Saturday, March 24, 2012

Is Your Password Protected by the Constitution?

Whether the Fifth Amendment right against self-incrimination is implicated when a defendant is asked to reveal a password was, until now, a theoretical question. The topic was the subject of heated geek debates, akin to the early Christians’ slugfests about how many angels could dance on the head of a pin. Two recent federal cases have finally brought the matter into the legal limelight. The arguments are academic. The practicalities are marginally meaningful. Let me tell you why.

First, the cases. In USA v Ramona Fricosu, the defendant was ordered to decrypt her encrypted hard drive. Fricosu was accused of bank fraud and the government believed there was evidence on her laptop. She fought the order on the grounds that the government cannot force her to testify against herself, arguing that revealing her password is testimonial. The government responded that a password is not testimonial. Much like ordering a blood test from a suspected drunk driver or a swab of the cheek from a suspected sex offender, a password is more like a key to a lock than an admission of guilt or testimony, prosecutors theorized.

The judge in the case issued an early decision, completely weaseling around the Fifth Amendment issue. Instead of dealing with whether or not a password is testimonial and whether or not it invokes the protection of the Fifth Amendment, the court ordered the defendant to provide the government with a non-encrypted version of the computer drive. That’s basically the same thing as providing the password, but the court avoided the big-time constitutional ramifications and the inevitable scrutiny that would ensue.

A 2009 case, U.S. v Boucher, was similar. The U.S. District Court in Vermont ordered the defendant to produce an unencrypted version of the media, avoiding the password issue.

Another recent case held that yes, indeed, a password is testimonial and does implicate the Fifth Amendment protection against self-incrimination. The U.S. Court of Appeals for the 11th Circuit thought more deeply than the common analogies to providing blood or a key to a lock. Here is what the court ruled in In re Grand Jury Duces Tecum, released March 11, 2011.

“We hold that the act of Doe’s decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that (1) Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.

First, the decryption and production of the hard drives would require the use of the contents of Doe’s mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”

Form Over Substance

The court seemed to recognize that the mind is a more complex device than a lock. In so doing, it recognized that there is more going on with regard to information technology and securing it than securing a locker. While this recognition is important and gratifying to the information technology sector, it is academic, really a matter of form over substance.

The more important question than, “Is a password testimonial, thus implicating the Fifth Amendment protection against self-incrimination?” is, “Does it make any difference whatsoever?” The answer to that second question is twofold and can save the government and defendants lots of money and time. Here’s why.

On a technical note, the government has all sorts of programs that defeat passwords. They don’t really need the defendant to reveal his or her password. If they are demanding the password, it’s the one time in a million that they have run into a situation in which they do not have the software or decryption capability to defeat it.

If encryption is employed, a password is required to decrypt the contents. Just as with your BlackBerry or other smartphone, if you don’t provide the correct password within a certain number of attempts, the contents of the media are “wiped.” By “wiped,” I mean the contents are completely scrubbed. The contents are deleted and overwritten by a neutral character, such as an “x” or “0” or “1.”

Besides (and this may sound cynical), as a practical matter, who’s going to remember their password after all that litigation? Seriously. I had to reset the password to my blog three times last week because I forgot the password. I have to use GPS to get home from places I’ve been a million times. And the government is going to order people to remember stuff when they’ve been under stress and it’s been a year or two since they’ve even accessed the system?

The probability of the defendants remembering the passwords is slim. So why bother with all the litigation for a moot point? Is it to bankrupt the defendant (because that’s what usually happens)? Is it to make a point? (Really, what is the point?) Is it because the government can do it? (We do it because we can!) What happens if, at the end of the day, the defendant really has forgotten the password and the disk gets wiped of its contents? Does the government prosecute the defendant for destroying evidence? (Well, the defendant didn’t destroy the evidence, the government did, didn’t it?) Does the government prosecute the defendant for obstruction of justice? (Why? Because the defendant can’t remember something?)

Of course, I don’t have any answers. I don’t claim to. I just have questions. Lots of them. The philosophical discussions we had in law school about password production and the Fifth Amendment were for fun. The litigation taking place now is for big money. Just walking through the door of a federal courthouse costs a defendant tens of thousands of dollars. Not chump change. Not these days. And the reverberations run deep.

By the way... news is that the defendant in the Fricosu case has forgotten her password. Shocking!

Courtesy of the Connecticut Law Tribune, March 26, 2012
