Security Basics mailing list archives

Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News


From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 28 Mar 2009 14:32:16 -0400

There are really two scenarios here.  In one you know the password and
may not wish to divulge it.  In the other, you have legitimately
forgotten the password.

Assuming this is all working through the legal system, you could
challenge the lower court rulings and wait for the Supreme Court to
make a ruling (I'm sure this will end up at that level before it's all
said and done).  You might rot in jail in the interim.

At that point you would consult with your lawyer on whether the
encrypted data is damaging enough to land you in prison for longer
than the "refusal to hand over password" mandatory sentence.

If you have legitimately forgotten the password then you would serve
the mandatory minimum sentence for refusal to hand over passwords to
law enforcement.  I believe the mandatory minimum sentence for someone
suspected of terrorism in the U.K. that refuses to hand over passwords
is 5 years.  The sentence for just about anything related to terrorism
is probably much more severe.  Your mileage may vary.

It would be stupid to make use of encryption technology in a nation
with mandatory minimum sentences for refusal to hand over passwords
unless the data you are encrypting is more damning than the minimum
sentence.  This leads to a fun situation where you can logically make
the argument that anyone using encryption MUST be up to felonious
deeds that carry a sentence greater than the minimum.  This just
doubles up on the de facto encryption ban in a nation with such laws.

On Fri, Mar 20, 2009 at 8:00 AM, Devnull <devnull () iamdevnull info> wrote:
While true, the penalty for doing this may be much less than the
penalty that would be imposed if the data is sufficiently
embarrassing.

Kurt

In this type of situation, where I had an encrypted (theoretically
uncrackable) drive seized in a raid, what would be the best thing to
do? Would I not divulge the key/passphrase, or should I do so? Which
would have the least penalty?
--
-
/dev/null
We are the Pentium of Borg. Division is futile. You will be approximated.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


