The Eleventh Circuit of the US Court of Appeals recently handed down a landmark ruling, establishing a precedent under which the contents of an encrypted hard-drive are protected by the Fifth Amendment’s ban on self-incrimination.
Briefly, the facts of the case are these: John Doe is suspected of possession child pornography. While Doe was staying at a hotel, law enforcement officials requested and were granted a warrant to search Doe’s hotel room. While searching that room, the officers discovered and legally seized just fewer than five TB of digital media storage, including two laptops and five other storage devices. At a later time, FBI forensic examiners analyzed the devices, but were unable to access certain encrypted contents within the drives. The forensics experts had no way of determining if any content, let alone illegal content, existed on the devices.
In his initial court appearance, the judge compelled Doe to reveal the encryption passes to these devices. When Doe refused, pleading the Fifth, the court held him in civil contempt, and incarcerated him. Doe appealed.
The Electronic Frontier Foundation submitted an Amicus Curiae to the appeals court arguing that the government’s attempts to force Doe to decrypt the information was unconstitutional. The court eventually agreed with the EFF, ruling that the act of decrypting data is testimorial and therefore protected by the Fifth Amendment. It went on to reason that the government’s limited offering of immuity was insufficient because it did not extend to the government’s use of the decrypted data against Doe.
“The government’s attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent – having to choose between self-incrimination or risking contempt of court,” said EFF Senior Staff Attorney Marcia Hofmann. “We’re pleased the appeals court recognized the important constitutional issues at stake here, and we hope this ruling will discourage the government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption. “
The appeals court ended up hinging the case on a relatively simple principle: if some independent witness can verify that the encrypted drive in question contains the contents that the government alleges it to contain, then the existence of such contents are deemed a foregone conclusion and are not protected. On the other hand, if the prosecution has no way of independently verifying the existence of the suspected content, then that content’s existence is not a foregone conclusion, and the defendant is protected under the Fifth Amendment and cannot be held in contempt of court for invoking it.
This ruling comes in contrast to a similar case, in which the courts decided that Ramona Fricosu be compelled to divulge the encryption key to a laptop in her possession. In the Fricosu case, the judge reasoned that the act of divulging the encryption pass in and of itself constituted Fricosu revealing the content of her mind, and thus was protected by the fifth amendment. Therefore, Fricosu was granted immunity from any evidence revealed in the act of divulging the password. The contents of the hard-drive itself, on the other hand, did not count as the contents of Fricosu’s mind, and therefore, were not protected by the Fifth Amendment. In other words, Fricosu’s knowledge of the encryption pass could not be used as evidence to establish Fricosu as the owner of the storage device in question, but any evidence content within the device is fair game.
Similar to Fricosu’s case, the government offered Doe act-of-production immunity, or, immunity from any evidence revealed in the act of decrypting his hard-drives. Also as in Fricosu’s case, the government attempted to claim that the information within the hard-drives would receive no such immunity. This is where the prosecution erred in Doe’s case. The court eventually ruled that because the prosecution had no evidence of what the drives contained, any evidence stored within would have derived directly from Doe’s act-of-production and would be have to be granted immunity as well.
Fricosu was given until February 21 to provide the unencrypted contents of her laptop or appeal the ruling. In a court document acquired by Wired.com, the Tenth Circuit Appeals Court denied Fricosu’s petition for permission to appeal. Wired reports that Fricosu now has until the end of month to comply with the decryption order or be jailed in contempt of court until she complies.