Another Federal Court Says Compelled Decryption Doesn't Raise Fifth Amendment Issues
from the not-a-blanket-statement,-but-more-often-than-not dept
Another federal court is wrestling with compelled decryption and it appears the Fifth Amendment will be no better off by the time it’s all over. A federal judge in North Carolina has decided compelling decryption of devices is only a small Fifth Amendment problem — one that can be overlooked if the government already possesses certain knowledge. [h/t Orin Kerr]
The defendant facing child porn charges requested relief from a magistrate’s order to compel decryption. The government isn’t asking Ryan Spencer to turn over his passwords. But it wants exactly the same result: decrypted devices. The government’s All Writs Order demands Spencer unlock the devices so law enforcement can search their contents. As the court notes in the denial of Spencer’s request, the Fifth Amendment doesn’t come into play unless the act of production — in this case, turning over unlocked devices — is both “testimonial” and “incriminating.”
Spencer argued both acts are the same. The government may not ask him directly for his passwords, but a demand he produce unlocked devices accomplishes the same ends. As the court notes, the argument holds “superficial appeal.” It actually holds a bit more than that. A previous dissenting opinion on the same topic said the government cannot compel safe combinations by “either word or deed.”
This opinion [PDF], however, goes the other way. Judge Breyer likes the wall safe analogy, but arrives at a different conclusion than Justice Stevens did in an earlier dissent. The court finds drawing a Fifth Amendment line at password protection would produce a dichotomy it’s not willing to accommodate.
[A] rule that the government can never compel decryption of a password-protected device would lead to absurd results. Whether a defendant would be required to produce a decrypted drive would hinge on whether he protected that drive using a fingerprint key or a password composed of symbols.
The refusal to craft this bright line ultimately makes little difference. The line already exists. Almost no courts have said the compelled production of fingerprints is a Fifth Amendment violation. Producing passwords, however, is an issue that’s far from settled. In the cases that have gone the government’s way, the key appears to be what the government already knows: the “foregone conclusions.” The same goes here.
The court admits producing unlocked devices strengthens the government’s case even before any searches take place.
So: the government’s request for the decrypted devices requires an act of production. Nevertheless, this act may represent incriminating testimony within the meaning of the Fifth Amendment because it would amount to a representation that Spencer has the ability to decrypt the devices. See Fisher, 425 U.S. at 410. Such a statement would potentially be incriminating because having that ability makes it more likely that Spencer encrypted the devices, which in turn makes it more likely that he himself put the sought-after material on the devices.
But that only deals with the incrimination side. Is it testimonial? The court thinks it isn’t. Or at least, it believes whatever testimonial value it adds is almost nonexistent. All the government needs to show is that the defendant has the ability to unlock the devices.
Turning over the decrypted devices would not be tantamount to an admission that specific files, or any files for that matter, are stored on the devices, because the government has not asked for any specific files. Accordingly, the government need only show it is a foregone conclusion that Spencer has the ability to decrypt the devices.
It’s a low bar but one that’s sometimes difficult to reach if the government can’t clearly link the defendant to the locked devices obtained during the search of a residence or business. As the court notes, it requires more than a reasonable assumption that files the government seeks might reside on the locked devices.
But it is nonsensical to ask whether the government has established with “reasonable particularity” that the defendant is able to decrypt a device. While physical evidence may be described with more or less specificity with respect to both appearance and location, a defendant’s ability to decrypt is not subject to the same sliding scale. He is either able to do so, or he is not. Accordingly, the reasonable particularity standard cannot apply to a defendant’s ability to decrypt a device.
The government needs far more if it seeks to compel decryption.
The appropriate standard is instead clear and convincing evidence. This places a high burden on the government to demonstrate that the defendant’s ability to decrypt the device at issue is a foregone conclusion. But a high burden is appropriate given that the “foregone conclusion” rule is an exception to the Fifth Amendment’s otherwise jealous protection of the privilege against giving self-incriminating testimony.
And the court finds the government does possess clear, convincing evidence.
All three devices were found in Spencer’s residence. Spencer has conceded that he owns the phone and laptop, and has provided the login passwords to both. Moreover, he has conceded that he purchased and encrypted an external hard drive matching the description of the one found by the government. This is sufficient for the government to meet its evidentiary burden. The government may therefore compel Spencer to decrypt the devices.
There is one caveat, however.
Once Spencer decrypts the devices, however, the government may not make direct use of the evidence that he has done so.
As the court points out, if the government’s foregone conclusion is the correct conclusion, additional evidence linking Spencer to the locked devices will be unnecessary. The government should have no use for the testimony inherent in the act — the concession that Spencer owned and controlled the now-unlocked devices, making him ultimately criminally responsible for any evidence located in them.
In terms of compelled production, passwords continue to beat fingerprints for device security, but only barely.