I wouldn't say this issue is fully "worked out" yet.
Disclaimer: I am not a lawyer. Most of what I know about this is from the last twenty minutes of googling.
In 2007 a federal judge ruled that passwords aren't like keys to a safe, and that the government can't force somebody to hand them over. (United States v. Boucher http://news.cnet.com/8301-13578_3-9834495-38.html )
However, that decision was partially overruled in 2009. ( http://www.bennettandbennett.com/node/5608 ) The judge ruled that the defendant didn't have to provide his password, but he did have to provide the contents on the hard drive. In other words, if the defendant happend to have an unencrypted copy of the hard drive hidden away somewhere he could have offered that in place of the password.
Using your safe analogy, it would be like saying that you don't have to provide the government with the key to the safe, but you do have to provide them with an identical copy of everything contained within the safe.
Now, like me you're probably wondering how the government could prove that the contents you provide from a secondary source really matches up with what's on the encrypted drive. The Boucher case mentioned above was unique because border control agents had already viewed the contents of the guy's laptop in unencrypted form, so they knew what to expect. (In his case, child porn.)
From what I can find, there don't appear to be any laws in the U.S. (and no case law) which specifically require people to hand over their passwords at the government's request.
And what happens in the xkcd-inspired future where we all have neural interfaces to storage? When the lines between what's in our heads and what's written down are sufficiently blurred, what's obstruction of justice and what's a fifth-amendment right?
What level of data protection counts as contempt or obstruction? What if I have provided the courts with all of the data, but for some reason they suspect there's more that I'm hiding? What if I honestly can not remember the password for some of my old data? Do I go to jail because my memory is gone?
A safe is obviously a safe. It obviously contains something.
Encrypted data isn't so clear cut. It's trivial to make a datastore that has several encryption keys, so that you could give out one key, and it'd "decrypt" to some boring stuff, whilst keeping the real data, and the alternate key, secret.
It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...
So I don't think it's a good analogy. It's quite obvious when you have successfully got into a safe, but how do you know when you have successfully decrypted something, to the real stuff that is important and being hidden in it?
Is it actually trivial to encrypt arbitrary text in such a way that it could be decrypted to the source text or a different but still meaningful alternate text? That sounds really hard to do. Is this indeed a solved problem and I just don't know about it?
It is trivial. Just encrypt the true plaintext and the alternate plaintext with separate keys and place the results in a container. To decrypt, try both ciphertexts and return the one that validly decrypts with the provided key.
It's trivial cryptographically, but from a security point of view, it's not necessarily trivial at all.
If we assume the courts can order you to decrypt the drive (and without debating that point) - one has to consider that the court may be fully aware that the system has multiple hidden volumes, either by eyewitness testimony, 3rd party evidence (check out truecrypt's warnings on their site about full system encryption and what to watch out for.
Things like finding the same windows installation doing every update twice. There are all kinds of information leaks that COULD pop up.
I'm not saying it's impossible - just as strong cryptography, which is easy and is all over, doesn't mean all our data is secure, neither would a more complex system like this protect someone from the legal system.
That's assuming the same algorithm is used throughout.
You can use one algorithm to encrypt/decrypt the original content. But you can use a different algorithm (with a different key) that would output a different output.
The secondary algorithm would be one that given a some text (ciphertext from the original encryption) along with the desired output, would return a suitable key. The most basic example to prove the point would be XOR.
That probably won't work: you need the combination of the algorithm + the key to get your data out. Of the 4 possible combinations, only 2 will yield valid data.
If you give a password, the cops will know what algorithm they must use (2 trials at most). Even if they don't know before hand which algorithm points to the real data, they can notice that it doesn't use all data.
With your method, you can at best cast doubt: is the data not extracted real data encrypted differently (algorithm or key), or random data that the software insert by default to give everyone plausible deniability?
that's now what is being suggested (i think). typically how it's done is to have separate pieces of information, related to different keys. you can then make a system that (1) produces the data associated with a valid key and (2) does not reveal how many valid keys there are.
It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...
Well the revealed images could not be significantly larger in size than then the "key material" you supplied plus the most concise description of the algorithm.
http://en.wikipedia.org/wiki/Kolmogorov_complexity
> It'd also be trivial to devise a decryption algorithm, and key, which "decrypts" anyones hard drive to reveal illegal images even when none are really there...
How trivial? Remember that the whole hard drive must be consistent, including a file system. Fifty gigabytes of garbage followed by a 2-megabyte photograph followed by fifty more gigabytes of noise is not plausible.
It seems that the primary contention here is whether a password constitutes physical evidence, which must be supplied upon the production of the correct edicts, or whether it constitutes "testimony", which I interpret to mean non-recorded ideation or mental processes. Supposedly the same argument could apply to a safe combination, hence a defendant cannot be compelled to reveal a combo but can be compelled to open the safe. But how do we prove that the defendant has access to the safe? And how do we prove that the defendant has access to the encrypted files?
IANAL but this question particularly is of course interesting to me. At first glance it seems that the 5th Amendment guarantee against self-incrimination would preclude decrypting drives and I've read several proclamations to that effect, but when we consider the rules surrounding surrender of physical evidence, including evidence contained in a safe, it does become less clear where information cryptography fits.
If a defendant handwrites letters in a custom cipher, can he be compelled to reveal the cipher or decode the letter? Perhaps that's a better analog than the safe in our situation.
"Supposedly the same argument could apply to a safe combination, hence a defendant cannot be compelled to reveal a combo but can be compelled to open the safe."
Can the defendant even be compelled to open a safe? Suppose you have a case in which the defendant has either specifically disclaimed ownership of the safe in question or disclaims any knowledge of the combination or has flatly refused to either confirm or deny ownership of the safe or knowledge of its combination on fifth amendment grounds. I'm no lawyer, but I suspect the standard procedure in such cases is that the judge issues a warrant that permits police to access the contents of the safe and no burden is placed on the defendant to do anything at all. Rather, because they have a warrant for the contents of the safe, the police are entitled to open it and they do just that, using a locksmith or mechanical means to force it open. The analogous situation with respect to encrypted data would be that the police are welcome to crack the encryption themselves by whatever means they deem appropriate, but the defendant isn't required to do their work for them.
I believe the police have the right to open the safe, but you aren't required to open it for them. If the police came into your house and said "show us every hidden object" so we can decide if it is illegal. You wouldn't be required to comply.
The servers taken from Instapaper were shown to have not even been booted, let alone shown to give access to any files. Standard procedure is to copy any drive you can get your hands on before seeing what's on it, to stop preventative measures like this.
This would require a costly hardware-based solution. If such a solution were to become popular, the law enforcement would certainly find ways to prevent it, e.g. x-ray the disks before switching power to find the crypto chip + thermite bomb.
The much more obvious way to implement this would be to have a tamper-proof hardware dongle that (a) accepts, as input, a passphrase; (b) uses that passphrase to derive a key; (c) used that derived key to decrypt some data stored, e.g., in flash on the processor chip; (d) confirms the data decrypted correctly, if correct return the key, else overwrite the flash with new random data, and return that new data.
That data, would of course be the actual key used to encrypt the drive.
