



AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Fifth Amendment Rights: Forcing Defendants To Decrypt Drives IS Against The Fifth

The Eleventh Circuit Court of Appeals has ruled that being forced to decrypt hard drives violates the Fifth Amendment, the right not to incriminate oneself.  I've covered two previous cases that deal with data encryption where it was ruled that being forced to decrypt hard drives was not a violation of the same law.

Despite the outcome, all three cases are consistent in their rulings.

It IS a Violation and It ISN'T?  Isn't That Contradictory?

Not really.  As I learned quite recently, the Fifth Amendment is very specific on the subject of self-incrimination.  Most people think of it as a right not to incriminate oneself under any circumstances, period.  But, that's not true.

Otherwise, it would imply that you have the right not to let anyone search your house, even with a warrant.  That should strike most people as obviously false: if the government has a warrant, then you have to let them search the house, even if there's evidence in the house implicating you in a crime.  The fact that you opened the door for the government can't be used as a violation of the Fifth later on.

As I noted in one of my Fricosu Fifth Amendment coverage posts,

The 5th amendment is a protection against compelled testimony incriminating oneself. However, you don't have a right to refuse to turn over incriminating evidence — such as documents, video or records of any type.

I should note before I go on that I'm not a lawyer.  I'm just reporting here on what I've found out.

The point is, the Fifth Amendment doesn't cover all evidence that could possibly implicate oneself; in specific instances where the government knows or can prove that evidence exists, the accused must produce that evidence.

The two cases I covered before are Boucher and Fricosu.  In both cases, encryption software prevented access to evidence that the government knew was there.  In other words, the government wasn't just speculating that something might be there because, gosh darn hey, that thing is encrypted!  Something must be hidden there, right?

The Eleventh Court's decision, on the other hand, involved a case where the government was only speculating.

The Case: Relevant Details

An unnamed man (John Doe) was subpoenaed to decrypt a laptop computer and five external drives suspected of containing child pornography.  The government was planning on using any information gleaned from the decrypted disks' contents against John Doe.

John Doe refused, saying he would invoke his Fifth Amendment rights.  He was held in contempt and jailed.

Some key observations:

  • It's not in dispute that the disks belong to John Doe.
  • There was no evidence that only John Doe had access to these drives.
  • There was no evidence that John Doe was able to decrypt the drives.
  • The government's forensic examiners could not recover any data because all of the disks were protected with encryption.
  • The forensic examiners could tell that there was "an 'enormous amount of data'", over 5 TB in total.

All interesting stuff, but the following is the most telling (my emphases):

Although they were unable to find any files, [forensic examiner] McCrohan testified that they believed that data existed on the still-encrypted parts of the hard drive....

When pressed by Doe to explain why investigators believed something may be hidden, McCrohan replied, "The scope of my examination didn't go that far."  In response to further prodding, "What makes you think that there are still portions that have data[?]," McCrohan responded, "We couldn't get into them, so we can't make that call."  Finally, when asked whether "random data is just random data," McCrohan concluded that "anything is possible."  At the conclusion of the hearing, the district court held Doe in contempt and committed him to the custody of the United States Marshal. 

The government's case appears to be, in essence, "you've got 5 TB of data.  You've downloaded child porn online.  There must be something there."

Eleventh Court Answers: More of the Same

John Doe appealed, and the Eleventh Circuit ruled on the proceedings.  According to the Appellate Court's findings:

...We hold that Doe's decryption and production of the hard drives' contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government's use of the drives' contents.  The district court...erred in concluding that Doe's act of decryption and production would not constitute testimony

The court obviously offers a detailed explanation (begins on the second half of page 10).  But the gist of it is this: there is no foregone conclusion that the encrypted disks contain the material the government is seeking.  The government has no way of showing "that it had knowledge of the contents of the documents from a source independent of the documents themselves," assuming those documents do exist in the encrypted disks (emphases are from the original text):

...the question becomes whether the purported testimony was a "foregone conclusion."  We think not.  Nothing in the record before us reveals that the Government knew whether any files exist or the location of those files on the hard drives; what's more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives....

To be fair, the Government has shown that the combined storage space of the drives could contain files that number well into the millions.  And the Government has also shown that the drives are encrypted.  The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful.  The Government has emphasized at every stage of the proceedings in this case that the forensic analysis showed random characters.  But random characters are not files; because the TrueCrypt program displays random characters if there are files and if there is empty space, we simply do not know what, if anything, was hidden based on the facts before us....

Case law from the Supreme Court does not demand that the Government identify exactly the documents it seeks, but it does require some specificity in its requests—categorical requests for documents the Government anticipates are likely to exist simply will not suffice....

This is a critical difference from Boucher (where a government official saw the kiddie porn on the accused's laptop before encryption kicked in) and Fricosu (where government officials have a recorded conversation where the accused notes there are files she doesn't want the government to see on her laptop).

So, again, all three cases regarding the Fifth Amendment are consistent, even if the rulings are different.  So far, c'est la même chose.

Something New

There is one notable result coming out of this latest case, however.

The Eleventh Court of Appeals has ruled that "the act of producing decrypted documents is testimonial, not merely a physical act."  This has been something of a contentious point that hasn't been ruled on before, as far as I know (reminder: I'm not a lawyer).

In the Boucher and Fricosu cases, the foregone conclusion doctrine was used, so the courts didn't really have to make a judgment on whether providing decrypted documents is testimonial or not.  Some argued that it was not testimonial, since the documents were already there, just encrypted.  This latest finding (which could be contested all the way to the Supreme Court) appears to settle the matter on what's what.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.