March 28, 2017
The Legal Significance of Encryption
Please note, I am not a lawyer, and I am not offering any legal advice. This essay is simply the result of researching multiple sources and offering my best interpretations of the issues at hand. Please consult your attorney for any actual legal advice on the matter.
The opinions represented in this article are mine and mine alone and do not necessarily represent those of any of my employers past, present, or future.
This essay is for academic purposes only, and the suggestions offered should not be used for conducting any illegal activities.
This essay will attempt to elucidate some of the legal backgrounds to encryption laws, examine the legal protections that encryption can give sensitive data, and offer several practical suggestions for protecting this data.
As computing technology grows and digitized data becomes more ubiquitous, the need for securely storing and retrieving that data becomes paramount. This is especially true in any sector where the data is inherently sensitive, such that any leakage could cause significant financial or reputation loss (such as medical or financial verticals). The main way this has been accomplished is through the use of specialized encryption software. This is critical to protecting sensitive data in the modern world, and it is important to understand not only the technological protections encryption offers but the legal ones as well.
Encryption is simply a set of mathematical algorithms whereby a secret (e.g. a passphrase, a keyfile, etc.) is applied to a set of data, with the result being a seemingly random chunk of data called ciphertext. However, encryption is two-way: the same secret can then be applied to the chunk of data to obtain the original data (Thompson & Jaikaran, 2016, p. 2). This can be modeled through the following formulas:
Algorithm (data, secret) => ciphertext
Algorithm (ciphertext, secret) => data
The whole process can be compared to a lockbox: one places the documents into a lockbox and locks it with a key or a combination, which protects anyone without the key from accessing the data. However, encryption offers significantly more protection, since a lockbox can feasibly be broken or forced open. With encryption, unless one has the key, the data is lost.
Legally, this results in a difficult situation when encryption is utilized to hide incriminating data (e.g. child pornography or financial fraud). To implicate the perpetrators, accessing this data is often a necessary part of the investigation. However, the level of security encryption offers leaves the law only three possible options:
1. Use breakable encryption: either the encryption algorithms or software implementations need to be broken so as to allow access by a very specific subset of people (e.g. government officials). This would be the equivalent of a “master key” that allows access to the data by any entity that has the key. This is extremely difficult since it is technologically infeasible to guarantee that only the proper authorities use this “master key.” Moreover, it is politically infeasible to force every single provider of encryption software to allow this kind of access (Thompson & Jaikaran, 2016, p. 1).
2. Force the individual to give up the key: the individual with the secret needs to be compelled to surrender it so that the sensitive data can be accessed. While this has worked in several historical cases, this often runs against the issue of 5th Amendment laws, which are typically construed as the “right to no self-incrimination.”
3. Forcefully gain access to the data: the individual would be surveilled aggressively so as to steal any encryption secret they may have. This could include using malware to capture keystrokes as they enter their passwords, or stealing keyfiles from the computer. This, however, would likely only be permitted in the most serious of circumstances (Colarusso, 2011).
The remainder of this paper will be focused on (2) and its implications within 5th Amendment law, since it is the most common means of gaining access to the data in question.
The 5th Amendment Framework
As stated, the primary difficulty with forcing individuals to deliver data that may be incriminating is existing 5th Amendment laws. (While there are also tangential 1st and 4th Amendment issues, they will not be the focus of this paper.) Specifically, the 5th Amendment states that “No person… shall be compelled in any criminal case to be a witness against himself” (U.S. Const. amend. V.). From this, a framework has been developed that determines when a statement falls under the 5th Amendment. The statement must be:
Testimonial (Engel, 2012, p. 107)
While the first two are typically a given for most cases, the issue is determining whether a statement is “testimonial.” To count as testimonial, the statement “must itself, explicitly or implicitly, relate a factual assertion or disclose information” (Doe v. United States, 1988). This is often paired with the concept of bringing forth information from “one’s own mind” (Engel, 2012, p. 110).
This framework, however, does not give exact guidance concerning cases of the production of private documents. Therefore, two closely related doctrines have been created to augment the framework: the “Act of Production” Doctrine, and the “Foregone Conclusion” Doctrine.
The “Act of Production” Doctrine
In most cases, bringing forth any kind of information that was pre-existing is not covered by the 5th Amendment, since it was already voluntarily created and not being brought forth from “one’s own mind” (DeBlis, 2015). However, it has been determined that the very act of producing a document, in itself, may have some testimonial content (namely, if one produces a particular document, one testifies that the document exists, is authentic, and is owned by oneself) (Thompson & Jaikaran, 2016, p. 7). This has been codified in the “Act of Production” Doctrine, which states that although the contents of pre-existing, involuntary documents may not be applicable under 5th Amendment laws, the act of producing them may be testimonial. This is generally applicable in areas where requests for production are broad and not already a “foregone conclusion.”
The “Foregone Conclusion” Doctrine
The “Foregone Conclusion” Doctrine offers a notable exception to 5th Amendment protections for the production of documents. It is closely tied to the previous “Act of Production” Doctrine and essentially determines whether the production of incriminating documents may be counted as a testimonial. The doctrine states that an exception occurs when an investigator can prove three things of the document being compelled:
1. The existence of the documents
2. The authenticity of the documents
3. The possession of the documents by the individual being subpoenaed (Engel, 2012, p. 121)
Assuming these can be determined, the production of the documents does not inherently add anything “new” to the situation, since they are already a “foregone conclusion.” Therefore, the doctrine states that the production is not testimonial, and therefore not covered under the 5th Amendment framework.
Application in Encryption Cases
While the application of the above doctrines and laws in encryption cases is still highly under-determined, there have been several notable encryption cases where they have been utilized. There are three main areas where they are applied:
Surrender of an encryption passcode -- This is typically protected under the 5th Amendment since it requires the individual to bring forth the passcode out of their own mind, as well as admit to the existence, authenticity, and possession of the encrypted data (Thompson & Jaikaran, 2016, p. 12).
Surrender of a biometric passcode (e.g. fingerprint or retinal scanners) -- This is typically not protected under the 5th Amendment since it does not bring forth any new information (Thompson & Jaikaran, 2016, p. 13). However, this is a highly under-determined area of law that seems highly debatable.
Surrender of the unencrypted data -- This is protected by 5th Amendment laws depending on the applicability of the “Foregone Conclusion” Doctrine (Thompson & Jaikaran, 2016, p. 14). If the existence, authenticity, and possession of the documents are known with reasonable certainty beforehand, it will likely not be protected (e.g., In re Boucher, 2009). However, if any of those are not proven, it is likely to be protected (e.g., Doe v. United States, 1988).
Practical Suggestions for Securing Data
As seen, encryption can offer significant legal protections to sensitive data, apart from the more obvious technological protections. However, this is only true if applied carefully to the data being protected. Therefore, the following steps are suggested to secure legal protections to sensitive data:
Don’t use biometric authentication -- This is often highly contested and is not likely to guarantee the safety of the data. If used at all, it should be coupled with a passcode (e.g. in a two-factor authentication system).
Take care in encrypted file organization and naming -- All that typically needs to be determined is that the incriminating data resides in the encrypted area, with reasonable certainty. Therefore, giving revealing names or structure to encrypted files is likely to allow for this reasonable certainty.
Use cloud technologies -- Since the data physically resides elsewhere and it is difficult to trace a particular account back to an individual, it becomes infeasible to access the data or prove ownership of it in any way other than knowing the passcode. This makes the data technologically protected (since it is a monumental task to find the necessary data among all possible cloud providers), and legally protected (since it is difficult to apply the “Foregone Conclusion” Doctrine in this case) (Engel, 2012, p. 126). Two sub-recommendations are suggested:
Use cloud platforms anonymously -- Access to an account should not be able to be proven through any means other than knowing the correct location, account name, and password for the data. This may include using an anonymous method of network access, such as an encrypted VPN connection or an anonymization system like Tor or I2P. This may also include the regular cleaning of logs or caches that may indicate cloud platform access.
Use pre-Internet encryption -- While many cloud providers encrypt data on their end, it is suggested to encrypt the data before storing it within a cloud provider. This allows for further legal protection by adding another layer of difficulty in obtaining the sensitive files.
Colarusso, D. (2011). Heads in the Cloud, a Coming Storm: The Interplay of Cloud Computing, Encryption, and the Fifth Amendment's Protection Against Self-incrimination. Boston University Journal of Science & Technology Law, 17(1). Retrieved March 13, 2017.
DeBlis, M. J., III. (2015, August 21). Deconstructing the “Act of Production” Doctrine. Deblis Law. Retrieved March 13, 2017, from https://www.deblislaw.com
Doe v. United States, 487 U.S. 201 (1988).
Engel, J. A. (2012). Rethinking the Application of the Fifth Amendment to Passwords and Encryption in the Age of Cloud Computing. Whittier Law Review. Retrieved March 13, 2017.
In re Grand Jury Subpoena to Sebastien Boucher, No. 2:06-mj-91, 2009 WL 424718 (D. Vt. Feb 19, 2009).
Thompson, R. M., II, & Jaikaran, C. (2016). Encryption: Selected Legal Issues (Rep. No. R44407). Washington D.C.: Library of Congress. Congressional Research Service.
U.S. Const. amend. V.