[cryptography] US Appeals Court upholds right not to decrypt a drive
smb at cs.columbia.edu
Fri Feb 24 16:28:41 EST 2012
On Feb 24, 2012, at 2:30 57PM, James A. Donald wrote:
> Bottom line is that the suspect was OK because he kept his mouth zippered, neither admitting nor denying any knowledge of the encrypted partition.
> Had he admitted control of the partition, *then* they would have been able to compel production of the key.
> The court did not concede any right to refuse to decrypt a drive if you admit possession of the contents.
> So: Don't talk to police about the contents of your drive, or indeed anything of which they might potentially disapprove.
No, I don't think that that's quite what the ruling said. It's a long, complex opinion; what you said is close to one aspect of it, but not (in my non-lawyer opinion) precisely what the court said.
The first point, not addressed in your note but quite important to the ruling, is that the key has to be something you know, not something you have. If the keying material is on a smart card, you have to turn that over and you're not protected. If a PIN plus smart card is needed, you still have to turn over the smart card but not disclose the PIN.
Second, and going to the heart of your point, what's essential is whether or not they already know in reasonable detail what's on the encrypted drive; depending on the circumstances, they may already have that knowledge regardless of what you've said. The issue of admitting possession is not what this case focused on; in fact, the prosecution tried to finesse that point by granting limited immunity on that point. Quoting from the opinion:
'The U.S. Attorney requested that the court grant Doe immunity limited to “the use [of Doe’s] act of production of the unencrypted contents” of the hard drives. That is, Doe’s immunity would not extend to the Government’s derivative use of contents of the drives as evidence against him in a criminal prosecution. The court accepted the U.S. Attorney’s position regarding the scope of the immunity to give Doe and granted the requested order. The order “convey[ed] immunity for the act of production of the unencrypted drives, but [did] not convey immunity regarding the United States’ [derivative] use” of the decrypted contents of the drives.'
In other words, the fact of control of the encrypted data -- aka knowledge of the key -- was not at issue; the prosecution had agreed not to use that. What was important was the files on the drive. This is what distinguishes this case from Boucher (a case discussed in the opinion).
The other current case is Fricosu, where a trial judge has ordered her to decrypt her laptop. The Court of Appeals for that circuit -- the 10th; the opinion I cited is from the 11th, and hence not binding on this court -- declined to hear her appeal, not on the merits but because as a matter of procedure they won't intervene at this point in a trial. If she's convicted, she can appeal on the grounds that her Fifth Amendment rights were violated, but not until then. It's worth noting that the trial judge made his ruling on the same basis as the 11th Circuit Court of Appeals: did the government have enough prior knowledge of the contents that her rights were not infringed? An appellate court may find that he didn't rule correctly on that point, or it may decline to adopt the 11th Circuit's reasoning -- but the fundamental legal reasoning is the same; what's different is the facts of the case. (Btw, Fricosu did not talk to the police; however, she made injudicious statements to her husband in a monitored jailhouse call...)
--Steve Bellovin, https://www.cs.columbia.edu/~smb