The District of Colorado recently handed down an order in United States v. Fricosu requiring the defendant to decrypt the contents on her laptop so the government could access it. According to the Court, compelled decryption did not violate the Fifth Amendment’s bar against compelled self-incrimination.
In reaching this decision, the Court relied upon In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D. Vt. Nov. 29, 2007) (Boucher I) and In re Grand Jury Subpoena to Boucher, 2009 WL 424718 (D. Vt. Feb. 19, 2009) (Boucher II). The Boucher decisions, in turn, relied upon the Supreme Court’s decision in United States v. Doe, 487 U.S. 201 (1984).
Doe distinguished between compelling the testimony of new information to the government (not permitted under the Fifth Amendment) and compelling giving access to existing information (permitted so long as the act of production results in no new facts). Thus, a defendant may be compelled to provide a key to a wall safe. In contrast, a defendant may not be compelled to provide a combination since the combination itself would constitute new information. Therefore, the government may compel a defendant to provide access to a computer’s contents once it knows the defendant has the ability to access the computer. But it may not compel production of a password.
This may seem like a distinction without a difference, but there could be scenarios where information like the password is itself incriminating — for instance, if the password was “ImGuiltyScrewTheFeds.” Moreover, to the extent that people frequently reuse passwords, providing a password to the government could enable unsanctioned fishing expeditions across the Internet.
Although civil liberties groups have expressed concern about the decision, it will have little impact on tech savvy computer users. The defendant here used an encryption program called PGP Desktop. She could easily have avoided her current dilemma by using comparable encryption software with a “hidden container” feature, such as TrueCrypt. In effect, TrueCrypt permits its users to encrypt their computers with two different passwords. Using the first password to decrypt the system would reveal one set of data. Using the second password would reveal an additional hidden set of data. TrueCrypt is designed in such a way as to render it technically infeasible to detect the presence of the hidden data, absent the second password.
Absent any other information, the owner of a computer encrypted in such manner may plausibly deny the existence of hidden data. Moreover, the Fifth Amendment bars the government from compelling access to this hidden data since to do so would confirm that the hidden data exists.
That said, the government may compel access to hidden data should the government discover its existence through other means. In Fricosu, the court pointed to a recorded conversation between the defendant and her ex-husband as evidence that the defendant was capable of decrypting the laptop in question. While technology like TrueCrypt can make it technically impossible to tell if hidden data exists, revealing that fact to others could make it a moot point.