Encryption & Privacy Post 9/11: A Double-Edged Sword? Rick Aldrich, JD, LL.M, CISSP, CIPP-IT Booz | Allen | Hamilton Delivered at the Cyber Security & Global Affairs Workshop Barcelona, Spain, 28 Jun 2012
Legal Caveat
• Presentation is not legal advice*
• Designed to raise awareness of general legal principles applicable to information assurance and cyber security
• Consult your corporate legal counsel
*The information contained in this briefing is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this presentation. Accordingly, the information in this presentation is provided with the understanding that the author is not herein engaged in rendering legal advice and services. As such, it should not be used as a substitute for consultation with professional legal advisers.
Agenda
• Purpose
• Background
• Case Law
• Summary
• Questions
Purpose
• Update you on evolving legal developments in privacy and encryption issues as they apply in cyberspace
• Alert you to potential legal pitfalls in information assurance, law enforcement and counterintelligence investigations relating to privacy and encryption
• Identify trends in the law
Background – Definitions
• Encryption: "the transformation of data into a form that is impossible … to read without … appropriate knowledge (a key)."
• Privacy: "freedom from unauthorized intrusion"
• Does the use of encryption create a "reasonable expectation of privacy" (REOP)?*
• Can encryption be analogized to a "lock and key"?
*See Orin Kerr, The Fourth Amendment in Cyberspace: Can Encryption Create a "Reasonable Expectation of Privacy?"
Shredded Documents
• United States v. Scott, 975 F.2d 927 (1st Cir. 1992)
• Scott was engaged in tax evasion
• To hide his illegal activity, he shredded paper documents that could potentially be used against him into 5/32" strips and placed them in the trash outside his house
• Government agents seized the strips from the trash and methodically pieced them together over several days, ultimately using them at trial against him
• Scott moved to suppress, claiming the Government should have obtained a search warrant first because he had a reasonable expectation that the shredded documents would not be read by others
• Issue: Does Scott have a REOP in his shredded documents?
• Holding
• The trial court held yes, but the 1st Circuit reversed
• If one hand-ripped paper and discarded it on the sidewalk, no one would contest that the police could pick it up and piece it together
• Use of more sophisticated shredding equipment does not require the police to refrain from more sophisticated reconstruction techniques
"Encoding" in a Foreign Language
• United States v. Longoria, 177 F.3d 1179 (10th Cir. 1999)
• Longoria and others in his narcotics conspiracy conducted their criminal business in Spanish in front of English-only-speaking bystanders
• One of the bystanders was a Government informant wearing a wire
• The informant turned over the recordings for translation into English
• The translated conversations were used against Longoria at trial
• He objected, claiming the Government violated the 4th Amendment because he had a REOP
• Issue: Does Longoria have a REOP in his foreign-language statements?
• Holding
• The court held no
• The fact that Longoria made his statements clearly audible to bystanders was sufficient to undermine his REOP
• If an informant's acts without electronic equipment do not violate the 4th Amendment, then the addition of a wire does not either
• What Longoria revealed in Spanish, he risked might be understood by a listener or later translated
Background – Communications Monitoring
• Electronic communications are increasingly ubiquitous
• Companies and Government entities increasingly monitor electronic communications:
• To defend systems from insider and outsider attacks (hacktivists, cyber criminals, cyber terrorists, cyber espionage, cyber war)
• To protect against lawsuits (harassment, assault)
• To protect intellectual property
Background – Encryption and the Law
• "Reliance on protections such [as] individual computer accounts, password protection, and perhaps encryption of data should be no less reasonable than reliance upon locks, bolts, and burglar alarms, even though each form of protection is penetrable." LaFave, 1 Search and Seizure § 2.6 at 721 (4th ed. 2006)
• Virtually all government agencies and most corporations in the United States require users to click through "Notice and Consent" banners
• Many also or alternatively require signed User Agreements to the same effect
• Some users seek to regain some privacy via encryption
Background – Encryption and the Law
• Some U.S. government agencies now permit employees to access social media sites
• Some employees access social media via encrypted connections (e.g., HTTPS)
• Some employees encrypt communications using an Agency-issued CAC/PIV card
• Should that justify a "reasonable expectation of privacy" against government monitoring of those files or communications?
• Should the Government be permitted to intercept HTTPS and/or Personal Identity Verification (PIV) card-encrypted communications?
• What about encrypted privileged communications (e.g., attorney-client)?
Background – Encryption and Data Breach Laws
• Data breach laws typically exclude the requirement to report if the data was encrypted
• For example, California law requires that: [a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Cal. Civil Code § 1798.82(a).
• Should data breach laws provide an encryption safe harbor?
• What if the data was encrypted with a trivial algorithm, or a poor passphrase was used? The statutory text turns on whether the data was "unencrypted," not on whether the encryption actually kept the data from the person who acquired it
• The Payment Card Industry Data Security Standard (PCI DSS) provides a safe harbor to card processors that comply with its requirements
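The "poor passphrase" caveat is the one a practitioner should test rather than assume. The following Python example is added here and is not part of the presentation: it derives a key from a passphrase with PBKDF2, encrypts a constructed sample record, and then runs the small dictionary attack that an acquirer of an "encrypted" breach dump would run. The cipher is a stand-in (an HMAC-SHA256 counter-mode keystream with an HMAC tag, chosen so the example needs nothing outside the standard library), not a recommendation; the record, the two passphrases, the wordlist and the iteration count are all assumed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Work factor for the passphrase KDF. Kept low so the demonstration runs in
# seconds; a real deployment would use a far higher count (assumption).
PBKDF2_ITERATIONS = 20_000

# Constructed sample data for the demonstration (not from the presentation).
RECORD = b"name=Jane Q. Public;dob=1970-01-01;ssn=000-00-0000"
WEAK_PASSPHRASE = "Summer2012"
STRONG_PASSPHRASE = "qX7#vLm2!pR9$tWz4&yB6^nK1*e"  # 27 random characters
# A tiny stand-in for the multi-million-entry lists attackers actually use.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2012",
            "Welcome1", "iloveyou"]


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the attacker must pay this cost for every guess."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    """Split the derived key into separate encryption and MAC keys."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a passphrase-derived key; salt and nonce are fresh."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(passphrase, salt))
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def decrypt(passphrase: str, blob: dict) -> bytes | None:
    """Return the plaintext, or None if the passphrase is wrong or the data was tampered with."""
    enc_key, mac_key = _subkeys(derive_key(passphrase, blob["salt"]))
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def dictionary_attack(blob: dict, wordlist: list[str]) -> tuple[str, bytes] | None:
    """What the acquirer of an 'encrypted' dump does: try each candidate passphrase."""
    for candidate in wordlist:
        plaintext = decrypt(candidate, blob)
        if plaintext is not None:
            return candidate, plaintext
    return None


def run_demo() -> dict:
    """Encrypt the same record under a weak and a strong passphrase and attack both."""
    weak_blob = encrypt(WEAK_PASSPHRASE, RECORD)
    strong_blob = encrypt(STRONG_PASSPHRASE, RECORD)
    return {
        "weak": dictionary_attack(weak_blob, WORDLIST),      # -> (passphrase, RECORD)
        "strong": dictionary_attack(strong_blob, WORDLIST),  # -> None
    }


if __name__ == "__main__":
    result = run_demo()
    print("weak passphrase:  ", "RECOVERED" if result["weak"] else "not recovered", result["weak"])
    print("strong passphrase:", "RECOVERED" if result["strong"] else "not in wordlist")
```

On the statute's wording both dumps are "encrypted"; only one of them actually keeps the resident's data from the person who acquired it. The per-guess cost of the KDF slows the attacker but cannot rescue a passphrase that appears in a wordlist, which is why a safe-harbor decision should rest on passphrase strength and on where the key lived (and whether it was acquired along with the data) rather than on the word "encrypted."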
Background – Compromised Encryption
• Published reports indicate RSA was hacked, possibly compromising SecurID encryption tokens
• A subsequent attack against Lockheed Martin was allegedly linked
• About 30,000 companies, banks and government agencies use SecurID tokens
• RSA has offered to replace all tokens (~40M)
• Other encryption technologies that have reportedly been compromised:
• DES (56-bit key, brute-forced)
• SSL
• Skype
• DVD (CSS)
• iOS4
• GSM (A5/1)
• Blu-Ray (AACS)
• HDMI (HDCP)
• Cold boot attacks: cryogenically freezing RAM to preserve its contents after power-off and recovering disk-encryption keys from memory, bypassing the disk encryption
Background – Encryption and the Cloud
• Cloud computing and cloud storage may accelerate the need for more encryption
• But some encrypt the data only once it is in the cloud, rather than before it goes up or after it comes down, leaving open the opportunity for plaintext interception en route (and leaving the provider with the plaintext and the key)
• Similarly, some use wireless keyboards that pass keystrokes in the clear en route to the computer, providing yet another interception point
• With the potential for cloud-stored data to be split among multiple countries, how does foreign law affect the encryption?
• UK law (RIPA Part III) permits compelling disclosure of a password or key under penalty of imprisonment
• But cloud storage can arguably "hide" your data from border inspectors and others
Background – Balancing Privacy and Fighting Evil
• Good encryption with good passwords can virtually guarantee long-term protection of the information
• In the Russian spy case, law enforcement (LE) found a 27-character password and steganography (brute-forcing the password would have taken 60.3 billion centuries)
• Brazilian police seized the hard drives of a Brazilian banker (Dantas) suspected of financial crimes
• All the drives were encrypted (2 with TrueCrypt, 3 with PGP; AES-256)
• The Brazilian National Institute of Criminology and the FBI never broke the encryption
• Should this justify more invasive investigations?
• The FBI is alleged to have a "Magic Lantern" program that can surreptitiously install a keylogger on a suspect's computer via remotely delivered malware to capture passwords
• An alternative technique is a "sneak and peek" warrant that permits surreptitious entry into a suspect's home to install a keylogger
• E.O. 13606 provides for sanctions against those who supply decryption technologies that can enable serious human rights abuses
Background – Encryption Back Doors
• The U.S. attempted to loosen restrictions on the export of encryption technology provided the systems included a key escrow system, but this largely failed
• Most other countries do not adopt this approach
• The U.S. sought legislation to require the Clipper Chip, but it ultimately failed
• The FBI fears that intercepting communications may be impossible if encryption is employed widely
• Part of the FBI's "Going Dark" program
• Seeking legislation to require that all encrypted communications include a back door for the U.S. Government
• Would include RIM's BlackBerry, Facebook, Skype and others
• Would still require a court order to make use of the back door
• One government that tried this ended up having its legislators tapped when hackers figured out how to capitalize on the back door
• Is this an effective means of dealing with encryption? Is there a better way?
Treaties
• Cybercrime Convention
• 47 nations have signed and 34 have ratified so far, including: Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Georgia, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, Moldova, Montenegro, Netherlands, Norway, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Switzerland, Macedonia, Ukraine, United Kingdom, United States
• Critics alleged it could require laws to force divulgence of decryption keys
• Article 18 addresses production orders for computer data. The Explanatory Report states: "With respect to the modalities of production, Parties could establish obligations that the specified computer data or subscriber information must be produced in the manner specified in the order. This could include reference to a time period within which disclosure must be made, or to form, such as that the data or information be provided in 'plain text' …"
• Among signatories, only Belgium and the UK have implemented such a decryption-order power in domestic law
Nation-States with Legislation Permitting Decryption Orders*
• Australia
• Antigua and Barbuda (2 years and $15,000 fine for failure to comply)
• Bahrain (no radio-frequency encryption)
• Belgium (6-12 months, 20K BEF)
• Denmark (telecoms only, with court order)
• Finland (not the suspect, only the certificate services provider/maintainer)
• France (3 yrs, €45K, increased criminal penalty if encryption aided the crime)
• Hong Kong
• India (7 yrs)
• Ireland (can't require the password, but can require decryption)
• Malaysia (only during a search, 2 yrs, 100K ringgit)
• Netherlands (in LE cases, can't order the suspect, but can order others, 2 yrs)
• Singapore (3 yrs, S$10,000)
• South Africa (3 yrs, 2M Rand)
• Thailand (200K baht, plus 5K baht/day)
• Trinidad & Tobago (2 yrs, $15K)
• United Kingdom (2 yrs)
* Per Bert-Jaap Koops, Tilburg University, Netherlands (rechen.uvt.nl/koops/index.htm)
Divulging Passphrases
• In re Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007)
• Boucher's (B's) computer was inspected at the border with B's assistance and child pornography was found
• ICE shut down the computer and seized it
• Later ICE could not access the Z: drive, as it was encrypted
• ICE obtained a subpoena ordering B to provide the passphrase; B moved to quash
• Issues: Can B be made to tell the passphrase? Can B be made to type the passphrase privately? What if the act of production is not usable against B? Does the "foregone conclusion" doctrine apply?
• Holding (magistrate judge)
• No, B can't be made to divulge the passphrase, as that would violate his 5th Amendment right against self-incrimination
• No, B can't be made to type it privately, as that still violates his 5th Amendment right against self-incrimination
• If the act of production is immunized, then the fruits of that act are necessarily barred by derivative immunity in order to protect the 5th Amendment right
• Foregone conclusion doctrine inapplicable
• BUT on appeal the district court ruled (19 Feb 2009) that the U.S. could subpoena the unencrypted version of the Z: drive
• Compare with subsequent cases
• May be very important in light of the increasing tendency to encrypt data
Other Encryption/Password/5th Amend. Cases
• Drage case (UK)
• 19-year-old Oliver Drage was arrested by police investigating child sexual exploitation
• Police seized his computer but could not access its files due to a 50-character password
• Police requested that Drage provide the encryption password, but he refused
• Drage was charged under the Regulation of Investigatory Powers Act (RIPA), which requires suspects to provide encryption passwords on demand
• RIPA provides for punishment for non-compliance with an order to decrypt
• Sentenced to four months in a young offenders institution
• Kirschner (E.D. Mich. 2010)
• Subpoena for the password quashed. Relied on Justice Stevens' dissent in Doe v. United States, 487 U.S. 201 (1988): "He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed."
Other Encryption/Password/5th Amend. Cases
• Fricosu (D. Colo. / 10th Cir.)
• The judge granted the Government's request that Fricosu provide the unencrypted drive. Fricosu claimed the 5th Amendment, said she may have forgotten the password, and appealed to the 10th Circuit. The 10th Circuit denied the appeal (no final judgment). The Government decrypted the drive, allegedly with a password supplied by her co-defendant and ex-husband.
• In re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012)
• The 11th Circuit ruled that requiring Doe to decrypt the drive violates the 5th Amendment. It does not fit the "foregone conclusion" doctrine because the Government failed to show it knew whether files were on the drive, where the files were on the drive, or whether Doe could access them.
Encryption and Plain View Searches
• United States v. Kim, 677 F. Supp. 2d 930 (S.D. Tex. 2009)
• Kim was a database administrator (DBA) for GEXA, then fired
• GEXA later noted unauthorized accesses to the database and Kim became a suspect
• The U.S. Secret Service (USSS) sought a warrant to search Kim's home computer
• Agents found encrypted files with names suggesting child pornography and sought expansion of the warrant to search for child pornography; the magistrate refused
• USSS broke the encryption of those files as part of the hacking investigation, then offered the evidence under the plain view exception
• Kim moved to suppress the evidence as exceeding the scope of the warrant in violation of the 4th Amendment
• Who wins?
• Holding
• The court ruled to suppress the evidence from the encrypted files
• It applied an "objective" rather than a "subjective" test, and held it was objectively unreasonable to look in the encrypted files for evidence of hacking
• Would the ruling have been different if hacking evidence had been found?
• Does this give future hackers protection if they hide the evidence of their crime in encrypted files with child-porn-sounding names?
• May point to the risks of judges ruling on what is or is not reasonable in computer forensics cases when the technology is complex and constantly changing
Border Searches
• United States v. Cotterman, 637 F.3d 1068 (9th Cir. 2011)
• April 6: Cotterman (C) and his wife drove from Mexico to a port of entry in Arizona
• C was on a TECS watchlist for child pornography, so he was directed to secondary inspection
• Laptops and cameras were checked but no pornography was found, though many files were password protected
• The laptops and one camera were sent 170 miles to a Tucson lab for further inspection
• April 8: 75 child pornography images were found in unallocated space. Agents asked C for the password to open the other files; C agreed by phone but left for Australia
• April 11: Agents bypassed the password protection and found 378 child pornography images
• Were the searches legal?
• Holding
• District Court: No. The April 6 search was a valid "border search," but the April 8-11 searches were an "extended border search" requiring "reasonable suspicion," which the court did not find
• 9th Cir.: Yes. The fact that border agents needed to transport the media to search it did not transform the border search into an extended border search; the length of time the media was retained was not sufficient to require reasonable suspicion; each case must be assessed on its facts
• Contrast with United States v. Hanson
Encryption and Third-Party Consent
• United States v. Buckner, 473 F.3d 551 (4th Cir. 2007)
• Police received complaints of fraud linked to computer accounts of Michelle Buckner
• Michelle indicated she only used the computer to play games, and consented to the police taking whatever they needed
• Police seized the running computer, turned it off, imaged it and did a forensic search
• The evidence led to a 20-count indictment against her husband, Frank
• Frank moved to suppress the evidence, claiming it was password protected and his wife could not consent to a search of that over which she did not exercise joint access or control
• Who wins?
• Holding
• The 4th Circuit ruled for the Government
• The wife did NOT have actual authority to consent, but she had apparent authority: the computer was located in the common living room, it was on at the time of seizure (Frank was away), it was leased in the wife's name, and there was no indication of password-protected files
• So police had an objectively reasonable belief that the wife had authority to consent
• The data was not encrypted
• Compare Trulock v. Freeh, 275 F.3d 391 (4th Cir. 2001) (where officers were told of password protection prior to the consent search)
Summary
• There is no panacea for the protection of privacy rights
• Protecting privacy must be balanced against the interests in solving cyber crimes, fighting cyber terrorism and deterring cyber war
• Encryption can assist in the protection of privacy in some cases, but can lull the unsuspecting into a false sense of security in other cases
• Technology can be complex, and "real world" analogies for judges are often faulty
• Governments will continue to try to balance privacy interests against protecting the public from crimes, terrorism and national security threats
Questions? Rick Aldrich Email: aldrich_richard@bah.com Office: 703-984-0785