Federal Appeals Court: Fifth Amendment Protects Suspect From Having To Decrypt Hard Drive
Just one month ago, I made note of a decision from a Federal District Court Judge in Denver who had decided, after much briefing and several rounds of oral argument, that a criminal defendant could be required to reveal the password necessary to decrypt their PGP encrypted hard drive without implicating the Fifth Amendment. It was the latest in a series of rulings on this issue that have gone both ways on the question of whether being forced to reveal a password is testimony that would be protected by the right against self-incrimination, although none of them have made it past the District Court level as of yet. Earlier this week, though, the 11th Circuit Court of Appeals became the latest court to rule on the issue, and the three-judge panel ended up coming down firmly on the side of the Fifth Amendment:
In a ruling that could have broad ramifications for law enforcement, a federal appeals court has ruled that a man under investigation for child pornography isn’t required to unlock his computer hard drives for the federal government, because that act would amount to the man offering testimony against himself.
The ruling Thursday appears to be the first by a federal appeals court to find that a person can’t be forced to turn over encryption codes or passwords in a criminal investigation, in light of the Fifth Amendment, which holds that no one “shall be compelled in any criminal case to be a witness against himself.”
The Atlanta-based U.S. Court of Appeals of the 11th Circuit ruled that “the Fifth Amendment protects [the man’s] refusal to decrypt and produce the contents of the media devices,” which the government believes contain child pornography.
The ruling could handcuff federal investigators, as more data are secured behind sophisticated encryption software. A Justice Department spokeswoman did not immediately respond to a request for comment.
The man, identified in court documents only as John Doe because he has not been charged, was served with a subpoena in April 2011 to appear before a federal grand jury in Florida and produce the unencrypted contents of his laptop hard drives and five external hard drives. Authorities had seized the devices from Doe’s hotel room in October 2010.
Doe refused, invoking his right against self-incrimination. The Justice Department responded by obtaining a court order that granted Doe limited immunity and required him to decrypt the hard drives. He again refused to comply. A federal judge held Doe in contempt of court and ordered him imprisoned. Doe appealed the contempt finding to the 11th Circuit.
According to court documents, Doe’s hard drives were encrypted with a program called “TrueCrypt.” As a result, the Justice Department couldn’t find any files and couldn’t even prove that any existed on hidden portions of the drives.
The Fifth Amendment privilege isn’t triggered when the government merely compels some physical act, like unlocking a safe-deposit box, the court said. But the amendment protects testimony in which a person is forced to use “the contents of his own mind” to state a fact.
“We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files,” wrote Judge Gerald Bard Tjoflat.
Judge Tjoflat, writing for the three-judge panel, said the government was also hobbled because it could only show that the storage space on the drives could hold files that number in the millions — but not that they actually do.
“It is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating,” the judge wrote. “Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.”
As I noted when I wrote about this issue back in early January, the issue here is whether revealing a password that would decrypt a computer constitutes testimony within the meaning of the Fifth Amendment. If it does, then a person asserting their rights cannot be forced to reveal the password. If it does not, however, then they can be compelled by Court Order and held in contempt if they refuse to do so. In many of these cases it’s been stated that the question is whether the password can be considered analogous to a key to a strongbox, or a combination to a safe. If law enforcement has a search warrant for the contents of a locked strongbox, it can compel the owner to provide the key that would open that box. However, if it has a search warrant for the contents of a safe, the Supreme Court has held that an individual cannot be compelled to reveal the combination because it constitutes the “expression of the contents of an individual’s mind” and revealing it would constitute testimony under the Fifth Amendment.
In the Colorado case that was decided last month, the Judge decided that the Defendant could be compelled to decrypt the hard drive because the government already knew that she had sole control over the computer in question, which is the only incriminating fact that revealing the password would have allegedly revealed. The more I’ve thought about this ruling, the less sense it has made to me. Yes, it’s true that in that particular case, the government had been able to establish to the government’s satisfaction that it was already aware of who had dominion over the computer but that’s not the only incriminating fact that decrypting the computer would have revealed. It would have also revealed whatever potentially incriminating evidence is on the hard drive itself. It’s also worth noting that the Colorado decision just added to the conflict among Federal District Courts when it comes to this issue:
[A] Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
On the other hand:
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).
This is, as I said, however, the first time that a Court of Appeals has ruled on the issue, and it’s fortunate that in this instance the Court recognized the rather obvious fact that forcing someone to reveal an encryption password is, in fact, an act in which the Fifth Amendment is implicated:
We hold that the act of Doe’s decryption and production of the contents of the hard drives would sufficiently implicate the Fifth Amendment privilege. We reach this holding by concluding that (1) Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.
First, the decryption and production of the hard drives would require the use of the contents of Doe’s mind and could not be fairly characterized as a physical act that would be nontestimonial in nature. We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.
We are unpersuaded by the Government’s derivation of the key/combination analogy in arguing that Doe’s production of the unencrypted files would be nothing more than a physical nontestimonial transfer. The Government attempts to avoid the analogy by arguing that it does not seek the combination or the key, but rather the contents. This argument badly misses the mark. In Fisher, where the analogy was born, and again in Hubbell, the Government never sought the “key” or the “combination” to the safe for its own sake; rather, the Government sought the files being withheld, just as the Government does here. Hubbell, 530 U.S. at 38, 120 S. Ct. at 2044 (trying to compel production of documents); Fisher v. United States, 425 U.S. at 394-95, 96 S. Ct. at 1572-73 (seeking to access contents possessed by attorneys).
Requiring Doe to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind, and the production is accompanied by the implied factual statements noted above that could prove to be incriminatory. See Hubbell, 530 U.S. at 43, 120 S. Ct. at 2047. Hence, we conclude that what the Government seeks to compel in this case, the decryption and production of the contents of the hard drives, is testimonial in character.
Moving to the second point, the question becomes whether the purported testimony was a “foregone conclusion.” We think not. Nothing in the record before us reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives.
To be fair, the Government has shown that the combined storage space of the drives could contain files that number well into the millions. And the Government has also shown that the drives are encrypted. The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful. The Government has emphasized at every stage of the proceedings in this case that the forensic analysis showed random characters. But random characters are not files; because the TrueCrypt program displays random characters if there are files and if there is empty space, we simply do not know what, if anything, was hidden based on the facts before us. It is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating. In short, the Government physically possesses the media devices, but it does not know what, if anything, is held on the encrypted drives. Along the same lines, we are not persuaded by the suggestion that simply because the devices were encrypted necessarily means that Doe was trying to hide something. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.
In short, we conclude that Doe would certainly use the contents of his mind to incriminate himself or lead the Government to evidence that would incriminate him if he complied with the district court’s order. Moreover, the Government has failed to show any basis, let alone shown a basis with reasonable particularity, for its belief that encrypted files exist on the drives, that Doe has access to those files, or that he is capable of decrypting the files. The “foregone conclusion” doctrine does not apply under these facts.
The Fifth Amendment protects Doe’s refusal to decrypt and produce the contents of the media devices because the act of decryption and production would be testimonial, and because the Government cannot show that the “foregone conclusion” doctrine applies.
In the end, it strikes me that the 11th Circuit got it right here. Revealing a password is clearly testimonial and, if the government cannot even establish that there are files on the encrypted portions of the hard drive, then its argument that all it was requiring the Defendant to do was reveal the contents of a locked box fails, and the Defendant should be free to exercise his Fifth Amendment rights. This is a hard case, of course, because it involves allegations of child pornography. However, it is in the hard cases that rights must be enforced most vigorously because that’s where the law ends up being tested the most and, in the end, it’s the rights of the individual that must prevail over the needs of the state. Most likely, this case will be appealed to the Supreme Court. Given the conflicting rulings from Federal Courts over the past three years on an issue that is only going to become more prevalent in the future, it’s quite likely that the Justices will take the case if and when it is presented to them. Here’s hoping that they get it right.