Compelled decryption case law

s== Overview ==

The U.S. Supreme Court has yet to address the issue of compelling an individual to disclose a passcode or decrypt data, but has provided some insight in dicta in how it might rule on this issue. The lower federal courts and some state courts are beginning to see more cases as law enforcement officials are increasingly encountering encrypted data.

U.S. Supreme Court
While the U.S. Supreme Court has yet to opine on how the Fifth Amendment should apply to the compelled production of a passcode, it has discussed the production of combination number and keys to traditional real-world safes. During the current decryption debate, many have attempted to employ this key/combo metaphor to access smartphones. This key/combo distinction appears to have originated in a dissent by Justice John Paul Stevens in the 1988 case ‘’Doe v. United States.’’ There, Justice Stevens noted that while a suspect "may in some cases be forced to surrender a key to a strongbox containing incriminating documents," he cannot be "compelled to reveal the combination to his wall safe &mdash; by word or deed." His argument was premised on the idea that requiring someone to give up a safe combination required him to "use his mind to assist the prosecution in convicting him of a crime," whereas giving up a safe key would not. The Doe majority appeared to accept this dichotomy when noting in a footnote that "we do not disagree with the dissent that '[t]he expression of the contents of an individual's mind' is testimonial communication for the purposes of the Fifth Amendment." This dichotomy was later affirmed in Hubbell.

Eleventh Circuit
Beyond the Supreme Court, the only circuit court to have addressed the issue of compelled decryption arose in a 2012 Eleventh Circuit Court of Appeals case addressing government access to data on an encrypted hard drive. There, the government obtained a warrant to search the hotel room and any electronic devices found on a John Doe, who was suspected of sharing explicit material of children on the Internet.

Because forensic examiners from the FBI were unable to access certain portions of the drive, a grand jury subpoena was issued to require Doe to produce the unencrypted contents of the hard drives. Upon Doe’s claim that compliance with the subpoena would violate his Fifth Amendment privilege against self-incrimination, the government sought and received act-of-production immunity for such production. Although forensic examiners believed that there was encrypted information contained on the hard drive, because the drive was encrypted, an expert for the government could not determine what data was on the drive.

The government admitted that the material requested was compelled and incriminating; thus, the only question before the Eleventh Circuit was whether Doe’s act of producing the unencrypted data would be testimonial under the Fifth Amendment. The court noted that this question ultimately turned on whether the government could show with “‘reasonable particularity’ that, at the time it sought to compel the act of production, it already knew of the materials, thereby making any testimonial aspect a ‘foregone conclusion.’”

The court concluded that the testimony was not a “foregone conclusion” and that Doe had a valid Fifth Amendment privilege: “Nothing in the record before us reveals that the Government knows whether any files exist and are located on the hard drives; what’s more, nothing in the record illustrates that the Government knows with reasonable particularity that Doe is even capable of accessing the encrypted portions of the drives.”

District courts
In addition to the Eleventh Circuit, several district courts have also addressed the compelled decryption issue. Like the Eleventh Circuit case, these cases largely turned on the extent of the government’s knowledge concerning the documents. In the 2007 case ‘’In re Boucher,’’ border patrol agents stopped Sebastien Boucher and his father as they attempted to cross the Canadian border into the United States. One of the officers found a laptop computer in the backseat. Without needing to enter a password, he was able to access approximately 40,000 files on the laptop, some of which appeared to contain pornographic images.

An ICE special agent then investigated further, finding thousands of images of pornography, including one file labeled in a way to suggest it as child pornography, but he was unable to open. The laptop was later powered down and could not be accessed again due to an encryption program installed on the laptop.

Secret Service agents estimated that it would take years to crack the password using a brute force attack. To gain access to the data, the grand jury issued a subpoena requesting that Boucher provide “all documents, whether in electronic or paper form, reflecting any passwords” associated with the seized hard drives. Boucher moved to quash the subpoena on the grounds that it violated his Fifth Amendment right to self-incrimination.

The government conceded that Boucher could not be compelled to disclose his password as this would be inherently testimonial. Instead, the government asked that Boucher be compelled to enter his passcode. In granting his motion to quash the subpoena, the court noted that entering a password implicitly communicates facts: “By entering the password Boucher would be disclosing the fact that he knows the password and has control over the files on [the hard drive].”

The government later narrowed its request to requiring Boucher to produce an unencrypted version of the hard drive. The magistrate judge determined that the “foregone conclusion” doctrine did not apply because the government had not viewed most of the files on the drive. The district court judge reversed this decision, however, noting that the government need not be aware of the specific contents of the files, but instead must be able to demonstrate with “reasonable particularity that it knows of the existence and location of subpoenaed documents.” Because the government had already viewed some of the files on the hard drive, and ascertained that they might contain child pornography, providing the government access to the hard drive “add[ed] little or nothing to the sum total of the Government’s information.”

Like the government’s first request in the ‘’Boucher’’ case, the government in ‘’United States v. Kirschner’’ requested that the defendant produce the passcode to his encrypted computers. Relying on the Supreme Court’s safe key/combination dichotomy from ‘’Doe,’’ the district court found that revealing a passcode was the equivalent of revealing a safe combination, which would impermissibly require the defendant to reveal the contents of his mind.

In ‘’United States v. Fricosu,’’ the District Court for the District of Colorado rejected a Fifth Amendment claim made by a defendant who was ordered to produce the unencrypted contents of a hard drive found during the execution of a search warrant. With little explanation, the court noted that because the government already had possession of the hard drive, “there is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production.” Moreover, the court found that the government had sufficiently demonstrated that the hard drive belonged to the defendant through independent evidence.

Finally, in ‘’In re Decryption of a Seized Storage System,’’ the District Court of Wisconsin initially rejected the government’s request to compel the defendant to decrypt certain hard drives found in his home that contained files with names that were indicative of child pornography. The court reasoned that although the government had proven that the drives actually contained data and that the defendant was in possession of the drive, it had not demonstrated he had “access to and control over the encrypted storage devices.” However, upon review, the court granted the government’s renewed request to compel production of decrypted data as the government had offered additional evidence to demonstrate that the defendant had control and access to the drives, such as showing that drive contained personal financial information and photographs of the defendant.

State courts
In addition to the federal courts, several state courts have addressed the scope of the right against self-incrimination in the context of encrypted data. In ‘’Commonwealth v. Baust,’’ Virginia’s Second Circuit Court addressed whether the government could force an individual to provide his smartphone passcode. Relying on the safe key/combination dichotomy from ‘’Doe,’’ the Virginia court held that revealing the passcode was like revealing a combination and therefore was considered testimonial. However, the court also held that requiring the defendant to enter his fingerprint into the device would not be considered testimonial as this did “not require the witness to divulge anything from his mental processes.”

Similarly, the Supreme Judicial Court of Massachusetts assessed whether requiring a defendant to enter his passcode in order to access an encrypted hard drive should be considered testimonial for purposes of his self-incrimination claim. The Massachusetts High Court noted that the “act of complying with the government’s demand could constitute testimonial communication where it is considered to be a tacit admission to the existence of the evidence demanded, the possession or control of such evidence by the individual, and the authenticity of the evidence.” Nonetheless, the court rejected the defendant’s claim, as he had already admitted to law enforcement officials that he had encrypted the device and had access to it. In doing this, the government did not need to rely on his production of the passcode to prove ownership or control of the laptop &mdash; depriving such production of any testimonial import.