Data Encryption: Fricosu Case Offers New Problem. Defendant Doesn’t Remember Password.

I figured this would happen.  I haven’t mentioned it in my coverage of US v. Fricosu, but once the judgment was handed down that Ramona Fricosu must provide decrypted evidence, I wondered whether she would make the claim that she forgot the password.  Such things happen quite often when it comes to data encryption software.


You see, the situation has been ongoing since 2010.  I don’t know about readers of this blog, but in my experience, not typing a password in over one year tends to lead to “password amnesia.”  This is not the case if you only use one password, like I used to do in my younger days.  In fact, I can still tell you what it was, over ten years later (but I won’t).


But once you graduate to more secure practices and start using multiple passwords, your memory starts to get a little sketchy.  At least, mine does.


In Contempt?  Or Being Honest?



I’ve already blogged that I thought that the judge’s decision in the Fricosu case was pretty straightforward.  I still do; however, there are aspects to it that troubled me then, and still trouble me now, especially because of the above development.


The thing that always troubled me is: what if a person doesn’t remember the password anymore?  I’ve been thinking about this on and off since I found out about the UK’s RIPA, the Regulation of Investigatory Powers Act.  Under RIPA,


“…a suspect [is given] a time limit to supply encryption keys or make target data intelligible. Failure to comply is an offence under section 53 of the same Part of the Act and carries a sentence of up to two years imprisonment, and up to five years imprisonment in an investigation concerning national security.”

To quote myself:


…what if you honestly don’t remember the password?  If you’re in the habit of encrypting a design for the world’s best toaster-oven because you’re afraid of industrial espionage, and happen to forget the password to unlock it…should you go to jail for it?

That’s assuming the government ends up believing your encrypted toaster-oven designs are actually, I don’t know, terrorism-related information.


The decision surrounding this latest development will be (my apologies to Ms. Fricosu whose life must be a living hell right now) the really interesting question to answer.  The decision to force Fricosu to provide decrypted data was pretty straightforward, I thought.


But this latest twist?  The government doesn’t have taped conversations revealing that Fricosu remembers the password, as far as I know.  They can’t prove that she doesn’t remember it.  Or that she does remember it, for that matter.  I’m sure that forcing her to reveal the password, in an attempt to use it as a framework for generating other passwords, would be a violation of the Fifth Amendment (the last ruling makes it abundantly clear that it would, and that’s why she’s not being forced to provide a password but decrypted information).


This is probably the worst post on which to push our managed disk encryption services from AlertBoot.  And yet, I can’t help but think that if someone out there is placed in the same situation and is being accused erroneously of a crime — and the contents of the laptop will actually work to clear his name — he’d probably think it’s a godsend that he can have his AlertBoot encryption password reset after a quick confirmation of his identity.



Related Articles and Sites:
http://www.wired.com/threatlevel/2012/02/forgotten-password/


