Third Circuit Appeals Court Says All Writs Orders Can Be Used To Compel Passwords For Decryption
from the still-no-definitive-answer-on-the-Fifth-Amendment-though dept
The Third Circuit Court of Appeals has ruled that passwords can be compelled with All Writs Orders. Handing down a decision in the case of Francis Rawls, a former Philadelphia police officer facing child porn charges, the court finds the order lawful, but doesn't go quite as far as to determine whether compelling password production implicates the Fifth Amendment.
The Third Circuit doesn't touch the Fifth Amendment implications because Rawls failed to preserve them.
Even if we could assess the Fifth Amendment decision of the Magistrate Judge, our review would be limited to plain error. See United States v. Schwartz, 446 F.2d 571, 576 (3d Cir. 1971) (applying plain error review to unpreserved claim of violation of privilege against self-incrimination). Doe’s arguments fail under this deferential standard of review.
Orin Kerr highlights a footnote from the order [PDF], which shows even if the court had addressed the Fifth Amendment implications, it likely would have sided with government based on its interpretation of the government's "foregone conclusion" argument.
It is important to note that we are not concluding that the Government’s knowledge of the content of the devices is necessarily the correct focus of the “foregone conclusion” inquiry in the context of a compelled decryption order. Instead, a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production. In this case, the fact known to the government that is implicit in the act of providing the password for the devices is “I, John Doe, know the password for these devices.” Based upon the testimony presented at the contempt proceeding, that fact is a foregone conclusion.
However, because our review is limited to plain error, and no plain error was committed by the District Court in finding that the Government established that the contents of the encrypted hard drives are known to it, we need not decide here that the inquiry can be limited to the question of whether Doe’s knowledge of the password itself is sufficient to support application of the foregone conclusion doctrine.
This interpretation limits what the government has to assert to avail itself of this argument -- one that's sure to become more common as default encryption comes to more devices and communications services. As applied here, the government only has to show the defendant knows the password. It doesn't have to make assertions about what it believes will be found once the device/account is unlocked. (That being said, the DHS performed a forensic scan of the one device it could access -- the MacBook Pro -- and found data and photos suggesting the locked external drives contained more child pornography.)
The court also addresses the All Writs Act being used to compel password production in service to a search warrant that still can't be fully executed.
Doe asserts that New York Telephone should not apply because the All Writs Act order in that case compelled a third party to assist in the execution of that warrant, and not the target of the government investigation. The Supreme Court explained, however, that the Act extends to anyone “in a position to frustrate the implementation of a court order or the proper administration of justice” as long as there are “appropriate circumstances” for doing so. Id. at 174. Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.
This shows just how malleable the New York Telephone decision is. This 1977 Supreme Court decision paved the way for widespread pen register use. Since that point, it has been used by the DOJ to argue for the lawfulness of encryption-defeating All Writs Orders (as in the San Bernardino iPhone case), as well as by criminal defendants arguing these same orders are unlawful.
In Apple's case, the government argued the company was not "far removed" from the controversy, despite it being only the manufacturer of the phone. Apple's distance as a manufacturer provided its own argument against the DOJ's application of this Supreme Court decision.
In this case, the key words are "third party": Rawls is arguing this isn't nearly the same thing as forcing a phone company to comply with pen register orders. This is a "first party" situation where compliance may mean producing evidence against yourself for use in a criminal trial. The government likes the New York Telephone decision for its Fourth Amendment leeway. The defendant here is arguing this isn't even a Fourth Amendment issue.
As the court points out, it can't really assess the Fifth Amendment argument -- not when it hasn't been preserved for appeal. But even so, the court says law enforcement already has enough evidence to proceed with prosecution. If so, the only reason the government's pressing the issue -- which has resulted in Rawls being jailed indefinitely for contempt of court -- is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords. The court doesn't quite reach that point, but the ruling here seems to suggest it will be easier (in this circuit at least) to throw people in jail for refusing to hand over passwords, since all the government is really being forced to establish is that it knows the defendant can unlock the targeted devices/accounts.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 5th amendment, all writs act, compelled, francis rawls, passwords, third circuit
Reader Comments
Subscribe: RSS
View by: Time | Thread
Maybe he would rather be in jail on contempt charges than being in prison for child porn? Maybe he knows child porn convicts are not treated well in prison, much less ex policeman child porn convicts.
[ link to this | view in thread ]
I know only one password that has all my others
linked into it , So honestly if they asked me for a specific password ,I dont know it but if they asked for my password manager password they then have free reign to my whole entire life star to finish .
would you trust them with only going after what they say they were after ???
[ link to this | view in thread ]
If because of the 5th you can't be compelled to go get some files, or tell them where the bodies are buried, or tell them what you did, what the fuck makes passwords a different kind of information?
If it's such a foregone conclusion then why do they need you to fork over the password at all. If it's a foregone conclusion then they should be able to get what they're after without your help.
[ link to this | view in thread ]
More evidence that we all need duress passwords
[ link to this | view in thread ]
Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Lawyer logic
But then I'm no lawyer either.
[ link to this | view in thread ]
Way to bury the lede.
[ link to this | view in thread ]
Re: More evidence that we all need duress passwords
Google 'rubberhose crypto' then read this:
https://veracrypt.codeplex.com/wikipage?title=Hidden%20Volume
[ link to this | view in thread ]
Re: Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Re: Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Re:
Your logic sucks, too bad your ass is not the one on the hook for this.
[ link to this | view in thread ]
Re:
The accused literally can't prove themselves innocent by providing the password, because they won't know it. The accused will never need to be brought to trial, the prosecutors can just keep a wrongly accused person in jail forever.
[ link to this | view in thread ]
Contempt from answering too...
Sign me up.
My encryption password? Whosafuckingcheetohfacedshitgibbonthatlikessuckingthesweatoffofkingkongsballs?Whyyouareyourhonor!
[ link to this | view in thread ]
Re: Re:
I post as an AC because I am lazy, although is funny that you also posted as an AC.
My point is that the court and the government believes that the prosecution already has the evidence to convict this perv. They are holding him in contempt of court (and in a jail cell) is because " the only reason the government's pressing the issue -- which has resulted in Rawls being jailed indefinitely for contempt of court -- is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords."and the DHS performed a forensic scan of the one device it could access -- the MacBook Pro -- and found data and photos suggesting the locked external drives contained more child pornography.) " So they go after the phone because it was a backup of the MacBook Pro (or vice versa). They already have the evidence needed to put this guy in prison, but are going after the password for precedential issues.
So if it is a forgone conclusion that the dirtbag goes to prison, why not give up the password? Like I said before, probably better to be in jail for contempt than in prison for being a child porn convict.
[ link to this | view in thread ]
Re: Re: Re: More evidence that we all need duress passwords
"They" would do it by entering the password.
Fuck 'em if "they" can't take a joke. :)
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Rights? What rights?
Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.
As arguments for bulldozing rights go that is not a pleasant one. 'It's easy' to violate a right does not mean that right doesn't exist. Confessing to a crime or leading investigators to a damning piece of evidence they otherwise wouldn't have is likewise 'easy', but I would hope that those wouldn't be considered acceptable, even if the court does seem to think it is this time around 'because computers'.
[ link to this | view in thread ]
Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Layman view
1) US "All Writs Act" reeks of British "Writ of assistance"
2) I disagree with "Foregone conclusion" principle.
Just because the court concluded certain assumption must be true by “Preponderance of Evidence”, it should not give the court right to force defendant to produce said self-incriminating evidence.
Fifth Amendment should stand.
3) The act of production of this evidence is "not testimonial", however the evidence itself is testimonial.
Wherefore it is against Fifth Amendment.
If court claims the evidence is "not testimonial", court should be able to convict the defendant without this evidence.
And should proceed to do so.
4) I agree with court's decision footnote.
"We know what is on the encrypted disk" is not equal to "Defendant confessed he can decrypt the disk"
[ link to this | view in thread ]
Re: Layman view
3) The act of production of this evidence is "not testimonial", however the evidence itself is testimonial. Wherefore it is against Fifth Amendment
If court claims the evidence is "not testimonial", court should be able to convict the defendant without this evidence. And should proceed to do so.
Yeah, the whole 'Forcing someone to decrypt something and/or provide a password isn't against the Fifth' is an idea that never should have made it off the ground.
Beyond the fact that being able to provide a password creating a link between the contents and the person, this particular(and persistent) dishonest and/or absurd logic can be exposed simply by a demand from the accused for immunity to anything a password provides.
If forcing someone to provide a password isn't forcing them to provide self-incriminating evidence against themself, then the prosecution loses nothing by granting immunity to anything found. If on the other hand they are being forced to provide self-incriminating evidence against themself, then that immunity would completely undermine the entire purpose behind demanding the accused decrypt something.
Anyone care to take a wild guess as to what the odds would be that such an offer would be accepted?
"We know what is on the encrypted disk" is not equal to "Defendant confessed he can decrypt the disk"
"We know what is on the encrypted disk" is to '... therefore it's not forcing someone to provide self-incriminating evidence' as 'We know the accused is guilty' is to '... therefore forcing them to confess to the crime isn't forcing them to provide self-incriminating testimony'.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
He's being publicly accused of involvement with child porn, a charge that's likely to haunt him for the rest of his life no matter what the eventual verdict is.
There's taking a fall and then there's 'throwing yourself off a cliff'. As such I really doubt he's a willing patsy in this, even if the prosecution does seem to be using the case to try and set a favorable precedent with regards to forcing people to provide passwords in future cases.
[ link to this | view in thread ]
Re: Contempt from answering too...
- An uppercase letter
- A lowercase letter
- A numeral
- A special character (except { } ; : /)
Your password must:
- Not be your email address
- Not be something easily guessed
- Be between 8 and 64 characters
Please try again.
[ link to this | view in thread ]
Re: Re: Contempt from answering too...
Those "strong" password rules were developed in part by the NSA and CIA in order to weaken passwords to be more easily cracked.
Passwords where any character can be used for any position without entropy limiting rules can be hundreds or even thousands of times stronger than those where entropy limiting rules are applied.
I found a posting somewhere in the past that showed this rather pointedly.
To make the math "simpler", lets start with a 4 character password.
Now, if we allow any of the 94 characters on a typical keyboard that can be used to form a password, that gives us roughly 78 million possible permutations.
If we apply the "supposed strong" rules, that number of possibilities drops below 217,000.
217k vs 78m = which is "stronger"?
Expand that to 8 characters and the numbers still show that "strong" rules weaken password complexity.
8 characters with strong rules equates to about 17 billion possibilities compared to the 6 quadrillion possibilities if the full set of printable ascii characters are allowed.
17 billion to 6 quadrillion - that is a roughly 350 times larger entropy pool that has to be brute forced through.
[ link to this | view in thread ]
Re: Re:
Rawls being a policeman also raises an eyebrow. It wouldn't surprise me if those holding him in custody were treating him as one of their own, and it looks like Rawls is in this for the long-term game.
[ link to this | view in thread ]
Re: Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Re: Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
Re: More evidence that we all need duress passwords
[ link to this | view in thread ]
All rights reserved
I'm not sure how you can "fail to preserve" something that is inalienable; you have the RIGHT to not testify against yourself—it's not an opt-in arrangement. I believe I read that the defendant in this case has already stated that he has forgotten the password, so any conclusion that he knows it is no longer forgone. Continuing to mete out punishment for a lack of production further implicates the right to remain silent; if he now produces the password, he will be testifying to the fact that he committed perjury.
[ link to this | view in thread ]
Re: Re: Re:
It's probably unlikely. But it's certainly strange that the prosecution is claiming that Rawls' guilt is a foregone conclusion, and still hinging on the contents locked behind his password to make a case.
Not strange at all, as I understand they have enough to hang him(metaphorically speaking), what they want is a precedent that will allow them to force others to hand over their passwords in future cases, and they're trying to use this case to get it.
It's like a smaller version of the DOJ/Apple fight, where they pick an unsympathetic suspect and press to have a legal precedent set that they can and will use against not-so-unsympathetic suspects in the future. It's not about 'seeing justice done', it's about using the system for their own ends to erode rights of the public and give them more power.
[ link to this | view in thread ]
Re: All rights reserved
[ link to this | view in thread ]
Re: Re: All rights reserved
[ link to this | view in thread ]
Re: Re: Re: More evidence that we all need duress passwords
Wiping won't work, for that reason. (Unless the password is only used to convince a tamper-resistant device/service to divulge the real key, as in some Apple products—you could actually make that device wipe the key, and it's difficult to make backups first.)
The "hidden volume" trick could. The government would enter the password and see mundane, non-incriminating data. But then they'll just claim it's a "foregone conclusion" that there's an alternate incriminating password...
[ link to this | view in thread ]
Re: Re: Re: All rights reserved
[ link to this | view in thread ]
Re:
I have to reset my passwords pretty often cause I forget all the time, and have been locked out of encrypted systems on the regular. And that's after much shorter periods!!!
[ link to this | view in thread ]