law and technology and rock and roll


Can A Court Force A Suspect To Disclose Their Encryption Key?

Posted by Matt on January 17, 2014         Tagged with: encryption, scc

Encryption is enjoying a surge of popularity right now. Government surveillance has made people realize the value of encrypting their private communications. Encryption software is getting easier to use. The Pirate Party of Canada has their Encrypt Everything campaign, and the EFF has HTTPS Everywhere.

It was inevitable that criminals would use encryption for their own purposes, and it was equally inevitable that when they got caught, law enforcement was going to want access to that encrypted data. Contemporary encryption software can be very secure when used by someone who knows what they're doing; it's still believed by many smart people that even the NSA can't crack it, so it's certainly beyond the capabilities of a local law enforcement agency.

As XKCD has observed, often the easiest way to access someone's encrypted data is to convince them to give you the decryption key. As much as I like to pick on them, those of us who live in western democracies can still be fairly sure that our local police department won't convince us by way of a wrench. But they do have another way of coercing suspects to divulge their keys: the courts. And so the question arises: Can a court order a suspect to divulge their encryption key?

First, a quick discussion of terminology. The phrases "encrypt" and "password protect" are often used interchangeably in the media. Some of the news stories I link to from this post are going to do exactly that. But to me, each has a specific and distinct meaning and that's how I'm going to use them. To encrypt something means to scramble it in a way such that it cannot be read without knowing the key to unscramble it. Ideally, there are no shortcuts to unscrambling encrypted data. You either know the key, or you spend an incredibly long time (measured in thousands of years) trying to guess it. That's an over-simplification and cryptographers have a number of mathematical tricks to speed up the process, but that's the ideal we're shooting for.

To "password protect" something simply means to require a password before providing access to a device or to some data on the device. Encrypting something is certainly a form of password protection: the key serves as the password and without the key, you can't access the unscrambled data. But there are other forms of password protection. Sometimes password protection is enforced by the operating system on the device: the data on the device is sitting there, unscrambled, it's just that the operating system refuses to show it to you. This kind of thing is often trivial to circumvent.

That's why, even though we've all been password protecting our computers for years, this question has become more important with the rise of encryption. Law enforcement doesn't need your password to access your Windows laptop; they have ways to work around that kind of password protection. They don't have any way to work around encryption.
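The distinction drawn above, as an added example that is not part of the original post: the same data is stored once behind a password check and once encrypted under a key derived from the password, and then the stored bytes are read directly. The function names, the sample data and the stand-in cipher (HMAC-SHA256 in counter mode, chosen so the example runs on the standard library alone) are assumptions made for illustration.

```python
import hashlib, hmac, os

SECRET = b"constructed sample: private notes"  # sample data, made up for this example
ITER = 100_000

def kdf(password, salt, n=32):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=n)

def keystream(key, nonce, n):
    # Stand-in cipher so the example needs only the standard library:
    # HMAC-SHA256 in counter mode. Real software would use AES-GCM or similar.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def gated_store(password, data):
    # "Password protected": data stored as-is; only a password check is added.
    salt = os.urandom(16)
    return {"salt": salt, "check": kdf(password, salt), "data": data}

def gated_open(store, password):
    if not hmac.compare_digest(kdf(password, store["salt"]), store["check"]):
        raise PermissionError("wrong password")
    return store["data"]

def encrypted_store(password, data):
    # Encrypted: the password derives the keys; only ciphertext is stored.
    salt, nonce = os.urandom(16), os.urandom(16)
    km = kdf(password, salt, 64)
    ct = xor(data, keystream(km[:32], nonce, len(data)))
    tag = hmac.new(km[32:], nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def encrypted_open(store, password):
    km = kdf(password, store["salt"], 64)
    tag = hmac.new(km[32:], store["nonce"] + store["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, store["tag"]):
        raise PermissionError("wrong password or corrupted data")
    return xor(store["ct"], keystream(km[:32], store["nonce"], len(store["ct"])))

def raw_bytes(store):
    # What is physically on the medium, read without going through *_open().
    return b"".join(store.values())
```

Both stores refuse a wrong password through their own open function, but only the encrypted one still hides the data when the stored bytes are read directly.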

Now, back to the law. At least in the United Kingdom, it appears that the answer to the above question is: yes. In a recent news story from the BBC, Syed Hussain was arrested for planning a terrorist attack. Police seized a USB memory stick from his home, but it was encrypted and they couldn't crack it. They called in GCHQ, still no luck. So they got a court order requiring him to provide the decryption key, and when he claimed he had forgotten the key, he got to spend an additional four months in jail. I don't know a great deal about UK law, so I'm going to pass the buck off to Techdirt, who point out that while UK citizens do enjoy a form of the right to silence, Part III of the Regulatory and Investigatory Powers Act makes it an offence to refuse to provide a decryption key when ordered to by a court.

Now let's turn to the US. (I'm no more a US constitutional lawyer than I am a UK constitutional lawyer, but I'll do my best). We've all seen crime shows in which the accused "pleads the fifth". Of course, they're referring to the Fifth Amendment to the US Constitution, which reads:

No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

There's a lot going on there, but what's important right now is that this amendment provides people arrested in the US protection against self-incrimination. Under US law, a person can refuse to answer questions where the answers to those questions might incriminate them. This is the "right to remain silent" that police officers caution suspects about when they're being arrested. The protection only applies to "testimonial" communication: "[T]o be testimonial, an accused’s communication must itself, explicitly or implicitly, relate a factual assertion or disclose information".

The issue of whether or not someone can be forced to divulge their encryption key seems like a very modern issue. But it can be analogized to a much older issue: can a suspect be forced to produce a document that the government knows exists, but can't access? Legal decisions involving constitutional law are always very fact specific. Broad principles get hammered out, but the devil is in the details. One of these broad principles has been that the act of producing a document can be a form of testimonial communication. It's not the contents of the document that are important; the mere fact that a suspect is able to produce it might be an acknowledgement that the document exists, it is in the suspect's possession or control and the suspect believes that it is authentic. Another of these broad principles has been that it isn't a Fifth Amendment violation to require the suspect to produce the document if the government already knows those things.

And so a Colorado woman accused of possessing child pornography was required to produce the unencrypted contents of her encrypted laptop since she had already admitted that the files in question existed, they were on her computer and she had access to them:

There is little question here but that the government knows of the existence and location of the computer’s files. The fact that it does not know the specific content of any specific documents is not a barrier to production.

A year later, a Wisconsin man (also accused of possessing child pornography) was not required to provide an unencrypted copy of the content of some encrypted storage devices because he had not admitted he had access to those devices:

This is a close call, but I conclude that Feldman’s act of production, which would necessarily require his using a password of some type to decrypt the storage device, would be tantamount to telling the government something it does not already know with ‘reasonably particularity’—namely, that Feldman has personal access to and control over the encrypted storage devices.

This was despite the fact that the devices were found in Feldman's home, where he had lived alone for 15 years. This should serve as a reminder that, if you get arrested, it's very important to be careful about what you say and who you say it to.

Last but not least, there's Canada. The Supreme Court of Canada has held that the right to remain silent is a principle of fundamental justice, which means it's protected by section 7 of the Charter of Rights and Freedoms:

Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice.

I can only find one Canadian case that directly addressed whether a court order requiring a suspect to divulge their key infringes the suspect's right to remain silent: R. c. Boudreau-Fontaine, a decision of the Quebec Court of Appeal. Mr. Boudreau-Fontaine was charged with (of course) possessing child pornography and violating the terms of his probation. The police obtained a search warrant which required Mr. Boudreau-Fontaine to hand over all passwords necessary for them to search his computer. (It doesn't sound like the data was actually encrypted, just password protected. There seems to be some confusion on whether the data on the laptop could have been accessed without his password). He provided the passwords, but the whole thing ended up going to the appeal court on other issues. The appeal court had this to say about the search warrant:

[39] I note that it orders the respondent to disclose his password(s) [translation] "in order to establish that the computer was connected to the Internet by Mr. Boudreau-Fontaine, thus breaching the conditions of his probation." In other words, the justice of the peace was commanding the appellant to give essential information with the specific intent of having him incriminate himself. I cannot see how the criminal law can allow such an order. It should be noted that the respondent complied with the order but that he certainly would not have done so without it, proof being that he refused to speak with the police officers about the events of September 19 when he was arrested. As the respondent wrote in his written argument, this order raises the issues of the right to silence, the right to be presumed innocent, the right not to be conscripted against oneself, and the protection against self-incrimination. Commanded to participate in the police investigation and to give crucial information, contrary to his constitutional rights, the respondent made a statement (identification of his password) that is inadmissible and that renders the subsequent seizure of the data unreasonable. In short, even had the seizure been preceded by judicial authorization, the law will not allow an order to be joined compelling the respondent to self-incriminate.

[40] In R. v. Hebert, 1990 CanLII 118 (SCC), [1990] 2 S.C.R. 151 at para. 47, McLachlin J. writes:

... the right to silence may be postulated to reside in the notion that a person whose liberty is placed in jeopardy by the criminal process cannot be required to give evidence against himself or herself, but rather has the right to choose whether to speak or to remain silent.

[41] Without necessarily being detained, the respondent was compelled to participate in his self-incrimination and was given no choice in the matter: he had to help the police officers convict him. This approach is unacceptable.

So it sounds like, at least as far as the Quebec Court of Appeal is concerned, a Canadian court cannot order a suspect to divulge their encryption key. Of course, decisions of the QCCA are only binding in Quebec. I'll keep looking and see if I can find any decisions from other parts of the country on this issue.