This is an article written in October 2008 which relates to the US case of Boucher with regards to the use of encryption and decryption powers.
Posted on October 31, 2008 by Clifford Davidson
On October 9, in the case R v. S and A  EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention of Human Rights. The U.K. court’s ruling is at odds with Magistrate Judge Jerome J. Niedermeier’s ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29, 2007).
R v. S and A involved two defendants whose encrypted laptops were seized in the course of an anti-terrorism investigation. The authorities located several suspicious files that they could not open due to encryption. Pursuant to section 53 of the Regulation of Investigatory Powers Act of 2000, the defendants were served with a notice requiring them to reveal the encryption key. Defendants refused and applied to stay the notices.
As the United Kingdom lacks a written constitution, the privilege against self-incrimination is a common law principle. It is not absolute and is subject to numerous statutory exceptions. The court did not address this issue at length, however, because it found that requiring the defendants to reveal an encryption code did not trigger the privilege. The court found that the encryption key existed ‘independent of the will of the subject,’ much like the key to a drawer. Even though the defendants created the key initially, ‘once created, the key to the data, remains independent of the appellant’s ‘will’ even when it is retained only in his memory, at any rate until it is changed.’ The court noted that while evidence of the defendants’ knowledge of the encryption key could itself be incriminating, the trial judge could preclude such evidence and was a minimal intrusion into the right against self-incrimination as compared to national security.
In In re Boucher, Magistrate Judge Niedermeier considered Boucher’s motion to quash a subpoena requiring that he produce all documents reflecting any passwords used or associated with his computer. At hearing on the motion, prosecutors offered to allow Boucher to enter the code without any monitoring, rather than to reveal it outright, and further offered not to comment at trial upon his knowledge of the password. This was not protective enough for the Magistrate, as discussed below.
Unlike the British court, the Magistrate found that requiring Boucher to reveal or enter the encryption code he used to protect his alleged child pornography triggered his Fifth Amendment rights, which prevent compelled disclosure of incriminating information of a testimonial nature. See Fisher v. United States, 425 U.S. 391, 408 (1976). The Magistrate cited United States v. Doe, 465 U.S. 605, 612 (1984) and Doe v. United States, 487 U.S. 201, 209-212 (1988), for the premise that the mere act of producing a non-testimonial document or object can be testimonial where it reveals a defendant’s knowledge. The Magistrate drew upon the same key/locked drawer metaphor as the British court, but citing Doe v. United States at 218, held that unlike surrendering a key, disclosing a password reveals the contents of one’s mind and is therefore testimonial. In re Boucher, 2007 WL 4245473, at *4. Magistrate Judge Niedermeier’s ruling quashing the subpoena was appealed to District Judge William K Sessions III and, according to the PACER docket, has been pending since May.
February 24, 2009
Boucher Court: No Right to Refuse to Produce Encrypted Data
Late last week a federal court in Vermont decided that a criminal defendant’s compelled act of producing unencrypted contents of an encrypted laptop is not protected by the Fifth Amendment’s privilege against compelled self-incrimination. The closely watched case of United States v. Boucher is a throwback to cyberlaw’s Cryptozoic Era, the days of Clipper Chip, CALEA, United States v. Bernstein, the shadowy legal status of PGP, and crypto export regs. The court’s resolution of this issue is not going to satisfy everyone, especially persons who believe that encrypting their laptops is a good protection against suspicionless border searches.
However, the court’s ruling neatly solves the government’s problem with gaining access to the growing amount of encrypted data the is being created in response to privacy, data breach, and identity theft concerns. As I read this opinion, so long as the government has a general idea of what might be hidden among the encrypted data, and it can point at the computer housing it, there is no Fifth Amendment impediment to a demand for production of that data in an unencrypted format.
Following his arrest for transportation of child pornography and seizure of the laptop containing the evidence against him, Boucher claimed that his refusal to tell police the password protecting an encrypted portion of the laptop’s hard drive is protected by the Fifth Amendment’s privilege against compelled self-incrimination.
A magistrate judge agreed with Boucher in United States v. Boucher, No. 2:06-mj-91 (D. Vt. Nov. 29, 2007), and it quashed a grand jury subpoena directing Boucher to divulge the password. The magistrate concluded that the act of entering the laptop password was a testimonial act under the privilege. The legal ins and outs of the case are dissected by Prof. Orin Kerr in this Volokh Conspiracy post, and I commend anyone who wants to understand this area of the law better to go there and read it.
Last week, the district court reversed that ruling, though ‘reversed’ is probably not the correct word, since the district court decided a slightly different issue than the magistrate. This is because, on appeal, the government changed its legal approach to the case. Rather than demanding that Boucher give authorities his password, it instead demanded that Boucher turn over the contents of his encrypted hard drive in an unencrypted format. Looking at the case this way, the district court decided that the Fifth Amendment did not give Boucher a constitutional right to refuse.
Any evidence of child pornography on the defendant’s laptop is not protected by the Fifth Amendment because this evidence was voluntarily created by the defendant. The question faced by the district court was whether the act of producing the contents of the laptop was itself a compelled communication of incriminating facts. Courts have held that compelled production of incriminating documents would not violate the Fifth Amendment in two situations: (1) if the existence and location of the evidence was previously unknown to the police or (2) if the act of production would implicitly authenticate the evidence. The district court decided that neither circumstance was present in this case. The government already knew that unencrypted portions of the laptop’s hard drive contained child pornography. And, as for the second circumstance, the government promised the court that it would not use Boucher’s act of producing the contents of the laptop to prove that the child pornography it contained belonged to him.
The court said that the encrypted portions of Boucher’s laptop were similar to the daily calendar at issue in In re Grand Jury Subpoena, 1 F3d 87 (2d Cir. 1993). In that case, the government subpoenaed the original of the defendant’s daily calendar, at a time when it already had a copy of that document. The Second Circuit ruled that the Fifth Amendment would not be violated by compelling production of the original, since the existence and location of the calendar were a foregone conclusion and the defendant had already testified about his possession and use of it.
The court reasoned that the compelling Boucher to produce the vast expanse of unknown, encrypted data on his laptop ‘adds little or nothing to the sum total of the Government’s information’ (quoting the Supreme Court’s opinion in Fisher v. United States, 425 U.S. 391 (1976) about him, so it was not therefore protected by the Fifth Amendment privilege. No doubt many will find this to be a weak spot in the court’s opinion. The Second Circuit may weigh in too; the defendant has already filed an interlocutory appeal to that court.
Posted by Thomas O’Toole on February 24, 2009
February 26, 2009 1:30 PM PST
Judge orders defendant to decrypt PGP-protected laptop
by Declan McCullagh
A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.
In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.
‘Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent,’ Sessions wrote in an opinion last week, referring to Homeland Security’s Immigration and Customs Enforcement bureau. Police claim to have viewed illegal images on the laptop at the border, but say they couldn’t access the Z: drive when they tried again nine days after Boucher was arrested.
Boucher’s attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.
The Fifth Amendment says nobody can be ‘compelled in any criminal case to be a witness against himself,’ which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.
Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over ‘passwords used or associated with’ the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.
At issue in this case is whether forcing Boucher to type in that PGP passphrase–which would be shielded from and remain unknown to the government–is ‘testimonial,’ meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.
Barry Steinhardt, director of the ACLU’s technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher ’should have been able to assert his Fifth Amendment rights. It’s not the same thing as asking him to turn over the Xeroxed copy of a document.’
‘There is no distinction’ between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. ‘Either of those things results in an encrypted set of files being brought into plain view.’
Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn’t know where the incriminating files are, or second, if turning them over would ‘implicitly authenticate’ them.
Because the Justice Department believes it can link Boucher with the files through another method, it’s agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)
Sessions wrote: ‘Boucher’s act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication.’
The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.
Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered ‘thousands of images of adult pornography and animation depicting adult and child pornography.’ Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then–and this is key–the laptop was shut down after Boucher was arrested.
It wasn’t until December 26 that a Vermont Department of Corrections officer tried to access the laptop–prosecutors obtained a subpoena on December 19–and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption, which can be configured to forget the passphrase after a certain time. That would effectively re-encrypt the Z: drive.)
Court of Appeal orders men to disclose encryption keys: “Two men have been told that they cannot rely on their right to silence to refuse to give British police a computer password.”
(Via OUT-LAW News.)
A landmark ruling over the Regulation of Investigatory Powers Act 2000 (RIPA) may just have reduced our rights to refuse to self-incriminate. Or not, if you accept the arguments of the judges involved.…
(Via The Register – Public Sector.)