The widespread belief that any database, hard drive or electronic device can be hacked was disproved when a man accused of having child pornography on his computer managed to keep federal authorities out of his hard drive for more than a year — for the price of an average cell phone.
That computer protection used by the suspect is easy to obtain, even common on most computers, and, according to security experts, is almost impossible to breach, even for the FBI.
On Dec. 17, 2006, Sebastien Boucher was stopped by border patrol inspectors while crossing from Canada into Vermont. An inspector found a laptop in his car, which Boucher admitted belonged to him, according to an affidavit from an Immigration and Customs Enforcement agent.
After Boucher gave the agents access to his computer, they saw videos and file names that appeared to show pornography involving pre-teens, including one labeled "Two-year-old being raped during diaper change." Boucher, a Canadian citizen who is a lawful U.S. permanent resident, said he didn't know if his computer had child pornography because he could not check his temporary Internet files, the affidavit says. He was arrested and charged with transportation of child pornography, a felony that carries up to 20 years in prison.
But after Boucher's arrest, an investigator from the Vermont Department of Corrections was unable to access the images on Boucher's computer, which were stored in an encrypted drive called drive Z.
For more than a year, the government has not been able to see what is in drive Z, which is protected by an encryption program that is sold under the name Pretty Good Privacy, according to court records.
Pretty Good Privacy, which is more commonly known as PGP, is an industry standard of hard-drive encryption and email encryption, according to experts. Encryption is a complex, password-protected method of keeping information, hard drives, devices — almost anything — private.
"If you hand me someone's normal laptop, it is relatively easy to bypass passwords. All you have to do is rip out the hard drive out and put it into a different computer," said Charles Miller, a principal security analyst at Independent Security Evaluators and former employee of the National Security Agency. "PGP is full-disk encryption, which means the entire disk is encrypted and the only way in is to know the password. The program makes a key and that key is a password, without it you can't get into to the drive."
A desktop PC version of PGP is available for less than $200, and open-source (read: free) versions, sometimes called GPG, can be found online. Similar encryption services are also available in standard operating systems on PCs and Macs. Consumers often don't use them, however, because if they lose their password, there's no way to retrieve the protected information.
"People can't snoop because of strong encryption … It is similar to what protects your information and money at a bank," Miller said.
The software has proven to be instrumental in Boucher's case.
Secret Service Agent Matthew Fasvlo testified at a court hearing in 2007 that it is "nearly impossible" to access the encrypted files without the password.