Politech mailing list archives
FC: My experience with DoJ and PGP passphrases; more on FBI mob case
From: Declan McCullagh <declan () well com>
Date: Wed, 06 Dec 2000 12:21:52 -0500
Below is my take on the Scarfo case (which I think is fascinating). The indictment is now online at: http://www.cluebot.com/article.pl?sid=00/12/06/0138246
In addition to being the first case testing the legality of black bag passphrase snatching, this could be the first case to test compelled disclosure of a passphrase. That is, if prosecutors try to secure a court order instructing Scarfo to reveal his PGP passphrase, perhaps because they didn't manage to successfully snatch it. Lawyers have speculated about this for the better part of a decade: Is this self-incrimination in violation of the Fifth Amendment or not?
I ran into this problem myself last year when the Justice Department wanted me to decrypt messages in a prosecution of Carl Johnson, a cypherpunk who had occasionally sent me an email message encrypted to my PGP key. I turned over the two or three PGP-encrypted messages to DoJ, but since prosecutors couldn't read them DoJ tried to force me to decrypt them. My lawyer (Time Warner counsel) eventually concluded that because I was not the subject of the prosecution, I could be compelled to turn over the passphrase, and the Fifth Amendment didn't apply. Because I never offered Johnson confidential source status or wrote an article about him -- he was just a Net-denizen who emailed me a few times -- the relevant journalist shield laws did not apply.
After months of wrangling, I decrypted the messages. I think I should have held out longer. The messages weren't incriminating, but if it happened today I'd want to force DoJ to litigate that point.
Here's some background in the case: http://www.politechbot.com/p-00358.html http://www.politechbot.com/p-00359.html -Declan ******* http://www.wired.com/news/politics/0,1283,40541,00.html FBI Hacks Alleged Mobster by Declan McCullagh 2:00 a.m. Dec. 6, 2000 PST WASHINGTON -- Nicodemo S. Scarfo, the son of Philadelphia's former mob boss, was almost paranoid enough. Scarfo, who has been charged with masterminding a mob-linked loan sharking operation in New Jersey, reportedly used the popular PGP encryption software to shield his computer's secrets from prying eyes. But when the feds learned of Scarfo's security measures, they decided to do something that would bypass even the best encryption software: FBI agents sneaked into Scarfo's office in Belleville, New Jersey, on May 10, 1999, and installed a keyboard-sniffing device to record his password when he typed it in. A seven-page court order authorized the FBI and cooperating local police to break into Scarfo's first-floor "Merchant Services of Essex County" office as many times as necessary to deploy, maintain, and then remove "recovery methods which will capture the necessary key-related information and encrypted files." The case, which is awaiting trial, appears to be the first in which the U.S. government used such aggressive surveillance techniques during an investigation, and some legal observers say the FBI's breaking-and-entering procedures go too far. The spring 1999 investigation of the younger Scarfo, who is 35 years old, may be what prompted the Clinton administration to recommend changing federal law to allow police to conduct electronic "black bag" jobs. The idea first publicly surfaced in mid-1999, when the Justice Department proposed legislation that would let police obtain surreptitious warrants and "postpone" notifying the person whose property they entered for 30 days. After vocal objections from civil liberties groups, the administration backed away from the controversial bill. In the final draft of the Cyberspace Electronic Security Act submitted to Congress, the secret-search portions had disappeared. In January 2000, the Clinton administration seemed to change its mind. "When criminals like drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect," Attorney General Janet Reno and Deputy Defense Secretary John Hamre wrote in a seven-page letter to Congress. That letter, however, suggested the feds didn't need a new law -- and would instead rely on "general authorities" when asking judges to authorize black bag jobs. A related "secret search" proposal resurfaced in May 2000 in a Senate bankruptcy bill. In the Scarfo case, the FBI in May 1999 asked for "authority to search for and seize encryption-key-related pass phrases" from his computer as well as "install and leave behind software, firmware, and/or hardware equipment which will monitor the inputted data entered on Nicodemo S. Scarfo's computer by recording the key related information as they (sic) are entered." [...] See also (this is actually the article I was thinking about yesterday): http://www.wired.com/news/print/0,1294,33779,00.html Clinton Favors Computer Snooping by Declan McCullagh (declan () wired com) 6:00 p.m. Jan. 19, 2000 PST WASHINGTON -- Visions of stealthy black helicopters landing on your lawn and disgorging Nomex-clad troops to steal your PGP keys aren't just for conspiracy theorists. The Clinton administration wants to be able to send federal agents armed with search warrants into homes to copy encryption keys and implant secret back doors onto computers. "When criminals like drug dealers and terrorists use encryption to conceal their communications, law enforcement must be able to respond in a manner that will not thwart an investigation or tip off a suspect," Attorney General Janet Reno and Deputy Defense Secretary John Hamre wrote in a seven-page letter to Congress.[...]
------------------------------------------------------------------------- POLITECH -- the moderated mailing list of politics and technology You may redistribute this message freely if it remains intact. To subscribe, visit http://www.politechbot.com/info/subscribe.html This message is archived at http://www.politechbot.com/ -------------------------------------------------------------------------
Current thread:
- FC: My experience with DoJ and PGP passphrases; more on FBI mob case Declan McCullagh (Dec 07)