Self-Incrimination vs. File-Encryption: Digital Forensics and the Death of the 5th Amendment

In January 2012, U.S. District Judge Robert Blackburn ruled that a defendant in a digital forensics criminal case must turn over the unencrypted contents of her currently encrypted laptop. The defendant, Ramona Fricosu of Colorado, is charged with bank fraud, wire fraud, money laundering, and providing false statements to financial institutions in connection with her alleged involvement in fraudulent real estate transactions with her husband.

During the criminal investigation, FBI agents seized three laptop computers while executing a search warrant on her home. One of the laptops, a Toshiba Satellite M305 is encrypted. Investigators believe the laptop contains evidence that could be used against her in the ongoing criminal proceeding.

On May 6, 2011, the U.S. government filed an application under the All Writs Act, 28 U.S.C. § 1651 requesting that the Court compel Ms. Fricosu to type her password into the encrypted laptop, thereby allowing the government to review the contents of the laptop for forensic review.  Ms. Fricosu asserted her Fifth Amendment right against self-incrimination, arguing that being ordered to turn over her password is a form of compelled testimony.

The U.S. government used existing case law to find a workaround: in a similar case (In re Boucher, 2:06-mj-91, 2009 WL 424718), a defendant was ordered to produce a password associated with a computer after government agents were unable to decrypt the computer. The judge found that the act of producing the password was testimonial, and therefore would conflict with the Fifth Amendment and previous case law which has stipulated that a defendant cannot be compelled to reveal the contents of their mind. Upon appeal of that decision, the grand jury revised their request that the defendant produce a password; they instead asked that the defendant produce an unencrypted version of the hard drive.

This decision hinged on the government’s argument that “[W]here the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion,” that is, they “add little or nothing to the sum total of the Government’s information.”

Judge Blackburn cited this case in his decision to compel Ms. Fricosu to produce an unencrypted copy of the hard drive, rather than the password that would unencrypt the hard drive:

“I find and conclude that the government has met its burden to show by a preponderance of the evidence that the Toshiba Satellite M305 laptop computer belongs to Ms. Fricosu, or, in the alternative, that she was its sole or primary user, who, in any event, can access the encrypted contents of that laptop computer.

The uncontroverted evidence demonstrates that Ms. Fricosu acknowledged to Whatcott during their recorded phone conversation that she owned or had such a laptop computer, the contents of which were only accessible by entry of a password. Of the three laptop computers found and seized during the execution of the search warrant of Ms. Fricosu’s residence, only one was encrypted, the Toshiba Satellite M305.

That laptop computer was found in Ms. Fricosu’s bedroom, and was identified as “RS.WORKGROUP.Ramona.” None of defendant’s countervailing arguments – the suggestions that the computer might have been moved during the search, that someone else may have randomly designated the computer account as “Ramona,” or that the fact that the hard drive was imaged before it was read somehow undermines its validity or authenticity– is sufficient to alter my conclusion that it is more likely than not that the computer belonged to and was used by Ms. Fricosu.

Accordingly, I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer.” -Robert E. Blackburn, U.S. District Judge

To read the Judge’s order, please see case #1:10-cr-00509-REB-2, U.S. District Court, District of Colorado.

Next we will discuss both sides of the ruling, the potential ramifications of the ruling on digital forensics, and why the Electronic Frontier Foundation felt it was necessary to file a brief supporting the defendant back in July 2011.

The Electronic Frontier Foundation weighs in on Encryption, Fifth Amendment rights

The Electronic Frontier Foundation (EFF) is a non-profit organization serving as an advocate for digital rights (including the protection of consumer rights), and challenging potential legislation that would infringe on personal liberties or fair use (such as the Stop Online Piracy Act or the Protect IP Act). The EFF has long been the bane of major copyright holders like Sony and Viacom, as well as trade representatives, such as the Recording Industry Association of America (RIAA), and the Motion Picture Association of America (MPAA).

On July 8, 2011, the EFF filed an amicus brief (EFF Amicus) in support of the defendant, Ramona Fricosu’s opposition to the government’s demand that she enter a password into her laptop or otherwise provide the government with unencrypted access to the encrypted data stored on her laptop.

“EFF’s interest in this case is the sound and principled application of the Fifth Amendment to encryption passwords and encrypted information stored on computers…EFF submits this brief to help the Court apply the Fifth Amendment privilege against self-incrimination in a manner that ensures the constitutional rights of those who use this technological measure to protect their privacy and security.”

The EFF’s main argument is that the government is overreaching in its demand to have Ms. Fricosu turn over her password (or produce an unencrypted drive) by failing to recognize that her compliance with the government’s request is essentially a testimonial act. Under the Act of Production doctrine, known for its application in United States v. Hubbell (Hubbell I), the U.S. Supreme Court held that a person can invoke their Fifth Amendment rights against the production of documents only where the very act of producing the documents has a testimonial aspect and is incriminating in itself.

The EFF’s brief ends with the following conclusion:

The government is overreaching to try to compel Fricosu to supply an encryption password that they hope will give them access to the full contents of a laptop. The Court should decide this important constitutional question in a way that recognizes the substantial benefits of encryption to safeguard the security and privacy of digital information stored on computers. New technologies present new challenges for law enforcement, but this reality does not justify the abandonment of well-established constitutional protections that secure individuals’ rights. Decrypting data is an act with testimonial aspects that are protected by the Fifth Amendment.

The government cannot identify the evidence it hopes to find with any specificity, and it has not offered Fricosu immunity coextensive with her Fifth Amendment privilege against self-incrimination. For all the reasons discussed above, the government’s application should be denied.

Is the EFF’s argument valid? Let’s look at both sides of the decision.

Arguments in favor of the Ruling

A Foregone Conclusion

In United States v. Hubbell (Hubbell I), the defendant, Webster Hubbell invoked his Fifth Amendment privilege against self-incrimination while appearing before a grand jury. The government then subpoenaed the defendant, ordering him to produce eleven categories of documents. After being granted immunity for this production, the defendant complied and produced over 13,000 documents.

The contents of the produced documents as well as the defendant’s responses to a series of questions (which indicated that the documents had been in his custody) led to a second prosecution against Hubbell (Hubbell II). The prosecution argued that because the government’s possession of the documents resulted from the simple physical act of Hubbell’s production of those documents, the defendant’s immunity should not prevent the prosecution from making consequential use of the documents.

The Supreme Court ruled in favor of Hubbell, stating that if a defendant produces documents pursuant to a grant of immunity, the government may not use those documents to prepare criminal charges against the defendant. The Supreme Court’s ruling also held that because the government could not independently prove the existence or the whereabouts of the documents produced in response to the subpoena (i.e. without the help of the defendant), the Court rejected the prosecution’s argument that the papers’ existence and location were a foregone conclusion.

Ms. Fricosu’s case differs in one key way from United States v. Hubbell. In his decision ordering Ms. Fricosu to produce an unencrypted copy of the contents of her laptop, U.S. District Judge Robert E. Blackburn focused on the fact that the government was already aware that one of Ms. Fricosu’s laptops was encrypted prior to her testimony, and did not learn of the encrypted data as a result of her testimony. Instead, the government learned of the encrypted data via a recorded telephone conversation between Ms. Fricosu and her ex-husband Scott Whatcott while Fricosu was incarcerated.

The following excerpt is taken from “Order Granting Application under the All Writs

Act requiring defendant Fricosu to assist in the execution of previously issued Search Warrants,” filed on January 23, 2012 (Order):

The day following the execution of the search warrant [May 15, 2010], Mr. Whatcott called Ms. Fricosu from the Four Mile Correctional Center. Their conversation was recorded. During that call, the following relevant exchange occurred:

Ramona: Oh so anyway, earlier we were talking about that lawyer thing

Scott: Yes

Ramona: So um, in a way I want them to find it

Scott: OK

Ramona: In a way I don’t just for the hell of it

Scott: OK

. . . .

Ramona: Ookay (pause) uhm in a way I want them to find it

Scott: Mm-hmm

Ramona: and uhm because they will have to ask for my help uhm and in another way I don’t want them to find it let them let them work for it

Scott: Right

Ramona: you know what I mean

Scott: right (pause) yeah, if it’s there, they, they will find it

Ramona: uhm, can they get past what they need to get past to get to it

Scott: they will listen first

Ramona: it will shut off

Scott: (pause) what

Ramona: it was on my laptop

Scott: oh yeah

Ramona: yeah

Scott: OK

Ramona: I don’t know if they can get to it

Scott: it was on your laptop

Ramona: yes

Scott: OK (pause) and did you have any something like anything on your computer to protect it or something

Ramona: yeah

Scott: OK then I don’t know.

Ramona: I mean, I think I did

Scott: OK

Ramona: Ya know I haven’t

Scott: (SC [simultaneous conversation]) oh yeah that’s right

it was on your laptop wasn’t it?

Ramona: I think so but I’m not sure

Scott: OK

Ramona: yeah cause they kept asking me for passwords and I said, ya know no I just didn’t answer them

Scott: right (SC). Because when you went there you took your laptop

Ramona: yeah I think so I think I did

Scott: and so (SC) it would been on there

Ramona: yeah

Scott: OK

Ramona: and my lawyer said I’m not obligated by law to give them any passwords or anything they need to figure things out for themselves


During this conversation, which the defendant knew would be recorded, she mentioned the fact that her laptop was encrypted, and that the government would need to “figure things out for themselves”.

In his closing statement of his order, Judge Blackburn wrote, “The uncontroverted evidence demonstrates that Ms. Fricosu acknowledged to Whatcott during their recorded phone conversation that she owned or had such a laptop computer, the contents of which were only accessible by entry of a password.”

Ms. Fricosu and Mr. Whatcott’s conversation serves as the government’s independent proof of the existence and the whereabouts of the encrypted data, and thus demonstrates that the existence and location of the evidence is a foregone conclusion. As Blackburn states, “There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production.”

Production of Self-Incriminating Evidence is Routine

Let’s put the Fifth Amendment aside for a moment and look at another aspect of the criminal justice system: How is producing a password any different that producing a blood sample?

U.S. courts routinely order defendants to produce evidence that is highly self-incriminating: blood, semen, hair and handwriting samples can all be used to prove a defendant’s involvement in a crime. Why would a guilty defendant ever agree to turn over a blood sample that he knows will be the lynchpin in the prosecution’s case against him?

Because U.S. courts have found that the Fifth Amendment only protects evidence of a testimonial nature, or “the contents of one’s mind,” (Boucher) DNA, semen, and handwriting samples are not classified by U.S. court as being of a testimonial nature. Therefore, the Fifth Amendment provides no protection for these types of evidence.

Arguments Against the Ruling

The Life of the Mind

This leads us back to the question of whether providing a password can be classified as a compelled testimonial act. Does a password fall within the contents of one’s mind? Is there a distinction between a password that is maintained solely in one’s mind versus a password that has been physically written on a piece of paper and locked in a safe?

In the EFF’s brief, they write “The Supreme Court has explained that a witness might be ‘forced to surrender a key to a strongbox containing incriminating documents,’ but not ‘compelled to reveal the combination to a wall safe’… Forcing an individual to supply a password necessary to

decrypt data is more like revealing the combination to a wall safe than to surrender a key: the witness is being compelled to disclose information that exists in her mind, not to hand over a physical item.”

This specific argument may have led the prosecution and Judge Blackburn to modify the Court’s order; instead of requesting the defendant enter her password into the laptop, the language in the order now reads that Ms. Fricosu must “provide an unencrypted copy of the hard drive” from her Toshiba laptop. This still essentially forces Ms. Fricosu to produce her password, as she will need to enter the password into the laptop before the unencrypted contents can be reviewed or copied. This simple rephrasing of the order removes the teeth of the EFF’s entire argument.

Apples vs. Apples

How is a password different from a passcode combination? Judge Blackburn’s ruling in the Fricosu case is somewhat at odds with a previous ruling by the U.S. Supreme court that hinged on the compelled execution of a document. In Doe v. U.S. (Doe), the Supreme Court ruled that a previous order compelling a petitioner to sign a directive did not violate his Fifth Amendment right against self-incrimination.

However, in the sole dissenting opinion, Justice John Paul Stevens wrote, “A defendant can be compelled to produce material evidence that is incriminating. Fingerprints, blood samples, voice exemplars, handwriting specimens, or other items of physical evidence may be extracted from a defendant against his will.

But can he be compelled to use his mind to assist the prosecution in convicting him of a crime? I think not. He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe – by word or deed”.

A password is a string of alphanumeric characters used for authentication to gain access to a resource, such as a computer. A passcode (or combination lock code) is essentially the same thing: a string of characters (generally numerical) that is used for authentication to gain access to a resource, whether a locked safe, a door, or an ATM. The fact that court treats one of these terms with more reverence than the other shows a need for change; the Court’s view of technology is outdated.

Potential Ramifications

Whether you agree with the Court’s ruling or not, this case will have widespread ramifications as technology continues to evolve at lightning speed (or be rendered completely moot due to the speed of technological innovation).

Further Erosion of the Fifth Amendment

Most Americans are already of the opinion that the Fifth Amendment is a mirage; if the government wants a defendant to incriminate themselves, they will find a way to compel your cooperation. The Fifth Amendment privilege continues to narrow as clever prosecutors and Judges find new ways to reinterpret, subvert and bend existing case law to fit the needs of any given case.

This is not to say that the bad guys deserve to win; if the Judge had ruled that the defendant cannot be compelled to provide a password or unencrypted version of an encrypted hard drive, criminals would likely take this as the green-light to use the encryption issue as a rote criminal defense. The answer is somewhere in the middle; time is necessary to allow the courts to see the impact of their ruling and how it is applied in future cases. In addition, the development of new encryption and decryption technology may render this an esoteric ruling in a manner of months.

The Cat-and-Mouse Game

The Fricosu ruling will likely lead to more criminal defendants being ordered to turn over unencrypted copies of their hard drives, should the government feel that evidence is located within an encrypted drive. But what if the encrypted hard drive contains hidden volumes?

Encryption software already exists which allows a user to create a hidden volume within an encrypted volume. Thus, even if a defendant was ordered to produce a password or an unencrypted copy of a hard drive, the prosecution may still not” find” the evidence because they don’t know that any hidden volumes exist on an encrypted drive. As an example, imagine the police execute a search warrant of your home.

They search every room, including the attic, but do not find the evidence they seek because the evidence is stashed in a hidden compartment below the kitchen floor. The warrant allowed law enforcement to search the whole house; is it your fault that the police didn’t search long or hard enough to find the evidence in the hidden compartment?

Now apply this same analogy to an encrypted hard drive with a hidden volume. Unless a defendant admits that a hidden volume exists, a forensic examiner reviewing a formerly-encrypted hard drive may never know that they missed finding a key piece of evidence that was within their grasp.

In closing, technology continues to advance faster than legislation and jurisprudence. This gap will lead to collateral damage: defendants’ rights will be violated, the courts will continue to overreach, and criminals will try to stay one step ahead of law enforcement.

 

Citations

Order Granting Application under the All Writs Act, USA v. Fricosu,

10-cr-00509-REB-2 (U.S. Dist. Colo., 2012) (Order)

Amicus Curiae Brief, U.S.A. v. Fricosu (In re Defendant Fricosu),

No. 10-cr-00509-REB-2 (U.S. Dist. Colo., 2011) (EFF Amicus)

In re Grand Jury Subpoena to Sebastien Boucher,

2:06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) (Boucher)

United States v. Hubbell,

530 U.S. 27 (2000) (Hubbell I)

United States v. Hubbell,

167 F.3d 552 (D.C. Cir. 1999) (Hubbell II)

Doe v. United States,

487 U.S. 201 (1988) (Doe)