U.S. Government Getting Password Information? (And Why the Story Raises More Questions Than Answers)

Over at CNET, Declan McCullagh has an article claiming that “the U.S. government” is requesting passwords from service providers in online investigations, at least “according to two industry sources familiar with these orders.” I have a hard time understanding what is going on, or if there’s actually a “there” there from a legal perspective. Here’s why:

1) The article says that there are two sources that are familiar with this practice, but the sources are not named and we don’t know much about them or how often this practice occurs. All we know about the sources is that one “has worked at a large Silicon Valley company,” and another is in the “Internet industry.” The source who has worked in Silicon Valley suggests that this has happened more than once, as the relevant sentence refers to having seen “requests.” But the other sources quoted in the article are unfamiliar with the practice. And if the two sources are right, we don’t know if this happened in two cases over several years or if it is happening more often than that. If this is happening routinely, it’s a big story. But it’s hard to know what is going on factually.

2) The story rotates between calling the government’s actions “requests” and “demands,” but other than the one reference in passing to “orders” there is nothing about the legal process used when the government is compelling passwords. There are interesting questions under both the relevant statutes and the Fourth Amendment about whether compelling passwords requires a warrant or can be obtained with lesser process. I won’t bore you with the details. But at least from my perspective, whether there’s a story here depends in part on the legal process used to compel passwords.

If the government has obtained search warrants to compel providers to hand over passwords, then I don’t see the story as particularly newsworthy. It’s common for search warrants to search home computers to include a provision allowing the officers to search for and seize computer passwords. See, e.g., United States v. Chase, 2011 WL 4954650 (D.Minn. 2011) (discussing computer search warrant that includes “all computer passwords” among the property to be seized). Granted, if the government gets legitimate access to plaintext contents in a remote account pursuant to a search warrant, the investigators won’t need the person’s account password. So in an ordinary case, you wouldn’t expect the government to get passwords: The passwords won’t be relevant evidence. But there are at least some cases in which a password might be evidence and therefore property included in a search warrant. From the standpoint of existing law, at least, I don’t know of a principle by which passwords should be categorically excluded from search warrants.

I realize that some readers would argue that it is small-minded to base a legal analysis only on “existing law,” and that we should be taking an aspirational view of the law to condemn the government’s conduct. But at least for those small-minded people who want to know about existing law, I don’t see a major legal issue here as long as the government has a valid warrant.

3) The story suggests that there are really complex and novel legal issues raised by this, but in so doing it mixes up a few questions and creates a lot of confusion. Here’s the article’s passage on the law:

Whether the National Security Agency or FBI has the legal authority to demand that an Internet company divulge a hashed password, salt, and algorithm remains murky.

“This is one of those unanswered legal questions: Is there any circumstance under which they could get password information?” said Jennifer Granick, director of civil liberties at Stanford University’s Center for Internet and Society. “I don’t know.”
Granick said she’s not aware of any precedent for an Internet company “to provide passwords, encrypted or otherwise, or password algorithms to the government — for the government to crack passwords and use them unsupervised.” If the password will be used to log in to the account, she said, that’s “prospective surveillance,” which would require a wiretap order or Foreign Intelligence Surveillance Act order.

If the government can subsequently determine the password, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that,” Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.

The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords. In 2011, for instance, federal prosecutors sent a grand jury subpoena demanding the password that would unlock files encrypted with the TrueCrypt utility.

The Florida man who received the subpoena claimed the Fifth Amendment, which protects his right to avoid self-incrimination, allowed him to refuse the prosecutors’ demand. In February 2012, the U.S. Court of Appeals for the Eleventh Circuit agreed, saying that because prosecutors could bring a criminal prosecution against him based on the contents of the decrypted files, the man “could not be compelled to decrypt the drives.”

In January 2012, a federal district judge in Colorado reached the opposite conclusion, ruling that a criminal defendant could be compelled under the All Writs Act to type in the password that would unlock a Toshiba Satellite laptop.

Both of those cases, however, deal with criminal proceedings when the password holder is the target of an investigation — and don’t address when a hashed password is stored on the servers of a company that’s an innocent third party.

“If you can figure out someone’s password, you have the ability to reuse the account,” which raises significant privacy concerns, said Seth Schoen, a senior staff technologist at the Electronic Frontier Foundation.

There are three distinct legal issues here, so let’s take them one by one.

(a) The first issue is obtaining the passwords pursuant to legal process. As long as the government has a valid warrant, the legal process should be sufficient as I indicate above. As I mention above, there are some interesting questions about whether the government needs a warrant or if it can obtain the information using less legal process. But those questions are pretty complicated, so I’ll spare you the details.

(b) The second issue is what the government plans to do with the passwords after they get them. That’s a distinct question, and we don’t have any information on it in the article. It seems unlikely to me that the agents would plan to use the password to log in to a person’s account in the future to read their e-mails. Obviously, that’s a major source of concern from a policy and privacy perspective, and the possibility that the government might be doing this receives significant attention in the article. But I would think it’s more likely that investigators seek passwords when they think that a suspect may be using the same passwords for multiple accounts and purposes, and they want to get passwords to help in the process of decrypting seized files obtained elsewhere in their investigation. That’s my guess, at least. If the agents did use the passwords to directly access the account in the future, that would implicate the Fourth Amendment and the CFAA and require another search warrant for every future access. I don’t think it would implicate the Wiretap Act, though, because the government agent would become a party to the communication. But it’s hard to speculate on the legal issues because we don’t know what the government is doing with the password information in the cases in which it is obtaining passwords.

(c) Finally, the Fifth Amendment issues raised when the government tries to compel passwords from suspects are not implicated when the government tries to compel passwords from third parties. See Fisher v. United States, 425 U.S. 391, 397-98 (1976) (holding that there are no Fifth Amendment issues raised by compelling information from a suspect’s attorney because compelling the attorney to divulge information does not compel the suspect to do anything).