Information Security: Show me your Password
Protect your password. Don’t share it with anyone. Make it complicated so no one can guess it randomly. We do these things because our passwords safeguard our financial and personal worlds. We have passwords for our bank accounts, email, smart phones, and computers. We even have passwords for the hard drives in our computers in case the computer gets lost or stolen.
These passwords can protect our personal information or conceal evidence of criminal activity. It is that second use for these passwords that highlights the constitutional interplay between the Fifth Amendment freedom from self-incrimination and police search power. The issue is that the password itself is not incriminating, but the data it protects may be. To get at that data, prosecutors subpoena the bank or email provider who can access the information without the user’s password. The password doesn’t really guard the data, merely one user’s access to that data. So, courts have had little difficulty providing law enforcement access to financial records, emails, or countless other password protected records.
However, password protected hard drives change the discussion. In these hard drives, the password actually encrypts and changes the data to make it unreadable without the password. As such, the data on the hard drive becomes nearly inseparable from the password.
For more information on encryption, see [https://secure.wikimedia.org/wikipedia/en/wiki/Encryption].
So far, some courts have not recognized the nuance. Federal prosecutors in Colorado were building a mortgage fraud case against Scott and Ramona Fricosu. The FBI searched the Fricosu home on May 14, 2010 and seized six computers, one of which was equipped with an encrypted hard drive. Authorities monitored a jailhouse phone call between the two in which Ramona indicated that there was inculpatory evidence on the encrypted hard drive. Prosecutors presented this phone call to Judge Blackburn, USDC Colorado, in support of their petition for an order to compel Ramona to assist the authorities in their lawful search by turning over her password.
Judge Blackburn granted the petition and ordered Ramona Fricosu to turn over the password to the hard drive. The Electronic Frontier Foundation (EFF), stylized as a “digital civil liberties” organization, filed an amicus brief in the matter. [https://www.eff.org/sites/default/files/filenode/us_v_fricosu/fricosuamicus7811.pdf] The EFF took the position, citing the dissent in Doe v. United States, 487 U.S. 201 [http://laws.lp.findlaw.com/getcase/US/487/201.html], that compelling someone to enter a password into a computer is prohibited because that password only exists in the individual’s mind.
Meanwhile, a Florida man was ordered to turn over the unencrypted contents of his hard drive, following an offer of limited immunity, to aid in his prosecution for possession of child pornography. He refused, citing the Fifth Amendment, and was held in contempt of court. On appeal, the Eleventh Circuit held that the man had properly invoked his Fifth Amendment right and the limited immunity was not sufficient to overcome this right. [http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf]
The fact that these two cases hinged on was that of the “foregone conclusion exception.” Based on the jailhouse conversation between Mr. and Ms. Fricosu (now divorced), authorities could tell the court with some particularity where on the decrypted hard drive they would find the evidence they were looking for. The government already knew what was there; therefore, the evidence is a foregone conclusion. In Florida, the authorities had multiple encrypted hard drives that they suspected were full of illegal pornography. They did not know the contents for a fact, however, and could not tell the court with particularity what would be found on the drives.
Both courts agreed that the act of decrypting a hard drive is testimonial and therefore subject to protection under the Fifth Amendment. As the digital age advances and companies and individuals become more savvy about protecting whatever they keep on their hard drives, expect more cases where the government will try to build on their successes with the foregone conclusion exception to the Fifth Amendment. Also, expect privacy minded people and organizations (like the EFF) to build on the rulings that decryption is testimonial.
In the end, Ms. Fricosu told the court that she had forgotten her password, and the government has not been able to get their hands on the contents of either the Colorado or Florida hard drives.
Ben is a third-year student and a staff writer from the Campbell Law Observer. Ben can be contacted at email@example.com.