Suspect Ordered To Provide Decryption Password: A Fifth Amendment Violation?
New developments in a still very new area of the law.
Bringing to the legal forefront an issue that Courts have begun encountering with increasing frequency, a Federal Magistrate Judge in Wisconsin has issued an order requiring a man suspected of possession of child pornography to provide the password to remove the encryption on his computer, reversing a previous decision he had made ruling that such an order would violate the man’s right against self-incrimination:
A federal magistrate is reversing course and ordering a Wisconsin man suspected of possessing child pornography to decrypt hard drives the authorities seized from his residence.
The development comes as a month after the same magistrate thwarted prosecutors’ demands that Jeffrey Feldman unlock drives they believe contain child pornography.
Decryption orders are rare, but are likely to become more commonplace as the public slowly embraces a technology that comes standard even on Apple computers. The orders have never squarely been addressed by the Supreme Court, despite varying opinions in the lower courts.
Just last month, U.S. Magistrate William Callahan Jr. said the Fifth Amendment right against compelled self-incrimination protected even those suspected of unsavory crimes, but added that “this is a close call.”
But prosecutors convinced Callahan to change his mind. Among other reasons, the authorities were able, on their own, to decrypt one drive from Feldman’s “storage system” and discovered more than 700,000 files, some of “which constitute child pornography,” the magistrate said.
When he ruled against the government last month, the magistrate said the authorities did not have enough evidence linking Feldman to the data, and that forcing the computer scientist to unlock it would be tantamount to forcing him to confess that it was his. But that theory is now out the door, because the data on the decrypted drive contains pictures and financial information linking Feldman to the “storage system,” the magistrate said last week.
“Such being the case, the government has now persuaded me that it is a ‘foregone conclusion’ that Feldman has access to and control over the subject encrypted storage devices. Thus, under the current state of the law as more particularly discussed in the court’s April 19 Decision and Order, Fifth Amendment protection is no longer available to Feldman with respect to the contents of the encrypted storage devices.”
Just over a month ago, Callahan had some to a very different conclusion:
This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices. Accordingly, in my opinion, Fifth Amendment protection is available to Feldman. Stated another way, ordering Feldman to decrypt the storage devices would be in violation of his Fifth Amendment right against compelled self-incrimination. (.pdf)
As I said above, this is not a new issue for the Courts. While requests for decryption orders are not common, largely because many people, including criminals who you’d think would know better, don’t both to encrypt their data, they are becoming far more common than they used to be. As I noted when I wrote about this in January of last year, part of the difficulty that Courts face in dealing with these issues is that much of Fifth and Fourth Amendment law was developed long before technology like this came into existence. What this means is that Courts find themselves having to decide what category an order compelling someone to decrypt their computer might fall. To make the analogy applicable to the types of cases that helped establish existing law, it boils down to a question of whether a computer password is like a key to locked closet or strongbox, or whether it is like the combination to a safe. Under existing law, someone served with a valid search warrant can be compelled to unlock a locked door or box, but they cannot be compelled to reveal the combination that would unlock a safe. To put it simply, Courts have held that the combination to a safe constitutes the constitutes of someone’s mind, and is thus protected by the Fifth Amendment from compelled disclosure while the key is simply a thing and, so long as the search warrant validly allows police to search the item that is locked, then the person whose property is being searched can be compelled to grant access. So, the question then becomes whether the computer password is more like a key or more like a combination to a safe.
In general, I find the argument that the computer password is more akin to a combination than a key to be persuasive. When someone unlocks a part of their home that is subject to a search warrant, they aren’t testifying to anything. However, when they are giving a combination, or a password, they are testifying not only that they know what the combination/password is but also that they have control over the item in question, which would be one of the elements of the crime that prosecutors would be forced to prove at trial. They would, in other words, be testifying against themselves by their very actions. Of course, not every case is that cut and dry. The ruling in this particular, and especially the fact that Judge Callahan reversed himself, seems to be strongly influenced by the fact that law enforcement had already partly decrypted the storage device and were able to identify child pornography on there. Since they already have probable cause to believe that the encrypted data contains more child pornography, that mitigates against many of the arguments that the suspect can make regarding his right against self-incrimination. Technically, he’s already been incriminated. Whether that makes the decision correct, of course, is a completely different question.
The Federal Courts have quite literally been all over the place on this issue in recent years. In February of last year, the 11th Circuit Court Of Appeals ruled that compelling a suspect to give out a password would be testimony and therefore would be protected by the 5th Amendment. However, other cases over the years have turned out differently:
[A] Vermont federal judge concluded that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, did not have a Fifth Amendment right to keep the files encrypted. Boucher eventually complied and was convicted.
On the other hand:
In March 2010, a federal judge in Michigan ruled that Thomas Kirschner, facing charges of receiving child pornography, would not have to give up his password. That’s “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination,” the court ruled (PDF).
This particular case is only at the very beginning stages. The ruling of the Magistrate Judge, which is a lower level, non-life tenure, position in the Federal Judiciary that typically handles the opening stages of criminal cases along with civil cases as consented to by the parties, will be appealed to the District Court Judge to whom the case is assigned, and that Judge will not be bound by the Magistrate Judge’s decision. Whatever the District Court Judge rules, his ruling can be appealed to the relevant Court of Appeals and, from there, potentially, to the Supreme Court. To date, there is no ruling from the Supreme Court on this issue, and that’s one of the reasons that Federal Courts have been ruling inconsistently on this issue. Eventually, though, this is an issue that is going to have to be heard by the nation’s highest Court. Let’s hope they get it right.
Here’s the opinion: