Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
TrueCrypt User Held in Contempt of Court (truecrypt.org)
488 points by dcevansiii on June 24, 2011 | hide | past | favorite | 186 comments


First, there isn't enough information to know what it is this person has (or has not) done.

Secondly, the fifth amendment of the US Constitution allows you to refuse to provide testimony which you feel may incriminate you. Generally encryption pass phrases do not count as testimony, the legal system treats them as keys. And that would be covered under the fourth amendment which says the government cannot compel to you to give access to your property for search unless they have probable cause.

If they do have probable cause, they get a warrant which gives them the power to do the search temporarily and only for what they think exists. So if you get a warrant to search your hard drive for something, you are compelled to give them the password just like you are compelled to let them into your house if they have a warrant to search for something like drugs or guns or counterfeit plush toys.

However sometimes the courts do see it as a fifth amendment issue [1] and that has been under debate for a while. (As far as I can tell the legal theory is similar to the police not being able to compel you to tell them where you left the body in a capital crime.)

Disclaimer I am not a lawyer this isn't legal advice, and I've not followed up the cited case to see if it made it to the supreme court or not. Any circuit level decision would not be binding on different circuits.

[1] http://news.cnet.com/8301-13578_3-9854034-38.html

Follow up on the Boucher case: https://secure.wikimedia.org/wikipedia/en/wiki/United_States...

Where the fifth amendment defense was overturned.


What if your passphrase to your truecrypt container (let's say it contains, for the purpose of this thought experiment, child pornography) is the true statement: "I am [for this thought experiment] a child pornography collector."

Wouldn't it be a violation of the 5th amendment to be compelled to provide that passphrase, because it is an admission against interest and therefore would be admissible if you disclosed it? Wouldn't it also serve to waive 5th amendment privilege, and possibly put you at risk of being forced to take the stand?

If it were an admission of a different crime, a court could grant you immunity on those unrelated charges, but if it is relevant to the crime the government is investigating by asking you to reveal your passphrase... how can anyone, luddite judge or not, separate "key" from "testimony" in that circumstance?


Philosophically it's not a problem:

http://en.wikipedia.org/wiki/Use%E2%80%93mention_distinction

In the context of testimony, I'd argue (as a philosopher, not a lawyer) that a mention does not count as testimony and cannot be used against you. Obviously, an observation of the mention could lead the police to consider other avenues of investigation however.


The 5th amendment doesn't mean you can block normal legal proceedings just because they would happen to incriminate you.

You do have the right to remain silent, however. That might be a stronger defense.


That only means you don't have to say anything to the police while you are in custody but have not yet been charged with a crime, and your lawyer is not present. It's not meant as a blanket protection against having to give testimony.


It is blanket protection from testifying during any phase except if you've been given immunity. Then your testimony cannot be used against you and you can be compelled to testify.

http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_S...

"If the government gives an individual immunity, then that individual may be compelled to testify. Immunity may be "transactional immunity" or "use immunity"; in the former, the witness is immune from prosecution for offenses related to the testimony; in the latter, the witness may be prosecuted, but his testimony may not be used against him. In Kastigar v. United States, 406 U.S. 441 (1972), the Supreme Court held that the government need only grant use immunity to compel testimony. The use immunity, however, must extend not only to the testimony made by the witness, but also to all evidence derived therefrom. This scenario most commonly arises in cases related to organized crime."


Yes, it is in fact a blanket protection against having to give testimony.


Providing a password is not testimony. You're not testifying to anything.


My understanding is that whether or not providing a password is or is not testimony is not clearly defined.

There have in fact been a few instances where judges have determined that providing a password does constitute giving testimony.

http://www.easterndistrictblog.com/?p=57

and older

http://mises.org/Community/blogs/crypto/archive/2007/12/18/c...


"Providing a password is not testimony. You're not testifying to anything."

Where did you put your ex-wife's body Mr Johnson, we know you killed her? Just point at the map, you do not even have to say anything.


More like: "Give us the keys to this safe." and assuming they have a warrant, they can ask for such things.


You also are missing the point of TrueCrypt: Plausible Dependability and multiple passwords for different content. It'd be like "Give us the key to this safe that unlocks the incriminating evidence, even though we have absolutely no way of knowing if you're hiding more or giving us the full truth".

You could have cat pictures encrypted with passphrase A and incriminating evidence (that stands up to the best forensic analysis currently available) encrypted with passphrase B and they wouldn't know which is which, if they unlocked ALL the data, or what.

Truecrypt is AMAZING and anyone holding onto stuff that might get them into trouble (esp. w/ foreign gov'ts) should use it.


Then what is it?


Providing access to subpoenaed evidence.

The evidence is what it is, the court is there to judge it.


Compliance doesn't require that you provide them with the passphrase. It simply requires that you provide access to the material. Typing your password into the computer to let them copy the material would suffice.


What if you pass phrase was "I have child porn on my hard-drive", then could you plead the fifth?


You could try. The judge could also demand that you provide your lawyer with the pass phrase and that the lawyer then enter that pass phrase when required to by the digital forensics team in such a way that does not reveal the password to the forensics team. The judge also has the authority to strike things from the record and could simple demand that you provide the pass phrase and that any mention of the actual pass phrase not be used in court and that any such usage will not be a part of the trial records. Either way, the 5th is a weak shield to try to hide behind in this case.


Wouldn't it be the same if you had child porn in your house?


I don't see how providing a passphrase is an admission of anything. You're not stating a fact, you're just providing the passphrase, which could be anything (true or false).


5th amendment is the right against self-incrimination. The response could provide self-incriminating evidence of an illegal act punishable by fines, penalties or forfeiture. Giving a password to your encrypted database could easily be interpreted as testifying against yourself as defined in the 5th amendment.

Relevant: http://www.youtube.com/watch?v=i8z7NC5sgik#at=950


You're admitting you have a passphrase, and therefore that you have access to the information it protects. This piece of information is non-trivial, as it eliminates one avenue of plausible deniability, and actions that implicitly provide this information are recognized as testimonial in nature.


"If they do have probable cause, they get a warrant which gives them the power to do the search temporarily and only for what they think exists. So if you get a warrant to search your hard drive for something, you are compelled to give them the password just like you are compelled to let them into your house if they have a warrant to search for something like drugs or guns or counterfeit plush toys."

Does US law require me to open the door of my house to the police if they have a warrant?

In lots of countries a warrant allows the police to search your house, but it does not require your cooperation. You may not actively hinder the police from doing their task, but you, e.g., do not need to open the door.


"Does US law require me to open the door of my house to the police if they have a warrant?"

Its a good question, you are required to co-operate with the authorities in the lawful execution of their job. The term 'lawful' is, of course, subject to legal interpretation.

Police have arrested people for filming them arresting others, typically the scenario is "They ask the person filming to stop while they are doing their job, person doesn't, they arrest them for interfering with an officer." (sister-in-law is a public defender, I get to hear all the excuses). So far the California lower courts are still fumbling around this issue. I expect it to make it to the ninth circuit sometime later this year or early next year.

The question of "Can you make a house that the police can't search without your co-operation?" is a good one, and I'll ask my lawyer friends if that approach has been taken yet. Generally a subpoena is the court ordering you to co-operate and generally you must (or be held in contempt of court).

So I expect such cases would go "give us your hard drive" followed by "give us the key", followed by a refusal, followed by a subpoena, followed by another refusal, followed by being in jail for contempt.

If you did shred your key so that you literally cannot decrypt the drive, then I would expect you to spend a few days in jail (so that the prosecutor could prove to themselves you are serious) and then they would return your drive after re-formatting it. How they would justify that I do not know but I know that they would try.


Intentionally making your data inaccessible (by encryption or otherwise) without a means of recovering it to attempt to prevent it being used against you in court could be considered destruction of evidence. If convicted of that, expect far more than a few days in jail, depending on how annoyed the judge is with you.


But it wasn't evidence when you encrypted it, right?


Typically, you are in trouble when you destroy evidence when you has reasonable cause to believe that it is evidence.

If I delete all of my email today, I'm not committing a crime. But if I find out that my company is being sued for breach of a contract that I was working on, deleting email becomes suspicious.


My attorney has advised me that the best thing in this situation is to have a personal data retention policy: "I delete my email the first monday of every month."

Then, do just that.

If a civil or criminal case is brought against you the law says you must stop any routine houskeeping tasks like that to preserve evidence, but the most you'd have then is 4 weeks worth. Much better than 4 years.


The flip side is I escaped being charged with conspiracy to launder money because I had kept email from several years prior in which I complained at length to my manager about how a particular client was behaving, and then escalated it to his manager. Both managers were implicated, but I could show that I'd reported the behaviour and been reassured by two people who I trusted that nothing illegal was going on.


Actually, I should elaborate: if it were just two people I trusted reassuring me it was fine, I would probably have still been on the hook for contributory negligence. What got me off completely was the fact that the responses I got from the senior manager said that he'd passed all of my information on to the legal team, who'd been over it with a fine-toothed comb and decided it was all above-board. What got HIM in trouble was that he'd never passed it on to legal at all.


Having lost the key for several of my spare drivers in the closet... How can that power abuse you describe be avoided on innocents?


Explain to the jury that you lost the key before you knew there was a criminal investigation. It only becomes illegal afterward.


don't they only have access to my stuff AFTER they showed probable cause.

does not make much sense to me...


I can tell you what happens if you don't cooperate. They break your door down and they search anyway. Still working on getting ours fixed.

There are two ways to avoid this, either build a house with no doors, or don't have one.


If you don't want to replace your door, I'm sure.


The fifth amendment defense was overturned in the Boucher case because: "A District Court judge agreed with the government, holding that, given Boucher's initial cooperation in showing some of the content of his computer to border agents, producing the complete contents would not constitute self-incrimination." [1]. Without Boucher having given up the names and titles of his files, it is entirely reasonable to expect that the fifth amendment would hold when testimony is asked without knowing what is inside the encrypted space.

[1] https://secure.wikimedia.org/wikipedia/en/wiki/United_States...


an EFF lawyer talked about this at toorcon last year and said the exact opposite of what you just said. What she basically said was that you can plead the fifth to not give up the password however the court can give you amnesty for whatever you say (the key) can not be used against you. The content that is found on the hard drive using that key could still be used against you. Once the court gives you amnesty you can no longer plead the fifth and if you still refuse they can hold you for an indefinite amount of time.


I find that problematic in a way. If in a murder case the defendent was given immunity for him to say the statement "the body is buried at xyz" would the corpse being found using that statement be used against him?

I can see this as still incriminating himself no?


bit late on the response but it's a different situation. Pleading the fifth isn't the same as not knowing or forgetting something. Murderers don't bury bodies then when caught say that they know where it's buried but aren't telling. Even if this was the case and they gave the defendant immunity for knowing where the body is, once they found the body they could use the body to try and find evidence to link the defendant to the murder. It's just like saying "ok well just because you know where the body is, it doesn't mean you murdered the person".


Good summary, the only difference between this and the house key example is that you can "forget" the password. When you "forget" there is nothing they can do besides say you are unstable and hold you in contempt of court.


True, and shredding a key would be no different than shredding evidence. You could be charged with destroying evidence but not the crime the evidence supported.


I dot think you'd be charged with destroying evidence, because that would be assuming that there would be evidence. Instead, I suspect you'd be charged with contempt or obstruction of justice, or something along those lines. Otherwise, yes, I think you're right.


Under civil law, a finding that evidence was destroyed implies a finding of the fact that the destroyed evidence would have supported. I'm not sure how this would affect a criminal law proceeding, though I'm reasonably the prosecutor would be allowed to introduce that fact to prove guilt. (Ultimately it would be up to the jury to decide.)


How could the court know what fact it would have supported?


Because the plaintiff claimed it.


Wait, did you just say that seriously?

Plaintiff: "There was a dead-body in the toilet, but the defendant has been regularly flushing, thereby destroying the evidence and proving his guilt."

Judge: "Well, if you say it, it must be true!"


I was referring specifically to civil matters, not criminal ones. A relevant example would be a claim that D defrauded P; a finding that D intentionally destroyed evidence that would prove the fraud could be used to support a finding of fact that the fraud occurred.


A time-dependent password option would be better such as so that in 90 days the password is void and all data is lost.


Assume a case like TrueCrypt's hidden volumes, where multiple keys decrypt different content. Could you use the key to decrypt the fake content, and then when asked if that key was the "real key", refuse to answer on Fifth Amendment grounds?


AIUI TrueCrypt has one hidden volume for every real volume, so it's reasonable for law enforcement to ask for the hidden volume if there's a real one. But what if there was a hard disk encryption system that allowed a large number of hidden volumes (say 1000), and a suspect provided police with keys for 5 of them -- how would the police know that there was any more? I think that this would give more effective plausible deniability.


Julian Assange has worked on a filesystem that does precisely that: http://en.wikipedia.org/wiki/Rubberhose_(file_system)


That's the whole point of this feature as far as I can tell: It should be impossible (ignoring flaws in the software/system) to know if there's a hidden volume. You give the key to the decoy, smile and ask if you can comply in any other way and move along. The english phrase that I see connected to this all the time seems to be plausible deniability [1]?

Since hidden volumes are an optional feature and - again, in theory - cannot be proven to exist, you can always claim that this is the only password. Even if the judge/attorney knows a thing or two about true crypt.

1: https://secure.wikimedia.org/wikipedia/en/wiki/Plausible_den...


>"So if you get a warrant to search your hard drive for something, you are compelled to give them the password just like you are compelled to let them into your house if they have a warrant to search for something like drugs or guns or counterfeit plush toys."

You might also be missing something about TrueCrypt: plausible deniability. You can have different passphrases that unlock different things. You could provide them with a passphrase the only unlocks innocent documents when really you have CP stored using a DIFFERENT pass phrase -- any this would stand up to any cryptographical analysis -- they simply cannot PROVE that the CP exists or even that more encrypted data exists.

The analogy to a key isn't quite valid here; it's more like the doors in that hallway in the matrix. If you use key A in the door, you will get content A. However, you can use a different key, open the door, and it'll go somewhere else entirely. Also, if you rip the door off the wall, there is just the wall behind it. Crazy stuff, that.


Depending on what's on the drive, obstruction of justice might carry a much less onerous penalty than what he'd otherwise be facing.

For instance, if it's child porn, he'd be labeled a sexual predator for life. If it's state secrets, he'd be facing treason and espionage charges. If it's mp3s.. financial ruin on top of the felony charge..


Aren't there statutes against forced self-incrimination by the court? I am definitely not a lawyer.


That exists to prevent the state from coercing a wrongful confession out of you. Compelling the truth out of you has no such moral hazard. I am not a constitutional scholar.


The truth you can tell is only a fraction of a larger truth encompassing the entire universe of facts for a case the government may be investigating. Even if your portion of that truth is completely free of any wrongdoing, when combined with the rest of the facts that may include lies or mistakes by other witnesses or incorrect analysis of physical evidence, you can end up getting into trouble for telling the truth.

But we have never held, as the Supreme Court of Ohio did, that the privilege is unavailable to those who claim innocence. To the contrary, we have emphasized that one of the Fifth Amendment's "basic functions ... is to protect innocent men ... 'who otherwise might be ensnared by ambiguous circumstances.' " Grunewald v. United States, 353 U. S. 391, 421 (1957) (quoting Slochower v. Board of Higher Ed. of New York City, 350 U. S. 551, 557-558 (1956)) (emphasis in original). In Grunewald, we recognized that truthful responses of an innocent witness, as well as those of a wrongdoer, may provide the government with incriminating evidence from the speaker's own mouth. 353 U. S., at 421-422.

-- Supreme Court in Ohio v Matthew Reiner, http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=US...


As is often the case with constitutional protections, the protection is a result of the English monarchy's abuse of power. In this case it is to prevent another star chamber[http://en.wikipedia.org/wiki/Star_Chamber] where "Court sessions were held in secret, with no indictments, no right of appeal, no juries, and no witnesses."

The fifth protect you from having to compel a statement, since you can then be declared guilty for either: any invented crime you testify you did (if you testify as they want you to); perjury (if you testify, but not what they want you to say); contempt of court (if you refuse to testify).


It's called the Fifth Amendment.

"nor shall be compelled in any criminal case to be a witness against himself"


The password that you are requested to provide to the court is not incriminating. There is no law against having passwords or using passwords. The Fifth Amendment doesn't apply. The incriminating part is the data on the drive ... and you are not being requested to testify ... it's there and has already been confiscated by the police using a legal warrant.

This situation stinks, for sure. If you want to protect yourself, use shadow volumes. Far better solution than questionable legal arguments.


"Questionable" is the key point here. We can't be sure if the defence holds water until it has been thoroughly tested in court.

As for shadow volumes, that's a whole other kettle of fish. I'm sure it won't be quite that simple - if your VLC history has a link to /shadow-volume/pirate_movie.avi then they may be able to compel you to decrypt it.


That's not what it would look like. VLC would have a link to D:\pirate_movie.avi but when you decrypt the volume, all it shows is a bunch of text files on D:\ ... because the password provided is a trigger for the software to show a bunch of text files, not your pirated movie collection.

Granted, if we were working for the prosecutor we would be able to put 2 and 2 together ... but ... these are the same morons who just a few days ago grabbed an entire rack instead of one server, not being able to tell the difference.

You're giving them too much credit.

Anyway, as of right now, cops/prosecutor only get real excited if there's naked children involved ... and frankly, you shouldn't be doing that sort of shit anyway. Just jerk off to normal porn like everybody else, problem solved.


And if they do put 2 and 2 together, now you have perjured yourself, not just refused to testify. Much worse.

> Just jerk off to normal porn like everybody else, problem solved.

sigh

First they came for those accused of pedophilia, and I said nothing because I wasn't accused of pedophilia.


Ironic invocation of Godwin's Law?


http://en.wikipedia.org/wiki/First_they_came...


> these are the same morons who just a few days ago grabbed an entire rack instead of one server, not being able to tell the difference.

The FBI agents who did that are very much not prosecutors (and we still don't know why the FBI did that; it may have been intentional).


THE WORLD MAY NEVER KNOW http://www.dedleg.com/wordpress/wp-content/uploads/2010/03/m...


Providing the password is an admission of knowing the password.


I'm not one either, but laws against self-incrimination do not mean you can withhold/destroy evidence.


To charge someone for withholding evidence, wouldn't you have to show that they had the evidence? For example, in the case of a deleted file, you would have to show that they deleted the file after being charged. Else deleting any file ever would potentially be a crime. Now consider the case there that file is the encryption key.


No one is withhold/destroying evidence in that case. it's there for anyone to see... encrypted.

Can I go to federal prison if the police ask to me translate some paper in foreign language I happen to have in my pocket and i refuse/don't know the language?


No, you couldn't be compelled to translate a document in a foreign language. The police have another way to get the information - ask someone else who knows the language to do it. You would be making their job harder, but not impossible. In the case of an encryption key, you might be the only one that can assist the investigation. So you'd be hindering it. At least that's how I'd see it.


The accused will often be the only one who knows how strong the encryption is, or how prevalent the foreign language is, so they're the only one who knows whether it is possible for the police to decrypt/translate without their cooperation. Thus, in reality, the determination of whether the accused can be compelled to provide the decryption information cannot depend on the strength of the encryption/obfuscation.


What if the language has very few speakers left in the world, including you? If only you speak the language, could they compel you to translate it? Or if only you and one other person in the world spoke the language, and neither of you wanted to translate it?


it may not even be a real language... you are distorting the point.

I myself may not know how to read what is on the paper


If it isn't a real language, that's a whole other set of circumstances. If it is a foreign language that is actively spoken, and the police have a reasonable way to get the document in question translated, you should have to help them. However, if they don't have a reasonable way and you are the only one that can help, then you could be compelled to do so. It is a question of what's reasonable.


ptomato's and jgmmo's answers are both right (I think), but seem a little contradictory. If I can be compelled to provide physical evidence, why can't I be compelled to provide mental evidence, e.g. testimony about my crime?


The legal apparatus you identify is based on the 5th amendment, interpreted through the lens of mythological, historical ideas of how "thought" is different from information recorded external to the brain.

If you think things are confusing now, wait until merely sticking electrodes on someone's head and making them think about certain things by talking to them, without requiring any voluntary response, can generate usable evidence.

Requiring someone to reveal a passphrase or access procedure to reveal encrypted or otherwise secured evidence, external to the brain, is the tip of the iceberg.


So basically we have a guy in jail who is claiming something and making a public appeal. However, we can find little or no independent information about his case. He provides little information about his case. Indeed, the jail site containing his photo says Charges Unknown.

Let's not jump to conclusions just yet. He was arrested on April 14th. Find out the full case history, what was said, what he's accused of, etc.

It's entirely reasonable to assist anyone who's rights are being violated. But keep that separate from what he's accused of.


With new laws giving more ability to charge people secretly, you'll see more and more people in this situation. Not saying that this is what's going on here, but the purpose of the secrecy provisions of the Patriot Act and similar is to make it harder to identify when citizens are being abused.


A little more info: http://www.ypsort.com/info/GA/3899392/

Searching on the address finds some info, but the names do not match up. There is a phone number listed however. Im not calling it though.


This is why you always have TrueCrypt use multiple volumes. This is exactly what plausible deniability is for.


The key is to put some stuff that's reasonably embarrassing in the fake volume, like nude pictures of yourself or weird fetish porn.


That would be perjury, though. You are now a Lying Guy, not just a Fifth Amendment Guy, and no amendment will be able to save you if they figure out that you gave a hidden volume password and claimed it as the "real" and only password.

I'm not saying plausible deniability is bad, just that it would be better not to rely on technical arms races to protect fundamental rights.

The Passive Aggressive Award will go to the guy who freely gives the real password to the feds when subpoenaed, but claims it is just a hidden volume password.


You generally give them the non-hidden volume password, not the hidden volume password. This is because, unless you tell them so (or they see you using it, or have spyware on your system, etc.), there is absolutely no way to prove the existence of a hidden volume from looking at the file. There's also no way to prove that a truecrypt file does not contain a hidden volume, which leads to some interesting problems if people catch on to the existence and usage of hidden volumes (I recommend creating a hidden volume in any encrypted container just so that you can show that there's nothing hidden in it. Truecrypt doesn't support more than one hidden volume in a single file, right?).

If you do accidentally tell them, it's a bad thing. Generally, you should only take advantage of this if 1) the punishment for whatever you have in the hidden volume is bad enough that the addition of perjury charges would be like adding a single spike to an atomic bomb, or 2) you are absolutely sure that they're not going to figure out the existence of it from anything you have lying around or other people.

This is not legal advice, I'm not a lawyer.


Actually, there are ways to prove a hidden volume indirectly. For example by the file names you opened or the last modification date of a truecrypt container file. There is an article about all the small things to watch on the Truecrypt website.


My small modification:

>There is an article about all the small things to watch on the Truecrypt website.

There is an article about all the tricky things to watch for. They're not any smaller than any other booleans on your system, and with software like encase, such inconsistencies will be found.


You're right, I butchered the jargon there. By "hidden volume" I meant the volume that is hidden during normal use, whereas the conventional meaning of that term is the volume that is hidden when you give the false password. Exact opposites.

> I recommend creating a hidden volume in any encrypted container...

Do you not want the recommendees to enjoy plausible deniability? After all, if they always create a hidden volume, they could reasonably be held in contempt for refusing to give two passwords for every volume.


I've always wondered how people would answer the "Your volume is 512MB, but this truecrypt file is 2GB. Explain please". question.

I guess they can't prove that there is a hidden volume, but I thought with Truecrypt they could not prove whether a file was actually a Truecrypt volume in the first place?


In truecrypt, the volume would report 2GB, not 512MB, and you have to be careful not to put in more than the invisible limit, otherwise the hidden portion will be corrupted/overwritten.


Truecrypt can have hidden volumes, the truecrypt file may be split into 1.5gb / 0.5gb. The truecrypt file reports 2GB, but different passwords mount different the different sized volumes, hence putting in the 512MB password will mount a 512MB volume of a 2GB file.


It works the way the parent says, not the way you say.


Oh, my bad then. I guess I should look at my volumes closer. :)


I have encrypted files/volumes that I don't remember the password for (it has been far too long). Surely not remembering is a valid defense.


The more interesting point is that he may not be using a password in the first place; TrueCrypt can do arbitrary keyfiles. Someone found[1] a post elsewhere on the forum citing a subpoena that required someone to "type the passwords or pass phrases necessary to produce the encrypted contents of drives". If that quote is from the same case, he may be physically incapable of carrying out the subpoena as ordered.

[1] http://news.ycombinator.com/item?id=2693754


If you really don't remember the passwords for your encrypted files, you might want to take the prudent action and delete them. It's not like they're of any use to you now.


Only if you're the Attorney General.


Interesting point. I was thinking of the exact same thing. I cringe to the idea that such a defense might lead to some creative rubber-hose cryptanalysis though. The way I see it, this guy is half-way there. I wish I could help him.


I'd also be much more likely to forget passwords (for real) after being locked up in jail (stressful and away from computer, so not logging in periodically). I think at the point of forgetting, the contempt charge would go away.


It's definitely not in Australia - and I'd be surprised if that defence worked anywhere else, either.

The law here says that you must assist the police to access data if ordered by a magistrate. The magistrate must be satisfied that you can provide that assistance, but he doesn't ask you before issuing the order - he makes the decision based on what the police tell him. Once that order is issued you commit an offence if you don't comply with it. Your reasons for not complying are irrelevant. (I'm not a laywer, etc...)


Just ask Alberto 'do not recall' Gonzales.


The author references a previous letter that describes what he's doing in jail. Can anyone find that?


I think this is the guy: http://florida.arrests.org/Arrests/Matthew_Bumgardner_548009...

Google searches for '"Matthew Bumgardner" arrest' or '"Matthew Bumgardner" truecrypt' were unhelpful. It appears that this story hasn't had any media attention.


If he's in Santa Rosa I don't think that's him. Santa Rosa is in California.


It's Santa Rosa county, which is in Northwest Florida.


Still seems low on details, but maybe this one?

http://forums.truecrypt.org/viewtopic.php?p=94607


"The user received a subpoena duces tecum requiring him to type the passwords or pass phrases necessary to produce the encrypted contents of drives seized 6 months earlier. The true crypt user has attempted to comply but he is still being held in contempt."

Did he forget his TrueCrypt password?


In the forum post he says "Tell them that True Crypt can use more than just a password."

Maybe he was using keyfiles?


Its a criminal case.,..which basically means if he judge requests a document that is encrypted on a hd than defendant cannot refuse or they are in contempt


I'm not familiar with US law.

In most European countries (that do not have specific crypto laws) you neither need to give the judge any information (except your name and address), nor help the prosecutor (i.e., the judge cannot order you to open a safe, but of course he can try to break the safe hismelf).


There was a similar issue in the UK recently: http://www.bbc.co.uk/news/uk-england-11479831


Yes, UK and (afaik) France have special laws that require you to surrender cryptographic keys.


Okay - but what if the argument is literally "I can't - the keyfile is lost"

or

Ignoring the details of this case, what if the court is ordering you to decrypt something that isn't even encrypted? It's just random data? They assume it is. You assume it isn't.

I suppose in this case, the fact that the someone of authority already saw unencrypted contents gives them enough reason to be confident the drive is encrypted and the defendant has the ability to decrypt it.


I'm partial to "I kept this week's password on a post-it note stuck to the keyboard. Did you lose the post-it?"


And if the document does not in fact exist?


Presumably there is some evidence that it does exist, or the judge wouldn't be asking for it. If you send an email to a buddy saying "I've got some great stuff on my encrypted hard drive", the court will likely be interested in seeing some of that great stuff.


i don't get it. Is "you have the right to remain silent" limited only to oral means of communication? Or does it include the right to remain silent with respect to any means of communication, including writing, keyboard typing, sign language gesturing, etc ...?


"the right to remain silent..." etc is the Miranda Act which applies when you are taken into custody but before you have been formally charged with a crime. It really just boils down to not having to say anything to the police without legal representation present. That no longer applies since he is now before a court and we can assume he has legal representation (or he was offered it and has refused).

To answer your question directly: No, it applies to all methods of communication.


i was under impression that the right to remain silent is valid even before the court. Anyway, googling it, stumbled upon interesting reading :

http://en.wikipedia.org/wiki/Right_to_silence#United_States

"...the U.S. District Court for Vermont ruled that because the defendant had already cooperated as far as he had and already potentially incriminated himself, by stating his ownership of his laptop and providing law enforcement with partial access to it prior to his arrest, that he must now surrender complete access to all information on that laptop, even encrypted and potentially self-incriminating or confidential information.[20] Because the defendant had cooperated in part already, the Court ruled that the defendant must continue cooperation and provide the decrypted and potentially harmful information to the government..."


i was under impression that the right to remain silent is valid even before the court

It is. That's what I meant by being in custody (arrested).


The 5th amendment was written specifically for criminal proceedings. Why does the judge's request override his right to refuse being a witness against himself?


What if you forget the password?


The same thing when they request a document that was lost in a fire: hope they believe you.


It's really not clear at all what the demand regards. 5th Amendment doesn't apply when the "papers" refer to someone else.


Searching for all posts by Bella1 that contain "Matthew", "jail", or "letter" doesn't find a previous letter. The closest thing is this post that provides case information (such as the case number, etc):

http://forums.truecrypt.org/viewtopic.php?p=94607#94607


I tried looking up the case number in PACER (http://www.pacer.gov/) but when I went to register I saw that they charge 8 cents for every page returned, that is every page of a document clicked on as well as every page linked to in a search result. Transparency comes with a price tag these days I guess.


They're public documents, too.

But this is why the RECAP project exists - to jail-break the PACER documents you pay for: https://www.recapthelaw.org/


If it was prohibitively expensive for you to view (as it is for me), it's not really transparent, is it?


The Judicial Conference waives fees if they amount to less than $10 in a quarter, I believe. So you get 125 pages free. Be aware that search results do count as a page, though.


I can't find anything either, and the fact that he doesn't include that in the letter sort of implies that it's something that'd immediately lose him any sympathy or backing, doesn't it?


Three things:

First, the guy could be accused of choking babies to death with child porn and that wouldn't make a damn bit of difference as far as his, and the rest of our, fundamental rights are concerned.

Second, accused (or even indicted) is absolutely different than convicted, which itself bears an indirect relationship to 'true'.

Third, courts typically don't post private proceedings on the internet - you'd be amazed how many things you wouldn't be able to "find anything" about via a google search. If he's being held for contempt in relation to a case that he's not actually a defendant in, I imagine it'd be really bloody difficult to find a whole lot about that online, and in either case I can't imagine any sane lawyer giving him the green light to post on the internet details about a case for which he's already being held in contempt.

But by all means, don't let me stop you from impugning the integrity of a man you admit to knowing nothing at all about.


> I imagine it'd be really bloody difficult to find a whole lot about that online, and in either case I can't imagine any sane lawyer giving him the green light to post on the internet details about a case for which he's already being held in contempt.

I can't imagine a lawyer giving him the green light to post on the internet asking people who don't know anything about the case to spam the judge and prosecutor, either.

In fact, he states that he doesn't have a lawyer.

If he expects people to write letters, he needs to explain WHY they need to write letters. That requires telling us what the case is actually about.


That's true. I've no strong opinons on the veracity of the man's claims, but I'm certainly not intending to write any letters without extremely strong and verifiable evidence that his story is as he claims. My point was just that the nature of the charges in the case and our ability to find anything about them have next to no bearing on principles in question, nor does the moral composition of the author, and I think there's danger in the idea that they would.


Sympathy for a particular individual is irrelevant here. Some rights should apply to everyone, regardless of what they are accused of. I believe that the right to encryption belongs to this domain of fundamental rights.


You are correct. That does not however change the observation that an explanation of his charges is conspicuously absent.


So far, it's not clear at this point this guy has actually been charged with any criminal wrongdoing. From what I've seen on the forum, here, and reddit, there doesn't appear to be a criminal charge reported. It's entirely possible that he is being held in contempt due to some civil case.

What you're trying to do here is obvious, and I don't like it one bit. Everyone is innocent until proven guilty. You're trying to introduce bias, and shame on you for doing it.


I am doing no such thing - shame on you for making assumptions about another's intentions.

The fact of the matter is that even if the first sentence of his message stated that he was being held on child pornography charges, I would still back his right to not have to reveal his key. That's ridiculously lazy policing.

However, the omission of what his charges are from such a thorough message is extremely conspicuous. I could pretend to be a string parsing robot and only act on what the message itself contained... Or I could use my full brain like a human and make some reasonable assumptions. He's probably been accused of something pretty bad to leave it out like he did.

It's funny that in then contest to appear dispassionate and just people, even in an intelligent community such as this, handicap themselves. We're not better for having done so.


So?


It's an observation. Draw your own conclusions.


Your onerous observation seems to be that rights are on a sliding scale according to what your crime is, which is total horseshit.


Until the 5th amendment and encryption issues get worked out, these drives should delete themselves upon unauthorized access.


Fifth amendment and encryption issues are already worked out. Just like you can be compelled to open a safe, you can be compelled to decrypt a volume.

A self-destroying drive would likely get you a conviction for obstructing justice, just like shredding the contents of a safe would.


I wouldn't say this issue is fully "worked out" yet.

Disclaimer: I am not a lawyer. Most of what I know about this is from the last twenty minutes of googling.

In 2007 a federal judge ruled that passwords aren't like keys to a safe, and that the government can't force somebody to hand them over. (United States v. Boucher http://news.cnet.com/8301-13578_3-9834495-38.html )

However, that decision was partially overruled in 2009. ( http://www.bennettandbennett.com/node/5608 ) The judge ruled that the defendant didn't have to provide his password, but he did have to provide the contents on the hard drive. In other words, if the defendant happend to have an unencrypted copy of the hard drive hidden away somewhere he could have offered that in place of the password.

Using your safe analogy, it would be like saying that you don't have to provide the government with the key to the safe, but you do have to provide them with an identical copy of everything contained within the safe.

Now, like me you're probably wondering how the government could prove that the contents you provide from a secondary source really matches up with what's on the encrypted drive. The Boucher case mentioned above was unique because border control agents had already viewed the contents of the guy's laptop in unencrypted form, so they knew what to expect. (In his case, child porn.)

From what I can find, there don't appear to be any laws in the U.S. (and no case law) which specifically require people to hand over their passwords at the government's request.

Here are two more links I found which were helpful: http://volokh.com/files/BoucherDCT.1.pdf and http://en.wikipedia.org/wiki/United_States_v._Boucher


And what happens in the xkcd-inspired future where we all have neural interfaces to storage? When the lines between what's in our heads and what's written down are sufficiently blurred, what's obstruction of justice and what's a fifth-amendment right?


What about the now.

What level of data protection counts as contempt or obstruction? What if I have provided the courts with all of the data, but for some reason they suspect there's more that I'm hiding? What if I honestly can not remember the password for some of my old data? Do I go to jail because my memory is gone?


A safe is obviously a safe. It obviously contains something.

Encrypted data isn't so clear cut. It's trivial to make a datastore that has several encryption keys, so that you could give out one key, and it'd "decrypt" to some boring stuff, whilst keeping the real data, and the alternate key, secret.

It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...

So I don't think it's a good analogy. It's quite obvious when you have successfully got into a safe, but how do you know when you have successfully decrypted something, to the real stuff that is important and being hidden in it?


Is it actually trivial to encrypt arbitrary text in such a way that it could be decrypted to the source text or a different but still meaningful alternate text? That sounds really hard to do. Is this indeed a solved problem and I just don't know about it?


It is trivial. Just encrypt the true plaintext and the alternate plaintext with separate keys and place the results in a container. To decrypt, try both ciphertexts and return the one that validly decrypts with the provided key.


It's trivial cryptographically, but from a security point of view, it's not necessarily trivial at all.

If we assume the courts can order you to decrypt the drive (and without debating that point) - one has to consider that the court may be fully aware that the system has multiple hidden volumes, either by eyewitness testimony, 3rd party evidence (check out truecrypt's warnings on their site about full system encryption and what to watch out for. Things like finding the same windows installation doing every update twice. There are all kinds of information leaks that COULD pop up.

I'm not saying it's impossible - just as strong cryptography, which is easy and is all over, doesn't mean all our data is secure, neither would a more complex system like this protect someone from the legal system.


Or better yes, 50'000 containers of varying sizes, 49'998 of which are filled with random data.


The short answer on this is no. Check out unicity distance.

http://en.wikipedia.org/wiki/Unicity_distance


That's assuming the same algorithm is used throughout.

You can use one algorithm to encrypt/decrypt the original content. But you can use a different algorithm (with a different key) that would output a different output.

The secondary algorithm would be one that given a some text (ciphertext from the original encryption) along with the desired output, would return a suitable key. The most basic example to prove the point would be XOR.


That probably won't work: you need the combination of the algorithm + the key to get your data out. Of the 4 possible combinations, only 2 will yield valid data.

If you give a password, the cops will know what algorithm they must use (2 trials at most). Even if they don't know before hand which algorithm points to the real data, they can notice that it doesn't use all data.

With your method, you can at best cast doubt: is the data not extracted real data encrypted differently (algorithm or key), or random data that the software insert by default to give everyone plausible deniability?


that's now what is being suggested (i think). typically how it's done is to have separate pieces of information, related to different keys. you can then make a system that (1) produces the data associated with a valid key and (2) does not reveal how many valid keys there are.


A safe is obviously a safe. It obviously contains something.

http://en.wikipedia.org/wiki/The_Mystery_of_Al_Capone%27s_Va...


It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...

Well the revealed images could not be significantly larger in size than then the "key material" you supplied plus the most concise description of the algorithm. http://en.wikipedia.org/wiki/Kolmogorov_complexity


> It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...

How trivial? Remember that the whole hard drive must be consistent, including a file system. Fifty gigabytes of garbage followed by a 2-megabyte photograph followed by fifty more gigabytes of noise is not plausible.


Here's an interesting discussion on the matter from a few months ago: http://news.ycombinator.com/item?id=1762157

It seems that the primary contention here is whether a password constitutes physical evidence, which must be supplied upon the production of the correct edicts, or whether it constitutes "testimony", which I interpret to mean non-recorded ideation or mental processes. Supposedly the same argument could apply to a safe combination, hence a defendant cannot be compelled to reveal a combo but can be compelled to open the safe. But how do we prove that the defendant has access to the safe? And how do we prove that the defendant has access to the encrypted files?

IANAL but this question particularly is of course interesting to me. At first glance it seems that the 5th Amendment guarantee against self-incrimination would preclude decrypting drives and I've read several proclamations to that effect, but when we consider the rules surrounding surrender of physical evidence, including evidence contained in a safe, it does become less clear where information cryptography fits.

If a defendant handwrites letters in a custom cipher, can he be compelled to reveal the cipher or decode the letter? Perhaps that's a better analog than the safe in our situation.


"Supposedly the same argument could apply to a safe combination, hence a defendant cannot be compelled to reveal a combo but can be compelled to open the safe."

Can the defendant even be compelled to open a safe? Suppose you have a case in which the defendant has either specifically disclaimed ownership of the safe in question or disclaims any knowledge of the combination or has flatly refused to either confirm or deny ownership of the safe or knowledge of its combination on fifth amendment grounds. I'm no lawyer, but I suspect the standard procedure in such cases is that the judge issues a warrant that permits police to access the contents of the safe and no burden is placed on the defendant to do anything at all. Rather, because they have a warrant for the contents of the safe, the police are entitled to open it and they do just that, using a locksmith or mechanical means to force it open. The analogous situation with respect to encrypted data would be that the police are welcome to crack the encryption themselves by whatever means they deem appropriate, but the defendant isn't required to do their work for them.


I believe the police have the right to open the safe, but you aren't required to open it for them. If the police came into your house and said "show us every hidden object" so we can decide if it is illegal. You wouldn't be required to comply.


The servers taken from Instapaper were shown to have not even been booted, let alone shown to give access to any files. Standard procedure is to copy any drive you can get your hands on before seeing what's on it, to stop preventative measures like this.


This would require a costly hardware-based solution. If such a solution were to become popular, the law enforcement would certainly find ways to prevent it, e.g. x-ray the disks before switching power to find the crypto chip + thermite bomb.


The much more obvious way to implement this would be to have a tamper-proof hardware dongle that (a) accepts, as input, a passphrase; (b) uses that passphrase to derive a key; (c) used that derived key to decrypt some data stored, e.g., in flash on the processor chip; (d) confirms the data decrypted correctly, if correct return the key, else overwrite the flash with new random data, and return that new data.

That data, would of course be the actual key used to encrypt the drive.


And what would they do with it, and who says it would be a thermite bomb? It could be an integral part of the hardware.


I've always thought about this concept and how it would be applied in practice.


This may have been posted below as I did not read every comment but isn't impossible to prove that the file is a TrueCrypt volume to begin with? Couldn't you just claim it was a corrupt computer file that contained random data? How can they ask you for something that they have no proof even exists? There is no proof the file is a TrueCrypt volume so there is no way to prove there is even a password to find.


Evidence of it being mounted could exist, for instance in his shell history.


Contempt of Court is a serious business. You can be jailed indefinitely for it. For example: this guy was jailed for 14 years because he couldn't (or wouldn't) turn over information about missing assets during his divorce: http://www.judicialaccountability.org/articles/7year.htm


According to wikipedia, in order to prove contempt, the prosecutor must have:

  * Existence of a lawful order
  * The contemnor's knowledge of the order
  * The contemnor's ability to comply
  * The contemnor's failure to comply
It seems to me that the prosecutor cannot prove the contemnor's ability to comply, in the case of a forgotten password.


"I changed the password every 3 days and never memorized it. Current password was on a post-it on my monitor. Did you guys lose the post-it?"

Simple as that, right? They can't compel you to remember information you never had in memory. It's probably too late, as he's likely admitted to remembering the password. Dumb move.


They will probably request a lie detector test to be taken; ultimately, he will probably fail it. Great idea though.


Polygraphs are pseudoscience. The judge /might/ rule a polygraph as admissible evidence -- most will not, because of its inaccuracies -- but a "lie detector" is a gimmick.


Lie detectors cannot be used as evidence in a court.


This is one of those stories where I wish we had a bat-signal to summon grellas.


Just out of curiosity--

Does anyone know why it is important that a password can be more than 64 characters? Is he just saying "which makes it very hard to remember", or is there some legal significance to very long passwords?


Because my encryption keys are 2048^2 characters long (They're images). Its not just ``Very Hard to Remember'' but ``Damned hard to unfuck.''

(good point though, +reply, -op though.)


What is it with the long history treating inmates poorly in the south?

See: Cool Hand Luke http://www.imdb.com/title/tt0061512/


"If you want a picture of the future, imagine a boot stamping on a human face — forever."


Another reason on why you need to hide your TrueCrypt volumes, too.


Text of the article since the page is loading slowly...

  To anyone reading this thread-if you want a quicker response to your
  comments or questions, send them to me at:

  Matthew Bumgardner
  Santa Rosa County Jail
  P.O. Box 7129
  Milton, FL 32572

  Right now it takes about 3 weeks for a post on this forum to get to me,
  receive an answer, then have the answer sent back to my sister so she can
  post it here.

  This is Matthew Bumgardner, the one in jail. I have given this note to my
  sister so that it can be posted. Obviously I have no access to email, so this
  is the best I can do. Eventually I will get a copy of the posts in this thread
  and I will respond when I can. My sister should have already posted the letter
  I wrote. Every word is true. There are a few things I would like to add. First,
  this jail could generate some serious money for a decent civil rights attorney.
  They are already being sued for their mail policy. Inmates can only write on
  postcards. They can only send letters to attorneys, members of the media and public
  officials. If you were in here and wanted to write a family member, all you could
  send was a post card.

  The jail also denies access to legal materials. Their policy states that
  "inmates will be afforded reasonable access to the courts. This is accomplished
  by way of your attorney or public defender." This is a joke, since some inmates
  wait 6 months or moe to see their public defender. The policy goes on to state
  that pro se inmates must obtain a court order granting them pro se status in
  order to get access to the Law Library.

  I am a pro se inmate. I have obtained a Court Order granting me pro status.
  I have provided that document to the jail staff, and I am still being denied access.
  I have filed a new motion requesting an Order to allow me access to the Law Library
  and I have also written the judge. I am waiting to see what happens there. I also
  ahe a problem getting copies made. When I give my documents to the person making copies,
  I inform them that I need them returned immediately. The past two times it has taken
  several days fro the copies to be made. This is intentional. Since I am a Federal
  inmate the Government pays the jail or me to be here. They make decent money off of
  so, so there is no incentive for them to assist in my release.

  Although it may seem unnecessary to complain about the jail, it is actually important.
  The US attorney and judge that put me here knew exactly what they were doing. They
  figured that the constraints imposed by the jail would allow them to maintain their
  secrecy. They are wrong. It certainly slows things down, but I will not remain
  silent about this.

  This issue is more important that you might realize. Right now, this US
  Attorney and US District Judge think that holding people in contempt is the way to
  deal with encryption. If you read this and still do nothing, then you are telling
  them that they are right. You are telling tem that the 5th Amendment is no longer
  needed, and that they can issue supoenas that compel acts which are oppressive,
  unreasonable and not possible.

  I am not asking for my own personal army to help fight this. If you think that
  you are my army, you misunderstand this situation. I am your army in this battle.
  If you use encryption, or any password protected file, then this issue affects you.
  You could be thrown in jail and denied civil rights at the whim of the government.
  I am fighting this battle on my own, and I am willing to continue to do so. The
  outcome is going to possibly affect many more people. To me, it seems like more
  people should be getting involved.

  At the very least write the attorney and judge and tell them that what they did
  was wrong. Tell them that True Crypt can use more than just a password. Tell them
  that a password can be 64 characters long. Tell them they have no right to hold
  someone in contempt for failing to produce documents they have never seen. Tell
  them that the precedent in US vs. Hubbell and In Boucher II proves that they
  are wrong.

  The addresses are:

  David L. Goldberg
  Assistant U.S. Attorney
  21 E. Garden Street, Suite 400
  Pensacola, FL 32502

  Lacey A. Collier
  Sr. U.S. District Judge
  United States Courthouse
  One NOrth Palafax Street
  Pensacola, FL 32502

  If you don't have time to write a letter, at the very least please forward this
  to everyone you now. E-mail it to any media outlet you can think of. If enough
  people e-mail tis, a major media outlet might pick up the story.

  The Government can only do this in secrecy. If more people know about this it
  never would have happened.

  Thanks i advance for any assistance you can provide.


mirror?


It's on the wall next to the shower.


This may be a hoax. There are only two occurrences of his name on PACER, and both are discharged bankruptcy cases. Also, the federal inmate locator (http://www.bop.gov/iloc2/LocateInmate.jsp) shows no one by that name.


Why would a guy facing federal charges be locked up in county jail?


He said the federal government was paying the jail to keep him. To me that implies that it's not a federal jail. If I remember correctly, I have visited individuals held on federal charges in a county institution.


Because there are no federal jails, or at least very few. So local/state agencies hold them until and throughout trial.


He wouldn't, unless they're pulling a "Guantanamo" on his ass.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: