When it comes to the law, your information is only as secure as your encryption passphrase.
My computer is every hacker’s dream: chock-full of personal information that can be used in deliciously evil ways. Stored on my hard drive are electronic copies of my passport, previous tax returns, and a plethora of other files that contain sensitive information. If accessed, this information would allow someone to easily steal my identity or worse.
Thankfully, I encrypt those files (meaning the only person who has access to them is me). I am the only person that knows the encryption password (sometimes called a passphrase) used to decrypt my files for viewing. Without the password, the files cannot be accessed.
Hackers and personal information aside, let’s pretend the files I encrypted contain incriminating information. Hypothetically speaking, could someone use the law to force me to divulge my encryption password so they could access my files?
According to a federal judge in Vermont, the answer to that question is no! Encryption passwords ARE protected by the the fifth amendment!
In Vermont, a man, Sebastien Boucher, was charged with transporting child pornography on his laptop across the U.S.-Canadian border. The arresting officer saw the incriminating files on Boucher’s laptop before shutting it down. Later on in the investigation, federal prosecutors attempted to access the files again and they discovered that the potentially damning content on Boucher’s laptop was now encrypted.
Needing the evidence, the federal prosecutors obtained a grand jury subpoena requiring Boucher to provide “any passwords” associated with his laptop in order to allow them access to the files.
U.S. Magistrate Judge Jerome Niedermeier threw out the subpoena, ruling that a person charged with a crime cannot be compelled to reveal their encryption password because it would be a violation of their 5th Amendment right to avoid self-incrimination. He made the analogy that requiring Boucher to give up his encryption password was akin to requiring Boucher to give up the key to a locked container and would unconstitutionally force Boucher to hand over the contents of his laptop.
Because Boucher, like most users, protected his encryption password by memorizing it (versus writing it down), forcing him to disclose his password would be forcing him to disclose something in his mind, a clear violation of the Constitutional protection against self-incrimination.
But what if Boucher’s encryption passphrase had been written down somewhere? Let’s pretend I’m not a very smart criminal and wrote down or gave someone else my encryption password. Could someone then legally force me to hand it over? It appears that the answer to this question is yes.
Contrast Boucher’s case with a case involving Hushmail, a Canadian company that provides encrypted web-based email. Like the encrypted files on Boucher’s computer, Hushmail users encrypt their email using an encryption password.
In order for this to work, Hushmail requires users to provide their password through a web-based interface. We assume (because best practices dictate) that this process stores a hashed (encrypted) copy of every user’s password on Hushmail’s servers, so Hushmail doesn’t have direct access to a user’s password. However, having created the user’s encryption keys, Hushmail also has the ability to reset the passwords on them. Therefore anyone with administrative access to Hushmail’s key servers has access to all encryption passwords (and thus, access to all encrypted emails). A hacker could break into hushmail’s servers over the internet to steal information, or into Hushmail’s datacenter and steal their servers and walk away with all their keys, or something like this could happen:
In September 2007, U.S. federal prosecutors subpoenaed Hushmail for decrypted emails associated with three email accounts suspected of being involved in the illegal sale of steroid drugs. Hushmail, complying with federal law, decrypted the emails using their stored encryption passphrases and turned over the information.
Lesson learned? Encrypting files and emails isn’t a total guarantee that your sensitive information will be protected. It’s also important to keep in mind that everyone who has access to your encryption passphrase also has access to the contents of the files you’re trying to protect.
(And the moral of the story? Don’t be like Alex’s mom.)
![[del.icio.us]](http://images.del.icio.us/static/img/delicious.small.gif){kind=small}
It is a scary thought that the average user now has to not only be concerned with whether their data is encrypted in transit, but also where the encryption is occurring. A related problem is that, if the user must be the sole manager of keys and key escrow, then there almost certainly will be mishandling of the keys in a majority of cases since most users will inevitably forget their passphrase, etc. Typical countermeasures to this (e.g. having a second, “master” personal key with a passphrase written down somewhere and stored in a safe, for instance) are a little too paranoid for the average user to contemplate.
So, we can’t rely on someone else’s escrow services since fifth amendment rights do not extend to the contracted agent. No surprise, there doesn’t seem to be any legal basis for such a thing– but it still means we need to be all the more suspicious of where the encryption is actually happening in our communications.
@Christoffer Heckman: I agree, it is scary that your privacy is less and less in your own control - unless you proactively take control of it. In the past your privacy was fragmented and unsearchable, while today more and more of your personal data is all stored in one place and searchable - so once your account is cracked, so much of your life is in an attackers hands.
On the other hand, we are better armed to protect our privacy now that we are armed with this information. We know that our our passwords are only safe when we keep them ourselves, and we understand that our data is only safe when we encrypt it.
Nice post. Thank you for the info. Keep it up.
This is getting a bit more subjective, but I much prefer the Zune Marketplace. The interface is colorful, has more flair, and some cool features like ‘Mixview’ that let you quickly see related albums, songs, or other users related to what you’re listening to. Clicking on one of those will center on that item, and another set of “neighbors” will come into view, allowing you to navigate around exploring by similar artists, songs, or users. Speaking of users, the Zune “Social” is also great fun, letting you find others with shared tastes and becoming friends with them. You then can listen to a playlist created based on an amalgamation of what all your friends are listening to, which is also enjoyable. Those concerned with privacy will be relieved to know you can prevent the public from seeing your personal listening habits if you so choose.
Nice post. I was continuously checking this website and I am impressed! Extremely helpful info particularly the ultimate section
Stackable boxes really are a must when moving house, irrespective of self-drive van hire or removal company lorry. Sturdy green, recyclable boxes that can be reused time and again are the best option for frequent house moves as well as for long-term storage - regardless of where the home move happens. There is nothing more frustrating than having to reload several times, because the awkward way in which things are packed prevent a completely loaded van making one tour and one tour only.
I like the helpful info you provide in your articles. I will bookmark your blog and check again here frequently. I am quite certain I will learn lots of new stuff right here! Good luck for the next!
Hello there, just became aware of your blog through Google, and found that it’s truly informative. I’m gonna watch out for brussels. I will appreciate if you continue this in future. Lots of people will be benefited from your writing. Cheers!
rzmukcmph, http://www.kxxozdacyl.com lqeajamcwx
issyacmph, http://www.mxwyylhwut.com rnlwwxelpg
iybzhcmph, http://neomalehealth.com/maxocum.php MaxoCum Review, oaZKuZu.
ynyfycmph, http://www.deliciousorchardstore.com/ Klonopin and alcohol, vkDJOMx.
aeqbocmph, http://privatehealthinsurances.com.au/ private health insurance, GpsAsAN.
iiyypcmph, http://www.apsachieveonline.org/staff/ Klonopin, xRGabwI.
zgkqfcmph, http://abilitiesnetwork.org/ Viagra suppliers in the uk, hnsbQQp.
etjiycmph, http://www.latitudescoach.com/ Cialis onset of action, GkMDHRl.
ujpizcmph, http://hteps.com/ Porn, BjmSJwW.
dapnucmph, http://eastputnamfire.com/ Live Sex, RCavRUc.
sxudvcmph, http://lifeinsurance-advice.com/ Life Insurance, WjthZrC.
ocbwycmph, http://maleenhancementdirect.com/ Vitalikor, wkOMoNl.
wmnmicmph, http://runthecoast.com/ Casino, BQDgQtC.
ffngjcmph, http://stevesmith12.com/ HCG Diet, RfYvUFu.
hwujacmph, http://www.b12-deficiency-symptoms.net/ Weird symptoms from vitamin b12 deficiency, qSVbhWb.
pyorncmph, http://onlinepokercz.com/ online poker, XhVppKx.
igkrkcmph, http://www.touchdowndc.com/ Xanax, UnwLSBV.
ffrxkcmph, http://www.endlesspinball.com/ Xanax half life, XeQhHVU.
pdqitcmph, http://conah.org/ Instant faxless payday loans, hCCkQIQ.
enxgdcmph, http://greatfitnesszone.com/ rush fit reviews, oETfMSG.
ohdlvcmph, http://incubator.rockefeller.edu/ Phentermine work, LigBEhB.
osgyycmph, http://www.bloggingcodex.com/ Xanax, RxUJeLn.
oiipvcmph, http://rouletteonlinew.com/ French roulette online, wcWFJno.
ubzqmcmph, http://oxyhivesoffer.com/ oxyhives in stores, CJtjLoj.
pitxucmph, http://priligydirect.com/ Purchase priligy, ogBGRKZ.
aucezcmph, http://goffernow.com/deals/coupons/tiger-direct tiger direct coupon codes free shipping, sbmKTLX.
kojiwcmph, http://www.phovihoa.com/ Fioricet, AgopFFw.
utxkjcmph, http://www.gailminogue.com/product-category/events/ Generic name for ambien, fwbciWq.
thfcqcmph, http://www.indentvoice.com/ Buy Butalbital, rEkOLfV.
fpxnncmph, http://blowjobvideostube.com/ Blonde office blowjob tube, zOviQTL.
ltwsicmph, http://photosbykathleen-sb.com/ Group masturbation videos, sxnEMIW.
vmrdkcmph, http://kingfenceco.com/ Island lawyer rhode celebrex, vTTXHiM.
dvbeccmph, http://www.ohhaivintage.com/valium.html Buy valium online no prescriptionbbuy generic valium online, ISJOGQT.
inmqtcmph, http://lesbianvideostube.com/ Lesbian porn tube free, KnSbPpN.
jfqyecmph, http://pghdialogue.org/ Propecia, nULzOwR.
sdpincmph, http://www.ideaparke.com/ Buy 2mg xanax, OKxLOMS.
ytpagcmph, http://hdsexcams4free.com/ Link cam4 to msn, IGFDYPK.
emsdecmph, http://paydayloanslearning.com/ Instant faxless payday loans, CSPwxvI.
eltrkcmph, http://www.centre4conflictstudies.org/ Buy valium online no prescription, cliqIjU.