Volume 85, No. 3, Spring 2013

Upgrading the Fifth Amendment: New Standards for Protecting Encryption Passwords

In United States v. Fricosu, law enforcement officers obtained a search warrant to search a suspect’s residence and seize all computer equipment. The officers seized six computers, two laptops, and four desktops. Upon inspection, the agents discovered that they could not access the computer files on one of the laptops because its contents were encrypted. The law enforcement agency believed the defendant used the computer to engage in fraudulent real estate transactions, but in order to prove its case it needed a decrypted version of the encrypted files. Invoking her Fifth Amendment privilege against self-incrimination, the suspect refused to provide the password necessary to access the files. To obtain the files, the prosecutor sought a court order requiring the suspect to produce either the password or an unencrypted version of the electronic files.

In an increasingly computerized and networked world, encryption is becoming more and more central to the preservation of privacy and security. Because of advances in encryption technology, it can take more than a human life span to crack an encrypted hard drive. For this reason, often the only method available to law enforcement to access some forms of encrypted information is the user’s password or encryption key. As a result, the government’s ability to access an individual’s digital library may depend on how easily it can obtain the encryption key.

This Comment addresses the question of whether the government may compel a suspect to decrypt computer files found on a lawfully seized computer, or whether the act of decryption warrants Fifth Amendment protection. This question remains unresolved, in part, because cases presenting this issue have only just begun to reach the federal courts. In addition, much of the scholarship to date has focused on the question of how Fourth Amendment search and seizure rules apply to the collection of digital evidence.

Faced with a dearth of authority, the handful of courts to address the issue of Fifth Amendment protection for encryption passwords have looked to Supreme Court jurisprudence concerning when the government may compel a defendant to produce hard copy documents. Under the Court’s “act-of-production doctrine,” the Fifth Amendment protects the explicit and implicit facts communicated by the act of producing documents—such as the documents’ existence, who possesses them, and their authenticity—but does not protect the content of the documents. This limited Fifth Amendment protection may be defeated where the government can show sufficient prior knowledge of these facts, such that the information communicated by the act of production (existence, possession, authenticity) is a “foregone conclusion.” While the Supreme Court has explored the question of how much prior knowledge the government must have in order for the foregone conclusion doctrine to apply in cases of compelled hard copy document production, it has yet to consider that question in the context of compelled decryption of electronic files.

This Comment argues that decrypting data is an act with testimonial aspects that are protected by the Fifth Amendment. Section II describes computer encryption and provides an overview of the Supreme Court’s act-of-production doctrine. Part III.A compares how two federal courts have applied the act-of-production doctrine in cases where the government sought to compel a defendant to produce his encryption password.

In Part III.B, the Comment proposes a legal framework to analyze whether an order to decrypt a computer violates a suspect’s Fifth Amendment privilege against self-incrimination. The framework establishes that decryption is a testimonial act protected by the Fifth Amendment. The Comment then proposes that the foregone conclusion doctrine should be abandoned in cases of compelled decryption. If courts choose to retain the foregone conclusion doctrine, the Comment argues in the alternative that the government’s prior knowledge must be evaluated with regard to the distinct characteristics of digital evidence.

Part III.C refutes two counterarguments to this proposed framework: namely, that increased protection is unnecessary given the privacy protection available under the Fourth Amendment, and that increased Fifth Amendment protection will make it impossible for law enforcement to prosecute criminals. Finally, Part III.D examines the consequences of this framework in the context of federal witness immunity.

Read Comment …