The Compelling of Passwords and Issues of Privacy

On Monday March 2nd, 2015, Quebec resident Alain Philippon arrived in Halifax on a flight from the Dominican Republic. He refused to divulge the password for his locked cell phone and has been charged with obstructing border officials. The compelling of one's password by border agents has, at this time, not been tested within the Canadian judicial system.

United States v. Boucher

What is thought to be the first case of its kind (which involves a Canadian named Sebastien Boucher) is United States v. Boucher. This case involved a password protected and encrypted volume of a hard drive, which was thought to contain child pornography. This case is thought to be the first case that addressed the question of whether a person can be compelled by the courts to surrender a password to decrypt a computer, despite the United States Constitution (and in particular the Fifth Amendment), which protects one from self-incrimination. Upon his crossing of the border, Boucher was in possession of a laptop, which was powered on at the time. Upon inspection by border agents (not having to enter a password into the computer) child pornography titles were found (the actual files were inaccessible) and animation depicting adult and child pornography. The border agent read Boucher his rights, which Boucher promptly waived. During his interview Boucher navigated to a part of his laptop hard drive (Z Drive), which was found by the border agent to contain images of child pornography. The laptop was then powered down and seized. During the subsequent forensic analysis of the laptops hard drive it was determined that the drive was encrypted using PGP (Pretty Good Privacy) software. The Z Drive was encrypted once the laptop was power down by the border agent. A Grand Jury subpoenaed Mr. Boucher to provide the password to unlock the encryption of the “Z Drive” of his laptop. U.S. Magistrate Judge Niedermeier initially quashed the subpoena, as he stated, “compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him”. The U.S. District Court, and in particular Judge Sessions reversed the earlier decision stating:

Boucher accessed the Z drive of his laptop at the ICE agent's request. The ICE agent viewed the contents of some of the Z drive's files, and ascertained that they may consist of images or videos of child pornography. The Government thus knows of the existence and location of the Z drive and its files. Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent.

Mr. Boucher was therefore compelled to surrender the password for the encrypted drive. He did so and was later sentenced to three years in prison and deported.

The Regulation of Investigatory Powers Act (RIPA)

One country that has passed legislation in regards to compelling a suspect to decrypt information or surrender their encryption password is the United Kingdom. The Regulation of Investigatory Powers Act (RIPA) Legislation (2000) enacted within the United Kingdom compels a suspect to either hand over the decrypted files or the decryption key in cases that involve,

  • Interests of national security,
  • The purpose of preventing or detecting crime,
  • The interests of the economic well being of the United Kingdom.

This legislation allows law enforcement to give a person or an organization a Section 49 disclosure notice. Within the notice imposing a disclosure requirement in respect to any protected and encrypted information, the law enforcement agency serving the notice must include descriptions of the protected information that the notice relates to.

This is similar to the Boucher case mentioned above whereby the border agents viewed titles of child pornography movies but were unable to access the movies themselves. In that situation the border agents could describe the protected material by the name only (and the fact that the name contained known child pornography references). Failure to comply with this a Section 49 disclosure notice may result on conviction on indictment to a prison term up to five years for investigations involving national security and up to two years for all other investigations, or on summary conviction to a prison term up to six months or a fine.

Canada Border Services Agency

The CBSA have not stated why they requested the password to Mr. Philippon's cellphone. A spokesperson for the CBSA has stated, "Officers are trained in examination, investigative and questioning techniques. To divulge our approach may render our techniques ineffective. Officers are trained to look for indicators of deception and use a risk management approach in determining which goods may warrant a closer look."

Mr. Philippon has stated that he will contest the charge, and faces a minimum fine of $1000, up to a maximum fine of $25,000 and the possibility of a year in jail.

Passwords and Privacy

There is no debating that the smartphones of today contain a significantly increasing amount of personal information than the cell phones of prior years. There is also no debating the significance of the digital data contained on such smartphones in the investigating of criminal acts and for civil matters. The data contained on smartphones can assist investigators in cases ranging from missing children cases to cyber-security cases.

For the last few months there has been a great debate raging on forums, bulletin boards, online articles, blogs and more about an individual’s right to privacy versus law enforcements needs to gather digital evidence in relation to a criminal act. This debate is not new, however it resurfaced earlier this year, due to Apple and Google making the decision to enable (by default) full encryption on their mobile devices, which would then make it extremely difficult (if not impossible) for members of Law Enforcement to gather data from those devices.

Apple and Google

Apple and Google have both said that even they won’t be able to access data contained on those devices (even with a warrant). It seems as though people on both sides of this argument have often strong and polarized opinions. In 2009 Google CEO Eric Schmidt (in relation to whether users should be sharing personal information with Google) was quoted as saying “If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." In 2014 after announcing Google’s intent to encrypt data on a user’s cellphone, Schmidt stated that the U.S. government has only itself to blame for Google's new efforts to keep police out of a suspect’s smartphone.

The measures being put in place by Google and Apple has obviously been met with some resistance by members of the Law Enforcement community, in particular the FBI and the U.S. Deputy Attorney General James Cole. FBI Director James Comey has been quoted as saying that Apple and Google’s decision will take the country to a “very dark place” where law enforcement “misses out” on gathering evidence from digital devices to stop cyber-criminals and terrorists. U.S. Deputy Attorney General James Cole has been quoted as saying that the practices by Google and Apple could result in a child’s death. Comey and members of the Justice Department have met with the President of the United States and may be pushing for changes to be made to the Communications Assistance for Law Enforcement Act, which mandates that various telephone companies build back-doors into their networks to allow access for Law Enforcement. This act does not however apply to companies such as Google or Apple.

In response to the concerns brought forward from the Law Enforcement community, both Apple and Google have made further comments. Apple executives have stated that “law enforcement could obtain the same kind of information elsewhere, including from operators of telecommunications networks and from backup computers and other phones” and Google CEO Eric Schmidt has been quoted as saying “There are many, many ways law enforcement can get what it needs.”

The case involving Mr. Philippon will no doubt be a very important one within the Canadian legal landscape. It will most likely be debated not only within the halls of justice, but also within boardrooms and around water coolers.