Federal judge decrees that being compelled to divulge your PGP passphrase violates the Fifth Amendment.

Dec 20, 2007

I can't say that I'm wild about the circumstances behind this (in fact, it's taken two days to calm down sufficiently to write about it without ranting), but the ramifications of this ruling are far-reaching and not a bit irrelevant these days.

In 2006, a Canadian citizen named Sebastien Boucher crossed the border into the United States and was stopped. His laptop was searched by US Customs agents. Allegedly, thousands of images related to child pornography were found on the drive (in case you haven't heard, US ICE (Immigration and Customs Enforcement) reserves the right to examine and make disk images of laptops these days). Following his arrest, the laptop was powered down and seized as evidence. A week later they booted it back up and discovered that the partition on the hard drive containing the images was encrypted with PGP Disk and could not be examined. What probably happened was that they caught him with the software accessing the encrypted partition, but when they shut it down they lost access to the data because the passphrase was wiped from RAM. Oops.

To cut to the chase, US Magistrate Judge Jerome Niedermeier ruled that Boucher could not be compelled to divulge the passphrase to the encrypted disk partition because doing so would constitute a violation of his Fifth Amendment rights, specifically the right to freedom from self-incrimination.

Now, this is interesting for everyone else in the country who doesn't like the idea of strange people poking around inside their laptops while traveling. First of all, more and more people carry business-related information with them on the road. If you have a laptop, chances are you don't have a choice because you could be called upon to work anywhere, anywhen. By allowing them to take images of your laptop's hard drive you run the risk of exposing that data, and consequently running afoul of any NDAs that you've had to sign. Secondly, why in the hell would they want to be poking around in there without probable cause? When last I checked, personal privacy was a concept predicated on the idea that what you do on your own time was nobody else's business unless you made it public, and not on the idea that wanting to keep something private meant that you were hiding something.