Passwords tangled in Fifth Amendment

Summary: A bank fraud case in Colorado could help determine the legal protection of users who password protect data. In the case, a woman is arguing that giving up her password to unlock encrypted data stored on a laptop is a violation of her Fifth Amendment rights.

They are two tenets of multi-factor authentication.

Something you know. And something you have.

Under a legal lens, however, they are distinctly separate and now either one could influence how the Fifth Amendment, which in the U.S. protects against self-incrimination, evolves to reflect the digital world.

And in fact, either could help set legal precedent going forward as access controls evolve from passwords to secure tokens and biometrics.

The issues are woven into a nearly two-year-old bank fraud case currently being heard in U.S. District Court in Denver. In the case, prosecution likely will hinge on whether the defendant's password is ruled to be something she knows or something she has. Federal prosecutors want the court to force the woman to unlock her computer and reveal stored documents.

Basically, if the password is a physical thing she has, then the Fifth Amendment does not protect it. But if the password is deemed to be something the defendant knows, it is protected.

U.S. District Judge Robert Blackburn said he will issue his ruling soon following a hearing in the case Jan. 4, the third such hearing in the past six months.

"The situation in this case is going to come up again and again," says Marcia Hofmann, senior staff attorney at the Electronic Frontier Foundation (EFF). "The court needs to find a way to deal with this."

The situation involves Ramona Fricosu, who along with her husband, was indicted in a mortgage scam in 2010 in Colorado Springs, Colo.

What federal prosecutors want now is access to a laptop taken from her home that they say may contain evidence pivotal to the case. The rub is that the data is protected behind a password.

The Denver Post reported that Patricia Davies, an assistant U.S. attorney, told the court that allowing Fricosu to hide behind a password will signal that "encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers." She said such a situation would make prosecution impossible.

The Post also reported that Fricosu's attorney, Philip Dubois, told the judge if the password is treated like a key "the meaning of 'search warrant' will be stretched and the rights to privacy and against self-incrimination shrunk."

To illustrate the principle, the Supreme Court has previously explained that a witness might be "forced to surrender a key to a strongbox containing incriminating documents," but not "compelled to reveal the combination to a wall safe."

Civil liberty groups have jumped on the digital case.

"If the government is able to force people to turn over their encryption passwords, it is able to force people to be witnesses against themselves in ways that violate the constitution," said the EFF's Hofmann. The EFF has filed a brief in the Fricosu case.

Encrypting files, whether on a hard drive or hosted by a third-party, is becoming a de facto standard. Hofmann says as part of her legal practice she uses encryption to protect client files.

She says the most recent Supreme Court precedent, which came in 2000 (United States v. Hubbell), shows how the law could be applied in digital cases. The Court concluded the Fifth Amendment rights of defendant Walter Hubbell were violated when he produced documents after being granted immunity and was then prosecuted based on the contents of those documents.

"The way that case applies to passwords and encryption is very relevant," says Hofmann.

As these cases come up, each one has relevant points that can tip the outcome one way or the other. In the Fricosu case, prosecutors now seem to be attempting to get around the password question by saying they know the contents of the laptop, therefore the knowledge is a "foregone conclusion" and the defendant can't incriminate herself.

Hofmann says the advent of secure tokens, used to pass authentication or authorization information for access control, will open up another can of worms.

"That is an interesting question. I honestly don't know how the courts would come out on that," she said.  "The ultimate question is that in producing this thing does it reveal what a person knows."

The court would have to rule if the token is a "thing" the user possesses. In many cases today, users often store tokens for varying lengths of time and use them as keys to unlock access to data.

Biometrics provides another twist. Hofmann believes there could be circumstances where data protected by a fingerprint reader could have legal implications such as proving the user has control over the data and, if the authentication is successful, that the user owns the data.  "That is different than just supplying your fingerprint."

"These cases definitely get harder. I hope the judge understands these concerns and realizes there are serious consequences," she said. Consequences not only for the Fricosu case, but in the future for password-protected or encrypted digital data.

What direction do you think the court should go?  What legal/constitutional protections should users have in regards to their protected digital data?


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • RE: Passwords tangled in Fifth Amendment

    well what if it's a combination lock safe? do they physically destroy or hack the safe, or do they make people open it, or do they make people say the combinations?
    • RE: Passwords tangled in Fifth Amendment

      @fenom - case law to this point is that defendants could not be compelled to give up "something they know" like a combination or a location of potential evidence. If the item is "something they have", then the authorities could seize it and do whatever they wanted to uncover evidence, including destructive activities such as opening a safe or analyzing a tissue sample.
      terry flores
    • RE: Passwords tangled in Fifth Amendment

      @fenom In my mind, the Fifth amendment says a person should not be forced to say or do anything which is self-incriminating. People complain that it hinders law enforcement, as if that is a bad thing. That's exactly what it is supposed to do. It's called "checks and balances." The Fifth amendment was designed to prevent abusive practices by zealous law enforcement. There is no other reason for its existence. If you read it, most of the Constitution was created to protect citizens from an out of control government. Our nation was founded by people who were trying to get away from those types of governments. Unfortunately, that's exactly why the government has been slowly chipping away at our Constitutional rights. They want more power. They use fear to manipulate the sheep who inhabit this nation into giving up more rights every day.
      • RE: Passwords tangled in Fifth Amendment

        @BillDem You Sir are Right, and what one Party Starts the other Party continues and makes worse, then they exchange roles and start all over again! Bush indefinite detention of Non-Citizen Terrorists, Obama Indefinite detention of Domestic Terrorists! I doubt the Republicans in the Senate will threaten to filibuster either!
      • RE: Passwords tangled in Fifth Amendment

        @BillDem YES! EXACTLY! We have been living in a police state for years now, and a lot of sheeple just can't see it. Take for instance police using military tactics on the average citizen. No-knock-kick-the-door-in warrants, even against old folks, no-warrant searches of your cell phone even if you only got pulled over for speeding or anytime you're arrested. The list goes on and on, and now they're trying to force you to incriminate yourself by forcing us to give them passwords.
        If our forefathers were alive today, they would be shocked and saddened by how our politicians and law enforcement have butchered the constitution...
      • Absolutely!

        The subjection of an American citizen starts in the public (i.e., government) schools, where children are taught to believe that the state can do no wrong and is a benevolent force for good. After indoctrination, the state employs fear to convince citizens that freedom is dangerous. In addition, the state decides to make "war" on something that the citizens are told is so evil and dangerous that only the state can protect them, provided, of course, that they submit to the indignities and loss of rights that are "necessary" to keep them secure. At the height of the war frenzy, dissenters are labeled as unpatriotic, uncooperative, treacherous, and crazy, and consequentially repressed by their fellow citizens, as well as by the state.
        sissy sue
  • RE: Passwords tangled in Fifth Amendment

    The Defence should make the Prosecution state what "they know".
    If the Prosecution doesn't "know" and they are lying, then the Defence should be able to get the case thrown out, surely?
    • RE: Passwords tangled in Fifth Amendment

      @lehnerus2000 - You watch too much television. The number of cases that have been overturned after proven misconduct is minuscule. The courts including SCOTUS have upheld even egregious violations since the Reagan years, it is an ongoing discussion in Fourth Amendment cases and the weakening of exclusionary rules.
      terry flores
      • RE: Passwords tangled in Fifth Amendment

        @terry flores
        D**** that Perry Mason (Raymond Burr). :)

        Seriously though, it's not my fault the US legal system is corrupt.
  • Simple at first sight ...

    ... existing laws appear adequate: if law enforcement have sufficient evidence to convince a judge to issue a warrant for searches ... then whether your key is physical, virtual or biometric is irrelevant.

    No doubt the legal profession will make it expensive to define 'sufficient evidence' ... but hopefully judges have the necessary leeway to exercise common sense.

    WRT to the 5th amendment and in the UK the police caution 'you do not have to say anything but ...' - these are fair protections against self-incrimination in the heat of the moment and against the potentially hideous twisting of common-sense and morality enshrined in Law of which the layman might well be ignorant ... but if the accusations are backed by 'sufficient evidence' ... then I think one should be forced to give testimony, even if self-incriminating.

    IANAL - you already knew that ;-)
    • RE: Passwords tangled in Fifth Amendment

      a warrant for searching is different than forcing a person to be used as authentication for biometric security.
      • RE: Passwords tangled in Fifth Amendment

        @tiderulz - the difference is between "evidence" and "compliance". Does the biometric key provide evidence that a person committed a crime? that is one thing. But the US also prosecutes people who "obstruct justice" by failing to comply with authorities. Destroying evidence is a common prosecution, as is lying to any authority at any time. So does failing to unlock an encryption fall into that category as well?
        terry flores
      • RE: Passwords tangled in Fifth Amendment

        @tiderulz Exactly - A warrant for Searching is vastly different than forcing someone to show the police where something is.
    • RE: Passwords tangled in Fifth Amendment

      @johnfenjackson@... "forced to give testimony"

      There are significant differences between the self-incrimination protections in US and UK law, and both have been severely weakened in the last couple of decades. But your summary statement is contrary to both of them in principle, since you do not believe in the protection in the first place.
      terry flores
  • RE: Passwords tangled in Fifth Amendment

    "the Supreme Court has previously explained that a witness might be 'forced to surrender a key to a strongbox containing incriminating documents,' but not 'compelled to reveal the combination to a wall safe.'"

    If this is true, then the answer is simple. She is not required to give up her password. It is the same as the safe- no different. Having said that, I am not familiar with the Supreme Court's logic in making that ruling. I'm sure it makes sense.... the idea that you can't be forced to speak what you know- self-incrimination.
    • RE: Passwords tangled in Fifth Amendment

      It's not quite the same thing. With the physical safe, even without the combination, the authorities can gain access to the safe without the combination. It's not so easy to decrypt files without the key. There's no physical equivalent as there is by drilling through a physical lock.
      silent E
      • RE: Passwords tangled in Fifth Amendment

        @silent E
        Uh, yes there is - it's called a brute force crack. It's as identical as two things can be in two different realms. When you drill a lock you use brute physical force to bypass the locking mechanism and obtain the contents. A brute force crack uses brute logic to systematically determine the locking mechanism's key and obtain the contents without ever using the password. The authorities have possession of the laptop, the same as having possession of a safe, they may now do whatever they need to in order to bypass the security system and obtain the contents. Forcing the defendant to turn over the password is identical to turning over the combination to a safe - both are sequences of information that unlock access to materials, neither are physical things which can be surrendered, the password (like the combination) doesn't exist physically, only within the mind of someone who knows it.
      • RE: Passwords tangled in Fifth Amendment

        @silent E
        And just to head off the comments that digitally cracking something isn't a physical equivalent - yes it is. Electricity is a physical phenomenon, the use of it to bypass a digital system is still a physical application. Apply enough electricity in the right fashion and you'll break in.
  • The Prosecution will lose

    I thought the feds had the ability to decrypt data. I wonder what encryption software the criminal was / is using?
    • RE: Passwords tangled in Fifth Amendment

      probably something as simple as Truecrypt