Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

AfterBites - Man Must Decrypt Hard Drive

The original article:

 --Judge Says Man Must Decrypt Drive
(February 26 & March 3, 2009)
A federal judge has ruled that a man suspected of having child
pornography on an encrypted drive on his laptop computer is not
protected by the Fifth Amendment. US District Judge William Sessions
ruled that Sebastien Boucher surrendered those rights when he allowed
his laptop to be searched the first time, and ordered Boucher to provide
the court with an unencrypted version of the drive in question. The
ruling reverses an earlier decision in which a judge ruled that Boucher
was protected from incriminating himself under the Fifth Amendment. The
original request from the US department of Justice had been to make
Boucher surrender his encryption passwords; the appeal asked only that
he decrypt the drive in view of the grand jury. Boucher's laptop was
searched in December 2006 while crossing the border into the US from
Canada. Agents claim to have seen the offending content, then shut down
the computer. When they tried to access the images after Boucher's
arrest, they were unable to because of his PGP program.

There are several things about this particular article that really bother me - and they're all about the rights of citizens to be free of government interference.

First, and foremost, is the publication of a suspect's name in a child pornography case. In the event that the suspect is not proven guilty (remember: innocent unless proven guilty) the government has already ruined this man's career prospects and reputation. If you don't believe me - just google for his name.

Second, is the notion that a border-check is "voluntary" and not coerced. It's ridiculous to say that someone "voluntarily surrendered their rights" when they were asked - however nicely - by a man with a gun at a border crossing. I've had this happen to me, returning to the US from abroad: you're forced to wait in line (I waited 2 hours!) and told you can't use your cell phone or leave, then you're asked "is this your bag? may I examine it?"  It sounds as if in this case the suspect was crossing the border in an automobile but it's the same scenario: wait in line, wait in line, and the man with the gun starts asking you questions. You have to answer them, and agree to any search, or you can turn around and go back.

Third, is the stupidity of trying to coerce someone legally into giving up a hard drive password. If the hard drive contains evidence that could convict him on a 20 year sentence, there's not much they can do to him that's worse than that, if he refuses to give up his password. They can't imprison him for 20 years for refusing the judge's request. What are they going to do, waterboard him?

Lastly, is the charges against him. Interstate commerce of child pornography? That's not how the guys who do child porn for a living transport their data, and the judge knows it. What's going on is that they're trying to coerce him further by layering on as many charges as they can think of, to see if they can make him crack or plea-bargain to a lesser charge. That's not how to do "justice" - criminal charges should not be used coercively!

Obviously, if the guy's guilty, he should suffer the consequences. But I'm very uncomfortable with my government's handling of this matter. If the border cop screwed up his evidence collecting, he screwed it up, and the case was lost at that moment. Precedent-setting rulings that further erode everyone's rights is not a good response to mishandling evidence. This case has been dragging on for 3 years and has probably cost the taxpayers a huge amount of money, and consumed the suspect's life. The publicity it has garnered for hard drive encryption has probably done more damage to law enforcement efforts against child pornography than busting any individual perpetrator would, already.

I've been entering and exiting the US for years with my laptop running TrueCrypt. I've always been careful to make sure that my crypted volume is unmounted when I travel, and the container file is not obviously named to indicate its purpose. Now, I'm wondering if that's a good idea. The Department of Justice has made some massive payouts in the past, when they've "outed" suspects and then admitted they had no case (think Richard Jewell, Stephen Hatfill, and Wen-Ho Lee) - aside from the downside of becoming a pariah, a multimillion-dollar cash settlement could be in the offing if you refuse to unlock your encrypted volume of your customer's syslog data. That's what's in my container file. That, and a few photos of my girlfriend (who is over 18).

Meanwhile, across the big wet, the Gary McKinnon case drags on. In a recent article in UK "infosecurity" magazine, McKinnon is described as having Asperger's syndrome:

"McKinnon was diagosed after a television interview when a member of the public believed that he showed signs of the condition."

I'm picturing that. No doubt some clinical psychiatrist just sitting there in front of the tube went "OMG! Asperger's!" The part that gets me is:

"...They're actually blind to the potential social consequences for them or for other people." (says McKinnon's psychiatrist)

OK, I'll buy that, but if that's the case - if he was blind to social consequences of his actions - why did he originally try so hard not to get caught? And, why is he trying so hard, now, to avoid the "social consequences" of his actions? He doesn't seem blind to them - in fact, he seems painfully aware of them.

Is there a medical syndrome for "people who got caught doing something naughty and are in denial about it"? I seriously wish they'd drop the whole McKinnon thing, and stop spending lots of money trying to extradite him. Leave him over there for the brits to deal with. That way, he can write a couple bad books about his exploits and go on the lecture circuit over there, charge huge speakers' fees, and buy himself all the anti-anxiety drugs he needs.

I feel bad for the actual sufferers of Aspergers' who are now going to have to deal with doubters assuming that they're just losers claiming an excuse from the doctor. Autism and Obsessive-Compulsive Disorder are nothing to joke about. Nor are they something for cowards to hide behind.

Subscribe to the Tenable Blog

Try for Free Buy Now

Try Tenable.io Vulnerability Management


Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free


Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.