Sourav Mandal ([info]smandal) wrote,
@ 2008-02-20 09:29:00
Entry tags:geekery, politics

The government, encryption and you
I was so busy with liquidating everything in Berkeley I didn't even notice that on November 29, 2007 a federal judge ruled that the 5th amendment protection extends to passphrases. (Coverage and a PDF of the ruling at Volokh.)

The case brings up some interesting issues, both technical and legal:


  • This idiot should have used an encryption scheme with plausible deniability, like TrueCrypt. TrueCrypt allows you to create a hidden volume that looks just like the free space, which TrueCrypt fills with random numbers. If you write to the outer volume without also entering the hidden volume passphrase, *poof* the hidden volume data is gone.

    The UK can compel passwords under RIPA, and the US can label you an "enemy combatant" and waterboard the outer volume passphrase out of you. With hidden volumes, they'd never know.

    (In case the data is more valuable than the person, one could keep the encryption key on a USB stick or CD-ROM that could be destroyed when threatened with force. But I don't see why one wouldn't use hidden volumes here, either.)

  • The discussion comments made by lawyers seem to revolve around several "models":

    • The encrypted volume is like a strong box, and the suspect can be compelled to produce the key
    • The encrypted volume is like a safe, and the suspect cannot be compelled to testify to the combination
    • The point of the 5th amendment is to prevent false confessions compelled by torture. In this case, the suspect demonstrated his ability to unlock the volume, so he can be compelled to reproduce this action. It is not testimony because the fact is already established.
    • Finally, the one the DOJ came up with, which I must admit is creative: grant transactional immunity for the actual contents of the passphrase (e.g., "I killed Hoffa"), skirting the 5th amendment protection, then go after the suspect for anything incriminating in the data the passphrase unlocks.

  • Potentially in the future, all data and communications will be strongly encrypted and nothing will exist on paper. Should there be an "encryption exception" to the 5th amendment, a la the hearsay exception? This could be useful for, say, cyberterrorism.

    It is easy for me to argue "no" for two reasons. First, freedom of expression and privacy come first as a matter of principle. Second, one can use techniques already developed for cracking clandestine organizations: moles, pattern analysis, etc.
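The hidden-volume behaviour described in the first bullet, as an added toy model (not part of the original post, and not TrueCrypt's code or on-disk format). Assumptions: a SHA-256 counter-mode keystream stands in for the real cipher, and the sector layout, key names and sample records are constructed for illustration.

```python
import hashlib, math, os
from collections import Counter

SECTOR = 512

def keystream(key, sector, n):
    # Stand-in cipher (assumption): SHA-256 in counter mode, tweaked per sector.
    blocks = (hashlib.sha256(key + sector.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def crypt(key, sector, data):
    # XOR with the keystream; the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector, len(data))))

def format_container(sectors):
    # Formatting fills every sector with random bytes, so "free space" is noise.
    return bytearray(os.urandom(sectors * SECTOR))

def write(container, key, sector, plaintext):
    padded = plaintext.ljust(SECTOR, b"\0")[:SECTOR]
    container[sector * SECTOR:(sector + 1) * SECTOR] = crypt(key, sector, padded)

def read(container, key, sector):
    return crypt(key, sector, bytes(container[sector * SECTOR:(sector + 1) * SECTOR]))

def byte_entropy(buf):
    # Shannon entropy in bits per byte; 8.0 is the maximum.
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def demo():
    outer_key, hidden_key = os.urandom(32), os.urandom(32)
    box = format_container(256)                      # 128 KiB container
    for s in range(128, 256):                        # hidden volume in the tail half
        write(box, hidden_key, s, b"hidden record %d" % s)
    untouched = byte_entropy(format_container(128))  # genuinely unused random fill
    hidden = byte_entropy(box[128 * SECTOR:])        # region holding hidden data
    before = read(box, hidden_key, 200).startswith(b"hidden record 200")
    # Outer volume mounted alone: it treats sector 200 as free and writes a file there.
    write(box, outer_key, 200, b"decoy spreadsheet")
    after = read(box, hidden_key, 200).startswith(b"hidden record 200")
    return untouched, hidden, before, after

if __name__ == "__main__":
    print(demo())
```

Byte entropy is only the simplest statistical check: matching values show that this one measure cannot separate the two regions, not that no test can.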




[info]unixronin
2008-02-20 02:18 am UTC (link)
This idiot should have used an encryption scheme with plausible deniability, like TrueCrypt. TrueCrypt allows you to create a hidden volume that looks just like the free space, which TrueCrypt fills with random numbers.
I find the claim that the TrueCrypt volume cannot be distinguished from random data to be highly suspect. Now, VERY DIFFICULT to tell from random data, I'd buy. But impossible?

Of course, one can justifiably argue that he shouldn't have tried to take a laptop full of kiddie porn through Customs in the first place.



[info]smandal
2008-02-20 09:19 am UTC (link)
Perhaps one can identify the hidden volume by using a dictionary attack -- find something you think is on there, and hashing it against the unlocked outer volume you can see if the entropy changes. Maybe eventually even cracking it -- but this would take immense computing power.

But to commit such resources you have to understand what you're looking for, and be confident that it's highly valuable. In the case where this person was just moving child porn, he'd have highly plausible deniability.

In case you warrant such a sophisticated investigation I guess you wouldn't have an opportunity to scramble the hidden data by writing over part of it. Maybe better to have the hidden volume key on destructible medium.



[info]unixronin
2008-02-20 11:34 am UTC (link)
Perhaps one can identify the hidden volume by using a dictionary attack -- find something you think is on there, and hashing it against the unlocked outer volume you can see if the entropy changes. Maybe eventually even cracking it -- but this would take immense computing power.
Yeah. Indistinguishable to casual examination, sure. I'd buy that assertion, no problem.

Still, going through Customs, where everyone with two brain cells knows by now they're going to want to see your laptop operating to "prove" you don't have a bomb in it, with your encrypted "cabinet" of kiddie porn unlocked and browsable, was a real bonehead maneuver. Even if they don't manage anything else, I kinda hope they get him on Felony Stupid.



[info]selfishgene
2008-02-20 06:45 pm UTC (link)
Felony stupid may be valid in this case. However there are real concerns here. Plenty of people travel with business secrets on their laptops. Do you trust Customs to view your company data? What if the Customs officer was just laid off from your company and wants revenge? They also claim the right to copy any data. How is that stored? FedGov's track record on secure storage of info is extremely bad.
Foreign companies are also vulnerable. Customs could be passing data from the laptop of an Airbus exec visiting the US, to Boeing. Entering America is already becoming a hassle for foreign business travelers; this just makes it worse. A trading nation can coast for a long time on its reputation, but at some point people notice there are easier places to do business.



[info]unixronin
2008-02-20 07:05 pm UTC (link)
They also claim the right to copy any data. How is that stored? FedGov's track record on secure storage of info is extremely bad.
Indeed. One could well argue that it represents a warrantless search, which would be in violation of the Fourth Amendment. But then, the US Government trampling all over the Constitution is, sadly, no longer news.
Foreign companies are also vulnerable. Customs could be passing data from the laptop of an Airbus exec visiting the US, to Boeing. Entering America is already becoming a hassle for foreign business travelers; this just makes it worse. A trading nation can coast for a long time on its reputation, but at some point people notice there are easier places to do business.
Agreed. Just one more way in which our government's raging paranoia is bad, in the long run, for all of us.



[info]smandal
2008-02-21 04:12 am UTC (link)
This question is still in the courts:

http://en.wikipedia.org/wiki/Border_search_exception#Electronic_materials



[info]mac6uffin
2008-02-23 06:10 pm UTC (link)
Transactional immunity for the password = that is actually fucking brilliant.

Every once in a while the govt. hires a few smart people.


