Risk
1/24/2012 12:51 PM

When Uncle Sam Can Demand You Decrypt Laptop

Colorado woman argued that surrendering her full-disk encryption password would violate her Fifth Amendment right against self-incrimination, but a judge disagreed.

A judge has ruled that a Colorado woman accused by federal authorities of real estate fraud must surrender a copy of her laptop's hard drive to prosecutors, even though the drive is protected with full-disk encryption software.

The ruling by U.S. District Court Judge Robert Blackburn came Monday after the woman, Ramona Fricosu (aka Ramona Smith), had argued that being forced to produce the password would have violated her right against self-incrimination under the Fifth Amendment.

FBI agents had seized three desktops and three laptops during a search of the house where Fricosu was living with her mother and two children. Only one of the computers, a Toshiba Satellite M305 laptop, was protected by full-disk encryption, and agents couldn't access its contents. Accordingly, prosecutors sought a warrant to search the computer, based on evidence that Fricosu owned it. Notably, agents found the laptop in her bedroom. Furthermore, the FBI agent who studied the computer said that the encryption screen identified the laptop as "RS.WORKGROUP.Ramona," and noted that the latter part of the name would have been selected by the operating system by default, based on information that had been used to configure the PC.

Prosecutors also produced a telephone conversation recorded between Fricosu and her co-defendant and ex-husband, Scott Whatcott, who at the time of the search was incarcerated on state charges at the Four Mile Correctional Center in Colorado. Discussing the laptop the day after the search of the house, Fricosu told Whatcott, "So um, in a way I want them to find it ... in a way I don't just for the hell of it."

Asked, "It was on your laptop?" by Whatcott, Fricosu replied, "Yes." Later, she said, "My lawyer said I'm not obligated by law to give them any passwords or anything they need to figure things out for themselves."

In his judgment, Blackburn referenced that conversation as proof that the laptop belonged to Fricosu. He also referenced case law, including a case in which a man was stopped while crossing the border from Canada into the United States. A border agent opened the man's laptop, and without having to enter a password, was able to find thousands of images that appeared to be adult pornography, as well as some child pornography. The defendant told a border agent that he sometimes downloaded child pornography from newsgroups by mistake, at which point he would immediately delete it, and showed the agent where it was stored on his computer.

The man was arrested, but when agents went to study the computer further, they found that it was password-protected. A grand jury issued a subpoena demanding that the man furnish the password, but he protested that it would violate his Fifth Amendment right against self-incrimination. A judge concurred. In response, the grand jury revised its request, and required the defendant to produce not a password, but a complete unencrypted copy of the drive partition on which the pornography had been stored. A court upheld that request, noting that "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion."

Fricosu had previously filed a motion seeking the return of the seized hard drive. Blackburn upheld that motion, and ordered the government to give Fricosu a copy of her hard drive by February 6, 2012. But he also ordered Fricosu to then supply the government with an unencrypted copy of the drive by February 21, 2012.

Those orders aside, might FBI agents have been able to defeat the full-disk encryption and access files on Fricosu's laptop without a password? According to security experts, it's possible, but not likely. If a full-disk encryption user employs a sufficiently strong key and passphrase, the only remaining avenue is to guess the passphrase by brute force, and even with enormous processing power that would be a longshot.
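The "longshot" above comes down to arithmetic on passphrase entropy and the cost of each guess. The following added example (not from the article or from any product mentioned in it) estimates the entropy of a random character password or a wordlist passphrase and the expected brute-force time, assuming a constructed key-stretching cost per guess; the guess rates and the KDF cost figure are assumptions for illustration, not measurements of any real tool.

```python
import math

# Assumed key-derivation cost for a full-disk-encryption header: each passphrase
# guess costs roughly this many hash operations. This is a constructed figure
# for illustration, not a value taken from any specific product.
ASSUMED_KDF_COST = 100_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` characters, each
    drawn independently from an alphabet of `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("length must be > 0 and alphabet_size > 1")
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words chosen uniformly at random
    (with replacement) from a wordlist of `wordlist_size` entries."""
    if words <= 0 or wordlist_size <= 1:
        raise ValueError("words must be > 0 and wordlist_size > 1")
    return words * math.log2(wordlist_size)


def expected_bruteforce_seconds(entropy_bits: float,
                                raw_hashes_per_second: float,
                                kdf_cost: int = ASSUMED_KDF_COST) -> float:
    """Expected time to recover a secret of `entropy_bits` bits by exhaustive
    guessing. On average half the keyspace is searched, and every guess
    costs `kdf_cost` hash operations because of key stretching."""
    if raw_hashes_per_second <= 0 or kdf_cost <= 0:
        raise ValueError("rates and costs must be positive")
    guesses_per_second = raw_hashes_per_second / kdf_cost
    expected_guesses = 2.0 ** entropy_bits / 2.0
    return expected_guesses / guesses_per_second


def expected_bruteforce_years(entropy_bits: float,
                              raw_hashes_per_second: float,
                              kdf_cost: int = ASSUMED_KDF_COST) -> float:
    """Same estimate expressed in years."""
    return expected_bruteforce_seconds(entropy_bits, raw_hashes_per_second,
                                       kdf_cost) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed attacker budget: one trillion raw hashes per second.
    rate = 1e12
    weak = password_entropy_bits(6, 26)        # six lowercase letters
    strong = passphrase_entropy_bits(6, 7776)  # six words from a 7776-word list
    print(f"6 lowercase chars: {weak:.1f} bits, "
          f"~{expected_bruteforce_seconds(weak, rate):.0f} s")
    print(f"6-word passphrase: {strong:.1f} bits, "
          f"~{expected_bruteforce_years(strong, rate):.2e} years")
```

The contrast is the point: a six-character lowercase password falls in seconds even with key stretching, while a six-word random passphrase at the same guess rate runs to hundreds of millions of years. Strength here is a property of how the passphrase was chosen, not of the cipher.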

Comments
Deathbecon
User Rank: Apprentice
10/8/2012 | 6:28:17 AM
re: When Uncle Sam Can Demand You Decrypt Laptop
Sorry, probable cause does not negate the Fifth Amendment. The first case you cited observed that the officer saw the intended evidence, whereas the second is on hearsay evidence. I would not, in her place, give them the password because, one, the drive is protected: there was no direct evidence that the information is on the drive other than the direct mention of it in the phone conversation, but that's not a direct observation by law enforcement. The second is that there exist alternate methods of retrieving the information; whether it is efficient or not has no bearing. There is still such a thing as privacy in this world, and I would take this to the Supreme Court before I would give up the password.
randomchaos
User Rank: Apprentice
5/29/2012 | 6:24:44 PM
re: When Uncle Sam Can Demand You Decrypt Laptop
Should we be able to write a message that the government cannot see? Obviously we can and will continue to do so, more now than ever.
MITDGreenb
User Rank: Apprentice
2/17/2012 | 2:22:53 AM
re: When Uncle Sam Can Demand You Decrypt Laptop
I think the logic here is a bit flawed. Suppose we went back about a century. During a search of a house, the police find a handwritten notebook. It appears incriminating and, in fact, the occupant of the house is so agitated that the Police have it that she demands its return. The Police take it away only to find out that the text is written in code, whereupon the Police return and demand that the occupant/owner of the book:
1) give them the means to decode the book themselves. "A grand jury issued a subpoena demanding that the man furnish the password, but he protested that it would violate his Fifth Amendment right against self-incrimination. A judge concurred."
2) give them a decoded copy of the book by a certain date. The occupant argues that this is a breach of Fifth Amendment rights, but the government rules "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion."

Now, looking at this as a book... of known existence, ownership, and location... it seems ludicrous. It is not a foregone conclusion that the book would be decoded and, therefore, in my opinion, compelling the creation and forfeiture of a decoded copy constitutes a violation of self-incrimination.

Jellico1969
User Rank: Apprentice
1/25/2012 | 9:58:14 PM
re: When Uncle Sam Can Demand You Decrypt Laptop
You know, it occurs to me that a plausible reply for her is to provide a password that she believes is the correct one, and when it doesn't work, she can claim the drive was damaged or altered while in possession of law enforcement officials. She can claim cooperation and it would be impossible for the prosecution to prove otherwise (unless she's stupid enough to talk about it on the phone). Anyway, that was my thought upon reading the judge's ruling.
theonlyaether
User Rank: Apprentice
1/25/2012 | 1:50:25 PM
re: When Uncle Sam Can Demand You Decrypt Laptop
If I'm understanding the judge's order, this is nothing like opening a safe. The government will give Fricosu a "copy" of the encrypted drive, and then Fricosu has 15 days to produce a decrypted "copy" of the drive. So in a sense the owner does not need to be compelled to produce their knowledge of the lock/code/password, but they do need to act on that knowledge, like in the case of a safe.

Unlike a safe... Firstly - a decrypted version will never be a copy, of course. Unlike a safe you're not simply removing an outer barrier, this is crypto - you're rearranging the contents like a puzzle. Secondly - what's to stop Fricosu from producing a selectively decrypted "copy"? Do they plan on using some kind of hashing algorithm to verify the drive's contents (doubtful)?

I'm going to assume that they're counting on the idea that the user is as ignorant as the judge in this case.
Dris
User Rank: Apprentice
1/25/2012 | 12:16:55 AM
re: When Uncle Sam Can Demand You Decrypt Laptop
I fail to see the reasoning by the judge. I have encrypted archive files on my hard disk. My personal finance records, for example. I routinely use a security utility program to wipe all free and slack space so remnants of my private files can't be recovered. My archive encryption is strong encryption. I use Pretty Good Privacy (PGP), which last time I looked was "military grade", if that means anything. I have several user accounts on my machines, as do other people, so their trick of the user name in the machine name would probably not apply to the archives. I use a "used" machine and I never wiped the system, so all of the old owner's stuff is still there. Isn't there then a question of ownership of an archive? For ME, I am not about to divulge my passwords for my archives. Feel free to try to break my encryption. Giving up my passwords, in my opinion, amounts to allowing a fishing expedition. It is one thing in the case of the porn to see it and then want to get it later, which makes sense to me since, after all, they already have knowledge. But it is something else in my case, as no one but me knows what is IN my archives. There is no tangible evidence in my archives as there might be in the drug dealer's safe. I will open my archives to assist in my defense, but I refuse to open my archives to assist in prosecution. Isn't THAT what the 5th Amendment is all about? Wouldn't opening my archives amount to self-incrimination? Based on this article, I guess I am just going to have to accept being held in contempt of court if push comes to shove... This is as bad as the Clipper Chip hardware encryption that the Fed wanted to force on the public a while back instead of using individual encryption like PGP. You know the one, the hardware encryption chip with a backdoor master password that supposedly only the Fed and other authorities would have... The only legal encryption was going to be the chip with the backdoor!
How would YOU like it to have the Fed be able to read anything YOU encrypted? Sorry, but I doubt I will be assisting the prosecution anytime soon... 5th amendment... Hey! Where are we going? And why are we in this handbasket?
YMOM100
User Rank: Apprentice
1/24/2012 | 10:47:55 PM
re: When Uncle Sam Can Demand You Decrypt Laptop
One issue is that by providing access, the defendant is admitting knowledge and control. There were three computers in the house. The government would need to prove the contents were under the control of Fricosu. In this case, the government has already proved that point to the court (and the defendant actually demanded the laptop be returned to her which is an admission of ownership.)

Where a safe is found in the house of a defendant, the question of ownership of the safe is not normally an issue. It was located in the defendant's house, thus it is under his control. So, issuing a court order to open the safe is not a 5th Amendment issue. This would be similar to when courts have compelled defendants to supply the key to their safe deposit boxes.
Bprince
User Rank: Ninja
1/24/2012 | 8:51:30 PM
re: When Uncle Sam Can Demand You Decrypt Laptop
Interesting case. Isn't this the same as finding a safe in the house of a suspected drug dealer and demanding the person open it (assuming the cops had a warrant to search the house)?
Brian Prince, InformationWeek/Dark Reading Comment Moderator