Can the destruction of an encryption key be counted as destruction of evidence?

[w23]

State: IL

Can I be forced to hand over my encryption keys in court? I have searched alot about this, and can't seem to find a defenite answer. And if so, can I be held liable for additional security measures? Lets say I have supersecretencryptedfile.txt that is encrypted and lets say to decrypt it, I need two keys: one is key.txt that is located on the computer, and the other I have memorized. If the cops beat down my door and I hit the self destruct button that erases key.txt, would that be destruction of evidence? What if I place a measure that would destroy key.txt when the cops seized my computer? Would me not telling them be obstruction of justice, or could I argue I don't have to assist in an investigation against myself? (5th amendment?) Lastly, if I claimed to forget the key in court, would that work?

Thanks for the help.

[CdwJava]

Yes, you might be charged ... you might not ... it will depend on the details.

Oh, and if you are ordered by the court to release the encryption code and you refuse, expect to go to jail (even if you claim to have forgotten it).

No one can predict what might happen in a random and broad set of hypothetical circumstances.

- Carl

[tranquility]

This is a complex legal question with very fact specific case law where the isssues affect many basic rights. Go to [url=http://www.SSRN.com]Social Science Research Network (SSRN) Home Page[/url] and go to the legal section and do some query strings on your topic. I bet there are at least a few papers there on the topic.

[w23]

Okay, thanks for the help guys, and I'll be sure to check out SSRN.com.

Me and a friend were just discussing this, and he suggested a way to keep the data safe:

1. A encryption key of about 22 characters is chosen and memorized

2. The encryption key is [manually] ran through various hashing algorithms is a specific pattern. (for the sake of discussion, lets say I run it through tiger128, then ripe128, then whirlpool256, then sha256)

3. The result is a long string of characters that looks like this: b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

4. The above string becomes the key and is then used as the password to mount the encrypted drive, unlock the encrypted files, etc. Due to its sheer volume, remembering it would be impossible. Measures are also taken to make sure the key is not stored on the computer's hard drive in any form.

Forensic analysis of the computer shows that I have about 9 or 10 different hashing algorithms. Because of this, there is no way to determine which ones I did or did not use. The premise would be, that if a court orders I hand over the keys, I comply even though they have no idea how to use the keys, as they also need the process I used to obtain the final key to actually unlock the data.

Could I be ordered to actually divulge the process? I'm almost positive that would fall under assisting an investigation against me, therefore be a violation of my 5th amendment rights. They would then be forced to find the process themselves. Sound reasonable?

[tranquility]

Please re-read the 5th amendment.

Case law is all over the place, but the testimonial protection is not what you think it is. Although I do recall one federal case which held that a person could not be compelled to turn over his password. Couple of years ago having to do with border search, child porn seen by officer, when computer searched later found encrypted with PGP. I'm pretty sure it was appealed. I don't know the result.

If they really, really want it--they'll get it.

See some of the issues at:
[url=http://papers.ssrn.com/sol3/papers.cfm?abstract_id=402420]SSRN-The Privacy Privilege: Law Enforcement, Technology and the Constitution by Susan Brenner[/url]
[url=http://papers.ssrn.com/sol3/papers.cfm?abstract_id=630901]SSRN-The Fourth Amendment Unplugged: Electronic Evidence Issues & Wireless Defenses - Wireless Crooks & the Wireless Internet Users Who Enable Them by Tara Swaminatha[/url]

And, for the best ones, search for Orin Kerr and choose the ones which most interesting to you.

[w23]

I see.
Well, I guess the only real option would to be line the hard drives with thermite, then.


Thanks for the help.

edit: Yeah, I read about the child porn/PGP case too, and from last I heard it was appealed, mostly because the boarder agents already saw the pictures on the laptop.

[tranquility]

I believe the issue on appeal is that the defendant put in his password at the border on the request of the agent and the government wants to deem that a waiver. But, I'm not entirely sure.

[w23]

Not exactly.

What happened was when they checked the laptop, the virtual drive with the CP was already mounted. (It showed up as drive Z) The agents said they saw a few pictures, at which point they shut down the computer and arrested him. When the computer was shut down, the drive was unmounted, and hence, encryption key erased. In order to mount the drive again (and access the data) the PGP passphrase needs to be entered.

The judge ruled he didn't have to hand over the keys under the 5th amendment, but it was appealed and the prosecution argued that it wouldn't be self-incriminating since the agents already saw the CP on the computer, and the key would only confirm this. (or something to that effect) And I think the next judge agreed and the guy was ordered to hand over the key, but that was in May, and I have yet to find any news of whether or not he complied or if that too was appealed.

Now, as much as I agree that child porn is morally despicable, and those in possession should be thrown in jail with the rapists, I would rather the feds loose this case, if it means that I don't have to surrender my keys.

But it looks like thats not gonna happen.

Was weird is the EFF isn't all over this.
I would have bet this would be right up their ally......

edit: It was Febuarary, not may. Here is a link to the latest news, in case your interested: [url]http://news.cnet.com/8301-13578_3-10172866-38.html[/url]

[tranquility]

After doing a quick read of the decision by the magistrate and the reversal by the judge, I like my description better, but YMMV. The government's key is that there is no testimonial protection of the password as they know what's there and the defendant already can be connected with the machine/data.

See:
[url=http://volokh.com/posts/1197670606.shtml]The Volokh Conspiracy - Magistrate Judge Finds Fifth Amendment Right Not to Enter Encryption Passphrase:[/url]

For a discussion on the original case. Enjoy the comments which bring up some interesting issues. Note the article is writen by the same guy I recommended, Orin Kerr.

[w23]

In response to the agents' request, Boucher waived his Miranda rights and agreed to show the agents where the pornography on the computer was stored. The agents gave the computer to Boucher, who navigated through the machine to a part of the hard drive named "drive Z." The agents then asked Boucher to step aside and started to look through the computer themselves. They came across several videos and pictures of child pornography. Boucher was then arrested, and the agents powered down the laptop.

I didn't know he waived his rights.
My mistake.

Given that this post might be of interest to a non-lawyer crowd, I should add an important point that will be obvious to the lawyers but not obvious to the computer crowd: This opinion does not really settle the legal issue. It's only an opinion by one judge, and that judge isn't even a "real" federal District Court judge. The opinion is only the decision of one Magistrate Judge, who is sort of an assistant judge in the federal system.

So, if I understand this correctly, we still don't have a definite answer yet.
In order for this argument regarding encryption keys to be settled, it would need to go to supreme court and they would have to decide if encryption keys are information in your brain or keys to a locked safe. And if thats true, in the meantime, it would mean the lower courts would decided on a case by case basis, right?

[cyjeff]

Information in your brain isn't necessarily protected.

You would be surprised how very easy it is to crack most encryption.

[w23]

Information in your brain isn't necessarily protected.

You would be surprised how very easy it is to crack most encryption.

I use AES, Serpent, Twofish, and Camilla for securing various privileged medical and legal documents. If you have any sources as to why any (or all) of these ciphers can be broken, please tell me, I would very much like to know how. As far as I know, all of these algorithms are still secure. Not only that, but they are all freely available for individual analysis.

Meaning, ts highly unlikely that any one person or entity (read government, with a few hundred math geniuses) can break any of these algorithms and yet have it still be secure in the public eye (read thousands of math geniuses, including the original authors of the ciphers).

[cyjeff]

Ah, and there we have it.

Who does the information belong to? Not yours because you encrypted it, but whom does the information belong to?

[w23]

If you are referring to the medical and legal documents, I work for a company where it is required that we keep records of such things, and I took extra measures to insure that such information was secure.I'm not a hacker or cracker and I did not steal the information, if thats what you were implying.

The original question of this topic was asked due to the subject was brought up by a coworker about the hypothetical scenario that the cops would confiscate our servers for embezzlement, and whether his private medical records would be safe.

(At least, I hope it was hypothetical. I'm just the Tech guy, and as a rule, I try not to look at the company data too much, so if there was something like embezzlement, I'd be the last to know about it, and yet probably the first person they would ask. )

[steelworker34]

W32, have you ever seen a program called TrueCrypt?

It has this feature (along with other enc/dec software) called deniable encryption; whereby you have a big file and multiple keys. The file decrypt to different content depending on which password you use; meaning courts/etc can't really prove you gave them the wrong key.

[url=http://en.wikipedia.org/wiki/Deniable_encryption]Deniable encryption - Wikipedia, the free encyclopedia[/url]

Fascinating technology.