Encryption software has been enjoying a prolonged day in the sun for about the last year. Thanks to the revelations of Edward Snowden about the NSA’s seemingly limitless capabilities, security experts have been pounding the drum about the importance of encrypting not just data in transit, but information stored on laptops, phones and portable drives. But the Massachusetts Supreme Judicial Court put a dent in that armor on Wednesday, ruling that a criminal defendant could be compelled to decrypt the contents of his laptops.
The case centers on a lawyer who was arrested in 2009 for allegedly participating in a mortgage fraud scheme. The defendant, Leon I. Gelfgatt, admitted to Massachusetts state police that he had done work with a company called Baylor Holdings and that he encrypted his communications and the hard drives of all of his computers. He said that he could decrypt the computers seized from his home, but refused to do so.
The MJSC, the highest court in Massachusetts, was considering the question of whether the act of entering the password to decrypt the contents of a computer was an act of self-incrimination, thereby violating Gelfgatt’s Fifth Amendment rights.
The court ruled, in a 5-2 decision, that merely entering the password does not imply that Gelfgatt created the documents on the encrypted machines or had sole control of them at all times and was not “testimonial”. The ruling reversed a lower court’s decision.
“Based on our review of the record, we conclude that the factual statements that would be conveyed by the defendant’s act of entering an encryption key in the computers are ‘foregone conclusions’ and, therefore, the act of decryption is not a testimonial communication that is protected by the Fifth Amendment. The investigation by the corruption, fraud, and computer crime division of the Attorney General’s office uncovered detailed evidence that at least two mortgage assignments to Baylor Holdings were fraudulent,” the MJSC’s ruling says.
“During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated that he had performed real estate work for Baylor Holdings, which he understood to be a financial services company. The defendant informed Trooper Johnson that he had more than one computer at his home, that the program for communicating with Baylor Holdings was installed on a laptop, and that ‘[e]verything is encrypted and no one is going to get to it.’ The defendant acknowledged that he was able to perform decryption. Further, and most significantly, the defendant said that because of encryption, the police were ‘not going to get to any of [his] computers,’ thereby implying that all of them were encrypted.”
Although the MJSC’s ruling only applies in Massachusetts, it’s a tough blow for privacy advocates and others who have asserted the right to refuse to decrypt digital devices. Full disk encryption software is considered a valuable defense against both attackers and spot searches at international borders and in other situations. In its opinion, the MJSC acknowledged that without the password, it would have been extremely difficult for investigators to access Galfgatt’s data.
“According to the Commonwealth, the encryption software on the computers is virtually impossible to circumvent. Its manufacturer touts the fact that it does not contain a ‘back door’ that would allow access to data by anyone other than the authorized user. Thus, the Commonwealth states, the files on the four computers cannot be accessed and viewed unless the authorized user first enters the correct password to unlock the encryption,” the ruling says.
Still, not all of the MJSC justices supported the ruling. Justice Barbara Lenk, writing the dissenting opinion, said that the court’s holding that by entering the password the defendant isn’t asserting that he owned the computers or created the documents on them is incorrect.
“On this view, he would not be asserting that he owned them, had exclusive use and control of them, or was familiar with any of the files on them; that certain files contained the incriminating evidence sought; or that the documents were authentic. Such is far from the case,” Lenk wrote.
“In taking this view of the matter, the court maintains that the defendant merely would be entering a password, which he would not disclose to the Commonwealth, into the encryption program, and would not thereby be selecting and producing any documents. Such an artificial distinction between the act of entering the decryption key and the inevitable result of decrypting the devices, and thereby producing the files for inspection, obfuscates the reality of what the defendant is being compelled to disclose.”