The Fifth Amendment, Privacy, And Computer Passwords
Can the government force a criminal defendant to reveal a computer password? A Federal case in Denver is dealing with that question right now.
A Federal criminal case out of Denver raises the interesting question of whether or not a criminal suspect can be forced to reveal a password necessary to gain access to data on their computer:
Beyond the log-in screen of Ramona Fricosu’s laptop computer lies what federal prosecutors say could be the key evidence in the bank-fraud case against her.
There’s only one problem: Prosecutors don’t know her password.
Thus, in an extraordinarily rare move, prosecutors in Denver are seeking a court order forcing Fricosu to unlock the computer so that they can obtain files they would use to try to convict her and her ex-husband.
Civil-liberties groups nationwide have taken notice, saying the case tests the strength of rights against self-incrimination in a digital world. Prosecutors, meanwhile, say that allowing criminal defendants to beat search warrants simply by encrypting their computers would make it impossible to obtain evidence in an age when clues are more likely held within a hard drive than a file cabinet.
Lawyers for the government and Fricosu argued the issue for a third time in the past six months Tuesday. U.S. District Judge Robert Blackburn is expected to issue a ruling on the matter soon.
“If the government wins in this case, and they are able to force her to decrypt the laptop … it’s the erosion of the Fifth Amendment,” said Hanni Fakhoury, an attorney for the Electronic Frontier Foundation, which filed a brief in support of Fricosu. “It’s seeing the Fifth Amendment not keeping up with advances in technology.”
Prosecutors predict a different kind of doom if they lose.
“Failing to compel Ms. Fricosu,” Assistant U.S. Attorney Patricia Davies wrote in a court filing, “amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers … and thus make their prosecution impossible.”
The Fifth Amendment protects people from being forced to be a witness against themselves in a criminal proceeding. But its protections are not unlimited.
The debate, then, is about which pre-decided scenario this new situation fits into. Is a computer password like a key to a lockbox, as the government argues? Or is it akin to a combination to a safe, as Fricosu’s attorneys say?
While the key is a physical thing and not protected by the Fifth Amendment, the Supreme Court has said, a combination — as the “expression of the contents of an individual’s mind” — is.
If Blackburn treats Fricosu’s password like a key, “the meaning of ‘search warrant’ will be stretched and the rights to privacy and against self-incrimination shrunk,” Fricosu’s attorney, Philip Dubois, wrote in a court filing.
The government, quite obviously, would prefer that the Judge view the password as a key rather than a combination lock, because then the 4th Amendment applies rather than the 5th and Fricosu could be compelled to comply with a Court order to provide access to the computer, for which there is apparently probably cause to issue a warrant. In fact, the government is already in possession of the computer itself since it was obtained via a valid search warrant. They just can’t access the data because of the password (why they haven’t deployed password cracking techniques to break the security is a question not dealt with in the filings, apparently). To complete the analogy, the Government says that it already has a search warrant for the safe, requiring Ficousu to decrypt it would merely be asking her to open it so they can get inside, which courts have ruled is perfectly acceptable.
The Electronic Frontier Foundation disagrees in an amicus brief filed in the case [available in PDF]:
“Decrypting the data on the laptop can be, in and of itself, a testimonial act — revealing control over a computer and the files on it,” said EFF Senior Staff Attorney Marcia Hofmann. “Ordering the defendant to enter an encryption password puts her in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating herself, lying under oath, or risking contempt of court.”
The government has offered Fricosu some limited immunity in this case, but has not given adequate guarantees that it won’t use the information on the computer against her.
“Our computers now hold years of email with family and friends, Internet browsing histories, financial and medical information, and the ability to access our online services like Facebook. People are right to use passwords and encryption to safeguard this data, and they deserve the law’s full protection against the use of it against them'” said EFF Staff Attorney Hanni Fakhoury. “This could be a very important case in applying Americans’ Fifth Amendment rights in the digital age.”
In the brief itself, the EFF makes a compelling case for the proposition that the act of being required to provide a password is a testimonial act protected by the 5th Amendment:
The Fifth Amendment generally protects a person from being compelled to give testimony that would incriminate her. United States v. Hubbell, 530 U.S. 27, 34 (2000) (Hubbell I); Fisher v. United States, 425 U.S. 391, 408 (1976). The privilege is limited to testimonial evidence, or a communication that “itself, explicitly or implicitly, relate[s] a factual assertion or disclose[s] information.” Doe v. United States, 487 U.S. 201, 210 (1988) (Doe I). Put a different way, the privilege protects the “expression of the contents of an individual’s mind.” Id. at 210 n.9; see also 220 n.1 (Stevens, J., dissenting). To illustrate this principle, the Supreme Court has explained that a witness might be “forced to surrender a key to a strongbox containing incriminating documents,” but not “compelled to reveal the combination to a wall safe.” Id. at 210 n.9; see also 219 (Stevens, J., dissenting). Forcing an individual to supply a password necessary to decrypt data is more like revealing the combination to a wall safe than to surrender a key: the witness is being compelled to disclose information that exists in her mind, not to hand over a physical item. Boucher I, 2007 WL 4246473 at *4.8
The fact that the witness might type the information into a keyboard rather than speak it out loud does not change that basic fact. The act of disclosing information may be so testimonial that the privilege applies to the production itself. United States v. Doe, 465 U.S. 605 (1984) (Doe II). An act of production has a sufficiently testimonial aspect to trigger Fifth Amendment protection when it forces a witness to admit the existence of papers, the fact that they were in her possession or control, and that they were authentic. Hubbell I, 530 U.S. at 36 (citing Doe II, 465 U.S. at 613 (internal quotation marks omitted)).
Forcing Fricosu to enter the laptop password into the computer or otherwise decrypt the data stored on the computer meets this standard because the act of doing so will imply assertions of fact. See Hubbell I, 530 U.S. at 37. The act would be an admission that she had control over the computer and the data stored on it before it was seized from her residence—which are critical admissions, particularly considering that she shared her residence with her co-defendant. The act would also show that she knows the encryption password and was able to access the encrypted data. If Fricosu knows the password, forcing her to perform the act of decrypting the data- on the laptop will put her in the “cruel trilemma” that the privilege is designed to protect against: having to choose between incriminating herself, lying under oath, or refusing to answer and risking contempt of court. Doe I, 487 U.S. at 212; Boucher I, 2007 WL 4246473 at *3.
My own instincts are to be more sympathetic to the EFF’s argument than the governments, but the analogy between safe that the government already has a valid search warrant for and the encrypted laptop is a compelling one. Again, the obvious solution here seems to be for the government to force decrypt the data itself, but that may not be technically possible in this case and I’ll admit to not being fully versed on what the applicable law is in that area. However it is worth noting that when the police have a valid search warrant for a residence to which they are unable to gain entry with an owner’s permission, they are permitted to undertake reasonable efforts to gain entry to execute the warrant. Isn’t that what they’d be doing by using electronic means to gain access to the encrypted data on a laptop hard drive already in their possession by virtue of a valid search warrant?
The fact that there have been three hearings on this issue in the Federal District Court is a pretty good indication of just how complicated these issues actually are, not to mention the fact that there isn’t an easy answer here. One would expect, though, that regardless of how the Judge ultimately ends up ruling this matter will be appealed to the the Court of Appeals and the Supreme Court. Given how new this issue is, I’m not sure how the Courts will decide this issue, but I’d advise keeping an eye on this case.
Just waterboard the f’er.
I’m not comfortable with forcing disclosure. If this encroachment on self-incrimination passes, what’s to stop the next inevitable case in which the government seeks the assistance of the accused in obtaining evidence they cannot obtain on their own?
I know slippery-slope arguments are a dime a dozen, but in criminal law enforcement cases they too often come true, and law enforcement will always push for the next concession.
They can be forced to provide blood and DNA samples. Hair samples. Handwriting examples. Voice samples. You can make them strip to reveal identifying tattoos. You can make them stand for lineups. You can force them to provide dental samples in cases involving bites. So on, so forth. Those principles have been on the books for decades.
There are limits. If a cop shoots an unknown assailant you can’t force a suspect to undergo invasive and potentially-dangerous surgery to recover the bullet thereby to make the ID. I don’t believe, however, that forcing a computer password falls into that category, n’est ce pas?
Granted, I’m to the right of Satan when it comes to crime and punishment, but I’d say based upon long-standing precedents that mandating the provision of a computer password is A-OK.
While I’m decidedly on the left of Satan when it comes to L&O, I do think the key analogy more apt.
What I think, though, isn’t really germane. It’s what the courts will decide.
I wonder–non-facetiously–whether the decision will come down to the linguistic fact that encryption literature refers to ‘keys’.
I don’t have the pertinent law at my fingertips, but I seem to recall that federal criminalizes breaking someone’s encryption, and I don’t recall any exception for prosecutors. I’m on my phone, so researching this is too painful to contemplate.
Technically possible, yes. Feasible? Different question. All encrypted data, almost by definition, can be decrypted. The algorithms are well understood; the defendant is almost guaranteed to be using a publicly available encryption tool.
Encryption is designed on the “Trap Door” principle — far more difficult to undo than to do, so it makes it time consuming and expensive to “undo” (unless you already know the key). Legally speaking, the government can get the information a different way.
Using the safe analogy, since the government can simply crack the safe to get at the contents, aren’t they required to do so? Is there a point where hiring a safe cracker or demolitions expert to enter the safe is “cost prohibitive” and they can force the owner to open it?
There’s a huge difference between a password and a key/tattoo/hair/voice. A key/tattoo/hair/voice are physical items or characteristics.
If a person says they don’t know or don’t remember a password, there’s no way to show if he’s truthful or not. Are we going to lock people up on contempt of court indefinitely because they might know the password? If a corrupt cop places an encrypted file on a computer, does that mean the person can be held in contempt for not knowing its password? It’s one reason protection from self-incrimination exists: you can’t be compelled to produce what you don’t have and have it held against you when you can’t produce it.
@Tsar Nicholas: The list you included were all physical attributes of the suspect. I think it gets a whole lot different when the suspect is being forced to provide information.
Absent mind readers, this law is not enforceable other than contempt of court. A password is not a key. It is a piece of knowledge supported by a human mind, and thus falls under Fifth Amendment protections.
That this knowledge is a password is irrelevant. That this occurs in an era of already severe government intrusion means the Law nears to hear the word NO in this case.
In what way is a password not a combination?
I find the legal distinction between a key lock and a combination lock to be pretty surprising, but if that’s the settled law, that’s the settled law. It’s pretty clear that a password is a combination — it’s something non-tangible that you have to provide from memory, or have on a post-it note (or USB stick, or whatever).
(In fact, the password for my laptop is the combination to the lock on my middle school locker… a bit of useless information that I had never managed to purge, so I figured I would make use of it)
If this is decided in the government’s favor … how is this not “Thought Police”?
Not really. The EFF has already pointed out that a safe with a combination lock is very much like the computer and thus well within establish law that protects the suspect.
You are correct that the government could try to hack into the computer, but my guess is that the suspect used something other than just a Windows password. For example, if the data is protected using something on the level of Pretty Good Privacy encryption then the government is pretty much fucked at getting to the data. This is about as close as you can get to military grade encryption algorithms.
I think this is the correct view. A really solid password wont be a word it will look something like
One could make a string of numbers that is just as strong…just like a combination.
I think the best approach for passwords, especially for products like PGP that accept pass phrases, is Diceware.
Oh yes I love pass phrases. My Wireless runs a max length randomly generated passphrase of gibberish with all characters/symbols and lowercase/caps..
Who holds the most power: the maker or that which is made? The law makers oft-times break the law in attempts to get a conviction and since they’re the ones breaking the law it’s justified. (Somehow). To hack into to anyone’s system without his/her consent is against the law. Period. The FEDS have the ability ( I’m willingly to bet that they’ve already done it ) to crack the password, so…..they’re seeking her permission to give them what they already have basically. This is pretty interesting when you consider that if she doesn’t consent/give them the password and they crack it, do the Privacy Laws now get revamped from this point forward? On the other hand, if they get a conviction based on evidence that could have only been attained via the password, but she didn’t give it to them….how does she prove that they cracked her system to get the evidence? Of course at that point it’d be irrelevant. Guilty.
Probably because they don’t want to wait thousands of years to brute-force it.
If they could do that, then I would imagine the would, and it would be allowed by the warrant. The problem is that they can’t, they need the defendant’s assistance to do it. The case is whether they can compel the defendant to help them.
I hope not, since they most likely have the decryption key already on the computer (most disk encryption setups leave it on the computer), but they can’t use it without the password. Think of it this way, they have a lockbox and a key, but the lockbox has a billion keyholes, only one of which work, and only the defendant knows which one.
Are you thinking of the DMCA? I think that only makes it illegal when the encryption is part of a copyright protection scheme.
The Electronic Communications Privacy Act 18 USC 2510 (1986). Even though it points to data while in transit….there’s a part of the title that protects stored data as well. On the other side of it, I’m not too clear on why they aren’t able to just enforce say, The USA PATRIOT ACT of 2001?
I don’t see how forcing someone to reveal a password is any different from forcing them to reveal where a body is buried. Both are purely testimonial in nature. I think that the analogy to a key to unlock a safe is like comparing apples to dumptrucks. Handing over a piece of physical evidence is entirely different from being forced to reveal a memorized piece of information.