A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.
In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.
"Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent," Sessions wrote in an opinion last week, referring to Homeland Security's Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn't access the Z: drive when they tried again nine days after Boucher was arrested.
Boucher's attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.
The Fifth Amendment says nobody can be "compelled in any criminal case to be a witness against himself," which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.
Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over "passwords used or associated with" the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.
At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.
Barry Steinhardt, director of the ACLU's technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher "should have been able to assert his Fifth Amendment rights. It's not the same thing as asking him to turn over the Xeroxed copy of a document."
"There is no distinction" between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. "Either of those things results in an encrypted set of files being brought into plain view."
Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn't know where the incriminating files are, or second, if turning them over would "implicitly authenticate" them.
Because the Justice Department believes it can link Boucher with the files through another method, it's agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)
Sessions wrote: "Boucher's act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication."
The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.
Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography." Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested.
It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption, which can be configured to forget the passphrase after a certain time. That would effectively re-encrypt the Z: drive.)
It's time to take another look at the intriguing case of United States v. Boucher, which may set the ground rules for whether or not criminal defendants can be compelled to divulge encryption passphrases.
When I last wrote about the Boucher case, the U.S. Department of Justice was refusing to comment on the matter. Here's my original article from last month for background.
The case arose because federal agents believe Boucher has child pornography on his laptop, and obtained a warrant to search it. But part of the hard drive was PGP-encrypted, and the Feds obtained a subpoena to force him to disclose (or even simply type in) his passphrase.
U.S. Magistrate Judge Jerome Niedermeier in Vermont rejected the subpoena on Fifth Amendment grounds--namely, that compelled disclosure of a passphrase amounted to self-incrimination. The Fifth Amendment says no person "shall be compelled in any criminal case to be a witness against himself."
The Washington Post, by the way, finally got around to writing about this (a month later) on Wednesday in a page one article. It quotes Boucher as saying that he likes to download Japanese cartoons and occasionally adult pornography, but that he does not seek to view child porn.
Now the Justice Department is filing a sealed appeal to the magistrate judge's decision to U.S. District Judge William K. Sessions. Sessions is a Clinton appointee, a former public defender who became a partner at the Middlebury, Vt. law firm Sessions, Keiner, Dumont & Barnes. He was part of the U.S. Sentencing Commission during the Clinton administration.
What's a bit odd is that, as far as I can tell, the Feds' appeal brief itself was filed under seal on January 2, and Boucher's reply brief in opposition filed on January 15 was also under seal. Considering that the original criminal complaint is public, and the magistrate judge's Fifth Amendment decision is public, there's no obvious reason why this extra secrecy is necessary. More on this as the case progresses.
The U.S. Department of Justice won't say when it believes an American citizen should be forced to divulge his or her PGP passphrase.
We've been trying for the last two days to get the DOJ to answer this question, which became an important one after last week's news about a judge ruling a criminal defendant can't be forced to divulge his passphrase on Fifth Amendment grounds.
The Fifth Amendment, of course, protects the right to avoid self-incrimination.
In the case of U.S. v. Sebastien Boucher, federal prosecutors think that the defendant has child pornography encrypted with PGP (Pretty Good Privacy) on his Alienware laptop. They sent him a grand jury subpoena demanding the passphrase--which is what a judge rejected on Fifth Amendment grounds.
"I won't be able to provide anyone for an interview," said DOJ spokesman Jaclyn Lesch. "The point you raise is one that we would want to address in court. I hope you understand."
We had asked the DOJ this: "In the DOJ's view, under what circumstances can a person be legally compelled to turn over an encryption passphrase?"
In one view, which prosecutors tend to share, a passphrase is like a document or key that must be forcibly turned over. The civil libertarian view treats a passphrase as the contents of someone's mind, which a defendant cannot be compelled to divulge.
The distinctions between these views are important to Americans' privacy rights and law enforcement needs. Unfortunately, we'll have to wait for future legal filings to find out what our public servants actually think.
News.com's Anne Broache contributed to this report
A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.
U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.
Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop."
Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.")
This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings.
Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."
The alternate view elevates individual rights over prosecutorial convenience. It looks to other Supreme Court cases saying Americans can't be forced to give "compelled testimonial communications" and argues the Fifth Amendment must apply to encryption passphrases as well. Courts already have ruled that that such protection extends to the contents of a defendant's minds, so why shouldn't a passphrase be shielded as well?
In this case, Judge Niedermeier took the second approach. He said that encryption keys can be "testimonial," and even the prosecution's alternative of asking the defendant to type in the passphrase when nobody was looking would be insufficient.
Laptop files: Unencrypted, then encrypted
A second reason this case is unusual is that Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography."
Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested. It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption. It's a little unclear what exactly happened, but one likely scenario is that Boucher configured PGP to forget his passphrase, effectively re-encrypting the Z: drive, after a few hours or days had elapsed.)
According to Niedermeier's written opinion, prosecutors sent Boucher a grand jury subpoena asking for the passwords because:
Secret Service Agent Matthew Fasvlo, who has experience and training in computer forensics, testified that it is nearly impossible to access these encrypted files without knowing the password. There are no "back doors" or secret entrances to access the files. The only way to get access without the password is to use an automated system which repeatedly guesses passwords. According to the government, the process to unlock drive Z could take years, based on efforts to unlock similarly encrypted files in another case. Despite its best efforts, to date the government has been unable to learn the password to access drive Z.
The opinion added:
If the subpoena is requesting production of the files in drive Z, the foregone conclusion doctrine does not apply. While the government has seen some of the files on drive Z, it has not viewed all or even most of them. While the government may know of the existence and location of the files it has previously viewed, it does not know of the existence of other files on drive Z that may contain incriminating material. By compelling entry of the password the government would be compelling production of all the files on drive Z, both known and unknown.
Boucher is a Canadian citizen who is a lawful permanent resident in the United States and lives with his father in Derry, N.H. Two attorneys listed as representing him could not immediately be reached for comment on Friday.
So what happens next? It's possible that prosecutors will be able to establish that Boucher's laptop has child pornography on it without being able to access it: after all, there were at least two federal agents who looked at the laptop when the Z: drive was still unencrypted.
But if this ruling in the case is eventually appealed, it could have a far-reaching impact in a pro-privacy or pro-law-enforcement direction.
Michael Froomkin, a law professor at the University of Miami, has written that the government "would have a very hard time" trying to obtain a memorized passphrase. A similar argument, published in the University of Chicago Legal Forum in 1996, says:
The courts likely will find that compelling someone to reveal the steps necessary to decrypt a PGP-encrypted document violates the Fifth Amendment privilege against compulsory self-incrimination. Because most users protect their private keys by memorizing passwords to them and not writing them down, access to encrypted documents would almost definitely require an individual to disclose the contents of his mind. This bars the state from compelling its production. This would force law enforcement officials to grant some form of immunity to the owners of these documents to gain access to them.
But prosecutors think they can split the idea of immunity into two halves: divulging the passphrase, and then using the passphrase to decrypt the files. A 1996 article by Philip Reitinger of the Department of Justice's computer crime section proposes a clever device for forcing a defendant to divulge a PGP passphrase and then convicting him anyway (remember, the passphrase lets the key be used to decrypt the document):
Finally, even if the foregoing considerations require the government to grant act-of-production immunity to compel production of a key, the scope of the immunity should be quite narrow. The contents of the key are not privileged, and it is the contents that will be used to decrypt a document. Therefore, the government can use the contents of the decrypted document without impediment. Unless the government cannot authenticate the document to be decrypted without using the act of production of the key, granting act-of-production immunity should have little effect.
Translation: Giving a defendant limited immunity in terms of forcing them to turn over the passphrase can lead to a conviction. That's because the fellow technically isn't being convicted based on his passphrase; he's being convicted for what it unlocks. Isn't the law grand?
- prev
- 1
- next
