Essentially, cryptography involves the conversion of information into unintelligible text for subsequent transmission past unintended third parties (encryption), with the intended recipient then converting the text back into intelligible form (decryption). For the purposes of this article, data encryption will be the term utilized to describe the entire process.
In the online age, data encryption is favored as a means of transmitting confidential information across public spaces, whether literal or virtual, without a concomitant disclosure of the contents of the confidential information to unintended recipients. Unsurprisingly, a substantial transmission of encrypted data travels through virtual portals like the Internet. Though data encryption was once largely limited to the dissemination of military and government information, it is now employed for a myriad of reasons applicable to the average user, including for basic activities such as Web browsing and online transactions.
Data encryption has existed in various forms since the times of antiquity and yet the legal questions surrounding it remain largely unresolved, particularly in the United States. This lack of resolution is not for a paucity of recent attention to the practice. Stories have sprung up in the press detailing how data encryption is a critical component of the present government strategy on national security matters. Additionally, courts in various jurisdictions have decided questions of first impression involving the protection, if any, afforded to individuals who wish to avoid compelled disclosure of encrypted personal data. As a result, the debate surrounding data encryption has at present unprecedented salience and resonance. However, this debate is firmly ensconced in an uncertain legal framework, as the United States has yet to codify a statute that deals with the competing interests associated with data encryption.
This article discusses several of the pressing matters within the realm of data encryption, including: the Constitutional concerns that arise when an individual is forced by the government to divulge encrypted data; the recent disclosures in the press of government involvement with encrypted data; and the current global legal climate in which these issues are situated.
Data Encryption Online
Submitting personal information (like a Social Security Number or DOB) for an online application. Inputting a credit card number to pay for an item purchased in an online auction. Creating an account on any of the myriad social media websites. All of these acts, considered routine and often integral aspects of using the Internet, rely heavily on the use of data encryption. In fact, absent data encryption technology, users would have minimal protection against hackers or other criminal entities that wish to acquire their personal information. In that respect, data encryption facilitates the myriad activities and transactions now considered intrinsic to the enjoyment and utilization of the Internet, activities which are often now taken for granted as safe. This feeling of user safety in large part derives from the ubiquity of functioning data encryption technology. Given how integral this technology has become to the seamless operation of the Internet, a brief discussion of its mechanics is warranted.
Schematically, data encryption is accomplished through utilizing a conduit known as a key. The key, often a lengthy string of numerals or letters, is a piece of randomly generated information that facilitates the encryption and decryption of the information. But for the existence of a key, the algorithm designed to accomplish this task would fail. Accordingly, a key is integral to any successful data encryption system.
In the method most prevalent, the key is binary, as in the case of the popular public-key encryption system. The public key, as expected, is visible to the users and the general public and utilized to encrypt the data. On the other hand, the paired private key is known only to the user decrypting the data. Only through knowledge of both would a user be able to access the encrypted information, thereby adding a formidable obstacle to those who wish to steal it. In addition, the public-key system is ingeniously designed so that knowledge of one key would not allow the user to derive the other key, even though the two are necessarily related.
As for practical application, in addition to the benefits alluded to above, absent a reliable encryption key, online commerce (and the concomitant benefits received by the customers and retailers) would functionally cease, as it is encryption which provides the security assurances to customers that their personal information is unlikely to be stolen or misappropriated by thieves or the companies themselves. Moreover, most users would abstain from signing up for popular social networks if they knew that whatever data they inputted could be raided at a moment's notice. Put simply: Without the aegis afforded by data encryption, the utility of the modern Internet would be severely curtailed. Unsurprisingly then, since encryption has gained such a foothold in the digital universe, it has recently led to some interesting legal conflicts.
Compelled Disclosure
A series of recent decisions have centered on the extent to which an individual has the right to refuse compelled disclosure of encrypted information. As seen in numerous other areas of technology law, these cases involve weighing the rights of the individual, as manifested through the utilization of data encryption to ensure privacy, versus the competing right of law enforcement to conduct effective investigations. Specifically, the foremost cases center on whether the prohibition of the Fifth Amendment against compelled self-incrimination therefore prohibits law enforcement officials from compelling an individual to disclose previously encrypted information.
One of the initial cases to directly confront this question was In re Boucher, 2009 WL 424718 (D. Vt. Feb. 19, 2009). In the case, the government suspected that the accused was knowingly transporting illicit and prurient materials in interstate or foreign commerce, a violation of 18 U.S.C. § 2252A(a)(1). As evidence of the violation, government officials were granted a search warrant to conduct a search of the computer of the accused. Upon the initial arrest, an official viewed some files that could reasonably be construed as depicting children in prurient acts. To further the investigation, the official thereafter wished to view the entirety of the contents on the computer. However, the contents of the hard drive in question were encrypted, and the accused refused to provide the password to decrypt the hard drive on the grounds that doing so would run afoul of his Fifth Amendment privilege against compelled testimonial communications. See, Doe v. United States, 487 U.S. 201 (1988) (holding that it is the “attempt to force” an accused to “disclose the contents of his own mind” that implicates the right of the Self-Incrimination Clause).
The Boucher court disagreed with the notion that requiring the accused to produce an unencrypted copy of his hard drive would violate the Fifth Amendment. In large part, the court's rationale was based on the undisputed fact that the government, having already viewed some files on the computer in question, therefore possessed sufficient awareness of the existence and location of the encrypted files on the hard drive. Accordingly, given the particularity of the government's preexisting knowledge of potentially incriminating files, requiring the accused to produce an unencrypted copy of his hard drive did not implicate any constitutional rights since such a production did not materially supplement the knowledge the government already possessed. Accordingly, the accused was forcibly compelled to produce a decrypted version of the hard drive. See also, In re the Decryption of a Seized Data Storage System, No. 13 M-449, (E.D. Wis. April 19, 2013) (the government's knowledge of incriminating file names and technical ability to link those file names to files on encrypted drives rebuts the claim of compelled self-incrimination by the accused).
The Eleventh Circuit tackled the question of compelled disclosure of an encryption key in a case called In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012). Unlike the Boucher court, the Eleventh Circuit found that the mandated disclosure of an encryption key in this instance violated the Fifth Amendment. First, unlike in Boucher, the court in the instant case noted that the government had no preexisting knowledge of the contents of the hard drive in question. In fact, the government did not know whether the hard drive contained any data at all. Simply put, the fact that a hard drive had sufficient space to contain the incriminating data alleged by the government did not mean it actually did. Accordingly, the “foregone conclusion” rationale was inapplicable to this case, though the court noted that mere knowledge of a file name could constitute sufficient particularity to compel decryption. Second, as opposed to producing a key that would unlock a safe, asking the accused to decrypt his hard drive necessitated use of the “contents of his own mind,” and therefore constituted a testimonial act.
The differing results in the two cases discussed above hinge largely on whether the government possessed particularized knowledge of the contents of the encrypted device prior to a decryption request. The next section of this article also deals with government knowledge of encrypted data, albeit in the context of surveillance conducted ostensibly for reasons of national security and not in response to a particularized suspicion that criminal activity is occurring.
Data Encryption and National Security
The intersection between data encryption and national security has recently become a more prominent debate. As the government attempts to minimize threats to national security, intercepting communications, even if encrypted, could become a viable tool. Major players in the telecommunications and computer industry could thus be implicated since they control the pathways by which the vast preponderance of individuals communicate electronically.
However the collaboration is structured, it raises compelling questions about the future viability of data encryption as a method of ensuring at least a modicum of security for the average Internet user. In fact, a recent report indicated that current data encryption technologies could contain systematic vulnerabilities, thereby rendering their effectiveness largely in question.
As detailed above, data encryption, and the security it provides to the user, serves to facilitate a substantial portion of the online activities now taken for granted as safe. Whether this disclosure jeopardizes confidence in the viability of data encryption remains to be seen. Alternatively, given the ubiquity of electronic communication these days, even if confidence is jeopardized, users may not have the technical skill or desire to change their behavior. However, what is certain is that the lack of definitive legal guidance in this area, as detailed below, is another significant obstacle to clarity.
Governing Legal Structures
The United States generally does not have a statutory framework to govern situations when the government wishes to compel encryption key disclosure from the owner. As detailed earlier in this article, questions of compelled disclosure in the context of encryption have been solely decided by the judiciary, to differing results. On the other hand, the United Kingdom has created a law designed solely to compel disclosure of encryption keys in prescribed situations. The Regulation of Investigatory Powers Act (RIPA) requires the accused to supply either decrypted information or the encryption key to the authorities, and a refusal to do so carries a maximum penalty of two years in prison. To date, RIPA has been utilized against animal rights activists and sexual abusers.
In this country, there does not appear to be a statute analogous to RIPA. In fact, the foremost law dealing with issues surrounding data encryption centers on issues of intellectual property: the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 512, contains provisions designed to prevent individuals from circumventing methods utilized by digital rights holders to protect their copyrighted material. Theoretically, these provisions could be used against individuals who design software to encrypt data, as they could be abetting the ability of infringers to encrypt material they have stolen from the rightful copyright owner. Expectedly, complaints have arisen about the breadth of the provisions, and whether they indirectly inhibit research on the next generation of data encryption technology.
Whatever the ultimate result, the DMCA provisions discussed here are mired in uncertainty, and do not directly address the often conflicting interests in the realm of data encryption. In that respect, it's a microcosm of the entirety of the legal approach to the issue.
Conclusion
Without precise guidance from a statute, courts are left to adjudicate critical questions of constitutional law arising in the context of data encryption, often with differing results. Amidst that uncertainty, recent news could cast doubts on whether data encryption remains able to prevent disclosure of personal information. Ultimately, the only certainty about the current data encryption debate is that it is unlikely to be resolved any time soon.
Richard Raysman is a Partner at Holland & Knight. Peter Brown is a Partner at Baker & Hostetler and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).