Uh oh. Someone set us up the bomb:
A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.
Ari David Levie, who was convicted of photographing a nude 9-year-old girl, argued on appeal that the PGP encryption utility on his computer was irrelevant and should not have been admitted as evidence during his trial. PGP stands for Pretty Good Privacy and is sold by PGP Inc. of Palo Alto, Calif.
But the Minnesota appeals court ruled 3-0 that the trial judge was correct to let that information be used when handing down a guilty verdict.
“We find that evidence of appellant’s Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him,” Judge R.A. Randall wrote in an opinion dated May 3.
Randall favorably cited testimony given by retired police officer Brooke Schaub, who prepared a computer forensics report–called an EnCase Report–for the prosecution. Schaub testified that PGP “can basically encrypt any file” and “other than the National Security Agency,” nobody could break it.
So, basically, according to this article, if you use encryption to protect financial files or other personal records, and the man is investigating you for anything, the simple use of common encryption software could be used as evidence of you guilt.
This is truly frightening.
*** Update ***
As with all things law, I am not a lawyer, so there is the very distinct possibility that there are fine points that I simply do not understand and am thus getting my panties all in a bunch over something that already is a quite commonplace practice. I am after all, an idjit.
At any rate, more here on why maybe I am understating the case. And more here from Corante, and here from TechDirt.
I don’t think I am wrong.
John, I think the court is saying that the use of PGP was an aggravator in the case. The use of PGP alone is not criminal. Much of law is concerned with proving intent. Do you know why joyriding is the charge rather than auto theft. Intent. You have to prove the theft was an attempt to deprive and not just unauthorized use.
A person with a photo of a nude nine year old on their computer can arguably say they just stumbled across it. If they attempt to hide this photo it strengthens the intent argument.
There are serious governmental attempts though to limit or deny access to encryption efforts even for wholly legitimate reasons.
According to the article, it says that the simple existence of the PGP program was introduced as evidence of guilt. I am not arguing with you, I am just telling you what the article said.
John maybe I overlooked it but I can’t find the sentence that said PGP was introduced as evidence of guilt. I do see where they said it may be viewed as evidence of criminal intent. In other words it is used to hide criminal activity. I went and read your links in the update. I must say that this story is inadequately reported. This is a copy of my comment at Corante’s blog.
There was no evidence, apparently, that Levie used the encryption for anything related to the crime.
Was there no evidence or was the evidence merely not reported? I guess that’s why that word “apparently” is in that sentence.
John, I’m with you on keeping an eye on government attempts to control or restrict encryption. Here is a good page to bookmark. Scroll down to the Reason magazine area for some good reading. That is where I got my initial start on it. My subscription to Reason.
“We find that evidence of appellant’s Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state’s case against him,” Judge R.A. Randall wrote in an opinion dated May 3.”
“Randall favorably cited testimony given by retired police officer Brooke Schaub, who prepared a computer forensics report–called an EnCase Report–for the prosecution. Schaub testified that PGP “can basically encrypt any file” and “other than the National Security Agency,” nobody could break it.”……
EnCase is a forensic program that searches a hard drive sector by sector for specific data or text strings, uncovering anything that might have been concealed with a different file name or unsecurely deleted. The report implies that using PGP conceals any data from EnCase or other such programs; its questionable if NSA can break PGP if properly used but anyway …
The conviction depended on testimony of the girl along with forensic evidence from the guy’s browser (history) …but to say the existence of an encryption program on his machine is additional evidence of intent is questionable. PGP was there but there are so many others. Every OS, browser and many email programs have encryption…..so if this is carried on, their presence could
be used as additional evidence of intent?
In fact, if he had been smarter, he could have used their capabilities to conceal his Internet activity and not leave traces behind. Would such an operating system configuration be evidence of intent? Many use those capabilities to provide privacy from ISPs or others using shared computers. Will this now be a legal factor in prosecutions?
TechDirt’s sarcastic subject line-
“Because Only Criminals Use Encryption” is the same arguement the Feds have used against strong personal encryption since the early 90’s with PGP 1 and Schneier’s book, Applied Cryptography. The Patriot Act mentality scared many of us users for a while, but the commercial interests of e-commerce seems to have prevented a crackdown….however kcheretic is right about the rulings implications if certain authorities want to push it for political reasons. Your local DA could be wrangling for Senator and might use your protected data stream/file to ride into the State House.
Privacy is your right, exercise it.
The issue is relevancy. It is the lowest standard of proof in a court of law. Evidence is relevenat if it “has any tendency to make any fact that is of consequence …. more probable or less probable than it would be without the evidence.” If the notion that kid pornographers may try to hide pictures is relevant, the existence of encryption software is , at a minimum, relevant.
It is the defendant’s lawyers job to look for every angle. This was a long long-shot. That’s why the ruling was 3-0 on the appeals panel.
So let me try to wrap my brain around this…
This dirt bag was photographing a child naked, which the child testified to…and there is incriminating forensic evidence on his hard drive…but since he had encryption software that indicated that he was guilty of a crime?
It is a dangerous precedent to set…if you want to protect your computer files you are now going to be suspected of committing a crime(s). Guilty until proven innocent.
M. Scott Eiland
If I’m reading it right, the ruling seems to be that the existence of encryption software on the computer was relevant enough that admitting it didn’t constitute reversible error (which would have resulted in the conviction being thrown out). Since there was apparently a whole pile of other evidence implicating the guy, I can’t see anything really objectionable about this decision–by the time they introduced the evidence of encryption at trial, they already had the other evidence (kiddy porn actually on his computer) that almost certainly was what moved the jury to convict him. Now, if the issue was a search warrant, and the court had ruled that the existence of an encryption program alone was enough to justify a search, THAT would be a serious concern.
M. Scott Eiland
The link to Corante also has a quote from the opinion that makes an important point: the defendant claiming reversible error has the burden of proof to show both the error *and* the prejudice resulting from the error. Ernest Miller–while expressing concern about the relevance of the information–acknowledged that there was no clear showing of prejudice by the defendant, and that therefore it would not have been warranted to throw out the conviction.
The article didn’t say whether or not there were any encrypted files on his computer, but if there were, then it’s all in the nature of circumstantial evidence. The prosecutor puts on the testimony of the girl, the browser info, and then points out that you have these secret files, and lets the jury draw the conclusion as to what the files were.
The other thing, about intent, is also relevant. I’m certainly in favor of strong encryption (I’ve got PGP myself), but you have to admit that having such a program is evidence that you do not wish certain files to be read. If the cops can trace some sort of illegal files to you via some other means (like the testimony of an underage girl), and then you’ve got these encypted files that they can’t read, it’s a reasonable inference to make. It’s like in other criminal prosecutions where you’ve got a guy making a bunch of calls to a crime boss and then money shifts hands, but there is no wiretap. The fact that the calls were made at all is evidence, even if the cops don’t know what was discussed.
No one is saying that having or employing encryption programs is in itself a crime.
I think M. Scott has it right with the “encryption software as a basis for a search warrant” idea. That would be outrageous, but highly unlikely. A rookie attorney could get that thrown out, then, if you had a (very) ignorant ruling the ACLU , EFF and others would tear it up bigtime.
Admitting the PGP as relevant evidence is no big deal- any judge would in a case like this. It is the defense attorney’s job to rebut. So rebut – show that it is a red herring, misleading, wasn’t ever used, millions of people do, who wouldn’t encrypt in the era of identity theft, etc… Hell, I could have a jury crying for my client if the mere existence of PGP was a pillar of the prosecution’s case.
M. Scott Eiland
An obvious real-life example as to how perfectly legal and commonplace items can be relevant to a criminal prosecution:
When OJ Simpson was arrested after the notorious low-speed chase, he was in possession of his passport, several thousand dollars in cash, and a disguise. All of these things are legal to own, and indeed are owned by millions of Americans–were they relevant to the prosecution’s case against OJ?