February 26, 2009 1:30 PM PST
Judge orders defendant to decrypt PGP-protected laptop
by Declan McCullagh
A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.
In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.
‘Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,’ Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.
Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.
The Fifth Amendment says nobody can be ‘compelled in any criminal case to be a witness against himself,’ which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.
Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over ‘passwords used or associated with’ the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.
At issue in this case is whether forcing Boucher to type in that PGP passphrase–which would be shielded from and remain unknown to the government–is ‘testimonial,’ meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.
Barry Steinhardt, director of the ACLU’s technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher ‘should have been able to assert his Fifth Amendment rights. It’s not the same thing as asking him to turn over the Xeroxed copy of a document.’
‘There is no distinction’ between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. ‘Either of those things results in an encrypted set of files being brought into plain view.’
Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn’t know where the incriminating files are, or second, if turning them over would ‘implicitly authenticate’ them.
Because the Justice Department believes it can link Boucher with the files through another method, it’s agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)
Sessions wrote: ‘Boucher’s act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication.’
The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.
Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered ‘thousands of images of adult pornography and animation depicting adult and child pornography.’ Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then–and this is key–the laptop was shut down after Boucher was arrested.
It wasn’t until December 26 that a Vermont Department of Corrections officer tried to access the laptop–prosecutors obtained a subpoena on December 19–and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption, which can be configured to forget the passphrase after a certain time. That would effectively re-encrypt the Z: drive.)