John Villasenor, Nonresident Senior Fellow, Governance Studies, Center for Technology Innovation
March 06, 2012
What happens when the government’s desire to access a suspect’s encrypted electronic documents runs up against the Fifth Amendment? As with so many of today’s technology-related constitutional questions, the answers are complex, evolving, and sometimes contradictory. However, across the relatively small set of court rulings that have directly addressed this issue, a few key things stand out.
Courts have consistently held that defendants cannot be forced to divulge passwords. However, and more practically with respect to the end result, a defendant can sometimes be forced to use a decryption password—without divulging it—and then to provide the files in readable form. Whether the government can compel decryption in this manner depends on a legal doctrine called “foregone conclusion” that was first articulated in a 1976 Supreme Court ruling relating to paper documents in a tax fraud case.
Under the “foregone conclusion” doctrine as applied to digital documents, handing over files is not considered testimony if the government already knows that the files exist and what machines they live on. And when there is no testimony, the protection of the Fifth Amendment’s self-incrimination clause is not available. Prosecutors with specific information about the existence and location of files on encrypted hard drives are more likely to convince a court to order a suspect to decrypt them.
In another child pornography case, officials at a Vermont border crossing inspected a laptop in a car entering the United States from Canada. Upon seeing filenames suggesting illegal images, they seized the computer and arrested its owner. The laptop turned out to be encrypted, and in February 2009 a federal district court judge ordered the defendant to reveal its contents, largely on the grounds that the government already knew it contained incriminating files. The defendant complied and was later convicted.
Let’s return now to the Florida man who refused to decrypt his seized hard drives. In that case the government suspected, but did not know with certainty, that the hard drives contained incriminating files. As Judge Gerald Bard Tjoflat, writing for a three-judge panel of the 11th U.S. Circuit Court of Appeals, explained in the decision, “We find no support in the record for the conclusion that the Government, at the time it sought to compel production, knew to any degree of particularity what, if anything, was hidden behind the encrypted wall.”
This ruling has been hailed as a victory for constitutional rights, and in a sense, it is. But there is also a potential dark side that we would be remiss not to acknowledge. Do we really want to provide terrorists and human traffickers with an impenetrable legal shield for documents that might otherwise incriminate them? Is the greater good really served if a rape or murder suspect escapes conviction because he hid evidence—for example, digital maps of a victim’s address—behind encryption? Could this legal framework allow encrypted, illegal images of children to be stored and exchanged with impunity?
It is, of course, too early to know what the Supreme Court will say on this matter. But at some point, it will weigh in. And when it does, what is the proper way to handle the intersection of encryption and the Fifth Amendment? The solution will probably require updating the “foregone conclusion” doctrine. In particular, its requirement related to the location of incriminating documents is not well matched to a world with billions of electronic devices, and in which cloud computing is rapidly becoming the norm. Instead, a requirement that the government must be able to show possession of incriminating documents before being able to compel their decryption might be more appropriate for the 21st century.
This piece has been edited and the full story can be found at Slate.com.