Wednesday, August 23, 2006

Encrypted Hard Drives and the Constitution

I spoke to a group a few months ago about how Customs Officers’ can search the hard drives of laptops carried by one coming into the US or leaving the US.

In my last post I talked about how the border search exception to the Fourth Amendment's warrant requirement lets (apparently, anyway – so far every federal court to address the issue has upheld the application of the exception in this context) the officers do this, and why.

After I did my presentation on that issue to the group, one of the people in the audience came up to me, quite agitated.

He said he handles computer security (in some capacity, I didn’t quite get the context) for a company, the executives of which often travel into and out of the country carrying laptops. He said the laptop hard drives have proprietary information on them, and are therefore encrypted. He was concerned about a Customs Officer’s wanting to see the files on the laptop.

At first, I am afraid I did not take the question that seriously – I told him (which I think is true) that the executives probably are not likely to have their laptops searched (but that was before the recent UK airline bombing plot, so who knows now).

That was a bad answer because it, of course, leaves open the possibility that they might have the laptop hard drives searched. And he, very reasonably, was not happy with that answer, so he pressed for a better one. He made it clear that the concept of giving the officer the encryption key was simply not an option because of the very sensitive nature of the information on the laptops. So we chatted about all this for a bit, and I finally told him his should probably come up with a procedure for this scenario, decide how they would handle it if it arose.

Let’s take the scenario he presented and parse out the options and the applicable law. The Customs Officers have a Fourth Amendment right to search “containers” (which, as I said before, includes a hard drive) when someone is entering or about to leave the country. I’ve run this scenario by prosecutors and based on their reaction and how I analyze the law, it looks to me like the scenario can have three basic resolutions:
  1. The laptop owner gives the Customs Officer the encryption key and the officer searches the laptop’s hard drive for contraband (data within the scope of a border search);
  2. the laptop owner refuses to give the Customs Officer the encryption key, says he/she has decided not to travel that day and walks away with the laptop (the prosecutors I’ve discussed this with say it would work, so we’ll assume it will, at least for now); and
  3. the laptop owner refuses to give the Customs Officer the encryption key and insists on traveling with it, citing some constitutional rule.
The first two options are self-resolving, so let’s focus on the third one.

The problem we have here is that the Fourth Amendment really does not apply to the act of refusing to hand over the encryption key.

(Ironically, it would apply if the laptop owner gives up the encryption key, because this would be consenting either to the “seizure” of the key or to letting the agent “search” it. Or it could be considered to be a waiver of the Fifth Amendment issue we’ll get to in just a moment.)

See, the Fourth Amendment only applies when government agents (like the Customs Officer) DO something . . . like taking your laptop away from you or breaking down your front door to go in and seize it or turning it on and looking through the unencrypted files against your objection. The Fourth Amendment does not apply when, as is the case here, you refuse to do something the government wants you to do and they try to make you do it.

The Fifth Amendment applies, in a very limited way, if and when the government wants you to do a very specific thing: give “testimony” that “incriminates” you.

There is a major difference between the Fifth Amendment and Miranda, which gives you a right to silence and to counsel; the Fifth Amendment, which is supposedly the foundation of Miranda, gives you neither of those things. To qualify for Miranda, you have to be in “custody,” i.e., the police have to have restrained your freedom of movement so you cannot just walk away. Since we’re assuming you can walk away, Miranda won’t apply; the Fifth Amendment is the only option.

The Fifth Amendment only applies, though, if you are “compelled” to give testimony. Being “compelled” is synonymous with being subpoenaed by a court or a grand jury and being ordered to testify; if you won’t, you, a la Judith Miller in Plamegate, will be locked up until you do. That’s being “compelled.”

That brings us to the first problem with trying to use the Fifth Amendment to refuse to give up the encryption key but still travel. It doesn’t seem that you can show you’re being “compelled” to do anything – if you can walk away (as in option #2), then you are not being compelled and the Fifth Amendment is off the table. And there probably are no other constitutional provisions that might apply.

Just for the sake of argument, let’s change things a bit: The laptop belongs to John Doe. He refuses to provide the encryption key when the Customs Officers ask for it and starts to walk away. They say he can go but tell him they’re keeping the laptop because they have probable cause to believe there’s contraband (child porn, say) in it because they have been “tipped” to that by a confidential informant. That should let them hold onto it under another Fourth Amendment exception (exigent circumstances – holding onto the laptop to prevent Doe from destroying the evidence on it) while they get a warrant to search it.

They get the warrant, but find they cannot search the files because the hard drive is encrypted. They call Doe and ask for the key and he says he won’t provide it. They can’t make him do this, so they go to a federal prosecutor who gets a grand jury to subpoena Doe. He appears before the grand jury, is asked for the encryption key, invokes his Fifth Amendment privilege and refuses to provide it.

Can he get away with that? Or will a judge find he cannot claim the Fifth Amendment privilege and lock him up until he gives up the key?

Good question, one that is not resolved.
To claim the Fifth, Doe has to be compelled (being threatened with being locked up works) to give “testimony” that “incriminates” him. Incriminates means the evidence can be used to convict him of a crime; you can’t claim the Fifth because evidence would embarrass you or hurt your business or implicate someone else in a crime. It has to implicate you in a crime.

So, purposes of analysis, we’ll say Doe can show the answer would incriminate him.
Is giving up an encryption key “testimony?” You might think it is, but it’s not that easy.

The Supreme Court has held that “testimony” is a communication; "testimony" therefore does not encompass physical evidence such as blood, hair or even handwriting. You cannot take the Fifth Amendment to refuse to provide samples of your handwriting because the Supreme Court has held that you’re just providing samples of physical evidence – how you shape letters, how much force you exert, etc. (You can’t be put under oath and compelled to write answers to questions asked you because the answers would be communications, or testimony.)

In 1988, in Doe v. United States, 487 U.S. 201), the Supreme Court held that someone cannot take the Fifth and refuse to sign a “compelled consent” because signing the consent form does not constitute “testimony.” The compelled consents (an oxymoron?) were (and are, I assume) used to get into “secret” bank accounts in places like the Cayman Islands.

The person (Doe in this case) was subpoenaed by a grand jury and told to sign a form that gave blanket consent to the bearer (FBI agents) to gain access to any and all bank accounts in his name. A number of people claimed they should not have to do this, that this was “testifying” against themselves (and could leave to the discovery of incriminating evidence). The Supreme Court said it was not testimony, it was just physical evidence – the same rationale as the Court applies to handwriting.

In the Doe case, the Court noted, in effect, that someone (i) cannot invoke the Fifth Amendment and refuse to hand over the key to a “strongbox” or a safe deposit box but (ii) but may be able to take the Fifth and refuse to “reveal the combination to his wall safe – by word or deed.” It depends on whether you are simply handing over physical evidence (like blood or handwriting) or whether you are “being forced to express the contents of your mind” by communicating.

So, basically, whether one use the Fifth Amendment privilege against self-incrimination as the basis for refusing to give up an encryption key depends on whether doing that is more analogous to handing over a key to a safe deposit box or to giving up the combination to a wall safe. (I think the Court was assuming the person had memorized the combination, btw.)

(Oh, and Miranda? Pretty much the same analysis, in that it only applies to “testimony,” to communications. The issue here, as I noted earlier, is “custody.” If the agents took Doe into custody and would not let him leave, then they would have to give him the Miranda warnings and honor his invocation of the right to silence or counsel if he did, invoke, either.)

1 comment:

Anonymous said...

What if your passphrase is "I have child porn on my computer?" Or "I am Dan Moore. The money is ... The proof is ..."

Or, you can say something like, "With all due respect, your honor, you do not know what my passphrase is. You can not say what it is not." This way, if the prosecution ever does crack your encryption, and it turns out to be something like K$#DD&#LL, perjury won't be added to your charges.

Wouldn't be the first time something weird like this was used in court.