Third Circuit Appeals Court Says All Writs Orders Can Be Used To Compel Passwords For Decryption

from the still-no-definitive-answer-on-the-Fifth-Amendment-though dept

The Third Circuit Court of Appeals has ruled that passwords can be compelled with All Writs Orders. Handing down a decision in the case of Francis Rawls, a former Philadelphia police officer facing child porn charges, the court finds the order lawful, but doesn’t go quite as far as to determine whether compelling password production implicates the Fifth Amendment.

The Third Circuit doesn’t touch the Fifth Amendment implications because Rawls failed to preserve them.

Even if we could assess the Fifth Amendment decision of the Magistrate Judge, our review would be limited to plain error. See United States v. Schwartz, 446 F.2d 571, 576 (3d Cir. 1971) (applying plain error review to unpreserved claim of violation of privilege against self-incrimination). Doe’s arguments fail under this deferential standard of review.

Orin Kerr highlights a footnote from the order [PDF], which shows even if the court had addressed the Fifth Amendment implications, it likely would have sided with government based on its interpretation of the government’s “foregone conclusion” argument.

It is important to note that we are not concluding that the Government’s knowledge of the content of the devices is necessarily the correct focus of the “foregone conclusion” inquiry in the context of a compelled decryption order. Instead, a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production. In this case, the fact known to the government that is implicit in the act of providing the password for the devices is “I, John Doe, know the password for these devices.” Based upon the testimony presented at the contempt proceeding, that fact is a foregone conclusion.

However, because our review is limited to plain error, and no plain error was committed by the District Court in finding that the Government established that the contents of the encrypted hard drives are known to it, we need not decide here that the inquiry can be limited to the question of whether Doe’s knowledge of the password itself is sufficient to support application of the foregone conclusion doctrine.

This interpretation limits what the government has to assert to avail itself of this argument — one that’s sure to become more common as default encryption comes to more devices and communications services. As applied here, the government only has to show the defendant knows the password. It doesn’t have to make assertions about what it believes will be found once the device/account is unlocked. (That being said, the DHS performed a forensic scan of the one device it could access — the MacBook Pro — and found data and photos suggesting the locked external drives contained more child pornography.)

The court also addresses the All Writs Act being used to compel password production in service to a search warrant that still can’t be fully executed.

Doe asserts that New York Telephone should not apply because the All Writs Act order in that case compelled a third party to assist in the execution of that warrant, and not the target of the government investigation. The Supreme Court explained, however, that the Act extends to anyone “in a position to frustrate the implementation of a court order or the proper administration of justice” as long as there are “appropriate circumstances” for doing so. Id. at 174. Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.

This shows just how malleable the New York Telephone decision is. This 1977 Supreme Court decision paved the way for widespread pen register use. Since that point, it has been used by the DOJ to argue for the lawfulness of encryption-defeating All Writs Orders (as in the San Bernardino iPhone case), as well as by criminal defendants arguing these same orders are unlawful.

In Apple’s case, the government argued the company was not “far removed” from the controversy, despite it being only the manufacturer of the phone. Apple’s distance as a manufacturer provided its own argument against the DOJ’s application of this Supreme Court decision.

In this case, the key words are “third party”: Rawls is arguing this isn’t nearly the same thing as forcing a phone company to comply with pen register orders. This is a “first party” situation where compliance may mean producing evidence against yourself for use in a criminal trial. The government likes the New York Telephone decision for its Fourth Amendment leeway. The defendant here is arguing this isn’t even a Fourth Amendment issue.

As the court points out, it can’t really assess the Fifth Amendment argument — not when it hasn’t been preserved for appeal. But even so, the court says law enforcement already has enough evidence to proceed with prosecution. If so, the only reason the government’s pressing the issue — which has resulted in Rawls being jailed indefinitely for contempt of court — is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords. The court doesn’t quite reach that point, but the ruling here seems to suggest it will be easier (in this circuit at least) to throw people in jail for refusing to hand over passwords, since all the government is really being forced to establish is that it knows the defendant can unlock the targeted devices/accounts.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Third Circuit Appeals Court Says All Writs Orders Can Be Used To Compel Passwords For Decryption”

Subscribe: RSS Leave a comment
35 Comments
Anonymous Coward says:

Re: Re: Re:

Your logic is faulty.

I post as an AC because I am lazy, although is funny that you also posted as an AC.

My point is that the court and the government believes that the prosecution already has the evidence to convict this perv. They are holding him in contempt of court (and in a jail cell) is because ” the only reason the government’s pressing the issue — which has resulted in Rawls being jailed indefinitely for contempt of court — is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords.”and the DHS performed a forensic scan of the one device it could access — the MacBook Pro — and found data and photos suggesting the locked external drives contained more child pornography.) ” So they go after the phone because it was a backup of the MacBook Pro (or vice versa). They already have the evidence needed to put this guy in prison, but are going after the password for precedential issues.

So if it is a forgone conclusion that the dirtbag goes to prison, why not give up the password? Like I said before, probably better to be in jail for contempt than in prison for being a child porn convict.

Anonymous Coward says:

Re: Re:

I can bet you money neither he nor you would remember a proper password after 6 months, much less the 18 that it’s already been.

I have to reset my passwords pretty often cause I forget all the time, and have been locked out of encrypted systems on the regular. And that’s after much shorter periods!!!

Anonymous Coward says:

Whats deal with a password manager ?
I know only one password that has all my others
linked into it , So honestly if they asked me for a specific password ,I dont know it but if they asked for my password manager password they then have free reign to my whole entire life star to finish .
would you trust them with only going after what they say they were after ???

Anonymous Coward says:

Seriously, what the fuck is going to happen to some one who forgets the password to one of their devices or encrypted partitions? You can’t prove you don’t know it. So now forgetting things is punishable by indefinite confinement?

If because of the 5th you can’t be compelled to go get some files, or tell them where the bodies are buried, or tell them what you did, what the fuck makes passwords a different kind of information?

If it’s such a foregone conclusion then why do they need you to fork over the password at all. If it’s a foregone conclusion then they should be able to get what they’re after without your help.

ShadowNinja (profile) says:

Re: Re:

Not to mention what if someone is framed because another person put an encrypted file on their computer, and they then report that person for say possessing child pornography on their computer?

The accused literally can’t prove themselves innocent by providing the password, because they won’t know it. The accused will never need to be brought to trial, the prosecutors can just keep a wrongly accused person in jail forever.

Anonymous Coward says:

Re: Re: Re: More evidence that we all need duress passwords

Both of you are forgetting it’s standard practice to make copies of the data in question.

Wiping won’t work, for that reason. (Unless the password is only used to convince a tamper-resistant device/service to divulge the real key, as in some Apple products—you could actually make that device wipe the key, and it’s difficult to make backups first.)

The "hidden volume" trick could. The government would enter the password and see mundane, non-incriminating data. But then they’ll just claim it’s a "foregone conclusion" that there’s an alternate incriminating password…

Ninja (profile) says:

Re: Re: More evidence that we all need duress passwords

It’s different. A good forensic exam will show the volume is there. I think what he meant is something like a panic button in form of a password. You type it and the volume will display fake data somehow, trick/fool the one that entered the fake password. I’m not sure how this would be feasible though. Maybe ‘decrypt’ the volume but pretend the file system is damaged beyond repair?

Anonymous Cowherd says:

Lawyer logic

I don’t see how it could be logically possible for government to establish that a defendant knows a password without the defendant telling them what the password is. After all, even if it is established that the defendant has at one point known the password, it’s always possible the password has been forgotten since then.

But then I’m no lawyer either.

Anonymous Coward says:

Re: Contempt from answering too...

Invalid password. Your password must have one each of the following:
– An uppercase letter
– A lowercase letter
– A numeral
– A special character (except { } ; : /)

Your password must:
– Not be your email address
– Not be something easily guessed
– Be between 8 and 64 characters

Please try again.

FarFromTopic says:

Re: Re: Contempt from answering too...

I presume your response was meant in jest, as those kinds of password “strengthening” rules have been thrown to the curb where they’ve always belonged.

Those “strong” password rules were developed in part by the NSA and CIA in order to weaken passwords to be more easily cracked.

Passwords where any character can be used for any position without entropy limiting rules can be hundreds or even thousands of times stronger than those where entropy limiting rules are applied.

I found a posting somewhere in the past that showed this rather pointedly.

To make the math “simpler”, lets start with a 4 character password.

Now, if we allow any of the 94 characters on a typical keyboard that can be used to form a password, that gives us roughly 78 million possible permutations.
If we apply the “supposed strong” rules, that number of possibilities drops below 217,000.

217k vs 78m = which is “stronger”?

Expand that to 8 characters and the numbers still show that “strong” rules weaken password complexity.

8 characters with strong rules equates to about 17 billion possibilities compared to the 6 quadrillion possibilities if the full set of printable ascii characters are allowed.

17 billion to 6 quadrillion – that is a roughly 350 times larger entropy pool that has to be brute forced through.

That One Guy (profile) says:

Rights? What rights?

Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.

As arguments for bulldozing rights go that is not a pleasant one. ‘It’s easy’ to violate a right does not mean that right doesn’t exist. Confessing to a crime or leading investigators to a damning piece of evidence they otherwise wouldn’t have is likewise ‘easy’, but I would hope that those wouldn’t be considered acceptable, even if the court does seem to think it is this time around ‘because computers’.

Anonymous Coward says:

Layman view

From layman’s point of view:

1) US “All Writs Act” reeks of British “Writ of assistance”

2) I disagree with “Foregone conclusion” principle.
Just because the court concluded certain assumption must be true by “Preponderance of Evidence”, it should not give the court right to force defendant to produce said self-incriminating evidence.
Fifth Amendment should stand.

3) The act of production of this evidence is “not testimonial”, however the evidence itself is testimonial.
Wherefore it is against Fifth Amendment.

If court claims the evidence is “not testimonial”, court should be able to convict the defendant without this evidence.
And should proceed to do so.

4) I agree with court’s decision footnote.
“We know what is on the encrypted disk” is not equal to “Defendant confessed he can decrypt the disk”

That One Guy (profile) says:

Re: Layman view

3) The act of production of this evidence is "not testimonial", however the evidence itself is testimonial.
Wherefore it is against Fifth Amendment

If court claims the evidence is "not testimonial", court should be able to convict the defendant without this evidence. And should proceed to do so.

Yeah, the whole ‘Forcing someone to decrypt something and/or provide a password isn’t against the Fifth’ is an idea that never should have made it off the ground.

Beyond the fact that being able to provide a password creating a link between the contents and the person, this particular(and persistent) dishonest and/or absurd logic can be exposed simply by a demand from the accused for immunity to anything a password provides.

If forcing someone to provide a password isn’t forcing them to provide self-incriminating evidence against themself, then the prosecution loses nothing by granting immunity to anything found. If on the other hand they are being forced to provide self-incriminating evidence against themself, then that immunity would completely undermine the entire purpose behind demanding the accused decrypt something.

Anyone care to take a wild guess as to what the odds would be that such an offer would be accepted?

"We know what is on the encrypted disk" is not equal to "Defendant confessed he can decrypt the disk"

"We know what is on the encrypted disk" is to ‘… therefore it’s not forcing someone to provide self-incriminating evidence’ as ‘We know the accused is guilty’ is to ‘… therefore forcing them to confess to the crime isn’t forcing them to provide self-incriminating testimony’.

That One Guy (profile) says:

Re: Re:

He’s being publicly accused of involvement with child porn, a charge that’s likely to haunt him for the rest of his life no matter what the eventual verdict is.

There’s taking a fall and then there’s ‘throwing yourself off a cliff’. As such I really doubt he’s a willing patsy in this, even if the prosecution does seem to be using the case to try and set a favorable precedent with regards to forcing people to provide passwords in future cases.

Anonymous Coward says:

Re: Re: Re:

It’s probably unlikely. But it’s certainly strange that the prosecution is claiming that Rawls’ guilt is a foregone conclusion, and still hinging on the contents locked behind his password to make a case.

Rawls being a policeman also raises an eyebrow. It wouldn’t surprise me if those holding him in custody were treating him as one of their own, and it looks like Rawls is in this for the long-term game.

That One Guy (profile) says:

Re: Re: Re: Re:

It’s probably unlikely. But it’s certainly strange that the prosecution is claiming that Rawls’ guilt is a foregone conclusion, and still hinging on the contents locked behind his password to make a case.

Not strange at all, as I understand they have enough to hang him(metaphorically speaking), what they want is a precedent that will allow them to force others to hand over their passwords in future cases, and they’re trying to use this case to get it.

It’s like a smaller version of the DOJ/Apple fight, where they pick an unsympathetic suspect and press to have a legal precedent set that they can and will use against not-so-unsympathetic suspects in the future. It’s not about ‘seeing justice done’, it’s about using the system for their own ends to erode rights of the public and give them more power.

MarcAnthony (profile) says:

All rights reserved

I’m not sure how you can "fail to preserve" something that is inalienable; you have the RIGHT to not testify against yourself—it’s not an opt-in arrangement. I believe I read that the defendant in this case has already stated that he has forgotten the password, so any conclusion that he knows it is no longer forgone. Continuing to mete out punishment for a lack of production further implicates the right to remain silent; if he now produces the password, he will be testifying to the fact that he committed perjury.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...