Judge Rules Americans Can Be Forced to Decrypt Personal Data — What Does That Mean For You?
In the data age, pretty much nobody stores sensitive information under physical lock and key. Whether it’s in Dropbox, Megaupload,...
In the data age, pretty much nobody stores sensitive information under physical lock and key. Whether it’s in Dropbox, Megaupload, a hard drive or an SD card, our confidential records are stored in ones and zeroes protected by encryption software.
So what happens when that data becomes evidence in a criminal trial, but because of your careful data husbandry, the government can’t access it? You may be required to decrypt it for them, handing over access to personal records that might incriminate you.
That’s one vision of the future of personal data under a ruling by a federal judge in Colorado. It’s a case that could bring the Fifth Amendment, and its protection against self-incrimination, firmly into the digital age.
Ramona Fricosu, who lives in rural southeastern Colorado, was indicted a year and a half ago on suspicion of mortgage-related bank fraud. Authorities seized several computers from her home, at least two of which were encrypted, according to her lawyer, Phil Dubois. One encrypted machine was already unlocked when it was seized, its records freely accessible, but another was protected with a password.
Federal prosecutors sought a court order to force Fricosu to decrypt that laptop, allowing them access to documents that they argue could be crucial evidence in their case against her. U.S. District Judge Robert Blackburn issued that order Monday.
“If the government is permitted to get orders compelling us to decrypt our drives, we are headed down a very bad road.””If the government is permitted to get orders compelling us to decrypt our drives, not only to investigate but prosecute us, we are headed down a very bad road,” said Dubois, who is filing an appeal.
Prosecutors contend that failing to compel a defendant to provide access is tantamount to letting them get away with crimes, so long as they use tough enough encryption keys to hide their records. A spokesman for the U.S. Attorney’s Office in Denver said attorneys couldn’t comment on an ongoing matter, but he referred to pleadings in the case, which outline the DOJ’s argument: “Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”
But civil libertarians and information-freedom advocates say this flouts the Fifth Amendment, which protects Americans against unwillingly incriminating themselves.
“The Fifth Amendment protection against self-incrimination is not necessarily a right to prevent you from giving bad things over to the government, but you are protected from disclosing your thoughts,” said Hanni Fakhoury, a staff attorney for the Electronic Frontier Foundation, which filed an amicus brief in this case. “We argued that providing access to the contents is the equivalent to her ’emptying the thoughts of her mind,’ because it would require her password.”
Blackburn’s ruling is pretty limited to the facts of this case, and it also skirts one of the main constitutional questions surrounding cases like this. The order stipulates that if the government finds anything on Fricosu’s computer and uses it against her at trial, they can’t use the act of turning it over against her. That seems to meet the self-incrimination standard in the Fifth Amendment. The ruling compels Fricosu to decrypt the hard drive by Feb. 21, but Dubois said he is seeking a stay of execution on the order while he files a motion with the 10th Circuit Court of Appeals.
The computer, a Toshiba laptop, was encrypted with Symantec software called PGP Desktop (for Pretty Good Privacy), Dubois said. (Incidentally, he previously represented PGP’s creator, Phil Zimmermann, several years ago.) Were it protected by the lightweight protection built into Windows, government software and IT workers could have bypassed it and accessed the contents. They must follow certain evidentiary standards, but by and large, the government can do what it needs to do to access records on a seized device. But PGP’s secure whole-disk encryption is another thing entirely, and there’s no way to breach that wall without the key, Dubois said.
He wishes more people would use it, not just to stymie prosecutors, but to protect themselves against fraud and invasion of privacy. “But if we do, the government will more often be confronted with encrypted drives and media in general, and we’re going to see this over and over,” he said. “It’s always the case that the law lags behind technology, and it should … but it still has to recognize technology at some point, that this is the situation we have now, that’s different from what we had 40 years ago or 20.”
Fakhoury said the ruling’s narrow scope means he doesn’t consider it a watershed moment in information-related jurisprudence. But he agreed he expects to see many more cases like this in the future, as encryption becomes easier and more common. Appellate courts and even the U.S. Supreme Court will ultimately have to resolve it, he said.
“It is a case that prosecutors are going to use when arguing you can compel a defendant to do this. I think this is the beginning of a long fight ahead, until it gets resolved,” he said.