Wednesday, August 23, 2006

Encrypted Hard Drives and the Constitution

I spoke to a group a few months ago about how Customs Officers can search the hard drives of laptops carried by someone coming into the US or leaving the US.

In my last post I talked about how the border search exception to the Fourth Amendment's warrant requirement lets (apparently, anyway – so far every federal court to address the issue has upheld the application of the exception in this context) the officers do this, and why.

After I did my presentation on that issue to the group, one of the people in the audience came up to me, quite agitated.

He said he handles computer security (in some capacity, I didn’t quite get the context) for a company, the executives of which often travel into and out of the country carrying laptops. He said the laptop hard drives have proprietary information on them, and are therefore encrypted. He was concerned about a Customs Officer’s wanting to see the files on the laptop.

At first, I am afraid I did not take the question that seriously – I told him (which I think is true) that the executives probably are not likely to have their laptops searched (but that was before the recent UK airline bombing plot, so who knows now).

That was a bad answer because it, of course, leaves open the possibility that they might have the laptop hard drives searched. And he, very reasonably, was not happy with that answer, so he pressed for a better one. He made it clear that the concept of giving the officer the encryption key was simply not an option because of the very sensitive nature of the information on the laptops. So we chatted about all this for a bit, and I finally told him he should probably come up with a procedure for this scenario, and decide how they would handle it if it arose.

Let’s take the scenario he presented and parse out the options and the applicable law. The Customs Officers have a Fourth Amendment right to search “containers” (which, as I said before, includes a hard drive) when someone is entering or about to leave the country. I’ve run this scenario by prosecutors and based on their reaction and how I analyze the law, it looks to me like the scenario can have three basic resolutions:
  1. The laptop owner gives the Customs Officer the encryption key and the officer searches the laptop’s hard drive for contraband (data within the scope of a border search);
  2. the laptop owner refuses to give the Customs Officer the encryption key, says he/she has decided not to travel that day and walks away with the laptop (the prosecutors I’ve discussed this with say it would work, so we’ll assume it will, at least for now); and
  3. the laptop owner refuses to give the Customs Officer the encryption key and insists on traveling with it, citing some constitutional rule.
The first two options are self-resolving, so let’s focus on the third one.

The problem we have here is that the Fourth Amendment really does not apply to the act of refusing to hand over the encryption key.

(Ironically, it would apply if the laptop owner gives up the encryption key, because this would be consenting either to the “seizure” of the key or to letting the agent “search” it. Or it could be considered to be a waiver of the Fifth Amendment issue we’ll get to in just a moment.)

See, the Fourth Amendment only applies when government agents (like the Customs Officer) DO something . . . like taking your laptop away from you or breaking down your front door to go in and seize it or turning it on and looking through the unencrypted files against your objection. The Fourth Amendment does not apply when, as is the case here, you refuse to do something the government wants you to do and they try to make you do it.

The Fifth Amendment applies, in a very limited way, if and when the government wants you to do a very specific thing: give “testimony” that “incriminates” you.

There is a major difference between the Fifth Amendment and Miranda, which gives you a right to silence and to counsel; the Fifth Amendment, which is supposedly the foundation of Miranda, gives you neither of those things. To qualify for Miranda, you have to be in “custody,” i.e., the police have to have restrained your freedom of movement so you cannot just walk away. Since we’re assuming you can walk away, Miranda won’t apply; the Fifth Amendment is the only option.

The Fifth Amendment only applies, though, if you are “compelled” to give testimony. Being “compelled” is synonymous with being subpoenaed by a court or a grand jury and being ordered to testify; if you won’t, you, a la Judith Miller in Plamegate, will be locked up until you do. That’s being “compelled.”

That brings us to the first problem with trying to use the Fifth Amendment to refuse to give up the encryption key but still travel. It doesn’t seem that you can show you’re being “compelled” to do anything – if you can walk away (as in option #2), then you are not being compelled and the Fifth Amendment is off the table. And there probably are no other constitutional provisions that might apply.

Just for the sake of argument, let’s change things a bit: The laptop belongs to John Doe. He refuses to provide the encryption key when the Customs Officers ask for it and starts to walk away. They say he can go but tell him they’re keeping the laptop because they have probable cause to believe there’s contraband (child porn, say) in it because they have been “tipped” to that by a confidential informant. That should let them hold onto it under another Fourth Amendment exception (exigent circumstances – holding onto the laptop to prevent Doe from destroying the evidence on it) while they get a warrant to search it.

They get the warrant, but find they cannot search the files because the hard drive is encrypted. They call Doe and ask for the key and he says he won’t provide it. They can’t make him do this, so they go to a federal prosecutor who gets a grand jury to subpoena Doe. He appears before the grand jury, is asked for the encryption key, invokes his Fifth Amendment privilege and refuses to provide it.

Can he get away with that? Or will a judge find he cannot claim the Fifth Amendment privilege and lock him up until he gives up the key?

Good question, one that is not resolved.
To claim the Fifth, Doe has to be compelled (being threatened with being locked up works) to give “testimony” that “incriminates” him. Incriminates means the evidence can be used to convict him of a crime; you can’t claim the Fifth because evidence would embarrass you or hurt your business or implicate someone else in a crime. It has to implicate you in a crime.

So, for purposes of analysis, we’ll say Doe can show the answer would incriminate him.
Is giving up an encryption key “testimony?” You might think it is, but it’s not that easy.

The Supreme Court has held that “testimony” is a communication; "testimony" therefore does not encompass physical evidence such as blood, hair or even handwriting. You cannot take the Fifth Amendment to refuse to provide samples of your handwriting because the Supreme Court has held that you’re just providing samples of physical evidence – how you shape letters, how much force you exert, etc. (You can’t be put under oath and compelled to write answers to questions asked you because the answers would be communications, or testimony.)

In 1988, in Doe v. United States (487 U.S. 201), the Supreme Court held that someone cannot take the Fifth and refuse to sign a “compelled consent” because signing the consent form does not constitute “testimony.” The compelled consents (an oxymoron?) were (and are, I assume) used to get into “secret” bank accounts in places like the Cayman Islands.

The person (Doe in this case) was subpoenaed by a grand jury and told to sign a form that gave blanket consent to the bearer (FBI agents) to gain access to any and all bank accounts in his name. A number of people claimed they should not have to do this, that this was “testifying” against themselves (and could lead to the discovery of incriminating evidence). The Supreme Court said it was not testimony, it was just physical evidence – the same rationale as the Court applies to handwriting.

In the Doe case, the Court noted, in effect, that someone (i) cannot invoke the Fifth Amendment and refuse to hand over the key to a “strongbox” or a safe deposit box but (ii) may be able to take the Fifth and refuse to “reveal the combination to his wall safe – by word or deed.” It depends on whether you are simply handing over physical evidence (like blood or handwriting) or whether you are “being forced to express the contents of your mind” by communicating.

So, basically, whether one can use the Fifth Amendment privilege against self-incrimination as the basis for refusing to give up an encryption key depends on whether doing that is more analogous to handing over a key to a safe deposit box or to giving up the combination to a wall safe. (I think the Court was assuming the person had memorized the combination, btw.)

(Oh, and Miranda? Pretty much the same analysis, in that it only applies to “testimony,” to communications. The issue here, as I noted earlier, is “custody.” If the agents took Doe into custody and would not let him leave, then they would have to give him the Miranda warnings and honor his invocation of the right to silence or counsel if he did invoke either.)

Sunday, August 20, 2006

TSA Copying Hard Drives? 4th Amendment Issues?

I'm hearing the TSA is copying the hard drives from laptops (some, I assume, not all) that are taken through airport screening.

I'm hearing they're using a pretty simple process, to expedite the copying (which, if true, dealt with my initial disbelief that this is happening -- the problem of how much time it would take to do a true mirror image of many/some of the laptops people bring with them to their flights).

What I'm hearing comes from people I think are credible sources, so I'm going to assume it's true, at least for now.

That brings us to the issues which I have been asked about, namely, how can they do this? Isn't this a violation of the constitution? Don't we have a right to privacy in the contents of our laptop data?

Briefly, the answer to the last question is "yes," and the answer to the second question is, I'm afraid, "no."

And that brings us to the first question: How can they do this?
The only constitutional provision that would be implicated is the Fourth Amendment, which protects us from "unreasonable searches and seizures." "Reasonable searches and seizures" are ok. Searches are "reasonable" if they are conducted pursuant to a search warrant OR if they fall within an exception to the warrant requirement.

The TSA agents definitely do not have a search warrant. They must, therefore, be relying on either of two exceptions to the Fourth Amendment's warrant requirement.

One possibility is the border search exception. The border search exception is one of the oldest 4th Amendment exceptions. It lets officers/agents search you, your bags, all that without a warrant AND without probable cause or reasonable suspicion (as you can see from the opinion quoted below). The premise is that governments have the right to control what comes into/out of their border. We are probably all familiar with this in the context of customs searches of luggage when someone comes into (or goes out of -- the exception applies both ways) the United States.

I started noting federal court decisions on the applicability of the border search exception to laptops a few years ago. I suspect the issue had never come up until then. The early (2-3 years ago) arguments on this tried to say something courts have found credible in other contexts: That a laptop is a "container," like luggage, but it is a much more complex container than luggage, can contain so much information it should be treated differently . . . basically as a container+.

That argument has worked elsewhere but has failed miserably in the border search context. Courts have done what the 9th Circuit does in the case quoted below, said a laptop is a container like any other container and can be searched by customs agents as such.

I can't find law on TSA searches, but I suspect that the same basic rationale is being applied here OR that these searches are based on another exception, the administrative search exception, which supports DUI checkpoints and airport screening generally.

The "administrative search" exception (which some think is about to swallow the Fourth Amendment) lets the government conduct searches and/or seizures without a search warrant when it is acting for a purpose other than the enforcement of criminal law.
So DUI checkpoints are (the Supreme Court has said) NOT about catching people who are driving drunk just so they can be prosecuted; the checkpoints are, instead, about ensuring safety on our highways by discouraging drunk driving.

The same thing holds for airport screening: When we go through the metal detectors and have our luggage screened it's not because the agents are trying to gather evidence to be used to convict us -- each of us -- of a crime. It is, instead, for a different, administrative purpose -- air travel.

Now, I wonder how and why checking the contents of someone's hard drive contributes to that administrative function. If and when this comes up in court, it seems to me that the person whose laptop hard drive was searched can argue that the search was unreasonable in scope, i.e., that copying and searching the data on someone's hard drive is not sufficiently related to maintaining airport security to bring it within the scope of the administrative search exception.

One more point: Copying someone's hard drive is, I think, a "seizure" not a "search." Searches violate privacy, while seizures violate possessory interests. Since they don't actually "read" the files when they make the copy, there is no compromise of privacy, no "search." I'd say, though, that there is definitely an interference with possessory interests because (a) the laptop is taken away and "held" while the copy is made and (b) the government "takes" the copy, which means you no longer have exclusive possession and control of the data on the hard drive.

Ninth Circuit border search exception case:

First, we address whether the forensic analysis of Romm's laptop falls under the border search exception to the warrant requirement. We review the legality of a border search de novo. United States v. Okafor, 285 F.3d 842, 845 (9th Cir.2002). Under the border search exception, the government may conduct routine searches of persons entering the United States without probable cause, reasonable suspicion, or a warrant. See United States v. Montoya de Hernandez, 473 U.S. 531, 538, 105 S.Ct. 3304, 87 L.Ed.2d 381 (1985).

For Fourth Amendment purposes, an international airport terminal is the "functional equivalent" of a border. See Okafor, 285 F.3d at 845 (citing Almeida-Sanchez v. United States, 413 U.S. 266, 272-73, 93 S.Ct. 2535, 37 L.Ed.2d 596 (1973)). Thus, passengers deplaning from an international flight are subject to routine border searches. . . .

We assume for the sake of argument that a person who, like Romm, is detained abroad has no opportunity to obtain foreign contraband. Even so, the border search doctrine is not limited to those cases where the searching officers have reason to suspect the entrant may be carrying foreign contraband. Instead, " 'searches made at the border ... are reasonable simply by virtue of the fact that they occur at the border.' " United States v. Flores-Montano, 541 U.S. 149, 152-53, 124 S.Ct. 1582, 158 L.Ed.2d 311 (2004) (quoting United States v. Ramsey, 431 U.S. 606, 616, 97 S.Ct. 1972, 52 L.Ed.2d 617 (1977)). Thus, the routine border search of Romm's laptop was reasonable, regardless whether Romm obtained foreign contraband in Canada or was under "official restraint."

United States v. Romm, --- F.3d ----, 2006 WL 2042827 (Ninth Circuit Court of Appeals, July 24, 2006).

Friday, August 18, 2006

NSA Surveillance Held Unconstitutional

As everyone probably knows by now, Anna Diggs Taylor, a federal judge in Detroit, has held that the NSA surveillance program is unconstitutional and therefore unenforceable. See ACLU v. NSA (U.S. District Court - Eastern District of Michigan).

The implementation of the decision has been stayed, to give the Department of Justice time to appeal the ruling. (I hope it’s an expedited appeal.)

The judge held that the program violates the First Amendment, as well as the Fourth Amendment (and is illegal for other reasons, as well, including the separation of powers doctrine). I don’t even want to try to summarize the entire decision here, as you can read it online if you are so inclined.

Instead, I want to comment briefly on her Fourth Amendment analysis . . . which was also brief. After tracing the history and purpose of the Fourth Amendment – which is to preserve privacy against government intrusions, especially in our homes and other important enclaves -- she concluded that the NSA wiretapping program has “obviously” been implemented “in violation of the Fourth Amendment.”

At the end of her opinion, she explains that none of the justifications the Administration has offered for the current surveillance program – e.g., that the threat of terrorism makes it impracticable to apply for and get wiretapping warrants – have any merit. As she said, the government’s argument as to “the need for speed and agility is . . . weightless.”

She also found that the program has been implemented in violation of the FISA (Foreign Intelligence Surveillance Act) statutes, which impose special requirements when federal agents are investigating terrorism and related activities (versus plain old “crime”). And she found that it violates Title III, a set of statutes which Congress adopted in 1968 to implement the Katz decision, the one I mentioned in an earlier post; Katz is important in this context because in Katz the Supreme Court held that wiretapping the content of phone conversations is a “search” under the Fourth Amendment, and so cannot constitutionally be done unless the government gets a search warrant beforehand.

I think Judge Taylor’s opinion is very well-reasoned and reaches the correct result. No one can argue against the need to prevent terrorism, but the government cannot use the threat of terrorism to bypass constitutional procedures that were created to guarantee us certain fundamental rights. If we allow that, we effectively surrender those rights.

Wednesday, August 16, 2006

Cybercrime treaty: criticisms

Earlier this month, the Senate finally ratified the Council of Europe's Convention on Cybercrime. Since the United States signed the Convention almost five years ago, this means it has now gone into effect for this country (along with other countries that have ratified it).

As I noted in an earlier post, it took the U.S. a surprisingly long time (almost five years) to ratify the Convention on Cybercrime. The amount of time it took was surprising given (a) that we helped write it and very much lobbied for its adoption and (b) that because we helped write it, we do not need to adopt any new legislation to implement the treaty. The delay was due to concerns that have been expressed by EFF, EPIC and the ACLU, among others.

Basically, these concerns center on three issues, each of which I am going to address, briefly, in this post. I’m going to address them in the order they crop up in the Convention.

The first issue is the “misuse of devices” issue. Article 5 of the Convention requires countries that sign and ratify it to criminalize “the production, sale, procurement for use, import, distribution or otherwise making available of” either (i) “a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with” Articles 2-5 of the Convention or (ii) “a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed.” A separate provision makes the possession of such items a crime. Articles 2-5 require parties to criminalize, basically, unauthorized access and unauthorized access with damage to a system or the data it contains. All of the provisions of Article 5 require that the item be possessed, imported, distributed, etc., with the intent that it be used in the commission of one of these crimes.

Those who are concerned about this argue that the provision sweeps too broadly, that it could be used to prosecute researchers or simply the average citizen who happens to be in possession of an item encompassed by Article 5. The drafters of the Convention and the U.S. Department of Justice respond that these “innocents” do not need to be concerned because the provision requires not simply possession/distribution/etc. but also that the person have engaged in this conduct with the intent to facilitate the commission of a crime. I think that is a very good point. My concern, there, would be that intent is often inferred in cases like this (which are essentially aiding and abetting cases), and inferences of intent can be expansive and sometimes problematic.

The second issue, which I will only summarize because it would take a LONG time to go through all of its aspects, is that the provisions of the Convention which provide for cooperation among law enforcement officers of various countries (i) threaten privacy and (ii) sweep too broadly. As to (i) I will only say that the Convention clearly reflects the current state of our Fourth Amendment law, which is good and not-so-good. The basic Fourth Amendment requirements are fine in most respects but, I think, inadequate in others (especially when it comes to obtaining traffic data, i.e., non-content data involved in the transmission of email and other electronic communications).

As to (ii), the concern lies with Article 14 which says, essentially, that the provisions establishing mechanisms for reciprocal law enforcement cooperation apply when police are investigating (a) crimes defined under the Convention; (b) “other criminal offences committed by means of a computer system;” and (c) “the collection of evidence in electronic form of a criminal offence.” They therefore can apply to the investigation of ANY crime as long as a computer was involved in its commission. On the one hand, I can see law enforcement’s position: If police are investigating a crime and digital evidence is involved, why should it matter if the crime can be technically defined as a “cybercrime?” Shouldn’t they be able to proceed anyway? On the other hand, I can see the critics’ issue. This is, after all, styled as a “cybercrime” convention, so it seems logical, at least, that it should be limited to cybercrimes, i.e., crimes in which the computer plays a central role in the commission of the offense.

Now to the third issue, which is probably the source of most criticism of the Convention. The argument here is that the procedural provisions facilitating cooperation among law enforcement do not require “double criminality.” As I noted in an earlier post, extradition treaties – treaties that let the U.S. hand Perpetrator X over to Brazil to be prosecuted for a crime committed in that country – require “double criminality,” i.e., require that the act have been a crime in both countries. The premise is that to do otherwise would be unfair. There has, for example, been a gentleman in Nebraska who has for years been putting up pro-Nazi websites. It is a crime to create such a website in Germany, and over the years German authorities asked U.S. authorities to turn this guy over to them for prosecution. U.S. authorities properly refused to do so, because what he is doing is protected speech under our First Amendment. We can’t turn him over to be prosecuted for what he is lawfully doing here.

Critics of the Convention argue that it does not have a “double criminality” provision that acts as a restraint on its law enforcement cooperation measures, and I would agree . . . no such provision is explicitly included in the Convention. (It is in Article 24, which governs extradition.) I do not think, though, that this is a major problem because Article 15 says that each party to the Convention must:

ensure that the establishment, implementation and application of the powers and procedures provided for in this Section are subject to conditions and safeguards provided for under its domestic law, which shall provide for the adequate protection of human rights and liberties, including rights arising pursuant to obligations it has undertaken under the 1950 Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, the 1966 United Nations International Covenant on Civil and Political Rights, and other applicable international human rights instruments, and which shall incorporate the principle of proportionality.

As far as the U.S. is concerned, this imports our Bill of Rights, which guarantees due process which should, aside from anything else, prevent our law enforcement processes from being used to persecute dissidents in other countries. There’s also the fact that if someone in the U.S. is being investigated by a country for being a political dissident, and U.S. authorities assist with the investigation, that person cannot be extradited from the U.S. (even under the Convention) because it requires double criminality for extradition.

There are other issues that arise under the Convention, and maybe I’ll post on them later.

Bottom line: it’s far from perfect but it is, I believe, far from being as horrendous as some claim.

Sunday, August 06, 2006

Computer car theft

You may have heard about this. Several stories appeared earlier this summer about thieves using laptops to steal cars equipped with keyless entry and ignition systems.

According to some of these stories, David Beckham, the British soccer star, has had two BMW X5’s stolen from him this year. In each case, the thieves used the laptop technique to take the cars. The second theft apparently occurred while Beckham and his sons were eating at a restaurant in Madrid.

This is a good example of how beneficial technology can be compromised for criminal purposes. As one reporter explained, “decrypting one 40-bit code sequence can not only disengage the security system and unlock the doors, it can also start the car. . . . The owner of the code is now the true owner of the car.” I’ve read that thieves can also disable tracking systems – GPS systems – that are intended to make it easier to find stolen vehicles.

As far as I know, this is only happening in Europe, where it is becoming more common. It probably won’t take long, though, for it to migrate here to the U.S.

The process of compromising the vehicle’s entry and ignition systems apparently takes about 20 minutes, and I gather the thieves need to have the vehicle parked in a relatively out of the way place . . . since people might be suspicious if they walked by and saw a laptop hooked up to a parked car.

Does this kind of theft raise any new legal issues?
I really don’t think it does, at least not in terms of the theft of the vehicle. All the thieves are doing, after all, is stealing a car, and car theft has been criminalized in this country and abroad for many, many years.

I think our existing car theft statutes would easily encompass this kind of activity. Take Alaska’s car theft statute, for example. Alaska Statutes section 11.46.360(a) makes it a crime (a felony) if “having no right to do so . . . [a] person drives, tows away, or takes the car, truck, motorcycle, motor home, bus, aircraft, or watercraft of another”. Most car theft statutes will be structured similarly.

The essence of the crime lies in taking a vehicle that belongs to someone else; the method one uses to accomplish that is irrelevant. So it really doesn’t matter whether the thief uses a Slim Jim or a laptop.

It seems to me, though, that a prosecutor could also add a “hacking” charge.

As I explained in an earlier post, in terms of criminal law “hacking” consists of gaining access to a computer system without being authorized to do so. As I also noted in response to a comment on that post, we have aggravated hacking (or cracking) statutes that make it a more serious crime to hack a system and cause “damage” by, say, copying or destroying data.
It looks to me like the laptop car thief “hacks” the car’s computer system.

As I explained in that earlier post, our law doesn’t do a particularly good job of defining “access” in the context of “hacking,” but I think a prosecutor could make a good argument that a laptop car thief does gain “access” to the car’s computer system. As I noted earlier, one of the phrases used to define “access” is “communicate with,” as in “communicating with” a computer system. Another phrase used for this purpose is “make use of,” again as in “making use of” a computer system.

If you buy that analysis, then it seems laptop car thieves can be charged both with car theft and with hacking the car’s computer system. Now, they might argue that hacking the car’s computer system was merely part of the process of stealing the vehicle, so they should not be charged with both crimes. I suspect that argument would not work.

One of the defining traits of modern American criminal law (anyway) is that prosecutors tend to carve a course of conduct up into multiple offenses, a technique courts generally support. The premise – in this instance – would be that the thief really did commit two distinct and severable crimes: (i) hacked the car’s computer system; and (ii) stole the car. A prosecutor who wanted to charge such a thief with both crimes could point out that he could have stopped with (i) but, instead, chose to proceed with the “second” crime, the theft.

Legal issues aside, this is another example of how technology we adopt to make our lives easier can have unforeseen, unfortunate consequences.