Court Rules Defendant Must Reveal Computer’s Encryption Password
Late last week, the highest court in the Commonwealth of Massachusetts handed down a ruling that a criminal suspect can be required to decrypt the contents of their computer, becoming the latest court to rule in an area of law that involves the intersection of two separate Constitutional Amendments, technology, and the interest of the government in conducting criminal investigation:
The top court in Massachusetts has ruled that an attorney charged with mortgage fraud must decrypt his computers for police, who believe they contain evidence of the alleged crime.
The attorney, Leon Gelfgatt of Marblehead, Mass., had argued that doing so would violate his rights under the Fifth Amendment, which protects against self-incrimination.
But the Fifth Amendment doesn’t protect “foregone conclusions.” The Massachusetts Supreme Judicial Court, in a ruling Wednesday, said that state troopers already knew from interviewing Mr. Gelfgatt that he used the four computers to communicate with a sham company involved in the alleged scheme; that the computers were encrypted; and that only Mr. Gelfgatt could decrypt them.
“The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows,” wrote Justice Francis X. Spina, for the 5-2 majority.
Whether courts can compel criminal suspects and defendants to unlock their electronic devices is question that will loom larger as more people encrypt their data. Cyberattacks and revelations about U.S. government surveillance have led to a proliferation of encryption software, though its use isn’t widespread. Mr. Gelfgatt’s computers are encrypted with DriveCrypt Plus, according to court documents.
Christopher Loh, a spokesman for Massachusetts Attorney General Martha Coakley, said the ruling Wednesday “ensures that investigators can recover digital evidence when ordered by a court.”
Cyrus Farviar at Ars Technica has more details:
Because Gelfgatt already admitted to police that he owned and controlled the seized computers and had the ability to decrypt them, the court found that the act of decryption would not reveal anything new to the police. Therefore, the act of compelled decryption was not “testimonial.” Normally, the Fifth Amendment privilege prevents the government from forcing a witness to disclose incriminating information in his mind (like a password not written down anywhere else)—but only if that is information the police do not already know.
Jessie Rossman, an attorney with the American Civil Liberties Union of Massachusetts, told Ars that her organization is “disappointed in the decision.”
“For example, an individual can be forced to hand over a key to a locked safe if the government already knows that’s your safe—the documents in there have already been created,” she said.
“Your opening that safe, the documents are already there. That’s not new testimonial. But encrypted data needs to be transformed into something new when decrypted. A number of encrypted technology works such that when you look at [a hard drive] you can’t even tell what is empty space or what is not empty space. When you decrypt that computer it’s creating something new and if you didn’t have any knowledge, the act of decrypting tells you something you didn’t know beforehand. We believe that the Fifth Amendment and Article 12 needs to protect not only the act of entering a code but the act of producing decrypted files to the government.”
Marcia Hoffman, an attorney in San Francisco with extensive experience in digital law, told Ars that she also did not agree with the court’s ruling.
“The police think they’re going to find mortgage fraud, but they don’t know what they’re going to find, and they don’t know where that supposed evidence is,” Hoffman said. “That is not a foregone conclusion. They don’t seem to have a good sense. This is a fishing expedition.”
Fred Cate, a law professor at Indiana University, told Ars that this ruling could come with an unfortunate consequence. If someone admits to owning a computer and asserts that they possess the password, “its only likely effect is to encourage future defendants to be less forthcoming with police.”
This isn’t the first time that this issue has been before a Court, and the manner in which it has handled has not been at all consistent. In January 2012, I wrote about a case that was then pending in a Federal District Court in Denver regarding a woman under investigation by the Federal Government who was refusing to provide prosecutors with the password necessary to decrypt her hard-drive. After holding three separate hearings on the matter, the Judge hearing the case ultimately ordered the Defendant to produce the password. Just a month later, the 11th Circuit Court of Appeals issued an opinion in which a three judge panel ruled that a Defendant in a similar situation could not be required to produce the password or otherwise decrypt the hard drive. Then, in May of last year, a Federal Magistrate Judge in Wisconsin ordered a suspect in a child pornography investigation to provide the PGP password for his computer. There have also been rulings in factually similar cases from District Courts in Vermont and Michigan. None of these cases appears to have gone beyond the state they were at when I wrote about them, which leads me to believe that they were resolved via plea agreements most likely, but they, along with this ruling from the Massachusetts Court reveal an area of the law that is sorely in need of guidance from higher legal authorities.
As I’ve noted in the posts that I’ve written on this issue before, the issue for Courts in these cases is how a demand that a suspect or defendant produce a password is viewed under the law. If it is viewed as testimony, then it would be barred under the Fifth Amendment even if it were supported by a warrant signed by a Judge. If, however, it is merely viewed as giving law enforcement access to something that they have the legal right, due to a warrant, to search, then it is not testimonial and permissible as long as the Fourth Amendment is complied with. The analogy that has been made here is one that compares the password to either the key to a strongbox or the combination to a safe. If it’s viewed as analogous to the key, then its a Fourth Amendment issue and the subject of the warrant must provide access as long as there is a valid warrant. If, however, it is the combination to a safe, then requiring the subject to provide access is testimonial and forcing a person to reveal it would be barred by the Fifth Amendment because the combination constitutes the “expression of the contents of an individual’s mind.” The analogies are, admittedly, not perfect, but they have come to be adopted in large part due to the distinction that the case law makes between these two activities, and they are useful analogy in a situation where there is very little actual law to apply.
As for the merits of the issue itself, I stand by what I said when the 11th Circuit handed down its decision:
Revealing a password is clearly testimonial and, if the government cannot even establish that there are files on the encrypted portions of the hard drive then its argument that all it was requiring the Defendant to do was reveal the contents of a locked box, then the Defendant should be free to exercise his Fifth Amendment rights. This is a hard case, of course, because it involves allegations of child pornography. However, it is in the hard cases that rights must be enforced most vigorously because that’s where the law ends up being tested the most and, in the end, it’s the rights of the individual that must prevail over the needs of the state. Most likely, this case will be appealed to the Supreme Court. Given the conflicting rulings from Federal Courts over the past three years on an issue that is only going to become more prevalent in the future, it’s quite likely that they Justices will take the case if and when it is presented to them. Here’s hoping that they get it right.
I was wrong about that particular case making it to the Supreme Court, at least any time soon. It may be that the case remains mired somewhere in the thickets of the 11th Circuit and isn’t ripe for appeal yet, but that’s hard to determine considering that it was dealing with a Grand Jury Subpoena to an person whose name was kept under seal. Perhaps that case will reach the Supreme Court eventually. If not, this Massachusetts case has some potential to make it there if there are enough Federal Law and Constitutional issues at stake for the Court to take interest. In any case, though, there are already sufficient conflicts among the Federal Courts on this issue to justify a grant of certiorari when the time comes. Hopefully, when that happens, the Court will get it right.
Here’s the opinion