Sunday, September 11, 2016

What's the testimonial of passwords?

In this case described by Orin Kerr, the judge asks if entering a password has any testimonial other than "I know the password". Well, rather a lot. A password is content. While it's a foregone conclusion that this encrypted drive here in this case belongs to the suspect, the password may unlock other things that currently cannot be tied to the suspect. Maybe the courts have an answer to this problem, but in case they haven't, I thought I'd address this from a computer-science point of view.


Firstly, we have to address the phrasing of entering a password, rather than disclosing the password. Clearly, the court is interested in only the content of the disk drive the password decrypts, and uninterested in the password itself. Yet, entering a password is the same as disclosing it. Technically, there's no way to enter a password in such a way that it can't be recorded. I don't know the law here, and whether courts would protect this disclosure, but for the purposes of this blog post, "entering" is treated the same as "disclosing".

Passwords have content. This post focuses on one real, concrete example, but let's consider some hypothetical cases first.

As is well-known, people often choose the birth dates of their children as the basis for passwords. Imagine a man has a password "emily97513" -- and that he has an illegitimate child named "Emily" who was born on May 13, 1997. Such a password would be strong evidence in a paternity suit.

As is well-known, people base passwords on sports teams. Imagine a password is "GoBears2017", strong evidence the person is a fan of the Chicago Bears, despite testimony in some case that he's never been to Chicago.

Lastly, consider a password "JimmyHoffaDieDieDie" in a court case where somebody is suspected of having killed Jimmy Hoffa.

But these are hypotheticals; now let's consider a real situation with passwords. Namely, good passwords are unique. By unique we mean that good passwords are chosen to be so strange that nobody else would ever have chosen that password.

For example, Wikileaks published many "insurance" files -- encrypted files containing leaks that nobody could decrypt. This allowed many people to mirror leak data without actually knowing the contents of the leaks. In a book on Wikileaks, the Guardian inadvertently disclosed that the password to the Manning leaks was ACollectionOfDiplomaticHistorySince_1966_ToThe_PresentDay#. It was then a simple matter of attempting to decrypt the many Wikileaks insurance files until the right one was found.

In other words, the content of the password was used to discover the files it applied to.

Another example is password leaks. Major sites like LinkedIn regularly get hacked and get account details dumped on the Internet. Sites like HaveIBeenPwned.com track such leaks. Given a password, it's possible to search these dumps for corresponding email addresses. Thus, hypothetically, once law enforcement knows a person's password, they can then search for email accounts the user might hold that they might not previously have known about.

Statistically, passwords are even more unique (sic) than fingerprints, DNA testing, and other things police regularly rely upon (though often erroneously) as being "unique". Consider the password kaJVD7VqcR. While it's only 10 characters long, it's completely unique. I just googled it to make sure -- and got zero hits. The chance of another random 10-character password matching this one is one in 10^18. In other words, if a billion people each chose a billion random passwords, only then would you have a chance that somebody would pick this same random password.
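The arithmetic behind that estimate, as an added example that is not part of the original post. It assumes the password is drawn uniformly from the 62 letters and digits (the post does not state the alphabet), and it goes one step further by also computing the birthday-style chance that any two random passwords in a large population coincide with each other.

```python
import math
import string

# Assumption: passwords are drawn uniformly from upper- and lower-case
# letters plus digits (62 symbols), matching the look of "kaJVD7VqcR".
ALPHABET = string.ascii_letters + string.digits


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of equally likely passwords of the given length."""
    return alphabet_size ** length


def p_match_specific(space, draws):
    """Chance that at least one of `draws` independent random passwords
    equals one particular password: 1 - (1 - 1/space)**draws."""
    # log1p/expm1 keep precision when 1/space is far below float epsilon.
    return -math.expm1(draws * math.log1p(-1.0 / space))


def p_any_collision(space, people):
    """Birthday approximation: chance that any two of `people` random
    passwords are equal to each other (not to one fixed password)."""
    return -math.expm1(-people * (people - 1) / (2.0 * space))


if __name__ == "__main__":
    space = keyspace(10)
    print(f"10-character keyspace: {space:.3e}")
    # A billion other random passwords against this one specific password.
    print(f"one billion draws:     {p_match_specific(space, 10**9):.3e}")
    # A billion people each choosing a billion passwords (10**18 draws).
    print(f"10**18 draws:          {p_match_specific(space, 10**18):.3f}")
    # Chance that some pair among a billion random passwords is identical.
    print(f"pair among a billion:  {p_any_collision(space, 10**9):.3f}")
```

The third figure is the post's billion-times-a-billion scenario; the last one shows that "some two passwords collide" is a far likelier event than "someone matches this particular password", and it is the second that matters when a password is used to identify one person.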


Thus consider the case where the court forces a child porn suspect to enter the password in order to decrypt a TrueCrypt encrypted drive found in his house. The court may consider it a foregone conclusion that the drive is his, and thus Fifth Amendment protections may not apply. However, the content of the password is itself testimonial about all sorts of other things. For example, maybe child pornographers swap drives, so law enforcement tests this password against all other encrypted drives in their possession. They then test this password against all user account information in their possession, such as hidden Tor forums or public LinkedIn-style account dumps. The suspect's unique password is testimonial about all these other things which, before the disclosure of the password, could not be tied to the suspect.
