Note: Interesting litigation. With our split supreme court, I'm curious to see how this turns out.
------------
The Colorado prosecution of a woman accused of a mortgage scam will test
whether the government can punish you for refusing to disclose your
encryption passphrase.
The Obama administration has asked a federal judge to order the
defendant, Ramona Fricosu, to decrypt an encrypted laptop that police
found in her bedroom during a raid of her home.
Because Fricosu has opposed the proposal, this could turn into a
precedent-setting case. No U.S. appeals court appears to have ruled on
whether such an order would be legal or not under the U.S.
Constitution's Fifth Amendment, which broadly protects Americans' right
to remain silent.
In a brief filed last Friday, Fricosu's Colorado Springs-based attorney,
Philip Dubois, said defendants can't be constitutionally obligated to
help the government interpret their files. "If agents execute a search
warrant and find, say, a diary handwritten in code, could the target be
compelled to decode, i.e., decrypt, the diary?"
To the U.S. Justice Department, though, the requested court order
represents a simple extension of prosecutors' long-standing ability to
assemble information that could become evidence during a trial. The
department claims:
Public interests will be harmed absent requiring
defendants to make available unencrypted contents in circumstances like
these. Failing to compel Ms. Fricosu amounts to a concession to her and
potential criminals (be it in child exploitation, national security,
terrorism, financial crimes or drug trafficking cases) that encrypting
all inculpatory digital evidence will serve to defeat the efforts of law
enforcement officers to obtain such evidence through judicially
authorized search warrants, and thus make their prosecution impossible.
Prosecutors stressed that they don't actually require the passphrase
itself, meaning Fricosu would be permitted to type it in and unlock the
files without anyone looking over her shoulder. They say they want only
the decrypted data and are not demanding "the password to the drive,
either orally or in written form."
The question of whether a criminal defendant can be legally compelled to
cough up his encryption passphrase remains an unsettled one, with law
review articles for at least the last 15 years arguing the merits of
either approach. (A U.S. Justice Department attorney wrote an article in
1996, for instance, titled "Compelled Production of Plaintext and
Keys.")
Much of the discussion has been about what analogy comes closest.
Prosecutors tend to view PGP passphrases as akin to someone possessing a
key to a safe filled with incriminating documents. That person can, in
general, be legally compelled to hand over the key. Other examples
include the U.S. Supreme Court saying that defendants can be forced to
provide fingerprints, blood samples, or voice recordings.
On the other hand are civil libertarians citing other Supreme Court
cases that conclude Americans can't be forced to give "compelled
testimonial communications" and extending the legal shield of the Fifth
Amendment to encryption passphrases. Courts already have ruled that that
such protection extends to the contents of a defendant's mind, so why
shouldn't a passphrase be shielded as well?
In an amicus brief (PDF)
filed on Friday, the San Francisco-based Electronic Frontier Foundation
argues that the Justice Department's request be rejected because of
Fricosu's Fifth Amendment rights. The Fifth Amendment says that "no
person...shall be compelled in any criminal case to be a witness against
himself."
"Decrypting the data on the laptop can be, in and of itself, a
testimonial act--revealing control over a computer and the files on it,"
said EFF Senior staff attorney Marcia Hofmann. "Ordering the defendant
to enter an encryption password puts her in the situation the Fifth
Amendment was designed to prevent: having to choose between
incriminating herself, lying under oath, or risking contempt of court."
The EFF says it's interested in this case because it wants to ensure
that, as computers become more portable and encrypting data becomes more
commonplace, passphrases and encrypted files receive full protection
under the Fifth Amendment.
Because this involves a Fifth Amendment claim, Colorado prosecutors took
the unusual step of seeking approval from headquarters in Washington,
D.C.: On May 5, Assistant Attorney General Lanny Breuer sent a letter to
John Walsh, the U.S. Attorney for Colorado, saying "I hereby approve
your request."
While the U.S. Supreme Court has not confronted the topic, a handful of lower courts have.
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner,
facing charges of receiving child pornography, would not have to give up
his password. That's "protecting his invocation of his Fifth Amendment
privilege against compelled self-incrimination," the court ruled (PDF).
A year earlier, a Vermont federal judge concluded
that Sebastien Boucher, who a border guard claims had child porn on his
Alienware laptop, did not have a Fifth Amendment right to keep the
files encrypted. Boucher eventually complied and was convicted.
One argument published in the University of Chicago Legal Forum in
1996--constitutional arguments among legal academics have long preceded
actual prosecutions--says:
The courts likely will find that compelling someone to
reveal the steps necessary to decrypt a PGP-encrypted document violates
the Fifth Amendment privilege against compulsory self-incrimination.
Because most users protect their private keys by memorizing passwords to
them and not writing them down, access to encrypted documents would
almost definitely require an individual to disclose the contents of his
mind. This bars the state from compelling its production. This would
force law enforcement officials to grant some form of immunity to the
owners of these documents to gain access to them.
Translation: One way around the Fifth Amendment is for prosecutors to
offer a defendant, in this case Fricosu, immunity for what they say. But
it appears as though they've stopped far short of granting her full
immunity for whatever appears on the hard drive (which may not, of
course, even be hers).
Fricosu was born in 1974 and living in Peyton, Colo., as of last fall. She was charged with
bank fraud, wire fraud, and money laundering as part of an alleged
attempt to use falsified court documents to illegally gain title to
homes near Colorado Springs that were facing "imminent foreclosure" or
whose owners were relocating outside the state. Some of the charges
include up to 30 years in prison; she pleaded not guilty. Her husband,
Scott Whatcott, was also charged.
A ruling is expected from either Magistrate Judge Michael Hegarty or District Judge Robert Blackburn.
Jennifer Guevin contributed to this report.