Saturday, July 23, 2011

DOJ takes swipe at EFF over encryption passphrases


The U.S. Department of Justice took a thinly veiled swipe at an online civil liberties group that's arguing a Colorado woman can't be forced to decrypt her laptop for police inspection.

In a legal brief filed yesterday in what is likely to be a precedent-setting case, the Justice Department claimed that the Electronic Frontier Foundation had previously agreed that being forced to type in your passphrase was legal and did not violate Americans' right against self-incrimination.

Prosecutors are hoping to convince a federal judge to order Ramona Fricosu, accused of running a mortgage scam, to decrypt an encrypted laptop that police found in her bedroom during a raid of her home. Fricosu has been charged with bank fraud, wire fraud, and money laundering as part of an alleged attempt to use falsified court documents to illegally gain title to homes near Colorado Springs.

EFF's Know Your Rights guide, prosecutors said, warns the public that "a grand jury or judge may still order you to disclose your data in an unencrypted format under certain circumstances."

The upshot, they said, is that "EFF's 'Know Your Rights' publication correctly states that a judge may properly order the production of unencrypted data consistent with the Fifth Amendment." (The Fifth Amendment broadly protects Americans' right to remain silent--see CNET's Q&A with defense attorney Phil Dubois.)

EFF staff attorney Hanni Fakhoury, a former public defender in San Diego, wrote the guide. Fakhoury told CNET today that the Justice Department isn't exactly describing his work fairly:

    This (the guide) is simply stating the obvious: whether the Fifth Amendment privilege against self-incrimination applies is fact-dependent. EFF believes that under the facts presented in the Fricosu case, the privilege applies and prevents the government's attempt to force Ms. Fricosu to decrypt the laptop. Under a different set of facts, the outcome might be different; something that's true in most areas of the law.

    This is obviously a situation in which the government is trying to do something it has rarely tried to do before, so the courts are just starting to consider it. That is why EFF got involved in the first place, to assist the court by providing it with what we think the law should be. I'm flattered the government believes the guide I wrote is legal precedent, and I look forward to the day when that's actually the case.

The Justice Department also argues that Fricosu's Fifth Amendment rights are effectively nullified because the government obtained the laptop through a search warrant, not a grand jury subpoena.

"Evidence obtained through search warrants does not implicate the self-incrimination clause because search warrants do not compel individuals to make statements..." prosecutors said. "The applied-for order would use as the source of evidence only material seized with a warrant; it would not make use of any compelled statements."

Prosecutors have stressed that they don't actually require the passphrase itself, meaning Fricosu would be permitted to type it in and unlock the files without anyone looking over her shoulder. They say they're not demanding "the password to the drive, either orally or in written form," and that they know the laptop is hers because of a legally intercepted phone call she made to someone in prison.

Competing legal analogies: What's a PGP passphrase like?

The question of whether criminal defendants can be legally compelled to cough up their encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either side of the issue. A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys."

Much of the debate has been over which of two analogies comes closest to the truth. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.

On the other side are civil libertarians citing other Supreme Court cases that conclude Americans can't be forced to give "compelled testimonial communications" and extending the legal shield of the Fifth Amendment to encryption passphrases. Courts already have ruled that such protection extends to the contents of a defendant's mind, so why shouldn't a passphrase be shielded as well?

While the U.S. Supreme Court has not confronted the topic, a handful of lower courts have.

In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That's "protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination," the court ruled (PDF).

A year earlier, a Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted.

Update 3:15 p.m. PT: I've heard back from Phil Dubois, Fricosu's criminal defense attorney. Dubois' position remains, he said in an e-mail message:

    That to force my client (assuming that she has the ability) to decrypt the hard drive would be an unreasonable and therefore unconstitutional search and so a Fourth Amendment violation; and

    That to force her to decrypt the drive would not be the same as compelling her to surrender the key to a safe, the new technology making that analogy inapposite, but would instead be compelling her to use the content of her mind to perform an affirmative act to assist the government to prosecute her, which raises the Fifth Amendment problem.
