Dec 01, 2011

As computer forensic investigators we are constantly faced with new and emerging technologies. Perhaps the most challenging issue today is data encryption. There are various levels of data encryption we encounter: an individual file can be locked with a password, a series of files can be placed in a password protected container file such as a .zip or .rar file and a desktop or laptop computer can be encrypted to require an initial password or key upon booting. As more companies realize the value of utilizing encryption tools to protect their digital data, it will become increasingly difficult for forensic investigators and law enforcement professionals to gather evidence from computers and other storage mediums.

Data encryption and password protection are not new concepts. Recently however, due to emerging data protection laws such as those surrounding HIPAA security and Sarbanes-Oxley compliance, their use is becoming much more prevalent. According to an article posted by the Digital War Room, the use of encryption is now increasing at a rate of about 20 percent a year. In addition to new federal laws, many states are also adopting laws that require the use of data encryption. While encrypting data seems like a "no brainer" there are some serious concerns surrounding the levels of encryption that should be instituted.

As U.S. citizens we expect a certain level of privacy when conducting online transactions or while performing our daily functions at work. But that same level of privacy we expect is inadvertently protecting criminals who are using these means to commit crimes. When levels of data encryption are too extreme it is difficult and even near impossible for law enforcement to prosecute these criminals. For example the same encryption protocols and techniques that protect such things as our banking information and health records also protect terrorists who are using technology to relay messages and pedophiles who use digital means to prey on children.

A prime example of this challenge is the case of Sebastian Boucher whose laptop was accessed by border patrol officials while he was crossing over the Canadian border. While it was initially ruled that he could not be forced to turn over his encryption passwords during the investigation, due to the Fifth Amendment right that one cannot be "compelled in any criminal case to be a witness against himself," this ruling was overturned and Boucher was required to provide the encryption password to the Z: drive on his computer. Originally Boucher was asked to provide all "passwords used or associated with" the laptop. Prosecutors were forced to narrow their request which was that they only wanted Boucher to decrypt the contents of his hard drive by typing in his password in front of the jury. In this instance, providing his password would be no different than providing the key to a locked safe or providing fingerprints and blood samples. The ACLU argued that this approach was still a violation of Boucher's Fifth Amendment right. In January 2010, Boucher was sentenced to 3 years in prison and deported. This has turned into a precedent setting case outlining new guidelines when dealing with electronic privacy.

The private sector, courts and law enforcement continue to grapple with issues surrounding access to encrypted data. Personal and corporate privacy as well as public safety are extremely important in today's digital world, but it is often difficult to find a balance between the two. While most Americans would agree that they would like to be protected from digital wrongdoings there is a flip side to the issue. The more advanced our encryption technology and laws become the more difficult it will be to prosecute criminals who fall under these same rights to protection and privacy. While the answer to this dilemma is not going to be found overnight, there are corporations today who have added policies which address data rights and access; others are automating the password process so that employees no longer control their own destiny; advances in technology and changes to our legal system will hopefully add balance to the inequities of data security and privacy.

Contact me at sgoldstein@capsicumgroup.com to learn more about this topic.