Florida appeals says you can be compelled to utter your phone's passphrase

Originally published at: http://boingboing.net/2016/12/13/florida-appeals-says-you-can-b.html

…

Just program the phone to wipe all data upon receipt of a “special” passphrase.

My passphrase is “FukDaJudge”.

Don’t tell anyone.

The real problem is that while I can’t forget my thumbs, I can forget a password. Using a destruction option would likely result in being charged with obstruction and tampering with evidence.

I’ll make like 36 character passwords and forget them all the time, unless there a built in mechanism to wipe a device after like 5 failed attempts from the beginning they’ll have to try to give you a defacto life sentence while you try to remember it.

I see another wrinkle with this. With the advent of BYOD, you have to create such passphrases to access your device because of regulatory reasons (based on your industry). Android and IOS enforce these domain policies explicitly when you add the accounts.

Depending on your job, you could be in violation of federal law by doing so. A fact I would happily point out to any officer asking for my phone’s unlock code, because it not only endangers my job and puts my company at risk, but is potentially a felony. Even without knowing the specific implications, I’d potentially be better off asking the officer to throw the book at me for not complying.

So, just what is the difference between forcing you to unlock a phone that contains proof of your crimes, and forcing you to confess to the crime? That’s an awfully fine hair they’re splitting there. And just how are they supposed to “force” you to surrender the code if you don’t want to give it? Given that Trump has not yet legalized torture of white Christian American citizens?

Something tells me this is going to be overturned, and given the lust law enforcement has for our phone data, it’s probably going to be appealed all the way to the Supreme Court.

So they can charge you with destruction of evidence? That seems… unwise. You need something with more plausible deniability.

Indefinite detention bans have been defeated in Congress for terrorism suspects and contempt of court has been used for up to 14 years of detention without conviction. Anything that happens to you during your stay in the hoosegow is just coercive incentives as far as the system is concerned.

So, clearly, a special coercive password needs to be used with two images, one squeaky clean, and another potentially dangerous. When you enter the emergency password one image is zapped and another is booted. Make sure that the images are encrypted and that the key is overwritten with the benign encryption key.

Or.

Learn to love steganography. You can’t be compelled to reveal the password if they have no clue that there’s anything to hide in the first place.

Or.

Pen. Paper. Solitaire cipher, and as the police break down the door calmly shuffle the deck of cards.

All technically plausible and yet all wildly impractical.

I wonder how a Trump supreme court judge will destroy freedom, liberty, human rights, and the rule of law. We may be entering an actual dark age.

They can already force you to unlock your home or your trunk. Anything you have a physical key to, including biometric keys like finger prints. Passwords have been exempted in many cases based on the difference being knowledge. A password is something you know rather than something you have, thus it is more akin to the forced confession you mention. So there is a nuanced issue going on when it comes to what specific things you can be coerced into doing that will incriminate you.

Forcing you to unlock a device reveals whatever evidence is actually there, including a "lack of any upskirt pictures ".

Forcing you to admit guilt may in fact force you to admit to guilt that doesn’t actually exist.

I’m still uncomfortable with it. Maybe “just” a slippery slope thing. Or maybe I worry that it is step on in framing someone. Or maybe I just love cryptography and dislike things that render it irrelevant.

As a practical matter if you refuse to unlock it and a judge believes they have a right to demand it & you know it they can jail you for contempt until you unlock the device, even jail you longer then a guilty verdict for the original crime (er, unless that is “life”)

FYI I’m not a lawyer, I never passed the bar anywhere, or even took more then a high school law class. I’m not an expert. If you need a legal opinion hire a lawyer, don’t take my ramblings as actually useful!

For entertainment purposes only!

Or, as I like to call it, “Welcome to computer security.”

If it was practical, everyone would be doing it.

That said, options 2 and 3 are jokes (Do you imagine someone actually using the solitaire cipher for the day-to-day?), and option one can be made quite practical provided you keep your legitimate and subversive actions separate. It would just require the engineering time to roll a custom implementation of Android with these features baked in. You could code it in a few months, easy.

Oh god. Is there an OS that can shield the real stuff? Like, completely pretend it isn’t there? Because this is getting to be too much.

The good ol’ policies of education and illumination help a lot in dealing with drink, drugs, terrorism. Just have a society where people are fairly content.

Is forcing you to unlock your phone more like forcing you to incriminate yourself, or more like forcing you to surrender the contents of a file cabinet in response to a subpoena? I tend to think the latter.

Yeah, I had to remind myself of the line between warrantless demands to open a phone on the spot by some bully-ass street officer, and judge asking for access during a trail. These are very different situations. In this situation that @anon75430791 brings up, the courts have procedures for dealing with protected / sensitive information, no? It seems important to keep the two separate, so that fighting (and potentially losing) one doesn’t affect the other.

Rather, they can take the key from you and use it themselves. Likewise, they can print a copy of a scanned fingerprint and use that instead. However, I am of the opinion that unless they find your password lying around or written down somewhere, speaking or writing down your password is testimony, and thus should not be coercible.

But then wouldn’t telling them where the key was also be “testimony?” unless your passphrase was “TotalUpskirtNut69”…