Court Rules Defendant Must Reveal Computer’s Encryption Password

Another area where the law has yet to catch up to technology.


Late last week, the highest court in the Commonwealth of Massachusetts handed down a ruling that a criminal suspect can be required to decrypt the contents of their computer, becoming the latest court to rule in an area of law that involves the intersection of two separate Constitutional Amendments, technology, and the interest of the government in conducting criminal investigations:

The top court in Massachusetts has ruled that an attorney charged with mortgage fraud must decrypt his computers for police, who believe they contain evidence of the alleged crime.

The attorney, Leon Gelfgatt of Marblehead, Mass., had argued that doing so would violate his rights under the Fifth Amendment, which protects against self-incrimination.

But the Fifth Amendment doesn’t protect “foregone conclusions.” The Massachusetts Supreme Judicial Court, in a ruling Wednesday, said that state troopers already knew from interviewing Mr. Gelfgatt that he used the four computers to communicate with a sham company involved in the alleged scheme; that the computers were encrypted; and that only Mr. Gelfgatt could decrypt them.

“The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows,” wrote Justice Francis X. Spina, for the 5-2 majority.

Whether courts can compel criminal suspects and defendants to unlock their electronic devices is a question that will loom larger as more people encrypt their data. Cyberattacks and revelations about U.S. government surveillance have led to a proliferation of encryption software, though its use isn’t widespread. Mr. Gelfgatt’s computers are encrypted with DriveCrypt Plus, according to court documents.

Christopher Loh, a spokesman for Massachusetts Attorney General Martha Coakley, said the ruling Wednesday “ensures that investigators can recover digital evidence when ordered by a court.”

Cyrus Farivar at Ars Technica has more details:

Because Gelfgatt already admitted to police that he owned and controlled the seized computers and had the ability to decrypt them, the court found that the act of decryption would not reveal anything new to the police. Therefore, the act of compelled decryption was not “testimonial.” Normally, the Fifth Amendment privilege prevents the government from forcing a witness to disclose incriminating information in his mind (like a password not written down anywhere else)—but only if that is information the police do not already know.

Jessie Rossman, an attorney with the American Civil Liberties Union of Massachusetts, told Ars that her organization is “disappointed in the decision.”

“For example, an individual can be forced to hand over a key to a locked safe if the government already knows that’s your safe—the documents in there have already been created,” she said.

“Your opening that safe, the documents are already there. That’s not new testimonial. But encrypted data needs to be transformed into something new when decrypted. A number of encrypted technology works such that when you look at [a hard drive] you can’t even tell what is empty space or what is not empty space. When you decrypt that computer it’s creating something new and if you didn’t have any knowledge, the act of decrypting tells you something you didn’t know beforehand. We believe that the Fifth Amendment and Article 12 needs to protect not only the act of entering a code but the act of producing decrypted files to the government.”

Marcia Hoffman, an attorney in San Francisco with extensive experience in digital law, told Ars that she also did not agree with the court’s ruling.

“The police think they’re going to find mortgage fraud, but they don’t know what they’re going to find, and they don’t know where that supposed evidence is,” Hoffman said. “That is not a foregone conclusion. They don’t seem to have a good sense. This is a fishing expedition.”

Fred Cate, a law professor at Indiana University, told Ars that this ruling could come with an unfortunate consequence. If someone admits to owning a computer and asserts that they possess the password, “its only likely effect is to encourage future defendants to be less forthcoming with police.”

This isn’t the first time that this issue has been before a Court, and the manner in which it has been handled has not been at all consistent. In January 2012, I wrote about a case that was then pending in a Federal District Court in Denver regarding a woman under investigation by the Federal Government who was refusing to provide prosecutors with the password necessary to decrypt her hard drive. After holding three separate hearings on the matter, the Judge hearing the case ultimately ordered the Defendant to produce the password. Just a month later, the 11th Circuit Court of Appeals issued an opinion in which a three-judge panel ruled that a Defendant in a similar situation could not be required to produce the password or otherwise decrypt the hard drive. Then, in May of last year, a Federal Magistrate Judge in Wisconsin ordered a suspect in a child pornography investigation to provide the PGP password for his computer. There have also been rulings in factually similar cases from District Courts in Vermont and Michigan. None of these cases appears to have gone beyond the state they were at when I wrote about them, which leads me to believe that they were most likely resolved via plea agreements, but they, along with this ruling from the Massachusetts Court, reveal an area of the law that is sorely in need of guidance from higher legal authorities.

As I’ve noted in the posts that I’ve written on this issue before, the issue for Courts in these cases is how a demand that a suspect or defendant produce a password is viewed under the law. If it is viewed as testimony, then it would be barred under the Fifth Amendment even if it were supported by a warrant signed by a Judge. If, however, it is merely viewed as giving law enforcement access to something that they have the legal right, due to a warrant, to search, then it is not testimonial and is permissible as long as the Fourth Amendment is complied with. The analogy that has been made here is one that compares the password to either the key to a strongbox or the combination to a safe. If it’s viewed as analogous to the key, then it’s a Fourth Amendment issue and the subject of the warrant must provide access as long as there is a valid warrant. If, however, it is the combination to a safe, then requiring the subject to provide access is testimonial and forcing a person to reveal it would be barred by the Fifth Amendment because the combination constitutes the “expression of the contents of an individual’s mind.” The analogies are, admittedly, not perfect, but they have come to be adopted in large part due to the distinction that the case law makes between these two activities, and they are useful analogies in a situation where there is very little actual law to apply.

As for the merits of the issue itself, I stand by what I said when the 11th Circuit handed down its decision:

Revealing a password is clearly testimonial and, if the government cannot even establish that there are files on the encrypted portions of the hard drive then its argument that all it was requiring the Defendant to do was reveal the contents of a locked box, then the Defendant should be free to exercise his Fifth Amendment rights. This is a hard case, of course, because it involves allegations of child pornography. However, it is in the hard cases that rights must be enforced most vigorously because that’s where the law ends up being tested the most and, in the end, it’s the rights of the individual that must prevail over the needs of the state. Most likely, this case will be appealed to the Supreme Court. Given the conflicting rulings from Federal Courts over the past three years on an issue that is only going to become more prevalent in the future, it’s quite likely that the Justices will take the case if and when it is presented to them. Here’s hoping that they get it right.

I was wrong about that particular case making it to the Supreme Court, at least any time soon. It may be that the case remains mired somewhere in the thickets of the 11th Circuit and isn’t ripe for appeal yet, but that’s hard to determine considering that it was dealing with a Grand Jury Subpoena to a person whose name was kept under seal. Perhaps that case will reach the Supreme Court eventually. If not, this Massachusetts case has some potential to make it there if there are enough Federal Law and Constitutional issues at stake for the Court to take interest. In any case, though, there are already sufficient conflicts among the Federal Courts on this issue to justify a grant of certiorari when the time comes. Hopefully, when that happens, the Court will get it right.

Here’s the opinion

Commonwealth v Gelfgatt by Doug Mataconis

FILED UNDER: Law and the Courts, Policing, Science & Technology
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. jim m says:

    The problem with the safe analogy is that if the defendant opens the safe and the police find that all the documents are in a foreign language they cannot force the defendant to translate them. That is really what is happening with the decryption. They already have access to the data, they are asking for people to translate it into a form they can read. What torques the police is that they lack the ability to crack the encryption.

    While I have little sympathy for criminals, the erosion of civil liberties is not worth it here. Hopefully the legal opinion will catch up to technology but I don’t anticipate it doing so for several years yet.

  2. Mu says:

    Is contempt of court a felony? If I had child pornography or fraud data on an encrypted drive and they couldn’t convict me without it I’d for sure take the contempt time to a felony conviction.

  3. Rafer Janders says:

    Good luck with that. If the defendant is anything like me, he’ll have forgotten what the password is….

  4. jim m says:

    @Mu: People can be held on contempt charges indefinitely. Since you have the ability to release yourself by complying at any time, the normal constitutional protections for due process and unusual and harsh sentencing do not apply. The longest time anyone has been imprisoned for contempt in the US is 14 years.

  5. Ron Beasley says:

    Just another example of how our Constitution is obsolete and I don’t trust a collection of old conservative white Catholic men to fix it.

  6. rudderpedals says:

    Rafer raises a dilemma: Defendant actually forgot the password but if all defendants are compelled to cough up “the” password how does the court distinguish between intentional and innocent forgetfulness?

    Or doesn’t it?

  7. jim m says:

    @Ron Beasley: It isn’t an issue of the Constitution. It is an issue of judges, who are typically older individuals who understand law but have little understanding of science and technology. The problem is educating people so they understand what technology does and can do.

    We saw this problem with DNA technology where the courts were leaning toward making genes patentable. It was a farce.

    Even if you change the Constitution you will still have this problem with judges who don’t understand technology and are incapable of keeping up with the changes. I don’t know what the answer is here, but it certainly is not solved with changing the Constitution. (unless, I suppose, your intent is to do away with judges and courts entirely. I’m not clear on how that works)

  8. Rafer Janders says:

    @rudderpedals:

    Personally, among all my accounts I have something like 40-50 passwords. I use certain tricks and devices to remember them, but frankly, the entire password system is broken and can’t continue. Most humans don’t have any ability to remember more than a few passwords, and the more complex they become, and the more passwords are needed, the harder it is.

  9. jim m says:

    @Rafer Janders: The best commentary on passwords and how ridiculous the current thinking on them is.

  10. Rafer Janders says:

    @jim m:

    Even if you change the Constitution you will still have this problem with judges who don’t understand technology and are incapable of keeping up with the changes. I don’t know what the answer is here, but it certainly is not solved with changing the Constitution.

    One answer would be eliminating lifetime terms and moving to clearly-delineated but shorter and non-renewable terms, such as say 10, 15 or 20 years.

  11. jim m says:

    @Rafer Janders: Yeah, we can’t do term limits for Congress, I’m not holding my breath for that to happen with the judiciary.

  12. Ron Beasley says:

    @jim m: @Rafer Janders: As fast as technology is moving I would lean towards 10 rather than 15 or 20.

  13. grumpy realist says:

    @jim m: At least with patents SCOTUS has at least gone in the direction of wanting to impose as light a touch as possible and not allow one over-broad patent to exempt everything.

    They also threw out the BSRA patents, remember.

  14. C. Clavin says:

    @Ron Beasley:
    The Constitution isn’t obsolete…it just isn’t being applied properly, or even consistently.
    But remember…if all else fails…torture them!!!!

  15. Rafer Janders says:

    @jim m:

    Yeah, don’t think it will happen — but it should.

  16. James in Silverdale, WA says:

    How do the cops intend to reach into the defendant’s mind and recover the encryption keys? How long can he be held in jail on contempt charges for this refusal to disclose?

    This appears to be a silly decision on the face of it. Cops are just mad at being told N-O, and there simply has not been enough of that lately.

  17. James in Silverdale, WA says:

    @jim m: “Even if you change the Constitution you will still have this problem with judges who don’t understand technology and are incapable of keeping up with the changes.”

    This is made worse by lifetime appointments. Moore’s Law assures they are being left behind at an ever increasing rate.

  18. stonetools says:

    @Rafer Janders:

    Two words: password managers. I use Roboform.

    Also too:

    XKCD on Passwords.

  19. george says:

    @jim m:

    While I have little sympathy for criminals, the erosion of civil liberties is not worth it here. Hopefully the legal opinion will catch up to technology but I don’t anticipate it doing so for several years yet.

    Sums it up nicely.

  20. rudderpedals says:

    @Rafer Janders: How do you manage 30-40 passwords? I remember three really good passwords and two PINs, and that’s it. For the rest I do what stonetools talked about, Schneier’s pwsafe and the password gorilla derivative password managers.

  21. rudderpedals says:

    What if there’s more than one password / one cleartext body? A technical workaround with some deniability would be a system that offers the real decrypted data with password A and phoney data with password B.

    All this work to prove you can’t make a songbird sing.

  22. stonetools says:

    I think biometric will eventually become the standard. It’s not foolproof, but you won’t forget your eye or your fingerprint.
    Now the court can already force you to give blood for a blood test, so the courts will most likely be able to compel you to give up a fingerprint, etc.

  23. Rafer Janders says:

    @stonetools:

    It’s not foolproof, but you won’t forget your eye or your fingerprint.

    You also can’t change it once stolen or forged.

    Biometric is a horrible solution — if someone steals my password, I can get a new password. If someone steals my fingerprints or retinal scan, it’s theirs forever.

  24. stonetools says:

    @Rafer Janders:

    It’s less horrible than the typical password user, who uses one (dictionary) word for everything, or has his passwords written down on a piece of paper next to his computer. You’re right about passwords. People can’t remember G6/75hjkL or the like for 40 different websites. Now I use a password manager, but most folks don’t or won’t.

  25. Ben says:

    I pretty much have to use a password manager at work, because of our utterly insane password policies, but I haven’t yet found one that isn’t a horribly awful klugey mess. Keepass is what I’m using right now, but it’s nigh unusable.

  26. Grewgills says:

    “The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows,” wrote Justice Francis X. Spina, for the 5-2 majority.

    If that were true they wouldn’t need the password, after all it wouldn’t tell them anything they didn’t already know.

  27. DrDaveT says:

    @jim m:

    The problem with the safe analogy is that if the defendant opens the safe and the police find that all the documents are in a foreign language they cannot force the defendant to translate them.

    This.

    Or, better yet, the documents in the safe are in code. Can the defendant be forced to decode them? If not, how is that different?

    Or, forget the safe — the documents are sitting out in plain sight on his desk at home, and are obtained by legal search warrant. In code. What can the police/courts/state compel here?