The Fifth Amendment, Privacy, And Computer Passwords
Can the government force a criminal defendant to reveal a computer password? A Federal case in Denver is dealing with that question right now.
A Federal criminal case out of Denver raises the interesting question of whether or not a criminal suspect can be forced to reveal a password necessary to gain access to data on their computer:
Beyond the log-in screen of Ramona Fricosu’s laptop computer lies what federal prosecutors say could be the key evidence in the bank-fraud case against her.
There’s only one problem: Prosecutors don’t know her password.
Thus, in an extraordinarily rare move, prosecutors in Denver are seeking a court order forcing Fricosu to unlock the computer so that they can obtain files they would use to try to convict her and her ex-husband.
Civil-liberties groups nationwide have taken notice, saying the case tests the strength of rights against self-incrimination in a digital world. Prosecutors, meanwhile, say that allowing criminal defendants to beat search warrants simply by encrypting their computers would make it impossible to obtain evidence in an age when clues are more likely held within a hard drive than a file cabinet.
Lawyers for the government and Fricosu argued the issue for a third time in the past six months Tuesday. U.S. District Judge Robert Blackburn is expected to issue a ruling on the matter soon.
“If the government wins in this case, and they are able to force her to decrypt the laptop … it’s the erosion of the Fifth Amendment,” said Hanni Fakhoury, an attorney for the Electronic Frontier Foundation, which filed a brief in support of Fricosu. “It’s seeing the Fifth Amendment not keeping up with advances in technology.”
Prosecutors predict a different kind of doom if they lose.
“Failing to compel Ms. Fricosu,” Assistant U.S. Attorney Patricia Davies wrote in a court filing, “amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers … and thus make their prosecution impossible.”
The Fifth Amendment protects people from being forced to be a witness against themselves in a criminal proceeding. But its protections are not unlimited.
The debate, then, is about which pre-decided scenario this new situation fits into. Is a computer password like a key to a lockbox, as the government argues? Or is it akin to a combination to a safe, as Fricosu’s attorneys say?
While the key is a physical thing and not protected by the Fifth Amendment, the Supreme Court has said, a combination — as the “expression of the contents of an individual’s mind” — is.
If Blackburn treats Fricosu’s password like a key, “the meaning of ‘search warrant’ will be stretched and the rights to privacy and against self-incrimination shrunk,” Fricosu’s attorney, Philip Dubois, wrote in a court filing.
The government, quite obviously, would prefer that the Judge view the password as a key rather than a combination lock, because then the 4th Amendment applies rather than the 5th and Fricosu could be compelled to comply with a Court order to provide access to the computer, for which there is apparently probably cause to issue a warrant. In fact, the government is already in possession of the computer itself since it was obtained via a valid search warrant. They just can’t access the data because of the password (why they haven’t deployed password cracking techniques to break the security is a question not dealt with in the filings, apparently). To complete the analogy, the Government says that it already has a search warrant for the safe, requiring Ficousu to decrypt it would merely be asking her to open it so they can get inside, which courts have ruled is perfectly acceptable.
“Decrypting the data on the laptop can be, in and of itself, a testimonial act — revealing control over a computer and the files on it,” said EFF Senior Staff Attorney Marcia Hofmann. “Ordering the defendant to enter an encryption password puts her in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating herself, lying under oath, or risking contempt of court.”
The government has offered Fricosu some limited immunity in this case, but has not given adequate guarantees that it won’t use the information on the computer against her.
“Our computers now hold years of email with family and friends, Internet browsing histories, financial and medical information, and the ability to access our online services like Facebook. People are right to use passwords and encryption to safeguard this data, and they deserve the law’s full protection against the use of it against them'” said EFF Staff Attorney Hanni Fakhoury. “This could be a very important case in applying Americans’ Fifth Amendment rights in the digital age.”
In the brief itself, the EFF makes a compelling case for the proposition that the act of being required to provide a password is a testimonial act protected by the 5th Amendment:
The Fifth Amendment generally protects a person from being compelled to give testimony that would incriminate her. United States v. Hubbell, 530 U.S. 27, 34 (2000) (Hubbell I); Fisher v. United States, 425 U.S. 391, 408 (1976). The privilege is limited to testimonial evidence, or a communication that “itself, explicitly or implicitly, relate[s] a factual assertion or disclose[s] information.” Doe v. United States, 487 U.S. 201, 210 (1988) (Doe I). Put a different way, the privilege protects the “expression of the contents of an individual’s mind.” Id. at 210 n.9; see also 220 n.1 (Stevens, J., dissenting). To illustrate this principle, the Supreme Court has explained that a witness might be “forced to surrender a key to a strongbox containing incriminating documents,” but not “compelled to reveal the combination to a wall safe.” Id. at 210 n.9; see also 219 (Stevens, J., dissenting). Forcing an individual to supply a password necessary to decrypt data is more like revealing the combination to a wall safe than to surrender a key: the witness is being compelled to disclose information that exists in her mind, not to hand over a physical item. Boucher I, 2007 WL 4246473 at *4.8
The fact that the witness might type the information into a keyboard rather than speak it out loud does not change that basic fact. The act of disclosing information may be so testimonial that the privilege applies to the production itself. United States v. Doe, 465 U.S. 605 (1984) (Doe II). An act of production has a sufficiently testimonial aspect to trigger Fifth Amendment protection when it forces a witness to admit the existence of papers, the fact that they were in her possession or control, and that they were authentic. Hubbell I, 530 U.S. at 36 (citing Doe II, 465 U.S. at 613 (internal quotation marks omitted)).
Forcing Fricosu to enter the laptop password into the computer or otherwise decrypt the data stored on the computer meets this standard because the act of doing so will imply assertions of fact. See Hubbell I, 530 U.S. at 37. The act would be an admission that she had control over the computer and the data stored on it before it was seized from her residence—which are critical admissions, particularly considering that she shared her residence with her co-defendant. The act would also show that she knows the encryption password and was able to access the encrypted data. If Fricosu knows the password, forcing her to perform the act of decrypting the data- on the laptop will put her in the “cruel trilemma” that the privilege is designed to protect against: having to choose between incriminating herself, lying under oath, or refusing to answer and risking contempt of court. Doe I, 487 U.S. at 212; Boucher I, 2007 WL 4246473 at *3.
My own instincts are to be more sympathetic to the EFF’s argument than the governments, but the analogy between safe that the government already has a valid search warrant for and the encrypted laptop is a compelling one. Again, the obvious solution here seems to be for the government to force decrypt the data itself, but that may not be technically possible in this case and I’ll admit to not being fully versed on what the applicable law is in that area. However it is worth noting that when the police have a valid search warrant for a residence to which they are unable to gain entry with an owner’s permission, they are permitted to undertake reasonable efforts to gain entry to execute the warrant. Isn’t that what they’d be doing by using electronic means to gain access to the encrypted data on a laptop hard drive already in their possession by virtue of a valid search warrant?
The fact that there have been three hearings on this issue in the Federal District Court is a pretty good indication of just how complicated these issues actually are, not to mention the fact that there isn’t an easy answer here. One would expect, though, that regardless of how the Judge ultimately ends up ruling this matter will be appealed to the the Court of Appeals and the Supreme Court. Given how new this issue is, I’m not sure how the Courts will decide this issue, but I’d advise keeping an eye on this case.