1. 10

Because password disclosure is in the headlines yet again, I’m going to put my password scheme out there to get some feedback.

It’s been argued “It’s not as if the passcode itself does anything for the government.” — but what if that wasn’t so?

My proposal is as follows:

Concerned U.S. citizens should use strong randomly generated passwords, known only to their password manager software, and not themselves. To protect the password manager, use a passphrase - a sentence - that is, itself, an admission of a “major” crime. I call this the “confessional passphrase”.

Sounds silly? Not so fast.

It’s been said that the average American commits three felonies each day.

Even if you are one of the exceedingly rare individuals that does not regularly commit felonies, there are thousands upon thousands of victimless potential felonies you can choose to commit for the purposes of generating your passphrase, and a usual statute of limitations of 3 years for cycling the passphrase.

[Edit: Depending on the confessional content of the passphrase, the statute of limitations may be 7 years, or even your lifetime.]

My passphrase? “On June 7 2019 I …”

There may be concerns with using password manager software, keeping all your eggs in one basket, so to speak, but it isn’t practical or safe to be required to commit a felony per password needed, and many sites will not allow a long “confessional passphrase”. There is also the risk of individual passwords being compromised in data breaches, so I think it’s best that your “confessional passphrase” be kept solely between you and your password manager software.

I’d love to hear some feedback on how this might be expected to hold up.

  1.  

  2. 9

    I was a practicing lawyer in Australia, so I come to this with some knowledge, but I am not a US constitutional lawyer.

    The privilege against self-incrimination is phrased in the fifth amendment as follows:

    nor shall [a person] be compelled in any criminal case to be a witness against himself

    The privilege is against giving testimony. To this extent, the content of your password is immaterial. If your password contains an admission of a crime, that admission cannot be used against you in court (and under the fruit of the poisonous tree doctrine, nor can any evidence acquired solely because of that admission). If you are immune from prosecution relying on a statement, you can be compelled to answer questions (see Kastigar v US). (You cannot be compelled to say a particular thing, as a matter of first amendment law, but you can be compelled to answer questions.)

    As such, I think that the content of the passphrase – whether confessional or not – would not affect whether the 5th amendment privilege can protect you from being required to give over a password.

    The open legal question here is whether the act of giving your password is itself testamentary in nature, perhaps analogous to admitting ownership of contraband. If it is, the fifth amendment applies. If it is not, and it is instead analogous to handing over a physical key, then the fifth amendment does not apply, and you can be compelled to provide your password.

    This obviously isn’t legal advice; I might be wrong about all of this.

    1. 0

      The privilege is against giving testimony. To this extent, the content of your password is immaterial. If your password contains an admission of a crime, that admission cannot be used against you in court (and under the fruit of the poisonous tree doctrine, nor can any evidence acquired solely because of that admission).

      This still raises some interesting possibilities.

      What if, for example, the content of the confessional passphrase is a confession to the crime for which you are being investigated and interrogated?

      I could see this creating a scenario where disclosing your passphrase would make you immune from prosecution, for example, if you were able to negotiate that you would not be prosecuted for crimes revealed by the confession in your confessional passphrase, and if it turns out that the confessional passphrase is, in fact, a confession to the crime for which you are being prosecuted.

      Also, following that reasoning, could you actually be actively prevented from disclosing your passphrase, if the prosecution and investigators had knowledge (or reasonable suspicion) that your passphrase was such a confession?

      Creating a situation where confessing to the crime, such as might be required for the purposes of a plea agreement, might grant immunity from prosecution is an interesting thought experiment (or a good future episode of Law & Order).

      Edit: I find it a stretch to imagine a statement such as “I am guilty of the crime of XXXXX committed on June 7 2019” could be argued to be non-testamentary in nature, forcing it instead to be considered analogous only to a physical key, but then again, I’m not a judge, prosecutor, or constitutional attorney.

      1. 8

        I could see this creating a scenario where disclosing your passphrase would make you immune from prosecution, for example, if you were able to negotiate that you would not be prosecuted for crimes revealed by the confession in your confessional passphrase, and if it turns out that the confessional passphrase is, in fact, a confession to the crime for which you are being prosecuted.

        Yeah that’s not how this works. Fruit of the poisonous tree only applies to the specific fruit of the passphrase disclosure. If you’re already under investigation, the confession in your passphrase can safely be ignored. The fruit of the poisonous tree Wikipedia article has some good discussion of exceptions, notably including parallel construction, inevitable discovery and independent sources.

        Parallel construction is sometimes done in a cleanroom environment to avoid fruit of the poisonous tree. It is very easy for this to be the case for password disclosure too. A technician, who is not otherwise involved in the investigation, could be the only law enforcement officer who ever sees your password. They can type it in where required, and therefore the content of the password is never known to the investigators. This type of process is entirely acceptable to courts.

        I find it a stretch to imagine a statement such as “I am guilty of the crime of XXXXX committed on June 7 2019” could be argued to be non-testamentary in nature, forcing it instead to be considered analogous only to a physical key, but then again, I’m not a judge, prosecutor, or constitutional attorney.

        It may be helpful to think about it in programming terms. The same sequence of bytes may be executable in one context and data in another. It is their context, not their content, which determines this. Some bytes are never executable (some text is never testamentary), but executable bytes in a non-executable context are still not executable (similarly, testamentary text in a non-testamentary context is still not testamentary).

        The debate is about whether the entering of a password is a testamentary context, whereas this post is about whether the text is testamentary.

        1. 1

          A technician, who is not otherwise involved in the investigation, could be the only law enforcement officer who ever sees your password. They can type it in where required, and therefore the content of the password is never known to the investigators. This type of process is entirely acceptable to courts.

          I wonder, if that practice was not followed, could a defendant make a legal argument that the investigators, having to essentially read and work with a phrase, over and over, that amounts to no less than a confession (at least in the eyes of a layperson), would be tainted or biased by the exposure to the phrase? If a confessional passphrase was leaked to the media and widely reported, could that be a basis to claim that a potential juror (or jury) has been tainted, and move to dismiss the juror (or declare a mistrial)?

          [Edit: Also, in general, does intentionally complicating a potential investigation tend to work in favor of or against a defendant?]

          [Edit: What I’m getting at would be: Is there anything to be gained from such a passphrase scheme? Even better, are there any disadvantages that I might not be aware of?]

          It may be helpful to think about it in programming terms. The same sequence of bytes may be executable in one context and data in another. It is their context, not their content, which determines this. Some bytes are never executable (some text is never testamentary), but executable bytes in a non-executable context are still not executable (similarly, testamentary text in a non-testamentary context is still not testamentary).

          While I’m tempted snarkily to argue “but code is data and data is code!” and point at Lisp, this makes perfect sense to me on a logical level, and I really appreciate your effort to present these concepts as clearly as you have.

          Thank you!

          1. 3

            I wonder, if that practice was not followed, could a defendant make a legal argument that the investigators, having to essentially read and work with a phrase, over and over, that amounts to no less than a confession (at least in the eyes of a layperson), be tainted or biased by the exposure to the phrase?

            I think I’m not well-placed to answer this, as someone who has not done any criminal law work in the US.

            My suspicion is that you would need something a lot stronger than this to throw out the prosecution. I think the case of US v Ceccolini would be instructive here, though it doesn’t directly answer the question. A helpful quote from p 273-274:

            The constitutional question under the Fourth Amendment was phrased in Wong Sun v. United States, 371 U. S. 471 (1963), as whether “the connection *274 between the lawless conduct of the police and the discovery of the challenged evidence has ‘become so attenuated as to dissipate the taint.’”

            That’s kind of the key here: an assessment of the degree of the “taint” of illegality (compelled confession) against how significant that evidence was to the investigation.

            It’s worth noting too that even if you’re compelled to disclose your password, there’s nothing compelling you to assert the truth of the statement. My password can be “two plus two equals five”; that doesn’t mean I believe that to be true.

            in general, does intentionally complicating a potential investigation tend to work in favor of or against a defendant?

            In general, against. At the high end, it is obstruction of justice. At the low end, a judge will not look kindly on it. Judges are humans, and don’t blindly follow an algorithm. Any attempt to be “too clever” will likely fail, and put the judge offside. It’s very difficult for laypeople (and most lawyers!) to identify the line between a good technical argument and an argument which is “too clever” in the sense I’ve used it above. Being able to identify it is one of the skills that makes great litigators great.

            While I’m tempted snarkily to argue “but code is data and data is code!” and point at Lisp …

            Ah and that’s kind of my point! Data is only code when you evaluate it; and code is always data when it’s not evaluated. Context is key.

            I really appreciate your effort to present these concepts as clearly as you have.

            It’s my pleasure! Part of the reason I became a lawyer was having my interest piqued in these sorts of questions by slashdot, and a desire to be able to think deeply and correctly about them. So I spent some enjoyable years studying them, and learning to think in the ways of the law.

    2. 6

      This reminds me of the classic “What Colour are your bits?” which was written about copyright but has a principle applicable here: the law does not work in the way programmers often assume it does, mixing bits and pieces of programmer-understanding with bits and pieces of lawyer-understanding is risky, and as a general rule, clever tricks programmers come up with to try to get around what (they think) the law does are unlikely to succeed.

      1. 1

        Thanks for posting this - it was a good read, which I was either never exposed to, or had completely forgotten.

        Also, the third comment is from Terry A. Davis! R.I.P.

      2. 4

        Short answer: the judge overseeing your trial is unlikely to be a python script.

        1. 4

          The law on this is in flux, and varies throughout the US (federal law is not the same across the US - learn about federal circuits if this surprises you).

          I would love to see this theory tested. I would not want to be the one out there testing it.

          Donate to the ACLU.

          1. 3

            I’d love to hear some feedback on how this might be expected to hold up.

            You should hire a lawyer for legal advice, not ask random devs.

            1. 2

              This issue has to be fought politically, not technically (or by technicality like making your passphrase an “admission”).

              The issue is convincing judges and politicians.

              1. 2

                I’d love to hear a lawyer’s take on this.

                My idea would be something simpler. If I were to visit a country that is known for demanding to know all my personal passwords I’d maybe:

                • assume everything is in a password manager
                • don’t take any devices with me
                • don’t put myself in a position to be able to login anywhere, because a) ssh keys or b) password I don’t know because password manager
                • get person A (not travelling with me) to encrypt my password manager file with a password I don’t know
                • visit the country

                Now I simply am truthfully not able to give out any passwords (don’t know them) and also can’t give out my password manager file (don’t have it online or with me) and then when I land try to contact person A to help me unlock my password file, probably by sending it to me to a newly created email address.

                Yes, this is kind of paranoid and would probably get me thrown into a holding cell until I relent, so I just choose to not visit those countries for now :P

                Actually the only difference to my current MO is:

                • I do know some of my passwords because they are not 64 random chars
                • I do know the password to my password manager
                • I have the file on my phone/laptop

                1. 2

                  The idea really is not for those visiting another country, but for those of us who live in South Africa, the United States, France, India, the UK and Ireland, for example (or other jurisdictions with password/key disclosure laws, as well as those without such laws but without existing legal precedents). In places like Belgium, perhaps most disturbingly, they can’t compel password/key disclosure or decryption from suspects, but they can against witnesses and uninvolved parties!

                  When I last travelled overseas, I zero’d out the hard disk on the netbook I took with me, restored my (encrypted) back-up over the ‘net, and uploaded a new back-up and zero’d the disk again before returning. (Thanks to the DBAN people for making the process easy.) That also protects you from data loss in case of hardware seizure.

                  This did, on my return trip, cost me hours of time and a missed flight, as I sat detained by security, trying to get me to explain why I was traveling with a “highly suspect” inoperable laptop. Not wanting to miss a connecting flight, I told them “Fine, keep it.” — wrong move. The laptop was now even more suspect. Since that incident, every time I fly, even domestically, I receive an SSSS ticket without fail, which apparently means I’m now on the TSA/DHS Secondary Security Screening Selection watchlist.

                2. 2

                  I’ve thought about that. Even did it but never tested in court. Other cases showed me they can grant you immunity for the crime if it’s not an act of violence or otherwise highly damaging to another party. That covers you as far as what the Fifth Amendment is really about (i.e. incarceration). If you say no, you’re confessing to an unknown, but serious, crime in a way that justifies an investigation followed by a court order with teeth.

                  On a general note, I encourage anyone investigating this topic to read Schneier et al’s Keys Under Doormats paper. It goes into both the difficulties and options governments have with regards to privacy tech. Far from dire given they have many options.

                  1. 1

                    In my personal opinion I believe this matter is simple:

                    The digital world is not unique or novel.

                    Without a warrant nobody has a right to look at the contents of your phone or computer or any digital archive same as any of your papers kept out of plain sight.

                    With a warrant the authorities are allowed to access your material in the confines of the warrant. You can not hide the evidence in a container and refuse to give up access to the container and remain in compliance with law. The digital domain is not some special place just as a crook hiding the evidence in a combination safe should not be some kind of immunity from the police gathering evidence for the prosecution.

                    However, I ran into this interesting article: http://blogs.denverpost.com/crime/2012/01/05/why-criminals-should-always-use-combination-safes/3343/

                    This article traces a line of argument that keeps cropping up that basically says a person can not be compelled to give up “the contents of his mind” in order to obey a court order.

                    As you can imagine the effect of this is kind of ridiculous as the headline of the article indicates. Smart crooks should be locking up the records of their crimes in combination safes rather than something with a key, which can be found and used.

                    On one hand I support this as the kind of conservative thinking we should ask for from the supreme court, since if the authorities are allowed to force us to give up a password how can we ensure the slippery slope is not ridden and they are allowed to force us to give up any other contents of our mind? For example, this is no different than a serial killer refusing to reveal the locations of the bodies.

                    I have no love for the serial killer, but we have decided on due process as the way to increase the longevity of our civilization.

                    This leads me to the awkward position of supporting backdoors into devices accessible by the government or funding for the government to be able to crack these digital safes without harming their contents.

                    Which is the lesser evil? Let hordes of criminals off the hook because they know how to set the password on their phone or give this power to the government?

                    I actually don’t know.

                    1. 2

                      This article traces a line of argument that keeps cropping up that basically says a person can not be compelled to give up “the contents of his mind” in order to obey a court order.

                      Interestingly, and a bit of a tangent, but I never knew this until today… the opposite also appears to be true - the government can stop you from revealing the contents of your mind, if they believe those contents constitute a threat to national security.

                      https://fas.org/blogs/secrecy/2010/10/invention_secrecy_2010/ and https://bloom.bg/1Odhrtz (the latter seems randomly selectively paywalled).

                      I can’t say I agree with this any more than I agree with mandated backdoors or compulsory key disclosure.

                      1. 2

                        This leads me to the awkward position of supporting backdoors into devices accessible by the government or funding for the government to be able to crack these digital safes without harming their contents.

                        I’d argue this is the wrong answer.

                        The societal cost of our freedoms may mean that crime will always exist and that criminals will have the opportunity to escape justice - only in a society completely devoid of both freedom and privacy can crime ever be completely eliminated and all transgressions provably punished.

                        Not being able to eliminate crime (or offensive speech, or harassment, etc.) is a very small price to pay when the alternative is eliminating privacy and freedom.

                        Edit: What if you build your own device, or implement your own cryptography, without the backdoors? Should the basics of cryptography or DIY computer system building be born secret information? Should just talking about computers or crypto be enough to land you in prison?

                        1. 1

                          Eliminate is such an absolute word. When people use absolute words like this I begin to suspect they are not interested in understanding the complexities of a position.

                          There are rarely absolutes in any system. All systems that I know of are based on a balance between rights and responsibilities, powers of the individual and powers of the state.

                          I strongly suspect the correct answer here is to give the state greater powers in breaking cryptography (or research into the same) including greater penalties for refusing to divulge passwords.

                          1. 3

                            Certainly, the word is absolute, but it was chosen deliberately, to take the idea of reducing crime to its logical end - elimination.

                            To quote an article from the National Institute of Justice, emphasis mine:

                            Soon after his inauguration, [President] Johnson acknowledged the need for a Federal response to crime and public safety. In a March 1965 address to Congress — the first by a president on the issue of crime — Johnson called for legislation to create an Office of Law Enforcement Assistance. He also established the President’s Commission on Law Enforcement and Administration of Justice, charging the members to draw up “the blueprints that we need … to banish crime.”

                            The task — breathtaking in scope — reflected not only the “can do” attitude of Johnson’s Great Society, but also a growing confidence in the ability of science and technology to solve problems. The Nation was already improving public health, harnessing atomic energy, and putting a man on the moon. Why not unleash that same creative power to eliminate crime?

                            The very explicit goal was not just to reduce, but to prevent crime. Obviously, a primary goal of law enforcement is the elimination of crime - but, the reality, if we wish to maintain our freedoms, makes that impossible.

                            The product of Johnson’s commission was something indeed balanced. “The Challenge Of Crime In A Free Society: A Report By The President’s Commission On Law Enforcement And Administration Of Justice” explicitly opens with a statement speaking of ways to reduce (not eliminate) crime, and goes on to make many observations that are still relevant today (emphasis again mine):

                            America’s form of government, its laws and its Constitution, all express the desire to maintain the maximum degree of individual liberty consistent with maintenance of social order. The process of striking this balance is complex and delicate. … Presumably, deterrence would best be served by placing a policeman on every corner. Street crimes would be reduced because of the potential criminal’s fear of immediate apprehension. Even indoor crimes, such as burglary, might be lessened by the increased likelihood of detection through a massive police presence. But few Americans would tolerate living under police scrutiny that intense. … In a democratic society privacy of communication is essential if citizens are to think and act creatively and constructively. Fear or suspicion that one’s speech is being monitored by a stranger, even without the reality of such activity, can have a seriously inhibiting effect upon the willingness to voice critical and constructive ideas. When dissent from the popular view is discouraged, intellectual controversy is smothered, the process for testing new concepts and ideas is hindered and desirable change is slowed. External restraints, of which electronic surveillance is but one possibility, are thus repugnant to citizens of such a society.

                            The report very clearly recognizes that creating an oppressive police state, in which all activity is scrutinized, would not be accepted by society and would not be conducive to maintaining social order - indeed, that it would lead to disorder and lawlessness.

                            I’m not sure when I first read this historical 1960s document, but it’s a great read, and it even has sections regarding wiretapping and electronic surveillance. In fact, when you read it, one of the overall takeaways is that you cannot have effective reductions in crime without having the respect and cooperation of the communities being policed.

                            I think this is an important conclusion that is often forgotten today. In my opinion, even with all the discontent you see in the news media, actual dissent seems to be at a very low level compared to the 1960s. I feel that most people would rather blog and express online outrage rather than putting themselves at risk to enact meaningful change.

                            Today, we are often conditioned by the media away from dissenting views and steered to accept the current popular view. We aren’t just told what is happening, but how we should feel about it. Unpopular views and contrary speech are often viciously attacked and silenced by majority mob rule, both online and off.

                            Many citizens and politicians alike are seeking absolute solutions, and they are actively working to condition us to accept less freedom and privacy to make it possible to implement what would be otherwise unacceptable solutions.

                            While I do recognize that I’m somewhat of a “freedom extremist”, on the opposite side of the argument on more than a few occasions, and I accept that a balance is essential, I (and the government) also know the reality is that if there is widespread rebellion against certain measures, if “We The People” as a society simply will not tolerate some curtailments on our freedoms, then these measures simply cannot be implemented. I feel, very passionately, that it’s a responsibility of programmers and technologists to foster that discontent, to fuel the fires of rebellion, in those outside of our field.

                            While I argue that, in almost all cases, crime, even increased crime, is an acceptable trade-off to further curtailment of personal liberties, I am legitimately interested in hearing thoughts from the other side of the argument - even if I’m not going to be convinced easily!