Corante

About this Author
Ernest Miller Ernest Miller pursues research and writing on cyberlaw, intellectual property, and First Amendment issues. Mr. Miller attended the U.S. Naval Academy before attending Yale Law School, where he was president and co-founder of the Law and Technology Society, and founded the technology law and policy news site LawMeme. He is a fellow of the Information Society Project at Yale Law School. Ernest Miller's blog postings can also be found @
Copyfight
LawMeme

Listen to the weekly audio edition on IT Conversations:
The Importance Of ... Law and IT.

Feel free to contact me about articles, websites and etc. you think I may find of interest. I'm also available for consulting work and speaking engagements. Email: ernest.miller 8T gmail.com

Amazon Honor System Click Here to Pay Learn More

The Importance of...

Category Archives

June 09, 2005

May 27, 2005

More on Crypto and Criminal Evidence

Email This Entry

Posted by Ernest Miller

A few days ago I took note of State v. Levie, in which Levie was convicted of solicitation of a child to engage in sexual conduct, which included taking nude photos (Mere Presence of Encryption on PC Relevant to Criminal Acts). Levie had appealed the case in part based on the district judge allowing evidence that a common cryptography program was on Levie's computer.

Prof. Orin Kerr takes issue with the characterization of the case as holding that the presence of a cryptography program is relevant evidence of a crime (Myth of Crypto as a Crime).

Obviously, the idea that using encryption necessarily reflects criminal activity is rather silly; Internet users use encryption all the time for all sorts of legitimate reasons. As many critics of the new decision have noted, it makes no sense to see encryption as inherently linked to crime. But contrary to the blogospheric common wisdom, no court ever said it was. [emphasis in original]
Kerr argues, instead, that the court was using the presence of the cryptography program as evidence that Levie was a sophisticated computer user, which would explain why the police found no child pornography or nude child photos on his computer.
Although the opinion is not clear on this, it's not hard to imagine why the contents of the computer were relevant. The girl had testified that the defendant had put nude pictures of her on his computer, but no pictures were recovered. The defense presumably argued that the lack of pictures showed the niece was lying. The government pointed to the Internet search terms as corroboration, and argued that the lack of photos on the defendant's computer only reflected the fact that he was savvy enough to get rid of the images, hide them, or encrypt them because he knew the police were coming. The evidence of the defendant's careful effort to hide the files and evade law enforcement was the downloaded text of the state statute and the copy of PGP. Not slam-dunk evidence, obviously, but not entirely irrelevant.
That is certainly the argument I would make about the interpretation of this case should the issue rise again, but I'm not sure that is really what is going on. As Kerr notes, "the opinion is not clear on this".

Were there encrypted files on the computer or not? The district judge says, "evidence tends to show that an encrypting capability was employed by the Defendant", but there is no mention of what the evidence might be, other than the presence of PGP on the computer. Were there encrypted files? Were there erased files? Were those erased files encrypted? Any evidence of that nature would end the legal discussion pretty darn quickly. Since it isn't mentioned, we can presume that there wasn't. If you don't have any evidence of actual encryption going on and either erasure or transfer of the encrypted files, it is hard to see how mere presence of a program that "may be included on every Macintosh computer that comes out today" according to the State's own witness is relevant here.

If the presence of PGP simply shows that one is a sophisticated computer user, why mention only PGP? Wouldn't there be other evidence of sophistication? Again, the state's own witness testified that PGP "may be included on every Macintosh computer that comes out today," which wouldn't prove one wit about the user's sophistication, unless one presumes that Macintosh users are, by definition, sophisticated. One wonders how sophisticated this guy was, since he didn't completely wipe his browser.

As for hiding files, PGP is no evidence of that either. PGP encrypts files, it doesn't hide them. If Levie had a "military-grade" disk-erasing program, that would be clearly relevant, but there's nothing like that in the record.

Even if the evidence of PGP was excluded, it doesn't mean Levie goes free. The error wasn't prejudicial, and there was plenty of other evidence to hang a conviction on.

Comments (6) + TrackBacks (0) | Category: Cryptography

May 24, 2005

Mere Presence of Encryption on PC Relevant to Criminal Acts

Email This Entry

Posted by Ernest Miller

C|Net News reports that the Minnesota State Court of Appeals has upheld a ruling in which the presence of an encryption program on a computer was relevant to a criminal child sex abuse case (Minnesota Court Takes Dim View of Encryption).

The case, Minnesota v. Levie, involves the uncle of a nine-year-old girl who sought to have her pose nude for his digital camera. The Court upheld his conviction on two counts of solicitation of a child to engage in sexual conduct.

In his appeal, Levie challenged, among other things, the introduction of evidence that he had a file encryption program on his computer.

He [retired police officer Brooke Schaub] also testified that he found an encryption program, PGP, on appellant’s computer; PGP “can basically encrypt any file;” and, “other than the National Security Agency,” he was not aware of anyone who could break such an encryption. But Schaub also admitted that the PGP program may be included on every Macintosh computer that comes out today,...
The judge found this relevant:
After closing arguments and an adjournment, the court explained its findings orally, noting that: ... the “evidence tends to show that an encrypting capability was employed by the Defendant;”
Which led to Levie's argument on appeal:
Appellant first argues that he is entitled to a new trial because the district court erred in admitting irrelevant evidence of his internet usage and the existence of an encryption program on his computer. Rulings involving the relevancy of evidence are generally left to the sound discretion of the district court. And rulings on relevancy will only be reversed when that discretion has been clearly abused. “The party claiming error has the burden of showing both the error and the prejudice.”

Appellant argues that his “internet use had nothing to do with the issues in this case;” “there was no evidence that there was anything encrypted on the computer;” and that he “was prejudiced because the court specifically used this evidence in its findings of fact and in reaching its verdict.” We are not persuaded by appellant’s arguments. The record shows that appellant took a large number of pictures of S.M. with a digital camera, and that he would upload those pictures onto his computer soon after taking them. We find that evidence of appellant’s internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him. [citations omitted]

I can see that this evidence wasn't clearly prejudicial, and thus not meriting throwing out the conviction, but I really don't see why it was relevant. What, exactly, is the presence of an encryption program supposed to be relevant for? There was no evidence, apparently, that Levie used the encryption for anything related to the crime.

As Techdirt notes sarcastically, the rules seems to be "if you had nothing to hide, why would you encrypt it?" (Because Only Criminals Use Encryption).

Comments (2) + TrackBacks (0) | Category: Civil Liberties | Cryptography | Security

August 16, 2004

Rumors of SHA-1 Vulnerability

Email This Entry

Posted by Ernest Miller

Ed Felten breaks what may be very important news on Freedom to Tinker (SHA-1 Break Rumored).

SHA-1 is a member of the SHA family of cryptographic hash functions. Basically, a hash takes a file and then creates a "unique" and much shorter identifier for that file. Change even 1 bit of a file and the hash will be completely different. The hash is "unique" in the sense that is extremely improbable that two unrelated files will have the same hash. There are many uses for such a technique and the SHA family (particularly SHA-1) is commonly used in all sorts of programs and protocols:

If SHA-1 is completely broken, the result would be significant confusion, reengineering of many systems, and incompatibility between new (patched) systems and old.
To put it mildly.

If true, this would also be evidence that even seemingly foolproof and well-tested algorithms can become vulnerable.

Comments (0) + TrackBacks (0) | Category: Cryptography

March 15, 2004

A Race the FBI Can't Win: The Increasingly Asymmetric Costs of Wiretap Surveillance vs. Wiretap Avoidance

Email This Entry

Posted by Ernest Miller

LawMeme briefly summarizes and collects a number of articles on several law enforcement agencies' (FBI, DOJ and DEA) recent petition to the FCC to expand government wiretap capability (FBI seek to expand the system-formerly-known-as-Carnivore).

C|Net News reports that the petition "aims to give police ready access to any form of Internet-based communications" (FBI adds to wiretap wish list):

Legal experts said the 85-page filing includes language that could be interpreted as forcing companies to build back doors into everything from instant messaging and voice over Internet Protocol (VoIP) programs to Microsoft's Xbox Live game service. The introduction of new services that did not support a back door for police would be outlawed, and companies would be given 15 months to make sure that existing services comply.

That's just wonderful. And I suppose only the US government will have access to these backdoors?

The Washington Post (reg. req.) talks to one of the leading experts on wiretapping, CDT's James X. Dempsey (Easier Internet Wiretaps Sought):

But privacy and technology experts said the proposal is overly broad and raises serious privacy and business concerns. James X. Dempsey, executive director of the Center for Democracy & Technology, a public interest group, said the FBI is attempting to dictate how the Internet should be engineered to permit whatever level of surveillance law enforcement deems necessary.
"The breadth of what they are asking for is a little breathtaking," Dempsey said. "The question is, how deeply should the government be able to control the design of the Internet? . . . If you want to bring the economy to a halt, put the FBI in charge of deploying new Internet and communications services."

Dempsey is right. The amount of intervention in technology development necessary for the FBI and DOJ to accomplish what they want with regard to wiretapping is enormous. The costs will be both direct (money out of consumer's pockets) and indirect (loss of innovation). However, that is only half the picture. Unfortunately for the FBI, the costs to defeat the wiretapping are relatively small and will continue to decrease. We have here an asymmetric situation that will only grow more asymmetric as time goes on.

The problem is with the underlying architecture of the internet. Advances in technology along with the end-to-end/layers principle mean that it will always be cheaper to add encryption to the edges of the network than to increase the amount of surveillance at the center of the network. How much does it cost to write an encrypted VoIP app? Not much. How much does it cost to build the surveillance mechanism and conduct the surveillance across all possible ISPs? A heck of a lot more.

Ok. Now that the first encrypted VoIP app is compromised ... how much will it cost to build another encrypted layer on top of the first one? How much will it cost to conduct surveillance on this new layer? Hmmmm, if this progression continues, as we add additional layers of encryption and surveillance, the costs will increasingly diverge. Not a game you can win ultimately. In fact, it doesn't make much sense to even start. The FBI should be happy with what they've got.

Nor should we forget how darn cheap computing is getting. I wish my first computer had the power of a Treo 600. How hard is it to write voice encryption software for Treos and all the follow-on smart phones? How hard will be to add additional layers to the communications stack especially given all the various options for communication being made available through ubiquitous grid-network wireless?

If I were the FBI, I wouldn't waste my time on a battle I ultimately couldn't win and instead would concentrate my efforts on the place where I could still achieve my goals - the ends. You want to know what someone is up to online? I would recommend, for example, key loggers, "real" spyware, and social engineering. It ain't gonna be easy, but you have a chance of winning in the long term. The sooner you quit a race you can't win, the faster you can enter a race where you have a chance.

Bonus FBI Inanity: Sunday, March 14th was the 54th birthday of the FBI's "Top Ten Most Wanted Fugitive List." What better way to celebrate than with a humorous quiz? For example,

5. What Bible-carrying female impersonator was captured in 1964 while working as "Bobo the Clown" with a traveling carnival?
ANSWER: Leslie Douglas Ashley. And for extra credit, Isaie Aldy Beausoleil [apparently another man] was arrested in 1953 dressed as a woman...acting v-e-r-y suspiciously in a Chicago ladies' restroom.
7. Who was arrested in Japan, extradited to the U.S., and in Honolulu presented FBI Agents--in all seriousness--with [sic] a Monopoly "Get Out of Jail Free" card?
ANSWER: James Robert Ringrose, arrested in 1967.
And this one is really a laugh riot, har-d-har-har:
4. What Top Ten terrorist who was apprehended in 1995 said at his trial in New York City, "I am a terrorist, and I am proud of it"?
ANSWER: Ramzi Ahmed Yousef, who masterminded the 1993 World Trade Center bombing in New York and planned the bombing of an American airplane in the Far East, an act that was prevented. Judge Kevin Thomas Duffy of Manhattan's Federal District Court called him "an apostle of evil [who] wanted to kill for the thrill of killing human beings."

Bonus FBI Inanity 2: A Strengthened Partnership to Protect Children: Name that Sexual Predator! - That's the real name for the page - no foolin'. Frankly, I am somewhat disturbed when law enforcement agencies turn child abuse into a game.

UPDATE

Brother Dana has some observations here: Following The Chinese Way

Comments (3) + TrackBacks (0) | Category: Civil Liberties | Cryptography | Cybercrime | Internet | Privacy | Security | WiFi

October 27, 2003

DRM Companies Fund Felten's Attacks on DRM

Email This Entry

Posted by Ernest Miller

Famed computer science professor Ed Felten runs the Freedom to Tinker blog, where his discussions of cryptography, security, copyright and freedom and technology generally are deservedly popular. Popularity comes with a price, however. In this case, the cost is the expense of bandwidth. In order to offset some of his costs Felten decided to try Google AdSense (ADS). The system puts AdWords on the bottom of the individual entry pages for Freedom to Tinker. The ads are supposed to be "relevant to what your readers see on your pages."

Interestingly, the ads on Felten's site are almost all for copyright/patent enforcement and digital rights management - topics upon which Felten has strong opinions, most of which would not be viewed favorably by the advertisers. I'm not sure which is more ironic - Felten advertising DRM systems - or DRM companies funding Felten through advertisements.

Be sure to read the comments on Felten's site.

Comments (1) + TrackBacks (0) | Category: Cryptography | Digital Rights Management | Oddities

Poor Traffic Light Engineering Practices

Email This Entry

Posted by Ernest Miller

The Detroit News has a story on special infrared transmitters that can can broadcast a signal to receivers on traffic lights, turning the light from red to green (Gadget may wreak traffic havoc). The purpose of the devices is to ease the way for emergency vehicles. However, now civilian knock offs are being sold, allowing the average citizen to clear their own traffic path. The traffic headaches this can cause will be enormous, not to mention the problems it will cause for emergency vehicles. The consumer devices themselves are probably legal to sell currently.

Educated Guesswork notes how easily this could have been prevented with some simple cryptography (Remote traffic light control).

Ed Felten notes how poor engineering practices might result in poor law: banning transmitters and thus creating a black market (Remote Controls for Traffic Lights).

Comments (0) + TrackBacks (0) | Category: Cryptography | Security

October 21, 2003

1) Respond to Nonexistent Threat; 2) ... ; 3) Profit!

Email This Entry

Posted by Ernest Miller

Tim Oren has an interesting post on his Due Diligence blog concerning the intersection of security and business concerns in the design of systems (What's Your Threat Business Model?). He uses SSL as an example of how business models and security models can interact in odd ways.

Comments (0) + TrackBacks (0) | Category: Cryptography | Security

October 16, 2003

Famous Crypto Case Ends With Whimper, Not Bang

Email This Entry

Posted by Ernest Miller

According to C|Net News' Declan McCullagh, the famous cryptography export case Bernstein v. US DOJ has been dismissed due to statements by the DOJ that they promise not to enforce the law against cryptographic researchers (Cold War encryption laws stand, but not as firmly). Bernstein's case involved the desire of a cryptography researcher to distribute encryption software, which is/was strictly controlled by export regulations. The case has gone through many permutations and procedural twists. It has certainly resulted in changes to government regulations such that encryption software is much less tightly controlled than it once was. More importantly, the case has been one of the main sources for several once novel legal arguments, particularly those establishing that computer code is speech protected by the First Amendment.

See also EFF's archive on the case ("Legal Cases - Crypto - Bernstein v. US Dept. of Justice (formerly Bernstein v. Dept. of State)" Archive).

Comments (0) + TrackBacks (0) | Category: Cryptography