Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops.

The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so.

The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt’s Fifth Amendment rights.

The court ruled that merely entering the password does not imply that Gelfgatt created the documents on the encrypted machines.

The court ruled, in a 5-2 decision, that merely entering the password does not imply that Gelfgatt created the documents on the encrypted machines or had sole control of them at all times and was not “testimonial”. The ruling reversed a lower court’s decision.

“Based on our review of the record, we conclude that the factual statements that would be conveyed by the defendant’s act of entering an encryption key in the computers are ‘foregone conclusions’ and, therefore, the act of decryption is not a testimonial communication that is protected by the Fifth Amendment. The investigation by the corruption, fraud, and computer crime division of the Attorney General’s office uncovered detailed evidence that at least two mortgage assignments to Baylor Holdings were fraudulent,” the MJSC’s ruling says.

“During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated that he had performed real estate work for Baylor Holdings, which he understood to be a financial services company. The defendant informed Trooper Johnson that he had more than one computer at his home, that the program for communicating with Baylor Holdings was installed on a laptop, and that ‘[e]verything is encrypted and no one is going to get to it.’ The defendant acknowledged that he was able to perform decryption. Further, and most significantly, the defendant said that because of encryption, the police were ‘not going to get to any of [his] computers,’ thereby implying that all of them were encrypted.”

Although the MJSC’s ruling only applies in Massachusetts, it’s a tough blow for privacy advocates and others who have asserted the right to refuse to decrypt digital devices. Full disk encryption software is considered a valuable defense against both attackers and spot searches at international borders and in other situations. In its opinion, the MJSC acknowledged that without the password, it would have been extremely difficult for investigators to access Galfgatt’s data.

“According to the Commonwealth, the encryption software on the computers is virtually impossible to circumvent. Its manufacturer touts the fact that it does not contain a ‘back door’ that would allow access to data by anyone other than the authorized user. Thus, the Commonwealth states, the files on the four computers cannot be accessed and viewed unless the authorized user first enters the correct password to unlock the encryption,” the ruling says.

Still, not all of the MJSC justices supported the ruling. Justice Barbara Lenk, writing the dissenting opinion, said that the court’s holding that by entering the password the defendant isn’t asserting that he owned the computers or created the documents on them is incorrect.

“On this view, he would not be asserting that he owned them, had exclusive use and control of them, or was familiar with any of the files on them; that certain files contained the incriminating evidence sought; or that the documents were authentic. Such is far from the case,” Lenk wrote.

“In taking this view of the matter, the court maintains that the defendant merely would be entering a password, which he would not disclose to the Commonwealth, into the encryption program, and would not thereby be selecting and producing any documents. Such an artificial distinction between the act of entering the decryption key and the inevitable result of decrypting the devices, and thereby producing the files for inspection, obfuscates the reality of what the defendant is being compelled to disclose.”

Categories: Cryptography, Government, Privacy

Comments (8)

  1. Joe
    1

    Another opinion by geriatric technology-impaired judges whose secretaries still type up their rulings in WordPerfect.

    Ages of the Massachusetts Supreme Judicial Court judges:

    Roderick L. Ireland (70)
    Margot Botsford (67)
    Robert J. Cordy (65)
    Fernande R.V. Duffly (63)
    Ralph Gants (60)
    Barbara Lenk (67)
    Francis X. Spina (68)

    Reply
  2. Steve
    2

    So the Commonwealth concedes that “encryption software on the computers is virtually impossible to circumvent”. Yet it also claims that Gelfgatt being able to decrypt the drives “does not imply that Gelfgatt created the documents on the encrypted machines or had sole control of them at all times.” The judges do not see a contradiction here?

    Reply
  3. Allan
    3

    2 thoughts… er… questions really.

    1) If a person has stated that they know the combination to a safe, but refused to open the safe because the contents could be incriminating, can the court order that person to open the safe? I do not know the exact answer to this question, but that seems to be an accurate analogy. The only difference is that there is no physical safe to open manually with a saw or torch if the person refuses to open it.

    2) What if the person who claimed to know the key forgot the key? What recourse does the court have? How does a court levy any conviction or penalty on human imperfection?

    Reply
    • Guy
      4

      Here’s what the FDIC site has to say about court orders and bank safe deposit boxes:

      Can law enforcement authorities access my safe deposit box without my knowledge or permission?

      Mark Mellon, an attorney with the FDIC in Washington, says that if a local, state or federal law enforcement agency persuades the appropriate court that there’s “reasonable cause” to suspect you’re hiding something illegal in your box

      Reply
  4. Adam Elteto
    5

    When someone tells you you can remain silent, that is what you do, not start bragging about how you have encrypted your computers and you are not giving anything up.

    Reply
  5. Charles Batchelor
    6

    I would still refuse and then take it to the US a supreme Court. If it still goes against me, I would still a cert my rights and refuse.

    Reply
  6. Darren
    7

    This is an awful ruling.

    While Gelfgatt’s hubris did not help the situation, no agency should be able to force a person to provide an encryption key so the agency in question can prosecute said individual.

    If they don’t have a strong enough case “without” the laptop, then get back to good old fashioned investigation. I agree with the other poster in that Justices who are in their 60′s and 70′s don’t have the best grasp on what is technology.

    Reply
  7. Anonymous
    8

    We have the right to not testify against ourselves. We have the right not to speak, the right to not aid our prosecutors. This is a natural right.

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>