Encryption & Privacy Post 9/11: A Double-Edged Sword?

Rick Aldrich, JD, LL.M, CISSP, CIPP-IT
Booz | Allen | Hamilton

Delivered at the Cyber Security & Global Affairs Workshop, Barcelona, Spain, 28 Jun 2012


Legal Caveat

Presentation is not legal advice*

Designed to raise awareness of general legal principles applicable to information assurance and cyber security

Consult your corporate legal counsel

*The information contained in this briefing is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, there may be omissions or inaccuracies in information contained in this presentation. Accordingly, the information in this presentation is provided with the understanding that the author is not herein engaged in rendering legal advice and services. As such, it should not be used as a substitute for consultation with professional legal advisers.


Agenda

Purpose

Background

Case Law

Summary

Questions


Purpose

Update you on evolving legal developments in privacy and encryption issues as they apply in cyberspace

Alert you to potential legal pitfalls in information assurance, law enforcement and counterintelligence investigations relating to privacy and encryption

Identify trends in the law


Background - Definitions

Encryption: "the transformation of data into a form that is impossible … to read without … appropriate knowledge (a key)."

Privacy: “freedom from unauthorized intrusion”

Does the use of encryption create a “reasonable expectation of privacy”?*

Can encryption be analogized to a “lock and key”?

*See Orin Kerr, The Fourth Amendment in Cyberspace: Can Encryption Create a “Reasonable Expectation of Privacy?”


Shredded Documents

United States v. Scott, 975 F.2d 927 (1st Cir. 1992)

– Scott was engaged in tax evasion

– In order to hide his illegal activity, he shredded paper documents that could potentially be used against him into 5/32” strips and placed them in the trash outside his house

– Gov’t agents seized the strips from the trash and methodically pieced them together over several days, ultimately using them at trial against him

– Scott moved to suppress, claiming the Gov’t should have obtained a search warrant first because he had a reasonable expectation the shredded documents would not be read by others.

– Issue: Does Scott have a REOP in his shredded documents?

Holding

– Trial court held yes, but 1st Circuit reversed

– If one hand ripped paper and discarded it on the sidewalk, no one would contest that the police could pick it up and piece it together

– Use of more sophisticated shredding equipment does not require police to refrain from more sophisticated reconstruction techniques.


“Encoding” in a Foreign Language

United States v. Longoria, 177 F.3d 1179 (10th Cir. 1999)

– Longoria and others in his narcotics conspiracy conducted their criminal activities in Spanish in front of English-only speaking bystanders

– One of the bystanders was a Gov’t informant wearing a wire

– The informant turned over the recordings for translation into English

– The translated conversations were used against Longoria at his trial.

– He objected, claiming the Gov’t violated the 4th Amendment because he had a REOP

– Issue: Does Longoria have a REOP in his foreign language statements?

Holding

– Court held no

– The fact that Longoria made his statements clearly audible to bystanders was sufficient to undermine his REOP

– Court held that if informant’s acts without electronic equipment do not violate 4th Amendment, then addition of wire does not

– What Longoria revealed in Spanish, he risked might be understood by a listener or later translated.


Background – Communications Monitoring

Electronic communications increasingly ubiquitous

Companies and Government entities increasingly monitor electronic communications:

– To defend systems from insider and outsider attacks

o Hacktivists

o Cyber criminals

o Cyber terrorists

o Cyber espionage

o Cyber war

– To protect against lawsuits

o Harassment

o Assault

– To protect intellectual property


Background – Encryption and the Law

“Reliance on protections such [as] individual computer accounts, password protection, and perhaps encryption of data should be no less reasonable than reliance upon locks, bolts, and burglar alarms, even though each form of protection is penetrable.” LaFave, 1 Search and Seizure § 2.6 at 721 (4th ed. 2006).

Virtually all government agencies and most corporations in the United States require users to click through “Notice and Consent” banners

– Many also or alternatively require signed User Agreements to the same effect

– Some seek to regain some privacy via encryption


Background – Encryption and the Law

Some U.S. government agencies now permit employees to access social media sites

– Some employees access social media via encrypted connections (e.g., via https)

– Some employees encrypt communications using an Agency-issued CAC/PIV

– Should that justify a “reasonable expectation of privacy” against government monitoring of those files or communications?

– Should Government be permitted to intercept https and/or Personal Identity Verification (PIV) card-encrypted communications?

– What about encrypted privileged communications (e.g., attorney-client)?


Background – Encryption and Data Breach laws

Data breach laws typically exclude the requirement to report if the data was encrypted

For example, California law requires that:

[a]ny person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Cal. Civil Code § 1798.82(a).

Should data breach laws provide an encryption safe harbor?

– What if the data was encrypted with a trivial algorithm or a poor passphrase was used?

Payment Card Industry-Data Security Standards provide a safe harbor to card processors who comply with its standards


Background – Compromised Encryption

Published reports indicate RSA was hacked, possibly compromising encryption tokens

– Subsequent attack against Lockheed Martin allegedly linked

– About 30,000 companies, banks and government agencies use SecurID tokens

– RSA has offered to replace all tokens (~40M)

Other encryption technologies that have reportedly been compromised

– DES

– SSL

– Skype

– DVD

– iOS4

– GSM

– Blu-Ray

– HDMI

– Cryogenically frozen RAM as a means of bypassing disk encryption


Background – Encryption and the Cloud

Cloud computing and cloud storage may expedite the need for more encryption

But some are encrypting the data in the cloud, rather than before it goes up or after it comes down, leaving open the opportunity for plain text interception en route

– Similarly, some use wireless keyboards that pass text in the clear en route to the computer, providing yet another interception point

With the potential for cloud-stored data to be split among multiple countries, how does the foreign law impact the encryption?

– UK law permits forcing a password under penalty of imprisonment

But cloud storage can arguably “hide” your data from border inspectors and others


Background – Balancing privacy and fighting evil

Good encryption w/good passwords can virtually guarantee long-term protection of the information

– In Russian spy case, LE found 27-character password, steganography (would’ve taken 60.3B centuries by brute force method)

Brazilian police seized hard drives of Brazilian banker (Dantas) suspected of financial crimes

– All the drives were encrypted (2 TrueCrypt, 3 PGP, AES-256)

– Brazilian National Institute of Criminology and FBI failed to ever break encryption

– Should this justify more invasive investigations?

FBI is alleged to have a Magic Lantern program that can surreptitiously install a keylogger on a suspect’s computer via a remotely installed virus to capture passwords

– Alternate technique is a “sneak and peek” warrant that permits surreptitious entry into suspect’s home to install key logger

E.O. 13606 proposes sanctions for providing decryption technologies that can enable serious human rights abuses


Background – Encryption Back Doors

U.S. attempted to loosen restrictions on the export of encryption technology provided the systems included a key escrow system, but this largely failed

Most other countries do not adopt this approach

US sought legislation to require Clipper Chip, but it ultimately failed

FBI fears that intercepting communications may be impossible if encryption is employed widely

– Part of FBI’s “Going Dark Program”

– Seeking legislation to require all encrypted communications include back door for U.S. Gov’t

– Would include RIM’s Blackberry, Facebook, Skype, others

– Would still require court order to make use of back door

One government that tried this ended up having its legislators tapped when hackers figured out how to capitalize on the back door

Is this an effective means of dealing with encryption? Is there a better way?


Treaties

Cybercrime Convention

– 47 nations have signed, 34 nations have ratified so far

– Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Georgia, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, Moldova, Montenegro, Netherlands, Norway, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Switzerland, Macedonia, Ukraine, United Kingdom, United States

– Critics alleged it could require laws to force divulgence of decryption key

Article 18 addresses production orders for computer data. The Explanatory Notes state: “With respect to the modalities of production, Parties could establish obligations that the specified computer data or subscriber information must be produced in the manner specified in the order. This could include reference to a time period within which disclosure must be made, or to form, such as that the data or information be provided in ‘plain text’ …”

Among signatories only Belgium and the UK have implemented it in domestic law

Took effect 2011

Took effect 2010

Takes effect 2012


Nation-States with legislation permitting decryption orders*

– Australia

– Antigua and Barbuda (2 years and $15,000 fine for failure to comply)

– Bahrain (no radio-frequency encryption)

– Belgium (6-12 months, 20K BEF)

– Denmark (telecomms only, with court order)

– Finland (not suspect, only certificate services provider/maintainer)

– France (3 yrs, €45K, increased criminal penalty if encryption aided crime)

– Hong Kong

– India (7 yrs)

– Ireland (can’t require password, but can require decryption)

– Malaysia (only during a search, 2 yrs, 100K ringgit)

– Netherlands (in LE cases, can’t order suspect, but can others, 2 yrs)

– Singapore (3 yrs, S$10,000)

– South Africa (3 yrs, 2M Rand)

– Thailand (200K baht, plus 5K baht/day)

– Trinidad & Tobago (2 yrs, $15K)

– United Kingdom (2 yrs)

* Per Bert-Jaap Koops, Tilburg University, Netherlands (rechen.uvt.nl/koops/index.htm)


Divulging Passphrases

In re Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007)

– Boucher’s computer inspected at border w/B’s assistance and child porn found

– ICE shut down computer and seized it

– Later ICE could not access Z:/ drive as it was encrypted

– Obtained subpoena ordering B to provide passphrase

– B moves to quash

– Issue:

o Can B be made to tell passphrase?

o Can B be made to type passphrase privately?

o What if act not usable against Boucher?

o Foregone conclusion doctrine?

Holding

– No, B can’t be made to divulge passphrase as that is violative of his 5th Amend. right against self-incrimination

– No, B can’t be made to type it privately, as it still violates his 5th Amend right against self-incrimination

– If act of production immunized, then fruits of that act necessarily barred by derivative immunity in order to protect 5th Amend rt.

– Foregone conclusion doctrine inapplicable;

– BUT on appeal D/C ruled (19 Feb 09) US could subpoena unencrypted version of Z:/ drive

– Compare with subsequent cases

– May be very important in light of increasing tendency to encrypt data


Other Encryption/Password/5th Amend. cases

Drage case in UK

– 19-year-old Oliver Drage arrested by police investigating child sexual exploitation

– Police seized the computer, but could not access its files due to 50-char. password

– Police requested Drage provide encryption password, but he refused

– Drage charged with violation of the Regulation of Investigatory Powers Act which requires suspects to provide encryption passwords.

– RIPA provides for punishment for non-compliance with order to decrypt.

– Sentenced to four months in a young offenders institution

Kirschner (Mich.)

– Subpoena for password quashed. Relied on Justice Stevens: “He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe -- by word or deed.”


Other Encryption/Password/5th Amend. cases

Fricosu (10th Cir.)

– J. grants Gov’t request that Fricosu provide unencrypted drive. Fricosu claims 5th, says she may have forgotten password, appeals to 10th Cir. 10th Cir. denies appeal—no final j. Gov’t decrypts, allegedly w/PW from co-D, ex-husband.

In re Grand Jury Subpoena Duces Tecum (11th Cir.)

– 11th Cir. rules requiring Doe to decrypt drive violates 5th. Doesn’t fit “foregone conclusion” because Gov’t failed to show it knew whether files were on drive, where the files were on drive, or whether Doe could access them.


Encryption and Plain View Searches

United States v. Kim, 677 F. Supp. 2d 930 (S.D. Texas, 2009)

– Kim was a DbA for GEXA, then fired. GEXA later noted unauthorized accesses to Db and Kim became a suspect.

– USSS sought warrant to search Kim’s home computer. Found encrypted files with names suggesting child porn.

– Sought expansion of warrant to search for child porn. Magistrate refused.

– USSS broke encryption of above files as part of hacking investigation, then offered evidence under plain view exception.

– Kim moved to suppress evidence, as exceeding scope of warrant in violation of 4th Amendment

– Who wins?

Holding

– Court rules to suppress evidence from encrypted files.

– Doesn’t use “subjective” test, but “objective” test.

– Holds it was objectively unreasonable to look in encrypted files for evidence of hacking

– Would ruling have been different if hacking evidence were found?

– Does this provide future hackers with protection if they choose to hide the evidence of their crime in encrypted files with child porn-sounding names?

– May point to the risks of judges ruling on what is/is not reasonable in computer forensics cases when the technology is complex and constantly changing.


Border Searches

United States v. Cotterman, 637 F.3d 1068 (9th Cir. 2011)

– April 6: Cotterman (C) and wife drove from Mexico to a port of entry in Arizona

– C was on a TECS watchlist for child porn, so directed to secondary inspection. Laptops and cameras checked but no porn found, though many files were password protected. Laptops and one camera sent 170 miles to Tucson lab for further inspection

– April 8: Found 75 child porn images in unallocated space. Asked C for password to open other files. C agreed by phone but left for Australia.

– April 11: Agents bypassed security and found 378 child porn images

– Searches legal?

Holding

• Dist Ct: No.

– Apr 6 search was a valid “border search.”

– Apr 8-11 searches were “extended border search” requiring “reasonable suspicion” and court did not find such

• 9th Cir: Yes

– Fact that border agents needed to transport media to search it did not transform border search to extended border search

– Length of time retained by border agents was not sufficient to require reasonable suspicion

– Must factually assess each case

– Contrast with US v. Hanson


Encryption and 3rd Party Consent

United States v. Buckner, 473 F.3d 551 (4th Cir. 2007)

– Police receive complaints of fraud linked to computer accounts of Michelle Buckner

– Michelle indicated she only used computer to play games, and consented to the police taking whatever they needed.

– Seized running computer, turned it off, mirrored it and did forensic search

– Evidence led to 20-count indictment against her husband, Frank

– Frank moved to suppress evidence, claiming it was password protected and wife could not consent to that over which she did not exercise joint access or control

– Who wins?

Holding

– 4th Cir. rules for Government

– Notes that wife did NOT have actual authority to consent, but

• Apparent authority

• Located in common living room

• On at time of seizure (Frank away)

• Leased in wife’s name

• No indication of PW-protected files

• So police had objectively reasonable belief wife had authority to consent

– Data was not encrypted

– Compare Trulock v. Freeh (where officers told of password protections prior to consent search)


Summary

There is no panacea for the protection of privacy rights

Protecting privacy must be balanced against the interests in solving cyber crimes, fighting cyber terrorism and deterring cyber war

Encryption can assist in the protection of privacy in some cases, but can lull the unsuspecting into a false sense of security in other cases

Technology can be complex and “real world” analogies for judges are often faulty

Governments will continue to try to balance privacy interests against protecting the public from crimes, terrorism and national security threats


Questions?

Rick Aldrich

Email: [email protected]

703-984-0785