1/24/2012 12:51 PM

When Uncle Sam Can Demand You Decrypt Laptop

Colorado woman argued that surrendering her full-disk encryption password would violate her Fifth Amendment right against self-incrimination, but a judge disagreed.

A judge has ruled that a Colorado woman accused by federal authorities of real estate fraud must surrender a copy of her laptop's hard drive to prosecutors, even though the drive is protected with full-disk encryption software.

The ruling by U.S. District Court Judge Robert Blackburn came Monday after the woman, Ramona Fricosu (aka Ramona Smith), had argued that being forced to produce the password would have violated her right against self-incrimination under the Fifth Amendment.

FBI agents had seized three desktops and three laptops during a search of the house where Fricosu was living with her mother and two children. Only one of the computers, a Toshiba Satellite M305 laptop, was protected by full-disk encryption, and agents couldn't access its contents. Accordingly, prosecutors sought a warrant to search the computer, based on evidence that Fricosu owned it. Notably, agents found the laptop in her bedroom. Furthermore, the FBI agent who studied the computer said that the encryption screen identified the laptop as "RS.WORKGROUP.Ramona," and noted that the latter part of the name would have been selected by the operating system by default, based on information that had been used to configure the PC.

Prosecutors also produced a telephone conversation recorded between Fricosu and her co-defendant and ex-husband, Scott Whatcott, who at the time of the search was incarcerated on state charges at the Four Mile Correctional Center in Colorado. Discussing the laptop the day after the search of the house, Fricosu told Whatcott, "So um, in a way I want them to find it ... in a way I don't just for the hell of it."

Asked, "It was on your laptop?" by Whatcott, Fricosu replied, "Yes." Later, she said, "My lawyer said I'm not obligated by law to give them any passwords or anything they need to figure things out for themselves."

In his ruling, Blackburn cited that conversation as evidence that the laptop belonged to Fricosu. He also cited case law, including a case in which a man was stopped while crossing the border from Canada into the United States. A border agent opened the man's laptop and, without having to enter a password, was able to find thousands of images that appeared to be adult pornography, as well as some child pornography. The defendant told a border agent that he sometimes downloaded child pornography from newsgroups by mistake, at which point he would immediately delete it, and showed the agent where it was stored on his computer.

The man was arrested, but when agents went to study the computer further, they found that it was password-protected. A grand jury issued a subpoena demanding that the man furnish the password, but he protested that it would violate his Fifth Amendment right against self-incrimination. A judge concurred. In response, the grand jury revised its request, and required the defendant to produce not a password, but a complete unencrypted copy of the drive partition on which the pornography had been stored. A court upheld that request, noting that "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion."

Fricosu had previously filed a motion seeking the return of the seized hard drive. Blackburn granted that motion and ordered the government to give Fricosu a copy of her hard drive by February 6, 2012. But he also ordered Fricosu to then supply the government with an unencrypted copy of the drive by February 21, 2012.

Those orders aside, might FBI agents have been able to defeat the full-disk encryption and access the files on Fricosu's laptop without the password? According to security experts, it's possible, but not likely. Brute-force techniques can be used to guess the passphrase offline, but if the user chose a sufficiently strong key and passphrase, it would be a longshot even with enormous processing power.
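As an added example (not part of the article, and not any real product's on-disk format), the following Python model of an encrypted-volume header illustrates three points the article touches on: which header fields are readable without the passphrase (the label here stands in for the "RS.WORKGROUP.Ramona" string the agent saw on the encryption screen), how an examiner can tell a wrong passphrase from a header damaged after seizure (the "claim the drive was damaged" idea raised in the comments below), and why offline guessing only pays off against weak passphrases, since the KDF iteration count caps the guess rate. The header layout, iteration count, label and word list are all constructed assumptions; real formats store an equivalent key-check value and header checksum, but their layouts differ.

```python
"""Toy full-disk-encryption header: what is readable without the passphrase,
how an intact header distinguishes a wrong passphrase from a damaged drive,
and why brute force is a longshot against a strong passphrase.
Constructed example; layout and values are illustrative, not a real format."""
import hashlib
import hmac
import math
import secrets
import time
from typing import Iterable, Optional, Tuple

KDF_ITERS = 100_000  # assumed PBKDF2 iteration count for the toy format
KEY_LEN = 32


def _cleartext_fields(hdr: dict) -> bytes:
    """Length-prefixed encoding of the fields that are stored in the clear."""
    label = hdr["label"].encode()
    return (len(label).to_bytes(2, "big") + label + hdr["salt"]
            + hdr["iters"].to_bytes(4, "big") + hdr["key_check"])


def make_header(passphrase: str, label: str, iters: int = KDF_ITERS) -> dict:
    """Like real FDE headers: label, salt and KDF parameters are plaintext;
    only key_check depends on the passphrase-derived key."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iters, KEY_LEN)
    hdr = {
        "label": label,  # e.g. a hostname/username, visible to anyone holding the disk
        "salt": salt,
        "iters": iters,
        # Key-check value: lets unlock() reject a wrong passphrase without touching data.
        "key_check": hashlib.sha256(b"keycheck" + key).digest(),
    }
    # Integrity checksum over the cleartext fields. Anyone can recompute it, so it is
    # not authentication; it only detects accidental corruption of the header.
    hdr["checksum"] = hashlib.sha256(_cleartext_fields(hdr)).digest()
    return hdr


def header_intact(hdr: dict) -> bool:
    """True if the cleartext header fields still match their stored checksum."""
    return hmac.compare_digest(hashlib.sha256(_cleartext_fields(hdr)).digest(), hdr["checksum"])


def unlock(hdr: dict, passphrase: str) -> Optional[bytes]:
    """Return the volume key if the passphrase is right, else None."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), hdr["salt"], hdr["iters"], KEY_LEN)
    check = hashlib.sha256(b"keycheck" + key).digest()
    return key if hmac.compare_digest(check, hdr["key_check"]) else None


def diagnose(hdr: dict, passphrase: str) -> str:
    """What an examiner can state when a supplied passphrase fails to unlock."""
    if not header_intact(hdr):
        return "header corrupted"
    return "unlocked" if unlock(hdr, passphrase) is not None else "wrong passphrase, header intact"


def dictionary_attack(hdr: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing against the header alone; returns (passphrase or None, guesses made)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if unlock(hdr, cand) is not None:
            return cand, tried
    return None, tried


def measure_guess_rate(hdr: dict, samples: int = 10) -> float:
    """Guesses per second on this machine; the KDF iteration count keeps this small."""
    t0 = time.perf_counter()
    for i in range(samples):
        unlock(hdr, f"probe-{i}")
    return samples / (time.perf_counter() - t0)


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase over the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_years(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Expected time to find a random passphrase (half the space on average)."""
    return (alphabet_size ** length / 2) / guesses_per_sec / (365 * 24 * 3600)


if __name__ == "__main__":
    hdr = make_header("tr0ub4dor", "HOST.WORKGROUP.alice")  # constructed label, cf. the article
    print("readable without a passphrase:", hdr["label"], hdr["iters"], "iterations")
    print("examiner's finding for a wrong passphrase:", diagnose(hdr, "letmein"))
    damaged = dict(hdr, salt=bytes(16))  # simulate a header damaged after seizure
    print("examiner's finding for a damaged header:", diagnose(damaged, "tr0ub4dor"))
    wordlist = ["password", "letmein", "ramona", "tr0ub4dor"]  # constructed word list
    print("dictionary attack:", dictionary_attack(hdr, wordlist))
    rate = measure_guess_rate(hdr)
    for alphabet, length in [(26, 6), (95, 12), (95, 20)]:
        print(f"{alphabet}^{length} ({passphrase_bits(alphabet, length):.0f} bits): "
              f"{expected_years(alphabet, length, rate):.3g} years at {rate:.1f} guesses/s")
```

The dictionary attack succeeds because the constructed passphrase is in the constructed word list; the closing loop shows the other side of the article's point, that a random 12-character passphrase over the printable ASCII set is out of reach at any single-machine guess rate, and multiplying the rate by a large cluster only moves the exponent by a few digits. The checksum check is deliberately not a security control: its job is to let an examiner show that the header itself survived imaging intact, so a failed unlock is a wrong passphrase rather than damage in custody.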

Comments
Bprince, 1/24/2012 8:51:30 PM:
Interesting case. Isn't this the same as finding a safe in the house of a suspected drug dealer and demanding the person open it (assuming the cops had a warrant to search the house)?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
YMOM100, 1/24/2012 10:47:55 PM:
One issue is that by providing access, the defendant is admitting knowledge and control. There were three computers in the house. The government would need to prove the contents were under the control of Fricosu. In this case, the government has already proved that point to the court (and the defendant actually demanded the laptop be returned to her which is an admission of ownership.)

Where a safe is found in the house of a defendant, the question of ownership of the safe is not normally an issue. It was located in the defendant's house, thus it is under his control. So, issuing a court order to open the safe is not a 5th Amendment issue. This would be similar to when courts have compelled defendants to supply the key to their safe deposit boxes.
Dris, 1/25/2012 12:16:55 AM:
I fail to see the reasoning by the judge. I have encrypted archive files on my hard disk. My personal finance records, for example. I routinely use a security utility program to wipe all free and slack space so remnants of my private files can't be recovered. My archive encryption is strong encryption. I use Pretty Good Privacy (PGP) which last time I looked was "military grade", if that means anything. I have several user accounts on my machines as well as other people, so their trick of the user name in the machine name would probably not apply to the archives. I use a "used" machine and I never wiped the system, so all of the old owner's stuff is still there. Isn't there then a question of ownership of an archive? For ME, I am not about to divulge my passwords for my archives. Feel free to try to break my encryption. Giving up my passwords, in my opinion, amounts to allowing a fishing expedition. It is one thing in the case of the porn to see it and then want to get it later, which makes sense to me since after all, they already have knowledge. But, it is something else in my case as no one but me knows what is IN my archives. There is no tangible evidence in my archives as there might be in the drug dealer's safe. I will open my archives to assist in my defense, but I refuse to open my archives to assist in prosecution. Isn't THAT what the 5th amendment is all about? Wouldn't opening my archives amount to self-incrimination? Based on this article, I guess I am just going to have to accept being held in contempt of court if push comes to shove... This is as bad as the Clipper Chip hardware encryption that the Fed wanted to force on the public a while back instead of using individual encryption like PGP. You know the one, the hardware encryption chip with a backdoor master password that supposedly only the Fed and other authorities would have... The only legal encryption was going to be the chip with the backdoor!
How would YOU like it to have the Fed be able to read anything YOU encrypted? Sorry, but I doubt I will be assisting the prosecution anytime soon... 5th amendment... Hey! Where are we going? And why are we in this handbasket?
theonlyaether, 1/25/2012 1:50:25 PM:
If I'm understanding the judge's order, this is nothing like opening a safe. The government will give Fricosu a "copy" of the encrypted drive, and then Fricosu has 15 days to produce a decrypted "copy" of the drive. So in a sense the owner does not need to be compelled to produce their knowledge of the lock/code/password, but they do need to act on that knowledge, like in the case of a safe.

Unlike a safe... Firstly - a decrypted version will never be a copy, of course. Unlike a safe you're not simply removing an outer barrier, this is crypto - you're rearranging the contents like a puzzle. Secondly - what's to stop Fricosu from producing a selectively decrypted "copy"? Do they plan on using some kind of hashing algorithm to verify the drive's contents (doubtful)?

I'm going to assume that they're counting on the idea that the user is as ignorant as the judge in this case.
Jellico1969, 1/25/2012 9:58:14 PM:
You know, it occurs to me that a plausible reply for her is to provide a password that she believes is the correct one, and when it doesn't work, she can claim the drive was damaged or altered while in possession of law enforcement officials. She can claim cooperation and it would be impossible for the prosecution to prove otherwise (unless she's stupid enough to talk about it on the phone). Anyway, that was my thought upon reading the judge's ruling.
MITDGreenb, 2/17/2012 2:22:53 AM:
I think the logic here is a bit flawed. Suppose we went back about a century. During a search of a house, the police find a handwritten notebook. It appears incriminating and, in fact, the occupant of the house is so agitated that the Police have it that she demands its return. The Police take it away only to find out that the text is written in code, whereupon the Police return and demand that the occupant/owner of the book:
1) give them the means to decode the book themselves. "A grand jury issued a subpoena demanding that the man furnish the password, but he protested that it would violate his Fifth Amendment right against self-incrimination. A judge concurred."
2) give them a decoded copy of the book by a certain date. The occupant argues that this is a breach of Fifth Amendment rights, but the government rules "where the existence and location of the documents are known to the government, no constitutional rights are touched, because these matters are a foregone conclusion."

Now, looking at this as a book... of known existence, ownership, and location... it seems ludicrous. It is not a foregone conclusion that the book would be decoded and, therefore, in my opinion, compelling the creation and forfeiture of a decoded copy constitutes a violation of self-incrimination.

randomchaos, 5/29/2012 6:24:44 PM:
Should we be able to write a message that the government cannot see? Obviously we can and will continue to do so, more now than ever.
Deathbecon, 10/8/2012 6:28:17 AM:
Sorry, probable cause does not negate the Fifth Amendment. The first case you cited observed that the officer saw the intended evidence, where the second is on hearsay evidence. I would not, in her place, give them the password because, one, the drive is protected because there was no direct evidence that the information is on the drive other than the direct mention of it in the phone conversation, but that's not a direct observation by law enforcement. The second is that there exist alternate methods of retrieving the information; whether it is efficient or not has no bearing. There is still such a thing as privacy in this world and I would take this to the Supreme Court before I would give up the password.