Encryption defense attorney fights DOJ demands (Q&A)
CNET interviews Colorado-based attorney Phil Dubois, who once represented PGP legend Phil Zimmermann and now finds himself fighting the feds over encryption again.
The U.S. Department of Justice is determined to make sure that a case in Colorado will set a legal precedent allowing it to force Americans accused of crimes.
Phil Dubois is equally determined not to let that happen. The Colorado Springs-based attorney is representing Ramona Fricosu, accused of a mortgage scam, who is refusing to divulge the passphrase to an encrypted laptop found in her bedroom.
Dubois, who specializes in criminal defense and Internet law, says requiring Fricosu to decrypt the hard drive would be a clear violation of his client's Fifth Amendment right to remain silent. The case is currently before U.S. District Judge Robert Blackburn, and Dubois says if he loses, he'll appeal.
It's not Dubois' first encounter with encryption and threats of criminal prosecution. In the 1990s, he represented PGP creator Phil Zimmermann when the programmer was being investigated for allegedly exporting the encryption utility by posting it publicly online. The charges were dropped in 1996.
Dubois has also represented hackers and the owner of Clue.com, who was sued by Hasbro, the multibillion-dollar toy maker and manufacturer of the mystery board game Clue, because the company believed it should have the rights to that domain. Hasbro lost.
CNET spoke with Dubois about his current case, privacy, encryption, and the state of electronic civil liberties. Below is a transcript, lightly edited for space.
Q: So what's the status of the case? Will the next stage be handled by the magistrate judge or district judge?
Dubois: Judge Blackburn will be hearing this on July 22. The magistrate is out of the picture for this particular issue. The Department of Justice has suggested a sort of immunity, but the boundaries are unclear. Once the concept of immunity came up, the assistant U.S. attorney said only a district judge can do that.
What do you expect to happen on July 22?
Dubois: That's another interesting question. There are kind of two things going on here that boil down to one thing. The government let us know a month or two ago that: "We just can't break this encryption, so why doesn't your client just give us the password?" And we said, "We don't think so."
And then the U.S. Attorney came at me and said, "The experts at the computer lab said we can't make a copy of an encrypted drive." That brought a smirk to my face. I said, "Give me a copy of the drive."
Then they came back and said, "We can make a copy of the drive. But we don't want to give it to you because there's contraband on it." I said, "What contraband?" I filed a motion on the encrypted drive asking for a copy.
The Department of Justice is relying on the All Writs Act, which dates back to 1789. It doesn't seem intended to address this situation.
Dubois: It wasn't intended to address this. It was basically: If the judge orders someone to transfer title of property, he can also order whatever else is necessary to make that happen. It was pretty clearly necessary to allow judges to enter orders they've always been able to enter anyway. It wasn't designed to expand the judge's power or the government's power.
This is the place where technology has bumbled right on ahead of the law, as it always does. The framers of the Constitution did not foresee this particular situation, and even as the case law from the Fourth and Fifth Amendments has developed, we're treading on new ground here. The analogy,, is giving up the key to the safe vs. giving up the combination to the safe. That was a distinction that never should have been made.
Prosecutors are saying they don't necessarily want to learn the passphrase. They just want your client to disable the encryption so they can read the files. Does that distinction make a difference?
Dubois: It does under current Fifth Amendment law. The distinction matters because it has come down to this: If a person has to divulge the contents of her mind, that's a Fifth Amendment violation. If the person has to simply surrender or give up a key from her key chain, that's not a Fifth Amendment violation. The courts use the word "testimonial." There have been cases in which the courts have required people to sign a release permitting some Cayman Island banks to then comply with a subpoena sent to them by the feds.
If they're offering your client some limited form of immunity for decrypting the drive, have they put it in writing?
Dubois: In one of her pleadings, the assistant U.S. attorney said: Before the hearing, I'll show you the proposed immunity order. I don't think that whatever she writes on there is going to get the job done. The Electronic Frontier Foundation wrote a very nice brief on this and they hit the immunity issue pretty hard. They're dead right.
What the AUSA wants to do is say: "Make her decrypt the drive for us, and we won't tell the jury that she's the one who decrypted the drive for us. But we want to use everything we find in there against her."
If the feds found examples of hypothetical other crimes--tax evasion, copyright infringement, unpaid parking tickets--on the decrypted drive, then they could use that against your client?
Dubois: Indeed. Precisely right.
I let the judge know last week that if he rules against us, there will be an appeal in this case. So there will be at least a circuit level opinion.
Do any parallels come to mind between this case and your representing Phil Zimmermann in the 1990s?
Dubois: When I was representing Zimmermann, this subject came up. We used to talk about it. We knew at some point the issue would arise. The government would run into encrypted data, and it would do whatever it could to get in there, including turning to the courts and getting some compulsion order. It doesn't come as a surprise. Frankly, I'm surprised it took so long to arise.
The government is trying to expand its power. Back in the PGP days, the government was trying to prevent, futilely, the spread of encryption software around the world. Now they're trying to increase their power by narrowing the Fifth Amendment. Like the others, the Fifth Amendment is aimed directly at the government, primarily the executive. The executive wants, as it always has and always will, to narrow the Fifth Amendment and thereby increase its own power.
You're sounding almost libertarian. Care to come out of the closet?
Dubois: I have certain tendencies in that direction, I suppose. I kind of take issues as they arise.
The thing is, the idea of privacy is so completely different in my kids' world than in mine. Everybody's reported on this. You've got all these social-media sites, all the sharing of absurdly personal and private information. I don't quite grasp it. My concern is that this will become the norm.
The old legal term of "reasonable expectation of privacy" is critical. Zimmermann used to say that everyone needs to use encryption so that will become the norm. So everyone's e-mail will reasonably be expected to be private, and so on. But the general public hasn't adopted that. And I'm seeing a very disturbing trend in the other direction. [Ed. Note: The Fourth Amendment prohibits only "unreasonable" searches and seizures, which is where the concept of reasonable expectation of privacy becomes very important.]
Then the next step in this case is next week's hearing on July 22?
Dubois: It won't be an evidentiary hearing. The judge has made it clear he doesn't want to hear any more witnesses.
We'll have a hearing. The judge will, I'm betting, take it under advisement. I think the likelihood of him ruling from the bench is less than 50 percent. We'll wait attentively for his opinion.
A simple resolution to this is to say, "No, Ms. Prosecutor, the All Writs Act isn't for this. You got your search warrant, that's all you get. We're not going to expand the All Writs Act and we're not going to narrow the Fourth and Fifth Amendments, and we're not going to grow the government any more, just because you're frustrated by your inability to decrypt the hard drive." That would be the easy way to go.
Update July 14: CNET readers have, perfectly reasonably, pointed out that I failed to ask the obvious question of what encryption program was in use. Keep in mind that prosecutors have not proved whose laptop it is, and Fricosu has not to the best of my knowledge admitted ownership. Dubois replied, when I followed up: "Given that the government has not cracked it, there is good reason to suspect that it was PGP."