Passwords tangled in Fifth Amendment
Summary: A bank fraud case in Colorado could help determine the legal protection of users who password-protect data. In the case, a woman is arguing that giving up her password to unlock encrypted data stored on a laptop is a violation of her Fifth Amendment rights.
They are two tenets of multi-factor authentication.
Something you know. And something you have.
Under a legal lens, however, they are distinctly separate and now either one could influence how the Fifth Amendment, which in the U.S. protects against self-incrimination, evolves to reflect the digital world.
And in fact, either could help set legal precedent going forward as access controls evolve from passwords to secure tokens and biometrics.
The issues are woven into a nearly two-year-old bank fraud case currently being heard in U.S. District Court in Denver. In the case, prosecution likely will hinge on whether the defendant's password is ruled to be something she knows or something she has. Federal prosecutors want the court to force the woman to unlock her computer and reveal stored documents.
Basically, if the password is a physical thing she has, then the Fifth Amendment does not protect it. But if the password is deemed to be something the defendant knows, it is protected.
U.S. District Judge Robert Blackburn said he will issue his ruling soon following a hearing in the case Jan. 4, the third such hearing in the past six months.
"The situation in this case is going to come up again and again," says Marcia Hofmann, senior staff attorney at the Electronic Frontier Foundation (EFF). "The court needs to find a way to deal with this."
The situation involves Ramona Fricosu, who, along with her husband, was indicted in a mortgage scam in 2010 in Colorado Springs, Colo.
What federal prosecutors want now is access to a laptop taken from her home that they say may contain evidence pivotal to the case. The rub is that the data is protected behind a password.
The Denver Post reported that Patricia Davies, an assistant U.S. attorney, told the court that allowing Fricosu to hide behind a password will signal that "encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers." She said such a situation would make prosecution impossible.
The Post also reported that Fricosu's attorney, Philip Dubois, told the judge that if the password is treated like a key, "the meaning of 'search warrant' will be stretched and the rights to privacy and against self-incrimination shrunk."
To illustrate the principle, the Supreme Court has previously explained that a witness might be "forced to surrender a key to a strongbox containing incriminating documents," but not "compelled to reveal the combination to a wall safe."
Civil liberty groups have jumped on the digital case.
"If the government is able to force people to turn over their encryption passwords, it is able to force people to be witnesses against themselves in ways that violate the constitution," said the EFF's Hofmann. The EFF has filed a brief in the Fricosu case.
Encrypting files, whether on a hard drive or hosted by a third party, is becoming a de facto standard. Hofmann says as part of her legal practice she uses encryption to protect client files.
She says the most recent Supreme Court precedent, which came in 2000 (United States v. Hubbell), shows how the law could be applied in digital cases. The Court concluded the Fifth Amendment rights of defendant Walter Hubbell were violated when he produced documents after being granted immunity and was then prosecuted based on the contents of those documents.
"The way that case applies to passwords and encryption is very relevant," says Hofmann.
As these cases come up, each one has relevant points that can tip the outcome one way or the other. In the Fricosu case, prosecutors now seem to be attempting to get around the password question by saying they know the contents of the laptop, therefore the knowledge is a "foregone conclusion" and the defendant can't incriminate herself.
Hofmann says the advent of secure tokens, used to pass authentication or authorization information for access control, will open up another can of worms.
"That is an interesting question. I honestly don't know how the courts would come out on that," she said. "The ultimate question is that in producing this thing does it reveal what a person knows."
The court would have to rule if the token is a "thing" the user possesses. In many cases today, users often store tokens for varying lengths of time and use them as keys to unlock access to data.
Biometrics provides another twist. Hofmann believes there could be circumstances where data protected by a fingerprint reader could have legal implications such as proving the user has control over the data and, if the authentication is successful, that the user owns the data. "That is different than just supplying your fingerprint."
"These cases definitely get harder. I hope the judge understands these concerns and realizes there are serious consequences," she said. Consequences not only for the Fricosu case, but in the future for password-protected or encrypted digital data.
What direction do you think the court should go? What legal/constitutional protections should users have in regards to their protected digital data?
Talkback
RE: Passwords tangled in Fifth Amendment
If our forefathers were alive today, they would be shocked and saddened by how our politicians and law enforcement have butchered the constitution...
Absolutely!
The subjection of an American citizen starts in the public (i.e., government) schools, where children are taught to believe that the state can do no wrong and is a benevolent force for good. After indoctrination, the state employs fear to convince citizens that freedom is dangerous. In addition, the state decides to make "war" on something that the citizens are told is so evil and dangerous that only the state can protect them, provided, of course, that they submit to the indignities and loss of rights that are "necessary" to keep them secure. At the height of the war frenzy, dissenters are labeled as unpatriotic, uncooperative, treacherous, and crazy, and consequentially repressed by their fellow citizens, as well as by the state.
RE: Passwords tangled in Fifth Amendment
If the Prosecution doesn't "know" and they are lying, then the Defence should be able to get the case thrown out, surely?
RE: Passwords tangled in Fifth Amendment
D**** that Perry Mason (Raymond Burr). :)
Seriously though, it's not my fault the US legal system is corrupt.
Simple at first sight ...
No doubt the legal profession will make it expensive to define 'sufficient evidence' ... but hopefully judges have the necessary leeway to exercise common sense.
WRT to the 5th amendment and in the UK the police caution 'you do not have to say anything but ...' - these are fair protections against self-incrimination in the heat of the moment and against the potentially hideous twisting of common-sense and morality enshrined in Law of which the layman might well be ignorant ... but if the accusations are backed by 'sufficient evidence' ... then I think one should be forced to give testimony, even if self-incriminating.
IANAL - you already knew that ;-)
RE: Passwords tangled in Fifth Amendment
A warrant for searching is different than forcing a person to be used as authentication for biometric security.
RE: Passwords tangled in Fifth Amendment
There are significant differences between the self-incrimination protections in US and UK law, and both have been severely weakened in the last couple of decades. But your summary statement is contrary to both of them in principle, since you do not believe in the protection in the first place.
RE: Passwords tangled in Fifth Amendment
If this is true, then the answer is simple. She is not required to give up her password. It is the same as the safe- no different. Having said that, I am not familiar with the Supreme Court's logic in making that ruling. I'm sure it makes sense.... the idea that you can't be forced to speak what you know- self-incrimination.
RE: Passwords tangled in Fifth Amendment
It's not quite the same thing. With the physical safe, even without the combination, the authorities can gain access to the safe without the combination. It's not so easy to decrypt files without the key. There's no physical equivalent as there is by drilling through a physical lock.
RE: Passwords tangled in Fifth Amendment
Uh, yes there is - it's called a brute force crack. It's as identical as two things can be in two different realms. When you drill a lock you use brute physical force to bypass the locking mechanism and obtain the contents. A brute force crack uses brute logic to systematically determine the locking mechanism's key and obtain the contents without ever using the password. The authorities have possession of the laptop, the same as having possession of a safe, they may now do whatever they need to in order to bypass the security system and obtain the contents. Forcing the defendant to turn over the password is identical to turning over the combination to a safe - both are sequences of information that unlock access to materials, neither are physical things which can be surrendered, the password (like the combination) doesn't exist physically, only within the mind of someone who knows it.
RE: Passwords tangled in Fifth Amendment
And just to head off the comments that digitally cracking something isn't a physical equivalent - yes it is. Electricity is a physical phenomenon, the use of it to bypass a digital system is still a physical application. Apply enough electricity in the right fashion and you'll break in.
The Prosecution will lose
RE: Passwords tangled in Fifth Amendment
Probably something as simple as TrueCrypt