By Paul Rosenzweig, The George Washington University
If the government requires that decryption keys are to be provided—especially by individuals—then, under what rules, if any, might these back doors be accessed? The courts have yet to definitively determine whether or not an effort to compel an individual to disclose the decryption key he holds, constitutes a violation of his Fifth Amendment privilege. Let us look at how courts have decided on some such cases.
The Fifth Amendment
It is fairly well-established now that in the US, third-party companies who hold an encryption key to a user’s data could be forced to provide it to government agencies, especially in cases where a grand jury investigation is involved. However, in cases where the end-point user holds his own encryption key, there is a much stronger argument to withhold that key under the Fifth Amendment protection against self-incrimination.
In general, the answer to the question of whether an individual can be forced to give up his decryption key turns on whether disclosing the decryption key is thought of more like the production of a physical object like the physical key to a lock box, which may be compelled under the law, or like the production of a person’s mental conceptions such as the memorized combination to a safe, whose disclosure cannot be forced.
Learn more about problems with privacy.
Physical or Mental Key?
Take the Supreme Court case, Doe v. United States. Doe was asked to be required to sign a blank bank consent form that the government was then going to use to get access to his bank. Doe objected, but lost—the court said that signing a form was more like the production of a physical object than it was like being asked to testify against yourself.
By contrast, in the United States v. Hubbell, a case arising out of the Whitewater investigation into Hillary and Bill Clinton, the documents produced by Hubbell, in response to a subpoena, were organized and selected through his own mental analysis, and thus, in that case, they were protected from disclosure.
Compelled Decryption Decisions
Only a few court cases have addressed the encryption question directly, and those that have are in disagreement. For example, in Commonwealth of Massachusetts v. Gelfgatt, Massachusetts’ highest court concluded that a defendant could be compelled to disclose a password upon pain of contempt of court for refusing to do so.
By contrast, in the case called In Re: Grand Jury Subpoena Duces Tecum, from the Eleventh Circuit Court of Appeals in Atlanta, the court decision on the issue determined that compelled decryption was unconstitutional because it was like requiring the individual to give up the mentally memorized the combination to his safe. Suffice to say, the final resolution of this question lies in the future. But the trend is in the individual’s favor.
This is a transcript from the video series The Surveillance State: Big Data, Freedom, and You. Watch it now, on Wondrium.
Are Biometrics Safe?
One recent technological development is the use of finger-scan biometrics to unlock a phone. So, what about them? Can a phone owner be ordered to put his thumb on the iPhone? Let’s take a look a case from a Virginia State Court in the Hampton Roads area.
The court held that a defendant could not be compelled to unlock his cell phone by means of entering his password. But the defendant also enabled an unlocking feature on his phone so that it could be unlocked with the swipe of his finger. And the court went on to hold that the finger swipe was not protected by the Constitution and could be compelled.
Physical Evidence can be Compelled
Since at least the mid-1960s, courts have drawn a distinction between the compulsion of physical evidence and the compulsion of testimony or oral statements. Only the latter is protected by the Fifth Amendment privilege against compelled self-incrimination.
The seminal case here is Schmerber v. California, in which a divided court held that compelled production of a blood sample, pursuant to a subpoena, was not a violation of a person’s privilege against self-incrimination—that the privilege only protected testimony, not physical evidence.
Today, of course, that distinction lies at the core of almost all major law enforcement techniques—DNA, blood type, fingerprints, hair samples—you name it. The entire cornucopia of CSI techniques all rely on the unprivileged nature of physical evidence taken from a suspect. So much so, that today we couldn’t imagine it otherwise.
Of course, the law could have gone in a completely different direction. But the distinction is now deeply embedded in our practice. And, hence, the finger swipe is no different than requiring a suspect to stand in a lineup, or a murder suspect to give a blood sample. What makes the state court case from Virginia especially compelling—and interesting—is that it is one of the starkest examples of where the law is at odds with good cyber practice.
Learn more about how technology outruns the law.
Passwords versus Biometrics
In the security domain, information security professionals are increasingly skeptical of passwords as inadequate. This is mostly because people use simple passwords, or because they often lose their encryption keys.
Most security professionals tend to think that some form of biometric identification is much more secure. And yet, the password appears to be a better legal safeguard at protecting privacy than the more security-robust biometrics. That’s exactly backward. But it is likely the right legally doctrinal answer because the law protects testimony from the mind, not physical evidence from the body.
Common Questions about Courts, the Fifth Amendment and Biometric Encryption
Legally speaking, while third-party companies cannot use the Fifth Amendment to withhold a decryption key from the government, an individual can still claim the same right if he or she holds the key.
For the courts, a password cannot be compelled from an individual, as it is a mental product; biometric protection is considered to be part of physical evidence which can be compelled.
In the security domain, information-security professionals are increasingly skeptical of passwords as inadequate. This is mostly because people use simple passwords, or because they often lose their encryption keys. Most security professionals tend to think that some form of biometric identification is much more secure.