Federal Judge Orders Defendant To Reveal PGP Password To Law Enforcement
Earlier this month, I noted a criminal case pending in Federal Court in Denver that raised the question of whether or not a criminal suspect could be compelled to reveal the password to decrypt his computer’s hard drive to law enforcement, or whether such information would be covered by the 5th Amendment’s right against self-incrimination. On Monday, and after three separate hearings on the issue of whether or not the Fifth Amendment would allow the Defendant to remain silent, the Judge president over the case ordered that the password must be produced:
A judge on Monday ordered a Colorado woman to decrypt her laptop computer so prosecutors can use the files against her in a criminal case.
The defendant, accused of bank fraud, had unsuccessfully argued that being forced to do so violates the Fifth Amendment’s protection against compelled self-incrimination.
“I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled Monday. (.pdf)
The authorities seized the laptop from defendant Ramona Fricosu in 2010 with a court warrant while investigating financial fraud.
The case is being closely watched (.pdf) by civil rights groups, as the issue has never been squarely weighed in on by the Supreme Court.
Full disk encryption is an option built into the latest flavors of Windows, Mac OS and Linux, and well-designed encryption protocols used with a long passphrase can take decades to break, even with massive computing power.
The government had argued that there was no Fifth Amendment breach, and that it might “require significant resources and may harm the subject computer” if the authorities tried to crack the encryption.
Assistant U.S. Attorney Patricia Davies said in a court filing (.pdf) that if Judge Blackburn did not rule against the woman, that would amount to “a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”
The relevant section of Judge Blackburn’s opinion is clearly a win for the government, at least in this case:
The small universe of decisions dealing with the Fifth Amendment issues implicated by compelling a witness or defendant to provide a password to an encrypted computer or otherwise permit access to its unencrypted contents are instructive here. In In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) (Boucher I), a laptop computer was found in the defendant’s car during a search incident to his crossing the border from Canada into the United States. During the initial search, an officer opened the computer and without entering a password was able to view its files, revealing thousands of images of what appeared to be, based on the names of the files, adult and some child pornography. An agent of the Bureau of Immigration and Customs Enforcement (“ICE”) was called in, who asked the defendant to show him where these images were located on the computer.6 The defendant naigated to a drive “Z,” which contained several images of child pornography. After the defendant was arrested and the laptop seized, the computer was found to be password protected.
When agents were unable to decrypt the computer, the grand jury issued a subpoena demanding the defendant produce any documents reflecting any passwords associated with the computer. Boucher I, 2007 WL 4246473 at *1-2. Noting that under prevailing Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his mind, the magistrate judge found that the act of producing the password was testimonial and, therefore, privileged. Id. at *4-*6. Accord United States v. Kirschner, 2010 WL 1257355 at *3-4 (E.D. Mich. March 30, 2010). On appeal of that decision, the grand jury revised its request to require the defendant to produce, not the password itself, but rather an unencrypted version of the Z drive. In re Grand Jury Subpoena to Boucher, 2009 WL 424718 at *2 (D. Vt. Feb. 19, 2009) (Boucher II). Because of the revision to the request, the district court denied the motion to quash. The court noted that “[w]here the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion,” that is, they “add little or nothing to the sum total of the Government’s information.” Id. at *3 & *4 (quoting Fisher, 96 S.Ct. at 1581) (internal quotation marks omitted). Likewise, the defendant’s production was not necessary to authenticate the drive because he had already admitted possession of the computer, and the government had agreed not to use his act of production as evidence of authentication. Id. at *4. Accord United States v. Gavegnano, 2009 WL 106370 at *1 (4th Cir. Jan. 16, 2009) (where government independently proved that defendant wassole user and possessor of computer, defendant’s revelation of password not su bject to suppression).
There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production. See Boucher II, 2009 WL 424718 at *3 (citing In re Grand Jury Subpoena Duces Tecum Dated Oct. 29, 1992)(United States v. Doe), 1 F.3d 87, 93 (2nd Cir. 1993), cert. denied, 114 S.Ct. 920 (1994)).
Additionally, I find and conclude that the government has met its burden to show by a preponderance of the evidence that the Toshiba Satellite M305 laptop computer belongs to Ms. Fricosu, or, in the alternative, that she was its sole or primary user, who, in any event, can access the encrypted contents of that laptop computer. The uncontroverted evidence demonstrates that Ms. Fricosu acknowledged to Whatcott during their recorded phone conversation that she owned or had such a laptop computer, the contents of which were only accessible by entry of a password. Of the three laptop computers found and seized during the execution of the search warrant of Ms. Fricosu’s residence, only one was encrypted, the Toshiba Satellite M305. That laptop computer was found in Ms. Fricosu’s bedroom, and was identified as “RS.WORKGROUP.Ramona.” None of defendant’s countervailing arguments – the suggestions that the computer might have been moved during the search, that someone else may have randomly designated the computer account as “Ramona,” or that the fact that the hard drive was imaged before it was read somehow undermines its validity or authenticity7 – is sufficient to alter my conclusion that it is more likely than not that the computer belonged to and was used by Ms. Fricosu. Accordingly, I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer.
As Orin Kerr notes, though, the Judge’s ruling only seems to apply when law enforcement can establish a clear nexus between the Defendant and the hard drive they want decrypted:
Based on a quick read of the opinion, the legal analysis in the Fricosu opinion is not a model of clarity. But it strikes me as a replay of the district court decision in Boucher: The Court ends up ordering the defendant to decrypt the hard drive, but only because the court made a factual finding that in this specific case, the government already knew the information that could be incriminating — and as a result, was a “foregone conclusion” that dissipated the Fifth Amendment privilege.
If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password. Because the only incriminating message of being forced to decrypt the password — that the suspect has control over the computer — is already known, it is a “foregone conclusion” and the Fifth Amendment privilege cannot block the government’s application.
That’s still a significant victory for the government, of course, because it means that any time the facts of a case can establish that a computer belonged to the Defendant and wasn’t in the possession or control of any other person, then they could compel a Defendant to provide the password(s) necessary to allow them to access the data on the hard drive.
Of course, this is merely a District Court ruling and, as Bruce McQuain notes, other Courts have found differently in similar circumstances:
[A] Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
On the other hand:
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).
One hopes that this case will be appealed to the Court of Appeals, if only because this is an issue that is going to come up again and again in the future and some resolution would be helpful for all concerned.
Here’s the opinion: