Yottabytes: Storage and Disaster Recovery

May 13 2016   11:10PM GMT

Man Jailed for Forgetting an Encryption Passcode

Sharon Fisher Sharon Fisher Profile: Sharon Fisher

Tags:
Encryption
government
privacy
Security

It’s like one of those nightmares where you keep trying to type in a password and it doesn’t work. Except in this case, it’s real life, and a man has been in jail for seven months – without being charged – for forgetting an encryption passcode.

Francis Rawls, a former sergeant in the 16th district of the Philadelphia Police Department, has been accused of having child pornography on two encrypted Macintosh hard drives, which had been seized in March, 2015. He was ordered by a judge in August, 2015, to provide the passcode to decrypt the drives, but he claims to not remember it.

I don’t know about you, but I’ve been known to forget a password over a long weekend, let alone five months.

Consequently, for the last seven months, Rawls has been in jail for contempt of court for refusing the judge’s order, though he hasn’t been charged with a crime. His attorney is claiming that having to provide the passcode violates his right to self-incrimination.

Back story

Courts have been deciding back and forth on the issue for several years now and, most recently, have decided that a phone password is more like the combination to a safe than a physical object such as a key. It matters because something that is the expression of one’s mind, like the combination to a safe, is protected under your Fifth Amendment rights not to incriminate yourself. A physical key, something you possess, is something you can be forced to produce.

The Fifth Amendment angle is, in fact, why police wanted Rawls to type in the passcodes himself rather than tell someone else what they were – because it was thought that the latter would amount to testifying against himself, writes Christine Hauser in the New York Times.

“Quite sensibly, Rawls refused,” writes William Grigg in this website Personal Liberty. “He is a veteran cop and knows – better than the public he supposedly served in that capacity – what happens when a targeted citizen offers the police unrestricted access to his home and personal effects. If he had acceded to the demand for his encryption codes, Rawls would have done the equivalent of allowing the police to rummage through every room, closet, and drawer in his home, while letting them inspect all of his correspondence, medical records, and personal finances. Diligent and motivated investigators would eventually find something that an ambitious prosecutor could use to manufacture a felony charge.”

The government is claiming it wouldn’t be self-incrimination because it knows there’s child pornography on the hard drives. “If the government already knows there’s child pornography on Rawls’s hard drives, then it’s not self-incrimination for Rawls to give his passwords,” explains Travis Andrews in the Washington Post. “Think of it like a search warrant: if an officer of the law is granted a search warrant to someone’s house, then that suspected party has no recourse but to allow the officer enter his house. Much like that hypothetical person wouldn’t be able to lock the door, Judge Rueter ruled that Rawls can’t refuse to provide the passwords.”

On the other hand…

Needless to say, Rawls’ defense attorney takes issue with this belief. “The government has not, as required by the relevant decryption precedents, demonstrated that the storage of any particular file or files on the hard drives is a foregone conclusion,” notes the brief. “Instead, it put forward only a suspect witness who gave attenuated testimony and a forensic examiner who was unable to offer any authoritative opinion regarding the contents of the hard drives.”

Nor does his attorney agree with the dodge of having Rawls type in the passcodes rather than provide them to someone else. “The fact that the government seeks to have the codes entered into a forensic interface rather than spoken aloud does not change the analysis,” notes the brief. “It still demands that Mr. Doe divulge the contents of his mind, not demonstrate his typing skill.”

In an interesting coincidence, Rawls is being compelled to enter his passcode using the All Writs Act, the same act under which the Federal Bureau of Investigation recently tried to force Apple to develop an operating system to make it easier for it to break into a suspected terrorist’s iPhone.

After Rawls was accused of having child pornography on his iPhone 6, he did enter the passcode to decrypt that, and no child pornography was found. Investigators were able to decrypt his Mac Pro using a passcode found on the iPhone 6, without finding child pornography on it, according to a brief filed in the case. And he did try, reportedly for several hours, to come up with the passcode to decrypt his hard drives.

Was it a ruse?

The fact that Rawls did willingly decrypt the phone, and did attempt to enter a passcode for the hard drives, is being called a “ruse” by prosecutors. The government “contended that Mr. Doe’s unlocking of the iPhone 6 and entry of passcodes for the hard drives ‘was a deliberate façade designed to feign compliance with the Court,’” writes Rawls’ defense attorney. How it would have looked different if he honestly did want to cooperate and honestly did forget the passcode, nobody seems to have said.

This isn’t the first time that someone has been jailed for contempt for refusing to provide a passcode for an encrypted drive – several people in the U.K. have been jailed for refusing to provide an encryption passcode — but it may be the first time in the U.S.

It’s also not the first time someone has refused to provide the passcode to decrypt their hard drive; Jeffrey Feldman, who was also accused of having child pornography, refused to provide a passcode, and several judges ruled several different ways on whether he had to provide it. In that case, however, investigators learned enough details about what was on the drives on their own that they dropped the attempt to have him decrypt them.

Solitary

To make matters worse for Rawls, because he is a police officer – that is, former police officer; he was fired, after 17 years on the force, after he was jailed – he was put into solitary confinement to protect him from the other inmates. So not only has he been in jail seven months; he’s been in solitary confinement for seven months.

“He spends 22 and a half hours of every day completely alone,” writes Andrews. “If someone visits him, they have to remain behind a barrier. Each month, he’s granted one fifteen-minute phone call.”

Meanwhile, government prosecutors have until May 16 to file their brief with the Third District Federal Circuit Court of Appeals in response to Rawls’ attorney’s motion to have him released.

On the other hand, Rawls has a long way to go to set any sort of record for longest jail time, without a charge, for contempt. H. Beatty Chadwick was released in 2009 after serving 14 years for contempt after saying he had lost $2.75 million and could not split it with his former wife. He pointed out that he would have served less time if he had been convicted of third-degree murder.

5  Comments on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • BigKat
    Do the hard drives have some sort of lock out/erasure feature after so many failed attempts? Couldn't they have cracked the password sooner than the 7 months?
    9,000 pointsBadges:
    report
  • techjim
    It is not unheard of to forget a password. That is why some sites offer a path to reset a password to gain access to an account. Can the court prove that he still knows the password and is deliberately withholding it?
    10 pointsBadges:
    report
  • Ben Rubenstein
    However this case ends up, it'll set an important precedent. 

    Also, I'd imagine that there is some other way to prove the officer's guilt (if he is in fact guilty), using third-party records, etc. Hard to imagine he is that good at covering his tracks. 
    11,255 pointsBadges:
    report
  • Kevin Beaver
    This is a scary aspect of technology/security and the reality of lack of knowledge among those in positions of power. I feel for the man if he truly forgot his password. If he didn't, well, that's another story. We live and work in a world where people say "Don't write down your passwords!" but when you see something like this, it certainly makes you want to go against best practice in order to protect yourself.
    24,490 pointsBadges:
    report
  • Sharon Fisher
    It's pretty hard to prove a negative. Reminds me of the time someone with my name had been a bad girl with her credit cards, and the company came after me, and when I said it wasn't me, demanded I prove it. Uh, how? Similarly, how can you *prove* you forgot something?
    9,090 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: