Monday, February 27, 2012

Limitations of the recent 11th Circuit compelled decryption case

One more post about encrypted drives, and then I promise I will move on. Many privacy advocates have been overjoyed by the recent Eleventh Circuit decision (discussed here), but as with all technology issues, we have to be careful with our understanding of the case. That decision can be much narrower than many think, and the evolution of technology is certain to restrict it.

First, the decision only applies to encrypted drives, and possibly only to drives protected by TrueCrypt or similar software. More importantly, it likely only applies to situations in which the password is text. "Passwords" that are entered with a fingerprint or facial scan are not likely to be protected under the Eleventh Circuit's ruling.

The Supreme Court has held, "The touchstone of whether an act of production is testimonial is whether the government compels the individual to use 'the contents of his own mind' to explicitly or implicitly communicate some statement of fact." Curcio v. United States, 354 U.S. 118, 128 (1957). Thus, "the Fifth Amendment privilege is not triggered where the Government merely compels some physical act, i.e., where the individual is not called upon to make use of the contents of his or her mind. The most famous example is the key to the lock of a strongbox containing documents."

Thus, the argument accepted by the Eleventh Circuit is that having to use the password to decrypt the files is not a "physical act" but uses the "contents of his or her mind." With fingerprints or retina scans, however, there would be no Fifth Amendment violation because it would be akin to providing a key (see Hubbell, 530 U.S. 27 (2000)).

Another restriction of this holding is that it does not apply if the government knows the contents of the drive. Suppose the browser history shows that files were downloaded to an external drive that does not appear when the drives are connected. Many courts would likely assume that the files were located on the inaccessible encrypted partitions. Thus, the government has the file name and content - they only need to show the possession. In this case, a password could likely be compelled because "the Government can show with 'reasonable particularity' that ... it already knew of the materials, thereby making any testimonial aspect a 'foregone conclusion.'" I have not seen this argument play out, but I would imagine at least some courts would agree.

