Friday, February 15, 2008

And the password for your dirty pictures is...



Watch my lips. I use a password so no one else can see what’s on my computer. I have often wondered about this: What happens if a cop or a judge orders you to give them the password for your computer? Do you have to give it to them? After all, you encrypted the damned thing so other people wouldn’t see what’s on it. A Canadian named Sebastien Boucher is in just such a jam in Vermont.

Boucher, who lives in Vermont, crossed the border into the U.S. with his father. Customs agents inspected his laptop computer and found child pornography on it. He was arrested and could face as much as 20 years in prison on the child pornography charge. But after his arrest, they tried to access the files again and found them blocked by Pretty Good Privacy (PGP), an excellent encryption program that requires a password. They asked him for the password and he refused. Can he be forced to give it up?

Boucher said he frequently downloads adult pornography, making him one of, oh, about 20 million people. He says sometimes he accidentally gets a child pornography site and when he sees it, he deletes it.

Now the fun starts.

A grand jury ordered him to give up the password. A federal magistrate quashed the order. See, he can’t be required to give up the password because that would violate his Fifth Amendment right against self-incrimination. Warrants won’t work because a password is not a physical thing like a container or a house. It exists only in his mind, the magistrate wrote. You can’t issue a warrant on the brain. The feds could turn the computer over to the computer boffins at, say, the FBI or NSA, but the only thing they can do is run an automated guessing program, and that could take decades to bust.

The government, of course, has appealed. Good luck to Mr. Boucher.

Programs like PGP (I’ve used it) base the encryption on a program that generates random numbers. Every time you encrypt something, the program issues a password based on that number that can be used to decrypt the file. You need to know the number to unlock the encryption. Many programs, including probably the browser you are reading this on, have encryption, although programs like PGP are for hiding specific items or disks and are virtually unbreakable. Many businesses use it, and even intelligence groups hide files with PGP.

For years, security experts have worried that someone (probably the buffoons in Congress) would require encryption programs to include a “backdoor” so that the government or law enforcement agencies could break them quickly. This was especially true after 9/11, although there is no evidence 9/11 had anything to do with encrypted messages. There were wild rumors after Microsoft released Vista that it came with a backdoor, and after the government issued new encryption standards, the web was alive with rumors the NSA had slipped a backdoor into the code. The rumor was reinforced by the fact the standards were sloppy, and what would you expect from our government? Both rumors appear at this time to be erroneous.

So far, it appears, there are no backdoors yet, and the law so far is on Boucher’s side. If I encrypt something I have absolutely no obligation to reveal the password. So far.