Do Defendants Have to Surrender their Passwords?

Sorry to be a bit behind in posting this, the latest in these blog postings. I’ve been in an airplane and airports so much lately that the last few weeks seem like a big blur. Anyway, a news item related to whether or not defendants must surrender their passwords when law enforcement orders them to do so surfaced last week. Oliver Drage, a UK citizen, received a sentence of four months of detention because he refused to turn over the password for decrypting information on his computer to law enforcement officials after he was arrested last year for allegedly having child pornography photos on his computer. He was found guilty of violating the Regulation of Investigatory Powers Act (RIPA).

The legal systems in the UK and the US have many differences, yet they are both based on common law, where court rulings establish precedents that shape the meaning and applicability of laws that are passed. In the US many legal cases related to attempted forced surrender of passwords have occurred. One of the most interesting of these cases occurred decades ago in California. Several employees of an aerospace company announced their resignations, and at the same time offered to “sell” passwords used to decrypt a great deal of highly valuable information for which they were the custodians. This company’s management initially rejected the departing employees’ deal, instead going to the district attorney’s office and pressing for arrests on the basis of extortion. The district attorney declined to prosecute the employees, and ultimately the company had to meet the departing employees’ demands to get the information back.

In the US many rulings have gone the way of the Drage case. Time after time, crime suspects have been ordered to reveal the passwords they use to gain access to systems and/or encrypt/decrypt information. But passphrases have been an entirely different matter. If passphrases have been used for system access or for encryption/decryption, individuals have not been forced to reveal them. With one recent exception, courts have ruled that passphrases are in effect speech, and free speech is protected by the Fifth Amendment. So at least in the US, suspects must surrender any passwords, but not passphrases. If this does not really make sense to you, it might help to recognize the fact that the law is the law, not necessarily common sense, so rulings do not always make sense to the legally uninitiated.

Over the years my blog postings have given a disproportional amount of attention to legal issues in the cybersecurity arena. Due to a change in my responsibilities within Emagined Security, this will be my last posting at Emagined’s Web site. But if you want to keep finding out more about cybersecurity legal issues, advances and setbacks with security technology, considerations in performing security-related tasks such as penetration testing and forensics, other controversial issues, and more, you’ll find an entirely new series of my blog entries at http://baylinks.com/blogs/
I hope that you’ll enjoy this new series. Meanwhile, other Emagined staff will continue to add new postings at this, the current site, from time to time.