Mimesis Law
24 September 2017

Giving Up The Password Gives Up Much More

September 12, 2016 (Fault Lines) — At oral argument before the 3d Circuit, the tired old analogies made their required appearances. This time, an ex-cop from Philly, Francis Rawls, had his butt on the line.  He was believed to possess child porn on his encrypted computer, but the cops couldn’t prove it because they couldn’t gain access. What they wanted was his password.

If police think someone has child pornography on his computer, should investigators be able to force him to provide his passwords – or would that violate his constitutional right against self-incrimination?

That issue was at the heart of an appellate hearing Wednesday in federal court in Philadelphia in the case of Francis Rawls, a former Philadelphia police sergeant, who has not been charged with a crime but who has been in custody for nearly a year in contempt of court for failing to unlock his encrypted electronic devices.

Even though this battle has been fought in other cases before other courts, it has yet to be resolved. And so the same old arguments are made.

“Are you asking us to ignore the Fourth Amendment?” asked Judge Thomas I. Vanaskie of the U.S. Court of Appeals for the Third Circuit.

It was one of two amendments the judges regularly referenced during the hearing. The other was the Fifth Amendment, which Rawls’ attorneys believe protects his right to keep his passwords to himself.

Rawls was ordered to divulge his password, but told the judge he forgot. The judge didn’t buy it.

On Sept. 30, 2015, a federal judge – who did not believe Rawls’ explanation – found him in contempt of court and ordered him taken into custody, according to court documents. The next month, Rawls was fired from the Police Department.

Nathan Judish, an assistant U.S. attorney, argued Wednesday that a computer password was like a key to a safe, which authorities can force suspects to turn over if police already know what’s inside.

Much as it may seem to some that proclaiming “I forgot” will get you off the hook, don’t count on it. Judges make credibility judgments, and this one is pretty obvious. It’s not going to save you, no matter how brilliant a response you think it is.

But then, is a password “like a key to a safe”? On the surface, this analogy may have some appeal, and it’s certainly what the government contends, since a key is a physical object and no one is entitled to keep physical evidence from the government’s clutches. But it’s a poor analogy, because a password isn’t at all like a key. It’s not a thing, but an operation of the mind. Producing it reveals that the person knows it, and that knowledge, a thought in a person’s head, is what the Fifth Amendment privilege against self-incrimination protects.

But as Rob Graham explains, and as may elude many lawyers because we just don’t know or think enough about how computers and encryption function, revelation of a password discloses far more than just the password itself.

Passwords have content. This paper focuses on one real, concrete example, but let’s consider some hypothetical cases first.

As is well-known, people often choose the birth dates of their children as the basis for passwords. Imagine a man has a password “emily97513” — and that he has an illegitimate child named “Emily” who was born on May 13, 1997. Such a password would be strong evidence in a paternity suit.

As is well-known, people base passwords on sports teams. Imagine a password is “GoBears2017”, strong evidence the person is a fan of the Chicago Bears, despite testimony in some case that he’s never been to Chicago.

But these are hypos. So what? If you didn’t pick a stupid password based on your pet’s favorite chow, who cares? Well, that’s not all passwords reveal.

But these are hypotheticals; now let’s consider a real situation with passwords. Namely, good passwords are unique. By unique we mean that good passwords are chosen such that they are so strange that nobody else would ever have chosen that password.

For example, Wikileaks published many “insurance” files — encrypted files containing leaks that nobody could decrypt. This allowed many people to mirror leak data without actually knowing the contents of the leaks. In a book on Wikileaks, the Guardian inadvertently disclosed that the password to the Manning leaks was ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#. It was then a simple matter of attempting to decrypt the many Wikileaks insurance files until the right one was found.

In other words, the content of the password was used to discover the files it applied to.
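What that looks like in practice, as an added example written for this page rather than code from the post or from Rob Graham: a set of encrypted blobs, each carrying a salt and an HMAC tag under a PBKDF2-derived key, and a single known passphrase tried against every one of them. The file names, salts and payload bytes are constructed; the only string taken from the page is the passphrase itself. The point the code makes is that recognising the right file never requires decrypting anything, because the same password-verification step every password-protected archive performs is enough.

```python
"""Which encrypted file does a known passphrase open?

Added example, written for this page; it is not code from the original post or
from Rob Graham. It models the insurance-file scenario with a generic
password-based scheme: each file carries a random salt, and an HMAC-SHA256 tag
computed under a PBKDF2-derived key over the ciphertext. Checking a passphrase
against a file is the same verification step any password-protected archive or
authenticated-encryption scheme performs, and it never requires decrypting the
payload. File names, salts and payload bytes are constructed here.
"""
import hashlib
import hmac
import os
from typing import Dict, List

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, not from the post


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


def seal(passphrase: str, ciphertext: bytes) -> Dict[str, bytes]:
    """Attach a salt and a tag so the correct passphrase can be recognised later.

    The payload is treated as opaque ciphertext; only the tag matters for matching.
    """
    salt = os.urandom(16)
    tag = hmac.new(derive_key(passphrase, salt), ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def opens(passphrase: str, blob: Dict[str, bytes]) -> bool:
    """True iff the passphrase verifies the blob's tag (constant-time compare)."""
    key = derive_key(passphrase, blob["salt"])
    expected = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob["tag"])


def find_matching_files(passphrase: str, files: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Try one passphrase against every file and return the names it opens.

    A unique passphrase opens exactly one file, so the passphrase by itself
    identifies which ciphertext it belongs to.
    """
    return [name for name, blob in files.items() if opens(passphrase, blob)]


# Constructed sample: three opaque "insurance files", each sealed under a
# different passphrase. The known one is the string quoted in the post.
KNOWN_PASSPHRASE = "ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#"
INSURANCE_FILES = {
    "file-1.enc": seal("some other long passphrase", os.urandom(64)),
    "file-2.enc": seal(KNOWN_PASSPHRASE, os.urandom(64)),
    "file-3.enc": seal("yet another passphrase", os.urandom(64)),
}

if __name__ == "__main__":
    print(find_matching_files(KNOWN_PASSPHRASE, INSURANCE_FILES))  # ['file-2.enc']
```

The cost of the scan is one key derivation per file, independent of file size, and the files can be checked in parallel. That is what turns a sufficiently unusual passphrase into an identifier: whoever holds it can pick out the matching ciphertext from any collection, mirrors included, without ever having been told which file it belonged to.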

Much as the password is useful to the government to unlock what’s known, it can just as easily lead to what’s unknown, at least until they have the password. But wait, there’s more!

Another example is password leaks. Major sites like LinkedIn regularly get hacked and get account details dumped on the Internet. Sites like HaveIBeenPwned.com track such leaks. Given a password, it’s possible to search these dumps for corresponding email addresses. Thus, hypothetically, once law enforcement knows a person’s password, they can then search for email accounts the user might hold that they might not previously have known about.
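The pivot Graham describes, as an added example written for this page and not code from the post, from Rob Graham or from HaveIBeenPwned: a known password is looked up across several breach dumps and the matching e-mail addresses come back. The dump lines are constructed, reusing the post’s own example string kaJVD7VqcR as the known password, in three storage formats that real dumps have used: plaintext, unsalted SHA-1 (the form the 2012 LinkedIn dump took) and salted SHA-256 stored as “salt$hash”. Nothing in it touches the network.

```python
"""Pivot from a known password to the accounts that used it.

Added example written for this page, not code from the post, from Rob Graham or
from HaveIBeenPwned. The dump lines are constructed, using the post's own example
string kaJVD7VqcR as the known password, in three storage formats seen in real
dumps: plaintext, unsalted SHA-1 (the form of the 2012 LinkedIn dump) and salted
SHA-256 recorded as "salt$hash". Nothing here touches the network.
"""
import hashlib
from typing import Iterable, List, Tuple


def _split(line: str) -> Tuple[str, str]:
    email, _, secret = line.partition(":")
    return email, secret


def emails_with_plaintext(password: str, lines: Iterable[str]) -> List[str]:
    """Plaintext dumps: a direct string match."""
    return [email for email, secret in map(_split, lines) if secret == password]


def emails_with_sha1(password: str, lines: Iterable[str]) -> List[str]:
    """Unsalted dumps: hash the known password once, then match every record."""
    target = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return [email for email, secret in map(_split, lines) if secret.lower() == target]


def emails_with_salted_sha256(password: str, lines: Iterable[str]) -> List[str]:
    """Salted dumps: no precomputed table helps, but with the salt stored beside the
    hash a per-record recomputation still finds every account using the password."""
    hits = []
    for email, secret in map(_split, lines):
        salt, _, digest = secret.partition("$")
        if hashlib.sha256(salt.encode() + password.encode()).hexdigest() == digest:
            hits.append(email)
    return hits


def hibp_range_query(password: str) -> Tuple[str, str]:
    """The k-anonymity shape of HaveIBeenPwned's Pwned Passwords range API: only the
    first five hex characters of SHA-1(password) are sent; the caller matches the
    remaining 35 locally against the returned list. It yields occurrence counts, not
    e-mail addresses, so the password-to-account pivot needs the raw dumps above."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed sample dumps (three sources, three formats).
DUMP_PLAINTEXT = [
    "alice@example.com:kaJVD7VqcR",
    "bob@example.net:GoBears2017",
]
DUMP_SHA1 = [
    "second.account@example.org:" + hashlib.sha1(b"kaJVD7VqcR").hexdigest(),
    "carol@example.com:" + hashlib.sha1(b"password123").hexdigest(),
]
DUMP_SALTED = [
    "alice.alt@example.com:5f3a$" + hashlib.sha256(b"5f3a" + b"kaJVD7VqcR").hexdigest(),
    "dave@example.com:9b10$" + hashlib.sha256(b"9b10" + b"hunter2").hexdigest(),
]


def accounts_for_password(password: str) -> List[str]:
    """Every e-mail address, across all dumps, that was protected by this password."""
    found = (emails_with_plaintext(password, DUMP_PLAINTEXT)
             + emails_with_sha1(password, DUMP_SHA1)
             + emails_with_salted_sha256(password, DUMP_SALTED))
    return sorted(set(found))


if __name__ == "__main__":
    print(accounts_for_password("kaJVD7VqcR"))
```

Two things a practitioner would note. Salting does not defeat this lookup; it only rules out a precomputed table, and one fast hash per record over a dump of a few hundred million lines is a matter of minutes. And the more unusual the password, the more certain the pivot: a password that appears in ten million accounts tells you nothing, while one that appears in three tells you those three accounts almost certainly belong to the same person.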

Statistically, passwords are even more unique (sic) than fingerprints, DNA testing, and other things police regularly rely upon (though often erroneously) as being “unique”. Consider the password kaJVD7VqcR. While it’s only 10 characters long, it’s completely unique. I just googled it to make sure — and got zero hits. The chance of another random 10-character password matching this one is one in 10^18. In other words, if a billion people each chose a billion random passwords, only then would you have a chance that somebody would pick this same random password.

The point isn’t to exhaust the possible uses to which the disclosed password could be put, far beyond its justification for disclosure. Rather, the point is that neither lawyers nor judges, nor the analogies we lean on to paper over how poorly law developed for the physical world maps onto the digital one, capture the scope of what a password reaches. We really don’t understand the extent of damage disclosure can produce, or the content it reveals.

To guys like Rob Graham, whose days are spent living and breathing digital security rather than reaching for analogies to compensate for what we don’t know, it is plain that the potential damage that can flow from judges ordering the disclosure of passwords is beyond the court’s comprehension and appreciation.

No, this is no key to a safe. If anything, it’s a master key to a person’s life, including whatever the government has yet to learn about. And while the government won’t mind finding it, this is not what the judge meant when he ordered disclosure.

38 Comments on this post.


  • Kyle
    12 September 2016 at 11:05 am - Reply

    Good article, but statistically only strong passwords are likely to be unique. If you look in dumps where people got passwords out, you notice that the most common password is generally something like “12345678”. A random 10-digit character is not what most people have.

    • shg
      12 September 2016 at 11:27 am - Reply

      Generally true, but people inclined to use encryption aren’t the same as those who use 12345678 as a password.

  • Jason Peterson
    12 September 2016 at 12:14 pm - Reply

    But this is Child Porn we’re talking about.

    Don’t you scumbag lawyers ever get tired of setting these sick minded perverts free with your legal technicalities?

  • Jason Peterson
    12 September 2016 at 12:24 pm - Reply

    Yeah, but all the people using encryption are perverts and terrorists.
    Fuck them and fuck their rights.

    The Constitution should only apply to good Americans.

  • Jason Peterson
    12 September 2016 at 12:36 pm - Reply

    Seriously, do you guys think this is an actual attempt to get into this specific computer? Or is this just a “good case” for them to use to set the precedent that they want to set?

    In other words, if at some point it looks like they might not win…What are the chances that the government will suddenly “crack the password” and “drop the case”?

    • shg
      12 September 2016 at 2:30 pm - Reply

      Was it really necessary to start three separate threads?

      • Jason Peterson
        12 September 2016 at 4:05 pm - Reply

        Now that I fixed my reply button…
        Do you have any thoughts on my theory?

        Possible?
        Plausible?
        Dumbest post of the day award?

        • shg
          12 September 2016 at 4:10 pm - Reply

          Hard to say. What’s interesting is that in the earlier cases, there were tons of advocacy groups interested and involved. Not here. No clue why. Other than here, no one seems to be paying attention to this case at all.

  • a leap at the wheel
    12 September 2016 at 1:25 pm - Reply

    On topic question:
    Is there some way to use an independent third party to get the encrypted image from the prosecutor, get the key from the defendant, and return the decrypted data but not the key? This kind of escrow-ish thing is common in the tech world.

    Off topic rant:
    This is another area where Constitutional-Analysis-Via-Analogy is problematic. Not only isn’t the password a key, the ciphertext isn’t a safe. It’s more accurate to say it’s a document that’s really hard to interpret without the contents of a defendant’s mind. We already have good case law that says the government can’t force a defendant to interpret a document for the prosecution, but I guess that doesn’t apply here because it’s hard to grasp, even if it’s a more accurate analogy.

    • Ben
      13 September 2016 at 1:31 pm - Reply

      Your off-topic rant leads to a yet even more ridiculous hypo. What if a defendant hand-wrote a letter in a manual cipher and the prosecution thinks that it’s incriminating. Could a court compel a defendant to decrypt his writing? That seems completely absurd, but how is it really different from this case?

  • Peter Gerdes
    12 September 2016 at 2:09 pm - Reply

    As a practical matter it seems that one could simply agree to decrypt the contents of the file without revealing the password itself.

    What bothers me, however, is that all the discussion of compelled password revelation seems to focus on narrow technical questions without examining what exactly the 5th amendment was designed to do.

    It’s my supposition (but I would like genuine historical insight/research on the point) that the 5th amendment was introduced because people recoiled against the idea that someone could be put on trial for a crime and then threatened with punishment if he didn’t then confess to his crimes, i.e., something seems wrong with punishing a man for refusing to aid in his own criminal conviction. However, if that is indeed the original motivation why would it not apply to supplying the government a password?

    More generally, what would the founders have thought of a court issuing the demand “Show us where you keep your papers that are critical of the crown.” As in the password case the judge could make a credibility call as to the existence of a stash of papers written by the accused critical of the crown (and indeed might have extremely strong evidence of this fact if the accused talked about such an archive and witnesses testified that he had retrieved papers from it to show them) and the very same arguments would seem to apply. Yet I have trouble believing they would not have held the 5th amendment to protect someone who refused to reveal such papers.

    However, I’m just supposing here and I would be grateful if anyone could provide some real information.

    • Peter Gerdes
      12 September 2016 at 2:14 pm - Reply

      I should have been more clear and said the self-incrimination clause of the 5th amendment everywhere I said 5th amendment.

    • Greg Prickett
      12 September 2016 at 6:59 pm - Reply

      The prosecution isn’t going to let him anywhere close to the evidence, promise to unencrypt or not. They would be concerned that he has a “poison pill” program and that he would activate it.

      That’s even considering the fact that the prosecution, if smart, has made several copies of the disk image of the computer in question.

      • Neil
        12 September 2016 at 8:22 pm - Reply

        In that case they could let him work against one of the copies, instead of working with the original.

        • shg
          12 September 2016 at 9:39 pm - Reply

          Greg offered one possibility. There are many others, including reasons we couldn’t possibly know. The point is whether the law allows it, not our speculation as to why they want the password in particular. Assume the govt has reasons why they have sought the password rather than alternatives.

          • Neil
            14 September 2016 at 11:04 am -

            In regards to using his password to get the contents of his other online accounts, if the government can read his email, then for practical purposes they can probably get to the contents of all his associated online accounts by invoking their ‘I forgot my password’ mechanisms.

          • shg
            14 September 2016 at 11:19 am -

            You’re just not getting this at all. Look beyond the mechanics of a single instance and try, just try, to grasp the bigger issue.

      • Dan Rosendorf
        14 September 2016 at 10:46 am - Reply

        If that really is the case then the prosecution is much less technically savvy than I could have imagined in my worst nightmares. Now I admit that I’m going off media reports that claim the software used for encryption is Apple’s FileVault, but for pretty much any remotely standard encryption giving the defendant access (even to the actual computer) in a safe way is a trivial matter. It is much, much easier to give him bulletproof safe access to what they really need him to decrypt, which is pretty much one piece of metadata.

        Assuming there is a reason the prosecution really wants the “contents” of the password, then I have to agree that should be taken to be a testimonial act and thus protected by the 5th amendment. Is there any way to actually figure out what the prosecution wants? Court documents or such?

  • Jason Peterson
    12 September 2016 at 3:46 pm - Reply

    I clicked “Reply” for that second one.
    Maybe you’re button is broken.

  • Jason Peterson
    12 September 2016 at 3:48 pm - Reply

    Yup.
    You’re reply button is busted. (At least in Tor Browser.)

    • shg
      12 September 2016 at 4:11 pm - Reply

      If the reply button is busted, you broke it. You’re in big trouble now.

  • Jason Peterson
    12 September 2016 at 3:49 pm - Reply

    I yes, I know it should be “your”.

  • Jason Peterson
    12 September 2016 at 3:51 pm - Reply

    tHat shoUld saay “And yes”.
    yuo need a eDit butTon.

    • Jason Peterson
      12 September 2016 at 3:57 pm - Reply

      Problem on my end. Sorry.
      I’ll try to remember to disable NoScript before replying, in the future.

    • shg
      12 September 2016 at 4:07 pm - Reply

      Okay, you got me laughing on that one. Well done.

  • Richard G. Kopf
    12 September 2016 at 6:41 pm - Reply

    SHG,

    Fascinating post.

    When analogies don’t work dolts like me are lost. At that point, we make up stuff. A simple password issue as in the Rawls case is hard enough.

    Now think about dual authentication via another device using yet a second password and an affirmative physical response on the second device such as hitting the “approve” option. Answer: Make up more stuff.

    All the best.

    RGK

    • shg
      12 September 2016 at 7:48 pm - Reply

      Whenever I think I have a handle on the technical side, guys like Rob remind me that there is a world of tech about which I know nothing. I am hopelessly behind no matter how hard I try to keep up.

  • Dan Rosendorf
    14 September 2016 at 10:14 am - Reply

    For a long time I felt that providing a password for the decryption of files was of a testimonial nature (in a sense further than just proving that you have access to the data decrypted) and thus should be protected under the fifth amendment. Having read a number of Orin Kerr’s articles on the subject I’m no longer so sure.

    What Mr. Graham points out is true if somewhat hypothetical in some cases, but really there should be no reason for those things to be an issue. For one, I understand (but obviously am not a lawyer) there is the possibility of being given immunity in some way.

    But much more importantly there should be no reason for the government to actually require disclosure of the password in the sense of them needing to know its content. It is quite sufficient and technically feasible (at the very least in this case where the encryption is reported to be Apple’s FileVault) to force the defendant to decrypt the content by entering the password in a way which makes it impossible for the government to ascertain its contents (the password). I don’t want to go into the exact technical details but pretty much you only need to decrypt the encryption key stored in a header which you can give the defendant on a completely different device.

    This becomes a considerably more complex question if the device storing the data (or rather the decryption key) has some sort of auto-destruction mechanism (think smart card with automatic lock). But in that case forcing the defendant to divulge the password as opposed to inputting it in a controlled environment (i.e. again in a way such that the government doesn’t get access to the password) is no different. There is little to prevent the defendant giving the government the wrong password multiple times and thus ensuring the auto-destruction. In reality it’s actually worse in this case since many people remember their passwords at least partially by muscle memory and might have completely legitimate problems reproducing the password on a piece of paper.

    Having said all that I would like to point to one (arguably not very principled) reason for allowing the government to force defendants to perform decryption. There is a very real chance that if it turns out that is not a possibility the government will force backdoors into encryption programs and ban use of encryption programs without such backdoors. Thus we will end up in a much worse situation altogether.

    I strongly believe that people have a right to use strong cryptography to protect their data, but it is I think necessary to admit that strong cryptography is a completely new phenomenon in the world. Never before was there a safe you could make that would be unbreakable given reasonable time and effort (days). Strong cryptography provides a safe that, assuming a flaw is not found in it, protects the data absolutely. No matter how much computing or processing power and time you might have. Consider that an (extreme) lower bound on the amount of energy needed to brute force a 256 bit AES key is 5 years total energy output of the sun.

    We will need to come up with a way to deal with this issue.

    • Sgt. Schultz
      14 September 2016 at 10:58 am - Reply

      (but obviously am not a lawyer)

      You don’t say. Yet, you somehow managed to write that long, boring and totally clueless comment without going anywhere near the point of the post. That takes some mad skillz.

      • shg
        14 September 2016 at 11:20 am - Reply

        I don’t mind that people write incredibly stupid comments. I just wish they’d write shorter incredibly stupid comments.

        • Dan Rosendorf
          15 September 2016 at 4:39 am - Reply

          Hmm. Fair enough but your post doesn’t really match up with the court documents from what I assume is the case http://arstechnica.com/wp-content/uploads/2016/05/govporn.pdf . In these documents it is pointed out that the prosecution was not actually asking for the passwords but rather was compelling the defendant to decrypt the files. The things you talk about in your post all assume that the prosecution actually wanted the passwords but that doesn’t seem to be the case.

          • shg
            15 September 2016 at 6:17 am -

            The post wasn’t about the Philly case, which was merely the lead-in to the point of the post, but about what disclosure of passwords reveals beyond just the password. That’s what all that “Rob Graham” stuff was about. Not everyone is capable of getting past the concrete to grasp the larger conceptual issues.

            As an aside, people who begin comments with “Hmm” tend to be psychotic assholes. I’m not saying you are, but if you don’t want to give that impression, you might want to avoid creating that impression.

          • Dan Rosendorf
            15 September 2016 at 3:00 pm -

            Apparently comments only nest 5 deep so I end up looking like even more of a psychotic asshole by responding to my own post. I understand the point of the testimonial aspect of disclosing a password but I strongly disagree with Mr. Graham in the basic premise of his blog post which is that entering a password is the same as disclosing it.

            In all the court cases I remember (I know not being a lawyer and moreover not having access to westlaw or similar makes this really pulling stuff out of my psychotic asshole) there was no disagreement about the fact that disclosing a password is testimonial. What has been argued about is whether decrypting data by entering a password is testimonial.

          • shg
            15 September 2016 at 9:35 pm -

            I’m going to give it a try and explain the point. Disclosing a password is testimonial, but if that was *all* it was, it could be addressed by immunity or the foregone conclusion doctrine. Graham’s point was that it goes far beyond testimonial, because it can be used for a multitude of purposes that aren’t obvious to lawyers and judges, but are to more computer savvy individuals, including those who work for the govt. He gave non-exhaustive examples to make a larger point about unknown uses to which it can be put, and that we (lawyers and judges) fail to appreciate what we’re giving away when our only concerns are the specific things in front of us and the specific uses of the testimonial acts in court.

            If this doesn’t help you to understand, then there’s nothing more I can do.

      • losingtrader
        15 September 2016 at 7:57 pm - Reply

        I thought Sgt Shultz knew nothing and saw nothing. Meh, too much TV

        • shg
          15 September 2016 at 9:36 pm - Reply

          Not too many people recognize the reference. You’re old.

  • Rex Rollman
    15 September 2016 at 5:49 pm - Reply

    I don’t like this order because, in my opinion, no one should be forced to assist the government in their own prosecution.

  • Derek Ramsey
    9 December 2016 at 11:57 am - Reply

    The disclosed password gives access to everything, including saved passwords in web browsers. The problems Rob gives multiply when one disclosed password leads to more disclosed passwords. If this is a typical person’s main computer, it certainly is the master key to their digital and personal life.

    Technical alternatives include hidden volumes for plausible deniability, two-factor authentication (+ destruction), and long random passwords that must be written down (+ destruction).
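The arrangement several commenters above describe (a leap at the wheel’s escrow-style third party, Peter Gerdes’ “decrypt without revealing the password”, and Dan Rosendorf’s point that only the key stored in the header needs to be decrypted, on a separate device), as an added example written for this page and not code from the post, from any commenter, or from Apple’s FileVault or LUKS. It models the header layout those products share: the data is encrypted under a random volume key, and the header holds that key wrapped under a key-encryption key derived from the password. The password is typed on an isolated device that holds only the header; what comes back is the volume key. Keys, salts and plaintext are constructed, and the cipher is a toy HMAC-SHA256 counter keystream standing in for AES-XTS.

```python
"""Decrypt a volume without the password itself ever changing hands.

Added example written for this page; it is not code from the post, from any
commenter, or from Apple's FileVault or LUKS. It models the header layout those
systems share: data is encrypted under a random volume key, and the header holds
that key wrapped under a key-encryption key (KEK) derived from the password. The
password is typed on an isolated device that holds only the header; what comes
back is the volume key, which decrypts the data without exposing the password.
Keys, salts and plaintext are constructed; the cipher is a toy HMAC-SHA256
counter keystream standing in for AES-XTS.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key-encryption key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with HMAC(key, block offset) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def create_volume(password: str, plaintext: bytes) -> Dict[str, bytes]:
    """Build a volume: header (salt, wrapped volume key, check value) plus data."""
    volume_key = os.urandom(32)
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    wrapped = keystream_xor(kek, volume_key)
    check = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "check": check,
            "data": keystream_xor(volume_key, plaintext)}


def header_only(volume: Dict[str, bytes]) -> Dict[str, bytes]:
    """The only material that goes to the device where the password is typed."""
    return {k: volume[k] for k in ("salt", "wrapped_key", "check")}


def unwrap_volume_key(header: Dict[str, bytes], password: str) -> Optional[bytes]:
    """Defendant's side: returns the 32-byte volume key, or None on a wrong password.
    The password is consumed here and never leaves this function."""
    kek = derive_kek(password, header["salt"])
    expected = hmac.new(kek, header["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["check"]):
        return None
    return keystream_xor(kek, header["wrapped_key"])


def decrypt_volume(volume: Dict[str, bytes], volume_key: bytes) -> bytes:
    """Investigators' side: decrypt with the volume key alone; no password involved."""
    return keystream_xor(volume_key, volume["data"])


def compelled_decryption(volume: Dict[str, bytes], password: str) -> Optional[bytes]:
    """The whole exchange: header out, volume key back, data decrypted."""
    key = unwrap_volume_key(header_only(volume), password)
    return None if key is None else decrypt_volume(volume, key)


if __name__ == "__main__":
    # Constructed volume; the password is one of the post's hypothetical examples.
    vol = create_volume("emily97513", b"constructed volume contents")
    print(compelled_decryption(vol, "emily97513"))
```

Only the header travels to the isolated device, so there is nothing on it for a “poison pill” to destroy, and what comes back is a 32-byte key that opens this one volume and nothing else. The password, and with it everything the post says a password reveals about its owner, stays with the person who typed it. The volume key still opens everything on that volume, saved browser passwords included, which is Derek Ramsey’s point above, and none of this changes the legal question the post is about.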