Several years ago, I blogged about a case in which the government sought to compel a criminal defendant to provide the password to his encrypted computer, or at least, to provide an unencrypted copy of the contents of his hard drive. You can read that post here.
It’s time to revisit the topic, for two reasons. One, Gizmodo International Change Your Password Day was last week. (Try finding a Hallmark card for that!) You can read about how the editors of Gizmodo handle password security here. They have a range of different approaches, almost none of them as apathetic as mine, and some of which actually seem manageable. Anyhow, the point is, passwords are on my mind. Two, there’s a new court decision on point: United States v. Fricosu, from the District of Colorado.
In a nutshell, the FBI executed a search warrant at Ramona Fricosu’s house. The court’s opinion doesn’t describe what the agents were looking for, but it appears that they were investigating fraudulent real estate transactions. They seized, among other things, a laptop computer with an encrypted hard drive. The government couldn’t break the encryption, so it filed a motion with the court, asking it to order Fricosu to enter the password and decrypt the drive. Fricosu responded that, under the Fifth Amendment, she could not be “compelled . . . to be a witness against himself,” and so could not be required to provide the password or a decrypted copy of the drive.
The United States District Judge hearing the case ruled for the government, essentially following the reasoning in the Boucher case about which I wrote previously. The judge stated that although the Fifth Amendment sometimes protects the “act of production” of incriminating evidence, there was no Fifth Amendment concern in this case because (1) the government already knew that the hard drive existed and its location, so Fricosu was not being asked to produce anything the government didn’t already know she had, and (2) “the government ha[d] offered . . . Fricosu immunity, precluding it from using her act of producing the unencrypted contents of the laptop computer against her.” Accordingly, the court ordered Fricosu to provide the government with an unencrypted copy of the contents of the laptop.
As an interesting aside, Fricosu now claims that she has forgotten the password. Hmm. Since the judge has already found that the laptop was hers and that she had the ability to decrypt it, it seems as though Fricosu may end up being held in contempt of court. You can read more about the case here and here, and can read a critical analysis by the Electronic Frontier Foundation here.
Minor quibble w/ the current status of the Fricosu case. As the prosecutor said when interviewed about the possibility that Ms. Fricosu might claim that she could not remember the password, “She has not taken that position in court.”
In other words, she has not yet claimed that she cannot remember the password; in fact, a close reading of her lawyer’s comments suggests the possibility that this was just a hypothetical: “It’s very possible to forget passwords.”
Otherwise, great roundup of a fascinating issue.