Skip to comments.Judge: Americans can be forced to decrypt their laptops
Posted on 01/24/2012 12:06:01 AM PST by LibWhacker
American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.
Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be "compelled in any criminal case to be a witness against himself," which has become known as the right to avoid self-incrimination.
"I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.
Ramona Fricosu, who is accused of being involved in a mortgage scam, has declined to decrypt a laptop encrypted with Symantec's PGP Desktop that the FBI found in her bedroom during a raid of a home she shared with her mother and children (and whether she's even able to do so is not yet clear).
Colorado Springs attorney Phil Dubois, who once represented PGP creator Phil Zimmermann, now finds himself fighting the feds over encryption a second time.
"I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals," Fricosu's attorney, Phil Dubois, said this afternoon. "I think it's a matter of national importance. It should not be treated as though it's just another day in Fourth Amendment litigation." (See CNET's interview last year with Dubois, who once represented PGP creator Phil Zimmermann.)
Dubois said that, in addition, his client may not be able to decrypt the laptop for any number of reasons. "If that's the case, then we'll report that fact to the court, and the law is fairly clear that people cannot be punished for failure to do things they are unable to do," he said.
Today's ruling from Blackburn sided with the U.S. Department of Justice, which argued, as CNET reported last summer, that Americans' Fifth Amendment right to remain silent doesn't apply to their encryption passphrases. Federal prosecutors, who did not immediately respond to a request for comment this afternoon, claimed in a brief that:
Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.
While the U.S. Supreme Court has not confronted the topic, a handful of lower courts have.
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That's "protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination," the court ruled (PDF).
A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
Prosecutors in this case have stressed that they don't actually require the passphrase itself, and today's order appears to permit Fricosu to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."
Because this involves a Fifth Amendment claim, Colorado prosecutors took the unusual step of seeking approval from headquarters in Washington, D.C.: On May 5, Assistant Attorney General Lanny Breuer sent a letter to Colorado U.S. Attorney John Walsh saying "I hereby approve your request."
The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
On the other hand are civil libertarians citing other Supreme Court cases that conclude Americans can't be forced to give "compelled testimonial communications" and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that that such protection extends to the contents of a defendant's minds, the argument goes, so why shouldn't a passphrase be shielded as well?
Fricosu was born in 1974 and living in Peyton as of 2010. She was charged with bank fraud, wire fraud, and money laundering as part of an alleged attempt to use falsified court documents to illegally gain title to homes near Colorado Springs that were facing "imminent foreclosure" or whose owners were relocating outside the state. Some of the charges could yield up to 30 years in prison; she pleaded not guilty. Her husband, Scott Whatcott, was also charged.
Something like that would probably be addressed via treaty. It might have to be in a truly enemy country (North Korea?) in which case you wouldn’t trust them with your data any further than you can throw them.
In the early days, PGP was open source. It was practically impossible for anyone to insert a back door; too many cryptologists and programmers would’ve seen it and raised the alarm. Now that Symantec owns it . . . who knows?
Oops, sorry, databoss. My last comment was meant for Loyal Sedition.
What do they do to journalists who refuse to give up sources? Jail them.
I would just give them a wrong passphrase. When it doesn't work, say, well, that is what I thought it was. At least shift the burden of proof of whether you are lying or not to them. But I stopped using PGP in email ages ago - figured it would flag me for this kind of problem.
Still available open source without the bells and whistles. www.gnupg.org/
Another interesting thing about this case is just how far encryption technology has advanced (as in, advanced in what is available to ordinary citizens and not just military cyphers working on cryptography). There used to be a time that having a 'password' meant nothing, and for the vast majority of people that still applies. However, nowadays it is possible to get a proper encryption program that can make it very difficult for someone to access your files (they can still do so, but it would be quite the task for the vast majority of entities that would be seeking to do so). Hence this case.
I wonder if some FReeper knows how far the technology available to the public has gone. With more and more information being stored in the Cloud one can expect such technology to get better.
If you own a safe, do you have to provide the combination for it to the government if they demand it?
If you don’t provide it can they legally put you in jail as a result. This is no different.
If past law doesn’t allow forcing the combination out of you by threat of jail then this will fail in the supreme court because it is no different.
You can simply encrypt the same file multiple times using different passwords each time. To undo it you have to use the right passwords in the right order. With good encryption without back doors and then piling on the layers it would be essentially impossible to undo it without the key information.
I think it is more about severe crime versus non crimes for me in this issue.
The solution: using TrueCrypt or any similar program, encrypt the entire drive, and then (still using the encryption program) create a “hidden” encrypted volume on the drive for things you don’t want just anyone to find. “Decrypting” merely means you have given the “key” to the processor so it can interpret the encrypted data on the drive. The drive is not suddenly readable to all. The “hidden” volume will look the same as empty space on the drive. Since it is indistinguishable from empty space, there is no way for the government to prove you have anything hidden on the drive.
This should, in theory, work. However, there is always the possibility that the government holds “back doors” to the publicly available encryption algorithms that will allow them to detect any double-encrypted files. Also, this will not guard against them “unwinding” the encryption, though whether that would reveal any hidden volumes might be debatable.
Truecrypt is open source, so the the possibility of back doors is just about non-existent. It sounds like you are suggesting they may have cracked the encryption, which may well be possible. Also, while I know they say the inner volume appears as empty space I don’t put a whole bunch of faith in that. The FAQ on that is here, in case anyone is interested:
What’s worse is that this isn’t some lib activist judge. This guy was appointed by W.
Thanks. I figured Symantec probably wouldn allow anyone to maintain open source versions. I guess Zimmerman must’ve stipulated otherwise when he sold it, which is a good thing; I won’t have to fall back on the ancient versions I downloaded in the early 90s. For now, I don’t use PGP. I’ve never been able to get a single one of my friends or relatives to show the least bit of interest (yet they still lick the flap shut on their snail mail).
Extensive list of countries and their crypto laws:
>> I guess Zimmerman mustve stipulated otherwise when he sold it
Yeah, exactly. My understanding is he insisted on that.
That is true....
The biggest practical problem here would be keeping the harmless “decoy” up to date. You would have to web surf entertainment sites, play games, etc. and that eats up time, and has to be done all the time. Now if the computer could be made to show operating systems running in both the decoy and the hidden volume simultaneously, keeping the decoy up to date would be easier, but that probably creates other problems.
This subject came up yesterday when my 16 yr old daughter was amazed that a woman got 5 years probation (yes, she does scan the news sites-which I am proud of! She is particularly political-which I am also proud of, heee) for SPANKING, not beating (no bruises), but SPANKING her child and the judge said “We don’t spank in this day and age...”
She said, so what do we do when the judicial branch oversteps it’s authority. What other branch deals with them. My 16 year old is a wildfire and doesn’t hesitate to tell you that her fear of the ‘whooping’ she would get tamed her a lot of times in her younger days. Thank GOD she outgrew most of it. Now she just needs to outgrow her mouth, but still... not so bad. Her brains makes up for most of it. ;o)
I did not have answer (but also... PROUD!) Maybe you guys can help me with this?
We need the format button called decrypt.