BURLINGTON, Vt. (AP) -- When Sebastien Boucher stopped at the U.S.-Canadian border, agents who inspected his laptop said they found files containing child pornography. But when they tried to examine the images after his arrest, authorities were stymied by a password-protected encryption program. Now Boucher is caught in a cyber-age quandary: The government wants him to give up the password, but doing so could violate his Fifth Amendment right against self-incrimination by revealing the contents of the files. Experts say the case could have broad computer privacy implications for people who cross borders with computers, PDAs and other devices that are subject to inspection. "It's a very, very interesting and novel question, and the courts have never really dealt with it," said Lee Tien, an attorney with the Electronic Frontier Foundation, a San Francisco-based group focused on civil liberties in the digital world. For now, the law's on Boucher's side: A federal magistrate here has ruled that forcing Boucher to surrender the password would be unconstitutional. The case began Dec. 17, 2006, when Boucher and his father were stopped at a Derby Line, Vt., checkpoint as they entered the U.S. Boucher, a 30-year-old drywall installer in Derry, N.H., waived his Miranda rights and cooperated with agents, telling them he downloads pornography from news groups and sometimes unknowingly acquires images that contain child pornography. Boucher said he deletes those images when he realizes it, according to an affidavit filed by Immigration and Customs Enforcement. At the border, he helped an agent access the computer for an initial inspection, which revealed files with names such as "Two year old being raped during diaper change" and "pre teen bondage," according to the affidavit. Boucher, a Canadian with U.S. residency, was accused of transporting child pornography in interstate or foreign commerce, which carries up to 20 years in prison. He is free on his own recognizance. 
The laptop was seized, but when an investigator later tried to access a particular drive, he was thwarted by encryption software from a company called Pretty Good Privacy, or PGP. A grand jury subpoena to force Boucher to reveal the password was quashed by federal Magistrate Jerome Niedermeier on Nov. 29. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop," Niedermeier wrote. "The password is not a physical thing. If Boucher knows the password, it only exists in his mind." Niedermeier said a Secret Service computer expert testified that the only way to access Boucher's computer without knowing the password would be to use an automated system that guesses passwords, but that process could take years. The government has appealed the ruling. Neither defense attorney James Budreau nor Vermont U.S. Attorney Thomas Anderson would discuss the charge. "This has been the case we've all been expecting," said Michael Froomkin, a professor at the University of Miami School of Law. "As encryption grows, it was inevitable there'd be a case where the government wants someone's keys." Authorities have encountered such dilemmas before, but have used other methods to learn passwords, including installing surveillance devices that capture keyboard commands. Sometimes investigators have given up before a case reached the courts. In a 2002 case, the FBI used a keyboard program to obtain gambling records from the computer of Nicodemo Scarfo, Jr., the son of a jailed New Jersey mob boss. In another case, an officer found child pornography on the laptop of a man who flew into Los Angeles International Airport from the Philippines. But a federal judge later suppressed the evidence, ruling that electronic storage devices are extensions of the human memory and should not be opened to inspection without cause. That case didn't hinge on a password, though. 
Orin Kerr, a law professor and computer crime expert at George Washington University, said the distinction that favors the government in Boucher's case is that he initially cooperated and let the agent look at some of the laptop's contents. "The government can't make you give up your encryption password in most cases. But if you tell them you have a password and that it unlocks that computer, then at that point you no longer have the privilege," he said. Tien, the attorney with the Electronic Frontier Foundation, said a person's right to keep a password secret is a linchpin of the digital age. Encryption is "really the only way you can secure information against prying eyes," he said. "If it's too easy to compel people to produce their crypto keys, it's not much of a protection."
This is not the issue at hand, but I will answer your question: I do not need permission from the AP to post an article for educational or discussion purposes. The article was posted for educational purposes and is within the fair use requirements of the law. This issue was initially litigated between FreeRepublic.com and Los Angeles Times and others, but there was never a trial on the merits. So the area of law is not settled. However, I think the right to post this type of material in this manner is totally proper. Of course, I don't put my Adsense code on this site, so my use of this site is non-commercial. I do not think that even matters, as the AP never had any issue with sites like FR or posting articles for educational or discussion purposes. They chose not to be a part of the lawsuit or request that their articles not be posted on that site. To this day, AP articles I posted on that site nearly 10 years ago are still there with no issue. That usage is totally consistent with the 1st Amendment rights granted to me and cannot simply be usurped by a copyright claim. I agree with the statement FR uses: "The Framers did not intend for the federal government through regulation and copyright law to restrict the right of the people to free speech. In fact, they explicitly prohibited it." Since this is a private site, they can do as they wish, including deleting this thread or article.
browntwn
Any thoughts on the government seeking to compel someone to turn over their password keys?
I can't see how it's legal to force a person to incriminate themselves. The government must prove its case without the assistance of the accused.
This guy went looking for trouble. He told the authorities that he may have illegal content and then refused to let them look. He would have a stronger case if he told customs that he is not letting them inspect his laptop and said nothing else.
Correct me if I am wrong, but does the US legal system stipulate that the onus is on the prosecutor to produce the evidence and prove the case against the accused beyond all reasonable doubt? If that is the case, the evidence cannot be proven due to an encrypted file (or directory). I'm also sure that you cannot be charged or arrested for suspicion of a crime (apart from the homeland security laws I hear of). A real can of worms if I ever heard of one. But it would be interesting to see if the FBI could actually crack the password (especially if the cipher is over 256kb). Theoretically (and realistically) it would be impossible to crack a file open by brute force before the statute of limitations would expire. But if they were to accomplish it, I would also wonder if the FBI used the rumored 'backdoor' that supposedly exists in these algorithms. If so (my god, a whole heap of ifs here) it will have huge ramifications on the security community.
Does it matter which way you are crossing? What I mean is that if you're in the US and crossing to Canada you would have to follow Canadian law since they would be the ones searching... and vice versa. Which way was the person going?
It seems clear to me that this should be covered by the Constitutional protection against self-incrimination. If the government wants to see what is in those files, it can make a deal giving the owner immunity from prosecution. On a more practical level, "I forgot" is impossible to disprove. I own a 5GB PGPDisk that I forgot the password to five years ago. I'm still trying to remember the damned thing.
That would still require 24 bits from a used packet. Doubtful the laptop is being used anymore and it's sitting in an evidence room.