Welcome to the SecAware blog

I spy with my beady eye ...

12 Jul 2011

You have the right to remain silent ...

... while we force you to enter your passphrase into your computer to decrypt the data potentially comprising or incriminating evidence. According to the cNet article:
Prosecutors stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."

The ramifications of governments 'allowing' 'ordinary' 'citizens' access to strong encryption are many and varied.  What if citizens have the nerve to protect information which they consider highly confidential but which the government desires to access?  Of course the government has the resources to try to defeat the cryptosystem, whether by brute-force attack or cryptanalysis.  It also has the resources and means to attempt to steal passphrases using Trojans or other surveillance techniques, or insert and access backdoors, or insist on escrow.   We know it has the rubber hose necessary for coercive cryptanalysis.  And if it had the means to read citizens' minds, you can bet it would apply them.  But for now, being forced to go through the courts to demand that citizens decrypt their own information for the benefit of the government (and, arguably at least, for society at large) is, for me, a step too far. 

Just like the so-called rule of law "innocent until proven guilty", I accept that some guilty parties will 'get away with it' if their crypto-secrets are in fact strong enough to remain secret, but on balance this is better than the alternative.  If the government has the legal right to demand that its citizens incriminate themselves, the government cannot also demand the support of its citizens - the very citizens who give it the authority and power to act on their behalf.  George Orwell saw it coming.

Gary (Gary@isect.com)

No comments:

Post a Comment