'Sorry, I've Forgotten my Decryption Password' is Contempt of Court

I only have one question! What is the software used to encrypt this drive? I want it for myself, nothing important or special on my shitty PC stuff. If the Government can't crack it, I want it!
 
This is why I think encrypted drives should have two passwords. One that unlocks the encryption (as normal) and the other that unlocks part of the drive but does so in a manner that masks the deletion of the data you deem sensitive (since they're going to clone the drive, destroying all of the data with a special password would raise flags and be useless as it'll only destroy the forensic clone, hence why you need to make it so it appears unlocked).

Sure, it'd be used for child porn. But you could use it for all sorts of things.
TrueCrypt had that option. The only problem was that it's pretty obvious that there's something there when the volume size and the disk size don't match up at all. Between that and the secret volume being advertised as a feature, it wasn't exactly clever.
 
The court should just stop wasting their time and invest in a small cluster of GPU-accelerated password cracking servers. It's so easy to brute-force passwords that are less than 12 characters long now it's not funny.
That's not the point of this legal case.

You can't brute force an iPhone as you get 10 attempts and it then dumps everything.
Only if you enable that option!
 
It actually is a bit more complicated than that....

The current legal thinking, Constitutionally speaking, is that they cannot legally compel you to divulge a password to the court, BUT if they have other evidence that shows that the encrypted device contains illegal material or material that could be subject to subpoena, then they legally CAN compel you to enter said password and decrypt the contents for the court. Essentially, this is the same as the argument that they can't compel you to divulge the password to a safe, but, following an appropriately served warrant, they can compel you to open it (or allow someone else to). With a safe, they can always just hire a locksmith and/or someone with appropriate tools. However, with encrypted materials, you are looking at what is effectively an uncrackable safe, hence the legal dilemma.

So, by using the "I forgot" defense, he is trying to essentially sidestep the issue without decrypting the contents -- which gets into some very nebulous territory legally speaking for both the defendant and the judge making this ruling. The problem is that, quite often, passwords used for encryption are, by design, ungodly long nasty things -- which, there is no way on Earth almost anyone could actually remember without having them written down. So, the "I forgot" defense might actually be valid -- but that raises the question of did he have the password written down somewhere to begin with, and, if so, did he destroy that information? Which, although personally I hope this pedophile rots in jail for the rest of his natural life, his lawyer probably would have been better off attempting to use a defense stating that the records containing the (horrendously long, random, unrememberable) password had been destroyed. In this case, they could potentially charge him with destruction of evidence, but that would have a fixed jail sentence attached to it, rather than the open ended potential inherent with "contempt of court". And, even that might be potentially avoided if they maintained that said material was destroyed prior to when he learned he was under investigation -- in which case it would be up to the prosecutor and the forensic analysts to determine the last date upon which the device was accessed in order to prove the last date upon which he definitively had access to the password.

Pretty much this. My reading of the case is that the prosecution has other evidence that shows that this guy is guilty, and got a warrant to search the contents of the hard drive. So this explanation is spot on for this case.
 
Why couldn't a precedent-setting case on personal digital privacy be about a pirate or something? Why did it have to be child pornography? There is no judge on the planet that would want to be holding that bag of crap at the end of the day.
 
So if they are unable to crack the encryption or brute-force the password and he truly forgot his password, then that is a life sentence. There are murderers who have had shorter sentences, been released, and then murdered again. That has a traumatic effect on all friends and family of the victims. A person who only downloads and views child porn, does not create a victim. Yet there are times when they get longer sentences than murderers and sexual predators, sometimes even a life sentence. http://www.johntfloyd.com/child-pornography-sentences/
Where does the 8th amendment stand in all this?
 
So if they are unable to crack the encryption or brute-force the password and he truly forgot his password, then that is a life sentence. There are murderers who have had shorter sentences, been released, and then murdered again. That has a traumatic effect on all friends and family of the victims. A person who only downloads and views child porn, does not create a victim. Yet there are times when they get longer sentences than murderers and sexual predators, sometimes even a life sentence. http://www.johntfloyd.com/child-pornography-sentences/
Where does the 8th amendment stand in all this?

The 8th doesn't apply here; bail isn't an option, and the punishment of being held indefinitely due to contempt is not considered cruel or unusual by the courts.

I now point out the entire point of jail is to reform prisoners, not lock them up proportionally to the damage they do to society (even though that is more often than not how punishment is handed out).
 
I want CP peddlers to go to jail.
I want to retain my rights.
I have encrypted devices I have forgotten the passwords to. Nothing illegal. Mostly tax, and compliance related crap from the apt. complex I sold a few years ago. If they get a warrant, I essentially get life until I remember the password. The possibility of innocent people being damaged by this far outweighs the possibility of protecting the populace. In the case of this deviant, he is not the one that harmed anyone in the first place. There will always be pedos, always be a market for cp, and there will always be a piece of trash willing to exploit children to serve that market. Not saying to give this guy a pass. He has a problem, like as not, he will fuck up again and get caught. I do not see the need to set such a terrible precedent just to get this one perv.

Going to destroy all encrypted shit I no longer remember passwords for later. I have paper copies of the stuff I need to keep anyway.
 
Nothing pisses me off more than when the shockwaves cast forth in the pursuit of justice of a scumbag wind up screwing with my rights as a citizen....be it encryption or guns....too many people in the "big gov" just licking their chops for cases like this to be the precedent to throw to the wolves "We COULD have brought this child molester/murderer to justice.....BUT....."
 
This is why I think encrypted drives should have two passwords. One that unlocks the encryption (as normal) and the other that unlocks part of the drive but does so in a manner that masks the deletion of the data you deem sensitive (since they're going to clone the drive, destroying all of the data with a special password would raise flags and be useless as it'll only destroy the forensic clone, hence why you need to make it so it appears unlocked).

Sure, it'd be used for child porn. But you could use it for all sorts of things.
TrueCrypt had exactly that functionality.
 
Apple tries to protect itself from saying "we cannot unlock the phones ourselves!" You could see where this could put them into legal jeopardy if this precedent is set.
 
Apple tries to protect itself from saying "we cannot unlock the phones ourselves!" You could see where this could put them into legal jeopardy if this precedent is set.
Except Apple are (in theory) engineering their phones such that they really can't unlock them themselves. The FBI wants them to change their methodology to allow for easier breaking into the phones.
 
Every website has a forgot your password link. Likely everyone in that courtroom has used such a convenience. Is it really unbelievable that someone forgot a password?
 
No. The fifth was established for EXACTLY this sort of thing. You cannot compel me to divulge what is in my head, nor can you make assumptions on that.


While I agree with you, I do understand why some are pushing back against this as well.

Historically you could have a key to a locked file cabinet. The file cabinet could either be broken or you could be compelled to open it.

Today, the contents of a billion file cabinets can fit on one drive, which can be encrypted. Way more information than can be accurately fit in the mind, and the fact that all that data can be held by simply remembering a key that one cannot be compelled to provide has huge implications.

This is not to mention the issue of shielding information from discovery using the fifth amendment by way of encryption mentioned in the article which is also troubling.

My gut instinct is to come down on the side of the fifth amendment, but I do understand that encryption technology and the capacity to store large amounts of data encrypted has complicated matters in a way that our founding fathers couldn't possibly have imagined.

It's not as straightforward of an issue as it may first seem, and I am interested to hear what some of the top legal and constitutional minds in the country may have to say about it. If - that is - they can express it in a way a layman can understand.
 
The 8th doesn't apply here; bail isn't an option, and the punishment of being held indefinitely due to contempt is not considered cruel or unusual by the courts.

I now point out the entire point of jail is to reform prisoners, not lock them up proportionally to the damage they do to society (even though that is more often than not how punishment is handed out).
But my point is what if he truly has forgotten the password. Obviously the court does not believe him. So that puts him in jail indefinitely with no way out.
 
I only have one question! What is the software used to encrypt this drive? I want it for myself, nothing important or special on my shitty PC stuff. If the Government can't crack it, I want it!
Don't be too sure that the government can't crack it. Do you really think they'd want you to know what they can or cannot actually break into? Do you think they want you to know what companies already provide them with back-doors into "secure" systems? Of course not.

They may *say* that they cannot get into something, but they may or may not be telling the truth. Heck, the person who says that might think it is true, but the reality may be something different.

So, don't be too sure that when the government says they can't break into something, they *really* cannot break into something. Paranoid? Maybe. But the government doesn't exactly have the best track record when it comes to honesty.
 
I thought you could not be compelled to incriminate yourself. Giving up the password would do that.

Tell them to go do some more police work and evidence gathering.


No, this is not correct. There is a difference between being compelled to produce evidence when the demand is just and being forced to give testimony that will incriminate yourself. The Judge is ruling that providing the encryption key is not testimony.

And as TwistedAegis pointed out earlier, the alternative is to allow everyone a guaranteed foolproof way to avoid prosecution, stick to digital crimes and keep your shit encrypted and you are immune from prosecution. That can not be allowed to stand as it is. If the prosecution already has evidence that reasonably points to additional evidence stored in an encrypted format I do not think it's an overreach to compel the defendant to unlock it. And if sworn testimony from your own sister isn't compelling, what is?

This Doctor was a pediatrician too.
 
Yeah, as long as the device in question doesn't implement some sort of fail2ban type of implementation, introducing successive delays of increasing lengths after each failed attempt.

I don't understand why everything doesn't use this. It is so easy to implement.

Two different things going there though.

It's one thing to use that security scheme from a device point of view, it's driven through a software/firmware executable. That isn't the same thing as the actual encrypted data. For instance, you have a drive and it is marketed as a secure storage device only. You plug it in and it installs this security app that interacts with its own firmware so that in order to access the device you have to go through the fail2ban executable.

I get your drive, rip it out of the case, and I put it on a drive replicator that creates a raw clone of the drive without the drive's special firmware.

Now I haven't decrypted any data yet, but I just left your fail2ban firmware in the garbage can.
 
Two different things going there though.

It's one thing to use that security scheme from a device point of view, it's driven through a software/firmware executable. That isn't the same thing as the actual encrypted data. For instance, you have a drive and it is marketed as a secure storage device only. You plug it in and it installs this security app that interacts with its own firmware so that in order to access the device you have to go through the fail2ban executable.

I get your drive, rip it out of the case, and I put it on a drive replicator that creates a raw clone of the drive without the drive's special firmware.

Now I haven't decrypted any data yet, but I just left your fail2ban firmware in the garbage can.


Oh I agree. I know how full disk encryption currently works. If it could be made a part of the disk firmware though, something like fail2ban could make it more or less impenetrable. Say, have a humanly readable password with a fail2ban style protection, that unlocks an impossibly long and virtually impossible to brute force long key, used to encrypt the raw data on the disk, so even if someone dismantles the drive and is able to read a copy of the encrypted data, they can do nothing with that encrypted data, because the key is so strong that no super computer in the next 50 years can ever brute force it.

It would seemingly be relatively cheap to incorporate this in drive firmware, and create software the host can use to interface with it.
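The design sketched in the post above (a throttled human password that unlocks a long random disk key), set against the earlier objection that a raw clone leaves the firmware behind, as an added example that is not part of the original thread. `SimulatedDrive`, the controller-held `_hw_secret` and the XOR-plus-HMAC wrap (a stand-in for a real key-wrap cipher) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 50_000   # kept low so the example runs quickly
MAX_DELAY_SECONDS = 3600     # constructed cap for the back-off


def derive_kek(password, salt, hw_secret=None):
    """Stretch the human password into a 32-byte key-encryption key (KEK).

    If hw_secret is given, the result is additionally keyed with a secret
    that lives only inside the drive controller (assumption of this sketch).
    """
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if hw_secret is not None:
        kek = hmac.new(hw_secret, kek, hashlib.sha256).digest()
    return kek


def xor32(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def unwrap(wrapped, tag, kek):
    """Return the data-encryption key (DEK) if kek is right, else None."""
    dek = xor32(wrapped, kek)
    expected = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
    return dek if hmac.compare_digest(expected, tag) else None


class SimulatedDrive:
    """Hypothetical self-encrypting drive: random DEK wrapped under a KEK."""

    def __init__(self, password, bind_to_hardware):
        # Never written to the platters; None models a password-only design.
        self._hw_secret = secrets.token_bytes(32) if bind_to_hardware else None
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)          # the long random disk key
        kek = derive_kek(password, self.salt, self._hw_secret)
        self.wrapped = xor32(dek, kek)         # stored on the platters
        self.tag = hmac.new(dek, b"dek-check", hashlib.sha256).digest()
        self.failed = 0                        # firmware state only
        self.locked_until = 0

    def unlock(self, password, now):
        """Firmware path; `now` is a simulated clock in seconds."""
        if now < self.locked_until:
            return None                        # throttled: password not checked
        kek = derive_kek(password, self.salt, self._hw_secret)
        dek = unwrap(self.wrapped, self.tag, kek)
        if dek is None:
            self.failed += 1                   # delay doubles per failure
            self.locked_until = now + min(2 ** self.failed, MAX_DELAY_SECONDS)
        else:
            self.failed = 0
        return dek

    def raw_clone(self):
        """What a drive replicator copies: platter contents, no firmware state."""
        return {"salt": self.salt, "wrapped": self.wrapped, "tag": self.tag}


def offline_attempt(clone, password):
    """Check a password against a raw clone: no counter, no hardware secret."""
    kek = derive_kek(password, clone["salt"])
    return unwrap(clone["wrapped"], clone["tag"], kek)


if __name__ == "__main__":
    pw = "correct horse battery staple"        # constructed sample password
    plain = SimulatedDrive(pw, bind_to_hardware=False)
    bound = SimulatedDrive(pw, bind_to_hardware=True)
    print("clone of password-only drive opens:",
          offline_attempt(plain.raw_clone(), pw) is not None)
    print("clone of hardware-bound drive opens:",
          offline_attempt(bound.raw_clone(), pw) is not None)
```

The throttle only protects the data when the wrapped key cannot be tested outside the controller, which is why the hardware-bound clone stays closed even with the right password.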
 
Laws are going to have to change to take technology into account. It may take another 200+ years, but it will have to happen eventually, and at the rate we're already giving up our privacy for so called security, I'm betting police backdoors will be standard on every phone and PC eventually.

Just wait until they figure out a way to read your mind.

In 200 years, police backdoors will be standard in your brain :eek:
 
I'd be more worried about the type of cracking that'd need to be done.

Unlike a database dump where you've got a bunch of encrypted passwords and you're just computing and comparing, and it's easy for a high speed parallel processor to make it faster, these are locked external devices. Depending on the type, it might not be something that easily lends itself to external computation. You'd have to figure out if the password encrypts the files directly, or does that man in the middle shit that most stuff normally does. If it's the former, you need something capable of virtualizing a compatible file system while you brute force it, if it's the latter, you need to find a way to extract the encrypted password, figure out how it's encrypted, then you might be able to gpu accelerate it.



One of the locked devices is an iPhone 6. And the rest came out of an iMac so they might be Apple devices, using some variant of whatever they're using these days.

Umm, they already have access to all the data on all the devices except the encrypted external drives.

This is not about unlocking an iPhone.

This is about whether or not a defendant can be forced to divulge a password, in this case an encryption key, that will likely produce additional incriminating evidence.

In most cases this has already been set as precedent and the answer is NO. But in most cases the device is a single device, not a secondary device in which other devices point specifically to the evidence contained on the encrypted device. The man's iMac says the files are on the external drive.

And what I must stress again, the Man's own Sister has testified under oath that he showed her hundreds of these images and that they were stored on the encrypted device. Someone said the cops needed to go back and do more Police work, that was it, they did do it, and these things are some of the results. This is not a case where the cops are on a fishing trip looking for an excuse to charge this guy.

This Doctor is a criminal who thought he was too smart to get caught. He was wrong. He thought he was too smart to be convicted but he is already fucked. And for those that believe this will set some sort of precedent, people have been forced to give up passwords before, when the evidence is compelling enough. That is the law and it's been the law. This case will not change it.
 
Man they sure seem to care a lot about child pr0n. Oh wait.

https://hardforum.com/threads/to-ke...sses-child-pr0n-case.1926564/#post-1042864619

I disagree with this man, vehemently as it were. But, I do think compelling him to provide his PW is wrong. If they have enough to convict why not convict him then compel him to unlock the HDDs. It sounds like they have enough to convict him and this is more for creating case law.
 
A defendant shouldn't be forced to hand over damning evidence. If the prosecution want what's on his computer they should decrypt it themselves.

How is this different than finding a potential murderer in contempt for not handing over the murder weapon?
 
Oh I agree. I know how full disk encryption currently works. If it could be made a part of the disk firmware though, something like fail2ban could make it more or less impenetrable. Say, have a humanly readable password with a fail2ban style protection, that unlocks an impossibly long and virtually impossible to brute force long key, used to encrypt the raw data on the disk, so even if someone dismantles the drive and is able to read a copy of the encrypted data, they can do nothing with that encrypted data, because the key is so strong that no super computer in the next 50 years can ever brute force it.

It would seemingly be relatively cheap to incorporate this in drive firmware, and create software the host can use to interface with it.

I don't understand why anyone would want this. Why would you wish for a foolproof way to protect data when we all know that data can be evidence in criminal activity?

You know the little guy sometimes gets fucked because of shit like DMCA and stuff. But usually it's a company fucking the little guys and it's data stored in their records and corporate email and falsified testing that shows how some Jackass in the government or some company is fucking hundreds of thousands of us little guys. And you think it's a good idea to develop a bullet proof vault that these assholes can put all their stuff in so they can never be caught?

I do not get some people's thinking?
 
I don't understand why anyone would want this. Why would you wish for a foolproof way to protect data when we all know that data can be evidence in criminal activity?

You know the little guy sometimes gets fucked because of shit like DMCA and stuff. But usually it's a company fucking the little guys and it's data stored in their records and corporate email and falsified testing that shows how some Jackass in the government or some company is fucking hundreds of thousands of us little guys. And you think it's a good idea to develop a bullet proof vault that these assholes can put all their stuff in so they can never be caught?

I do not get some people's thinking?

My take is a feeling of security. Why can't I own a lock that no one but me can open? Why must I allow a weakness in any security measure just in case the government or enforcement agency needs access?

I guess maybe it is just how I feel personally. The police enforcement don't help me sleep at night, the locks on my doors do. I guess I apply that same feeling across the board.
 
Why couldn't a precedent-setting case on personal digital privacy be about a pirate or something? Why did it have to be child pornography? There is no judge on the planet that would want to be holding that bag of crap at the end of the day.


Because a copyright pirate usually isn't facing like 5,000 counts of a 3 year sentence so he doesn't go to extreme measures to protect himself like this guy did. This guy made sure to keep all his dirt in "one" encrypted place (actually two encrypted external drives), and he did what he thought was enough to delete other evidence that pointed to the files on the drives. But when his computer died he authorized BestBuy to try to recover lost files not realizing that their policy is to check all recovered files to make sure they are not corrupted and were fully working files. That started the ball rolling.

But I don't get why you guys keep thinking there is a precedent in this case. There is not. This is not the first time someone has been forced to give up a password. The precedent for this was set years ago.

Every case that comes along you guys think it's precedent setting.
 
I don't understand why anyone would want this. Why would you wish for a foolproof way to protect data when we all know that data can be evidence in criminal activity?

You know the little guy sometimes gets fucked because of shit like DMCA and stuff. But usually it's a company fucking the little guys and it's data stored in their records and corporate email and falsified testing that shows how some Jackass in the government or some company is fucking hundreds of thousands of us little guys. And you think it's a good idea to develop a bullet proof vault that these assholes can put all their stuff in so they can never be caught?

I do not get some people's thinking?


It is certainly a tradeoff. I just generally tend to fall on the side of privacy in that tradeoff.

Depending on your perspective you may not.

I don't think there are necessarily any rights or wrongs here (within reason, go too far in any direction, and there might be) just different levels of preference and perspective on the subject matter.

Like many people these days, I consider the data stored on my computer and in my phone to be almost analogous with the thoughts I have in my mind, and as such my inclination is to have 5th amendment rights extend to them. If someone is snooping through my phone in order to incriminate me (I swear I have nothing to worry about today, but who knows, maybe a day of civil disobedience or whistleblowing may some day come) I feel like that truly would be a matter of me being forced to incriminate myself. My computer and my phone are not just tools and devices I use, they are my mind outside of my mind.
 
Child predators are sub-human loathsome creatures, but compelling someone to violate their rights by divulging what is in their mind whether they legitimately remember it or not should be fought at all levels of government. See there is a notion that government should be a champion of your rights, not its detractor and I see our rights being whittled away on a daily basis. More ceding of our rights to government than ever before. This is independent of who is in the WH. It's been getting worse and worse since Bush1 and successively down the line. An incremental usurpation of a citizen's rights is the true crime here.
 
Because a copyright pirate usually isn't facing like 5,000 counts of a 3 year sentence so he doesn't go to extreme measures to protect himself like this guy did. This guy made sure to keep all his dirt in "one" encrypted place (actually two encrypted external drives), and he did what he thought was enough to delete other evidence that pointed to the files on the drives. But when his computer died he authorized BestBuy to try to recover lost files not realizing that their policy is to check all recovered files to make sure they are not corrupted and were fully working files. That started the ball rolling.

But I don't get why you guys keep thinking there is a precedent in this case. There is not. This is not the first time someone has been forced to give up a password. The precedent for this was set years ago.

Every case that comes along you guys think it's precedent setting.

I'll admit to some imprecise language here, but I wasn't aware of previous instances of contempt of court being issued for the "I forgot" defense. That said, you seem familiar with the legal world (I only know what I get from the news), I'm all for getting schooled.

Mainly, I was just being wistful that we aren't having this conversation about encryption in regards to something a little more innocuous, so we could talk about encryption, instead of child pornography.
 
Following this train of thought, if this counts as contempt then I would guess it would be legal to force this information out of him as well. Like using hypnosis, sodium thiopental or something that is just as equally not damaging mentally or physically.
This doesn't really sound right.

If he is guilty, he should go to jail. But I think they need to crack the lock and not the guy.

A lot of supercomputers around the world are used to calculate the weather and stuff like that. Why not use their powers for cracking passwords in these cases?
I don't like it when people say about IT stuff that "It cannot be done, we have to find a non-IT way to do it.". As it stands, all passwords can be cracked.
This password can be cracked too and someone should work on it and try to get the means from the government.
 
I don't see how they can hold him longer than if he actually destroyed the evidence. For all intents and purposes, he has, and he may actually have by actually forgetting the password.
 
I'm betting police backdoors will be standard on every phone and PC eventually.

Several issues with that besides the privacy ones. Encryption is math, it's not some magic thing that only a few have access to, you can't make math illegal. So open source encryption already exists, and is already being made by many companies / projects all over the world. You are not going to get all those shut down. So sure, maybe the built in encryption will have a back door, and that encryption will be good enough for the majority of people who don't care that hackers will find those back doors (and no you can't guarantee that bad people won't be able to use those back doors, if they exist both good guys and bad guys will be able to use it). So anyone that actually cares about privacy will use one of the already existing encryption software products without said back doors and we are back to square one.

TLDR: cat is out of bag for encryption, too late to backdoor into the past.
 
I don't understand why anyone would want this. Why would you wish for a foolproof way to protect data when we all know that data can be evidence in criminal activity?

You know the little guy sometimes gets fucked because of shit like DMCA and stuff. But usually it's a company fucking the little guys and it's data stored in their records and corporate email and falsified testing that shows how some Jackass in the government or some company is fucking hundreds of thousands of us little guys. And you think it's a good idea to develop a bullet proof vault that these assholes can put all their stuff in so they can never be caught?

I do not get some people's thinking?

We have a foolproof way to protect data. If the guy wrote the complex password down on a sticky note, never memorized it, then ate the paper. Data gone. Information is destroyed all the time and society hasn't fallen.
 
We have a foolproof way to protect data. If the guy wrote the complex password down on a sticky note, never memorized it, then ate the paper. Data gone. Information is destroyed all the time and society hasn't fallen.
Schrödinger's data.
 
I'll admit to some imprecise language here, but I wasn't aware of previous instances of contempt of court being issued for the "I forgot" defense. That said, you seem familiar with the legal world (I only know what I get from the news), I'm all for getting schooled.

Mainly, I was just being wistful that we aren't having this conversation about encryption in regards to something a little more innocuous, so we could talk about encryption, instead of child pornography.

I get schooled by our real lawyers here all the time. We do have a few that come to the [H].

And I really wasn't addressing the "I forgot ..." part of this. I think it's coming down to the Judge calling his "bullshit" card and saying that he just doesn't believe the defendant's claim.

There are certainly several levels to this case.

I tried finding information about previous cases in which a defendant was forced to give up a password (I did say that this isn't a precedent and has been done before), but my searches keep turning up the Apple iPhone unlock cases and some others.

I did find this and it's an interesting and more detached take on the issue.
http://blog.al.com/live/2008/06/forcing_suspect_to_divulge_pas.html
 
We have a foolproof way to protect data. If the guy wrote the complex password down on a sticky note, never memorized it, then ate the paper. Data gone. Information is destroyed all the time and society hasn't fallen.

I don't even know what kind of a point you are trying to make.

Wait until it's you.

Wait until some investment broker steals your life's savings and you need their records to prove it.

"Oopps It's encrypted"

I get this, I really do. I really do understand what many of you guys are concerned about. But it just always sounds to me like many of you don't think about the other side of the coin.
 
As much as I like to see guys like this guy get punished. I like the 5th amendment a hell of a lot more. Based on the court's logic here if you really did forget the password to a device that the government wants access to you could basically end up sitting in prison for the rest of your life. This guy may be a shitty person but the court is dead wrong here they have no right to compel him to give information which may incriminate himself.
 