DOJ: We can force you to decrypt that laptop

Eugen Leitl eugen at
Tue Jul 12 02:51:33 PDT 2011

July 11, 2011 12:07 AM PDT

DOJ: We can force you to decrypt that laptop

by Declan McCullagh

The Colorado prosecution of a woman accused of a mortgage scam will test
whether the government can punish you for refusing to disclose your
encryption passphrase.

The Obama administration has asked a federal judge to order the defendant,
Ramona Fricosu, to decrypt an encrypted laptop that police found in her
bedroom during a raid of her home.

Because Fricosu has opposed the proposal, this could turn into a
precedent-setting case. No U.S. appeals court appears to have ruled on
whether such an order would be legal or not under the U.S. Constitution's
Fifth Amendment, which broadly protects Americans' right to remain silent.

In a brief filed last Friday, Fricosu's Colorado Springs-based attorney,
Philip Dubois, said defendants can't be constitutionally obligated to help
the government interpret their files. "If agents execute a search warrant and
find, say, a diary handwritten in code, could the target be compelled to
decode, i.e., decrypt, the diary?"

To the U.S. Justice Department, though, the requested court order represents
a simple extension of prosecutors' long-standing ability to assemble
information that could become evidence during a trial. The department claims:

    Public interests will be harmed absent requiring defendants to make
available unencrypted contents in circumstances like these. Failing to compel
Ms. Fricosu amounts to a concession to her and potential criminals (be it in
child exploitation, national security, terrorism, financial crimes or drug
trafficking cases) that encrypting all inculpatory digital evidence will
serve to defeat the efforts of law enforcement officers to obtain such
evidence through judicially authorized search warrants, and thus make their
prosecution impossible.

Prosecutors stressed that they don't actually require the passphrase itself,
meaning Fricosu would be permitted to type it in and unlock the files without
anyone looking over her shoulder. They say they want only the decrypted data
and are not demanding "the password to the drive, either orally or in written

The question of whether a criminal defendant can be legally compelled to
cough up his encryption passphrase remains an unsettled one, with law review
articles for at least the last 15 years arguing the merits of either
approach. (A U.S. Justice Department attorney wrote an article in 1996, for
instance, titled "Compelled Production of Plaintext and Keys.")

Much of the discussion has been about what analogy comes closest. Prosecutors
tend to view PGP passphrases as akin to someone possessing a key to a safe
filled with incriminating documents. That person can, in general, be legally
compelled to hand over the key. Other examples include the U.S. Supreme Court
saying that defendants can be forced to provide fingerprints, blood samples,
or voice recordings.

On the other hand are civil libertarians citing other Supreme Court cases
that conclude Americans can't be forced to give "compelled testimonial
communications" and extending the legal shield of the Fifth Amendment to
encryption passphrases. Courts already have ruled that that such protection
extends to the contents of a defendant's mind, so why shouldn't a passphrase
be shielded as well?

In an amicus brief (PDF) filed on Friday, the San Francisco-based Electronic
Frontier Foundation argues that the Justice Department's request be rejected
because of Fricosu's Fifth Amendment rights. The Fifth Amendment says that
"no person...shall be compelled in any criminal case to be a witness against

"Decrypting the data on the laptop can be, in and of itself, a testimonial
act--revealing control over a computer and the files on it," said EFF Senior
staff attorney Marcia Hofmann. "Ordering the defendant to enter an encryption
password puts her in the situation the Fifth Amendment was designed to
prevent: having to choose between incriminating herself, lying under oath, or
risking contempt of court."

The EFF says it's interested in this case because it wants to ensure that, as
computers become more portable and encrypting data becomes more commonplace,
passphrases and encrypted files receive full protection under the Fifth

Because this involves a Fifth Amendment claim, Colorado prosecutors took the
unusual step of seeking approval from headquarters in Washington, D.C.: On
May 5, Assistant Attorney General Lanny Breuer sent a letter to John Walsh,
the U.S. Attorney for Colorado, saying "I hereby approve your request."

While the U.S. Supreme Court has not confronted the topic, a handful of lower
courts have.

In March 2010, a federal judge in Michigan ruled that Thomas Kirschner,
facing charges of receiving child pornography, would not have to give up his
password. That's "protecting his invocation of his Fifth Amendment privilege
against compelled self-incrimination," the court ruled (PDF).

A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who
a border guard claims had child porn on his Alienware laptop, did not have a
Fifth Amendment right to keep the files encrypted. Boucher eventually
complied and was convicted.

One argument published in the University of Chicago Legal Forum in
1996--constitutional arguments among legal academics have long preceded
actual prosecutions--says:

    The courts likely will find that compelling someone to reveal the steps
necessary to decrypt a PGP-encrypted document violates the Fifth Amendment
privilege against compulsory self-incrimination. Because most users protect
their private keys by memorizing passwords to them and not writing them down,
access to encrypted documents would almost definitely require an individual
to disclose the contents of his mind. This bars the state from compelling its
production. This would force law enforcement officials to grant some form of
immunity to the owners of these documents to gain access to them.

Translation: One way around the Fifth Amendment is for prosecutors to offer a
defendant, in this case Fricosu, immunity for what they say. But it appears
as though they've stopped far short of granting her full immunity for
whatever appears on the hard drive (which may not, of course, even be hers).

Fricosu was born in 1974 and living in Peyton, Colo., as of last fall. She
was charged with bank fraud, wire fraud, and money laundering as part of an
alleged attempt to use falsified court documents to illegally gain title to
homes near Colorado Springs that were facing "imminent foreclosure" or whose
owners were relocating outside the state. Some of the charges include up to
30 years in prison; she pleaded not guilty. Her husband, Scott Whatcott, was
also charged.

A ruling is expected from either Magistrate Judge Michael Hegarty or District
Judge Robert Blackburn.

Jennifer Guevin contributed to this report.

Read more:

More information about the cypherpunks-legacy mailing list