FC: My experience with DoJ and PGP passphrases; more on FBI mob case

[Declan McCullagh <declan () well com>]

Below is my take on the Scarfo case (which I think is fascinating). The 
indictment is now online at: 
http://www.cluebot.com/article.pl?sid=00/12/06/0138246

In addition to being the first case testing the legality of black bag 
passphrase snatching, this could be the first case to test compelled 
disclosure of a passphrase. That is, if prosecutors try to secure a court 
order instructing Scarfo to reveal his PGP passphrase, perhaps because they 
didn't manage to successfully snatch it. Lawyers have speculated about this 
for the better part of a decade: Is this self-incrimination in violation of 
the Fifth Amendment or not?

I ran into this problem myself last year when the Justice Department wanted 
me to decrypt messages in a prosecution of Carl Johnson, a cypherpunk who 
had occasionally sent me an email message encrypted to my PGP key. I turned 
over the two or three PGP-encrypted messages to DoJ, but since prosecutors 
couldn't read them DoJ tried to force me to decrypt them. My lawyer (Time 
Warner counsel) eventually concluded that because I was not the subject of 
the prosecution, I could be compelled to turn over the passphrase, and the 
Fifth Amendment didn't apply. Because I never offered Johnson confidential 
source status or wrote an article about him -- he was just a Net-denizen 
who emailed me a few times -- the relevant journalist shield laws did not 
apply.

After months of wrangling, I decrypted the messages. I think I should have 
held out longer. The messages weren't incriminating, but if it happened 
today I'd want to force DoJ to litigate that point.

Here's some background in the case:
http://www.politechbot.com/p-00358.html
http://www.politechbot.com/p-00359.html

-Declan

*******

http://www.wired.com/news/politics/0,1283,40541,00.html

   FBI Hacks Alleged Mobster
   by Declan McCullagh
   2:00 a.m. Dec. 6, 2000 PST

   WASHINGTON -- Nicodemo S. Scarfo, the son of Philadelphia's former mob
   boss, was almost paranoid enough.

   Scarfo, who has been charged with masterminding a mob-linked loan
   sharking operation in New Jersey, reportedly used the popular PGP
   encryption software to shield his computer's secrets from prying eyes.

   But when the feds learned of Scarfo's security measures, they decided
   to do something that would bypass even the best encryption software:
   FBI agents sneaked into Scarfo's office in Belleville, New Jersey, on
   May 10, 1999, and installed a keyboard-sniffing device to record his
   password when he typed it in.

   A seven-page court order authorized the FBI and cooperating local
   police to break into Scarfo's first-floor "Merchant Services of Essex
   County" office as many times as necessary to deploy, maintain, and
   then remove "recovery methods which will capture the necessary
   key-related information and encrypted files."

   The case, which is awaiting trial, appears to be the first in which
   the U.S. government used such aggressive surveillance techniques
   during an investigation, and some legal observers say the FBI's
   breaking-and-entering procedures go too far.

   The spring 1999 investigation of the younger Scarfo, who is 35 years
   old, may be what prompted the Clinton administration to recommend
   changing federal law to allow police to conduct electronic "black bag"
   jobs.

   The idea first publicly surfaced in mid-1999, when the Justice
   Department proposed legislation that would let police obtain
   surreptitious warrants and "postpone" notifying the person whose
   property they entered for 30 days.

   After vocal objections from civil liberties groups, the administration
   backed away from the controversial bill. In the final draft of the
   Cyberspace Electronic Security Act submitted to Congress, the
   secret-search portions had disappeared.

   In January 2000, the Clinton administration seemed to change its mind.
   "When criminals like drug dealers and terrorists use encryption to
   conceal their communications, law enforcement must be able to respond
   in a manner that will not thwart an investigation or tip off a
   suspect," Attorney General Janet Reno and Deputy Defense Secretary
   John Hamre wrote in a seven-page letter to Congress.

   That letter, however, suggested the feds didn't need a new law -- and
   would instead rely on "general authorities" when asking judges to
   authorize black bag jobs. A related "secret search" proposal
   resurfaced in May 2000 in a Senate bankruptcy bill.

   In the Scarfo case, the FBI in May 1999 asked for "authority to search
   for and seize encryption-key-related pass phrases" from his computer
   as well as "install and leave behind software, firmware, and/or
   hardware equipment which will monitor the inputted data entered on
   Nicodemo S. Scarfo's computer by recording the key related information
   as they (sic) are entered."

   [...]

See also (this is actually the article I was thinking about yesterday):

http://www.wired.com/news/print/0,1294,33779,00.html

   Clinton Favors Computer Snooping
   by Declan McCullagh (declan () wired com)

   6:00 p.m. Jan. 19, 2000 PST
   WASHINGTON -- Visions of stealthy black helicopters landing on your
   lawn and disgorging Nomex-clad troops to steal your PGP keys aren't
   just for conspiracy theorists.

   The Clinton administration wants to be able to send federal agents
   armed with search warrants into homes to copy encryption keys and
   implant secret back doors onto computers.

   "When criminals like drug dealers and terrorists use encryption to
   conceal their communications, law enforcement must be able to respond
   in a manner that will not thwart an investigation or tip off a
   suspect," Attorney General Janet Reno and Deputy Defense Secretary
   John Hamre wrote in a seven-page letter to Congress.

   [...] 




-------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------