'Sorry, I've Forgotten my Decryption Password' is Contempt of Court

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
38,641
The Register is reporting that the U.S. Third Circuit Court of Appeals today upheld a lower court ruling in which a man suspected of concealing child pornography was held in contempt after failing to successfully provide his decryption passwords for his external hard drives. This legal decision is somewhat controversial as many, including the EFF, believe that the forced disclosure of the contents of ones mind runs afoul of the 5th amendment.

It will be interesting to see if this case makes its way to the Supreme Court, and how it might rule.

Others take issue with the idea that technology might be allowed to trump legal process. In a 2015 California Law Review article arguing that forced decryption is necessary to balance individual rights and government power, Dan Terzian, presently an associate at Duane Morris LLP, argues that the EFF's view is too expansive.

"Scores of companies now encrypt their data," Terzian wrote. "In the EFF’s alternate universe, these companies are effectively immune from discovery and subpoenas."
 
It's not an accident they waited for a child porn case to do this. Kind of tired of being manipulated.

We all knew it would be a 'what about the children!?' case that would go down this road, always is. Rape or murder cases, not so much, as those are considered lesser crimes by the public.

Never did make sense to me. I can go look at pictures of corpses, videos of murders or executions. But if I look at pics of naked kids, that is jailtime and listed for life. Not arguing that crimes against children isn't horrible, but it is the only offense that you are not allowed to see photos of, unless your job is to look at those photos lol.
 
Technology has leapfrogged past the legal ability to handle it, and that likely isn't going to be remedied any time soon.

This will easily end up at the Supreme Court, but who knows if they'll take the case.
 
We all knew it would be a 'what about the children!?' case that would go down this road, always is. Rape or murder cases, not so much, as those are considered lesser crimes by the public.

Never did make sense to me. I can go look at pictures of corpses, videos of murders or executions. But if I look at pics of naked kids, that is jailtime and listed for life. Not arguing that crimes against children isn't horrible, but it is the only offense that you are not allowed to see photos of, unless your job is to look at those photos lol.
If something doesn't make sense, think more.
 
It is interesting given currently passwords for the most part are not contempt of court, as a court can order you to provide a key to a safe but can't order you to provide the combo to a safe.
 
If they guy had said photos locked up in a safe, and only he knew the combination and conveniently "forgot" that combination, the court could/would do the same thing (contempt).

As long as there's a proper search warrant and the content(s) being search for can reasonably be presumed to be in a safe (and the contents of the safe are covered by the warrant), it's fair game for a search. You're not obligated to divulge the combination to open it (5th amendment) but it can be opened by any means necessary without you revealing that combination.

A password protected (or encrypted) device can be considered much the same as a safe. I don't really see an issue here. As long as proper evidence gathering procedures are followed (you have a warrant and that warrant covers getting into the device to obtain evidence) there really shouldn't be any difference between this and a case from say... 60 years ago.

Same shit, different day & age.
 
It is all about what agenda the government is interested in pressing. IMO, it ISN'T child porn but wanting to set a nation wide legal precedent about encryption passwords. Keep in mind, this same government declined to pursue a child porn case when they would have been required to reveal surveillance techniques used on common citizens. They are hoping that in this case, child porn will make the courts more likely to rule in the government's favor.
 
It's not an accident they waited for a child porn case to do this. Kind of tired of being manipulated.


So you have seen other cases where the question of whether or not to compel a defendant to present a password was in question and the prosecution had compelling evidence that the evidence they are seeking is in the password protected device?

That is part of the process, they must have evidence that more evidence is in the device they are seeking access too.

In this case, they already had the computer unlocked which had logs saying the files were transferred to an external device and that the filenames where known filenames of child porn images.

Evidence from one device is pointing to more evidence on another.
Forensic examination of the computer indicated that the device had been used to visit known child exploitation sites and to download thousands of files with the same hash values as known child pornography files.

Furthermore they have sworn testimony that the defendant had these files on his computer system.
........... the defendant's sister had told police investigators "that Doe had shown her hundreds of images of child pornography on the encrypted external hard drives."

Now I am not saying that forcing someone to give up a password is the new good thing to do. But in a case like this, I think the Judge is correct and I do not see that the average case that came up in the past was anything at all like this one.

I don't think your comment is justified in this case. But that's me, if you read what I wrote and still think your comment is good so be it. You don't have to agree with me, it's just a discussion.
 
Technology has leapfrogged past the legal ability to handle it, and that likely isn't going to be remedied any time soon.

This will easily end up at the Supreme Court, but who knows if they'll take the case.

I don't think they will hear it at all, in fact, I don't think it'll even get close. Not with the sworn testimony of the man's on sister.
 
Hopefully they can find a way to release the guy, see if he does access the drive(or destroys it) then throw the book at him.

Darunion its not nekkid pictures of kids.... That someone took as a family photo. Google the 4 year old they saved by identifiying a chip bag that was exclusive to a specific country. It's things like people letting strangers crawl into their kids bed in exchange for money / other peoples kids etc.
Really really horrible things to the point I think skinning them and keeping them alive is acceptable.

Just tell the guy if its NOT what you are being prosecuted for they cant charge him
 
A password protected (or encrypted) device can be considered much the same as a safe. I don't really see an issue here. As long as proper evidence gathering procedures are followed (you have a warrant and that warrant covers getting into the device to obtain evidence) there really shouldn't be any difference between this and a case from say... 60 years ago.

Same shit, different day & age.

In legal theory, I get what you're saying, but I can't agree with it. Typically, this won't really be an issue because a defendant would probably be able to unlock said device/drive. But say said defendant is locked up, other prisoners decide to take out some vigilante justice, or maybe he just has an accident while in prison, and literally has damage to the brain such that he really cannot remember. I'd say whatever was encrypted is likely to stay that way no matter what a court wants. I also expect the odds of that happening to be extremely small, if ever, but could be exploited. Wouldn't take much to pay a guy off to whack the back of your head against some concrete in a fake fight, and boom, instant amnesia.
 
It's not an accident they waited for a child porn case to do this. Kind of tired of being manipulated.

But how do you balance the rule of law vs 5th amendment? As the article notes, does the act of encrypting something now mean it is entirely immune from discovery from the law? Seems like a pretty simple way to unbalance things.

I'm not sure of the right answer, TBH.
 
I thought you could not be compelled to incriminate yourself. Giving up the password would do that.

Tell them to go do some more police work and evidence gathering.
 
The court should just stop wasting their time and invest in a small cluster of GPU-accelerated password cracking servers. It's so easy to brute-force passwords that are less than 12 characters long now it's not funny.
 
Hopefully they can find a way to release the guy, see if he does access the drive(or destroys it) then throw the book at him

Even if he's released he'll never get any of that stuff back, once the cops take it, it's gone forever.
 
The court should just stop wasting their time and invest in a small cluster of GPU-accelerated password cracking servers. It's so easy to brute-force passwords that are less than 12 characters long now it's not funny.

Justice, powered by Nvidia?
 
The court should just stop wasting their time and invest in a small cluster of GPU-accelerated password cracking servers. It's so easy to brute-force passwords that are less than 12 characters long now it's not funny.

Yeah, as long as the device in question doesn't implement some sort of fail2ban type of implementation, introducing successive delays of increasing lengths after each failed attempt.

I don't understand why everything doesn't use this. It is so easy to implement.
 
Yeah, as long as the device in question doesn't implement some sort of fail2ban type of implementation, introducing successive delays of increasing lengths after each failed attempt.

I don't understand why everything doesn't use this. It is so easy to implement.

Flat encrypted storage isn't an active program, this isn't an iphone . I can copy your encrypted storage at a device level and make as many copies as I need to brute force against without the drives being aware I'm even doing it.

Edit: firmware encrypted drives pose more of a problem, of course.
 
Yeah, as long as the device in question doesn't implement some sort of fail2ban type of implementation, introducing successive delays of increasing lengths after each failed attempt.

I don't understand why everything doesn't use this. It is so easy to implement.
I'd be more worried about the type of cracking that'd need to be done.

Unlike a database dump where you've got a bunch of encrypted passwords and you're just computing and comparing, and it's easy for a high speed parallel processor to make it faster, these are locked external device. Depending on the type, it might not be something that easily lends itself to external computation. You'd have to figure out if the password encrypts the files directly, or does that man in the middle shit that most stuff normally does. If it's the former, you need something capable of virtualizing a compatible file system while you brute force it, if it's the latter, you need to find a way to extract the encrypted password, figure out how it's encrypted, then you might be able to gpu accelerate it.

Flat encrypted storage isn't an active program, this isn't an iphone . I can copy your encrypted storage at a device level and make as many copies as I need to brute force against without the drives being aware I'm even doing it.

Edit: firmware encrypted drives pose more of a problem, of course.

One of the locked devices is an iphone 6. And the rest came out of an iMac so they might be Apple devices, using some variant of whatever they're using these days.
 
I'd be more worried about the type of cracking that'd need to be done.

Unlike a database dump where you've got a bunch of encrypted passwords and you're just computing and comparing, and it's easy for a high speed parallel processor to make it faster, these are locked external device. Depending on the type, it might not be something that easily lends itself to external computation. You'd have to figure out if the password encrypts the files directly, or does that man in the middle shit that most stuff normally does. If it's the former, you need something capable of virtualizing a compatible file system while you brute force it, if it's the latter, you need to find a way to extract the encrypted password, figure out how it's encrypted, then you might be able to gpu accelerate it.



One of the locked devices is an iphone 6. And the rest came out of an iMac so they might be Apple devices, using some variant of whatever they're using these days.

You can't brute force an iPhone as you get 10 attempts and it then dumps everything.
 
Technology has leapfrogged past the legal ability to handle it, and that likely isn't going to be remedied any time soon.

This will easily end up at the Supreme Court, but who knows if they'll take the case.


No. The fifth was established for EXACTLY this sort of thing. You cannot compel me to divulge what is in my head, nor can you make assumptions on that.
 
You can't brute force an iPhone as you get 10 attempts and it then dumps everything.
That's the firmware lock. This was a separate app installed on the phone. That he apparently ended up unlocking anyway, this article sucks. Either way, none of the stuff that's currently locked is going to be aided by "gpu cracking servers".
 
Next time the Judge forgets his or her password (for anything), now we can make a Federal case about it.
 
No. The fifth was established for EXACTLY this sort of thing. You cannot compel me to divulge what is in my head, nor can you make assumptions on that.

Nope I cant. But they'll get what they want one way or another.

Laws are going to have to change to take technology into account. It may take another 200+ years, but it will have to happen eventually, and at the rate we're already giving up our privacy for so called security, I'm betting police backdoors will be standard on every phone and PC eventually.

Not saying you have to like it, but better expect it with the path we're on already.
 
Nope I cant. But they'll get what they want one way or another.

Laws are going to have to change to take technology into account. It may take another 200+ years, but it will have to happen eventually, and at the rate we're already giving up our privacy for so called security, I'm betting police backdoors will be standard on every phone and PC eventually.

Not saying you have to like it, but better expect it with the path we're on already.

I think that is the point though, it is up to them to get the evidence, it shouldn't rely on me to provide evidence against myself. Not that I want criminals to have a safety net, i just don't want the trickle down to work its way into civil cases.
 
Forgetting passwords is a very normal common occurrence... how do they prove you do remember it? My mom forgets her Apple password religiously (I know, as I'm CC'ed on her resets... lol). She's not resetting it all the time out of "willful defiance", she, unbelievably, actually forgot the password.

But of course since this is a pedo case, people are really hesitant to call this out for being total bullshit, out of risk of appearing to be pro-pedophilia, but then it will be precedent and we'll be holding normal people in contempt for simply forgetting a password.
 
I thought you could not be compelled to incriminate yourself. Giving up the password would do that.

Tell them to go do some more police work and evidence gathering.

It actually is a bit more complicated than that....

The current legal thinking, Constitutionally speaking, is that they cannot legally compel you to divulge a password to the court, BUT if they have other evidence that shows that the encrypted device contains illegal material or material that could be subject to subpoena, then they legally CAN compel you to enter said password and decrypt the contents for the court. Essentially, this is the same as the argument that they can't compel you to divulge the password to a safe, but, following an appropriately served warrant, they can compel you to open it (or allow someone else to). With a safe, they can always just hire a locksmith and/or someone with appropriate tools. However, with encrypted materials, you are looking at what is effectively an uncrackable safe, hence the legal dilemma.

So, by using the "I forgot" defense, he is trying to essentially sidestep the issue without decrypting the contents -- which gets into some very nebulous territory legally speaking for both the defendant and the judge making this ruling. The problem is that, quite often, passwords used for encryption are, by design, ungodly long nasty things -- which, there is no way on Earth almost anyone could actually remember without having them written down. So, the "I forgot" defense might actually be valid -- but that raises the question of did he have the password written down somewhere to begin with, and, if so, did he destroy that information? Which, although personally I hope this pedophile rots in jail for the rest of his natural life, his lawyer probably would have been better off attempting to use a defense stating that the records containing the (horrendously long, random, unrememberable) password had been destroyed. In this case, they could potentially charge him with destruction evidence, but that would have a fixed jail sentence attached to it, rather than the open ended potential inherent with "contempt of court". And, even that might be potentially avoided if they maintained that said material was destroyed prior to when he learned he was under investigation -- in which case it would be up to the prosecutor and the forensic analysts to determine the last date upon which the device was accessed in order to prove the last date upon which he definitively had access to the password.
 
Last edited:
So you have seen other cases where the question of whether or not to compel a defendant to present a password was in question and the prosecution had compelling evidence that the evidence they are seeking is in the password protected device?
That is part of the process, they must have evidence that more evidence is in the device they are seeking access too.
In this case, they already had the computer unlocked which had logs saying the files were transferred to an external device and that the filenames where known filenames of child porn images.
Evidence from one device is pointing to more evidence on another.

Furthermore they have sworn testimony that the defendant had these files on his computer system.

Now I am not saying that forcing someone to give up a password is the new good thing to do. But in a case like this, I think the Judge is correct and I do not see that the average case that came up in the past was anything at all like this one.
I don't think your comment is justified in this case. But that's me, if you read what I wrote and still think your comment is good so be it. You don't have to agree with me, it's just a discussion.

You may have a point on the mac pointing to external devices, but the sister's testimony is meaningless to me. She could have a grudge against the brother. As a general rule, I don't think I'd want to set a precedent based on hearsay. And even the computer pointing to external devices isn't necessarily meaningful.

Let's say you have 2 external drives. Let's also say that you have not downloaded child porn, but you do encrypt your drives. Now someone (let's say your evil sister) has gotten on your computer (let's assume she figured out your password) and downloaded kiddie porn to your external drives and changed the passwords on those.
Now you didn't download the porn and you don't have the password for the drives.

Is that a stretch? Perhaps, but it is possible. The courts may not side with him (courts have been whittling away at the 4th and 5th for decades), but IMO they should (despite the fact that he's probably despicable human being that should rot in jail).
 
This is why I think encrypted drives should have two passwords. One that unlocks the encryption (as normal) and the other that unlocks part of the drive but does so in a manner that masks the deletion of the data you deem sensitive (since they're going to clone the drive, destroying all of the data with a special password would raise flags and be useless as it'll only destroy the forensic clone, hence why you need to make it so it appears unlocked).

Sure, it'd be used for child porn. But you could use it for all sorts of things.
 
Back
Top