Can you be forced by law to decrypt your computer? US v. Fricosu court case rages on


In Colorado, a District Court judge is deliberating on whether Ramona Fricosu, accused of committing financial fraud, has to disclose her laptop password to decrypt the stored content.

Marcia Hofmann of the Electronic Frontier Foundation (EFF) is counsel for the defendant. She alleges that Fricosu should not be compelled to give up her password for two main reasons:

  • The government haven’t specifically identified what they are looking for on the laptop. This makes it seem somewhat of an evidence-fishing trip.
  • Requiring disclosure of the password would breach her US Constitutional Fifth Amendment right against forced self-incrimination. There hasn’t been any immunity offered for loss of this protection.

In contrast, the Prosecution says failing to demand data decryption harms public interests. The team alleges it defeats the efforts of law enforcement in securing successful prosecutions and signals an unjustified concession to Fricosu.

Furthermore, Assistant U.S. Attorney Patricia Davies is quoted as saying, “if the defendant is not compelled to unlock her computer, that would amount ‘to a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.’”

I think this slightly exaggerated justification extends beyond the circumstances of the current case. It presupposes defendant guilt and diminishes the importance of assessing individual interests against those of the state.

Such polarised viewpoints highlight the necessity of finding the correct balance between conflicting interests.

With the US ruling due soon, it is worth considering how a similar scenario might pan out across the pond in the UK.

For the law, we look to the UK Regulation of Investigatory Powers Act 2000 (RIPA). RIPA Part III was added to the original statute in 2007, after a consultation and much controversy, creating specific provisions for access to encrypted content.

A RIPA s49 Notice seeks the disclosure to law enforcement of the encryption key or the decrypted data in an intelligible form.

There are strict procedural requirements for a s49 Notice, including proportionality to the aim, balancing individual privacy against public interest, and the necessity of key disclosure as the most reasonably practical option.

In the UK, there have been cases where individuals were jailed for refusing to hand over their passwords to the authorities. Oliver Drage was sentenced to four months in jail for this s53 RIPA offence.

Recorded usage of s49 notices seems to have fallen in the last year. The Report of the Chief Surveillance Commissioner for 2010-11 notes a drop in granted notices to 26, down from 38 in 2009-2010.

Despite this decline, in the correct context, our encrypted data remains well within the reach of UK law enforcement.

And all this leads me to believe that the arguments being uttered in the US against self-incrimination and guaranteeing individual privacy and data security will continue to transcend across the Atlantic for the foreseeable future.

What do you think?