Mad, Beautiful Ideas
Encryption Passphrases may be Protected under the 5th Amendment

A Federal Judge in Vermont ruled on Monday that encryption passphrases are protected under the 5th Amendment right against self-incrimination. The case is interesting because officers know that the defendant’s laptop contains images of child pornography. A Customs agent saw them while the volume containing the images was left unencrypted when the defendant was arrested, but the volume was automatically encrypted when the laptop was shut down during his arrest.

The authorities know this man has child pornography on his laptop, but cannot access the data again without a passphrase that Boucher (the defendant) has refused to supply. Ignoring the type of crime, which is detestable, this becomes a question of the nature of the passphrase. Is it the same as a physical key? Or is it the contents of a person’s own mind, so that divulging it would be testimony?

In the discussions of this issue on Slashdot and Bruce Schneier’s blog, people seem awfully split, and everyone is still wary. After all, this is the kind of situation that will almost certainly need to be examined by the Supreme Court at some point, and I’m not well versed enough in the case law history of our Justices to even hazard a guess as to what that decision would be.

Professor Orin Kerr evidently feels that Judge Niedermeier in this case was wrong to deny the subpoena that would have forced Boucher to enter the passphrase that would have given authorities access to his data. He seems to feel that part of the reason this decision was incorrect is that Boucher has already proven that he knows the passphrase and, in so doing, provided some amount of evidence to the authorities prosecuting him in this case. Mr. Kerr’s post leaves me a little unclear how he’d stand on this issue if Boucher had never demonstrated knowledge of the passphrase necessary to decrypt the pornography on Boucher’s computer.

The discussion is most interesting due to the lack of firm precedent in this case. Niedermeier’s decision speaks of a 2000 Supreme Court decision (United States v. Hubbell, 530 U.S. 27, 43 (2000)) which held that while turning over a key to a lockbox (something physical) was not protected as providing testimony, the combination to a safe is considered testimony, and a person cannot be forced to turn it over. Some of Kerr’s commenters (and I) feel that requiring him only to enter the passphrase, and not actually to ‘disclose’ it to police (as they’ve attempted to force), is not significantly different from forcing him to tell it to police directly. The man was foolish to decrypt the files for the border control guard, certainly, but doing so then does not compel him to do so now. The use of the passphrase is functionally identical to the disclosure of it.

Also of interest is an 1886 decision (Boyd v. United States, 116 U.S. 616 (1886)), referenced by one of Professor Kerr’s commenters. The decision stated that under the 5th Amendment a person could not be compelled to provide private documents of an incriminatory nature. In my opinion, the files on a person’s computer are covered under the description of ‘private documents’, and these days we happen to have more means to protect that information.

The only compelling analogy utilized in the comments was one comparing the passphrase to a combination to a safe which contained a physical key (a fair comparison). Can a person be compelled to provide physical evidence which is protected by intellectual evidence? It’s an interesting point, because in this case, the prosecutors know that the only thing the ‘combination’ will provide direct access to is the ‘key’ (a number) which can be used to decrypt the documents they are interested in. Is the passphrase enough to protect him under the same guise as a combination? Is the fact that the ‘personal files’ which the key would provide access to are potentially incriminating enough to save him from forced disclosure? Or is the fact that the evidence being requested is analogous to a physical key (which would provide access to incriminating data) enough to justify forced disclosure?

At the end of the day, I disagree with Professor Kerr and agree with Judge Niedermeier. I believe that the passphrase is analogous to the combination in US v. Hubbell, and that turning it over would in effect be turning over incriminating documents as in Boyd v. US.

This may also come down to the fact that Boucher was foolish enough to provide the passphrase once. In doing so that first time, he may have waived his right to keep it secret. I’m not sure how this is going to play out in the courts, and I think Boucher deserves some time in prison for the child pornography witnessed to be on his computer. If he is compelled to unlock the data on his computer, I pray it’s solely because of the initial unlocking he did at the border.

*Disclaimer: I am not, nor have I ever claimed to be, a lawyer. I am a software engineer, with a large amount of interest in Information Security. I have experience working in judicial processes (though not the US Courts), which has given me some experience on how to think about these issues, though I lack formal training in either Written or Case Law. I respect Professor Kerr’s knowledge of the Law, and my disagreement with him is based on my interpretation of the decision, the news surrounding this issue, and the comments on his blog and elsewhere.*