
Court: Decryption = Self Incrimination


The U.S. 11th Circuit Court of Appeals ruled today to uphold a lower court’s decision that law enforcement officials cannot legally force a suspect to decrypt the contents of his or her hard drive (or to reveal the decryption keys/password) without violating the suspect’s rights under the 5th Amendment against self-incrimination, if the officers do not already have direct knowledge of the encrypted data stored on the drive.

This is not directly contradictory to the recent ruling where a defendant was forced to provide her encryption key (which she conveniently forgot; still very much a developing story), because it simply defines a legal standard: it is self-incrimination to reveal decryption keys for a data storage device where the contents are not known, but if the contents are known then the encryption key can likely still be demanded so that the data can be entered into evidence.

“We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”
— Judge Gerald Bard Tjoflat

We’re not lawyers, but the layperson’s interpretation of these two rulings seems pretty simple on the surface: If the police or prosecutors already know what’s on the encrypted drive they can demand it be decrypted so the data can be entered into evidence. If they don’t know what’s on the drive, they cannot go on a fishing expedition by demanding decryption and passwords.

Of course, the defendant in this case, Ramona Fricosu, was using the excellent free and open source product TrueCrypt; one wonders why she wasn’t leveraging the plausible deniability functionality that software provides, which creates two separate volumes with two separate decryption keys. It is computationally infeasible to determine if there is a second hidden volume, as the pseudo-random data cannot be differentiated from free space. Again, seek the advice of an attorney, since denying the existence of the second volume is likely to be considered perjury. However, the functionality is extremely useful to protect data when traveling to countries with repressive regimes.

UPDATE 3-1-12: Federal authorities just successfully decrypted Fricosu’s hard drive without her involvement. This renders the opposing rulings by the two different courts moot, which is almost a win for personal privacy. The appeals court’s ruling in favor of Fricosu’s 5th Amendment rights will stand as the current legal precedent. However, this impasse is nowhere near settled. Legal experts expected this case to bubble up to the Supreme Court, so look for another case to show up in the news sometime soon. (Just don’t let it be your case on the docket; don’t keep self-incriminating information on devices that may end up in the hands of federal agents.)
