Passphrases and the Fifth Amendment

Declan has the scoop, Judge: Man can't be forced to divulge encryption passphrase:

A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase.

U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination.

Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.”

Full text of the decision in In Re Boucher, 2007 WL 4246473 (D. Vermont, Nov. 29, 2009).

Long ago I wrote a lot about encryption keys, and touched on this issue. You can read the articles at The Metaphor is the Key: Cryptography, the Clipper Chip and the Constitution, 143 U. Penn. L. Rev. 709 (1995) and especially It Came From Planet Clipper, 1996 U. Chi. L. Forum 15.

The heart of the argument is that things in your head are not like objects in your possession: the core value of the Fifth Amendment is that you can’t be made to speak in ways that indicate your guilt. Giving up a passphrase to an encrypted message ties you to the encrypted information; if the info is, say, child porn, it creates a very strong inference that you knew what the data were and that you possessed them (there are exceptions, including email some else sent to you that is decryptable with you private key, but ignore those scenarios for now).

Other people, notably the redoubtable Orin Kerr, who argue that there is no Fifth Amendment issue here tend to focus on the analogy of possession of a physical key to a physical lock. The law is pretty clear that you can’t stop the cops from taking a physical key on the grounds that the stuff inside that safe will tend to incriminate you.

But the law is also clear that the Fifth Amendment protects you from having to make an oral or written disclosure which is “testimonial” – that, is, whose content might tend to tie you to crime. (Note that “content” means “informational content” – you can be forced to give a meaningless writing sample for handwriting comparison purposes.) This is why the cops are not able to force suspects to take them to the dead body.

It seems to me that the pure compelled disclosure case is not that hard, and that this Magistrate Judge got it right. Note, however, that this decision, emanating from the lowest-level official in the federal court system, is not precedential for other courts; and since it is pretty brief its persuasive power may not be all that great either.

Nor do I think that making a defendant decrypt something without divulging the key would in any way solve the problem, as it still ties the defendant to the content.

The hard case for me would be if the police provided limited “use immunity”: they would promise not to make the fact that your key decrypted the info any part of the prosecution. Thus, for example, the indictment would just say the information was on your hard drive, without mentioning that you had the only key to decrypt it. I think, given the current state of doctrine, that courts might well hold this to be consistent with the Fifth Amendment, making the underlying provision little more than a fairly cumbersome technicality. Doctrinally, that is not such a hard result to foresee, but it is not as simple to explain why this would apply to a coded message and not a dead body.

The flip side of the hard case is when the government provides use immunity and the suspect/defendant claims he doesn't know or has forgotten the passphrase. Then what?

In fact, I do have one ancient PGP key for which I seem to have forgotten the passphrase, so I know it can happen. But in most cases the police are likely to view this sort of memory malfunction as unduly convenient.

This entry was posted in Cryptography, Law: Constitutional Law. Bookmark the permalink.

4 Responses to Passphrases and the Fifth Amendment

  1. scared says:

    According to a fairly recent post by Professor Kerr, a national poll shows that better 40% think torture is “often” or “sometimes” justified.

    Adding in the “rarely” justified category, it looks to me like the fifth amendment is a dead letter.

    There’s enough hysteria around about “child porn” that I suspect that it would possible to whip up a majority in favor of waterboarding this guy until he coughs up his password.

  2. jim says:

    I would assume that the existence of encrypted files together with a refusal to divulge the passphrase would be sufficient reasonable suspicion for the police to confiscate the computer and attempt to decrypt them. There are, apparently, passphrase guessing tools out there, which are claimed to have something like a 55% success rate. Do you feel lucky?

  3. PHB says:

    Unfortunately Declan’s reporting only gives half the story.

    The fifth ammendment was superceeded by the secret 28th ammendment passed by Congress in closed session in 2002. The exact details of the ammendment are not known, although Whitehouse spokesperson Dana Perino assured reporters that Congressional leaders would have been informed if it was necessary.

    Under the 28th ammendment the defendant will be taken to Gitmo and waterboarded.

  4. There’s no need to resort to the 28th.

    Waterboarding isn’t really torture, in a precise sense. It is ah, umm, ah, a medical, umm, procedure—medical procedure.

    And there’s no need to take the, ah, patient to Gitmo. It can be performed in a humane manner at any hospital or veterinary clinic.

Comments are closed.