You’re probably familiar with the phrase “pleading the Fifth.” You know, that thing the defendants on crime shows do when they’re obviously guilty and they just don’t want to talk about it. Well that’s also a thing in real life, and it isn’t a de facto admission of guilt. For the unfamiliar and forgetful, the Fifth Amendment states that no person, “shall be compelled in any criminal case to be a witness against himself,” as well as a bunch of language about like, eminent domain and stuff. The point here being that the 11th Circuit Court of Appeals has just ruled that a defendant in a legal case who refuses to decrypt their hard drive for law enforcement is covered by the Fifth Amendment.
This ruling dates back to a 2010 child pornography case with a defendant we’ll refer to as John Doe. Long story short, a few questionable YouTube videos and some IP tracking led law enforcement to Mr. Doe’s hotel room door where they seized 2 laptops and 5 external hard drives, a total of 5 terabytes of data. All of Doe’s data, however, was encrypted with TrueCrypt, ostensibly in order to protect himself from identity theft (not that his intent really matters anyways). When the court asked him to decrypt the hard drives, he pleaded the Fifth, at which point the court found him in contempt and threw him in jail.
Now, 2 years later, the 11th Circuit Court of Appeals has ruled that Doe was not actually in contempt and had every right to refuse. Naturally this is going to complicate the prosecution’s case a bit. And that’s not the only thing it complicates. Fifth Amendment law as it applies to cyber-security is already complicated, and this decision only serves to make it more so.
Traditionally, the Fifth Amendment doesn’t cover physical acts. For instance, if you’re asked to unlock a safe or open a door, the Fifth Amendment doesn’t have your back. At least if there is a key involved. Relaying a combination, on the other hand, is technically testimony. This ruling equates decrypting a computer with telling someone the combination to a safe. The court’s decision describes it as follows:
We hold that the act of Doe’s decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.
To further complicate the matter, full disk encryption is a tough nut to crack. Whereas a safe can be cracked or a door broken down (I’ll admit I’m not sure about the legal implications of warranted forced entry), encryption can be practically foolproof. Depending on the strength of your encryption, it might be impossible to crack a password in less than several hundred years, so if a defendant isn’t compelled to dole out the key, the data is effectively off the table for the lifetime of all parties involved.
As if this wasn’t complicated enough already, there is already an example — two, actually — where encrypted data was not covered by the Fifth Amendment. Just last month, a defendant in a mortgage scam case was forced to decrypt his laptop after a ruling by a different federal judge. Likewise, a defendant in a 2009 child pornography case in Vermont was compelled to decrypt his drive, although in that case, the evidence was found by customs officials while the device was on, and decryption became an issue when, later on, during the trial, the computer was off.
The last messy thing about this whole deal is that it’s dealing with child pornography, one of the touchiest subjects relating to cyber-security, and just in general. Pleading the Fifth already carries connotations of guilt, and adding child pornography into the mix makes it really easy to appeal to fear or disgust. Fifth Amendment cases have a history of being messy, though. After all, those “Miranda Rights” you’ve probably memorized while watching Law and Order? They became law when the Supreme Court reversed the conviction of a man who confessed to kidnapping and raping a woman. Yeah. Not pretty either, although it’s worth noting that Miranda still wound up in jail.
All that being said, this issue will probably continue to be hotly debated considering the contradicting precedents and the fact that handing over an encryption password is just ever so slightly different from opening a combination lock if it is even different at all. That’s a distinction that may have to be made by an even higher court a few more years down the line.
(via Global Post)