No Fifth Amendment Violation for Compelled Disclosure of Password

Published On January 26, 2012 | By Randy Sabett | General, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

On Tuesday, January 23rd, U.S. District Court Judge Robert Blackburn of Colorado ruled that forcing a criminal defendant to provide access to an encrypted hard drive does not violate that individual’s Constitutional right against self-incrimination.  The government had brought a case against the defendant, Ramona Fricosu, based on a 2010 investigation of fraudulent transactions in a mortgage scam.

During a search of the defendant’s home by the government (for which a warrant had been properly served), the government confiscated six computers, three of which were laptops.  One of the computers found in Ms. Fricosu’s bedroom was a laptop computer that “was password-protected by a program called PGP Desktop, and agents have been unable to decrypt it.”  The government asked the court to compel the defendant to type the password into the computer or provide a decrypted version of her data.

In deciding for the government, the court first distinguished between protected activities associated with a person’s “own compelled testimonial communications” (including not only written and spoken communications but also actions, such as turning over a document) and existing case law related to password protected information.  The court then further distinguished between activities related to password protected information that would violate the Fifth Amendment and those that would not.

The court first cited the rationale from In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) that “under prevailing Supreme Court precedent, a defendant cannot be compelled to reveal the contents of his mind.”  In that case, “the magistrate judge found that the act of producing the password was testimonial and, therefore, privileged.”  The court then noted that on appeal in Boucher, the grand jury modified its request and required the defendant to produce an unencrypted version of the information on the subject hard drive rather than the password.  This resulted in the district court denying the defendant’s motion to quash.

Turning to the instant case, the court found that the government “knows of the existence and location of the computer’s files” and that it had met its burden of showing that the defendant was either the owner of the computer or its primary user.  As a result, the court found that “the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the…computer.”  The court then ordered the production of the unencrypted contents of the hard drive.  The court also ordered that since the government had offered the defendant immunity, “the government SHALL BE precluded from using Ms. Fricosu’s act of production of the unencrypted contents of the computer’s hard drive against her in any prosecution.”

This case turned on the important distinction between compelled testimonial communications (prohibited by the Fifth Amendment) and the act of producing the unencrypted contents of an encrypted hard drive.  Since the prosecution (a) could establish that they knew that the defendant was the owner or primary user and (b) was willing to provide immunity, Judge Blackburn reasoned that providing the unencrypted contents of the hard drive in response to the government’s search warrant would not violate the defendant’s Fifth Amendment rights.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.