comScore
Uncategorized Friday, February 24th 2012 at 1:07 pm

Judge Rules Refusing to Decrypt Hard Drive is Covered by Fifth Amendment

By ( ) Comments

You’re probably familiar with the phrase “pleading the Fifth.” You know, that thing the defendants on crime shows do when they’re obviously guilty and they just don’t want to talk about it. Well that’s also a thing in real life, and it isn’t a de facto admission of guilt. For the unfamiliar and forgetful, the Fifth Amendment states that no person, “shall be compelled in any criminal case to be a witness against himself,” as well as a bunch of language about like, eminent domain and stuff. The point here being that the 11th Circuit Court of Appeals has just ruled that a defendant in a legal case who refuses to decrypt their hard drive for law enforcement is covered by the Fifth Amendment.

This ruling dates back to a 2010 child pornography case with a defendant we’ll refer to as John Doe. Long story short, a few questionable YouTube videos and some IP tracking lead law enforcement to Mr. Doe’s hotel room door where they seized 2 laptops and 5 external hard drives, a total of 5 terabytes of data. All of Doe’s data, however, was encrypted with TrueCrypt, ostensibly in order to protect himself from identity theft (not that his intent really matters anways). When the court asked him to decrypt the hard drives, he plead the Fifth, at which point the court found him in contempt and threw him in jail.

Now, 2 years later, the 11th Circuit Court of Appeals has ruled that Doe was not actually in contempt and had every right to refuse. Naturally this is going to complicate the prosecution’s case a bit. And that’s not the only thing it complicates. Fifth amendment law as it applies to cyber-security is already complicated, and this decision only serves to make it moreso.

Traditionally, the Fifth Amendment doesn’t cover physical acts. For instance, if you’re asked unlock a safe or open a door, the Fifth Amendment doesn’t have your back. At least if the there is a key involved, relaying a combination, on the other hand, is technically testimony. This ruling equates decrypting a computer with telling something a the combination to a safe. The court’s decision describes it as follows:

We hold that the act of Doe’s decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.

To further complicate the matter, full disk encryption is a tough nut to crack. Whereas a safe can be cracked or a door broken down (I’ll admit I’m not sure about the legal implications of warranted forced entry) encryption can be practically foolproof. Depending on the strength of your encryption, it might be impossible to crack a password in less than several hundred years, so if a defendant isn’t compelled dole out the key, the data is effectively off the table for lifetime of all parties involved.

As if this wasn’t complicated enough already, there is already an example — two, actually — where encrypted data was not covered by the Fifth Amendment. Just last month, a defendant in a mortgage scam case was forced to decrypt his laptop after a ruling by a different federal judge. Likewise, a defendant in a 2009 child pornography case in Vermont was compelled to decrypt his drive although in that case, the evidence was found by customs officials while the device while it was on, and the issue of decryption became an use when later on, during the trial, the computer was off.

The last messy thing about this whole deal is that it’s dealing with child pornography, one of the touchiest subjects relating to cyber-security, and just in general. Pleading the Fifth already carries connotations of guilt, and adding child pornography into the mix makes it really easy to appeal to fear or disgust. Fifth Amendment cases have a history of being messy, though. After all, those “Miranda Rights” you’ve probably memorized while watching Law and Order? They became law when the Supreme Court reversed the conviction of a man who confessed to kidnapping a raping a woman. Yeah. Not pretty either, although it’s worth noting that Miranda still wound up in jail.

All that being said, this issue will probably continue to be hotly debated considering the contradicting precedents and the fact that handing over an encryption password is just ever so slightly different from opening a combination lock if it is even different at all. That’s a distinction that may have to be made by an even higher court a few more years down the line.

(via Global Post)

10010011101000100111110101101

Filed Under |
  • Anonymous

    I guess that hard drives equate to papers and there is the Declaration of Independence to consider when one wishes to know how the founders felt on the issue of having your private papers seized or used against ones own interests, and the point that having your hard drive used as testimony is a valid one, yes the hard drive is a physical object but its contents are not a physical thing.

    I am sure this may get appealed but in the end he may refuse to EVER unlock those drives,

  • Azazeltje

    There a few half-truths in this article.

    For one, the Fifth Amendment DOES have your back if you’re talking about a combination-lock safe. The courts have distinguished between safes that lock with a physical key – which you can be forced to turn over – and safes that lock with combinations, because that requires you to turn over information. Telling the combo or entering it yourself is protected by the 5th as it’s considered a “testimonial” act.

    Also, neither of the previous two cases were legal precedent. To have precedential weight, a case must have been decided by a superior court, and the precedent applies only to the courts underneath the deciding body. 

    The Colorado case has no precedential weight, because it was decided by a trial court, and the appeals hasn’t happened yet. 

    The Vermont case WAS decided by the appellate court, so its decision would be binding precedent only for the Vermont courts in that circuit, BUT, that case has been mis-stated. 

    The appellate court there did not rule on the encryption issue. They ruled that the decrypted contents of the hard drive were admissable because some of them had already been seen by law enforcement. 

    The issue wasn’t that part of the drive was encrypted and part wasn’t; he used whole-disk encryption. But as he crossed the border, his laptop was ON and officers were able to find the illicit content. Once he was arrested and it shut off, officers were unable to get it to power on again without the encryption key. 

    So the court ruled that the entirety of the contents were admissible under “inevitable discovery.” 

    [Also, he voluntarily de-crypted the drives and then just challenged the admissibility.]

    All things said, 5th Amendment protections for encryption keys is probably proper, despite the power imbalance between law enforcement and criminals. 

  • http://Geekosystem.com Eric Limer

    Wooaaaah. Someone knows their stuff better than I do. Thanks for the info, I’ll update a bit there. Wasn’t aware of the more specific implications of the term “precedent,” or the physical vs. combination stuff. Thanks a ton for the clarification. 

  • http://lawblog.legalmatch.com/2012/02/29/amendment-protects-decrypt-hard-drives/ SFJD

    I’m honestly not sure how I feel about this. I strongly believe in all of the protections afforded by the Bill of Rights, including the privilege against self-incrimination. But at the same time, getting data off of seized computers is often the only way authorities can catch child pornographers, and we need to lock those people up and throw away the key.

  • Anonymous

    This article is rife with grammar errors.Go back and fix them!

  • Anonymous

     and it’s that division they use to take away peoples freedoms. if “intellectual property theft” doesnt motivate people they pull out their ace “child pornography” just say you are trying to stop that people will give up any and all rights online, they will allow more and more transgressions against privacy, they will allow the loss of more and more rights and they will convince themselves its making a difference against child pornography. its not, it never will. all it will do is punish the innocent and allow for greater amounts of bullying.

    “with the first link a chain is forged, the first freedom denied, the first speech censored, the first thought forbidden chains us all irrevocably”~jean luc picard.
    your rights are sacred, do not trade them away for the promise of security for you will end with neither.