Privacy, The 5th Amendment And PGP Passwords

While doing some encryption research I ran across this Vermont ruling made on November 29, 2007.
It provides some good lessons about computer forensics and investigation and password management.

Magistrate Judge Jerome J. Niedermeier for the U.S. District Court for the District of Vermont ruled that a criminal defendant’s compliance with a grand jury subpoena requesting the PGP encryption password that protected a laptop computer’s contents would violate the Fifth Amendment privilege against compelled self-incrimination.
According to Niedermeier, “A password, like a combination, is in the suspect’s mind, and is therefore testimonial and beyond the reach of the grand jury subpoena.”
Here’s an excerpt from the court ruling that provides the background:

“On December 17, 2006, defendant Sebastien Boucher was arrested on a complaint charging him with transportation of child pornography in violation of 18 U.S.C. ¬ß 2252A(a)(1). At the time of his arrest government agents seized from him a laptop computer containing child pornography. The government has now determined that the relevant files are encrypted, password-protected, and inaccessible. The grand jury has subpoenaed Boucher to enter a password to allow access to the files on the computer. Boucher has moved to quash the subpoena on the grounds that it violates his Fifth Amendment right against self-incrimination.”

Basically, the agent caught Boucher with the laptop turned on and unsecured, and when the agent examined it, he found a lot of porn photos and videos, many that appeared to be underage children. When taking Boucher into custody, the agent shut down the computer. Subsequently when turning the computer back on and trying to re-access the porn files, he was prompted for the PGP password.
In this case regarding the Fifth Amendment’s self-incrimination issue, the court considered whether the communication of the PGP password would be a) compelled, b) testimonial in nature, and c) incriminating.
The subpoena established compulsion, and the content of the computer drive was incriminating. The judge then had to consider whether the subpoena for the PGP password would be considered a testimonial communication.
The government cited Doe II v. United States, a case that involved a subpoena that forced a criminal suspect to sign a form requesting his bank records from banks in the Cayman Islands and Bermuda. The government argued that the password in this case was non-testimonial, pointing out that the U.S. Supreme Court determined the form did not require the suspect to make a statement about the existence of, or control over, any bank accounts.
The judge said this case was different.

“Entering a password into the computer implicitly communicates facts. By entering the password Boucher would be disclosing the fact that he knows the password and has control over the files on drive Z. The procedure is equivalent to asking Boucher, ‚ÄúDo you know the password to the laptop?‚Äù If Boucher does know the password, he would be faced with the forbidden trilemma; incriminate himself, lie under oath, or find himself in contempt of court. Id. at 212. Unlike the situation in Doe II, Boucher would be compelled to produce his thoughts and the contents of his mind. In Doe II, the suspect was compelled to act to obtain access without indicating that he believed himself to have access. Here, when Boucher enters a password he indicates that he believes he has access.”

Quite an interesting analysis of when a suspect can and cannot be forced to reveal a password, such as for a PGP key.
So, even though the agent had actually seen the porn images on the laptop, because he shut down the computer and could not get back into the porn files, he could not force Boucher to enter the password for them.
This situation and accompanying decision was related solely to Boucher trying to get the court to quash the subpeona forcing him to reveal his PGP password.
However, as I read this I wondered about a couple of the other aspects of the case…
* The agent who shut down the computer was apparently not well-trained for computer forensics or the proper procedures to take to preserve evidence. Why the heck did he turn off the computer?
* Did anyone perform a search for the password? Most people write down their passwords,including PGP passwords, somewhere on something. Did the investigators check for sticky notes on the computer case? In the car? In Boucher’s home? Stored on his cell phone? Etc…
Of course the full investigative details were not provided in this very small slice of a view into this case, but it does make you wonder.
Does your organization have a team of folks trained in performing sound computer forensics activities?
Do your personnel write down their passwords and keep this documentation where others can find them?

Tags: , , , , , , , , , , , , , , , , , ,

Leave a Reply