AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Can The US Government Force You To Decrypt Your Protected Contents?

A question that keeps popping up each year is whether the US government can force you to decrypt the contents of a computer or file that is protected with encryption. In the UK, thanks to RIPA, the Regulation of Investigatory Powers Act, the answer to that same question is an unequivocal "yes, the government can force you to decrypt the contents or send you to jail."

But what about the US?  Things are more complicated in the US. (I'm not a lawyer, by the way.  The following is not legal advice yadda yadda yadda....)

US v. Fricosu

The story that's making me revisit the question this year is United States of America v. Ramona Camelia Fricosu.  In this particular case, Fricosu has been accused of conducting real estate scams.  In order to collect evidence for their case against Fricosu, prosecutors are looking to force the defendant to do the following:

  • Provide the decrypted contents of an encrypted laptop that was found in her residence, or
  • Provide the password to decrypt the encrypted laptop

Fricosu is arguing that this is illegal under the Fifth Amendment, which gives one the right to remain silent.  As Fricosu's lawyer put it, per cnet.com:  "If agents execute a search warrant and find, say, a diary handwritten in code, could the target be compelled to decode, i.e., decrypt, the diary?"

The short answer turns out to be, it depends.

The Electronic Frontier Foundation has an excellent amicus brief that is well worth reading.  I should have done that instead of spending four hours reading through somewhat (quite honestly) boring legal judgments and opinions that define what is allowed under the Fifth, and then finding that the amicus brief already did an excellent job of referencing and summarizing all my hard work.

We Know vs. We Think We Know

I had never before looked into what the Fifth Amendment really protects.  I had a general idea, and I'd read the unwashed masses' opinions, comments, and whatnot, but never have I gone straight to the source (and supporting legal opinions) and read it.  What I've read today shows me that a lot of people out there, including myself, have a good, general idea of what it's about, but it's the technical exceptions that can trip us up.

For example, everyone knows the government compelling one to produce incriminating evidence is illegal.  Sounds about right, right?  But, it turns out that the government compelling you to produce incriminating evidence can be legal (not is but can be).

It's a question of what the government knows, and to what degree.  Under the "foregone conclusion doctrine," if the government already knows (not thinks it knows, or assumes, or believes it to be highly likely) about a particular piece of evidence and knows that you have it (and can prove that you have it), they can force you to present it.  Granted, the prosecutor can probably also do without the compelled evidence at that point because they have all this other evidence that essentially shows/proves whatever point they're trying to make with the compelled evidence but, whatever....

When I read this, it instantly reminded me of the Boucher case, which the EFF's amicus brief also references.  This blog had covered the Boucher case here, although the writer hadn't quite gone into the details.

Basically, a certain Mr. Boucher's laptop was inspected at the US-Canada border.  Child pornography was found and Boucher was arrested.  When the laptop was powered on at a later date, it was found that the laptop was protected with encryption software.  The US government compelled Boucher to enter the password to access the evidence.  The question was, is doing so self-incrimination?  At the time, I thought Boucher was protected under the Fifth.  After today's research, I got the feeling that because of the "foregone conclusion doctrine" perhaps the correct answer is "Boucher is screwed."

Turns out that latter feeling was accurate: Boucher had to provide access to the data, and in January 2010 he was sentenced to 3 years in prison and deported.

Fricosu an Entirely Different Story

The case of USA v. Fricosu is an entirely different story.  In this case, the government doesn't know what's inside the encrypted laptop or that it even belongs to her (she had a roommate, apparently).  They're making an educated guess that there is evidence of wrongdoing in the computer, but they have no idea what form such evidence might take (digital, obviously, but that's not the point) or what it might be.

(Because of taped conversations, the government does know there is some kind of evidence in a laptop.  Is this that laptop?  They think so but do they know so?  Because if they don't, they can't ask Fricosu: the Fifth Amendment kicks in.)

While I'm not a legal expert, it should be a slam-dunk for the defendant where the forced production of a password or plaintext files is concerned.  In fact, it's enough to make me wonder what the government is trying to prove here.

Well, besides indirectly proving that strong disk encryption software is hard to break into, even with government resources.

(Also, definitely read the EFF's amicus brief, if you have time.  It's only 12 pages long and you'll be a smarter person for having read it.)


Related Articles and Sites:
http://news.cnet.com/8301-31921_3-20078312-281/doj-we-can-force-you-to-decrypt-that-laptop/?tag=mncol

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.