Skip to main content

Can the government force you to decrypt private data?

locked laptop masterlock chains encryption keys
Image used with permission by copyright holder

Last month, a federal judge in Denver ordered a suspect to provide the government with the unencrypted contents of a computer she shared with her family. The order was put off while lawyers took the case to an appeals court, arguing the order violates Fifth Amendment protections against self-incrimination. Now, however, it looks as though the defendant will either have to decrypt her laptop or face contempt of court charges. The 10th U.S. Circuit Court of Appeals has refused to get involved, saying the criminal case has to reach a conclusion before it comes within the appeals’ court jurisdiction. The defendant has until February 27 to hand over her data.

At first glance this might seem to be a case of limited scope, but wait a second: Encryption isn’t just an optional tool computer geeks use to protect stuff on their hard drives. It protects everything from our passwords to our online banking sessions to everything we store in the cloud — like email, documents, receipts, and even digital goods. How did we get here? Can the government really order people to decrypt their data?

Recommended Videos

The case

The case involves Ramona Fricosu and her ex-husband Scott Whatcott, who were indicted in 2010 on bank fraud charges relating to a complicated mortgage scam. According to prosecutors, the pair offered to pay off the mortgages of homeowners desperate to get out from under upside-down situations in the wake of the housing bubble collapse. However, instead of paying off the mortgages and taking possession, they instead filed fraudulent paperwork with courts to obtain titles to the homes, then moved to sell them without paying the outstanding mortgage.

toshiba m305In May of 2010, the government executed search warrants at the residence Fricosu was sharing with her mother and two children. (Whatcott had also previously lived there, but at that point the couple was divorced and he was incarcerated.) Among the items seized by the government were six computers — three desktops and three notebooks, including a Toshiba Satellite M305 notebook. The government obtained a separate warrant to search the Toshiba M305 computer, but discovered the content was encrypted using PGP Desktop whole-disk encryption. The screen of the Toshiba was damaged; investigators had to hook up an external monitor.

The next day, Whatcott telephoned Fricosu from Colorado’s Four Mile Correctional Center. The conversation was recorded. In it, Fricosu says investigators had asked her for passwords to the computer, and that she didn’t answer, saying her lawyer had advised her she was not obligated to give passwords to investigators. She does, however, repeatedly refer to the notebook as her own computer and implies she knows the password to access it.

So far, authorities have not been able to break the computer’s encryption and access any data on the machine.

Rationale for decryption

Forcing a defendant to reveal a password or provide a decrypted version of data stored on a computer would seem to fly in the face of self-incrimination protections offered by the Fifth Amendment. However, there are several nuances and exceptions to Fifth Amendement protection. In issuing his order that Fricosu decrypt the notebook, U.S. District Judge Robert Blackburn indicated he believed the Fricosu case falls outside the lines, although he does note there’s not much case law to go on.

united states constitution shutterstockThe Fifth Amendment specifically provides that no person can be compelled to bear witness against himself. However, subsequent Supreme Court rulings have constrained that protection to apply only to compelled testimonial communications — typically written or verbal communications before a court. There is also case law that acknowledges that even if a document is not protected by Fifth Amendment privilege, the act of producing the document might be: If prosecutors only become aware of a document on the basis of requiring a defendant to produce it, that would amount to self-incrimination.

Under Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his or her mind: There is, after all, a right to remain silent. Therefore, Fricosu cannot be compelled to produce the password.

However, Judge Blackburn finds that the government has reasonably established the Toshiba notebook belongs to Fricosu or was primarily used by her, and that the government “knows of the existence and location of the computer’s files.” His finding rests strongly on the recorded telephone conversation between Whatcott and Fricosu. Therefore, Blackburn concludes compelling Fricosu to provide decrypted versions of the computer’s contents — not the password itself — is not protected by the production exception. The judge also finds the search warrant that would cover the contents of the computer is valid.

Judge Blackburn has granted Fricosu limited immunity from the government using the act of producing the decrypted data against her. In other words, if the decrypted information contains something unexpected or even unrelated, the government would not be able to pursue prosecution based on the fact Fricosu was able to decrypt it.

What about the Fifth Amendment?

Does Fricosu’s case really fall outside the protections of the Fifth Amendment? Fricosu’s lawyer doesn’t think so, and neither do groups like the Electronic Frontier Foundation, which earlier this year filed an amicus (friend-of-the-court) brief (PDF) on Fricosu’s behalf.

The basic argument that Fricosu’s Fifth Amendment rights protect her from having to produce an unencrypted of its contents boils down to what the government does and doesn’t already know about those contents. Judge BlackBurn finds that the government has established that the contents of the computer are relevant to the case, and government attorneys argued that being required to provide access is no different than requiring suspects to sign authorization to enable investigators to probe overseas bank accounts and safety deposit boxes.

username and password shutterstock
Image used with permission by copyright holder

However, in instances where the government is able to compel defendants to disclose documents or accounts, the government has already become aware of the existence of those items through a third party. In Fricosu’s case, an argument could be made that the government has no idea what content it will find on the encrypted computer, or where that information might be located on the computer. (The EFF even argued that the government can’t really prove the notebook is the same one that was seized during the search.)

Although Judge Blackburn has granted Fricosu limited immunity to prevent the government from using the act of providing decrypted data against her, immunity does not extend to the data itself. An argument can be made that this limited immunity potentially violates a Supreme Court prohibition against derivative uses of compelled testimony. If the government were to use evidence obtained from the unencrypted laptop against Fricosu, the government might have to prove it obtained (or could have obtained) all that evidence from independent sources rather than solely from Fricosu herself. So far, the government has had no luck digging up the information it believes is on the notebook from other sources, nor have investigators made any progress decrypting the notebook. Nonetheless, Judge Blackburn found “the fact that [the government] does not know the specific content of any specific documents is not a barrier to production.”

Other cases

In his findings, Judge Blackburn notes there aren’t many other cases that parallel the circumstances in the Fricosu case. The most direct precedent seems to involve a border crossing in Vermont in 2006. During a search, an officer opened a computer and (without entering a password) viewed its files, including child pornography. The defendant was arrested and the notebook seized; however, when officers later tried to access the computer it was found to be password-protected. In that case, the defendant was not ordered to produce the password, but to produce an unencrypted version of the “Z” drive where officers had previously seen the material. A key part of that case, however, is that authorities had actually seen the illegal content on the computer. They knew where it was before the defendant was ordered to provide access to the information. In Fricosu’s case, prosecutors just know they have an encrypted computer. They have no independent evidence or testimony as to its contents.

In Washington State back in 2004, former King County sheriffs detective Dan Ring was arrested for improper use of law enforcement databases as well as other criminal charges. Although data found on Ring’s computer detailed some of his interactions with girlfriends, prostitution rings, and escort services in multiple countries, a portion of his hard drive was encrypted. Ring consistently claimed he couldn’t remember the password to the encrypted data, and partly as a result the case against him was dropped three days before it was set to go to trial. Ring retired — with pension — and the encrypted data has never been cracked.

Setting a precedent

In a statement yesterday, Fricosu’s attorney Phillip DuBois noted “It is possible that Ms. Fricosu has no ability to decrypt the computer, because she probably did not set up the encryption on that computer and may not know or remember the password or passphrase,” DuBois said in a statement Tuesday.

Notably, DuBois also defended PGP creator Philip Zimmerman when he was subject to criminal investigation from the U.S. Customs Service, which sought to classify the PGP algorithm as a munition subject to export controls. The case was dropped without indictment in 1996.

If Fricosu can be compelled to provide an unencrypted version of the data stored on the computer, it may set an ominous precedent for modern technology users. Folks who use services like DropBox, Apple’s iCloud, Amazon S3, and a myriad of other services all rely on their data being stored safely in encrypted form. Similarly, hard drives and SSDs with hardware-based encryption are becoming more and more mainstream — particularly with the proliferation of easily lost or stolen mobile devices. High-grade encryption isn’t just a tool for top-grade technophiles anymore: It’s in everyday products, and millions of people rely on it every day. If the government can compel users to produce unencrypted copies of their data — without knowing what that data might be — it could significantly stifle free speech and the freedom of information.

And that’s regardless of whether Fricosu remembers her password.

Image credit: Shutterstock/Maxx-Studio/J. Helgason/JMiks

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
You can now try out ChatGPT Search for free
The ChatGPT Search icon on the prompt window

As part of its "12 Days of OpenAI" event, OpenAI has yet another update for ChatGPT, this time bringing its Search feature over to the free tier. The Google Search alternative was previously only for paid subscribers in the ChatGPT Plus or Pro tiers.

"We rolled it out for paid users about two months ago," Kevin Weil, OpenAI's chief product officer, said during Monday's livestream. "I can't imagine ChatGPT without Search now. I use it so often. I'm so excited to bring it to all of you for free starting today."

Read more
No, the Nvidia App isn’t killing your PC’s performance
The Nvidia app on the Windows desktop.

When I heard that the new Nvidia App could reduce performance by up to 15%, I was shocked. If this is the first you're hearing about it, I'm sure you're shocked, too. The news stems from Sebastian Castellanos, who posted on X about a big performance drop with the Nvidia App installed in both Black Myth: Wukong and The Talos Principle 2. Some news outlets ran with the claim, including Tom's Hardware and Dark Side of Gaming, showing original testing that backed up the performance loss.

The only problem? The Nvidia App isn't to blame.

Read more
This gaming PC with RTX 4070 is on sale for less than $1,000
The iBuyPower Y40 gaming PC with a keyboard and mouse.

A budget of $1,000 usually isn't enough for a fantastic gaming machine, but Walmart is making it happen with this offer for the iBuyPower Y40. The gaming desktop, which is powered by the Nvidia GeForce RTX 4070 graphics card, is currently available for only $999, following a $601 discount on its sticker price of $1,600. This is one of the most attractive gaming PC deals that we've found in recent memory, even with Black Friday less than a month behind us, so you're going to want to take advantage of it before the stock is sold out.

Why you should buy the iBuyPower Y40 gaming PC
The iBuyPower Y40 gaming PC is packed with components that will let you play the best PC games without any issues. In addition to the Nvidia GeForce RTX 4070 graphics card, it's equipped with the AMD Ryzen 7 7700 processor and 16GB of RAM, which is the best place to start for a gaming desktop according to our guide on how much RAM do you need. The gaming PC also comes with a liquid-cooling system, so it won't suffer from overheating if your gaming sessions last for several hours at a time.

Read more