Forgot my password legal defense?

For the serious discussion of weighty matters and worldly issues. No off-topic posts allowed.

Moderators: Azrael, Moderators General, Prelates

Vertana
Posts: 37
Joined: Mon Sep 08, 2008 11:28 am UTC

Forgot my password legal defense?

Postby Vertana » Mon Mar 02, 2009 11:15 pm UTC

I was just discussing with a friend that the forgot legal password (or pleading the fifth when asked about your password) might be held up in an American court and he was saying that it would not. We both searched the web and of course neither one of us could adequately support our positions on the issue. Could anyone be of help here? Either know about a court case or read somewhere about it being tried and upheld or overturned? Thanks in advance to anyone who chimes in on this issue.

User avatar
oxoiron
Posts: 1365
Joined: Fri Jul 13, 2007 4:56 pm UTC

Re: Forgot my password legal defense?

Postby oxoiron » Mon Mar 02, 2009 11:47 pm UTC

Vertana wrote:...forgot legal password...
What does that mean?
...(or pleading the fifth when asked about your password)...
I can't imagine why you couldn't 'plead the fifth' on the grounds that revealing your password would somehow incriminate yourself.

I'll try to remember to ask my wife about that; she's the expert.
"Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect)."-- Mark Twain
"There is not more dedicated criminal than a group of children."--addams

User avatar
bratwurst
Posts: 73
Joined: Fri Dec 19, 2008 11:37 pm UTC

Re: Forgot my password legal defense?

Postby bratwurst » Mon Mar 02, 2009 11:53 pm UTC

In respect to forgetting your password: I haven't a clue.

In respect to pleading the fifth: I'm reasonably sure that there is a court case somewhere that hinged on this, and the judge decided that the fifth amendment didn't cover it. The analogy used was that you are (apparently) required to turn over a physical key to a physically locked object, and this does not qualify as self-incrimination; therefore, you are required to turn over your encryption key. If I can find something about the case I'll post a link to the information.

On the other hand, there is always rubberhose-deniable encryption...

Edit: Note that the interesting property of that form of encryption is that it has multiple encrypted sections, arranged in such a way that you can give up one password under duress (i.e. to a court) and it will be impossible for them to prove that there is more encrypted data on your disk. That is, you could encrypt your whole disk, give up a key that would decrypt a few gigs, and the rest would be safe and indistinguishable from purely random bits.
Last edited by bratwurst on Tue Mar 03, 2009 4:10 am UTC, edited 1 time in total.

JoshuaZ
Posts: 401
Joined: Tue Apr 24, 2007 1:18 am UTC
Contact:

Re: Forgot my password legal defense?

Postby JoshuaZ » Tue Mar 03, 2009 3:22 am UTC

As mentioned by others there have been cases that establish that passwords are not covered under your right of non-incrimination, being more akin to keys or combinations for safes which you are obligated to provide. There are complicating issues. http://volokh.com/posts/1235508933.shtml gives an example of one recent case.

Regarding claiming to have forgotten a password, that would likely depend on how plausible the claim was. If you hadn't accessed the material in question in a few months you might have a case. If it were a few years even more. If however you had just accessed it days ago, a judge would likely find you in contempt.

However, there's a general point that needs to always be made in these sorts of situations: just because something might be a workable defense doesn't mean it is a great idea. The American justice system is very slow. If you are charged with anything at all related to a computer, they will likely confiscate as evidence all relevant equipment and then it may take years if ever for you to get it back even if you have been cleared of charges. In the most famous case of this sort when the Secret Service raided Steve Jackson Games, the company never got everything back from the feds and they almost went out of business for the disruption. So even if this sort of thing might work, it really isn't a situation you want to get into.

User avatar
ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: Forgot my password legal defense?

Postby ManaUser » Tue Mar 03, 2009 7:50 am UTC

Funny you ask about this just now. I was just reading about a case like this (same one JoshuaZ mentioned). It's not settled though, I expect this case or a similar one will make it all the to the supreme court eventually. I don't foresee it going well for him though.

If it turns out the 5th amendment defense is no good, he can try the "I forgot" route. It's been over a year already, maybe he really did forget in that time.

Mzyxptlk
Posts: 513
Joined: Tue Sep 23, 2008 8:41 am UTC

Re: Forgot my password legal defense?

Postby Mzyxptlk » Tue Mar 03, 2009 1:56 pm UTC

bratwurst wrote:On the other hand, there is always rubberhose-deniable encryption...

Edit: Note that the interesting property of that form of encryption is that it has multiple encrypted sections, arranged in such a way that you can give up one password under duress (i.e. to a court) and it will be impossible for them to prove that there is more encrypted data on your disk. That is, you could encrypt your whole disk, give up a key that would decrypt a few gigs, and the rest would be safe and indistinguishable from purely random bits.

This sounds extremely interesting. I should look into it when I have more time. Thanks for pointing it out. :)
"Once upon a time, an infinite number of people lived perfect, blissful, eternal lives."

Vertana
Posts: 37
Joined: Mon Sep 08, 2008 11:28 am UTC

Re: Forgot my password legal defense?

Postby Vertana » Tue Mar 03, 2009 2:21 pm UTC

Truecrypt also provides encryption in the form of "hidden partitions" in order to provide plausible deniability. Thanks for the replies; I'll definitely look into that court case cited above. As for the "forgetting legal password" question up top, I simply wrote this extremely early this morning and chalk that grammar up to fatigue.

Iv
Posts: 1207
Joined: Thu Sep 13, 2007 1:08 pm UTC
Location: Lyon, France

Re: Forgot my password legal defense?

Postby Iv » Tue Mar 03, 2009 3:18 pm UTC

About Truecrypt : in order to have plausible deniability, you need to have a truecrypt volume (it shows up as random data in the filesystem so it really is suspicious) and to put a hidden volume inside this first volume. This way, the randomness of the unallocated data will not appear suspicious and you can give the password of the first layer of encryption in order to comply with the court.

If you really are paranoid, you can even iterate many time through this process.

I am no law expert, but having forgotten a password seems to be a valid defense as long as it looks plausible to the judge, a detail often overlooked by us geeks. If you pretend to have forgotten the password to the volume that stores your mail or that stores data you used a few days ago, the judge will not be inclined to believe you. That you forgot the password of the archive you made 5 years ago or to the GPG key you revoked several months ago is far more plausible. I am almost sure that it is legal to forget a password but that it is punishable to lie in court, that is the crux of it.

User avatar
oxoiron
Posts: 1365
Joined: Fri Jul 13, 2007 4:56 pm UTC

Re: Forgot my password legal defense?

Postby oxoiron » Tue Mar 03, 2009 3:42 pm UTC

oxoiron wrote:I can't imagine why you couldn't 'plead the fifth' on the grounds that revealing your password would somehow incriminate yourself.

I'll try to remember to ask my wife about that; she's the expert.
Here goes my appeal to authority...My wife (Bill of Rights Expert) says that the state can get a warrant to search your computer, but they can't get a warrant to search your mind. The judge's ruling in the case mentioned above appears to confirm that. The right of refusal applies to any testimony that may incriminate one's self, including (at this time) encryption passwords.

The decision is here.
"Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect)."-- Mark Twain
"There is not more dedicated criminal than a group of children."--addams

User avatar
Veracious Sole
Posts: 137
Joined: Mon Sep 17, 2007 4:05 pm UTC

Re: Forgot my password legal defense?

Postby Veracious Sole » Tue Mar 03, 2009 4:04 pm UTC

oxoiron wrote:
oxoiron wrote:I can't imagine why you couldn't 'plead the fifth' on the grounds that revealing your password would somehow incriminate yourself.

I'll try to remember to ask my wife about that; she's the expert.
Here goes my appeal to authority...My wife (Bill of Rights Expert) says that the state can get a warrant to search your computer, but they can't get a warrant to search your mind. The judge's ruling in the case mentioned above appears to confirm that. The right of refusal applies to any testimony that may incriminate one's self, including (at this time) encryption passwords.

The decision is here.


Actually, A very recent decision states that passwords are not protected by the fifth amendment.

link: http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars
"I never knew words could be so confusing," Milo said to Tock as he bent down to scratch the dog's ear.
"Only when you use a lot to say a little," answered Tock. ~The Phantom Tollbooth~

User avatar
oxoiron
Posts: 1365
Joined: Fri Jul 13, 2007 4:56 pm UTC

Re: Forgot my password legal defense?

Postby oxoiron » Tue Mar 03, 2009 7:14 pm UTC

So much for my appeal to authority, although I'm tempted to give her a pass in light of how recent that decision is.

I'm curious to see how the appeal pans out.
"Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect)."-- Mark Twain
"There is not more dedicated criminal than a group of children."--addams

Seraph
Posts: 342
Joined: Mon Jul 16, 2007 4:51 pm UTC

Re: Forgot my password legal defense?

Postby Seraph » Tue Mar 03, 2009 7:18 pm UTC

Veracious Sole wrote:
oxoiron wrote:
oxoiron wrote:I can't imagine why you couldn't 'plead the fifth' on the grounds that revealing your password would somehow incriminate yourself.

I'll try to remember to ask my wife about that; she's the expert.
Here goes my appeal to authority...My wife (Bill of Rights Expert) says that the state can get a warrant to search your computer, but they can't get a warrant to search your mind. The judge's ruling in the case mentioned above appears to confirm that. The right of refusal applies to any testimony that may incriminate one's self, including (at this time) encryption passwords.

The decision is here.


Actually, A very recent decision states that passwords are not protected by the fifth amendment.

link: http://arstechnica.com/tech-policy/news/2009/03/court-self-incrimination-privilege-stops-with-passwords.ars

No it doesn't. A better statement of what it says is that once you incriminate yourself the 5th ammendment doesn't provide you any defence from being forced to do it again. So if you have a password protected drive that you allow law enforcement to access, and law inforcements spots something that they think is illegal, you can't then use the 5th amendment to refuse future access. In the case in question the accused allowed border agents to search his laptop (including allowing them to see contents on his encrypted drive), the agents saw questionable matieral, and then siezed the laptop. However, the next time they went to access the computer the encryption had kicked in.

In his decision the Judge states that there are two reasons when the 5th ammendment would prevent someone from revealing documents to a suppena:
1) The location of the documents is unknown to the government.
2) Providing the documents would "implicitly authenticate" the documents.
In the case you linked to #1 clearly doesn't apply (The govermnent knows the documents are on the computer). And unfortunatly for the accused #2 doesn't apply because the government says it can link the accused to the files without using the fact that he produced the password in responce to the suppoena.

User avatar
Veracious Sole
Posts: 137
Joined: Mon Sep 17, 2007 4:05 pm UTC

Re: Forgot my password legal defense?

Postby Veracious Sole » Tue Mar 03, 2009 7:32 pm UTC

Seraph wrote:No it doesn't. A better statement of what it says is that once you incriminate yourself the 5th ammendment doesn't provide you any defence from being forced to do it again. So if you have a password protected drive that you allow law enforcement to access, and law inforcements spots something that they think is illegal, you can't then use the 5th amendment to refuse future access. In the case in question the accused allowed border agents to search his laptop (including allowing them to see contents on his encrypted drive), the agents saw questionable matieral, and then siezed the laptop. However, the next time they went to access the computer the encryption had kicked in.

In his decision the Judge states that there are two reasons when the 5th ammendment would prevent someone from revealing documents to a suppena:
1) The location of the documents is unknown to the government.
2) Providing the documents would "implicitly authenticate" the documents.
In the case you linked to #1 clearly doesn't apply (The govermnent knows the documents are on the computer). And unfortunatly for the accused #2 doesn't apply because the government says it can link the accused to the files without using the fact that he produced the password in responce to the suppoena.

Hrmm . . . I hadn't realized the distinction, but then, I've not been trained in any form of law. Thanks for the clarification.
"I never knew words could be so confusing," Milo said to Tock as he bent down to scratch the dog's ear.
"Only when you use a lot to say a little," answered Tock. ~The Phantom Tollbooth~

User avatar
oxoiron
Posts: 1365
Joined: Fri Jul 13, 2007 4:56 pm UTC

Re: Forgot my password legal defense?

Postby oxoiron » Tue Mar 03, 2009 7:36 pm UTC

That's why I should leave the Law StuffTM to my wife.
"Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect)."-- Mark Twain
"There is not more dedicated criminal than a group of children."--addams

floodslayer
Posts: 28
Joined: Sat Mar 21, 2009 12:17 am UTC

Re: Forgot my password legal defense?

Postby floodslayer » Sat Mar 21, 2009 6:46 am UTC

An interesting line of thought. Does the existence of a brute-force method of accessing the files present some sort of inevitable discovery scenario ? True, the court may be limited in its ability to force you to reveal incriminating information, but if it can be shown that that information could inevitably become public knowledge without your consent, does the scenario change ? Is the case different when the brute-force solution is computationally infeasible ? If the prosecution could place a finite ceiling on the time it would take to crack the files via brute force, would a judge be likely to allow time for this ? I think the fact that this information can eventually be discovered makes it different from the case where testimony is the only way for the information to go on record.

User avatar
Diadem
Posts: 5654
Joined: Wed Jun 11, 2008 11:03 am UTC
Location: The Netherlands

Re: Forgot my password legal defense?

Postby Diadem » Sat Mar 21, 2009 9:51 am UTC

Even if it's not protected by the 5th amendment, how are they going to force you to tell it? Torture?
It's one of those irregular verbs, isn't it? I have an independent mind, you are an eccentric, he is round the twist
- Bernard Woolley in Yes, Prime Minister

User avatar
ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: Forgot my password legal defense?

Postby ManaUser » Sun Mar 22, 2009 4:04 am UTC

Diadem wrote:Even if it's not protected by the 5th amendment, how are they going to force you to tell it? Torture?

They would just keep you in jail until you tell them.

User avatar
Diadem
Posts: 5654
Joined: Wed Jun 11, 2008 11:03 am UTC
Location: The Netherlands

Re: Forgot my password legal defense?

Postby Diadem » Sun Mar 22, 2009 4:36 pm UTC

Indefinitely? Until the end of the trial? How long can they lock you up for refusing to cooperate?

Anyway after a few months in prison just say "Ok, I'm ready to cooperate" then give 'em a wrong password. When they tell you it's wrong, act surprised, offer a few similar-looking alternatives, and when they all fail admit you've forgotten. It's entirely believable.
It's one of those irregular verbs, isn't it? I have an independent mind, you are an eccentric, he is round the twist
- Bernard Woolley in Yes, Prime Minister

Alexius
Posts: 342
Joined: Mon Nov 03, 2008 4:45 pm UTC

Re: Forgot my password legal defense?

Postby Alexius » Sun Mar 22, 2009 6:41 pm UTC

Diadem wrote:Indefinitely? Until the end of the trial? How long can they lock you up for refusing to cooperate?

It's called civil contempt, and varies depending on precisely which court. In some cases, you can be locked up indefinitely for refusing to comply with a court order, ad long as the purpose of the imprisonment remains coercive rather than punitive. For instance, a Mr. H. Beatty Chadwick has been held in the county jail of Delaware County, PA, for almost 14 years for refusing to hand over money he allegedly wired out of the country just before his wife divorced him.
In other cases there's a time limit- for instance, 18 months for a grand jury.

User avatar
Gelsamel
Lame and emo
Posts: 8237
Joined: Thu Oct 05, 2006 10:49 am UTC
Location: Melbourne, Victoria, Australia

Re: Forgot my password legal defense?

Postby Gelsamel » Sun Mar 22, 2009 10:17 pm UTC

oxoiron wrote:
Vertana wrote:...forgot legal password...
What does that mean?
...(or pleading the fifth when asked about your password)...
I can't imagine why you couldn't 'plead the fifth' on the grounds that revealing your password would somehow incriminate yourself.


Because knowledge of your password might implicate you in a crime that deals with something you can only access using that password?

People have successfully pleaded the fifth on questions that the prosecution KNOWS the answer too. Ie. "Were you babysitting during X to Y?" can be fifth'd because answering that you were even there at the time, even though they know you were, could implicate you.
"Give up here?"
- > No
"Do you accept defeat?"
- > No
"Do you think games are silly little things?"
- > No
"Is it all pointless?"
- > No
"Do you admit there is no meaning to this world?"
- > No

User avatar
oxoiron
Posts: 1365
Joined: Fri Jul 13, 2007 4:56 pm UTC

Re: Forgot my password legal defense?

Postby oxoiron » Tue Mar 24, 2009 10:07 pm UTC

Looking at what you wrote, I am led to believe that you misunderstood what I wrote.

Unless you were just agreeing with me.
"Whenever you find yourself on the side of the majority, it is time to reform (or pause and reflect)."-- Mark Twain
"There is not more dedicated criminal than a group of children."--addams

*GC*
Posts: 32
Joined: Thu Feb 12, 2009 4:27 am UTC

Re: Forgot my password legal defense?

Postby *GC* » Thu Mar 26, 2009 8:42 pm UTC

I remember a few months ago there was a story on digg or fark about a guy who had something illegal encrypted on his laptop while crossing the Canadian border back into the US. He was searched and they searched this computer and forced him to give up the key. So the story was focusing on if that's legal search and seizure.

I think the password defense would never work unless talking about an encrypted passkey. Something like a windows password they could get the data easily without you giving up the password, either by accessing the drive as a slave from another machine or just brute forcing your simple "mypasswordisdefinitelynotpassword" password.

You would think from a national security stand point judges would be making sure to rule in favor of encryption rights as to not set a precedent that could compromise top secret documents.

User avatar
ManaUser
Posts: 284
Joined: Mon Jun 09, 2008 9:28 pm UTC

Re: Forgot my password legal defense?

Postby ManaUser » Thu Mar 26, 2009 10:11 pm UTC

*GC* wrote:I remember a few months ago there was a story on digg or fark about a guy who had something illegal encrypted on his laptop while crossing the Canadian border back into the US. He was searched and they searched this computer and forced him to give up the key. So the story was focusing on if that's legal search and seizure.

Sebastien Boucher. Unless there were two cases like that. This one is still ongoing. As of the last news story I could find, they were going to order him to decrypt the harddrive, rather than actually revealing the password (though it obviously amounts to the same thing.) No doubt the decision will be appealed. It seemed inevitable that this case or a similar one will go to the SCOTUS in the relatively near future. The encryption in question is PGP, incidentally, so this is a nice advertisement for them.


Return to “Serious Business”

Who is online

Users browsing this forum: No registered users and 15 guests