When Can Police Force You to Decrypt Your Data?

When Can Police Force You to Decrypt Your Data?

Can police in the United States to force you to unlock an encrypted hard disk—or individual files on your PC—for inspection?

A pair of federal appeals court decisions issued on February 23 clarified the murky answers to these questions. The answer is basically:

  • If police know what you encrypted, they can make you decrypt it
  • If police don't know what you encrypted, they can't make you decrypt it

Take, for instance, the example of Ramona Fricosu, who in 2010 was indicted for mortgage fraud. After obtaining a search warrant, authorities seized her laptop. When they discovered it was encrypted, they demanded that she decrypt it by typing in her passphrase. Fricosu refused, arguing that doing so would violate her right to avoid self-incrimination.  A U.S. district court judge subsequently issued a court order demanding that she decrypt the laptop. Fricosu appealed, but on February 23, the 10th U.S. Circuit Court of Appeals rejected her petition and upheld the district court's decryption order.

At first glance, this looks like a clear violation of the Fifth Amendment to the U.S. Constitution, which states in part:

"No person shall ... be compelled in any criminal case to be a witness against himself."

However, prosecutors held a trump card against Fricosu, who faces decades in prison if convicted on all counts. It turns out that police have a recording of Fricosu speaking to a co-defendant in a conversation in which she acknowledges that her laptop contains an incriminating file. The appeals court ruled that when Fricosu referred to specific incriminating evidence in a conversation, she gave up her right to withhold that evidence in a subsequent legal proceeding. If she fails to decrypt the laptop, she can be imprisoned indefinitely for contempt of court.

What happens if prosecutors don't know what's on the hard drive? The 11th U.S. Circuit Court of Appeals answered that question February 23 as well. It ruled that an unnamed defendant ("John Doe") need not reveal the password to an encrypted hard drive that might contain incriminating information.

The Doe matter grew out of a child pornography investigation. In 2010, police in Florida began an investigation of an individual using a YouTube account to share pornographic images of underage girls. Investigators subsequently discovered several Internet Protocol (IP) addresses through which Doe connected to the Internet. Police traced three of the IP addresses to hotels at which Doe was a registered guest. Subsequently, authorities arrested Doe in a hotel and seized his laptop and several external hard drives. After discovering that certain portions of the hard drives were encrypted, the FBI attempted to decrypt those sections, but without success.

What did these sections contain? Investigators suspected they might contain depictions of child pornography, but had no proof. In April 2011, Doe was served with a subpoena ordering him to produce the unencrypted contents of his laptop and the external hard drives. Doe refused, invoking his Fifth Amendment right against self-incrimination. Subsequently, a district court declared Doe in contempt of court and ordered him to be detained until he complied with the subpoena. Doe then appealed.

In overturning the contempt citation, the federal appeals court concluded that under the circumstances, Doe had the right to "plead the Fifth." Investigators had no proof that the encrypted sections of the hard drives contained child pornography, or for that matter, any data whatsoever. But the ruling also concluded that if investigators had been able to prove that a specific incriminating file or files were on Doe's PC or hard drives, he had no Fifth Amendment privilege to refuse to produce the files in an unencrypted form.

The lessons are crystal clear. Encrypt your data. Don't tell anyone what you've encrypted if it's even remotely incriminating. If police demand that you decrypt the data, refuse. Plead the Fifth Amendment if a court orders you to decrypt the data. And in case the court rules against you, be prepared to spend several months in jail for contempt while you appeal your case.

These guidelines, of course apply only in the United States and only for ordinary civil and/or criminal investigations. They don't apply in other countries. In the United Kingdom, for instance, the Regulations of Investigatory Power Act gives the government the authority to order you to provide your passphrase, without providing any proof or even suspicion of wrongdoing. The penalty for failing to do so is up to two years in prison.

Have authorities asked—or attempted to coerce you—into decrypting encrypted data? Please share your experiences below.

Copyright © 2012 by Mark Nestmann

comments powered by Disqus