Yottabytes: Storage and Disaster Recovery

Oct 31 2018   7:18PM GMT

An Incredibly Gnarly Legal Encryption Discussion

Sharon Fisher


New news in the world of whether you can be forced to decrypt your phone by law enforcement.

As I wrote in May 2017:

“As you may recall, the whole issue boils down to how a device is encrypted. Traditionally, courts have ruled that you can be compelled to give up something you have, such as your fingerprint, which is used to encrypt your phone, but you cannot be compelled to give up something you know, such as a password. That’s because simply admitting you have the correct password on a particular encrypted phone or other storage device could be considered self-incrimination.”

There’s been discussion and some case law recently about the self-incrimination part that looks like it will change. Because encryption is so common, the reasoning goes, it should be okay for law enforcement to force someone to decrypt their storage, if it is obvious that it belongs to the person. But law enforcement can’t use the mere fact that someone knows the password as evidence of guilt, that theory goes. (By the way, if you start researching this issue, there’s a commonly cited case, Fisher v. United States. It ain’t me.)

In a recent case, Judge Charles Breyer in the Northern California District Court ruled that a defendant, Ryan Spencer, did have to provide the encryption key for several devices in his home that law enforcement alleged contained child pornography, because it was a “foregone conclusion” that they were his, since they were in his home and he said they were.

In other cases, the “foregone conclusion” that had to be met was that the files law enforcement was looking for were on the encrypted devices, which was a much higher bar. However, the judge wrote, law enforcement wasn’t looking for a particular file; it was looking to decrypt the entire device.

“Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files,” Breyer writes. “Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices. That the government may have access to more materials where it seeks a hard drive through a search warrant than it would have had if it sought specific files through subpoena is simply a matter of the legal tool the government uses to seek access. To the extent Spencer contends that the government has not adequately identified the files it seeks, that is an issue properly raised under the Fourth Amendment, not the Fifth.”

Does it seem unlikely to you that someone could know the password and yet not know what files are on the device? People could have files saved to their devices by other people in the household, other people who have remote access to it, or even by hackers. “I happen to know the passcode to my sister’s smart phone,” writes Orin Kerr in a forthcoming paper in the Texas Law Review on the subject. “I learned it at a family event when I wanted to use her phone to google something. I asked her for the passcode, and she told me. If the government obtained a court order requiring me to enter in the password, I could comply with the order because I know the password. But critically, I have no idea what files are stored in my sister’s phone. The only thing I know about my sister’s phone is its password. Unlocking the phone would admit I know the passcode, but it wouldn’t admit that I know what is on the phone. Because I don’t.”

The upshot of it all is that law enforcement may be able to force people to decrypt their drives, but not use the fact that they were able to do so as evidence of their guilt, Breyer writes. “Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so,” he writes. “If it really is a foregone conclusion that he has the ability to do so, such that his decryption of the device is not testimonial, then the government of course should have no use for evidence of the act of production itself.”

Well, that’s something. In other words, they can’t have it both ways – if they’re going to say it’s a “foregone conclusion” that they’re his drives, they then can’t turn around and say it’s a surprise to them that he has the password.

And this stuff gets incredibly picky. In an amicus brief Kerr recently wrote, he lays out the distinction between a person giving law enforcement a password, vs. entering the password without law enforcement seeing it.

The reason this is all being discussed is that it’s a change. In 2013, for example, the Electronic Frontier Foundation and the American Civil Liberties Union submitted an amicus indicating that this kind of compelled decryption was a violation of someone’s Fifth Amendment rights. Basically, encryption is now common enough that simply knowing the password can’t be seen as incriminatory.

That’s not to say that the Fifth Amendment is never a protection against giving out passwords, Kerr notes. “Imagine the government obtains a search warrant to search a home for computer-stored images of child pornography,” he writes. “The home has three residents. The search yields one computer, and that computer has an encrypted hard drive that requires a password to use. Further assume that investigators have no evidence about which resident owns or uses the computer. In an effort to bypass the encryption, investigators obtain court orders requiring each of the three residents to enter the password. In such a case, each resident would have a valid Fifth Amendment privilege against complying with the order.”

In addition, hidden files, hidden volumes, and files that are themselves encrypted on the disk could also be protected under the Fifth, Kerr writes.
