Serial killer dies and takes encryption password to his grave

He was one of the best-known criminals to use encryption software, leaving behind an encrypted diary that has never been deciphered. Now Joseph Duncan has died at the age of 58.


When criminals use encryption programs such as PGP, TrueCrypt or VeraCrypt, the police are usually at a loss. Today’s crypto software is so secure that even the best IT forensic experts have no chance of breaking the encryption itself. This holds at least if the user chooses a secure password. If, on the other hand, he uses his last name or a word that can be found in a dictionary, investigators can often break the encryption. However, many criminals are smart enough to avoid this.

Cases where criminals or suspects have used modern encryption abound. I compiled a list of these years ago. Unfortunately, I have not managed to maintain and update it regularly. Nevertheless, there are now over 50 cases listed. I have made a note of numerous others, which I will include when the opportunity arises.

It is clear that only cases that are publicly known are on the list. However, this is only the tip of the iceberg, because as a rule, the police do not talk about it when they are dealing with good encryption technology.

On the occasion of this article, I have added two additional cases to the list. Both date back years and are not among the most spectacular of their kind, but they are fairly typical:

  • In 2012, police in Ontario, Canada, discovered encrypted files and storage devices on a man suspected of distributing child pornography. What encryption solution the suspect had used is not publicly known. Investigators were initially unsuccessful in breaking those encryptions. Nevertheless, the evidence was sufficient for charges to be filed. The suspect made a confession and was sentenced to one year in prison. Whether the police were able to obtain the encrypted data at some point after all is not mentioned in the press reports that I am aware of.
  • In 2015, police in New York seized the iPhone 5c of a suspected drug dealer. The contents of the smartphone were password-protected and thus encrypted. The public prosecutor’s office asked the manufacturer Apple for help, but the latter refused (similar to the case of the San Bernardino rampage). Nevertheless, IT specialists finally succeeded in decrypting the iPhone data. In addition, the accused made a confession. Unfortunately, I do not know how the case progressed.

Joseph Duncan

Another case on my list is that of the US serial killer and child murderer Joseph Duncan (1963-2021).

Source: Mugshot

Duncan first became a delinquent when he was fifteen years old. In 1980, he raped a boy, which earned him a 20-year prison sentence. After being released on parole after 14 years, he is believed to have committed three murders, but they initially went undetected.

In 1997, Duncan was sent back to prison for three years for violating parole. He was later charged with sexual offenses against two children and briefly jailed, but was released on bail pending trial. Duncan took the opportunity to escape and killed four other people. He was arrested again a few weeks later.

Duncan was sentenced to death and eleven life sentences without the possibility of early parole. Before the death penalty was carried out, he died of cancer in prison on March 28, 2021 (thanks to Bill Briere for the tip).



The Encrypted Diary

Before his arrest, Duncan operated a website called “The Fifth Nail” (this name refers to a legend according to which there was a fifth nail in addition to the four nails with which Jesus was crucified). On his page Duncan wrote a blog in which he described some of his deeds, but this was not noticed at first. In doing so, he denied being a pedophile and claimed to have been sexually abused as a child.

On his blog, Duncan wrote:

I am working on an encrypted journal that is hundreds of times more frank than this blog could ever be (that’s why I keep it encrypted). I figure in 30 years or more we will have the technology to easily crack the encryption (currently very un-crackable, PGP) and then the world will know who I really was, and what I really did, and what I really thought.

So, according to Duncan, he kept a diary encrypted with PGP software, in which he described his activities in detail. After his arrest, Duncan’s blog came to attention, and indeed the police found some encrypted media in his possession that could contain a diary. Such a document could have been an important piece of evidence in court, but apparently investigators were unable to crack the PGP encryption.

Even after the conviction, Duncan’s diary would have been an interesting source of information, because it is quite possible that he committed other crimes that were not previously attributed to him. However, since PGP is considered secure encryption software, forensic experts can realistically get at the contents of the files only through the password. But it looks like Duncan chose a secure password at the time, and after his death a few days ago, it can no longer be learned from him.

On his blog, Duncan wrote:

I figure in 30 years or more we will have the technology to easily crack the encryption (currently very un-crackable, PGP) and then the world will know who I really was, and what I really did, and what I really thought.

Let’s see if Duncan is right. If he really did use a good password, his diary should still be uncrackable in 30 years.

Cases like Joseph Duncan’s keep leading politicians and law enforcement officials to want to legally restrict the use of strong encryption programs. Bruce Schneier already wrote a few sentences on this topic 16 years ago in an article about Joseph Duncan, which I would like to endorse:

Technologies have good and bad uses. Encryption, telephones, cars: they’re all used by both honest citizens and by criminals. For almost all technologies, the good far outweighs the bad. Banning a technology because the bad guys use it, denying everyone else the beneficial uses of that technology, is almost always a bad security trade-off.


Further reading: Wenn die Polizei vor der Verschlüsselungstechnik kapitulieren muss (Teil 3)

