The Fifth Amendment to the United States Constitution protects American citizens from incriminating themselves, but it seems 'forgotten' passwords don't always fall under that. The US Third Circuit Court of Appeals upheld a ruling of contempt from a lower court over a man's claimed inability to remember his drive-decryption password.
A computer, pair of iPhones, and two external drives belonging to the anonymous defendant were seized as part of a child pornography investigation. The court ruling states that the defendant voluntarily provided the password for his iPhones but refused to offer up the passwords for his Apple Mac Pro or external hard drives. Forensic analysts were able to recover the password for the computer, but not the drives. When asked to enter in the passwords for his drives, the defendant entered in a number of incorrect passwords. The judge, however, didn't believe the defendant, and it eventually came out that he did have the passwords and had chosen not to reveal them because of the device's contents.
So are all our passwords up for grabs now?
The court already knew a bit about what it was getting into. In the process of analysis, those forensic analysts had discovered file signatures on the defendant's computer that matched the hash values of known child pornography files. They also had testimony from the defendant's sister that he had shown her said files on the external hard drives. The court ended up ruling that being forced to produce a password did not count as testimony and, as a result, did not fall under the protection of the Fifth Amendment.
In this particular case, the court had compelling evidence to force the issue, and this is the kind of situation where we want to see justice done, but it could potentially set a dangerous precedent. The Electronic Frontier Foundation told The Register that "any time suspects are forced to disclose contents of their mind, that's enough to trigger the Fifth Amendment, end of story."
Meanwhile, other legal experts note that data encryption is now standard within many businesses, and an inability to force decryption makes these companies "effectively immune from discovery and subpoenas."
The balance between personal privacy and pursuit of justice has never been murkier than it is in the current age of everything-encryption. There simply isn't as much physical evidence for investigators to pore over, and much of the digital evidence is locked up in encryption. At the same time, citizens have a right to privacy and to protecting that privacy.
The EFF's senior staff attorney Mark Rumold expects this question to climb its way up the courts and said he wouldn't be surprised to see the issue make its way to the Supreme Court.