Can the State Require You to Decrypt a Computer Drive?

Here’s an interesting question, arising out of a case before a Colorado court: may the state require a defendant in a criminal trial to enter the password that will decrypt a computer drive with full disk encryption? The Electronic Frontier Foundation has entered a brief in the case of US v. Fricosu arguing Friday that to require the defendant either to hand over the information on the drive or to provide the password enabling the prosecution to get access to the data would infringe her constitutional right against self-incrimination. Apparently the authorities have offered a limited form of immunity to the defendant, who has been accused of fraudulent real estate transactions.

The EFF brief is available online.

It’s hard to think of parallels to this situation from which to argue. Where the state has a search warrant, it may use force to enter premises or containers such as cars or safes. And at the same time the state may not compel a defendant to testify or, indeed, (this cases aside) answer questions whether or not under oath. Here’s a situation where forceable entry is perhaps impossible or, at least, very very difficult. Law Technology News, for instance, says:

While no storage encryption technology is completely unbreakable, today’s algorithms come very close to being impenetrable. The Advanced Encryption Standard (AES), the current encryption benchmark, offers 128-, 192-, or 256-bit security levels. At the low end, 128-bit AES offers 3.4 x 1038 key combinations. At the top level, no known brute-force attack can break a 256-bit key AES in a reasonable amount of time (it would take many years even on the fastest computers available).


  1. Lawrence Gridin

    I see this issue arising a fair bit in the context of border searches. The Canada Border Services Agency will sometimes require people to hand over their password so that they can search a laptop or other electronic device being brought across the border. Ostensibly the purpose of such searches is to look for child pornography or other contraband.

    There are serious constitutional problems with this practice. However, several Canadian lower courts have upheld it (as well as an appeals court in the US). Some of these decisions were based on the premise that a computer is no different than any other object being taken across the border, which the CBSA has every right to search and examine. I believe that premise is wrong, particularly in light of the Supreme Court of Canada’s recent decision in R. v. Morelli. The court called the computer “the most private place in the home” and went on to hold:

    [105] … it is difficult to imagine a more intrusive invasion of privacy than the search of one’s home and personal computer. Computers often contain our most intimate correspondence. They contain the details of our financial, medical, and personal situations. They even reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet.

    [106] It is therefore difficult to conceive a s. 8 breach with a greater impact on the Charter-protected privacy interests of the accused than occurred in this case.

    This CBSA practice has serious implications for travelers, but especially for lawyers and business people who may regularly carry sensitive documents across the border. What happens to solicitor client privilege when a lawyer carries a blackberry containing client emails across the border? Must a business person be forced to give up trade secrets if they want to travel abroad? I look forward to seeing these considerations balanced by a higher court in Canada.

  2. Seems to me the closest traditional parallel would be a paper document written in a language that only the defendant can translate. Hypo: The defendant is a college professor who is the only living “speaker” of a dead language. She took notes in that language. The government believes the content of the notes contains evidence of a crime. Compelling the professor to translate the notes into English would be an obvious 5th Amendment violation.

    How can compelled disclosure of an encryption password not be a similar violation?