Massachusetts Ignores 5th Amendment; Says Defendant Can Be Forced To Decrypt His Computer
from the that's-unfortunate dept
For many years, courts have struggled with the legal question of whether or not law enforcement can force a defendant in a lawsuit to decrypt encrypted files. All the way back in 2007, we wrote about a judge in Vermont finding that such forced decryption represented a Fifth Amendment violation, as it could be considered a form of self-incrimination. However, that was just one court. Other courts have ruled the other way. Not surprisingly, the Justice Department doesn’t believe the Fifth Amendment should apply in these situations, but courts still seem to be divided as judges go back and forth on the issue.
Unfortunately, it appears that Massachusetts’ highest court has now gone over to the wrong side of the debate, finding that there is no Fifth Amendment violation in forcing people to decrypt their computers. In this ruling, the court said that there was “an exception” to the Fifth Amendment, if the results are a “foregone conclusion.” As Cyrus Farivar at Ars Technica summarizes:
That exception, the MSJC said, can be invoked when “an act of production does not involve testimonial communication where the facts conveyed already are known to the government, such that the individual ‘adds little or nothing to the sum total of the Government’s information.’”
Of course, that seems like a fairly dangerous “exception.” Prosecutors can just claim that such facts are “already known.” Furthermore, if the information adds little or nothing, then… why is it even needed? It’s difficult to see why anyone should be forced to decrypt information on the basis that… it’s not really needed. Here’s the key paragraph from the ruling:
When considering the entirety of the defendant’s interview with Trooper Johnson, it is apparent that the defendant was engaged in real estate transactions involving Baylor Holdings, that he used his computers to allegedly communicate with its purported owners, that the information on all of his computers pertaining to these transactions was encrypted, and that he had the ability to decrypt the files and documents. The facts that would be conveyed by the defendant through his act of decryption—his ownership and control of the computers and their contents, knowledge of the fact of encryption, and knowledge of the encryption key—already are known to the government and, thus, are a “foregone conclusion.” The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows.
Given the back and forth nature of so many of these rulings, you have to imagine that it’ll eventually end up before the Supreme Court. Hopefully that Court’s renewed belief in the Fourth Amendment will extend to the Fifth as well.
Filed Under: 5th amendment, decrypt, encryption, massachusetts, self-incrimination
Comments on “Massachusetts Ignores 5th Amendment; Says Defendant Can Be Forced To Decrypt His Computer”
If they’re really going to claim that forcing someone to hand over their encryption key doesn’t violate the 5th because it’s (somehow) not forcing them to provide incriminating evidence against themselves, then there’s a really easy way to prove it: provide, in writing, full immunity for anything found on the decrypted drive/device. They get the evidence that they ‘already know'(though if they already knew it, what exactly did they need it for…?), and the one who handed over the key isn’t building their case for them.
However, you can be sure that there is no way in hell they’d ever offer such a ‘deal’, as everyone involved knows full well that handing over the encryption keys is handing over self-incriminating evidence, no matter how much they like to pretend and/or lie otherwise.
This ruling is INSANE
Specifically this part: “The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows.”
What…the…fuck!?!? They’re actually codifying an exemption of a constitutional right on the basis of a presumption of guilt by the PROSECUTOR? So we’re now not only violating the constitution, but universal human rights as well?
This entire contortion of a ruling makes zero sense. Evidence is compelled of the accused that the prosecution believes will incriminate that same accused, as evidenced by the prosecution “already knowing” what it will say/be/read, and that same presumption of guilt is what obviates the law of the land?
This is a ruling that cannot be allowed to stand….
Re: This ruling is INSANE
Actually, that’s the precedent case as well.
In re Boucher Basically, his computer was searched going through US Customs and Child Pornography was found. When the computer was powered off, disk encryption prevented them from confirming the evidence.
My question is basically what’s stopping the person from simply saying they forgot the password? Can they hold you in contempt?
Give you a simple example, I’ve used PGP for email for a long time. If they asked me for emails from say 10 years ago, there’s simply no way I could provide them my private signing key from back then. Would that automatically make me a criminal?
Re: Re: This ruling is INSANE
It is simpler than that, if you use encryption you are a criminal.
Re: This ruling is INSANE
According to the Ars article, he bragged a bit about his systems being encrypted and that they could never get info off them.
He should have taken Popehat’s advice: STFU! & ask for a lawyer.
Re: Re:
Moot point.
It shouldn’t have mattered what he said, as had he been dealing with a judge that actually respects the Constitution and the rights of the accused, they would have stated/noted that forcing someone to hand over encryption keys is forcing them to provide evidence against themselves, and therefor prohibited it.
Re: Re:
Good point. If he hadn’t already told them that he knew the key, this may have been a different ruling.
Re: Re: Re:
But knowing that he has the key isn’t the same as knowing the contents of what that key encrypts.
Presumably the only reason they would need to get the key from him is to be able to find incriminating information on his computer that he has not shared with them, thus it would be information not known to the government and would add substantially to the “sum total of the Government’s information”.
If the government already has the facts of the crime known to them, then they don’t need the encryption key at all. Just try him in court with the facts you already have.
Re: Re: Re: Re:
If you have relevant documents in your locked file cabinet, you can’t refuse a subpoena for those documents on 5th amendment grounds. You can’t be compelled to testify against yourself. But you are not completely protected from turning over evidence in your possession that can incriminate you.
This judge felt that confessing that he has the key is all that was needed to compel the man to use the key.
Re: Re: Re:2 Re:
True, for as far as you have carried the analogy. The other half of the analogy, which you didn’t carry is, the court cannot, indeed under Fourth Amendment may not compel, require, indeed, even ask for production of information/documents/recordings, etc. that are not germane to the matter in hand. I believe the term of art is ‘responsive material(s)’, and the provision is, a subpoena must be ‘narrowly tailored’ to the responsive materials. In the case of subpoenas where it’s not possible to separate materials that clearly, the court is obligated to enter and enforce a protective order, covering destruction of materials not responsive in the case at bar.
Decrypting the hard drive is providing access not only to the ‘responsive material(s)’, but also to a plethora of other information which under other provisions of the Constitution, court decisions, even the rules of procedure, the court may not see. I could even name a case in which a court would be absolutely barred from seeing certain documents – for example, a letter from the accused to his lawyer, or priest, or doctor, that he typed on his computer, printed out one copy for mail/fax/personal deliver, and kept on on the hard drive for record-keeping purposes.
If the court in this case did not enter a protective order, and still ordered the drive decrypted…well, it would take a lawyer or judge to outline what kind of effect that could have on the case. At a minimum, I would expect an appeal of some description on that basis alone.
Re: Re: Re:3 Re:
Actually, if you read the opinion, you’ll see that the Commonwealth requested that the court compel the defendant to comply with its protocol for handling electronic files. Industry-standard practice is to image the drive and run specific searches for responsive material, usually in coordination with defense counsel.
Re: Re: Re:2 Re:
Re: Re: Re:3 Re:
This analogy is broken and only works if the files inside the locked cabinet are encrypted. Encryption isn’t limited to digital devices, after all. I would equate the lock on said cabinet as being more akin to the password your OS asks for at logon, not the password required for decryption which is completely separate.
Re: Re: Re:3 Re:
No, but you can’t be forced to physically open the cabinet, either.
You can absolutely be compelled to turn over the documents in your locked safe. It’s called a subpoena. Sure, they have ways of breaking the lock if you don’t comply. But you are definitely subject to criminal penalties for not complying as well.
Re: Re: Re:
And yet, even with that admission they would be getting a new piece of evidence. That statement made to police may be later excluded at trial, or may be explained away in other fashion. The act of decrypting the drive is a new piece of evidence that they cannot have had (because if they had it then they wouldn’t need this process).
Source: I’m a criminal defence lawyer. And this is one scary-ass ruling. Feel free to apply the XKCD rule to that statement, it works just as well that way.
If the government knows, and can be prove that they know it, then they do not need to decrypt the drive. If they cannot prove it, then the do not know it, but only suspect it; in which case forcing the person to decrypt is self incriminating, as they cannot get the conviction without having the data decrypted for them.
Re: Re:
But parallel construction requires that the government obscure the source of their information so that they are not caught spying on US citizens or forced to reveal their true source.
If you had attended the secret hearing about the secret laws that were secretly interpreted in a secret manner you’d know that, but it’s a secret so you don’t.
Re: Re: Re:
He wouldn’t be able to tell you if he knew.
Apply that logic to the Senate report on the CIA torture program. One can argue that its existence and many of the sordid details are already known to the public. The facts are “already known” and the results a “foregone conclusion.”
Re: Re:
Ah, but you’re failing to consider the ‘National Security: You Get Nothing’ angle, where even if the facts are ‘already known’, they still can’t be officially known, due to [REDACTED] posing a critical threat to [REDACTED] if it became known to [REDACTED].
Re: Re: Re:
Also known as the “nanny nanny boo boo” directive within government agency circles.
Re: Re: Re:
I keep wondering, what if ‘they’ or everyone knew everything. Methods, technology, what we know and when we knew it. So what. Short of exposing humint (humans on the ground in ‘our’ service) what is the problem? Would it change anything?
Re: Re: Re: Re:
Sorry, probably the wrong place to bring this up, but the comment above struck me. Would be better on an FOIA post.
oxymoronic
So, if I understand correctly, there is a Fifth Amendment exception where you can be forced to disclose information only if that information has no significant impact on the case … and the prosecution already has the information. That sounds like a pretty good thing for the defense, then. Either the information protected by encryption is covered by the Fifth Amendment, that information adds nothing to the prosecution’s body of information… so there is no justification for getting into the computer, anyway.
I don’t think it’s a matter of judges going back and forth on the issue as much as it’s a matter of different fact situations leading to different situations.
And I wouldn’t count on the Supreme Court wrapping things up in a neat little bow. The foregone conclusion doctrine is not some new concept they just made up to deal with encryption. It’s been kicking around since 1976 and SCOTUS has already had multiple chances to consider it. (Encryption might be new, but similar issues arose even before encryption, such as whether a suspect could be forced to divulge the combination to a wall safe).
Re: Re:
A wall safe can always be physically removed and cut open, though, if the owner proves recalcitrant. You can’t do that with encryption.
Re: Re: Re:
The crypto analogy to cutting open a wall safe is to crack the crypto. Just like with a physical wall safe, this is generally, but not always, possible if enough resources are devoted to do it. Really good crypto requires a LOT of resources to crack it, of course.
Re: Re: Re: Re:
When Glenn Greenwald’s husband stopped to change planes in England, his encrypted laptop hard drive was supposedly brute-force decrypted within a few hours of his arrest. It seems kind of odd that the US federal government is passing out million-dollar bomb-proof vehicles to every small-town police force that puts their hands out, but apparently not (yet) allowing local police to access the fed’s encryption-cracking supercomputers.
When that starts happening, there will be no need to force people to hand over encryption keys — hard drives will be cracked open while the suspect is being fingerprinted.
Re: Re: Re:2 Re:
[citation needed]
What you say is mathematically impossible, even with supercomputers. They might have copied his hard drive that quickly, but not decrypted it unless they actually got the keys.
Re: Re: Re:3 Re:
“[citation needed]”
http://www.bbc.co.uk/news/uk-23898580
(Greenwald later insisted there was no sheet of paper containing a password, however.) How do we really know that the encrypted drive’s contents was actually revealed? Because a government spokesman said so!
Re: Re: Re:3 Re:
“What you say is mathematically impossible, even with supercomputers”
This is not true. It is mathematically possible, and there exist several supercomputers that can accomplish it. If your crypt is given to one of these systems, and if the quantity of encoded data is significant, and if you aren’t using the best possible crypt (almost nobody is), then the crypto can be cracked in a period of time ranging from an hour to a couple of days. How long it actually takes is partly a matter of luck and partly a matter of how much encoded data there is to work with (the more the better).
Re: Re: Re: Re:
No, that’s not accurate. “Really good crypto” literally requires every computer in the world to work until after the death of the Sun and still not have a 1% chance of brute-forcing it. That’s not sci-fi or a goal; that’s the reality of modern, high-grade cryptography. It can’t be “cut open” like a safe unless a flaw in the algorithm is found.
Re: Re: Re:2 Re:
” “Really good crypto” literally requires every computer in the world to work until after the death of the Sun and still not have a 1% chance of brute-forcing it.”
Lots of crypto engineers have proven this wrong. What you’re citing is how long it would take to crack the crypto if what you’re doing is just trying all possible keys. That’s not how it’s done in reality.
Re: Re:
A wall safe is the perfect analogy here.
Here’s what Supreme court Justice Stevens once wrote:
He may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe ?- by word or deed.
There’s been a few other instances where the Supreme Court has also used this analogy of a key/combination to help decide whether a subpoena is appropriate.
This judge, however, seems to think that once you’ve revealed that you know the combination to a safe, there’s no more significant self-incrimination left. That combination then becomes more like a key, in terms of 5th amendment considerations, that should be turned over.
The lesson here – don’t confess knowledge of encryption keys.
Re: Re: Re:
Note, however, that Justice Stevens’s statement in Doe v. U.S. was in dissent. The majority of the court held “in order to be testimonial, an accused’s communication must itself, explicitly or implicitly, relate a factual assertion or disclose information.” The court in fact compelled the defendant to sign the form allowing production of the foreign bank records.
While I don’t agree with the court’s outcome here, I do think it’s based on a fair reading of the precedent. The decision itself is only a few pages long and makes the case pretty clearly.
(Note that only two out of the seven Massachusetts Supreme Judicial Court dissented. This is not one random judge.)
Re: Re: Re: Re:
Agreed. Those comments of Steven’s were in a dissent. However, Stevens was able to use the same analogy later in 2000 (Hubbel) when the court rejected a subpoena that tried to force a man to identify which documents were relevant –
The assembly of those documents was like telling an inquisitor the combination to a wall safe, not like being forced to surrender the key to a strongbox.
I can see how this court thought that having the suspect use the key (that he already admitted having) was non-testimonial. But I wonder if there isn’t further self-incrimination in having a person prove/verify that the password he claimed knowledge of actually works.
– not actually an attorney
Don't Talk to Cops
It appears that the plaintiff told the investigators that information was there, then refused to decrypt. If he had kept his mouth shut, he might not be in this predicament.
The presumption by the prosecutors that he was telling the truth that evidence was there is actually hilarious. What if he lied, and then they get in there, after all of this, and all they see is well not incriminating, unless he managed to encrypt a ham sandwich.
You know what the government doesn’t know? the encryption key and the number of or content of the encrypted files/drive. As such, those are not ‘forgone conclusions’, and compelling the release of the encryption key or decryption of the drives does not qualify for this exemption.
the biggest problem or so it seems recently is that the supreme court comes out with ‘supposed knowledgeable rulings’ that even an idiot wouldn’t believe are true. the common sense, sense and knowledge seems to be fast going out the window, particularly when old companies appear threatened by new services and technologies and when law enforcement have royally screwed up and needs help in excusing their behaviours. that means that no one, basically, has a clue what is legal and just
This ruling contradicts itself.
“We need you to disclose your password, so we can view the information we already know is on your hard drive.”
Basically, the court is saying they have a strong suspicion of what’s on the defendant’s hard drive, but the prosecution isn’t able to absolutely ‘prove’ it beyond a shadow of a doubt.
So the court is demanding the defendant decrypt the hard drive, so the prosecution has absolute evidence to ‘prove’ his guilt.
This is exactly the situation the 5th amendment is supposed to protect against. It doesn’t matter if the defendant verbally or non-verbally incriminates himself. It ultimately leads to the same thing. Self incrimination.
Moral of the corrupt justice system story. I forgot my password. That’s my story and I’m sticking to it.
Exactly where did this “exception” to a Constitutional amendment come from? I’m pretty sure that Constitutional amendments can’t simply have exceptions slapped on them by random government agencies because it’d be convenient to have them; that’s the entire point.
Why is it that week after week, year after year, every time someone in power has to choose between doing things the right way and doing them the easy way, they always choose the easy way?
Re: Re:
Ummm… because it’s easy?
Here is my answer: “Damn, where did I put that sticky note with the password written on it…”
Re: Re:
You do NOT want the DOJ looking for that sticky note. They have lots of gloves, but no lube at all.
Looks like The Old Colony State is going to have to change its' official Motto now
Ense petit placidam sub libertate quietem
Obvoiusly in latin. I gusee the Mass. Supreme court does not know any latin.
“By the sword we seek peace, but peace only under liberty”
Everyone here (including Mike, unfortunately) is misunderstanding the ruling. It’s important to clarify exactly what has been permitted by earlier rulings and what is permitted by this ruling.
The 5th Amendment, in relevant part, states “nor shall be compelled in any criminal case to be a witness against himself . . . .” The Supreme Court has held that this means that you cannot be compelled to testify against yourself. The 5th only protects testimony. It does not prevent the court from compelling you to produce evidence that you have in your possession, regardless of whether or not it may incriminate you. For example, the court can compel you to turn over guns, drugs, accounting documents, and anything else that is evidence.
There’s an exception to the 5th Amendment for testimony about “foregone conclusions.” That is, if the testimony does not tell the government anything it doesn’t already know, the court can compel you to reveal it.
Now, let’s apply the law to these facts: The contents of the encrypted files themselves are not testimony, they are evidence. That means that the court can compel their production. The court also knows, because of his statements, that the computer and the files are his. The only question before the court was whether or not the decryption of the files can be compelled. The court can only compel the decryption if 1) the decryption is not testimony, or 2) the decryption is testimony but the knowledge the testimony reveals is a “foregone conclusion.”
We will all agree that if the decryption is not testimony then the 5th Amendment isn’t implicated. It’s only if it is testimony that we have any question. The court here held that the act of decryption reveals only that the defendant has ownership and control of the computer and the files, which, crucially, is a fact the court already knows. It’s a foregone conclusion that the computer is his. The contents of the files isn’t a foregone conclusion, but it doesn’t matter because the 5th Amendment doesn’t protect against compelled production of incriminatory evidence.
Re: Re:
disagree. Decrypting an entire drive reveals much more than simple ownership; It also potentially reveals much more than anything a defendant has previously stated is on the drive, including things the defendant may not even know is on the drive.
Additionally, it’s practically impossible to decrypt a drive without revealing the key – whether through watching the defendant type it in, or searching for it in RAM post-decryption, or fingerprinting the keyboard after the key has been entered.
Also, if the defendant has never claimed the ability to decrypt the drive – simply admitted knowledge of it’s encryption – then the act of decryption is, in fact, testimony that he knows the key.
Re: Re: Re:
The court’s point is that the contents of the drive isn’t testimonial, it’s evidence. Just like the court can compel you to turn over your financial documentation even if it’s incriminatory, the court can compel you to turn over the contents decrypted files. No court disagrees with that. The only issue raised here is whether compelling decryption violates the 5th. The answer, as the court explained in its opinion and I explained in my post, is no, because all decryption testifies to is that the defendant has control over the computer, which the government already knows.
As to your third point, here’s an excerpt from page 3 of the opinion:
On the day of his arrest, the defendant was interviewed by law enforcement officials after having
been advised of the Miranda rights. In response to questioning, he said that he had more than one
computer in his home. The defendant also informed the officials that “[e]verything is encrypted
and no one is going to get to it.” In order to decrypt the information, he would have to “start the
program.” The defendant said that he used encryption for privacy purposes, and that when law
enforcement officials asked him about the type of encryption used, they essentially were asking for
the defendant’s help in putting him in jail. The defendant reiterated that he was able to decrypt
the computers, but he refused to divulge any further information that would enable a forensic
search.
Re: Re:
but how does the fact that the prosecution is already in possession of said evidence mean to any of that?
Re: Re:
There’s an exception to the 5th Amendment for testimony about “foregone conclusions.” That is, if the testimony does not tell the government anything it doesn’t already know, the court can compel you to reveal it.
Here’s the huge hole in that argument: If they already know what’s on the drive, then why do they need to force the person to decrypt it? If they’re not going to find anything they don’t ‘already know’, then what use is forcing the person to decrypt it?
Also, and maybe it’s just my vision not being what it used to be, but could you point out exactly where that ‘exception’ is listed, because for the life of me I can’t find it.
‘No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.’
Is it in the footnotes or something and they forgot to add the asterisk to the main document? Something like *Unless the prosecution pinky swears that they already have the evidence, and they just want the accused to hand over self-incriminating evidence as verification‘?
Re: Re: Re:
Sure. No problem.
It’s in the Constitution of the Commonwealth of Massachusetts. Right there under ?A Declaration of the Rights of the Inhabitants of the Commonwealth of Massachusetts?. Article XII:
Do you see it now? It says, ?No subject shall ? be compelled to ? furnish evidence against himself.?
Plain as daylight. All you have to do is read the words.
Re: Re: Re: Re:
Honestly, that just makes me disagree with you more – isn’t the decryption of the drive ‘furnishing evidence’? And the act of compelling the defendant to decrypt it compelling him to furnish it against himself?
Re: Re: Re:2 Re:
Might want to get your sarcasm detector checked, it seems to be on the fritz there.
Re: Re: Re:3 Re:
Oh, I misread the name with the one from the comment above it. whoops!
Re: Re: Re: Re:
didn’t realize a states constitution trumped the US constitution.
We can go back to slavery, no more women voting or poor white folk for that matter, taking guns away and removing your rights to free speech.
You are a fucking tool!
Re: Re: Re:2 Re:
Perhaps you can point out what there ‘trumps’ the US Constitution, as both of them seem to be saying the same thing, just in different words.
Re: Re: Re:2 Re:
It is a long time since I did civics in an american school, but IIRC the states are bound by their own constitutions except where this conflicts with the federal constitution – so although the US Constitution doesn’t protect him, the plain reading of the MA constitution would appear to do so.
That wouldn’t matter if it was a federal trial, but this is a state trial.
I’ve only skimmed the ruling, but it seems that the matter of that above quoted passage of the state constitution wasn’t commented on. I assume that means that it was misquoted, or has been amended or watered down to provide no more protection than the federal Constitution. (Even if the matter wasn’t raised, here the judges would generally point out that they’re being asked an irrelevant question.)
Re: Re: Re:
You’re misunderstanding. The 5th Amendment doesn’t protect the contents of the hard drive at all. The 5th protects testimony, and the contents aren’t testimony. The only thing that compelled decryption reveals is that it’s his encryption, which the prosecution already knows that it’s his laptop and he testified that only he could decrypt it. That’s the foregone conclusion, not the contents of the hard drive, which is plain old evidence.
As for the foregone conclusion exception to the 5th Amendment, you’ll have to take that up with the Supreme Court. From Fisher v. U.S.
It is doubtful that implicitly admitting the existence and possession of the papers rises to the level of testimony within the protection of the Fifth Amendment. The papers belong to the accountant, were prepared by him, and are the kind usually prepared by an accountant working on the tax returns of his client. Surely the Government is in no way relying on the “truthtelling” of the taxpayer to prove the existence of or his access to the documents. 8 Wigmore ? 2264, p. 380. The existence and location of the papers are a foregone conclusion and the taxpayer adds little or nothing to the sum total of the Government’s information by conceding that he in fact has the papers. Under these circumstances by enforcement of the summons “no constitutional rights are touched. The question is not of testimony but of surrender.” In re Harris, 221 U. S. 274, 279 (1911).
Of course, if you question the power of the Supreme Court to decide what the 5th covers and doesn’t cover, ask yourself where the 5th Amendment says it applies to the states in the first place…
Re: Re:
I don’t think we can all agree that decryption is not testimony. Providing the key may be tantamount to incriminating yourself; as part of the definition of testimony, the dictionary includes “evidence or proof provided by the existence or appearance of something.”
A digital key is unlike a key to a safe, which contains static stuff. Encrypted digital files are not tangible evidence that can be produced. Until they are transformed, you have an unknowable Schr?dinger’s cat scenario, sans the key?not a forgone conclusion.
Re: Re: Re:
I should have been more clear. The Supreme Court, in well-settled law, has stated that evidence is not testimony. You can be compelled to produce evidence against yourself. The dictionary definition of testimony doesn’t matter; it’s the legal definition, as defined by the body authorized by the Constitution to define, that matters.
And the court is not blind. The fact that files are encrypted doesn’t mean the court throws up its hands and says it’s a fair cop. Encrypted files are seen by the law as just regular evidence. Clever technical finaglings don’t usually help in court.
And, as I (and the courts) have said multiple times, the only foregone conclusion is that it’s his encryption. There doesn’t need to be an exception for the content of the files, because the content is not protected by the 5th Amendment because it’s not testimony.
Re: Re: Re: Re:
Good points.
I liken it to a storage locker or safe filled with information. You can claim that it’s locked, and refuse to give the key, and the state can still cut their way in and view the evidence. Encryption is a key, not unlike a key to a lock…
The story may have been different if the guy never mentioned the computers and never taunted the police with the encryption, he made it clear he had something hidden and made a warrant to get it all but a foregone conclusion.
Re: Re: Re: Re:
You assume that the ‘body authorized by the Constitution’ to define that term, got the definition correct?
No disrespect here, but given, for example Roe v. Wade or or Marbury v. Madison or even – maybe especially? – (shudder) National Federation of Independent Business v. Sebelius, I find your faith in that particular body to be a bit…misguided, shall we say.
Re: Re:
Decrypting the contents requires providing an answer (the password) that can then be used to incriminate the person. It’s not at all the same supplying physical evidence.
Re: Re: Re:
In other words, it’s like asking “where did you dump the body?”
Re: Re: Re:
Did no one in this thread actually read the court’s opinion? Tell me, what 5th Amendment-protected facts, exactly, does decrypting the contents reveal? The contents themselves aren’t protected by the 5th, so that’s out. The only other piece of information revealed is that he was able to decrypt the files, which the government already knows because he testified to that fact. That’s why there’s no 5th Amendment right implicated here.
Re: Re: Re: Re:
The fact remains that the evidence is impossible to obtain without the defendant’s testimony.
Re: Re: Re:2 Re:
That’s true of many kinds of evidence. It doesn’t matter. The 5th Amendment doesn’t entitle you to withhold evidence unless you would be testifying against yourself. As explained many times so far, compelling the defendant here to decrypt the contents of the files only implicates the 5th Amendment insofar as it demonstrates that they’re his files. However, the Supreme Court has held that where a fact is already known to the government, the 5th Amendment doesn’t protect it. Here, the fact that these are his files is already known because he testified to that fact.
Re: Re: Re:3 Re:
Let me try to clear the mud here.
The disk drive has many sets of files, let’s call them A, B, and C for now. The government knows he has set A of files on the disk.
Him providing the password will also demonstrate that sets B and C (which the government doesn’t know about yet; set B might be, for instance, a set of illegally downloaded movies) are his files.
Producing the password, he is testifying against himself; he’s testifying that sets A, B, and C are his. He is admitting, in my example, to having pirated movies (set B) and having pictures of adorable kittens (set C).
The problem is not his withholding the contents of his drive. The problem is that, by decrypting it, he is admitting to having the contents of his drive – all of it, including pirated movies and cat pictures.
Re: Re: Re:4 Re:
The catch is that the government is not saying that it knows he has set A. The government is saying that it knows, based on his testimony, that he has all of the files on the drive, which may include A, B, C, or anything else. None of the contents of the drive are protected by the 5th Amendment, and the government already has the knowledge that the drive is his.
Think about it. Under your theory, the government could not ever compel you to produce your business records because they might demonstrate that you were conducting some other illegal activity. Yet we know that the government is entitled to such evidence.
Re: Re: Re:5 Re:
Actually, a bit of clarification. The defense could always request a protective order to limit the scope of discovery to those reasonably related to the crime at issue, but that doesn’t implicate the 5th Amendment. It’s really the 4th and statutory law that controls there.
Re: Re: Re:5 Re:
The contents of the drive are readily available to the government: they just don’t know how to interpret them. Making sense of those bytes requires the defendant to supply information in his head to translate those bytes into intelligible data which can then be used, the government hopes, to determine guilt.
Re: Re: Re:6 Re:
This.
Unfortunately, it seems that defendants can be forced to supply information which is solely in their heads, at least in some contexts. For instance (correct me if I am wrong), they could be forced to tell the court what they saw at some date and time, which is something (their memory) which is solely on their heads.
It is one of these situations where what the law is and what the law ought to be diverge. The 5th amendment is too limited. In the same way we should never be forbidden to speak (1st amendment), we should never be forced to speak.
Re: Re: Re:6 Re:
Correct. The 5th Amendment, however, doesn’t bar the government from compelling the defendant to unlock his files unless there is some testamentary fact that will be revealed thereby. That’s why the court here invoked the foregone conclusion doctrine. The government already knew that this was his drive and that only he could decrypt it (because he testified to it). The fact that the contents of the drive are encrypted is a technical nicety that the court holds doesn’t matter.
Now, you may be of the opinion that the government shouldn’t be able to compel a defendant to perform any overt act to assist in his defense. You must then realize, however, that then the government couldn’t compel production of all kinds of evidence, and moreover, such a limitation does not appear anywhere in the 5th Amendment or in caselaw. We would need to have court rulings to that effect, and the logic of the Massachusetts court is fairly compelling.
Re: Re: Re:7 Re:
Not a lawyer here:
Isn’t there an issue with the specificity of the warrant with regards to what they are looking for? Decrypting a whole hard drive might open someone to something not being sought, and therefore incriminating. Giving the key in this instance might be different?
Re: Re: Re:7 Re:
“The government already knew that this was his drive and that only he could decrypt it (because he testified to it).”
What if he testifies that there is nothing of interest to them on any of his drives?
Re: Re: Re:5 Re:
Re: Re: Re:4 Re:
Trying to be even more clear:
Only someone who has the key can produce encrypted files which, together with the key, will decrypt to something which is not complete gibberish (that is not generally true – see for instance the OTR protocol – but it’s true of all full-disk encryption software).
By producing the key or decrypting the disk in front of these gentlemen, he undeniably proves that the resulting files were made by someone who had the key – which is supposed to be only himself.
Therefore, by producing the key or decrypting the disk, he is testifying that all the files are his. This includes files the government knows about, AND files the government didn’t know about.
This last set is the self-incrimination bit. He is testifying that he possesses files the government didn’t have the foggiest idea he possessed (I believe the canonical example is “midget porn”, whatever that is).
Re: Re: Re:5 Re:
It’s not the ownership of the particular files on the drive that implicates the 5th Amendment. It’s the control of the drive itself that’s testimonial. Moreover, he had already testified that he was the only one able to decrypt the drive:
On the day of his arrest, the defendant was interviewed by law enforcement officials after having been advised of the Miranda rights. In response to questioning, he said that he had more than one computer in his home. The defendant also informed the officials that “[e]verything is encrypted
and no one is going to get to it.” In order to decrypt the information, he would have to “start the program.” The defendant said that he used encryption for privacy purposes, and that when law enforcement officials asked him about the type of encryption used, they essentially were asking for
the defendant’s help in putting him in jail. The defendant reiterated that he was able to decrypt the computers, but he refused to divulge any further information that would enable a forensic search.
And again, under the theory you’re positing, the government would never be able to compel production of any document that might contain evidence of any other crime, which we know is not the case. The defendant’s remedy under those types of situations is to seek a protective order or find a challenge under the 4th. But here, under the 5th, the only testimonial bit is that it’s his drive, which he already testified to.
Re: Re: Re:3 Re:
Someone further up the page posted what they claimed was an excerpt from the equivalent section of the MA state constitution, which was stricter than the fifth amendment and also exempted suspects from providing evidence against themselves.
Since it wasn’t mentioned in the decision, I assume the section has been amended or watered down to the same level as the fifth amendment, or it was misquoted, because otherwise the defendant’s lawyer isn’t very good.
Re: Re:
Re: Re:
As far as I see it, decryption keys are not evidence, they are testimony. But I am not a lawyer, so I ask you: Could Ali Baba be legally compelled to reveal the phrase ‘open sesame’?
Re: Re:
A self evident truth is that an inanimate object can be evidence, but never testimony in and of itself, while the spoken word can be both. Anything said prior to a trial, like during an investigation, is evidence. Once a trial begins, anything said during its course is testimony. I’m surprised someone who claims to be a lawyer fails to grasp this simple concept.
PROSECUTION: Please state for the court the password for your computer.
DEFENDANT: I plead the fifth.
This is the appropriate response and one supported clearly by both constitutions (state and federal). It makes perfect sense because answering any questions proposed by the prosecution requires the defendant to supply an answer vocally, on official record, that is by definition testimony. The only way it could become evidence is if they force, or otherwise trick, said defendant into writing the password onto a piece of paper, then entered that as evidence. Kind of a long shot though, constitutionally speaking. Especially in light of other rulings.
On top of all that, we have this which is copied from the very Constitution of the Commonwealth of Massachusetts itself:
“Article XII. No subject shall be held to answer for any crimes or offence, until the same is fully and plainly, substantially and formally, described to him; or be compelled to accuse, or furnish evidence against himself.“
https://malegislature.gov/Laws/Constitution
I see nothing on that page which would suspend this article of law in any way, shape, or form, for this particular situation specifically.
Re: Re: Re:
I assume that’s been watered down by judgements, or the various judges don’t like the defendant very much and hope his lawyers don’t notice their mistake.
I see a market opportunity!
I see a market for an encryption system that will have an alternate self-destruct password, i.e. you agree to enter your password and enter the destruction password. Is this out there already?
Re: I see a market opportunity!
Every forensic examiner worth his salt duplicates the hard drive (using a write blocker) before doing anything else. A self-destruct password would do nothing but annoy the judges.
What would work better is having half of the key in hardware, with an anti-theft system which detects that the computer case has been opened and forgets the key when that happens. Attempting to duplicate the hard drive would instead erase the key. Add something like SecureBoot plus a boot password plus geofencing plus other tricks and you have a pretty secure anti-theft solution.
Re: I see a market opportunity!
TrueCrypt had something similar, there was the ‘real’ password, which would unlock access to the encrypted information, and a ‘false’ password, which would unlock a ‘decoy’/secondary section.
Re: I see a market opportunity!
Too late…
http://www.kali.org/how-to/emergency-self-destruction-luks-kali/
…and it’s free!
We need to implent...
Yet another cause for encrypted data structures that feature “false bottom” partitions
I suppose it also would hurt to have multi-component keys for one’s security, so that it’s possible to render a hard-drive incapable of being opened, even by yourself.
Of course that could lead to having something encrypted turning into “obstruction of justice” or “contempt of court”. But it might remind activists and legislators that the term justice has little meaning anymore here in the US.
From Anonymous Coward Give you a simple example, I’ve used PGP for email for a long time. If they asked me for emails from say 10 years ago, there’s simply no way I could provide them my private signing key from back then. Would that automatically make me a criminal?
Possibly, yes. And if someone wants to put you in jail it might stand.
As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States
This post does not contain an encrypted secret message
Thursday, June 26, 2014 3:39:26 PM
promotion bullfight limit stream digging salon fever honey
Re: We need to implent...
“As of this posting I have not received a US National Security Letter or any classified gag order from an agent of the United States”
Please remain alert for the possible absence of this statement from future communications.
Re: We need to implent...
Re: Re: We need to implent...
The way the UK does it, that wouldn’t help: if you get a court order to supply your encryption keys, and refuse, you’re in contempt and get punished. Then, when you’re about to get out, they ask for a new order, and you again cough up or get punished for contempt in relation to the new order.
Of course, after a few years, you might not remember the password, and if you can convince the court of that then you’re not in contempt.
Here's a question...
If the police find a confession written in Spanish (or latin, greek, russian, etc), could they compel the defendant to translate it?
Re: Here's a question...
That’s not a good analogy. A better analogy would be a confession written in a language of the defendant’s own design. The only one who knows how to translate that language being the defendant itself.
That’s a direct analog to old-school pen-and-paper cryptography (creating your own language is basically a codebook variant). What is the jurisprudence on encrypted pen-and-paper diaries? Is the defendant forced to decrypt his notes?
The “encrypted pen-and-paper diary” is a way, way better analogy to an encrypted computer than a “locked safe” analogy. Why aren’t lawyers and judges using it?
Re: Re: Here's a question...
Well, of course, the police could just go get a translator in my example – the point was, regardless of that, could he be compelled. I was trying to avoid actual cryptography in my example
Decryption as a wall safe
Encryption can be considered, sometimes, as an analogue to a wall safe in that it “keeps others from accessing the contents”.
But there is a difference: Decryption creates something that did not exist previously: unencrypted files.
So consider another analogy: If the court demands your financial records as evidence, can it force you to create them where they did not exist before? Or perhaps, translate them, if you wrote them in code? I seem to recall some lawsuit involving an encoded diary…
Evidence and testimony
The distinction between physical evidence and testimony is not always black and white; the prosecution can’t force a defendant to tell it where the loot is located because such an admission is testimonial as to custody, control, possession and knowledge.
I think we’ll all agree that neither could the government force a suspect to produce all child pornography or illegal drugs in his possession, because even though the physical evidence is not incriminating in itself compelling the defendant to use his mind to testify clearly is so.
It however raises another interesting issue, if the defendant in this case had used a shared computer with friends or a remote storage server with joint access — where multiple persons could upload encrypted files, the government could not force the suspect to decrypt because the ability to decrypt would testify as to ownership, control and knowledge as to the contents.
So the lesson apart from don’t do crime is never store potentially incriminating data locally but always use a shared online resource with no easy authentication.
If the government can’t prove you own the data, or doesn’t know where the data is located, it can’t force you to use the labor of your mind to incriminate yourself.
Re: Evidence and testimony
Re:
Actually, even if the government knows that defendant has the password to unlock the computer because he has admitted so much making the foregone conclusion applicable, there could still be partitions, folders and files encrypted by others.
What if the computer is shared, and the defendant knows the password to the administrator account but doesn’t admit to control over data put in other accounts by other users?
In such a scenario, it could be argued that the government’s power to compel production should only extend to the administrator account and data it knows the defendant controls.
Re:
It’s not the ownership of the particular files on the drive that implicates the 5th Amendment. It’s the control of the
drive itself that’s testimonial.
What about control, custody and knowledge of the contents of single encrypted files and folders?
If you control the file, and admit you know how to decrypt it, you testify that you know the contents.
In some contexts, the act of decryption is therefore testimonial because the act of decryption or the ability to decrypt authenticates knowledge of the contents.
And it’s an incriminating admission if possession of the contents is itself criminal, and the mens rea for culpability is knowing possession of child pornography.
Re:
Producing the password, he is testifying against himself; he’s testifying that sets A, B, and C are his. He is admitting, in my example, to having pirated
movies (set B) and having pictures of adorable kittens (set C).
The problem is not his withholding the contents of his drive. The problem is that, by decrypting it, he is admitting to having the contents of his drive
– all of it, including pirated movies and cat pictures.?
If he has admitted that he is the only one with custody, control and ownership of the computer, your example is not applicable because the government knows he is the sole person control of the computer and all data within it.
However, if he is smart, which most criminals aren’t, he (a) either doesn’t talk to the police; (b) shares the computer with friends in a manner making authentication of every fileset impossible; (c) stores everything in a remote location like an online backup.
Why this is creepy
I have been wondering: why do these “forced decryption” cases creep us so much?
Here is what I have so far. It doesn’t matter what the laws and courts say; I’m trying to understand our feelings.
First, a password is a kind of thing that should be kept exclusively on our mind, and it is a kind of thing that we consider to be highly private (“Never tell it to anyone, not even your wife. Never write it down.”) Being forced to reveal the password goes against that.
That does not explain why it still feels creepy even if we do not have to reveal the password, only the data. I believe that is because the level of privacy we give the password extends to the data. As Snowden said, the math is still sound; the data is as secure as the password. If we treat the password as a most private thing, whatever that password encrypts is also treated as a most private thing.
We end up treating the encrypted container as being as secure as our mind (which it is, if the math is sound). We feel safe putting our most hidden feelings on the container, things like embarrassing love letters. It being possible that someone would force us to bare it all for the world to see, under the color of law and authority, feels as wrong as being forced to strip naked in front of a live television transmission.
The closest analogy for how we treat an encrypted container would be a secret diary. Something we write down, for nobody else to ever read. Somewhere we can write down our most embarrassing thoughts. The main difference being that it’s protected by math, and that it’s infinitely bigger.
Methinks the ones who treat an encrypted container as a “wall safe” have read too many cyberpunk novels, where the container would be represented in virtual reality as a virtual safe and its password as a virtual key. That’s a bad analogy, and makes for bad law. Encryption isn’t some wall made of virtual material which we put around the data; it actually scrambles the data. Technically, the data is mixed with the key using a heavily nonlinear process, in a way which is reversible if and only if the key is known.
Re:
Admitting that a file belongs to him is testimonial, and with shared computers, social networks and the cloud the distinction between yours and mine is becoming fluid.
To sum it up, the fact that a file abc is on computer xyz does not necessarily prove that (a) it was recently put there by the defendant; (b) the defendant being the only one with control and custody; and (c) that the defendant is aware of the actual contents.
Even if the defendant now claims control and custody, the file could still be very old and have been generated by a previous user with access to the system.
Always plead the 5th
I think the correct response here would have been to say that you plead the 5th on the question of whether you can decrypt the hard drives or not, and if you claim the 5th then compelling you to answer the question is illegal.
How would courts handle a perfect safe?
I don’t see how the quality of the lock changes the legal analysis, however.
That does present an interesting hypothetical. Let us imagine someone did have an impenetrable strong-box, one into which it was impossible to break without destroying the contents. (Maybe it incinerated the documents if it detected an attempted crack).
Under what circumstances could a court of law then require the owner of the safe to open it?
Re: How would courts handle a perfect safe?
I think that this is how the argument is made legitimate for the courts. I see it and the safe as the same problem.
Evidence and testimony
I see your point, but charging everyone in all these situations cost a lot of money.
Everyone charged with a crime must be booked, and must get a defense lawyer and there is probably more paperwork to be done.
And the police does not decide itself if the person subsequently gets prosecuted.
I don’t think the system could afford such overaggressive charging in all cloud scenarios, nor do I think that you could get a jury to find the defendant guilty beyond a reasonable doubt.
If I share a cloud account with 20+ persons, I don’t think that the government has the resources or will to charge everyone.
Evidence and testimony
The only reason why the government charges everyone in your scenario is that it hopes that at least one suspect will break under interrogation and rat out the others.
People in these situations usually know each other well.
But in my cloud scenario,a group of N persons need only have one interest in common — sharing an online datadump.
An online datadump can be seized, but proving whom to direct the subpoena is difficult, because an IP address does not identify a person, and he/she may be overseas or use an anonymous non-logging proxy.
Evidence and testimony
Possibilities for storing encrypted data include useNet, Pastebins, forums and social networks outside the US.
Encrypt a large gigabyte file and split into segments and upload it to a binary UseNet newsgroup or a Pastebin like service.
If the government can’t prove you have it, and you don’t register with real name, the government can’t force you to use the contents of your mind to identify where the data is located.
Re: Evidence and testimony
That would be different, wouldn’t it?
How about you have 20 incriminating documents. You shred them into little pieces, and ship the pieces to 10 people you don’t really know to hold onto them for you. The process of showing these documents (a) to exist and (b) where they might be located would be a serious challenge.
If you are going to go to that extent…
False confession.
Maybe the person really doesn’t know the decryption password after all and being compelled to admit so would be self incriminating.
The comments in this article are great. Thanks particularly for ‘actually an attorney’ for reminding me everything I’ve read on this subject but was very hazy on remembering. Slightly confusing, though fascinating subject.
One thought I’d had- what if the password itself was more testimonial in nature, for example:
AllJohnDoesWhistleblowerDocumentsAreInHere&$HSndauv&*bna23
or
JohnDoeHasCommitedSuchAndSuchCrimeSpecificallyReleventToFilesHere&nda9343&*nke3R
Would this change things, and if so, how?
a few comments on encryption:
snowden said “properly implemented” encryption works BUT endpoint security and transit are so often bad that they rarely have to bother actually cracking the encryption- they just get the key/pass by other means. When it does come to breaking encryption- as John sorta said above, the time to ‘brute force’ figures often quoted are marketing BS; Even if you had the perfect encryption algorithm, properly implementing it (for example obtaining sufficient entropy) is challenging at best. It doesn’t matter how good your encryption algorithm is if you don’t have enough entropy; which is why the NSA/NIST/RST poisoned PRNG’s where such a big deal- they subverted ANY encryption implemented with them.
forget it
Forgetfulness is not a crime.”I absolutely would provide the key right now if I could remember it, but this situation is so stressful to me that I just can’t remember even part of it.”
Plausible deniability
One other thing I forgot to mention on this subject – plausible deniability is your friend in this situation. Some encryption systems including whole disk encryption use this strategy. And steganography is another good idea.
civil vs. criminal case
As a businessperson. not a lawyer, I see a hole in this issue big enough to drive a truck through. The 5th Amendment only applies to criminal cases. If law enforcement were to have a third part commence a civil case that involves information that might be on the computer, it must be disclosed. Then, it could be released to law enforcement.
Comments?