Pretty Good Privacy is Pretty Legally Protected

Posted 01/10/08 at 04:17:00PM | by

Erin Simon

A federal magistrate judge has ruled that a criminal suspect has a Fifth Amendment right not to divulge his PGP passphrase. The suspect, Sebastian Boucher, was charged with transporting child pornography on his laptop across the US-Canadian border. Customs agents had searched Boucher's laptop in December 2006 and found kiddie porn on the Z drive without entering a password. Boucher was arrested and the laptop was shut down. When investigators later tried to access the Z drive again, they found it encrypted with Pretty Good Privacy. Prosecutors then got a grand jury to issue a subpoena ordering Boucher to turn over his password. He refused, and prosecutors offered to let him type the password into the laptop with nobody looking. Magistrate Judge Jerome Niedermeier quashed (read as: cancelled) the subpoena, finding that even the prosecutors' compromise would require Boucher to give protected evidence against himself.

The Fifth Amendment protects against self-incrimination, but not everything that might incriminate you falls within that protection. For example, you can be forced to turn over your fingerprints, blood, or handwriting, because it's already obvious that you have fingerprints, blood, and can write. The inquiry hinges on whether the what you're being asked to do is "testimonial," whether it divulges facts about you and what you know. The Supreme Court has analogized the difference between testimonial and nontestimonial acts to the difference between the combination to a lock and a physical key; you can be compelled to turn over a key, but being forced to turn over a combination would reveal that you knew the combination. Revealing the contents of your mind is testimonial, so it's protected by the Fifth Amendment.

Magistrate Judge Niedermeier found the PGP passphrase more akin to a combination, because inputting the password would reveal that Boucher actually knew the password. Whether people have a Fifth Amendment right to keep their passwords private has been debated in legal scholarship for a long time; this is the first published decision to enter the fray. Don't think this settles the issue, though. Magistrate judges are low on the totem pole, so expect this to be appealed.

View / Add Comment(s)

-ADVERTISEMENT-

RELATED CATEGORIES

News & Views
The Law Blog

FWD: The Fourth Amendment and Your Email The government can't snoop in your email without probable cause (at least in Ohio) (at least for now).

Does Google's Street View Encroach on Personal Privacy Rights? Google adds street-level images to its map site, but some people are concerned about the company peeking into their windows

Better Know A Statute: 47 U.S.C. § 230 The inaugural part of our Better Know A Statute series welcomes the esteemed Communications Decency Act Section 230, granting immunity since 1996.

Comments

login or register to post comments

if they had already accessed

Submitted by soggybomb on Thu, 2008-01-10 16:41.

if they had already accessed the laptop's drive, it wouldn't be self-incrimination, because they already found the incriminating evidence. the person later just tried to bury it.

The primary investigation -

Submitted by erin on Tue, 2008-01-15 09:57.

The primary investigation - when the guy was first stopped and agreed to let customs agents look at his laptop - showed some files with names that indicated that they were child pornography. It didn't reveal the entire contents of the computer, and turning over the password would give agents access to /every/ file on the drive, not just the ones the first investigator saw.

When that first investigation happened, the laptop had been on - presumably Boucher had already input the password that session. When the laptop was rebooted, the PGP reset and needed a password again.

Criminals have more rights

Submitted by DiRTDOG on Thu, 2008-01-10 17:39.

Criminals have more rights than innocent people... very sad.

Look at it this way...

Submitted by ogman on Thu, 2008-01-10 18:55.

While I understand and even agree with the sentiment of your comment, here's a different way to think about it. Criminals often end up unintentionally protecting the rights of the innocent. This alleged criminal merely brought to the courts attention an issue that could effect innocent people. Because of this, you now know that you can legally protect your privacy using an encryption tool and some government entity will not be able to force you to reveal it. Unfortunately, these issues are rarely brought to the legal systems attention without at least the allegation of wrongdoing.

I find the whole tale a bit suspect.

Submitted by HeartBurnKid on Fri, 2008-01-11 10:40.

If the drive wasn't encrypted before, why would it be encrypted when the police went in for a second look? Drives don't just encrypt themselves, and since the man was under arrest, I doubt they let him have access to the laptop... The whole story just stinks, like maybe he wouldn't open up the encrypted drive for the customs agents and they just decided to charge him with child pornography.

The PGP only went into

Submitted by Shalbatana on Fri, 2008-01-11 11:27.

The PGP only went into effect when the HD was rebooted. Presumably when they first looked at teh laptop, it was already started up.

My question is, is pgp really that good? Are you telling me that no one in the police/FBI (whatever) can get around the encryption? Or is that against the rules as well? If they can't defeat it, then hell...I want that encryption.

Not that I'm hiding anything like he is. I just don't want people to access my passwords, files, etc.

There's no time like the future.

So what, he was cruising

Submitted by HeartBurnKid on Fri, 2008-01-11 15:35.

So what, he was cruising down the street with his laptop on, looking at the kiddie porn behind the wheel? Yikes, and I thought people yakking on cell phones was bad...

The rest of the story

Submitted by LEO on Fri, 2008-01-11 19:57.

Google the article. The guy crossed the border, was stopped and input his password. The child porn was found and he was arrested. Of course someone turned off the computer and did not obtain his password first. It wasn't until the investigators tried to retrieve the images for court that this 5th admendment issue was raised.

PGP

Submitted by kanehi on Sun, 2008-01-20 05:23.

Ever since it's inception the government already had problems with PGP. The government had a difficult time cracking the code even with a simple one word password.

You have to remember the Bill of Rights is there to protect the citizens. It protects both the innocent and accused. It's flawed but it's better than nothing.

- Advertisement -