Third Circuit Appeals Court Says All Writs Orders Can Be Used To Compel Passwords For Decryption

from the still-no-definitive-answer-on-the-Fifth-Amendment-though dept

The Third Circuit Court of Appeals has ruled that passwords can be compelled with All Writs Orders. Handing down a decision in the case of Francis Rawls, a former Philadelphia police officer facing child porn charges, the court finds the order lawful, but doesn't go quite as far as to determine whether compelling password production implicates the Fifth Amendment.

The Third Circuit doesn't touch the Fifth Amendment implications because Rawls failed to preserve them.

Even if we could assess the Fifth Amendment decision of the Magistrate Judge, our review would be limited to plain error. See United States v. Schwartz, 446 F.2d 571, 576 (3d Cir. 1971) (applying plain error review to unpreserved claim of violation of privilege against self-incrimination). Doe’s arguments fail under this deferential standard of review.

Orin Kerr highlights a footnote from the order [PDF], which shows even if the court had addressed the Fifth Amendment implications, it likely would have sided with government based on its interpretation of the government's "foregone conclusion" argument.

It is important to note that we are not concluding that the Government’s knowledge of the content of the devices is necessarily the correct focus of the “foregone conclusion” inquiry in the context of a compelled decryption order. Instead, a very sound argument can be made that the foregone conclusion doctrine properly focuses on whether the Government already knows the testimony that is implicit in the act of production. In this case, the fact known to the government that is implicit in the act of providing the password for the devices is “I, John Doe, know the password for these devices.” Based upon the testimony presented at the contempt proceeding, that fact is a foregone conclusion.

However, because our review is limited to plain error, and no plain error was committed by the District Court in finding that the Government established that the contents of the encrypted hard drives are known to it, we need not decide here that the inquiry can be limited to the question of whether Doe’s knowledge of the password itself is sufficient to support application of the foregone conclusion doctrine.

This interpretation limits what the government has to assert to avail itself of this argument -- one that's sure to become more common as default encryption comes to more devices and communications services. As applied here, the government only has to show the defendant knows the password. It doesn't have to make assertions about what it believes will be found once the device/account is unlocked. (That being said, the DHS performed a forensic scan of the one device it could access -- the MacBook Pro -- and found data and photos suggesting the locked external drives contained more child pornography.)

The court also addresses the All Writs Act being used to compel password production in service to a search warrant that still can't be fully executed.

Doe asserts that New York Telephone should not apply because the All Writs Act order in that case compelled a third party to assist in the execution of that warrant, and not the target of the government investigation. The Supreme Court explained, however, that the Act extends to anyone “in a position to frustrate the implementation of a court order or the proper administration of justice” as long as there are “appropriate circumstances” for doing so. Id. at 174. Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.

This shows just how malleable the New York Telephone decision is. This 1977 Supreme Court decision paved the way for widespread pen register use. Since that point, it has been used by the DOJ to argue for the lawfulness of encryption-defeating All Writs Orders (as in the San Bernardino iPhone case), as well as by criminal defendants arguing these same orders are unlawful.

In Apple's case, the government argued the company was not "far removed" from the controversy, despite it being only the manufacturer of the phone. Apple's distance as a manufacturer provided its own argument against the DOJ's application of this Supreme Court decision.

In this case, the key words are "third party": Rawls is arguing this isn't nearly the same thing as forcing a phone company to comply with pen register orders. This is a "first party" situation where compliance may mean producing evidence against yourself for use in a criminal trial. The government likes the New York Telephone decision for its Fourth Amendment leeway. The defendant here is arguing this isn't even a Fourth Amendment issue.

As the court points out, it can't really assess the Fifth Amendment argument -- not when it hasn't been preserved for appeal. But even so, the court says law enforcement already has enough evidence to proceed with prosecution. If so, the only reason the government's pressing the issue -- which has resulted in Rawls being jailed indefinitely for contempt of court -- is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords. The court doesn't quite reach that point, but the ruling here seems to suggest it will be easier (in this circuit at least) to throw people in jail for refusing to hand over passwords, since all the government is really being forced to establish is that it knows the defendant can unlock the targeted devices/accounts.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 22 Mar 2017 @ 12:14pm

    So the douchbag probably knows he is going to be convicted, why not give up the password?

    Maybe he would rather be in jail on contempt charges than being in prison for child porn? Maybe he knows child porn convicts are not treated well in prison, much less ex policeman child porn convicts.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2017 @ 1:46pm

      Re:

      Now we know why you pedophiles post as AC's. You are clearly hiding something are you not? Otherwise you have not reason to protect your identity.

      Your logic sucks, too bad your ass is not the one on the hook for this.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Mar 2017 @ 2:10pm

        Re: Re:

        Your logic is faulty.

        I post as an AC because I am lazy, although is funny that you also posted as an AC.

        My point is that the court and the government believes that the prosecution already has the evidence to convict this perv. They are holding him in contempt of court (and in a jail cell) is because " the only reason the government's pressing the issue -- which has resulted in Rawls being jailed indefinitely for contempt of court -- is that it wants a precedential ruling clearly establishing the lawfulness of compelling the production of passwords."and the DHS performed a forensic scan of the one device it could access -- the MacBook Pro -- and found data and photos suggesting the locked external drives contained more child pornography.) " So they go after the phone because it was a backup of the MacBook Pro (or vice versa). They already have the evidence needed to put this guy in prison, but are going after the password for precedential issues.

        So if it is a forgone conclusion that the dirtbag goes to prison, why not give up the password? Like I said before, probably better to be in jail for contempt than in prison for being a child porn convict.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jul 2017 @ 5:44pm

      Re:

      I can bet you money neither he nor you would remember a proper password after 6 months, much less the 18 that it's already been.

      I have to reset my passwords pretty often cause I forget all the time, and have been locked out of encrypted systems on the regular. And that's after much shorter periods!!!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2017 @ 12:24pm

    Whats deal with a password manager ?
    I know only one password that has all my others
    linked into it , So honestly if they asked me for a specific password ,I dont know it but if they asked for my password manager password they then have free reign to my whole entire life star to finish .
    would you trust them with only going after what they say they were after ???

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2017 @ 12:29pm

    Seriously, what the fuck is going to happen to some one who forgets the password to one of their devices or encrypted partitions? You can't prove you don't know it. So now forgetting things is punishable by indefinite confinement?

    If because of the 5th you can't be compelled to go get some files, or tell them where the bodies are buried, or tell them what you did, what the fuck makes passwords a different kind of information?

    If it's such a foregone conclusion then why do they need you to fork over the password at all. If it's a foregone conclusion then they should be able to get what they're after without your help.

    reply to this | link to this | view in chronology ]

    • icon
      ShadowNinja (profile), 22 Mar 2017 @ 2:03pm

      Re:

      Not to mention what if someone is framed because another person put an encrypted file on their computer, and they then report that person for say possessing child pornography on their computer?

      The accused literally can't prove themselves innocent by providing the password, because they won't know it. The accused will never need to be brought to trial, the prosecutors can just keep a wrongly accused person in jail forever.

      reply to this | link to this | view in chronology ]

  • icon
    Dave Cortright (profile), 22 Mar 2017 @ 12:53pm

    More evidence that we all need duress passwords

    Please please PLEASE tech companies, provide me the ability to set a duress password that will unlock the device without decrypting my real data. It's the next logical step.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2017 @ 12:56pm

      Re: More evidence that we all need duress passwords

      Or a password that wipes the phone of all data.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Mar 2017 @ 1:30pm

        Re: Re: More evidence that we all need duress passwords

        Both of you are forgetting it's standard practice to make copies of the data in question.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 23 Mar 2017 @ 12:31pm

          Re: Re: Re: More evidence that we all need duress passwords

          Both of you are forgetting it's standard practice to make copies of the data in question.

          Wiping won't work, for that reason. (Unless the password is only used to convince a tamper-resistant device/service to divulge the real key, as in some Apple products—you could actually make that device wipe the key, and it's difficult to make backups first.)

          The "hidden volume" trick could. The government would enter the password and see mundane, non-incriminating data. But then they'll just claim it's a "foregone conclusion" that there's an alternate incriminating password...

          reply to this | link to this | view in chronology ]

      • icon
        Cdaragorn (profile), 22 Mar 2017 @ 1:32pm

        Re: Re: More evidence that we all need duress passwords

        Do that and they'll throw you in jail for destruction of evidence. One that only unlocks part of the device is a far better option.

        reply to this | link to this | view in chronology ]

        • identicon
          FarFromTopic, 22 Mar 2017 @ 2:10pm

          Re: Re: Re: More evidence that we all need duress passwords

          Ah, but "we" would not have destroyed the data.
          "They" would do it by entering the password.

          Fuck 'em if "they" can't take a joke. :)

          reply to this | link to this | view in chronology ]

    • icon
      ThaumaTechnician (profile), 22 Mar 2017 @ 1:29pm

      Re: More evidence that we all need duress passwords

      This already exists and has for some time now. It's not simple to do, but...

      Google 'rubberhose crypto' then read this:
      https://veracrypt.codeplex.com/wikipage?title=Hidden%20Volume

      reply to this | link to this | view in chronology ]

      • icon
        Ninja (profile), 23 Mar 2017 @ 6:30am

        Re: Re: More evidence that we all need duress passwords

        It's different. A good forensic exam will show the volume is there. I think what he meant is something like a panic button in form of a password. You type it and the volume will display fake data somehow, trick/fool the one that entered the fake password. I'm not sure how this would be feasible though. Maybe 'decrypt' the volume but pretend the file system is damaged beyond repair?

        reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 22 Mar 2017 @ 2:31pm

      Re: More evidence that we all need duress passwords

      That strikes me as solving the wrong problem. Better to make it clear that forced decryption isn't allowed, and even trying will get a case tossed so prosecutors stop trying it.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Mar 2017 @ 7:17am

      Re: More evidence that we all need duress passwords

      Already exists. Truecrypt hidden partitions.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Cowherd, 22 Mar 2017 @ 1:19pm

    Lawyer logic

    I don't see how it could be logically possible for government to establish that a defendant knows a password without the defendant telling them what the password is. After all, even if it is established that the defendant has at one point known the password, it's always possible the password has been forgotten since then.

    But then I'm no lawyer either.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2017 @ 1:28pm

    "As the court points out, it can't really assess the Fifth Amendment argument -- not when it hasn't been preserved for appeal."

    Way to bury the lede.

    reply to this | link to this | view in chronology ]

  • identicon
    FarFromTopic, 22 Mar 2017 @ 2:08pm

    Contempt from answering too...

    Free room and board, free internet, free cable, free healthcare?

    Sign me up.

    My encryption password? Whosafuckingcheetohfacedshitgibbonthatlikessuckingthesweatoffofkingkongsballs?Whyyouareyourhonor!

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Mar 2017 @ 6:40pm

      Re: Contempt from answering too...

      Invalid password. Your password must have one each of the following:
      - An uppercase letter
      - A lowercase letter
      - A numeral
      - A special character (except { } ; : /)

      Your password must:
      - Not be your email address
      - Not be something easily guessed
      - Be between 8 and 64 characters

      Please try again.

      reply to this | link to this | view in chronology ]

      • identicon
        FarFromTopic, 22 Mar 2017 @ 8:37pm

        Re: Re: Contempt from answering too...

        I presume your response was meant in jest, as those kinds of password "strengthening" rules have been thrown to the curb where they've always belonged.

        Those "strong" password rules were developed in part by the NSA and CIA in order to weaken passwords to be more easily cracked.

        Passwords where any character can be used for any position without entropy limiting rules can be hundreds or even thousands of times stronger than those where entropy limiting rules are applied.

        I found a posting somewhere in the past that showed this rather pointedly.

        To make the math "simpler", lets start with a 4 character password.

        Now, if we allow any of the 94 characters on a typical keyboard that can be used to form a password, that gives us roughly 78 million possible permutations.
        If we apply the "supposed strong" rules, that number of possibilities drops below 217,000.

        217k vs 78m = which is "stronger"?

        Expand that to 8 characters and the numbers still show that "strong" rules weaken password complexity.

        8 characters with strong rules equates to about 17 billion possibilities compared to the 6 quadrillion possibilities if the full set of printable ascii characters are allowed.

        17 billion to 6 quadrillion - that is a roughly 350 times larger entropy pool that has to be brute forced through.

        reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 22 Mar 2017 @ 2:27pm

    Rights? What rights?

    Here, as in New York Telephone: (1) Doe is not “far removed from the underlying controversy;” (2) “compliance with [the Decryption Order] require[s] minimal effort;” and (3) “without [Doe’s] assistance there is no conceivable way in which the [search warrant] authorized by the District Court could [be] successfully accomplished.” Id. at 174-175. Accordingly, the Magistrate Judge did not plainly err in issuing the Decryption Order.

    As arguments for bulldozing rights go that is not a pleasant one. 'It's easy' to violate a right does not mean that right doesn't exist. Confessing to a crime or leading investigators to a damning piece of evidence they otherwise wouldn't have is likewise 'easy', but I would hope that those wouldn't be considered acceptable, even if the court does seem to think it is this time around 'because computers'.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2017 @ 3:47pm

    Layman view

    From layman's point of view:

    1) US "All Writs Act" reeks of British "Writ of assistance"

    2) I disagree with "Foregone conclusion" principle.
    Just because the court concluded certain assumption must be true by “Preponderance of Evidence”, it should not give the court right to force defendant to produce said self-incriminating evidence.
    Fifth Amendment should stand.

    3) The act of production of this evidence is "not testimonial", however the evidence itself is testimonial.
    Wherefore it is against Fifth Amendment.

    If court claims the evidence is "not testimonial", court should be able to convict the defendant without this evidence.
    And should proceed to do so.

    4) I agree with court's decision footnote.
    "We know what is on the encrypted disk" is not equal to "Defendant confessed he can decrypt the disk"

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 22 Mar 2017 @ 4:16pm

      Re: Layman view

      3) The act of production of this evidence is "not testimonial", however the evidence itself is testimonial. Wherefore it is against Fifth Amendment

      If court claims the evidence is "not testimonial", court should be able to convict the defendant without this evidence. And should proceed to do so.

      Yeah, the whole 'Forcing someone to decrypt something and/or provide a password isn't against the Fifth' is an idea that never should have made it off the ground.

      Beyond the fact that being able to provide a password creating a link between the contents and the person, this particular(and persistent) dishonest and/or absurd logic can be exposed simply by a demand from the accused for immunity to anything a password provides.

      If forcing someone to provide a password isn't forcing them to provide self-incriminating evidence against themself, then the prosecution loses nothing by granting immunity to anything found. If on the other hand they are being forced to provide self-incriminating evidence against themself, then that immunity would completely undermine the entire purpose behind demanding the accused decrypt something.

      Anyone care to take a wild guess as to what the odds would be that such an offer would be accepted?

      "We know what is on the encrypted disk" is not equal to "Defendant confessed he can decrypt the disk"

      "We know what is on the encrypted disk" is to '... therefore it's not forcing someone to provide self-incriminating evidence' as 'We know the accused is guilty' is to '... therefore forcing them to confess to the crime isn't forcing them to provide self-incriminating testimony'.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Mar 2017 @ 5:54pm

    What if this whole situation was fabricated and set up specifically to get courts to declare this stuff legal precedent, and Francis Rawls was a willing scapegoat who's just chillin out until the courts give the carte blanche go ahead?

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 22 Mar 2017 @ 6:03pm

      Re:

      He's being publicly accused of involvement with child porn, a charge that's likely to haunt him for the rest of his life no matter what the eventual verdict is.

      There's taking a fall and then there's 'throwing yourself off a cliff'. As such I really doubt he's a willing patsy in this, even if the prosecution does seem to be using the case to try and set a favorable precedent with regards to forcing people to provide passwords in future cases.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Mar 2017 @ 10:30pm

        Re: Re:

        It's probably unlikely. But it's certainly strange that the prosecution is claiming that Rawls' guilt is a foregone conclusion, and still hinging on the contents locked behind his password to make a case.

        Rawls being a policeman also raises an eyebrow. It wouldn't surprise me if those holding him in custody were treating him as one of their own, and it looks like Rawls is in this for the long-term game.

        reply to this | link to this | view in chronology ]

        • icon
          That One Guy (profile), 23 Mar 2017 @ 8:44am

          Re: Re: Re:

          It's probably unlikely. But it's certainly strange that the prosecution is claiming that Rawls' guilt is a foregone conclusion, and still hinging on the contents locked behind his password to make a case.

          Not strange at all, as I understand they have enough to hang him(metaphorically speaking), what they want is a precedent that will allow them to force others to hand over their passwords in future cases, and they're trying to use this case to get it.

          It's like a smaller version of the DOJ/Apple fight, where they pick an unsympathetic suspect and press to have a legal precedent set that they can and will use against not-so-unsympathetic suspects in the future. It's not about 'seeing justice done', it's about using the system for their own ends to erode rights of the public and give them more power.

          reply to this | link to this | view in chronology ]

  • icon
    MarcAnthony (profile), 23 Mar 2017 @ 8:05am

    All rights reserved

    I'm not sure how you can "fail to preserve" something that is inalienable; you have the RIGHT to not testify against yourself—it's not an opt-in arrangement. I believe I read that the defendant in this case has already stated that he has forgotten the password, so any conclusion that he knows it is no longer forgone. Continuing to mete out punishment for a lack of production further implicates the right to remain silent; if he now produces the password, he will be testifying to the fact that he committed perjury.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Mar 2017 @ 9:05am

      Re: All rights reserved

      Wrong, the person has stated that he knows what the password is, and testified to that fact.

      reply to this | link to this | view in chronology ]

      • icon
        MarcAnthony (profile), 23 Mar 2017 @ 10:15am

        Re: Re: All rights reserved

        He has stated he has forgotten the password and is being held in contempt. It's all over the news. Perhaps you should follow a story before trying to correct someone.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 27 Mar 2017 @ 10:33am

          Re: Re: Re: All rights reserved

          Perhaps you should read this article where the court states that he testified that he knows the password?

          reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.