Hacker News new | comments | show | ask | jobs | submit login
Man jailed indefinitely for refusing to decrypt hard drives loses appeal (arstechnica.com)
319 points by davesailer 247 days ago | hide | past | web | 393 comments | favorite



This reads as extremely bizarre. I mean, reading the fifth amendment makes it pretty clear - no one should be compelled to witness against oneself. However, it looks like the current executive and judicial are thinking "well, those Founders were just idiots for putting such an amendment in, clearly it'd be much easier to prosecute people if we could compel them to witness against themselves, so why don't we just ignore it and put people in jail indefinitely until they agree to witness against themselves?". Terrifying that it is so easy for them to completely ignore all constitutional protections.


Your interpretation of the 5th amendment is quite different than it has been historically interpreted by the courts.

For example, in a trial, the prosecutor might subpoena some documents and you cannot refuse to turn over those documents, unless doing so would trigger a 5th amendment assertion. Turning over the documents implicitly testifies to at least two important pieces of information: that the documents exist and that you know about the documents.

So if you're asked for the documents and the prosecution has no evidence that the documents exist or that you know about them, the 5th will cover you.

However if during a police interrogation you admit that the documents exist, when they are subpoenaed, you can't withhold evidence.

I imagine that the 5th will work much the same with passwords. If it is known that you have the ability to unlock the device, refusing to do so will be withholding evidence.

However if revealing the password implicitly reveals the hitherto unknown information that you know the password, 5th will work.


So here's my concern: guy's now been in jail without charge for 18 months. The prosecutors say his guilt is a foregone conclusion, but apparently it's not foregone enough that they're willing to go ahead and prosecute without the contents of his hard drive. They're gonna hold off until they get what they need.

We're starting to get to the edge of the point where this guy might legitimately forget his password. I think we can assume the FBI has been running a common passwords/dictionary attack with common password symbol substitutions for the last 18 months, and apparently they haven't found the answer, so this password is probably a pretty good one that's not based on a word or even a sentence.

If he stays in jail without trial for another two years and then says "I can't remember my password any more", what should we do?


> So here's my concern: guy's now been in jail without charge for 18 months. The prosecutors say his guilt is a foregone conclusion

That's not what the "foregone conclusion" stuff is about, at all. They're not saying "it's obvious he's guilty so the 5th amendment does not apply." The 5th amendment doesn't apply to handing over evidence, period. It's about the circumstances under which handing over evidence (which ordinarily does not implicate the 5th amendment) involves implicit statements or assertions by the defendant (which does). Read the subpoena example in the opinion, it clarifies.


Take this comment as what I think 5th amendment should imply, not how it is currently applied by the courts.

The concept of forgone conclusion is very weird. Imagine that I tell someone that I maintain a diary with log of all the events everyday. Then I tell this to my friends, family, (the police), etc.

Let's say the prosecution can prove that I was at a spot where something illegal happened. If they knew I wrote a diary everyday, they can compel me to produce my diary, which will then be used against me (if needed).

If on the other hand, I tell everyone (and the police) that I have photographic memory and remember anything I see and do, that information is protected by fifth amendment. So in this case, I won't provide something that will be used against me.

It is very weird that when the plain words of the amendment read "compelled in any criminal case to be a witness against himself", it is only thought to include literal production of testimony from mind as confession, while on the other hand, the first amendment is not read literally to allow only freedom of (say) owning a press, the press being a physical printing press.


What is weird is basing a legal system around the constant re-interpretation of documents written hundreds of years ago and the implication that subtle nuances in ancient wording reveal a thus far hidden intent that somehow predicted today's technological advancements, society, their relevance and how these texts should be applied in today's light.


None of that is why I'm bringing it up. I bring it up to point out that we have no reason to believe that the prosecution won't request indefinite detention until he gives up the password, even if it might be impossible for him to do so.


Good point, I definitely can't remember my more complex passwords for more than a month or two if I'm not using them.

It is also not too hard to essentially forget a complex password by either 'blanking it out', or associating it with multiple similar paswords during recall.

There are no easy solutions to encryption in this context, apart from what it clearly tells us: That society needs to focus on prevention and care, and not rely on policing and punishment to keep society safe as much as now.


Civil contempt is coercive, not punitive. In theory, he gets released when it's clear that he won't decrypt the drive even if indefinitely incarcerated. So in principle, in the event you describe, we let him out.

Of course, knowing that he actually has forgotten the password is somewhat tricky, so what would actually happen is anyone's guess.


He goes free in 14 years or sets a new record. Up to the judge.

http://abcnews.go.com/2020/story?id=8101209&page=1


That guy sets a new record for cussedness.


> what should we do?

Release him and pay millions in compensation for violating his writ of Habeas corpus.


A court granted him a writ of habeas corpus? When? That changes everything if true, but I'm pretty sure you're mistaken.


That's not what Habeas corpus is. Contempt is 100% lawful.



Perhaps the FBI have unlocked it, but them having the password doesn't prove that the accused had it. My guess is they wouldn't be pushing on with the case if they didn't know for sure that access would 'demonstrate' criminality. Similarly I imagine the accused knows that if they admit access they're going to spend a lot longer incarcerated. An impasse for our times


That is precisely the scenario that actually would violate the Fifth Amendment, because it forces him to be a witness against himself.


So if, for example, a person had illicit photos/documents in a safe, then the police couldn't ask them for the combination? Or if they gave the combination the evidence then retrieved would be inadmissible?

Surely it's the pre-existing evidence that [potentially] stands against the accused, not their "speech" that enables access to that evidence.

Who does such an interpretation of The Fifth protect?


As the courts have interpreted it, 5A protects you if they can't even prove the safe is yours, or if otherwise admitting that you know the combination or that you know what's in the safe would result in incriminating testimony. 5A doesn't apply here because they know the device is his, and that prior to his arrest he had regular access to it. It's not incriminating testimony, it's delivery of evidence in a criminal trial subject to a lawful subpoena.


Delivery of evidence is delivering the hard drive; changing the state of the evidence is a concretely different thing.

It amounts to interpreting the existing evidence for law enforcement.


> I think we can assume the FBI has been running a common passwords/dictionary attack with common password symbol substitutions for the last 18 months

I would like to believe they do... But I don't think they'd bother with that.


How many 20 characters passwords could we try in 600 days ? And by imaging the original drive unto multiple others ?

I mean 18 months. It's a lot.


Not worth the resources though.


Well, certainly not if the judge is willing to allow indefinite detention without trial. That's one of the key concerns I have with this case. I'm not seeing presumption of innocence play out here.

The west used to mock and deride the USSR for this kind of thing.


There are, as far as I can tell some weaknesses in that argument, at least from a lay perspective.

- There must be evidence that I can unlock the device for the two situations to be equivalent, and the request must be for specific documents known to exist. If they don't exist all evidence found must be invalidated because the cause for the search was invalid.

- If evidence of ability to unlock the device does not exists, but the assumption is that since it's mine I can unlock it, I think the analogy is slightly flawed. Since the ask is now not about producing a specific thing I'm known to possess, I'm indirectly being asked to produce a document (password), albeit not in material form but typed on a keyboard. Since it's never been proved that I actually am able to open it, the situation is not equivalent, but more like there being a safe in my house that nobody has seen me open, no key is know to exist, but since I own the house I am assumed to be able to open it, and I'm held in contempt because I say I can't or won't open it. It's not too uncommon for a house to contain a safe the current owner can't open, but it does not lead to the same situation since it can usually be forced open. The only difference with good encryption is that the option to use force has become increasingly impotent.

- Unlocking a computer without proper limits and auditing of the search is also more like being asked to give access to any document storage rooms I own or have access to. Reason being that unlocking a device will in many cases give access to more than the bare contents of the drive, giving access to emails, Dropbox, and other logged on applications and sessions. Since parallel construction appear to be a thing, it's ripe for abuse.

Maybe there needs to be a process where independent auditors can, under surveillance of the defendants lawyer produce named documents from seized evidence, as giving police and/or prosecutors blanket access to devices entire content could create lots of opportunities to create parallel construction stories for any content found not under the current warrant, and as bizarre parallel construction is, it appears to have been used.


>Your interpretation of the 5th amendment is quite different than it has been historically interpreted by the courts.

Part of the issue seems to be the courts are very proficient in coming up with very interesting interpretations. It feels a lot like a literature or art interpretation class, where everything is BS but a lot of people have a bunch of rules convincing them they aren't. Then again, the founding father's weren't too much different.

Founding fathers: "All men created equally".

Also founding fathers: owns slaves (some at least)


The word "witness" is a legal term with a specific meaning. It requires providing testimonial evidence. The landlord that unlocks the defendant's apartment where the bodies are stored in the fridge is not a "witness" even though he helped the police get evidence.


And here we are, talking about a guy presumed to have some information on his head, arrested for refusing to disclose that information, in a thread about legal professionals creating BS, with somebody arguing that "witness" has a legal meaning that does not cover people disclosing information they have on their heads... Or, at least not on this case.


> arrested for refusing to disclose that information

The information in the guy's head is the password. They're not asking him for the password. They're asking him to perform the action of decrypting the drive. They explicitly told him he could keep the password secret.


Yep, that's really a very good non-BS interpretation that does not harm common sense in any way.

In related murder news, murder suspect detained indefinitely until he shows hidden body to the police. They don't want him to tell them where is the body, they just want him to drive them there so they can dig it up.


Your comparison between decrypting a file and locating a body neatly demonstrates the conflict at the heart of this case. The conflict is formally known as the "foregone conclusion doctrine."

There was an excellent discussion of this case and the principles behind this doctrine in the Washington Post last year:

https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...

Orin Kerr does an excellent job explaining why he thinks the doctrine applies to decrypting files. You might enjoy reading it.

The appropriate analogy to this case is not "until he shows hidden body to the police" but "until he opens the door to his garage where they have reason to believe there is a body".


Yet another article assuming that telling a decryption key is the same as delivering a document you possess.


The defendant in question here is not being asked to tell anyone their encryption key. They are, in fact, being asked to deliver a collection of documents they possess.


No, they are being asked to transform a collection of documents they possess, using information they allegedly possess in their mind about those documents, and deliver the product of that transformation.


That's a characterization I can agree with. But that transformation still isn't, in my mind, testimony. It's an action.


How can disclosing some data that is a function of information you have on your mind not be testimony?


Because it isn't revealing information that only exists in your mind. Keep in mind the reason the 5th Amendment exists: the prevent the government from having an incentive to coerce false testimony through torture.

An evil government could coerce someone to falsely say "I did it!"

An evil government cannot coerce someone to falsely type a password into a terminal to decrypt files with incriminating evidence. Because if it's false that evidence simply won't exist.


> Keep in mind the reason the 5th Amendment exists: the prevent the government from having an incentive to coerce false testimony through torture.

Thats not the sole purpose of the self-incrimination protection (which is, also, far too focussed in it's protections to meaningfully effect that end, since historically false testimony coerced through torture was very often sought from people other than the person it was used against.)

> An evil government cannot coerce someone to falsely type a password into a terminal to decrypt files with incriminating evidence.

Sure they can, or, rather, if they claim to know already what is on the drive and reject any decryption which does not match their claimed knowledge, they can punish someone for non-compliance until they either tire of punishment or the target somehow manages to produce a result that matches the expectations.


You know what would be handy? If you were to codify these reasons and purposes unambiguously in a single, agreed upon, authoritative place (say, a law book or something), so you don't need to divine meaning from ancient texts and have the same silly discussion every time the subject comes up.

Take a look at the legal system of just about any non-English speaking country, to see how this could possibly work.

(Admittedly, it makes for great film scripts and courtroom scenes, which are valuable and important export-products of the US, but having clearly defined and agreed upon laws and rules is kind of important too)


True. It's also to prevent someone from ever being put in the position of having to choose between lying and self incriminating.

But again, that doesn't apply in this case.

or the target somehow manages to produce a result that matches the expectations.

This is an impossible end state. You might have a point if the password was a one time pad or something like that but that's not the case for the case in question.


You are correct in that as a non-lawyer (I am a non-lawyer as well) you cannot read the law and reliably, confidently understand what it means, much in the same way a non-programmer cannot read read code and understand what it means.

There is a problem with this which is that non-lawyers are required to comply with the law but that's not really the issue here.

If you're trying to argue courts have gone through mental contortions to derive radical insane re-interperetations of the law that completely change its intent and meaning 180 degrees, and that the entire legal orthodoxy has gone through the same contortions in order to be able to practice law in its current state, you can do that and it's reasonable, but you should use better examples like e.g. the commerce clause, not slavery. Slavery was most definitely intentionally allowed, no interesting interpretation necessary.


>Slavery was most definitely intentionally allowed, no interesting interpretation necessary.

Legally yes. I was talking referencing how the founding fathers were not consistent in matching the government they created with some of their prior statements which were part of the reason they were in a position to create the government. Largely I said this to preempt the oft response that the founding father's weren't consistent with their own view of rights.


Well, they were consistent; its just that their definition of "men" is different from yours, and its been shifting with time.

And hence we have lawyers and judges interpreting the law. Because the whole foundation (the people, and their opinions) is unstable over time.


Have you ever read up on why Jefferson chose those words?


They thought British would beat confessions out of people which still somewhat happens.


The police are asking this guy to produce a document that does not currently exist. The police are effectively asking this guy to take a document they do have and is useless (the encrypted hard drive), and using the contents of his own mind to transform it into a document that is useful to them.


Right, but in that case the court is asking for specific documents which it knows exists.

In this case, the court is asking the man to provide evidence which the court is not aware of. And there also might be evidence for other crimes which the court isn't aware of.

This is also a right to privacy issue.


If the court knew that the documents existed, he would have been convicted for possession of child porn by now. The court thinks that the documents exist, but obviously they can't prove it.


If a confession can be evidence of being guilty, refusing to confess is to withhold evidence?


But you don't yet know that it's evidence of guilt. Additionally, testimony can be counted as evidence, yet the 5th Amendment allows you not to testify if doing so would incriminate you. So something being evidence is not unconditional in needing to be turned over.


Let's say a guy has some documents that he happened to show someone that can implicate him in a crime. The person he showed it to testifies that the guy showed it to him/her. Can he be held until he turns over those documents?


Well, seeing that this is what is currently happening, I'd say the answer is "Yes."


But passwords and hard drives are not documents. What's on it are "documents" but it's akin to refusing to pull memories out of your brain.


The purpose of the prohibition against testifying against oneself in the 5th amendment is not a protection of one's privacy (as many here seem to believe). It is to precent coerced false confessions. The difference between false testimony and a falsely revealed password is that the testimony is not obviously false but the password will be.


The argument made in the article is that it's a "foregone conclusion" that there's child porn on the drives, so decrypting them isn't self-incriminating because they already know what's on the drive.

That said, personally I don't buy it. What if there's evidence of other illegal acts on the drive too, ones the police don't know about? Then decrypting the drive would definitely be incriminating because it would tell police about the other illegal stuff, stuff which fails the "foregone conclusion" test.


> The argument made in the article is that it's a "foregone conclusion" that there's child porn on the drives, so decrypting them isn't self-incriminating because they already know what's on the drive.

The immediate thought that comes to my head when they say this is: Then whats the problem? You can prove it, so why do you need more proof? Unless your possibly maybe your case isn't rock solid or you want to find more crimes.


Similarly, if the police have a reasonable suspicion that there are illegal materials in your home, they should never be allowed to enter and search it against your will. Either they have enough evidence to charge you or they don't, right? So why bother searching? It doesn't matter if you have a nuclear weapon in your basement, if you say no they aren't allowed to come in and check/collect evidence that makes them certain no matter what the Geiger counter outside says.

Your reasoning invalidates all searches, all warrants, and it's everywhere in this thread, it's insane.

I'm all for security, privacy, encryption, Tor, but if the police have a strong enough reason to think I'm committing a horrible crime, and have convinced a judge to sign off on it, then yeah absolutely they should be allowed to search my computer. I don't get to say "Joke's on you g-man, we both know I'm a criminal and the evidence is right here and I can get into it, but I won't let you in until you've cracked my secret code!" The alternative is for them to just always assume encryption/Tor == criminal. The point is they can search /when they have a very good, explicit reason given to a judge/, not go on fishing expeditions or passively collect everything. You probably will lose your privacy for a little while if you're a reasonable target in a serious police investigation, that's always been the case, and it always will be.


It's a bad analogy, the police don't need your permission to gain access to your home.

It'd be akin to the police coming across a written document in rot13 and jailing you indefinitely until you show them how to decrypt it.

What if it turns out to be a grocery list and you used rot13 just as a matter of course? You went to jail over a grocery list?

I don't think you can compare searching a house to forcing the decrypting of the hard drive.

I run my own XMPP server to keep in contact with a few people (1 friend in china, and my gf during the day). I absolutely encrypt all of it, you're telling me it's ok for them to jail me indefinitely because they believe I've said something in the logs that I shouldn't have.

And that's bullshit, there are legitimate reasons why people encrypt things.


The fact that police can't access your data without your permission is a technical reason, not a legal reason. Warrants say the police can search your home. Everything in your home. The data on the machines in your home. If a police officer knocks on your door and presents a valid warrant and you say "good luck, I've booby trapped my home as a fortress with shotguns and explosives and I refuse to disable them" you will be locked in jail until you do. Police don't have to deal with your bullshit when a judge orders you to do something and you refuse to comply. They just lock you in jail until you do what they say.

And no, none of your examples are appropriate. If the police could prove you had a grocery list had all of the items used in a crime and could tie you to it, went to a judge, got a warrant, and ordered you to turn over that list, you'd have to do it. If it's encrypted in some scheme you have to show them the real data. It's not the cops' job to work their way around every weird little obstacle you put in their way when they have a lawful order requiring you to hand over information.

In your scenario, if they had a warrant for your grocery list or XMPP server data, you wouldn't be "jailed indefinitely", you'd be jailed until you complied with a lawful order to turn over the data you possess. I don't know where you got the idea you'd be jailed indefinitely because of the content of the chats, that one came out of nowhere. If they discuss crimes you've committed you'd be jailed for those crimes, not indefinitely. After you turn over the logs. If you refuse you're breaking the law. If you don't have access, you can go ahead and try to prove that to the judge, or convince the judge you forgot your password. But the police can provide evidence to suggest you DO have access, you are just willfully refusing to give it up. Like, e.g. logs of you accessing it successfully, recently.

Yes there are legitimate reasons people encrypt things. I encrypt everything, all the time, just for the sake of doing it. I use Tor for my fairly mundane browsing all the time because I value my privacy.

But encryption does not mean "I never have to give anything to the authorities, under any circumstances, no matter what, and there can't ever be any consequences for me if I refuse when they go through proper channels and ask". Encryption does not mean you don't have to comply with the law.


> The fact that police can't access your data without your permission is a technical reason, not a legal reason. Warrants say the police can search your home. Everything in your home. The data on the machines in your home. If a police officer knocks on your door and presents a valid warrant and you say "good luck, I've booby trapped my home as a fortress with shotguns and explosives and I refuse to disable them" you will be locked in jail until you do. Police don't have to deal with your bullshit when a judge orders you to do something and you refuse to comply. They just lock you in jail until you do what they say.

When you start using such bullshit, outlandish arguments, you've lost the point.

> In your scenario, if they had a warrant for your grocery list or XMPP server data, you wouldn't be "jailed indefinitely", you'd be jailed until you complied with a lawful order to turn over the data you possess.

They have the data. What they don't have is an ability to interpret the data, but they most definitely have been given the data.

If that's really your measuring stick, then they need to let this guy go because they have the data in their possession.

What next, we're going to jail someone indefinitely (oh I'm sorry, not indefinitely, just "until they comply"...) because they refuse to read off their grocery list, which they wrote down in french because the police can't find someone else to read it for them?

no, fuck that, it's all splitting hairs.

"We don't want him to give us the password, just force him to unlock it for us, so it's totally not the same thing!".

Right...

Oh also.... you're wrong about the warrant point.

http://criminal-law.freeadvice.com/criminal-law/arrests_and_...

> Actually, the police might not be able to search anywhere just because they have a search warrant, there is a requirement that a warrant describe specifically the place to be searched and the items to be seized. Although it is possible that a warrant will give police a general license to search anywhere in a home, it is also possible that the search might be limited to specific areas in the home.

Maybe you live in a different country, but in the US it's typically understood that a warrant is meant to be specific to avoid the issue with police getting a warrant to look for a stolen bike and going through your toilet looking for hidden drugs.


I would suspect that the footage itself can be very valuable in terms of further investigations, so they're pushing for it because it will benefit them in future. The man will end up in prison anyway, so it's not like the law enforcement has something to lose.


No, that means that he's jailed indefinitely for possibly imaginary reasons that have nothing to do with the case at hand.

> The man will end up in prison anyway

But may actually end up longer in prison for contempt of court.


yeah, if it's a foregone conclusion, then why isn't the trial over and time being served?


Where's the mandatory minimums for possession of child porngraphy? The zero tolerance? Our prisons fill with drug offenders, yet we give sex offenders a scarlet letter + probation?


I don't think drug offenders should be put in prison since it's a victimless crime. I think child porno while much more serious does invoke some of that chain of reasoning.

To me there is a big difference between a guy who found some on the internet and someone who produces or pays for it.

I would be wary of putting in minimum sentencing for such crimes unless it was only targeted towards those producing/paying as you can reach murky area's. Two i can think of off the top of my head would be finding images inside someone's browser cache who browses a site like 4chan where people will post it randomly.

That and art, if someone draws child pornography is that a crime? If blizzard says one of their overwatch characters is 17, are the people who make those animated porno videos making child porn? And are the people watching it consuming child porn?


There was a sex offender who wrote on paper fictional stories of child sex and he was put back into jail for a violation of his parole (for writing it, never shared it).

If you have child pornography the law considers it the same as taking the photo and you can be sued civilly by the victims.

People love it when lawmakers make more laws.


Remember that parolees are still under sentence. There are almost always restrictions on parolees that go beyond those on the general population - that is the whole point of the parole system, you agree to live under sometimes onerous restrictions in return for being allowed out before your sentence is up.


> That and art, if someone draws child pornography is that a crime? If blizzard says one of their overwatch characters is 17, are the people who make those animated porno videos making child porn? And are the people watching it consuming child porn?

The answers to these questions are obvious: no and no.

If the answers are any different or short of being absolute, then that's a clear hole in the first amendment.


> The answers to these questions are obvious: no and no.

Tell that to Chris Handley [1]. He imported a pornographic comic book from Japan, a postal inspector got his panties in a bunch over it, and a prosecutor pushed for 15 years in prison and life as a sex offender unless he plead guilty.

Knowing he'd probably lose in front of a jury of his peers [2], and being blackmailed with the threat of 15 years, he took a plea for six months in prison. Wasn't even afforded the right to a fair trial.

Oh, and it's not just pictures, either. Textual, fictional stories can be "obscene" as well. It is possible to write a fake story in a Hacker News comment that can get you 15 years in federal prison in the US.

[1] http://cbldf.org/about-us/case-files/cbldf-case-files/handle...

[2] it's deemed "obscene", which is a magic "get out of Free Speech free" card, so it falls under the Miller Test. You could get a jury in a very deep red county to find two fully-clothed males kissing as "obscene" if you wanted. "Obscenity" is the thing that needs free speech protections the most.


> "Obscenity" is the thing that needs free speech protections the most.

Agreed.

I'm even of the mind that mere possession of any piece of media cannot be properly regarded as criminal, precisely because it interferes with the far more important right to free speech.

It seems to me that prohibiting the creation or sale of child porn is more appropriate.


In an ideal world, I want possession of real CP to be a crime ... that is, if it could stop there. I would be willing to accept that small bit of cognitive dissonance / hypocrisy. I'm very sympathetic to the victims of abuse having their images out there being sold and traded online.

But then you have cases like Handley where cartoons are criminalized (which I consider to be a thought crime), and cases like this story where it's used to basically eviscerate the fifth amendment ... and it really makes it clear: you cannot have exceptions to free speech, or it will continue to grow and gut everything else. It's not a "slippery slope" argument ... the slope has already happened -- we're seeing it right now. An appeals court just said you can rot in jail for the rest of your life if you forget your password. And they're going to get away with it because of the horrific spectre of CP ( parodied well here: https://www.youtube.com/watch?v=sdu4wSBZqMM )

As much as I abhor the content, I really believe prosecutors should be going after the producers, the sellers, the people collecting ad revenue off of hosting this stuff, and of course, the actual abusers themselves.

I'd like to see the people with paraphilias they didn't ask for have access to proper counseling, access to anti-androgens, etc.

But we don't live in a country that wants to help people. We live in one that wants to punish people -- even if that results in more victims.


>In an ideal world, I want possession of real CP to be a crime ... that is, if it could stop there.

I partially disagree with this. I think it should only be a problem if it's actually real, and can be proven to be, and thus can be proven to have an actual victim. And that victim needs to actually be a child.

In today's age of Photoshop and life-like realistic rendering programs, it's entirely possible to create stuff that looks real, and really isn't. It's also possible for models/actors to look less than 18, while not really being that young. How do you tell for sure that a person in an image is 17 years and 364 days, and not 18 years? Pretty soon, the rendering technology will be so realistic you'll be able to create movies with fake humans that look entirely real. So if someone buys this software and makes some naughty stuff with it, why should they get in horrible trouble and spend decades in prison, when someone else can buy the same software, buy the same digital assets of child models (which aren't really real children, just fake but realistic looking children), and then make movies of these "kids" being slaughtered by dinosaurs or mowed down with machine guns or something, and that's perfectly OK?

The bottom line is: victimizing innocent people should absolutely be illegal and punished. Anything which doesn't victimize an actual person should not.


years ago I read an article by Bruce Schneider in which he said he doesn't put a password on his home wifi. Anyone who wants to connect to it can.

His argument was that if someone downloaded illegal materials like cp and his network was password protected, they would argue that it had to be him (when we know this isn't even remotely true as software people).

The thing is, I kind of dismissed it and then several years after reading that I came across an article that just floored me. A cop was accused of accessing cp evidence repeatedly (presumably for himself). The article quoted the chief of police as having said "we know it was him because he used his password to log in and it's IMPOSSIBLE for anyone else to have gotten into it".

I've emphasized the word impossible.

I went home that night and opened up my home wifi and I've ran it that way ever since. The idea that a police chief would believe it's impossible for anyone else to get into an account because it's password protected is about some of the scariest shit I can imagine.

And what's scarier in my mind, is how easily people are swayed. Look at how many people are arguing that it's ok to jail this guy indefinitely for refusing to give the police a password. And they BUY the argument that because the police are only asking him to perform an action (enter the password) and not actually give them the password it somehow changes anything instead of it being bullshit hairsplitting by officials.

I'm not really a tin-foil hat sort of person, but the people who can buy that without blinking are a part of the reason why we can't have things like free speech, only acceptable speech.


> parodied well here: https://www.youtube.com/watch?v=sdu4wSBZqMM

You may enjoy Chris Morris in this Brass Eye special "Paedogheddon":

https://www.youtube.com/watch?v=RcU7FaEEzNU

(if you enjoy absurdism and black comedy -- I find absurdism to be an especially good fit for satirizing the Kafkaesque)


> I'm even of the mind that mere possession of any piece of media cannot be properly regarded as criminal, precisely because it interferes with the far more important right to free speech.

While I agree in principle with the sentiment, by calling it "piece of media", you presume it to be something inert.

Stepping outside the context of obscenity for a bit, code is data and data is code. It used to be (50-100y ago) a reasonable valid argument that any media is "just words" or images, unable to hurt anyone/thing unless interpreted and acted upon by human volition. However in today's information technology-enabled society, we have automated systems and machines that will consume the data on a piece of media, and automatically perform real-world actions that have large consequences and may hurt people.

Weaponized exploit code (etc) can exist on a piece of media, and you can imagine how a rule that "mere possession of any piece of media cannot be properly regarded as criminal" can somehow always be wrangled into a loophole that abuses this rule. Information is a very weird and fluid beast, just look at the oddities around "illegal primes" or "coloured bits", to see where computational science and law collide.

I believe that our old intuitions about the fundamental nature of "information" are being challenged in a way. I don't have solutions or answers, either. I want the freedom too, but saying it's "just information" on a piece of media is a bit too quick.


"18 U.S. Code § 1466A - Obscene visual representations of the sexual abuse of children

Any person who, in a circumstance described in subsection (d), knowingly produces, distributes, receives, or possesses with intent to distribute, a visual depiction of any kind, including a drawing, cartoon, sculpture, or painting, that (1) (A) depicts a minor engaging in sexually explicit conduct; and (B) is obscene (...) or attempts or conspires to do so, shall be subject to the penalties provided in section 2252A(b)(2), including the penalties provided for cases involving a prior conviction. It is not a required element of any offense under this section that the minor depicted actually exist."


> (B) is obscene

Those two words are hiding a lot. For example, it's probably not obscene in Oregon, since part of the Miller test defers to state law and we have a stronger state equivalent of the 1st amendment in our state constitution that would allow it.

And if you wrapped it in a story(like a manga or comic), it would be easier to argue that it has literary or artistic merit. Though, a "states' rights" argument would probably be more likely to succeed.


My comment wasn't meant to speak to the test of the federal register, under which a huge part of the everyday lives of Americans are federally prohibited.

I was more speaking to the question, "is it a crime?" IE, is it a crime in any sort of common-law sense and the proper purview of a government in a functionally free society.

In that sense, I do not believe that the wholesale fabrication of any form of media is a crime.


In Australia, cartoon child porn is also illegal.


In fact, IIRC even actual porn containing only provably adult actors is illegal if a judge decides it looks like someone might be underage.


I remember reading about a case where a porn star actually showed up to a trial of her own volition and showed the judge her license to prove she was over 18 when she did the film.

Had she not responded when the guys lawyers contacted her, the accused would've gone to jail for child porn.

That's how insane and scary these laws are. I'm all for coming down hard on someone for having cp, but it wasn't cp, just a young looking actress.


Keep in mind that a 17 year old taking a nude picture of themself is in possession of child pornography. Do you want a harsh minimum sentence for that?


You gotta cut the government some slack here, they have contracts with private prison providers and quotas to fulfill. Can't have compassion and reason get in the way of that.

Also think of the children.


Times are moving faster, you have to adapt. Efficiency is trump. Children are no exception here. You gotta see that there is just no time for things like 'being a child'.


With private prisons only holding about 8.4%[1] the total state/federal inmates, do you perhaps mean prison guard unions?

[1]http://www.salon.com/2016/08/24/private-prisons-are-not-the-...


Try them as an adult?


I don't understand.


A minor possessing selfies of a nude love relation should clearly be tried as an adult. For maximum ironic force.


Also keep in mind that urinating on a wall in front of a police officer can get you "sex offender" status.


The problem has to do with precedent. If the prosecutors give up on this issue, then future defendants can cite this case in their defense.


That's like saying "The jury found you guilty of shoplifting, therefore we will put you in jail indefinitely until you confess". Sure them confessing after the conviction adds no information, but you still can't compel someone to do it under threat of a life sentence.


I'm not sure I understand something, either their argument about hashes, or how whole disk encryption works. I assumed that whole disk encryption meant that the disk, unencrypted, has high entropy, so the whole thing equally looks like snow. Doesn't FileVault encrypt the whole disk? So, where's this hash?


The defendant provided the password to his iphone (that contained highly-unsavory media of his nieces), which contained an unlock code for his laptop (filevault backup decrypt key). He connected the external drives to this laptop, and when he'd transfer media from his laptop to the drives, logging would occur with the file checksums. The hash/checksum is on the laptop with the filepath to the identified external drives, and because the hashes match known media of child victimization, the prosecution knows exactly where the evidence exists on the drive, once decrypted.


If the hashes are known to match, there is really no need for the original pictures, the evidence is already there?

This makes it sound more like it's a fishing expedition for evidence to use in other investigations, or to find evidence for a more severe punishment, both of which one can morally agree or disagree with, but is it how justice should work? I honestly don't know, but I think probably not.

It's a detestable crime, which is exactly why we must not allow the law to be bent out of shape because of that, as the results will be used in other cases where our moral compass maybe wouldn't sway our judgement as much.

The only justice we can enact, flawed at rational reasoning as we are, is a dispassionate justice. One where we as much as possible defer to the few rational facilities we have. Weak, but nonetheless, logical and rational thinking, is what we must base our arguments upon, as we are so easily swayed by our instinct to protect our children at any cost, often with little regard to what consequence it might have in a distant future.


I'm confused by your reasoning here. If we agree that the files are definitely on the system how is it a "fishing expedition" to want to see those files for further investigation. A fishing expedition would be forcing everyone to submit their devices for inspection on the off chance of finding evidence - this case is one where the evidence is known to exist and a person is refusing to hand it over.

The less emotive case would be the hard drive contained bank statements for tax avoidance - and I would still think that a court should be able to compel someone to produce that.


> this case is one where the evidence is known to exist

If that's the case the files aren't needed, they want to see the drive contents on the off chance of finding some other evidence.


Would you like to go to trial and attempt to persuade 12 non-technical jurors that "hashcodes" unequivocally demonstrate beyond any reasonable doubt that there is child porn on the external hard drive?

It's a foregone conclusion technically that the illegal content is on the hard drive. His guilt is not a foregone conclusion (not in the US anyway).

If you visit https://www.justice.org/sections/newsletters/articles/fifth-... and search for "foregone conclusion" you will get some good info.

The file hashes basically takeaway any good self-incrimination argument he could make and there might also be evidence of further criminality on the hard drive.


So it's True, but not True-to-a-jury True.

Sorry, but legally, the latter should be the only standard of truth. If he exposes himself to a higher standard of guilt, then he is incriminating himself.


But are we not just in the world of normal warrants here?

To my mind private spaces (be that my house or my hard drive) should have some protection, but it seems reasonable that that is less than my personal freedom.

I have no issue with a warrant being issued on a balance of probabilities basis in order to find evidence to convict a person based on beyond a reasonable doubt.

And all this ignores the possibility of discovering further crimes and accomplices by investigating the contents of this drive - if there is a balance of probabilities likelihood of find those on the drive I don't see any problems with compelling this to be revealed.


> I have no issue with a warrant being issued on a balance of probabilities

The problem with this is it isn't consistent with how the law works in other cases. For example, A judgment of 'guilty' is considered absolute, not probabilistic.


This is only part of their motivation. The other is that the prosecutor likely wants to avoid setting a precedent that future defendants can cite in their defense.


> If we agree that the files are definitely on the system [snip]

then prosecute him and be done with it. Anything else is either a fishing expedition or we don't all agree that the files are definitely on the system... in which case it's still a fishing expedition.

hashes can be inaccurate, it isn't a foregone conclusion in reality, just in their opinion.


> hashes can be inaccurate, it isn't a foregone conclusion in reality, just in their opinion.

Not really, no. The chance of multiple hash collisions on a set of arbitrary images is a near impossibility.


near is not the same thing as impossible.

I told this story before, but I once read an article about a police officer who said it was impossible for another person to have logged into an account because it was password protected, when we know that's not even close to being true.

impossible and improbable are not the same thing, and I sure as shit don't feel comfortable making the case that it's 100% locked in because of a hash.

The requirement should be for them to look at the actual content, not the hash.


> near is not the same thing as impossible. I told this story before, but I once read an article about a police officer who said it was impossible for another person to have logged into an account because it was password protected, when we know that's not even close to being true.

That's not even the same realm as this case:

> The Forensic examination also disclosed that Doe had downloaded thousands of files known by their “hash” values to be child pornography[0]

Thousands of hash collisions would require prior knowledge of the values and a concerted effort to deceive. It would be more realistic to say that human perception is broken when looking at the media than it is to argue with the mathematical reality at play here.

> The requirement should be for them to look at the actual content, not the hash.

Refusing the evidence known to exist and definitely covered by probable cause is why the defendant is still in custody.

[0] https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...


No one is arguing with the legal argument, there are a lot of legal arguments that most people don't believe should exist.

So using the law to defend yourself doesn't really apply here.

> Thousands of hash collisions would require prior knowledge of the values and a concerted effort to deceive. It would be more realistic to say that human perception is broken when looking at the media than it is to argue with the mathematical reality at play here.

This confidence is why my anecdote applies. That confidence is flat out scary when you hear people in law use terms like "impossible" or "virtually impossible" when speaking about things that are not.


This is about the only way I'm ok with what they are doing. If this is the case, then I'm 100% ok with compelling him to unlock the drive for the sole purpose of accessing those files. Anything else on the drive should be off limits as it then becomes testimonial.

To me the danger is, what if this person committed other crimes and by unlocking the drive he give the prosecution info about those crimes. In a world where the investigators and/or prosecution have gotten away with parallel construction I wouldn't expect them to play fair. I mean, realistically it sounds like they guy is guilty as sin. That being said, I'd rather he get away with those hypothetical crimes than we start allowing situations like this to happen.

So, to recap, make him unlock to read the known files (by exact path) and nothing else on the drive.


To me, this whole thing smells of the classic tactic of telling the guy, "We know you're guilty; just confess, and we'll go easy on you." Which, of course, is a lie.

So I am of the opposite opinion. If the hash information isn't enough to try him with, then I'd rather he go free, than set a precedent that it's acceptable for a court to compel someone to decrypt information because someone in law enforcement just "knows" the evidence is there. Because once this order is allowed to stand, the level of certainty required to compel decryption is going to continually be lowered.


> To me, this whole thing smells of the classic tactic of telling the guy, "We know you're guilty; just confess, and we'll go easy on you." Which, of course, is a lie...If the hash information isn't enough to try him with, then I'd rather he go free, than set a precedent that it's acceptable for a court to compel someone to decrypt information because someone in law enforcement just "knows" the evidence is there.

I'm sympathetic to why you'd be cautious, but that's not fitting in this case -- this is a highly specific case with a number of circumstances that meaningfully differentiate it from the generic case of providing decrypted media. He's guilty and the checksums are enough to convict him (we're talking many checksums, metadata, partial confessions) and this is about him frustrating the discovery process.

> Because once this order is allowed to stand, the level of certainty required to compel decryption is going to continually be lowered.

This is a slippery slope fallacy. I had some leaning towards this perspective, but then I read the source document, which goes into far more detail. There's a definite nuance to this case.


I appreciate what you're saying about a slippery slope, but I don't find that the nuance of this case necessarily makes it a fallacy. The judge has compelled decryption based on hashes of files left around in logs on the hard drive, but what if an ISP reports that files with those hashes have been downloaded by a particular IP address?

The FBI gets a warrant, executes a raid, picks up every piece of electronic equipment in the place, but can't find the files the ISP says should be there. Can the defendant, in this case, be compelled to decrypt an encrypted hard drive file or partition at this point, because law enforcement "knows" that those files are somewhere in his (digital) possession? What if it were a guest in his house? What if it were the neighbor, stealing wifi?

Based on this precedent, I think another judge could find reasonable cause to compel in that scenario. Is this a violation of the 5th Amendment? The defense FOR the judge's actions in this case -- based on other reasoning in this thread -- is that only files with those hashes could be used against him, at this point. In this hypothetical case, though, what if LE found OTHER files of child pornography? Would they be admissable? Alternatively, if they found other material (e.g, bomb-making), could it be used against him in a separate case? I'm not sure I trust the government in either one of these situations.

It seems highly likely that we'll get a government employee's opinion on precisely this scenario someday, and I don't think that this employee is going to find in a manner against his employer. As with so many other of the Constitutional protections of the Bill of Rights, they've slowly been chipped away in precisely these kinds of legal "corner cases." Sue me for being paranoid.

Have we not spent the past couple of years confirming that the "slippery slope" of catching "bad guys" has, in fact, completely eliminated the protection of the 4th Amendment for communications? You could argue that it hasn't, because the government hasn't prosecuted a citizen based on the warrantless, wholesale monitoring of any and all electronic communications -- THAT WE KNOW OF -- but it's extraordinarily clear that shouldn't be happening in the first place, according The Constitution.


I'm glad you didn't take offense to me making reference to the fallacy as I appreciate our conversation and wasn't sure how else to express that thought.

If you haven't done so, check out the source document for the article as Arstechnica didn't include some important details (and the headline "Man jailed indefinitely for refusing to decrypt hard drives loses appeal" talks past what is actually happening): https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...

> ...but what if an ISP reports that files with those hashes have been downloaded by a particular IP address? ... but can't find the files the ISP says should be there.

I think this case is particular due to the lack of breaks in the chain. In your hypothetical, law enforcement and the prosecution have _vastly less information_ than in this actual case.

Law enforcement knew the path from a remote source, to (presumably dhcp lease based) ISP records, to the laptop that accessed the content (known to be the defendant's), to checksums in logs matching a physical drive (also known to be the defendant's). Coupled with other evidence, the defendant frustrating the process by pretending to no longer know the decryption phrase, and partial admissions of guilt by the defendant, this is a vast distance than a hypothetical case of "someone from this IP address downloaded Game of Thrones Season 1 from bittorrent, so hand over anything that can store bytes" (to use a far less disgusting crime to help keep emotion away from the discussion).

> Based on this precedent, I think another judge could find reasonable cause to compel in that scenario.

Luckily, the US justice system is built on nuance; this case wouldn't hold up as a generalizable excuse to compel decryption -- which is why they're invoking the foregone conclusion rule to secure the production of evidence based on the enormity of the other factors.

> In this hypothetical case, though, what if LE found OTHER files of child pornography? Would they be admissable?

I honestly don't know. In this case, the defendant is refusing to provide (multiple pieces of) evidence that is known to exist by checksum and direct file path.

> Alternatively, if they found other material (e.g, bomb-making), could it be used against him in a separate case?

Having information on how to construct a bomb is not illegal, any more than getting a degree in chemistry is illegal, but plotting to kill people with a bomb is legally actionable.

> I'm not sure I trust the government in either one of these situations.

I agree with you, but on a different shade of the argument. I'm suspicious that the ecosystem of justice is built on securing convictions as opposed to seeking objective truths. In this case, I support the government/court based on the information I have.

> As with so many other of the Constitutional protections of the Bill of Rights, they've slowly been chipped away in precisely these kinds of legal "corner cases."

I don't know which other cases to which you're referring, but the argument to be made here is that this isn't a corner case. This is having mathematical certainty that the defendant has evidence and is refusing to hand it over.

> Sue me for being paranoid.

No law against being paranoid :)

> but it's extraordinarily clear that shouldn't be happening in the first place, according The Constitution.

Actual question: where in the constitution is this clearly stated?


> Actual question: where in the constitution is this clearly stated?

You're obviously way more legally savvy than I am. Just goes to prove that a _little_ knowledge is a dangerous thing. Totally agree on the "securing convictions" motivation.

I'm referring to the 4th, about needing a warrant to intercept communications. Is that not clearly stated? Maybe my ignorance is showing again. Doesn't the 4th -- on the face of it -- preclude any system of wholesale collection of electronic communications?


> You're obviously way more legally savvy than I am. Just goes to prove that a _little_ knowledge is a dangerous thing.

Oh no, don't feel that way. The law is a man-made thing at the intersection of logic and opinion, which is why there's so many laws and tests -- if you haven't read the source document that's linked in the Arstechnica article, I would, as it has a lot of important detail.

> I'm referring to the 4th, about needing a warrant to intercept communications...Doesn't the 4th -- on the face of it -- preclude any system of wholesale collection of electronic communications?

Law enforcement were specifically targeting traffic expected to have child pornography and the people trying to exchange it on freenet who join very-special-purposed groups. Peer-to-peer platforms depend on people being free to join, and having special-purpose groups really helps with the "probable cause" condition of the 4th.

On the back of that, the defendant gave them confirmation of his illegal acts, so this case is about recovering evidence known to exist.


Wow, that's a lot against this guy, but hypothetically couldn't compelling him to decrypt his drives based on a file hash set a dangerous precedent where police can just plant file hashes somewhere to get access to anyone's drives? Sort of the high tech version of the drug dogs that would signal on cue.


They could also plant an unencrypted drive and skip the whole getting the password step.


Then they would need access to the images and not just knowledge of the hashes.


If they're going to ignore that pesky 'staying within the law' step they might as well just lock him up indefinitely right now.


They're staying within the law -- the defendant being in violation of the law is why an order to comply was filed and why we have access to the court of appeals document.

If you don't like the process, that's a different conversation.


Eighteen months without a charge. I think they're way ahead of you. IMO, they've already abrogated his 6th-Amendment right to a speedy trial as well.


There are a lot of things that waive the speedy trial right. If a defendant files pretty much any kind of motion, the speedy trial timeframe goes out the window.


That's actually where I was going with that - maybe I should have put that /s or ;) at the end of the post after all. :)


I hope it is not sha-1


this reasoning also applies to search warrants. I believe those legal tools are simply necessary to allow criminal investigations.


It's not bizarre at all. "To be a witness against himself" is not metaphorical or ye olde English. It literally means what it says--the government can't force someone to testify against himself (i.e. to provide a confession). If the Founders had meant to say that the government can't compel someone to cooperate in an investigation at all, they would have said that.


Ahh yes, they spell out their interpretation clearly in the companion manual to the constitution.


The companion manual is called a dictionary. The word "witness" means someone who provides testimony based on personal knowledge.

If the framers had meant to say "provide evidence" instead of "be a witness" they would have said that. They were lawyers and those words were commonly used legal terms that meant the same things they do today.


I think it's about the meaning of words when the text was written.

"To bear arms" doesn't mean to have human arms, after all


I don't agree that testifying is the same as confessing. To testify is to provide a testimony (under oath), which is broader than an actual confession. The reasoning behind the 5th amendment is that nobody should be put in a position where they either have to lie, incriminate themselves, or be held in contempt of court.

If the government can't compel someone to say when, where and how they disposed of the bodies, then they also can't make someone explain how they encrypted some files.

In case they can confirm the existence of files some other way I guess you could make the case that the government can force someone to produce those files. Of course this won't tell them anything they didn't know already (which is kind of the point). Making someone produce files that may or may not exist is the same as making them testify that those files exist and that they have access to them, which I would argue falls under the 5th amendment.


The Constitution is extremely​ abbreviated because it was written by hand. Your arbitrary definition of "witness" isn't more or less correct then someome else's; these terms are negotiated over the centuries with a great deal of context.

The Fifth Amendment has been consistently interpreted to mean far more than "confession"


The Constitution is extremely​ abbreviated because it was written by hand.

?!


It's not as black and white as you make it.

If there is a warrant to search my property, I am obligated to assist if required. E.g. open the gun safe. (Hey, speaking of guns...You know what other antedquated amendment from the Founding Fathers would be really convenient to ignore...)

Now, AFAIK, no one has tested whether that still hold true of a combination safe, where the access substaintivly requires information from the accused.

And a combination safe is very similar to an encrypted drive.


"...LOCKED CONTAINERS - AN OVERVIEW: John P. Besselman Senior Legal Instructor

Law enforcement students often ask the question “can I search a locked container?” A better question to ask may be “when can I search a locked container?” The fact that a container is locked may not increase the possessor owner’s expectation of privacy but does limit the law enforcement officer’s access to the secured area. The ability to search a locked container will depend on the justification the law enforcement officer has for intruding into the area. The purpose of this article is to examine the different legal avenues a law enforcement officer can use to search locked containers. ..."

https://www.fletc.gov/sites/default/files/imported_files/tra...


Personally, I find the Genius analysis of JayZ much more readable:

    Well, my glove compartment is locked
    So is the trunk in the back
    And I know my rights, so you gon' need a warrant for that

And the analysis: https://genius.com/17560


There is law review paper[0] about this song.

> And I know my rights, so you go’n need a warrant for that . . . If this Essay serves no other purpose, I hope it serves to debunk, for any readers who persist in believing it, the myth that locking your trunk will keep the cops from searching it. Based on the number of my students who arrived at law school believing that if you lock your trunk and glove compartment, the police will need a warrant to search them, I surmise that it’s even more widespread among the lay public. But it’s completely, 100% wrong.

Caleb Mason, "JAY-Z’S 99 PROBLEMS, VERSE 2: A CLOSE READING WITH FOURTH AMENDMENT GUIDANCE FOR COPS AND PERPS", http://web.archive.org/web/20130216120816/http://slu.edu/Doc...


> If there is a warrant to search my property, I am obligated to assist if required.

I'm not sure that's true, the police are authorized to break whatever they need to if you don't assist.

As for combo safes, this seems like a good overview: http://blogs.denverpost.com/crime/2012/01/05/why-criminals-s...


Yes, they can proceed without your assistance. Also, they can charge you with obstruction with justice.


Are you sure about that? I don't think warrants require you to assist the police in their search, you simply can't obstruct them, so they can't charge you with anything.


That you can be forced to produce a known piece of physical evidence is the premise of the very article you quoted, so yes, I am pretty sure.


What's the penalty that goes with such a charge?


IDK, but you can't keep breaking the law, and have penalties stop. So it won't be one-and-done.


Yeah, but in this case you have to weigh it against the penalty for being proven guilty.

Maybe indefinite detention, and a chance at public attention is better than life in prison as a convicted child molester.


If I'm reading things correctly (IANAL, so it's very possible that I am not), it seems like there's not a lot of consensus. Some rulings say that the court can't compel you to disclose or use a password. Others say that per the Fifth Amendment it can't compel you to reveal "the contents of your mind", but can compel you to produce the protected items without disclosing the password, as those are covered by the Fourth Amendment rather than the Fifth. Yet others say that this is all bullshit and a password is merely a component of a mechanism, legally no more privileged than a physical key used to lock a file cabinet or storage room.


What happens when I ask for you to produce the password required by this super highly technical algorithm (insert lots of jargon to make the jury's eyes glaze over) called xor which will take the given file and turn it into another file that contains something illegal? Can you prove there isn't a password? Can you prove they didn't forget the password? Should forgetting a password for an encrypted file containing unknown material be cause for a life sentence?


I wonder how could one could be safe against the next hypothetical situation.

Lets suppose that there is someone motivated enough to distroy you. This people has months to mess with your system and substitute your usual decrypt command with a slightly modified version that 1) decrypts a file as usual when entered the right password and 2) runs a last extra line of code that inserts a child porn image or short video in the file. The timestamp of the decrypted file was changed to now. So you will not suspect that the file has been significatively modified also in the same operation. If the decrypt executable is closed and not easily available to examine... what could you do to prove your innocence?

Is possible for the jury (or the lawyer) to re-encrypt the file again exactly as in the first time to detect if the file was changed?


> I am obligated to assist

What does that mean though? obligation is given meaning by the penalty for not complying.


I don't think anyone would ever test this theory its too easy just to force the safe.


Not quite, IMO -- combination safes can be feasibly opened without the combination.


Encrypted drives can be opened without the password. Difficulty varies of course, but it can be done (e.g. iPhone).


> Encrypted drives can be opened without the password.

No, they can't. The way it's done is by trying many passwords until the right one is found. Once you have the right password, you can use it to decrypt the drive's contents, but then you are "opening it with the password".

(IIRC, there were some bad "hardware encryption" HDDs where the password wasn't actually used to encrypt the drive's contents, just verified against something in the drive's NVRAM; these can be bypassed. But that's not the case here.)


> IIRC, there were some bad "hardware encryption" HDDs

About those: http://www.h-online.com/security/features/Enclosed-but-not-e...

Sadly the images appear to be not working. But they were very clear: what should have been a point cloud had clear lines.


Yes they can. It's not my fault the government has access to shit hardware or that it'll take a really long time. Encryption is just a really big combination lock with a very long series of inputs.


I put you in a room with an encrypted drive and no password, and you will eventually be able to open the drive.

That you acquire the password in the process of opening it is immaterial.


That was only because they chose a weak password. With a 100+ bit password, it's impossible.


Improbable.


When the average time to unlock is equal or greater to the probably heat death of the universe this distinction ceases to matter.


You could also get it right on the first guess, so its improbable not impossible.


True, though 100 bit passwords are extremely uncommon. Even deadhorsebatterystaple claims to be less than 50.


it's not similar at all. No one can prove that an encrypted drive is an encrypted drive and not a random number. whereas a safe is plainly a safe.


While it's true in a mathematical sense that one may not be able to prove that a sequence of seemingly random bits is an encrypted files that is not true in a legal sense. The law isn't about proving things 100%. The law is about weighing the available evidence and proving things to various standards (preponderance of the evidence, beyond reasonable doubt, etc).

For example if if there are server logs showing I downloaded illegal files, and there are people who testify that I talked about downloading illegal files, and there is non pre-installed software on my computer that is used for encryption then probably that sequence of random bits is an encrypted file.

Maybe you can't prove it mathematically, but you can prove it legally.


the standard is "beyond reasonable doubt".

A doubt which you cannot reason away is reasonable, by definition. Therefore it is below the threshold of legal proof.


That's not what the legal term "beyond reasonable doubt" means. Beyond reasonable doubt means that a reasonable person would have no doubt that the party in question was guilty.


An encrypted drive will typically contain metadata identifying it as such, so no.


There is something, I believe called shadow volumes, which are completely metadata less encrypted containers living in a sea of random numbers. While you could claim that the existence of a program able to acess such a volume would be equivalent to metadata, no actual metadata needs to exist, and the random sea could contain one or ten volumes, which without a password you could never know, only guess or assume.

It is could even be possible, even likely, to create encryption schemes where several different encrypted volumes could share the exact same data blocks using something similar to homomorphic encryption. Which raises and obvious question: If the unlocked drive did not contain the data sought, can we hold someone in contempt after they did what we asked from them simply because we didn't find what we were looking for? Because we truly can't know if there is several encrypted volume in the same space without assumptions about information entropy and inaccessible configuration data.

Thankfully homomorphic encryption is not really practically viable today, so that particularly nasty can of worms is not imminent to solve, but we might be well served to let out decisions be informed by it, as it breaks most assumptions of what can be known, and what can't.


Can you explain wherein this obligation is spelled out?


"no one should be compelled to witness against oneself"

More specifically, no one should be compelled to assist the government in one's own prosecution.


The text of the fifth amendment says no one should be compelled "to be a witness against himself." It prohibits one specific way in which someone might be compelled to assist in one's own prosecution.


The supreme court is unelected, and are the supreme authority in this nation, above president and congress. the solution is simple - make the supreme court stand up to elections.

America has had atrocious decisions from the supreme court. In Dred Scott, they said black people have no rights because they are black. In Roe v Wade, the abortion laws of 47 states were struck down by 5 oligarchs. No matter what you believe about black people or abortion, it isn't right that 5 unelected people should determine the fate of a nation, able to overrule every state and federal law with no consequences.


I don't see U.S. (or any) elected officials, including Congress and the White House, making better decisions. All have made atrocious decisions.

The argument in the parent is well-worn, but it fails serious consideration if it ignores the facts that the U.S. courts interpret laws made by the elected officials, that the judges are appointed by elected officials, that their unelected status is established by elected officials and a national referendum (i.e., the votes that established the Constitution), and the reasons for their unelected status.


If 47 states still wanted abortion to be illegal, they could certainly have made a constitutional amendment through their elected representatives in Congress and state legislatures. The fact is the restrictions were quickly eroding at the time of Roe and 20 states had already passed laws making specific exceptions including 3 where it was legal.


The supreme courts and indeed the judicial branches role is spelled out in the constitution they aren't given unlimited discretion to rule by fiat they are given the power within the boundaries written into law by the legislative and enacted by the executive to interpret the law. Don't like their interpretation? The other branches have the power to change the underlying law. Your statement is the sour grapes of those whose wishes are too unpopular to become the law of the land.


Democracy isn't an end in itself. The Supreme Court has consistently made better decisions than the democratically elected branches of government.


I agree that the sheer power and reach of SCOTUS today, and increased partisanship in practice (even though everyone pretends it's a non-partisan body), does necessitate some reform. But electing judges makes no sense - you might as well then just give the fullness of power to Congress, a la UK's parliamentary sovereignty.

What I think we should do is revisit what exactly SCOTUS does, and why. Right now they basically have the final say in any question of constitutionality, and the outcomes are either "it's constitutional" or "it's unconstitutional". I think that's wrong - the third possible outcome should be "Constitution is ambiguous on this". Currently this gets folded into one of the other options, depending on the majority of the court, but I think it's a poor model - if Constitution really is ambiguous, I don't want a simple majority of a few unelected people, many of whom are quite partisan, to make that decision.

Instead, I think this option (ambiguity) should be explicit. The way it would work is something like this - if the court decision is unanimous (or maybe with at most one dissenter) one way or the other, then it's assumed that the Constitution is really unambiguous on the subject, and that's the ruling - same as now.

But if you get a bigger split, then the ruling is automatically "ambiguous". At that point all the disagreeing parties on the court should have to sit down and write a short opinion on what changes to the Constitution they would require to make the other side's opinion unambiguously correct (if there are more than two sides - which can be the case if different judges rule the same way for different and unrelated reasons - then such opinions should be written for all parties other than the one in question).

Then, those opinions are automatically submitted as proposed constitutional amendments to the states for ratification, per usual procedure, except that each state can only ratify one at a time, and there's a reasonable time limit. If one of the amendments wins, then (since all judges have already stated under oath that this is what is required to remove any ambiguity) the ruling is in favor of the corresponding opinion.

If none of the amendments get the requisite majority of state ratifications, then court decides based on simple majority, just like today - but the resulting decision is not considered binding precedent, and only applies to that one case. If the same ambiguity arises in future cases, the process has to be repeated.

Ideally, this should be combined with a lower bar for constitutional amendments - 3/4 of states is really quite ridiculous, given the sheer number of them, and population differences. Something like 2/3 would be more sensible. Although ideally it should incorporate direct popular vote in a referendum as well, in a series of cascading vetoes to check each other - e.g. 2/3 of popular vote is enough to amend, but a simple majority of states can veto that, but 3/4 of popular vote can override the veto.


This is the part of the system which makes me scratch my head.

The constitution is the source of where the courts derive their power. Being able to change the level of power you have seems to be against the constitutions purpose of defining, limiting, and binding the Govt.

Article III, Section 2, Clause 1 of the Constitution states:

The judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution,

.... Not OVER the constition... Under it.


That kind of parsimonious interpretation has no legal bearing. A dispute over the meaning of the Constitution would naturally arise under [the laws of] the Constitution.

It should also be noted that it was long-standing British common law that courts ruled on the interpretation of law, and that there was ample precedent in the US revolutionary period of state Supreme Courts voiding state laws under state constitutions. Virtually every reference to the notion of questions of constitutionality pre-Marbury v Madison accepts that the judicial courts would play a role in this regard. The only extent to which the decision would have been surprising would have been in arguing whose opinion won it in the case of conflicts. (Note that nullification crises continued up to the Civil War).


This makes a lot of sense. How'd you "bootstrap" such a system in place?


It would require a constitutional amendment.


Checks and balances


Yes!

Diversity. All systems have failure modes (current fav: utility monsters).

By combining multiple systems, you limit the severity of a failure of any one system. All participating systems must be in a failure mode for the overall systems to be in a failure mode.

If the Supreme Court were elected, it would suffer from basically the same failure modes as other elected offices, and would be able to provide a systemic durability against those failure modes.


Some discussion overlooks that this is a special case:

... the appeals court, like the police, agreed that the presence of child porn on his drives was a "foregone conclusion." The Fifth Amendment, at its most basic level, protects suspects from being forced to disclose incriminating evidence. In this instance, however, the authorities said they already know there's child porn on the drives, so Rawls' constitutional rights aren't compromised.

The Philadelphia-based appeals court ruled:

Forensic examination also disclosed that Doe [Rawls] had downloaded thousands of files known by their "hash" values to be child pornography. The files, however, were not on the Mac Pro, but instead had been stored on the encrypted external hard drives. Accordingly, the files themselves could not be accessed.

The court also noted that the authorities "found [on the Mac Book Pro] one image depicting a pubescent girl in a sexually suggestive position and logs that suggested the user had visited groups with titles common in child exploitation." They also said the man's sister had "reported" that her brother showed him hundreds of pictures and videos of child pornography. All of this, according to the appeals court, meant that the lower court lawfully ordered Rawls to unlock the drives.


The critical question is, why haven't they charged him? It is disingenuous of them to bring up the evidence they currently have essentially in an attempt to demonize him. Their evidence is sufficient or it isn't; if it is they should charge him; if not they're demanding self-incrimination.


You need to distinguish between requiring the defendant to turn over incriminating evidence (which the 5th amendment does not protect), and requiring the defendant to make incriminating statements (i.e. to provide incriminating testimony).

Sometimes, the act of producing evidence in response to a government request involves the defendant making implicit incriminating assertions. If the government says "produce all your cooked accounting books," handing over those documents implicitly communicates the assertions that (1) certain books exist; (2) those books are doctored; and (3) you have ownership/control over them. However, say the government asks you for your bank records. When you hand them over, you're implicitly saying "I have bank records," and "these are my bank records." That's not incriminating -- even if the bank records themselves might contain incriminating evidence.

The "foregone conclusion rule," says that the act of production is non-testimonial when the incriminating facts are already known.[1] If the existence of doctored books is already known by other means, the act of producing them doesn't communicate anything to the authorities. The books themselves are obviously communicated, but the 5th amendment does not protect the underlying evidence. It protects the implied statements by the defendant about the underlying evidence.

Hence the threading the needle in the opinion. They're not asking the guy to make incriminating statements about the existence of incriminating evidence. They're asking him to turn over the incriminating evidence they already know exists.

[1] Note that the Court is not saying "we already know he's guilty so the 5th amendment doesn't apply."


Quite aside from anything else, can someone explain whether or not the same logic would apply to (for example) asking someone to open a safe vs. the code to open the safe. It seems like this ruling would say that failing to open the safe is functionally the same?

As a gratuitously distorted example, lets say i had cooked accounting books in a spreadsheet on my computer, and they were encrypted by a random password that /i/ do not know, but have on a memory stick in a safe. It seems that logically that would be equivalent, but i also am very much not a lawyer so am perfectly willing to accept i am missing nuance of the law.

Outside of the law i don't like the forgone conclusion stuff - for example, revolution period you could say hanging out with revolutionaries regularly could reasonably conclude your documents include a calendar for revolutionary meetings so you should be required to provide that information and/or information required to receive that. Obviously that's some contorted logic but i don't think it's that far removed from this.

I would argue that a hash match should be sufficient, and i would be convinced that (absent other information and details) this was evidence that he's a pedo, but i can see how a lawyer could create reasonable doubt where in reality there is none (specifically referring to hashes here, nothing else).

Of course i can't serve on a jury (and apparently knowing what you're talking about may be disqualifying? :-/)


> Quite aside from anything else, can someone explain whether or not the same logic would apply to (for example) asking someone to open a safe vs. the code to open the safe. It seems like this ruling would say that failing to open the safe is functionally the same?

Basically, judges don't agree on which way this scenario comes out.

> Outside of the law i don't like the forgone conclusion stuff - for example, revolution period you could say hanging out with revolutionaries regularly could reasonably conclude your documents include a calendar for revolutionary meetings so you should be required to provide that information and/or information required to receive that.

The "foregone conclusion" stuff is narrower than Ars makes it out to be. The gist of the 5th amendment is that the government can make a defendant do things but not transfer information.[1] Sometimes, an action can implicitly transfer information. The foregone conclusion rule just says that if the government already has the information, then the action does not additionally transfer information.

In your hypothetical, the foregone conclusion rule would not apply because even if the government "could reasonably conclude" that you have a calendar, producing it would still confirm that conjecture (and thus transfer information). But if the government knows you have the calendar, however, because your sister testified that you keep a calendar of revolutionary meetings, then producing it becomes a pure action.

[1] I'd actually argue that the gist of the 5th amendment is even narrower than that: the government literally can't put you on the stand to testify against yourself, or enter into evidence a coerced confession. That's it.


How this works if there is other evidence in the HDD, for example piracy, list of stolen goods, location of bodies he buried. How 'foregone conclusion' can be applied?


Thanks for the answer! :D


a safe will simply be cracked if there is a warrant. easy as that.


Kind of missing the point: let's say it's a safe that is incredibly difficult to crack, and there's a 90% chance of making a mistake that will trigger a failsafe that will destroy the contents of the safe. In that scenario, the authorities would be unlikely to attempt to crack it.


If I understand the parent post, it's basically protecting you against the "leading questions" of investigation...?

You opening the safe cannot be used as evidence against you; that would cause your action to be "testimonial", and protected. The contents of the safe are evidence, and not testimonial.

If I'm understanding this correctly; it would be like saying "open the safe with the illegal weapons in it", and pointing at the safe. If you open it, does that mean you're admitting the weapons are illegal?


> If I'm understanding this correctly; it would be like saying "open the safe with the illegal weapons in it", and pointing at the safe. If you open it, does that mean you're admitting the weapons are illegal?

Kind of, yes. The non-contrived situation where this comes up is with subpoenas. A subpoena will request specific documents or specific kinds of documents. Responding to the subpoena requires making judgments about what documents are responsive to the request, and there is an implicit assertion that documents produced fall within the scope of the subpoena request.

So the government cannot, for example, make you "produce all accounting records containing false numbers." Producing documents in response to that comes with the implicit admission that the accounting records are false. The government can eliminate that problem simply by asking for all accounting records.


Thanks for the lucid explanation.

What befuddles my non-lawyer mind is that why such evidence is needed in the first place. If it's established firmly that someone has piles of illegal files, then for the sake of their incrimination, why do the files need to be produced at all?

If on the other hand, the files are being requisitioned for purposes unrelated to the the defendant's current outstanding culpability, then what laws does that kind of thing fall under?


IANAL, but from reading about this case (and opinions from actual lawyers), I believe it's because they actually don't have the evidence to convict (or they believe the evidence they have, absent the files on the encrypted drive, are not enough, or at least not enough for the sentence they want). They know the evidence on the drive exists, but cannot get up in front of a judge and jury and say "because we found these hashes in the logs, we know there are these files on the drive". They have to actually produce the files themselves.

So, you might say, ok, then that means asking Rawls to unlock the drives is asking him to incriminate himself, and that's not cool. But still, go back to the "foregone conclusion" bit: this isn't a fishing expedition to see if they can find evidence of wrongdoing. They're not asking him, "Hey, do you have any child porn on your hard drives? If so, give them to us." If that were what they're doing, Rawls would be perfectly in the right to say, "I do not have any files to give you". They know, based on the log files, that the incriminating files are on the drive. They are merely requiring Rawls to produce evidence that they know exists, and his refusal to do so is unlawful. Just as if someone refused to turn over bank records that the authorities knew existed.

I know I'm not explaining this perfectly (IANAL, as I said), but hopefully this helps?


I'm not so confused about the legality here as much as I don't understand why they need the files at all if they have irrefutable evidence that he has them.

If I have sales receipts and camera footage showing you purchased 100 Led Zeppelin CDs, do I need to see the CDs in person before I know you have good taste in music?

I'm guessing this has something to do with the subtleties of admissible evidence versus 4th amendment stuff.


If you refuse to hand over subpoenaed evidence you can be held in contempt of court which usually results in some sort of fine, but could potentially result in jail time. Note that this all occurs before your conviction, so time spent in jail for contempt does not count towards your eventual sentence.


Yes, but why are the files needed if it is know which files the drive contains based on hashes, as thousands of hashes matching known images should be plenty to convict on ?

Maybe the hashes can only tell that some drive contains the images, and the prosecutor believes it is this particular drive, and tries to avoid having to deal with that defense ?

If there is evidence that the particular drive contains those images, why bother with the drive at all ? This is the part that doesn't make sense to me.


Because without the images, you have to lead a jury through the fundamentals necessary to make them believe, beyond a reasonable doubt, that the presence of certain strings of hexadecimal digits in a log file is conclusive evidence in its own right. Because failure to do so means that the defendant walks free. Because as long as he's in contempt, he's behind bars indefinitely, so why attach a specific term to his incarceration unnecessarily?


>However, say the government asks you for your bank records. When you hand them over, you're implicitly saying "I have bank records," and "these are my bank records." That's not incriminating -- even if the bank records themselves might contain incriminating evidence.

Here's what I'm missing: why doesn't, in a similar vein, the government simply ask him to unlock the hard drives without any claimed assumption as to their contents?


I suspect that's what happened. But the court gets into the whole issue with Fisher to address an argument that the defendant made. IMHO it was unnecessary to even go down that road.


I must say I find this logic quite unconvincing.

What is a confession but a piece of evidence stored in memory made of biological matter?

How is it different to grant a confession where the memory is electronic rather than biological?


I see a pretty bad course of events.

"Lay inside this fMRI machine for an accurate brainscan if you are lying, and image retrieval of the time in question. Or you will be put in jail until you do."

And I also seem to remember a certain dead salmon who in an fMRI, showed amazing brain activity(!).


> "Lay inside this fMRI machine for an accurate brainscan if you are lying, and image retrieval of the time in question. Or you will be put in jail until you do."

Yeah, exactly.

It seems to me that unless we decide that memories stored in digital media is subject to the same sorts of rights against intrusion from the state as memories stored in biological media, the scenario you describe is inevitable precisely because the line between these two types of memory will be increasingly blurred.


And for ease of reading, I'll reply to my own comment with other interesting issues:

* "The fact remains that the government has not brought charges," [his attorney] Donoghue said in a telephone interview. It seems a warrant is at issue, if I understand correctly.

* The contempt-of-court order against Rawls was obtained by authorities citing the 1789 All Writs Act. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple

* The authorities, however, said no testimony was needed from Rawls. Rather, they said, (PDF) "he can keep his passwords to himself" and "produce his computer and hard drives in an unencrypted state."

* My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself.


> My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself.

Except that's not how it works, and that's not what the 5th protects against. Let's say you have bank records that incriminate you in some money-laundering scheme. The authorities know that you have these records, because an associate of yours has informed them that you do. The protection against self-incrimination is about transfer of information, not about pure action (even if that pure action implicitly transfers incriminating information). The incriminating information would be "I have bank records that detail illegal activity". The authorities already know that; they do not have to ask you to provide that incriminating information. However, it is absolutely within their rights to say "give me all your bank records dated from X to Y", and yes, you must comply.

Sure, you can try to provide incomplete or doctored records, but if they're able to prove that they're incomplete, you're in contempt of the court order, and they'll likely add obstruction of justice or evidence tampering to the list of charges.

In the narrowest possible view, the 5th protects you from being put up on the stand and to be coerced into a confession. Some/many judges interpret it a bit wider than that, but it seems few would find the request that Rawls turns over the files in question to be problematic.


And what happens if the one who testified that you do have the records lied? Do you go to prison for not producing documents you do not have? How would you prove you don't have them? What if you had them but shredded them once you didn't need them (because you shred all bank information, nothing special about these records)?


"My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself."

That's a good point. They either have proof he downloaded child porn or they don't. They're definitely trying to do more than prove it. Probably set a precedent increasing their power as usual.


"so you, Mr expert witness, are telling me that hashes collide? What's that you say, there are actually people who actively look for and produce such hashes for fun?? Ladies and gentlemen of the jury..."

And so on. I'm pretty sure pedophile is near the top of the "you better make damn sure they don't get off" list.


>I'm pretty sure pedophile is near the top of the "you better make damn sure they don't get off" list.

It's not illegal to be a pedophile. It's illegal to possess child pornography.


They have some evidence that he downloaded child porn, but it's the trial and jury that will evaluate if it's sufficient beyond all reasonable doubt. If they believe that current evidence has some chance of being not sufficient and there's extra incriminating evidence, then it's their right and duty to obtain that before passing it on to the court.

You can't answer the question "if they can prove" before court, as it's decided only then. You must finish the evidence gathering before you have a judgement on that.


It could be that they want the drives unencrypted in order to help other investigations into the sources of the material, and think it will be better to compel him to release it before sentencing so he can't use it as leverage to lessen his sentence.


This is my best guess also, it does however not appear to be in the spirit of the law.


They want to establish useful precedent ideally


I've never understood the foregone conclusion doctrine. If it's a foregone conclusion, the search should be unnecessary, not a special privilege.

IIRC, he also stated that he has forgotten his password (and after 18 months, it has become believable).


The forgotten password is my concern here, God help you if you're an innocent person in this situation!

Edit: whether or not it's true in this instance.


It's a forgone conclusion that the Constitution is inconvenient to law enforcement, so they ignore it or try to change its meaning.


The existence of the child porn might be a forgone conclusion, but there is a lot of other stuff on the hard drive. And that other stuff is not a forgone conclusion. So by decrypting the hard drive, he would be giving them information that is not a forgone conclusion.


I believe the persecution would argue that any newly discovered evidence can simply be excluded by the court. The legal system's philosophy is that it should be all-powerful, and that it will parcel out what it deems to be our rights.

Of course, Free people know that rights are obtained and maintained by individuals themselves - eg the second amendment.


Sitting directly in front of me are two moderately large encrypted hard drives the passwords for which I forgot. If I get a subpoena to produce their contents, I will potentially remain in jail of the rest of my life for the crime of being forgetful.

That judge's behavior and (the laws that enables it) is sickening. You either have enough evidence to convict a person, or you don't.


The Court's opinion explicitly addresses that (at 18-19). It first recognizes that impossibility of compliance is a defense to a contempt charge. But it then explains why the trial judge reasonably did not buy that argument:

> At the contempt hearing, the Government presented several witnesses to support its prima facie case of contempt. Doe’s sister testified to the fact that, while in her presence, Doe accessed child pornography files on his Mac Pro computer by means of entering passwords from memory. Further, a detective who executed the original search warrant stated that Doe did not provide his password at the time because he wanted to prevent the police from accessing his computer. Doe never asserted an inability to remember the passwords at that time.


Unfortunately the opinion seems to show serious forgetfulness on their own part. On page 7, "Doe, however, stated that he could not remember the passwords necessary to decrypt the hard drives and entered several incorrect passwords during the forensic examination." These events took place after the original search warrant but before the finding of contempt. It's curious that these facts are included in the background section but not the legal analysis.


18 months later, though, it is completely plausible that he really has forgot. I don't think I would remember a complex password that I haven't used for 18 months. Hell, I sometimes have to reset simple passwords that I created last month. If you don't use knowledge, you forget it.


Perhaps, but the judge can only make judgements based on the arguments presented.

If the defendant wanted to argue that he no longer remembered the password (but would be willing to decrypt the drive if he could), then that's something that the judge would consider. But a judge can't (and won't) simply say "Oh, maybe he hasn't complied because he just forgot the password. I'm going to let him off"


Its literally impossible to prove someone has or hasn't forgotten something. You shouldn't be able to jail someone indefinitely for not producing something you can't prove exists.


Yes, but that's fairly well tested ground and isn't unique to this case.

Witnesses (in the sense of being called to that stand in a courtroom) are frequently asked to tell the court what they saw/heard/did, or from where/whom they received information. Refusing to answer may get them pulled up on contempt charges, and if they claim not to remember then the judge needs to decide whether they are lying.

Given the impossibility of proving (in an absolute sense) that the witness does in fact remember (at that exact moment), it's a game that witnesses are likely to get away with (hence the standard "I don't recall" answer from politicians and beuracrats​), but it's not a universal solution to the "I don't want to tell you" scenario.


I think that the difference is that people are generally good at remembering the details that judges are normally interested in. People are notoriously bad at remembering passwords.


That's not something that's going to trouble US authorities given that the US invasion of Iraq was alleged to have been because the Iraqi leadership couldn't demonstrate that there were no "weapons of mass destruction" hidden somewhere in the country.


Our justice system, by and large, rests not on proving the truth or not, but on a (idealistically) rational group of peers deciding both on the probability that a crime occurred and the justification/reasoning of both the crime itself and the law criminalizing it. Beyond that, it rests on a legal system (police, courts, etc) that, by and large, also act on notions of reasonability and discretion to bring forth evidence that will inform a jury's decision. As we have seen in many high-profile examples, the system is imperfect - it is human, and in many prominent cases (from exoneration of lynchers in the 1930s to indefinite detention today) it fails in disturbing ways. It is because of intentional vagueness that these failures arise, but it is also by this vagueness that unique exceptions arise. In this case, I don't think that the decision necessarily sets precedent for all of us with hard drives for which we have forgotten the password. I don't necessarily agree with the indefinite detention (although I do not claim to know the scope of other investigations that might rely on the evidence on those drives), but I think the circumstances are positioned such that this decision is an exception to our system rather than the beginning of a slippery slope. Of course i might be wrong, but I wouldn't decry the end of privacy just yet.


When the original case surfaced I was wondering the same. If they had (real) evidence that your encrypted hard drives have CP, then I'd be okay putting you in jail (;

However, if that was the case then they wouldn't need to decrypt the drives, so this whole case smells quite a bit.

AFAIK there is a similar situation in the airport immigration; if you are an US citizen and don't want to provide a password for an encrypted device, they'll make you have a bad time, then throw the device and then let you in. Same for foreigners except with a flight back instead of letting them in. The bad time they give you basically depends on the immigration officer.


mmm this poses an interesting question: what if a defendant/suspect cannot remember the password? Does anyone know if there is any comparable precedent regarding forgetting things?


If you're a politician, "I don't recall" seems to work wonders for depositions.


Only if you are too powerful to jail


More and more I'm convinced that the only solution is data destruction on a fail-deadly system. Like a warrant canary, if it's your default operation, you should be alright. As I always add though, don't keep your family photos on that drive.


I don't understand what a fail-deadly drive would look like. Can you give an example?


I'd imagine you'd have to do a task (like inputting a passcode) every so often or the drive would be made inoperable.

For SSD's it'd be as simple as an automatic single pass overwrite and a new encryption key. For HDD, the hyper-paranoid could rig their drives with small explosives to fracture the platters.


^This. In fact you can buy readymade solutions now which physically destroy the NAND gates on the input of a code, or as you say, if you fail to input a code within a time limit.


An example I've given here before is: http://securedrives.co.uk/

There are other solutions though, and of course you can make your own if you feel confident about it.


Unless you've been engaging in online noncery and have amassed a gigantic collection of photographs and videos of child abuse like the scumbag described in the article has evidenced, you should be absolutely fine. It's certainly not the judge's behaviour that is sickening here.


"You've got nothing to hide" is not a valid argument.


But the guy clearly had a massive stash of child pornography to hide, so I'm not really sure what your point is.


Isn't the man innocent until proven guilty?


The court accepted evidence that he'd downloaded and shared all manner of such filth, including both technical evidence and testimony from his sister.


Then why couldn't they convict him on that evidence?


This is my main gripe. You either have the evidence to put the defendant in jail or you don't. If you don't have enough evidence to support putting him in jail, you let him free.

Innocence until proven guilty. I don't want to live in a society where law is determined by emotions and personal bias, even if some criminals end up escaping justice.

Side note: I can't believe I feel the need to state this, but evidently it needs to be stated (from comments in this thread): these two drives where set up as part of a backup solution. They contain my personal data. They do not contain child pornography.


The ability to convict a particular case on a particular set of evidence is unknowable before trial, where the facts are decided by a jury. It would be irresponsible for a prosecutor to attempt a trial if they know stronger evidence is available.

The prosecution was able to convince a judge that there is encrypted child pornography on those drives. The judge can't force a jury to accept that (a ruling of fact), but (s)he can make a ruling of law that the defendant no longer has a fifth amendment defense to producing a decrypted version of those drives.


Here's a recording of the oral arguments for the US Court of Appeals, Third Circuit back in September: http://www2.ca3.uscourts.gov/oralargument/audio/15-3537USAv....

The gov's argument seems to be that because the defendant doesn't have to give the government the password but rather produce the decrypted hard drives, his actions aren't protected under the fifth. Analogy drawn with unlocking a safe.

EFF counter-argument to the safe analogy is that the encrypted documents do not simultaneously exist in a decrypted form protected by an obstacle, like a safe, but rather are produced as an act of translating the data from decrypted to unencrypted form; the government already has the data on the drives, they just can't understand it without the contents of the defendant's mind.

Justices then press the gov lawyer on whether there are fourth amendment issues in the case, as in whether the government can search all files on the hard drive, if decrypted, for evidence of criminality beyond the specific files they seek. Gov lawyer punts on the issue.

Basically it seems like a steep hill for proponents of encryption. The justices talk about how we're heading for a world where almost everything is encrypted, and encryption proponents are asking the government to give up an enormous amount of power.


The distinction is interesting. I wonder if there's a precedent somewhere in which someone wrote a diary in some form of code and was asked to produce the unencrypted diary.


Can you be compelled to provide something that you don't have access to? Were anyone else in this situation, wouldn't it be plausible to simply claim you don't know that password?


I've wondered about scenarios where you can legitimately claim to not know the password to decrypt a drive. A few different cases I can think of which may be ruled differently by a court.

1) I use a password manager so I don't know the password. However, I have the means to acquire the password.

2) I use a password manager but somehow lost access to it unintentionally.

3) I use a password manager and lost access to it by design. (eg. Using a dead man's switch of some kind that deletes it if I don't "check in" for some period of time)

4) I used to know the password. However, I suffered a traumatic brain injury and cannot recall it.

I obviously don't have the answers but I think these are interesting to think about as different points in a large legal grey area.


one i've ben thinking of is a shuffled keymapping or keyboard - you know what password you type, but not what it actually translates into.


Not bad, but that key-map would have to be accessible unencrypted from the encrypted device no? Unless somehow hard-mod a physical keyboard or something?


There is ample precedent for forgetfulness in the courts. Imagine a scenario where you are called as a witness in a case against someone else and you say that you can't remember what you saw. If there is evidence to support the idea that you are lying (say, you're being asked an easy question about something that happened yesterday) you can be held in contempt.

If there is reason to believe that you are telling the truth (say, you're being asked which of two parking spaces you saw a car in 10 years ago) then you're fine.

Same thing goes here. Rational disinterested people (a judge or a jury) will look at the available evidence and make their best judgement about whether you are telling the truth when you say you can't remember.


Thought experiment: What if there were an encryption system whereby if a user inputs one decryption key, the encrypted data decrypts to one set of values and if the user uses a second key, it decrypts to a second set of values.

Sure, in order to encode both sets of data into a single encrypted result would require more storage space, but that is a small price to pay for protection against self incrimination from our ever growing police and surveillance state.

The end of the article captures why this idea would be so effective, viz. "The authorities, however, said no testimony was needed from Rawls. Rather, they said, 'he can keep his passwords to himself' and 'produce his computer and hard drives in an unencrypted state.'"

It is absolutely true and valid that the government has the right to compel people to hand over evidence that they are KNOWN to possess (in the same way that legal discovery is essential to civil cases). The line the government is drawing between self-incrimination and forced cooperation in an investigation is they they don't want him to tell them the password or what is on the drives -- they simply want him to hand over the drives in an intelligible state. Thus, if one could decrypt the drives to an intelligible set of data but not the data they desire, then you would be complying with the court order and could not be held in contempt.

Can someone on HN who knows more about cryptography help poke holes in my idea?


Truecrypt has hidden volumes.

There's also https://en.wikipedia.org/wiki/Rubberhose_(file_system) and others: https://en.wikipedia.org/wiki/Deniable_encryption

Same general principle, you allegedly can't prove the hidden volumes exist unless you have the decryption key.


This is possible, at least in some contexts. I'm no expert, but the bitcoin wallet, Trezor, has implemented this - known as "plausible deniability".

The idea is if you are compelled somehow by force to unlock your bitcoin wallet, you can use a secondary password that assumingly has less bitcoin than your regular bitcoin wallet.

https://news.bitcoin.com/bitcoin-wallet-plausible-deniabilit...


Thought experiment: What if you kept two sets of bank records for your business. One set of bank records were truthful and demonstrated your guilt. The others were falsified and demonstrated your innocence.

What would happen if, after your bank records were subpoenaed, you hand over the falsified records?

Well, you'd be committing a crime. Maybe you get away with it, or maybe law enforcement figures it out and you get caught. Depends on how clever of a criminal you are.

Same thing here with your double-plaintext encryption.


Hmm... I believe there may be a distinction here. Decrypting to the false virtual contents would be more like presenting a copy of the bank records that were correct, but the file had been corrupted and the data was unusable. However, the corrupted but true records had been created before the subpoena (not trying to obstruct) and were handed over in good faith.

You wanted the contents of this drive? Here they are!

The owner of the drive is definitely in a legal and moral grey area, but it would be supremely difficult to prove mens rea in this case.

Interesting thought experiment: What happens when someone fills a hard drive with junk data and then encrypts it, then gets subpoena'd for the unencrypted contents of the drive?


The scenario you describe is not at all like the situation at hand. Data corruption and encryption are not the same thing as encryption is a fully reversible process.

Further, the owner of the drive is not in a legal or moral grey area. They are in a "black" area where it's quite clear that they are being intentionally deceptive in defiance of a court order.


> Sure, in order to encode both sets of data into a single encrypted result would require more storage space, but that is a small price to pay

You moved on from this aspect too quick. The "price being paid" isn't the economic cost of more storage space, but the technical fact that your ciphertext is clearly capable of containing more information, and therefore probably does. This is a fundamental constraint of steganography.

The general answer to this is to align the size of the ciphertext with some larger more-fixed volume size that has another plausible reason for existing. With Truecrypt you could say "I created a 1GiB volume as a nice round number for future storage, even though I only ever stored 100MB on there". With a general steganographic filesystem you could say "I bought a 4TB disk even though I didn't put much on there", etc.

But note these arguments are only suggestive and not open-and-shut. If one has a data-hoarder amount of hard drives but only reveals enough data on them to fill up a decade-old single drive, they aren't going to be believed.


You can't get two different sets of cleartext from the same ciphertext (except collisions, which is impractical and can be excluded for practical purposes). Of course, you can store few sets of ciphertext and decrypt depending on provided key/password, but watching disk IO may reveal that parts of disk are getting skipped. Basically, it all boils down to the competency level of the examiner.


Well, having an encrypted storage that uses interleaved blocks for storage would allow you to have multiple versions of the data at the cost of 2x (or #x) the data storage of the largest partition. You could even throw in some parity to make the image resilient to damage. Software could then use the key provided to find the set of blocks it opens. Software wouldn't need to know anything beyond the basics of block size and number of parity blocks after it was created. Each read/write would read all the parallel blocks at once and write them all at once. All watching that would do is let you know which blocks changed. And that is assuming you can observe usage beforehand. If not, then you have no idea how many real data partitions there are or if you were given a bogus password. That being the idea behind plausible deniability.


Encrypted data should be indistinguishable from random, so if you had an encryption system that randomised the unused portion of your disk nobody except yourself would know whether there was data there or not.


They also have a set of hashes of files they expect to find. If they don't find those files, they'll probably ask more questions.


How can they be sure that files weren't deleted?


You want to outsmart the cops, be my guest.


I think this is wat TrueCrypt does (did).


More

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: