
Eleventh Circuit Rules Defendant Cannot Be Compelled to Divulge Encryption Passphrase

Barely three weeks after I penned Another Judge Rules Encryption Passphrase not Testimonial Under Fifth Amendment Analysis, the Eleventh Circuit has held that a defendant’s “decryption and production of the hard drives’ contents would trigger Fifth Amendment protection because it would be testimonial, and that such protection would extend to the Government’s use of the drives’ contents.”

For the reasons set forth in my previous posts on this topic, and for the reasons more fully set forth below, I disagree, and I hope the Government petitions for a writ of certiorari on this issue.

In this case, captioned In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011, law enforcement officials began an investigation of an individual using a YouTube.com account whom the Government suspected of sharing explicit materials involving underage girls. During the course of the investigation, officers obtained several IP addresses from which the account accessed the internet. Three of these IP addresses were then traced to hotels, whose guest registries revealed that the sole common registrant during the relevant times was defendant.

Although probable cause was not raised as an issue in this case, it should be noted that the Government’s forensic investigator testified the Government believed that data existed on the still-encrypted parts of the hard drive and “introduced an exhibit with nonsensical characters and numbers, which it argued revealed the encrypted form of data.” Further, the Government’s forensic expert conceded that, although encrypted, it was possible the volumes contained nothing. When defendant asked the forensic expert, “So if a forensic examiner were to look at an external hard drive and just see encryption, does the possibility exist that there actually is nothing on there other than encryption? In other words, if the volume was mounted, all you would see is blank. Does that possibility exist?,” the expert replied: “Well, you would see random characters, but you wouldn’t know necessarily whether it was blank.” And, when pressed by defendant to explain why the Government believed something may be hidden, the expert replied, “The scope of my examination didn’t go that far.” In response to further prodding, “What makes you think that there are still portions that have data[?],” the expert explained, “We couldn’t get into them, so we can’t make that call.” Finally, when asked whether “random data is just random data,” the expert concluded that “anything is possible.”

Of course, everything the expert said, taken in isolation, was true, but I fail to see why these explanations undermine the Government’s right to the unencrypted data. Sure, the expert could or should have pointed to circumstantial trace evidence (such as registry data or link files that should exist had the defendant possessed and viewed the files as alleged). Sure, the Government could or should have asked for an adverse inference as to the presence and use of a forensic wiping utility, if trace evidence was not present, as it should have been had the defendant possessed and viewed the files, as alleged. But the Government wasn’t required to have probable cause as to the encrypted volumes specifically, because probable cause as to the entire computing equipment had already been satisfied.

Indeed, some discussion of the Fourth Amendment is here necessary:  The Fourth Amendment provides that, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”  As relevant here, the warrant must describe the place to be searched with particularity, and the things to be seized.  Note that the comma following the word “searched,” limits the particularity requirement to the place to be searched. And, although warrants must establish probable cause and particularly name the place to be searched, the Supreme Court has rejected the argument that warrants must include “a specification of the precise manner in which they are to be executed.” Dalia v. United States, 441 U.S. 238, 257 (1979).

In this case, the place to be searched was the hotel where defendant was staying and, presumably, any computers found therein were identified as the “things to be seized.”  But, some urge that computer hard drives should be regarded as a “virtual home” or “virtual warehouse.” See, e.g., Orin Kerr, Searches and Seizures in a Digital World, 119 Harv. L. Rev. 531, 539, 542 (2005) (“While houses are divided into rooms, computers are more like virtual warehouses . . . While computers are compact at a physical level, every computer is akin to a vast warehouse of information.”). If so, the warrant may be construed to refer to the computers as among the “places to be searched” (in addition to the hotel room), as well as the things to be seized. See United States v. Ross, 456 U.S. 798, 821 (1982) (“When a legitimate search is under way, and when its purpose and its limits have been precisely defined, nice distinctions between closets, drawers, and containers, in the case of a home, or between glove compartments, upholstered seats, trunks, and wrapped packages, in the case of a vehicle, must give way to the interest in the prompt and efficient completion of the task at hand”).  My point here is that, if the warrant was sufficient to justify the search of the computers, that justification extended to all portions of each computer.

Assuming the Government has a right to inspect all portions of the hard-drives, based on probable cause to believe they were an instrumentality of a crime, then it is appropriate to begin the Fifth Amendment analysis. Under the Fifth Amendment, “[n]o person … shall be compelled in any criminal case to be a witness against himself.” The courts have consistently interpreted this provision as “protect[ing] a person . . . against being incriminated by his own compelled testimonial communications.” Fisher v. United States, 425 U.S. 391, 409 (1976). Thus, to be afforded the protection, the statement must: (1) be compelled, (2) be testimonial in nature, and (3) serve to incriminate the declarant in a criminal proceeding. If these elements are met, the declarant has the right “not to answer questions put to him in any proceeding, civil or criminal, formal or informal, where the answers might incriminate him in future criminal proceedings.” Lefkowitz v. Turley, 414 U.S. 70, 77 (1973).

In this case, there was no dispute that defendant had care, custody, and control of the computers and hard-drives. As the sole owner, no one else could have created the encrypted volumes, and the Eleventh Circuit’s opinion does not indicate that defendant claimed someone else had created those volumes. Therefore, it is not clear to me why defendant’s mere knowledge of the passphrase is an admission of guilt, any more than it would be to surrender a key hanging about his neck, or to surrender the combination code to a safe in a home that was properly within the scope of a valid search warrant (as these hard-drives were). Knowledge of the passphrase is not an element of the crime; possession of child pornography is. (Conversely, a murderer’s knowledge of the secret location of his victim’s grave would be incriminating, because only the murderer would know that location.) Therefore, although the court intoned, “the Government appears to concede, as it should, that the decryption and production are compelled and incriminatory,” I don’t agree that the act of decryption and production, by itself, is incriminatory (even though the fruits of that production could contain evidence that is incriminating).

That leaves the question of whether the passphrase is testimonial.  The Court noted, “an act of production can be testimonial when that act conveys some explicit or implicit statement of fact that certain materials exist, are in the subpoenaed individual’s possession or control.” Yet, as noted above, it is uncontroverted that defendant had exclusive care, custody, and control of the encrypted volumes, and knows the passphrase, regardless of whether those volumes contain contraband.  Citing United States v. Hubbell, 530 U.S. 27 (2000) and Fisher v. United States, supra, the court relied upon the so-called “foregone conclusion” doctrine, which posits that an act of production is not testimonial—even if the act conveys a fact regarding the existence or location, possession, or authenticity of the subpoenaed materials—if the Government can show with “reasonable particularity” that, at the time it sought to compel the act of production, it already knew of the materials, thereby making any testimonial aspect a “foregone conclusion.” I contend that exception is here met, because it is not in dispute that the contraband was traced back to three separate IP addresses in different hotel rooms rented by defendant, and that there was no other plausible repository for those files to exist but his computer equipment, and this satisfies the “reasonable particularity” requirement.

About barristerharri

The author, Sean L. Harrington, is a digital forensics examiner, cybersecurity attorney, and e-discovery and litigation consultant with the private practice digital forensics firm of Attorney Client Privilege, LLC (http://attyClientPriv.com). Harrington holds the MCSE, CISSP, CHFI, CSOXP, and CCFP, has served on the board of the Minnesota Chapter of the High Technology Crime Investigation Association (http://mn-htcia.org), is a member of Infragard, a member of the Financial Services Roundtable cyber-legislative working group, a member of the Minnesota Ediscovery Working Group, a member of Century College's Computer Forensics Advisory Board and [erstwhile] Investigative Sciences for Law Enforcement Technology (ISLET) board, and is a council member of the Minnesota State Bar Association (MSBA) Computer & Technology Law Section (http://mntech.typepad.com). Harrington earned a certificate in computer forensics from Century College's pioneering digital forensics program and graduated with honors from Taft Law School.
