Patrick Lambert looks at some high-profile cases of defendants being forced to give up passwords and encryption keys. What are your options when it happens to you outside of a court of law?
As IT admins and techies most of us take security seriously. Even management in most businesses has started to realize in the last couple of years how important it is to have a secure network and locked down computers. You may even think you're completely safe from attackers with your firewall, NAT router, antivirus software, security software, and full-disk encryption on your laptop for when you're on the road. Perhaps you keep up to date with the latest exploits, and make sure to always be two steps ahead of the bad guys, making yourself to be the least desirable target of all. But then, what happens if the people trying to breach your security aren't malicious crackers or online criminals, but the law? What plans have you made for when you're confronted by someone with a badge, and they ask you to open your laptop, give them your encryption password, or show them all your documents? That's what happened to Ramona Fricosu recently when she was put in jail for refusing to unlock her laptop, and it happens very often at border checks and other controls, and various other circumstances.
In this particular Colorado case, prosecutors say that Fricosu is suspected of having committed real estate fraud, and that the law enforcement authorities need to have full access to her unencrypted files. The defendant refused, and the EFF is helping her by opposing the government's request. But the judge side-stepped the issue. Since the EFF claimed that turning over her password would be a 5th amendment violation, the judge forced the woman to turn over an unencrypted version of the files. Federal prosecutors said that "not allowing the government access to encrypted computers would make it impossible to prosecute crimes such as terrorism, child exploitation, and drug trafficking." Of course, the EFF attorney disagrees and claims that the government, in this case, is trying to make encryption into something only criminals would use. So far, the 10th U.S. Circuit Court of Appeals refused to take on the case until Fricosu's criminal case is concluded first. [Editor's Note: In a separate case, the 11th U.S. Circuit Court of Appeals declared in a ruling last Thursday that forcing a defendant to unencrypt their hard disks is unconstitutional.]
This isn't the first time where someone suspected to be involved in some crime has had law enforcement officials or prosecutors demand to have access to documents, computers, and any other locked digital assets. There's been no ground-breaking standard set so far, and judges have actually ruled in various ways, sometimes claiming that encrypted documents were akin to protected speech, and other times more like a locked safe, which can be broken into. When it's a clear cut case that's in front of a court, there's very little that we as technology enthusiasts can do. Whether we fight the order, and hire an attorney to defend our rights to privacy is a personal matter, and something each of us has to decide. But things become much more gray when it comes to random searches and controls, where we're not accused of a crime, and when it's far less obvious that the officers have any right to see our data.
It's a sad fact that laptop seizures at the U.S. border are becoming more common, as shown by yet another high profile case last month. A lot of people don't realize that the Fourth Amendment does not require border agents to have a reasonable suspicion before searching laptops or other digital devices at the border, including international airports. The question that's still unclear, however, is whether or not an officer can force you to provide your encryption key. And for those of us who care about our digital security or privacy, that's the most important point. What would you do if you entered the country and a border agent asked for your password? Or what about random searches in which you aren't suspected of a crime, but they'd like to have a look, just in case? There's several ways to approach the issue.
The first way is obviously to comply. Many people think that if they don't have anything to hide, then talking to cops or other government officers and allowing them to search their car, their belonging, or their digital data, is the safest course of action, and the fastest way to be on their way. It's a personal decision, but one I tend to disagree with. For a good argument on this (although mostly about physical searches rather than digital ones), I recommend watching this video. The second way is to fight it. If someone asks you what's on your laptop, your smartphone, or if they ask to take it away from you for a bit, you refuse. They may still take it, but they won't be able to read the encrypted content. Then, it's up to them to decide whether to push it or not. In many cases they won't, but if they do, then that may mean legal troubles for you.
Then there's the third option, which is to try and trick them. That's what TrueCrypt's Plausible Deniability is all about, where you have two separate encrypted partitions inside of one. If you enter the right password, then you get access to your files. But if you enter a dummy password, you get access to a separate, hidden partition. This method has quickly become a favorite of tech savvy travelers, and will fool most officers, but not experienced investigators. While they may not be able to prove you have other hidden files, they may get suspicious. So once again, it's up to you to decide, but the important takeaway is that this decision should be made now, before you encounter these types of situations. That way, you'll be prepared, and know what to do when your security doesn't get breached by criminals, but by people with a badge.