Can the government force you to decrypt private data?

locked laptop masterlock chains encryption keys

Last month, a federal judge in Denver ordered a suspect to provide the government with the unencrypted contents of a computer she shared with her family. The order was put off while lawyers took the case to an appeals court, arguing the order violates Fifth Amendment protections against self-incrimination. Now, however, it looks as though the defendant will either have to decrypt her laptop or face contempt of court charges. The 10th U.S. Circuit Court of Appeals has refused to get involved, saying the criminal case has to reach a conclusion before it comes within the appeals’ court jurisdiction. The defendant has until February 27 to hand over her data.

At first glance this might seem to be a case of limited scope, but wait a second: Encryption isn’t just an optional tool computer geeks use to protect stuff on their hard drives. It protects everything from our passwords to our online banking sessions to everything we store in the cloud — like email, documents, receipts, and even digital goods. How did we get here? Can the government really order people to decrypt their data?

The case

The case involves Ramona Fricosu and her ex-husband Scott Whatcott, who were indicted in 2010 on bank fraud charges relating to a complicated mortgage scam. According to prosecutors, the pair offered to pay off the mortgages of homeowners desperate to get out from under upside-down situations in the wake of the housing bubble collapse. However, instead of paying off the mortgages and taking possession, they instead filed fraudulent paperwork with courts to obtain titles to the homes, then moved to sell them without paying the outstanding mortgage.

toshiba m305In May of 2010, the government executed search warrants at the residence Fricosu was sharing with her mother and two children. (Whatcott had also previously lived there, but at that point the couple was divorced and he was incarcerated.) Among the items seized by the government were six computers — three desktops and three notebooks, including a Toshiba Satellite M305 notebook. The government obtained a separate warrant to search the Toshiba M305 computer, but discovered the content was encrypted using PGP Desktop whole-disk encryption. The screen of the Toshiba was damaged; investigators had to hook up an external monitor.

The next day, Whatcott telephoned Fricosu from Colorado’s Four Mile Correctional Center. The conversation was recorded. In it, Fricosu says investigators had asked her for passwords to the computer, and that she didn’t answer, saying her lawyer had advised her she was not obligated to give passwords to investigators. She does, however, repeatedly refer to the notebook as her own computer and implies she knows the password to access it.

So far, authorities have not been able to break the computer’s encryption and access any data on the machine.

Rationale for decryption

Forcing a defendant to reveal a password or provide a decrypted version of data stored on a computer would seem to fly in the face of self-incrimination protections offered by the Fifth Amendment. However, there are several nuances and exceptions to Fifth Amendement protection. In issuing his order that Fricosu decrypt the notebook, U.S. District Judge Robert Blackburn indicated he believed the Fricosu case falls outside the lines, although he does note there’s not much case law to go on.

united states constitution shutterstockThe Fifth Amendment specifically provides that no person can be compelled to bear witness against himself. However, subsequent Supreme Court rulings have constrained that protection to apply only to compelled testimonial communications — typically written or verbal communications before a court. There is also case law that acknowledges that even if a document is not protected by Fifth Amendment privilege, the act of producing the document might be: If prosecutors only become aware of a document on the basis of requiring a defendant to produce it, that would amount to self-incrimination.

Under Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his or her mind: There is, after all, a right to remain silent. Therefore, Fricosu cannot be compelled to produce the password.

However, Judge Blackburn finds that the government has reasonably established the Toshiba notebook belongs to Fricosu or was primarily used by her, and that the government “knows of the existence and location of the computer’s files.” His finding rests strongly on the recorded telephone conversation between Whatcott and Fricosu. Therefore, Blackburn concludes compelling Fricosu to provide decrypted versions of the computer’s contents — not the password itself — is not protected by the production exception. The judge also finds the search warrant that would cover the contents of the computer is valid.

Judge Blackburn has granted Fricosu limited immunity from the government using the act of producing the decrypted data against her. In other words, if the decrypted information contains something unexpected or even unrelated, the government would not be able to pursue prosecution based on the fact Fricosu was able to decrypt it.

What about the Fifth Amendment?

Does Fricosu’s case really fall outside the protections of the Fifth Amendment? Fricosu’s lawyer doesn’t think so, and neither do groups like the Electronic Frontier Foundation, which earlier this year filed an amicus (friend-of-the-court) brief (PDF) on Fricosu’s behalf.

The basic argument that Fricosu’s Fifth Amendment rights protect her from having to produce an unencrypted of its contents boils down to what the government does and doesn’t already know about those contents. Judge BlackBurn finds that the government has established that the contents of the computer are relevant to the case, and government attorneys argued that being required to provide access is no different than requiring suspects to sign authorization to enable investigators to probe overseas bank accounts and safety deposit boxes.

username and password shutterstock

However, in instances where the government is able to compel defendants to disclose documents or accounts, the government has already become aware of the existence of those items through a third party. In Fricosu’s case, an argument could be made that the government has no idea what content it will find on the encrypted computer, or where that information might be located on the computer. (The EFF even argued that the government can’t really prove the notebook is the same one that was seized during the search.)

Although Judge Blackburn has granted Fricosu limited immunity to prevent the government from using the act of providing decrypted data against her, immunity does not extend to the data itself. An argument can be made that this limited immunity potentially violates a Supreme Court prohibition against derivative uses of compelled testimony. If the government were to use evidence obtained from the unencrypted laptop against Fricosu, the government might have to prove it obtained (or could have obtained) all that evidence from independent sources rather than solely from Fricosu herself. So far, the government has had no luck digging up the information it believes is on the notebook from other sources, nor have investigators made any progress decrypting the notebook. Nonetheless, Judge Blackburn found “the fact that [the government] does not know the specific content of any specific documents is not a barrier to production.”

Other cases

In his findings, Judge Blackburn notes there aren’t many other cases that parallel the circumstances in the Fricosu case. The most direct precedent seems to involve a border crossing in Vermont in 2006. During a search, an officer opened a computer and (without entering a password) viewed its files, including child pornography. The defendant was arrested and the notebook seized; however, when officers later tried to access the computer it was found to be password-protected. In that case, the defendant was not ordered to produce the password, but to produce an unencrypted version of the “Z” drive where officers had previously seen the material. A key part of that case, however, is that authorities had actually seen the illegal content on the computer. They knew where it was before the defendant was ordered to provide access to the information. In Fricosu’s case, prosecutors just know they have an encrypted computer. They have no independent evidence or testimony as to its contents.

In Washington State back in 2004, former King County sheriffs detective Dan Ring was arrested for improper use of law enforcement databases as well as other criminal charges. Although data found on Ring’s computer detailed some of his interactions with girlfriends, prostitution rings, and escort services in multiple countries, a portion of his hard drive was encrypted. Ring consistently claimed he couldn’t remember the password to the encrypted data, and partly as a result the case against him was dropped three days before it was set to go to trial. Ring retired — with pension — and the encrypted data has never been cracked.

Setting a precedent

In a statement yesterday, Fricosu’s attorney Phillip DuBois noted “It is possible that Ms. Fricosu has no ability to decrypt the computer, because she probably did not set up the encryption on that computer and may not know or remember the password or passphrase,” DuBois said in a statement Tuesday.

bits before bombs how stuxnet crippled irans nuclear dreams usb thumb driveNotably, DuBois also defended PGP creator Philip Zimmerman when he was subject to criminal investigation from the U.S. Customs Service, which sought to classify the PGP algorithm as a munition subject to export controls. The case was dropped without indictment in 1996.

If Fricosu can be compelled to provide an unencrypted version of the data stored on the computer, it may set an ominous precedent for modern technology users. Folks who use services like DropBox, Apple’s iCloud, Amazon S3, and a myriad of other services all rely on their data being stored safely in encrypted form. Similarly, hard drives and SSDs with hardware-based encryption are becoming more and more mainstream — particularly with the proliferation of easily lost or stolen mobile devices. High-grade encryption isn’t just a tool for top-grade technophiles anymore: It’s in everyday products, and millions of people rely on it every day. If the government can compel users to produce unencrypted copies of their data — without knowing what that data might be — it could significantly stifle free speech and the freedom of information.

And that’s regardless of whether Fricosu remembers her password.

Image credit: Shutterstock/Maxx-Studio/J. Helgason/JMiks


I tried an LTE laptop for a month, and I wasn’t really convinced

LTE laptops offer up plenty of benefits and are becoming more common. After spending one month with one in my daily life in New York City, I really wondered if it is something that consumers really need in their lives.

Encryption-busting law passed in Australia may have global privacy implications

Controversial laws have been passed in Australia which oblige tech companies to allow the police to access encrypted messages, undermining the privacy of encryption with potentially global effects.

Apple’s first iPhone XR case lets you show off your handset’s color

Apple has released its first case for the iPhone XR. Costing $39, the case has a clear back so you can show off the color of your phone, whichever of the six options you went for.
Movies & TV

From 'GLOW' to 'Haunting of Hill House,' these are the best Netflix Originals

Netflix's stable of content has grown quickly, and the streaming service now boasts dozens of shows produced in-house. Looking for the cream of the crop? These are our picks for the best Netflix Original series.

3DMark’s Port Royal lets you benchmark ray tracing on Nvidia’s RTX cards

UL is adding another benchmarking utility to its popular 3DMark suite to help gamers measure their graphics card's ray tracing performance. You'll soon be able to measure how Nvidia's RTX 2070, 2080, and 2080 Ti stack up.

Snatch Apple’s 2017 15-inch MacBook Pro for up to $1,200 off at B&H

The latest deal at B&H is offering up 2017 15-inch Apple MacBook Pros, in space gray and silver, with Intel Core i7 quad-core CPUs, 16GB of RAM, and AMD Radeon Pro 560 GPUs with up to 2TB of SSD storage.

Microsoft’s Chromium Edge browser may be adding your Chrome extensions

Fans sticking to Google Chrome because due to its vast extension library might be able to switch over to Microsoft's latest iteration of Edge, as a project manager confirms that the company has its eyes on Chrome extensions.

Apple Mac users should take a bite out of these awesome games

Contrary to popular belief, there exists a bevy of popular A-list games compatible for Mac computers. Take a look at our picks for the best Mac games available for Apple fans.
Emerging Tech

An A.I. cracks the internet’s squiggly letter bot test in 0.5 seconds

How do you prove that you’re a human when communicating on the internet? The answer used to be by solving a CAPTCHA puzzle. But maybe not for too much longer. Here is the reason why.

Qualcomm’s dual-screen PC concept looks like two connected Surface Go tablets

In Qualcomm's video teaser, we got a glimpse of the company's vision for how a dual-screen ARM PC should work. The internet reacted to Qualcomm's video, calling the device in question merely a mashup of two Surface Go tablets.

Check out the best Green Monday deals for those last-minute gifts

Black Friday and Cyber Monday have come and gone, but that doesn't mean you've missed your chance of finding a great deal. We're talking about Green Monday, of course, and it falls on December 10.

Hololens 2 could give the Always Connected PC a new, ‘aggressive’ form

Microsoft is said to be leaning on Qualcomm to power its Hololens 2 headset. Instead of Intel CPUs, the next Hololens could use a Snapdragon 850 processor, allowing it to benefit from the always-connected features.

Chrome’s dark mode may cast its shadow over Macs by early 2019

By early 2019 Google may release a version of Chrome for Mac users that offers a Dark Mode feature to match MacOS Mojave's recent darkening.

These laptop bags will keep your notebook secure wherever you go

Choosing the right laptop bag is no easy feat -- after all, no one likes to second-guess themselves. Here are some of the best laptop bags on the market, from backpacks to sleeves, so you can get it right the first time around.