How to hide files from the law
Summary: You encrypt your data to protect it from spying eyes, including the government's. Can you be forced to decrypt it and thus incriminate yourself? A US appeals court says NO. This may drive the full-disk-encryption market.
Good news for TrueCrypt The 5th Amendment says, in part, that no person ". . . shall be compelled in any criminal case to be a witness against himself. . . ." Thanks to this decision our computers are not necessarily witnesses against us as well.
The story The defendant, a John Doe, was accused of possessing child pornography. He was ordered to produce the unencrypted contents of his notebook hard drive and an additional 5 external drives. Mr. Doe, representing himself, refused, citing the 5th.
The U.S. Attorney then requested limited immunity for Mr. Doe, which did NOT protect him from using the drive's contents against him in a criminal prosecution. Mr. Doe again refused to decrypt the drives he was found in contempt of court and jailed. He appealed.
Mr. Doe spent almost 8 months in jail before his appeal succeeded.
The data that isn't there A property of good encryption is that not only can you not tell what the data is, you also can't even know if data is encrypted. Using forensic tools all you can see is a lot of random gibberish, whether data is encrypted or not.
Thus the government couldn't even prove that there might be data on the disks, let alone what the data might be. Update: Mr. Doe used TrueCrypt, an open source encryption product, to preserve his secrets. End update.
What is "testimony"? The district court judge didn't think decrypting the drives would constitute "testimony" under the 5th. Why did the appeals court disagree?
To win protection under the 5th, an individual must show three things: compulsion, a testimonial communication or act, and incrimination. Obviously the court was using compulsion, and the government expected incrimination.
Thus the key question: does the act of producing decrypted content constitute "testimony?" After all, simply handing over incriminating documents, as required by discovery proceedings every day, is not "testimony." The files themselves, should they exist, aren't protected under the 5th.
Would Doe’s act of decryption and production be testimonial? This is where the reasoning becomes subtle.
The appeals court reasoned that an act becomes testimonial when it requires you to use the contents of your mind to communicate some statement of fact. Surrendering the key to your safe deposit box doesn't qualify. Nor does handing over documents that the government can show with "reasonable particularity" it already knows exist.
In Mr. Doe's case, the court held that the decryption would require the use of the contents of his mind and is not simply a physical act, like handing over a key to a safe. Furthermore, the fact that the government did not know - could not know - whether any files were on the hard drives, meant that they failed the "reasonable particularity" test too.
The court then noted that if Mr. Doe had been given full immunity they could have compelled him to produce all the contents of the drives. But since they didn't, the 5th Amendment offered him more protection and thus his use of it was justified.
The Storage Bits take
If computer privacy is of special interest I recommend reading this well-written and closely reasoned opinion (pdf). While the "conservative" wing of the current Supreme Court happily throws out decades of precedent on ideological grounds - 2 1 Supreme doesn't think women are entitled to equal protection under the Constitution? - the 5th is Constitutional bedrock. Update: Only 1 originalist Supreme, Scalia, has so opined. My wetware conflated him with Thomas, another staunch originalist. End update.
It will be interesting to see if this is appealed to the Supreme Court and, if it is, if they accept the case. If not, we can expect this ruling to be a major influence on other circuit courts.
This ruling may be a shot in the arm for the struggling full-disk-encryption market. With FDE, people only have to remember not to open the drive for law-enforcement to view, and not to talk to others about what may be on the drive. Either of these actions can create a "foregone conclusion" that allows the government to compel decryption.
Note also that Mr. Doe - a lawyer I'm guessing - won, but only after 8 months in jail and the related loss of income. Defending our rights is rarely easy, which is why they erode.
Courteous comments welcome, of course. I'd be surprised if this applied to customs inspection of notebook computers. You'd be better off placing encrypted copies in the cloud, deleting the originals, and downloading after returning to the US. Oh, and nothing in this post should be construed as legal advice.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
combination lock vs regular lock
If I understood you correctly, if I use a combination lock, and keep the combination in my mind, the goverment should not be able to compell me to reveal the combination under 5th amendment.
Are there any presedents?
Combo lock vs key lock
Then Does encryption really matter?
It does
Yes
On the other hand SCOTUS has used that very metaphor as an important distinction: a key to your safe can be compelled, but the combination not.
So, it's muddled.
Just Remember
encryption vs password
Then I guess you can't be compelled to turn over keys, either
Though nothing is stopping the government from getting a warrent, and a set of bolt cutters and bypassing the lock completely.
combo vs key
but yes you are right the end results would be the same under the lock argument. However the encryption era changes the end results, which is why the courts and law enforcement have a problem with the current laws.
combination lock vs regular lock
If it was a combo lock or combo safe, it was cheap and easy to get a court order to get a locksmith to break into it.
The problem the courts and prosecutors have with encryption is that it could take years and a ton of money just to attempt to break into your data.
While the ruling is correct with the current laws, I do expect the fed government to change these laws in the future under the ruse of homeland security.
Interesting case
It's clear that with a search warrant the state should be able to seize the hard drive and examine it forensically.
If there's a search warrant for your apartment you can't take the 5th and keep the police from searching your apartment because your apartment might "testify against you".
Suppose you were paralyzed but you could unlock the door to your apartment with some kind of brain-computer interface just by thinking about it. Police show up with a warrant and demand entrance. You still have to let them in, right?
If so, I think the guy should have to provide access to all possessions and files covered by the warrant, whether the key is physical or mental or musical or chemical or whatever.
I think the 5th is about keeping the privacy of your own thoughts and memories. Trying to use it as a trick to protect things outside your thoughts and memories doesn't seem right to me. There are other protections against unreasonable search and seizure that should suffice here.
You agree with the court
As you say, "the 5th is about keeping the privacy of your own thoughts and memories." That seems to cover his memory of the password.
Do you really want to live in a country where mere suspicion of illegal information is enough to compel you to give up your privacy and to possibly incriminate yourself? I'll pass, thanks.
Search Warrant...
Actually
Similarly the search warrant gives police a right to search your drive, whether or not you provide them with a decryption key or they break your encryption.
Do you see the difference here? A door (for the most part) is way easier to break through than an encryption scheme, so rather than break it themselves, they are trying to compel the defendant into giving his key up. Since this is giving away information that could incriminate him, he is safely covered under the 5th amendment.
Conflicting holdings
Actually, that is quite likely. About 1-2 weeks ago another federal circuit held basically the opposite in a mortgage fraud scheme case. Technically, they said they didn't have jurisdiction, but the practical effect of their ruling was it left in place a court order for the defendant to provide passwords so the prosecution could decrypt her hard drive.
The Supreme Court basically takes cases in only two circumstances: (1) There is a "conflict among the circuits", i.e., different equal federal appellate courts reach conflicting rulings as to what the law is; or (2) They want to address an important issue to establish what the law is.
Keep in mind that "the law" constantly evolves. A position that might have been considered appropriate 20 years ago, before unbreakable encryption was possible for the average person, might not be considered appropriate today. Fifty years before [i]Brown v. Board of Education[/i], in [i]Plessey v. Ferguson[/i] the U.S. Supreme Court said that "separate but equal" school facilities based on race [i]was[/i] constitutionally permissible.
Conflicting holdings?
Precedent
If you were of sufficient interest
A few things to ponder...
Also, this is probably a bad case from an emotional standpoint to be the precedent. After all, it's hard for anyone to feel sympathy fo or defend an accused pedophile. For those interested in the law, it may be easier to push the context of the case to the side, but the general public probably at least emotionally believes he should be forced to comply as result of the subject matter.
And here's a thought. What if the password itself could be viewed as self incrimination? Example, what if Lee Harvey Oswald's password (humor me) to an ecrypted drive was " I killed JFK"?
FDE vs Folder encryption