Lock Out the FBI for $200
Child porn suspect keeps authorities out of his hard drive with cheap software.
Feb. 11, 2008 -- The widespread belief that any database, hard drive or electronic device can be hacked was disproved when a man accused of having child pornography on his computer managed to keep federal authorities out of his hard drive for more than a year — for the price of an average cell phone.
That computer protection used by the suspect is easy to obtain, even common on most computers, and, according to security experts, is almost impossible to breach, even for the FBI.
On Dec. 17, 2006, Sebastien Boucher was stopped by border patrol inspectors while crossing from Canada into Vermont. An inspector found a laptop in his car, which Boucher admitted belonged to him, according to an affidavit from an Immigration and Customs Enforcement agent.
After Boucher gave the agents access to his computer, they saw videos and file names that appeared to show pornography involving pre-teens, including one labeled "Two-year-old being raped during diaper change." Boucher, a Canadian citizen who is a lawful U.S. permanent resident, said he didn't know if his computer had child pornography because he could not check his temporary Internet files, the affidavit says. He was arrested and charged with transportation of child pornography, a felony that carries up to 20 years in prison.
But after Boucher's arrest, an investigator from the Vermont Department of Corrections was unable to access the images on Boucher's computer, which were stored in an encrypted drive called drive Z.
For more than a year, the government has not been able to see what is in drive Z, which is protected by an encryption program that is sold under the name Pretty Good Privacy, according to court records.
Pretty Good Privacy, which is more commonly known as PGP, is an industry standard of hard-drive encryption and email encryption, according to experts. Encryption is a complex, password-protected method of keeping information, hard drives, devices — almost anything — private.
"If you hand me someone's normal laptop, it is relatively easy to bypass passwords. All you have to do is rip out the hard drive out and put it into a different computer," said Charles Miller, a principal security analyst at Independent Security Evaluators and former employee of the National Security Agency. "PGP is full-disk encryption, which means the entire disk is encrypted and the only way in is to know the password. The program makes a key and that key is a password, without it you can't get into to the drive."
A desktop PC version of PGP is available for less than $200, and open-source (read: free) versions, sometimes called GPG, can be found online. Similar encryption services are also available in standard operating systems on PCs and Macs. Consumers often don't use them, however, because if they lose their password, there's no way to retrieve the protected information.
"People can't snoop because of strong encryption … It is similar to what protects your information and money at a bank," Miller said.
The software has proven to be instrumental in Boucher's case.
Secret Service Agent Matthew Fasvlo testified at a court hearing in 2007 that it is "nearly impossible" to access the encrypted files without the password.
"There are no 'back doors' or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords," Magistrate Judge Jerome Niedermeier, who was presiding over the case, wrote. "According to the government, the process to unlock drive Z could take years."
Jonathon Giffin, an assistant computer science professor at Georgia Tech, said without the password there was only one way to get into the computer: with "brute force."
"They start trying all possible passwords, hoping that they have passwords that you use," Giffin said. "The expected time it would take is years, decades, unless you have extremely powerful computers."
Even the FBI doesn't have that kind of computing power, according to Giffin.
"The FBI probably does not. The NSA probably does," he speculated. "That's really one of the NSA's jobs — to develop cryptosystems for our military as well as to crack the cryptosystems of other governments."
The government subpoenaed Boucher to try to force him to type in his password and give the government access to the computer.
In November, Niedermeier ruled that forcing Boucher to enter his password would violate his Fifth Amendment right against self-incrimination.
"If Boucher does know the password, he would be faced with the forbidden trilemma; incriminate himself, lie under oath, or find himself in contempt of court," the judge wrote.
In the 1990s, according to Virgil Gligor, an electrical and computer engineering professor at Carnegie Mellon University, the U.S. government attempted to prevent situations like Boucher's.
"In the late '90s, there was a government initiative, in which the government required any encryption mechanism to save keys [or passwords] and give keys to the government," Gligor said. "It failed."
Even since then, encryption programs have only improved.
"The quality of encryption that we have nowadays is actually … very good," Gilgor said.
Without that type of regulation proposed a decade ago, the government has been left with one option: to appeal the court's decision.
Russell Goldman contributed to this report.