Subpoena, Search, or Incriminating Statement: Encryption Passphrases and Privacy

By Max Abend

CNET recently ran an article about a precedential case involving computer encryption. In one of only a handful of cases decided on the issue, Judge Robert Blackburn held that compelling the production of unencrypted documents in a defendant’s possession did not implicate either the Fourth or Fifth Amendments (U.S. v. Fricosu, 2012).

The defendant, Ramona Fricosu was accused of being involved in an illegal mortgage scam. Pursuant to a valid warrant, the FBI searched through her home and seized, inter alia, 6 computers. One of the computers, a Toshiba laptop, had “whole disk” encryption software (PGP Desktop) enabled. Because PGP Desktop essentially makes the contents of the drive unreadable, without the use of an encryption key or passphrase, the FBI is currently unable to view any of the files on the disk. As such, the FBI applied for a writ of assistance from the court to compel Ms. Fricosu to produce the encryption key or the unencrypted contents of the disk.

The court found that Ms. Fricosu was either the owner or sole user of the computer, and that she has the ability to view the unencrypted contents of the computer’s hard disk. Because the computer was seized with a valid warrant, Judge Blackburn granted the government’s application for a writ under the All Writs Act requiring Ms. Fricosu to assist the government in executing the previously issued search warrant. Practically, this amounts to a duty on Ms. Fricosu to either give the FBI her encryption passphrase, or to decrypt the drive itself and hand over its contents. From a policy standpoint, the DOJ argued in their brief that failing to compel Ms. Fricosu would signal all potential criminals that “…encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible. While there is merit behind the argument, the same argument could be made concerning the production of actual self-incriminating testimony. That is, protecting the contents of the mind signals to criminals merely not to memorialize their thoughts in the form of a document.  In the instant case, to quote commenter Mergatroid Mania, “If she had hid the data somewhere, they could not force her to tell them where she hid it. In this case it’s on a computer, but they can force her to tell them how to get in?” (For this analogy to hold true, assume the government does not know the existence of specific data… see more below).

The ruling is interesting and arguably precedential because of the dichotomy presented. Basically, the issue is whether production of the key (or documents… throughout the rest of the post, simply “key”) is simply incident to a valid Fourth Amendment search, or whether it is a Fifth Amendment “statement.” It should be noted that the government only requests the production of the contents of the hard-drive, and that voluntary production of the key would also satisfy the command of the subpoena (but is not required as it is technically the “contents of the mind” of the defendant).

The government had a valid search warrant, so if the production of the key is simply ancillary to the larger search, then it is per se reasonable. Because it is interesting and informative for the blog, I’d like to distinguish this case from another.  The “PGP Desktop” software is unlike the standard “password protection” at issue in cases such as United States v. Andrus (483 F.3d 711). In that case, without a warrant, but with apparent consent by the defendant’s father, a co-occupant, the FBI bypassed the defendant’s password protection without knowledge of its existence. Because they bypassed the password protection, and were under no duty to question the father about his use of the computer, the FBI could not have known that the defendant had a subjective expectation of privacy, and that his father, not an actual owner or user of the computer, lacked the authority to consent to a search of it. In short, because the FBI never saw the defendant’s attempt to “lock” the computer, in the same manner that a padlock on a footlocker would be immediately apparent, it was reasonable for them to believe, ex ante, that there was no subjective expectation of privacy.

Because the government did in fact have a warrant in the Fricosu case, the following is merely hypothetical analysis. If the facts of the Fricosu case were changed to be the same as in Andrus, with the only difference being the PGP-Desktop software, it becomes clear that the FBI would be in a different boat. Presumably, the FBI used the same investigative software to try and image the Fricosu’s computer, and was stuck when the contents came up unreadable. The FBI then would be well informed that the plaintiff took affirmative steps to ensure the privacy of that information. That is, while the password protection at issue in Andrus was not “clearly” analogous to a lock (see the dissent for a refutation of this argument), PGP-Desktop is unequivocally a “lock.” Breaking through such lock, (hypothetically) without a warrant would violate Ms. Fricosu’s clear subjective expectation of privacy. The Andrus Court concluded “tentatively” that computers are “often a repository for private information the computer’s owner does not intent to share with others.” As such, it seems dubious that the 10^th Circuit or any other court would not find such an expectation of privacy as reasonable (see also the existence of ECPA).

Now, non-hypothetically, many (including Ms. Fricosu) argue that compelling production of the encryption key would be tantamount to a self-incriminating statement, and a violation of the 5^th Amendment protection.

This is a tough argument to make. In Boyd v. United States (116 U.S. 616) the court set out the “mere evidence rule” which basically stated that the government could only seize papers somehow connected directly to a crime, and not to obtain evidence to be used against a defendant in a criminal action:

Unfortunately for defendants however, this holding has been largely abrogated. The court has stated that the 5^th amendment does not protect against subpoenas for a person’s records and papers held by third parties, and that “The Fifth Amendment Privilege is a personal privilege: it adheres basically to the person, not to information that may incriminate him.” Couch v. United States, 335 U.S. 1 (1948) (upholding subpoena to defendant’s accountant for incriminating documents); In re Grand Jury Subpoena Duces Tecum, 1 F. 3d 87 – Court of Appeals, 2nd Circuit 1993 (contents of documents not privileged unless their very act of creation was compelled by government). The court recently has stated that some acts, which function as a statement of fact could be within the bounds of the Fifth Amendment privilege. In United States v. Hubbell, the defendant initially refused to acknowledge the existence of documents compelled by a subpoena. While the contents of the documents would not be protected, the very act of producing documents acknowledges that they exist, and could be in itself self-incriminating. 530 U.S. 27, 36 (2000). Judge Blackburn analyzes the Boucher line of cases, dealing with similar encryption issues. In that series of cases, the defendant himself navigated to and displayed the contents of a number of files. As such, the government viewed and knew of the existence of child pornography on the defendant’s computer. However, after seizing the computer, they were unable to access the files for evidentiary purposes due to password protection (coincidentally, also PGP Desktop). Since the encryption key was part of “the contents of the defendant’s mind,” it was protected by the Fifth Amendment, but the documents themselves were not, because, unlike Hubbell, the government already knew of their existence, and production of them would not amount to an incriminating admission. See In Re: Grand Jury Subpoena to Sebastian Boucher and In re Grand Jury Subpoena Duces Tecum, 1 F. 3d 87 – Court of Appeals, 2nd Circuit 1993.

The issue then becomes whether the production of the key is the authentication that self-incriminating documents exist (which would be privileged), or simply the production of the contents of documents known by the government to exist (which would not).  Judge Blackburn’s opinion analyzes both lines of precedent efficiently and accurately, but then applies them conclusorily. He finds that

However, in both Boucher and Subpoena Duces Tecum, the government knew of the existence of specific incriminating files as well as their contents. Moreover, in both cases, the government was at some point in possession of the incriminating documents, or a literal copy of them. In this case, presumably, the FBI doesn’t have knowledge of specific documents in existence on the computer. If they did, these files likely would have been specifically discussed in the opinion. Read not all that broadly, Judge Blackburn’s pronouncement seems to say that if the government knows that files exist on a computer, then the government can subpoena those files. That however is ludicrous… if the government knows of the existence of a computer, it is a foregone conclusion that there will be files on that computer. Such a rationale seems completely at odds with the “reasonable particularity” requirement of the original warrant that authorized the seizure of Ms. Fricosu’s computer in the first place.

It will be interesting to see how this issue ultimately gets resolved. The 10th circuit has not yet ruled on it because there has not yet been a final judgment.

The Full Text of the CNET article is available here:

http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/

Judge Blackburn’s opinion is freely available here: http://scholar.google.com/scholar_case?case=7486865546677786730&q=us+v.+fricosu&hl=en&as_sdt=2,33&as_vis=1