There’s an interesting case in the U.S. District Court in Vermont where a prosecutor is trying to force a suspect to give up the password to the encrypted contents of his computer. The suspect claims that doing so would be self-incrimination, and he has every right to refuse the government’s request. I won’t get into what the charges are, since that would just portray one of the uglier parts of our society and spark an emotional argument instead of a technical or legal one.
Why is this case so interesting? A case of this kind has never made it up to this legal level, and now a judge needs to balance privacy and civil liberties while protecting the interests of the public. The judge presiding over the case likens this to having a safe with potentially incriminating evidence. The government can force you to give up the key to your safe since the key is physical, but if your safe has a combination lock, the government cannot force you to disclose the combination. Doing so is considered a “testimonial act conveying the contents of one’s mind,” which is protected by the Fifth Amendment. In my opinion, whether a physical safe has a key or combination lock, a government official will find a way to break the safe open to review its contents.
Why are the folks in Vermont having such a tough time?
The encrypted contents on the suspect’s computer are protected using 256-bit encryption, and the government’s computer forensics experts testified it would take years of brute-force password attacks to get into the files. Trying to decrypt the file is out of the question since it would take a supercomputer several years to decrypt 256-bit encryption. The only real way to get access to the data, according to the government experts, is to get the suspect to give up the password.
Why am I confused?
Most encryption products include a failsafe to allow authorized users to get access to their data in case they forget their passwords. The AlertBoot managed hard drive encryption service offers such support to its customers. Yes, security is important, but you should never be in a situation where you lose access to your data because you implemented security. I wonder which product was used in this case where there is no way to recover the password or reset it by contacting the software vendor.
The law is continually trying to catch up with technology, and it will be interesting to see how this case ends.