Posted on 01/24/2012 12:06:01 AM PST by LibWhacker
American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.
Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21--or face the consequences including contempt of court.
Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be "compelled in any criminal case to be a witness against himself," which has become known as the right to avoid self-incrimination.
"I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer," Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well.
Ramona Fricosu, who is accused of being involved in a mortgage scam, has declined to decrypt a laptop encrypted with Symantec's PGP Desktop that the FBI found in her bedroom during a raid of a home she shared with her mother and children (and whether she's even able to do so is not yet clear).
Colorado Springs attorney Phil Dubois, who once represented PGP creator Phil Zimmermann, now finds himself fighting the feds over encryption a second time.
"I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals," Fricosu's attorney, Phil Dubois, said this afternoon. "I think it's a matter of national importance. It should not be treated as though it's just another day in Fourth Amendment litigation." (See CNET's interview last year with Dubois, who once represented PGP creator Phil Zimmermann.)
Dubois said that, in addition, his client may not be able to decrypt the laptop for any number of reasons. "If that's the case, then we'll report that fact to the court, and the law is fairly clear that people cannot be punished for failure to do things they are unable to do," he said.
Today's ruling from Blackburn sided with the U.S. Department of Justice, which argued, as CNET reported last summer, that Americans' Fifth Amendment right to remain silent doesn't apply to their encryption passphrases. Federal prosecutors, who did not immediately respond to a request for comment this afternoon, claimed in a brief that:
Public interests will be harmed absent requiring defendants to make available unencrypted contents in circumstances like these. Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.
While the U.S. Supreme Court has not confronted the topic, a handful of lower courts have.
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That's "protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination," the court ruled (PDF).
A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
Prosecutors in this case have stressed that they don't actually require the passphrase itself, and today's order appears to permit Fricosu to type it in and unlock the files without anyone looking over her shoulder. They say they want only the decrypted data and are not demanding "the password to the drive, either orally or in written form."
Because this involves a Fifth Amendment claim, Colorado prosecutors took the unusual step of seeking approval from headquarters in Washington, D.C.: On May 5, Assistant Attorney General Lanny Breuer sent a letter to Colorado U.S. Attorney John Walsh saying "I hereby approve your request."
The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
On the other hand are civil libertarians citing other Supreme Court cases that conclude Americans can't be forced to give "compelled testimonial communications" and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that that such protection extends to the contents of a defendant's minds, the argument goes, so why shouldn't a passphrase be shielded as well?
Fricosu was born in 1974 and living in Peyton as of 2010. She was charged with bank fraud, wire fraud, and money laundering as part of an alleged attempt to use falsified court documents to illegally gain title to homes near Colorado Springs that were facing "imminent foreclosure" or whose owners were relocating outside the state. Some of the charges could yield up to 30 years in prison; she pleaded not guilty. Her husband, Scott Whatcott, was also charged.
The actual relevent wording of the Fifth Amendmant "nor shall be compelled in any criminal case to be a witness against himself"
That seems pretty clear to me.
In this changing, computer age, the government is quite keen to reinterprit the constitution in ways that benefit the government. I however, would choose to claim my understanding of the fifth amendment... over a judge's interpritation... PERIOD. I would rather accept the jail time for contempt of court. Particularly in the case of a potential felony conviction. The most time a Federal judge can keep you in jail for contempt of court is less than five years.
Me too. Vmware :-).
I only have 1/3rd of the password. Anyone puts in only 1/3rd or 2/3rds of the password and hits enter and the hard drive is wiped.
I tend to support the right of government to force people to decrypt at border crossings (no different than being searched by customs). But once in the US, forget it - and how does one PROVE that, in either case, that the ‘owner’ of the computer even knows the password.
What if he ‘forgot’ it?
Sounds to me, from the limited info, that it is just more evidence they seek from her computer. It is one thing to show a jury that that she signed for or signed on the document, but a lot more damning to show that she forged it on her laptop. That is why this is a 5th Amendment issue case - they want her to incriminate herself in this way by showing them that she has the forged documents.
If a person was/is under investigation of a crime, a judge could/can issue a search warrant. If the indicted person had say, a safe deposit box or a locker in a bus station, a judge could issue a search warrant that allowed the bank to open the safe deposit box or the police to cut off the lock on the locker or seize the key under a search warrant. On the other hand, the judge as I understand the Constitution couldn’t/can’t compel the accused to open the safe deposit box herself or order her to open it herself for the police.
Unless I’m missing something, wouldn’t forcing her to decrypt her computer or surrender the password be analogous to forcing her to go the bank and open the safe deposit box or the bus station and open the locker?
Much of the discussion has been about what analogy comes closest. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
On the other hand are civil libertarians citing other Supreme Court cases that conclude Americans can't be forced to give "compelled testimonial communications" and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that that such protection extends to the contents of a defendant's minds, the argument goes, so why shouldn't a passphrase be shielded as well?
I’m with the civil libertarians on this one.
“the password to the drive, either orally or in written form.”
Like forcing her to type it into the computer is somehow different.
bookmark
Bookmark
My tagline says it all. Been saying it for past 5 years.
SFL
The very first thing the feds always do is make a bit-level copy of the hard drive (by taking the drive out of the machine and putting it on their own equipment). If you then enter an "erase all" pass-phrase which results in changes to the drive, they immediately charge you with obstruction of justice, restore the drive from the backup, and tell you to try again.
Better variation which would be more likely to pass legal tests: have your data on foreign server, and if you do not access the data for N days, it gets wiped. Then all you would have to do is stall for N days, and nobody but you knows what N is. Variation: have two pass phrases, where one shows your true data, and another shows innocuous data, and locks out or erases your true data.
In these days of multi-gig flash chips, you could also keep an encrypted copy of your data in a chip buried in the woods somewhere.
Or something in a similar vein -- have an obviously encrypted portion of the disk, but hide the actual sensitive data via steganography.
In the encrypted volume, put sensitive but non-incriminating data (such as tax returns, bank info, commonly used [but outdated] list of passwords, etc.) to justify its need to have been encrypted.
More along the idea you mentioned, I've seen programs for iOS devices (and I'm sure they exist elsewhere) where it uses a pair of passwords: a "dummy" password that unlocks a "safe" set of files and a "real" password that unlocks the real hidden content.
“I’m a law-abiding guy and have nothing to hide.”
Are you sure? Most of us break laws every day. Just the fact you post on FR makes you a criminal in some peoples minds. People who currently hold positions of power in the US govt.
Sophos has a free encryption tool which can be used for folders. I’ve found it a little easier to use than Truecrypt.
Didn't have to. The original was released under the GPL, and once it's out there with a GPL license, that can't be taken away -- the last GPL'd version is always free to use, modify, and distribute, though it will pretty much fork from a commercial version.
Note that the author(s) can provide the same source to a commercial vendor under a different license, and further development can continue on that source without those changes being subject to GPL provisions. The trick is that all authors have to sign off on that -- an open source project with a large number of contributors may find it impossible to get all contributing authors to agree to the separate license. Depending on the level of their contribution, of course, those parts may simply be excluded from the rest.
If it’s national security they can always call on NSA. To me it is clearly a fifth amendment issue.
Fed: "That's not believable, and I bet I could get a judge to hit you with a perjury charge. You were carrying the laptop in the airport, and security footage shows you using it!!!"
You: "See, that's the interesting part. I was trying various passphrases I used to use! I brought the laptop with me to try to figure it out in my spare time."
If it’s national security they can always call on NSA. To me it is clearly a fifth amendment issue.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.