Process over presumption: The Vermont encryption key decision

On Dec. 17, 2006, Canadian citizen and legal U.S. resident Sebastian Boucher crossed the U.S. border into Vermont at Derby Line. A U.S. Immigration and Customs Enforcement agent inspected the 30-year-old man's computer and reportedly found pornography and - significantly for this case - child pornography on the Z: drive. The laptop was seized as evidence and Sebastian Boucher was charged with transporting child pornography across interstate borders. Two days later, when agents tried to access the Z: drive, they found that it was encrypted using PGP.

In the course of 2007, a grand jury issued a subpoena ordering the accused to divulge his PGP encryption key; that subpoena was overruled on Nov. 20 by U.S. Magistrate Judge Jerome Niedermeier.

The case has created a wave of impassioned debate in the blogosphere, much of it consisting of abuse hurled at the defendant and contempt heaped upon the judge for letting a child pornographer go unpunished; a typical example of that kind of commentary, complete with original spelling, grammar and punctuation, is:

“What are they thinking? This is our children. We should do everything to put children pornographers behind bars, along with the pedophiles!!!! They have the laptop already, they have the evidence. This Judge needs to wake up and do the job he was hired to do. ‘My own opinion may the should check on all the people that agree with this decision!’"

More reasoned analysis can be found in Declan McCullagh’s review from Dec. 14, and in an excellent interview with a number of legal scholars by John Curran of Associated Press from Feb. 7, 2008, and I will not repeat their work here.

There are some implications of this decision if it is borne out on appeal. First, for corporate security managers, teach all employees what security specialists have been repeating for years: don’t carry sensitive materials across borders and don’t think that encryption will protect your laptop against seizure by border police. We have long known that many countries regard encryption on laptops with suspicion; in France, for example, “the government has access to private encryption keys, import and export of encryption software are restricted, and strict sanctions are imposed for using cryptographic techniques to commit a crime.” 

Here are my recommendations for anyone crossing an international border with a laptop computer:
1. Do not carry anything on the computer that you would regret being known to the officials from either side of that border.
2. Be prepared to divulge your decryption key(s) on demand; otherwise be prepared to have your computer seized.
3. Because of the risk of seizure, you must absolutely back up all operational data that you carry on your portable computer before you leave.
4. Make two backups before you leave so that data corruption of portions of either one may be compensated for using the other copy.

Another thought prompted by this interesting development over Fifth Amendment rights is the easy carryover of loathing for a crime and its perpetrators (child pornography and pornographers) into hostility for due process. The person quoted above who was foaming at the keyboard and implying that anyone who supports due process must be a pornographer illustrates a logical error that underlies extreme political discourse: if you disagree with our policies you must support criminals / perverts / our enemies / terrorists. We must steadfastly resist these forces of illogic and refocus the discussion on the arguments at hand. The rants and the ad hominem attacks are dangerous distractions that we can challenge by dragging them into the light of reason.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.