people, I can get behind that. If you're saying we should just abolish the law and do nothing on the consumption side - we likely disagree on the harm done or the role of government in society.

> if you're saying we should focus more on treatment and less on caging people, I can get behind that

Same. But just lately it seems like the push is toward normalization, and that complicates the matter considerably.

Pretty sure that already is a crime. But I gather there's a large quantity of the stuff that exists already. Your proposal ignores it - legalizes its distribution, in fact. Why?

Actions such as crimes are traditionally illegal. Information about actions such as crime is traditionally legal. Should we ban all recordings of any crime under moralist or flimsy arguments such as that they encourage others to commit the crimes recorded?

Not only would this expand the scope of "criminal" to include people who have not committed such crimes (and may never do so), but I think it's a futile and petulant exercise, albeit one with benefit to intrusive law enforcement (and I'm echoing feedback provided elsewhere in this thread).

Images and videos of child sexual abuse aren't just "information about [...] crime"; their creation, possession, and distribution are all actions which themselves qualify as criminal under modern American jurisprudence. This is generally justified on the grounds of ongoing harm to the victims, which, while not unreasonable, I think might be a weaker argument than that distribution in particular may make and expand a market even when not done for money, in the same fashion that sharing pirated content tends to be a good way of gaining access to more of the same.

In any case, these are all currently crimes in their own right, so they fall under your first category, rather than your second, so I'm not quite clear what sort of point you're making here.

I think his point is that for pretty much every other crime - from murder to jaywalking - possession of evidence relating to that crime is not itself illegal. I know that if I ended up recording a murder (FPV drone) I'd turn that over to the police no question, but for CP? Drone camera, meet thermite.

Let's not be absurd, shall we? You'd be extremely well advised to make an immediate report of the crime, and you would certainly leave your drone's memory card as evidence, but other than that, I don't see what you'd have to worry about - and I've myself been involved in a couple of reports of possession of child pornography, back in my retail storefront IT days. It was really nothing like the Spanish Inquisition.

>these are all currently crimes in their own right, so they fall under your first category, rather than your second, so I'm not quite clear what sort of point you're making here.

I was answering the question below:

>Your proposal ignores it - legalizes its distribution, in fact. Why?

If, in response to my answer, you conclude that committing a crime is an action tantamount to sharing, viewing, or possessing information about it, I disagree, and I think your outlook is frighteningly authoritarian. "Action" was a poor word choice. "Actions which entail direct harm", such as raping a child, should be illegal, I should've said. "Actions which entail indirect harm", such as possessing, sharing, or viewing data, should not be, in my opinion.

That doesn't matter if you're ignoring actions' directness and level of harm altogether and arguing that, since a judicial body classifies an action as a crime, it is a crime, and so I should agree that it should be a crime. But, in that case, I also disagree, and I think you're being a poor advocate for orthodoxy.

>ongoing harm to the victims, which, while not unreasonable, I think might be a weaker argument than that distribution in particular may make and expand a market even when not done for money

Here, I think you're doing it more justice. Incidentally, though, I'm the other way around. The "harm to victims" angle is much more salient than the "increasing demand" one, but both are pretty spurious to me, and certainly seem like underwhelming reasons to imprison and permanently cripple the lives of people whose only actions consisted of manipulating bits in storage media to the direct harm of no one.

Well, what makes a crime is a law stating that such-and-so action is a crime, so I suppose I'd say that, since a legislative body classifies an action as a crime, it is pretty much by definition exactly that. We're discussing whether this specific action should be a crime, which is a separate conversation altogether, and one I think best carried out without reference to some sort of nebulous Platonic ideal of crime, to which you seem implicitly to appeal.

You're also underplaying your hand here somewhat, I think - either that, or you find your own arguments unconvincing. You've already conceded, in your concept of "indirect harm" (still harm, but less so?) and the weaksauce relative-injury argument which constitutes your last paragraph, that the distribution of child pornography does inflict ongoing harm on those abused in order to produce it - but you don't think that that harm suffices to justify the injury inflicted upon those who engage in such distribution, but not such production, in the course of being convicted of and punished for that crime. That the former are innocent, and the latter are not, seems not to move you; your concern appears instead to be purely utilitarian.

I don't suppose it would be surprising if you were indeed unconvinced of this - it strikes me as a very difficult position to defend! But I'd be interested to see whether and how you do so, nonetheless. Or perhaps I've misgathered your point?

Why not? It doesn't hurt anybody physically anymore, and if it keeps those people of the streets on on their screens, even better. It's not like they're gonna be cured of their tendencies if they don't have access to such material.

Are you sure? There's a strong neurocognitive argument to be made that reinforcing the tendency, by repeatedly acting on it with pornography to the end of, among other things, rather strongly triggering the dopamine reward system, will tend to strengthen the interest by reinforcing the circuits which interact with it, and vice versa.

I don't think anyone would argue this "cures" the tendency - certainly I will not! But, at the very least, I can't see how it could do other than make a pedophile less likely to graduate to child molesting, to have built a strong habit of not acting on the urge - and, again, vice versa.

There are also other forms of harm than the physical. I am not myself moved to dismay by the possibility of images of my own abuse circulating on the Internet, although that may have more than anything to do with the fact that, to the best of my knowledge, no such images were made, and in any case said abuse occurred long before the dawn of the era in which such distribution became trivially simple. But I hardly imagine it is my place to tell someone who does find such a possibility - or a certainty - dismaying, that she is wrong to feel that way, or that she should not consider herself to be harmed thereby. Nor do I believe it is anyone else's place to do so.

> Are you sure? There's a strong neurocognitive argument to be made that reinforcing the tendency, by repeatedly acting on it with pornography to the end of, among other things, rather strongly triggering the dopamine reward system, will tend to strengthen the interest by reinforcing the circuits which interact with it, and vice versa

Reinforcing the circuits to reward yourself with more porn, not with molesting children. Your whole point is exactly the kind of pseudo scientific rationalising every authoritarian uses to push their "moralistic" agenda.

Real studies have actually shown that exposure porn reduces recidivism and tendencies to molestation, except in a small class of pedophiles which already have violent tendencies.

That's a counterintuitive result, and I would be very interested to learn more about it. Rather than sling accusations of pseudoscience and authoritarianism, will you cite some of these studies?

I'm surprised you think whatever intuitions you may have developed on such a complicated subject as human sexuality and neurology actually mean anything. Plenty of people with just as much confidence as you that ordinary porn was harmful were similarly surprised decades ago when rape and sexual assault rates continued to fall despite the continued spread of porn. Why would pedophilia be any different than any other sexual fetish in this respect [1]? In fact, there exists direct evidence that legalized child porn reduces sexual abuse against children [3].

All of the studies purporting to demonstrate links between possession of child porn and child molestation are plagued with methodological errors [2]. This issue is so emotionally charged that most of the science around it is garbage. The stigma against child porn is no different than claiming that consumers of staged rape fetish porn must all be closet rapists, and viewing this porn will simply make them act on it. It's a patently absurd claim.

About the only possessors of child porn that are at high risk of molesting a child are the ones that actually produce it, and so had already sexual abused children [4].

[1] http://www.jstor.org/stable/1123799?seq=1#page_scan_tab_cont...

[2] https://www.fd.org/docs/training-materials/2012/FJC2012/Chil...

[3] http://link.springer.com/article/10.1007%2Fs10508-010-9696-y

[4] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2716325/

Thanks very much for the links, and for the substantive comment! I look forward to reviewing them at my earliest opportunity.

Is there really such a strong argument about not reincorcing etc?? There were people with such tendencies for millennia before there was even the possibility of photographic reproduction of such images.

There were also people for millennia who died of diseases now easily treatable and indeed routinely treated. Does this constitute an argument against modern medicine?

This sounds like a strong argument is there peer reviewed support for it?

In pedophilia specifically? I doubt it. But it's not a far inference from dopamine's role in sexual arousal and satisfaction [1], and its role in drug addiction [2].

While it would be a stretch to postulate that the effect of child pornography on those disposed to it exactly matches that of drugs which provoke massive dopamine release on those who take them, the effects of dopamine on sexual behavior in the human male, and its role in the brain's reward system in general, lend I think considerable plausibility to the hypothesis that engaging in pedophilic behavior centered around child pornography, and obtaining sexual satisfaction thereby, tends to potentiate further engagement in the same behavior.

[1] http://www.sciencedirect.com/science/article/pii/01497634940...

[2] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2696819/

Is it reasonable to suppose that perverts would be more likely to offend or just consume more porn?

Empirical studies have actually shown that consumers of child porn are unlikely to molest children. Those that are arrested for possession of child porn AND have a high likelihood of future molestation ALREADY had a history of molestation.

This shouldn't be surprising. Consumers of rape fetish porn are unlikely to actually rape someone, but actual rapists are likely to consume rape fetish porn. Furthermore, in countries where porn of all kinds was legalized, including child porn, enjoyed falling rates of child molestation.

The OP is making some of the same old arguments people have trotted out against porn for decades, just couched in pseudo neuroscience. The fact is, we don't understand these relationships to the degree the OP needs to justify his causal claims.

Maybe, maybe not. That's a fraught subject around pornography in general, with tendentious argumentation on every side.

On the other hand, children are extraordinarily vulnerable to many forms of abuse, this among them. In a system of laws one of whose explicit purposes is to afford those vulnerable to mistreatment protection under law, I don't think it is on its face unreasonable to argue that children merit extraordinary protection as well. While there is perhaps a fair question to be asked around whether the sort of law under discussion actually serves that end, I would at the very least suggest anyone raising the question in a serious way be very well prepared to answer objections and counterarguments of every imaginable sort.

I can see the point I think. Shouldn't time be sound going after the people making the material?

You could argue that looking at CP is no different then looking at a murder photo.

Both are a picture of a crime you didn't commit.

>Is "distributing child pornography should not be a crime" really the hill you want to die on?

nice counterargument

If you wont stand up for the rights of even the most vile of humans, you deserve none.

I don't believe I have failed to do that. The conversation here revolves around 'coldtea's rather remarkable claim that distribution of child pornography should not constitute a crime.

Were I, though, for some unaccountable reason required to clarify my opinion on Rawls' situation despite it being in no way pertinent to the discussion at hand, I would note that I consider his treatment in contravention of both the right to speedy trial and, although I'm not as sure about this one, habeas corpus as well. The case as a whole, and the prosecution's attitude toward it, strike me as a solid example of the troubling habit of overreach our legislative and law-enforcement communities seem to be developing toward strong cryptography, which is as morally neutral as any other technology.

On the other hand, it's rather difficult to argue other than that a government unable to maintain order is unable to effectively govern, and not at all difficult to understand how, viewed from such a perspective, effectively impermeable cryptography might well seem an imminent danger to the security of the state and of those of its citizens not engaged in the sorts of activities which tend to undermine the ability of the government to maintain order. I understand that, especially since last November, the Overton window around opinions on the United States government has shifted such that mere deep and lasting mistrust seems absurdly moderate. But there is nuance here, and to ignore it in search of easy answers is as foolish in this context as in every other.

And quite aside from all that, there is the strong utilitarian argument to be made that this is not the hook on which to hang your defense of encryption, privacy, et cetera. Pedophiles and child molesters come in for about the strongest opprobrium our society ever brings to bear. Do you really not have anyone else around whom to build this case, so that you might have an easier time arguing against such mistreatment of someone as yet convicted of no crime? If you exclude refusal to decrypt a volume on demand from the permissible causes for a finding of contempt, you solve this fellow's problem, too. Can you really not find any way to do that that doesn't involve putting him front and center, where it is literally impossible to separate the substance of the issue from the allegations of extreme unsavoriness which will be leveled against his character, and by extension yours as well?

Remember, if you're going to make a meaningful contribution in this realm, you must of necessity do so in the world where we actually live, not the one where you'd prefer that we did. In the world where we actually live, pedophiles and child molesters are the lowest of the low, and even the mere accusation of involvement in such activities is often enough to ruin lives. It's already hard enough to sell the argument you're making. Why is it worth your while to make it a whole lot harder?

Gather evidence instead of hoping you can convict someone of evil-doings based on their own records?

If all the "bad guys" who distribute illegal material do so encrypted volumes and refuse to give up the decryption key then what do we do ?

"Bad guys" still have fifth amendment protection. You prosecute, satisfy the burden of proof and hope a jury convicts. That's what you do.

Outside of that, if you really want this changed, petition your representative to repeal the fifth amendment, I suppose?

need to stop thinking from an american centric perspective.

This is in response to a news story that happened in the United States, I thought we were remaining in that context. And if I'm to think outside of an American-centric viewpoint, what governing body do you point to that would protect someone's rights from being forced to provide evidence against themselves when being charged with a crime?


Is this something that ought not be considered either?

I think it is right to think in a american context here because no other western country would hold someone for so long just because he probably forgot his password. This is obviously a american issue.

  "bad guys" who distribute illegal material
Honestly, I fail to see how or why this should be a problem, considering that no actual injuries are inflicted in the storage or possession of ones and zeroes.

Sure, that's an obtuse abstraction, but honestly, the buck stops there. At the end of the day, they have a circuit encoded in a given state. Magnetic media that can be arbitrarily degaussed.

It's not real.

Stop prosecuting it.

So, okay, you wanna argue. Let's get more specific.

Bad things people can "have" encoded on their digital storage media:

  1. stolen economic identifiers, such as credit 
     card numbers, and other mechanisms of fraud

  2. raster graphics and audio depicting nudity, 
     or evidence of events that have since transpired, 
     and prove culpability, via direct participation
     rather than simply the hoarding of collectible
     media files of whatever persuasion

  3. preferences and settings that can correlate 
     identity in other crimes, subscriber information
     such IMEI numbers and MAC addresses, and more

  4. classified information restricted from being
     leaked among state actors or the general public

  5. intellectual property that translates directly
     to business opportunities, insider trading,
     corporate espionage and other white collar 

  6. copyrighted music and movies, oh noes!
Listen. If it can fit onto a credit card sized device, it's already too late. So nothing is being stopped by this sort of search.

The demand for relinquishing data, in any such situation is not unlike demanding all the things that people write on napkins and envelopes. Every scrap of paper in someone's pocket. Movie tickets, dry cleaning stubs, match books, and so on. Evidence of a crime? Possibly. Is everyone guilty until proven innocent? Gee, I don't know. Maybe we should just make everyone empty their pockets, and take pictures, just in case.

The fact of that matter is that these are essentially fishing expeditions for item #3.

It's not about "illegal data" at all, nothing is ever going to divert ones and zeroes as contraband. That simply doesn't happen, and doesn't work. It's about coming up with reasons to harass people, as vectors into prosecuting other crimes. Smoking out the paranoid, so that they crack under the pressure of getting sweated down in the hot seat.

If it is all 1s and 0s, I am curious how you feel about the NSA having a good deal of your personal information stored on their drives?

The obvious retort is that having it on a hard drive isn't the crime, the act of collecting it is. So it's the act and not the possession that is the crime.

I would note as a counter-counter argument that we often make things illegal that are not in themselves harmful, but can lead to harm.

Do we get to choose to live in a world where that isn't the case? No? Hey that sounds like a good reason to have fewer laws we can be parallel-constructed into violating.

> Do we get to choose to live in a world where that isn't the case?

Kind of. I do my best to avoid any relation with the U.S. including avoiding visiting it, taking up a job or incoorperate there. So even thought i am monitored by some shitty govs, there is no legal way that it means anything.

>Do we get to choose to live in a world where that isn't the case? No?

Why not?

Or, maybe a better question is, why do you think you could legalize child porn easier than we could outlaw or end programs like PRISM?

Few powerful forces oppose legal child porn. Very little money is on the line with CP and very few powerful people would be diminished if CP was legal.

To outlaw or end programs like PRISM you'd have to take on the entire political establishment, the military industrial complex and all branches of the judiciary and law enforcement.

It'd be far easier to legalize CP than do away with PRISM and the like.

This is the right way to analyze the situation, except we must remember that CP is of instrumental value to the legal racket, which is closely allied to MIC. CP gets them in all sorts of dubious positions, and spending lots of sweet taxpayer money, that they otherwise couldn't justify. "Legalizing CP" wouldn't have the effects we seek on the legal system as a whole, because they'd substitute some other issue (if one had to guess, "intellectual property" probably has the interest of various power players...) so they could continue business as usual.

Well if it's encrypted, how will you get a warrant for unknown data. And if you do have proof, then why do you need the data ? In these cases I think the only reliable and best way is to obtain the data by infiltration.

It's a bit like asking a burglar to break in. You either have enough proof, or you catch them in the act.

As I see it, the root question is "Would we rather guilty men go free or innocent men be condemned?" We can't have a perfect justice system, so which direction are we going to choose?

There is no god given right that demands to upturn every stone. Live with the fact that there is no solution that lets you look into the drives. Period.

I see these assholes as canaries. I don't mean to defend them in any way. But if they're vulnerable, so are we. At least potentially.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact