We all know what multi-factor authentication is. Typically, it involves two of three classes of authentication; (1) something you know (a password or passphrase); (2) something you have (a token or key); and (3) something you are (a biometric). Traditionally, the last of these, a unique biometric signature, has been the holy grail of identification, authorization, and identity management, and has been considered the most secure of the three factors.
But after a ruling last week by a Circuit Court judge in Virginia Beach, Virginia, the biometric may, in fact be the least legally protected of the three forms of authentication. The Court ruled that the government can compel a suspect to produce a biometric to decrypt the contents of a cell phone, but could not similarly compel the defendant to produce a PIN code or password.
Courts elsewhere have been all over the map over whether a person can, consistent with the Fifth Amendment right against self incrimination, be compelled to produce passwords or tokens, but this is the first time a party has been compelled to produce a biometric to unlock the contents of a device. It won’t be the last.
Compelled Decryption
The Fifth Amendment in the United States provides that, in a criminal case, no person shall be compelled to be a witness against himself or herself. As such, it is a testimonial privilege applicable in criminal cases. You can’t be forced to testify. It doesn’t mean you can’t be forced to incriminate yourself, or that you can conceal incriminating evidence or information. You can’t be forced to testify. So what does THAT mean?
It means more than simply being compelled in a court to take the stand and testify. It includes being compelled to make statements out of court that might be used in court. It includes being forced to make statements in civil, administrative or even foreign proceedings, which reasonably might be used against you in a U.S. criminal proceeding.
It also means that not only the substance of the compelled testimony cannot be used against you, but also anything that is derived from the compelled testimony (what the law calls the “fruits of the poisonous tree”) cannot be used against you either.
For the most part, however, the Fifth Amendment does not apply to the contents of items or documents that are themselves incriminating. Courts have reasoned that you were not “compelled” to create these documents or records. So if you keep a diary (“Tuesday, I went for a walk, enjoyed a cup of coffee, watered the lawn, and killed my neighbor…”) and the police find it, they can use it against you.
But even there, the law is a bit muddy. While they can introduce the diary as evidence against you, they can’t force you to reveal the fact that you kept a diary, or where the diary is, or the fact that the diary they show you is, in fact, authentic. Those things would force you to “be a witness” against yourself. Compelled self-incrimination. Same things would be true if the government subpoenaed, for example, “all guns used by you on June 8 to kill your neighbor.”
The act of production would not only admit that you had a gun, and that you had possession, custody and control over the gun, and that you knew where the gun was, but also that you used that gun, that you used it on June 8, and that you did, in fact kill your neighbor. The physical gun, while incriminating is not privileged (the government could get a search warrant and seize it, and use it against you) but the act of production is privileged.
Cell Phone Video
Virginia Beach, Virginia EMS Captain David Baust has at best a complicated relationship with his girlfriend. He was arrested for attempting to strangle her, and during the course of the investigation of that incident, police learned that he might have also “unlawfully” filmed her as well. The police apparently found video recording equipment in his bedroom.
Suspecting that video of the strangulation incident was on Baust’s cell phone, the police got a warrant to seize and search (it’s supposed to be the other way around, search and seize) Captain Baust’s cell phone. However, when the police actually obtained the cell phone, it was password locked — and biometrically locked. So could they compel Baust to provide the PIN? To swipe his finger? To unlock the phone? That’s where the situation gets muddy.
The Court in Virginia Beach ruled last week that the Commonwealth could force Baust to provide his biometric fingerprint and to use it to decrypt the contents of the phone in question, just as they could force a drunk driver to give a blood sample,
Something You Have
Let’s start with the easiest of the three factors for authentication. Something you have. A private PGP key. A crypto fob. A thumb drive. A physical object. A key.
Can the government, consistent with the Fifth Amendment, compel you to produce an object — even if that object is incriminating, or leads to something incriminating, or enables the government to open or understand something that is incriminating?
Maybe.
Remember, the act of producing the object — whether it’s the thumb drive, the key, or the diary itself is incriminating. It admits that you have possession of the key, in the case of Public Key encryption that the documents were written by (or at least encrypted by) you, that you presumably have knowledge of the contents of the documents, that you were the one who opened or read them, that you have possession of the documents, and that you have the ability to decrypt the documents.
So if the government finds a bunch of encrypted files (which ultimately prove to be child pornography) compelling you to produce the private key not only give the cops access to the kiddie porn, it vitiates a defense that “hey, I had no idea what was on my computer. The files were encrypted.” The act of production is essentially an admission. A compelled admission.
So the government can only compel production of the “thing you have” if they are willing to give what is called “Doe” immunity, or “use and derivative use” immunity, or 18 USC 6001 immunity to the “act of production.”
This comes from a series of Supreme Court cases, most notably Doe v. United States, 487 U.S. 201, 210 n. 9, 108 S.Ct. 2341, 2347 n. 9, 101 L.Ed.2d 184 (1988)), and United States v. Hubbell, 530 U.S. at 43, 120 S.Ct. at 2047 the latter case involving President Clinton’s Assistant Attorney General and personal attorney, Webster Hubbell. So if the immunity granted is “coextensive” with the scope of the privilege, then a person can be compelled to produce the key, BUT — and this is a big BUT — the government can’t use the fact that the person produced the key in any way against them.
In the Doe 108 S.Ct.2341 case, the Supreme Court made the distinction between a combination to a lockbox (something you know) and a key to the same lockbox (something you have).
Justice Stevens noted in dissent that a person “may in some cases be forced to surrender a key to a strongbox containing incriminating documents, but I do not believe he can be compelled to reveal the combination to his wall safe – by word or deed.” The Doe majority observed it is the “extortion of information from the accused,” the attempt to force him to “disclose the contents of his own mind” that implicates the Self-Incrimination Clause.
In Hubbell, the court went further, with Justice Stevens reiterating the “key” “combination” dichotomy, but then adding, “The act of exhibiting such physical characteristics [put on a shirt, provide a blood sample or a handwriting exemplar, or record his voice] is not the same as a sworn communication by a witness that relates either express or implied assertions of fact or belief.
Something you are. So under the Doe/Hubbell line of cases, the court can compel you to produce a key, can compel you to “exhibit a physical characteristic” but can’t compel you to provide the government with a password. They may even force you to use your password to decrypt the contents of a drive and produce the decrypted contents.
A Few Illustrations
Sebastien Boucher travelled from Canada to Vermont with a laptop computer. The ICE agents suspected he had child porn on the computer, and ordered Boucher to open the computer and he navigated to a Z drive, where they briefly saw child porn. They arrested Boucher and seized the computer, but the drive was now encrypted. In re Grand Jury Subpoena to Boucher, 2007 WL 4246473 (D.Vt. Nov. 29, 2007) When the government tried to compel Boucher to pony up his password, the Court found the compelled testimony incriminating and refused to order Boucher to speak up.
So the government essentially said, OK, don’t tell us the password, (testimony) deliver us the unencrypted drive (a thing). In that case, the court had no problem ordering Boucher to produce the drive, especially where the government already knew of its existence and the fact that Boucher was in possession of it. In re Grand Jury Subpoena to Boucher, 2009 WL 424718 at *2 (D.Vt. Feb. 19, 2009)
In US v. Fricosu, 841 F. Supp. 2d 1232 – Dist. Court, D. Colorado 2012 the police seized a bunch of computers from Ramona Fricosu’s home while her husband was in jail. One computer had a PGP encrypted segment called RS.WORKGROUP.Ramona. In a taped jail conversation with her husband, Ramona told him that her attorney advised her that she could not be compelled to produce the password for that directory. She was wrong.
The Court found that the naming of the directory with “workgroup.ramona” indicated ownership and control, and her statements to her husband similarly admitted ownership and control over the encrypted files.
Thus, the existence and control of the files was a “foregone conclusion” and she could be compelled to decrypt or provide the decryption key for the drive. A similar result obtained when a defendant was compelled to decrypt the contents of a government issued laptop computer that contained child pornography, where the court found that the existence of the files was a “foregone conclusion.”
In In re Grand Jury Subpoena Duces Tecum, 670 F. 3d 1335 – Court of Appeals, 11th Circuit 2012 forensic examiners examined a seized comptuer and found 5TB of encrypted data. The District Court ordered the computer owner to decrypt the drive, but the Federal Court of Appeals reversed noting “(1) Doe’s decryption and production of the contents of the drives would be testimonial, not merely a physical act; and (2) the explicit and implicit factual communications associated with the decryption and production are not foregone conclusions.”
State Courts have gone through the same analysis. Earlier this year, the Massachusetts Supreme Judicial Court (the Supreme Court) wanted to force an attorney to “privately enter an encryption key into computers seized from him…” The Court found that the attorney’s statements that “everything is encrypted” and “no one is going to get it,” to be an admission of ownership and control, and therefore this was a “foregone conclusion.” Thus, the attorney could be forced to decrypt the drive.
This “foregone conclusion” analysis was also used to compel a doctor to produce medical records and communications regarding patient treatment in the face of a Civil Investigative Demand by the government in US v. SABIT, Dist. Court, ED Michigan 2014
To Have, to Hold, To Know, To Be
While there appears to be a coherent theme to the exercise of privilege here, the truth is, the Courts are all over the map on this one. With the new case out of Virginia Beach, the Courts appear to be saying that it’s ok to compel production of a KEY – such as a PGP key, or to compel production of a decrypted drive (even if no such decrypted drive exists until the target decrypts it.) The Virginia Beach court said that is was OK to compel production of a biometric — just like you make people stand in a lineup, give a voice or blood sample, or use any other physical characteristic like fingerprints. Finally, courts seem to suggest that you can even compel someone to give up a password if that person’s ownership of the files in question is a “foregone conclusion.”
Why is this Wrong?
When I was in sixth grade, I was engaged in a battle of wills with my teacher, who insisted that I take notes in a class which I believed was not worthy of taking notes. While he insisted that the notes were for our personal use, he collected our notes periodically. Being a lefty and a fan of DaVinci, I decided to take notes in mirror writing. When the teacher collected the notes, he complained that he could not read them. I retorted, “I thought they were for us to use, not you.” I was a wise ass even then.
The decryption and the Fifth Amendment present tough choices. If we allow people to decrypt free of consequence and free of compelled decryption, we will see (and already do see) circumstances where bad guys and really bad guys will routinely encrypt information about child porn, drug dealing, terrorism and other bad stuff, with the REALLY bad guys willing to stay in jail for contempt of court rather than decrypting the drives.
But Courts are essentially wrong distinguishing between various methods of encryption and decryption. They are all, at their core, a mechanism for protecting the privacy and security of data. Indeed, a person encrypting a drive with a biometric would have cause to believe that this was more secure, and that they had a greater expectation of privacy in the biometric than they do in a simple four digit PIN.
To say that announcing the numbers “2580” as a password is testimonial incrimination, but handing over a complex PGP key, or causing a complicated mathematical calculation based upon a biometric is not “testimonial” misses the point.
The purpose of the Fifth Amendment is not simply to protect utterances. It is fundamentally a conception of privacy that there are certain things the government simply cannot do, no matter how much it wants to. It’s both a “zone of privacy” a concept of individual rights, and the idea of fundamental fairness that is embedded in the right against self-incrimination. The right should be read broadly — not an absolute, but a broad right — to protect against unnecessary encroachment.
The best way to think of it is to imagine that the governments of Iran, North Korea, Syria, or Cuba seize the contents of your encrypted drive. The local gendarme wants you to decrypt the drive for them. Should you have to do it? If your gut reaction is no (believe me, you will have a gut reaction) then we should consider allowing the same rights here.
Until then, we may all be forced to give the police the finger. At least when they ask for it.