Giving Up The Password Gives Up Much More
September 12, 2016 (Fault Lines) — At oral argument before the 3d Circuit, the tired old analogies made their required appearances. This time, an ex-cop from Philly, Francis Rawls, had his butt on the line. He was believed to possess child porn on his encrypted computer, but the cops couldn’t prove it because they couldn’t gain access. What they wanted was his password.
If police think someone has child pornography on his computer, should investigators be able to force him to provide his passwords – or would that violate his constitutional right against self-incrimination?
That issue was at the heart of an appellate hearing Wednesday in federal court in Philadelphia in the case of Francis Rawls, a former Philadelphia police sergeant, who has not been charged with a crime but who has been in custody for nearly a year in contempt of court for failing to unlock his encrypted electronic devices.
Even though this battle has been fought in other cases before other courts, it has yet to be resolved. And so the same old arguments are made.
“Are you asking us to ignore the Fourth Amendment?” asked Judge Thomas I. Vanaskie of the U.S. Court of Appeals for the Third Circuit.
It was one of two amendments the judges regularly referenced during the hearing. The other was the Fifth Amendment, which Rawls’ attorneys believe protects his right to keep his passwords to himself.
Rawls was ordered to divulge his password, but told the judge he forgot. The judge didn’t buy it.
On Sept. 30, 2015, a federal judge – who did not believe Rawls’ explanation – found him in contempt of court and ordered him taken into custody, according to court documents. The next month, Rawls was fired from the Police Department.
Nathan Judish, an assistant U.S. attorney, argued Wednesday that a computer password was like a key to a safe, which authorities can force suspects to turn over if police already know what’s inside.
Much as it may seem to some that proclaiming “I forgot” will get you off the hook, don’t count on it. Judges make credibility judgments, and this one is pretty obvious. It’s not going to save you, no matter how brilliant a response you think it is.
But then, is a password “like a key to a safe”? On the surface, this analogy may have some appeal, and it’s certainly what the government contends, since a key is a physical object and no one is entitled to keep physical evidence from the government’s clutches. But it’s a poor analogy, because a password isn’t at all like a key. It’s not a thing, but an operation of the mind. It reveals that a person has knowledge as well as possession of that knowledge, and as a thought in a person’s head, is protected by the Fifth Amendment privilege against self-incrimination.
But as Rob Graham explains, and as may elude many lawyers because we just don’t know or think enough about how computers and encryption function, the revelation of a password discloses far more than just the password itself.
Passwords have content. This paper focuses on one real, concrete example, but let’s consider some hypothetical cases first.
As is well-known, people often choose the birth dates of their children as the basis for passwords. Imagine a man has a password “emily97513” — and that he has an illegitimate child named “Emily” who was born on May 13, 1997. Such a password would be strong evidence in a paternity suit.
As is well-known, people base passwords on sports teams. Imagine a password is “GoBears2017”, strong evidence the person is a fan of the Chicago Bears, despite testimony in some case that he’s never been to Chicago.
But these are hypos. So what? If you didn’t pick a stupid password based on your pet’s favorite chow, who cares? Well, that’s not all passwords reveal.
But these are hypotheticals; now let’s consider a real situation with passwords. Namely, good passwords are unique. By unique we mean that good passwords are chosen such that they are so strange that nobody else would ever have chosen that password. When signing up for websites, we’re often advised to use a range of symbols and numbers. This helps deter people from being able to guess what your password is. Although, due to the complexity of the passwords we’re asked to supply, many people seem to forget their passwords. This leads to more people using different password managers; however, there is debate about which is the safest. Reading some lastpass vs dashlane reviews can always help people decide which one to use. Passwords are often far too complex, to the point where people need to store them in an application to remember them.
For example, Wikileaks published many “insurance” files — encrypted files containing leaks that nobody could decrypt. This allowed many people to mirror leak data without actually knowing the contents of the leaks. In a book on Wikileaks, the Guardian inadvertently disclosed that the password to the Manning leaks was ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#. It was then a simple matter of attempting to decrypt the many Wikileaks insurance files until the right one was found.
In other words, the content of the password was used to discover the files it applied to.
Much as the password is useful to the government to unlock what’s known, it can similarly lead to what’s unknown, at least until they have the password. But wait, there’s more!
Another example is password leaks. Major sites like LinkedIn regularly get hacked and get account details dumped on the Internet. Sites like HaveIBeenPwned.com track such leaks. Given a password, it’s possible to search these dumps for corresponding email addresses. Thus, hypothetically, once law enforcement knows a person’s password, they can then search for email accounts the user might hold that they might not previously have known about.
Statistically, passwords are even more unique (sic) than fingerprints, DNA testing, and other things police regularly rely upon (though often erroneously) as being “unique”. Consider the password kaJVD7VqcR. While it’s only 10 characters long, it’s completely unique. I just googled it to make sure — and got zero hits. The chance of another random 10-character password matching this one is one in 10^18. In other words, if a billion people each chose a billion random passwords, only then would you have a chance that somebody would pick this same random password.
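The arithmetic behind the billion-times-a-billion figure, worked through as an added example (not from the original post or from Rob Graham). It assumes the password is drawn uniformly from the 62 upper-case letters, lower-case letters and digits; the function names are illustrative. The last function answers a separate question: whether any two passwords in a set coincide, rather than whether one matches a given target.

```python
import math
import string

# Assumption: a 10-character password drawn uniformly from
# upper-case letters, lower-case letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of the given length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def p_target_hit(draws, space):
    """Chance that at least one of `draws` random passwords equals one
    fixed target: 1 - (1 - 1/space)**draws, computed stably."""
    return -math.expm1(draws * math.log1p(-1.0 / space))


def p_any_pair_collides(draws, space):
    """Birthday approximation: chance that any two of `draws` random
    passwords are equal, 1 - exp(-draws*(draws-1) / (2*space))."""
    return -math.expm1(-draws * (draws - 1) / (2.0 * space))


if __name__ == "__main__":
    space = keyspace(10)
    print(f"keyspace       : {space:.3e}")
    print(f"entropy        : {entropy_bits(10):.1f} bits")
    # A billion people each choosing a billion passwords = 10**18 draws.
    print(f"target, 1e18   : {p_target_hit(10**18, space):.3f}")
    # One billion random passwords in total.
    print(f"target, 1e9    : {p_target_hit(10**9, space):.2e}")
    print(f"any pair, 1e9  : {p_any_pair_collides(10**9, space):.3f}")
```
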
The point isn’t to exhaust the possible uses to which the disclosed password could be put, far beyond its justification for disclosure. Rather, the point is that neither lawyers nor judges, nor the analogies we use to overcome the fact that we struggle to grasp and appreciate how the law developed for the physical world applies so poorly to the digital world, are aware of the scope to which such things as passwords apply. We really don’t understand the extent of damage disclosure can produce, or the content it reveals.
To guys like Rob Graham, whose days are spent living and breathing digital security as opposed to making analogies to compensate for our lack of knowledge and understanding, the potential damage that can flow from judges ordering the disclosure of passwords is beyond the court’s comprehension and appreciation.
No, this is no key to a safe. If anything, it’s a master key to a person’s life, including whatever the government has yet to learn about. And while the government won’t mind finding it, this is not what the judge meant when he ordered disclosure.