PA Supreme Court Rules Defendant Need Not Decrypt Drive
One of the perennial issues facing courts is the extent to which the government can compel an individual to decrypt the contents of a file, a computer or a server. Jumping into the fray, the Pennsylvania Supreme Court, on Nov. 20, considered the case of a child pornography suspect whose seized computer was encrypted with TruCrypt.
After the government seized the computers of Joseph Hill (a second time—the first time the seized computers had been wiped) having been led to the computers through a BitTorrent investigation of child pornography that led to his IP address, the investigators found Hill’s computer has a whole-disk encryption program on it and was password-protected with a strong password which only Hill knew. The government sought a court order compelling Hill to pony up the key. The Pennsylvania Supreme Court found that compelling Hill to state the password constituted an incriminating testimonial act and violated both the U.S. and Pennsylvania Constitution prohibition on compelled self-incrimination. It once again raises the question of whether a memorized password is “testimony” that can’t be compelled or a “key” that can—with the Keystone Court concluding the former.
Taking the Fifth
The Fifth Amendment to the U.S. Constitution provides that in criminal cases, no person may be compelled to “testify” against himself (or herself). A few salient points: First, a corporation has no Fifth Amendment privilege, although individuals in that corporation might. Thus, if a computer, file, account, etc., is “owned” by a corporation (and subject to its control) the user of the laptop can refuse to decrypt the device but the corporation as an entity cannot and must, if available, provide the decryption key. I say “if available” because, if the only person who can decrypt the device is the one asserting a personal privilege, then the corporation may, like the government, be unable to actually comply.
A second observation is that the Fifth Amendment applies only to something that is “testimonial” and “compelled.” The contents of the computer—like the contents of a file cabinet—are not protected under the Constitution (at least not as presently interpreted). Nobody “compelled” Hill to download child porn, nobody compelled him to use BitTorrent, nobody compelled him to store the files on the laptop. The fact that the contents of the computer are incriminating is not the point. The question is whether the thing that the government is compelling—produce the password—is itself “testimonial.” Does the production of the password to decrypt the disk provide the government with evidence it did not otherwise have (not, Does it enable them to make use of evidence it already has)? Think of it this way: The government compels a witness to produce “all guns you used to kill John Smith.” The “act of production” of the gun is “testimonial”—it admits not only that the witness had the gun in his possession, custody and control and that he had the ability to produce it, but also that this was the gun he used to kill John Smith.
To Key or Not to Key
To be “testimonial” courts frequently look at what precisely the witness is being compelled to do. In this case, the government later asserted that Mr. Hill might have a piece of paper with the password written on it (although it could not demonstrate this fact). Assume that to be the case—could the government compel Mr. Hill to produce the piece of paper?
Magic 8-Ball says: Situation unclear, ask again later.
Where, as here, the witness is being compelled to say something, courts are more likely to conclude that the “act” is “testimonial” even if the thing they are saying is just a recitation of numbers, letters and, of course, the mandatory exclamation point! So when a person arrested for drunk driving is asked to, for example, remember their birthday and the year when they were 6 years old, the government is compelling not just “testimony” (hell, they can easily look up his birthday and add six), but also compelling a “testimonial act”—they want to see what he remembers at that time to prove that he is impaired.
A key (pun intended) question is whether a password is akin to disclosure of the combination of a safe (testimony) or providing a key (an act), or whether it matters at all. The Pennsylvania high court found that it was like being forced to speak, and therefore it was testimonial.
The next question is whether production of the “key” is “compelled.” Since Hill was told he had to state the password or risk going to jail for refusal, it is certainly being compelled.
Finally, is the production of the password “incriminating?” Not the contents of the computer files, which would be undoubtedly incriminating, but the production of the password. Producing the password admits that the speaker owns the computer, is capable of controlling the computer and is likely aware of the files contained on the computer. It admits control and knowledge. As the Pennsylvania Supreme Court observed:
… compelling the disclosure of a password to a computer, that is, the act of production, is testimonial. Distilled to its essence, the revealing of a computer password is a verbal communication, not merely a physical act that would be nontestimonial in nature. As a passcode is necessarily memorized, one cannot reveal a passcode without revealing the contents of one’s mind. Indeed, a password to a computer is, by its nature, intentionally personalized and so unique as to accomplish its intended purpose ― keeping information contained therein confidential and insulated from discovery. Here, under United States Supreme Court precedent, we find that the Commonwealth is seeking the electronic equivalent to a combination to a wall safe — the passcode to unlock Appellant’s computer. The Commonwealth is seeking the password, not as an end, but as a pathway to the files being withheld. As such, the compelled production of the computer’s password demands the recall of the contents of Appellant’s mind, and the act of production carries with it the implied factual assertions that will be used to incriminate him. Thus, we hold that compelling Appellant to reveal a password to a computer is testimonial in nature.
This is not the first court to make such a finding. Federal courts in Florida have come to the same conclusions. As yet, the U.S. Supreme Court has not yet ruled on the Fifth Amendment’s application to an order to decrypt, provide a password for or provide plain text copies of files on an electronic device. Until then, we can expect that the law will remain murky.
My advice: Take the Fifth.