Forced Decryption in Government Investigations

Two Sides

The targets of these subpoenas or orders argue that being required to provide an encryption password or to perform the decryption would be tantamount to compelling them to incriminate themselves, in violation of the Fifth Amendment. It is well-settled that the government can compel production of things that might be incriminating, such as blood or DNA samples or handwriting exemplars. But in some circumstances the act of producing evidence can have a testimonial character that implicates the Fifth Amendment. For instance, where the existence and location of subpoenaed documents are unknown to the government, the act of production may effectively concede possession, custody, or control over those documents.

Similarly, the act of production could implicitly authenticate documents whose authenticity otherwise had not been established. Thus, targets of forced decryption orders have argued that requiring them to decrypt a computer or to provide its contents in unencrypted form effectively compels them to acknowledge possession, custody, and control over the computer and the authenticity of its contents.

The government generally has sought to compel decryption or the production of a decrypted version of the media, rather than the production of the password itself, in implicit recognition of the fact that requiring a target to turn over a password would be compelling him to divulge the contents of his mind and therefore to make an incriminating statement. By contrast, the government argues, requiring production of the unencrypted version of the computer files is compelling the target to produce something he voluntarily created.'

The government's primary argument rests on the “foregone conclusion” doctrine articulated by the Supreme Court in the mid-1970s. Under that doctrine, the act of producing evidence is not considered testimonial if the government already possesses sufficient independent evidence to render the existence, possession, and authenticity of the evidence a “foregone conclusion.” In other words, where the government has enough other evidence establishing the existence, possession, and authenticity of the computer or other digital media, the implicit admission represented by the target's act of decryption is not deemed to implicate the Fifth Amendment. As some courts and commentators have put it: In those circumstances the implicit admission is not testimony, but rather an act of surrender.

The government has had mixed results in these cases to date, with a win-loss record of around 5-3. That's not a great record ' although it would be enough for first place in the NFC East ' and the results reflect how challenging it is to reconcile these competing Fourth and Fifth Amendment interests. Courts have struggled with these issues even within the same case; for instance, in one case involving a child pornography defendant in Wisconsin, the Magistrate initially denied the government's application and then granted it after further factual development, only to have the district court stay the order pending further briefing.

To date, only one case, involving a child pornography defendant in Florida, has been decided on the merits by a Circuit Court. In that case, In re Grand Jury Subpoena Duces Tecum, dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012), the Eleventh Circuit reversed the District Judge's order holding the target in contempt for refusing to produce the unencrypted contents of seized hard drives. The court first held that the act of decrypting seized hard drives would be tantamount to testimony by the target about his knowledge of the existence and location of potentially incriminating files, his possession of and access to the encrypted drives, and his ability to decrypt them. Id. at 1346. The court then concluded that the government had failed to satisfy the “foregone conclusion” test because it failed to demonstrate with any degree of particularity that it knew of the existence or location of encrypted files or that the target was capable of decrypting such files. Id. at 1346-49.

Looking Forward

In the months and years ahead, courts will continue to grapple with the fundamental question of whether there is a constitutionally sound way for law enforcement to get access to an encrypted electronic device when it has lawfully obtained a warrant for that device based on a showing of probable cause. The law in this area is still in an embryonic stage of development, so broad lessons are hard to come by. But there are a few takeaways from the first wave of cases:'

• This is very much a fact-based inquiry, in which the court's application of the “foregone conclusion” doctrine will turn on the quality and quantity of independent evidence the government can offer.
• In interviews of suspects, the government will likely put a premium on asking questions designed to establish a foundation for the future application of the doctrine, including questions about ownership of the device at issue, the suspect's knowledge of or access to its contents, or the suspect's ability to use encryption. The government may ask similar questions to provide a basis for arguing that a suspect has waived his Fifth Amendment privilege.
• Suspects who claim to have forgotten their passwords in the face of subpoenas or decryption orders may face skeptical reactions from courts and risk contempt sanctions. On the other hand, good cybersecurity includes stronger ' i.e., longer and more complex ' passwords, and even the best of us has forgotten a password after a vacation or other period of inactivity. So just because a suspect's forgetfulness is convenient doesn't mean it's not legitimate.
• It remains to be seen how the development of other types of decryption methods beyond passwords ' such as biometrics or a private encryption key generated by an encryption program ' might affect the analysis. If being compelled to provide or enter a password is considered a testimonial act analogous to providing the combination to a wall safe, would being compelled to use biometrics to decrypt be a non-testimonial act, analogous to turning over the key to a locked container?

This “foregone conclusion” issue arises when it's the suspect himself who holds the encryption key, as opposed to a service provider. Government attempts to get encryption keys from providers raise a whole other set of issues. But that's a story for another time.

Jason Weinstein is a partner in the Washington office of Steptoe & Johnson LLP. He is a former federal prosecutor and most recently served as deputy assistant attorney general in the U.S. Department of Justice's Criminal Division, where he oversaw the Computer Crime and Intellectual Property Section.

'

SPECIAL OFFER: Twitter, LinkedIn, Facebook and Google+ followers can get an online subscription to Business Crimes Bulletin for only $299. Click here, select Digital Only and use promo code BCBOL299 at checkout. This offer is valid for new subscribers only.

'

In the old days ' that is, just a few years ago ' encryption had something of a negative connotation among many law enforcement officials. If a suspect encrypted his files, the thinking went, he must have something to hide. That is far less true today. Encryption has gained much broader acceptance, and is more available, than ever before. Among other factors, state data breach laws generally provide a safe harbor for breach victims whose information was encrypted. Today, consumers can buy hard drives and thumb drives where encryption is the default. And in the wake of the Snowden leaks, makers of encryption products can expect a strong uptick in demand, as encryption will likely become even more widely used.

When I served in the Justice Department's (DOJ) Criminal Division, we grew increasingly concerned about the challenges posed when agents attempted to execute search warrants for computers or other digital media, only to discover that those media were encrypted. Where appropriate, we issued subpoenas or obtained court orders directing the suspects to decrypt the digital media or to provide unencrypted copies. When those suspects challenged the subpoenas or orders, the result was a showdown of sorts between the Fourth Amendment and the Fifth Amendment.

We litigated this issue aggressively when I was at DOJ, and targets of these orders pushed back with equal force, in some cases incurring contempt sanctions for failing to comply. Now that I have moved to “the other side of the aisle,” it's fair to say that I approach these issues from a different perspective. But no matter which side of the issue you're on, this will become an even more significant battleground in the years ahead, as more and more computer users ' both the innocent and the allegedly not-so-innocent ' adopt encryption as a standard operating procedure.

Two Sides

The targets of these subpoenas or orders argue that being required to provide an encryption password or to perform the decryption would be tantamount to compelling them to incriminate themselves, in violation of the Fifth Amendment. It is well-settled that the government can compel production of things that might be incriminating, such as blood or DNA samples or handwriting exemplars. But in some circumstances the act of producing evidence can have a testimonial character that implicates the Fifth Amendment. For instance, where the existence and location of subpoenaed documents are unknown to the government, the act of production may effectively concede possession, custody, or control over those documents.

Similarly, the act of production could implicitly authenticate documents whose authenticity otherwise had not been established. Thus, targets of forced decryption orders have argued that requiring them to decrypt a computer or to provide its contents in unencrypted form effectively compels them to acknowledge possession, custody, and control over the computer and the authenticity of its contents.

The government generally has sought to compel decryption or the production of a decrypted version of the media, rather than the production of the password itself, in implicit recognition of the fact that requiring a target to turn over a password would be compelling him to divulge the contents of his mind and therefore to make an incriminating statement. By contrast, the government argues, requiring production of the unencrypted version of the computer files is compelling the target to produce something he voluntarily created.'

The government's primary argument rests on the “foregone conclusion” doctrine articulated by the Supreme Court in the mid-1970s. Under that doctrine, the act of producing evidence is not considered testimonial if the government already possesses sufficient independent evidence to render the existence, possession, and authenticity of the evidence a “foregone conclusion.” In other words, where the government has enough other evidence establishing the existence, possession, and authenticity of the computer or other digital media, the implicit admission represented by the target's act of decryption is not deemed to implicate the Fifth Amendment. As some courts and commentators have put it: In those circumstances the implicit admission is not testimony, but rather an act of surrender.

The government has had mixed results in these cases to date, with a win-loss record of around 5-3. That's not a great record ' although it would be enough for first place in the NFC East ' and the results reflect how challenging it is to reconcile these competing Fourth and Fifth Amendment interests. Courts have struggled with these issues even within the same case; for instance, in one case involving a child pornography defendant in Wisconsin, the Magistrate initially denied the government's application and then granted it after further factual development, only to have the district court stay the order pending further briefing.

To date, only one case, involving a child pornography defendant in Florida, has been decided on the merits by a Circuit Court. In that case, In re Grand Jury Subpoena Duces Tecum, dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012), the Eleventh Circuit reversed the District Judge's order holding the target in contempt for refusing to produce the unencrypted contents of seized hard drives. The court first held that the act of decrypting seized hard drives would be tantamount to testimony by the target about his knowledge of the existence and location of potentially incriminating files, his possession of and access to the encrypted drives, and his ability to decrypt them. Id. at 1346. The court then concluded that the government had failed to satisfy the “foregone conclusion” test because it failed to demonstrate with any degree of particularity that it knew of the existence or location of encrypted files or that the target was capable of decrypting such files. Id. at 1346-49.

Looking Forward

In the months and years ahead, courts will continue to grapple with the fundamental question of whether there is a constitutionally sound way for law enforcement to get access to an encrypted electronic device when it has lawfully obtained a warrant for that device based on a showing of probable cause. The law in this area is still in an embryonic stage of development, so broad lessons are hard to come by. But there are a few takeaways from the first wave of cases:'

• This is very much a fact-based inquiry, in which the court's application of the “foregone conclusion” doctrine will turn on the quality and quantity of independent evidence the government can offer.
• In interviews of suspects, the government will likely put a premium on asking questions designed to establish a foundation for the future application of the doctrine, including questions about ownership of the device at issue, the suspect's knowledge of or access to its contents, or the suspect's ability to use encryption. The government may ask similar questions to provide a basis for arguing that a suspect has waived his Fifth Amendment privilege.
• Suspects who claim to have forgotten their passwords in the face of subpoenas or decryption orders may face skeptical reactions from courts and risk contempt sanctions. On the other hand, good cybersecurity includes stronger ' i.e., longer and more complex ' passwords, and even the best of us has forgotten a password after a vacation or other period of inactivity. So just because a suspect's forgetfulness is convenient doesn't mean it's not legitimate.
• It remains to be seen how the development of other types of decryption methods beyond passwords ' such as biometrics or a private encryption key generated by an encryption program ' might affect the analysis. If being compelled to provide or enter a password is considered a testimonial act analogous to providing the combination to a wall safe, would being compelled to use biometrics to decrypt be a non-testimonial act, analogous to turning over the key to a locked container?

This “foregone conclusion” issue arises when it's the suspect himself who holds the encryption key, as opposed to a service provider. Government attempts to get encryption keys from providers raise a whole other set of issues. But that's a story for another time.

Jason Weinstein is a partner in the Washington office of Steptoe & Johnson LLP. He is a former federal prosecutor and most recently served as deputy assistant attorney general in the U.S. Department of Justice's Criminal Division, where he oversaw the Computer Crime and Intellectual Property Section.

'