Suspect Ordered To Provide Decryption Password: A Fifth Amendment Violation?

New developments in a still very new area of the law.

Computer Password Security

Bringing to the legal forefront an issue that Courts have begun encountering with increasing frequency, a Federal Magistrate Judge in Wisconsin has issued an order requiring a man suspected of possession of child pornography to provide the password to remove the encryption on his computer, reversing a previous decision he had made ruling that such an order would violate the man’s right against self-incrimination:

A federal magistrate is reversing course and ordering a Wisconsin man suspected of possessing child pornography to decrypt hard drives the authorities seized from his residence.

The development comes as a month after the same magistrate thwarted prosecutors’ demands that Jeffrey Feldman unlock drives they believe contain child pornography.

Decryption orders are rare, but are likely to become more commonplace as the public slowly embraces a technology that comes standard even on Apple computers. The orders have never squarely been addressed by the Supreme Court, despite varying opinions in the lower courts.

Just last month, U.S. Magistrate William Callahan Jr. said the Fifth Amendment right against compelled self-incrimination protected even those suspected of unsavory crimes, but added that “this is a close call.”

But prosecutors convinced Callahan to change his mind. Among other reasons, the authorities were able, on their own, to decrypt one drive from Feldman’s “storage system” and discovered more than 700,000 files, some of “which constitute child pornography,” the magistrate said.

When he ruled against the government last month, the magistrate said the authorities did not have enough evidence linking Feldman to the data, and that forcing the computer scientist to unlock it would be tantamount to forcing him to confess that it was his. But that theory is now out the door, because the data on the decrypted drive contains pictures and financial information linking Feldman to the “storage system,” the magistrate said last week.

“Such being the case, the government has now persuaded me that it is a ‘foregone conclusion’ that Feldman has access to and control over the subject encrypted storage devices. Thus, under the current state of the law as more particularly discussed in the court’s April 19 Decision and Order, Fifth Amendment protection is no longer available to Feldman with respect to the contents of the encrypted storage devices.”

Just over a month ago, Callahan had some to a very different conclusion:

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination. (.pdf)

As I said above, this is not a new issue for the Courts. While requests for decryption orders are not common, largely because many people, including criminals who you’d think would know better, don’t both to encrypt their data, they are becoming far more common than they used to be. As I noted when I wrote about this in January of last year, part of the difficulty that Courts face in dealing with these issues is that much of Fifth and Fourth Amendment law was developed long before technology like this came into existence. What this means is that Courts find themselves having to decide what category an order compelling someone to decrypt their computer might fall. To make the analogy applicable to the types of cases that helped establish existing law, it boils down to a question of whether a computer password is like a key to locked closet or strongbox, or whether it is like the combination to a safe. Under existing law, someone served with a valid search warrant can be compelled to unlock a locked door or box, but they cannot be compelled to reveal the combination that would unlock a safe. To put it simply, Courts have held that the combination to a safe constitutes the constitutes of someone’s mind, and is thus protected by the Fifth Amendment from compelled disclosure while the key is simply a thing and, so long as the search warrant validly allows police to search the item that is locked, then the person whose property is being searched can be compelled to grant access. So, the question then becomes whether the computer password is more like a key or more like a combination to a safe.

In general, I find the argument that the computer password is more akin to a combination than a key to be persuasive. When someone unlocks a part of their home that is subject to a search warrant, they aren’t testifying to anything. However, when  they are giving a combination, or a password, they are testifying not only that they know what the combination/password is but also that they have control over the item in question, which would be one of the elements of the crime that prosecutors would be forced to prove at trial. They would, in other words, be testifying against themselves by their very actions. Of course, not every case is that cut and dry. The ruling in this particular, and especially the fact that Judge Callahan reversed himself, seems to be strongly influenced  by the fact that law enforcement had already partly decrypted the storage device and were able to identify child pornography on there. Since they already have probable cause to believe that the encrypted data contains more child pornography, that mitigates against many of the arguments that the suspect can make regarding his right against self-incrimination. Technically, he’s already been incriminated. Whether that makes the decision correct, of course, is a completely different question.

The Federal Courts have quite literally been all over the place on this issue in recent years. In February of last year, the 11th Circuit Court Of Appeals ruled that compelling a suspect to give out a password would be testimony and therefore would be protected by the 5th Amendment. However, other cases over the years have turned out differently:

For instance:

[A] Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.

On the other hand:

In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).

This particular case is only at the very beginning stages. The ruling of the Magistrate Judge, which is a lower level, non-life tenure, position in the Federal Judiciary that typically handles the opening stages of criminal cases along with civil cases as consented to by the parties, will be appealed to the District Court Judge to whom the case is assigned, and that Judge will not be bound by the Magistrate Judge’s decision. Whatever the District Court Judge rules, his ruling can be appealed to the relevant Court of Appeals and, from there, potentially, to the Supreme Court. To date, there is no ruling from the Supreme Court on this issue, and that’s one of the reasons that Federal Courts have been ruling inconsistently on this issue. Eventually, though, this is an issue that is going to have to be heard by the nation’s highest Court. Let’s hope they get it right.

Here’s the opinion:

Order to Decrypt Computer by dmataconis

FILED UNDER: Crime, Law and the Courts, Science & Technology, , , , , , ,
Doug Mataconis
About Doug Mataconis
Doug Mataconis held a B.A. in Political Science from Rutgers University and J.D. from George Mason University School of Law. He joined the staff of OTB in May 2010 and contributed a staggering 16,483 posts before his retirement in January 2020. He passed far too young in July 2021.

Comments

  1. Suppose he were to claim not to know the password?

  2. @Stormy Dragon:

    As others have discussed, then it becomes a more complicated issue. Did he really forget or is he claiming he forgot falsely? Potentially, he could be held in contempt of court if a judge believed he was lying.

  3. john personna says:

    Does this mean encryption is stronger than I thought? Maybe the Chinese can help.

  4. John,

    My understanding is that Federal law enforcement still is unable to crack PGP and other forms of “strong” encryption, at least not without taking the risk that doing so would end up destroying the data they’re trying to gain access to

  5. stonetools says:

    In general, I find the argument that the computer password is more akin to a combination than a key to be persuasive.

    I agree here. I think this is going to the Supreme Court before too long as well.

    I have a feeling that those NSA supercomputers that are presumably capable of decrypting anything are going to be seeing a lot of work.

    Are there are any good encryption programs that anyone here can recommend?

  6. @stonetools:

    I may be incorrect here, but I seem to recall that law enforcement is not permitted to access NSA/CIA encryption resources unless it’s a case that implicates national security. I’m going to have to do some research to see if I’m right in that recollection

  7. PJ says:

    @Doug Mataconis:

    My understanding is that Federal law enforcement still is unable to crack PGP and other forms of “strong” encryption, at least not without taking the risk that doing so would end up destroying the data they’re trying to gain access to

    That sounds like something from a movie… PGP, etc doesn’t have a self destruct mode.

    On the subject, lets say that the NSA have something that’s really good at decrypting things (and I doubt it). They would never use it to decrypt a hard drive containing child pornography.

    —-

    If people now will get forced to give up their passwords, then there is things like plausible deniability.

  8. Tyrell says:

    I think that this should be only ordered and carried out with a terrorist suspect such as the Boston bomber.

  9. legion says:

    When someone unlocks a part of their home that is subject to a search warrant, they aren’t testifying to anything. However, when they are giving a combination, or a password, they are testifying not only that they know what the combination/password is but also that they have control over the item in question

    I’ve seen this argument before in this particular debate, and while I clearly see the reasoning, I’m not sure I agree with the conclusion/implication. Just because someone _knows_ a combination (or password) doesn’t necessarily prove that they a) chose that particular password or b) are the _only_ person that knows it.

  10. PJ says:

    @stonetools:
    TrueCrypt.

    I have a feeling that those NSA supercomputers that are presumably capable of decrypting anything are going to be seeing a lot of work.

    See my answer above. The NSA would never show their hands for something like this.

  11. Ben says:

    @stonetools:

    TrueCrypt. It can encrypt whole drives, or it can create partitions within drives as well. It uses multiple cascaded 256-bit ciphers and 512-bit hash. Law Enforcement isn’t even close to being able to crack something like that.

  12. PJ says:

    @legion:

    Just because someone _knows_ a combination (or password) doesn’t necessarily prove that they a) chose that particular password or b) are the _only_ person that knows it.

    That argument could be made if your password was 1234, considering that it’s very common, not so much if it’s h”jX2oq.:Kc5A4vpW=z^9nL”%;Be”8E#J@,!nB, or Gl5dtg4d for that matter.

  13. john personna says:

    @Doug Mataconis:

    I see that you can run PGP encryption on a whole disk, with a long key. That probably would be good for anything but a week at the NSA. Related:

    CUDA-enabled GPGPU app cracks PGP passwords 200x faster than a CPU

    Funny that gamer dollars generate spin-offs in so many mathematically intense problem domains.

  14. john personna says:

    @Doug Mataconis:

    Law Enforcement could probably not afford the NSA bill, even if they had slack hardware.

  15. Dave Schuler says:

    @PJ:

    That argument could be made if your password was 1234, considering that it’s very common, not so much if it’s h”jX2oq.:Kc5A4vpW=z^9nL”%;Be”8E#J@,!nB, or Gl5dtg4d for that matter.

    Well, damn. Not that you’ve published them I’ll need to change all my passwords. 😉

  16. @PJ:

    You have a point there. Which is why I doubt they’d ever open their bag of tricks unless there was national security risk involved. And, even then, they’d probably require that they do the decrypt it themselves rather than involving law enforcement in the process

  17. Electroman says:

    @john personna: Yep, 40,000 per second seems like a lot, doesn’t it? How many passwords are there, though?

    If you use a passphrase made up by stringing together four words – common ones, in the list of the 5000 most frequent words – it would take about 500 years to guarantee a brute-force compromise of your password – and that assumes that the cracker *knows* that it’s four common words strung together. Of course, brute-forcing isn’t the main way crackers do this nowdays, for that reason. Faster computers are good, but have their limits, Check this out for a good, very recent analysis of this:

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    PGP with a long key is very, very safe.

  18. Electroman says:

    Oh, I wanted to add that the best sysems available can do about 350 billion per second. At those rates, just add a fifth or sixth word.

  19. PJ says:

    @Electroman:

    Oh, I wanted to add that the best sysems available can do about 350 billion per second.

    You’re not thinking of 350 billion NTLM passwords? Which are a lot easier to crack.

  20. Electroman says:

    Not NLM specifically, but any fast-hash algorithm. Nope, PGP isn’t one, which I think was your point.

    Your best bet against any such attack is that the cracker doesn’t have access to the hashed value of your key. If that’s the case, then there is no speed, since the secret of fast cracking is not only the speed of hashing test data, but determining if the result worked. If you don’t have that, you’d better have proved Cramer’s Rule in Z mod 26. That joke only makes sense to cryptanalysts, so only they can see how unfunny it really is. 😉

  21. Anderson says:

    Orin Kerr’s blogged on this; I hope he gives us his thoughts on this case.

    I like the key/combo distinction. If I have to open my mouth and tell you something to give you my password, it’s testimony.

  22. Franklin says:

    Technically, he’s already been incriminated. Whether that makes the decision correct, of course, is a completely different question.

    I’ll preface this with the fact that my opinion is worthless when it comes to the law.

    1) I follow the judge’s thinking, but I simply disagree. When the police partially decrypted the data, that indicated that Feldman probably knew the password. So what? How does that change his right not to be a witness against himself? Let’s say police have footage of me inside a bank vault at night – they know I got in, but I still don’t have to tell them how.

    2) If they’ve got evidence from the partially decrypted drives, well it seems to me the problem is solved anyway. Prosecute him based on the evidence you have, not on the evidence you really wish you had if not for that pesky 5th Amendment.

  23. stonetools says:

    @Doug Mataconis:

    Would agree with all above who say that the NSA would not get involved in cases like this unless there was a national security angle. What I think will likely happen is that police departments will acquire this kind of equipment and expertise . They might even able to invoke national security by claiming they will need it to decrypt “terrorist emails.” Once acquired, then they will be able to use it for investigating other crimes.
    As to talk of “unbreakable” encryption schemes, I’m skeptical. The Germans in WW2 also thought their “Enigma” scheme was unbreakable but they were wrong. (What I found out recently is that the Germans also broke the Allied codes regularly).
    The NSA may have figured out PGP, for all we know. Whether they did or not, they’re not telling (They are the one agency that doesn’t leak).

  24. @Doug Mataconis:

    The issue is more that unless the encryption algorithm has a mathematical flaw, there’s no “shortcuts” to decrypting it beyond trying every possible combination until you find one that works, and the keys are sufficiently long that they’re unlikely to find the right combination in a reasonable amount of time even with the most powerful computers.

  25. stonetools says:

    @Stormy Dragon:

    Yet the FBI did decrypt part of his system, and found enough that they could persuade the judge to let them go further. I think the government may just have better decryption tools than we know.

  26. @stonetools:

    If they have some magic method for unencrypting drives, why haven’t they all been unencrypted? What happened is they came up with some information that allowed to guess the password on their own.

    Maybe they found the password written down on a post it note at the bottom of a drawer. Maybe they subpeonad his password to g-mail and tried that. Maybe they tried various things they no are important to him until they got one they fit. Maybe it was the drive he used most recently and the password was in a cache file somewhere.

    What they didn’t do is something that caused the laws of math to stop functioning so that they can easily decrypt things. That only happens in movies.

  27. PJ says:

    @stonetools:

    Yet the FBI did decrypt part of his system, and found enough that they could persuade the judge to let them go further. I think the government may just have better decryption tools than we know.

    Without knowing what kind of encryption he used, I find it more likely that he used either a much simpler password or that he used an inferior encryption for that drive. Could have been one of his older drives.

    Or that they didn’t decrypt is a much as they were able to salvage deleted files from it.

    The article mentions a “storage system”, could as well be older drives stacked in a book case…

  28. john personna says:

    This is an interesting thread. It does seem encryption is stronger than I thought.

    Not that I’ve worried too much about it. I figured that the only people I needed to worry about were burglars, and that relatively simple home-directory encryption would encourage them to just erase the drive and begin again.

    I’m not in the position where I need to keep anything special on my notebook, so it is kind of no big for me. If you had to carry patient or client records, I could see how you’d want to do better.

  29. legion says:

    @PJ:

    Or that they didn’t decrypt is a much as they were able to salvage deleted files from it.

    Indeed. I don’t understand how they could decrypt “part” of an encrypted hard drive… either you’ve broken the key or you haven’t. And the article only uses the singular “password”, so it doesn’t sound like he encrypted different things differently. They either recovered deleted files or they’re bluffing. Judges don’t take kindly to bluffs under oath…

  30. James Joyner says:

    I think the practicalities—how can you know whether the guy actually knows the password?–are more complicated that the Constitutional Law. SCOTUS has, for decades, interpreted the 5th Amendment very narrowly. If you can be compelled to provide blood, semen, mouth scrapings, and other DNA evidence, surely you can be compelled to provide a password. There’s no obvious reason why a password or encryption key should be any different than a key to a door or the combination to a safe; there’s simply no question that the police can compel the later, so long as they obtain a judicial warrant.

  31. PJ says:

    @James Joyner:

    If you can be compelled to provide blood, semen, mouth scrapings, and other DNA evidence, surely you can be compelled to provide a password. There’s no obvious reason why a password or encryption key should be any different than a key to a door or the combination to a safe; there’s simply no question that the police can compel the later, so long as they obtain a judicial warrant.

    Hidden volume.

    It may happen that you are forced by somebody to reveal the password to an encrypted volume. There are many situations where you cannot refuse to reveal the password (for example, due to extortion). Using a so-called hidden volume allows you to solve such situations without revealing the password to your volume.

    It’s not like you can be forced to give up a key to door and then give them a key and when they open the door with that key they end up in a different room than if they had used the key you usually use but haven’t given up…

  32. James Joyner says:

    @PJ: But, again, that’s an issue of practicality rather than the 5th Amendment.

  33. James in Silverdale, WA says:

    How can you compel someone to open their mouth and speak? You can can tie them down and take whatever physical samples you like. But a fact in your mind? All that is available is contempt, and that horse doesn’t ride very far.

    Until the executive declares you an enemy combatant, of course…