Please avoid making this into a political discussion.
If you do not know, for some ideas on what is, "too political," please review this thread:
What is, "too political," anyway?
Thanks!
URL1=http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/
The article, pretty much, says the 5th Amendment does not apply, as the court does not need the person to provide the key, only provide the unencrypted contents of the HD to the court.
The point of this post is to focus on what security people should advise their clients to do.
There are sectors where privacy is important. Journalists often need to keep sources private, to protect sources from injury or death. Health organizations impose requirements for patient data to remain private, and a HD (HD=Hard Disk) that includes private data on many patients when only data of one patient is demanded by the courts, can lead to problems. HR (HR=Human Resources) also must keep data private, and there is a risk of exposing many people's private data when an entire HD is decrypted exposing many people's HR data.
Assuming you have clients with needs to keep data private, what advice will you provide to them, in light of the mentioned decision?
Is there any defense beyond, "I can't remember?"
Certainly, such a claim would likely lead to being held in contempt of court, and a judge would mention something about the person making this claim having to spend time in jail until they remember, but what other legally defendable positions exist to help keep your data stored with encryption difficult to acquire as plain-text?
Maybe a key on a future-tech SmartCard with its own battery and some simple clock that auto-purges a key after it is unused for a certain time? (This would make recovery of a key "impossible" (for various definitions of impossible depending on the implementation of this, and technology available to attack such a device before expiration or after expiration).)
Are these the only 2 legally defendable positions? Being unable because of memory, or loss of key? Is there anything else?
Other related threads:
* Airport searches of laptops, other devices intrusive (International Travel, not domestic)
* Fifth amendment won't protect your password says federal court
* March 2, 2009 9:30 AM: "Court: self-incrimination privilege won't protect password" (article mentioned by Bascule in his thread)
I'm interested in comments on impact to security, privacy of data, and what plans you may have to legally protect your data.
Again, please avoid political discussion on right, wrong, and on laws that should, or should not be.
(Mods: if I am not around, and this thread goes political, feel free to dump in /dev/null and close it -- it won't offend me.)