January 2008 Archives

EU court says file sharers don't have to be named

So...under EU law, a court recently found that Internet Service Providers need not provide personally identifiable information in civil cases.  This has huge impact on the general strategy of the RIAA, which has been to file "John Doe" cases and expect that the ISPs involved will simply hand over the names and other information of those that the RIAA suspects (reasonably or not) of trading copyrighted material online.  The actual impact of this decision is somewhat limited, but when combined with recent statements by an EU regulator that IP addresses should be treated as personally identifiable information, it marks a pretty significant difference in public policy between the EU and the good ol' US of A.

CNN: Attorney general dances around waterboarding issue

In the latest and greatest installment of the Bush administration's ongoing "Torture or Not Torture" game show, the Attorney General of the United States of America testified before Congress, yet refused to provide his legal opinion of whether or not the practice of waterboarding constitutes "torture".  Though he was more than willing to say that if it was done to him, he'd consider it such.  Of course, that's not a legal opinion.

Let's forget for one moment that it's his duty as Attorney General to make his legal opinion known.  And let's forget for a moment the ramifications that such a decision would have politically for him.  If he thinks that, were it done to him, he'd consider waterboarding "torture", doesn't that really answer the question?

I guess it's just another notch in the belt for the Bush administrations systematic castration of our government's conception of separation of powers and oversight.

But then again, if it worked for the Spanish Inquisition, the Khmer Rouge, and the Japanese Military during WWII, it's good enough for us, right?

Judge: Man can't be forced to divulge encryption password

In a response to my last post, someone asked my opinion on the article linked above.  To summarize the facts, a gentleman was attempting to cross the border from Canada with a laptop that is alleged to have included a significant amount of pedophilic materials.  The agents saw the alleged images during a consensual search, and immediately arrested the suspect and took the laptop into custody.  However, after securing a warrant 14 days later to perform a full, in-depth search of the laptop, the officers found that the drive that they suspected to contain the illegal materials was PGP-encrypted, and inaccessible without the password.

The grand jury considering the indictment issued a subpoena requesting the password, and the suspect moved to quash the subpoena.  The District Court magistrate indeed quashed the subpoena, basing his decision on the idea that entering the password would somehow be "testimonial" in nature.

To provide a bit of background, there are many things that one may be legally compelled to provide to police without violating the Fifth Amendment protection against self-incrimination.  These include fingerprints, DNA, and the such.  It was the magistrate's opinion that producing the password "would be disclosing the fact that he knows the password and has
control over the files" on the computer.

In the abstract, this would seem perfectly rational, as the established test for testimonial statements or actions includes actions that indicate some form of control over the evidence.  However, it doesn't appear in any of the documentation that the defendants' control over the evidence is at issue here - it seems clear that he has acknowledged that this is in fact his laptop, and from other statements (presumably under Miranda warnings) that he knows that there may be illegal materials on his hard drive (his excuse is that he downloaded bulks of files from newsgroups, and could not be certain all of it was legal).

Further, the court completely discounts the government's attempts to liken the passphrase to a physical key, and instead concludes that disclosing the passphrase somehow "conveys the contents of one's mind".  Again, in the abstract, such a passphrase is in fact within the "contents of one's mind", but then again, so is the location of a physical key (assuming the key is not on the person of the suspect at the time).

I think the analysis here is far simpler than the court is willing to accept.  The fact that there is a password is known.  The fact that the laptop belongs to or has been under the control of the defendant is undisputed.  That the contents of the drive were "locked" is identical to someone throwing documents into a wall safe and closing the door.  The fact that the defendant knows there is a passphrase, and even that he knows what the passphrase is does not mean that he implcitly knows all of the contents of the laptop that may be protected by the encryption.  Producing the passphrase should not be seen as testimonial, and in addition, the fact that he produced the passphrase could be excluded as evidence at trial.

The crime is not encrypting the drive - the crime is what was hidden when the drive was encrypted.  This isn't a good set of facts to change existing precedent.  A password is a key, simply located in the mind rather than as a physical object.  Would the court deny the combination to a lock for the same reasons?

There's been some talk online about an article published that discusses police officers' rights to search your iPhone or other "smart phone" in a search pursuant to arrest.  Much ado has been made about this nothing, which is a principle of law that has been set in case law for at least 10 years regarding technology.

The specific article seems to focus on a recent 5th Circuit case, United States v. Finley (477 F.3d 250, 2007 - PDF), in which the defendant was arrested on suspicion of aiding in a drug transaction.  During the arrest, the officers obtained a cell phone from Finley, and delivered the phone to other officers who were performing a warrant search on Finley's "conspirator's" property.  The DEA agents here reviewed text messages on Finley's phone, and uncovered text messages that appeared to be related to drug transactions ("Call Mark I need 50" and "So u wanna get some frozen agua?").  During questioning (and under Miranda warnings), Finley admitted that these text messages were mostly related to marijuana transactions.

The question on appeal was whether the search of the cell phone's contents was permissible under the "search incident to arrest" doctrine.  For those not well-versed in this exception to the Constitutional warrant requirement, the basic gist is that, once you are placed under arrest the police officers conducting the arrest have the right to search your belongings for any evidence of the crime for which you are under arrest.  Such a search must be "reasonable" in scope and duration, and includes the opening of closed containers.

The outrage online seems to stem from the idea that your text messages and other information stored on your smart phone are somehow immune to this doctrine.  Unfortunately, it's been well-established that electronic "gadgets" such as pagers, cell phones, and other items that may contain incriminating evidence (perhaps even laptops?) are fair game for searches incident to arrest (articulated in United States v. Ortiz, 84 F.3d 977, 1996).

It's important to note that all of these analyses require that the owner of the property be "under arrest", and not merely stopped for questioning.  So if you're walking down the street and have done nothing, a police officer can't just stop you, tell you to give him your phone, and start digging through it for incriminating evidence.  Closed containers are still generally outside the purview of a Terry stop, unless there's reason to believe they contain weapons or other dangerous materials.