Security Basics mailing list archives
Re: Judge orders defendant to decrypt PGP-protected laptop - CNET News
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 28 Mar 2009 14:32:16 -0400
There are really two scenarios here. In one you know the password and may not wish to divulge it. In the other, you have legitimately forgotten the password.

Assuming this is all working through the legal system, you could challenge the lower court rulings and wait for the Supreme Court to make a ruling (I'm sure this will end up at that level before it's all said and done). You might rot in jail in the interim. At that point you would consult with your lawyer on whether the encrypted data is damaging enough to land you in prison for longer than the "refusal to hand over password" mandatory sentence.

If you have legitimately forgotten the password then you would serve the mandatory minimum sentence for refusal to hand over passwords to law enforcement. I believe the mandatory minimum sentence for someone suspected of terrorism in the U.K. that refuses to hand over passwords is 5 years. The sentence for just about anything related to terrorism is probably much more severe. Your mileage may vary.

It would be stupid to make use of encryption technology in a nation with mandatory minimum sentences for refusal to hand over passwords unless the data you are encrypting is more damning than the minimum sentence. This leads to a fun situation where you can logically make the argument that anyone using encryption MUST be up to felonious deeds that carry a sentence greater than the minimum. This just doubles up on the de facto encryption ban in a nation with such laws.

On Fri, Mar 20, 2009 at 8:00 AM, Devnull <devnull () iamdevnull info> wrote:
While true, the penalty for doing this may be much less than the penalty that would be imposed if the data is sufficiently embarrassing.

Kurt

In this type of situation, where I had an encrypted (theoretically uncrackable) drive seized in a raid, what would be the best thing to do? Would I not divulge the key/passphrase, or should I do so? Which would have the least penalty?

--
- /dev/null
We are the Pentium of Borg. Division is futile. You will be approximated.