Tuesday, July 30, 2013
"U.S. Government Getting Password Information? (And Why the Story Raises More Questions Than Answers)"
There are three distinct legal issues here, so let’s take them one by one.
(a) The first issue is obtaining the passwords pursuant to legal process. As long as the government has a valid warrant, the legal process should be sufficient as I indicate above. As I mention above, there are some interesting questions about whether the government needs a warrant or if it can obtain the information using less legal process. But those questions are pretty complicated, so I’ll spare you the details.
(b) The second issue is what the government plans to do with the passwords after they get them. That’s a distinct question, and we don’t have any information on it in the article. It seems unlikely to me that the agents would plan to use the password to log in to a person’s account in the future to read their e-mails. Obviously, that’s a major source of concern from a policy and privacy perspective, and the possibility that the government might be doing this receives significant attention in the article. But I would think it’s more likely that investigators seek passwords when they think that a suspect may be using the same passwords for multiple accounts and purposes, and they want to get passwords to help in the process of decrypting seized files obtained elsewhere in their investigation. That’s my guess, at least. If the agents did use the passwords to directly access the account in the future, that would implicate the Fourth Amendment and the CFAA and require another search warrant for every future access. I don’t think it would implicate the Wiretap Act, though, because the government agent would become a party to the communication. But it’s hard to speculate on the legal issues because we don’t know what the government is doing with the password information in the cases in which it is obtaining passwords.
(c) Finally, the Fifth Amendment issues raised when the government tries to compel passwords from suspects are not implicated when the government tries to compel passwords from third parties. See Fisher v. United States, 425 U.S. 391, 397-98 (1976) (holding that there are no Fifth Amendment issues raised by compelling information from a suspect’s attorney because compelling the attorney to divulge information does not compel the suspect to do anything).