
Hell I could just say I forgot the key

I had the opportunity to attend a public gathering with Jack Straw during the public consultation of this bill (he was the MP who introduced this law).

The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.

Forgetting the password isn't a defense.

(don't shoot the messenger, I think it's crap too, but I'm just saying they already covered that 'defense').




Oh no really I understand the implications and everything... but let's say you do forget the password, what can they do realistically? It seems highly immoral to throw you in jail because you forgot a password.

Now let's say you're in the middle of a murder case, and it is about to be thrown away because of lack of evidence. So they ask you to provide the key to your encrypted drive, but you've forgotten the key... So now do you go to jail on a life in prison sentence because of it? Do they let you go? Do they keep you in prison while they try to decrypt it which might take millions of years?

I can always say "I forgot, this whole ordeal has affected me psychologically and I can't seem to recall the key because of it". Then what happens? I go to jail for 4 months? Which might be a total injustice since there's a possibility it's actually true. Or maybe it's a loophole for a crook because he might have had to serve life in prison, and now he's only doing 4 months thanks to encryption.

A judge can easily send you to jail if there's proof you did something. The same way your girlfriend can easily send you packing because she has proof you cheated. The question is, can you send your girlfriend packing for cheating if you have no proof? If you have no proof then you're sending her packing because of an idea in your head (not real fact and you might be wrong), which is hardly fair and will probably be looked at with contempt and frowned upon by peers (read the rest of the world). Now can the state send you to jail because it thinks that you have child porn on your hard drive, without ever proving you have it?

What happens then when the state has the power to lock you up without proof?


> I understand the implications and everything

I don't think you do.

> I can always say "I forgot[...]" Then what happens? I go to jail for 4 months?

No, you go to jail for a few months and then they take you back to court to see if your memory has improved. If you don't have the key or if you produce a key that doesn't reveal the data they wanted it to, you go back to jail for longer.

If you can't produce the data the state demands, either because it isn't there or never existed, or because you really forgot, then you can stay in jail the rest of your life.

That is the purpose, goal, and implication that so-called law enforcement wished for and got from data investigation rules.


I said realistically. From what I've seen this "lost my password" is in the US a non-issue, and in the UK it warrants a few months of jail time (treated as a misdemeanor depending on the severity of the charges). In any case, it's almost impossible to prove intent in cases like this. It can't be treated as obstruction of justice because the drives were not encrypted after the fact. And intent can't be proven, so at max you get a misdemeanor charge, fines and a year in jail (using US law as a basis for time served).


I'm pretty sure that there is a limit to the amount of time you can spend in jail for that (only a few months), at least for criminal cases.

I remember reading about a guy who was basically given an indefinite jail sentence in a civil case because the judge didn't believe that he really lost all his money in poor investments.

However I remember that the article highlighted the distinction between criminal and civil cases.


Wow, that's an interesting point of view (as enshrined in law). For example, I own some DVDs or say Blu-Ray discs. Shouldn't the company provide me the key to decrypt them in case the police want to decrypt them? I suspect those companies wouldn't appreciate that.

Also, since encrypted data, if done properly, is very hard to distinguish from random noise, and people often use writes with random noise as a secure erasure technique, it could also be that you erased that data? That is a thorny issue as well.

Is "I erased the data on that drive securely using random bits" a valid defense?


It is a valid defense if you deleted the data before the investigation took place. If you did so with the intent of destroying evidence (of course, after the investigation starts) you're obstructing justice, which carries a maximum sentence of 20 years in the U S of A.


> The issue of "what if you forget your password" is covered in the law, which basically says you have to know and keep control/ability to decrypt all encrypted media you own.

Heh. Would love to see them take that at face value. "But officer, I need this list of Blu-Ray disk keys. Otherwise, I can't decrypt all my movies the way I'm legally required to!"

And that would explain why I heard of people emailing him encrypted documents / random bits. I'm sure he knows how to decrypt those.

So you're right, it is crap.


In terms of the law, you don't own those Blu-Ray movies so it isn't the same.

The law is fuzzy on the issue of someone emailing you an encrypted archive you didn't have the password to.


> In terms of the law, you don't own those Blu-Ray movies so it isn't the same.

If that works, I might try telling them that the file they can't open is a DRM'd media file which I no longer have rights to and do not own.

For some people, that might even be true.


Seriously. I love this kind of thinking! Hell, it might just work.



