The Micro-Hornbook on the Fifth Amendment and Encryption
Citation: 104 Geo L.J. Online 168 (2016)
The DOJ calls encryption a “zone of lawlessness.”1 Others call it an “[e]scape from [t]yranny.”2 Opinions on encryption clearly diverge. But this micro-hornbook isn’t about opinions. It’s about the law—on what happens when the government has the right to search digital data (perhaps through a search warrant), but can’t because the data is password protected and encrypted. Can the government, without violating the Fifth Amendment, force a phone’s owner3 to (a) produce the phone’s password or (b) produce the decrypted phone (i.e., force her first to enter the password and then to produce the phone)? The first question’s answer is easy; the second’s answer is hard; and this micro-hornbook sketches the answers for both.
I. Forcing Production of the Password?
Whether the government can force a person to divulge her password depends on the password’s type.
Unquestionably, the government can force people to produce bio-metric passwords like fingerprints. The Fifth Amendment does not protect against forced physical acts, such as the taking of fingerprint or voice samples, or even forcing a person “to make a particular gesture.”4 For this reason, a Virginia trial court reached the unremarkable conclusion that there is no cellphone exception to the Fifth Amendment.5 So if you use a fingerprint to unlock your phone, the government’s right to take fingerprint samples potentially allows it to access your phone.6 Whether it actually allows the government to access your phone depends on the circumstances, as a fingerprint won’t unlock an iPhone that’s gone untouched for more than 48 hours.7
Almost as certainly, the government can’t force you to produce a password.8 The touchstone doctrine here stems from an oft-repeated line of Supreme Court dicta: The government can “force [someone] to surrender a key to a strongbox containing incriminating documents,” but it can’t force him “to reveal the combination to [a] wall safe.”9 Because a password is essentially a combination, several courts have held that the government can’t force you to produce your password.10
II. Forcing Production of the Decrypted Phone?
The next, and more difficult, question is whether the government can force you to enter the password, which decrypts your phone. There is no right answer here, and you can argue it constitutional or not—unless you’re in the Eleventh Circuit or Massachusetts. The former’s litigants are bound by the rule that forced decryption is not constitutional, and the latter probably the opposite.11
The arguments trace three fronts: the key—combination dicta just discussed; forced decryption’s physicality; and the foregone conclusion exception.
A. The Key—Combination Dicta
The first front stems from the dicta instructing that a key’s production can be compelled but a combination’s cannot.12 Some courts have extended this dicta to forced decryption. Most notably, the Eleventh Circuit held that forced decryption—which requires the respondent “to use a decryption password”—“is most certainly more akin to requiring the production of a combination because both demand the use of the contents of the mind.”13
Yet this extension is questionable. For one thing, the referenced dicta concerns producing a safe’s unlocking mechanisms; it’s not about producing a safe’s contents, which is what forced decryption seeks. For another, safes and encryption differ markedly: the government can always crack a safe; rarely can it crack encryption.14 This chasm could persuade a court to disregard the dicta, or at least to apply it less mechanistically.15
B. Forced Decryption’s Physicality
The second front is forced decryption’s physicality. The government can compel you to perform physical acts, like providing handwriting or voice samples.16 This includes producing a safe’s key, assuming the above dicta is binding.
But what about forcing you to enter a password? Is this a compellable physical act? Three courts have answered no.17 In their view, forcing a person to use a password to decrypt a hard drive is not a physical act because it forces the person to “use the contents of his mind.”18 Also prevalent in these courts’ reasoning is the key—combination dicta already discussed: “A password, like a combination, is in the suspect’s mind, and is therefore testimonial . . . .”19
So far, no courts have answered differently. Yet nearly any court (save those in the Eleventh Circuit) could still decide the issue differently because they are not bound by the foregoing cases. And maybe courts should decide it differently because everything—even physical acts—requires minimally using your mind. You can’t produce a key unless you remember where you put it. Prosecutors arguing physicality should also challenge these three courts’ questionable approach of taking dicta on forcing people to produce unlocking mechanisms and then extending it to the issue of forcing people to use unlocking mechanisms (to produce the de-crypted data itself).
C. The Foregone Conclusion Doctrine
The final front is the “foregone conclusion” doctrine. Even if forced decryption is not a physical act, and even if forced decryption is more like producing a combination than a key, forced decryption is still constitutional if it falls within the foregone conclusion exception.
This exception permits the government to obtain documents that it already knows exist.20 Courts applying the exception to subpoenas for decrypted hard drives have divided on a fundamental issue: what is the document that the government must know of? Is it a particular file, or is it instead the existence of the hard drive’s contents generally?
Some courts require that the government know of “a certain file.”21 Other courts apparently require only that the government know of the potential for unencrypted files, even if it doesn’t know the contents of those files because they’re encrypted.22 What’s more, the government will always know this whenever it sees an iPhone’s password prompt. Thus, the first group of courts allows forced decryption only in the rare instances where the government already knows what’s on the hard drive, and the second group allows it virtually always. None of these courts explain their reasoning, or even acknowledge the issue. So lawyers on both sides will need to marshal reasons in favor of one approach and against the other.23
If the government wants a fingerprint, it’s getting it. If the government wants a password, it’s not getting it. And if the government wants a decrypted hard drive, it may or may not get it.
11. Compare In re Grand Jury Subpoena, 670 F.3d at 1346–47, 1349 n.28 (requiring “knowledge as to the files on the hard drives” and as to “what . . . was hidden behind the encrypted wall”), with Commonwealth v. Gelfgatt, 11 N.E.3d 605, 615–16 (Mass. 2014) (finding a foregone conclusion where the government knew the defendant owned and operated the encrypted computer), and id. at 620–21 (Lenk, J., dissenting) (arguing that a foregone conclusion requires knowledge of “a certain file”).
Obviously, one can still argue against these rules in the Eleventh Circuit and Massa-chusetts, but obtaining a favorable result would likely require reaching the Supreme Court.
20. See In re Grand Jury Subpoena, 670 F.3d at 1344–46 (“Where the location, existence, and authenticity of the purported evidence is known with reasonable particularity, the contents of the individual’s mind are not used against him, and therefore no Fifth Amendment protection is available.” (footnote omitted)); United States v. Ponds, 454 F.3d 313, 319–20 (D.C. Cir. 2006); In re Grand Jury Subpoena, Dated April 18, 2003, 383 F.3d 905, 910 (9th Cir. 2004); Butcher v. Bailey, 753 F.2d 465, 469 (6th Cir. 1985); see also Fisher v. United States, 425 U.S. 391, 411–12 (1976); In re Grand Jury Subpoe-na Duces Tecum Dated October 29, 1992, 1 F.3d 87, 93 (2d Cir. 1993). Some cases have modified the requirement that the government know the document’s location to require that the government know that the respondent possesses or controls the document. See United States v. Bright, 596 F.3d 683, 692 (9th Cir. 2010); Ponds, 454 F.3d at 324–25; Butcher, 753 F.2d at 469. Whatever the merits of this modification, it does not affect the analysis here. See Dan Terzian, Forced Decryption as a Foregone Conclusion, 6 Calif. L. Rev. Circuit 27, 29 n.8 (2015).
The enterprising defense lawyer will note the existence of a good faith basis for arguing that the foregone conclusion doctrine is no longer good law or requires a more burdensome proof of knowledge. See Vivek Mohan & John Villasenor, Decrypting the Fifth Amendment: The Limits of Self-Incrimination in the Digital Era, 15 U. Pa. J. Const. L. Heightened Scrutiny 11, 15–16 (2012) (arguing that the Circuit Courts’ decisions are inconsistent with the Supreme Court’s Hubbell decision).
22. See United States v. Fricosu, 841 F. Supp. 2d 1232, 1237 (D. Colo. 2012) (stating that “[t]he fact that [the government] does not know the specific content of any specific documents is not a barrier to production” and concluding that “the existence and the location” of the “unencrypted version of the Z drive” was a foregone conclusion); Commonwealth v. Gelfgatt, 11 N.E.3d 605, 615–16 (Mass. 2014) (finding a foregone conclusion where the government did not know any files on the hard drive but knew the defendant controlled the hard drives).
In addition to the two groups of courts discussed in the main text, a third group exists. But this group does not illuminate how the foregone conclusion doctrine applies to subpoenas seeking to force decryption. With this group, the government knew of particular files on the encrypted hard drive, so the court did not need to—and did not—consider whether knowledge of potential unencrypted data suffices. See In re Boucher, No. 2:06-mj-91, 2009 WL 424718, at *3–4 (D. Vt. Feb. 19, 2009) (“Second Circuit precedent, however, does not require that the government be aware of the incriminatory contents of the files; it requires the government to demonstrate ‘with reasonable particularity that it knows of the existence and location of subpoenaed documents.’”) (emphasis omitted); In re The Decryption of a Seized Data Storage System, No. 13-M-449 (E.D. Wis. Apr. 19, 2013) (order denying application to compel decryption), http://www.wired.com/images_blogs/threatlevel/2013/04/encryption-case.pdf [http://perma.cc/79NL-UF6J], overruled on other (foregone conclusion) grounds, No. 13-M-449 (E.D. Wis. May 21, 2013) (order granting ex parte request for reconsideration of the government’s application under the All Writs Act), http://ia801700.us.achive.org/6/items/gov.uscourts.wied.63043/gov.uscourts.wied.63043.6.0.pdf [https://perma.cc/FPK3-YYTC].