Disturbing Decision by US Courts Regarding Encryption

30 November -0001

Sebastien Boucher was arrested at the Canadian/US border crossing for having child pornography on his laptop has been ordered to reveal the password to decrypt an encrypted drive on his laptop for inspection by a grand jury. The laptop was equipped with PGP industry standard encryption software. However, it seems that when agents first inspected the laptop it was simply asleep (only entering hibernation will cause PGP to re-encrypt drives and require a password) and they were able to inspect contents of the hard drive. Agents apparently found thousands of pornographic images (surprise) and a video titled "2yo getting raped during diaper change" and arrested him on child pornography charges. However, after Mr. Boucher's arrest, it seems his laptop was powered off, which caused PGP to re-encrypt the drive containing the images and video in question. Mr. Boucher is now being ordered to provide the password to decrypt the drive again.

This case has several problems, the first of which begins with the evidence against Mr. Boucher. As anyone who has ever received and e-mail alleging to contain a picture of Anna Kournikova naked knows, filenames are often not descriptive of content, especially with respect to pornography. It is possible for advertisers to embed links in video files so that anyone opening the video file will be forwarded to a website rather than viewing an actual video. Advertisers often spread videos like this across newsgroups and file sharing sites with outrageous names in order to get people to their sites.

Regardless, once this initial piece of "evidence" piqued the interest of border agents they began searching the contents of the hard drive and found several purported pieces of child pornography. Mr. Boucher stated that he downloads pornographic content from newsgroups and deletes material he later realizes is child pornography. If Mr. Boucher unknowingly downloaded child pornography, say by visiting a newsgroup, selecting 100 messages, and downloading them all, then browsing through a handful of them and archiving the rest without knowing that some of the archived images contained illegal content, should he be held responsible? Whose job is it to screen this content? Should Mr. Boucher be responsible for inspecting every piece of digital content he downloads? Even so, if Mr. Boucher deleted the files, a forensic image would certainly reveal them on his hard drive, and he could be charged all the same. Shouldn't it be the ISP's or the newsgroup hosts responsibility to filter content, not Mr. Bouchers?

Ultimately the ruling of the court that Mr. Boucher must provide the password to decrypt the drive is disturbing. This seems to fly in the face of Mr. Boucher's 5th amendment rights. I suspect that the case is complicated by the fact that Mr. Boucher allowed customs agents to inspect the contents of his hard drive in the first place - providing the government with reasonable suspicion that the drive does in fact contain illegal material. Had they not been allowed to inspect the contents of the drive in the first place Mr. Boucher would likely be in a much more favorable legal position.

Border agents can, supposedly, require people to decrypt devices at the border for inspection. This is why a technology like TrueCrypt's hidden volume is important. It allows people to plausibly hide encrypted partitions within encrypted partitions. This works because encryption ostensibly makes a segment of the hard drive randomly scrambled. Who is to say if a randomly scrambled segment of hard disk contains within it a second randomly scrambled portion? The idea is to create a partition, put some innocuous content in it, then create a second, inner partition with the true hidden content in that. In order to access the hidden content the first partition must be decrypted, then the second partition must be decrypted. This allows people to decrypt the first partition and claim that there is no further encryption, and without analysis of drive changes over time and active use it is impossible to detect the inner, hidden partition. Had Mr. Boucher used such technology, or simply put his machine into hibernate mode he likely wouldn't be in such a difficult position.

Ref: http://news.cnet.com/8301-13578_3-10172866-38.html
http://privacylaw.proskauer.com/uploads/file/Boucher.pdf