Tuesday, August 21, 2012
J. Adam Engel has posted Rethinking the Application of the Fifth Amendment to Passwords and Encryption in the Age of Cloud Computing (Whittier Law Review, Vol. 33, No. 3, 2012) on SSRN. Here is the abstract:
The Fifth Amendment privilege against self-incrimination protects a person from being compelled to provide a testimonial communication that is incriminating in nature. In a number of cases starting to wind through state and federal courts, the government has sought to compel suspects and defendants to provide passwords and encryption keys despite claims of Fifth Amendment Privilege by witnesses and suspects. For example, in a Colorado case, the government sought to compel the defendant to enter a password into a laptop or otherwise provide access to encrypted data stored on her computer. The government apparently believed that the encrypted computer files contained evidence of fraudulent real estate transactions.
Encryption means the process by which a person changes plain, understandable information into unreadable letters and numbers using a mathematical algorithm. Encrypted data is accessible only through the use of a password or encryption key. The use of encryption technology by consumers has grown in recent years; computer and software manufacturers consider disk encryption a basic computer security measure and include disk encryption tools as a standard feature on most new computers.
Recent cases have focused on information stored on portable devices such as cell phones or computers. Because these devices are easy to steal or lose, consumers commonly use passwords to limit access to the devices, and encryption to prevent any unauthorized users from accessing sensitive data.
The government may gain access to password protected electronic devices and encrypted data through a number of legal means. In many cases, the government may have seized the electronic devices after executing a search warrant. In other cases, the government may have conducted a warrantless search of password protected electronic devices and encrypted data under an applicable exception to the Fourth Amendment’s warrant requirement. Most recently, the third party service providers received subpoenas from law enforcement or private entities to provide information stored for users by the third party service providers.
This article addresses the question of whether the Fifth Amendment prevents the government from forcing a witness to provide a password or encryption key to permit access to digital files. The Fifth Amendment generally protects citizens from being compelled to give incriminating testimony. The privilege extends not only to “answers that would in themselves support a conviction,” but also includes statements “which would furnish a link in the chain of evidence” needed by the prosecution.
The question of whether passwords and encryption keys are covered by the Fifth Amendment privilege against self-incrimination turns on courts’ views of the nature of this information. The privilege against self-incrimination is limited to “testimonial” evidence, or evidence that, explicitly or implicitly, provides or discloses information. The privilege does not apply to physical evidence, such as fingerprints or blood samples.
This issue has appeared infrequently in courts. The few courts to address this issue have generally concluded that the provision of a password on encryption key is testimonial because the provision of this information is essentially an admission that the person had possession and control over, and access to, the computer, files, or data. Yet this is not the end of the analysis. Some of the early publications concerning this issue suggested that circumstances where suspects will successfully raise Fifth Amendment challenges to government efforts to compel the production of passwords and encryption keys were likely to be “rare.” A significant basis for this hypothesis was that, in many cases, production of the incrimination evidence would be exempt from Fifth Amendment protections under the foregone conclusion doctrine. Under the foregone conclusion doctrine, the provision of information is not subject to the Fifth Amendment privilege against self-incrimination when the existence and location of information are known to the government, and the act of providing the evidence adds little or nothing to the government’s case.
The foregone conclusion doctrine has been applied in limited instances to encrypted files stored on laptops and personal computers. However, recent changes in the technological landscape suggest that this issue is likely to become more prevalent in future litigation. The use of cloud computing services to store documents and images has grown significantly. Users of cloud services are less likely to actually save images and documents on handheld or personal devices but, instead, use handheld or personal devices to access images and documents saved on remote computers. In those situations, the possession of an encryption key or password may become important in order for the government to show ownership or access to records, websites or communications. As a result, suspects and defendants may be successful in arguing that the foregone conclusion doctrine does not make the privilege against self-incrimination inapplicable.