The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | legal

EU flag on keyboard

If this amendment passes, it will significantly reduce the perceived advantages of using servers outside the US. No only would the server still be subject to whatever legal process exists in the hosting country, but they would also be open to legal hacking by the USG.

Newly Proposed Amendment Will Allow FBI to Hack TOR and VPN Users | Hack Read

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

EU Flags photo

A New York district judge has ruled that Microsoft must comply with US search warrants for emails stored in European data centers. The argument is that as a US company, Microsoft is subject to the order, and because it has control of its European subsidiary which in turn has control of the data center in Europe, it should therefor comply.

This will put Microsoft, and many other US Internet companies, in a tricky place. The EU data protection laws are being expanded to explicitly bar EU subsidiaries of US companies from sending data outside the EU for law enforcement or intelligence purposes.

This also further undermines confidence in the security and privacy of data held by US Internet companies.

Microsoft ordered to hand over overseas email, throwing EU privacy rights in the fire | ZDNet

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

Policeman with cellphone

In a unanimous decision, the Supreme Court ruled that police must obtain a warrant before searching suspect’s cellphone. Before this, cellphones were treated just like anything else a suspect might carry, including wallet, keys, address book, or various other “pocket litter”.

Police are generally allowed to search suspects for weapons and to prevent the distraction of evidence. Because of the massive amount of storage on a modern smartphone, and its direct connection into so many other stores of data and communications, the court felt that the contents of these devices was qualitatively different and deserving of greater protection.

It is important to remember that the police can still take the phone, and that they can then get a warrant to search it if there is probable cause. They are simply prevented from searching it without the warrant, possibly in the hope (but not expectation) of finding evidence.

This decision may lay the groundwork for according similar protections to cloud stored data, which once would have been kept in the home in hard copy. Law enforcement officials claim that technology is making life easier for criminals and harder for law enforcement. I find that hard to believe and have not seen any really good studies of the matter. If you have, please let me know!

It strikes me that the routine preservation of emails and other communications, along with the massive use of server logged communications from text messages to social media, actually makes things much easier for law enforcement on the whole.

The fact that the decision was unanimous suggests that we may be entering a period of re-evaluating outdated precedents from the pre-internet era.

Some key quotes from the decision:

  • Regarding treating phones like other pocket litter – “That is like saying a ride on horseback is materially indistinguishable from a flight to the moon,”
  • On the impact on law enforcement – “Privacy comes at a cost.”
  • “Cell phones differ in both a quantitative and a qualita- tive sense from other objects that might be kept on an arrestee’s person. The term “cell phone” is itself mislead- ing shorthand; many of these devices are in fact minicom- puters that also happen to have the capacity to be used as a telephone. They could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, librar- ies, diaries, albums, televisions, maps, or newspapers.”
  • “The scope of the privacy interests at stake is further com- plicated by the fact that the data viewed on many modern cell phones may in fact be stored on a remote server. Thus, a search may extend well beyond papers and effects in the physical proximity of an ar- restee, a concern that the United States recognizes but cannot defini- tively foreclose.”
  • “Our answer to the question of what police must do before searching a cellphone seized incident to an arrest is accordingly simple—get a warrant,”

Some Excellent Articles for further reading:

With cellphone search ruling, Supreme Court draws a stark line between digital and physical searches – The Washington Post

Police Need a Warrant to Search Your Cellphone, Supreme Court Says | Re/code

Supreme Court: Police Need Warrants to Search Cellphone Data – WSJ

Note: In the picture above, the policeman is actually just using his own cellphone.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· · ·

Jun/14

26

If you don’t admit you won’t decrypt

Broken Disk

The Massachusetts High Court recently ruled that a suspect can be compelled to decrypt disks, files, and devices which have been seized by law enforcement. The crux of the question before the court was whether compelling the password for decryption is forbidden by the Fifth Amendment protection against self incrimination.

The analogy one most often sees is to being compelled to provide the combination to a safe, the contents of which are subject to a search warrant. That is well settled law, you can be compelled to do so.

The court said:

We now conclude that the answer
to the reported question is, “Yes, where the defendant’s compelled decryption would not
communicate facts of a testimonial nature to the Commonwealth beyond what the defendant
already had admitted to investigators.” Accordingly, we reverse the judge’s denial of the
Commonwealth’s motion to compel decryption.

In this case, there was nothing testimonial about decrypting the files because the defendant has already admitted to owning the computers and devices, and to being able to decrypt them.

The much more interesting situation will come in a case where the defendants say they never had, or have forgotten, the password. One can not be compelled to do something impossible, but generally the proof of the impossibility falls on the defendant. In this case one would have to prove a negative. How could you prove that you don’t have the password? The only thing that can be proved is that you do, and that only by doing so.

This ruling is only binding in the sate of Massachusetts, but is likely to be influential in cases in other areas.

Massachusetts High Court Permits Compelled Decryption of Seized Digital Evidence | The National Law Review

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Update: It looks like I am wrong about providing the combination to a safe being settled law. Thanks Joey Ortega for setting me straight.

· ·

IStock 000005044123XSmall

The US Second Circuit court of appeals just ruled on a very important case about Fourth Amendment protections for seized computer files. While this ruling is only binding on courts in the 2nd circuit, it will be influential, and we are likely to see this issue addressed by the Supreme Court before too long.

The reality of computer forensics is that investigators start by grabbing everything off the computers they are searching, then look for the specific information specified in the warrant. Generally this is done by making a direct image of the computer’s hard drive. From there additional copies are made so the chain of evidence is clean, and the original image can be shown to be unchanged. It is impractical to try to capture only the targeted information because the volumes are often so large the search must be automated and may take considerable time. Additionally, suspects may have taken steps to try to hide files on the disks.

The upshot of this is that the law enforcement entity now has a great many documents far outside the scope of the warrant. This is where we come to the specifics of the case United States v. Ganias. In 2003 the government searched Ganias’ computers as part of a fraud investigation. As I described, they captured full images of all the computer’s hard drives to 19 DVDs. After competing their searches, they kept the DVDs.

In 2006, they thought Ganias might be involved in tax related crimes, so they obtained warrants to search the DVDs they had in storage for this different set of documents.

The 2nd Circuit ruled to suppress the evidence obtained from that 2006 warrant because the documents searched should never have been seized in the first place.

The ruling recognizes the realities of the search process, and allows for capture of full drive images, and keeping that data for a reasonable time, but specifically forbids keeping it indefinitely as a source of information in future searches. That would completely void the Fourth Amendment which requires that the warrant specify the specific things to be searched.

As a reminder, the full text of the Amendment is: 

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Thanks to the Washington Post for a more detailed legal analysis: Court adopts a Fourth Amendment right to the deletion of non-responsive computer files – The Washington Post

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Older posts >>