Note to self: Encrypt data, memorize password
Court rules that prosecutors can't force people to decrypt data that could potentially be used against them.
In a case that serves as a reminder to: a) use encryption, and b) memorize the encryption pass-phrase, an appeals court has ruled that people have a constitutional right not to be forced to decrypt data that potentially includes evidence that could be used to prosecute them in court.
The Fifth Amendment privilege against self-incrimination that prohibits authorities from forcing a suspect to reveal the combination to open a lock on a safe in an investigation also applies to the digital equivalent--data locked up with encryption, the U.S. District Court of Appeals for the Northern District of Florida ruled yesterday.
Compelling a suspect to reveal the pass-phrase, in either case, would essentially be forcing testimony out of that person that could be used against him or her, the court said.
"Requiring (defendants) to use a decryption password is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind, and the production is accompanied by the implied factual statements...that could prove to be incriminating," the court said.
Marcia Hofmann, senior staff attorney at the Electronic Frontier Foundation, praised the decision, saying it means that just because information is in digital form doesn't preclude people from enjoying constitutional protections.
"Encryption is going to be used more and more by average people," she said. "The important thing here is that the government is not going to be able to force people to decrypt data just to basically conduct a fishing expedition."
The situation might be different if the suspect were to have written down the pass-phrase, she said. The key to this case is that the information sought was in the mind of the defendant.
Even though the data being protected could easily be obtained with a warrant if it were not locked up with encryption technology, the act of using the cryptographic lock puts it in a protected zone if it can only be accessed by memory.
"This ruling keeps with the spirit of the Fifth Amendment, which is intended to make sure law enforcement does its job," Hofmann said. "If they're going to prosecute you, they have to make the case against you and can't force you to help them out with that."Encryption not only helps people maintain their privacy from data thieves but it is also helpful in protecting civil liberties in the event of overreaching law enforcement or government investigations, Hofmann said.
This case, which involves an unidentified suspect accused of possessing child pornography, is different from one in Colorado in which a court ordered a defendant to decrypt the contents of a laptop seized by authorities. In the Colorado case, prosecutors had reason to suspect that evidence that would be useful to the investigation was on the laptop, she said. Law enforcement agents had recorded a conversation between the defendant and her husband in which she made reference to specific files on the computer that would be useful in the case, according to Hofmann.
"We still think the case in Colorado was wrongly decided, but that's the critical difference that led the courts to come to two different decisions," Hofmann said.The EFF provides more analysis in this blog post. The defendant had used the TrueCrypt hard drive encryption program.