Information Security and the Constitution

8 02 2012

by Charles Dayton

Note: This post first examines some of the legal justification for penetrating information security systems and accessing a person’s personal electronic information.   However, it then examines what I feel is an important aspect for this class, whether or not that person is legally compelled to leave the doors open to allow such access.  I have no legal background and a limited IT one so I am trying to present an objective background to this case to generate some lively discussion on what the implications of this are.

We all no doubt understand the need or at least the desire for secure storage of our personal information.  Nearly every day we read of another site that was hacked, another trove of credit cards stolen, even another computer’s webcam being hijacked and viewed by a third party.[1]  As a keylogger victim myself years ago, I feel such actions are terrifying and represent a real and personal invasion of privacy.  However, in much the same way that over the years the Supreme Court has limited some freedoms enumerated in the constitution (The First Amendment gives everyone the right to free speech, for example, but does not give someone the right to yell “Fire!” in a crowded movie theater), similar arguments have been made against total online anonymity and even provided legal justification government hacking, search and seizure of personal information.  From foiling terrorism plots to taking down child pornography rings, even the most ardent libertarian must agree that, in some cases, breaching information security safeguards is sometimes warranted.  Like everything in life, however, this argument is clearly not black and white.  We will look at a few examples of the gray area of information security and leave the reader to make his own conclusion of where he draws the line between a perceived societal and moral imperative and his Constitutional rights.

A quick history of constitutional case law

The US Constitution’s 4th Amendment protects citizens against unreasonable or unlawful search and seizure of one’s personal property.[2]  With the advent of computers, much of user online activity was expanded to the realm of “public use”.  Traditionally, a person within their own home or vehicle, for example, can have a reasonable expectation of privacy when it comes to the 4th Amendment (much of the reason that a police officer cannot search your car when he pulls you over without probable cause or a warrant).  With the Internet, the world is now in someone’s living room, complicating this expectation of privacy.  While certain things like company-issued cell phones were thought to be entirely public-use, your usual searching on Google, etc.  was considered private.[3]  Of course, in accessing many websites, you tend to waive this right by accepting that “privacy agreement” but that is an entirely different story.  The Patriot Act gave even more power for the government to eavesdrop on your conversations and collect information about your activities,[4]  though this expectation of privacy in most cases remains.

What about a warrant?

Of course, virtually any electronic data can be searched and seized with a warrant.  Such a warrant can only be issued by a judge and warrants require officers of the law to show probable cause and submit sworn affidavits before it can be issued.[5]  Naturally, back to our vehicle example above, if a police officer sees you with someone bound and gagged in the back of your vehicle (or you tell him you have someone in the trunk), the officer can assume probable cause that a crime is being committed and search the vehicle without a warrant.  In the cyber realm if you email the FBI child pornography (my cousin works in the cybercrime division of the FBI and it has happened), the FBI can search your computer without a warrant.

But how much do you have to cooperate even if there is a warrant?

Computer User, Incriminate Yourself?

How many times in a movie have we seen the mafia guy “plead the fifth” on the stand?  For those of you who do not know, the Fifth Amendment of the Constitution protects anyone from providing testimony that incriminates oneself: “No person shall be… compelled in any criminal case to be a witness against himself.”[6]  Let’s look at a quick example of this in action:

You stole a book from the campus bookstore.  No cameras saw you did it and there are no witnesses.  Campus security calls the police who round up everyone who was in the store and goes down the line and ask each person if he or she stole the book.  Knowing that lying to a police officer can cause a lot more problems than stealing a book, do you confess when it is your turn?  You don’t have to.  You “plead the fifth”.  You don’t have to tell them anything and they cannot assume your guilt by the exercising of your Constitutional rights.

So let’s take this to another level and look at another example:

For the sake of argument, you bought the same safe used at Fort Knox.  It would take anyone years to break into it.  Now let’s say you go rob a bank.  You take the money and put it in the safe and lock it up.  Only you know the combination.  The police know you were at the bank and saw you have a ski mask in your car (and using it as probable cause got a warrant and searched your car) but they can’t find the money.  They get a search warrant and stop by your house with your huge safe.  They attempt to force open the safe but cannot.  They show you the warrant and demand you open the safe for them.  Do you need to?

In the 1988 Supreme Court decision of John Doe vs. The United States, the Supreme Court ruled that a suspect can be compelled to provide blood samples,[7] handwriting examples[8] and such but, citing precedent, said that an attempt to force him “to disclose the contents of his own mind” was in violation of the self-incrimination (Fifth Amendment) clause.[9]  Based on all of this legal precedent above, it would appear pretty ironclad that you would not have to give them a combination that you memorized to implicate yourself.

So change this argument slightly.  What if, instead of a combination lock, you had a key.  Do you need to give up the key?  In a dissenting argument from above, Supreme Court Justice Stevens examines this question head on:

[The suspect] may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe—by word or deed.[10]

While a dissention is not legally binding, this gives us a very good idea of what the Supreme Court is thinking: you must give up a key but if you memorize a combination you are protected by the Fifth Amendment.  At this point, however, you are probably asking why we care about this at all in a blog post about information security.

US V. Fricosu

In 2010, Ramona Fricosu and her husband Scott Whatcott were indicted for mortgage fraud (you can read the details of the indictment here or in my footnote).[11]  While serving a search warrant in her house, investigators uncovered, among other things, a Toshiba laptop with an encrypted drive.  Recorded jail house conversations between Ramona and her husband showed that there was probably incriminating information on the hard drive.  The government obtained a search warrant to search the drive but was unable to break the encryption.[12]  Eventually courts ruled that she had to provide the government with the same hard drive, decrypted, thus, in their opinion, avoiding the whole Fifth Amendment issue.  Was that right?

The Thousand Dollar Question(s)

In my opinion, all of this brings about several questions related to the Fifth Amendment but hinges on Information Security and how this encryption works.  I have opinions on these but do not know the answer myself and would love some expert feedback from anyone interested:

1)    For those tech experts out there, is the password just the key to open the lock or is it a combination?  The government is not asking to learn how things were encrypted but just that the encryption is “unlocked”.  As you’ve read above, this question of key vs. combination would really decide the constitutionality of this case.

2)    For those with a  legal background, the government argues that the data on the computer is a “foregone conclusion”, meaning that they already know illegal data is there (from the jailhouse tape recordings above, though this argument is far from ironclad) and just need to access it.  This type of argument has been used before in 2006 when border patrol agents saw child pornography on a laptop.  The laptop hard drive, however, was encrypted but the suspect had to provide the password.[13]  Does that apply here?

3)    With the shift to cloud systems, do you still have an “expectation of privacy” of your personal data?  Can user agreements (like Apple and the iCloud[14]) void this expectation?

4)    Do you think this is a violation of constitutional rights?  If the government, even though it is legally allowed to open a “safe” (electronic or physical) is unable to without your help, are you compelled to help them?

  1. If no, what is the burden of proof / evidence you think they would need (if any) to force you to open / unlock it?
  2. If yes, under what circumstances (if any) would this be acceptable?


[2] Cornell Legal Information Institute, http://www.law.cornell.edu/constitution/fourth_amendment

[3] Supreme Court Ruling, City of Ontario vs. Quon, No. 08-1332, http://www.supremecourt.gov/opinions/09pdf/08-1332.pdf

[4] Uniting And Strengthening America By Providing Appropriate Tools Required to Intercept And Obstruct Terrorism

(USA Patriot Act) Act Of 2001, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf

[5] Cornell Legal Information Institute, Search Warrant, http://www.law.cornell.edu/wex/search_warrant

[7] Supreme Court Case Schmerber V. California, 1966, http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=us&vol=384&invol=757

[8] Supreme Court Case Gilbert V. California, 1967, Wikipedia, http://en.wikipedia.org/wiki/Gilbert_v._California

[9] John Doe, Petitioner V. United States, 1988, http://www.law.cornell.edu/supremecourt/text/487/201

[10] Dissention, John Doe, Petitioner V. United States, 1988, http://www.law.cornell.edu/supremecourt/text/487/201

[11] FBI, Three Indictments Returned in Mortgage Fraud Schemes, http://www.fbi.gov/denver/press-releases/2010/dn102010.htm

[12] District of Colorado Case United States of America V. Ramona Camelia Fricosu, http://www.fbi.gov/denver/press-releases/2010/dn102010.htm

[14] Apple iCloud Privacy Policy, http://www.apple.com/privacy/

Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: