The Privacy BlogThoughts on privacy, security, and other stuff.

Jun/13

4

Can you be forced to decrypt your files?

Declan McCullagh at CNET writes about the most recent skirmish over whether a person can be forced to decrypt their encrypted files.

In this case, Jeffery Feldman is suspected of having almost 20 terabytes of encrypted child pornography. Evidence of use of eMule, a peer to peer file sharing tool, showed filenames suggestive of such content. Child porn makes for some of the worst case law because it is such an emotionally charged issue.

A judge had ordered Mr. Feldman to decrypt the hard drive, or furnish the pass phrase, by today. After an emergency motion, he has been given more time while the challenge to the order is processed.

The challenge is over whether being compelled to decrypt data is equivalent to forced testimony against one’s self, which is forbidden by the Fifth Amendment. The prosecution position is that an encryption key is similar to a key to a safe, which may be compelled. Some prior cases have come down on the side of forcing the decryption, but not all.

If it was plausible that the suspect might not know how to decrypt the file, that would make things even more interesting. For now, the moral of the story is that you can’t rely on the Fifth Amendment to protect you from contempt of court charges in the United States if you try to protect your encrypted data. Outside the US, your mileage may vary.

· · ·

6 comments

  • Alli · June 6, 2013 at 1:01 pm

    Hi Lance–interesting article! I’m not sure how I feel about this particular issue. On one hand, I want to end the distribution of child pornography, but on the other hand it seems to potentially be a violation of the fifth amendment. A safe is different in my mind because it’s full of physical items.

    I wanted to email you but I couldn’t find your contact information on the site. I’m working on a social game that deals with privacy and would love to have you do a piece on it. If you’re interested, send me an email at alli@datadealer.com

  • Susan Vento · June 17, 2013 at 8:08 am

    Hi there Lance,
    I just have a quick question about your blog! Please email me when you get a chance.
    Susan

  • Chris Dial · July 11, 2013 at 12:20 am

    Interesting. I tend to encrypt anything personal, and I have some files filled with pictures from 2000 that I have forgotten the passphrase to. They were encrypted with PGP 1024 bit. I keep them around in the hopes that one day I will be able to unlock them. I wonder what would happen if the police demanded I do so?

  • Author comment by lance · July 11, 2013 at 9:02 am

    It probably depends on the details. If it is clear that the file has not been touched in a very long time, and the file name and context suggest that it is what you say, then your story would be plausible.
    This is a human rather than a programatic process. There is a huge amount of flexibility for judicial discretion and judgment.

  • Tom · July 27, 2013 at 4:55 pm

    RE: The compelling of passwords

    The Government has been compelling passwords from users since the mid-1990′s.

    They take the position that a password is not an utterance subject to 5th amendment protection. Often, they grant “act of production” immunity to a user to compel the production of the password. Of course, this does the user no good if the decryption of files would yield incriminating material relevant to their investigation.

    The best position to be in is to have nothing to hide.

  • Author comment by lance · July 27, 2013 at 5:00 pm

    I think we all have things we want to hide, even if they are not illegal.

Leave a Reply

<<

>>