This isn’t about the bad guys; we all know encryption helps defend against them. What isn’t so clear is our rights to data encryption when dealing with the legal system.
Date: December 8th, 2009
Author: Michael Kassner
I initially became interested in the topic of data encryption and the law due to the 2005 Minnesota appeals case, State of Minnesota versus Ari David Levie, in which Levie was accused of taking illegal pictures of a minor. I didn’t follow the entire case, just the appeal. The court was deciding whether it was legal or not to enter certain evidence — in this case, the fact that the defendant had an encryption utility on his computer.
The appeals court unanimously agreed with the trial judge: The prosecutor could mention that an encryption utility was installed on the defendant’s computer. That’s it. Nothing about what’s encrypted. Judge R. A. Randall mentioned the following in his opinion:
“Evidence of appellant’s computer usage and the presence of an encryption program on his computer was relevant to the state’s case.”
I remember a prosecutor mentioning there was plenty of other evidence in the trial with the defendant being convicted based on that evidence. Why then introduce the information about the encryption application?
I have read numerous articles interpreting what the appeals court ruling means. FUD factor aside, many feel this is a dangerous precedent because the mere presence of an encryption utility seems to imply criminal intent. It seems they are worried about how implication seems to be good enough.
A few years later in 2007, U.S. versus Boucher caught my eye. In this case, a U.S. Magistrate Judge decided the defendant was not required to divulge the password for an encrypted hard drive, saying that it violated 5th Amendment rights, the amendment protecting an individual from self-incrimination (to plead the 5th).
That ruling gave the privacy advocates some relief. But, U.S. versus Boucher was appealed in 2009. The case was overturned. The responsible U.S. District Judge’s reasoning was:
“Holding that the 5th Amendment privilege against self-incrimination does not require the conclusion that a criminal defendant may elect not to divulge a password for an encrypted hard drive.”
The prosecutors are learning. They changed tactics in the appeal:
“The Government stated that it does not in fact seek the password for the encrypted hard drive, but requires Boucher to produce the contents of his encrypted hard drive in an unencrypted format by opening the drive before the grand jury.”
I have not been able to find out what the new verdict means officially. I suspect the defendant will have a choice to make.
Other countries are dealing with this issue as well. The UK has an actual law. Regulation of Investigatory Powers Act (RIPA) part III gives police authority to ask for encryption keys or the data to be decrypted. The Register has an interesting article “UK jails schizophrenic for refusal to decrypt files“. The piece describes the circumstances behind the first person to be jailed under RIPA part III.
According to the Register, the case was a bit rough. It appears the defendant and his model rocket were never a real threat.
I found little documentation as to what our rights are when it comes to encrypting data. Then, I remembered the Electronic Frontier Foundation’s Web site. It’s not much, but the EFF offers the following advice:
Do not give the password to the authorities during the search; you have the right to remain silent.
Call a lawyer; in fact call a lawyer immediately upon being searched.
What happens next depends on individual circumstances. The EFF has this to say:
“A lawyer may be able to get your property back if the warrant was improper, negotiate a deal with the government’s attorneys to limit the search or get important files back, or convince the court to strictly limit the search so that they won’t search files that are legally privileged (like confidential legal or medical records), protected by the First Amendment (like private membership lists), or irrelevant to the case.”
Their advice turns a bit nebulous when dealing with a prosecutor:
“A prosecutor may ask a judge to order you to turn over your password. The law is unclear on whether such an order would be valid, but that is a matter to face with the assistance of counsel. No one other than a judge can force you to reveal your password.”
We are told to use encryption. It prevents the bad guys from stealing our data and identities. That’s good advice. It is also in our best interest to know the ramifications of using encryption. The only problem is no one seems to know what they are.