By J. DeVoy
If you have encrypted data that is seized during an investigation, and law enforcement officers are incapable of decrypting it, can you refuse to provide the codes to remove encryption? The Electronic Frontier Foundation (“EFF”) believes so, and recently submitted an amicus brief to that effect in U.S. v. Fricosu, Case No. 2:10-cr-00509-01-REB (D. Colo.) (hey, cool, I’m admitted there! – Ed.).
Here’s a summary of the case from EFF’s press release:
Ramona Fricosu[] is accused of fraudulent real estate transactions. During the investigation, the government seized an encrypted laptop from the home she shares with her family, and then asked the court to compel Fricosu to type the password into the computer or turn over a decrypted version of her data. But EFF told the court today that the demand is contrary to the Constitution, forcing Fricosu to become a witness against herself.
The theory is that decrypting a computer is itself a testimonial act: It represents that the defendant had control or access to the computer, and possibly the files within. Even on a shared computer, providing a decryption code can be damning evidence. The EFF contends that forcing someone to decrypt their computer forces them to choose between lying, contempt of court, and self-implication – the exact situation the Fifth Amendment is supposed to prevent.
This is a very interesting case, and I can support it to some extent. I would disagree with the EFF if it claimed that forced decryption was problematic in civil cases, where the Fifth Amendment is little more than an abstraction, since the opposing party is not the state’s prosecutorial arm. So, torrenters, take note: This is not for you – unless you get charged with criminal copyright infringement. That’s pretty uncommon in and of itself, too, so you’re really screwed if that happens.
Read the EFF’s full amicus brief here.
H/T: Will
By Email
By RSS Feed
The Legal Satyricon 
I just lost how it’s perfectly acceptable to demand keys to a filing cabinet or code for a safe but it’s somehow a breach to force a password? someone enlighten me. I figure either both are forbidden or both are compellable.
Dan, The police can search and search for the keys to your cabinet or break it open just as they can guess and guess at your decryption keys or try to break your cipher, but this is more like asking you to tell them where the key is. I don’t know if that’s obligatory if they ask, but it’s the more apt analogy.
While I understand why you and your clients might not desire for such an application of the Fifth Amendment, to protect against being compelled to de-encypt data, to apply equally to civil proceedings as well as criminal proceedings, I am curious as to why you believe it does not so apply.
I must admit that I am not au fait with US Constitutional law. Therefore, before commenting I did look at this little primer on the 5th Amendment privilege in civil cases (http://bit.ly/o8TrAI).
As I understand it, the Fifth Amendment “applies alike to civil and criminal proceedings, wherever the answer might tend to subject to criminal responsibility him who gives it.” McCarthy v. Arndstein, 266 U.S. 34, 40 (1924). So, one can assert their 5th Amendment privilege in civil cases if their testimony could incriminate them in a crime, just as they can in criminal proceedings.
Assume, arguendo, that the EFF are correct and that the act of de-encrypting suspect data is a testimonial act to which 5th Amendment privilege can apply in criminal proceedings. Then, if the rule in McCarthy was to apply to the 5th Amendment privilege being claimed in civil proceedings generally, on what basis would you suggest a different rule might apply to the scenario where an adversary in civil proceedings seeks to compel the de-encryption of encrypted data?
Surely McCarthy means that any claim to 5th Amendment privilege which can be taken during the course of criminal proceedings can also be taken during the course of civil proceedings? The only difference, as I understand, is the consequences that might flow from asserting such a protection. I understand that in civil proceedings an adverse inference can be drawn from the asserting the 5th and there are limitations to stop litigants using the 5th Amendment as a sword and a shield simultaneously in civil proceedings.
Further, if the 5th Amendment protection was not offered in civil as well as criminal proceedings, it would be open to abuse by the Government instituting, or encouraging a private party to institute, civil process against a potential criminal suspect so as to work around the 5th Amendment protection. As you say, criminal proceedings are not oft brought against alleged copyright infringers so this probably would not be much of an issue in that field. However, to use the example of the Fricosu case, it could be an issue in cases involving alleged fraud against a private party.
I wonder what will ultimately happen in this case. I agree with EFF’s argument, since to hold otherwise would create a loophole in the 5th Amendment privilege not to provide the de-encryption password that one could drive a cart and horses through. That would substantially diminish the fundamental protections offered by the right not self-incriminate. Unfortunately, we do not have such strong protections in the UK and our courts seem not to be sympathetic to arguments that requiring one to provide data in an unencrypted form or the password violates the protection against self-incrimination. :(