Hacker News new | past | comments | ask | show | jobs | submit login
Court rules that people can't be locked up indefinitely for refusing to decrypt (techdirt.com)
449 points by danso 7 days ago | hide | past | web | favorite | 172 comments

> The Fifth Amendment gives witnesses a right not to testify against themselves. Rawls argued that producing a password for the hard drives would amount to an admission that he owned the hard drives. But the 3rd Circuit rejected that argument. It held that the government already had ample evidence that Rawls owned the hard drives and knew the passwords required to decrypt them. So ordering Rawls to decrypt the drives wouldn't give the government any information it didn't already have. Of course, the contents of the hard drive might incriminate Rawls, but the contents of the hard drive are not considered testimony for Fifth Amendment purposes.

It sounds like this ruling is more against indefinite detention than a ruling that allows you to invoke the 5th before handing over your passwords. The quoted text above [1] tells me that the courts have thus far not recognized any right to keep your data encrypted against the wishes of law enforcement. Maybe it means they can only lock you up for 18 months, but I don't see how this changes things appreciably. I guess if the crime you're accused of carries a sentence worse than 18 months, it might be worthwhile, but who knows...

[1] https://arstechnica.com/tech-policy/2020/02/man-who-refused-...

> Rawls argued that producing a password for the hard drives would amount to an admission that he owned the hard drives. But the 3rd Circuit rejected that argument. It held that the government already had ample evidence that Rawls owned the hard drives and knew the passwords required to decrypt them. So ordering Rawls to decrypt the drives wouldn't give the government any information it didn't already have. Of course, the contents of the hard drive might incriminate Rawls, but the contents of the hard drive are not considered testimony for Fifth Amendment purposes.

This would seem to imply that if the government has ample evidence that you murdered someone, they can require you to admit to it in court.

They can't require you to personally admit to it, but if they know about a notebook where you wrote it they can require you to give up the notebook. (The rule makes more sense if you think about it in terms of financial crimes; it'd be hard to ever prosecute someone for fraud if they didn't have to give up their books.)

Using the same logic, they could subpoena the grave that the body is buried in as the existence of such grave is a forgone conclusion (a shovel and dirt found in the car, a hole in the ground must exist) and thus would not be a testimony. The accused in that case is also a witness in that they witnessed the grave where the body rest. If they lead the police to a different hole then analyze of the dirt can prove contempt of the court.

The rule make very little sense. I would not bet in favor of it continuing for long. The whole idea that the prosecutor is only asking for the container and not the content was extremity transparent to begin with, and judges who have rejected that argument have said just that. In that case the conclusion the judges made is that a request for the container (ie the unencrypted device) is the same as a request for the information itself, and thus should be seen as such.

There's no pretense that the prosecutor isn't asking for the content. Of course they are. It's just not a Fifth Amendment violation for the government to look at content you've written, even if that content incriminates you.

Asking an accused to provide that content directly is tantamount to testimony, as the Eleventh Circuit concluded. To quote: "the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files."

It all comes down to the duck test. Is the request for the decrypted container similar as asking directly for the content to be written down by the accused, or spoken about in the form of a testimony? Does it has the same purpose and the same result?

So if they already have a pretty darn good idea you murdered someone and the government asks you where the body is and you refuse to tell them and they lock you up then that's not a 5th amendment violation?

In the hard drive case and the hypothetical body location case the government is trying to compel speech that directly leads to incriminating evidence. That seems like a solidly 5th amendment issue to me.

> The rule makes more sense if you think about it in terms of financial crimes; it'd be hard to ever prosecute someone for fraud if they didn't have to give up their books.

I don't think these two situations are the same. When you run a business there are legal requirements to retain data, and provide that data when audited. The police telling you to tell them were you placed a notebook doesn't seem like an equivalent situation. And how can the police prove you wrong if you say you forgot where you placed it? In fact this is what the defendant alleges:

> A judge ordered Rawls to decrypt the hard drives. In its recent ruling, the 3rd Circuit Court of Appeals described what happened next. Rawls "stated that he could not remember the passwords necessary to decrypt the hard drives and entered several incorrect passwords during the forensic examination."


> And how can the police prove you wrong if you say you forgot where you placed it?

By producing other evidence that suggests that you’re lying (eg. metadata or witnesses suggesting that you recently entered the correct password). In this case the judge had to reject Rawls’ claim of lost memory in order to find him in contempt. Maybe the judge’s finding of fact was wrong, but that’s not what the case is about now.

> By producing other evidence that suggests that you’re lying (eg. metadata or witnesses suggesting that you recently entered the correct password).

People have forgotten passwords in a matter of minutes in some cases. Not to mention, this guy has been held in prison for 4 years. Plenty of time to forget a password. Forget the password to an encrypted drive is a life sentence?

What if you don't give up your books that you're legally required to keep? What happens? How did they get them?

My point is a company handing over books is not the same situation as the police commanding you to tell them where you put a journal. A company's financial records are something they are specifically required to keep and provide by law. If they don't have their books in their possession then they're in violation of the law. The government doesn't even need any suspicion, any company can be audited.

The GP's point was that, if the bar for the 5th amendment is that you may be required to provide testify against yourself as long as the government already knows the piece you are required to testify about, it's not clear how that wouldn't apply to you being required to admit your guilt when the government has sufficient evidence that you are guilty.

I'd also note that giving the government your books is required by financial laws as a condition do being allowed to do business, it's not testimony or your general obligation of cooperating with an investigation.

Generally speaking, any non-testimonial evidence entered into court must be backed by a witness testifying to the nature, content (e.g. literally reciting the incriminating parts), and origins of the evidence. And that person has to have had a proper relationship to the evidence to do so, which is usually the person with the most direct and close relationship to an item or act. For example, if you want to enter verbal statements into evidence, the best and proper person to testify to them is usually the person who made the statement, not a listener.

Another way to look at it is that the only real evidence in court is witness testimony; everything else is just window dressing. Thus we have the Fifth Amendment: "[no person] shall be compelled in any criminal case to be a witness against himself."

How does that get turned into a rule that a defendant can't be forced to divulge information outside court? Because to be admissible in court such information would normally require the defendant to be a witness. If it's not admissible then there's no legitimate basis for the state to compel an act. That leads to two corollaries: 1) if the person isn't a defendant, or is given immunity, he would never be required to be a witness against himself (just a witness against someone else), and thus the Fifth Amendment isn't implicated; 2) if the evidence obtained from the information would be admissible without the defendant's testimony, the Fifth Amendment likewise isn't implicated.

#2 is the case here. Because the government can already show ownership of the hard drives through other witness testimony (e.g. testimony of a relative, purchase receipts, etc), it would be categorically unnecessary for the defendant to testify in court to the incriminating act of divulging the password. However, if for some reason it later turned out that the government couldn't show ownership independently, then of course the hard drives would be inadmissible; not because of the forced password disclosure, per se, but simply because the defendant himself couldn't be compelled to be a witness to his act of divulging the password--an investigator couldn't testify that the defendant disclosed the password as that would be hearsay.[1] But such a turnaround is rare as a court won't compel disclosure unless it's clear there's ample independent and admissible evidence of ownership.

[1] There are lots of exclusions and exceptions to hearsay, especially regarding defendant admissions, but they're disallowed if they would effectively nullify the spirit of the Fifth Amendment if permitted for compelled acts. If you're a strict textualist, as most conservative-leaning people believe themselves to be, then one would presumably be okay with permitting those exceptions, particularly those exceptions which existed at the time of ratification of the Fifth Amendment.

I have a very strong suspicion that most of the Circuit courts are not going to follow this analysis. Based on the continual erosion of individual applicability of the 4-6 amendments, I would say the more like argument and opinions will focus on distinguishing these types of cases (forced decryption) from testimonial precedent. They will then proceed to, or try to, align the context with the clearly allowable compelling of DNA, fingerprints, physical appearance and other visual identifiers.

I don’t particularly like that train of thought, but given (for example) the higher court’s willingness for the sentence “I want a lawyer, dawg” to be a request for canine companionship and not one asserting a 6th amendment right to counsel, I don’t think I’m wrong.

Maybe I'm misunderstanding you, but my analysis justifies the legitimacy of forced disclosure, at least in similar situations [EDIT: as I assumed]. And that's exactly why I agree with you that eventually the rule will be firmly established that forced disclosure of passwords is lawful.

I think some courts have been squeamish about forced disclosure, sometimes because they hold a more liberal interpretation of the Fifth Amendment that relies on broader principles, sometimes because the situation is often far more complex and uncertain (if not completely incomparable to the hypothetical context I relied on) and they rightly err on the side of protecting the defendant's rights.

In this [EDIT: hypothetical] case I believe this analysis is the correct one, not just because of the text but also the purpose and history of the Fifth Amendment. It's not the proper vehicle to push other principles and legal theories that would restrict such forced disclosure. I lean rather liberal when it comes to constitutional interpretation, but at the same time rights built on sand aren't rights you can rely on. The law in this area seems muddy and precarious precisely because the liberal narrative is too incoherent. (Note: The liberal narrative in this case--that forced disclosure of a password is categorically barred, notwithstanding the intricacies of the rules of evidence--isn't politically partisan. Thus my subtle dig at contemporary conservative constitutional interpretation, which is often incoherent itself.)

EDIT: To be clear, in the case discussed in the article almost everything is more complicated than the simple hypothetical. I was responding at a point in this thread where the discussion already had become abstract.

I think we are agreeing on the end result, I was just suggesting that I don’t think the courts are going to be keen delve into 5th amendment intricacies and how speech may be compelled. I was just offering what I think will be the path of least resistance in the opinions in this area. I think your argument and reasoning is sound, I just think the courts are going to dodge any discussion of that by deciding prematurely that this area is like DNA(in the context of forced blood draws) and just rule, punting on the reasoning you put forward.

An unecessary personal detail: I wouldn’t describe myself as leaning liberal on constitutional interpretation (although all my Writs would lead one to assume I am firmly in favor of it), I certainly see myself as a die hard centrist in this area.

This doesn’t sound right to me. As you point out, admissions are an exception to the hearsay rule. They are routinely admitted as evidence in cases where the defendant later retracts the admission and pleads not guilty. There is no Fifth Amendment violation or calling of the defendant as a witness for the prosecution.

I have never seen any authority for the view that the Fifth Amendment was intended literally to prevent the accused from being called as a prosecution witness at trial, as opposed to creating a general privilege against self-incrimination. For example, in Brown v. Walker (1896) [1], an early Fifth Amendment case, the Supreme Court said:

> the States, with one accord, made a denial of the right to question an accused person a part of their fundamental law, so that a maxim which, in England, was a mere rule of evidence became clothed in this country with the impregnability of a constitutional enactment.

[1]: https://supreme.justia.com/cases/federal/us/161/591/

> it'd be hard to ever prosecute someone for fraud if they didn't have to give up their books.

I'm pretty sure it's relatively simple for police to break into offices and take financial records. I would imagine it happens relatively often, because simply asking a suspect to give up their books seems more likely to result in them attempting to hide or destroy their books.

The reason police and prosecutors don't like encryption is because they can't use violence to acquire what they want, at least directly. They need new (or at least specifically-clarified) laws about what they can do to you to make you decrypt your data.

I would say that police use ‘violence’ to acquire what they want all the time and the de-encryption of data is potentially no different. It would be a foolish mistake to ignore the State’s monopoly on force. While there is certainly a difference between the threat of violence and the application of violence, it is more the general ability of the State to utilize force for those aims society has agreed are within the State’s remit. While it may not be ‘violence’ per se, detention and deprivation of freedom are certainly applications of force and said detention is often preceded by actual violence to secure an individual for that detention. I am certain that periods of detention are enough to make a decent percentage of even the most principled individuals turn over their data. It is clear game theory, if I can be held for multiple rounds of incarcerations while keeping the data, but I can reasonably expect some determinate sentence from something in the data, is the trade-off worth it? Law enforcement doesn’t need the clarity of law, individuals need clarity of law to restrict those officers.

It's called rubber hose cryptanalysis for a reason. Holding you in prison at all (let alone indefinitely) requires violence. Violence is applied to get the defendant to reveal their decryption keys.

> attempting to hide or destroy their books

This is precisely why "Obstruction of Justice" is a criminal offense with severe penalties available. The question then becomes: is deliberately encrypting and refusing to provide access to those books obstruction?

I know the folks here would argue otherwise, but IMHO it's not at all a clear argument legally. The original reasoning behind the fifth amendment was that without that protection the government would be tempted to use coercive tactics to induce a false confession. It's designed to prevent the torture of accused witches, not to be a literal get-out-of-jail-free card for crypto nuts.

> is deliberately encrypting and refusing to provide access to those books obstruction?

Since email deletion policies aren't obstruction until you're told to suspend them, there's no way an encryption policy is obstruction.

> to be a literal get-out-of-jail-free card for crypto nuts

Pff. It's not like simply not writing things down is a get out of jail free card.

To not encrypt your books for a business would be negligence; I assume you leave all your valuable information as clear text for the convenience of future investigations?

I wrote "is deliberately encrypting and refusing to provide access to those books obstruction?". And again, I don't think that argument is anywhere near as clear cut as you want it to be. The fifth amendment, again, is intended to prevent torture, not to prevent the collection of evidence in a criminal investigation.

So technicalities like you're invoking (is refusing to do something "obstruction" or not?) need to be balanced against technicalities on the other side (is providing a decryption key "testimony"?). And when courts have had to make decisions like this they've almost always done it by splitting the difference in some way instead of finding an absolute interpretation on one side or the other.

Oh, after the fact? I would agree that is definitely obstruction. Before the fact - maybe for business, but not for personal. 5th amendment is to protect against forcing someone to provide evidence against themselves whether that is through torture or coercion, it does not matter.

But again you face the technicality: is providing access to already-existing documents "testimony" in the sense the fifth amendment intends? You can't torture someone into producing documents that don't exist, obviously! Nor is going to jail for obstruction of justice "coercion", effectively by definition.

I'm not saying I disagree with you in principle, I'm saying that very reasonable courts might not. This isn't a cut and dry argument, at all.

> I'm pretty sure it's relatively simple for police to break into offices and take financial records. I would imagine it happens relatively often, because simply asking a suspect to give up their books seems more likely to result in them attempting to hide or destroy their books.

No, this requires a warrant in the US for it to be lawfully used as evidence.

It's worth noting that the defendant in question was told to unencrypt the devices by the courts, which is pretty much in effect the same thing as a warrant, so it's not as if the government was torturing him to decrypt the data; the court had already decided it was material evidence in a case.

This is encryption we are talking about. The government is asking the suspect to find one key in a vast key space. So the actual question would be; can the government force the suspect to find the notebook for them if the only thing the government can prove is that the notebook exists some place where the suspect has deliberately hidden it?

but if they know about a notebook where you wrote it they can require you to give up the notebook

But if you wrote in a made-up language that only you know, can they force you to translate it?

How would you know the translation was accurate if it was done?

Good question, similarly how do you know the right encryption key was given, maybe there's a hidden volume that you can only see if you have the right key.

How do they know you didn't lose or destroy the notebook?

Which of course is not how justice works, at least in USA. Here you are innocent until proven otherwise. Mere decline to produce a notebook (with or without evidence of crime in it) is in no way shape or form an admission of guilt or a proof of itself good enough to find you guilty. Look no further than the most important case of modern history - impeachment of Donald J. Trump. During Senate hearing Mr. Trump’s lawyers argued how important it is to forbid judges and juries from finding someone guilty merely on fact they invoked their fifth ammandment right. At the end Mr. Trump was acquitted in part based on this defense. And what’s good for a President of the country that is a beacon of justice and freedom, cannot be less good for an average Joe Doe.

As a semi-counter-point: 1) the argument, made by every criminal defense attorney in trial ever, that a jury can not infer anything from a defendant’s exercise of his/her 5th amendment right to remain silent is basically pointless. Juries, and individual jurors in the vast majority, do not buy it, they don’t accept it as the law in their minds, and they certainly factor it into deliberations;

I in no way want the following to appear that I have an opinion as to anything regarding Trump’s anything, but

2) Trump was acquitted because of the way the US impeachment process is set up, if I am sure of anything, it is the fact that no votes to acquit where based in any way on Seklow’s arguments about presumption based on the 5th amendment.

Politicans who found Mr. Trump not guilty have stated its in part because of lack of evidence otherwise. Everyone welcome to keep downvoting, but I will remain certain in USA you are innocent until proven guilty. You don’t have to prove your innocence. And many cases - even the big ones like Casey Anthony, OJ, Zimmerman, now Weinstein - prove that fifth amandment works.

You are not innocent until proven guilty; you are presumed innocent until proven guilty beyond a reasonable doubt. You are guilty, or you are innocent, from the beginning; only, we admit uncertainty in the presence of reasonable doubt, which evidence and argument need erode to prove guilt.

I'm afraid it's not quite so absolute. Consider a murder case in which the defendant admits to killing a person, but pleads self defense. It is certainly a fact that he killed the person, but whether it was self defense or not (i.e., whether he is guilty or innocent) depends entirely on the interpretation of the law and the events that occurred. Absent a finding of law, his guilt or innocence simply can't be established. If we hold the presumption of innocence and the absolute idea that he either is guilty or not, then we would have to conclude he is innocent, rather than taking the more rational view that we simply don't know.

Impeachment isn't a criminal trial.

While this is true, there is no dispositive ruling on the totality of criminal procedural law as it applies to impeachment. The 1936 impeachment of Judge Ritter was the first point a defendant in an impeachment trial appealed to a court to assert his procedural/constitutional rights had been denied by the Senate. It is clear there are procedural requirements the Senate must honor, but the full extent is not clearly defined. For a decent review of the area as it stood in 1993, prior to the Clinton trial, see [0].

0 —> https://digitalcommons.law.umaryland.edu/cgi/viewcontent.cgi...

If you're innocent, why are you taking the Fifth Amendment? The mob takes the Fifth.

This explains why an innocent person should take the fifth: https://www.youtube.com/watch?v=d-7o9xYp7eE

Taking the fifth in a courtroom is rather different than not talking to police without a lawyer.

The two are related. In practice no indictment will issue if the prosecutor doesn't think they can win without the defendant's testimony, and in practice the defendant's statements to police are used to impeach them at trial (because the hearsay rule allows that hearsay) and thus make a part of the case just as much as if they made those statements in court, in the witness box. No case -> no trial, no trial -> definitely no testimony.

Watch that video. Then watch it again. Schedule a yearly watching or three.

> If you're innocent, why are you taking the Fifth Amendment?

Because innocent people do get wrongly convicted. If you don't want to be that innocent person, you might have to assert your rights, including your Fifth Amendment rights.

Note that the Fifth Amendment does not say that you can't be forced to incriminate yourself, as many TV courtroom dramas wrongly imply. Statements like "the mob takes the Fifth" are based on that kind of incorrect reading of the Amendment.

The Fifth Amendment actually says that you can't be forced to be a witness against yourself. A witness can provide testimony that looks incriminating even if the defendant is actually innocent, and such testimony can lead to an innocent person being wrongly convicted. The Fifth Amendment is there to help reduce the chances of that happening.

Thanks for taking time to answer properly, and I agree wholeheartedly.

My post was above was a bit naughty, as I was quoting the current president (in response to a post discussing his recent impeachment) without revealing that it was a quotation.

Because anything you say may be used AGAINST you in the court of law. Nothing you say can be used to help you.

It was a little underhanded of me to write that without quotation marks, but the words I posted above were famously uttered by the current President in 2016, when criticizing someone else for relying on the 5th amendment. My point is that his idea of justice is actually extremely variable depending on what benefits him at any given time.

> This would seem to imply that if the government has ample evidence that you murdered someone, they can require you to admit to it in court.

They can require you to tell them where the body is if you “encrypted” its location (i.e. buried it somewhere)

More that if they know you wrote down where the body is, they could require you to produce that piece of paper.

It's more like they can make you open a safe. It's too bad for you if you kept someone's head in that safe.

No, it's not more like making you open a safe.

Telling someone the encryption key is being compelled to act as a witness against yourself, which the 5th amendment provides protection against (if used).

No it's not. The information you provide (the password) is not admitted as evidence in the trial. It's more like being compelled to act as a confidential informant against yourself.

There's no prospect of this being used to bring about a wrongful conviction through coercing a confession.

If the key is not evidence then how can they prove that they got the incriminating files from the encrypted drive?

A forensic scientist would testify that they extracted the files from there.

It is exactly the same as when a confidential source gives up an address (for example) the source never gets into evidence.

The whole point of strong encryption is to prevent adversaries (including forensic scientists) from extracting any information without possession of the key.

If the key involves a password that you, a human, have memorized in your squishy pink organ, it's privileged under the Fifth Amendment. (This hasn't been tested in court yet, of course. There's no precedent to fall back on.)

Encryption is different in that all safes can be opened with physical access and a few days of expert work at most.

It's complicated - the guy claimed he forgot his password. So what does the law do at that point?

That seems like a plausible excuse. Years ago I encrypted an email archive with what I thought was an easy to remember password. But I've forgotten the password. I remember some of the password so I wrote a password cracker to try variants of that, but I still can't get in.

If the feds seized my hard drive and wanted me to decrypt that file, can they lock me up until I give up the password even if I really have forgotten it?

I suppose the judge will consider such factors as whether the drive is attached to your computer or shows signs of recent use. If your shell history shows you mounting the drive the day before arrest, that wouldn't play well.

To lock up people forever for such things is to me unthinkable. There is no established responsibility to remember you password, or keep it safe. Memory failures are not very predictable

The law often uses the "reasonable person" as a standard to measure such responsibilities. So would it make sense for a reasonable person to forget a password they typed in only yesterday (and/or perhaps many times before)?

So would it make sense for a reasonable person to forget a password they typed in only yesterday

Judging by our password reset request tickets, I can say "yes"

I've even forgotten a password just minutes after typing it. And I can't even tell you my desktop password despite typing it a dozen times a day for nearly 6 months. I once tried to give my wife the password over the phone and I couldn't do it without a keyboard to silently type on.

I think all of these are taken into account. The defendant is usually given opportunity to just type the password to decrypt the drive.

Usually only passwords are assumed to be remembered that are used many times with no sign of changing it.

Still, the defendant can claim that the whole ordeal of arrest and trial took a serious toll on his/her memory. Of course the judge might or might not believe it.

I don't think you've ever worked at a corporate help desk -- people do forget passwords, even ones they've used for months - they'll swear up and down that the AD server is wrong.

I once helped a professor decrypt a zip file by brute forcing the password (it was only 6 characters long). He swore it was his wife's name and that the file must be corrupt because he surely knows how to type her name. Turned out that it was a misspelling of her name, and he said "Oh right, I misspelled it to make it harder to guess".

I did, I forgot passwords that were long and complex too. I forgot new passwords regularly after thinking okay, now I got it.

I'm just claiming that this is how courts operate, not that it's the best thing ever and that it's infallible.

I once forgot a 4 digit pin code I had used hundreds of time. It was scary, I thought I was going insane. I had to have it reset. (What I think happened is that I inverted two of the digits.)

Exactly same thing happened to me few months ago. Similar thing not that long before that with normal password. I was afraid that my memories are starting to fail me (we have a Alzheimer disease in our family, but I'm still way too young for that). And when I was teen, I kept encrypted text files with passwords, for which I managed to forget password too. I was lucky that I still remembered most of the passwords inside and was able to reset the rest.

That depends. I don't "remember" any of my passwords because I use a software program to randomly generate them as I need them and them store them for me. Occasionally, my password manager doesn't prompt me to save this new password and by the time I realize it, my clipboard has forgotten it or I've filled it with something else.

More than once, the first thing I've done after confirming a new account via email is reset my forgotten password. Am I guilty if I didn't bother to reset it right away?

By that standard, an innocent, unreasonable person would go to jail.

It’s not contempt if you forget the password, but saying you forgot doesn’t mean the judge has to believe you.

Yes, I'm wondering about the law regulation in such cases too

The court decides whether that is true or not, just like when you kill someone but claim you were acting in self-defence.

Also worth noting that the court appears to only be saying that he can't be locked up because the government likely doesn't need the evidence to convict him. That is the stipulation under which he is getting out of jail for contempt. If the government did actually need to compel that evidence to make their case, they would be able to hold him idefinitely. Or else at least this ruling doesn't say otherwise.

I guess if the crime you're accused of carries a sentence worse than 18 months, it might be worthwhile, but who knows...

But in the US a criminal record can haunt you for decades. At job applications or housing applications. Elections. And many other bad things that haunt people for a long time. 18 months is horrible too but better then a criminal record haunting you.

Are there no legal precedents for this? I mean the non-digital equivalent must have occurred already. Somebody has some secret books, and/or information. And buries them in the desert.

Were they required to reveal the location?

but its private speech or so it can be argued that way and that is in fact protected by the US Constitution as we can say stuff in private that we may not be allowed in public spaces public speech.

My most important passphrases are very complicated, and I lose the ability to reproduce them from muscle memory (the only place they exist) after a few days of non-use. How can you prove passphrases are remembered?

They don't have to prove that you remember the passphrases. They just have to show that the encrypted devices/partitions/whatever were in your custody at the time of encryption.

Then you have to (a) show why you weren't the one to encrypt the devices or (b) make a 5th Amendment argument about why you don't have to turn over the encryption key during which time you may be incarcerated. "I forgot" is generally not a valid defense.

> "I forgot" is generally not a valid defense.

Am I the only here who had to re-install Linux after x weeks or months of uptime because the LUKS password was forgotten? It happened to me more than once.

How is it "generally not" (but sometimes yes?) a valid defense when it's a fact that people are losing their passwords?

The internet is full of messages like: "I forgot my LUKS password but remember it had the name of my dog in it" (not advising to do that btw), "Is there a way to crack my own password?"

P.S: I've got backup of all my files and configuration files, so re-installing Linux ain't a problem: theft / flood / fire / full-disk encryption password lost... I wouldn't lose anything.

Yea, makes no sense to me. I’ve forgotten many passwords for things I thought I’d never forget, including a bitcoin wallet. I can only imagine how hard it would be not using the password for months or years because law enforcement seized your device, and then having to produce it.

> "I forgot" is generally not a valid defense.

The number of times that people invoke "I don't recall" while giving testimony under oath says otherwise.

When they start applying these standards to politicians, then I'll be ok with it trickling down the people.

It's really a different situation. The ruling party is basically above the law in the US, thanks to presidential pardons and control of the impeachment process.

Sure. It's a false hypothesis, so it will never happen, and I can consistently say that I'll never be ok with this being applied to the people.

You're halfway to an important insight, but your partisanism is blinding.

We're talking about two very different things.

And for the record, a defendant claiming "they forgot" something within their control is valid circumstantial evidence of guilt or responsibility.

When claimed by the police or prosecution witness, it's just as much valid evidence against guilt, and has been used many times to get defendants off.

Basically, it's valid circumstantial evidence against the party/side that makes the claim of forgetfulness.

"I encrypted the device but don't have the key" isn't a defense to being compelled to decrypt the device?

No, they can hold you in contempt for up to 18 months in federal court, or indefinitely in many state courts.

OTOH, if you were to argue that it's not your device, or that you weren't the person that encrypted it, that's a very different situation.

This is incorrect. You can’t be held in contempt for failing to comply with an order you can’t comply with, for example due to a loss of memory. In this case the court did not believe that the defendant had forgotten the key.

Whether you actually have lost your memory is a factual question to be determined by a trier of fact. Generally, most triers of fact rule against the forgettor if forgetting benefits them.

OTOH, if a witness forgets, they would not be held in court, because there's no benefit to them forgetting, and so their loss of memory is believable.

Just to clarify, and your comment framed the apparent misunderstanding in the thread perfectly:

This ruling only says that the confinement period for contempt of court, where the court has order an individual to de-encrypt some data, is too long if it is more than 18 continuous months. This does not mean that after serving that sentence and upon subsequent release, that further refusal after another court order and hearing can not result in another sentence for contempt.


I don't think people are downvoting you because they disagree with your assertion that the court system is in some way bad, they're downvoting you because you're just basically saying 'courts sux man' with no further information, which adds nothing to the discussion.

Also now they're probably downvoting you because you're calling them 'bootlickers'.

I led with substantive comments. The greater issue is nerds live in an overly comfortable fantasy world, and it's painful to acknowledge the true nature of the power structures we inhabit and are subject to, in all their ugliness. Much easier to distract yourself litigating the sophistry that blankets all of these things. God forbid somebody tugs on the blanket.

> "I encrypted the device but don't have the key" isn't a defense to being compelled to decrypt the device?

Try to think about it from the court's point of view. The truth could be:

A. You legitimately forgot.

B. You're lying.

I know which one Occam's Razor favors.

The whole point of a justice system is that Occam and his Razor are a terrible way of determining guilt.

Yeah, I'd bet that most people claiming to have forgotten a key or password are lying. But so what? How do you differentiate those who're concealing vs. those that legitimately don't know the string of characters? If they float, they're a witch, if they sink, then I guess they're not? (That's what 18 months for contempt is akin to)

You differentiate them using circumstantial evidence. Was the encrypted disk found under a pile of dust in the attic? Then to forget the password is quite believable. Is there independent, convincing evidence that you regularly and recently used the password? Then you’re probably lying. Or maybe you’re just really unlucky. Wrongful convictions do happen.

I don't. I have users that forget their password 5 minutes after they set it.

Happened to me as well (multiple times). I blame copy pasting instead of repeating the password.

Encrypting a device to securely wipe it is not unheard of. Similar to running dd over it, but more noise to hopefully remove any lingering magnetic patterns. In such a case there's no need to retain the key.

But it could also be that you legitimately accounted for such threat of the government trying to force you to decrypt your disks and made keys volatile and unrecoverable.

A. You're innocent.

B. You're guilty.

Uh, this is the essential question to begin with. The judge doesn't decide this unless you're in clown court.

Guilt or innocence is a question of fact, in the US court system. It is a determination that is left to the ‘trier of facts’ that can be a judge or a jury depending on defendant choice and statutory law for each particular jurisdiction. There are many defendants who choose to have a ‘trial by judge’ and waive a jury. It happens often and it happens for many reasons, and those facts make your assertion about a ‘clown court’ wrong.

I do understand the meaning and most likely intent of your post, but the language used is less effective than it could be.

I carry an open disdain for lawyers and their equivocal notion of "argument". You understood me; my language and its assertion are sound.

You don't want to go into any of those reasons people waive a jury, right?

I can say for certain that some people waive a jury when the judge is known to more often than not find defendants not guilty of Distributing Controlled Substances and instead is likely to only convict on simple possession. I can say for certain that some people opt for a trial by judge when they know that said judge often finds prosecutor arguments based on co-conspirator testimony or testimony of snitches are not reliable. Like I said, there are many reasons a defendant may opt away from having a jury trial. Also, I don’t see how your disdain for lawyers is relevant to the concept of a judge vs jury trial.

Hypothetically, he might have remembered his real password but the Government didn’t protect the bit-rot capable hard drive and it is the hard drive that is now bad. May be sector level checksums and probabilities rule them out but it is possible in the grand scheme of things

I wonder how it would work out if you confidently gave the wrong password.

Edit: I guess this case actually answers that, to some extent. Before he said he forgot the password, he tried a couple for them.

The idea of being locked up for not handing over a password terrifies me.

I was deployed a few years ago and living in the conexes. I was bored and decided to go all out on encrypting everything. I picked a completely random 16 character password (I piped the output from /Dev/urandom through some tr command that only allowed typeable characters through) and committed it to muscle memory. I used this laptop every day for about a month before I went home. I took about a one week vacation midway home.

With the break and change in surroundings I completely forgot the password. No idea what it was. I tried for about a week before I have up and reformated it. I don't encrypt my computer any more.

That's a crime they can lock you up for life for? Crazy talk.

It's enough that I fill unused drives with /dev/random. Good luck to me proving that it is not encrypted data (and vice versa). Headers are irrelevant, they are no different than a paper label on the hdd saying "encrypted".

Usually they establish the presence of encrypted stuff via witnesses and via thumbnails left in cache and logs, symlinks, etc. referring to it.

My understanding is that if there is evidence that you were committing crimes with connection to this encrypted data, there is a problem for you. Otherwise, this is not a problem.

That sounds like a very dangerous assumption. You don't get to decide that you have nothing to hide. They do.

Evidence which could be spurious, arising of actions of an unrelated third party.

It is not a crime if, as a matter of fact, you forgot the password. As always, it’s up to the court to decide that fact after looking at the evidence.

How could a court possibly correctly deduce whether someone has forgotten a password?

They can't. That's why we have to say that you cannot be compelled to produce a password, because the alternative is that you go to jail for forgetting.

Read the judgment linked in the article:

> Following the forensic examination, the Government moved to show cause why Rawls should not be held in contempt for his failure to comply with the Decryption Order. Two hearings were held on the issue in which, “Rawls offered no on-the-record explanation for his present failure to comply.” Based on the evidence presented, the District Court found that Rawls remembered the passwords needed to decrypt the hard drives but chose not to reveal them because of the devices’ contents.

The legal process may not satisfy your epistemological requirements, but it allows courts to make these findings. The Fifth Amendment has nothing to do with “going to jail for forgetting.”

The problem with this new territory is exactly the unsettled issue of whether providing a password is testimonial and protected.

The protection against self-incrimination is/was a protection against being put on trial and being forced to say or give testimony that you took part in or committed a crime. It is not a protection against any and all evidence from being produced against you.

In a previous age, not saying words was enough protection, because evidence was usually physical (objects). The novel problem now is that the types of evidence being protected by passwords (and the method of protection) now are so closely linked that it's quite difficult to say whether being compelled to reveal a password is testimonial.

Suppose a suspect murdered someone and was seen putting the weapon in a safe, where the combination was known to be written in a person's private papers. Those papers could be compelled to be revealed without jeopardizing privilege because the discovery of the combination is not forcing a person to testify. Even compelling the person to reveal the combination might not be testimony. And in any case, the safe could be opened with much effort and a blowtorch.

But now, the safe can never be cracked, and the person's knowledge of the password is the only thing that will open it. The person revealing the password will surely confirm his/her guilt, so it now feels very much like the info/knowledge is self-incriminating testimony.

Modern problems. They need some court resolution at a high level.

In Germany is rule is simply that you are not required to do anything to actively help our own prosecution.

They want to take your fingerprints? You don't need to help by lifting your arm. They want you to open a safe? No need to tell them the combination, through they will crack it open if you refuse. Same with encryption keys, you don't need to say anything. Telling the truth? As the accused you're allowed to lie in court however you want.

If you do get sentenced you can get a reduced sentence if the court thinks that you've been cooperative. But you can never get punished simply for the fact that you didn't help with your own prosecution.

Unrelated and commented on the dupe thread but there is a similar case going on in the EU right now that is set to be appealed at the European Court of Human Rights. Last week the highest court of Belgium ruled that passwords to IT systems were not covered by the right not to incriminate one-self. And they also ruled that you could be jailed for up to 3 years for refusing to provide said passwords. This was in the case of an alleged drug dealer refusing to unlock his iphone. There is no appeal left for him at the national level and he's now set to appeal the decision at the ECHR which if not overruled might finally set the precedent for the whole EU. This little story deserves some follow up imho.

> As the accused you're allowed to lie in court however you want.

Really? I'm interested to know how this works, and how it is not perjury.

Lying is not illegal. Lying under oath is illegal. In Germany, judges rarely require witness to swear under oath.

There also aren't juries in Germany.

There also isn't cross-examination in Germany.

The English way of law isn't the only way.

In Germany only witnesses are required to tell the truth (even without oath), but not the ones accused of a crime.

> The problem with this new territory is exactly the unsettled issue of whether providing a password is testimonial and protected.

I can see no possible correct answer than "yes, absolutely, it is testimonial."

If I may take some minor artistic liberty and change the words without changing the scenario:

Consider a person on trial for murder, and the prosecution believes they wrote down where the body is buried on a piece of paper. The paper's got blood on it and was found next to a hatchet and duct tape. Gee shucks though, it's written in an ancient dialect of Silbo Gomero and they're the last person alive who speaks it. The prosecution would really love to have that evidence for their case. Can they make the defendant translate it for them?

Absolutely not, right? That's clear-as-day 5th amendment, if-I-translate-this-for-you-I'm-incriminating-myself territory.

It is the exact same concept with encryption. There is a piece of information unintelligible to an adversary (prosecutor), that the adversary believes (due to surrounding known evidence) would further their case. The only way to transform the information into something useful for the prosecutor is with the help of the defendant, using knowledge that exists only in the defendant's mind (password).

Asking the defendant to create the evidence against themselves (evidence that does not exist until the defendant creates it, mind you - not something like the contents of a safe where the physical evidence exists whether the defendant wills it or not) is a 100% textbook 5th amendment violation.

I really feel that if someone sees this any other way, they fundamentally misunderstand how encryption works. The documents the prosecution wants do not exist unless the defendant (re)creates them, and you can't ask someone to create evidence (testimony) against themselves (5th amendment, again).

It's not a modern problem. You could always rig a tamper-proof device (eg booby trap) to destroy evidence if forced without the key.

While true, this is also a much more modern problem than the authors of the US constitution were subject to.

If you stab people, you can wipe the blood off the knife. If you shoot someone, there was not a way to associate a projectile with a firearm. (Assuming the dubious merits of "firearm forensics".) Back in the good ol' 1780s, there's no presecutorial evidence to be gained by inspecting my safe because you cannot show that the knife/gun inside was the murder weapon.

That’s quite a different problem, because if the booby trap goes off, the person who set it can’t be compelled to un-destroy the evidence.

Not entirely if you account for secure elements which might erase the secretif the wrong pin was entered too many times or if an wipe code was entered.

> seen putting the weapon in a safe, where the combination was known to be written in a person's private papers

Replace combination by password. Your example still works. If evidence is "locked" on an encrypted storage device and the password is in unencrypted plaintext form, it can be still used to "crack" the encryption without effort.

But could you force the suspect to tell you the safe combination in your example ?

According to this article, the court can’t seem to understand why the prosecution is going to such lengths to compel production of password. Is they court willfully ignorant or is the article misleading?

It seems pretty clear the prosecution was trying to use this case to set a precedent that not producing a password means you stay in jail forever. That the accused is all but convicted for child porn makes it easy, from a PR standpoint, for the prosecution to play hardball. If it was a journalist or a whistleblower, amicus curae brief would be stacked to the rafters.

I wonder if it is possible to get the charges dropped because he was denied the right to a speedy trial.

The government’s behavior on this is reprehensible, and, frankly, I’m more worried about abusive prosecutors than pedophiles.

I wish people would stop linking to Tech Dirt, when there are alternatives (https://arstechnica.com/tech-policy/2020/02/man-who-refused-...). Tech Dirt is a self-proclaimed rumor mill site, similar to the The Sun.

Advocacy groups wear their bias on their chests proudly. "Neutral" news purveyors hide their bias behind misleading headlines and selective reporting. I would much prefer to read about something related to digital privacy in Tech Dirt. Not that I have anything against arstechniaca in particular.

Can you link me to an example of a false rumor Tech Dirt has spread?

EDIT: As danso points out, this issue probably wouldn't even have been reported by ars if Tech Dirt hadn't done the actual work of digging up the court documents, so complaining about the admittedly outraged tone of their articles is just petty.

Funny, I much prefer the journalistic style of Tech Dirt, who at least bother to cite and quote from their primary sources. Comparing it to a former porn magazine is unfair.

I don’t typically goto TechDirt if I can find an original source (that isn’t hard paywalled or 50% video ads), but in this case, the writing and reporting was fine and the original court doc is included. Also, the Ars story you provide links to the TechDirt story in its opening sentence.

I've always thought that TechDirt should be named The Daily Outrage with the tag line A Place for Clicks.

There's a certain irony in the coincidence of the defendant's name being "Rawls", who was a political philosopher [0] that sought to define what "justice" should be within political society...

his work "Justice as Fairness" "describes a society of free citizens holding equal basic rights and cooperating within an egalitarian economic system."

[0] https://plato.stanford.edu/entries/rawls/

A surprising but welcome ruling. This case is yet another example of the government using the repugnancy of a crime to attack fundamental rights. It's happened before, it's happening now, and it will happen again.

Alleged crime.

And this is braindead simple application of the Fifth Amendment. The courts are a joke.

This is not braindead simple 5th amendment stuff. Among the unsettled the questions in this case: (1) is providing a decryption key a testimonial act? (2) are the contents of the drives would constitute testimony protected by the 5th Amendment?

Courts have come to different conclusions on both questions. Experts disagree on both questions. Even the precursor question (is requiring a defendant to provide the combination for a safe subject to the 5th Amendment?) is unsettled.

The court in this case came down on the side of treating the decryption key as a testimonial act, but avoided dealing with the 5th Amendment issues.

(1) is obviously true. Nobody can dispute this in good faith, even if the jurisprudence is hard to settle among bad actors. Prosecutors are simply upset technology makes the 5th powerful.

(2) is obviously false. You can't get to it without testimony, though, so too bad. This is the intention of the 5th.

The court avoided the 5th Amendment issues because, again, the courts are a joke.

(1) is not obviously true. Even judges known to favor defendant's rights can't agree whether this would constitute a testimonial act. Claiming otherwise suggests that you don't understand how the law works, how the technology works, or both.

(2) is not obviously false, because you're conflating two separate things: the encryption key and the contents of the encrypted device. Using the analogy of a locked safe: a picture taken by the defendant, for example, would be testimonial, but a picture taken by a third party would not. There's no way to know without actually reviewing the contents.

If you have a simplistic understanding of the law, it's easy to make black and white statements. But the law is not deterministic code, and has never worked that way.

I dunno what the law says. However, it is very easy to imagine a situation where someone LEGITIMATELY cannot decrypt the device. Is indefinite detention without even a criminal charge a valid punishment for that? We can make analogies all day "is it testimony? Is it like the code to a safe?"... But there is a real concrete fact that the government wants to be able to imprison someone indefinitely, without a jury trial, for claiming not to know something when there is certainly a reasonable doubt about them knowing it.

So, whatever they have to do with the analogies, this decision cannot go the way the prosecutor wants it to.

Is indefinite detention without even a criminal charge a valid punishment for that?

The defendant was charged with child pornography offenses.

But there is a real concrete fact that the government wants to be able to imprison someone indefinitely, without a jury trial, for claiming not to know something when there is certainly a reasonable doubt about them knowing it.

The defendant was claiming to forget the encryption key to a device because it allegedly contained a massive trove of photos that would likely get him locked away in prison for life. Said device was one he had owned and used for years, including shortly before he was arrested and the device confiscated (based on testimony of his sister). It's not reasonable to believe that he just conveniently forgot his encryption key as soon as he was arrested, especially when forgetting the key was beneficial to him in the underlying proceeding.

However, it is very easy to imagine a situation where someone LEGITIMATELY cannot decrypt the device.

Yes, but this isn't that situation. And this ruling benefits that hypothetical person.

this decision cannot go the way the prosecutor wants it to.

We agree on that, but it didn't need to. The prosecution already had a strong case against him on the underlying criminal charges. They got what they wanted -- a deterrent to others trying to do the same thing just to avoid jail time.

> the government wants to be able to imprison someone indefinitely, without a jury trial, for claiming not to know something when there is certainly a reasonable doubt about them knowing it.

This is incorrect. The judge could not have found Rawls in contempt if the judge was not satisfied that he intentionally failed to comply with the password disclosure order.

The person isn't claiming they don't know the password though. The person is claiming they don't have to provide the password. If they claimed they don't remember the password the prosecutor would have to convince the judge he is lying about that.

A minor miracle, while Chelsea Manning still rots in Alexandria City Jail for not cooperating with the political persecution of Assange.

It's so great, that Obama "commuted her sentence". Clearly that was a meaningful action that significantly affected something.

He commuted her sentence for a different crime. He didn't give her a pass to commit contempt going forward.

A different crime based on the same original actions. It's way too close to double jeopardy for my liking.

The jury is still out on that one. In the meantime, she is being illegally held.

If he hadn't commuted that sentence, how would they be pressuring her to lie about Assange right now? They tortured her for years. There's not much they could have done to escalate from that.

Idea: write malware that drops random data/encrypted files on the infected devices drive but is otherwise harmless, distribute widely. Bam! Plausible deniability for everyone.

Malware? Include with the operating system, to use the unused part (which might be all of it) of the encrypted partition for random data. Anyone who has no encrypted files, will not know the password to decrypt it, because there isn't any.

We sort of already have this, since stegfs provides an existence proof:


One problem with this is even after fully cooperating, the prosecution can still claim you're hiding more.

Alternatively, the rule becomes: secure your computer, or end up in jail.

What about if your password itself is an admission of committing a crime? Like your pass phrase is "IMurderedJeffreyEpstein"

"I can't, your honor, the password itself is a confession." Is now my newest password.

In the past, they've offered to exclude the contents of the password from the trial to answer that.

Maybe in this case, it is somehow clear that there is encrypted stuff and the government is also sure who can decrypt it (who owns the key to decrypt it.) But since a variety of Deniable encryption[0] exits, what happens when they think there is something to decrypt when there isn't? Or when they can't prove it but they want to believe there is something there?

[0] https://en.wikipedia.org/wiki/Deniable_encryption

>>Since that day, more than four years ago, Rawls has been held in federal custody. Rawls seeks release arguing that 28 U.S.C. § 1826 limits his maximum permissible confinement for civil contempt to 18 months.

This much jail times ruins almost everyone, think of the mess it makes in your life /job/relationship /fiances. But I guess it beats doing xx years if you provide the passwords and evidence found there is used.

It's no mistake that they select the most unsympathetic people to try to weaken the protections for us all.

If your password itself was an admission of guilt then would that count as testimony and protected under the Fifth Amendment?

If you pleaded the fifth on your password, the court might be able to compel you to enter the password such that they don’t get the password but do get the data.

The next question is, if doing so immediately decrypts a file (e.g. a text file) which is a direct admission of guilt, can you plead the fifth against the decryption process itself, esp. if the government isn’t already aware that such a “guilt declaration” exists?

What if you testified that you forgot the password (if password was used). Unbelievable it might seem, let’s say you set up the passwd 1 week before the deed, it is a possibility and IMO they would have to prove otherwise (+ good luck with the decrypting)

mods: can we edit the title to mention that this is about the US? US law != global law.

How can they prove that the person didn't forget the password / no longer has access to it?

I'm pretty careful with that stuff but still it happened to me before.

Came there to read the article, then saw their informed consent form. By far the best one I've seen up to now, my commendation for that.

So 365 days or so, just not indefinite.

so they can keep you 4 years if they have nothing on you?

> Man Who Refused To Decrypt Hard Drives Is Free After Four Years In Jail

18 months is the new limit. It only applies to federal courts though.

it is still wayyyyyyyyyyyy too long.

Applications are open for YC Summer 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact