web application security lab

Self Incrimination or Privacy

There’s a really interesting case being talked about over at the Washington Post regarding a man who is accused of having downloaded child pornography on his computer and then encrypting it using PGP. This actually has some pretty interesting and wide-reaching implications for citizens in the US. Either a) he has to release the password and self-implicate (assuming he is guilty), b) lie under oath, or c) find himself under contempt. This is a tough one.

Personally, I’d feel very uncomfortable holding up freedoms to save a pedophile, but at the same time, there are all kinds of legitimate reasons I may want to encrypt data (I do it all the time for customers, for instance). But maybe a guy has cheated on his wife and doesn’t want anyone to know about it. Or maybe he has a furry fetish and has hopes for a political campaign some day. I’m pretty torn on this issue, unfortunately, because regardless of the outcome it can end up being a bad thing. I wish I could call this one a cut and dry case. But either way the outcome will be worth finding out about because either it will be a matter of imprisonment for contempt or a safe haven for anyone doing anything illegal. This will be a landmark case for our industry in many ways, for good or for bad.

Ugh… either way this one leaves a bad taste in my mouth.

13 Responses to “Self Incrimination or Privacy”

  1. Awesome AnDrEw Says:

    I noticed someone made a similar post on the forums concerning PGP and encryption concerns for the U.K., but a few individuals pointed out that it was possible to use programs such as TrueCrypt for plausible deniability. There are different solutions to the matter, but you’re right. He’s between a rock and a “hard-place” at the moment.

  2. yawnmoth Says:

    But maybe a guy has cheated on his wife and doesn’t want anyone to know about it. Or maybe he has a furry fetish and has hopes for a political campaign some day.

    Or maybe his job required he have lots of customer information (complete with credit card numbers) on his laptop for the purpose of data analysis, or something.

    I, personally, don’t think the alleged crime should factor into the decision at all. The army has a “don’t ask, don’t tell” policy because your sexual orientation shouldn’t factor into their decision. Why should this be any different?

    As you said, this does have “wide-reaching implications”. This isn’t about one pedophile, so why should the case be reduced down to that?

    Besides, if you suspect someone’s a pedophile, there’s probably other evidence you can get to prove it. Monitor their internet traffic with Carnivore, for example. Pictures don’t just appear out of thin air. If he’s actually making them, himself, a search warrant should prove that.

  3. yawnmoth Says:

    I guess he could be encrypting his traffic, but you can’t encrypt the originating / destination IP address of the TCP/IP packets. If the site in question is known to distribute material, there’s your conviction.

    And maybe try spoofing SSL certs if the IP addresses, alone, aren’t sufficient. Maybe call up Verisign and have them sign a cert of the offending organization (although I guess you’d need probable cause for that, too).

  4. Robert E. Lee Says:

    I see this as a 5th amendment issue. No one should be required to supply self-incriminating evidence to the government.

    Furthermore, passwords can actually be forgotten. Silence is not an admission of guilt. Anyone in this situation should be able to plead they forgot the password without having that be used against them. This is not the same thing as refusing a drug test.

    If they don’t have enough evidence without his password, then the case isn’t strong enough.

    “Personally, I’d feel very uncomfortable holding up freedoms to save a pedophile…”

    That is the tricky thing about freedom; there is no justice unless it is applied universally.

    –Robert E. Lee

  5. JoeyAdms Says:

    I think if the crime is nonviolent, or not high risk, I don’t believe you should have to disclose that kind of information. I think it is just what you said it is, self incrimination.

    In my eyes, they have the physical evidence, and you have the right to silence.

    Now in trial, that’s a different story, but I would assume the law for encryption keys would mimic that of safe combinations etc.

    This is just another demonstration as to why Law has not caught up with technology.

  6. RSnake Says:

    @Robert - “If they don’t have enough evidence without his password, then the case isn’t strong enough.” that’s actually a good point. Without the specifics of this case in question, on a more fundamental front - should you even be able to legally detain someone if you don’t have enough evidence to theoretically convict them once it goes to trial?

  7. Dan Weber Says:

    Orin Kerr had an excellent analysis at the time this first came up.

    http://volokh.com/posts/1197763604.shtml
    http://volokh.com/posts/1197670606.shtml

  8. Eponymous Says:

    Our 5th amendment is more important than a specific case. We should not just bend our constitution for any specific “pet outrages.” Because today it will be something we all agree on like child porn, tomorrow it will be less cut and dry examples of reprehensibility. I hate to invoke slippery slope, but it’s true, and it’s what a “constitution” is all about.

    You can’t encrypt the live photo sessions where this crap is taking place, and you can’t encrypt the lack of parental coaching which allows children to be fearful/gullible enough to not flip out, to express outrage, and then to contact the nearest adult when this stuff goes down. The more we focus on the sources of our problems and not the results, the better off we are in tackling our social problems. ALL children need to know, from a very early age, that the world is not all Disney and lollipops, and that evil people exist. If parents don’t want to corrupt their “innocence” by giving them adult information on adult behavior in order to protect themselves, they should consider that someone may try to take that innocence more completely later on. It’s far sadder when it’s a trusted adult who does it, but our culture of “childhood insulation” is what allows a lot of this to exist.

  9. WitchHunt Says:

    this article makes me look more suspicious using truecrypt..

  10. SolarFlare Says:

    @Eponymous

    “and you can’t encrypt the lack of parental coaching which allows children to be fearful/gullible enough to not flip out, to express outrage, and then to contact the nearest adult when this stuff goes down.”

    Indeed, lack of education is the main cause of the problem.
    Also increasing pedophile awareness will not cut the problem out at all because the people that need the help the most are the ones who are at an age where they will not understand the concepts being explained to them.

    “If parents don’t want to corrupt their “innocence” by giving them adult information on adult behavior in order to protect themselves, they should consider that someone may try to take that innocence more completely later on.”

    That is very true. 90% of child pornography is filmed / photographed etc. by the child’s parents / guardians. So realistically the parents responsible for the acts in question will hold back the information from their children thus not solving anything.

  11. Zach Says:

    We don’t know the specifics so it’s hard to make a decision. If they have sufficient evidence that already supports it and this is just an attempt to make it “rock solid” I tend to believe he should be forced to give the information. If it’s simply a suspicion then he should not be forced. I think the same laws should apply as search warrants. They should have sufficient evidence and cause and a court order. IMHO, anyways.

  12. x0r Says:

    Oh c’mon let’s forget about “In dubio pro reo”
    and just claim everybody’s a guilty terrist, until contrary proved!
    I remember this nice comic of RSnake;
    http://ha.ckers.org/images/sla.ckers-comix/02112007.gif

    R.I.P. freedom like free!

  13. rdivilbiss Says:

    The laptop is property as would be a home.

    If the government has sufficient evidence to get a search warrant for your home, they may break in or ask you to supply the key to the door. Your choice.

    Is refusing to provide the key to the house a 5th amendment issue? Probably not. At which point the government simply kicks the door in.

    What is different here is the requirement that the defendant utter words or writings to provide the key to the property versus the government kicking the door in.

    4th or 5th amendment?

    If the higher court rules 4th, the defendant could possibly be required to provide the “key” without admitting any guilt. If that’s the case and the defendant refuses, we have a possible contempt of court issue, but the government is still faced with kicking the door in.

    Kicking the door in is simply a matter of time. Although the time may be longer than the defendant’s lifespan.