Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says Yes
FindLaw’s Writ – Colb: Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says YesThis case raises some interesting questions about using cryptography. Not the usual ones about technical attacks, but about how strong crpyto behaves in court. In general, if someone finds an encrypted volume on your computer, is that prima fascia evidence of illegal materials and thus probable cause? Suppose it was called “my plans to kill the president”? In this particular case the defendant actually showed law enforcement people the contents of the encrypted directory, and the files located therein clearly indicated illegal content. That would seem to be his big mistake. The prosecutors are not guessing about the files in there, they know what is there already, and just want access.At the end of the day, the defendant can always decide if the punishment for contempt for not revealing the password is worse than the punishment for what will be found inside. If the contents are really bad, he is best off resisting. I can’t see anyone doing 20 years in jail to compel production of the password.Of course, in that amount of time, computers may be fast enough that brute forcing the password may be trivial. This is a real concern if the statute of limitations for your crime is very long or there is no limitation.
- Lance Cottrell
February 20th, 2008 at 1:12 pm
Several thoughts occur to me. First, if you value your security you should never, ever, give a file a name which reveals its content. Now in this case we are dealing with an accused pederast. But it could apply equally to anyone who has a file they don’t want to reveal. I would never name a file “passwords”. Would you?
My second thought is that lawyers and doctors and ministers are particularly vulnerable to these searches as they are particularly likely to have critical documents on their laptops.
Finally, everyone should note the extraordinary powers granted our customs people (“ICE”) and their ability to search anything and everything for any reason when you cross the border.
July 24th, 2008 at 9:51 pm
Simply put, 100% YES!
When confronted with this issue, courts have analogized electronic storage devices to closed containers, and have reasoned that accessing the information stored within an electronic storage device is akin to opening a closed container. Because individuals generally retain a reasonable expectation of privacy in the contents of closed containers, see United States v. Ross, 456 U.S. 798, 822-23 (1982), they also generally retain a reasonable expectation of privacy in data held within electronic storage devices. Accordingly, accessing information stored in a computer ordinarily will implicate the owner’s reasonable expectation of privacy in the information. See United States v. Barth, 26 F. Supp. 2d 929, 936-37 (W.D. Tex. 1998) (finding reasonable expectation of privacy in files stored on hard drive of personal computer); United States v. Reyes, 922 F. Supp. 818, 832-33 (S.D.N.Y. 1996) (finding reasonable expectation of privacy in data stored in a pager); United States v. Lynch, 908 F. Supp. 284, 287 (D.V.I. 1995) (same); United States v. Chan, 830 F. Supp. 531, 535 (N.D. Cal. 1993) (same); United States v. Blas, 1990 WL 265179, at *21 (E.D. Wis. Dec. 4, 1990) (“[A]n individual has the same expectation of privacy in a pager, computer, or other electronic data storage and retrieval device as in a closed container.”).
Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions over whether each individual file stored on a computer or disk should be treated as a separate closed container. In two cases, the Fifth Circuit has determined that a computer disk containing multiple files is a single container for Fourth Amendment purposes. First, in United States v. Runyan, 275 F.3d 449, 464-65 (5th Cir. 2001), in which private parties had searched certain files and found child pornography, the Fifth Circuit held that the police did not exceed the scope of the private search when they examined additional files on any disk that had been, in part, privately searched. Analogizing a disk to a closed container, the court explained that “police do not exceed the private search when they examine more items within a closed container than did the private searchers.” Id. at 464. Second, in United States v. Slanina, 283 F.3d 670, 680 (5th Cir. 2002), the court held that when a warrantless search of a portion of a computer and zip disk had been justified, the defendant no longer retained any reasonable expectation of privacy in the remaining contents of the computer and disk, and thus a comprehensive search by law enforcement personnel did not violate the Fourth Amendment.
July 24th, 2008 at 10:05 pm
My last thought on this topic is if you or your company have information you do not want a third party to obtain, you MUST:
1. Encrypt the file/folder; Have a passphrase, do NOT use a word due to software that can do dictionary attacks in multiple languages, but you must utilize a passphrase with numbers and characters. DO NOT write it down. If you are a corporation, remember, industrial espionage is rampant. Ex-KGB, and other out of work intelligence officers make a living applying their trade to the highest bidder these days. I prefer PGP, or Blowfish encryption.
2. Use a wiping utility, CyberScrub, Evidence-Eliminator, etc. that wipes the cache area of your computer; this is where passwords are sometimes stored, and the software also has features that allow you to destroy web browsing history, photographs, etc.
3. Trust your computer to no one. Software and hardware devices are cost as little as $30 and will record each character you type and e-mail it to the person who wants to know your passphrase, bank account info, etc. Of course, do NOT open e-mail you do not know who it is from since their is spyware you can be e-mailed, and it will install once opened.
4. If you want to put the icing on the computer security cake, use a proxy that does not keep logs of their users activity. Most do not.