This is a very interesting story on a subject (encryption) that I strongly believe will become much more common in not just cases like the one below, but in many other kinds of criminal cases, too.

But what can be done? The second to the last paragraph really tells it like it is.



"Self-incrimination rights at stake in child porn case"

Can U.S. authorities force man to give up password?

Glen McGregor, CanWest News Service
Published: Saturday, January 12, 2008


Peering into Sebastien Boucher's laptop computer, a U.S. border agent scrolled over a list of file names that suggested depictions of horrific abuse involving children as young as two years old.

When the agent asked if the laptop contained child pornography, Mr. Boucher's hands shook and the carotid artery in his neck throbbed, according to an court affidavit. He said he didn't know.

A subsequent inspection of Mr. Boucher's computer by the U.S. Department of Homeland Security allegedly uncovered videos showing pre-teen girls engaged in sex acts. He was charged with transporting child pornography.

But today, the U.S. Department of Justice's case against Mr. Boucher is mired in a dispute over the scope of the U.S. Constitution's Fifth Amendment and its power to protect suspects against self-incrimination in the information age.

And it has also had the strange effect of making a Canadian -- Mr. Boucher is a Canadian citizen who lives in Vermont -- a test case for one of the most fundamental of rights in the U.S. Constitution.

Also watching closely are Internet law experts. The sanctity of passwords has far-reaching implications for computer users who might encrypt sensitive personal information.

Mr. Boucher and his father were returning from Quebec to their home in Derry, Vt., when they were stopped at a border crossing south of Sherbrooke and pulled over for secondary inspection. The U.S. border guard noticed the laptop in the back seat of their car, according to an affidavit filed in Vermont District Court.

On the laptop hard-drive were approximately 34,000 images, the affidavit said, including one titled "Two year old being raped during diaper change."

The border guard asked Mr. Boucher if his computer contained child pornography. He said he didn't know, because he hadn't had a chance to check his temporary Internet files -- the images that are stored by Web browser automatically when surfing. Throughout the questioning, Mr. Boucher showed signs of nervousness, the affidavit said.

The border guard called in Agent Mark Curtis from the Department of Homeland Security. He examined the computer and, he said, found several images of adult pornography and animated child porn. Mr. Boucher was read his Miranda rights.

As Mr. Boucher watched, Agent Curtis says he examined more files, including "Pre-teen bondage", "11 year old lesbians," and at least one other video allegedly depicting sex acts involving what appeared to be pre-teen girls.

Mr. Boucher told the agent that he downloads pornographic images from Internet newsgroups and sometimes unknowingly downloads files with child pornography but deletes them, the affidavit said.

Agent Curtis the seized the computer, turned if off, and Mr. Boucher was arrested.

Two weeks later, however, investigators tried to make a copy of the hard-drive and discovered they were unable to access the same files that Agent Curtis had seen. The disk drive had been encrypted using a widely-used software application called Pretty Good Privacy and, without Mr. Curtis's password, it could not be opened.

It was not clear if Mr. Boucher had entered his password during the first inspection, or whether the drive had been unlocked previously.

Computer specialists working for prosecutors said there is no "back door" that law enforcement can use to unlock the files. A program that repeatedly guesses the password could be used, but it could take years before it cracked Mr. Boucher's code.

Without the password, the potentially incriminating files on his disk drive could not be viewed and key evidence against Mr. Boucher was inaccessible. To open it up, the grand jury issued a subpoena to compel Mr. Boucher to provide the password.

In response, Mr. Boucher's lawyers filed a motion contending that forcing him to give his the password would violate his Fifth Amendment right against self-incrimination.

Several U.S. courts have upheld the right for customs agents to search the contents of a computer, agreeing that it is no different than searching the baggage a traveler carries. Suspects can legally be compelled to give DNA samples.

In a hearing last year, the government conceded that forcing Mr. Boucher to verbally disclose the password before the grand jury would be "testimonial" and prohibited by the Fifth Amendment. He could merely "take the Fifth" when asked for the password.

But prosecutors had another idea: Mr. Boucher could be ordered to enter the password on his computer, without anyone seeing it, and unlock the disk without incriminating himself. The fact that he knew the password would not be used against him, they promised.

Judge Jerome Niedermeier of the Vermont District Court didn't buy it. Even entering the password himself would communicate facts that could be self-incriminating, Judge Niedermeier wrote in a ruling last month.

"Boucher would still be implicitly indicating that he knows the password and has access to the files," the judge concluded. "The contents of Boucher's mind would still be on display."

The motion to quash the order was granted.

Last week, the government filed an appeal of Judge Niedermeier's decision, and it's a good bet that whoever loses the next round will also appeal.

The case has angered some observers who accuse the Vermont court of letting a person alleged of possessing child pornography go free.

The case also has debunked a common Internet myth: that investigators can crack anyone's password with powerful computers. It has shown that encryption software such as Pretty Good Privacy is effective at keeping sensitive information from police.

Mr. Boucher is currently released under the condition he does not leave Vermont or New Hampshire. Reached at home, he declined to comment. His lawyers and the attorney prosecuting the case also declined.

Ottawa Citizen

Here is a second article that I just found while reasearching the topic to see if it has come up before.



January 7, 2008

If Your Hard Drive Could Testify ...
By ADAM LIPTAK, NY Times


A couple of years ago, Michael T. Arnold landed at the Los Angeles International Airport after a 20-hour flight from the Philippines. He had his laptop with him, and a customs officer took a look at what was on his hard drive. Clicking on folders called "Kodak pictures" and "Kodak memories" the officer found child pornography.

The search was not unusual: the government contends that it is perfectly free to inspect every laptop that enters the country, whether or not there is anything suspicious about the computer or its owner. Rummaging through a computer's hard drive, the government says, is no different than looking through a suitcase.

One federal appeals court has agreed, and a second seems ready to follow suit.

There is one lonely voice on the other side. In 2006, Judge Dean D. Pregerson of Federal District Court in Los Angeles suppressed the evidence against Mr. Arnold.

"Electronic storage devices function as an extension of our own memory" Judge Pregerson wrote, in explaining why the government should not be allowed to inspect them without cause. "They are capable of storing our thoughts, ranging from the most whimsical to the most profound."

Computer hard drives can include, Judge Pregerson continued, diaries, letters, medical information, financial records, trade secrets, attorney-client materials and ---the clincher, of course -- information about reporters' "confidential sources and story leads."

But Judge Pregerson's decision seems to be headed for reversal. The three judges who heard the arguments in October in the appeal of his decision seemed persuaded that a computer is just a container and deserves no special protection from searches at the border. The same information in hard-copy form, their questions suggested, would doubtless be subject to search.

The United States Court of Appeals for the Fourth Circuit, in Richmond, Va., took that position in a 2005 decision. It upheld the conviction of John W. Ickes Jr., who crossed the Canadian border with a computer containing child pornography. A customs agent's suspicions were raised, the court's decision said, "after discovering a video camera containing a tape of a tennis match which focused excessively on a young ball boy."

It is true that the government should have great leeway in searching physical objects at the border. But the law requires a little more -- a "reasonable suspicion" -- when the search is especially invasive, as when the human body is involved.

Searching a computer, said Jennifer M. Chac�n, a law professor at the University of California, Davis, "is fairly intrusive." Like searches of the body, she said, such "an invasive search should require reasonable suspicion."

An interesting supporting brief filed in the Arnold case by the Association of Corporate Travel Executives and the Electronic Frontier Foundation said there have to be some limits on the government's ability to acquire information.

"Under the government';s reasoning," the brief said, "border authorities could systematically collect all of the information contained on every laptop computer, BlackBerry and other electronic device carried across our national borders by every traveler, American or foreign." That is, the brief said, "simply electronic surveillance after the fact."

The government went even further in the case of Sebastien Boucher, a Canadian who lives in New Hampshire. Mr. Boucher crossed the Canadian border by car about a year ago, and a customs agent noticed a laptop in the back seat.

Asked whether he had child pornography on his laptop, Mr. Boucher said he was not sure. He said he downloaded a lot of pornography but deleted child pornography when he found it.

Some of the files on Mr. Boucher's computer were encrypted using a program called Pretty Good Privacy, and Mr. Boucher helped the agent look at them, apparently by entering an encryption code. The agent said he saw lots of revolting pornography involving children.

The government seized the laptop. But when it tried to open the encrypted files again, it could not. A grand jury instructed Mr. Boucher to provide the password.

But a federal magistrate judge quashed that subpoena in November, saying that requiring Mr. Boucher to provide it would violate his Fifth Amendment right against self-incrimination. Last week, the government appealed.

The magistrate judge, Jerome J. Niedermeier of Federal District Court in Burlington, Vt., used an analogy from Supreme Court precedent. It is one thing to require a defendant to surrender a key to a safe and another to make him reveal its combination.

The government can make you provide samples of your blood, handwriting and the sound of your voice. It can make you put on a shirt or stand in a lineup. But it cannot make you testify about facts or beliefs that may incriminate you, Judge Niedermeier said.

"The core value of the Fifth Amendment is that you can't be made to speak in ways that indicate your guilt," Michael Froomkin, a law professor at the University of Miami, wrote about the Boucher case on his Discourse.net blog.

But Orin S. Kerr, a law professor at the George Washington University, said Judge Niedermeier had probably gotten it wrong. "In a normal case," Professor Kerr said in an interview, "there would be a privilege." But given what Mr. Boucher had already done at the border, he said, making him provide the password again would probably not violate the Fifth Amendment.

There are all sorts of lessons in these cases. One is that the border seems be a privacy-free zone. A second is that encryption programs work. A third is that you should keep your password to yourself. And the most important, as my wife keeps telling me, is that you should leave your laptop at home.

What's your password, Hoover? Don't worry, I won't tell anyone.

"JB_is_great!" Isn't that what everyone else uses???

I thought your name was Dustan...?

Maybe if your actual password is "I confess to <some specific crime>" it would give you another method to claim the 5th.

On the other hand it would sink your defense if the random guesser software ever actually guessed it.

Child porn defendant locked up after ZIP file encryption broken

Posted by Declan McCullagh, NEWS.com 1/16/08

Government investigators were able to easily break the ZIP file encryption that a Texas man allegedly used to conceal illegal images, a recent court case shows.

The investigation of John Craig Zimmerman began when his employer, the Brownsville Fire Department, received an anonymous voice message in February 2007 alleging that Zimmerman was a pedophile and had child pornography on his department-owned work computer. A city programmer named Albert Castillo searched Zimmerman's computer and found adult pornography (technically a violation of department policy but not a crime) on an external hard drive.

What Castillo also found were some password-protected ZIP files titled "Cindy 5." Castillo apparently used a program called Zipkey 5.5 to brute-force at least some of the password-protected files and find images of a partly naked minor.

Homeland Security's Immigration and Customs Enforcement agents were called in, and volunteered that they had information from a previous investigation showing that Zimmerman previously bought a membership on a child porn Web site. (Left unanswered is why, if that was in fact the case, ICE never did anything about it.)

What happened next: Zimmermann's home was raided with a search warrant, additional images he allegedly took himself were found, he was indicted on counts of receiving and possessing child pornography, and he pleaded no contest except to say that the images had nothing to do with interstate commerce. In an opinion dated December 20, U.S. District Judge Andrew Hanen said there was a "rational basis" to assume that child pornography transmissions related to interstate commerce.

I mention this case not to show that there's something remarkable about decrypting one of the older ZIP archives: the symmetric encryption algorithm used has long been known to be anything but secure. Newer WinZip archives, starting with WinZip 9.0, use more secure 128- and 256-bit key AES encryption.

The reason I'm mentioning this case is to argue that as encryption becomes more widespread--it's part of OS X and Vista, after all--police will encounter it more frequently, and not just in cases involving illegal images. And not all encrypted files will be as easy to brute-force. Which means that the outcome of the Boucher case becomes more important than ever.

I found this on the Texas Tech law prof blog.


Enycryption In Child Porn Case Raises Constitutional Issues

The Washington Post is reporting on the Case of In Re Boucher, 2007 WL 4246473, decided November 29th 2007. Approximately a year before, on December 17, 2006, Boucher and his father crossed from Canada into the United States at a border station in Derby Line, Vermont. Boucher's car was subjected to inspection and the border agent viewed the contents of a laptop in the back seat of the car. The agent found suspected child pornography while viewing the contents of the laptop. The border agent contacted Special Agent Mark Curtis to continue the examination and questioning of Boucher.

Boucher made statements to the effect that he downloaded adult pornography and sometimes came across child pornography but promptly deletes it when he realizes its contents. Some of the files Agent Curtis saw in the directory were named in a manner that strongly suggested the content was, indeed, child pornography. He then asked Boucher to show him where his downloads were located on the laptop. Boucher navigated to drive Z where Agent Curtis located and viewed content that appeared to be adult and child pornography. After more examination, Boucher was arrested.

This would be a pretty straightforward case but for the fact that when government forensic experts examined the laptop, they could not get into drive Z because it was encrypted by Pretty Good Privacy (PGP) encryption software. The issue in the case was whether Boucher could be compelled to give up the password that allowed access to the drive. The obvious problem for the government and the court was the bar to self-incrimination as stated in the Fifth Amendment.

The government argued that it could compel Boucher to enter the password when no one was looking and give him immunity for the act of entering the password, which is different from using the underlying unencrypted content against him. The court rejected this argument by stating that by entering the password Boucher would be admitting that he knows what it is. This would be testimonial and barred by the Fifth Amendment.

There were variations on this argument of separating the act of providing the password to the production of the documents, but, with analysis, the court ultimately rejected all of them. The result was that court quashed the motion to compel. The government must get access to the hard drive without Boucher's involuntary cooperation.

Two lessons emerge. One is that PGP software is likely as good as the name implies in that government witnesses testified that there are no back doors or other hacks into encrypted material without the password. One assumes that having the laptop and mirrors of the drive in their possession that the government has made more than a casual attempt at cracking the encryption. On the other hand, the government may be attempting to establish a legal precedent before using hardened methods at gaining access. Why waste the effort when a court will give access.

This still has to go to the Second Circuit and possibly to the U.S. Supreme Court. The charged issue of child pornography and the possibility of terrorists using encryption are in the underlying context of an appeal. One point worth noting, however, is that PGP encryption software isn't exactly new compared to these "threats" of criminal activity. In fact, the government uses encryption for its own purposes, and would probably object if there were cracks that would leak its own documents. Banks and other entities that are required by law to protect sensitive documents have the same concern. The question is how to keep those levels of security available without compromising the Fifth Amendment when individuals are involved. I don't think that's possible. The Supreme Court can always surprise us. You never know, waterboarding may be an option when tortured logic is involved.

To show that this issue is nothing new and that, in fact, the government has been crying about this for a long, long time, just look at this article I dug up from the NY Times from 1995!

PGP software has been around for a very long time, and for $159.00, it is quite cheap and effective.


September 25, 1995
TECHNOLOGY: ON THE NET; The F.B.I. sting operation on child pornography raises questions about encryption.

By PETER H. LEWIS
FEDERAL agents swooped down on more than 125 homes and offices across the United States on Sept. 13, seizing computers and diskettes from people suspected of trafficking in child pornography over the America Online network. But to date, the number of arrests in the sting operation remains at 15.

More arrests are expected, but why haven't more occurred?

Last week, Louis J. Freeh, the director of the F.B.I., offered an oblique explanation for the seemingly low initial success rate.

At least some of the suspected child pornographers had used data encryption software, Mr. Freeh said Thursday in remarks at an International Cryptography Institute conference in Washington. In other words, they had scrambled their computer files so that only someone with the password -- or with proper code-breaking skills -- could view the contents.

Mr. Freeh wisely did not say whether the F.B.I. agents were able to decipher the encrypted files seized in the investigation. It would be foolhardy, from a law-enforcement perspective, to tip one's hand.

If the head of the F.B.I. acknowledged that his agency was powerless to crack a cryptography program like Pretty Good Privacy, the stampede for that software on the Internet would make the run on Windows 95 look puny.

From a political perspective, Mr. Freeh's coyness is shrewd as well. By making even a subtle suggestion that some child pornographers may walk free because of unbreakable cryptography, he gains more leverage in seeking Government-mandated controls over the use of encryption technology.

Mr. Freeh said that encryption was a "public safety" issue, and he said law-enforcement agencies around the world "will not tolerate" the use of private data encryption to impede investigations. He said encryption had also been encountered in the Philippines in a plot to blow up an American jet and to assassinate Pope John Paul II. (In that case, at least, one can presume the code was cracked.)

It seems worthwhile to point out that even if the suspects in the child pornography sting, called Operation Innocent Images, used cryptography, that did not provide evidence that they were doing something illegal. Our legal system is predicated on the belief that one is innocent unless proved guilty, and there is no exception clause for technology.

"Fortunately we are not yet at the point where the mere use of encryption overcomes the presumption of innocence," said David Sobel, staff counsel for the Electronic Privacy Information Center in Washington.

Another point to remember is that the F.B.I. identified more than 100 suspects, and gathered sufficient information to warrant raids, using existing laws and enforcement techniques. On the other hand, there is no denying that child pornographers use data encryption to keep co-workers, family members and police from discovering their secrets.

"We are involved in a couple of jobs every week resolving some kind of a child pornography investigation," said Eric K. Thompson, president of Access Data Inc. of Orem, Utah, a private company that specializes in cracking encrypted files for corporations and Government agencies.

The Government's elite code-breakers at the National Security Administration are prohibited by law from using their talents against American citizens. The F.B.I. has its own code-cracking experts, but it routinely calls on independent experts like Access Data to help on some cases.

After eight years of breaking into encrypted files, ranging from situations involving secretaries who simply forgot their passwords for important memos to cases involving corporate computer systems that were encrypted by disgruntled employees, Mr. Thompson has concluded: "Basically, the criminal element is becoming more computer literate, and they are discovering encryption. Files are becoming more difficult to break."

Dorothy Denning, an expert in cryptography and a professor of computer science at Georgetown University in Washington, said she recognized the importance of encryption for businesses seeking to protect information. At the same time, she said, she also recognized the problems that law-enforcement agencies face because of cryptography.

"So many people had been saying people in law enforcement weren't having this problem, and I didn't believe that," Dr. Denning said. So in May, she said, she spent two days calling sources at law-enforcement organizations. "I came up with over 20 cases -- child pornography, terrorism, murder, embezzlement, fraud, tax protesters, export violations -- and, in some cases, they were able to crack it, and others they couldn't," she said.

What can be done? The Administration's plan is to seek voluntary compliance with a "key escrow" plan, which would enable citizens to use strong, private cryptography as long as a copy of the software "key" were made available to law enforcement officials.

Last week, Mr. Freeh stressed that he preferred a voluntary approach. But "if consensus is impossible" on the encryption issue, he said, the F.B.I. might consider other approaches.

The debate is certain to heat up as more information about Operation Innocent Images becomes known. There are no comforting answers, only an echo of advice from a time predating the Internet: There is no solution. Seek it wisely.

Hey Greg, I hope you're not confusing me with this RTC character. I got to start posting more so there isn't any confusion.

quote:

---

Originally posted by Dustan:
Hey Greg, I hope you're not confusing me with this RTC character. I got to start posting more so there isn't any confusion.

---

This is the best argument for a private forum, right here.

Why do you say that, Fresno Bob? As a dues paying member, I am entitled to post my opinion here just like you are.

Your ability to voice your opinion doesn't make your motives any less suspect.

quote:

---

Originally posted by RTC:
Why do you say that, Fresno Bob? As a dues paying member, I am entitled to post my opinion here just like you are.

---

We have to pay dues!