The Legal Issues Associated With Data Encryption
Essentially, cryptography involves the conversion of information into unintelligible text for subsequent transmission past unintended third parties ("encryption"), with the intended recipient then converting the text back into intelligible form ("decryption"). For the purposes of this article, "data encryption" will be the term utilized to describe the entire process. In the online age, data encryption is favored as a means of transmitting confidential information across public spaces, whether literal or virtual, without a concomitant disclosure of the contents of the confidential information to unintended recipients. Unsurprisingly, a substantial transmission of encrypted data travels through virtual portals like the Internet. Though data encryption was once largely limited to the dissemination of military and government information, it is now employed for a myriad of reasons applicable to the average user, including for basic activities such as Web browsing and online transactions.
Data encryption has existed in various forms since the times of antiquity and yet the legal questions surrounding it remain largely unresolved, particularly in the United States. This lack of resolution is not for a paucity of recent attention to the practice. Stories have sprung up in the press detailing how data encryption is a critical component of the present government strategy on national security matters. Additionally, courts in various jurisdictions have decided questions of first impression involving the protection, if any, afforded to individuals who wish to avoid compelled disclosure of encrypted personal data. As a result, the debate surrounding data encryption has at present unprecedented salience and resonance. However, this debate is firmly ensconced in an uncertain legal framework, as the United States has yet to codify a statute that deals with the competing interests associated with data encryption.
This article will discuss several of the pressing matters within the realm of data encryption, including: the Constitutional concerns that arise when an individual is forced by the government to divulge encrypted data; the recent disclosures in the press of government involvement with encrypted data; and the current global legal climate in which these issues are situated.
Data Encryption Online, Generally
Submitting personal information (like a Social Security Number or DOB) for an online application. Inputting a credit card number to pay for an item purchased in an online auction. Creating an account on any of the myriad social media websites. All of these acts, considered routine and often integral aspects of using the Internet, rely heavily on the use of data encryption. In fact, absent data encryption technology, users would have minimal protection against hackers or other criminal entities that wish to acquire their personal information. In that respect, data encryption facilitates the myriad activities and transactions now considered intrinsic to the enjoyment and utilization of the Internet, activities which are often now taken for granted as safe. This feeling of user safety in large part derives from the ubiquity of functioning data encryption technology. Given how integral this technology has become to the seamless operation of the Internet, a brief discussion of its mechanics is warranted.
Schematically, data encryption is accomplished through utilizing a conduit known as a key. The key, often a lengthy string of numerals or letters, is a piece of randomly generated information that facilitates the encryption and decryption of the information. But for the existence of a key, the algorithm designed to accomplish this task would fail. Accordingly, a key is integral to any successful data encryption system.
In the method most prevalent, the key is binary, as in the case of the popular public-key encryption system. The public key, as expected, is visible to the users and the general public and utilized to encrypt the data. On the other hand, the paired private key is known only to the user decrypting the data. Only through knowledge of both would a user be able to access the encrypted information, thereby adding a formidable obstacle to those who wish to steal it. In addition, the public-key system is ingeniously designed so that knowledge of one key would not allow the user to derive the other key, even though the two are necessarily related.
As for practical application, in addition to the benefits alluded to above, absent a reliable encryption key, online commerce (and the concomitant benefits received by the customers and retailers) would functionally cease, as it is encryption which provides the security assurances to customers that their personal information is unlikely to be stolen or misappropriated by thieves or the companies themselves. Moreover, most users would abstain from signing up for popular social network if they knew that whatever data they inputted could be raided at a moment's notice. Put simply: Without the aegis afforded by data encryption, the utility of the modern Internet would be severely curtailed. Unsurprisingly then, since encryption has gained such a foothold in the digital universe, it has recently led to some interesting legal conflicts.
A series of recent decisions have centered on the extent to which an individual has the right to refuse compelled disclosure of encrypted information. As seen in numerous other areas of technology law, these cases involve weighing the rights of the individual, as manifested through the utilization of data encryption to ensure privacy, versus the competing right of law enforcement to conduct effective investigations. Specifically, the foremost cases center on whether the prohibition of the Fifth Amendment against compelled self-incrimination therefore prohibits law enforcement officials from compelling an individual to disclose previously encrypted information.
One of the initial cases to directly confront this question was In re Boucher, 2009 WL 424718 (D. Vt. Feb. 19, 2009). In the case, the government suspected that the accused was knowingly transporting illicit and prurient materials in interstate or foreign commerce, a violation of 18 U.S.C. §2252A(a)(1). As evidence of the violation, government officials were granted a search warrant to conduct a search of the computer of the accused. Upon the initial arrest, an official viewed some files that could reasonably be construed as depicting children in prurient acts. To further the investigation, the official thereafter wished to view the entirety of the contents on the computer. However, the contents of the hard drive in question were encrypted, and the accused refused to provide the password to decrypt the hard drive on the grounds that doing so would run afoul of his Fifth Amendment privilege against compelled testimonial communications. See Doe v. United States, 487 U.S. 201 (1988) (holding that it is the "attempt to force" an accused to "disclose the contents of his own mind" that implicates the right of the Self-Incrimination Clause).
The Boucher court disagreed with the notion that requiring the accused to produce an unencrypted copy of his hard drive would violate the Fifth Amendment. In large part, the court's rationale was based on the undisputed fact that the government, having already viewed some files on the computer in question, therefore possessed sufficient awareness of the existence and location of the encrypted files on the hard drive. Accordingly, given the particularity of the government's preexisting knowledge of potentially incriminating files, requiring the accused to produce an unencrypted copy of his hard drive did not implicate any constitutional rights since such a production did not materially supplement the knowledge the government already possessed. Accordingly, the accused was forcibly compelled to produce a decrypted version of the hard drive. See also In re the Decryption of a Seized Data Storage System, No. 13 M-449, (E.D. Wis. April 19, 2013) (the government's knowledge of incriminating file names and technical ability to link those file names to files on encrypted drives rebuts the claim of compelled self-incrimination by the accused).
The Eleventh Circuit tackled the question of compelled disclosure of an encryption key in a case called In re Grand Jury Subpoena Ducus Tecum Dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012). Unlike the Boucher court, the Eleventh Circuit found that the mandated disclosure of an encryption key in this instance violated the Fifth Amendment. First, unlike in Boucher, the court in the instant case noted that the government had no prior preexisting knowledge of the contents of the hard drive in question. In fact, the government did not know whether the hard drive contained any data at all. Simply put, because a hard drive had sufficient space to contain the incriminating data alleged by the government, did not mean it actually did. Accordingly, the "foregone conclusion" rationale was inapplicable to this case, though the court noted that mere knowledge of a file name could constitute sufficient particularity to compel decryption. Second, as opposed to producing a key that would unlock a safe, asking the accused to decrypt his hard drive necessitated use of the "contents of his own mind," and therefore constituted a testimonial act.
The differing results in the two cases discussed above hinges largely on whether the government possessed particularized knowledge of the contents of the encrypted device ante to a decryption request. The next section of this article also deals with government knowledge of encrypted data, albeit in the context of surveillance conducted ostensibly for reasons of national security and not in response to a particularized suspicion that criminal activity is occurring.