Federal Judge Orders Defendant To Reveal PGP Password To Law Enforcement

A Federal Judge deals with the clash between individual rights, law enforcement, and technology.

Earlier this month, I noted a criminal case pending in Federal Court in Denver that raised the question of whether or not a criminal suspect could be compelled to reveal the password to decrypt his computer’s hard drive to law enforcement, or whether such information would be covered by the 5th Amendment’s right against self-incrimination. On Monday, and after three separate hearings on the issue of whether or not the Fifth Amendment would allow the Defendant to remain silent, the Judge president over the case ordered that the password must be produced:

A judge on Monday ordered a Colorado woman to decrypt her laptop computer so prosecutors can use the files against her in a criminal case.

The defendant, accused of bank fraud, had unsuccessfully argued that being forced to do so violates the Fifth Amendment’s protection against compelled self-incrimination.

“I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled Monday. (.pdf)

The authorities seized the laptop from defendant Ramona Fricosu in 2010 with a court warrant while investigating financial fraud.

The case is being closely watched (.pdf) by civil rights groups, as the issue has never been squarely weighed in on by the Supreme Court.

Full disk encryption is an option built into the latest flavors of Windows, Mac OS and Linux, and well-designed encryption protocols used with a long passphrase can take decades to break, even with massive computing power.

The government had argued that there was no Fifth Amendment breach, and that it might “require significant resources and may harm the subject computer” if the authorities tried to crack the encryption.

Assistant U.S. Attorney Patricia Davies said in a court filing (.pdf) that if Judge Blackburn did not rule against the woman, that would amount to “a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”

The relevant section of Judge Blackburn’s opinion is clearly a win for the government, at least in this case:

The small universe of decisions dealing with the Fifth Amendment issues implicated by compelling a witness or defendant to provide a password to an encrypted computer or otherwise permit access to its unencrypted contents are instructive here. In In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) (Boucher I), a laptop computer was found in the defendant’s car during a search incident to his crossing the border from Canada into the United States. During the initial search, an officer opened the computer and without entering a password was able to view its files, revealing thousands of images of what appeared to be, based on the names of the files, adult and some child pornography. An agent of the Bureau of Immigration and Customs Enforcement (“ICE”) was called in, who asked the defendant to show him where these images were located on the computer.6 The defendant naigated to a drive “Z,” which contained several images of child pornography. After the defendant was arrested and the laptop seized, the computer was found to be password protected.

When agents were unable to decrypt the computer, the grand jury issued a subpoena demanding the defendant produce any documents reflecting any passwords associated with the computer. Boucher I, 2007 WL 4246473 at *1-2. Noting that under prevailing Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his mind, the magistrate judge found that the act of producing the password was testimonial and, therefore, privileged. Id. at *4-*6. Accord United States v. Kirschner, 2010 WL 1257355 at *3-4 (E.D. Mich. March 30, 2010). On appeal of that decision, the grand jury revised its request to require the defendant to produce, not the password itself, but rather an unencrypted version of the Z drive. In re Grand Jury Subpoena to Boucher, 2009 WL 424718 at *2 (D. Vt. Feb. 19, 2009) (Boucher II). Because of the revision to the request, the district court denied the motion to quash. The court noted that “[w]here the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion,” that is, they “add[] little or nothing to the sum total of the Government’s information.” Id. at *3 & *4 (quoting Fisher, 96 S.Ct. at 1581) (internal quotation marks omitted). Likewise, the defendant’s production was not necessary to authenticate the drive because he had already admitted possession of the computer, and the government had agreed not to use his act of production as evidence of authentication. Id. at *4. Accord United States v. Gavegnano, 2009 WL 106370 at *1 (4th Cir. Jan. 16, 2009) (where government independently proved that defendant wassole user and possessor of computer, defendant’s revelation of password not su bject to suppression).

There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production. See Boucher II, 2009 WL 424718 at *3 (citing In re Grand Jury Subpoena Duces Tecum Dated Oct. 29, 1992)(United States v. Doe), 1 F.3d 87, 93 (2nd Cir. 1993), cert. denied, 114 S.Ct. 920 (1994)).

Additionally, I find and conclude that the government has met its burden to show by a preponderance of the evidence that the Toshiba Satellite M305 laptop computer belongs to Ms. Fricosu, or, in the alternative, that she was its sole or primary user, who, in any event, can access the encrypted contents of that laptop computer. The uncontroverted evidence demonstrates that Ms. Fricosu acknowledged to Whatcott during their recorded phone conversation that she owned or had such a laptop computer, the contents of which were only accessible by entry of a password. Of the three laptop computers found and seized during the execution of the search warrant of Ms. Fricosu’s residence, only one was encrypted, the Toshiba Satellite M305. That laptop computer was found in Ms. Fricosu’s bedroom, and was identified as “RS.WORKGROUP.Ramona.” None of defendant’s countervailing arguments – the suggestions that the computer might have been moved during the search, that someone else may have randomly designated the computer account as “Ramona,” or that the fact that the hard drive was imaged before it was read somehow undermines its validity or authenticity7 – is sufficient to alter my conclusion that it is more likely than not that the computer belonged to and was used by Ms. Fricosu. Accordingly, I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer.

As Orin Kerr notes, though, the Judge’s ruling only seems to apply when law enforcement can establish a clear nexus between the Defendant and the hard drive they want decrypted:

Based on a quick read of the opinion, the legal analysis in the Fricosu opinion is not a model of clarity. But it strikes me as a replay of the district court decision in Boucher: The Court ends up ordering the defendant to decrypt the hard drive, but only because the court made a factual finding that in this specific case, the government already knew the information that could be incriminating — and as a result, was a “foregone conclusion” that dissipated the Fifth Amendment privilege.

If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password. Because the only incriminating message of being forced to decrypt the password — that the suspect has control over the computer — is already known, it is a “foregone conclusion” and the Fifth Amendment privilege cannot block the government’s application.

That’s still a significant victory for the government, of course, because it means that any time the facts of a case can establish that a computer belonged to the Defendant and wasn’t in the possession or control of any other person, then they could compel a Defendant to provide the password(s) necessary to allow them to access the data on the hard drive.

Of course, this is merely a District Court ruling and, as Bruce McQuain notes, other Courts have found differently in similar circumstances:

For instance:

[A] Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.

On the other hand:

In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).

One hopes that this case will be appealed to the Court of Appeals, if only because this is an issue that is going to come up again and again in the future and some resolution would be helpful for all concerned.

Here’s the opinion:

United States v. Fricosu

FILED UNDER: Law and the Courts, Science & Technology, Terrorism, US Politics, , , , , , , , , , ,
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. dennis says:

    She should tell the government to get bunked. Take it to the NSA if you can’t figure out how to unencrypt it. She shouldn’t have to do their legwork for them.

  2. Hey Norm says:

    As a thought experiment imagine a trove of kiddy porn in a locked brief-case…if presented with a Warrant to search the brief-case you would be obliged to open it. Now imagine that brief-case is difficult to open. Does that added degree of difficulty allow a special exception to the Warrant? If so wouldn’t we just all keep our bad stuff in impossible to open vaults? Same for the computer. Hiding behind a degree of difficulty, like encryption, seems like a reach to me. Do Warrants read that Police have a right to search the premises, unless it’s just too dang hard?
    Of course…I’m not into kiddy porn anymore…so maybe it’s just me.

  3. Anon says:

    I think it’s relevant to note that currently a person cannot be compelled to reveal the combination to a combination lock, but can be compelled to produce a physical key. Given that, I think this case was decided wrongly, since a password is much more like the combination to a combination lock than a physical key.

  4. dennis says:

    @ Hey Norm:

    Apples and oranges. I’ve been on many a warrant searches and, trust me, we’ve never had to ask for a key to search the premises.

    In a less flippant response than my first, I believe that turning over said property under a judge’s order is the extent of the woman’s responsibility to comply. It is not encumbent upon a defendant to do the police’s/prosecutor’s leg work. I think the same would apply with a combination lock. If I am ordered to turn over evidence and it is in a locked box, I’m sure I wouldn’t be asked for the combination; police would just break the lock. In this situation, they have to break the encryption.

  5. PD Shaw says:

    @dennis: Perhaps Doug or someone else knows the answer here, but refusal to comply with the order might result in imprisonment comparable to the sentence the defendant might get for the crime allegedly committed.

  6. Hey Norm says:

    @ Anon…
    I was unaware of that. Seems dumb…but it probably came from the Supreme Court so there you go.
    I agree a password is more like a combination.

  7. PJ says:

    It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.

  8. PD Shaw says:

    Ok, I”ve done my own Wikipeedia research for contempt of court:

    In civil contempt cases there is no principle of proportionality. In Chadwick v. Janecka (3d Cir. 2002), a U.S. court of appeals held that H. Beatty Chadwick could be held indefinitely under federal law, for his failure to produce US$ 2.5 mill. as state court ordered in a civil trial. Chadwick had been imprisoned for nine years at that time and continued to be held in prison until 2009, when a state court set him free after 14 years, making his imprisonment the longest on a contempt charge to date

  9. Tsar Nicholas says:

    Excellent ruling. Judge Blackburn should be elevated to the 10th Circuit pronto.

  10. legion says:

    @Anon: I think this has it right… it comes down to how “testifying against oneself” is actually defined. IIRC, a key is a simple mechanical object, while a combination is a piece of information that the lock owner (in theory) chose & had some say in, making it a more complex created object (at least as far as the law is concerned), and therefore, compelling me to hand over a combo is more like testifying against myself than handing over a simple key… Is this right, Doug?

    If I write a note detailing my crimes & leave it on my desk, the police can get it with a warrant & use it as evidence. But if I use some cipher or other to conceal the contents of that note, I’m assuming I couldn’t be compelled to decrypt _that_, either, correct?

  11. dennis says:

    @PD Shaw:

    Without a doubt. You have to figure at this point that you’re going to prison; so, why make the prosecution’s job easier? Hire someone to unencrypt the laptop.

  12. Gustopher says:

    What if the pass phrase itself happens to be incriminating? The number of a swiss bank account filled with the proceeds of defrauding orphans and widows, or “I buried Jimmy Hoffa in a shallow grave behind 121 Willow St”.

  13. jd says:

    Untold millions of PCs are part of botnets without the knowledge of their owners. These botnets are used for various nefarious activities from denial of service attacks to porn storage. Do you really think you know the authenticity and purpose of every file on your hard drive? Think again. Then get some whole-drive encryption software and never, ever give up that password.

  14. PD Shaw says:

    @dennis: Except that in previous comment threads here I believe its been claimed that really good encryption might take several years to bust open. I have no idea myself. But if so he could sit in jail for several years for contempt of court while the government busts the encryption and then stand trial if the data incriminates him in a crime.

  15. Vast Variety says:

    What happens if she can’t remember the password?

  16. @legion:

    The distinction is between the key and the combination is that the key only provides access to the safe, the combination provides access to the safe and also shows the defendant was one of the people using it. Since the proving that later detail would be part of the prosecution’s case, the combination runs afoul of the fifth ammendment in a way the key does not.

  17. PD Shaw says:

    @Vast Variety: Then the whippings will commence.

    There’s more discussion about contempt at the Orin Kerr link, but what it sounds to me like:

    if she doesn’t provide the password its contempt and indefinite detention;
    If she says she doesn’t remember the password and the judge doesn’t believe her, its contempt and indefinite detention;
    If she says she doesn’t remember the password and the judge is unsure, the government may have to prosecute a criminal contempt case in which a jury decides whether her failure to remember is genuine;
    If its determined that she genuinely can’t remember, she can’t be held in contempt.

    Hobson’s choice

  18. James in LA says:

    I think the best one can do is use whole-drive destructive encryption. In other words, wave a magnet over the floppy disk. It is hard to imagine someone willing to part company with live data unless it were also meticulously and anonymously backed up. Just not to MegaUpload.

    It requires a kill-switch. A remote signal would be enough,

    Then, there is no password to give up. Only hash, and Hash For All.

    If the claim is “destruction of evidence,” well, hard drives break, Your Honor. It left my custody during the search, you know.”

    The (alleged) “law” will lose this battle. Well, they already lost it, but the chicken insists on its last, mad dance. Ditto, the Drug “war”.

    Scream and hollar for your rights or no one else will. Sometimes you have to do it very quietly.

  19. @PD Shaw: It’s almost certain that her refusal to decrypt the contents will result in an outcome that is _less_ impactful than the one that will obtain if she does decrypt it.

    If this court’s decision also becomes the ruling of the appellate court and/or Supreme Court, then we will likely see far many more refusals to decrypt, as the prison-term calculus is rather simple: don’t decrypt and take a 1-year term for obstruction, or decrypt and take a much longer term for the crime at hand.

    It’s obvious then that the logical next step will be for new legislation to be crafted that most harshly punishes _any_ encryption. Something on the order of life-without-parole sentences, or possibly even the death sentence. For that is the only surefire way to get criminal defendants to choose to voluntarily incriminate themselves and decrypt their information.

  20. @PJ: Such a facility in any encryption tool will be outlawed, as its only intent is to plausibly evade the state’s ability to detect whether a person is using encryption and can thus be forced by the state to decrypt or suffer the consequences.

  21. @PD Shaw: the standard technique of brute force decryption by the state will simply not work. Brute force decryption is not something that will take years to work, if this defendant has used strong encryption, it will take longer than the present life of the universe to find the keys using a brute-force approach.

    See “Theoretical limits for a brute-force attack” for some actual values.

  22. John D'Geek says:

    @Erica L. Canti:

    … as its only intent is to plausibly evade the state’s ability to detect …

    Actually, the forums typically call these hidden volumes “Wife Proofing”. There are plenty of “legitimate” reasons for hidden volumes.

    @James in LA: If that’s all you do, they’ll just retrieve the information anyway. Probably use a (relatively inexpensive) commercial service to do it.

    Secure wiping takes a lot more than a quick magnet pass.

  23. James in LA says:

    @John D’Geek: “Secure wiping takes a lot more than a quick magnet pass.”

    This was a rhetorical flourish, sorry. I was actually speaking of secure wiping at the sector level.

    It also appears the extradition of the Megaupload owner is going to take some time, and may not end the way the U.S. would like.

  24. James in LA says:
  25. Mike says:

    @dennis:

    dennis says: She should tell the government to get bunked.

    She could do that, but then she’d be in contempt of court. In that case, the judge can summarily throw her in jail for as long she refuses to comply, even the rest of her life if she never complies. It may be preferable for her to unencrypt the files and take the customary sentence for the crime than the rest of her life for the contempt charge.

  26. Derp says:

    She wasn’t ordered to provide her password. The order was for her to provide them with a decrypted copy. She can keep her password, she just has to hand over the data.

  27. Law and Order in KC says:

    Now the government gets to know what is on your mind, not just what’s is in your pocket.