Agentless Backup is Not a Myth

Civil liberties activists have lent their support to a case that will test whether a US citizen can refuse to decrypt personal data on the grounds that it might be self-incriminatory.

The case involves allegedly fraudulent real estate transactions. The government wants a Colorado court to compel Ramona Fricosu, who is accused of a mortgage scam, into either turning over the passphrase or providing a plain text version of the data held on an encrypted laptop. However, such an order would be in breach of Fifth Amendment protection against self incrimination, according to papers filed by the Electric Frontier Foundation (EFF) in support of Fricosu.

"Decrypting the data on the laptop can be, in and of itself, a testimonial act – revealing control over a computer and the files on it," said EFF Senior Staff Attorney Marcia Hofmann, in a statement. "Ordering the defendant to enter an encryption password puts her in the situation the Fifth Amendment was designed to prevent: having to choose between incriminating herself, lying under oath, or risking contempt of court."

Although prosecutors have made some concessions, they have failed to provide assurances that any data found on the computer won't be used as evidence against Fricosu. Lawyers for the EFF argued in an amicus brief (16-page/146KB PDF) in defence of Fricosu that the request would expose a potential treasure trove of personal data.

"Our computers now hold years of email with family and friends, internet browsing histories, financial and medical information, and the ability to access our online services like Facebook," said EFF Staff Attorney Hanni Fakhoury. "People are right to use passwords and encryption to safeguard this data, and they deserve the law's full protection against the use of it against them.

"This could be a very important case in applying Americans' Fifth Amendment rights in the digital age," she added.

Supreme Court rulings have previously decided that a subject can be compelled to turn over a key in their possession that unlocks a safe containing potentially incriminating evidence, but not the combination to a safe in much the same scenario.

We've asked the EFF whether or not the outcome of the case will have an effect on laptop border searches and the like, and will update this story as and when we hear more.

In the UK, the Regulation of Investigatory Powers Act gives police the powers to force suspects to decrypt files or hand over pass-phrases. Non-compliance is an offence all on its own, punishable on conviction by a two-year jail sentence – or a maximum of five years in cases where national security is involved.

Investigations into suspected possession of child abuse images and related offences is the "main reason" such section 49 notices have been served, but the power has been applied in a range of cases including counter-terrorism, insider dealing, theft and even aggravated burglary. Ministers argued in Parliament that the powers were needed to investigate terrorism and other serious crime.

However, as first reported in The Register back in 2009, the first person jailed for failing to hand over encryption keys to authorities was a schizophrenic software developer initially charged with explosives offences that were later dropped during a police inquiry. ®

What you need to know about cloud backup