Skip to main content
  1. Home
  2. Computing
  3. Features

Can the government force you to decrypt private data?

By
locked laptop masterlock chains encryption keys
Image used with permission by copyright holder

Last month, a federal judge in Denver ordered a suspect to provide the government with the unencrypted contents of a computer she shared with her family. The order was put off while lawyers took the case to an appeals court, arguing the order violates Fifth Amendment protections against self-incrimination. Now, however, it looks as though the defendant will either have to decrypt her laptop or face contempt of court charges. The 10th U.S. Circuit Court of Appeals has refused to get involved, saying the criminal case has to reach a conclusion before it comes within the appeals’ court jurisdiction. The defendant has until February 27 to hand over her data.

At first glance this might seem to be a case of limited scope, but wait a second: Encryption isn’t just an optional tool computer geeks use to protect stuff on their hard drives. It protects everything from our passwords to our online banking sessions to everything we store in the cloud — like email, documents, receipts, and even digital goods. How did we get here? Can the government really order people to decrypt their data?

Recommended Videos

The case

The case involves Ramona Fricosu and her ex-husband Scott Whatcott, who were indicted in 2010 on bank fraud charges relating to a complicated mortgage scam. According to prosecutors, the pair offered to pay off the mortgages of homeowners desperate to get out from under upside-down situations in the wake of the housing bubble collapse. However, instead of paying off the mortgages and taking possession, they instead filed fraudulent paperwork with courts to obtain titles to the homes, then moved to sell them without paying the outstanding mortgage.

toshiba m305In May of 2010, the government executed search warrants at the residence Fricosu was sharing with her mother and two children. (Whatcott had also previously lived there, but at that point the couple was divorced and he was incarcerated.) Among the items seized by the government were six computers — three desktops and three notebooks, including a Toshiba Satellite M305 notebook. The government obtained a separate warrant to search the Toshiba M305 computer, but discovered the content was encrypted using PGP Desktop whole-disk encryption. The screen of the Toshiba was damaged; investigators had to hook up an external monitor.

The next day, Whatcott telephoned Fricosu from Colorado’s Four Mile Correctional Center. The conversation was recorded. In it, Fricosu says investigators had asked her for passwords to the computer, and that she didn’t answer, saying her lawyer had advised her she was not obligated to give passwords to investigators. She does, however, repeatedly refer to the notebook as her own computer and implies she knows the password to access it.

So far, authorities have not been able to break the computer’s encryption and access any data on the machine.

Rationale for decryption

Forcing a defendant to reveal a password or provide a decrypted version of data stored on a computer would seem to fly in the face of self-incrimination protections offered by the Fifth Amendment. However, there are several nuances and exceptions to Fifth Amendement protection. In issuing his order that Fricosu decrypt the notebook, U.S. District Judge Robert Blackburn indicated he believed the Fricosu case falls outside the lines, although he does note there’s not much case law to go on.

united states constitution shutterstockThe Fifth Amendment specifically provides that no person can be compelled to bear witness against himself. However, subsequent Supreme Court rulings have constrained that protection to apply only to compelled testimonial communications — typically written or verbal communications before a court. There is also case law that acknowledges that even if a document is not protected by Fifth Amendment privilege, the act of producing the document might be: If prosecutors only become aware of a document on the basis of requiring a defendant to produce it, that would amount to self-incrimination.

Under Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his or her mind: There is, after all, a right to remain silent. Therefore, Fricosu cannot be compelled to produce the password.

However, Judge Blackburn finds that the government has reasonably established the Toshiba notebook belongs to Fricosu or was primarily used by her, and that the government “knows of the existence and location of the computer’s files.” His finding rests strongly on the recorded telephone conversation between Whatcott and Fricosu. Therefore, Blackburn concludes compelling Fricosu to provide decrypted versions of the computer’s contents — not the password itself — is not protected by the production exception. The judge also finds the search warrant that would cover the contents of the computer is valid.

Judge Blackburn has granted Fricosu limited immunity from the government using the act of producing the decrypted data against her. In other words, if the decrypted information contains something unexpected or even unrelated, the government would not be able to pursue prosecution based on the fact Fricosu was able to decrypt it.

What about the Fifth Amendment?

Does Fricosu’s case really fall outside the protections of the Fifth Amendment? Fricosu’s lawyer doesn’t think so, and neither do groups like the Electronic Frontier Foundation, which earlier this year filed an amicus (friend-of-the-court) brief (PDF) on Fricosu’s behalf.

The basic argument that Fricosu’s Fifth Amendment rights protect her from having to produce an unencrypted of its contents boils down to what the government does and doesn’t already know about those contents. Judge BlackBurn finds that the government has established that the contents of the computer are relevant to the case, and government attorneys argued that being required to provide access is no different than requiring suspects to sign authorization to enable investigators to probe overseas bank accounts and safety deposit boxes.

username and password shutterstock
Image used with permission by copyright holder

However, in instances where the government is able to compel defendants to disclose documents or accounts, the government has already become aware of the existence of those items through a third party. In Fricosu’s case, an argument could be made that the government has no idea what content it will find on the encrypted computer, or where that information might be located on the computer. (The EFF even argued that the government can’t really prove the notebook is the same one that was seized during the search.)

Although Judge Blackburn has granted Fricosu limited immunity to prevent the government from using the act of providing decrypted data against her, immunity does not extend to the data itself. An argument can be made that this limited immunity potentially violates a Supreme Court prohibition against derivative uses of compelled testimony. If the government were to use evidence obtained from the unencrypted laptop against Fricosu, the government might have to prove it obtained (or could have obtained) all that evidence from independent sources rather than solely from Fricosu herself. So far, the government has had no luck digging up the information it believes is on the notebook from other sources, nor have investigators made any progress decrypting the notebook. Nonetheless, Judge Blackburn found “the fact that [the government] does not know the specific content of any specific documents is not a barrier to production.”

Other cases

In his findings, Judge Blackburn notes there aren’t many other cases that parallel the circumstances in the Fricosu case. The most direct precedent seems to involve a border crossing in Vermont in 2006. During a search, an officer opened a computer and (without entering a password) viewed its files, including child pornography. The defendant was arrested and the notebook seized; however, when officers later tried to access the computer it was found to be password-protected. In that case, the defendant was not ordered to produce the password, but to produce an unencrypted version of the “Z” drive where officers had previously seen the material. A key part of that case, however, is that authorities had actually seen the illegal content on the computer. They knew where it was before the defendant was ordered to provide access to the information. In Fricosu’s case, prosecutors just know they have an encrypted computer. They have no independent evidence or testimony as to its contents.

In Washington State back in 2004, former King County sheriffs detective Dan Ring was arrested for improper use of law enforcement databases as well as other criminal charges. Although data found on Ring’s computer detailed some of his interactions with girlfriends, prostitution rings, and escort services in multiple countries, a portion of his hard drive was encrypted. Ring consistently claimed he couldn’t remember the password to the encrypted data, and partly as a result the case against him was dropped three days before it was set to go to trial. Ring retired — with pension — and the encrypted data has never been cracked.

Setting a precedent

In a statement yesterday, Fricosu’s attorney Phillip DuBois noted “It is possible that Ms. Fricosu has no ability to decrypt the computer, because she probably did not set up the encryption on that computer and may not know or remember the password or passphrase,” DuBois said in a statement Tuesday.

Notably, DuBois also defended PGP creator Philip Zimmerman when he was subject to criminal investigation from the U.S. Customs Service, which sought to classify the PGP algorithm as a munition subject to export controls. The case was dropped without indictment in 1996.

If Fricosu can be compelled to provide an unencrypted version of the data stored on the computer, it may set an ominous precedent for modern technology users. Folks who use services like DropBox, Apple’s iCloud, Amazon S3, and a myriad of other services all rely on their data being stored safely in encrypted form. Similarly, hard drives and SSDs with hardware-based encryption are becoming more and more mainstream — particularly with the proliferation of easily lost or stolen mobile devices. High-grade encryption isn’t just a tool for top-grade technophiles anymore: It’s in everyday products, and millions of people rely on it every day. If the government can compel users to produce unencrypted copies of their data — without knowing what that data might be — it could significantly stifle free speech and the freedom of information.

And that’s regardless of whether Fricosu remembers her password.

Image credit: Shutterstock/Maxx-Studio/J. Helgason/JMiks

Geoff Duncan
Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
Power up your tech game this summer with Dell’s top deals: Upgrade for a bargain
Dell Techfest and best tech on sale featured.

One of the best times to upgrade your tech stack, be it your desktop, a new laptop, or some high-resolution monitors, is when great deals are to be had. Well, I'm here to share that thanks to Dell's top deals, you can power up your tech game and have most of the summer to make it happen. Maybe you're happy with your current system or setup. That's excellent, but you're likely considering upgrading somewhere, and that's precisely what these deals are all about. Dell has a smorgasbord of deals on laptops, desktops, gaming desktops, monitors, accessories, and so much more. We'll call out a few of our favorite deals below, but for now, know that you should be shopping this sale if you're interested in anything tech-related.

 
What summer tech should you buy in Dell's top deals?

Read more
I love the MacBook Pro, but this Windows laptop came surprisingly close
Apple MacBook Pro 16 downward view showing keyboard and speaker.

There are some great machines in the 15-inch laptop category, which has recently been stretched to include the more common 16-inch laptop. The best among them is the Apple MacBook Pro 16, which offers fast performance for tasks like video editing and the longest battery life.

The Lenovo Yoga Pro 9i 16 is aimed not only at other 16-inch Windows laptops but also at the MacBook Pro 16. It offers many of the same benefits but at a lower price. Can it take a place at the top?
Specs and configurations

Read more
How to set an ‘Out of Office’ message in Microsoft Teams
Person using Windows 11 laptop on their lap by the window.

Many people use Microsoft Teams regularly to communicate with colleagues both inside of the office and remotely. It is considered one of the most efficient ways to ensure you can stay in contact with the people on your team, but what if you need to let people know you’re not readily available? Microsoft Teams has a method for you to set up an "Out of Office" status for your profile to let staff members know when you’ll be gone for the afternoon, for several days on vacation, or for an extended period.
Where do I go to set up my ‘Out of Office’ status for Teams?
It is important to note that your Microsoft Teams and Outlook calendars are synced. This includes your out-of-office status and automatic replies. So, whatever you set up in Microsoft Teams will reflect in Outlook. Similarly, you can set up your out-of-office status in Outlook, and it will be reflected in Teams; however, the former has a more straightforward instruction.

First, you can click on your profile icon in Teams and go directly to Schedule an out of office, as a shortcut. This will take you to the settings area where you can proceed. You can also click the three-dot icon next to your profile icon, then go to Settings > General, then scroll down to the bottom of the page. There, you'll find out-of-office settings and click Schedule.

Read more