A brief note before reading: This article was written in 2013, and much of its information is dated. This particularly pertains to the software referenced, as it was written before TrueCrypt was jeopardized. That said, many of the principles and arguments still hold water. However, for relevant information on software, please consult a more resent article.
In a void of legislation and little legal precedent, the issue of compelled decryption is of increasing importance. Compelled decryption is the concept that the government may subpoena the decryption of files or drives. As more and more crimes are becoming linked in some way to varying devices, it becomes increasingly evident that the United States of America’s lack of legislation on the issue is a detriment. In many recent cases the defense has possessed encrypted files or drives that have contained evidence. Under normal circumstances a subpoena could be issued for the data, but there have been multiple cases where the last line of defense has been the Fifth Amendment, which reads, “…nor shall be compelled in any criminal case to be a witness against himself…” The issue of compelled decryption and the Fifth Amendment has been raised multiple times, generally resulting in the plaintiff’s case being quashed, yet because of previous precedent consulted in the decisions made and the court decisions themselves, it is clear that in some situations serving a subpoena is unconstitutional. Legislation on the issue is little and the lack thereof damages both the ability for investigations to properly be undergone and the American people’s privacy, therefore shaky precedent should be replaced with steadfast law.
An introduction to the technologies at play is paramount in understanding the issue. Steganography’s purpose is not to make data incomprehensible, but to make it unfindable (Jambhekar 1-2). In the modern era cryptographers have taken to using what would appear as blank space on a hard drive, but having it actually contain hidden data. The process creates a plausibly deniable hidden section of the drive (Balogun, and Shao 38-39). For example, the program “TrueCrypt” can hide encrypted files within other encrypted files by making the them appear as a random string of ones and zeros (as if the section of the drive had been wiped and contains no data) (Balogun, and Shao 38-39). Technologies such as “TrueCrypt” may add testimonial value to encrypted files based on how they function.
[TrueCrypt] also allows volumes and operating systems to be hidden inside a visible TrueCrypt volume. The hidden volume is encrypted by a different key than the volume which contains it. It resides within the illusional random data created by the encryption of the visible volume. The user choses [sic] the volume to mount for use by the encryption key he supplies. If the legal system forces him to disclose his encryption key, he can disclose the key for the encrypted volume alone. The hidden volume, which will usually contain evidential information, remains oblivious to investigators… (Balogun, and Shao 38-39)
The concept that there could be data unknown to the government that would be revealed definitely adds to the government’s total knowledge, and therefore is not a foregone conclusion. A more detailed description of steganography and related technologies is given by Jambhekar in his essay “Steganography: To preserve the document security”, which was published in Golden Research Thoughts. In addition to techniques already discussed, modern technology has allowed computerized algorithms to replace the simple character substitutions of the past that constituted cryptography. Modern data encryption can can require decades to decrypt a single file. The ready availability of strong encryption software has allowed those with no technical expertise in the field to encrypt files with little to no effort.
It would seem that since it is so hard to break modern security techniques the obvious recourse would be to subpoena the decryption of all pertinent data. However, there are possible safeguards against such a course. The issue of the Fifth Amendment in regard to encryption has been raised multiple times in the court [United States v. Fricosu 10-CR-00509 and In re Boucher No. 2:06-mj-91]. In such cases however, there is little legal precedent and no legislation. Such cases are becoming increasingly common (Fricosu was decided in 2012 and Boucher in 2009), but the courts still relate to precedent set over two decades ago. To trigger the protection of the Fifth Amendment three requirements must be met: that the evidence be compelled, testimonial, and incriminating. In the issue of encryption the debated point is whether it is testimonial. Precedent on the issue of the exact definition of what “testimony” means is shaped in the cases of Doe v. United states and Fisher v. United states. Though the cases have little to do with encryption they are directly related to the matter of what testimonial evidence is, and have been heavily referenced in cases that directly involved encryption and the Fifth Amendment.
Much of current precedent is set by Doe v. United States No. 86-1753. In 1988, the plaintiff [Doe] claimed that he could not be forced to sign a release form to banks in question, as it would violate his Fifth Amendment rights. The court agreed with the plaintiff and quashed the subpoena because the release form held inherent testimonial value, as it would force Doe to admit that he possessed accounts at the banks in question. The United States government served a revised subpoena compelling Doe to sign a release that would require all banks at which he possessed an account to relate details relevant to the case. The court found the revision of the subpoena constitutional (Doe v. United States No. 86-1753). “…he expresses no opinion about the existence of, or his control over, any such account, he is authorizing the bank to disclose information relating to accounts over which, in the bank’s opinion, Doe can exercise the right of withdrawal” (Doe v. United States No. 86-1753). Doe pleaded his case in 1988, but it still holds precedent over how we handle the testimonial aspect of evidence.
The other case used to define testimony is Fisher v. United States. No. 74-18. In the case, the plaintiff stated that a subpoena served them was unconstitutional, as the subpoena was for tax returns prepared by the plaintiffs’ accountants, and so forth would breach their Fourth and Fifth Amendment rights. The two arguments were quashed, the Fourth was quashed on grounds that the papers were not the plaintiff’s private papers, and the Fifth because they had not personally written the papers. The only testimony given in delivering them was that the plaintiff believed them to be the correct documents (Fisher v. United States No. 74-18). The decision in Fisher that such documents are not testimony helped to define what exactly testimony means. It also implies that the files protected by encryption are not testimonial.
Such previous cases lead us to the legal state in which neither the content of encrypted files, nor the password trigger Fifth Amendment protection, but the act of complying with the subpoena may. Jeffrey Feldman v. United States shows that there may be circumstances where the target of a subpoena may be able to quash it due to the inherent testimonial value of decrypting a drive (Jeffrey Feldman v. United States. No. 13-M-449).
Aside from the form of testimony described in recent cases (which is well discussed in Morrison’s note “Passwords, Profiles, and the Privilege Against Self-lncrimination: Facebook and the Fifth”), there could be other value attached to the encrypted files or drives. Unveiling unknown layers of encryption would add to the government’s knowledge, and not be subject to the forgone conclusion doctrine. The information could not be discovered in any way other than compliance with the subpoena and the information is not in plain sight, and so should also trigger a Fourth Amendment violation.
This essay concludes that decrypting requested files and partitions is constitutional. However, decrypting all files on a computer is unconstitutional as there may be obfuscated files that are unknown. Since the files are not in plain view, and a specific location on the drive is not stated in the subpoena, a request for the decryption of an entire drive may be unconstitutional under the Fourth Amendment as well.
With the lack of real legislation on the issue such cases must be disputed using precedent set in previous cases rather than decisive law. In the modern era The United States requires proper legislation. Such views have been expressed in both Palfreyman and UngBerg’s notes. Palfreyman contrasts the American approach to the British. In the United Kingdom the R.I.P.A. [Regulations of Investigatory Powers Act] allows the compelled decryption of any file requested, which Palfreyman suggests is a step too far (Palfreyman 378). Palfreyman’s view is also held here. A middle ground must be found. It should not be easy to serve a decryption warrant, but it should be possible. Such legislation has been set in place for other types of evidence, such as the Omnibus Crime Control and Safe Streets Act of 1968, which deals in part with the government’s ability to conduct wiretaps. Such legislation may also aid in the protection of personal liberties as it would grant an alternative method to law enforcement, rather than taking actions like those in United States v. Scarfo No. 00-4313. Such legislation would not solve all related issues, but it would be the first positive step taken in a very long time.
Balogun, Adedayo M., and Ying Zhu Shao. “Privacy Impacts of Data Encryption on the Efficiency of Digital Forensics Technology.” International Journal of Advanced Computer Science & Applications 4.5 (2013): 36-40. Web. 15 Sep. 2013.
Doe v. United States. No. 86-1753. United States Court of Appeals for the Fifth Circuit. 22 Jun. 1988. Web. 2 Sept. 2013.
Fisher v. United States. No. 74-18. United States Court of Appeals for the Third Circuit. 21 Apr. 1976. Web. 3 Sept. 2013.
In re Boucher No. 2:06-mj-91. United States District Court for the District of Vermont. 19 Feb. 2009. Web. 29 Sept. 2013.
Jambhekar, Navin D. “Steganography: To preserve the document security.” Golden Research Thoughts 1.6 (2011): 1-2. Web. 15 Sept. 2013.
Jeffrey Feldman v. United States. No. 13-M-449. United States District Court Eastern District of Wisconsin. 19 Apr. 2013. Web. 11 Oct. 2013.
Morrison, Caren Myers. “Passwords, Profiles, and the Privilege Against Self-lncrimination: Facebook and the Fifth.” Arkansas Law Review 65.1 (2012): 133-162. Print.
Palfreyman, Brendan M. “Lessons from the British and American Approaches to Compelled Decryption.” Brooklyn Law Review 75.1 (2009): 345-378. Print.
UngBerg, Andrew J. “PROTECTING PRIVACY THROUGH A RESPONSIBLE DECRYPTION POLICY.” Harvard Journal of Law & Technology 22.2 (2009): 537-558. Print.
U.S. Const. amend. IV.
U.S. Const. amend. V.
United States v. Fricosu. No. 10-CR-00509. United States District Court for the District of Colorado. 23 Jan. 2012. Web. 29 Sept. 2013.
United States v. Scarfo. No. 00-4313. United States District Court for the District of New Jersey. 26 Dec. 2001. Web. 29 Sept. 2013.