What decryption orders mean for the Fifth Amendment

A federal judge in Colorado recently handed down a ruling that forced a defendant to decrypt her laptop hard-drive, despite the Fifth Amendment's stricture against compelling people to testify against themselves. The Electronic Frontier Foundation's Marcia Hoffman has commentary on the disappointing ruling:

In the order issued yesterday, the court dodged the question of whether requiring Fricosu to type a passphrase into the laptop would violate the Fifth Amendment. Instead, it ordered Fricosu to turn over a decrypted version of the information on the computer. While the court didn't hold that Fricosu has a valid Fifth Amendment privilege not to reveal that data, it seemed to implicitly recognize that possibiity. The court both points out that the government offered Fricosu immunity for the act of production and forbids the government from using the act of production against her. We think Fricosu not only has a valid privilege against self-incrimination, but that the immunity offered by the government isn't broad enough to invalidate it. Under Supreme Court precedent, the government can't use the act of production or any evidence it learns as a result of that act against Fricosu.

The court then found that the Fifth Amendment "is not implicated" by requiring Fricosu to turn over the decrypted contents of the laptop, since the government independently learned facts suggesting that Fricosu had possession and control over the computer. Furthermore, according to the court, "there is little question here but that the government knows of the existence and location of the computer's files. The fact that it does not know the specific content of any specific documents is not a barrier to production." We disagree with this conclusion, too. Neither the government nor the court can say what files the government expects to find on the laptop, so there is testimonial value in revealing the existence, authenticity and control over that specific data. If Fricosu decrypts the data, the government could learn a great deal it didn't know before.

In sum, we think the court got it wrong.

Disappointing Ruling in Compelled Laptop Decryption Case


    1. Yes, she wasn’t forced, just threatened with indefinite detention. Good show.

      And this is why I use the hidden volume feature of TrueCrypt. Give them a password – let them browse through your fake documents all they like.

        1. Not exactly, but what Mantissa is talking about is basically having a hidden volume or folder (encrypted) reside on the system, while a not hidden (but encrypted) folder/volume also resides on the system.  TrueCrypt can be setup to access different volumes via different passwords, allowing access to the non-hidden non incriminating files.

          You can also go a step further and have hidden volumes/files inside volume/files.

    2. I thought for a moment that your username meant “Gym Raper”, but immediately realized my error and that it in fact should be read as “GRIM Raper.”

  1. I don’t know much about US law, so I’ve got a question.

    From a US legal/constitutional perspective, how does this differ from being forced to hand over physical items or admit them to your house as a result of the search warrant?Does the 5th amendment provide some form of protection from search warrants and seizure of physical items? I.e. are you under any obligation to cooperate with a warrant and therefore incriminate yourself?

    1. I was wondering the same thing.  Is the Fifth Amendment supposed to protect against her admitting she knows how to provide the files, or is it supposed to protect against her providing the files themselves?  For instance, if they knew she had an unencrypted drive, hidden in a location only she knew, could she be compelled to tell them where it is without any Fifth Amendment implications?

      1. The post doesn’t reveal the context, which makes ithe ruling a lot less worrying.

        She was an alleged mortgage fraudster. She was caught on tape saying the documents describing the fraud were on her laptop and that she had taken measures to stop law enforcement from getting them.

        I don’t think it’s a 5th ammendment issue, since they were demanding access to evidence that they knew existed. They don’t want testimony. The judge also prevented the cops from saying that encryption implies guilt (i.e. “if you had nothing to hide, why did you encrypt the docs and refuse to tell us the password”).

        It would be against the 5th ammendment if they said, “tell us about the documents on your laptop”. This is clearly testimony.

        It’s a grey area if they ask, “your laptop probably contains some information, so tell us the password so we can fish through the documents on the laptop until we find some criminal evidence”. I think it comes down to probably cause and justifying the search, as it would with documents in a safe. I don’t think there’s a 5th amendment defence to a password. Otherwise a combination lock code would be protected by the 5th amendment while a key to a lock would not.

        1. This is the problem with trying to apply <21st century legal reasoning in the 21st century.  The key to the lock is not protected by the 5th amendment but if the defendant HID the key then the LOCATION would be protected by the 5th amendment.  In the case of the password there is no difference between the "key" and the "location of the key."  As far as I'm concerned keeping the password private is no different from hiding the key and simply not mentioning its whereabouts.

          1. That doesn’t seem accurate, either about the law or the argument. It seems more a matter of testifying as to ownership. I also don’t see how there’s any difficulties here arising from treating digital information as analogous to information stored in any other medium.

            Like, if there was a lockbox the government had evidence to prove it was yours and also had evidence that you kept certain incriminating information in it, they could compel you to produce the contents of that box, or force a search of the box, even if they did not know where the key was. If your house has an unbreakable door with an unpickable lock that doesn’t mean you don’t have to open it when presented with a warrant to search it just because the state doesn’t know where the key is.

            Now, if the government had evidence as to the existence of incriminating information, but did not have evidence of ownership, then requiring you to produce the location of the key could be considered self-incriminating testimony if that knowledge is considered an indication of ownership and control of the box of incriminating evidence. But since the prosecutors in this case do seem to have exactly that, evidence that the computer is hers and the files are her responsibility, it doesn’t seem like the 5th amendment argument should hold water.

          2. I also don’t see how there’s any difficulties here arising from treating digital information as analogous to information stored in any other medium.

            That’s not what I’m arguing.  I’m arguing about the legal status of an encryption key vs. an actual physical key.  In the former case, testimony is exactly equivalent to the key itself.  In the latter testimony about the key is different from the actual physical key (obviously).

            There aren’t enough details in the story to make all the wild assumptions you infer that I’m making.  In the case that the government cannot prove there is incriminating evidence in a safe but they suspect there is they cannot compel you to testify as to where you might have hidden the key.  My argument is that in such a case you should also not have to give up an encryption key for the exact same reason.

  2. Technically, with the way the Supreme Court has interpreted the Fifth Amendment, it only applies traditionally to oral or written testimony. As such, if data exists on the computer and the state can establish probable cause that it believes there is case-relevant data stored on the computer, Fifth Amendment protections would not apply. Rather, the Fourth Amendment would have to be invoked and as long as there is probable cause, the search is legal–even requiring him to unencrypt the files would be legal.

     The Court probably would consider this analogous to requiring a person to open a safe it reasonably believes it storing incriminating documents.

    Not saying its right, just that is the way judicial precedent probably establishes the case.

  3. If you had a search warrant to search her file cabinet she would be required to unlock it.  I don’t really see how this is different.

    1. I agree with this analogy, however…  this filing cabinet may be something like Fort Knox, not a Master Lock.

    2. Not really.  If the warrant was to search a locked file cabinet, then the police are allowed inside.  The owner doesn’t have to help them.  The owner can just stand by, say nothing, and the police will open it with a crowbar.  I’ve seen too many episodes of “Cops” to not know that when there’s a safe in the house and the alleged perp refuses to open it, they just haul it away and allow a specialist to cut it open.

      The problem in this case from the prosecution perspective is that they don’t have a big enough crowbar.

    3. Also, the computer is really not like a filing cabinet. Your entire life could be on the hard drive – it has the potential to store incredible amounts of info about yourself that you couldn’t possibly fit in a filing cabinet. 

      1. Well, let’s say this Twinkie represents the normal amount of paperwork in a single filing cabinet.  According to this morning’s FTK report, the files in this hard drive would be a Twinkie 35 feet long weighing approximately six hundred pounds.

        Now that’s a big Twinkie.

  4. This is why you want to use something like TrueCrypts “partition within a partition” approach.  You decrypt the 1st partition.  It can’t be shown whether the 2nd encrypted partition is an encrypted partition or gibberish.  The burden of proof is on the prosecution so let them show the 2nd partition even exists.  Whenever they bring it up you just object… facts not in evidence.  :)  And I would gladly and gleefully spend some time in jail after telling the judge to blow me.

  5. You’re supposed to destroy and/or lose your hard drive, not encrypt it!  This woman wouldn’t last a DAY in Washington.

  6. The government (AUSA) and the court got it very very wrong and ethics complaints should be filed against both for malpractice.

  7. “Neither the government nor the court can say what files the government expects to find on the laptop…”

    Fifth Amendment issues aside, it doesn’t seem like this should be allowed if they can’t actually say what evidence they’re looking for.  They don’t issue warrants to rummage through a person’s house, looking for illegal things.  The same should apply to hard drives.

    1. You raise an excellent point.  If the warrant is not specific enough it runs the risk of invalidating other evidence.  The warrant has to say what they expect to find.  I don’t recall the exact name of the legal principle but it was something like “Elephant in a matchbox” rule.  If you’re looking for an elephant then searching the matchbox cannot be justified.  So if the warrant is too vague a good lawyer will challenge it as being unnecessarily broad.  Even if the judge doesn’t agree it’s certainly grounds for appellate review.

  8. I think both the legal theory and coverage of this case are lacking.

    To me, the best “model” is not the 5th amendment, with its right to withhold (possibly self incriminating testimony) , but the 4th amendment, with its inherent right against “fishing expeditions” in state searches of private/secure areas.

    Of course, in any case with a compelling enough probable cause (based on the weight of other evidence), it is clearly criminal not to permit a search (hence the requirement for a well-founded warrant or subpoena).  However, this is not supposed to be carte blanche for the state to search anything otherwise off-limits to it: there is a very high burden of probable cause/reasonable suspicion to do so.  The test is: if the search the state is trying to compel is a “fishing expedition” (given the lack of, or weak evidence already acquired), then it is absolutely forbidden by the 4th amendment.

    Now, I haven’t looked closely enough at this to determine the weight of the rest of the evidence and how well it justifies opening up the laptop.  It very well may.  But this may all simply be an attempt to score a “mortgage fraud” conviction on flimsy evidence, in which case, breaching the encrypted laptop would be going too far.

    So, it seems neither side wants to admit what is really at play in this case: not whether “encryption is inviolable”, but whether the weight of the prevailing evidence justifies a coerced search per the 4th amendment.

    Thus, the defense in this sort of case would really do better to follow a 4th amendment analysis rather than “wasting” 5th amendment arguments on *unconditional* defense of encryption, in my opinion.   

    Besides, if the defendant refuses to decrypt, assuming the order stands, that can only amount to contempt (or obstruction, I suppose), which is a much lesser charge than what is at stake in this case.  If the judge tries to levy an excessive penalty for refusal to comply with a decryption order, that is another matter entirely (cruel and unusual punishment).

    1. The fact that she holds the encryption key seems to be the basis for the Fifth Amendment argument, though, whether or not the warrant is valid.  As EFF states, “there is testimonial value in revealing the existence, authenticity and control over that specific data.”  So if they find anything illegal, she’s already implicitly admitted that she’s responsible for that content by providing the password, and has essentially testified against herself.  It makes it more difficult for her to reasonably argue that the content was not her responsibility.

      1. Yeah, I understand that.  And in a sense, it “works”.  But I don’t really like the argument, nor the case law tradition (much of which has luckily been successful, in terms of privacy).  A password is not testimony; it’s a “key” to a “thing” that contains (potential) evidence (consider that if it were a physical box with a physical key, the failure to divulge the location of the key would not typically be considered a 5th amendment issue, rightfully I’d say).

        Chosing the wrong theoretical model eventually will bite you.  Look at how the use of “substantive due process” in the civil rights arena has lead to all kinds of problems (basically the state being able to take away rights as long as it makes a flimsy showing of there being some “administrative remedy,” e.g., onerous gun registration requirements), when in fact the better (and I’d say intended) constitution model is “privileges and immunities”.

        1. A password is not testimony; it’s a “key” to a “thing” that contains (potential) evidence (consider that if it were a physical box with a physical key, the failure to divulge the location of the key would not typically be considered a 5th amendment issue, rightfully I’d say).

          This is an “opinion,” not a “fact.”  In digital land there is no difference between the word and the thing.  One can make perfect sense of either interpretation.

          Overall you do have some really good points about making this a 4th amendment case instead of a 5th amendment case though.

          1. Fair enough.  It’s just a question of which interpretation leads to fewer bizarre consequences when applied to case law and real world situation…

            (Oh, by the way, the thing called “precedent” that is often confused for “the law” is also highly based on “opinion” …)

    2. Could you even indict or prosecute a mortgage fraud case without having exactly the kind of information about a person’s files that could be used as probable cause for overriding their 4th amendment right against search and seizure of their computer files? I can’t imagine it would escape her attorney that 4th amendment protections would be more relevant and provide stronger protection if they could argue it.

      Isn’t it more likely that they tried putting forward a novel 5th amendment argument precisely because the government had the requisites for a coerced search? It just seems like they were unable to block the government’s search on other grounds and took a stab at equating the production of a password as equivalent to testifying as to the location or existence of files that can be used to incriminate her. Obviously, the argument is crazy.

      1. That thought had occurred to me (that the 5th amendment argument was being used because the government’s case for doing a 4th amendment search  was strong, or perceived to be strong). 

        In that case, yes its predictable the defense attorney would throw anything to the wall and see what sticks.  But that would be something of a shame, because (a) no one believes the 5th amendment should be used to (or was intended to) excuse someone genuinely guilty of serious wrongdoing, and (b) this case would not be nearly as significant as the “digital rights” community is making it out to be.

        1. I think the problem is that in PATRIOT Act America, 4th amendment protections are violated routinely and massively.  Some people saw encryption as a protection against a government willing to violate our rights.  Now for some reason they’re surprised to learn that the government’s willing to violate our right to encrypt as well.

          Encryption is still a great technical bulwark against government spies, but we shouldn’t fool ourselves into thinking the government will simply tolerate it.

        2. I think shades of subtlety may have been lost in iterations of coverage. The EFF article links here:


          “If I’m reading Fricosu correctly, the Court is not saying that there is no Fifth Amendment privilege against being forced to divulge a password. Rather, the Court is saying that the Fifth Amendment privilege can’t be asserted in a specific case where it is known based on the facts of the case that the computer belongs to the suspect and the suspect knows the password. Because the only incriminating message of being forced to decrypt the password — that the suspect has control over the computer — is already known, it is a “foregone conclusion” and the Fifth Amendment privilege cannot block the government’s application.”

          It seems like whether or not producing the password CAN be protected under the 5th amendment is what the “digital rights” community is concerned about? But I can’t see how treating a digital key as more speech-like than an actual key makes any sense.

          1. There you have it.  This isn’t so much a case where the government is simply “fishing”, so I don’t think the digital rights community has much to worry about.  In fact, a “favorable” ruling on 5th amendment grounds in this case might set the stage for a backlash later.

        3. I believe in (a).  The whole point of the 5th amendment is that even if a person is guilty, the government cannot force them to provide testimony against themselves. 

          The justice system is set up so the government must follow certain rules to convict someone of a crime.  The rules are in place because the government is much more powerful than an individual and must exercise that power with caution.  If the government breaks the rules to get a conviction, it doesn’t matter whether the person is guilty, because the conviction is automatically unjust. 

          That doesn’t necessarily mean the 5th applies to this case, but its an important distinction. 

  9. Given that effectively unbreakable encryption now exists accessible to pretty much anyone we can’t really judge this in comparison to anything else.  If you hold the position that you should never be compelled to give up the password then that position is pretty much equal to saying that no paper records are ever able to be used as evidence again.
    I’m sure that the Enrons and Bernie Maddoffs of this world will be delighted.

    1. But the difference there is the fact there would be multiple paper trails leading to and from companies like Enron.  You wouldn’t necessarily need all the records to prove your case in something like that. 

      1. But all of those files could be routinely encrypted.  Say every company encrypts all their servers and files (as I’m sure many here would argue they should) and only uses secure email.  This is particularly relevant if someone know’s they are doing something nefarious.

  10. In a way, this is also a positive precedent: We’re establishing that just because your documents live on a hard-drive, doesn’t mean they’re different from the documents in your filing cabinet. As others have pointed out, you’d also be compelled to give up a key to a safe.

    So next time somebody’s computer is seized and imaged at a border crossing, the lawyers can cite this decision: it’s still their effects. Or email scanning. Or what have you.

    1. Exactly.  This effectively shifts you from a 5th amendment to a 4th amendment regime, which is better fitting, and still provides overwhelming civil/privacy rights protection (when used properly).

      1. NO, this is horrible!!
        The file cabinet analogy really needs to die, already.
        This would be more like, the court searches your file cabinet, but finds that your papers are all enciphered.
        And then, a judge orders you to assist the prosecution in your conviction, by providing information and assistance to them, in interpreting the obfuscated documents.
        And, they can also punish you if the blanks that you fill in don’t provide compelling enough evidence.
        So, in America, you can now be forced to write your own confession.

  11. Just goes to show that any country’s constitution (or whatever their version thereof is called) doesn’t mean shit if they really want to get you badly enough. The Man makes up the rules as he goes, and if he gets caught out later, just says: “Oops! Heh-heh, my bad!” and carries on as ever, with nothing ever being done about it. Those who rely on such “rules” (or, indeed, expect authorities to conform to such rules) are hopelessly naive.

    1. Not necessarily… the court wants to get what it can get, as usual.  The defense is appealing this, and it will be sorted out within the judicial system, possibly to your liking. Besides you haven’t commented based on knowledge of the facts (is the weight of evidence that the defendant WAS engaging in criminal fraud?)

  12. I’ve never used encryption software, so I’m curious if there are any that offer a “nuclear option” of a special password that immediately wipes the drive, or simply invalidates the real key, effectively destroying the information forever (or until quantum computers exist, anyway)?

    1. If as an example you were in custody and required to give said password, and provided the nuclear one instead, you would probably be charged with destruction of evidence…(obviously a lesser charger, but just something to be aware of.)

      1. What of an under duress password? Say decrypts what amounts to a giant porn locker instead of whatever things the judge can’t say they’re looking for. Embarassing enough to not want random TSA people clicking around but not incriminating.

        1. Check two terms, if you’re not familiar with them already:
          On The Fly Encryption & Plausible Deniability.
          Of course it’s not perfect, but you should encrypt private data and if you have something you want to keep truly private, at least use plausible deniability.

      2. Pretty sure you can set some to wipe the drive by default if enough time passes without password access.  That way if you stall a bit, you didn’t do it, the alarm did.

  13. What’s wrong with “I can’t remember the password.  Yes, I used it yesterday, but now I forgot it.”?
    Hell, I forget stuff all the time.  What are they gonna do, drug me so I’ll give it up?  My government wouldn’t do something like that to…… Oh, wait; never mind.

    1. Click through on the articles and you can find this extract from a decision handed down by a federal court:

      “It has long been the practice of courts viewing such testimony as false and intentionally evasive, and as a sham or subterfuge that purposely avoids giving responsive answers, to ignore the form of the response and treat the witness as having refused to answer.”

      1. How many times did Reagan say “I don’t recall.” when he was forced to testify about his trading arms for hostages in Iran-Contra?  Oh wait, I forgot the laws don’t apply to the American Robber Class, just to us peasants.

    2. I’ve literally had to use the ‘forgot password’ thing every day for a week on a few things because I couldn’t remember what I’d used and the new one hadn’t stuck well enough for me to figure out which letter was capitolized or what (only remembering case insensetive version is a pain in the neck.)

      Gets even worse when you can have the computer remember things for you.

  14. “OK, judge, you win. To decrypt it you type ‘/format a:’.”

    Yes – I realize that doesn’t really get rid of the data.

  15. Seems to me the 4th is satisfied in that the government has the laptop with enough probable cause to believe the evidence they seek is on it (by the defendant’s own admission). If they could decrypt the data on it without obtaining the password from the defendant (the equivalent to blasting the door off the safe without getting the combination), the government can use the evidence obtained in a court of law.

    I believe the 5th protects you (or at least it ought to) against compelling you to reveal information to the government that would lead to your incrimination. In this case, revealing a password. It’s not the password itself that’s the issue (if it were written down and discovered in a desk drawer, there would be nothing to stop the government from examining the files). It’s compelling someone to reveal information to help the government find evidence against you that’s wrong.

    Otherwise, there’s nothing to stop the government from literally torturing you for information and using what was learned from that torture to incriminate you in court.

    1. Producing a password can only be incriminating if knowledge of it is used as evidence of ownership and control. If it isn’t, then it can’t be.

      1. I don’t believe you can be compelled to say anything to the government you don’t want to on the grounds that what you say may be used against you. In other words, you have the right to remain silent.

  16. Does truecrypt have an option for a shadow password?  If you use it instead of the real password, the files in the sensitive partition are scrambled and deleted, while the less sensitive files are revealed as if nothing is different?

    1. Or if stuff is reallyllllllyylylylly sensitive and you need to keep it, then encrypt it onto a thumb drive and hide that fuckin thing where nobody can ever find it and don’t ever say anything to anyone about it.  Keep it to yourself.

  17. I don’t see how offering her immunity covering the data in her own files wasn’t sufficient.

    (And in the case of mortgage/financial fraud, too generous; taking peoples houses — those fuckers need to be waterboarded.)

    1. If they offered her immunity from prosecution for the data in her files, then I don’t really understand how those files are even useful to the prosecution.

  18. Friscou should simply hand over a blank hard drive — then leave it to the government to prove that the encrypted hard drive actually contained any data.

  19. except 5th amendment doesn’t apply if the search warrant is to produce specific items in a specific box of known ownership.  in this case it’s not clear they know what’s on the computer

  20. Evidence can be seized involuntarily from a suspect, but the 5th amendment protects them from being required to “interpret” that evidence.

    So for example, the government can force you to turn over the maps you keep in your basement.  And if your basement was locked, you could be required to turn over the key.  But they can’t then force you to explain what the different symbols you made on the map mean.

    Now, if you had written a legend for the maps, they could demand that you turn it over too.  But if the legend was just in your memory, you couldn’t be required to dictate it to them.

    The question is: is a password a basement key or a map legend?

    Of course literally, it’s neither.  But nothing about computer software is ever understood literally, because all it is literally is a bunch of electrons flying through circuitry.  What matters is the metaphor we use to represent what’s happening in the computer.  And the answer to the question hinges on what metaphor we use.

    You could say the password is a metaphorical map legend, used to make sense of a metaphorical map.  You need the encryption key to interpret the meaning of the encrypted data.  You have the map before you, available for examination, but it’s meaningless to you until it’s interpreted using the appropriate legend.

    Or, you could say the password is a metaphorical key, used to unlock a metaphorical encryption door standing between you and the metaphorical map.  In this reading, the true map is sealed behind a door, and it’s not available at all until the door is unlocked.

    Both readings are equally imaginary, and it’s no surprise that the government is going to chose to imagine the one which serves them best.

  21. Let the get warrents etc etc. I will not be forced to assist them in their investigation. A defendant is not required to build the states case against themselves.

  22. The US is slowly but surely joining China and Israel on my list of countries that you couldn’t pay me to visit.

Comments are closed.