Has there ever been a court case related to encrypted data or secret codes without a computer being involved? If the cops get a warrant to tap a phone line and they hear me speaking with an associate using some sort of coded language (as spies and criminals often do on TV) can I be compelled to explain to them what all the little codewords actually mean?
Which was the base of this court case (and I think it is troublesome, that it had to be debated at all)
"One of the major issues in the law of digital evidence investigations is how the Fifth Amendment privilege against self-incrimination applies to unlocking phones"
Regarding the "Right to Silence", I recently learned something I didn't know. While I was familiar with the right to remain silent after arrest to avoid self-incrimination (based on the Miranda ruling), there is a separate right to remain silent unrelated to incrimination (5th amendment) but rather tied to 1st amendment free speech. Of course, we're all familiar with free speech rights but is there a corresponding right to "free silence"?
It turns out there is but it's not enumerated in the first amendment, so it's called an "implied right." It's been derived by the courts (including the Supreme Court) as logically inferred by the rights which are enumerated in the 1st amendment. What I found interesting is the boundaries of this implied right to silence are currently less well-defined than the other 1st and 5th amendment rights. Apparently, some cases the court will be deciding this year may involve further fleshing out these fuzzy edges. I'm not an expert but as I recall, the scenarios may include things like whether social media networks can be compelled by a legislative statute to disclose (i.e. 'speak') their content moderation policies and whether public universities can enforce codes of conduct which may compel speech.
Personally, I'm all-in on the vital necessity of robustly expansive free speech rights, so I'm also all-in on robust freedom of silence rights. I used to think I understood the limits of free speech in the U.S. but reading this article by 1st amendment expert Ken White on free speech tropes surprised me. Highly recommended: https://www.theatlantic.com/ideas/archive/2019/08/free-speec...
Addendum: you must explicitly invoke your 5th amendment right to silence when being questioned by police in order to prevent your silence being used against you in court. It’s a shit ruling, but it’s also current law. This theoretically only applies if you have answered some questions but remained silent on others.
> And of course on a recorded interview/questioning, right? Because if there was no recording then it’s my word against police’s, right?
Nope. You need to express your desire to stay silent early in the "arrest or questioning" process with the police. I'm not an expert, so I don't want to pretend when your words can be used against you, but if a cop hears you say something, they can quote you in court.
Also, here is a fun twist. Your words can be used against you in court, but not for you. For instance: if the cop writes down a bunch of stuff you said while being arrested, and your defense lawyer wants to look at it -they are not allowed to see it-. They can only see the stuff the cops use to charge you
> Also, here is a fun twist. Your words can be used against you in court, but not for you. For instance: if the cop writes down a bunch of stuff you said while being arrested, and your defense lawyer wants to look at it -they are not allowed to see it-. They can only see the stuff the cops use to charge you
This is incorrect.
Withholding exculpatory evidence can get cops & prosecution into a lot of hot water.
I think time 8:40 of that "Don't Talk to the Police" video is a closer fit to geoduck14's comment.
> It cannot help you. You can't talk your way out of getting arrested, and contrary to what you might suppose if you never studied the Rules of Evidence, what you tell the police - even if it's exculpatory - cannot be used to help you at trial, because it's what we call hearsay. Under the rules of evidence - specifically Rule 801(d)(2)(A), if you want to look it up - everything you tell the police, as the saying goes, can and will be used against you but it cannot be used for you.
Professor James Duane, the speaker, refers to Federal Rules of Evidence Rule 801. Definitions That Apply to This Article; Exclusions from Hearsay [1]. My layperson understanding of 801(c) and 801(d)(2)(A) is: if you are the defendant, what you told the police prior to a trial is not hearsay when during the trial the prosecution (of their own volition) tells the court your words as evidence but is hearsay when during the trial you ask the prosecution to tell the court your words as evidence.
You have a First Amendment right to record the police, whether you're involved in a police interaction or you're a bystander [2]. If the police make you stop recording, try to make you delete the recording, or try to forcefully stop/delete/damage the recording/device, you sue them after the interaction is completely over. But regardless, beyond pleading the 5th Amendment, do not talk to the police at all, especially but not exclusively outside of a trial. You talk to your defense attorney, and your attorney handles the talking with everyone else. You can ask your attorney to admit your recording as evidence.
Extra notes for personal reference. The first speaker in the "Don't Talk to the Police" video is Professor James Joseph Duane of the Regent University School of Law [E1]. The second speaker is Officer George Bruch of the Virginia Beach Police Department (time 26:51 of the video [E2]).
In court, you must assert your right to not testify against yourself.
Upon arrest, you're not obligated to speak or answer anything.
The police are not officers of the court, nor involved in court proceedings during their interactions with the public, so there is no expectation or explicit penalty for not answering. In court, while being questioned, you're compelled, under penalty of perjury, to testify in full and truthfully unless there is a reason you can or may not:
> Do you solemnly (swear/affirm) that you will tell the truth, the whole truth, and nothing but the truth?
“Upon arrest” is doing a lot of work here. BEFORE an arrest, the 5th must be explicitly invoked, perhaps only if you have answered some other questions though. See the case law I linked.
The 4th (unreasonable search and seizure) is generally clearer, but I don’t know how it works in “stop and ID” states. IMO those laws are unconstitutional, but I haven’t looked into it because I don’t live in one.
> Don't talk to the police: Regent Law Professor James Duane gives viewers startling reasons why they should always exercise their 5th Amendment rights when questioned by government officials.
Yes, it means explicitly saying “I invoke my 5th amendment right.” Generally, if you’re being interviewed, this is surprisingly less of an issue, because you’ve already been read your rights, and the interview will be recorded (theoretically, they can disappear sometimes).
This applies to situations BEFORE an arrest, but you may have already been detained. (The 4th amendment and court precedent have more to say about this, but it’s an aside if you aren’t subject to it.)
If it’s your word against the police, with no recording or some other overwhelming evidence, you will lose in a US court. Police body cams help a lot here, but it’s still best to record every police interaction yourself. It’s an unfortunate situation.
Pre-Miranda, according to the case law. It amounts to “don’t talk to the police,” because although the original case was about a murder, it now applies to every voluntary conversation with police. It’s a really unfortunate precedent.
In the US, case law has ended up more protective of people who invoke their right to an attorney than those who merely invoke their right to remain silent.
In certain cases the police can restart interrogations after invocation of a right to remain silent, but if you invoke the right to an attorney any interrogation must stop until your counsel is present. These exceptions are narrow, but “being interrogated by the police” is the last place to chance stumbling into one.
The magic words are: “I will not answer any questions without a lawyer present.”
Yeah. Also, the police are legally allowed to lie to you, but you are not legally allowed to lie to the police.
I’m not interested in lying to the police, but when I know that they can lie to me, it’s a big disincentive to say anything to them at all. This is a problem.
As a pretty staunch civil libertarian, I agree with you about the asymmetry in rights. However, I'm curious about the statement:
> "you are not legally allowed to lie to the police."
I know that lying under oath in a court is perjury and in certain contexts some investigative agencies like the FBI can put you under oath and in that specific case materially false statements can be actionable. And I know that filing a false police report is against the law but I think that usually requires signing the report and it spells out that lying on the statement is perjury.
But, in the scenario of a police officer just walking up and asking you questions on a street corner, prior to arresting or detaining you, is anything you say about anything which is later deemed to be false or misleading cause for arrest? Maybe it is but I'm trying to think of what law it would be violating. I do know that civil libertarians say that if a police officer talks to you, you can ask "Am I being detained?" and if they don't answer "Yes" you are free to just walk away.
My naive prior understanding is that things are more complicated and conditional than simply "Lying to a cop anytime, anywhere is always grounds for arrest and prosecution (even absent any other grounds for arrest)" but perhaps I was misinformed on this.
If the police are feds, you can catch up to 5 years in the slammer for "making false statements" to them. This law is relatively recent (mid 90s) and was pretty much passed so that the FBI could nail, or twist the arms of, people they think committed a crime but have zero actual evidence against.
State laws about lying to police vary by state. Ask your lawyer.
Good point. I don’t know enough to comment further about the legality of lying to police as a person of interest or as a suspect (who hasn’t been Mirandized?)
It’s shameful though how many false police reports are not prosecuted because they fall in line with the perceived powers of police forces.
The book You Have the Right to Remain Innocent talks about this for a good portion of it. There are nuances to simply shutting up, invoking the right to remain silent (implied by the 5th) and not speaking, invoking the 5th to not answer a question, and invoking the *6th* which is the right to a lawyer. The book agrees that invoking a lawyer is now the correct move since it puts some onus on law enforcement.
> I will not answer any questions without a lawyer present.
I'm curious. How do people get a lawyer, if they aren't exactly prepared for being questioned, but just somehow unexpectedly found themselves in some weird situation?
Somehow, I doubt most common folks already have an established lawyer (especially not knowing what sort of situation they may get into - as I get it, different lawyers specialize on different matters) and remember their phone number (OP reminds me that one probably doesn't want to unlock any phone). Or I'm wrong? What's the general approach here?
First, invoke. Then one of two things will happen. The happy path is that the police can’t sustain an arrest, and you didn’t help them by talking. You’ll be released, and you can - and absolutely should - look for a lawyer on your own time.
Otherwise, you’ll be arrested and taken to jail for processing. Your bail will almost always be predetermined by a bail schedule. For minor crimes you can post bail to the jail and leave within hours. Some jails even take credit cards. Search for a lawyer on your own after you are out.
Otherwise the rules are varied across jurisdictions. “You get one call” is a TV trope - but you can use any phone calls you are granted to secure an attorney. The state bar, as mentioned, will refer you. Call your family and have them secure one. Some jails have the yellow pages for your own selection. If you have a non-criminal attorney (a will, employment law, etc.) they can give you a referral.
Also, worse comes to worse, you can receive a free court provided lawyer. Though public defenders are so overworked, you may not see them until the day of your trial.
As I said above, I am totally not an expert on any of this, so you should seek real answers from authoritative sources. However, I think I can safely clarify at least this much...
In this context, "Public University" means an institution substantially run by or funded by the U.S. government. Only some universities are public and many others are private. And different rules apply because the government is held to constitutional standards.
Conversely, "Public Domain" relates to the copyright status of a creative work and is entirely unrelated to how something is funded.
Legally, a "Code of Conduct" is basically just a contract. In the U.S. the "Freedom of Contract" and "Freedom of Association" between consenting adults are, thankfully, pretty damn expansive. If you want to create a non-government owned, run or funded project, club, cabal or coven which involves a contractual obligation requiring Taylor Swift tattoos and apple cider enemas, I'm pretty sure consenting adults can voluntarily agree to that if they choose to (although it should be noted, enforcement of such a contract will likely be limited to rejecting or expelling non-complying members).
Don't know why you're being downvoted, the issue isn't the contractual obligation but the method of enforcement.
If I sign a contract saying I'll take an apple cider enema and I don't, that doesn't automatically mean I've given permission to have one administered! That might mean I get kicked out of the contract but it doesn't mean that I can be forced to abide by the contract.
Yeah, my humorous (but still technically valid!) example was probably ill-advised in this forum.
Separately, although I am not a lawyer, I have decades of business experience which often involved working closely with lawyers and my circle of friends happens to include several attorneys, prosecutors and judges, so I'd say I have an unusually broad understanding of legal matters for a non-lawyer (especially contract, IP and business law). I also just find legal stuff interesting to learn about and I'm one of those oddballs who looks forward to June because I find well-written SCOTUS rulings (and dissents!) fun to read.
Yet, I'm still surprised at the lack of even high-school civics-level knowledge of basic legal principles I come across in otherwise intelligent, well-educated professionals including doctors, MBAs, engineers, etc. It's kind of sad because the latent engineer in me finds the system architecture of the U.S. legal framework to be fascinating. Yes, it's imperfect in many ways, yet it's still a brilliant, iterative, collection of attempts to solve a 'wicked' bundle of thorny problems through successive approximation. Despite its flaws it still ends up eventually getting things pretty close to as "right" as they probably can be with remarkable frequency.
I did consider that while writing and I decided any reader not from here and unfamiliar with our federal/state divide would understand "U.S. Government" to mean all levels of government.
Pedantically, I believe there are federal universities such as the army, navy and air force academies. There are also city colleges and all of these "government institutions" are funded or controlled by federal, state and/or city taxes which causes them to fall under additional constitutional restrictions.
The idea that code of conduct can’t exist is nonsense. The idea that it violates free speech is also nonsense, as it has been well settled that you don’t have free speech on private land.
I can imagine codes of conduct are helping somebody and I wouldn't want to spoil their good times but I'm still a little salty that sqlite was forced to change their terms, based loosely on the Benedictine Order Code, so they could have corporate sponsors. My intuition suggests a large and random set of assholes has been replaced by a specific and goal-oriented set of assholes.
I'll admit, the internet is everywhere, so every asshole is on the internet. I just remember before the Code of Conduct, there was definitely one less potential layer of assholes above, despite an ever present layer of assholes below, and there seemed to be more crazy and less conformist people.
Would write more but I need to go yell at a cloud.
The thing is that most people never ever have to deal with codes of conduct because, as it turns out, treating others with respect really isn’t a difficult thing to do.
Public universities are part of the (state) government, so are bound by the first amendment.
Open source projects are not part of the government, so their freedom to associate with whoever they choose (with some limitations implied by eg the 14th amendment, but nothing likely to affect currently prominent codes of conduct) is protected by the 1st amendment.
The thing that allows these password disclosing laws to be compatible with self-incrimination is that the password itself is not the evidence, you are being compelled to give up other documentary evidence that incriminates you. This is common. People (companies in particular) are often forced to give up evidence that is used against them (corporate fraud convictions etc).
The reason it's a little different with passwords is passwords are considered to be equivalent to a key to a safe, and people could be required to hand a key over.
Although it appears the matter has now been settled as of this ruling.
Can you be compelled to hand it over? What if you lost it?
It seems like with a warrant they can be allowed to crack into your safe, and you may prefer to let them use the key so that you still have a working safe at the end of it.
There were different court cases in different states that ruled it did have to be handed over. As for whether or not someone genuinely lost it, I guess it would be up to the particulars of that case if they were believed or not.
The UK has a rather scary law where even if you do genuinely lose it they just assume you are lying.
The UK case is always what I assumed the main point of the right to remain silent was about. How can you compel someone to reveal something that you can't prove they know? Memory is fallible and it seems wrong to be incriminated since you forgot something or just never knew it in the first place.
The extension of that is you can just always say "I don't know". So the right to remain silent is basically a shortcut to avoid this issue.
Cryptography predates computers, so the only real question is has it shown up in public court records or not. I'd expect plenty of history in treason charges against caught spies, but whether the records are public or not is a different question.
for example: Article I, Section 9, Clause 2: The Privilege of the Writ of Habeas Corpus shall not be suspended, unless when in Cases of Rebellion or Invasion the public Safety may require it.
They will admit testimony by some cop to explain that "based on my training and experience, I believe 'going to the pool' to be code for 'soliciting a murder'"
IANAL but I don't think you're required to provide anything to "investigators". Certainly not before consulting your lawyer.
However I believe the court could eventually order you to produce the Rosetta Stone, after various proceedings. At that point you have to decide whether you want to comply with the order or not, and not doing so would likely have negative consequences like being held in contempt.
You could go to prison for refusing to provide password. Here is the story from 2014:
A 22-year-old man has been jailed for six months after refusing to provide passwords to his encrypted hard-drives, the Daily Mail reported. He was imprisoned under a section of RIPA, a UK law that was originally pushed as a counter-terrorism measure, but which has now ballooned to cover many different aspects of crime—something that has got civil liberties groups worried.
Christopher Wilson is suspected of attempting to break into a law enforcement website and “trolling” the Newcastle Police by fooling them with a prank phone call. However, these are not what he is going to prison for: he's spending time behind bars for not giving up his passwords.
What about being compelled to either unlock and open a safe, or provide the code to unlock it? I too am surprised that existing case law in the non-tech space wasn’t mentioned in the article.
It would have been helpful if the Ars journalist had scored an interview with his expert source — Berkeley academic Orin Kerr — rather than simply re-reporting Kerr’s own analysis:
A court or police compelling someone to open their safe would tautologically be for the purpose of discovering evidence of a crime which is exactly what the fifth amendment protects.
The reason it's not been a big deal in courts is because, if police have a warrant, they're going to hire their go-to safe driller to drill the safe open.
Fun fact, I’m UK based and should I find the police demanding I open my (gun) safe I would legally have to refuse until an authorised firearms officer is present lest I lose my shotgun license.
What's troubling is that "your associate" might be Apple.
For example, when I add an account on my Mac - not related to Apple in any way - the computer will send information back to Apple. Every time. I have cloud stuff turned off.
As far as my phone - most of this stuff is not only hidden, but Apple doesn't let me run software to know who it is talking to, and what is being sent.
For criminal organizations, it's common to "decipher" coded language to juries. And it's really not that difficult when drug dealers are talking about "kings" in conversations that have nothing to do with royalty or poker. (a "king" generally means a kilogram of cocaine.)
What if a coded message, or not coded at all, was interpreted as something that was not the case?
Then is it the other legal team’s responsibility to point out that it’s bogus and refute the claim that it meant “I stole Jack’s peanuts”. Maybe by giving examples of other assumed ciphers that prove it actually decoded to “I can drink 5 beer cans in 2.5 minutes” or that it also means “Rabbits are actually slow” according to yet another assumed cipher?
How does that work? I mean I know if it’s a jury then it can just come down to their individual and collective whims and fancy, but how does it work in general?
OK, but I think you missed the point of the question above. The point was whether a court can compel people to explain a secret code, and whether there should be a different standard, if that code involves the computer or not
But there is the essential difference — it is not the algorithm, whether performed manually or by machine, it is the testimony. A defendant need not testify against oneself. A computer cannot testify at all. The police can seize the computer and have a go at cracking it, it’s just a thing.
This one seems pretty cut and dry, frankly, since they’ve asked him to provide the code, and he refused. It sounds like the prosecution erred significantly in making closing arguments about pleading the fifth being indicative of guilt. The more interesting question, which is not involved in this case, is whether a defendant can be compelled to provide unlocked devices to law enforcement.
You can't be compelled but especially with spoken language it's going to be very easy for LE to decrypt it on their own by just correlating the coded language with whatever actions were taken later.
I read the article as well as the (imho much better) blog post on reason.com*, and it still feels tenuous to hope that this would be decided definitively by the Supreme Court.
In the original case the prosecution argued that the defendant’s lack of cooperation in unlocking their phone was evidence of guilt. Wouldn’t a Supreme Court ruling therefore be about whether or not a prosecutor may assert such a thing as evidence? That feels quite different from the original act of (and rights around) refusal to unlock the phone.
It’s as if the prosecution said “he had a gun, so he must be guilty!”, and hoping that the case will go to the Supreme Court to decide on the legality of the second amendment.
I am imagining an authentication system that doesn't just ask you for a password but, besides making sure it's you who made the request, also makes sure that you request the access of your own free will without being forced.
A primitive one would be requiring a main password to authenticate every 12 hours. If the main password is not used before that period passes, a second password that you don't memorize can be used to unlock, but it is stored in a place that only you can access and only if you are totally free.
I think you read parent-comment wrong. My interpretation: unlock your phone normally at least every 12h. Only if you fail to do that, then the phone locks harder and you need to unlock with the non-memorizable password. Imagine the PIN/PUK system on SIM cards but with a timed lock-out as well. I agree that it sounds inconvenient though.
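An added sketch of the timed two-tier unlock discussed in the comments above (illustration only, not code from any commenter or from a real phone OS): the memorized primary password works only within 12 hours of its last successful use, after which the lock hardens and only an offline-stored recovery secret opens it. The class name, the return strings, the PBKDF2 parameters and the injected `now` clock are assumptions.

```python
import hashlib
import hmac
import os

WINDOW_SECONDS = 12 * 3600  # the 12-hour period from the thread
PBKDF2_ROUNDS = 100_000     # assumed work factor for this sketch


def _verifier(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash so stored verifiers resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class TwoTierLock:
    """Hypothetical PIN/PUK-style lock with a timed hard lock-out.

    `now` is passed in (seconds) so the policy can be exercised without
    waiting; a real device would need a tamper-resistant monotonic clock
    and would discard the primary-wrapped key when the window expires.
    """

    def __init__(self, primary: str, recovery: str, now: float):
        self._salt = os.urandom(16)
        self._primary = _verifier(primary, self._salt)
        self._recovery = _verifier(recovery, self._salt)
        self._last_primary_ok = now
        self._hard_locked = False

    def _window_expired(self, now: float) -> bool:
        return now - self._last_primary_ok > WINDOW_SECONDS

    def unlock(self, secret: str, now: float) -> str:
        """Return 'unlocked', 'denied' or 'recovery-required'."""
        candidate = _verifier(secret, self._salt)

        if self._hard_locked or self._window_expired(now):
            # Sticky: once hardened, rolling the clock back does not
            # reopen the window for the memorized password.
            self._hard_locked = True
            if hmac.compare_digest(candidate, self._recovery):
                self._hard_locked = False
                self._last_primary_ok = now
                return "unlocked"
            return "recovery-required"

        # Inside the window only the memorized password is accepted;
        # a failed attempt must not refresh the 12-hour timer.
        if hmac.compare_digest(candidate, self._primary):
            self._last_primary_ok = now
            return "unlocked"
        return "denied"


if __name__ == "__main__":
    HOUR = 3600
    # Constructed sample secrets, for demonstration only.
    lock = TwoTierLock("memorized-pass", "offline-recovery-secret", now=0)
    for label, secret, t in [
        ("primary at 11h", "memorized-pass", 11 * HOUR),
        ("primary at 24h", "memorized-pass", 24 * HOUR),
        ("recovery at 24h", "offline-recovery-secret", 24 * HOUR),
    ]:
        print(label, "->", lock.unlock(secret, now=t))
```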
I'm not that familiar with the US law system, but wouldn't a written down password be worse? With a memorized password it's at least possible to claim you have forgotten.
Some encryption schemes allow two keys for unlocking, but they would show different content depending on the key. I think I remember trying that on TrueCrypt many years ago.
I would imagine the second password being in a safe in a Swiss bank.
It's not practical at all, but it should be possible to build systems that authenticate you only if you are free and doing that of your own free will without any compulsion.
In many countries, they have laws saying suspects can't refuse to give passcodes (or if they do, they'll be jailed)
I think such laws are dangerous, as they could be used for a particularly evil type of attack: throw an encrypted cellphone in someone's bag, then have them arrested for whatever wrong reason.
When they can't provide the passcode, they are automatically guilty!
I understand your point now, but the horrible thing is such laws turn normal objects into dangerous objects: it increases the risks as "less dirty than usual" bad actors can cause the same potential amount of damage!
Generally speaking, if you non-cooperate with the police that’s one class of offense, but if you lie to the police (that’s what this would be seen as) and they catch you it’s a whole ‘nother level of offense.
In general, if you’re thinking about interactions with the police and you have an idea that feels “clever”, it is a bad idea.
It's legal to lie to the police under questioning in most circumstances, i.e. "I didn't rob that guy" if you robbed that guy. The big exceptions are falsely identifying yourself and lying while reporting a crime.
You might be thinking of 18 USC 1001 which makes it a felony to lie to a federal agent, and is extremely broad (both in terms of what constitutes a lie and who counts as a federal agent).
Seems to me like there ought to be some kind of 14th Amendment “equal protection” cases presented to the court about the failure of police forces to dismiss false police reports.
If I filed a police report saying “X threatened me on my property” and it wasn’t true, I’d be prosecuted for a false report. Yet there are hundreds of instances of state and federal employees filing the same kind of false reports, yet nothing is done about it.
How are you lying to the police by unlocking a different profile of your phone? So long as the police don't say "oh, unlock this $specific profile of your phone please", you could have different profiles for different purposes (e.g. different set of apps installed, like one profile for work and another for personal settings).
That's an act of commission. You should simply do nothing, unlock nothing, and say nothing. Wait for an attorney.
It may not be difficult for the prosecutor to point out that you "unlocked" your phone into a mode you never use and in fact specifically use to deceive law enforcement.
Much simpler and safer to do absolutely nothing. Plus, you don't know for sure if that secondary mode being unlocked can enable third-party tools to break into the primary profile.
I think you're right, but generally speaking the 5th amendment gives wide rights, so in any interaction with the police in America one should always keep their mouth shut, and if pressed say that you won't speak without a lawyer. They literally say: "Anything you say can and will be used against you in a court of law." That is not an exaggeration.
It is very difficult to prosecute someone for a crime if they stay silent during the legal process, it's why the police are hyper-aggressive, they are trying to catch any idiot who will say anything that will get them arrested and charged, so they can report to the municipality, county (or state or whatever) that they have achieved x, y, z rates of charges, solved crimes etc., in order to secure better funding (meaning better salaries, benefits, pensions, and toys to terrorize you with).
For sure, I agree with everything you're saying, but the parent commenter was saying all non-cooperation is allowed which isn't true. I don't think they considered the case of resisting arrest or other similar cases.
People are consistently arrested and/or charged for resisting arrest for not identifying themselves in states that do not have “stop and ID” laws.
Even if you know to the letter what your state law requires, the police often don’t. If you take the arrest and sit in jail for 2-12 hours, you can fight it later in court. Somehow, this is a luxury for most people in the US.
"You were rude to me earlier, so I don't want to talk to you" may get you beaten up but won't get you in further legal trouble.
If it comes up at trial, you simply explain that the officer was rude to you, so you didn't want to talk to them, which caused them to be even more rude to you, which confirmed your decision to not talk to them.
But if they say "unlock your phone" rather than "unlock the main profile of your phone", it's not like you're uncooperative. You've technically unlocked it.
I had this argument with my then-13 year old daughter. I had forbidden her from using "the phone". She accepted the punishment.
She then proceeded on another device to show me that in no place on the official Samsung website is the device referred to as "a phone". The device is always referred to as "a smartphone" and in one place the telephone communication application is referred to as "the phone". I conceded that she made a good case and that the punishment therefore applied to the telephone communication application only.
Does the alternative password enable your phone book and phone history? If so, then yes you have unlocked the phone. If not, then you have unlocked "a phone" but not "the phone".
I think unfortunately in almost all cases the spirit of the law is more important than the word of the law, and most courts frown upon this kind of chicanery. I think this encourages her to "well, actually" people more, which nobody likes being on the receiving end of :-)
> I think unfortunately in almost all cases the spirit of the law is more important than the word of the law, and most courts frown upon this kind of chicanery.
I was under the impression that the word of the law is preferred. If anybody here has experience, in any jurisdiction, I would love to know more.
> I think this encourages her to "well, actually" people more, which nobody likes being on the receiving end of :-)
Well, actually, I do want to encourage her to defend herself by all possible means, especially to be able to challenge the law :-)
In the original context though, you're not dealing with the law but an "order". You were "ordered" by some police officer to do something that you can't refuse.
That'd be some form of "plausible deniability" (although the term has a lot of different meanings depending on the context).
I know it exists for certain cryptocurrency hardware wallets: they can be set up (but are not required to) so that one PIN unlocks the real wallet and another PIN unlocks a decoy wallet, which only has some coins.
P.S: people are probably going to point out the $5 wrench attack though
Isn't that the benefit of such a scheme? You ask for my password, I say no, you hit me with a $5 wrench, I say no. You keep hitting me, I input the decoy password and you think that is all the crypto (or content or whatever) I have.
$5 wrench attack works on known unknowns, but not well on unknown unknowns.
If they threaten to beat you with a $5 wrench and you refuse and refuse and refuse and eventually cave and unlock the wallet with $10 of Bitcoin they're going to hit you with a wrench because you wouldn't resist so hard over so little and you're obviously trying to be clever.
As long as a bad actor is aware of the possibility of decoy passwords, they have no incentive to stop hitting you with that $5 wrench no matter what you say.
I thought about that and could see two possible problems: What about notifications on the lock screen, how to plausibly handle those with a fake/2nd profile? Could that be seen as willfully misleading or hiding evidence?
Note: the verdict only applies to those in Utah. Other US states have other rulings. Wait until there is a US Supreme Court ruling that affects the entire nation.
Right now: do not use biometrics (can be legally forced); do not use numeric passcodes. Use alphanumeric password.
On iPhone at least you can require passcode by holding down the side button and either of the volume buttons for three seconds. Just ignore the power down/SoS screen that comes up (or tap cancel) - by the time you see it Face/Touch ID is already temporarily disabled. The iPhone will also give you a "rumble" confirmation so you can do it when the device is in a pocket, bag, etc.
Obviously doesn't help if they pull an elaborate Ross Ulbricht-style move but useful for situations where you can see them coming (which is likely most of them).
> On iPhone at least you can require passcode by holding down the side button and either of the volume buttons for three seconds. Just ignore the power down/SoS screen that comes up (or tap cancel) - by the time you see it Face/Touch ID is already temporarily disabled.
You can also press and release the power button five times consecutively for the same power down/SOS screen, and then the biometric lock gets disabled (requiring the device passcode).
This basically happened to me when I was cuffed in the back of a squad car on the way to jail. I told the dispatcher I was being kidnapped. The cops in the front gave me the side-eye.
I know, also from experience because it was something I specifically tested, I can do this in the time I take to pick up the device, or take it out of my pocket.
Unless your concern is your device is out of your control when it is seized, in which case you could mitigate your concern by locking it when it will be out of your control, or if you really want to just never enable biometric authentication. Of course that puts you back in the bucket of every time you unlock your device it can be observed.
See the second sentence:
"Unless your concern is your device is out of your control when it is seized, in which case you could mitigate your concern by locking it when it will be out of your control, or if you really want to just never enable biometric authentication"
Well, borders in the USA have a special exemption to the 4th Amendment, so take everything with a grain of salt if you are entering or exiting the USA.
Prior legal rulings in the USA have been vague, but said that a numeric code does not require you to "testify" in that you don't really have to use a thought process. I'm paraphrasing, but basically numeric passcodes have been exempt from your right against self-incrimination.
How is a 6 digit pass code too few possibilities when the phone locks you out after like 5 missed attempts? It seems unrealistic to expect people to type their alphanumeric password every time they want to unlock their phone.
If I recall correctly, some early techniques to unlock passcode-protected phones involved bypassing the user interface and trying passcodes at a point in the execution flow prior to the code that locks out the UI.
I think modern devices have addressed this in various ways, but it’s not a good idea to rely on timed lockouts when it’s possible that techniques exist (or could eventually be found) to bypass the lockout.
In short, assume those lockouts are targeted at normal users. A sufficiently motivated actor with technical resources is another story.
I don't think this is meaningfully true for modern phones. The passcode is used by the phone's TPM to derive the actual encryption key, which never leaves the TPM. TPMs are designed to be impossible to retrieve the secret key from without being physically destroyed to prevent the kind of attack you describe.
This is why phone cracking devices like Cellebrite rely on exploits in phones rather than just cloning the disk and trying the small number of possible passcodes.
Literally the point of the HSMs in phones and laptops is to stop that.
If your device's encryption key is produced by a PBKDF then yes it's doable, but no actually secure system works like that. The way a secure system works is
1. You have an HSM ("Secure Enclave" in Apple speak, Trusted Computing Module in MS speak, and I can't recall the google/android name)
2. The HSM generates a random encryption key (or family of keys)
3. The HSM encrypts and decrypts the data with those keys (the keys themselves never leaving the HSM)
4. The HSM gates access to those keys based on an attempt limited use of your passcode/password
There were common flaws a few years ago that meant that you could glitch the HSMs into (essentially) not incrementing the attempt counters or similar, but I haven't heard of such in a few years now (almost a decade now? Essentially these kinds of flaws were discovered en masse once HSMs reached consumer hardware, so more security researchers were able to investigate).
The important thing though is the encryption key is now fully random, rather than derived from your password, which is the difference between a 128+ bit key and a ~40-60 bit key.
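The four-step design in the comment above, next to the passcode-derived (PBKDF) design it is contrasted with, as an added Python sketch that is not part of the thread and not any vendor's implementation. `ToySecureElement`, `seal_with_derived_key` and `offline_search` are hypothetical names, the HMAC keystream stands in for a real cipher, and the 4-digit passcode and sample data are constructed.

```python
# Added illustration; all names are hypothetical and the HMAC keystream
# is a toy stand-in for a real cipher such as AES.
import hashlib
import hmac
import secrets

ROUNDS = 100  # deliberately low so the demo is fast; real systems use far more


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def _stretch(passcode: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ROUNDS)


class ToySecureElement:
    """Random key kept inside; use of it is gated by a counted passcode check."""

    def __init__(self, passcode: str, max_attempts: int = 5):
        self._key = secrets.token_bytes(32)   # random, not derived from the passcode
        self._salt = secrets.token_bytes(16)
        self._verifier = _stretch(passcode, self._salt)
        self._failed = 0
        self._max_attempts = max_attempts

    @property
    def wiped(self) -> bool:
        return self._key is None

    def _authorize(self, passcode: str) -> bool:
        if self.wiped:
            return False
        # Count the attempt before checking, so an interrupted check still costs a try.
        self._failed += 1
        ok = hmac.compare_digest(_stretch(passcode, self._salt), self._verifier)
        if ok:
            self._failed = 0
        elif self._failed >= self._max_attempts:
            self._key = None                  # attempt limit reached: key destroyed
        return ok

    def seal(self, passcode: str, plaintext: bytes):
        """Encrypt inside the element; the key itself is never returned."""
        if not self._authorize(passcode):
            return None
        nonce = secrets.token_bytes(12)
        return nonce + _xor_stream(self._key, nonce, plaintext)

    def unseal(self, passcode: str, blob: bytes):
        if not self._authorize(passcode):
            return None
        return _xor_stream(self._key, blob[:12], blob[12:])


def seal_with_derived_key(passcode: str, plaintext: bytes) -> dict:
    """The contrasted design: the encryption key is PBKDF2(passcode, salt)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    key = _stretch(passcode, salt)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def offline_search(image: dict, digits: int = 4):
    """With a copied image of the derived-key design, no counter limits the tries."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        key = _stretch(guess, image["salt"])
        tag = hmac.new(key, image["ct"], hashlib.sha256).digest()
        if hmac.compare_digest(tag, image["tag"]):
            return guess
    return None
```

In the first design a copied ciphertext is protected by the full 256-bit random key, and the only path to it runs through the counter; in the second, the copied image carries everything needed to test each candidate passcode.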
That doesn't work with iPhones, the Secure Enclave is the only thing that can unlock the phone, and after the attempt limit is exceeded, passcode-protected data is erased by Secure Storage.
I guess if they really wanted to they could attempt to decap the chip and do something with a hardware attack, but that's difficult and dangerous.
How does GrayKey bypass this then? GK is still being purchased and sustainability contracts issued for LE today so I would imagine they have a way of attacking it, particularly 6-digit PINs or less.
I can’t seem to find it now, but I remember a news story a while back where a police agency was able to unlock an iPhone with a 6 digit numeric passcode in a little over a year, bypassing the hardware security module and time limits.
I am thinking that a numeric code is something that people can see you typing in again and again.
An ex-bf/gf that hates your guts will remember that your pin is 1-2-3-4-5-6, because that one time your hands were wet and she needed to see that photo from that party and you told her the PIN..
While if you have a word, new bf/gf will mean new word, and good luck knowing that.
A numeric code may be easier to shoulder surf. Nothing prevents you from changing a numeric code or ensures you will change an alphanumeric code however.
I watched a video where they had the iPhone cracked open and slightly modified in a way that would allow them to reset the storage to brute force quickly without timeouts.
That shouldn’t be (at least easily) possible on newer iPhones anymore. The counters are now in rollback-protected dedicated memory; the lockout is implemented in the secure enclave.
It’s important to note that it’s not just ‘on command’, it’s on issuing a Section 49 order under the RIP Act, which has conditions and doesn’t like automatically result in you being locked up if you refuse (the police have to apply to a court to enforce it, and you have a chance to defend yourself).
The reason I say it’s important to note this is that the UK police absolutely will over represent these powers to bully you into voluntarily handing over unlock codes and passwords. Unless there’s a S49 notice, they’re just asking and you have every right to say ‘no thanks’, and even if they do issue one you can require your day in court to force the issue.
If they stop you on entry to the UK they can compel you to unlock any devices you are carrying. They are entitled to whatever data they find on the devices but they are not allowed to use the credentials on the devices to access remote services. However, the secret services have a long track record of ignoring the rules so I wouldn't trust them not to.
"Australia has no constitutional protection for the right to silence,[4] but it is broadly recognized by State and Federal Crimes Acts and Codes and is regarded by the courts as an important common law right and a part of the privilege against self-incrimination"
This one in particular is great because apparently the 5th amendment doesn't apply if you're not an English speaker and don't understand the extreme subtleties of the law, such that you can be compelled to incriminate
“To qualify for the Fifth Amendment privilege, a communication must be testimonial, incriminating, and compelled.” The Fifth Amendment privilege against self-incrimination thus only protects a defendant from being compelled to provide “testimonial” evidence, meaning that the communication “must itself, explicitly or implicitly, relate a factual assertion or disclose information.” Indeed, the Supreme Court has explicitly distinguished between “the use of compulsion to extort communications from a defendant” and merely “compelling a person to engage in conduct that may be incriminating,” such as providing samples of one’s voice, handwriting, or physical appearance, all of which are constitutionally permissible."
To be clear, I was responding to the commentary about the UK and Australia.
That said, even though America doesn’t have a perfect record on this, our Fifth Amendment rights are generally effective at protecting us from forced self-incrimination. We at least have the luxury of the Supreme Court that may hear and adjudicate our cases if our Fifth Amendment rights are violated.
> Americans are forced by their government to self-incriminate all the time and are sitting in jail for it.
“all the time” ← Can you please quantify that? I genuinely don’t believe it happens enough to justify your assertion. (I’d love to be corrected with some data if I’m wrong.)
All in all, I think it’s a mistake to expect a perfect system. Compared to the rest of the world, our Constitution is a massive luxury; Americans are beyond lucky. I can either focus on the fact that the overall system isn’t perfect or I can appreciate—i.e., not take for granted—the fact that we even have the codified set of rights that we do.
P.S. I personally know folks from Third World countries whose family members were executed for having the “wrong” opinion. We really do take a lot for granted here in America.
No, you simply aren’t seeing it because you aren’t exposed to communities who are regularly just getting hammered by police.
There is no “evidence” because it’s not on the record. It’s a lived experience by poor people. I don’t know if you’ve noticed but police kill a lot of innocent people that looks precisely like executing somebody for making the wrong decision, so I’m not sure how you’re not seeing it but it seems like you’re intentionally not seeing it.
It’s examples like my friend who did 10 months in county jail because he pissed hot during a two month probation on a drug charge related to a friend that he was driving the car with. This is an everyday experience for me as a teenager. I was pulled over regularly and patted down and it was only because I had a white mom who would come bitch at the police that I didn’t have a record.
There is an entire country within America that has no access to constitutional rights. I suggest you just look up a little bit of black history and you’ll be informed on some of this.
> No, you simply aren’t seeing it because you aren’t exposed to communities who are regularly just getting hammered by police.
> […]
> There is an entire country within America that has no access to constitutional rights. I suggest you just look up a little bit of black history and you’ll be informed on some of this.
I really hate having to bring up my background and race, but I really have to here: I’m literally a black man who grew up in inner city America who also used to be a leftist activist years ago (one of my primary focuses used to be “police brutality”). This is absolutely not a foreign topic to me. I’ve personally had a number of bad encounters with the police going back all the way to my pre-teen years. I find it interesting that you simply assumed, based on my perspective, that I’m somehow just oblivious. Regardless, none of that changes anything I’ve said.
Also, your claim that a certain segment of Americans, such as poor black folks, have “no access to constitutional rights” is simply false. A more reasonable argument would be that a certain segment of Americans lack the resources to properly defend their Constitutional rights, but those rights haven’t gone anywhere.
None of this is "forced." If you are being interrogated by police without a lawyer, it's because you are either a) an idiot, or b) not well educated about the American legal system (which means you probably received a poor education or you're a migrant). What this decision opens up is different from what you cited: here, we are not dealing with physical compulsion to speak or write or produce any kind of communication, which is severely delimited with the presence of a lawyer (or even the mention of one to the police), we are dealing with police, who've already seized some object which contains personal communication (much like a safe), and the legal right to remain silent on the code to unlock it. Now if, for previous physical objects which would contain communications that were locked with a code, there was case precedence where that code was legally demanded by police, and granted by a court, then you might have an argument.
I think you're being overly harsh toward people who might speak to police without realizing the implications. Getting arrested or even detained is a high-stress experience, and judgment and decision-making skills suffer in those types of situations.
Beyond that, cops are trained to manipulate people into believing that either a) they are required to talk (despite being read their Miranda rights), or b) that talking actually will work out better for them in the long run than staying silent.
It does not matter what the constitution says, police are going to do whatever they want no matter what, and case law proves that that’s exactly what they will, and will continue to do.
You seem to be continuing to operate under the assumption that America works underneath the rule of law universally applied. It doesn’t, it never has.
As you so clearly reinforced my original point, the only way that you can actually have those rights apply to you is by either being smart or rich, and most people are neither.
Am I missing something or is the headline (and most of the HN commentary) missing the point of this ruling? The ruling is not about whether you have the right to refuse to give your passcode (of course you have that right). Rather the ruling is about whether your refusal to give your passcode can be used against you at trial as incriminating evidence (?!)
> A court of appeals reversed the conviction, agreeing "with Valdez that he had a right under the Fifth Amendment to the United States Constitution to refuse to provide his passcode, and that the State violated that right when it used his refusal against him at trial." The Utah Supreme Court affirmed the court of appeals ruling.
In terms of the Fifth Amendment, it would seem that those issues are identical. Your right to silence means that your refusal to answer a question, provide interviews, etc, can't be brought up as evidence of your guilt.
Yes, but from TFA it sounds like the prosecution did this in closing arguments, when they’re not talking to a witness. Objections are typically not made by opposing sides in closing arguments (though possible). IANAL and don’t know precisely under which circumstances the judge should intervene in closing arguments. But implying that pleading the fifth is evidence of guilt is kinda “Prosecutorial No-Nos 101” and it’s not surprising it was overturned on appeal. What’s more surprising is that the prosecution then went to the state Supreme Court.
Ok thanks for the info. That case seems to be about if you can be charged with a crime if you refuse to reveal your password with a search warrant. While the case for this article seems to be about whether refusing to give a passcode when questioned by police can be used in court against you.
My “of course” comment above was about refusing police questioning (Miranda rights), not refusing a search warrant. That does seem like a much trickier issue.
Edit: added the clarification about Miranda rights
The case for this article is also about a search warrant.
> At some point thereafter, the officers obtained a search warrant for the contents of Valdez’s phone. But they were unable to access the phone’s contents because they could not crack his passcode. So a detective approached Valdez, informed him that he had a warrant for the contents of the cell phone, and asked Valdez to provide his passcode. Valdez refused. Without the passcode, the police were never able to unlock the phone to search its contents
I agree with your analysis here, but I don't think it's settled case law that you can't be compelled to provide your passcode, that refusing to do so is covered under the 5th amendment.
People have been sent to jail on contempt charges for refusing to provide their password, before even getting to the point of going on trial for whatever they're accused of.
It's two issues. The fifth amendment covers both. The court covers both. That your silence is not incriminating is a natural and mandatory extension of the right to be silent.
Does it only apply to phones?! If so, it is probably because they are already compromised and backdoored, unless it applies to all other mediums and electronics. On the other hand, I remember I read border controls can operate within certain distance from the border inside the country, and as far as I know, they can ask you to provide the codes.
And you can refuse, and they can't compel you to comply. They can take your phone and do their best to break into it or image its internal storage, but they have no right to detain you based on a refusal to unlock your phone.
If you are not a US citizen, however, and you are trying to enter the country, they can use your refusal as a basis for denying you entry. Which is garbage, but... yeah.
> If you are not a US citizen, however, and you are trying to enter the country, they can use your refusal as a basis for denying you entry. Which is garbage, but... yeah.
Why is refusing to comply resulting in denying entry garbage?
The existence of a temporary workaround does not mean the original right to refuse to provide your password is somehow bad or (perhaps more to your point) futile.
Every barrier to surveillance makes it less likely. Increase the cost to decrease the behavior.
I would assume security exploits, mostly targeting old unpatched versions, with some undisclosed 0days in the more expensive products.
And against a modern Pixel/iPhone I would also expect the answer to how does it work to be "not so well". Consider the percentage of the population that uses a potato phone from 2018, consider the likelihood of them being the criminal in question, and the product starts working a lot better. Remember how FBI failed to decrypt the iPhone of some domestic terrorists: https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...
For what it's worth, Android no longer supports full-device encryption, it encrypts filesystem subtrees. For a single-user phone, there's not much of a difference; your "user files" key is obtained from the hardware secret store when you type your PIN.
Chinese netizens posed this question the other day, about how their police never seem to run into the issues US police have of being unable to gain access, especially to iPhones.
Many conspiracy theories surfaced, from back doors to rooted iCloud servers in China.
Till a supposed policeman chimed in and said they'd just browse through the millions upon millions of hours of security footage to see the perp unlocking their phone with a passcode.
Problem with Apple iPhone authentication scheme is their reductive logic of eliminating one of three basic authentications by using OR logic, instead of AND logic.
In short, they are still single-factor authentication.
If I were SCOTUS, here's how I would settle this question:
The accused can't be compelled to produce a password, and the prosecution can't use the defendant's silence as an argument against them. BUT the police can explain in court that they were unable to search and/or seize what's listed on the warrant due to an unknown password and unbreakable encryption.
In other words, they can't say "Joe wouldn't give us his phone password and that means he's guilty". But they can say "we were unable to search his phone or collect these documents listed on the warrant due to unbreakable phone security".
There's not a huge difference between those two statements when it comes to the jury. They'll understand that evidence is missing, and that the defendant can probably produce it but won't. Maybe civil libertarians won't like that, but I think that's misplaced: there is a warrant, remember, it's not just a random search. And the defendant can always produce it if it's exculpatory.
That merely adds a layer of indirection rather than solving anything. It is still using the person's silence against them and saying "there is proof behind that door." If there is proof it needs to be produced. If the State can always go "well there's encrypted data and inside the encrypted data is the reason to imprison this guy." You don't need the evidence, you just need to know it's not visible. Why ever even seek the decryption order if you automatically get the negative implication for free?
It's never been the defendant's job to prove their innocence. Remember that's where we start. A defendant is innocent. An innocent person does not need to unlock anything, they're innocent.
Are we supposed to tell the prosecutor that they can't ask the police witnesses questions about how their legal, warranted search went? Or that the police can't answer?
I was a juror on a trial where this was tried.
The prosecution showed logs from the mobile phone companies’ towers showing where it had been seen, including overnights, and calls from it to the guy’s friends. Also didn’t help him that it was on a loan application in his name.
This helped convict them of aggravated burglary.
(Incidentally, one of the others failed to provide his passcode but we found it implausible that he could have forgotten it; unlike the USA, in England this is absolutely something you can be done for here and he was. I don’t want to get in to the pros/cons of this law but the basic idea is that it’s seen as a key, albeit intangible, to a locked container which investigators can require you to open)
Could police ever compel me to provide the passcode or even an unlocked device if I have a dissociative disorder that can't even guarantee my own knowledge of the passcode? It's entirely possible for me to lose access to it without being able to help myself and it'd be a real shame if they thought I was lying then. Fun thought experiment, though.
You don't even need a disorder for that. Anyone could forget a passcode. They can't prove that you remember it, or that you have any idea what it is, but what they can do is lock you in a jail cell anyway. If you're lucky you might get out after only several years https://arstechnica.com/tech-policy/2020/02/man-who-refused-...
Once when I was running CyanogenMod (wow, long time ago) on my Android phone, I made use of the feature to set my device's storage encryption password to something different from my screen unlock code.
And then I proceeded to not reboot my phone for months, and forget what the encryption password was. I was very surprised upon next reboot to find I couldn't get into my phone. Fortunately I remembered it, but it took me a good day or so to figure it out.
So yes, it's perfectly possible to forget a passcode. But the authorities, of course, may not believe you've forgotten it. Which is why it's so important that it should be entirely legal to just refuse to provide it in the first place.
I'd argue that people are far more likely to forget a password/passcode than to have dissociative personality disorder and then have only one personality be aware of the password and then also be cured of the disorder/personality or otherwise be unable to ever manifest that personality to allow for questioning by police.
I think in that case it'd probably be treated more or less the same. Jailed for months/years for contempt of court, either locked up in a cell or a hospital with court ordered mental health treatment depending on if the judge believes the person actually has the disorder or not.
An estimated 1% or so of the population is suspected to have DID, and memory gaps don't exclusively work like "some identity knows the password but it's not me". I can totally forget things without someone else in the system still knowing them. Nobody really has to hold the memory for it to become inaccessible.
If you have a dissociative disorder, then you may just be shot as that is the US police response to most kinds of mental distress, so then from their point of view they've solved the problem.
Dissociative identity disorder isn't necessarily mental distress. Would be pretty irrational to shoot someone over not being able to unlock their phone.
If LEO have a search warrant and find a locked safe in your house (that may include private data or evidence of crime), are they allowed to crack it or order you to open it?
Bull crap. I personally was on probation as a juvenile for a petty offense. One day the PO asks my parents to take me to talk with her to see how I'm doing. She then asked me for a facebook password and I refused. After which she put me in a court house cell for 8 hours and made me miss an entire day of school.
I eventually gave this psychopath my password because I had nothing incriminating and I hadn't eaten all day.
Nice to know USA is literally Nazi Germany but better at hiding their dirty secrets.
I can't even understand why this was even still up for debate - 5th amendment allows you to not incriminate yourself - being forced to give up your passcode is no different than being forced to give up any secrets you might have.
Not sure why this hasn't been slapped down a long, long time ago.
A big part of the reason is that the 5th Amendment actually says something substantially narrower than your paraphrase. It actually says that no person "shall be compelled in any criminal case to be a witness against himself."
So there's a common argument that the 5th amendment only protects you against being forced to give evidentiary testimony against yourself. Giving up a passcode is arguably different, since the passcode is not (necessarily) evidence in itself, in the sense that it might not be introduced as evidence at trial to establish guilt or innocence. Rather, it is information that will allow law enforcement to access other non-testimonial evidence.
I'm not arguing for this position, just providing a perspective on why this isn't as open-and-shut as people often think it should be.
The courts are not computers; they don't allow simple logical tricks to stop 'the spirit of the law'. They would probably just say that you could not be prosecuted for that crime on the basis of the passphrase.
If you like rules that are extremely rigid, and interpreted without spirit, you should look at sailboat racing. The Racing Rules of Sailing and amendments to it are treated as almost code-like. The 1988 America's Cup is a paradigmatic example: https://en.wikipedia.org/wiki/1988_America%27s_Cup
I am unfamiliar with sailboat racing, and cannot knowledgeably comment on whether "[the rules] are extremely rigid, and interpreted without spirit" and whether "The Racing Rules of Sailing and amendments to it are treated as almost-code-like".
But I can say that the 1988 America's cup does not support either of those points.
----
Background:
First of all, the opinion of the appellate court is better written and clearer than the Wikipedia article: https://nycourts.gov/reporter/archives/mercury_sandiego.htm I'm going to be quoting it a lot because it says things more plainly and authoritatively than I could.
"The America's Cup, a silver cup trophy, is the corpus of a charitable trust created in the 19th century under the laws of New York." Such a charitable trust is governed by a "Deed of Gift" written by those who gave the cup to the trust. "[George] Schuyler executed [wrote/signed] the present Deed of Gift in 1887, donating the Cup to the New York Yacht Club".
The gist of the deed is that one yacht club can challenge the current holder of the cup to a race to win the cup (the race is 10 months after the challenge is issued); the two clubs are free to agree to whatever rules they want, but if they fail to agree then the deed gives some fallback rules. One of the rules that the 1887 deed gave is that for single-mast vessels the load water-line length must be between 65 and 90 feet. However, "In 1956 the New York Yacht Club obtained a court order amending the Deed of Gift to reduce the minimum load water-line length to its present 44 feet". For context, the America, the ship for which the cup was named, was 89ft 10in.
From 1956 until 1987 all challengers agreed to a lower maximum length than that 90ft limit, because even though longer boats were faster, they were more expensive.
----
Why I don't believe that this supports your points:
- Because the issue was about the Deed of Gift, not The Racing Rules of Sailing, this was decided by the NY courts, not by the International Yacht Racing Union (IYRU).
- Because reasons ("see, e.g., Crouch v National Assn. For Stock Car Auto Racing, 845 F2d 397, 403; Finley & Co. v Kuhn, 569 F2d 527, 539") the court specifically did not interpret The Racing Rules of Sailing, and just interpreted the deed. If Mercury Bay wanted The Racing Rules of Sailing to come into it, they should have brought it to the IYRU--which they totally could have done--and not to the NY Supreme Court.
- The discussion in the decision of the court by word-count I would say is 90% about the spirit and intent of the deed and what the author intended, and 10% about rigid textual interpretation.
In the spirit of fun, we might set up a system that could deny access if
- more than one person present
- gps location matches known government building
- if law enforcement officers have recently been spotted at a residence or office
- biometrics sense elevated blood pressure/heart rate or other signs of duress
It'd be simpler to have a separate Under Duress password that behaves differently. Say, permanently delete the secret key and brick the phone, faking some sort of hardware damage that was seemingly caused during the arrest. Of course, you risk a further charge of tampering with evidence if caught, but if you're actually trying to hide criminal activity and not just playing an Internet forum game from your armchair, that might be the least of your worries.
That sounds like something they could reasonably argue was destruction (spoliation?) of evidence, and in some cases judges are allowed to tell juries to assume evidence that was destroyed is harmful to or counters the defense's arguments.
Also destruction of evidence is a crime, so you could pick up additional charges as well.
Don't play games with the law: talk to a lawyer. The law is not code, you generally aren't going to win with clever interpretation (see myriad cases where the "intent" of the people making the law is considered by the court) or "hack". If you're ever dealing with legal issues, civil or criminal, talk to a lawyer.
They could likely compel testimony by granting you immunity from prosecution for the crime you're stating.
So the correct course of action is to murder someone and then make confessing to murdering them your passcode, and get immunity from that. #lifehack #modernsolutions :D :D
It depends on how you look at it, but the trend over recent history has been to think the government has most powers to execute 'governing' which are not forestalled by a constitutional or legislative prohibition. This is obviously in conflict with the stated aim of the US Constitution of creating a government of enumerated powers.
What about the less convoluted scheme of "I forgot it?"
The "I do not recall" answer in high profile trials is so common that it's essentially become a meme. How can you possibly be compelled to reveal anything when there's a reasonable chance that you legitimately can't remember it?
I suspect you’d actually be ordered to provide access to this device (which you regularly access).
In particular, I don’t remember the pin or password to some devices and accounts. They are shapes, on the pin-pad or keyboard. There are enough alternative ways of logging in (the apple face thingy, yubikey, you could hypothetically have devices setting up arbitrarily complex interlocking login processes) that I suspect the court would just define what they want, rather than how they want you to do it.
I could be wrong though, no actual experience here with the legal system at all.
My guess is you would be charged with obstruction of justice. This would be similar to you destroying evidence requested under subpoena. Now, as a matter of legal strategy, this may be a better charge to face than whatever is on your phone. Of course, this is not legal advice and YMMV.
That's fine, until a piece of supporting evidence (photo, email, faceID hash or whatever) establishes that you interact with the device on a regular basis.
I think it is illegal to make a credible threat against certain public figures, though, or something along those lines, right? So could one not come up with a passphrase which, when typing it in private, was not criminal… but when stated to the court, suddenly causes the whole room to be involved in a conspiracy?
Or, what if the passphrase includes top secret information?
Or, what if your passphrase is a declaration that you are under one of those secret court warrant thingamajiggies?
> I think it is illegal to make a credible threat against certain public figures, though, or something along those lines, right?
The Brandenburg v. Ohio (1969) Supreme Court case allows for criminalizing speech only if the speech is "directed to inciting or producing imminent lawless action and is likely to incite or produce such action" [1]. "imminent" means that there has to be a near-future, clear time window. "I will kill X president within 3 days" could be illegal. "I will kill X president within a year" is too vague. Regardless, either one could be interpreted as evidence of criminal intent to harm the president. (If you were only joking about killing the president and the jury believes you, then you're fine.)
This assumes you even have the right to a jury, or that you've even been charged with anything, or that you have the right to know what the charges are if they have been filed.
My passphrase is "the best place to fire a mortar launcher at the white house would be from the roof of the rockefeller hewitt building because of minimal security and you'd have a clear line of sight to the president's bedroom".
It's kinda interesting but I think a judge might not rule in your favor on this because the passphrase itself isn't necessarily your claim of fact as an under-oath testimony. You could just as easily have made a passphrase of a false confession or some work of fantastic fiction.
But even that could be revealed with the same controls used in courts that handle those issues like unauthorized disclosure of the nuclear missile silo location.
I suppose for the most part one critical function of judges is to override legislation when it appears that injustice would take place. We can't have murderers who say "sorry found some sweet loophole lol". And similarly we can't have abusive cops/prosecutors who want to harass citizens "tell us all your secrets and I'm sure you're guilty of something lol". Judges should be able to make a sane tradeoff in the name of justice.
Wow - I like that idea. I'll add it to the reboot of Matlock I've been writing :) Kidding aside - it shows how extremely complicated the modern world has become that something like that is even plausible.
I think a novel defense could be never admitting the phone is 'yours' in the first place. Divulging the password is tantamount to admitting you have access to the particular device in question.
You might argue, well the police will have ways to prove it's your phone. Okay, so let them prove it, don't assist them. Well, then they can force you to produce your password, whether you admit it's your phone or not. But by divulging a password, you're admitting you own a phone somewhere, and part of your defense might be (however implausible) that you don't own/use a phone.
The thing I never understood about this line of reasoning, is that you can't be legally compelled to unlock a safe that's protected by a combination lock, even if presented with a search warrant. The police can of course attempt to break into the safe.
I'm not sure if that bit relies on the 5th amendment, or something else. But how is a passcode for a phone any different than a combination for a safe?
The underlying issue is that giving the password is, in the majority of cases, equivalent to admitting that you own/control the device. In other words, it can easily force you to reveal your involvement in a crime, i.e. to bear witness against yourself.
> since the passcode is not (necessarily) evidence in itself
Unless the passcode is a decryption key, in which case the evidence simply does not exist without the passcode. It is indistinguishable from random noise. It’s less like “unlocking a safe,” and more like “instructing nanobots to reassemble a pile of dirt into evidence.”
You might have an argument if there was no authentication/error-detection on the ciphertext, such that many keys would give valid decodings, and more so if it was a simple xor, such that any plain text could be a valid decoding given the appropriate key. But that's not a remotely practical cryptosystem for several reasons.
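The distinction drawn in the comment above, as an added Python example that is not part of the original thread: with a bare XOR pad, any same-length plaintext can be "explained" by some key, while a ciphertext that carries an authentication tag rejects every wrong key. The SHA-256 counter keystream, the function names and the sample messages are constructed for illustration and are not a production cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages of equal length (24 bytes each).
REAL = b"meet at the dock at nine"
DECOY = b"buy milk and eggs today!"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


# --- Case 1: bare XOR pad, no error detection -------------------------------
def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(pad, plaintext)


otp_decrypt = otp_encrypt  # XOR is its own inverse


def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Pad under which `ciphertext` decrypts to `claimed_plaintext`."""
    return xor_bytes(ciphertext, claimed_plaintext)


# --- Case 2: toy stream cipher, with and without an HMAC tag ----------------
def subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one secret."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = enc_key + nonce + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce (16) || body || tag (32)."""
    enc_key, mac_key = subkeys(key)
    nonce = secrets.token_bytes(16)
    body = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 48:
        return None
    enc_key, mac_key = subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_bytes(body, keystream(enc_key, nonce, len(body)))


def open_unauthenticated(key: bytes, blob: bytes) -> bytes:
    """Same cipher with the tag ignored: every key yields *some* bytes."""
    enc_key, _ = subkeys(key)
    nonce, body = blob[:16], blob[16:-32]
    return xor_bytes(body, keystream(enc_key, nonce, len(body)))


if __name__ == "__main__":
    pad = secrets.token_bytes(len(REAL))
    ct = otp_encrypt(pad, REAL)
    fake_pad = key_explaining(ct, DECOY)
    print("real pad  ->", otp_decrypt(pad, ct))
    print("fake pad  ->", otp_decrypt(fake_pad, ct))

    key, wrong = secrets.token_bytes(32), secrets.token_bytes(32)
    blob = seal(key, REAL)
    print("right key ->", open_sealed(key, blob))
    print("wrong key ->", open_sealed(wrong, blob))
    print("wrong key, tag ignored ->", open_unauthenticated(wrong, blob))
```
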
This seems like a highly questionable metaphysical argument. The decryption key does exist and, therefore, so does the information. The question is just who has access to that passcode.
It's because the 5th Amendment is there to prevent the state from torturing you into confession for a crime and then using that as evidence against you. i.e. the point is to ensure the evidence is genuine and not a false confession given under duress, since most innocent people will say anything to stop pain. (This isn't obvious from the text, though if you ponder "why would they have included this seemingly random narrow right", you can deduce the explanation. But there's bigger historical context re: the Star Chamber if you're interested in looking that up.)
Meaning: its point isn't to prevent access to real evidence. It's not an attempt to grant you privacy. It's an attempt to ensure justice is served correctly.
This is also why you lose that right when you're granted immunity. The state can force you to provide testimony in that case.
Corollary here is that it's actually quite surprising courts are willing to side with the accused here. It's probably only a matter of time before rulings come to the contrary. If you care about privacy as a human right, you really need another amendment to make it solid.
> If you care about privacy as a human right, you really need another amendment to make it solid.
You would need some kind of catch-all amendments stating that the enumeration of certain rights shall not be construed to deny others, and that the powers not delegated to the feds are reserved to the States or to the people. You could put them right at the end of the original amendments for emphasis as a closing statement of the Constitution.
But if we enacted those who would ever enforce them? The feds would probably treat them as if they didn't exist.
I don't see how the 5th amendment protects you against torture. You can choose to waive your constitutional right to not incriminate yourself, so surely you can also be tortured into waiving the same right?
> I don't see how the 5th amendment protects you against torture. You can choose to waive your constitutional right to not incriminate yourself, so surely you can also be tortured into waiving the same right?
The short response here is: How often do you see that happening in the US?
But in any case, note that I'm explaining what it was intended to do and what its meanings and implications are. Whether it is successful in achieving its goal is beside the point for this conversation.
Yup, the US Constitution definitely needs a right to privacy amendment. It is of course spectacularly difficult to amend, but an amendment that ensures a right to choose abortion (and other reproductive privacy issues) plus strong digital privacy rights might garner a coalition of both pro-choice people and libertarians, and that could be enough to get it passed.
>being forced to give up your passcode is no different than being forced to give up any secrets you might have.
Actually, the case is even stronger than you make it out to be. IIRC, one of the key constitutional issues is that providing a password is equivalent to saying "yes, this is mine". So even if we disregard the contents of the device, the issue is that you are establishing a legally relevant relationship with a piece of evidence.
I'm recalling this from a looong time ago, when I took a constitutional law class, so I hope those with fresher knowledge will not hesitate to jump in.
Search warrants can compel you to give police access to your property, which can include your body (in cases of blood draw warrants in the case of DWI). The police can obtain a search warrant for your physical filing cabinet, which includes taking measures to access it if you won't unlock it for them.
Police can easily get warrants for your phone; you just can't be compelled to give the code to unlock. I suspect in the future we'll see a different level of cooperation from phone makers.
yep, surprised it doesn't exist already - one password to get you in, one password to wipe or hide everything you want and then let the police in to a completely sanitized version of what you want them to see.
TrueCrypt and other tools had this around for ages. Something with nested partitions. One key unlocked the main partition that you are supposed to fill with something credible. And then another key that unlocks a partition even deeper that should contain your true secrets.
From my reading about this case, is this not down partially to the specific language the court was looking at? That is, the warrants were compelling someone to produce the password, which is a form of testimony, but that a lot of times the warrant instead compels the device to be unlocked, which does not require testimony?
There are ways to use the law to coerce the desired behavior. Border Patrol will do helpful things like take apart your car if you exercise your rights.
What is unreasonable about a warrant? Where did this adversarial attitude to law enforcement come from? The whole reason we have a rich and functioning society is thanks to law.
> Where did this adversarial attitude to law enforcement come from?
They screw up very frequently. Sometimes maliciously, sometimes through incompetence, sometimes both. I can't convey the depth of this in a small comment box, but there's abundant evidence around on this topic if you care to look.
Overall, even when you're talking about legitimately designated authority given to a person ... it's VERRRY easy for a human being to screw up and get it wrong, and it has huge impact over the lives of their targets. Needs to be approached by the authorities with extreme caution. In practice, probably many of them aren't aware of the weight of their actions, or don't care.
Do you have a source for that? Frequently is a relative term. 1,000 fuck-ups can be a lot or a little depending on the total number of interactions we are talking about.
While I don't know how many interactions there have been, according to https://www.washingtonpost.com/investigations/interactive/20... for example New York has had over 10000 officers involved in cases where they settled ("46% by officers named in multiple payments" "more than 5,000 officers were named in two or more claims") across 10 years. They seem to currently have 36000 officers, I don't know how long they stay on the job on average or how the numbers have fluctuated over the years, but even if it's just 1 year and their size hasn't changed that would mean about 2.8% of the police force in NYC was involved in misconduct that resulted in settlement.
These don't include number of cases where legal action wasn't taken or which got thrown out due to qualified immunity (these are somewhat related, if case is unlikely to get past qualified immunity it's quite unlikely legal action will be taken). And probably cases which actually went to trial as it seems to focus on settlements.
Additionally there is for example https://www.nyclu.org/en/publications/cop-out-analyzing-20-y... which covers 2000-2020 misconduct complaints. According to it disciplinary actions were taken 4283 times, meaning that even if conduct was enough to reach settlement it doesn't necessarily mean it results in any actions taken against the officer.
I mean... police can force you to open your door, your safe, or virtually any other container of secrets. The 5th Amendment doesn't give you broad protection to hide things from police when they have a warrant.
A phone is a unique thing not because it contains so many secrets, but because you have to give testimony (as opposed to property, like a key) in order to open it, and it's impossible to open by bashing the door down or cutting it open. It's a technological coincidence, not a legal/philosophical doctrine, that makes phones secure against compulsion by law enforcement.
> I mean... police can force you to open your door, your safe, or virtually any other container of secrets.
No, they can't. They can force you to let them try to open it, but they can't force you to open it for them.
If you have some mechanism like "if you try to open this incorrectly it destroys the contents", and you intentionally don't disclose that with the expectation that they're going to try and fail and destroy the contents, you might get charged with destruction of evidence.
(EDIT: Replies suggest that disclosure may not suffice.)
If they have a warrant, they can force you under threat of legal action if you don't comply. If they don't have a warrant, you can claim the 4th. If they try to get you to divulge the password/code/secret, you plead the 5th. If you let them in, well... Politely tell them they are no longer welcome. Please leave. If they don't comply, they are trespassing (unless they have a warrant, in which case none of the above applies and you're probably going to jail, wear clean underwear).
Right, but that doesn't cover "and I booby trapped it". Why wouldn't you be open to charges in that case? Obstruction, destruction of evidence, contempt of court - such mechanisms exist in part to cover such cases.
I think there's a case to be made that if the contents contain a booby trap before the warrant is issued and executed, they found what was inside, a booby trap was inside. Similar to a canary, an action that causes destruction of evidence deliberately after the warrant was issued is not the same as a system in place beforehand that performs the action automatically in every case without input from the user. This obviously doesn't apply to say a passcode that wipes evidence as that requires deliberate action, but it would apply to something like wiping if the wrong passcode is entered 3 times.
Exactly. Intent also seems like it should matter. If your intent was "destroy evidence if the police comes knocking" that's one thing. If your intent was "have an extra secure safe to protect my secrets from anyone who might steal them" and you made that decision without knowledge of any warrant, that seems like it ought to be fine.
I'm not sure it's directly applicable, but courts have repeatedly ruled that you can't booby-trap your own property; I'm not quite sure this applies to, say, [non-explosively] erasing a USB drive by entering a decoy PIN.
Yeah we aren't talking about land mines here, just devices that destroy the owner's property, and more specifically software systems that destroy information. It is well established that weapons that harm people automatically are illegal.
It's an interesting area, the 5th is actually really narrow (and of course other jurisdictions have something else). It's not obvious what can be compelled; e.g. it wouldn't seem like a court ordering you to defeat such a measure would run afoul of the 5th, but maybe something else.
I have been curious about when/where destruction of evidence takes place. Presumably during the crime, the perpetrator does their best to hide the evidence.
Does it only become destruction after you have been informed the police are interested in you? What if you do it before a warrant is issued? What if your device will self destruct if a password is not entered every N days and you withhold that information?
> I mean... police can force you to open your door, your safe
Actually, the government cannot compel you to give the combination to a safe [1]. If it's locked with a key, not a keypad or combination lock, they can force you to give the key. The distinction is that the former is a product of the mind, while the latter is a physical object. Furthermore, what if you forgot the combination? There's no real way to tell if someone has forgotten the combination or is deliberately withholding it.
> If it's locked with a key, not a keypad or combination lock, they can force you to give the key. The distinction is that the former is a product of the mind, while the latter is a physical object. Furthermore, what if you forgot the combination?
Sounds a bit silly. The location of the key is "a product of the mind." What if you forgot the location of the key?
If law enforcement has a warrant to search your safe, they could presumably expand that search to the rest of your house if you forgot where the key is. The core distinction is that the key is a physical object, it exists somewhere even if you forgot where it is. By comparison the combination is a product of the mind. The only way to retrieve it is for someone to talk to the police (which they have a constitutional right not to do).
IANAL but you could likely successfully claim that you forgot where the key is, exactly because that's a product of the mind. If they have evidence that you do actually know then you might be compelled to hand it over, though.
The UK's laws to compel people to give up passwords seem to make it a de facto crime to forget one's password. Worse yet, it seems like it's illegal to possess random bytes on your devices. I wonder if the UK would change course if people started emailing random bytes to politicians and other supporters of this law, while giving tips to law enforcement that these individuals are coordinating criminal acts over encrypted communications.
But ... If you're going to compel someone to give up the contents of their mind under threat of being found guilty if their mind isn't working properly, you may as well just do away with trial.
IOW, if you're going to compel speech, just compel the suspect to confess; it's the same thing.
Subtle distinction: I don't think the police, even with a warrant, can force you to open anything. They can use force to open something if you refuse (or seemingly, if they feel like it), but they can't make you do it.
A court on the other hand, can compel you to open something.
Yes, but that is a court order issued by the court not the police.
An order to unlock something coming from the cops is entirely different, even if they have a warrant. Warrants would allow them to seize a phone, but you don’t have to provide the password.
You might be able to argue that decrypting the phone's filesystem is forcing you to provide them with information which is not relevant to the case at hand but still incriminating in other ways, since a phone could reasonably be expected to hold vast amounts of unrelated data.
If you save incriminating documents into an encrypted .ZIP file, the state cannot compel you to provide the password, because the password is in your mind. The contents of the mind cannot be demanded to incriminate self.
The state can install a keylogger if they have a warrant, and the results of the keylogger can be admitted as evidence.
It’s “you can’t be forced to open it because it requires you saying the password,” not “you can’t be forced to open it because it contains important secrets.”
Right, if they can figure out a way to reveal your secrets without forcing you to say something, they’re allowed to do that (with warrant of course).
If the government hadn't always had the possibility and right to break into a safe you wouldn't give up the combination to, then that would have been a debate for decades. The reason this is a debate is because they can't crack it.
I'd go so far as to say they never needed permission to refuse, so thanks for confirming the traditional position that coercion is not a valid means of confession.
Orin Kerr noted, commenting on this case, that it's restricted to the question of whether suspects can be compelled to divulge their passwords, even though the more common legal question is whether suspects can be compelled to unlock their phone.
And the prosecutor may try to entice you with a limited concise immunity deal to excuse you of "whatever crime" that passphrase would accuse you of, of which you would say "is that not a fishing trip?" And refuse that deal.
> the government was becoming dissatisfied with the obstruction of criminal investigations that strict adherence to the rule engendered
Also
> The Court recognized that while the rejection of the mere evidence rule may "enlarge the area of permissible searches," the protections of the 4th Amendment, like the reasonableness and warrant requirements, would sufficiently safeguard the right to privacy.
So SCOTUS thinks that government would be satisfied with the Bill of Rights. What if government thinks it is just too frustrating to follow laws?
What do you mean, "what if?"? It's already there. There's plenty of examples. For instance, the FBI is involved in background checks for gun purchases in the US. They are legally required to destroy any results of said check. They have not (to my knowledge) ever passed an audit.
I don't know what this is supposed to imply, they misplaced the money, they couldn't pass audit and decades later they still fail every audit. The implications being, widespread waste, fraud and abuse could have taken place and we have no records to hold those responsible to account. In reality, of course there was widespread waste, fraud and abuse, it seems all of our guns keep ending up in the hands of nazis and islamic extremists so this one isn't hard to figure out.
Passkeys take the passwords out of the user's hand. That's good for some users but bad for all, especially at the moment with missing migration possibilities between iOS and Android.
Like all the rest of the computer stuff, it stops being yours and becomes theirs and you are only allowed to use it.
What, "the West" meaning everything from Bulgaria to Canada to Estonia? That's a way overly broad claim.
This ruling isn't even for all of the US, currently only at the Utah state Supreme Court level, it hasn't gone to the Tenth Circuit Court of Appeals or Supreme Court. This is not necessarily the last word on the topic, not even just for the US.
Another of many factors is whether the person was being detained or merely questioned, whether they had been formally notified of their right to remain silent, etc.
Unfortunately the encrypted phone market is a total mess. The Darknet Diaries podcast has a good episode about this. https://darknetdiaries.com/episode/105/
Nothing has to be on your phone for a cop to demand its contents. At which point, if they want to find something incriminating, rest assured they will.
“Nothing to fear if you’re not doing anything wrong” is a fallacy that serves only the cops
Doesn't strike me as wise. Your phone is always on you, if you have a biometrics killswitch you're better off than repeatedly entering your password, day in and day out, in public locations where a highly motivated actor WILL be able to figure out your password with mere binoculars and two or three observations.
This is why I hate when I get a 1Password prompt to reenter my nonbio password at inopportune times in a public place. My keystrokes can be secretly filmed from a distance. When I gain access to passwords that I copy and paste by fingerprint, the forcible theft of my machine puts me at near 0 risk. (My preferred way to login while in public.)
You are not leaving fingerprints on your device? Btw. there have been successful unlocks of biometric sensors using photographs of fingers, so you better wear gloves all the time.
Reminder to iPhone users that five fast presses of the side button will pop up the emergency calling page; it will also lock your phone in a way that requires your passcode to unlock even if you use biometrics.
Know how to disable it immediately. On Graphene and many Android phones, holding down the power button will reboot it with pin required to complete start up.
If you feed a bunch of a target's personal info into an LLM, would it guess their password more quickly than a human? What about an LLM trained specifically for the task?