Blog

  • Subpoena, Search, or Incriminating Statement

    Subpoena, Search, or Incriminating Statement: Encryption Passphrases and Privacy

    By Max Abend

    CNET recently ran an article about a precedential case involving computer encryption. In one of only a handful of cases decided on the issue, Judge Robert Blackburn held that compelling the production of unencrypted documents in a defendant’s possession did not implicate either the Fourth or Fifth Amendments (U.S. v. Fricosu, 2012).

    The defendant, Ramona Fricosu, was accused of being involved in an illegal mortgage scam. Pursuant to a valid warrant, the FBI searched her home and seized, inter alia, 6 computers. One of the computers, a Toshiba laptop, had “whole disk” encryption software (PGP Desktop) enabled. Because PGP Desktop essentially makes the contents of the drive unreadable without the encryption key or passphrase, the FBI is currently unable to view any of the files on the disk. As such, the FBI applied for a writ of assistance from the court to compel Ms. Fricosu to produce the encryption key or the unencrypted contents of the disk.

    The court found that Ms. Fricosu was either the owner or sole user of the computer, and that she has the ability to view the unencrypted contents of the computer’s hard disk. Because the computer was seized with a valid warrant, Judge Blackburn granted the government’s application for a writ under the All Writs Act requiring Ms. Fricosu to assist the government in executing the previously issued search warrant. Practically, this amounts to a duty on Ms. Fricosu either to give the FBI her encryption passphrase or to decrypt the drive herself and hand over its contents. From a policy standpoint, the DOJ argued in its brief that failing to compel Ms. Fricosu would signal to all potential criminals that “…encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.” While there is merit behind the argument, the same argument could be made concerning the production of actual self-incriminating testimony. That is, protecting the contents of the mind signals to criminals merely not to memorialize their thoughts in the form of a document. In the instant case, to quote commenter Mergatroid Mania, “If she had hid the data somewhere, they could not force her to tell them where she hid it. In this case it’s on a computer, but they can force her to tell them how to get in?” (For this analogy to hold true, assume the government does not know of the existence of specific data… see more below).

    The ruling is interesting and arguably precedential because of the dichotomy presented. Basically, the issue is whether production of the key (or documents… throughout the rest of the post, simply “key”) is simply incident to a valid Fourth Amendment search, or whether it is a Fifth Amendment “statement.” It should be noted that the government only requests the production of the contents of the hard-drive, and that voluntary production of the key would also satisfy the command of the subpoena (but is not required as it is technically the “contents of the mind” of the defendant).

    The government had a valid search warrant, so if the production of the key is simply ancillary to the larger search, then it is per se reasonable. Because it is interesting and informative for the blog, I’d like to distinguish this case from another. The “PGP Desktop” software is unlike the standard “password protection” at issue in cases such as United States v. Andrus (483 F.3d 711). In that case, without a warrant, but with apparent consent by the defendant’s father, a co-occupant, the FBI bypassed the defendant’s password protection without knowledge of its existence. Because they bypassed the password protection, and were under no duty to question the father about his use of the computer, the FBI could not have known that the defendant had a subjective expectation of privacy, and that his father, not an actual owner or user of the computer, lacked the authority to consent to a search of it. In short, because the FBI never saw the defendant’s attempt to “lock” the computer, in the same manner that a padlock on a footlocker would be immediately apparent, it was reasonable for them to believe, ex ante, that there was no subjective expectation of privacy.

    Because the government did in fact have a warrant in the Fricosu case, the following is merely hypothetical analysis. If the facts of the Fricosu case were changed to be the same as in Andrus, with the only difference being the PGP Desktop software, it becomes clear that the FBI would be in a different boat. Presumably, the FBI used the same investigative software to try to image Ms. Fricosu’s computer, and was stuck when the contents came up unreadable. The FBI then would be well informed that the defendant took affirmative steps to ensure the privacy of that information. That is, while the password protection at issue in Andrus was not “clearly” analogous to a lock (see the dissent for a refutation of this argument), PGP Desktop is unequivocally a “lock.” Breaking through such a lock (hypothetically) without a warrant would violate Ms. Fricosu’s clear subjective expectation of privacy. The Andrus Court concluded “tentatively” that computers are “often a repository for private information the computer’s owner does not intend to share with others.” As such, it seems dubious that the 10th Circuit or any other court would not find such an expectation of privacy reasonable (see also the existence of ECPA).

    Now, non-hypothetically, many (including Ms. Fricosu) argue that compelling production of the encryption key would be tantamount to a self-incriminating statement, and a violation of the 5th Amendment protection.

    This is a tough argument to make. In Boyd v. United States (116 U.S. 616) the court set out the “mere evidence rule,” which basically stated that the government could only seize papers somehow connected directly to a crime, and could not seize them merely to obtain evidence to be used against a defendant in a criminal action:

     “breaking into a house and opening boxes and drawers are circumstances of aggravation; but any forcible and compulsory extortion of a man’s own testimony or of his private papers to be used as evidence to convict him of crime or to forfeit his goods is…” a violation of both the Fourth and Fifth Amendments.

    Unfortunately for defendants, however, this holding has been largely abrogated. The court has stated that the 5th Amendment does not protect against subpoenas for a person’s records and papers held by third parties, and that “The Fifth Amendment Privilege is a personal privilege: it adheres basically to the person, not to information that may incriminate him.” Couch v. United States, 335 U.S. 1 (1948) (upholding subpoena to defendant’s accountant for incriminating documents); In re Grand Jury Subpoena Duces Tecum, 1 F. 3d 87 – Court of Appeals, 2nd Circuit 1993 (contents of documents not privileged unless their very act of creation was compelled by government). The court has recently stated that some acts that function as a statement of fact could be within the bounds of the Fifth Amendment privilege. In United States v. Hubbell, the defendant initially refused to acknowledge the existence of documents compelled by a subpoena. While the contents of the documents would not be protected, the very act of producing documents acknowledges that they exist, and could be in itself self-incriminating. 530 U.S. 27, 36 (2000). Judge Blackburn analyzes the Boucher line of cases, dealing with similar encryption issues. In that series of cases, the defendant himself navigated to and displayed the contents of a number of files. As such, the government viewed and knew of the existence of child pornography on the defendant’s computer. However, after seizing the computer, they were unable to access the files for evidentiary purposes due to password protection (coincidentally, also PGP Desktop). Since the encryption key was part of “the contents of the defendant’s mind,” it was protected by the Fifth Amendment, but the documents themselves were not, because, unlike Hubbell, the government already knew of their existence, and production of them would not amount to an incriminating admission. See In Re: Grand Jury Subpoena to Sebastian Boucher and In re Grand Jury Subpoena Duces Tecum, 1 F. 3d 87 – Court of Appeals, 2nd Circuit 1993.

    The issue then becomes whether the production of the key is the authentication that self-incriminating documents exist (which would be privileged), or simply the production of the contents of documents known by the government to exist (which would not). Judge Blackburn’s opinion analyzes both lines of precedent efficiently and accurately, but then applies them conclusorily. He finds that

    “There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production.”

    However, in both Boucher and Subpoena Duces Tecum, the government knew of the existence of specific incriminating files as well as their contents. Moreover, in both cases, the government was at some point in possession of the incriminating documents, or a literal copy of them. In this case, presumably, the FBI doesn’t have knowledge of specific documents in existence on the computer. If they did, these files likely would have been specifically discussed in the opinion. Read not all that broadly, Judge Blackburn’s pronouncement seems to say that if the government knows that files exist on a computer, then the government can subpoena those files. That however is ludicrous… if the government knows of the existence of a computer, it is a foregone conclusion that there will be files on that computer. Such a rationale seems completely at odds with the “reasonable particularity” requirement of the original warrant that authorized the seizure of Ms. Fricosu’s computer in the first place.

    It will be interesting to see how this issue ultimately gets resolved. The 10th Circuit has not yet ruled on it because there has not yet been a final judgment.

    The Full Text of the CNET article is available here:

    http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/


    Judge Blackburn’s opinion is freely available here: http://scholar.google.com/scholar_case?case=7486865546677786730&q=us+v.+fricosu&hl=en&as_sdt=2,33&as_vis=1


  • Mobile Geolocation Services, EU

    The EU’s Article 29 Working Party adopted an opinion regarding mobile geolocation services and required, for example, prior informed consent from users. Yet the European Commission’s proposed reform of the EU’s 1995 data protection rules says nearly nothing about geolocation.

    By: Anne Aaltonen

    On May 16, 2011, the EU’s Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.

    According to the opinion: “A smart mobile device is very intimately linked to a specific individual. Most people tend to keep their mobile devices very close to themselves, from their pocket or bag to the night table next to their bed. It seldom happens that a person lends such a device to another person. Most people are aware that their mobile device contains a range of highly intimate information, ranging from e-mail to private pictures, from browsing history to for example a contact list. This allows the providers of geolocation based services to gain an intimate overview of habits and patterns of the owner of such a device and build extensive profiles. From a pattern of inactivity at night, the sleeping place can be deduced, and from a regular travel pattern in the morning, the location of an employer may be deduced. The pattern may also include data derived from the movement patterns of friends, based on the so-called social graph. A behavioral pattern may also include special categories of data, if it for example reveals visits to hospitals and religious places, presence at political demonstrations or presence at other specific locations revealing data about for example sex life. These profiles can be used to take decisions that significantly affect the owner.”

    Read more here:

    http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/mobile-location-privacy-opinion-adopted-by-europes-wp29/


    On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy. It is strange that this reform says very little about geolocation data.


    Read more here:


    http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm

  • Senator Franken’s Comment to NTIA Focuses on Location Privacy

    Senator Franken’s Comment to NTIA Focuses on Location Privacy


    Page Hubben

    On April 2, Senator Al Franken, Chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, wrote a letter to the National Telecommunications and Information Administration, an agency of the U.S. Department of Commerce, to comment on the Multistakeholder Process to Develop Consumer Data Privacy Codes of Conduct. One of Senator Franken’s primary focuses in the letter is location privacy, and he argues that the Location Privacy Protection Act he introduced last year provides an answer to some of the major issues.


    Senator Franken’s main concern with location privacy is the lack of federal law governing commercial use of this data. He points out that because the Fourth Amendment does not apply to corporations, federal law allows companies to collect location information from customers and give the information to third parties. He notes that the Cable Act and the Communications Act prohibit cable and telephone service companies from disclosing customer location, but the Electronic Communications Privacy Act lets smartphone and app companies share the same information without obtaining consent.


    The letter aligns the location privacy bill with President Obama’s recently released Consumer Privacy Bill of Rights. The President’s proposal calls for transparency, individual control, and respect for context. Senator Franken asserts that transparency is not satisfied by disclosures in a privacy policy. Accordingly, his bill requires companies to tell consumers what information will be collected and to whom it will be disclosed. To implement individual control, companies must obtain express authorization prior to collecting or disclosing location information. In Senator Franken’s view, the combination of these requirements preserves contextual integrity, because consumers can ensure that their information is used only within a specific context.


    The letter enumerates recent events that triggered concerns over consumer privacy, such as the Carrier IQ software running secretly in mobile phones to collect location data and keystrokes. Such stories show that consumers appreciate the sensitive nature of location data, but the transition in technology has happened so rapidly that many people are unsure of when information is collected and by whom.


    The Future of Privacy Forum, a think tank, sees these events diminishing consumer confidence and is working with industry and government agencies to create responsible privacy practices. Part of the issue in their view is that policy makers know there is a problem, but may not have a clear understanding of what is going on.


    Nevertheless, regulation may be on the horizon. In addition to Senator Franken’s bill, Congressman Ed Markey released a draft of the Mobile Device Privacy Act earlier this year, which would require user permission to operate monitoring software on a mobile device. The Federal Trade Commission also specifically mentioned mobile data as a key area for privacy discussions, encouraging industry groups to regulate themselves.


    Many feel that self-regulation can address consumer concerns more effectively than the government. The Future of Privacy Forum calls for app developers to create solutions, and NetChoice, an e-commerce trade group, ranked the location bill as one of the worst for companies operating online because they believe it would require a pop-up notice every time an app collects location information. Senator Franken addresses this concern directly in his letter: “[A]s I explained when I spoke on the floor of the Senate to introduce the legislation, my bill will not flood consumers with pop-up consent screens: a one-time consent screen will suffice.”


    Criticism from business groups may be enough to stall this bill, but given the growth of mobile technology and consumer unease when location data is improperly shared, this is an issue likely to stay on everyone’s radar.

  • Reminder: NYU/Princeton Conference on Mobile and Location Privacy, April 13

    NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

    Date: Friday, April 13, 2012
    Time: 9:30 AM – 5:00 PM
    Location: Lipton Hall, 108 West 3rd Street [between Sullivan & MacDougal Streets], New York University School of Law, NYC

    Co-sponsored by the New York University Information Law Institute and the Princeton Center for Information Technology Policy, with generous support from Microsoft.

    For more, click here.

  • Concerns over Government Access to and Retention of Communications and Other Data

    Several recent NY Times articles reflect growing concerns over increasing government access to and retention of communications and other data here in the U.S.:


    Police Are Using Phone Tracking as a Routine Tool

    By ERIC LICHTBLAU

    Published: March 31, 2012

    Law enforcement tracking of cellphones is a convenient surveillance tool in many situations, but it is unclear if using such technology without a warrant violates the Constitution.


    U.S. Relaxes Limits on Use of Data in Terror Analysis

    By CHARLIE SAVAGE

    Published: March 22, 2012

    Attorney General Eric H. Holder Jr. signed new guidelines on how analysts may access, store and search information gathered by government agencies about Americans.


    And in the UK:


    Britons Protest Proposal to Widen Surveillance

    By ALAN COWELL

    Published: April 2, 2012

    Reported government plans to give intelligence services the ability to monitor the electronic communications of every person in the country drew fire on Monday.


    Katherine J. Strandburg


  • Does your level of Fourth Amendment protection vary inversely with the convenience of your digital life?

    Does your level of Fourth Amendment protection vary inversely with the convenience of your digital life?

    Matthew Smith

    Today, Ars Technica published an excellent rundown of the various approaches that policymakers have taken, or are taking, to attempt to secure the privacy of smartphone users.

    The article ties in with another recent Ars piece, which pointed out that Apple has the “master keys” to the encryption of its iCloud service – and so, in theory, could give those keys to the police, if asked.

    This situation exemplifies a truism that may well come to define the digital age: your level of privacy varies inversely with the convenience of your digital life. Here’s how it plays out.

    Everyone has data that’s important to them – and the convenience of their digital life depends, in large part, on how easily they can organize, access, and play around with their data. Data can be anything from an address book and e-mails to a digital movie collection.

    In the 1990s, the PalmPilot – arguably, the forerunner of modern smartphones – was successful, in large part, because it offered users easy, convenient access to their data. Of course, the PalmPilot posed no threat to privacy, as long as the user was able to hold onto it: the data never left the user’s possession. The drawback to this ecosystem was, as any PalmPilot user will remember, the need to “sync” the device whenever the user wished to update its data.

    The game changer in this realm was the creation of mobile access to the Internet and the rise of “The Cloud.” Once the devices we carried with us gained access to the Internet, putting our data on the Internet was an obvious next step: keep the master copy of everything in the Cloud, and, any time there is a change, all of the user’s devices can be updated over their Internet connections, in real-time. Everything is always up-to-date, and always at hand.

    But, of course, this convenience comes at a price. The user puts the privacy of their data at risk by entrusting it to a third party. The extent to which data given over to a third party is protected by the Fourth Amendment or other laws is still being worked out – largely because Cloud services are so new that laws regulating them have yet to develop – see the Ars Technica posts linked above. If Apple (or another company) possesses the keys to a user’s data, Apple (or the other company) can control who accesses that data. And frequently, the police look to access a user’s private data when they suspect the user of criminal activity.

    As the Ars Technica rundown of smartphone privacy approaches above indicates, the law here is unsettled – but it is clear that, absent a strong stand in favor of privacy, users who store their personal data in Cloud services may well be trading off legal privacy protections by doing so.

    So, what’s a tech-savvy citizen who values privacy and convenience to do?

    One clue may come from the so-called Maker Manifesto: “if you can’t open it, you don’t own it.” Unless a user is personally responsible for the storage and security of their data – perhaps by purchasing or building a dedicated private web server to be set up in the home or setting up an always-connected PC at home for remote access to its hard drive – it is impossible to be certain of the security and privacy of the user’s data.

    When a user personally controls access to their data, the level of government intrusion on that user’s privacy required to access that data is much greater. In the instance of a server set up in a private home, the government would be required to make entry into the home itself to access the data on the server. And traditionally, the home is the most-protected sphere under the Fourth Amendment.

    Of course, this is costly – and, because software systems for remote data access are frequently built around the assumption that the user will be connecting to a third-party service (Apple iCloud, Google, Box.net, Dropbox) to access their data – many of the convenient features of data storage in the Cloud may be unavailable to a user setting up their own system.

    Because of this cost – in terms of finance and convenience – the desirability of strong legal protections for users’ data stored with third parties is manifest. It remains to be seen whether (and how) Congress (and courts) will act to respond to this need.

  • “Can You Track Me Now?…Good.” Do Police Need a Warrant for Cell Phone Location Data?

    Kevin Frick

    “Can You Track Me Now?…Good.” Do Police Need a Warrant for Cell Phone Location Data?

    Last week, the question of whether law enforcement officials are required to get a warrant for cell-phone location data took a step toward Supreme Court review, as the government appealed to the Fifth Circuit a magistrate judge’s denial of an order for such data in the absence of probable cause. Several privacy organizations, including the ACLU and the Electronic Frontier Foundation, along with the National Association of Criminal Defense Lawyers, joined in submitting an amicus brief.

    Cell phone tracking data as an issue is heating up for a variety of reasons. First and foremost, the prevalence of cell phone use makes the issue palpable for almost every citizen. However, there are some lesser known legal reasons that make the issue a timely one. These include the following:

    • Law enforcement increasingly seeks such data; judges are increasingly denying access: The first published decision on the issue emerged from Brooklyn in 2005, when Magistrate Judge Orenstein made public his denial of law enforcement’s request for cell phone location data. Since then, many judges have followed his lead.
    • It implicates the important “third-party doctrine”: Under the third-party doctrine, information that has been volunteered to a third party no longer receives Fourth Amendment protection. However, the third-party doctrine was developed in quite different contexts, such as whether police can search garbage put out for collection. Justice Sotomayor has called it “ill-suited to the digital age.”
    • The effect of the recent U.S. v. Jones on the issue isn’t clear: The majority opinion in Jones decided the case—concerning the installation of a GPS device on a suspect’s car—primarily on the principle of physical trespass, despite a concurrence by Justice Sotomayor recognizing that “physical intrusion is now unnecessary to many forms of surveillance.”

    For these reasons and more, the issue of law enforcement collection of cell phone location data is likely one that moves quickly and publicly toward Supreme Court review.


    Update 4/2/12: Monday, the New York Times highlighted the issue, noting how many local police departments use location tracking data for routine investigations.

  • Rubinstein & Hirsch Comments to Department of Commerce RFC on Data Privacy Codes of Conduct

    From Prof. Rubinstein…

    BEFORE THE
    DEPARTMENT OF COMMERCE
    NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION

    Docket No. 120214135-2135-01
    Multistakeholder Process To Develop Consumer Data Privacy Codes of Conduct

    Request for Comments
    ________________________________________________________________________
    COMMENTS OF
    PROFESSOR IRA RUBINSTEIN, NEW YORK UNIVERSITY SCHOOL OF LAW
    AND
    PROFESSOR DENNIS HIRSCH, CAPITAL UNIVERSITY LAW SCHOOL

    (link to full document below the fold)
    (more…)

  • The National Counterterrorism Center Just Declared All of Us Domestic Terrorists…

    …or so says Marcy Wheeler at emptywheel.net:

    “NCTC turning NCTC’s authority to sometimes get domestic terrorism information into authority to get any dataset maintained by any executive agency that NCTC believes might include some information that might be terrorism information.

    Those of us in the US Government’s tax, social security, HHS, immigration, military, and other federal databases? We’ve all, by bureaucratic magic, been turned into domestic terrorists.”

    Read more here.

  • NYT – Justices Rule Against Pilot in Privacy Case

    Not a great outcome

    “The Supreme Court ruled on Wednesday that a private pilot whose H.I.V.-positive status was improperly shared between government agencies cannot collect damages for the emotional distress he suffered when he was punished for hiding his medical condition from the Federal Aviation Administration.

    In a case that pitted competing interests of public safety, personal privacy, and the broad immunity of the government from liability lawsuits, the court’s more conservative majority found that Congress had not allowed compensation for mental anguish when violations of the Privacy Act of 1974 inflicted no actual damage, like a loss of income.”

    (more…)