According to a BBC article I read today, an American man has apparently been held in jail for several months because he couldn’t, or wouldn’t, decrypt a pair of hard drives for law enforcement.
From the story: “According to the jailed man’s appeal, he appeared at the district attorney’s office to enter passcodes for the hard drives – but they failed to work.”
With respect to the case and its details, I don’t know anything more than what is described by the author. For the purposes of this discussion, let’s assume that he honestly tried to decrypt the drives for the authorities.
Regardless of his actual innocence or guilt, this is a bit scary to me.
On more than one occasion, I have lost data in encrypted files and drives – not due to hardware failure or encryption failure but due to my own human nature and incompetence. In none of these cases have I lost valuable data, so one could argue I didn’t take the care with the passphrase I would if the data really mattered to me.
Primarily, the data I have lost was data I encrypted to test out some aspect of a tool like TrueCrypt, or the encryption provided by Word to protect a document. But when I went to decrypt it an hour or days later, I discovered that the passphrase didn’t work, causing me to eventually throw up my arms and delete the file or reformat the drive.
When I do these kinds of explorations, I generally use the same passphrase, which is a sentence I can easily remember: “The quick brown fox jumps over the lazy dog.”
However, as my kids like to point out, I am not a great typist. For example, in typing the previous sentence just now, I produced: “The quick brown focx jumped over the lazy dog.”
In plaintext, this is easy to correct, and for many of us, this is how we type. We get the words down and then employ various correction techniques. When inputting a passphrase, this isn’t always the case; it’s only recently that the ability to show each character before printing the ‘*’, or to see the whole passphrase, has been adopted.
Interestingly, I apparently make the same typo in the second passphrase field, so it verifies at the time of entry. Instead of knowing what I typed for a passphrase, I know what I think I typed. A couple of times I have been able to reproduce the typo after a couple of tries, but I have also failed after exhausting enough variants that I decided to just give up.
This aspect of the case is concerning because humans aren’t perfect and the idea of ending up in jail because I can’t get the passphrase right is a scary result. It is clear that the legal and societal realms are assuming some level of mathematical and algorithmic perfection and neglecting the human factors to some extent.
If that is the case, then I am deeply concerned about the consequences for the few of us that are less than perfect typists.
P.S. I considered posting this with all of my typos left in but I don’t want to become an internet meme either.
Title image courtesy of ShutterStock