Mass. Supreme Court Says Defendant Can Be Compelled To Decrypt Data

Trailrunner7 (1100399) writes ... Security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones, and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops. The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so. The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt's Fifth Amendment rights. The ruling.

I lost the password

[pjh3000]

I lost the password in a hard drive crash.

Re:I lost the password

[pjh3000]

... the hard drive was recycled.

Re:I lost the password

[Defenestrar]

No, as the series of court rulings have gone, the Fourth Amendment does not protect you from lawful search and seizure (such as a safe or hard drive). The combination to the safe, or encryption key to the drive, is not incriminating evidence and providing it to allow for lawful search and seizure does not violate your rights. They can admit evidence produced by oneself into court (such as two sets of books in one's own handwriting for a case of fraud) and that is not a violation of the Fourth (or Fifth) - just so with information one puts on a hard drive. What they can not compel one to do is testify against oneself (which is the Fifth by the way) nor assume guilt because you do not take the stand (not that a prosecutor won't toe that line with the jury). So, if one can keep all details of a crime in one's head and manage to destroy all other evidence which could be subject to lawful search and seizure - then you've got a shot at being a criminal mastermind.

I'm not sure I entirely agree with the line of thought - but I can certainly follow the logic as well as the precedence.

What would be interesting is if one's pass-code was material evidence with respect to the case - but a possible way around that would be limited immunity or ruling it as inadmissible evidence...It would make for an interesting case study.

Re:I lost the password

[Jane+Q.+Public]

No, as the series of court rulings have gone, the Fourth Amendment does not protect you from lawful search and seizure (such as a safe or hard drive). The combination to the safe, or encryption key to the drive, is not incriminating evidence and providing it to allow for lawful search and seizure does not violate your rights.

In most circumstances, this is just plain false. As explained (but not very well) in TFA.

Unless it is already known "with particularity" that the drive or safe contains some specific illegal or incriminating material, a judge cannot compel someone to hand over a decryption key or combination. Because those are the only circumstances that would not compel him to incriminate himself. This has nothing to do with the Fourth amendment at all, it's just the Fifth.

Having said that: if they have probable cause or a warrant, they can force open a safe without violating either the 4th or 5th Amendments. The 4th only requires probable cause, and it doesn't require the suspect to incriminate herself, so the 5th isn't violated.

However, with decent encryption there is no way to do that with a hard drive, so the circumstances are very different and the 5th Amendment comes into play. The court cannot compel speech, or "a product of the mind" like a combination or encryption key, if in doing so the individual would incriminate himself. The exception -- the ONLY exception -- is when specific evidence or illegal material is already known to be inside, "with reasonable particularity" as the courts have put it. ONLY in those circumstances is a suspect not being forced to incriminate himself. (And of course if the court did compel disclosure, and the material in question turned out to not be there after all, then the witnesses who said it was would be in some very serious trouble.)

Simply suspecting something is inside is not sufficient. Probable cause is not sufficient. It is a far higher standard of evidence.

Lois Lerner Method

[bhlowe]

Take the 5th and say your computer crashed. That works for the IRS.

Ruling doesn't change much.

[timrod]

If you read the ruling, the court admits that the only reason they said the defendant could be compelled to decrypt his data was because he had already admitted to the police that he was involved in the case, and that the details of his involvement were on the hard drive. I'm sure if he had kept silent the entire time and told them nothing, it would've been a different story.

I lost the password

if it's good enough for the IRS....

Important Caveat

[Rary]

Haven't read the entire ruling, only scanned it, but there is an important caveat in it:

We now conclude that the answer to the reported question is, "Yes, where the defendant's compelled decryption would not communicate facts of a testimonial nature to the Commonwealth beyond what the defendant already had admitted to investigators."

Seems like this guy has said "I did this, this, and this, and these files show that, but I don't want to let you see them", and the Court has ruled that he has to, because he's already admitted to those things, and therefore he would not be incriminating himself in doing so.

Of course, the reality may be that there's evidence of further illegal activities that he hasn't admitted to in the encrypted files. That might make the case for self-incrimination. I'd have to read the full ruling to see what, if anything, they said about that possibility.

criminal defense attorney and programmer here

This is why you don't talk to the cops, especially if you find yourself in the fortunate situation of having illegally acquired 13 million dollars and encrypted all of the evidence. If you say nothing to the cops, you win. The only way you lose is if you brag to them about how awesome a job you did at getting away with the crime.

The people up here who are saying "tell them you lost the key" "tell them it was scrambled not encrypted, etc" are all idiots. Lying to the cops is a crime. Telling them nothing is the superior response.

Cop executing search warrant: "it's asking for a password"
Def: "I want a lawyer, I'm not talking to you"
Cop: "You encrypted it, didn't you?"
Def: "lawyer lawyer lawyer"
Cop: "We'll just get a warrant anyway and you'll go to jail. Help us help you."
Def: "did't you hear me? I want a lawyer"

That being said, I'm in FL so I'm covered by the 11th circuit ruling. Either way, silence is golden. I'd say that at least 30 percent of my cases would have turned out much better if clients hadn't consented to searches, admitted to elements of crimes or just generally blabbed when they should have remained silent.

Re:Except, of course, they have to prove you can

[Penguinisto]

From TFS:

He said that he could decrypt the computers seized from his home, but refused to do so.

Just because he was a dumbass doesn't mean the rest of us have to be.

But let's say you want to be honest - here's a conceptual idea:

Encrypt your stuff on a drive with two-factor auth. The first is a key that expires after x number of days, renewing the expiration every time you access it (let's say 3 to 14 days, tops.) The second factor is a passphrase. Shouldn't be hard to cook up if you use a high-bit-count SSL certificate as your key, and the encryption software checks the date. Keep the key on a separate but random-looking USB stick, SD chip, whatever. When you're not using it, stick it in a camera, unused smartphone, or similarly hidden. To prevent BIOS/EFI tinkering, insure that the encryption software double-checks that the system time is within the window (between last successful access and new expiry date) on boot, and destroys the key if the date is outside that window. Same with insuring that the HDD is in the same hardware it originally sat in, destroying the key if the software detects that a series of MAC addys and serial numbers don't match up.

After the keypair expires (after all, you've been in jail all this time and unable to access it, so...) you can truthfully say that the data is unreachable by any means (though I do suggest that your statement not end with the phrase "...so suck it, copper!") Of course, this means *you* can't access it either, but one would hope you had a backup of the data stashed somewhere beyond the reach of a warrant or the authorities' knowledge, yes?

Fun mental exercise either way. :)

Re:Except, of course, they have to prove you can

[Safety+Cap]

He should have remained silent. Being a lawyer he should have known that.

He must be a pretty shite lawyer. (Hopefully he isn't a criminal defense lawyer, because then he really IS a shite lawyer.)

FTFA:

“During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated ... ‘[e]verything is encrypted and no one is going to get to it.’ The defendant acknowledged that he was able to perform decryption.”

What a dumb-bumble-fark. He deserves to burn for bragging/taunting the cops.

Rules for Talking to Cops

ONE Don't talk to cops, except what you are legally required to say (you must ID yourself, to whatever extent your state's laws specify) TWO The only thing that should come out of your piehole from the time your are arrested (especialy during any "post-arrest 'let's get the suspect to incriminate himself' interview") are the words: "I wish to remain silent and I want a lawyer." TREE STFU until you get a lawyer FOUR Remember that Everything you say will be used to burn you. Cops can lie and get away with it, and if you lie to a cop, you're fried. Do not believe anything they say, and don't try to talk your way out of it because you'll lose. NaN Getting (and following) legal advice from random people on the internets is about the stupidest thing you could do.

Same lie, two people, different outcome

Judge thinks you are lying. You're a geek, who presumably knows how to secure information on a computer. You saying "I lost the data" is equivalent to saying "My whole life is a lie and I don't actually know how to do any of the things I always talk about." Bullshit. You didn't lose the data. Your RAID6 didn't have a three-drive failure, and your backups weren't untested.

Same judge can think Lerner is telling truth. Lerner is an administrator, and she uses an iPhone and thinks the "e" on her desktop is the Internet, Her saying "I lost the data" is equivalent to her saying "I think the car's oil might be low, but I haven't looked. but the problem really could be oil, because I read a story in Readers Digest about a couple who saw some smoke coming out their hood, and when they finally got to town for someone to check it out, it turned out they were low on oil!" Her act is consistently dumb enough that no dumbness could be out of character.

When Lerner is asked the airspeed of an unladen swallow, she smiles helplessly, shrugs, and says "I don't know. What did you swallow?" When you're asked, you smugly immediately instinctively counter with "African or European?" and when the judge says "European," your eyes suddenly dart around and you say, unconvincingly, "Uh... I don't know anything about swallows."