Encryption Password Sparks US Constitutional Battle

A mortgage fraud case in the US has turned into a battle over the Constitutional Fifth Amendment as the Department of Justice argued that the US government can force individuals to disclose their encryption pass phrases.

Ramona Camelia Fricosu and her husband, Scott Anthony Whatcott, were indicted last year for scamming Colorado Springs residents facing foreclosure. After the FBI obtained search warrants and seized Fricosu’s laptop, agents discovered they could not view the contents because the laptop drive was encrypted. As a result, the FBI asked a Colorado federal district court on 6 May to compel Fricosu to enter her password, arguing that the contents of the drive were included under the warrants.

Decryption

The government doesn’t need the passphrase itself and said Fricosu can just type it in to decrypt the drive without anyone finding out her code. Prosecutors have likened the encryption key in this case to a physical key used on a safe, arguing that a warrant would require defendants to hand over the key to open the safe.

“Ms. Fricosu could enter the password without being observed by the government, or otherwise provide the unencrypted contents of the [laptop] by means she chose,” the government’s lawyers wrote in the brief filed with the court.

The case has wide-ranging implications for corporations and individuals as data encryption becomes more common. Recent data breaches have highlighted the importance of encrypting sensitive data, but the courts have yet to decide whether the government can compel defendants or suspects in criminal cases to hand up decryption keys.

Fricosu’s lawyers argued that Fricosu’s entering the password would be tantamount to self-incrimination or a violation of the Fifth Amendment. “If agents execute a search warrant and find, say, a diary handwritten in code, could the target be compelled to decode, i.e., decrypt, the diary?” Philip Dubois, Fricosu’s attorney wrote in a brief filed on 8 July.

The Electronic Frontier Foundation agreed, filing an amicus curiae brief on the same day. “Ordering the defendant to enter an encryption password puts her in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating herself, lying under oath or risking contempt of court,” EFF attorney Marcia Hofmann said.

Inside Fricosu’s brain

EFF said the situation was different from a physical key because the passphrase wasn’t on a key chain, but inside “Fricosu’s brain”, and the courts have ruled that under the Fifth Amendment, defendants don’t have to provide information they know. The Supreme Court has ruled in the past that while defendants would be compelled to turn over a key to open the safe, they couldn’t be compelled to provide the combination to that safe because the numbers qualified as “contents of an individual’s mind”.

There is some legal precedent for both sides of the argument. A federal judge in Michigan ruled in a child exploitation case in March 2010 that the defendant would not have to provide his password. In 2009, a Vermont federal judge ruled the opposite in a similar case. In the Vermont case, the laptop had been seized by border agents.

There is a lesser expectation of privacy in certain situations, such as the border crossing, Andrew B. Serwin, chair of the privacy, security & information management practice at law firm Foley & Lardner, told eWEEK. The courts have defined some areas where the government has more leeway, Serwin said.

As encryption becomes more commonplace, it was important to ensure that passphrases and encrypted files receive full protection under the Fifth Amendment, the EFF said in a statement. The amount of personal data stored on computers, including correspondence with family and friends, online activity, financial records and medical information, need to be protected from the government.

Evidentiary value

The prosecutors have provided some limited immunity, but have not provided “assurances” that none of the data found on the computer would be used as evidence against Fricosu, the EFF said.

The Department of Justice said the contents have “evidentiary value”, and argued that if defendants are not required to enter their passwords, “public interests will be harmed”. If the judge decides Fricosu doesn’t have to enter her password, “potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases)” would be able to evade prosecution just by encrypting their data, according to the Justice Department.

The Justice Department is not just making up boogeymen to argue its case. The Middle East Media Research Institute published a paper on 12 July detailing how Al-Qaeda began to use encryption tools for online activities and communications.

“Compelling her to produce the passphrase also supposes that she ‘remembers’ it and can produce it,” wrote Cameron Camp, an ESET researcher, noting that the case becomes trickier if she claims she has “forgotten” the code.

As a last resort, FBI agents can try to decrypt the device without the password, a process that would “require significant resources and may harm the Subject Computer”, the government said.