AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Data Encryption Software, US Fifth Amendment, Foregone Conclusion, And Act Of Production

I had previously delved into seeing what the US Fifth Amendment -- the right to remain silent / privilege against self-incrimination -- says as it pertains to data encryption.  I delve into it once more because I learned something new regarding it. (Revealing the conclusion first: experts still aren't in agreement on how the Fifth is supposed to apply to encrypted data.)

Act of Production Doctrine: Right to Remain Silent

In the US, one has a privilege against self-incrimination.  The right to remain silent emanates from this privilege (if you remain silent, you can't incriminate yourself).  But, it's not only a right to keep your mouth shut.  It extends to other areas as well.

For example, you also have the right not to open a suspect safe: the authorities that arrest person A think that incriminating evidence may lie in a safe found at the house. However, person A shares the house with two other roommates who are not suspects. The authorities don't know for certain to whom the safe belongs, or what the safe's contents happen to be. Only the owner can produce the key. They can't force person A to produce the safe's key: by producing it, person A is essentially saying that the safe belongs to him, and that any evidence in it can be tied to him. He is incriminating himself by providing that key.

This is known as the act of production doctrine.  The right not to bear witness against oneself comes in many shapes and forms, be it words, safes, diaries, or encryption keys.  I knew of this previously from watching too many legal dramas on TV; I just had no idea what it was called.

Foregone Conclusion Doctrine: You Must Reveal Encryption Keys or Passwords

The act of production doctrine is not insurmountable, though.

In a post earlier this year, I noted that there are instances where you will have to reveal your encryption key or password to US authorities when asked to.  Despite the Fifth Amendment's right not to self-incriminate, the foregone conclusion doctrine defeats it:

It turns out that the government compelling you to produce incriminating evidence can be legal (not is but can be).

It's a question of what the government knows, and to what degree.  Under the "foregone conclusion doctrine," if the government already knows (not thinks it knows, or assumes, or believes it to be highly likely) about a particular piece of evidence and knows that you have it (and can prove that you have it), they can force you to present it.

For example, an oft-quoted case is that of Sebastian Boucher, who in 2009 was arrested at the US-Canadian border for owning a laptop with child pornography in it. Boucher had to cough up the password to his encrypted computer drive because an ICE agent had seen the said material in the laptop prior to encryption kicking in.

In other words, when the government doesn't suspect anything as much as it actually knows, you're not really incriminating yourself.  (I guess you're merely aiding them in the quest for speedy justice).

Technology's Fast Pace is Reason Behind Ambiguity

Why is this popping up on this blog again? Well, the question of whether the Fifth kicks in for encryption-related and other data security issues is not yet settled. Despite what appear to be clear-cut doctrines on the Fifth Amendment, the courts have apparently handed down conflicting judgments related to searching smart phones; as a non-lawyer, it seems to me that perhaps things haven't really settled on what is and is not allowed in the digital data security realm. From law.com (my emphasis):

Boucher, thus, suggests that the foregone conclusion doctrine will permit the government, in many circumstances, to compel a person to provide the password or encryption key to files stored on cell phones, laptops, and personal computers. However, the increasing use of cloud computing services to store documents and images is a further complication. Users of cloud services are less likely to actually save images and documents on hand-held or personal devices but, instead, will use hand-held devices to access and share images and documents saved on remote computers.

In those situations, the possession of an encryption key or password may become important in order for the government to show ownership or access to records, websites, or communications. As a result, suspects and defendants may be successful in arguing that the foregone conclusion doctrine does not make the privilege against self-incrimination inapplicable.

The above observations give rise to interesting questions based on the current nature of cloud computing, which is not a pure cloud environment for most people. For example, what happens if the password you provide to the authorities is reused both for the laptop and the cloud?

Take something like the Boucher case but with a twist: the password for accessing the laptop is also used for accessing a network with illicit materials, whose link is bookmarked to the computer's desktop. Since the same password can be used to access incriminating material that the authorities know is there as well as that which they didn't know is there, is pleading the Fifth allowed? Assume the authorities cannot help seeing the link or knowing what it points to.


Related Articles and Sites:
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202522259455

 
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.