In the UK, its now a criminal offence under RIPA not to divulge decryption or in clear information.
I’m curious about this case – how do the LEO’s know there is naughty content on the device, if its encrypted?
Encrypted laptop poses legal dilemma
By JOHN CURRAN, Associated Press Writer 2 hours, 51 minutes ago
BURLINGTON, Vt. – When Sebastien Boucher stopped at the U.S.-Canadian border, agents who inspected his laptop said they found files containing child pornography. But when they tried to examine the images after his arrest, authorities were stymied by a password-protected encryption program. Now Boucher is caught in a cyber-age quandary: The government wants him to give up the password, but doing so could violate his Fifth Amendment right against self-incrimination by revealing the contents of the files.
Experts say the case could have broad computer privacy implications for people who cross borders with computers, PDAs and other devices that are subject to inspection. “It’s a very, very interesting and novel question, and the courts have never really dealt with it,” said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group focused on civil liberties in the digital world.
For now, the law’s on Boucher’s side: A federal magistrate here has ruled that forcing Boucher to surrender the password would be unconstitutional. The case began Dec. 17, 2006, when Boucher and his father were stopped at a Derby Line, Vt., checkpoint as they entered the U.S.
Boucher, a 30-year-old drywall installer in Derry, N.H., waived his Miranda rights and cooperated with agents, telling them he downloads pornography from news groups and sometimes unknowingly acquires images that contain child pornography. Boucher said he deletes those images when he realizes it, according to an affidavit filed by Immigration and Customs Enforcement.
At the border, he helped an agent access the computer for an initial inspection, which revealed files with names such as “Two year old being raped during diaper change” and “pre teen bondage,” according to the affidavit. Boucher, a Canadian with U.S. residency, was accused of transporting child pornography in interstate or foreign commerce, which carries up to 20 years in prison. He is free on his own recognizance.
The laptop was seized, but when an investigator later tried to access a particular drive, he was thwarted by encryption software from a company called Pretty Good Privacy, or PGP. A grand jury subpoena to force Boucher to reveal the password was quashed by federal Magistrate Jerome Niedermeier on Nov. 29. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop,” Niedermeier wrote. “The password is not a physical thing. If Boucher knows the password, it only exists in his mind.” Niedermeier said a Secret Service computer expert testified that the only way to access Boucher’s computer without knowing the password would be to use an automated system that guesses passwords, but that process could take years.
The government has appealed the ruling. Neither defense attorney James Budreau nor Vermont U.S. Attorney Thomas Anderson would discuss the charge. “This has been the case we’ve all been expecting,” said Michael Froomkin, a professor at the University of Miami School of Law. “As encryption grows, it was inevitable there’d be a case where the government wants someone’s keys.” Authorities have encountered such dilemmas before, but have used other methods to learn passwords, including installing surveillance devices that capture keyboard commands. Sometimes investigators have given up before a case reached the courts. In a 2002 case, the FBI used a keyboard program to obtain gambling records from the computer of Nicodemo Scarfo, Jr., the son of a jailed New Jersey mob boss. In another case, an officer found child pornography on the laptop of a man who flew into Los Angeles International Airport from the Philippines. But a federal judge later suppressed the evidence, ruling that electronic storage devices are extensions of the human memory and should not be opened to inspection without cause. That case didn’t hinge on a password, though.
Orin Kerr, a law professor and computer crime expert at George Washington University, said the distinction that favors the government in Boucher’s case is that he initially cooperated and let the agent look at some of the laptop’s contents. “The government can’t make you give up your encryption password in most cases. But if you tell them you have a password and that it unlocks that computer, then at that point you no longer have the privilege,” he said. Tien, the attorney with the Electronic Frontier Foundation, said a person’s right to keep a password secret is a linchpin of the digital age. Encryption is “really the only way you can secure information against prying eyes,” he said. “If it’s too easy to compel people to produce their crypto keys, it’s not much of a protection.”
I once had a lawyer call me up asking me to act as expert for the defence in a case similar to this. 37 IIOC images were the basis for arrest, 34 of which had been recovered from deleted file space. In my early discussions with the lawyer, I surmised that the defendant could have inadvertently downloaded these in the pursuit of his personal browsing of adult content, been shocked and horrified, and sought to put them beyond reach by deleting them. I then asked for more details on the other three.
“Ah”, said the lawyer, uncomfortably. “He was printing those out when the police raided his home”.
Needless to say, the “shocked and horrified” mitigation went straight out of the window! My view on these matters is that people put their jobs, family, and liberty on the line when they view this kind of material on line, and that acquiring the habit of viewing adult content leads to a search for more and more extreme content due to the desensitisation as one becomes accustomed to the images, thereby leading to greater illicit thrill-seeking. This process continues until one breaks the law and is then eventually caught. The definition of obscene material in the UK is that which tends to corrupt and deprave those that view it – as I understand it from police who are engaged in this activity, rarely does a person decided to leap straight into the most taboo material, instead they wander down this slippery slope until its Too Late.
RIPA is a difficult law, and there is the question on how does one determine between the guilty party who has no knowledge of an encrypted item, and a guilty person who is concealing evidence of another crime, using cryptographic methods. There is very little case precedent on this, and many legal pundits are making hay on the speaking circuit with their opinions. RIPA can be used as a threat to encourage a suspect to divulge keymat/clearmat, however hardened criminals may well cop to a RIPA conviction, rather than face the potential greater penalties of their original offence. One of the interesting experiences with Highfire (www.cryptorights.org/research/highfire) was discussing with Amnesty their view on crypto – very opposed to it, as the use of crypto in harsh regimes had led to documented experience of individuals facing extreme coercive measures to divulge keymat – thus crypto was seen as an increased risk, not a risk reducer!