The challenge, however, may be too big for police to solve, according to a University of Waterloo professor. Depending on the nature of the password, they may not be able to decode it, says Doug Stinson, a professor at the University of Waterloo who specializes in cryptography. “If the password is really a random alphanumeric password that is 26 characters in length, then an exhaustive search is basically impossible,” says Stinson.
The comments follow Justice Julianne Parfett’s decision to grant police extra time to crack the code. “The evidence before me indicates that multiple computers have been working 24/7 to unravel the password, but it has yet to happen,” wrote Parfett in R. v. Seguin as she granted the Crown’s application to keep the hard drive for at least another year.
Police seized the laptop in February 2014 as part of a child pornography investigation that hasn’t yet resulted in any criminal charges. Police normally must not keep goods seized in an ongoing investigation for more than a year under the Criminal Code unless a Superior Court judge approves an extension.
The extension, granted under s. 490 of the code for a single hard drive from a computer, is unusual, says Michael Spratt, an Ottawa defence lawyer not associated with the case. “These are very broad search and seizure powers. Are police going to be able to keep that property in perpetuity?” asks Spratt, a partner at Abergel Goldstein & Partners LLP in Ottawa.
The “larger issue” from the case is whether police should be able to seize someone’s property even without grounds to arrest, according to Spratt, who’s also vice president of the Defence Counsel Association of Ottawa.
The investigation by Ottawa police began in August 2013 after Microsoft alerted authorities about 89 images of child pornography uploaded to a cloud-based storage service. A law enforcement request to the Internet service provider tracked the account at a home in an Ottawa suburb.
Five months after receiving the information, Ottawa police were observing the residence before executing a search warrant when they saw Justin Seguin leaving the house. Seguin is a relative of the people who live at the residence. The screen name of the Microsoft account was that of a relative who lived in the house, the court heard. Police arrested Seguin shortly after leaving the house. They seized his laptop, iPhone, and a thumb drive.
Police examined the iPhone and thumb drive and didn’t find any evidence of child pornography. They seized several computers from the residence but later returned them as they discovered no illegal images.
Seguin declined to provide his password when officers detained him at the police station. The student in the computer technician program at Algonquin College said only that he had a 26-digit alphanumeric password on his laptop.
Parfett rejected the argument of Crown attorney Kerry McVey that the original search warrant also extended to the laptop. “A search warrant is insufficient to justify searching a person who was seen leaving a residence that is the subject of a search warrant that has yet to be executed,” wrote Parfett in the ruling issued March 24.
The Superior Court judge concluded Seguin’s arrest wasn’t lawful. However, there was no violation of the Charter of Rights and Freedoms because there were exigent circumstances surrounding the seizure, according to Parfett. Seguin’s computer skills were one of the factors that justified the police action. “It is apparent that he is very knowledgeable about computers and would have had no difficulty quickly destroying any evidence had he been alerted to the risk in time,” the judge stated.
The powers under s. 490 normally apply in very “complex” investigations to guard against the defence gaining early access to police files or to protect informants, according to the policy manual for federal prosecutors. Parfett also cited a previous case involving an alleged income tax fraud involving numerous documents as an example of the complexity of an investigation the Crown must establish.
The Superior Court judge concluded that the investigation itself wasn’t complex. “But decrypting the hard drive in circumstances where a 26-digit alpha-numeric password has been used is very complex. And without knowing the contents of the hard drive, the investigation cannot move forward. There has been no ‘foot-dragging’ in this investigation nor any evidence of procrastination or bad faith. It is not a matter of lack of training or resources. It is a matter of decrypting a hard drive, which is a long and complex procedure,” wrote Parfett, in granting the 12-month extension.
Stinson explains that there are 62 possibilities for each character as they could be upper- or lower-case letters or one of 10 numbers. “This is an enormous number of passwords, far too many to try them all even with the fastest computers,” he says. “On the other hand, if the password is weak in that it is made up of recognizable words, then a search might be feasible.”
It’s a view shared by Carlisle Adams, a professor at the University of Ottawa who has also held senior positions in the cryptography field in the private sector.
If truly random, “there is essentially no hope of finding the right value,” says Adams.
He wonders, though, whether the password is indeed 26 characters in length. “Why wouldn’t a person with a 12- or 15-letter password simply claim it was 26 letters so police will search 26-letter strings for a long time and then give up?” he asks.
Bruce Simpson, an Ottawa lawyer representing Seguin, didn’t respond to requests for comment on the case.