Security Basics mailing list archives

FW: Judge orders defendant to decrypt PGP-protected laptop - CNET News


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Tue, 10 Mar 2009 15:18:57 +1000

I think that the fear that encryption schemes have generated in various
governments is quite telling. Punishing people for forgetting or for
contempt of court may well become the norm in cases where encryption has
been a hurdle to an investigation. Or worse still, subject to the arbitrary
whims of a government that feels it must pry into the everyday existence of
their employers (i.e. us) in order to generate the hologram of safety which all
these extra laws produce.
The whole proposal of having the permission, by law, to monitor every single
email/phone call in the UK represents something that should be scaring
everybody. Law-abiding citizen and criminal mastermind alike, unfortunately,
are placed in the same basket. 

http://www.mirror.co.uk/most-popular/2008/10/16/government-wants-power-to-monitor-all-emails-and-website-visits-115875-20808458/

So what would be a low cost solution to this invasion of the privacy
illusion we currently believe is protecting everyone?
Encryption. Which, unfortunately, the government doesn't want you to use to
keep them from snooping on you.
I'm not sure there is a solution to the paranoid need for governments to try
and know everything about everyone. I suppose that their fear is more
important than ours, in their minds at least. I wouldn't want all of this
information to be held by a government whose departments have shown that
time and time again, humans on the inside of a system are the biggest
vulnerability when it comes to data breaches. Even the man mentioned in the
first post. If he hadn't allowed them access in the first place, this could
be a different story. 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Shailesh Rangari
Sent: Sunday, March 08, 2009 8:45 AM
To: Stephen Mullins
Cc: vulcanius; security-basics () securityfocus com
Subject: Re: Judge orders defendant to decrypt PGP-protected laptop - CNET
News

Steve,

I agree that there is a real possibility that a said user may forget
the password owing to numerous reasons,
But I am not aware of any technique that can prove beyond a reasonable  
doubt that the user has really forgotten his password or is pretending  
it to avoid a sentence.
Seems like the case is bound to set a precedent in the interpretation  
of this law. Any which ways it would be worthwhile to observe whether  
the US courts follow a similar course of action as their UK  
counterparts.

It is also kind of interesting that the UK courts follow a course of  
action which almost deters users from using encryption for the fear of  
forgetting keys that may lead to a sentence.
That leaves people in UK the option of using Key Escrow Encryption  
scheme only.

Shailesh

On Mar 7, 2009, at 5:10 PM, Stephen Mullins wrote:

Is it not plausible that he forgot his key phrase after a year of not
typing it?  A twenty to thirty character key phrase is pretty easy to
forget if you don't use it frequently.  Frankly, I'm pretty sure that
after a year I'd have forgotten a 20 to 30 character key phrase,
especially if it was a truly strong pass and not based on natural
language or 1337.

The problem with this is that it takes us to where the U.K. is today -
refusing to hand over passwords on demand to the police results in a
minimum sentence of 2 years in prison.  This is essentially a de facto
ban on encryption technology by virtue of the risks of forgetting a
password being so great that it simply does not make sense to use it
at all.

I don't like where that leads.

Steve Mullins

On Fri, Mar 6, 2009 at 3:55 PM, vulcanius <vulcanius () gmail com> wrote:
IANAL but in my opinion there isn't an issue of self-incrimination
anymore. If it's true that he allowed the border agents to search his
laptop initially then he has, in my limited knowledge I believe,
waived certain rights.

On Thu, Mar 5, 2009 at 8:33 PM, Shailesh Rangari <shailesh.sf () gmail com> wrote:

It's strange that the act of revealing the password has essentially
been termed underprivileged by the courts in the mentioned case.
The Supreme Court on earlier occasions has termed acts of  
providing fingerprints, blood sample etc. underprivileged because  
in principle they do not reveal a person's thoughts or knowledge of
a particular fact and also because possession of one's own
fingerprint is an undeniable fact.

In case the Supreme Court concurs with the decision of the  
District Court the options Mr. Boucher would have are interesting -

1) Self Incriminate - by providing the password that is known to  
Mr. Boucher which in turn would turn testimonial of his knowledge  
and control over the said laptop and its contents
2) Perjury - by lying on oath that he does not know the password
that can be proved otherwise by the ICE Agent for he found the  
laptop sans the encryption
3) Contempt of Court - by rejecting both the options mentioned above

Regards,
Shailesh

On Mar 3, 2009, at 1:00 PM, tvlillard () msn com wrote:

Reference below is an interesting article concerning a Judge's  
order to decrypt a hard drive.


Judge orders defendant to decrypt PGP-protected laptop - CNET News

URL: http://news.cnet.com/8301-13578_3-10172866-38.html


Federal court orders defendant accused of having illegal data on  
his laptop to type in his PGP passphrase so prosecutors can  
access decrypted files.


Thanks
Terrence




