Man jailed indefinitely for refusing to decrypt hard drives loses appeal (arstechnica.com)
319 points by davesailer 334 days ago | 393 comments



This reads as extremely bizarre. I mean, reading the fifth amendment makes it pretty clear - no one should be compelled to witness against oneself. However, it looks like the current executive and judicial are thinking "well, those Founders were just idiots for putting such an amendment in, clearly it'd be much easier to prosecute people if we could compel them to witness against themselves, so why don't we just ignore it and put people in jail indefinitely until they agree to witness against themselves?". Terrifying that it is so easy for them to completely ignore all constitutional protections.


Your interpretation of the 5th amendment is quite different than it has been historically interpreted by the courts.

For example, in a trial, the prosecutor might subpoena some documents and you cannot refuse to turn over those documents, unless doing so would trigger a 5th amendment assertion. Turning over the documents implicitly testifies to at least two important pieces of information: that the documents exist and that you know about the documents.

So if you're asked for the documents and the prosecution has no evidence that the documents exist or that you know about them, the 5th will cover you.

However if during a police interrogation you admit that the documents exist, when they are subpoenaed, you can't withhold evidence.

I imagine that the 5th will work much the same with passwords. If it is known that you have the ability to unlock the device, refusing to do so will be withholding evidence.

However if revealing the password implicitly reveals the hitherto unknown information that you know the password, 5th will work.


So here's my concern: guy's now been in jail without charge for 18 months. The prosecutors say his guilt is a foregone conclusion, but apparently it's not foregone enough that they're willing to go ahead and prosecute without the contents of his hard drive. They're gonna hold off until they get what they need.

We're starting to get to the edge of the point where this guy might legitimately forget his password. I think we can assume the FBI has been running a common passwords/dictionary attack with common password symbol substitutions for the last 18 months, and apparently they haven't found the answer, so this password is probably a pretty good one that's not based on a word or even a sentence.

If he stays in jail without trial for another two years and then says "I can't remember my password any more", what should we do?


> So here's my concern: guy's now been in jail without charge for 18 months. The prosecutors say his guilt is a foregone conclusion

That's not what the "foregone conclusion" stuff is about, at all. They're not saying "it's obvious he's guilty so the 5th amendment does not apply." The 5th amendment doesn't apply to handing over evidence, period. It's about the circumstances under which handing over evidence (which ordinarily does not implicate the 5th amendment) involves implicit statements or assertions by the defendant (which does). Read the subpoena example in the opinion, it clarifies.


Take this comment as what I think 5th amendment should imply, not how it is currently applied by the courts.

The concept of foregone conclusion is very weird. Imagine that I tell someone that I maintain a diary with a log of all the events every day. Then I tell this to my friends, family, (the police), etc.

Let's say the prosecution can prove that I was at a spot where something illegal happened. If they knew I wrote a diary every day, they can compel me to produce my diary, which will then be used against me (if needed).

If on the other hand, I tell everyone (and the police) that I have photographic memory and remember anything I see and do, that information is protected by fifth amendment. So in this case, I won't provide something that will be used against me.

It is very weird that when the plain words of the amendment read "compelled in any criminal case to be a witness against himself", it is only thought to include literal production of testimony from mind as confession, while on the other hand, the first amendment is not read literally to allow only freedom of (say) owning a press, the press being a physical printing press.


What is weird is basing a legal system around the constant re-interpretation of documents written hundreds of years ago and the implication that subtle nuances in ancient wording reveal a thus far hidden intent that somehow predicted today's technological advancements, society, their relevance and how these texts should be applied in today's light.


None of that is why I'm bringing it up. I bring it up to point out that we have no reason to believe that the prosecution won't request indefinite detention until he gives up the password, even if it might be impossible for him to do so.


Good point, I definitely can't remember my more complex passwords for more than a month or two if I'm not using them.

It is also not too hard to essentially forget a complex password by either 'blanking it out', or associating it with multiple similar passwords during recall.

There are no easy solutions to encryption in this context, apart from what it clearly tells us: That society needs to focus on prevention and care, and not rely on policing and punishment to keep society safe as much as now.


Civil contempt is coercive, not punitive. In theory, he gets released when it's clear that he won't decrypt the drive even if indefinitely incarcerated. So in principle, in the event you describe, we let him out.

Of course, knowing that he actually has forgotten the password is somewhat tricky, so what would actually happen is anyone's guess.


He goes free in 14 years or sets a new record. Up to the judge.

http://abcnews.go.com/2020/story?id=8101209&page=1


That guy sets a new record for cussedness.


> what should we do?

Release him and pay millions in compensation for violating his writ of Habeas corpus.


A court granted him a writ of habeas corpus? When? That changes everything if true, but I'm pretty sure you're mistaken.


That's not what Habeas corpus is. Contempt is 100% lawful.



Perhaps the FBI have unlocked it, but them having the password doesn't prove that the accused had it. My guess is they wouldn't be pushing on with the case if they didn't know for sure that access would 'demonstrate' criminality. Similarly I imagine the accused knows that if they admit access they're going to spend a lot longer incarcerated. An impasse for our times


That is precisely the scenario that actually would violate the Fifth Amendment, because it forces him to be a witness against himself.


So if, for example, a person had illicit photos/documents in a safe, then the police couldn't ask them for the combination? Or if they gave the combination the evidence then retrieved would be inadmissible?

Surely it's the pre-existing evidence that [potentially] stands against the accused, not their "speech" that enables access to that evidence.

Who does such an interpretation of The Fifth protect?


As the courts have interpreted it, 5A protects you if they can't even prove the safe is yours, or if otherwise admitting that you know the combination or that you know what's in the safe would result in incriminating testimony. 5A doesn't apply here because they know the device is his, and that prior to his arrest he had regular access to it. It's not incriminating testimony, it's delivery of evidence in a criminal trial subject to a lawful subpoena.


Delivery of evidence is delivering the hard drive; changing the state of the evidence is a concretely different thing.

It amounts to interpreting the existing evidence for law enforcement.


> I think we can assume the FBI has been running a common passwords/dictionary attack with common password symbol substitutions for the last 18 months

I would like to believe they do... But I don't think they'd bother with that.


How many 20-character passwords could we try in 600 days? And by imaging the original drive onto multiple others?

I mean 18 months. It's a lot.


Not worth the resources though.


Well, certainly not if the judge is willing to allow indefinite detention without trial. That's one of the key concerns I have with this case. I'm not seeing presumption of innocence play out here.

The west used to mock and deride the USSR for this kind of thing.


There are, as far as I can tell some weaknesses in that argument, at least from a lay perspective.

- There must be evidence that I can unlock the device for the two situations to be equivalent, and the request must be for specific documents known to exist. If they don't exist all evidence found must be invalidated because the cause for the search was invalid.

- If evidence of ability to unlock the device does not exist, but the assumption is that since it's mine I can unlock it, I think the analogy is slightly flawed. Since the ask is now not about producing a specific thing I'm known to possess, I'm indirectly being asked to produce a document (password), albeit not in material form but typed on a keyboard. Since it's never been proved that I actually am able to open it, the situation is not equivalent, but more like there being a safe in my house that nobody has seen me open, no key is known to exist, but since I own the house I am assumed to be able to open it, and I'm held in contempt because I say I can't or won't open it. It's not too uncommon for a house to contain a safe the current owner can't open, but it does not lead to the same situation since it can usually be forced open. The only difference with good encryption is that the option to use force has become increasingly impotent.

- Unlocking a computer without proper limits and auditing of the search is also more like being asked to give access to any document storage rooms I own or have access to. Reason being that unlocking a device will in many cases give access to more than the bare contents of the drive, giving access to emails, Dropbox, and other logged on applications and sessions. Since parallel construction appears to be a thing, it's ripe for abuse.

Maybe there needs to be a process where independent auditors can, under surveillance of the defendant's lawyer, produce named documents from seized evidence, as giving police and/or prosecutors blanket access to devices' entire content could create lots of opportunities to create parallel construction stories for any content found not under the current warrant, and as bizarre as parallel construction is, it appears to have been used.


>Your interpretation of the 5th amendment is quite different than it has been historically interpreted by the courts.

Part of the issue seems to be the courts are very proficient in coming up with very interesting interpretations. It feels a lot like a literature or art interpretation class, where everything is BS but a lot of people have a bunch of rules convincing them they aren't. Then again, the founding fathers weren't too much different.

Founding fathers: "All men created equally".

Also founding fathers: owns slaves (some at least)


The word "witness" is a legal term with a specific meaning. It requires providing testimonial evidence. The landlord that unlocks the defendant's apartment where the bodies are stored in the fridge is not a "witness" even though he helped the police get evidence.


And here we are, talking about a guy presumed to have some information in his head, arrested for refusing to disclose that information, in a thread about legal professionals creating BS, with somebody arguing that "witness" has a legal meaning that does not cover people disclosing information they have in their heads... Or, at least not in this case.


> arrested for refusing to disclose that information

The information in the guy's head is the password. They're not asking him for the password. They're asking him to perform the action of decrypting the drive. They explicitly told him he could keep the password secret.


Yep, that's really a very good non-BS interpretation that does not harm common sense in any way.

In related murder news, murder suspect detained indefinitely until he shows hidden body to the police. They don't want him to tell them where is the body, they just want him to drive them there so they can dig it up.


Your comparison between decrypting a file and locating a body neatly demonstrates the conflict at the heart of this case. The conflict is formally known as the "foregone conclusion doctrine."

There was an excellent discussion of this case and the principles behind this doctrine in the Washington Post last year:

https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...

Orin Kerr does an excellent job explaining why he thinks the doctrine applies to decrypting files. You might enjoy reading it.

The appropriate analogy to this case is not "until he shows hidden body to the police" but "until he opens the door to his garage where they have reason to believe there is a body".


Yet another article assuming that telling a decryption key is the same as delivering a document you possess.


The defendant in question here is not being asked to tell anyone their encryption key. They are, in fact, being asked to deliver a collection of documents they possess.


No, they are being asked to transform a collection of documents they possess, using information they allegedly possess in their mind about those documents, and deliver the product of that transformation.


That's a characterization I can agree with. But that transformation still isn't, in my mind, testimony. It's an action.


How can disclosing some data that is a function of information you have in your mind not be testimony?


Because it isn't revealing information that only exists in your mind. Keep in mind the reason the 5th Amendment exists: to prevent the government from having an incentive to coerce false testimony through torture.

An evil government could coerce someone to falsely say "I did it!"

An evil government cannot coerce someone to falsely type a password into a terminal to decrypt files with incriminating evidence. Because if it's false that evidence simply won't exist.


> Keep in mind the reason the 5th Amendment exists: to prevent the government from having an incentive to coerce false testimony through torture.

That's not the sole purpose of the self-incrimination protection (which is, also, far too focussed in its protections to meaningfully effect that end, since historically false testimony coerced through torture was very often sought from people other than the person it was used against.)

> An evil government cannot coerce someone to falsely type a password into a terminal to decrypt files with incriminating evidence.

Sure they can, or, rather, if they claim to know already what is on the drive and reject any decryption which does not match their claimed knowledge, they can punish someone for non-compliance until they either tire of punishment or the target somehow manages to produce a result that matches the expectations.


You know what would be handy? If you were to codify these reasons and purposes unambiguously in a single, agreed upon, authoritative place (say, a law book or something), so you don't need to divine meaning from ancient texts and have the same silly discussion every time the subject comes up.

Take a look at the legal system of just about any non-English speaking country, to see how this could possibly work.

(Admittedly, it makes for great film scripts and courtroom scenes, which are valuable and important export-products of the US, but having clearly defined and agreed upon laws and rules is kind of important too)


True. It's also to prevent someone from ever being put in the position of having to choose between lying and self incriminating.

But again, that doesn't apply in this case.

> or the target somehow manages to produce a result that matches the expectations.

This is an impossible end state. You might have a point if the password was a one time pad or something like that but that's not the case for the case in question.


You are correct in that as a non-lawyer (I am a non-lawyer as well) you cannot read the law and reliably, confidently understand what it means, much in the same way a non-programmer cannot read code and understand what it means.

There is a problem with this which is that non-lawyers are required to comply with the law but that's not really the issue here.

If you're trying to argue courts have gone through mental contortions to derive radical insane re-interpretations of the law that completely change its intent and meaning 180 degrees, and that the entire legal orthodoxy has gone through the same contortions in order to be able to practice law in its current state, you can do that and it's reasonable, but you should use better examples like e.g. the commerce clause, not slavery. Slavery was most definitely intentionally allowed, no interesting interpretation necessary.


>Slavery was most definitely intentionally allowed, no interesting interpretation necessary.

Legally yes. I was referencing how the founding fathers were not consistent in matching the government they created with some of their prior statements which were part of the reason they were in a position to create the government. Largely I said this to preempt the oft response that the founding fathers weren't consistent with their own view of rights.


Well, they were consistent; it's just that their definition of "men" is different from yours, and it's been shifting with time.

And hence we have lawyers and judges interpreting the law. Because the whole foundation (the people, and their opinions) is unstable over time.


Have you ever read up on why Jefferson chose those words?


They thought the British would beat confessions out of people, which still somewhat happens.


The police are asking this guy to produce a document that does not currently exist. The police are effectively asking this guy to take a document they do have and is useless (the encrypted hard drive), and using the contents of his own mind to transform it into a document that is useful to them.


Right, but in that case the court is asking for specific documents which it knows exist.

In this case, the court is asking the man to provide evidence which the court is not aware of. And there also might be evidence for other crimes which the court isn't aware of.

This is also a right to privacy issue.


If the court knew that the documents existed, he would have been convicted for possession of child porn by now. The court thinks that the documents exist, but obviously they can't prove it.


If a confession can be evidence of being guilty, refusing to confess is to withhold evidence?


But you don't yet know that it's evidence of guilt. Additionally, testimony can be counted as evidence, yet the 5th Amendment allows you not to testify if doing so would incriminate you. So something being evidence is not unconditional in needing to be turned over.


Let's say a guy has some documents that he happened to show someone that can implicate him in a crime. The person he showed it to testifies that the guy showed it to him/her. Can he be held until he turns over those documents?


Well, seeing that this is what is currently happening, I'd say the answer is "Yes."


But passwords and hard drives are not documents. What's on it are "documents" but it's akin to refusing to pull memories out of your brain.


The purpose of the prohibition against testifying against oneself in the 5th amendment is not a protection of one's privacy (as many here seem to believe). It is to prevent coerced false confessions. The difference between false testimony and a falsely revealed password is that the testimony is not obviously false but the password will be.


The argument made in the article is that it's a "foregone conclusion" that there's child porn on the drives, so decrypting them isn't self-incriminating because they already know what's on the drive.

That said, personally I don't buy it. What if there's evidence of other illegal acts on the drive too, ones the police don't know about? Then decrypting the drive would definitely be incriminating because it would tell police about the other illegal stuff, stuff which fails the "foregone conclusion" test.


> The argument made in the article is that it's a "foregone conclusion" that there's child porn on the drives, so decrypting them isn't self-incriminating because they already know what's on the drive.

The immediate thought that comes to my head when they say this is: Then what's the problem? You can prove it, so why do you need more proof? Unless possibly maybe your case isn't rock solid or you want to find more crimes.


Similarly, if the police have a reasonable suspicion that there are illegal materials in your home, they should never be allowed to enter and search it against your will. Either they have enough evidence to charge you or they don't, right? So why bother searching? It doesn't matter if you have a nuclear weapon in your basement, if you say no they aren't allowed to come in and check/collect evidence that makes them certain no matter what the Geiger counter outside says.

Your reasoning invalidates all searches, all warrants, and it's everywhere in this thread, it's insane.

I'm all for security, privacy, encryption, Tor, but if the police have a strong enough reason to think I'm committing a horrible crime, and have convinced a judge to sign off on it, then yeah absolutely they should be allowed to search my computer. I don't get to say "Joke's on you g-man, we both know I'm a criminal and the evidence is right here and I can get into it, but I won't let you in until you've cracked my secret code!" The alternative is for them to just always assume encryption/Tor == criminal. The point is they can search /when they have a very good, explicit reason given to a judge/, not go on fishing expeditions or passively collect everything. You probably will lose your privacy for a little while if you're a reasonable target in a serious police investigation, that's always been the case, and it always will be.


It's a bad analogy, the police don't need your permission to gain access to your home.

It'd be akin to the police coming across a written document in rot13 and jailing you indefinitely until you show them how to decrypt it.

What if it turns out to be a grocery list and you used rot13 just as a matter of course? You went to jail over a grocery list?

I don't think you can compare searching a house to forcing the decrypting of the hard drive.

I run my own XMPP server to keep in contact with a few people (1 friend in China, and my gf during the day). I absolutely encrypt all of it, you're telling me it's ok for them to jail me indefinitely because they believe I've said something in the logs that I shouldn't have.

And that's bullshit, there are legitimate reasons why people encrypt things.


The fact that police can't access your data without your permission is a technical reason, not a legal reason. Warrants say the police can search your home. Everything in your home. The data on the machines in your home. If a police officer knocks on your door and presents a valid warrant and you say "good luck, I've booby trapped my home as a fortress with shotguns and explosives and I refuse to disable them" you will be locked in jail until you do. Police don't have to deal with your bullshit when a judge orders you to do something and you refuse to comply. They just lock you in jail until you do what they say.

And no, none of your examples are appropriate. If the police could prove you had a grocery list that had all of the items used in a crime and could tie you to it, went to a judge, got a warrant, and ordered you to turn over that list, you'd have to do it. If it's encrypted in some scheme you have to show them the real data. It's not the cops' job to work their way around every weird little obstacle you put in their way when they have a lawful order requiring you to hand over information.

In your scenario, if they had a warrant for your grocery list or XMPP server data, you wouldn't be "jailed indefinitely", you'd be jailed until you complied with a lawful order to turn over the data you possess. I don't know where you got the idea you'd be jailed indefinitely because of the content of the chats, that one came out of nowhere. If they discuss crimes you've committed you'd be jailed for those crimes, not indefinitely. After you turn over the logs. If you refuse you're breaking the law. If you don't have access, you can go ahead and try to prove that to the judge, or convince the judge you forgot your password. But the police can provide evidence to suggest you DO have access, you are just willfully refusing to give it up. Like, e.g. logs of you accessing it successfully, recently.

Yes there are legitimate reasons people encrypt things. I encrypt everything, all the time, just for the sake of doing it. I use Tor for my fairly mundane browsing all the time because I value my privacy.

But encryption does not mean "I never have to give anything to the authorities, under any circumstances, no matter what, and there can't ever be any consequences for me if I refuse when they go through proper channels and ask". Encryption does not mean you don't have to comply with the law.


> The fact that police can't access your data without your permission is a technical reason, not a legal reason. Warrants say the police can search your home. Everything in your home. The data on the machines in your home. If a police officer knocks on your door and presents a valid warrant and you say "good luck, I've booby trapped my home as a fortress with shotguns and explosives and I refuse to disable them" you will be locked in jail until you do. Police don't have to deal with your bullshit when a judge orders you to do something and you refuse to comply. They just lock you in jail until you do what they say.

When you start using such bullshit, outlandish arguments, you've lost the point.

> In your scenario, if they had a warrant for your grocery list or XMPP server data, you wouldn't be "jailed indefinitely", you'd be jailed until you complied with a lawful order to turn over the data you possess.

They have the data. What they don't have is an ability to interpret the data, but they most definitely have been given the data.

If that's really your measuring stick, then they need to let this guy go because they have the data in their possession.

What next, we're going to jail someone indefinitely (oh I'm sorry, not indefinitely, just "until they comply"...) because they refuse to read off their grocery list, which they wrote down in French because the police can't find someone else to read it for them?

no, fuck that, it's all splitting hairs.

"We don't want him to give us the password, just force him to unlock it for us, so it's totally not the same thing!".

Right...

Oh also.... you're wrong about the warrant point.

http://criminal-law.freeadvice.com/criminal-law/arrests_and_...

> Actually, the police might not be able to search anywhere just because they have a search warrant, there is a requirement that a warrant describe specifically the place to be searched and the items to be seized. Although it is possible that a warrant will give police a general license to search anywhere in a home, it is also possible that the search might be limited to specific areas in the home.

Maybe you live in a different country, but in the US it's typically understood that a warrant is meant to be specific to avoid the issue with police getting a warrant to look for a stolen bike and going through your toilet looking for hidden drugs.


I would suspect that the footage itself can be very valuable in terms of further investigations, so they're pushing for it because it will benefit them in future. The man will end up in prison anyway, so it's not like the law enforcement has something to lose.


No, that means that he's jailed indefinitely for possibly imaginary reasons that have nothing to do with the case at hand.

> The man will end up in prison anyway

But may actually end up longer in prison for contempt of court.


yeah, if it's a foregone conclusion, then why isn't the trial over and time being served?


Where's the mandatory minimums for possession of child pornography? The zero tolerance? Our prisons fill with drug offenders, yet we give sex offenders a scarlet letter + probation?


I don't think drug offenders should be put in prison since it's a victimless crime. I think child porno while much more serious does invoke some of that chain of reasoning.

To me there is a big difference between a guy who found some on the internet and someone who produces or pays for it.

I would be wary of putting in minimum sentencing for such crimes unless it was only targeted towards those producing/paying as you can reach murky areas. Two I can think of off the top of my head would be finding images inside someone's browser cache who browses a site like 4chan where people will post it randomly.

That and art, if someone draws child pornography is that a crime? If Blizzard says one of their Overwatch characters is 17, are the people who make those animated porno videos making child porn? And are the people watching it consuming child porn?


There was a sex offender who wrote on paper fictional stories of child sex and he was put back into jail for a violation of his parole (for writing it, never shared it).

If you have child pornography the law considers it the same as taking the photo and you can be sued civilly by the victims.

People love it when lawmakers make more laws.


Remember that parolees are still under sentence. There are almost always restrictions on parolees that go beyond those on the general population - that is the whole point of the parole system, you agree to live under sometimes onerous restrictions in return for being allowed out before your sentence is up.


> That and art, if someone draws child pornography is that a crime? If Blizzard says one of their Overwatch characters is 17, are the people who make those animated porno videos making child porn? And are the people watching it consuming child porn?

The answers to these questions are obvious: no and no.

If the answers are any different or short of being absolute, then that's a clear hole in the first amendment.


> The answers to these questions are obvious: no and no.

Tell that to Chris Handley [1]. He imported a pornographic comic book from Japan, a postal inspector got his panties in a bunch over it, and a prosecutor pushed for 15 years in prison and life as a sex offender unless he plead guilty.

Knowing he'd probably lose in front of a jury of his peers [2], and being blackmailed with the threat of 15 years, he took a plea for six months in prison. Wasn't even afforded the right to a fair trial.

Oh, and it's not just pictures, either. Textual, fictional stories can be "obscene" as well. It is possible to write a fake story in a Hacker News comment that can get you 15 years in federal prison in the US.

[1] http://cbldf.org/about-us/case-files/cbldf-case-files/handle...

[2] it's deemed "obscene", which is a magic "get out of Free Speech free" card, so it falls under the Miller Test. You could get a jury in a very deep red county to find two fully-clothed males kissing as "obscene" if you wanted. "Obscenity" is the thing that needs free speech protections the most.


> "Obscenity" is the thing that needs free speech protections the most.

Agreed.

I'm even of the mind that mere possession of any piece of media cannot be properly regarded as criminal, precisely because it interferes with the far more important right to free speech.

It seems to me that prohibiting the creation or sale of child porn is more appropriate.


In an ideal world, I want possession of real CP to be a crime ... that is, if it could stop there. I would be willing to accept that small bit of cognitive dissonance / hypocrisy. I'm very sympathetic to the victims of abuse having their images out there being sold and traded online.

But then you have cases like Handley where cartoons are criminalized (which I consider to be a thought crime), and cases like this story where it's used to basically eviscerate the fifth amendment ... and it really makes it clear: you cannot have exceptions to free speech, or it will continue to grow and gut everything else. It's not a "slippery slope" argument ... the slope has already happened -- we're seeing it right now. An appeals court just said you can rot in jail for the rest of your life if you forget your password. And they're going to get away with it because of the horrific spectre of CP ( parodied well here: https://www.youtube.com/watch?v=sdu4wSBZqMM )

As much as I abhor the content, I really believe prosecutors should be going after the producers, the sellers, the people collecting ad revenue off of hosting this stuff, and of course, the actual abusers themselves.

I'd like to see the people with paraphilias they didn't ask for have access to proper counseling, access to anti-androgens, etc.

But we don't live in a country that wants to help people. We live in one that wants to punish people -- even if that results in more victims.


>In an ideal world, I want possession of real CP to be a crime ... that is, if it could stop there.

I partially disagree with this. I think it should only be a problem if it's actually real, and can be proven to be, and thus can be proven to have an actual victim. And that victim needs to actually be a child.

In today's age of Photoshop and life-like realistic rendering programs, it's entirely possible to create stuff that looks real, and really isn't. It's also possible for models/actors to look less than 18, while not really being that young. How do you tell for sure that a person in an image is 17 years and 364 days, and not 18 years? Pretty soon, the rendering technology will be so realistic you'll be able to create movies with fake humans that look entirely real. So if someone buys this software and makes some naughty stuff with it, why should they get in horrible trouble and spend decades in prison, when someone else can buy the same software, buy the same digital assets of child models (which aren't really real children, just fake but realistic looking children), and then make movies of these "kids" being slaughtered by dinosaurs or mowed down with machine guns or something, and that's perfectly OK?

The bottom line is: victimizing innocent people should absolutely be illegal and punished. Anything which doesn't victimize an actual person should not.


Years ago I read an article by Bruce Schneier in which he said he doesn't put a password on his home wifi. Anyone who wants to connect to it can.

His argument was that if someone downloaded illegal materials like cp and his network was password protected, they would argue that it had to be him (when we know this isn't even remotely true as software people).

The thing is, I kind of dismissed it and then several years after reading that I came across an article that just floored me. A cop was accused of accessing cp evidence repeatedly (presumably for himself). The article quoted the chief of police as having said "we know it was him because he used his password to log in and it's IMPOSSIBLE for anyone else to have gotten into it".

I've emphasized the word impossible.

I went home that night and opened up my home wifi and I've run it that way ever since. The idea that a police chief would believe it's impossible for anyone else to get into an account because it's password protected is about some of the scariest shit I can imagine.

And what's scarier in my mind, is how easily people are swayed. Look at how many people are arguing that it's ok to jail this guy indefinitely for refusing to give the police a password. And they BUY the argument that because the police are only asking him to perform an action (enter the password) and not actually give them the password it somehow changes anything instead of it being bullshit hairsplitting by officials.

I'm not really a tin-foil hat sort of person, but the people who can buy that without blinking are a part of the reason why we can't have things like free speech, only acceptable speech.


> parodied well here: https://www.youtube.com/watch?v=sdu4wSBZqMM

You may enjoy Chris Morris in this Brass Eye special "Paedogheddon":

https://www.youtube.com/watch?v=RcU7FaEEzNU

(if you enjoy absurdism and black comedy -- I find absurdism to be an especially good fit for satirizing the Kafkaesque)


> I'm even of the mind that mere possession of any piece of media cannot be properly regarded as criminal, precisely because it interferes with the far more important right to free speech.

While I agree in principle with the sentiment, by calling it "piece of media", you presume it to be something inert.

Stepping outside the context of obscenity for a bit, code is data and data is code. It used to be (50-100y ago) a reasonably valid argument that any media is "just words" or images, unable to hurt anyone/thing unless interpreted and acted upon by human volition. However in today's information technology-enabled society, we have automated systems and machines that will consume the data on a piece of media, and automatically perform real-world actions that have large consequences and may hurt people.

Weaponized exploit code (etc) can exist on a piece of media, and you can imagine how a rule that "mere possession of any piece of media cannot be properly regarded as criminal" can somehow always be wrangled into a loophole that abuses this rule. Information is a very weird and fluid beast, just look at the oddities around "illegal primes" or "coloured bits", to see where computational science and law collide.

I believe that our old intuitions about the fundamental nature of "information" are being challenged in a way. I don't have solutions or answers, either. I want the freedom too, but saying it's "just information" on a piece of media is a bit too quick.


"18 U.S. Code § 1466A - Obscene visual representations of the sexual abuse of children

Any person who, in a circumstance described in subsection (d), knowingly produces, distributes, receives, or possesses with intent to distribute, a visual depiction of any kind, including a drawing, cartoon, sculpture, or painting, that (1) (A) depicts a minor engaging in sexually explicit conduct; and (B) is obscene (...) or attempts or conspires to do so, shall be subject to the penalties provided in section 2252A(b)(2), including the penalties provided for cases involving a prior conviction. It is not a required element of any offense under this section that the minor depicted actually exist."


> (B) is obscene

Those two words are hiding a lot. For example, it's probably not obscene in Oregon, since part of the Miller test defers to state law and we have a stronger state equivalent of the 1st amendment in our state constitution that would allow it.

And if you wrapped it in a story (like a manga or comic), it would be easier to argue that it has literary or artistic merit. Though, a "states' rights" argument would probably be more likely to succeed.


My comment wasn't meant to speak to the test of the federal register, under which a huge part of the everyday lives of Americans are federally prohibited.

I was more speaking to the question, "is it a crime?" IE, is it a crime in any sort of common-law sense and the proper purview of a government in a functionally free society.

In that sense, I do not believe that the wholesale fabrication of any form of media is a crime.


In Australia, cartoon child porn is also illegal.


In fact, IIRC even actual porn containing only provably adult actors is illegal if a judge decides it looks like someone might be underage.


I remember reading about a case where a porn star actually showed up to a trial of her own volition and showed the judge her license to prove she was over 18 when she did the film.

Had she not responded when the guy's lawyers contacted her, the accused would've gone to jail for child porn.

That's how insane and scary these laws are. I'm all for coming down hard on someone for having cp, but it wasn't cp, just a young looking actress.


Keep in mind that a 17 year old taking a nude picture of themself is in possession of child pornography. Do you want a harsh minimum sentence for that?


You gotta cut the government some slack here, they have contracts with private prison providers and quotas to fulfill. Can't have compassion and reason get in the way of that.

Also think of the children.


Times are moving faster, you have to adapt. Efficiency is trump. Children are no exception here. You gotta see that there is just no time for things like 'being a child'.


With private prisons only holding about 8.4%[1] of the total state/federal inmates, do you perhaps mean prison guard unions?

[1] http://www.salon.com/2016/08/24/private-prisons-are-not-the-...


Try them as an adult?


I don't understand.


A minor possessing selfies of a nude love relation should clearly be tried as an adult. For maximum ironic force.


Also keep in mind that urinating on a wall in front of a police officer can get you "sex offender" status.


The problem has to do with precedent. If the prosecutors give up on this issue, then future defendants can cite this case in their defense.


That's like saying "The jury found you guilty of shoplifting, therefore we will put you in jail indefinitely until you confess". Sure them confessing after the conviction adds no information, but you still can't compel someone to do it under threat of a life sentence.


I'm not sure I understand something, either their argument about hashes, or how whole disk encryption works. I assumed that whole disk encryption meant that the disk, unencrypted, has high entropy, so the whole thing equally looks like snow. Doesn't FileVault encrypt the whole disk? So, where's this hash?


The defendant provided the password to his iphone (that contained highly-unsavory media of his nieces), which contained an unlock code for his laptop (filevault backup decrypt key). He connected the external drives to this laptop, and when he'd transfer media from his laptop to the drives, logging would occur with the file checksums. The hash/checksum is on the laptop with the filepath to the identified external drives, and because the hashes match known media of child victimization, the prosecution knows exactly where the evidence exists on the drive, once decrypted.


If the hashes are known to match, there is really no need for the original pictures, the evidence is already there?

This makes it sound more like it's a fishing expedition for evidence to use in other investigations, or to find evidence for a more severe punishment, both of which one can morally agree or disagree with, but is it how justice should work? I honestly don't know, but I think probably not.

It's a detestable crime, which is exactly why we must not allow the law to be bent out of shape because of that, as the results will be used in other cases where our moral compass maybe wouldn't sway our judgement as much.

The only justice we can enact, flawed at rational reasoning as we are, is a dispassionate justice. One where we as much as possible defer to the few rational facilities we have. Weak, but nonetheless, logical and rational thinking, is what we must base our arguments upon, as we are so easily swayed by our instinct to protect our children at any cost, often with little regard to what consequence it might have in a distant future.


I'm confused by your reasoning here. If we agree that the files are definitely on the system how is it a "fishing expedition" to want to see those files for further investigation. A fishing expedition would be forcing everyone to submit their devices for inspection on the off chance of finding evidence - this case is one where the evidence is known to exist and a person is refusing to hand it over.

The less emotive case would be the hard drive contained bank statements for tax avoidance - and I would still think that a court should be able to compel someone to produce that.


> this case is one where the evidence is known to exist

If that's the case the files aren't needed, they want to see the drive contents on the off chance of finding some other evidence.


Would you like to go to trial and attempt to persuade 12 non-technical jurors that "hashcodes" unequivocally demonstrate beyond any reasonable doubt that there is child porn on the external hard drive?

It's a foregone conclusion technically that the illegal content is on the hard drive. His guilt is not a foregone conclusion (not in the US anyway).

If you visit https://www.justice.org/sections/newsletters/articles/fifth-... and search for "foregone conclusion" you will get some good info.

The file hashes basically take away any good self-incrimination argument he could make and there might also be evidence of further criminality on the hard drive.


So it's True, but not True-to-a-jury True.

Sorry, but legally, the latter should be the only standard of truth. If he exposes himself to a higher standard of guilt, then he is incriminating himself.


But are we not just in the world of normal warrants here?

To my mind private spaces (be that my house or my hard drive) should have some protection, but it seems reasonable that that is less than my personal freedom.

I have no issue with a warrant being issued on a balance of probabilities basis in order to find evidence to convict a person based on beyond a reasonable doubt.

And all this ignores the possibility of discovering further crimes and accomplices by investigating the contents of this drive - if there is a balance of probabilities likelihood of finding those on the drive I don't see any problems with compelling this to be revealed.


> I have no issue with a warrant being issued on a balance of probabilities

The problem with this is it isn't consistent with how the law works in other cases. For example, a judgment of 'guilty' is considered absolute, not probabilistic.


This is only part of their motivation. The other is that the prosecutor likely wants to avoid setting a precedent that future defendants can cite in their defense.


> If we agree that the files are definitely on the system [snip]

then prosecute him and be done with it. Anything else is either a fishing expedition or we don't all agree that the files are definitely on the system... in which case it's still a fishing expedition.

hashes can be inaccurate, it isn't a foregone conclusion in reality, just in their opinion.


> hashes can be inaccurate, it isn't a foregone conclusion in reality, just in their opinion.

Not really, no. The chance of multiple hash collisions on a set of arbitrary images is a near impossibility.


near is not the same thing as impossible.

I told this story before, but I once read an article about a police officer who said it was impossible for another person to have logged into an account because it was password protected, when we know that's not even close to being true.

impossible and improbable are not the same thing, and I sure as shit don't feel comfortable making the case that it's 100% locked in because of a hash.

The requirement should be for them to look at the actual content, not the hash.


> near is not the same thing as impossible. I told this story before, but I once read an article about a police officer who said it was impossible for another person to have logged into an account because it was password protected, when we know that's not even close to being true.

That's not even the same realm as this case:

> The Forensic examination also disclosed that Doe had downloaded thousands of files known by their “hash” values to be child pornography[0]

Thousands of hash collisions would require prior knowledge of the values and a concerted effort to deceive. It would be more realistic to say that human perception is broken when looking at the media than it is to argue with the mathematical reality at play here.

> The requirement should be for them to look at the actual content, not the hash.

Refusing the evidence known to exist and definitely covered by probable cause is why the defendant is still in custody.

[0] https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...
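
The matching step the comments above are arguing about, as an added example that is not part of any comment in this thread: logged transfer checksums are compared against a set of known hashes, and an upper bound is computed on the chance that unrelated files match by accident. The log format, paths, file contents and the choice of SHA-256 are constructed assumptions; the thread does not say which hash function the examiners used.

```python
import hashlib
import math
import re
from typing import NamedTuple


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for "known" file contents (not real data).
KNOWN_HASHES = {
    _sha256_hex(b"constructed-known-file-A"),
    _sha256_hex(b"constructed-known-file-B"),
}

# Constructed transfer log. Assumed format:
#   <ISO timestamp> COPY <destination path> sha256=<64 hex chars>
SAMPLE_LOG = "\n".join([
    "2015-01-03T10:00:01Z COPY /Volumes/EXT1/a.bin sha256="
    + _sha256_hex(b"constructed-known-file-A"),
    "2015-01-03T10:00:05Z COPY /Volumes/EXT1/notes.txt sha256="
    + _sha256_hex(b"constructed-unrelated-file"),
    # Path containing a space, digest logged in upper case.
    "2015-01-03T10:02:11Z COPY /Volumes/EXT2/my folder/b.bin sha256="
    + _sha256_hex(b"constructed-known-file-B").upper(),
    # Truncated digest: must be rejected, never treated as a match.
    "2015-01-03T10:03:00Z COPY /Volumes/EXT1/c.bin sha256=deadbeef",
])

LINE_RE = re.compile(r"(\S+) COPY (.+) sha256=([0-9A-Fa-f]{64})")


class Match(NamedTuple):
    timestamp: str
    path: str
    digest: str


def match_transfer_log(log_text, known_hashes):
    """Return (matches, rejected_line_numbers) for a transfer log.

    A line counts as a match only if it parses completely and its digest,
    compared case-insensitively, is in known_hashes. Lines that do not
    parse are reported by 1-based line number instead of being skipped
    silently, so a reviewer can see what the tool ignored.
    """
    known = {h.lower() for h in known_hashes}
    matches, rejected = [], []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            rejected.append(lineno)
            continue
        timestamp, path, digest = m.group(1), m.group(2), m.group(3).lower()
        if digest in known:
            matches.append(Match(timestamp, path, digest))
    return matches, rejected


def log2_accidental_match_bound(n_logged, n_known, digest_bits=256):
    """log2 of an upper bound on P(at least one accidental match).

    Union bound for an ideal hash: each (logged file, known hash) pair
    collides with probability 2**-digest_bits, and there are
    n_logged * n_known pairs. Worked in log space to avoid underflow.
    """
    if n_logged <= 0 or n_known <= 0 or digest_bits <= 0:
        raise ValueError("counts and digest_bits must be positive")
    bound = math.log2(n_logged) + math.log2(n_known) - digest_bits
    return min(0.0, bound)  # a probability never exceeds 1


if __name__ == "__main__":
    found, bad = match_transfer_log(SAMPLE_LOG, KNOWN_HASHES)
    for hit in found:
        print(hit.timestamp, hit.path, hit.digest[:16] + "...")
    print("unparseable lines:", bad)
    # One million logged files against one million known hashes.
    print("log2 bound:", log2_accidental_match_bound(10**6, 10**6))
```

The bound covers accidental matches under an ideal hash only; it does not cover collisions deliberately constructed against a broken function such as MD5 or SHA-1. A match also says nothing about how a file or a log entry came to be on the machine.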


No one is arguing with the legal argument, there are a lot of legal arguments that most people don't believe should exist.

So using the law to defend yourself doesn't really apply here.

> Thousands of hash collisions would require prior knowledge of the values and a concerted effort to deceive. It would be more realistic to say that human perception is broken when looking at the media than it is to argue with the mathematical reality at play here.

This confidence is why my anecdote applies. That confidence is flat out scary when you hear people in law use terms like "impossible" or "virtually impossible" when speaking about things that are not.


This is about the only way I'm ok with what they are doing. If this is the case, then I'm 100% ok with compelling him to unlock the drive for the sole purpose of accessing those files. Anything else on the drive should be off limits as it then becomes testimonial.

To me the danger is, what if this person committed other crimes and by unlocking the drive he gives the prosecution info about those crimes. In a world where the investigators and/or prosecution have gotten away with parallel construction I wouldn't expect them to play fair. I mean, realistically it sounds like the guy is guilty as sin. That being said, I'd rather he get away with those hypothetical crimes than we start allowing situations like this to happen.

So, to recap, make him unlock to read the known files (by exact path) and nothing else on the drive.


To me, this whole thing smells of the classic tactic of telling the guy, "We know you're guilty; just confess, and we'll go easy on you." Which, of course, is a lie.

So I am of the opposite opinion. If the hash information isn't enough to try him with, then I'd rather he go free, than set a precedent that it's acceptable for a court to compel someone to decrypt information because someone in law enforcement just "knows" the evidence is there. Because once this order is allowed to stand, the level of certainty required to compel decryption is going to continually be lowered.


> To me, this whole thing smells of the classic tactic of telling the guy, "We know you're guilty; just confess, and we'll go easy on you." Which, of course, is a lie...If the hash information isn't enough to try him with, then I'd rather he go free, than set a precedent that it's acceptable for a court to compel someone to decrypt information because someone in law enforcement just "knows" the evidence is there.

I'm sympathetic to why you'd be cautious, but that's not fitting in this case -- this is a highly specific case with a number of circumstances that meaningfully differentiate it from the generic case of providing decrypted media. He's guilty and the checksums are enough to convict him (we're talking many checksums, metadata, partial confessions) and this is about him frustrating the discovery process.

> Because once this order is allowed to stand, the level of certainty required to compel decryption is going to continually be lowered.

This is a slippery slope fallacy. I had some leaning towards this perspective, but then I read the source document, which goes into far more detail. There's a definite nuance to this case.


I appreciate what you're saying about a slippery slope, but I don't find that the nuance of this case necessarily makes it a fallacy. The judge has compelled decryption based on hashes of files left around in logs on the hard drive, but what if an ISP reports that files with those hashes have been downloaded by a particular IP address?

The FBI gets a warrant, executes a raid, picks up every piece of electronic equipment in the place, but can't find the files the ISP says should be there. Can the defendant, in this case, be compelled to decrypt an encrypted hard drive file or partition at this point, because law enforcement "knows" that those files are somewhere in his (digital) possession? What if it were a guest in his house? What if it were the neighbor, stealing wifi?

Based on this precedent, I think another judge could find reasonable cause to compel in that scenario. Is this a violation of the 5th Amendment? The defense FOR the judge's actions in this case -- based on other reasoning in this thread -- is that only files with those hashes could be used against him, at this point. In this hypothetical case, though, what if LE found OTHER files of child pornography? Would they be admissible? Alternatively, if they found other material (e.g., bomb-making), could it be used against him in a separate case? I'm not sure I trust the government in either one of these situations.

It seems highly likely that we'll get a government employee's opinion on precisely this scenario someday, and I don't think that this employee is going to find in a manner against his employer. As with so many other of the Constitutional protections of the Bill of Rights, they've slowly been chipped away in precisely these kinds of legal "corner cases." Sue me for being paranoid.

Have we not spent the past couple of years confirming that the "slippery slope" of catching "bad guys" has, in fact, completely eliminated the protection of the 4th Amendment for communications? You could argue that it hasn't, because the government hasn't prosecuted a citizen based on the warrantless, wholesale monitoring of any and all electronic communications -- THAT WE KNOW OF -- but it's extraordinarily clear that shouldn't be happening in the first place, according to the Constitution.


I'm glad you didn't take offense to me making reference to the fallacy as I appreciate our conversation and wasn't sure how else to express that thought.

If you haven't done so, check out the source document for the article as Arstechnica didn't include some important details (and the headline "Man jailed indefinitely for refusing to decrypt hard drives loses appeal" talks past what is actually happening): https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...

> ...but what if an ISP reports that files with those hashes have been downloaded by a particular IP address? ... but can't find the files the ISP says should be there.

I think this case is particular due to the lack of breaks in the chain. In your hypothetical, law enforcement and the prosecution have _vastly less information_ than in this actual case.

Law enforcement knew the path from a remote source, to (presumably dhcp lease based) ISP records, to the laptop that accessed the content (known to be the defendant's), to checksums in logs matching a physical drive (also known to be the defendant's). Coupled with other evidence, the defendant frustrating the process by pretending to no longer know the decryption phrase, and partial admissions of guilt by the defendant, this is a vast distance from a hypothetical case of "someone from this IP address downloaded Game of Thrones Season 1 from bittorrent, so hand over anything that can store bytes" (to use a far less disgusting crime to help keep emotion away from the discussion).

> Based on this precedent, I think another judge could find reasonable cause to compel in that scenario.

Luckily, the US justice system is built on nuance; this case wouldn't hold up as a generalizable excuse to compel decryption -- which is why they're invoking the foregone conclusion rule to secure the production of evidence based on the enormity of the other factors.

> In this hypothetical case, though, what if LE found OTHER files of child pornography? Would they be admissible?

I honestly don't know. In this case, the defendant is refusing to provide (multiple pieces of) evidence that is known to exist by checksum and direct file path.

> Alternatively, if they found other material (e.g., bomb-making), could it be used against him in a separate case?

Having information on how to construct a bomb is not illegal, any more than getting a degree in chemistry is illegal, but plotting to kill people with a bomb is legally actionable.

> I'm not sure I trust the government in either one of these situations.

I agree with you, but on a different shade of the argument. I'm suspicious that the ecosystem of justice is built on securing convictions as opposed to seeking objective truths. In this case, I support the government/court based on the information I have.

> As with so many other of the Constitutional protections of the Bill of Rights, they've slowly been chipped away in precisely these kinds of legal "corner cases."

I don't know which other cases you're referring to, but the argument to be made here is that this isn't a corner case. This is having mathematical certainty that the defendant has evidence and is refusing to hand it over.

> Sue me for being paranoid.

No law against being paranoid :)

> but it's extraordinarily clear that shouldn't be happening in the first place, according to the Constitution.

Actual question: where in the constitution is this clearly stated?


> Actual question: where in the constitution is this clearly stated?

You're obviously way more legally savvy than I am. Just goes to prove that a _little_ knowledge is a dangerous thing. Totally agree on the "securing convictions" motivation.

I'm referring to the 4th, about needing a warrant to intercept communications. Is that not clearly stated? Maybe my ignorance is showing again. Doesn't the 4th -- on the face of it -- preclude any system of wholesale collection of electronic communications?


> You're obviously way more legally savvy than I am. Just goes to prove that a _little_ knowledge is a dangerous thing.

Oh no, don't feel that way. The law is a man-made thing at the intersection of logic and opinion, which is why there's so many laws and tests -- if you haven't read the source document that's linked in the Arstechnica article, I would, as it has a lot of important detail.

> I'm referring to the 4th, about needing a warrant to intercept communications...Doesn't the 4th -- on the face of it -- preclude any system of wholesale collection of electronic communications?

Law enforcement were specifically targeting traffic expected to have child pornography and the people trying to exchange it on freenet who join very-special-purposed groups. Peer-to-peer platforms depend on people being free to join, and having special-purpose groups really helps with the "probable cause" condition of the 4th.

On the back of that, the defendant gave them confirmation of his illegal acts, so this case is about recovering evidence known to exist.


Wow, that's a lot against this guy, but hypothetically couldn't compelling him to decrypt his drives based on a file hash set a dangerous precedent where police can just plant file hashes somewhere to get access to anyone's drives? Sort of the high tech version of the drug dogs that would signal on cue.


They could also plant an unencrypted drive and skip the whole getting the password step.


Then they would need access to the images and not just knowledge of the hashes.


If they're going to ignore that pesky 'staying within the law' step they might as well just lock him up indefinitely right now.


They're staying within the law -- the defendant being in violation of the law is why an order to comply was filed and why we have access to the court of appeals document.

If you don't like the process, that's a different conversation.


Eighteen months without a charge. I think they're way ahead of you. IMO, they've already abrogated his 6th-Amendment right to a speedy trial as well.


There are a lot of things that waive the speedy trial right. If a defendant files pretty much any kind of motion, the speedy trial timeframe goes out the window.


That's actually where I was going with that - maybe I should have put that /s or ;) at the end of the post after all. :)


I hope it is not sha-1


this reasoning also applies to search warrants. I believe those legal tools are simply necessary to allow criminal investigations.


It's not bizarre at all. "To be a witness against himself" is not metaphorical or ye olde English. It literally means what it says--the government can't force someone to testify against himself (i.e. to provide a confession). If the Founders had meant to say that the government can't compel someone to cooperate in an investigation at all, they would have said that.


Ahh yes, they spell out their interpretation clearly in the companion manual to the constitution.


The companion manual is called a dictionary. The word "witness" means someone who provides testimony based on personal knowledge.

If the framers had meant to say "provide evidence" instead of "be a witness" they would have said that. They were lawyers and those words were commonly used legal terms that meant the same things they do today.


I think it's about the meaning of words when the text was written.

"To bear arms" doesn't mean to have human arms, after all


I don't agree that testifying is the same as confessing. To testify is to provide a testimony (under oath), which is broader than an actual confession. The reasoning behind the 5th amendment is that nobody should be put in a position where they either have to lie, incriminate themselves, or be held in contempt of court.

If the government can't compel someone to say when, where and how they disposed of the bodies, then they also can't make someone explain how they encrypted some files.

In case they can confirm the existence of files some other way I guess you could make the case that the government can force someone to produce those files. Of course this won't tell them anything they didn't know already (which is kind of the point). Making someone produce files that may or may not exist is the same as making them testify that those files exist and that they have access to them, which I would argue falls under the 5th amendment.


The Constitution is extremely abbreviated because it was written by hand. Your arbitrary definition of "witness" isn't more or less correct than someone else's; these terms are negotiated over the centuries with a great deal of context.

The Fifth Amendment has been consistently interpreted to mean far more than "confession"


The Constitution is extremely abbreviated because it was written by hand.

?!


It's not as black and white as you make it.

If there is a warrant to search my property, I am obligated to assist if required. E.g. open the gun safe. (Hey, speaking of guns...You know what other antiquated amendment from the Founding Fathers would be really convenient to ignore...)

Now, AFAIK, no one has tested whether that still holds true of a combination safe, where the access substantively requires information from the accused.

And a combination safe is very similar to an encrypted drive.


"...LOCKED CONTAINERS - AN OVERVIEW: John P. Besselman Senior Legal Instructor

Law enforcement students often ask the question “can I search a locked container?” A better question to ask may be “when can I search a locked container?” The fact that a container is locked may not increase the possessor owner’s expectation of privacy but does limit the law enforcement officer’s access to the secured area. The ability to search a locked container will depend on the justification the law enforcement officer has for intruding into the area. The purpose of this article is to examine the different legal avenues a law enforcement officer can use to search locked containers. ..."

https://www.fletc.gov/sites/default/files/imported_files/tra...


Personally, I find the Genius analysis of JayZ much more readable:

    Well, my glove compartment is locked
    So is the trunk in the back
    And I know my rights, so you gon' need a warrant for that

And the analysis: https://genius.com/17560


There is a law review paper[0] about this song.

> And I know my rights, so you go’n need a warrant for that . . . If this Essay serves no other purpose, I hope it serves to debunk, for any readers who persist in believing it, the myth that locking your trunk will keep the cops from searching it. Based on the number of my students who arrived at law school believing that if you lock your trunk and glove compartment, the police will need a warrant to search them, I surmise that it’s even more widespread among the lay public. But it’s completely, 100% wrong.

[0] Caleb Mason, "JAY-Z’S 99 PROBLEMS, VERSE 2: A CLOSE READING WITH FOURTH AMENDMENT GUIDANCE FOR COPS AND PERPS", http://web.archive.org/web/20130216120816/http://slu.edu/Doc...


> If there is a warrant to search my property, I am obligated to assist if required.

I'm not sure that's true, the police are authorized to break whatever they need to if you don't assist.

As for combo safes, this seems like a good overview: http://blogs.denverpost.com/crime/2012/01/05/why-criminals-s...


Yes, they can proceed without your assistance. Also, they can charge you with obstruction of justice.


Are you sure about that? I don't think warrants require you to assist the police in their search, you simply can't obstruct them, so they can't charge you with anything.


That you can be forced to produce a known piece of physical evidence is the premise of the very article you quoted, so yes, I am pretty sure.


What's the penalty that goes with such a charge?


IDK, but you can't keep breaking the law, and have penalties stop. So it won't be one-and-done.


Yeah, but in this case you have to weigh it against the penalty for being proven guilty.

Maybe indefinite detention, and a chance at public attention is better than life in prison as a convicted child molester.


If I'm reading things correctly (IANAL, so it's very possible that I am not), it seems like there's not a lot of consensus. Some rulings say that the court can't compel you to disclose or use a password. Others say that per the Fifth Amendment it can't compel you to reveal "the contents of your mind", but can compel you to produce the protected items without disclosing the password, as those are covered by the Fourth Amendment rather than the Fifth. Yet others say that this is all bullshit and a password is merely a component of a mechanism, legally no more privileged than a physical key used to lock a file cabinet or storage room.


What happens when I ask for you to produce the password required by this super highly technical algorithm (insert lots of jargon to make the jury's eyes glaze over) called xor which will take the given file and turn it into another file that contains something illegal? Can you prove there isn't a password? Can you prove they didn't forget the password? Should forgetting a password for an encrypted file containing unknown material be cause for a life sentence?
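
Added example (not part of the original thread, and not any commenter's code): the xor point above, made concrete in Python. With a pad as long as the data, a key exists that maps any blob to any chosen output, so the claim "this key decrypts it to X" can only be checked if a digest of the real key was recorded when the blob was made; the sample blob, the two target texts and the recorded-digest convention are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: 32 arbitrary bytes standing in for "the given file".
BLOB = hashlib.sha256(b"constructed sample blob").digest()
TEXT_A = b"holiday packing list".ljust(len(BLOB), b".")
TEXT_B = b"second set of books".ljust(len(BLOB), b".")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR two equal-length byte strings (encrypting and decrypting are the same)."""
    if len(data) != len(key):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def key_for(blob: bytes, wanted: bytes) -> bytes:
    """Solve blob XOR key == wanted for key. A solution always exists."""
    return xor_bytes(blob, wanted)


def key_digest(key: bytes) -> str:
    """Hypothetical key-check value stored next to the blob when it was created."""
    return hashlib.sha256(key).hexdigest()


def claim_holds(blob: bytes, key: bytes, wanted: bytes, recorded_digest=None) -> bool:
    """Check the claim "key turns blob into wanted".

    Without a recorded digest the arithmetic is all there is to check, and it
    passes for every key produced by key_for(). With one, the key must also be
    the key that was committed to when the blob was created.
    """
    if xor_bytes(blob, key) != wanted:
        return False
    if recorded_digest is None:
        return True
    return hmac.compare_digest(key_digest(key), recorded_digest)


def demo() -> dict:
    key_a = key_for(BLOB, TEXT_A)  # treated here as the owner's real pad
    key_b = key_for(BLOB, TEXT_B)  # a pad computed after the fact
    recorded = key_digest(key_a)
    return {
        "unchecked_a": claim_holds(BLOB, key_a, TEXT_A),
        "unchecked_b": claim_holds(BLOB, key_b, TEXT_B),
        "checked_a": claim_holds(BLOB, key_a, TEXT_A, recorded),
        "checked_b": claim_holds(BLOB, key_b, TEXT_B, recorded),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```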


I wonder how one could be safe against the next hypothetical situation.

Let's suppose that there is someone motivated enough to destroy you. These people have months to mess with your system and substitute your usual decrypt command with a slightly modified version that 1) decrypts a file as usual when the right password is entered and 2) runs a last extra line of code that inserts a child porn image or short video in the file. The timestamp of the decrypted file was changed to now, so you will not suspect that the file was also significantly modified in the same operation. If the decrypt executable is closed and not easily available to examine... what could you do to prove your innocence?

Is it possible for the jury (or the lawyer) to re-encrypt the file again exactly as in the first time to detect if the file was changed?


> I am obligated to assist

What does that mean though? Obligation is given meaning by the penalty for not complying.


I don't think anyone would ever test this theory; it's too easy just to force the safe.


Not quite, IMO -- combination safes can be feasibly opened without the combination.


Encrypted drives can be opened without the password. Difficulty varies of course, but it can be done (e.g. iPhone).


> Encrypted drives can be opened without the password.

No, they can't. The way it's done is by trying many passwords until the right one is found. Once you have the right password, you can use it to decrypt the drive's contents, but then you are "opening it with the password".

(IIRC, there were some bad "hardware encryption" HDDs where the password wasn't actually used to encrypt the drive's contents, just verified against something in the drive's NVRAM; these can be bypassed. But that's not the case here.)


> IIRC, there were some bad "hardware encryption" HDDs

About those: http://www.h-online.com/security/features/Enclosed-but-not-e...

Sadly the images appear to be not working. But they were very clear: what should have been a point cloud had clear lines.


Yes they can. It's not my fault the government has access to shit hardware or that it'll take a really long time. Encryption is just a really big combination lock with a very long series of inputs.


I put you in a room with an encrypted drive and no password, and you will eventually be able to open the drive.

That you acquire the password in the process of opening it is immaterial.


That was only because they chose a weak password. With a 100+ bit password, it's impossible.


Improbable.


When the average time to unlock is equal to or greater than the probable heat death of the universe, this distinction ceases to matter.


You could also get it right on the first guess, so it's improbable, not impossible.


True, though 100 bit passwords are extremely uncommon. Even deadhorsebatterystaple claims to be less than 50.


It's not similar at all. No one can prove that an encrypted drive is an encrypted drive and not a random number, whereas a safe is plainly a safe.


While it's true in a mathematical sense that one may not be able to prove that a sequence of seemingly random bits is an encrypted file, that is not true in a legal sense. The law isn't about proving things 100%. The law is about weighing the available evidence and proving things to various standards (preponderance of the evidence, beyond reasonable doubt, etc).

For example, if there are server logs showing I downloaded illegal files, and there are people who testify that I talked about downloading illegal files, and there is non-pre-installed software on my computer that is used for encryption, then probably that sequence of random bits is an encrypted file.

Maybe you can't prove it mathematically, but you can prove it legally.


The standard is "beyond reasonable doubt".

A doubt which you cannot reason away is reasonable, by definition. Therefore it is below the threshold of legal proof.


That's not what the legal term "beyond reasonable doubt" means. Beyond reasonable doubt means that a reasonable person would have no doubt that the party in question was guilty.


An encrypted drive will typically contain metadata identifying it as such, so no.


There is something, I believe called shadow volumes, which are completely metadata-less encrypted containers living in a sea of random numbers. While you could claim that the existence of a program able to access such a volume would be equivalent to metadata, no actual metadata needs to exist, and the random sea could contain one or ten volumes, which without a password you could never know, only guess or assume.

It could even be possible, even likely, to create encryption schemes where several different encrypted volumes could share the exact same data blocks using something similar to homomorphic encryption. Which raises an obvious question: If the unlocked drive did not contain the data sought, can we hold someone in contempt after they did what we asked from them simply because we didn't find what we were looking for? Because we truly can't know if there are several encrypted volumes in the same space without assumptions about information entropy and inaccessible configuration data.

Thankfully homomorphic encryption is not really practically viable today, so that particularly nasty can of worms is not imminent to solve, but we might be well served to let our decisions be informed by it, as it breaks most assumptions of what can be known, and what can't.
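
Added example (not part of the original thread): a small Python triage routine for the two positions argued above, that a drive normally carries identifying metadata and that a headerless volume sitting in random fill does not. It checks one real header magic (LUKS, chosen as an illustration; the thread names no format) and otherwise falls back to byte entropy; the sample regions, the entropy threshold and the SHA-256 counter keystream standing in for a cipher are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"  # header magic of one real format; others omitted
ENTROPY_THRESHOLD = 7.9       # bits per byte; assumption chosen for this demo


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode), demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def shannon_entropy(data: bytes) -> float:
    """Empirical byte entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def triage(region: bytes) -> str:
    """Classify a raw disk region by what can be shown without any key."""
    if region.startswith(LUKS_MAGIC):
        return "container-header"        # metadata says what this is
    if shannon_entropy(region) >= ENTROPY_THRESHOLD:
        # Random fill, headerless ciphertext or other dense data: the bytes
        # alone do not say which.
        return "high-entropy-no-header"
    return "structured-data"


# Constructed sample regions.
PLAINTEXT = b"quarterly accounts ledger\n" * 2000
HEADERLESS = bytes(p ^ k for p, k in
                   zip(PLAINTEXT, keystream(b"volume key", len(PLAINTEXT))))
RANDOM_FILL = keystream(b"wipe pass", len(PLAINTEXT))
WITH_HEADER = LUKS_MAGIC + b"\x00\x01" + RANDOM_FILL


def demo() -> dict:
    regions = {
        "with_header": WITH_HEADER,
        "headerless_ciphertext": HEADERLESS,
        "random_fill": RANDOM_FILL,
        "plaintext": PLAINTEXT,
    }
    return {name: triage(data) for name, data in regions.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The headerless ciphertext and the random fill get the same verdict, which is the gap the comments above are arguing over: any further conclusion has to come from evidence outside the bytes themselves.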


Can you explain wherein this obligation is spelled out?


"no one should be compelled to witness against oneself"

More specifically, no one should be compelled to assist the government in one's own prosecution.


The text of the fifth amendment says no one should be compelled "to be a witness against himself." It prohibits one specific way in which someone might be compelled to assist in one's own prosecution.


The supreme court is unelected, and are the supreme authority in this nation, above president and congress. The solution is simple - make the supreme court stand up to elections.

America has had atrocious decisions from the supreme court. In Dred Scott, they said black people have no rights because they are black. In Roe v Wade, the abortion laws of 47 states were struck down by 5 oligarchs. No matter what you believe about black people or abortion, it isn't right that 5 unelected people should determine the fate of a nation, able to overrule every state and federal law with no consequences.


I don't see U.S. (or any) elected officials, including Congress and the White House, making better decisions. All have made atrocious decisions.

The argument in the parent is well-worn, but it fails serious consideration if it ignores the facts that the U.S. courts interpret laws made by the elected officials, that the judges are appointed by elected officials, that their unelected status is established by elected officials and a national referendum (i.e., the votes that established the Constitution), and the reasons for their unelected status.


If 47 states still wanted abortion to be illegal, they could certainly have made a constitutional amendment through their elected representatives in Congress and state legislatures. The fact is the restrictions were quickly eroding at the time of Roe and 20 states had already passed laws making specific exceptions including 3 where it was legal.


The Supreme Court's, and indeed the judicial branch's, role is spelled out in the Constitution. They aren't given unlimited discretion to rule by fiat; they are given the power, within the boundaries written into law by the legislative and enacted by the executive, to interpret the law. Don't like their interpretation? The other branches have the power to change the underlying law. Your statement is the sour grapes of those whose wishes are too unpopular to become the law of the land.


Democracy isn't an end in itself. The Supreme Court has consistently made better decisions than the democratically elected branches of government.


I agree that the sheer power and reach of SCOTUS today, and increased partisanship in practice (even though everyone pretends it's a non-partisan body), does necessitate some reform. But electing judges makes no sense - you might as well then just give the fullness of power to Congress, a la UK's parliamentary sovereignty.

What I think we should do is revisit what exactly SCOTUS does, and why. Right now they basically have the final say in any question of constitutionality, and the outcomes are either "it's constitutional" or "it's unconstitutional". I think that's wrong - the third possible outcome should be "Constitution is ambiguous on this". Currently this gets folded into one of the other options, depending on the majority of the court, but I think it's a poor model - if Constitution really is ambiguous, I don't want a simple majority of a few unelected people, many of whom are quite partisan, to make that decision.

Instead, I think this option (ambiguity) should be explicit. The way it would work is something like this - if the court decision is unanimous (or maybe with at most one dissenter) one way or the other, then it's assumed that the Constitution is really unambiguous on the subject, and that's the ruling - same as now.

But if you get a bigger split, then the ruling is automatically "ambiguous". At that point all the disagreeing parties on the court should have to sit down and write a short opinion on what changes to the Constitution they would require to make the other side's opinion unambiguously correct (if there are more than two sides - which can be the case if different judges rule the same way for different and unrelated reasons - then such opinions should be written for all parties other than the one in question).

Then, those opinions are automatically submitted as proposed constitutional amendments to the states for ratification, per usual procedure, except that each state can only ratify one at a time, and there's a reasonable time limit. If one of the amendments wins, then (since all judges have already stated under oath that this is what is required to remove any ambiguity) the ruling is in favor of the corresponding opinion.

If none of the amendments get the requisite majority of state ratifications, then court decides based on simple majority, just like today - but the resulting decision is not considered binding precedent, and only applies to that one case. If the same ambiguity arises in future cases, the process has to be repeated.

Ideally, this should be combined with a lower bar for constitutional amendments - 3/4 of states is really quite ridiculous, given the sheer number of them, and population differences. Something like 2/3 would be more sensible. Although ideally it should incorporate direct popular vote in a referendum as well, in a series of cascading vetoes to check each other - e.g. 2/3 of popular vote is enough to amend, but a simple majority of states can veto that, but 3/4 of popular vote can override the veto.


This is the part of the system which makes me scratch my head.

The Constitution is the source of where the courts derive their power. Being able to change the level of power you have seems to be against the Constitution's purpose of defining, limiting, and binding the Govt.

Article III, Section 2, Clause 1 of the Constitution states:

The judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution,

.... Not OVER the Constitution... Under it.


That kind of parsimonious interpretation has no legal bearing. A dispute over the meaning of the Constitution would naturally arise under [the laws of] the Constitution.

It should also be noted that it was long-standing British common law that courts ruled on the interpretation of law, and that there was ample precedent in the US revolutionary period of state Supreme Courts voiding state laws under state constitutions. Virtually every reference to the notion of questions of constitutionality pre-Marbury v Madison accepts that the judicial courts would play a role in this regard. The only extent to which the decision would have been surprising would have been in arguing whose opinion won it in the case of conflicts. (Note that nullification crises continued up to the Civil War).


This makes a lot of sense. How'd you "bootstrap" such a system in place?


It would require a constitutional amendment.


Checks and balances


Yes!

Diversity. All systems have failure modes (current fav: utility monsters).

By combining multiple systems, you limit the severity of a failure of any one system. All participating systems must be in a failure mode for the overall systems to be in a failure mode.

If the Supreme Court were elected, it would suffer from basically the same failure modes as other elected offices, and would be able to provide a systemic durability against those failure modes.


Some discussion overlooks that this is a special case:

... the appeals court, like the police, agreed that the presence of child porn on his drives was a "foregone conclusion." The Fifth Amendment, at its most basic level, protects suspects from being forced to disclose incriminating evidence. In this instance, however, the authorities said they already know there's child porn on the drives, so Rawls' constitutional rights aren't compromised.

The Philadelphia-based appeals court ruled:

Forensic examination also disclosed that Doe [Rawls] had downloaded thousands of files known by their "hash" values to be child pornography. The files, however, were not on the Mac Pro, but instead had been stored on the encrypted external hard drives. Accordingly, the files themselves could not be accessed.

The court also noted that the authorities "found [on the Mac Book Pro] one image depicting a pubescent girl in a sexually suggestive position and logs that suggested the user had visited groups with titles common in child exploitation." They also said the man's sister had "reported" that her brother showed him hundreds of pictures and videos of child pornography. All of this, according to the appeals court, meant that the lower court lawfully ordered Rawls to unlock the drives.


The critical question is, why haven't they charged him? It is disingenuous of them to bring up the evidence they currently have essentially in an attempt to demonize him. Their evidence is sufficient or it isn't; if it is they should charge him; if not they're demanding self-incrimination.


You need to distinguish between requiring the defendant to turn over incriminating evidence (which the 5th amendment does not protect), and requiring the defendant to make incriminating statements (i.e. to provide incriminating testimony).

Sometimes, the act of producing evidence in response to a government request involves the defendant making implicit incriminating assertions. If the government says "produce all your cooked accounting books," handing over those documents implicitly communicates the assertions that (1) certain books exist; (2) those books are doctored; and (3) you have ownership/control over them. However, say the government asks you for your bank records. When you hand them over, you're implicitly saying "I have bank records," and "these are my bank records." That's not incriminating -- even if the bank records themselves might contain incriminating evidence.

The "foregone conclusion rule," says that the act of production is non-testimonial when the incriminating facts are already known.[1] If the existence of doctored books is already known by other means, the act of producing them doesn't communicate anything to the authorities. The books themselves are obviously communicated, but the 5th amendment does not protect the underlying evidence. It protects the implied statements by the defendant about the underlying evidence.

Hence the threading the needle in the opinion. They're not asking the guy to make incriminating statements about the existence of incriminating evidence. They're asking him to turn over the incriminating evidence they already know exists.

[1] Note that the Court is not saying "we already know he's guilty so the 5th amendment doesn't apply."


Quite aside from anything else, can someone explain whether or not the same logic would apply to (for example) asking someone to open a safe vs. the code to open the safe. It seems like this ruling would say that failing to open the safe is functionally the same?

As a gratuitously distorted example, let's say I had cooked accounting books in a spreadsheet on my computer, and they were encrypted by a random password that /I/ do not know, but have on a memory stick in a safe. It seems that logically that would be equivalent, but I also am very much not a lawyer so am perfectly willing to accept I am missing nuance of the law.

Outside of the law I don't like the foregone conclusion stuff - for example, revolution period you could say hanging out with revolutionaries regularly could reasonably conclude your documents include a calendar for revolutionary meetings so you should be required to provide that information and/or information required to receive that. Obviously that's some contorted logic but I don't think it's that far removed from this.

I would argue that a hash match should be sufficient, and I would be convinced that (absent other information and details) this was evidence that he's a pedo, but I can see how a lawyer could create reasonable doubt where in reality there is none (specifically referring to hashes here, nothing else).

Of course I can't serve on a jury (and apparently knowing what you're talking about may be disqualifying? :-/)


> Quite aside from anything else, can someone explain whether or not the same logic would apply to (for example) asking someone to open a safe vs. the code to open the safe. It seems like this ruling would say that failing to open the safe is functionally the same?

Basically, judges don't agree on which way this scenario comes out.

> Outside of the law I don't like the foregone conclusion stuff - for example, revolution period you could say hanging out with revolutionaries regularly could reasonably conclude your documents include a calendar for revolutionary meetings so you should be required to provide that information and/or information required to receive that.

The "foregone conclusion" stuff is narrower than Ars makes it out to be. The gist of the 5th amendment is that the government can make a defendant do things but not transfer information.[1] Sometimes, an action can implicitly transfer information. The foregone conclusion rule just says that if the government already has the information, then the action does not additionally transfer information.

In your hypothetical, the foregone conclusion rule would not apply because even if the government "could reasonably conclude" that you have a calendar, producing it would still confirm that conjecture (and thus transfer information). But if the government knows you have the calendar, however, because your sister testified that you keep a calendar of revolutionary meetings, then producing it becomes a pure action.

[1] I'd actually argue that the gist of the 5th amendment is even narrower than that: the government literally can't put you on the stand to testify against yourself, or enter into evidence a coerced confession. That's it.


How does this work if there is other evidence on the HDD, for example piracy, a list of stolen goods, the location of bodies he buried? How can 'foregone conclusion' be applied?


Thanks for the answer! :D


A safe will simply be cracked if there is a warrant. Easy as that.


Kind of missing the point: let's say it's a safe that is incredibly difficult to crack, and there's a 90% chance of making a mistake that will trigger a failsafe that will destroy the contents of the safe. In that scenario, the authorities would be unlikely to attempt to crack it.


If I understand the parent post, it's basically protecting you against the "leading questions" of investigation...?

You opening the safe cannot be used as evidence against you; that would cause your action to be "testimonial", and protected. The contents of the safe are evidence, and not testimonial.

If I'm understanding this correctly; it would be like saying "open the safe with the illegal weapons in it", and pointing at the safe. If you open it, does that mean you're admitting the weapons are illegal?


> If I'm understanding this correctly; it would be like saying "open the safe with the illegal weapons in it", and pointing at the safe. If you open it, does that mean you're admitting the weapons are illegal?

Kind of, yes. The non-contrived situation where this comes up is with subpoenas. A subpoena will request specific documents or specific kinds of documents. Responding to the subpoena requires making judgments about what documents are responsive to the request, and there is an implicit assertion that documents produced fall within the scope of the subpoena request.

So the government cannot, for example, make you "produce all accounting records containing false numbers." Producing documents in response to that comes with the implicit admission that the accounting records are false. The government can eliminate that problem simply by asking for all accounting records.


Thanks for the lucid explanation.

What befuddles my non-lawyer mind is that why such evidence is needed in the first place. If it's established firmly that someone has piles of illegal files, then for the sake of their incrimination, why do the files need to be produced at all?

If on the other hand, the files are being requisitioned for purposes unrelated to the defendant's current outstanding culpability, then what laws does that kind of thing fall under?


IANAL, but from reading about this case (and opinions from actual lawyers), I believe it's because they actually don't have the evidence to convict (or they believe the evidence they have, absent the files on the encrypted drive, are not enough, or at least not enough for the sentence they want). They know the evidence on the drive exists, but cannot get up in front of a judge and jury and say "because we found these hashes in the logs, we know there are these files on the drive". They have to actually produce the files themselves.

So, you might say, ok, then that means asking Rawls to unlock the drives is asking him to incriminate himself, and that's not cool. But still, go back to the "foregone conclusion" bit: this isn't a fishing expedition to see if they can find evidence of wrongdoing. They're not asking him, "Hey, do you have any child porn on your hard drives? If so, give them to us." If that were what they're doing, Rawls would be perfectly in the right to say, "I do not have any files to give you". They know, based on the log files, that the incriminating files are on the drive. They are merely requiring Rawls to produce evidence that they know exists, and his refusal to do so is unlawful. Just as if someone refused to turn over bank records that the authorities knew existed.

I know I'm not explaining this perfectly (IANAL, as I said), but hopefully this helps?


I'm not so confused about the legality here as much as I don't understand why they need the files at all if they have irrefutable evidence that he has them.

If I have sales receipts and camera footage showing you purchased 100 Led Zeppelin CDs, do I need to see the CDs in person before I know you have good taste in music?

I'm guessing this has something to do with the subtleties of admissible evidence versus 4th amendment stuff.


If you refuse to hand over subpoenaed evidence you can be held in contempt of court which usually results in some sort of fine, but could potentially result in jail time. Note that this all occurs before your conviction, so time spent in jail for contempt does not count towards your eventual sentence.


Yes, but why are the files needed if it is known which files the drive contains based on hashes, as thousands of hashes matching known images should be plenty to convict on?

Maybe the hashes can only tell that some drive contains the images, and the prosecutor believes it is this particular drive, and tries to avoid having to deal with that defense?

If there is evidence that the particular drive contains those images, why bother with the drive at all? This is the part that doesn't make sense to me.


Because without the images, you have to lead a jury through the fundamentals necessary to make them believe, beyond a reasonable doubt, that the presence of certain strings of hexadecimal digits in a log file is conclusive evidence in its own right. Because failure to do so means that the defendant walks free. Because as long as he's in contempt, he's behind bars indefinitely, so why attach a specific term to his incarceration unnecessarily?


> However, say the government asks you for your bank records. When you hand them over, you're implicitly saying "I have bank records," and "these are my bank records." That's not incriminating -- even if the bank records themselves might contain incriminating evidence.

Here's what I'm missing: why doesn't, in a similar vein, the government simply ask him to unlock the hard drives without any claimed assumption as to their contents?


I suspect that's what happened. But the court gets into the whole issue with Fisher to address an argument that the defendant made. IMHO it was unnecessary to even go down that road.


I must say I find this logic quite unconvincing.

What is a confession but a piece of evidence stored in memory made of biological matter?

How is it different to grant a confession where the memory is electronic rather than biological?


I see a pretty bad course of events.

"Lay inside this fMRI machine for an accurate brainscan if you are lying, and image retrieval of the time in question. Or you will be put in jail until you do."

And I also seem to remember a certain dead salmon who in an fMRI, showed amazing brain activity(!).


> "Lay inside this fMRI machine for an accurate brainscan if you are lying, and image retrieval of the time in question. Or you will be put in jail until you do."

Yeah, exactly.

It seems to me that unless we decide that memories stored in digital media are subject to the same sorts of rights against intrusion from the state as memories stored in biological media, the scenario you describe is inevitable precisely because the line between these two types of memory will be increasingly blurred.


And for ease of reading, I'll reply to my own comment with other interesting issues:

* "The fact remains that the government has not brought charges," [his attorney] Donoghue said in a telephone interview. It seems a warrant is at issue, if I understand correctly.

* The contempt-of-court order against Rawls was obtained by authorities citing the 1789 All Writs Act. The All Writs Act was the same law the Justice Department asserted in its legal battle with Apple.

* The authorities, however, said no testimony was needed from Rawls. Rather, they said, "he can keep his passwords to himself" and "produce his computer and hard drives in an unencrypted state."

* My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself.


> My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself.

Except that's not how it works, and that's not what the 5th protects against. Let's say you have bank records that incriminate you in some money-laundering scheme. The authorities know that you have these records, because an associate of yours has informed them that you do. The protection against self-incrimination is about transfer of information, not about pure action (even if that pure action implicitly transfers incriminating information). The incriminating information would be "I have bank records that detail illegal activity". The authorities already know that; they do not have to ask you to provide that incriminating information. However, it is absolutely within their rights to say "give me all your bank records dated from X to Y", and yes, you must comply.

Sure, you can try to provide incomplete or doctored records, but if they're able to prove that they're incomplete, you're in contempt of the court order, and they'll likely add obstruction of justice or evidence tampering to the list of charges.

In the narrowest possible view, the 5th protects you from being put up on the stand and to be coerced into a confession. Some/many judges interpret it a bit wider than that, but it seems few would find the request that Rawls turns over the files in question to be problematic.


And what happens if the one who testified that you do have the records lied? Do you go to prison for not producing documents you do not have? How would you prove you don't have them? What if you had them but shredded them once you didn't need them (because you shred all bank information, nothing special about these records)?


"My completely amateur thoughts: If they already can prove he has child porn, then they don't need the additional evidence. If they do need the additional evidence, then he is incriminating himself."

That's a good point. They either have proof he downloaded child porn or they don't. They're definitely trying to do more than prove it. Probably set a precedent increasing their power as usual.


"so you, Mr expert witness, are telling me that hashes collide? What's that you say, there are actually people who actively look for and produce such hashes for fun?? Ladies and gentlemen of the jury..."

And so on. I'm pretty sure pedophile is near the top of the "you better make damn sure they don't get off" list.


>I'm pretty sure pedophile is near the top of the "you better make damn sure they don't get off" list.

It's not illegal to be a pedophile. It's illegal to possess child pornography.


They have some evidence that he downloaded child porn, but it's the trial and jury that will evaluate if it's sufficient beyond all reasonable doubt. If they believe that current evidence has some chance of being not sufficient and there's extra incriminating evidence, then it's their right and duty to obtain that before passing it on to the court.

You can't answer the question "if they can prove" before court, as it's decided only then. You must finish the evidence gathering before you have a judgement on that.


It could be that they want the drives unencrypted in order to help other investigations into the sources of the material, and think it will be better to compel him to release it before sentencing so he can't use it as leverage to lessen his sentence.


This is my best guess also, it does however not appear to be in the spirit of the law.


They want to establish useful precedent ideally


I've never understood the foregone conclusion doctrine. If it's a foregone conclusion, the search should be unnecessary, not a special privilege.

IIRC, he also stated that he has forgotten his password (and after 18 months, it has become believable).


The forgotten password is my concern here, God help you if you're an innocent person in this situation!

Edit: whether or not it's true in this instance.


It's a foregone conclusion that the Constitution is inconvenient to law enforcement, so they ignore it or try to change its meaning.


The existence of the child porn might be a foregone conclusion, but there is a lot of other stuff on the hard drive. And that other stuff is not a foregone conclusion. So by decrypting the hard drive, he would be giving them information that is not a foregone conclusion.


I believe the persecution would argue that any newly discovered evidence can simply be excluded by the court. The legal system's philosophy is that it should be all-powerful, and that it will parcel out what it deems to be our rights.

Of course, Free people know that rights are obtained and maintained by individuals themselves - eg the second amendment.


Sitting directly in front of me are two moderately large encrypted hard drives the passwords for which I forgot. If I get a subpoena to produce their contents, I will potentially remain in jail for the rest of my life for the crime of being forgetful.

That judge's behavior (and the laws that enable it) is sickening. You either have enough evidence to convict a person, or you don't.


The Court's opinion explicitly addresses that (at 18-19). It first recognizes that impossibility of compliance is a defense to a contempt charge. But it then explains why the trial judge reasonably did not buy that argument:

> At the contempt hearing, the Government presented several witnesses to support its prima facie case of contempt. Doe’s sister testified to the fact that, while in her presence, Doe accessed child pornography files on his Mac Pro computer by means of entering passwords from memory. Further, a detective who executed the original search warrant stated that Doe did not provide his password at the time because he wanted to prevent the police from accessing his computer. Doe never asserted an inability to remember the passwords at that time.


Unfortunately the opinion seems to show serious forgetfulness on their own part. On page 7, "Doe, however, stated that he could not remember the passwords necessary to decrypt the hard drives and entered several incorrect passwords during the forensic examination." These events took place after the original search warrant but before the finding of contempt. It's curious that these facts are included in the background section but not the legal analysis.


18 months later, though, it is completely plausible that he really has forgotten. I don't think I would remember a complex password that I haven't used for 18 months. Hell, I sometimes have to reset simple passwords that I created last month. If you don't use knowledge, you forget it.


Perhaps, but the judge can only make judgements based on the arguments presented.

If the defendant wanted to argue that he no longer remembered the password (but would be willing to decrypt the drive if he could), then that's something that the judge would consider. But a judge can't (and won't) simply say "Oh, maybe he hasn't complied because he just forgot the password. I'm going to let him off"


It's literally impossible to prove someone has or hasn't forgotten something. You shouldn't be able to jail someone indefinitely for not producing something you can't prove exists.


Yes, but that's fairly well tested ground and isn't unique to this case.

Witnesses (in the sense of being called to that stand in a courtroom) are frequently asked to tell the court what they saw/heard/did, or from where/whom they received information. Refusing to answer may get them pulled up on contempt charges, and if they claim not to remember then the judge needs to decide whether they are lying.

Given the impossibility of proving (in an absolute sense) that the witness does in fact remember (at that exact moment), it's a game that witnesses are likely to get away with (hence the standard "I don't recall" answer from politicians and bureaucrats), but it's not a universal solution to the "I don't want to tell you" scenario.


I think that the difference is that people are generally good at remembering the details that judges are normally interested in. People are notoriously bad at remembering passwords.


That's not something that's going to trouble US authorities given that the US invasion of Iraq was alleged to have been because the Iraqi leadership couldn't demonstrate that there were no "weapons of mass destruction" hidden somewhere in the country.


Our justice system, by and large, rests not on proving the truth or not, but on an (idealistically) rational group of peers deciding both on the probability that a crime occurred and the justification/reasoning of both the crime itself and the law criminalizing it. Beyond that, it rests on a legal system (police, courts, etc) that, by and large, also acts on notions of reasonability and discretion to bring forth evidence that will inform a jury's decision. As we have seen in many high-profile examples, the system is imperfect - it is human, and in many prominent cases (from exoneration of lynchers in the 1930s to indefinite detention today) it fails in disturbing ways. It is because of intentional vagueness that these failures arise, but it is also by this vagueness that unique exceptions arise. In this case, I don't think that the decision necessarily sets precedent for all of us with hard drives for which we have forgotten the password. I don't necessarily agree with the indefinite detention (although I do not claim to know the scope of other investigations that might rely on the evidence on those drives), but I think the circumstances are positioned such that this decision is an exception to our system rather than the beginning of a slippery slope. Of course I might be wrong, but I wouldn't decry the end of privacy just yet.


When the original case surfaced I was wondering the same. If they had (real) evidence that your encrypted hard drives have CP, then I'd be okay putting you in jail (;

However, if that was the case then they wouldn't need to decrypt the drives, so this whole case smells quite a bit.

AFAIK there is a similar situation in airport immigration; if you are a US citizen and don't want to provide a password for an encrypted device, they'll make you have a bad time, then throw the device and then let you in. Same for foreigners except with a flight back instead of letting them in. The bad time they give you basically depends on the immigration officer.


mmm this poses an interesting question: what if a defendant/suspect cannot remember the password? Does anyone know if there is any comparable precedent regarding forgetting things?


If you're a politician, "I don't recall" seems to work wonders for depositions.


Only if you are too powerful to jail


More and more I'm convinced that the only solution is data destruction on a fail-deadly system. Like a warrant canary, if it's your default operation, you should be alright. As I always add though, don't keep your family photos on that drive.


I don't understand what a fail-deadly drive would look like. Can you give an example?


I'd imagine you'd have to do a task (like inputting a passcode) every so often or the drive would be made inoperable.

For SSDs it'd be as simple as an automatic single pass overwrite and a new encryption key. For HDD, the hyper-paranoid could rig their drives with small explosives to fracture the platters.


^This. In fact you can buy readymade solutions now which physically destroy the NAND gates on the input of a code, or as you say, if you fail to input a code within a time limit.


An example I've given here before is: http://securedrives.co.uk/

There are other solutions though, and of course you can make your own if you feel confident about it.


Unless you've been engaging in online noncery and have amassed a gigantic collection of photographs and videos of child abuse like the scumbag described in the article has evidenced, you should be absolutely fine. It's certainly not the judge's behaviour that is sickening here.


"You've got nothing to hide" is not a valid argument.


But the guy clearly had a massive stash of child pornography to hide, so I'm not really sure what your point is.


Isn't the man innocent until proven guilty?


The court accepted evidence that he'd downloaded and shared all manner of such filth, including both technical evidence and testimony from his sister.


Then why couldn't they convict him on that evidence?


This is my main gripe. You either have the evidence to put the defendant in jail or you don't. If you don't have enough evidence to support putting him in jail, you let him free.

Innocence until proven guilty. I don't want to live in a society where law is determined by emotions and personal bias, even if some criminals end up escaping justice.

Side note: I can't believe I feel the need to state this, but evidently it needs to be stated (from comments in this thread): these two drives were set up as part of a backup solution. They contain my personal data. They do not contain child pornography.


The ability to convict a particular case on a particular set of evidence is unknowable before trial, where the facts are decided by a jury. It would be irresponsible for a prosecutor to attempt a trial if they know stronger evidence is available.

The prosecution was able to convince a judge that there is encrypted child pornography on those drives. The judge can't force a jury to accept that (a ruling of fact), but (s)he can make a ruling of law that the defendant no longer has a fifth amendment defense to producing a decrypted version of those drives.


Here's a recording of the oral arguments for the US Court of Appeals, Third Circuit back in September: http://www2.ca3.uscourts.gov/oralargument/audio/15-3537USAv....

The gov's argument seems to be that because the defendant doesn't have to give the government the password but rather produce the decrypted hard drives, his actions aren't protected under the fifth. Analogy drawn with unlocking a safe.

EFF counter-argument to the safe analogy is that the encrypted documents do not simultaneously exist in a decrypted form protected by an obstacle, like a safe, but rather are produced as an act of translating the data from decrypted to unencrypted form; the government already has the data on the drives, they just can't understand it without the contents of the defendant's mind.

Justices then press the gov lawyer on whether there are fourth amendment issues in the case, as in whether the government can search all files on the hard drive, if decrypted, for evidence of criminality beyond the specific files they seek. Gov lawyer punts on the issue.

Basically it seems like a steep hill for proponents of encryption. The justices talk about how we're heading for a world where almost everything is encrypted, and encryption proponents are asking the government to give up an enormous amount of power.


The distinction is interesting. I wonder if there's a precedent somewhere in which someone wrote a diary in some form of code and was asked to produce the unencrypted diary.


Can you be compelled to provide something that you don't have access to? Were anyone else in this situation, wouldn't it be plausible to simply claim you don't know that password?


I've wondered about scenarios where you can legitimately claim to not know the password to decrypt a drive. A few different cases I can think of which may be ruled differently by a court.

1) I use a password manager so I don't know the password. However, I have the means to acquire the password.

2) I use a password manager but somehow lost access to it unintentionally.

3) I use a password manager and lost access to it by design. (eg. Using a dead man's switch of some kind that deletes it if I don't "check in" for some period of time)

4) I used to know the password. However, I suffered a traumatic brain injury and cannot recall it.

I obviously don't have the answers but I think these are interesting to think about as different points in a large legal grey area.


One I've been thinking of is a shuffled keymapping or keyboard - you know what password you type, but not what it actually translates into.


Not bad, but that key-map would have to be accessible unencrypted from the encrypted device no? Unless somehow hard-mod a physical keyboard or something?


There is ample precedent for forgetfulness in the courts. Imagine a scenario where you are called as a witness in a case against someone else and you say that you can't remember what you saw. If there is evidence to support the idea that you are lying (say, you're being asked an easy question about something that happened yesterday) you can be held in contempt.

If there is reason to believe that you are telling the truth (say, you're being asked which of two parking spaces you saw a car in 10 years ago) then you're fine.

Same thing goes here. Rational disinterested people (a judge or a jury) will look at the available evidence and make their best judgement about whether you are telling the truth when you say you can't remember.


Thought experiment: What if there were an encryption system whereby if a user inputs one decryption key, the encrypted data decrypts to one set of values and if the user uses a second key, it decrypts to a second set of values.

Sure, in order to encode both sets of data into a single encrypted result would require more storage space, but that is a small price to pay for protection against self incrimination from our ever growing police and surveillance state.

The end of the article captures why this idea would be so effective, viz. "The authorities, however, said no testimony was needed from Rawls. Rather, they said, 'he can keep his passwords to himself' and 'produce his computer and hard drives in an unencrypted state.'"

It is absolutely true and valid that the government has the right to compel people to hand over evidence that they are KNOWN to possess (in the same way that legal discovery is essential to civil cases). The line the government is drawing between self-incrimination and forced cooperation in an investigation is that they don't want him to tell them the password or what is on the drives -- they simply want him to hand over the drives in an intelligible state. Thus, if one could decrypt the drives to an intelligible set of data but not the data they desire, then you would be complying with the court order and could not be held in contempt.

Can someone on HN who knows more about cryptography help poke holes in my idea?


Truecrypt has hidden volumes.

There's also https://en.wikipedia.org/wiki/Rubberhose_(file_system) and others: https://en.wikipedia.org/wiki/Deniable_encryption

Same general principle, you allegedly can't prove the hidden volumes exist unless you have the decryption key.


This is possible, at least in some contexts. I'm no expert, but the bitcoin wallet, Trezor, has implemented this - known as "plausible deniability".

The idea is if you are compelled somehow by force to unlock your bitcoin wallet, you can use a secondary password that assumingly has less bitcoin than your regular bitcoin wallet.

https://news.bitcoin.com/bitcoin-wallet-plausible-deniabilit...


Thought experiment: What if you kept two sets of bank records for your business. One set of bank records were truthful and demonstrated your guilt. The others were falsified and demonstrated your innocence.

What would happen if, after your bank records were subpoenaed, you hand over the falsified records?

Well, you'd be committing a crime. Maybe you get away with it, or maybe law enforcement figures it out and you get caught. Depends on how clever of a criminal you are.

Same thing here with your double-plaintext encryption.


Hmm... I believe there may be a distinction here. Decrypting to the false virtual contents would be more like presenting a copy of the bank records that were correct, but the file had been corrupted and the data was unusable. However, the corrupted but true records had been created before the subpoena (not trying to obstruct) and were handed over in good faith.

You wanted the contents of this drive? Here they are!

The owner of the drive is definitely in a legal and moral grey area, but it would be supremely difficult to prove mens rea in this case.

Interesting thought experiment: What happens when someone fills a hard drive with junk data and then encrypts it, then gets subpoena'd for the unencrypted contents of the drive?


The scenario you describe is not at all like the situation at hand. Data corruption and encryption are not the same thing as encryption is a fully reversible process.

Further, the owner of the drive is not in a legal or moral grey area. They are in a "black" area where it's quite clear that they are being intentionally deceptive in defiance of a court order.


> Sure, in order to encode both sets of data into a single encrypted result would require more storage space, but that is a small price to pay

You moved on from this aspect too quick. The "price being paid" isn't the economic cost of more storage space, but the technical fact that your ciphertext is clearly capable of containing more information, and therefore probably does. This is a fundamental constraint of steganography.

The general answer to this is to align the size of the ciphertext with some larger more-fixed volume size that has another plausible reason for existing. With Truecrypt you could say "I created a 1GiB volume as a nice round number for future storage, even though I only ever stored 100MB on there". With a general steganographic filesystem you could say "I bought a 4TB disk even though I didn't put much on there", etc.

But note these arguments are only suggestive and not open-and-shut. If one has a data-hoarder amount of hard drives but only reveals enough data on them to fill up a decade-old single drive, they aren't going to be believed.


You can't get two different sets of cleartext from the same ciphertext (except collisions, which are impractical and can be excluded for practical purposes). Of course, you can store a few sets of ciphertext and decrypt depending on the provided key/password, but watching disk IO may reveal that parts of the disk are getting skipped. Basically, it all boils down to the competency level of the examiner.


Well, having an encrypted storage that uses interleaved blocks for storage would allow you to have multiple versions of the data at the cost of 2x (or #x) the data storage of the largest partition. You could even throw in some parity to make the image resilient to damage. Software could then use the key provided to find the set of blocks it opens. Software wouldn't need to know anything beyond the basics of block size and number of parity blocks after it was created. Each read/write would read all the parallel blocks at once and write them all at once. All watching that would do is let you know which blocks changed. And that is assuming you can observe usage beforehand. If not, then you have no idea how many real data partitions there are or if you were given a bogus password. That being the idea behind plausible deniability.


Encrypted data should be indistinguishable from random, so if you had an encryption system that randomised the unused portion of your disk nobody except yourself would know whether there was data there or not.
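The examiner's side of the point made above and in the earlier comment about ciphertext size, as an added example that is not part of the thread: a per-block Shannon entropy scan over two constructed volume images, one with zero-filled free space and one with randomised free space. The volume layout, the 7.9 bits/byte threshold and the SHA-256 counter-mode keystream (a deterministic stand-in for a real cipher and for `os.urandom`) are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # bytes per analysed block (assumed allocation unit)


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: deterministic stand-in for cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, up to 8.0."""
    if not block:
        return 0.0
    total = len(block)
    return -sum(c / total * math.log2(c / total)
                for c in Counter(block).values())


def classify(block: bytes) -> str:
    """Label a block the way a triage tool would (threshold is assumed)."""
    h = shannon_entropy(block)
    if h == 0.0:
        return "constant"
    if h >= 7.9:
        return "random-like"
    return "structured"


def build_volume(randomise_free: bool) -> bytes:
    """Constructed image: 1 header block, 3 ciphertext blocks, 4 free blocks."""
    header = (b"VOLHDR v1 cipher=demo block=4096\n" * 200)[:BLOCK]
    plaintext = (b"2017-03-20 backup ok: /home/user/documents\n" * 400)[:3 * BLOCK]
    pad = keystream(b"constructed-volume-key", len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, pad))
    free_len = 4 * BLOCK
    if randomise_free:
        free = keystream(b"constructed-fill-seed", free_len)
    else:
        free = bytes(free_len)  # zero-filled free space
    return header + ciphertext + free


def scan(image: bytes) -> list:
    """Classify every block of the image in order."""
    return [classify(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]


def apparent_ciphertext_blocks(image: bytes) -> int:
    """Blocks an examiner must treat as possibly holding encrypted data."""
    return scan(image).count("random-like")


if __name__ == "__main__":
    for randomised in (False, True):
        image = build_volume(randomised)
        print("randomised free space:", randomised)
        print("  block map:", scan(image))
        print("  possible ciphertext blocks:", apparent_ciphertext_blocks(image))
```

With zeroed free space the scan recovers the exact extent of written ciphertext; with randomised free space it yields only an upper bound, which is why the size argument in the thread is suggestive rather than conclusive.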


They also have a set of hashes of files they expect to find. If they don't find those files, they'll probably ask more questions.


How can they be sure that files weren't deleted?


You want to outsmart the cops, be my guest.


I think this is what TrueCrypt does (did).



This case is interesting. If I'm reading https://en.m.wikipedia.org/wiki/United_States_v._Hubbell correctly, the fifth amendment only applies if "they don't know what they're looking for." In this case, because there is (enough) evidence of CP on his computer, they are subpoenaing him to produce the unencrypted drives. In some sense, they're not asking for a password - they're asking for the drive contents, which they know to at least partially be illegal. IANAL though.

Assuming that interpretation of the 5th is correct, subpoenas can easily be used to access encrypted information. I just hope the judges that decide when to grant subpoenas know where that line is.


It is amazing that anything produced would be admissible.

I don't see how this is different than having circumstantial evidence that someone is a murderer, so ordering them to lead you to where they buried the body.


I think the key is that the evidence is beyond circumstantial - they have concrete evidence that he uploaded files that were CP from that computer. It's a bit worrying why that isn't circumstantial (hacked computers aren't a thing?), but maybe the standard for issuing a subpoena is lower than guilt but higher than circumstantial.

Sounds like the only right answer for your password is "I do not recall"


This might be a stupid thought but if they already have enough concrete evidence against the suspect, why do they require the contents of the drive?


My guess would be that they suspect him of producing child porn, and they want those files so they can add it to the list of hashes (they know there were hashes of child porn sent to his computer, but they don't know which hashes/files were child porn that he sent that was originally produced by him) and/or they want to get at evidence he likely has on other child porn producers.


I see two possibilities.

1. They don't have enough evidence to convict, and know it, and thus are waiting for this evidence. The problem here being a question of how are they sure enough of guilt to hold him in jail for so long.

2. They do have enough evidence to convict, but they would rather have a precedent destroying (or weakening) encryption. This would be like the San Bernardino iPhone case.

I'm not sure which possibility is worse.


My bet would be to up the sentence. Go from 2 counts of CP to 200 - 5 years in jail to life sentence.


Doesn't that bring the question back to the 5th amendment on the other 198 counts?


But then that seems to undermine the whole argument, because they actually are requiring the suspect to incriminate himself.


Each photo in possession is a separate crime and they, presumably, know about and want a single photo. However different legal doctrines say, if they find more in the normal course of events, they are now admissible and can be used to create new charges.


> However different legal doctrines say, if they find more in the normal course of events, they are now admissible and can be used to create new charges.

Sure, but that's not the case here. They apparently already know he possesses a certain number of such photos, and are now trying to compel him to incriminate himself further.


So if I forget my password, I can be in jail forever?


Reading this story actually makes me ill. When a technical defense protects you from the state, they jail you for contempt.

When you say, "but we have a constitutional amendment that protects us from self-incrimination", they say "sure but that doesn't apply here."

And of course it is child porn that is in question. It is a mere crime to "possess" it, that is to say, possess a hard drive on which images are found.

It goes without saying that images, at any point in time before, after, or during an investigation, can appear against your will on your hard drive.

But since it is so morally outrageous, it is the go to charge that prosecutors use to jail their personal and political enemies. Or just soft targets, I guess...


If that's all they had, I'd probably agree with you. But that's not. They have:

* Backup logs that show hashes of files that match that of known child porn image files.

* Testimony from the guy's sister that she has seen him decrypting the drives, and that he showed her child porn from the drives.

So yes, what you're saying is true, but in this case, I'm (reluctantly) on the side of the authorities.


I can see where you are coming from, and I really want to avoid commenting on if he is truly a pedo.

I agree with the poster below you that they should charge him if they do have that evidence.

But if they are holding him in contempt while waiting to force decrypt so that legal precedent can be set, or if they're holding him so that this way he is in jail without getting credit for time served on his potential cp charges, then this is all a pretty hefty abuse of due process and etc.

We really need to defend even the worst people's right to a decent correctional experience. Why?

Because if you are ever wrongfully imprisoned, you would want the same. And it really does happen!


The problem is it feels like they're using this case, where the guy is obviously guilty, to set a precedent despite having enough evidence to convict him already.

Maybe next time they won't have evidence, but there's a handy encrypted drive to get someone with instead.


Those are my sister's hard drives, I allow her to use my computer when she visits. Please ask her to decrypt them as I don't know the password.


Which should be plenty to convict on if the evidence and testimony is reliable, shouldn't it ?


That would be an interesting case but that's not what seems to be argued here. The state is arguing that they have enough evidence that "the presence of child porn on his drives was a 'foregone conclusion.'". It's likely the defendant didn't use forgetting-the-password as a defense because it was obvious via IP traffic and witness testimony that he had regularly and recently used his computer.

The ruling here seems focused on the point of whether the knowledge/use of a password constitutes self-incrimination, which people have a Constitutional right not to engage in. IANAL, but it seems akin to arguing that you have a Fifth Amendment right not to give up a DNA sample.

edit: Looks like I'm wrong, defendant did use forgetfulness as a defense at one point, though that was ultimately not his only reasoning for appeal.

Look at page 7 of the document here:

https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...

        Approximately one week after the Quashal Denial,
        Doe and his counsel appeared at the Delaware County Police
        Department for the forensic examination of his devices. Doe
        produced the Apple iPhone 6 Plus, including the files on the
        secret application, in a fully unencrypted state by entering
        three separate passwords on the device. The phone contained
        adult pornography, a video of Doe’s four-year-old niece in
        which she was wearing only her underwear, and
        approximately twenty photographs which focused on the
        genitals of Doe’s six-year-old niece. 


        Doe, however, stated
        that he could not remember the passwords necessary to
        decrypt the hard drives and entered several incorrect
        passwords during the forensic examination. The Government
        remains unable to view the decrypted content of the hard
        drives without his assistance.

However, in the next paragraph, the document refers to a ruling in which the court found that there was enough evidence to show that the suspect "remembered the passwords needed to decrypt the hard drives but chose not to reveal them because of the devices' contents". I imagine the details of that evidence were in the Oct. 5, 2015 hearing in which the suspect "neither testified nor called witnesses. He offered no physical or documentary evidence into the record and provided no explanation for his failure to comply with the Decryption order".


> Forensic examination also disclosed that Doe [Rawls] had downloaded thousands of files known by their "hash" values to be child pornography. The files, however, were not on the Mac Pro, but instead had been stored on the encrypted external hard drives. Accordingly, the files themselves could not be accessed.

He was running a Freenet node. Investigators were also running Freenet nodes, which peered with his. They were using a tweaked Freenet client that logs lots of stuff. So they know that chunks of child porn files went to his node. What they arguably don't know is whether he requested them, or merely relayed requests from other peers. But they have experts who will bullshit convincingly enough about that.

Edit: The Freenet Project, in my opinion, has irresponsibly relied on "plausible deniability".


Interesting, didn't think it could be Freenet related, as lists of hashes during synchronisation were stated. If so it could explain why the prosecution want the drive decrypted although they on the surface seem to have enough evidence.

But then the foregone conclusion argument could be slightly disingenuous, depending on exact details which appear to be unknown at the moment?


By running their own Freenet nodes, investigators can create databases of observable chunk hashes and file content. And they can see traffic to peers. So they know that his node handled child porn.

But they can't really know that he was looking at child porn without finding saved files. They may also be interested in communications with other potential suspects.


2016-05-26 - Police department's tracking efforts based on false statistics

https://freenetproject.org/news.html#news


If it's a foregone conclusion, why don't they charge him under CP laws and be done with it? Looks like it's either not as foregone as they try to present it, or they try to use it to establish a precedent (or probably both) and latch on this case because of the defendant being so unsympathetic.


The self-incrimination clause was motivated by the practice of forced confessions, which were elicited by threats, indefinite detention and torture. You can get a DNA sample with a cotton swab, but it takes much worse to extract information from someone's mind.


It's not only because of the amount of force used. It's also because of the power it gives to the police.

If they had a mental scanner that allowed them to get information out of people's brains without keeping them in jail forever or torturing them, it would still be a problem - because without controls on it what the police would do is just round up everyone looking suspicious enough, brain-scan them en masse and use all the information gathered. And of course they would claim "if you're an honest man, you don't have a reason to be concerned".

So it's not only about torture & detention, it's about not giving police the power to own any information they'd like to have just because they want it. We have "due process" because police and state power is huge even as it is, without strict controls on it a private citizen has very little chance to resist any abuse and to correct any error.


> IANAL, but it seems akin to arguing that you have a Fifth Amendment right not to give up a DNA sample.

It's not equivalent. The Supreme Court has mentioned in past decisions that combo locks may well count as products of the mind, and so fall under 5th protection, where key safes and compelled DNA gathering do not. See: http://blogs.denverpost.com/crime/2012/01/05/why-criminals-s...


It would be interesting to know why he has not used this excuse.

Imagine having encrypted disk format where fast delete happens by writing over the main key in the volume header with random data and not all zero or some other magic value. You could have lots of deleted disks and memory sticks and go to jail because you can't decrypt them when asked.


It's possible that the suspect wasn't thinking things through when he was hit with the search warrant. It says that he gave them his iPhone 5S password but not his Mac password, or the passwords for the hard drives. They apparently were able to get into the Mac (maybe the password was the same as his iPhone?) but not his hard drives. He is said to have "refused" to give those passwords. I suppose he gave up the ability to maintain a consistent defense when he said "No, I don't have/want to" instead of "I forgot".

https://arstechnica.com/wp-content/uploads/2017/03/rawlsopin...

I'm confused by this statement in the above ruling:

    The Forensic examination also
    disclosed that Doe had downloaded thousands of files known
    by their “hash” values to be child pornography.
    The files, however, were not on the Mac Pro, but instead had been
    stored on the encrypted external hard drives. Accordingly,
    the files themselves could not be accessed.

So forensic analysis of the Mac revealed that he downloaded known porn files (identifiable by the database of hashes that law enforcement uses)...but don't you need access to the actual file to be able to calculate its hash? If the files were moved to, or downloaded right to the encrypted drives, how could forensic analysis reveal the files' hash values?


As an example of p2p, when a user attempts to download the song “In the Air Tonight,” Gnutella will not look at filenames, but rather, for other computers sharing that file based upon its SHA-1 hash value. If “In the Air Tonight” is being shared by multiple users then it is possible for the Gnutella network to obtain parts of the file from several users; instead of the user downloading the entire song from one computer, he or she will get a small piece from several different users sharing the same file. This allows a computer to simultaneously download different portions of the song, making the entire download process faster and more reliable.


One can know the hash of the file without having it - i.e. if one got the hash as an ID from the file exchange network, and LEOs have the logs suggesting that hash was used to download these files - but they don't have the files themselves.


I'm assuming the files were downloaded using Bittorrent or some other file sharing service, and the hashes of the downloaded files were logged on his Mac.


Ah, that makes perfect sense. Since they could log into his Mac, looking at the Bittorrent metadata would be trivial (apparently he didn't clear history, or at least do so securely), and some clients would indicate not only the downloaded file, but where it was saved to locally.
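
The answers above come down to the hash being the network-wide name of the file, so it can sit in a client log even when the saved copy is unreadable. The following is an added sketch, not code from the thread or the court record; the log format, paths, peer layout and sample files are all constructed for illustration.

```python
import hashlib

def content_id(data):
    """Network-wide identifier of a file: the SHA-1 of its bytes."""
    return hashlib.sha1(data).hexdigest()

# Constructed, benign sample files standing in for shared content.
SONG = b"constructed sample: in the air tonight " * 64
NOTES = b"constructed sample: meeting notes " * 64

def split(data, n):
    """Cut a file into at most n roughly equal pieces."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]

def build_peers(files, n_peers=3):
    """Each peer holds {content_id: {piece_index: piece}} for some pieces only."""
    peers = [dict() for _ in range(n_peers)]
    for data in files:
        cid = content_id(data)
        for idx, piece in enumerate(split(data, n_peers)):
            peers[idx % n_peers].setdefault(cid, {})[idx] = piece
    return peers

def download(cid, peers, save_path, client_log):
    """Request a file by hash, reassemble it from several peers, verify, log."""
    pieces = {}
    for peer in peers:
        pieces.update(peer.get(cid, {}))
    data = b"".join(pieces[i] for i in sorted(pieces))
    if content_id(data) != cid:  # the ID doubles as the integrity check
        raise ValueError("reassembled data does not match requested hash")
    # Hypothetical client history record: the hash is written down because
    # it is what was requested, independent of where the bytes end up.
    client_log.append({"sha1": cid, "saved_to": save_path, "bytes": len(data)})
    return data

def match_known(client_log, reference_hashes):
    """Examiner's view: compare logged IDs to a reference set. No file needed."""
    return [rec for rec in client_log if rec["sha1"] in reference_hashes]

def scenario():
    peers = build_peers([SONG, NOTES])
    client_log = []          # lives on the readable system disk
    external_drive = {}      # stands in for the encrypted, unreadable volume
    for data, path in ((SONG, "/Volumes/EXT1/a.bin"),
                       (NOTES, "/Volumes/EXT1/b.bin")):
        external_drive[path] = download(content_id(data), peers, path, client_log)
    # The reference set is built from copies examined elsewhere; here it is
    # simply the hash of one constructed sample.
    reference_hashes = {content_id(SONG)}
    # external_drive is deliberately not passed to the examiner's function.
    return match_known(client_log, reference_hashes)

if __name__ == "__main__":
    for hit in scenario():
        print(hit)
```
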


The prosecution would say that he frequently accessed the computer (which they could prove with forensic analysis) and argue it unlikely that he forgot his passphrase. The judge would accept that argument.

It's scary to me because I've forgotten my encryption passphrases more than once, and I'm highly-educated.


After 18 months I definitely would be unable to comply to unlock the drive if the password was even remotely complicated.

Seems like the proper thing to do with a drive you forget the password to is to zero the drive.

I know I have encrypted archives of very mundane data in incremental backups which I have no clue as to what the password is, and due to the technology involved it's almost impossible to remove the files without risking to compromise the ability to restore other files. Ooops.


Yes.

But that's not all.

Depending on the country, your origin, your job, your beliefs, your principles, your preferences or whatever, a government could jail you just for being you. Forever.


Nit: He is pleading the fifth, not claiming he forgot his password, no? I agree with the sentiment that this possibly sets a bad precedent.


Just hardcode it into the DNA of your gut flora using CRISPR.

If they ask for your password, give them a sample.


If they "know" that you have something illegal, yes.


Assuming it's shown to be a foregone conclusion you have child porn on your machine, yes.


Then why hasn't this person been prosecuted yet? Are they just wanting him to give up his credentials so that they can refer to this case as a precedent?


They clearly don't need to prosecute him now, since it looks like he can be jailed indefinitely and everyone's cool with it. Scary stuff.


Subtle point: "they" don't want or care about his credentials -- they want the underlying evidence for which they know exists (check out "The foregone conclusion doctrine" in page 34 of the source document[0]) and they know that he is capable of providing said evidence.

> Here, based on Doe’s own statements, the testimony of his sister, and forensic analysis of the hard drives seized from Doe via a search warrant, the government already knows that Doe possessed and owned the hard drives, that he can decrypt them, and that they contain child pornography.[0]

Based on computer logs (of checksummed files being transferred to drives (and, importantly, knowing those filepaths) he admits to owning), online activity, witnesses, his own admission, and his unlocking of his phone provided the evidence needed to reasonably detain him on suspicion of a serious crime. The defendant is known to collect child pornography, even provably sourcing his own from family members -- again, the source document provides far more detail.

Further, my understanding is that the complication is his refusal is frustrating the process of deciding exactly which crimes for which to charge him and he is acting in defiance of a court order (to produce evidence).

[0] https://cdn.arstechnica.net/wp-content/uploads/2017/02/fedsr... (warning: some parts are sickening)


Same. I can't understand why, if it's a foregone conclusion, the other stuff can't be used to convict him.


A possibility is that if they prosecute based on what they have now, then he will _never_ decrypt it - they may be aiming to break up a porn-ring or the actual producers, and he may have very valuable data on the drive, that may potentially save lives


If this were the case, they would provide him immunity in exchange for cooperation in prosecuting up the "food chain" like they do with mobsters.


I think this is just a thing that happens in the movies. Also, check out the source document and let me know if you think someone found guilty of the described acts deserves immunity.


It's not really a matter of my opinion on the specific case. Even with the full documents, there is no way that I'd have enough information to judge fairly, so I wouldn't try to.

I'm just saying that they have a way out, and it seems that they've made the judgment that the potential of finding other criminals (if that's even a motivation) for them is not worth it. And the courts are making the downside "indefinite prison", which isn't much of a downside for the prosecutor.

I think you can expect this to be used far more broadly if this is allowed. If I were a prosecutor I'd probably abuse the power too as yet another lever to use to get my way.


What? It happens all the time on regular criminal cases. Movies didn't invent "informants".

Immunity can mean being convicted for lesser offenses, or negotiating a less than maximal punishment.


Then charge him for it. This is such an insane precedent to set, I cannot believe anyone is OK with this like we don't have a long and proud history of railroading people we disagree with for any number of stupid reasons.


This is an interesting contrast to the article reported this past week about Nigel Lang, a black man in the UK who was accused of having or sharing child porn because of an extra digit added to an IP address during investigations[1].

One relevant section from the apology/explanation letter: "The issues around the downloading of IIOC [indecent images of children] are that statistically out of a cohort of offenders, the predominant characteristic is that the offence will be committed in the main by white males. Only a very small percentage will be black, around 3%, and only around 2% will be female. Consequently, any arrests that are made for this offence will revolve around the male in the address as the starting point for the investigation."

Notably Rawls (the man indefinitely jailed) is black.

[1] https://www.buzzfeed.com/matthewchampion/this-mans-life-was-...


Please note that his sister testified against him:

> As part of their investigation, the Delaware County law enforcement officers also interviewed Doe’s sister, who had lived with Doe during 2015. She related that Doe had shown her hundreds of images of child pornography on the encrypted external hard drives. She told the investigators that the external hard drives included “videos of children who were nude and engaged in sex acts with other children.”

There's no racial conspiracy here, the guy is just a disgusting paedophile.


> The issues around the downloading of IIOC [indecent images of children] are that statistically out of a cohort of offenders, the predominant characteristic is that the offence will be committed in the main by white males. Only a very small percentage will be black, around 3%, and only around 2% will be female.

That's quite a remarkable statistic. I wonder why.


Black people constitute around 3% of UK population.

https://en.wikipedia.org/wiki/Black_British


Fewer black people for one.


US is like 12% black, no (and 50% female)? Doesn't explain the discrepancy.


The quote is from a UK report


In that case it lines up exactly


It's nice to see white folks be the victims of racial profiling once in a while.


Is racial profiling ever truly nice to see?


Almost like they chose this particular topic to set a precedent...


Or, this is a case in which a defendant had a non-foreign-government reason to accept whatever consequences come from not cooperating (thus not having political machinations at work) and it's a case with real human harm that makes it worth pursuing for the prosecutor.


It goes to show that regardless of what protection encryption theoretically provides, security is only as good as the weakest link in the chain. Torture in some fashion is _always_ an option to force decryption.

The same goes for constitutional protections. The more time goes on, the more constitutional protections will be attacked and minimized.

The fact that a child pornography case is being used to break encryption via the courts should come as no surprise. Emotion is being used to broaden the power of the courts.


It's my understanding that, while one is obligated to comply with a warrant granting police access to places or materials in one's control, one cannot be compelled to aid them in their search or understanding. In other words, if presented with a warrant, a person would be required to grant access to a home or to hand over an accounting ledger, but the Fifth Amendment protects against being compelled to tell police where in the home drugs are hidden or which line items in the ledger contain embezzlement. A warrant grants the police the right to search, but not the right to find.

With that in mind, here's a thought exercise:

Let's say that I'm caught on camera signing a document with a man who later kills my business partner. The camera then records me going into my warehouse with the document and emerging later without it. The police, believing that I arranged the murder and that the proof is in the document, duly obtain a warrant to search the warehouse.

The warehouse is large and when the police enter, they find it is stacked floor to ceiling with sheets of paper, all indistinguishable except for their contents. They estimate the number of pages to be in the billions -- far too many for them to feasibly comb through.

If I understand the right against self incrimination correctly, I can't be forced to tell the police where I hid the specific piece of paper they're looking for.

Why is this different from finding a password? Assume we use a 43 character password (since the encryption key is AES 256, a password longer than 43 characters wouldn't add additional security). If this is the case, approximately 1.01e86 - 1 passwords effectively yield a garbage document, and 1 password produces the document the police are looking for. If one can't be compelled to help the police find the solution in a physical search space, why can one be compelled to help find one in a digital search space?


It seems like the law is kind of ambiguous on this (https://en.wikipedia.org/wiki/TrueCrypt#United_States_v._Joh...), unless my interpretation is completely flawed. I wonder if this will have to go to the Supreme Court at some point.


In this case, the 3rd circuit applied the same standard as the 11th (the government can compel decryption if they know what is on the drive), so it doesn't yet create a circuit split.

However, they don't decide that that is the right standard. In a footnote they suggest that the correct standard would be more lax (the government can compel decryption if they know the person knows the password). So if a case comes up where they rule that way, it would create a circuit split and lead the supreme court to take the case.

Orin Kerr writes a column about it here: https://www.washingtonpost.com/news/volokh-conspiracy/wp/201...


The scary part is that someone can be jailed indefinitely. I had no idea that was legally possible.[1] But it's CP so it's an easy sell.

[1] https://en.wikipedia.org/wiki/Indefinite_imprisonment


After 18 months in jail, can't the accused legitimately say that he forgot his password? I don't know if I would remember a relatively complex password if I were stuck in a jail cell for 18 months with no computer or ability to type it in every few days.


This reminds me that I need to wipe the drive I was using to test Bitlocker, as I typed in a random password and have long since forgotten it. I can only imagine the Kafkaesque horror of being imprisoned until I decrypt it, spending decades trying to brute force it.


Although most of the comments here have to do with legality, I am more concerned with the technical aspect. The prosecutors say they know that he has porn because the hash values they obtained are identical to the hash values of porn images.

Are hash collisions not a consideration? Can hash values be as incriminating as direct evidence?

Is it possible to take a hash of a benign image (kitten?) and encrypt it with an algorithm that gives a result which is identical to an unencrypted hash value of a pornographic image?


I'm wondering how they obtained the hashes. You can't hash images on an encrypted drive. How are they able to obtain a hash of an image without actually having the image? Were the hash values from what he has downloaded stored somewhere?


> Are hash collisions not a consideration?

His defence team would be hopelessly incompetent if they didn't mention that if it was a realistic possibility.


I'm surprised he hasn't argued there's evidence of a different crime on the disk(s), as a reason why he is refusing under the Fifth.

Edit: Thanks for the downvotes :)


They'd offer him immunity on the "different crime", then he'd have no defence.


That would work? Not a lawyer or American so

(Thanks for the upvotes, and pmyteh for replying)


What happens if this guy just claims that he forgets the password and sticks to his story? Will he be effectively imprisoned for life, whether true or not?


If they imprisoned him in a way which is later seen as unlawful, he can get a huge payout. Why not just stick to your guns and get $1m+ for sleeping in bed and doing a few push-ups?


"The fact remains that the government has not brought charges," Donoghue said in a telephone interview. "Our client has now been in custody for almost 18 months based on his assertion of his Fifth Amendment right against compelled self-incrimination."

This should be simple, either they have enough to charge him or not.


If they've got the evidence, legitimately charge him then? If it's sufficient, let a jury of his peers convict him then.

How is this any more complicated than that, no matter how you frame it? We have laws as a check and balance system for a reason, apparently the US courts are slowly forgetting it or something...


Is there a charitable interpretation of this that I'm not seeing? Or is this truly as terrifying as it appears?


Heads up that the source goes into some detail and is a miserable, sickening read.

Per the source (https://cdn.arstechnica.net/wp-content/uploads/2017/02/fedsr...), the prosecutors already have a case based on checksums of the media that the defendant had downloaded, and per the logs, stored on his external hard drive. I imagine that the prosecution wants the media so they can perform harm reduction services for the identified, affected children and/or improve their data for going after other/future child abusers.


But harm reduction and improving data for other cases is not the intended use of warrants and contempt of court, or is it?


No, and thanks for catching that.

My understanding is that the prosecution doesn't need the decrypted data to secure a guilty verdict, but as they're entitled to it, they likely want it for secondary benefit.


Nope. If this becomes widespread precedent, encryption is no longer viable in the US.


I think we’re about to see an increase in interest in deniable encryption.

A simple solution is to have your encryption software automatically add a large garbage file inside every encrypted volume. When you have something to hide, replace the garbage file with your new encrypted data.

This lets you nest your encryption to arbitrary depth, allowing plenty of room for plausible deniability. E.g. you could put your financial records at the first level, pictures from an erotic crossdressing forum at the second level, and the stuff you’re ACTUALLY hiding at the third level.


That's an interesting idea. But it arguably wouldn't have helped Mr. Rawls. Investigators claimed to know what they sought, so they'd still argue that he was holding out.

Maybe it's safer to keep encrypted stuff anonymously in cloud storage. Mr. Rawls could have run his Freenet node on an anonymously-leased VPS, used Tor onion services for the various WebGUIs, and accessed it all via Tails. There would have been nothing local to go after.


Rawls’ is an odd case. If the reports are accurate, he seems to have believed that a strong password on his hard drive gave him legal immunity, and didn’t really try to conceal what he was doing.

Nonetheless, a line has been crossed, and cyber-libertarians have been predicting this breach for as long as I can remember. There’s nothing cyber-libertarians love more than a technical solution to state oppression.


Well, he was using Freenet without obscuring his IP address. That's pretty much not "really try[ing] to conceal what he was doing". But that's what Freenet devs have recommended, crooning of "plausible deniability".


Quite a minefield of legal issues. Indefinite detention pretty much seems like an abuse of the court's power to find people in contempt. He should get charged with a real crime like obstructing justice and serve a sentence for it, if they have the evidence for that, but this is absurd.


They are doing the same inquisidores did, they are torturing someone to confess (in this case decrypt)


Can you refuse a search warrant? My understanding (albeit limited) is that you can't, if it's been signed by the proper legal authority. Is refusing to unlock the HDD the same as refusing to unlock a room, when presented with a lawful warrant? I would think so.


This raises an interesting idea: why not create two passwords for encrypted drives, one password decrypts the drive, another password completely wipes the drive. This way if someone is forced to give a password to decrypt something, that password renders the data moot.

Thoughts?


Here's mine: destruction of evidence is a crime.

Probably not the best idea.

Hiding the partition or otherwise making the encrypted data hidden is probably your only bet.


Which would you rather go down for: destruction of evidence, or what's in your hard drive? I'm asking a technical question, not a legal one. There are many instances where this would be preferable than giving up the data.


If someone released such a tool, the feds would make sure to clone your hard drive before supplying the password to it, or write a patched version of the tool that reads it to remove the disk wiping call.

And then you'd be in really hot water.


I expect cloning to already be standard forensic procedure, but perhaps I'm wrong. If not, it should be.


yep. Work on the copy, or the copy of the copy in my case. It's digital with a hash, not a vhs tape


Ah cloning, very good point. So that raises a new question: Is there any way to prevent decryption of a drive, when the password is forcibly obtained?


An interesting talk on disk antiforensics: https://www.youtube.com/watch?v=qZtkANvDxZA

Of course, having watched this, the feds might look for such tricks...


That's why you say "There is nothing on that drive! Here you can have the password."


An actual forensics investigator will not work on a single copy of any data -- they'll make a bit-for-bit image of the hard drive in question and just work with an image.


I've thought of this but it usually takes some time to overwrite a lot of data. I'm not savvy enough to know if there's a way to nuke the data that quickly, other than non-software methods.

A friend of mine used to keep a massive electromagnet in his PC tower, that would theoretically wipe the hard drives when switched on. We never tried it. (He wasn't dealing in CP, just pirating mass quantities of movies and music).


FDE best practices are to encrypt the entire drive with a random key, and encrypt that random key with a derived key (key-encrypting key, or KEK) based on password. You don't have to nuke the whole drive; just the sector with the KEK-encrypted drive key.
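
The key hierarchy described in the comment above, together with the header-overwrite and cloned-image points raised elsewhere in this thread, as an added sketch (not from any commenter or any real disk-encryption tool). The XOR/HMAC wrapping is a standard-library stand-in for a real authenticated cipher, and the function names, passwords and iteration count are constructed for the example.

```python
import copy
import hashlib
import hmac
import os

ITERATIONS = 100_000  # constructed demo value, not a recommendation

def derive_kek(password, salt):
    """Key-encrypting key: derived from the password, never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _pad(kek, salt):
    return hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()

def _tag(kek, salt, wrapped):
    return hmac.new(kek, b"tag" + salt + wrapped, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_header(password, dek):
    """Header = salt || wrapped drive key || integrity tag (80 bytes)."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    wrapped = xor(dek, _pad(kek, salt))
    return salt + wrapped + _tag(kek, salt, wrapped)

def unlock(header, password):
    """Return the drive key, or None if the password or header is wrong."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:80]
    kek = derive_kek(password, salt)
    if not hmac.compare_digest(tag, _tag(kek, salt, wrapped)):
        return None
    return xor(wrapped, _pad(kek, salt))

def crypt_sector(dek, sector_no, data):
    """Toy stream cipher keyed by the drive key; same call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = sector_no.to_bytes(8, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(dek, block, hashlib.sha256).digest()
        counter += 1
    return xor(data, stream)

def create_volume(password, plaintext_sectors):
    dek = os.urandom(32)  # random drive key, independent of the password
    return {"header": make_header(password, dek),
            "sectors": [crypt_sector(dek, i, s)
                        for i, s in enumerate(plaintext_sectors)]}

def read_volume(vol, password):
    dek = unlock(vol["header"], password)
    if dek is None:
        return None
    return [crypt_sector(dek, i, s) for i, s in enumerate(vol["sectors"])]

def change_password(vol, old, new):
    dek = unlock(vol["header"], old)
    if dek is None:
        raise ValueError("wrong password")
    vol["header"] = make_header(new, dek)  # only 80 bytes are rewritten

def crypto_erase(vol):
    """Overwrite the header with random bytes; the sectors are left as they are."""
    vol["header"] = os.urandom(len(vol["header"]))

def demo():
    data = [b"constructed sector 0", b"constructed sector 1"]
    vol = create_volume("correct horse", data)
    sectors_before = list(vol["sectors"])
    change_password(vol, "correct horse", "battery staple")
    image = copy.deepcopy(vol)  # bit-for-bit image taken before the erase
    crypto_erase(vol)
    return {
        "rekey_left_sectors_untouched": vol["sectors"] == sectors_before,
        "erased_with_right_password": read_volume(vol, "battery staple"),
        "erased_with_wrong_password": read_volume(vol, "guess"),
        "image_with_right_password": read_volume(image, "battery staple"),
        "old_password_on_image": read_volume(image, "correct horse"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

After the header is overwritten, the right password and a wrong one fail identically, while an image made beforehand still opens with the password that was current when it was taken.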


Thanks, that helps me understand.


I think a better idea would be have it change the password/wipe data in the event that you do not log in within X amount of time (Think Lost). Keep your mouth shut for X time and there is nothing you can do to help them.

Speaking out my ass (IANAL) this is a deadman meant to protect against any attacker not necessarily law enforcement, this might be enough to keep you away from destruction of evidence charges.


You would need something more sophisticated that produced innocuous, but believable, data when given the distress key. Still criminal though.


Or easier to implement, something that accepts the distress key, says it is starting to decrypt, then spews tons of fatal checksum errors, "corrupted block", and so forth.


If they already know it's on there, then isn't that enough to build the case and just try him as is?


The sad part is he has provided the password, but it's "fuckoffI'llnevertell"


and this is why the software you use to encrypt hard drives should support plausible deniability. You give away the (other) password and the decrypted drive contains nothing but cat pictures.


The problem with that is, that prosecutors will then assume, that there still might be naughty stuff hidden. With hidden volume cryptography it's impossible to prove that one presented keys to the entirety of encrypted data.

From an information theory point of view, if each and every available bit was used it could be proven that the total entropy of the cleartext sums up to the total entropy of the ciphertext. In practice the amount of cleartext entropy will always be significantly lower than the entropy of the ciphertext.


This. This is actually a good solution. Not cat pictures though, it would need to be something at least shameful, maybe even lightly criminal. This would work as an alibi for why you are encrypting the drive.


Or deeply personal like a journal.


On the third failed try, it should re-encrypt the drive with a random key.


Will it also re-encrypt the backup image the LEO made?


Quantum crypto. Spooky encryption at a distance.


Or, you know, just be a decent person and don't download huge swathes of child pornography.

To be honest, it's quite disgusting that you're most concerned with how to hide such horrendous material.


I highly doubt the parent poster was in any way contemplating how to hide child pornography, that is quite an unfair interpretation. Hiding illegal material is probably the least of concerns for most people here, but there are plenty others, I've written a few of them below.

One issue out of many is that many who have worked with and used computers for decades have encrypted drives or volumes in a drawer or closet which they have forgotten the password to, and could in a very theoretical sense be held in contempt if they were to be prosecuted for something and the prosecutor for some reason got a warrant for that drive.

Another is that, according to what I have read, the prosecution appears to have enough to convict, so maybe setting a precedent that could be - but not necessarily is - dangerous to society might not be warranted here.

Yet another is that lots of people feel that it is their right and liberty to be able to store their personal information where it is safe from anyone's eyes, even when it is completely legal. The inability to keep the private private feels like having a camera in your bedroom that you have been promised will never be turned on to film you, but the blinking red LED causes a relenting unease prompting you to wear pyjamas to bed, even though you really like to sleep naked. This is called a chilling effect, where knowledge of surveillance or that someone can probe your most private writings and pictures causes you to not write and make those images in the first place.

Every crime is a tragedy, but nothing creates more tragedy than legal systems or governments run amok. History teaches us that no government is safe from becoming a tyrant. This is why law enforcement sadly must always be ineffective, as the power wielded by government through law enforcement would otherwise become far too great. This is more important today than it has ever been because today we could probably implement an almost perfect police state, a perfect prison, the perfect nightmare from where there is no return. A place where no revolution is possible, no dissent is ever visible, and the fear is total and all encompassing.


The problem with privacy extremists is that they are ruining the ideal of justice with their hardline stance on keeping things secret from the authorities. In effect, this stance is just pandering to child abusers, terrorists, etc. while offering very little positive to society in return. Everyone needs some level of personal transparency to the rest of society, for the collective good of society.


Is this another case of "encryption works"?!


what if there was a password to decrypt the drive into rick astley on a loop?


What would happen if he lobotomized (carefully and mildly) himself, and legitimately could not remember his encryption keys/pw nor the reason he performed lobotomy?


We detached this subthread from https://news.ycombinator.com/item?id=13920677 and marked it off-topic.


Or very carefully shot himself in the heart?


Surely this layman knows enough about the brain to know how to lobotomize himself such that he forgets his passwords, but not such that he forgets how to perform a self-lobotomy!


That's easy, just snip the blue neurons. Or was it the red ones? No, definitely blue. (Snips red neuron.)


[flagged]


We've banned this account for posting unsubstantive comments and ignoring our request to stop.


The Zaphod Beeblebrox strategy!


Okay now, what if my password is the hash of a CP Picture, then there would be no way for me to offer that password without committing a crime in the first place. So in that case you would be safe. Or when the password would be some file that could incriminate me



