How to hide files from the law

How to hide files from the law

Summary: You encrypt your data to protect it from spying eyes, including the government's. Can you be forced to decrypt it and thus incriminate yourself? A US appeals court says NO. This may drive the full-disk-encryption market.

SHARE:

Good news for TrueCrypt The 5th Amendment says, in part, that no person ". . . shall be compelled in any criminal case to be a witness against himself. . . ." Thanks to this decision our computers are not necessarily witnesses against us as well.

The story The defendant, a John Doe, was accused of possessing child pornography. He was ordered to produce the unencrypted contents of his notebook hard drive and an additional 5 external drives. Mr. Doe, representing himself, refused, citing the 5th.

The U.S. Attorney then requested limited immunity for Mr. Doe, which did NOT protect him from using the drive's contents against him in a criminal prosecution. Mr. Doe again refused to decrypt the drives he was found in contempt of court and jailed. He appealed.

Mr. Doe spent almost 8 months in jail before his appeal succeeded.

The data that isn't there A property of good encryption is that not only can you not tell what the data is, you also can't even know if data is encrypted. Using forensic tools all you can see is a lot of random gibberish, whether data is encrypted or not.

Thus the government couldn't even prove that there might be data on the disks, let alone what the data might be. Update: Mr. Doe used TrueCrypt, an open source encryption product, to preserve his secrets. End update.

What is "testimony"? The district court judge didn't think decrypting the drives would constitute "testimony" under the 5th. Why did the appeals court disagree?

To win protection under the 5th, an individual must show three things: compulsion, a testimonial communication or act, and incrimination. Obviously the court was using compulsion, and the government expected incrimination.

Thus the key question: does the act of producing decrypted content constitute "testimony?" After all, simply handing over incriminating documents, as required by discovery proceedings every day, is not "testimony." The files themselves, should they exist, aren't protected under the 5th.

Would Doe’s act of decryption and production be testimonial? This is where the reasoning becomes subtle.

The appeals court reasoned that an act becomes testimonial when it requires you to use the contents of your mind to communicate some statement of fact. Surrendering the key to your safe deposit box doesn't qualify. Nor does handing over documents that the government can show with "reasonable particularity" it already knows exist.

In Mr. Doe's case, the court held that the decryption would require the use of the contents of his mind and is not simply a physical act, like handing over a key to a safe. Furthermore, the fact that the government did not know - could not know - whether any files were on the hard drives, meant that they failed the "reasonable particularity" test too.

The court then noted that if Mr. Doe had been given full immunity they could have compelled him to produce all the contents of the drives. But since they didn't, the 5th Amendment offered him more protection and thus his use of it was justified.

The Storage Bits take If computer privacy is of special interest I recommend reading this well-written and closely reasoned opinion (pdf). While the "conservative" wing of the current Supreme Court happily throws out decades of precedent on ideological grounds - 2 1 Supreme doesn't think women are entitled to equal protection under the Constitution? - the 5th is Constitutional bedrock. Update: Only 1 originalist Supreme, Scalia, has so opined. My wetware conflated him with Thomas, another staunch originalist. End update.

It will be interesting to see if this is appealed to the Supreme Court and, if it is, if they accept the case. If not, we can expect this ruling to be a major influence on other circuit courts.

This ruling may be a shot in the arm for the struggling full-disk-encryption market. With FDE, people only have to remember not to open the drive for law-enforcement to view, and not to talk to others about what may be on the drive. Either of these actions can create a "foregone conclusion" that allows the government to compel decryption.

Note also that Mr. Doe - a lawyer I'm guessing - won, but only after 8 months in jail and the related loss of income. Defending our rights is rarely easy, which is why they erode.

Courteous comments welcome, of course. I'd be surprised if this applied to customs inspection of notebook computers. You'd be better off placing encrypted copies in the cloud, deleting the originals, and downloading after returning to the US. Oh, and nothing in this post should be construed as legal advice.

Topics: Hardware, CXO, Government, Government US, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

65 comments
Log in or register to join the discussion
  • combination lock vs regular lock

    Dear Mr Harris,

    If I understood you correctly, if I use a combination lock, and keep the combination in my mind, the goverment should not be able to compell me to reveal the combination under 5th amendment.

    Are there any presedents?
    ForeverSPb
    • Combo lock vs key lock

      You appear to be correct. That example came up in the opinion, but with little discussion.
      R Harris
      • Then Does encryption really matter?

        Merely password protecting it would be like the combination of the safe wouldn't it?
        cornpie
      • It does

        Password protection IS encryption.
        danbi
        • No

          No, those are two completely separate and different things.
          bobbintb
    • Yes

      And they have compelled individuals to release the combination (a case in Vermont, I believe).

      On the other hand SCOTUS has used that very metaphor as an important distinction: a key to your safe can be compelled, but the combination not.

      So, it's muddled.
      x I'm tc
      • Just Remember

        They might be able to break the password, where as, the encryption will prove much more difficult.
        eargasm
      • encryption vs password

        Breaking the encryption algorithms is incredibly hard. The most common "cracks" today (pretty much the only ones!) is to figure out the password. If your password is weak, it WILL be guessed! If it's strong, your data will be safe for decades, at least (up until the algorithm is broken, if ever).
        Natanael_L
    • Then I guess you can't be compelled to turn over keys, either

      as the end result would be the same.

      Though nothing is stopping the government from getting a warrent, and a set of bolt cutters and bypassing the lock completely.
      William Farrel
      • combo vs key

        you can be compelled to turn over anything that is physical, what you can't be compelled to turn over is knowledge that is held in your brain which would equal self incrimination.

        but yes you are right the end results would be the same under the lock argument. However the encryption era changes the end results, which is why the courts and law enforcement have a problem with the current laws.
        darkside6966
    • The government can cut your combo lock, they can't cut True Crypt

      There is a difference here in your analogy of a combo lock versus an encrypted hard drive. The government could get a search warrant and cut the lock which is presumably locking some container that contains incriminating evidence. They do that themselves, and you are not compelled to incriminate yourself by opening the lock for them.

      On the other hand, the government can not cut the True Crypt lock. So, they secure a search warrant but cannot get the contents of the hard drive on their own, which means you would be required to use the password thus incriminating yourself, which is clearly a violation of the 5th amendment.
      Casper McGrady
  • combination lock vs regular lock

    From other articles I have read in the past month or so, Yes there are presedents on this. I belive these articles were on zdnet.

    If it was a combo lock or combo safe, it was cheap and easy to get a court order to get a locksmith to break into it.

    The problem the courts and prosecutors have with encryption is that it could take years and a ton of money just to attempt to break into your data.

    While the ruling is correct with the current laws, I do expect the fed government to change these laws in the future under the ruse of homeland security.
    darkside6966
  • Interesting case

    It's clear he couldn't be compelled to say whether or not there was incriminating evidence on the hard drive.

    It's clear that with a search warrant the state should be able to seize the hard drive and examine it forensically.

    If there's a search warrant for your apartment you can't take the 5th and keep the police from searching your apartment because your apartment might "testify against you".

    Suppose you were paralyzed but you could unlock the door to your apartment with some kind of brain-computer interface just by thinking about it. Police show up with a warrant and demand entrance. You still have to let them in, right?

    If so, I think the guy should have to provide access to all possessions and files covered by the warrant, whether the key is physical or mental or musical or chemical or whatever.

    I think the 5th is about keeping the privacy of your own thoughts and memories. Trying to use it as a trick to protect things outside your thoughts and memories doesn't seem right to me. There are other protections against unreasonable search and seizure that should suffice here.
    Ed Burnette
    • You agree with the court

      Ed,
      As you say, "the 5th is about keeping the privacy of your own thoughts and memories." That seems to cover his memory of the password.

      Do you really want to live in a country where mere suspicion of illegal information is enough to compel you to give up your privacy and to possibly incriminate yourself? I'll pass, thanks.
      R Harris
    • Search Warrant...

      Using the Search Warrant analogy for gaining entry to search a residence/office is interesting. Even with that "suspect" cannot be compelled to volunteer entry, however; with the warrant in hand officers can use brute force to enter which can cost "suspect" substantial sums of cash to repair damages incurred. Seems to me that in regards to a physical search of real property it would be simpler to just let the officers in to execute the search warrant, not sure how I feel about that in relation to encrypted data since I work in an industry where we are mandated to encrypt data and still allow auditors access as needed to enforce the law.
      l_creech
    • Actually

      No you don't have to let them in. The search warrant gives them a right to search your house whether or not you open the door for them or they break down the door themselves.
      Similarly the search warrant gives police a right to search your drive, whether or not you provide them with a decryption key or they break your encryption.
      Do you see the difference here? A door (for the most part) is way easier to break through than an encryption scheme, so rather than break it themselves, they are trying to compel the defendant into giving his key up. Since this is giving away information that could incriminate him, he is safely covered under the 5th amendment.
      Queuecumber
  • Conflicting holdings

    "[i]It will be interesting to see if this is appealed to the Supreme Court and, if it is, if they accept the case. If not, we can expect this ruling to be a major influence on other circuit courts.[/i]"

    Actually, that is quite likely. About 1-2 weeks ago another federal circuit held basically the opposite in a mortgage fraud scheme case. Technically, they said they didn't have jurisdiction, but the practical effect of their ruling was it left in place a court order for the defendant to provide passwords so the prosecution could decrypt her hard drive.

    The Supreme Court basically takes cases in only two circumstances: (1) There is a "conflict among the circuits", i.e., different equal federal appellate courts reach conflicting rulings as to what the law is; or (2) They want to address an important issue to establish what the law is.

    Keep in mind that "the law" constantly evolves. A position that might have been considered appropriate 20 years ago, before unbreakable encryption was possible for the average person, might not be considered appropriate today. Fifty years before [i]Brown v. Board of Education[/i], in [i]Plessey v. Ferguson[/i] the U.S. Supreme Court said that "separate but equal" school facilities based on race [i]was[/i] constitutionally permissible.
    Rick_R
    • Conflicting holdings?

      Rick, the case you are referring to is discussed in the opinion I've reviewed. In that case the defendant, Fricosu, was caught on a wiretap discussing the bogus documents. That gave the government the info they needed to specify with reasonable particularity the documents that she is now being compelled to produce. In the John Doe case, he kept his mouth shut and computer forensics could not determine what, if any, files he had on his drives. Therefore no particularity; thus compelling him to use the contents of his mind to incriminate himself is unconstitutional.
      R Harris
    • Precedent

      Differing opinions about court decisions which throw out decades of precedent are usually based on whose ox is being gored. Plessey v. Ferguson was indeed the law of the land, until the Supreme Court (finally "getting it right," as the saying goes) threw out "decades of precedent" in the Brown decision.
      Owen Glendower
  • If you were of sufficient interest

    If you were deemed a person of "sufficient interest" they could resort to rubber hose cryptography and get it out of you anyway.
    kraterz